Going by the rules above, the only traffic that should be allowed to access the tfsi subnet is the IPs 192.168.0.11 & .22 & .33. However, when both rules are enabled as they are, all traffic is blocked to tfsi from everywhere. If I change the source zone in the "Block all TFSI" rule to "lan", the rules then work as expected. Why is this? I'd rather have it that just those 3 IPs from lan are allowed to access tfsi but everything else is blocked.
The firewall will stop processing once it finds a match. If you put the general block first, it will take action there and stop; it will not continue to the next rule.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
The problem is the scoping. Rules with "any zone" as source will be processed earlier in the hierarchy than rules with a specific source zone, regardless of the config order. Try changing the accept rule source to "any zone" as well; the source IP limitation should be sufficient.
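As an added illustration (not a config posted by anyone in this thread), here are the two rules in /etc/config/firewall syntax, first as the question describes them and then with the accept rule's source widened to "any zone" as the reply suggests. The zone names, the three addresses and the "Block all TFSI" name come from the thread; the accept rule's name and the REJECT target are assumptions.

```uci
# Constructed example of /etc/config/firewall rule stanzas.
# Zone 'lan', zone 'tfsi' and the three source addresses come from the thread;
# the accept rule's name and the REJECT target (it could equally be DROP) are assumed.

# --- Before: accept rule scoped to zone 'lan', block rule scoped to 'any zone' ('*').
# The '*'-scoped block is evaluated before any lan-scoped rule, so the accept never fires
# and nothing reaches tfsi, which matches the behaviour reported in the question.
config rule
	option name 'Allow TFSI admins'
	option src 'lan'
	list src_ip '192.168.0.11'
	list src_ip '192.168.0.22'
	list src_ip '192.168.0.33'
	option dest 'tfsi'
	option target 'ACCEPT'

config rule
	option name 'Block all TFSI'
	option src '*'
	option dest 'tfsi'
	option target 'REJECT'

# --- After: both rules use 'any zone' as source, so they sit at the same level and are
# evaluated in config order: the address-limited accept first, then the catch-all block.
# The src_ip list still restricts the accept to the three hosts.
config rule
	option name 'Allow TFSI admins'
	option src '*'
	list src_ip '192.168.0.11'
	list src_ip '192.168.0.22'
	list src_ip '192.168.0.33'
	option dest 'tfsi'
	option target 'ACCEPT'

config rule
	option name 'Block all TFSI'
	option src '*'
	option dest 'tfsi'
	option target 'REJECT'
```

Apply with `/etc/init.d/firewall restart` and confirm the resulting rule order with `nft list ruleset` (fw4) or `iptables -L FORWARD -v` (fw3); the accept should appear ahead of the block, and a fourth lan host should still be refused.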