Hi all,

Need help on how I configure RB750 to block comms between VLANs on internal IPs (10.x.0.0/16 subnets, 1 per VLAN) but allow DHCP (inc relay) and allow any traffic directed at public IPs which have NAT rules forwarding to a host on one of the VLANs.

Put a filter in the forwarding chain which drops everything (action=drop), then add filters above that one to permit (action=accept) each traffic type that you want to permit.

Edited:

I have this working now, except for one particular exception.

I have rules set as per below

Accept UDP 67-68 from 10.4.0.0/16 to 10.0.0.5
Drop all (other) from 10.4.0.0/16 to 10.0.0.0/8

I'm trying to add the following (above the drop rule), but it appears the below isn't allowing traffic to flow as desired.

Accept any from 10.4.0.0/16 to 10.0.6.1-2
(I've also tried adding Accept any from 10.0.6.1-2 to 10.4.0.0/16 as well even though my drop rule isn't configured to block this direction)

Any suggestions?

Resolved - devices I was creating an exception for had a mis-configured gateway!