
nat cisco rv082

razvandulf
Level 1

is there anyone who can light up my day by posting a solution for NAT only for a specific ip address or a range of ip addresses from the same subnet?

i've read that the router in gateway mode automatically makes the translation and in router mode does not. Starting from this, is there any way to nat from firewall access rules only

or if there is another way to do it, please let me know.

thanks a lot.

5 Replies

Te-Kai Liu
Level 7

With the gateway mode on RV082, a 1-to-1 NAT rule can make a range of private IP on the LAN side appear to be a range of public IP on the WAN side. RV082 supports up to ten 1-to-1 NAT rules.

thanks for your answer. i wasn't very explicit... i will describe the situation for a better understanding.

one public ip set on wan1 interface

class c virtual ip's on lan interface ( 192.168.111.x ).

restrict http access for all lan ip addresses on wan1 (nat or/and firewall) and allow only certain ip addresses from same subnet (lan) to have access to translation (or any other way to access internet)

most of the ip's from lan pass through an ipsec tunnel to a proxy server located somewhere else and must not have access directly to the internet. - this is working fine...

but there are some exceptions for some users, and those exceptions should have access to the internet directly.

if the router is set in gateway mode, every ip from lan translates and has internet access, even though there is a firewall rule about this: deny http wan1 any any.

is there a way i can solve this?

thanks a lot.

>if the router is set in gateway mode, every ip from lan translates and has internet access, even though there is a firewall rule about this: deny http wan1 any any.

If you want to restrict internet access (http on port 80) for certain LAN IP range, the access rule should look like this:

deny  http  lan  ip_range  any

thanks for your answer, the rule works for all http traffic in lan. but this will restrict them also from accessing any http that's local. any local http server won't be accessible.

so i partially solved my problem with another firewall rule to allow http traffic through tunnel ip classes, allowing http access through tunnel.

is there a way to allow local http open and restrict only the http internet traffic?

by that i mean to be able to access http port on another lan computer.

i believe another firewall rule will solve this too

allow lan range ip destination ip (lan ip)

thanks a lot for your help.

>i believe another firewall rule will solve this too

Yes, you would need another allow rule, unless the local LAN IP and remote LAN IP that are allowed are part of the same class A subnet.
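
The rule ordering discussed in this thread, as an added example that is not part of any poster's reply and does not reproduce RV082 firmware behaviour: a small Python model that assumes access rules are checked top-down with the first match winning, and that unmatched LAN traffic is allowed out as in gateway mode. The restricted host range, the tunnel subnet 10.20.0.0/16 and the sample addresses are constructed.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.111.0/24")   # LAN subnet from the thread
TUNNEL = ipaddress.ip_network("10.20.0.0/16")    # constructed: remote side of the IPsec tunnel
ANY = ipaddress.ip_network("0.0.0.0/0")


def ip_range(first, last):
    """Expand an inclusive source IP range into a set of addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {ipaddress.ip_address(n) for n in range(lo, hi + 1)}


# constructed: hosts that may reach the internet only through the tunnel proxy
RESTRICTED = ip_range("192.168.111.100", "192.168.111.199")

# "deny http lan ip_range any" on its own, as first suggested
DENY_ONLY = [("deny", 80, RESTRICTED, ANY)]

# Same deny, preceded by the two allow rules the thread arrives at
WITH_ALLOWS = [
    ("allow", 80, RESTRICTED, LAN),     # HTTP to servers on the local LAN
    ("allow", 80, RESTRICTED, TUNNEL),  # HTTP to the proxy behind the tunnel
    ("deny", 80, RESTRICTED, ANY),      # everything else on port 80
]


def decide(rules, src, dst, port=80):
    """Return the action of the first matching rule (assumed first-match order)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_port, sources, dest_net in rules:
        if port == rule_port and src in sources and dst in dest_net:
            return action
    return "allow"  # assumed default: gateway mode lets unmatched LAN traffic out


if __name__ == "__main__":
    for name, rules in (("deny only", DENY_ONLY), ("with allows", WITH_ALLOWS)):
        for dst in ("192.168.111.5", "10.20.1.1", "203.0.113.10"):
            print(name, "192.168.111.150 ->", dst, decide(rules, "192.168.111.150", dst))
```

In this model the deny rule matches only port 80, so a restricted host's traffic on any other port falls through to the default.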