Hello!
I have three subnets: S_n=192.168.n.0/24, where n=1, 2, 3, and clients of S_2 and S_3 shouldn't see anything outside their own subnet. Clients of S_1 can see the others. Each subnet belongs to an interface, I_n, n=1,2,3.
Now, I thought it should be taken care of by setting up three firewall zones, one for each interface, say F_n. Say "students" is F_3 (and I_3 is its interface):
```
# /etc/config/firewall: zone for the students interface (I_3)
config zone
	option name 'students'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'students'

# the only inter-zone forwarding allowed from students
config forwarding
	option src 'students'
	option dest 'wan'
```
Then the only allowed outbound forwarding is "wan", so the clients in S_3 shouldn't be able to see anything on S_1 and S_2.
But it seems it's not working that way. If I just leave it and get onto S_3, then use an IP scanner to browse S_2, I can see the names of the devices on S_2. The separation is realized only after I put in a traffic rule:
```
# traffic rule: drop everything forwarded from students to any RFC 1918 192.168/16 address
config rule
	option name 'Students don'\''t see the others'
	option src 'students'
	option dest '*'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.0.0/16'
```
Then I can't see the device on S_2 from S_3 anymore.
I don't understand why the first general rule about forwarding only to wan was not sufficient.
Another question is, if I have this traffic rule, suppose a client on my net is using WireGuard or whatever to access his own network at home, where the subnet is 192.168.n.0/24. Is my rule blocking him from browsing his own home network?
I would appreciate it if someone could please explain that to me.
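To make the two questions checkable on paper, here is an added example (not code from the post or from OpenWrt) that parses UCI-style firewall stanzas and predicts the FORWARD verdict the fw3/fw4 zone model gives a flow: explicit traffic rules first, then forwarding stanzas, then the zone's own forward policy for same-zone traffic, then the global default. Only the 'students' zone and its DROP rule are taken from the post; the 'lan', 'zone2' and 'wan' stanzas, the zone names, the subnet-to-zone table and all sample addresses are assumptions. It evaluates the S_3 scan of S_2 with and without the DROP rule, and a WireGuard handshake from S_3 to a public endpoint, where the rule only ever sees the outer UDP destination, not the 192.168.n.0/24 addresses carried inside the tunnel.

```python
"""Predict an OpenWrt fw3/fw4 FORWARD verdict for sample flows (added example,
not code from the original post).  Only the 'students' zone and its DROP rule
are from the post; the other stanzas, zone names and addresses are assumptions."""
import ipaddress
import re

UCI_FIREWALL = r"""
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option forward 'ACCEPT'
config zone
    option name 'zone2'
    option forward 'REJECT'
config zone
    option name 'students'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'students'
config zone
    option name 'wan'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'zone2'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'students'
    option dest 'wan'
config rule
    option name 'Students don'\''t see the others'
    option src 'students'
    option dest '*'
    option target 'DROP'
    list proto 'all'
    list dest_ip '192.168.0.0/16'
"""
# Assumption: the subnet behind each zone's interface (S_1..S_3 in the post).
ZONE_SUBNETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "zone2": ipaddress.ip_network("192.168.2.0/24"),
    "students": ipaddress.ip_network("192.168.3.0/24"),
}
SECTION_RE = re.compile(r"^\s*config\s+(\S+)")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Return [{'type', 'options', 'lists'}, ...] in file order."""
    sections = []
    for line in text.strip().splitlines():
        if m := SECTION_RE.match(line):
            sections.append({"type": m.group(1), "options": {}, "lists": {}})
        elif (m := OPTION_RE.match(line)) and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
        else:
            raise ValueError(f"unparsable line: {line!r}")
    return sections


def zone_of(ip):
    """Anything not on a local subnet leaves through the default route, i.e. wan."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONE_SUBNETS.items() if addr in net), "wan")


def forward_verdict(sections, src_ip, dst_ip, proto):
    """Return (target, reason) for a packet the router would forward."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    daddr = ipaddress.ip_address(dst_ip)
    for s in sections:  # 1. explicit traffic rules, first match wins
        o, l = s["options"], s["lists"]
        if s["type"] != "rule" or "dest" not in o:  # rules without dest hit INPUT
            continue
        if o.get("src", "*") not in ("*", src_zone) or o["dest"] not in ("*", dst_zone):
            continue
        protos = l.get("proto", [o.get("proto", "all")])
        if "all" not in protos and proto not in protos:
            continue
        # dest_ip is matched on the outer IP header only; tunnel payloads are opaque here
        if "dest_ip" in l and not any(daddr in ipaddress.ip_network(n) for n in l["dest_ip"]):
            continue
        return o["target"], f"rule {o.get('name', '?')!r}"
    for s in sections:  # 2. explicit inter-zone forwarding
        if s["type"] == "forwarding" and (s["options"]["src"], s["options"]["dest"]) == (src_zone, dst_zone):
            return "ACCEPT", f"forwarding {src_zone}->{dst_zone}"
    if src_zone == dst_zone:  # 3. traffic staying inside one zone
        zone = next(s for s in sections if s["type"] == "zone" and s["options"]["name"] == src_zone)
        return zone["options"].get("forward", "REJECT"), f"zone {src_zone!r} forward policy"
    default = next((s for s in sections if s["type"] == "defaults"), {"options": {}})
    return default["options"].get("forward", "REJECT"), "defaults forward policy"  # 4.


def without_students_rule(sections):
    """Same config with the post's DROP rule removed: zones and forwardings only."""
    return [s for s in sections if not (s["type"] == "rule" and s["options"].get("src") == "students")]


if __name__ == "__main__":
    cfg = parse_uci(UCI_FIREWALL)
    flows = [  # constructed sample flows: (src, dst, proto)
        ("192.168.3.20", "192.168.2.10", "tcp"),  # scanner on S_3 probing a host on S_2
        ("192.168.3.20", "198.51.100.7", "tcp"),  # S_3 client browsing the internet
        ("192.168.3.20", "203.0.113.5", "udp"),   # WireGuard handshake to a public endpoint
        ("192.168.1.5", "192.168.2.10", "tcp"),   # S_1 reaching S_2, which the post allows
    ]
    for src, dst, proto in flows:
        print(f"{src} -> {dst}/{proto}: zones only {forward_verdict(without_students_rule(cfg), src, dst, proto)},"
              f" with DROP rule {forward_verdict(cfg, src, dst, proto)}")
```

Under this model the zone config alone already yields REJECT for S_3 to S_2, because no forwarding stanza joins those zones; the DROP rule changes the verdict from REJECT to DROP rather than from allowed to blocked. The WireGuard flow is accepted either way: its destination is the endpoint's public address, so `dest_ip '192.168.0.0/16'` never matches it, and the home-network addresses inside the tunnel are never inspected by the forward chain.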