My problem is, computers on VLAN30 (10.30.1.x) are able to communicate with computers on the default VLAN (10.9.8.x) and I want them separate. I thought inter-VLAN communication was off by default in the firewall (i.e., you have to make a rule to turn it on), but that is not the case with me.
Firewall rules:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""
1 ;;; Allow Established connections
chain=input action=accept connection-state=established log=no log-prefix=""
2 ;;; Allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
3 chain=input action=accept src-address=10.9.8.0/24 in-interface=!ether1-WAN log=no log-prefix=""
4 ;;; allow related
chain=input action=accept connection-state=related log=no log-prefix=""
5 ;;; PPTP
chain=input action=accept connection-state=new protocol=tcp dst-port=1723 log=no log-prefix=""
6 ;;; Drop everything else
chain=input action=drop log=no log-prefix=""
7 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid protocol=tcp log=no log-prefix=""
8 ;;; Allow established connections
chain=forward action=accept connection-state=established log=no log-prefix=""
9 ;;; allow related connections
chain=forward action=accept connection-state=related log=no log-prefix=""
10 chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix=""
11 chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix=""
12 chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix=""
13 chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix=""
14 chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix=""
15 chain=forward action=drop dst-address=224.0.0.0/3 log=no log-prefix=""
16 chain=forward action=jump jump-target=tcp protocol=tcp log=no log-prefix=""
17 chain=forward action=jump jump-target=udp protocol=udp log=no log-prefix=""
18 chain=forward action=jump jump-target=icmp protocol=icmp log=no log-prefix=""
19 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix=""
20 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111 log=no log-prefix=""
21 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135 log=no log-prefix=""
22 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139 log=no log-prefix=""
23 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445 log=no log-prefix=""
24 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049 log=no log-prefix=""
25 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346 log=no log-prefix=""
26 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034 log=no log-prefix=""
27 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133 log=no log-prefix=""
28 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68 log=no log-prefix=""
29 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69 log=no log-prefix=""
30 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111 log=no log-prefix=""
31 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135 log=no log-prefix=""
32 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139 log=no log-prefix=""
33 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049 log=no log-prefix=""
34 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133 log=no log-prefix=""
35 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""
36 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no log-prefix=""
37 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no log-prefix=""
38 ;;; host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""
39 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0 log=no log-prefix=""
40 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""
41 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""
42 chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""
43 ;;; deny all other types
chain=icmp action=drop log=no log-prefix=""
My subnets are all /24's. I am missing something obvious...
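In the rule set above the forward chain only jumps to the tcp/udp/icmp chains (which return when nothing matches) and never ends in a drop, so anything not explicitly denied is forwarded, including VLAN30 to the default VLAN. The following is an added example of a forward chain that segments the two subnets, not the poster's own configuration; it assumes the interface name ether1-WAN and the two /24 subnets mentioned in the post.

```routeros
/ip firewall filter
# Added example, not from the original post. Assumes ether1-WAN as the
# upstream interface, 10.30.1.0/24 on VLAN30 and 10.9.8.0/24 on the default VLAN.
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Explicit inter-VLAN block in both directions, placed before any rule that
# accepts new connections.
add chain=forward action=drop src-address=10.30.1.0/24 dst-address=10.9.8.0/24 \
    comment="block VLAN30 -> default VLAN"
add chain=forward action=drop src-address=10.9.8.0/24 dst-address=10.30.1.0/24 \
    comment="block default VLAN -> VLAN30"
# New connections are only allowed when they leave towards the WAN.
add chain=forward action=accept connection-state=new out-interface=ether1-WAN \
    comment="allow new LAN -> WAN"
# Final default deny: without this, every unmatched packet is forwarded.
add chain=forward action=drop comment="drop everything else"
```

After applying it, ping a 10.9.8.x host from a VLAN30 machine and watch the counters with `/ip firewall filter print stats` to confirm the inter-VLAN drop rules are the ones being hit.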