Can't use "any zone" as source zone in Traffic Rules

So I have my lan subnet 192.168.0.0/24 and I have my tfsi subnet (wireguard interface) 10.13.13.0/24. I have set up two rules:

Going by the rules above, the only traffic that should be allowed to access the tfsi subnet is the IPs 192.168.0.11 & .22 & .33. However when both rules are enabled as they are, all traffic is blocked to tfsi from everywhere. If I change the source zone in the "Block all TFSI" rule to "lan" the rules then work as expected. Why is this? I'd rather have it that just those 3 IPs from lan are allowed to access tfsi but everything else is blocked.

Try reordering the rules so the specific allow is after the general block.

This won't work...

The firewall will stop processing once it finds a match. If you put the general block first, it will take action there and stop; it will not continue to the next rule.

@nickshanks347 - can we see your complete config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

The problem is the scoping. Rules with "any zone" as source will be processed earlier in the hierarchy than rules with a specific source zone, regardless of the config order. Try changing the accept rule source to "any zone" as well; the source IP limitation should be sufficient.


The block all rule is not even needed with the default reject setting in policy forward.
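To make the scoping point and the zone-policy point concrete, here is a constructed /etc/config/firewall fragment (an added example, not the poster's actual config) showing the original arrangement beside the corrected one. Rule names, the zone definition and the use of `proto 'all'` are assumptions; the subnets and host IPs are the ones given in the question.

```uci
# /etc/config/firewall (constructed fragment, not the thread author's config)

config zone
	option name 'tfsi'
	list network 'tfsi'
	option input 'REJECT'
	option output 'ACCEPT'
	# Forwarded traffic into this zone is rejected unless a rule accepts it,
	# which is why an explicit "block all" rule is not needed.
	option forward 'REJECT'

# --- Original arrangement (does not work as intended) ---
# The REJECT rule uses src '*' ("any zone"), so the firewall evaluates it
# before any zone-specific rule, and the lan-scoped ACCEPT is never reached.
config rule
	option name 'Allow 3 hosts to TFSI'
	option src 'lan'
	list src_ip '192.168.0.11'
	list src_ip '192.168.0.22'
	list src_ip '192.168.0.33'
	option dest 'tfsi'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option name 'Block all TFSI'
	option src '*'
	option dest 'tfsi'
	option proto 'all'
	option target 'REJECT'

# --- Corrected arrangement ---
# The ACCEPT also uses src '*', so both rules sit at the same level and the
# config order applies; the src_ip list still limits it to the three hosts.
# With the zone's forward policy set to REJECT the block rule can be dropped.
config rule
	option name 'Allow 3 hosts to TFSI'
	option src '*'
	list src_ip '192.168.0.11'
	list src_ip '192.168.0.22'
	list src_ip '192.168.0.33'
	option dest 'tfsi'
	option proto 'all'
	option target 'ACCEPT'
```

After editing, apply with `/etc/init.d/firewall restart` and confirm from a host that is not in the list that it is rejected while 192.168.0.11 still reaches 10.13.13.0/24.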