RV325 (like RV320) Access Rules seem to have no effect for LAN traffic

l_s
Level 1

I have a couple of untrusted devices with static IPs on our LAN. I want to allow them access to the WAN but not to other devices on the LAN (except for DNS on the router/gateway).
[Attachment: rules ineffective.png]

I've tried many rules and none seem to have any effect, much like this post. I reduced it to a single rule to test whether anything works, but these devices can still make outgoing connections. Other posts about such rules mostly deal with incoming traffic and port-forwarding from the WAN, which is not relevant to this issue.

What is the correct way to block traffic from one LAN device to another?

4 Replies

agekov
Cisco Employee

Hello @l_s

Hope you are doing well!

My name is Anton and I am part of the Cisco SBS Support Team.

I assume that 192.168.1.7-192.168.1.8 are the untrusted IPs that you want to isolate from the rest of the LAN.

In this aspect your rule seems correct to me.

I would make it more specific by selecting LAN as the Source Interface.

Can you say whether you have added the static IP addresses in the DHCP table (DHCP -> IP & MAC Binding)?

Kind Regards!

Anton Gekov
Technical Consulting Engineer – Level 1
Global CX Centers – Small Business Support

Hi @agekov,

Thanks for replying. Yes, those are the untrusted IPs, and both have reserved addresses based on their MAC.

I've tried the same rule using both LAN and ANY as the source interface.

Thanks.

@agekov I have also added such a rule via the SSH interface, as well as trying a netmask version 192.168.1.8/255.255.255.255 (which it would not accept), but none made any difference.

l_s
Level 1

So I'm to understand that the Firewall on this device is effectively useless, even after updating to the Jun-17 firmware?

[Attachment: Screen Shot 2020-06-19 at 11.26.34.png]

With these rules, I expect to be able to connect into the restricted devices (web interface/SSH) but not have them connect out except for DNS and to the WAN. However, they can directly access any network resource.
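A way to reason about the behaviour reported in this thread, as an added example that is not part of any post above and is not Cisco's code: on small-business routers whose LAN ports share one switched segment (a modelling assumption here, typical of this class of device), frames between two hosts in the same subnet are forwarded by the built-in switch and never reach the router's firewall. Access rules are then only consulted for traffic that is routed (LAN to WAN) or addressed to the router itself, such as DNS to the gateway. The script below models a rule list with first-match semantics, reports whether a given flow is even seen by the firewall, and lists rules whose source and destination both sit inside the LAN subnet, which under this model can only ever match router-bound traffic. The rule set, the gateway address 192.168.1.1 and the test flows are constructed to mirror the thread's description; they are not taken from the screenshots.

```python
"""Model of how an access-rule list applies to flows on a router whose LAN
ports form a single switched segment (constructed example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_addr(text: str) -> List[IPv4Net]:
    """Accept 'any', 'a.b.c.d', 'a.b.c.d/nn' or a range 'a.b.c.d-a.b.c.e',
    returning the list of networks that cover it."""
    if text.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text, strict=False)]


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: List[IPv4Net]
    dst: List[IPv4Net]
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None means any destination port

    @classmethod
    def make(cls, action, src, dst, proto="any", dport=None):
        return cls(action, parse_addr(src), parse_addr(dst), proto, dport)

    def matches(self, s, d, proto, dport) -> bool:
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def flow_verdict(rules: List[Rule], src: str, dst: str, proto="tcp",
                 dport: Optional[int] = None,
                 lan: IPv4Net = IPv4Net("192.168.1.0/24"),
                 gateway=ipaddress.ip_address("192.168.1.1"),
                 default="allow") -> Tuple[str, Optional[int]]:
    """Return ("switched", None) when both hosts are in the LAN subnet and the
    destination is not the router itself: the switch forwards the frame and
    no rule is consulted. Otherwise return the first matching rule's action
    and index, or the default policy when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in lan and d in lan and d != gateway:
        return ("switched", None)
    for i, rule in enumerate(rules):
        if rule.matches(s, d, proto, dport):
            return (rule.action, i)
    return (default, None)


def lan_only_rules(rules: List[Rule],
                   lan: IPv4Net = IPv4Net("192.168.1.0/24")) -> List[int]:
    """Indices of rules whose source and destination both lie inside the LAN
    subnet. Under the switched-segment model these are only ever evaluated for
    traffic addressed to the router, never for host-to-host LAN traffic."""
    return [i for i, r in enumerate(rules)
            if all(n.subnet_of(lan) for n in r.src)
            and all(n.subnet_of(lan) for n in r.dst)]


# Constructed rule list in the spirit of the thread: let the two untrusted
# hosts reach DNS on the gateway, block them from the rest of the LAN,
# then allow everything else (which covers LAN to WAN).
RULES = [
    Rule.make("allow", "192.168.1.7-192.168.1.8", "192.168.1.1", "udp", 53),
    Rule.make("deny", "192.168.1.7-192.168.1.8", "192.168.1.0/24"),
    Rule.make("allow", "any", "any"),
]

if __name__ == "__main__":
    for flow in [("192.168.1.7", "192.168.1.20", "tcp", 22),
                 ("192.168.1.7", "192.168.1.1", "udp", 53),
                 ("192.168.1.7", "192.168.1.1", "tcp", 80),
                 ("192.168.1.7", "8.8.8.8", "tcp", 443)]:
        print(flow, "->", flow_verdict(RULES, *flow))
    print("rules that never see host-to-host LAN traffic:", lan_only_rules(RULES))
```

Running it shows the deny rule taking effect only for traffic addressed to the router (the untrusted host trying to reach the gateway's web interface) while a connection from 192.168.1.7 to another LAN host is reported as switched, i.e. the firewall never had a chance to evaluate it. Enforcing separation between hosts on the same segment requires putting them on different VLANs or subnets so that the traffic is routed, which is where access rules apply.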
