mjp66 / Ubiquiti


Wired Separate In Firewall Rule Issue #57

Closed alberg79 closed 3 years ago

alberg79 commented 3 years ago

It seems that the FWR 5 Wired Separate In rule blocks all local IPs, including the devices on that port, from making connections out to the WAN. I disabled that one rule to give that port access to the internet. I was thinking that the outbound rules on the other interfaces would block eth2 from accessing those networks instead.

mjp66 commented 3 years ago

Hi,

What I see in section "62. WIRED_SEPARATE Firewall Rules" are two rule sets (one in, one local). The in set has "default-action accept" and an address-group RFC-1918_GROUP drop. The local set has "default-action drop" and then allows DHCP and allows DNS.

The intent of the separate network is to (only) allow those devices access to the internet. I don't see how the stated rules would inhibit access to the internet.

Maybe check your separate firewall rules for the above and maybe check (all) your firewall rules for correct interface and direction attributes.

You can also compare your configuration backup file against the published reference config.

Good luck, -Mike

alberg79 commented 3 years ago

Got it. I had the WIRED_SEPARATE_IN rule 1 drop rule applied to the source, not the destination. So all traffic from a local IP was being dropped on that port. Thanks!
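The two rule sets Mike describes, and the source/destination mix-up that resolved this issue, modelled as an added Python example. This is not code from the mjp66/Ubiquiti guide; the rule set names, the use of eth2, the 192.168.3.0/24 network and the sample addresses are assumptions. The `render_edgeos` helper emits the rules in EdgeOS `set firewall name ...` form so they can be diffed against a configuration backup, which is the check Mike suggests.

```python
"""Model of the two WIRED_SEPARATE rule sets discussed above, plus the
misconfiguration from the thread (the RFC-1918 drop matched on the packet's
source instead of its destination). Added illustration; not code from the
mjp66/Ubiquiti guide. Rule set and group names, eth2 and the sample
addresses are assumptions."""
from ipaddress import ip_address, ip_network

# Membership of address-group RFC-1918_GROUP (constructed for this example).
GROUPS = {
    "RFC-1918_GROUP": [ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


def in_group(addr, group):
    return any(ip_address(addr) in net for net in GROUPS[group])


def pkt(src, dst, protocol, dst_port=None):
    """A constructed packet: 'in' packets transit the router, 'local' ones target it."""
    return {"src": src, "dst": dst, "protocol": protocol, "dst_port": dst_port}


def rule_matches(rule, p):
    """A rule matches only when every attribute it specifies matches the packet."""
    if "protocol" in rule and p["protocol"] not in rule["protocol"]:
        return False
    if "dst_port" in rule and p["dst_port"] != rule["dst_port"]:
        return False
    if "src_group" in rule and not in_group(p["src"], rule["src_group"]):
        return False
    if "dst_group" in rule and not in_group(p["dst"], rule["dst_group"]):
        return False
    return True


def evaluate(ruleset, p):
    """EdgeOS semantics: first matching rule wins, else the set's default-action."""
    for rule in ruleset["rules"]:
        if rule_matches(rule, p):
            return rule["action"]
    return ruleset["default"]


def wired_separate_in(match_on="dst_group"):
    """The 'in' set: default accept, one drop rule for RFC-1918 addresses.
    match_on="dst_group" is the intended rule; "src_group" reproduces the bug
    from this thread, where every packet from a local IP is dropped."""
    return {"name": "WIRED_SEPARATE_IN", "default": "accept",
            "rules": [{"action": "drop", match_on: "RFC-1918_GROUP"}]}


# The 'local' set: default drop, then allow DHCP and DNS to the router itself.
WIRED_SEPARATE_LOCAL = {"name": "WIRED_SEPARATE_LOCAL", "default": "drop", "rules": [
    {"action": "accept", "protocol": ("udp",), "dst_port": 67},        # DHCP
    {"action": "accept", "protocol": ("tcp", "udp"), "dst_port": 53},  # DNS
]}


def render_edgeos(ruleset):
    """'set' lines in EdgeOS CLI form, to diff against a configuration backup."""
    n = ruleset["name"]
    out = [f"set firewall name {n} default-action {ruleset['default']}"]
    for i, r in enumerate(ruleset["rules"], start=1):
        pre = f"set firewall name {n} rule {i}"
        out.append(f"{pre} action {r['action']}")
        if "protocol" in r:
            out.append(f"{pre} protocol {'_'.join(r['protocol'])}")
        if "dst_port" in r:
            out.append(f"{pre} destination port {r['dst_port']}")
        if "src_group" in r:
            out.append(f"{pre} source group address-group {r['src_group']}")
        if "dst_group" in r:
            out.append(f"{pre} destination group address-group {r['dst_group']}")
    return out


# Constructed traffic from a host on the separate network (eth2, 192.168.3.0/24).
TO_INTERNET = pkt("192.168.3.10", "203.0.113.5", "tcp", 443)
TO_OTHER_LAN = pkt("192.168.3.10", "192.168.1.20", "tcp", 445)
DNS_TO_ROUTER = pkt("192.168.3.10", "192.168.3.1", "udp", 53)
SSH_TO_ROUTER = pkt("192.168.3.10", "192.168.3.1", "tcp", 22)

if __name__ == "__main__":
    for label, rs in (("intended", wired_separate_in()),
                      ("thread's bug", wired_separate_in("src_group"))):
        print(label, "-> internet:", evaluate(rs, TO_INTERNET),
              "| other LAN:", evaluate(rs, TO_OTHER_LAN))
    print("local DNS:", evaluate(WIRED_SEPARATE_LOCAL, DNS_TO_ROUTER),
          "| local SSH:", evaluate(WIRED_SEPARATE_LOCAL, SSH_TO_ROUTER))
    print("\n".join(render_edgeos(wired_separate_in())))
```

With the drop rule on the destination, internet traffic falls through to the default accept and traffic to another RFC-1918 network is dropped; with the same rule on the source, the separate host's own address matches and everything it sends is dropped, which is the symptom alberg79 saw. When comparing against a backup, the line to look for is `destination group address-group` rather than `source group address-group` on that rule.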