VLAN200 (IoT) is supposed to have access to the internet and other devices on the same VLAN. But when I connect my phone to that VLAN, I’m still able to access devices in VLAN100.
By my understanding of the rules I’ve got set up, devices on this VLAN should have access to other devices on the same VLAN (10.20.0.0/22), time sync, DNS, access to private networks is BLOCKED (which should include the other VLANs), and anything remaining, which should only be the internet. 10.0.0.0/8 DOES include any IP address beginning with 10.x.x.x – correct?
For giggles, here is the list of rules for the Primary VLAN (the one containing the devices that the phone is accessing which it shouldn’t be able to access):
When my phone is on the IoT VLAN, it’s still able to access 10.10.0.10, 10.10.0.11 & 10.10.0.12 (mail server, NextCloud and Vaultwarden). All things I do not want the IoT devices having access to.
I almost forgot to say I even went so far as to put a block rule that specifically blocked those IP Addresses at the top of the list and was still able to access them.
I’m sorry if that came across as snarky – that wasn’t my intent, when I re-read it, it sounded snarky to me – I realize and appreciate that you’re just trying to help.
Please say you haven’t just turned off the firewall during some testing.
The above looks good, so please check this. If it’s off I need to find this fix; it should be an easy one.
Also, are you using floating rules? You don’t want to be doing that.
If you are, we can discuss moving away from this.
Also, I noticed you define your source within the VLAN IoT firewall listings; this is not required. You can use *, it’s cleaner. It also means that any IP routed, say, within your VLAN is also not permitted. (Hard to explain. Save a config, make the change and give it a go; you will see.)
Not as far as I know. When I rearranged rules trying to troubleshoot this, I wasn’t able to access the Internet when connected to the IoT network so I would have to say that it’s not turned off.
Nope. I’ve read that they can be dangerous so I never ventured into them.
If you’re referring to the first rule in the first image, someone else pointed that out and I’ve removed it. I had it in there to (try to) make it visually clear what was SUPPOSED to happen.
I’d be open to trying it – if I understood what you were suggesting that I change.
Saying that, the yellow note on my rule shows me that there is a group in play that is above these rules. That has all the DNS and NTP etc. in it. Items that would need to be used by all, basically.
And again, you said you don’t think the firewall setting is off, and nothing about the IPv6, but take a moment to review and confirm, please.
I’ve just been back through the post; I would complete the following if you have not already.
Remove any rules that allow the source network of itself to itself (the top line that was noted to remove – but for all networks)
Remove any rules that use the ! (NOT) for filtering, for what you are doing this isn’t required
Turn off IPv6 as suggested. (You can look to turn it back on after; just get IPv4 running first.)
In IoT, remove the source fields from the remaining lines (like my example above, you only need two at this time: BLOCK RFC1918 and PERMIT all).
Your BLOCK rule has touched traffic, so I would like to see what that is.
To find out what that rule is doing, you take the ID and search results in the firewall logs. Maybe test accessing something you shouldn’t be able to.
You can also do this on the permit rule and then tell it to create a block rule. This will be handy to see where it puts it, and you can build from that. OR, if you tell it to block and traffic still works, then it’s not the rules; it’s the main config / NAT.
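As an added example (not from any post in this thread), a first-match model of the IoT VLAN rule set the original poster described, evaluated against the flow in question (phone on the IoT VLAN to the NextCloud host), and then again with a permit-any rule sitting above it, as a rule group or floating rule evaluated first would. The addresses, ports and rule names are constructed; the model assumes pfSense-style top-down, first-match evaluation with a default deny.

```python
# Added example: a first-match model of the IoT VLAN rules described in
# the thread. Addresses, ports and rule names are constructed for illustration.
import ipaddress

ANY = None  # wildcard source/destination/protocol/port, like "*" in the rule table

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_VLAN = [ipaddress.ip_network("10.20.0.0/22")]


def in_any(addr, nets):
    """True when the field is a wildcard or addr falls inside one of nets."""
    return nets is ANY or any(addr in n for n in nets)


def first_match(rules, src, dst, proto, dport):
    """Evaluate top to bottom; the first matching rule wins, no match = default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, r_src, r_dst, r_proto, r_port in rules:
        if (in_any(src, r_src) and in_any(dst, r_dst)
                and r_proto in (ANY, proto) and r_port in (ANY, dport)):
            return name, action
    return "default", "block"


# (name, action, source nets, destination nets, protocol, destination port)
IOT_RULES = [
    ("same-vlan",     "pass",  ANY, IOT_VLAN, ANY,   ANY),
    ("dns",           "pass",  ANY, ANY,      "udp", 53),
    ("ntp",           "pass",  ANY, ANY,      "udp", 123),
    ("block-rfc1918", "block", ANY, RFC1918,  ANY,   ANY),
    ("internet",      "pass",  ANY, ANY,      ANY,   ANY),
]


def phone_to_nextcloud(rules=IOT_RULES):
    """Constructed flow: phone 10.20.0.50 on the IoT VLAN opening HTTPS to 10.10.0.11."""
    return first_match(rules, "10.20.0.50", "10.10.0.11", "tcp", 443)


def with_broad_permit_above(rules=IOT_RULES):
    """Same flow when a permit-any rule sits above the VLAN rules (group or floating tab)."""
    return first_match([("group-permit", "pass", ANY, ANY, ANY, ANY)] + rules,
                       "10.20.0.50", "10.10.0.11", "tcp", 443)


if __name__ == "__main__":
    print(ipaddress.ip_address("10.10.0.10") in RFC1918[0])  # True: 10.x.x.x is inside 10.0.0.0/8
    print(phone_to_nextcloud())        # ('block-rfc1918', 'block')
    print(with_broad_permit_above())   # ('group-permit', 'pass')
```

If the written rules yield a block here but the real device still connects, the cause is above or outside this rule list (an earlier group or floating rule, IPv6, or NAT), which is where the replies in this thread point.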