Block an IP from internet but not macvlan

I have a strange case here. I have a device that I wish to block from using the internet. Therefore I blocked it in the firewall. It works. But if I block it that way, my Docker container, which has an IP via macvlan, also seems to be blocked from the internet.
Is there a way to allow them?

So how did you block it in the firewall to begin with?


Network -> Firewall -> Traffic rules
Protocol: Any
Source-Zone: Any
Source-Address: 192.168.10.50/32
Destination-Zone: WAN
Destination-Address: -
Action: reject

(Translated from German)

It is a zone based firewall so ‘any zone’ becomes an output reject rule.
You are trying to do a forward reject rule, and that is only defined with zone to zone, which you can fine-tune with an IP address in the zones.
So you must define what zone the IP address is living in.

A zone is a zone; an IP address is one interface or device, or many interfaces, in a zone.

You don’t really need the /32 since you have defined the complete IP address.
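As an added illustration (not part of any post in this thread), here is the traffic rule posted above as it is stored in /etc/config/firewall on OpenWrt, once in the form LuCI saves for "Source zone: Any" and once with the source zone named explicitly. The rule names and the zone name 'lan' are assumptions about this router's setup:

```uci
# Added illustration, not from the thread. Rule names and the zone
# name 'lan' are assumed; adjust them to the router's actual zones.

# Variant 1: what "Source zone: Any" is saved as. fw4 reads '*' as "any zone".
config rule
	option name 'Reject-NAS-to-WAN-anyzone'
	option src '*'
	option src_ip '192.168.10.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# Variant 2: the same rule with the source zone named explicitly, so it can
# only match traffic forwarded from the lan zone towards the wan zone.
config rule
	option name 'Reject-NAS-to-WAN'
	option src 'lan'
	option src_ip '192.168.10.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Either way the match is on src_ip 192.168.10.50 alone, so packets from the container's 192.168.10.51 can only be caught by it if they reach the router carrying .50 as their source, which is exactly what the tcpdump check later in this thread is meant to settle. On a fw4 router, `fw4 print` shows the nftables rules that are generated from these stanzas, which is the quickest way to confirm which chain (forward or output) a rule ended up in.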

That's wrong, the any zone acts as a forwarding rule. It would have to be the Device in order to be an output rule.

On which system is the docker container running? OpenWrt? On the device you wish to block from the internet?
What IP does it get?

OpenWrt Router -> Synology NAS (docker) -> macvlan -> Portainer

And which IP does the Portainer use?

Router: 192.168.10.1
Synology NAS: 192.168.10.50
Portainer: 192.168.10.51

Are you sure that the .51 is reaching the OpenWrt and is not NATed to .50?
Run a tcpdump and try to initiate some traffic from portainer.
tcpdump -i any -n host 192.168.10.51

tcpdump works and floods the output, but what data should I look for?
I tried tcpdump on the NAS and on the router. And I'm not able to interpret the output.
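One way to make the flood of tcpdump output answer the question asked above (does .51 show up as a source towards the internet, or does everything leave as .50?) is to boil it down to a per-flow count. This is an added example, not something posted in the thread; the tcpdump lines in SAMPLE are constructed to look like `tcpdump -n` output and the addresses 93.184.216.34 and 8.8.8.8 are placeholders for arbitrary internet hosts:

```shell
#!/bin/sh
# Added example (not from the thread): summarise tcpdump -n output per flow.
# Only IPv4 "IP a.b.c.d[.port] > e.f.g.h[.port]:" lines are parsed; IPv6
# ("IP6") lines are ignored.

# Constructed sample of what tcpdump -n prints; not a real capture.
SAMPLE='15:01:02.000001 IP 192.168.10.51.40000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
15:01:02.000002 IP 192.168.10.50.40001 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
15:01:02.000003 IP 192.168.10.51 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
15:01:02.000004 IP 192.168.10.1.53 > 192.168.10.51.33333: 1234 1/0/0 A 93.184.216.34 (49)'

# flow_summary: read tcpdump lines on stdin, print "src dst count", sorted.
flow_summary() {
    LC_ALL=C sed -nE 's/.* IP ([0-9.]+) > ([0-9.]+):.*/\1 \2/p' |
    LC_ALL=C awk '{
        src = $1; dst = $2
        # tcpdump appends ".port" for TCP/UDP, giving 5 dotted fields; drop it.
        if (split(src, a, ".") == 5) src = a[1] "." a[2] "." a[3] "." a[4]
        if (split(dst, b, ".") == 5) dst = b[1] "." b[2] "." b[3] "." b[4]
        n[src " " dst]++
    }
    END { for (k in n) print k, n[k] }' |
    LC_ALL=C sort
}

# wan_sources PREFIX: source addresses seen talking to destinations that do
# not start with PREFIX (the LAN), i.e. the addresses the router actually
# sees heading out. If only .50 appears here, .51 is being NATed behind it.
wan_sources() {
    flow_summary |
    LC_ALL=C awk -v lan="$1" 'index($2, lan) != 1 { s[$1]++ } END { for (k in s) print k }' |
    LC_ALL=C sort
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | flow_summary
echo "sources seen towards the internet:"
printf '%s\n' "$SAMPLE" | wan_sources 192.168.10.
```

On the router this would be fed live, e.g. `tcpdump -i any -n -l host 192.168.10.51 | flow_summary` (`-l` makes tcpdump line-buffered so the pipe updates as packets arrive). Run the same thing on the NAS and on the router while the container fetches something: if the NAS capture shows .51 as source but the router only ever sees .50, the NAS is translating the container's traffic and the reject rule on .50 necessarily hits it too.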

Can we have a look at the output of tcpdump?