Hi all,
yes, you're right! I didn't consider that! Sorry!
I will go through it again.
One more question:
Is it useful to block the communication to the GW? The GW answers if you ping it.
Christian.
You changed your requirements. First you say you wanted vlan10 and vlan20 to talk, then you say you don't. I was going by your original request and only looked at your new request. Secondly, it should be very clear by now how easy it is to make it work whatever way you need, in this case simply removing the VlanFriends rule …
I recommend not managing your outbound Internet access from the filter section. Create another address list, e.g. InternetAllowed and add the address list to the default src-nat masquerade rule in the NAT section.
You can create a rule to drop all input chain traffic to the router (then perhaps another rule to Accept DNS on udp and tcp port 53 if you have Allow Remote Requests enabled under IP DNS), but only after you have guaranteed your Management VLAN works and you have an Admin exemption at or very near the top of your input chain firewall filter rules, otherwise you may lose access to your router.
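The two suggestions in the post above, written out as a RouterOS configuration sketch (an added example, not part of the original post). The subnets, the `Admin` list name and the `LAN` interface list containing the VLAN interfaces are assumptions; only `InternetAllowed` comes from the post.

```routeros
# Constructed sample values: replace the subnets with your own.
/ip firewall address-list
# Hosts that may reach the Internet (list name from the post).
add list=InternetAllowed address=192.168.10.0/24 comment="vlan10 (constructed)"
# Hypothetical list of management hosts that may reach the router itself.
add list=Admin address=192.168.99.0/24 comment="Management VLAN (constructed)"

/ip firewall nat
# Restrict the existing masquerade rule to sources in InternetAllowed,
# instead of controlling Internet access in the filter section.
set [find chain=srcnat action=masquerade] src-address-list=InternetAllowed

/ip firewall filter
# Order matters: every accept rule must sit above the final drop.
# 1. Keep replies to the router's own connections working.
add chain=input action=accept connection-state=established,related \
    comment="accept established,related"
# 2. Admin exemption near the top, so management access survives the drop.
add chain=input action=accept src-address-list=Admin \
    comment="Admin exemption"
# 3. DNS to the router, only needed when Allow Remote Requests is enabled.
#    Assumes the VLAN interfaces are members of the LAN interface list.
add chain=input action=accept protocol=udp dst-port=53 \
    in-interface-list=LAN comment="DNS udp"
add chain=input action=accept protocol=tcp dst-port=53 \
    in-interface-list=LAN comment="DNS tcp"
# 4. Everything else addressed to the router is dropped, including
#    pings to the gateway address from non-admin hosts.
add chain=input action=drop comment="drop all other input"
```

Confirm that a host in the `Admin` list can still log in before adding the final drop rule; rules added with `add` are appended, so the order shown is the order they are evaluated in.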
Hi squeeze,
sorry for this! This was a typo. Permit and prohibit are very similar! Oh dear, I'm very embarrassed and sorry for the confusion.
But it is clear now and I am no longer confused. Thank you so much for your support. I will play a little bit with the configs.
Don't worry about the internet rules. The RB3011 is behind the Fritzbox Router at the moment, and the firewall in the Fritzbox is on. I think everything is safe!
Regards,
Christian