Channel: MikroTik

Beginner Basics • Re: Inter-VLAN routing (unable to reach clients from VLAN)

The easy way to do this is to modify the concept of the default firewall setup, which is allow everything and block a few things, to block everything and allow only needed traffic.

Hence this (and in the right order):

(default rules to keep in the right order)
add action=fasttrack-connection chain=forward comment=" fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=" drop invalid" connection-state=invalid

(user rules for allowed traffic)
add action=accept chain=forward comment="internet" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Base Access" in-interface=BaseVlan out-interface-list=VLAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"


What I found confusing is your comment on VLANs not getting internet.
Your config didn't block any LAN to WAN traffic; it only blocked WAN to LAN traffic not involved in port forwarding.
The config provided allows all VLANs to access the internet, but not ether5, since it's not on the interface list VLAN.
The config provided blocks VLANs from each other, and so the rule allowing base to other VLANs was added.

Statistics: Posted by anav — Sat Dec 30, 2023 3:20 pm
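
Added example (not part of anav's post, and not MikroTik code): a simplified first-match simulation of the forward chain above, to check which flows the rule order lets through. The interface names vlan10, vlan20 and ether1 and the list membership are constructed assumptions; only BaseVlan, ether5 and the list names VLAN and WAN come from the post.

```python
import shlex

# Constructed list membership (assumption); the post only states ether5 is not in VLAN.
LISTS = {"VLAN": {"BaseVlan", "vlan10", "vlan20"}, "WAN": {"ether1"}}

# Forward-chain rules from the post, with line continuations joined.
RULES = r'''
add action=fasttrack-connection chain=forward comment=" fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment=" drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Base Access" in-interface=BaseVlan out-interface-list=VLAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
'''

def parse(text):
    # One dict of key=value properties per "add ..." line.
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    # Only the matchers used in the post are modelled; other keys are ignored.
    checks = {
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "connection-nat-state": lambda v: pkt.get("nat") == v,
        "in-interface": lambda v: pkt["in"] == v,
        "in-interface-list": lambda v: pkt["in"] in LISTS[v],
        "out-interface-list": lambda v: pkt["out"] in LISTS[v],
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(rules, pkt):
    for rule in rules:
        if matches(rule, pkt):
            if rule["action"] == "fasttrack-connection":
                continue  # marks the connection; the packet goes on to the next rule
            return rule["action"], rule["comment"].strip()
    return "accept", "end of chain"  # an empty or unmatched chain accepts

if __name__ == "__main__":
    rules = parse(RULES)
    flows = [("vlan10", "ether1"), ("vlan10", "vlan20"),
             ("BaseVlan", "vlan20"), ("ether5", "ether1"), ("ether1", "vlan10")]
    for src, dst in flows:  # constructed new-connection packets
        print(src, "->", dst, verdict(rules, {"state": "new", "in": src, "out": dst}))
```

Moving the "Drop all else" rule above any of the accept rules in `RULES` and re-running shows why the order matters: everything after it becomes unreachable for new connections.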


