Can't use "any zone" as source zone in Traffic Rules

nickshanks347 · May 10, 2023, 11:12pm

So I have my lan subnet 192.168.0.0/24 and I have my tfsi subnet (wireguard interface) 10.13.13.0/24. I have setup two rules:

Going by the rules above, the only traffic that should be allowed to access the tfsi subnet is the IPs 192.168.0.11 & .22 & .33. However when both rules are enabled as they are, all traffic is blocked to tfsi from everywhere. If I change the source zone in the "Block all TFSI" rule to "lan" the rules then work as expected. Why is this? I'd rather have it that just those 3 IPs from lan are allowed to access tfsi but everything else is blocked.

VA1DER · May 11, 2023, 12:00am

Try reordering the rules so the specific allow is after the general block.

psherman · May 11, 2023, 12:21am

This won't work...

The firewall will stop processing once it finds a match. If you put the general block first, it will take action there and stop.. it will not continue the next rule.

@nickshanks347 - can we see your complete config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

jow · May 11, 2023, 7:12am

The problem is the scoping. Rules with „any zone“ as source will be processed earlier in the hierarchy than rules with a specific source zone, regardless of the config order. Try changing the accept rule source to „any zone“ as well, the source ip limitation should be sufficient.

trendy · May 11, 2023, 9:17am

The block all rule is not even needed with the default reject setting in policy forward.

system · July 8, 2023, 1:32pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.