Firewall rules/orders for dummies

Started by tdalej, December 17, 2025, 08:23:07 PM

I just upgraded to 25.7.9_7 and am adjusting networks afterwards.

I have separate physical subnets for various purposes.
One I use for all WIFI and a security camera NVR.
I need _one_ camera on LAN40 to talk to the NVR on LAN40.
I had the Wifi subnet isolated from the other subnets by the 3rd and 4th rule (successfully, I thought).
I tried adding the top two rules for any protocol/any port between 192.168.20.70 and 192.168.40.5.
I'm missing something because the block to the subnet appears to be working, but the rules prior to that do not.
I'm not sure what I'm missing here, but if anyone can explain it to me like I'm a dummy, I'd appreciate it.


Proto    Source              Port  Destination                 Port  Gateway  Schedule  Description
(Automatically generated rules)
IPv4 *   192.168.20.70/24    *     192.168.40.5/24             *     *        *         In rule for Security Camera
IPv4 *   192.168.40.5/24     *     192.168.20.70/24            *     *        *         Out Rule for Security Camera
IPv4 *   WIFI net            *     LAN20, LAN30, LAN40, LAN50  *     *        *         Default block out to private subnets rule
IPv4 *   WIFI net            *     LAN20, LAN30, LAN40, LAN50  *     *        *         Default block in to private subnets rule
IPv4 *   WIFI net            *     *                           *     *        *         Default allow WiFi to any rule

December 17, 2025, 08:38:42 PM #1 Last Edit: December 17, 2025, 08:42:13 PM by chemlud
Rules 1 and 2: /32 instead of /24.

Why OUT rules? Normally only IN is needed. IN with respect to the interface...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

If both devices are on LAN40 you do not need any rule.

If they are not and this is just a typo, you need one rule on the interface with the device that initiates the connection. So that depends on whether the camera pushes to the recorder or the recorder pulls from the camera.

Direction: in
Source: device initiating the connection /32 (!)
Destination: target device /32 (!)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
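To make the two points above concrete (rules are evaluated in the "in" direction on the interface the packet arrives on, and the stateful reply needs no second rule), here is an added, constructed model of first-match, interface-bound, stateful rule evaluation; it is not OPNsense code or anything from this thread. It assumes the poster's five rules sit on the WIFI interface tab and that the WIFI subnet is 192.168.10.0/24 (neither is stated in the thread); interfaces without a matching rule fall through to the default block.

```python
import ipaddress

# Constructed model of an interface-bound, first-match, stateful firewall.
# Addresses and interface names follow the thread; the WIFI subnet and the
# tab the poster's rules live on (WIFI) are assumptions, not thread facts.

def first_match(rules, iface, src, dst):
    """The first rule bound to the arriving interface that matches src->dst
    decides; no match on that interface means the default block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, action, src_net, dst_net in rules:
        # strict=False mirrors pf: 192.168.20.70/24 means the whole /24, not one host
        if (r_iface == iface
                and s in ipaddress.ip_network(src_net, strict=False)
                and d in ipaddress.ip_network(dst_net, strict=False)):
            return action
    return "block"

def check_packet(rules, state, iface, src, dst):
    """Stateful check: a packet belonging to an existing state passes in
    either direction without consulting rules; otherwise the rules on the
    arriving interface decide, and a pass creates state for the reply."""
    if (src, dst) in state or (dst, src) in state:
        return "pass (state)"
    action = first_match(rules, iface, src, dst)
    if action == "pass":
        state.add((src, dst))
    return action

CAMERA, NVR = "192.168.20.70", "192.168.40.5"
WIFI_NET = "192.168.10.0/24"  # assumed; the thread does not give the WIFI subnet
PRIVATE = ["192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24", "192.168.50.0/24"]

# The poster's rules as read from the table, all bound to the WIFI interface.
WIFI_RULES = [("WIFI", "pass", CAMERA + "/32", NVR + "/32"),
              ("WIFI", "pass", NVR + "/32", CAMERA + "/32")]
WIFI_RULES += [("WIFI", "block", WIFI_NET, net) for net in PRIVATE]
WIFI_RULES.append(("WIFI", "pass", WIFI_NET, "0.0.0.0/0"))

# One IN rule on the interface of the initiating device, as suggested above.
LAN20_RULES = [("LAN20", "pass", CAMERA + "/32", NVR + "/32")]

def camera_session(rules):
    """Camera on LAN20 opens a connection to the NVR on LAN40; the NVR's
    reply arrives in on LAN40. Returns (request verdict, reply verdict)."""
    state = set()
    request = check_packet(rules, state, "LAN20", CAMERA, NVR)
    reply = check_packet(rules, state, "LAN40", NVR, CAMERA)
    return request, reply
```

With only the WIFI-bound rules, the camera's packet arriving on LAN20 never sees them and is blocked; with the single LAN20 IN rule the request passes and the reply is accepted by state, while a connection the NVR initiates is still blocked because LAN40 has no rule.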

NVR is on LAN40 and the camera in question is on LAN20.
LAN40 is used for things that I don't want to have access to the other networks.
Putting that one camera on LAN40 would cost another POE injector, and I already have a POE switch in that location on LAN20 ...

I added out and in rules because I need to be able to register the camera to the NVR, and it needs bidirectional traffic?
The rules right below block all traffic between those networks if I understand them correctly.

Changing to /32 from /24 made no difference.
Do I need to disable and re-enable, or reboot?