(Traffic comes in with vlan. This vlan has the def. gateway IP for the client's network. This vlan sits on a bridge interface. Bridge interface has several incoming physical (ethernet) interfaces for client traffic from different directions)
Same router has WAN interface connected to ISP. (This interface is on its own, not part of bridge or whatever.)
In router we have src-nat rule translating local IP into public IP.
Code: Select all
add action=src-nat chain=srcnat comment="" out-interface=ether1-WAN src-address=1xx.xx.xx.xx to-addresses=89.140.xxx.xxxSo far this all works fine for many clients and several years. But now I want to setup a system where clients are presented a 'reminder to pay' html page and at the same time block their traffic. So spend some time reading on the forum and the aid of google and decided to start;
In router I make firewall address-list listing of client local IP and call it 'test'
Code: Select all
add address=172.25.55.9 list="test"Code: Select all
add chain=forward comment="tcp dns requests accepted for test clients" dst-port=53 protocol=udp src-address-list="test"
add chain=forward comment="tcp dns reply accepted for test clients" dst-address-list="test" protocol=udp src-port=53
add action=drop chain=forward comment="tcp p80 traffic for test_client is blocked. (No More Browsing!)" src-address-list="test"I open another browser on same client laptop, page not loading.. good.
I open http file download... file is downloading.... not good!
(The file download is actually done by an http:// url download from a microsoft server. That would make it a p80 download no?)
My rules should block all traffic, no? Obviously not...why not?
