On my 2862, I have LAN 3 (subnet 3) for PC's and LAN 4 (subnet 4) for "things" printers, heating system etc). In general I don't want LAN3 and 4 to see each other, but do want certain ports open (eg for printing).

So my plan was to have LAN3/4 inter-LAN routing ticked, then set up a subnet3-subnet4 blocking firewall rule and then rules to open certain ports. My problem is that I can't get subnet-wide blocking to work. I can block 1 IP at a time, but not a range of IP's, nor subnet - the rule just seems to be ignored.

Something like this works:
Source = 192.168.33.145
Destintaion = 192.168.44.0/24

but this doesn't:
Source = 192.168.33.0/24
Destination = 192.168.44.0/24

nor does this
Source = 192.168.33.10~192.168.33.100
Destination = 192.168.44.0/24

Why can't source be a subnet or range of IP's?
Is there another (better?) way to achieve the end goal?

It sounds like it ought to work...

Have you used the "Syslog [ ]" option to confirm the rules are/aren't firing, or is it from general observation of the results?

Does the Firewall >> Diagnose function shed any light?


FWIW, I did it the other way round (on my 2860) and set up a filter set, whose first rule was "Block if no further match" ... then added individual exceptions. I used subnet addresses in the 'block rule', though I defined them as IP objects.

I tried all sorts of diagnoses. In the end, it turns out that if you use Wizard mode, when you select LAN/RT/VPN->LAN/RT/VPN, the LAN's are not always automatically ticked in the background (not sure exactly what conditions it does/doesn't work in) - but effectively, I had to go to advanced mode and click "Advanced" next to the LAN/RT/VPN->LAN/RT/VPN dropdown and then select the LAN's.

If I could work out how to paste an image, I'd show you what I mean, but it looks like that requires some sort of external pic host or something else that's too many steps for me to be working out this time of night :?