Looking for a tool to make sure all traffic is going where intended, is being blocked where intended, and is not leaking data where it shouldn't.
I have VLANs 10, 20, 30 and 40.
LAN has a rule that lets it access all 4 VLANs; VLAN 10 and 20 are in the lan firewall zone, VLAN 30 and 40 are in the custom-created iso zone.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'vlan10'
    list network 'vlan20'

config zone
    option name 'iso'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'vlan30'
    list network 'vlan40'
2 forwardings and 2 custom rules were created:

config forwarding
    option src 'iso'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iso'

VLAN 30 and 40 are in the iso zone and have the following custom rules:
# because I have REJECT set up on input, this rule allows internet traffic in
config rule
    option name 'iso-dhcp-dns'
    option src 'iso'
    option dest_port '53 67'
    option target 'ACCEPT'

# this rule allows IPv6 access to the iso zone (I'm not fully confident on why, but I know if I remove it, IPv6 stops working in iso)
config rule
    option name 'Allow-ICMPv6-Input-iso'
    option src 'iso'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
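As an added example (my own script, not from the post or from the OpenWrt project), here is a small Python tool that reads the UCI firewall syntax shown above and prints the policy the config *intends*: for every pair of zones, whether forwarded traffic is allowed, and for a given zone/protocol/port, whether traffic to the router itself (the INPUT chain) is allowed. Comparing that table against real probes from a host in each VLAN (ping/nc to another VLAN, to the router, and out to the internet) is the check the post asks for: any cell where the probe result disagrees with the table is a rule to investigate. The `wan` zone, the `defaults` section and the lan-to-wan forwarding are assumptions, since the post does not show them, and the lan-to-iso forwarding is written with `dest`. The script models zone policies, forwardings and plain input rules only; rule ordering, port-specific forward rules, `icmp_type` lists and `limit` are not modelled.

```python
"""Derive the intended zone-to-zone policy from an OpenWrt UCI firewall config.

Added example, not part of the original post. Parses the minimal UCI syntax
of /etc/config/firewall (config / option / list lines) and reports the
forward verdict for every zone pair plus the input verdict for a given
zone, protocol and port. Compare the output with real probes from each VLAN.
Not modelled: rule ordering, port-specific forward rules, icmp_type, limit.
"""

# Constructed sample: the zones, forwardings and rules from the post, plus an
# assumed 'defaults' section, 'wan' zone and lan->wan forwarding (not shown
# in the post, but present in any working OpenWrt firewall).
SAMPLE_CONFIG = """
config defaults
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'vlan10'
    list network 'vlan20'

config zone
    option name 'iso'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'vlan30'
    list network 'vlan40'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'iso'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iso'

config rule
    option name 'iso-dhcp-dns'
    option src 'iso'
    option dest_port '53 67'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input-iso'
    option src 'iso'
    option proto 'icmp'
    option family 'ipv6'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value | [values]}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        kw, key = parts[0], parts[1]
        val = parts[2].strip().strip("'\"") if len(parts) > 2 else ''
        if kw == 'config':
            sections.append((key, {}))
        elif kw == 'option':
            sections[-1][1][key] = val
        elif kw == 'list':
            sections[-1][1].setdefault(key, []).append(val)
    return sections


def _split(sections):
    """Group parsed sections into zones, forwardings, rules and defaults."""
    zones, fwds, rules, defaults = {}, set(), [], {}
    for stype, s in sections:
        if stype == 'zone':
            zones[s['name']] = s
        elif stype == 'forwarding':
            fwds.add((s.get('src'), s.get('dest')))
        elif stype == 'rule':
            rules.append(s)
        elif stype == 'defaults':
            defaults = s
    return zones, fwds, rules, defaults


def forward_verdict(sections, src, dst):
    """Verdict for a host in zone `src` reaching a host in zone `dst`."""
    zones, fwds, _, defaults = _split(sections)
    if src == dst:                       # between networks of one zone: zone 'forward' policy
        return zones[src].get('forward', 'DROP')
    if (src, dst) in fwds:               # explicit forwarding section opens the pair
        return 'ACCEPT'
    return defaults.get('forward', 'DROP')   # otherwise the global default applies


def forward_matrix(sections):
    zones = _split(sections)[0]
    return {(s, d): forward_verdict(sections, s, d) for s in zones for d in zones}


def input_verdict(sections, zone, proto='tcp', port=None, family='ipv4'):
    """Verdict for traffic from `zone` to the router (INPUT): rules without
    `dest` apply here; first match wins, else the zone's input policy."""
    zones, _, rules, _ = _split(sections)
    for r in rules:
        if r.get('src') != zone or 'dest' in r or r.get('enabled') == '0':
            continue
        protos = r.get('proto', 'tcp udp')           # UCI default is tcp+udp
        if proto not in (protos if isinstance(protos, list) else protos.split()):
            continue
        if 'family' in r and r['family'] != family:
            continue
        ports = r.get('dest_port', '').split()
        if ports and str(port) not in ports:
            continue
        return r.get('target', 'DROP')
    return zones[zone].get('input', 'DROP')


if __name__ == '__main__':
    cfg = parse_uci(SAMPLE_CONFIG)
    for (s, d), v in sorted(forward_matrix(cfg).items()):
        print(f'forward {s:>4} -> {d:<4} {v}')
    print('input iso udp/53 :', input_verdict(cfg, 'iso', 'udp', 53))
    print('input iso tcp/22 :', input_verdict(cfg, 'iso', 'tcp', 22))
```

To use it on a real router, replace `SAMPLE_CONFIG` with the contents of `/etc/config/firewall` (or pipe `uci export firewall` through it) and then probe each cell of the printed matrix from a host in the matching VLAN. The table is the intent; only the probes show what the box actually does.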