Topic: 12 Opt1 Ports Firewall Rules  (Read 3815 times)
« on: March 01, 2010, 16:36:22 »
cybertron *
Posts: 8

Hey guys, so I have a m0n0wall setup with three 4-port NICs and I need to block traffic from one port to the next. What I've done is create a rule that says... !=LAN ---> PASS ... and that still allows access to the other 11 ports from, say, port 3 or 4 or 5, etc.

I tried to create != WAN ---> BLOCK ... but that blocked everything, and I tried the above in conjunction with this rule and still it blocked everything.

Any ideas?
« Reply #1 on: March 01, 2010, 18:35:00 »
knightmb ****
Posts: 341

Everything is blocked by default, so you don't need to create additional block rules. What I recommend is to approach this from the "allow" standpoint. Only allow certain LAN, OPT1 to where you want (WAN-Internet), other OPT2, other LAN, etc. by creating only rules for where each is allowed.

Much easier to set up and work from a logical standpoint in regards to your network layout.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: March 01, 2010, 19:25:15 »
cybertron *
Posts: 8

> Everything is blocked by default, so you don't need to create additional block rules. What I recommend is to approach this from the "allow" standpoint. Only allow certain LAN, OPT1 to where you want (WAN-Internet), other OPT2, other LAN, etc. by creating only rules for where each is allowed.
>
> Much easier to set up and work from a logical standpoint in regards to your network layout.

That's how I thought it was set up, but my client claims he can ping 192.168.102.254 (router IP on Interface 2 for office 102) from 192.168.101.20 (PC on LAN of Interface 3 for office 101)... does that make sense? Basically he can ping the router on another interface, but he doesn't have any machines set up, so I don't know if he's blocked from accessing a machine, but he can hit the router.
« Reply #3 on: March 01, 2010, 20:02:06 »
Fred Grayson *****
Posts: 994

You might want to review the m0n0wall Handbook section 13.1.4 for an example of what I think it is you are trying to accomplish.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: March 01, 2010, 20:26:39 »
cybertron *
Posts: 8

> You might want to review the m0n0wall Handbook section 13.1.4 for an example of what I think it is you are trying to accomplish.

Hey Fred, that's actually what I followed. The problem is, I have 11 more ports on this m0n0wall configuration besides the WAN and the LAN port. So my rule is blocking access to the LAN, but I can still ping the other 11 ports, which are all set up with different IP ranges... for example:

WAN is static public IP
LAN is set to 192.168.1.254
Opt1 is 192.168.101.254
Opt2 is 192.168.102.254
Opt3 is 192.168.103.254
..... and so on.

There is an Opt1-Opt11, and each is connecting a different office in my building (I'm giving my tenants internet), but I don't want them to be able to discover each other.
« Reply #5 on: March 02, 2010, 20:09:46 »
knightmb ****
Posts: 341

> That's how I thought it was set up, but my client claims he can ping 192.168.102.254 (router IP on Interface 2 for office 102) from 192.168.101.20 (PC on LAN of Interface 3 for office 101)... does that make sense? Basically he can ping the router on another interface, but he doesn't have any machines set up, so I don't know if he's blocked from accessing a machine, but he can hit the router.

It should be, I've never seen any traffic flow between the two interfaces unless there was a rule in place to allow it. I just set up a m0n0wall machine not 5 minutes ago with 1.3 and could verify that unless there is an allow rule in place, no data goes anywhere between the two.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #6 on: March 23, 2010, 05:43:39 »
notladstyle **
Posts: 53

Couldn't you just create a rule for each card that was PASS OPT -> WAN?

If you still have issues create a rule above the previous rule BLOCK OPT -> 192.168.0.0/16
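The thread turns on two points: rules are evaluated first match wins with an implicit default block (knightmb's "everything is blocked by default"), and a single pass rule whose destination is "not LAN net" matches every other OPT segment and every other interface address of the firewall, which is why the original poster's tenant can still ping 192.168.102.254. The Python below is an added model of that evaluation, not m0n0wall's own code, so the difference between the original "!= LAN -> PASS" rule and the block-then-pass ordering notladstyle suggests can be checked offline. It assumes each office is a /24 with the gateway at .254 as in the posted address plan (192.168.1.0/24 for LAN, 192.168.101.0/24 for OPT1, and so on); the "PASS OPT -> WAN" rule is modelled as destination any, since the 192.168.0.0/16 block above it already excludes the other offices. The narrow pass for the tenant's own gateway is an addition of mine, not something the thread states: without it, the /16 block also cuts the tenant off from DNS or DHCP served by the firewall on that interface.

```python
import ipaddress
from dataclasses import dataclass

# Address plan from the thread: LAN at 192.168.1.x, office N on OPTn at 192.168.(100+N).x.
# The /24 mask per segment is an assumption; the posts only give the gateway addresses.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.101.0/24")
OPT1_GATEWAY = ipaddress.ip_network("192.168.101.254/32")
RFC1918_PRIVATE = ipaddress.ip_network("192.168.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: ipaddress.IPv4Network        # interface network the rule is attached to
    dst: ipaddress.IPv4Network
    dst_negate: bool = False          # models the "not" checkbox on the destination field


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; if nothing matches, the implicit default is block."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in rule.src:
            continue
        dst_match = dst in rule.dst
        if rule.dst_negate:
            dst_match = not dst_match
        if dst_match:
            return rule.action
    return "block"


def tenant_rules_negated_lan():
    """The original poster's attempt: a single pass rule with destination 'not LAN net'."""
    return [Rule("pass", OPT1_NET, LAN_NET, dst_negate=True)]


def tenant_rules_isolated():
    """Allow-only ordering from the thread: block the private range before the
    Internet pass. The /32 pass for the tenant's own gateway is added here (an
    assumption, not from the thread) so firewall-hosted DNS/DHCP keep working."""
    return [
        Rule("pass", OPT1_NET, OPT1_GATEWAY),
        Rule("block", OPT1_NET, RFC1918_PRIVATE),
        Rule("pass", OPT1_NET, ANY),
    ]


def matrix(rules, src_ip="192.168.101.20"):
    """Decision for the office-101 PC from the thread against constructed destinations."""
    destinations = {
        "lan_host": "192.168.1.10",          # constructed host on the owner's LAN
        "opt2_gateway": "192.168.102.254",   # the firewall's own OPT2 address (from the thread)
        "opt3_host": "192.168.103.20",       # constructed host in office 103
        "own_gateway": "192.168.101.254",    # tenant's own gateway (from the thread)
        "internet": "203.0.113.10",          # constructed public address (TEST-NET-3)
    }
    return {name: evaluate(rules, src_ip, ip) for name, ip in destinations.items()}


if __name__ == "__main__":
    for label, rules in (("!= LAN -> PASS", tenant_rules_negated_lan()),
                         ("block 192.168/16, then pass", tenant_rules_isolated())):
        print(label)
        for name, decision in matrix(rules).items():
            print(f"  {name:13s} {decision}")
```

Running it shows the negated rule passing OPT1 to the OPT2 gateway and to other offices (only the LAN is blocked), while the block-then-pass ordering blocks every 192.168.x.x destination except the tenant's own gateway and still passes Internet traffic. Rule order is what matters: the same block rule placed below the pass rule would never be reached.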
« Reply #7 on: April 01, 2010, 01:17:19 »
joemcool *
Posts: 1

I'm having a similar issue. Did you ever get yours resolved?

Best I can figure from logs, the default block firewall rule is dropping the packets before the interface's allow rule can pass it.