Same subnet/vlan traffic blocked when crossing ports

Comments

10 comments

  •
    Support Team

    Yes, this is expected.

    If you want to allow same-VLAN traffic, you may need to change rules to block only other networks.

  •
    David Rothenberger

    > Yes, this is expected.
    >
    > If you want to allow same-VLAN traffic, you may need to change rules to block only other networks.

    What is the rationale for this behavior? I find it very counter-intuitive, and I can't think of a reason I'd want rules to apply to same-VLAN traffic across ports.

    It might be expected, but it still seems like a bug to me.

  •
    Firewalla

    For this particular rule "Block traffic from and to all local networks"

    Firewalla can only implement this based on what it sees. For example, if you have devices on the same LAN and ask the system to block traffic from local networks, Firewalla will block that traffic if it sees it. If instead you place the devices on a switch, then Firewalla won't be able to block anything.

  •
    David Rothenberger

    I think the OP and myself both interpreted "Block traffic from and to all local networks" as "Block traffic from and to all other local networks".

    > For example, if you have devices on the same LAN, and ask the system to block traffic from local networks, if firewalla sees the traffic, it will block.

    Firewalla certainly knows that the source and destination of the traffic are on the same network.

  •
    Robert Kobbeman

    I created an Allow rule on my IoT network, which allows traffic To the IoT network. Looks funny having a rule to allow traffic to itself, but works.

    I’m guessing Firewalla considers cross-port traffic as different LAN/VLAN traffic.

  •
    David Rothenberger

    > I’m guessing firewalla considers cross port traffic as different lan/vlan traffic.

    It clearly does, but why? Is there any use case for wanting to block inter-LAN traffic between ports?

  •
    Robert Kobbeman

    For my setup, IoT traffic is the only vlan spanning ports. All other vlans stick to their own port, so it was by chance I found this.

    I don’t have IoT devices that NEED to talk to each other, so this wasn’t problematic for me. It did confuse me a bit though. 😁

  •
    David Rothenberger

    > It did confuse me a bit though.

    That's my point. This behavior is confusing. I understand at a technical level why the Firewalla is doing what it's doing, but I certainly wouldn't have expected this behavior. (I don't have any networks spanning ports, so I never noticed this.)

    Firewalla is saying that this is expected behavior, but you and I both find it confusing. In the absence of a good reason to support this behavior, I feel it is a bug that should be fixed, to avoid confusing other users.

  •
    Robert Kobbeman

    > It clearly does, but why? Is there any use case for wanting to block inter-LAN traffic between ports?

    I can't think of one. I would have thought Firewalla would see that traffic as the same LAN/VLAN and allow it. Not sure if this behavior is working as intended, or simply a bug.

    So now I have the existing Block Traffic from & to All Local Networks still in place, but have also added an Allow Traffic to IoT network on the IoT network (allow traffic to itself). Seems to be working OK.

    This "behavior" is probably something folks should take note to. I could see this causing issues if one didn't realize what was going on.

  •
    Robert Kobbeman

    > That's my point. This behavior is confusing. I understand at a technical level why the Firewalla is doing what it's doing, but I certainly wouldn't have expected this behavior. (I don't have any networks spanning ports, so I never noticed this.)
    >
    > Firewalla is saying that this is expected behavior, but you and I both find it confusing. In the absence of a good reason to support this behavior, I feel it is a bug that should be fixed, to avoid confusing other users.

    Totally agree.
