Route10 firewall rule regarding blocking traffic & Interface In

Routers
1

Hello everyone,
I’m an Alta Labs green hand, whose products have magic to make me wanna try!!! :wink:
I have difficulty in dealing with traffic-blocking firewall rule. :frowning:

VLAN1 (192.168.99.0/24) is the default VLAN.
VLAN2 (192.168.92.0/24) is the VLAN I created as DMZ.
As shown below, L2 is with VLAN2 untagged.

20250904_122214000_iOS
20250904_122214000_iOS717×1003 80.3 KB

My PC connected to L2 can visit 192.168.99.1. My PC without access to 192.168.99.1 is my goal. Therefore, I created below firewall rule to achieve the goal but it failed. I want to know why it failed…

20250904_124046000_iOS
20250904_124046000_iOS714×1190 89.9 KB

I found that my pc had no access to 192.168.99.1 when I used “Zone In: Any”…

Another question, I have doubt about the default notes “Interface In: i.e. eth3”. Which port is eth3? Is my L2 eth3? Is it possible to use W1/L1/L2/L3/L4/W2 in Interface In/Interface Out (If No, I hope it would work in the future.)?

2

For the firewall rule, you may want to specify a source. In this case, 192.168.92.0/24.

For the zones, you can specify LAN for both In and Out or Any for both. Note that ICMP (ping/echo) will continue to work unless you supply ICMP in the Protocols list.

The values that have i.e. in there aren’t defaults, they’re simply placeholders. The raw interfaces don’t directly map 1:1 with how they’re displayed in the UI or the labels on the Route10 due to the way Linux maps interfaces. Here is a default map, in case you’re curious.

eth0 (LAN3)
eth1 (LAN2)
eth2 (LAN1)
eth3 (WAN1)
eth4 (WAN2)
eth5 (LAN4)

Then eth0, eth1, eth2, and eth5 are all bridged, comprising br-lan, this is where the VLANs are created and would be formatted like br-lan_2 meaning VLAN 2 on the br-lan interface.

1 Like
3

From my testing looks like you can still ping the gateway of each vlan even with block rules.

2 Likes
4

Does ping work even with settings according to

2 Likes
5

Excellent catch @dalewhlrr and @ebuckland81 and it boils down to if the traffic is traversing through the Route10 or is destined to the Route10.

In short, if you specify Zone Out == None, that means traffic directed at the Route10.

We’re having some internal discussions about a better way to present that in the UI.

4 Likes
6

Just tested and that worked, thanks for the info.

1 Like
7

FYI, here are my testings on Route10 (v1.4j):

Setup1

20250906_115741000_iOS
20250906_115741000_iOS711×1185 90.1 KB

Setup2

20250906_115957000_iOS
20250906_115957000_iOS717×1185 92.1 KB

Setup3

20250906_121139000_iOS
20250906_121139000_iOS715×1174 90.4 KB

Setup4

20250906_121207000_iOS
20250906_121207000_iOS717×1185 93.6 KB

Off
Off1464×115 5.84 KB

On
On1464×115 6.71 KB

I’m confused about “VLAN2(192.168.92.0/24) ping VLAN1 (192.168.99.0/24 excl. 192.168.99.1)”: Setup1, Setup3 & Setup4 (VLAN1 & VLAN2 are with Isolation turned on) bring reply from 192.168.92.1. Why is the result not the same as Setup1, Setup3 & Setup4 (VLAN1 & VLAN2 are with Isolation turned off) to be “Request timed out” ?

Does “Zone Out: None” mean “Zone Out: Not specified”, i.e. “Zone Out: None” mean “Zone Out: Any” or “Zone Out: No (traffic directed at the Route10)”?

8

This thread has been automatically closed due to inactivity. If you believe you have the same issue, please create a new post describing your issue. Feel free to link to this post for context if desired.