Group rule that allows access to one LAN device and blocks all the rest
Just yesterday, I installed:
- Firewalla Gold Pro
- AP7 Desktop
- with an AP7 Ceiling install happening next
All I want is for certain groups to be allowed access to a single host on my LAN (which has a private IP reservation) and block all other LAN traffic. I have a single LAN, and this thing has only 4 ports, one of which goes to WAN (2 once I go multi-WAN). I guess I'm going to need a managed switch and set up VLANs? That was not in scope nor my budget.
ALLOW groups should take precedence over DENY groups at the same level? Because that's not working. All the documentation suggests what I am doing should work fine.
I have a "Media" group. The Rules are:
ALLOW - Traffic to Internet, Outbound only, Always
ALLOW - IP 10.0.0.10, Bi-Directional, Always
DENY - Traffic From & To All Local Networks.
(I tried the same DENY rule for just my LAN, as well).
As soon as I add the DENY rule, traffic to 10.0.0.10 is immediately denied for devices in that group. So, ALLOW rules actually don't take precedence over DENY rules. I guess I will need to put my media server in its own VLAN, which requires more hardware (and more money and frustration).
I'm disappointed. Firewalla Gold Pro looked like it had such potential. Don't even get me started on having to strain my neck, eyes, and thumbs to make a change because there is no web UI with feature parity.
-
Sorry for the confusion. If the devices are connected to the Firewalla AP7, you don’t need an extra switch to manage local traffic. Allow rules take precedence over block rules, and the failure to allow local IPs appears to be a bug on our side — our developers will work on a fix.
In the meantime, please try adding the host you want to allow to the Media group’s Allowed Devices list: In the Firewalla App, go to Devices → "Media" group. Scroll to the bottom and tap Allowed Devices. Add the host you’d like to allow. You can find more details in our Microsegmentation doc.
Side note: There’s no need for the rule "ALLOW – Traffic to Internet, Outbound only, Always". In Router Mode, the inbound firewall is already enabled to block incoming traffic, and outbound traffic is allowed by default.
-
Thanks. To clarify, the Media group is a mix of wired and WiFi clients, but 10.0.0.10 is a wired server on LAN 1.
Thanks for the tip about not needing the rule "ALLOW – Traffic to Internet, Outbound only, Always". That will simplify my configurations and maybe be good for performance.
I will look into the Microsegmentation. I did consider that very early on, but I couldn't get that configured the way I thought it would be, either. But I know a lot more about how these rules are supposed to work now than I did then, so I'll try it.
As for this problem, I did a little test where I checked iptables before and after making the changes. I see that this:
Chain FW_FIREWALL_DEV_G_ALLOW
comes before this:
Chain FW_FIREWALL_DEV_G_BLOCK
And that's where my Rules landed (which contain the ipset lists). iptables rules get applied in order, so I'm unclear on why this isn't working, actually. Of course, that was also based on a very cursory check. I'll try to parse that out better; those ipset groups and iptables rules can get very confusing very fast.
Finally, my frustration. Sorry. It's all good, I know these things take work. I was indeed frustrated because I had spent so long setting up everything the way I wanted it and running into some roadblocks. But this is, I think, my one remaining issue, as I have already set up Pi-Hole in Docker per the article on this site (I had to make a few modifications to that process, I'll post my updates there).
Thanks!
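The chain-order check in the post above (FW_FIREWALL_DEV_G_ALLOW evaluated before FW_FIREWALL_DEV_G_BLOCK) boils down to first-match semantics over ipset membership. The following is an added example, not Firewalla's code or anything from the thread: a small Python model of that evaluation using the Media group's three rules, with constructed device addresses and a constructed 10.0.0.0/24 "local networks" range. It shows that with the observed chain order the host allow must win, and that swapping the chains is what would produce the DROP the poster saw.

```python
import ipaddress

# Constructed model of first-match iptables evaluation; not Firewalla's code.
# Chains are walked in the listed order, matching what the poster observed
# (the DEV_G_ALLOW chain is reached before the DEV_G_BLOCK chain).

# ipset-like named sets. All members are constructed sample values except
# 10.0.0.10, the allowed host from the thread; 10.0.0.0/24 is an assumption.
IPSETS = {
    "media_devices":  {"10.0.0.50", "10.0.0.51"},  # members of the "Media" group
    "allowed_host":   {"10.0.0.10"},               # the one permitted LAN host
    "local_networks": {"10.0.0.0/24"},             # "All Local Networks"
}


def in_set(ip, set_name):
    """ipset-style match: exact address or a containing network entry."""
    addr = ipaddress.ip_address(ip)
    for entry in IPSETS[set_name]:
        if "/" in entry:
            if addr in ipaddress.ip_network(entry):
                return True
        elif addr == ipaddress.ip_address(entry):
            return True
    return False


# Each rule: (src_set, dst_set, verdict). The bi-directional ALLOW becomes
# two rules; the DENY covers the group talking to any local network.
CHAINS = [
    ("FW_FIREWALL_DEV_G_ALLOW", [("media_devices", "allowed_host", "ACCEPT"),
                                 ("allowed_host", "media_devices", "ACCEPT")]),
    ("FW_FIREWALL_DEV_G_BLOCK", [("media_devices", "local_networks", "DROP")]),
]


def evaluate(src, dst, chains=CHAINS):
    """First matching rule wins; otherwise fall through to the default policy."""
    for chain, rules in chains:
        for src_set, dst_set, verdict in rules:
            if in_set(src, src_set) and in_set(dst, dst_set):
                return verdict, chain
    return "ACCEPT", "policy"  # outbound is allowed by default (support's note)


if __name__ == "__main__":
    for dst in ("10.0.0.10", "10.0.0.20", "93.184.216.34"):
        print("10.0.0.50 ->", dst, evaluate("10.0.0.50", dst))
    print("chains swapped:", evaluate("10.0.0.50", "10.0.0.10", list(reversed(CHAINS))))
```

If a real box shows DROP for 10.0.0.10 despite this ordering, the allow rule's ipset is the next thing to inspect, since the order alone cannot explain it.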