Block rule doesn't work

Hello everybody,

I have a VLAN (IOT) where everybody may talk to anybody, may talk to the internet, but not with any other VLAN and to the NAS on the same VLAN only to specific ports (e.g. to deny access to the admin dashboard/SSH):

With those rules set I can still reach the BackupserverIOT on Port 22. But why?

Thanks for help.

One reason I can think of is the alias definition:

The BackupserverIOT is a Synology NAS which is reachable under 10.168.10.100 (Static DHCP mapping, VLAN IOT ID 10) and it has an internal domain backupserver.netzkiel.lan which is taken care of by the DNS resolver.

Are there any other reasons why it doesn’t work?

I think you have too many rules and can accomplish this with fewer rules. Look at my reply here.

Might be, but a connection to BackupserverIOT on port 22 should be blocked due to rule number 2. If it doesn’t, the traffic will be passed due to rule number 6. So the question is, why does rule number 2 let traffic to BackupserverIOT on port 22 pass?

If your IPs are in the same broadcast domain, you cannot block access to it. If your range is 192.168.1.0/24 then you cannot block traffic within that range on that VLAN.

Haven’t been aware of that. Apparently clients can use their ARP table to communicate purely on layer-2. Makes sense.

But then all rules of type X subnet to X subnet are useless. Then I do not even need a pass rule for that? I can just block private networks without allowing my own subnet?

How can you ensure client isolation then?
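To make the point of the two posts above concrete, here is an added example (it is not from the thread and not any poster's own rule set; the rule numbers, addresses and ports are constructed to resemble the setup described). It models pfSense-style first-match rule evaluation and, separately, the question of whether a packet ever reaches the router at all. A host talking to another host in its own subnet resolves the peer with ARP and sends the frame directly through the switch, so the router's interface rules, including a "block IOT subnet to NAS" rule, are never consulted for that traffic.

```python
"""Why a per-interface firewall rule cannot block traffic between two hosts
on the same VLAN: the frame is switched at layer 2 and never reaches the
router, so the rule set is never evaluated for it.

All rules, addresses and ports below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Rule:
    number: int
    action: str                       # "pass" or "block"
    src: str                          # source network in CIDR notation
    dst: str                          # destination network in CIDR notation
    ports: Optional[Set[int]] = None  # None means any destination port

# Constructed rule set in the spirit of the thread (not the poster's real rules):
IOT_NET = "10.168.10.0/24"
NAS = "10.168.10.100/32"
RULES = [
    Rule(1, "pass", IOT_NET, NAS, {445, 5000}),   # NAS file share / web UI only
    Rule(2, "block", IOT_NET, NAS),               # everything else to the NAS (SSH, admin)
    Rule(3, "block", IOT_NET, "10.0.0.0/8"),      # no other private networks
    Rule(4, "block", IOT_NET, "172.16.0.0/12"),
    Rule(5, "block", IOT_NET, "192.168.0.0/16"),
    Rule(6, "pass", IOT_NET, "0.0.0.0/0"),        # internet
]

def first_match(rules, src: str, dst: str, port: int) -> Optional[Rule]:
    """pfSense-style evaluation of interface rules: the first matching rule wins.
    Returns None when nothing matches (the implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r
    return None

def reaches_router(src_iface: str, dst: str) -> bool:
    """True only if dst lies outside the sender's own subnet; only then does the
    sender hand the packet to its gateway where the firewall can see it."""
    net = ipaddress.ip_interface(src_iface).network
    return ipaddress.ip_address(dst) not in net

def outcome(rules, src_iface: str, dst: str, port: int) -> Tuple[Optional[int], str]:
    """Effective result for a packet from a host (IP/prefix) to dst:port.
    Returns (matching rule number or None, human-readable result)."""
    if not reaches_router(src_iface, dst):
        return None, "delivered at layer 2, firewall never consulted"
    src_ip = str(ipaddress.ip_interface(src_iface).ip)
    r = first_match(rules, src_ip, dst, port)
    if r is None:
        return None, "blocked (default deny)"
    return r.number, "passed" if r.action == "pass" else "blocked"

if __name__ == "__main__":
    client = "10.168.10.50/24"   # constructed IoT client on the same VLAN as the NAS
    for dst, port in [("10.168.10.100", 22), ("10.168.10.100", 445),
                      ("192.168.1.5", 80), ("8.8.8.8", 443)]:
        print(f"{client} -> {dst}:{port}: {outcome(RULES, client, dst, port)}")
```

Running it shows the split the thread is about: if the router did see an IoT client's SSH attempt against the NAS, rule 2 would block it (first_match returns rule 2), but outcome() reports that a same-subnet packet is delivered at layer 2 without the firewall being consulted, while traffic to another VLAN or the internet does traverse the router and is decided by rules 3 to 6. The practical consequence for the question above is that isolation between hosts on one VLAN has to be enforced where the frames actually pass (switch-side port isolation or private VLANs, or a host firewall on the NAS itself), not in the router's interface rules.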

Maybe this will help.