Hello Manuel,

Manuel Kasper wrote on 17 December 2004:

[no rule on OPT1 interface = no traffic. So far, so good]

>> Now I insert one single rule on OPT1:
>> Action: Pass, Interface: OPT1, Protocol: AH, Source: any,
>> Destination: NOT LAN subnet
>> After "apply" I can do this with client 192.168.101.99 on OPT1:

> Sorry, can't reproduce here.

LAN : 192.168.100.100/24
OPT1: 192.168.101.100/24

Since I saw some internal rules dealing with 192.168.0.0/16, I also experimented and set the OPT1 interface to a 10.0.0.0/4 net, same results: traffic from OPT1 could reach LAN.

However, as I said: on the LAN interface everything works as expected: changing the last "pass" rule to "destination not OPT1" prevents any traffic to OPT1. It just doesn't work the other way round: preventing traffic from OPT1 to LAN.

The following info might be helpful: I am on SDSL (synchronous DSL) with 2 Mbit in each direction. My provider gave me a router and two static IP addresses: one for the provider's router (which is the default gateway in m0n0wall) and another IP address for m0n0wall. Both addresses are on a /30 net (netmask 255.255.255.252). Regardless of the fact that OPT1 can reach LAN, everything works perfectly without any problems.

> Yes, please post your entire (anonymized) status.php.

Meanwhile I assigned "FUNK" as a symbolic name to OPT1; this is my current config in which LAN is open to "FUNK", although it should not be accessible to "FUNK".

By the way: thank you very much for your attention and the time to read my mail. I'm a little ashamed to have to utilize your precious time, but I really want my WLAN ("FUNK") to be unable to access LAN, because I plan an intentionally open AP with Captive Portal (I came to enjoy open WLANs when I'm away and want to do the same for others).

Kind regards
Frederick
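To check what the rules described in this thread are supposed to do before looking for the cause of the observed behaviour, here is an added example (not from the mailing list or from m0n0wall itself) that models a first-match ruleset with a negated "NOT LAN subnet" destination, using the addresses from the post. The `Rule` class, the `evaluate` function and the "shadowing" ruleset are hypothetical constructs for illustration; they do not claim to reproduce how m0n0wall generates its filter rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the post (LAN and OPT1, later named "FUNK")
LAN = ipaddress.ip_network("192.168.100.0/24")
OPT1 = ipaddress.ip_network("192.168.101.0/24")


@dataclass
class Rule:
    action: str                                # "pass" or "block"
    iface: str                                 # interface the packet arrives on
    proto: str                                 # "any", "ah", "tcp", ...
    dst: Optional[ipaddress.IPv4Network]       # None means "any destination"
    dst_negated: bool = False                  # models "NOT <subnet>" in the GUI

    def matches(self, iface: str, proto: str, dst_ip: str) -> bool:
        if iface != self.iface:
            return False
        if self.proto != "any" and proto != self.proto:
            return False
        if self.dst is None:
            return True
        in_dst = ipaddress.ip_address(dst_ip) in self.dst
        return (not in_dst) if self.dst_negated else in_dst


def evaluate(rules, iface: str, proto: str, dst_ip: str, default="block") -> str:
    """First matching rule wins; with no match the implicit default applies."""
    for rule in rules:
        if rule.matches(iface, proto, dst_ip):
            return rule.action
    return default


# The single OPT1 rule from the post: pass AH to anything except the LAN subnet.
OPT1_RULES = [Rule("pass", "OPT1", "ah", LAN, dst_negated=True)]

# The working LAN-side rule from the post: pass to anything except OPT1.
LAN_RULES = [Rule("pass", "LAN", "any", OPT1, dst_negated=True)]

# Constructed, hypothetical audit case: a broader pass rule placed *before* the
# negated rule would shadow it and let OPT1 reach LAN regardless of the negation.
SHADOWED_RULES = [Rule("pass", "OPT1", "any", ipaddress.ip_network("192.168.0.0/16"))] + OPT1_RULES

if __name__ == "__main__":
    print("OPT1 -> LAN (AH):     ", evaluate(OPT1_RULES, "OPT1", "ah", "192.168.100.100"))
    print("OPT1 -> Internet (AH):", evaluate(OPT1_RULES, "OPT1", "ah", "203.0.113.5"))
    print("shadowed OPT1 -> LAN: ", evaluate(SHADOWED_RULES, "OPT1", "ah", "192.168.100.100"))
```

The point of the third ruleset is the audit a practitioner would do when a negated rule appears not to take effect: list the rules in evaluation order and look for an earlier, broader pass rule on the same interface.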