 From:  'Frederick Page' <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] unable to block LAN from OPT1
 Date:  Thu, 16 Dec 2004 19:35:27 +0100
Hello James,

James W. McKeand wrote on 15 December 2004:

[Some suggestions, already tried, didn't work either way]

>I would change the default LAN rule's destination from "any" to be
>*NOT* "OPT1 Subnet":
>Destination: Check the "not" and select "OPT1 Subnet"

Did that and it FINALLY worked! Thank you very, very much.

>Then add a rule for the OPT1 interface that allows from OPT1 subnet to
>*NOT* "LAN Subnet": (...)

I also changed the last (default) rule from destination "any" to
"!LAN" and this worked too.

>Then add in any rules that your environment requires. These two rules
>need to be the final rules on the respective interfaces.

That was it! I left the (last) default-rule untouched (any to any) and
this somehow made the first rule not stick. Thank you again very much!

>These two rules logically state: Traffic on the LAN interface from the
>LAN subnet is allowed to anywhere *BUT* the OPT1 subnet. And traffic
>on the OPT1 interface from the OPT1 subnet is allowed to anywhere
>*BUT* the LAN subnet.

Yes, that was it. I never changed the default rules; it would have been
much easier if I had done that in the first place, instead of trying to
insert an additional rule as the first one (which never worked).

Only pings work now, but nothing else. Glad you helped out, this is
REALLY appreciated.

Kind regards, Frederick
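To make the logic of the two rules James describes concrete, here is a small first-match rule evaluator (an added example, not code from the thread or from m0n0wall itself). The subnet addresses, the interface names as strings and the first-match-then-implicit-block semantics are assumptions made for this example; m0n0wall's own rule format is not reproduced.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample addressing for this example (not from the thread).
LAN_SUBNET = ip_network("192.168.1.0/24")
OPT1_SUBNET = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Rule:
    interface: str                 # interface the packet arrives on
    action: str                    # "pass" or "block"
    src: IPv4Network               # source network
    dst: Optional[IPv4Network]     # destination network, None means "any"
    dst_negate: bool = False       # True models the destination "not" checkbox

    def matches(self, iface: str, s: IPv4Address, d: IPv4Address) -> bool:
        if iface != self.interface or s not in self.src:
            return False
        if self.dst is None:
            return True
        in_dst = d in self.dst
        return not in_dst if self.dst_negate else in_dst


# The two rules from the thread, each the final rule on its interface:
# LAN subnet -> anywhere but OPT1, and OPT1 subnet -> anywhere but LAN.
RULES = [
    Rule("LAN", "pass", LAN_SUBNET, OPT1_SUBNET, dst_negate=True),
    Rule("OPT1", "pass", OPT1_SUBNET, LAN_SUBNET, dst_negate=True),
]


def decide(iface: str, src: str, dst: str, rules=RULES) -> str:
    """First matching rule decides; no match falls through to an implicit block."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(iface, s, d):
            return rule.action
    return "block"


if __name__ == "__main__":
    for iface, src, dst in [("LAN", "192.168.1.10", "192.168.2.20"),
                            ("LAN", "192.168.1.10", "203.0.113.5"),
                            ("OPT1", "192.168.2.20", "192.168.1.10"),
                            ("OPT1", "192.168.2.20", "203.0.113.5")]:
        print(f"{iface} {src} -> {dst}: {decide(iface, src, dst)}")
```

Traffic between the two subnets is blocked in both directions while each subnet still reaches outside addresses, which is the behaviour the quoted rules are meant to produce.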