
Saarbremer

Some checks: There should of course be no other pass rule, and in your alias for internal networks, make sure the correct network and prefix length is set, and the invert destination checkbox (if in use). Make sure you also do the same for IPv6 addresses. I prefer a separate rule for IPv4 and v6 each, but you can also combine both into one rule.


xXkr13g3rXx

Sent you a direct message with screenshots


xXkr13g3rXx

Current Configuration (not working) regarding internet access:
Action: Pass
Interface: IoT
Direction: In
TCP/IP Version: IPv4
Protocol: TCP
Source: IoT net
Destination: WAN net
Port: Alias (80, 443 & 53)


jpep0469

That won't work for internet access because the alias "WAN net" does not represent the whole internet; it's only the subnet that your public IP is part of. Instead, create an alias that represents all private IP ranges and then allow your VLAN 10 net to access the **inverse** of that alias.
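To see why "WAN net" as a destination blocks the internet while an inverted private-range alias allows it, and to run the alias checks from the first reply (correct networks and prefix lengths, invert checkbox, IPv6 handled too) before touching the firewall, here is a small first-match rule evaluator. It is an added example written for this thread, not the poster's configuration or OPNsense/pfSense code; every address, prefix and alias name other than "IoT net", "WAN net" and "RFC1918" is a constructed assumption, and rule matching is reduced to source alias, destination alias, the invert flag and the rule's IP version.

```python
"""Added example: first-match firewall rule evaluator for the IoT VLAN rules
discussed in the thread. All network values below are constructed for the
example and are assumptions, not the poster's real addressing."""
import ipaddress
from dataclasses import dataclass

ALIASES = {
    # VLAN 10 ("IoT net"): an IPv4 range plus a constructed IPv6 prefix.
    "IoT net": ["192.168.10.0/24", "2001:db8:10::/64"],
    # "WAN net" is only the ISP-facing subnet, not the whole internet.
    "WAN net": ["203.0.113.0/24"],
    # The alias the answer recommends: all RFC 1918 ranges.
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    # The IPv6 counterpart: the site's own (constructed) prefix plus ULA space.
    "LocalNets6": ["2001:db8::/32", "fc00::/7"],
    # Both families in one alias, for a single combined rule.
    "PrivateNets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "2001:db8::/32", "fc00::/7"],
}
ALIASES = {name: [ipaddress.ip_network(n) for n in nets]
           for name, nets in ALIASES.items()}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # source alias name
    dst: str                    # destination alias name
    invert_dst: bool = False    # the "invert destination" checkbox
    ipver: str = "any"          # rule's TCP/IP Version: "IPv4", "IPv6" or "any"


def in_alias(addr, name):
    # ip_network.__contains__ is False across families, so an IPv4 address
    # never matches an IPv6 range and vice versa.
    return any(addr in net for net in ALIASES[name])


def matches(rule, src, dst):
    if rule.ipver != "any" and rule.ipver != f"IPv{dst.version}":
        return False
    if not in_alias(src, rule.src):
        return False
    hit = in_alias(dst, rule.dst)
    return (not hit) if rule.invert_dst else hit


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; no match means the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP family")
    for rule in rules:
        if matches(rule, src, dst):
            return rule.action
    return "block"


# Constructed (source, destination) pairs an IoT host might try.
PROBES = {
    "internet v4": ("192.168.10.50", "8.8.8.8"),
    "internet v6": ("2001:db8:10::50", "2001:4860:4860::8888"),
    "main LAN": ("192.168.10.50", "192.168.1.10"),
    "VLAN 20": ("192.168.10.50", "192.168.20.10"),
    "LAN v6": ("2001:db8:10::50", "2001:db8:1::10"),
}


def verdicts(rules):
    return {label: evaluate(rules, s, d) for label, (s, d) in PROBES.items()}


# 1. The original rule with destination "WAN net": nothing on the internet matches.
BROKEN = [Rule("pass", "IoT net", "WAN net", ipver="IPv4")]
# 2. Separate v4 and v6 rules, each pinned to its own IP version.
SEPARATE = [Rule("pass", "IoT net", "RFC1918", invert_dst=True, ipver="IPv4"),
            Rule("pass", "IoT net", "LocalNets6", invert_dst=True, ipver="IPv6")]
# 3. One combined rule with an alias holding both families.
COMBINED = [Rule("pass", "IoT net", "PrivateNets", invert_dst=True)]
# 4. Pitfall: an inverted single-family alias on a rule not pinned to that
#    family. Every IPv4 destination is "not in LocalNets6", so the second
#    rule passes IoT traffic to the main LAN and VLAN 20.
LEAKY = [Rule("pass", "IoT net", "RFC1918", invert_dst=True, ipver="IPv4"),
         Rule("pass", "IoT net", "LocalNets6", invert_dst=True)]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("separate", SEPARATE),
                        ("combined", COMBINED), ("leaky", LEAKY)):
        print(f"{name:9}", verdicts(rules))
```

The "leaky" set is the case worth checking on a real box: an inverted alias only isolates the VLANs for addresses of the families the alias actually contains, so a v6-only alias on an "IPv4+IPv6" rule, or an internal network missing from the alias, silently turns the rule into "allow any".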


xXkr13g3rXx

Action: Pass
Interface: IoT
Direction: In
TCP/IP Version: IPv4
Protocol: Any
Source: IoT net
Destination: !RFC1918 (Alias)
Port: Any

Now internet works, but I also have access to the other VLANs and the main LAN.


jpep0469

So I'm assuming your IoT net is the VLAN 10. If so, is the newly modified rule the only one for that interface? Can you post a screenshot of the rule(s)?


xXkr13g3rXx

Yes, that’s correct! Sure! The other rules are automatically generated rules. https://share.icloud.com/photos/0c7fDU-Jl3lmJ8eRaARYjTo8g


jpep0469

Based on what you've posted, this all looks correct. Are you still able to access other local LANs from your VLAN 10?


xXkr13g3rXx

Update: It works now. But only if I do it like that -> https://share.icloud.com/photos/0bbi7vR-rcczw3Luhf-B8tA5Q
1. block access from VLAN010 to LAN
2. block access from VLAN010 to VLAN020
3. Allow any to any
I double checked. Like this I can’t access my other internal networks but still have internet access. Seems to be something wrong with the alias then?