in particular... the wireless side of things... I'm not convinced yours is fully set up and this will complicate things...
(when you get to the 'INPUT' rules... in your case the MQTT side of things is 'FORWARD' and how you structure them will depend on the default policy for the ZONE)
in your case you will need 'forwarding' to IOT<=>lan (not wan)... and then the additional rules... to allow what you want then disallow the rest...
it is much easier testing first-time setups of these ZONE isolations;
purely over wired... and
on VM's if need be...
without other zones floating around to confuse you
until you have grasped the concepts...
I don't understand this so far; I tried your tutorial.
I want only to disable all and just enable traffic from a specified port to a specified IP.
this shouldn't be that hard, or is it possible to disallow all except 1 port via traffic rules? I don't want to set up traffic rules for every protocol that exists.
this is clear... and you have provided most of the info to help... ( MQTT conf access lists? routing table of MQTT server? )
all I was doing was trying to get that information and clarify what the purpose of each 'step' is, in a general sense... and highlight that the simpler you make your setup... then the easier it is to test such things...
( I think your wireless config is potentially incorrect... no amount of firewall rules will correct this )
I'm sure someone will be able to give you some more specific answers... ( can take time )...
nothing, no access list. the MQTT server starts on TCP port 1884; it's a built-in function of the server.
I only use IP, login, password on all my MQTT devices. and it works.
if they are in the same wlan/firewall, called "lan" above
great! I'm setting up what you're trying to do now... so if nobody spots the issue with your firewall (and your APs are all set up correctly)... I can provide you with some working config once I'm done...
not saying this is perfect or correct... but you can see the default ZONE policy is to ACCEPT input and output... this should take care of dhcp/dns (aka services direct from the router)... ( I do not show this part of the setup )
you may need other REJECT rules on the router(input) or totally different rules if you use another default policy... ( see NOTE1 )
I then create two rules to allow the MQTT traffic in both directions... (adding only the actual IP of the server would make these rules more secure)
most wiki guides either rely on setting up ZONE<>ZONE forwardings or leveraging existing ZONES... this will typically require you to block the stuff you do not want... the example above is the opposite... forwarding is disallowed and we ALLOW what we want for FORWARDING only... I have not tested this yet... but it shows how forwarding and zone policy is critical to how your rules are structured...
and here you can see those rules having been applied as FORWARD rules...
if you do it the other way around and add iotnowan<->lan zone forwarding by default... (but still want a 'permissive' ruleset) you need a final rule at the bottom which will REJECT...
here I invert the earlier PERMIT rule... and use it as the FINAL REJECT: allow if MQTT || REJECT everything else ( hitting forward_iotnomqqt->lan || forward_lan->iotnomqqt )
by default the above probably won't work... check the default policies... lan>iot is ok... but iot>lan is still set up as REJECT forwarding by default... so I either need to change that... or make an ACCEPT rule in that direction...
most guides will allow all traffic in one direction... so the policy need only be applied in the other... ( the lan->iot rule can be removed in this case as the default forward policy is accept and all other traffic enforcement can be done on the other side )
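An added model, not code from this thread and not OpenWrt's own firewall code, that simulates the evaluation order both layouts above depend on: the deny-by-default layout (no zone forwardings, explicit ACCEPT rules for MQTT only) and the permissive layout (zone forwardings plus an ACCEPT for MQTT followed by a final REJECT). It assumes the simplified fw3/fw4 order for new forwarded connections: traffic rules are matched first, in config order, first match wins; if none matches, an inter-zone forwarding accepts; otherwise the default forward policy (REJECT) applies. Replies from the broker are assumed to return via connection tracking, so only the iot->lan direction is modelled for the MQTT session itself. The zone names lan/iot and port 1884 come from the thread; the broker address, the second host, and the rule names are constructed.

```python
# Added model (not OpenWrt code): simulates how an OpenWrt-style zone firewall
# decides FORWARD traffic, so the two rule layouts in the thread can be compared.
# Order assumed: traffic rules first (config order, first match wins), then
# inter-zone 'forwarding' sections, then the default forward policy (REJECT).
from dataclasses import dataclass, field
from typing import Optional

BROKER_IP = "192.168.1.10"   # constructed: MQTT server living in the lan zone
MQTT_PORT = 1884             # port quoted in the thread


@dataclass
class Rule:
    name: str
    src: str
    dest: str
    target: str                          # "ACCEPT" or "REJECT"
    proto: Optional[str] = None          # None matches any protocol
    dest_port: Optional[int] = None      # None matches any port
    dest_ip: Optional[str] = None        # None matches any destination host

    def matches(self, src, dest, proto, dport, dip):
        return (self.src == src and self.dest == dest
                and (self.proto is None or self.proto == proto)
                and (self.dest_port is None or self.dest_port == dport)
                and (self.dest_ip is None or self.dest_ip == dip))


@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    forwardings: set = field(default_factory=set)   # {(src_zone, dest_zone)}
    default_forward: str = "REJECT"

    def forward_verdict(self, src, dest, proto, dport, dip):
        """Return (verdict, reason) for a new forwarded connection."""
        for r in self.rules:                      # rules win over forwardings
            if r.matches(src, dest, proto, dport, dip):
                return r.target, r.name
        if (src, dest) in self.forwardings:       # zone-to-zone forwarding
            return "ACCEPT", f"forwarding {src}->{dest}"
        return self.default_forward, "default forward policy"


# Narrow allow rule: only TCP to the broker's port on the broker's own address.
MQTT_ALLOW = Rule("allow_iot_mqtt", "iot", "lan", "ACCEPT",
                  proto="tcp", dest_port=MQTT_PORT, dest_ip=BROKER_IP)


def deny_by_default():
    """Layout 1: no zone forwardings, so only explicitly ACCEPTed traffic
    passes. lan->iot stays REJECT until a rule or forwarding is added."""
    return Firewall(rules=[MQTT_ALLOW])


def permissive_with_final_reject():
    """Layout 2: forwardings in both directions, then ACCEPT for MQTT and a
    catch-all REJECT for everything else iot->lan. lan->iot is left open."""
    catch_all = Rule("reject_iot_to_lan", "iot", "lan", "REJECT")
    return Firewall(rules=[MQTT_ALLOW, catch_all],
                    forwardings={("lan", "iot"), ("iot", "lan")})


def permissive_misordered():
    """Layout 2 with the REJECT listed before the ACCEPT: first match wins,
    so the MQTT session never reaches its allow rule."""
    fw = permissive_with_final_reject()
    fw.rules.reverse()
    return fw


def verdict(fw, src, dest, proto, dport, dip):
    """Verdict only, for quick checks."""
    return fw.forward_verdict(src, dest, proto, dport, dip)[0]


if __name__ == "__main__":
    flows = [("iot", "lan", "tcp", MQTT_PORT, BROKER_IP),      # MQTT to broker
             ("iot", "lan", "tcp", 22, BROKER_IP),             # ssh to broker host
             ("iot", "lan", "tcp", MQTT_PORT, "192.168.1.20"), # 1884 on other host
             ("lan", "iot", "tcp", 80, "192.168.30.5")]        # lan managing iot
    for label, fw in [("deny-by-default", deny_by_default()),
                      ("permissive + final reject", permissive_with_final_reject()),
                      ("permissive, misordered", permissive_misordered())]:
        print(label)
        for flow in flows:
            print("  ", flow, "->", fw.forward_verdict(*flow))
```

Running it prints one verdict table per layout; the misordered variant is the failure mode worth checking on a real box after editing rules in LuCI, since a REJECT that sorts above its ACCEPT silently blocks the traffic you meant to allow.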