Firewall Zones & Forwardings help

This is really confusing me so here's my firewall configuration:

I want lan and guest to access wan

I want lan to access guest
I want lan to access tfsi

I want guest NOT to access lan
I want guest NOT to access tfsi

Am I doing this right because I just can't get my head around this? I guess I don't fully understand the Zone => Forwardings but also the Input, Output and Forward.

What you have configured is correct.


Thank you. It would be really great if you could help me understand why this configuration is correct. What does it mean if it says REJECT after the =>, and what do input, output and forward mean? Like, what would forwarded traffic into lan look like, for example?

Zone is not allowed to forward to any other zone.

Ingress and egress traffic to/from the router from/to the zone. Forward is for interzone traffic, if a zone has two or more interfaces.

Okay, so does that mean that the forward rule only has an effect on the last rule (as that contains multiple zones)?

And where have I explicitly stated that guest cannot access lan & tfsi, and that it can only access wan?

No. The forward column relates to traffic between different interfaces in the same zone, not to traffic between zones.

By default zones cannot access each other. By adding a forward from guest to wan you've allowed access.

Sorry, I wanted to say intrazone traffic, not interzone, which is regulated with forwardings.

If you look a bit higher in the page, there are the default input/output/forward. The default forward is to reject.
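To make the rules above concrete, here is an added example (not from any poster in this thread and not the original poster's file): a constructed /etc/config/firewall in OpenWrt UCI syntax that meets the five requirements from the question, plus a small Python model of how a zone's input/output/forward policies, the `config defaults` section and explicit `config forwarding` entries combine to decide whether traffic is allowed. The parser, the zone names and the helper functions are assumptions made for this example.

```python
# Added example, not code from the thread or from OpenWrt itself.
# Models the zone semantics discussed above:
#   input   = new connections from the zone TO the router
#   output  = new connections from the router TO the zone
#   forward = new connections between networks INSIDE the same zone
#   config forwarding src->dest = new connections BETWEEN two zones
# Anything a zone does not set is inherited from 'config defaults'.

# CONSTRUCTED sample config for this example (not the poster's real file).
SAMPLE_UCI = """
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'tfsi'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'guest'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'guest'
config forwarding
    option src 'lan'
    option dest 'tfsi'
"""


def parse_uci(text):
    """Minimal parser for the 'config <type>' / 'option <key> <value>' subset used above."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append({"_type": line.split()[1]})
        elif line.startswith("option ") and sections:
            _, key, value = line.split(None, 2)
            sections[-1][key] = value.strip("'\"")
    return sections


def build_policy(sections):
    """Return (zones, forwardings): per-zone policies and the set of allowed zone pairs."""
    defaults = next(s for s in sections if s["_type"] == "defaults")
    zones = {s["name"]: {k: s.get(k, defaults[k]) for k in ("input", "output", "forward")}
             for s in sections if s["_type"] == "zone"}
    forwardings = {(s["src"], s["dest"]) for s in sections if s["_type"] == "forwarding"}
    return zones, forwardings


def forward_allowed(zones, forwardings, src, dst):
    """May a host in zone `src` open a NEW connection to a host in zone `dst`?
    Same zone: governed by that zone's own 'forward' policy (intrazone).
    Different zones: only if an explicit forwarding src->dest exists."""
    if src == dst:
        return zones[src]["forward"] == "ACCEPT"
    return (src, dst) in forwardings


def input_allowed(zones, zone):
    """May hosts in `zone` open connections to the router itself (ssh, LuCI, DNS, ...)?"""
    return zones[zone]["input"] == "ACCEPT"


def check_requirements(uci_text=SAMPLE_UCI):
    """Evaluate the requirements listed in the question; returns {requirement: satisfied}."""
    zones, fw = build_policy(parse_uci(uci_text))
    return {
        "lan->wan": forward_allowed(zones, fw, "lan", "wan"),
        "guest->wan": forward_allowed(zones, fw, "guest", "wan"),
        "lan->guest": forward_allowed(zones, fw, "lan", "guest"),
        "lan->tfsi": forward_allowed(zones, fw, "lan", "tfsi"),
        # Forwardings are one-way for new connections: lan->guest does not imply guest->lan.
        "guest->lan blocked": not forward_allowed(zones, fw, "guest", "lan"),
        "guest->tfsi blocked": not forward_allowed(zones, fw, "guest", "tfsi"),
        "guest->router blocked": not input_allowed(zones, "guest"),
    }


if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{name:24s} {'OK' if ok else 'FAIL'}")
```

Two things the model makes visible that the thread only states in passing: a forwarding only opens new connections in the src to dest direction (replies come back through connection tracking, so lan to guest does not let guest reach lan), and a guest zone with input REJECT also blocks guest clients from reaching the router for DHCP and DNS, so a real guest setup needs explicit `config rule` entries that accept those ports on the guest zone.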