Will This Rule Ever Match?....

Hey,

So I have a CRS where port 1 is the gateway and ports 2-24 are all one switch group. I am cleaning up a rule set and found:
add chain=forward comment="Private Ranges" dst-address-list=PrivateRanges in-interface=!ether01-gateway out-interface=!ether01-gateway src-address-list=PrivateRanges

PrivateRanges has only 10.0.0.0/24 in it…

I cannot for the life of me figure out what this rule would match… I could see it matching if PrivateRanges had more than one range in it, but not without that. Can anyone else see something that I am missing?

Simple translation of this rule:
accept all packets between two machines in the 10.0.0.0/24 range.
It is like disabling the firewall for all internal communications between internal computers.
You can put in the address list private-ranges all the ranges you use inside your network.

If I have solved your mystery, add Karma! :stuck_out_tongue:
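As an added illustration (not code from the thread), here is a small Python model of the rule's matchers, evaluated over constructed packets. It applies the thread's semantics: both addresses must be in the address list, and the `!` negations mean neither the ingress nor the egress interface may be the gateway port. The interface names, the second range and the sample packets are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address list: the thread's PrivateRanges holds only 10.0.0.0/24.
PRIVATE_RANGES = [ipaddress.ip_network("10.0.0.0/24")]
GATEWAY_IF = "ether01-gateway"  # port 1 in the thread


@dataclass
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    in_if: str   # interface the packet arrived on
    out_if: str  # interface the router will send it out of


def in_address_list(addr: str, ranges) -> bool:
    """Equivalent of src-address-list / dst-address-list membership."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def rule_matches(pkt: Packet, ranges=PRIVATE_RANGES, gateway=GATEWAY_IF) -> bool:
    """True when every matcher of the forward rule is satisfied.
    '!ether01-gateway' on both interface matchers is a negation: the
    packet must neither enter nor leave through the gateway port."""
    return (in_address_list(pkt.src, ranges)
            and in_address_list(pkt.dst, ranges)
            and pkt.in_if != gateway
            and pkt.out_if != gateway)


# Constructed sample traffic (assumed interface names ether2/ether3).
LAN_TO_LAN = Packet("10.0.0.5", "10.0.0.9", "ether2", "ether3")
LAN_TO_INTERNET = Packet("10.0.0.5", "8.8.8.8", "ether2", "ether01-gateway")
INTERNET_TO_LAN = Packet("203.0.113.7", "10.0.0.5", "ether01-gateway", "ether2")
# A second private subnet, as in the OP's "more than one range" case.
TWO_RANGES = PRIVATE_RANGES + [ipaddress.ip_network("192.168.1.0/24")]
LAN_TO_OTHER_LAN = Packet("10.0.0.5", "192.168.1.20", "ether2", "ether3")


def demo():
    """Return which sample packets the rule would match."""
    return {
        "lan_to_lan": rule_matches(LAN_TO_LAN),
        "lan_to_internet": rule_matches(LAN_TO_INTERNET),
        "internet_to_lan": rule_matches(INTERNET_TO_LAN),
        "lan_to_other_lan_one_range": rule_matches(LAN_TO_OTHER_LAN),
        "lan_to_other_lan_two_ranges": rule_matches(LAN_TO_OTHER_LAN, TWO_RANGES),
    }
```

With only 10.0.0.0/24 in the list, the sole match is traffic between two hosts of that subnet that the CPU actually forwards between two non-gateway ports; whether such frames reach the forward chain at all is the question the later replies discuss.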

But those packets should never get to the router since they are in the same subnet.

Sent from my SCH-I545 using Tapatalk

Why not?
If one PC is on ether2 and another on ether3, this rule counts if the CPU is on the same switch group or connection tracking or bridge firewall are active.

However, useful or not, the rule does this.

In the forward chain? Try to catch it in the prerouting chain, since you are just matching packets on anything other than eth1-public. And this is a "switch", right?