I am trying to achieve the following, for which I'm attempting to use the Network Service Filter under firewall.
2 IP CAMS which should only have access to local LAN, but at the same time, if I VPN into this gateway, I want the VPN clients to be able to communicate with these IP cams.
1) I've tried setting up the WHITE LIST feature, where IPCAMS can only access my local subnet, with a line entry like this:
192.X.X.200 (port left empty) 192.X.X.0/24 (port left empty) TCP/UDP
Added another line pointing to VPN client subnet
What this does is that other DHCP clients end up also getting blocked, although I've not put them on the Whitelist. (SAD)
2) I've even split my DHCP so that 192.X.X.0-128 is assigned automatically to the rest of the devices. And I set the IPCAMS to 192.X.X.200/201 statically. Next I added the following lines in the Whitelist:
192.X.X.200 (port left empty) 192.X.X.0/24 (port left empty) TCP/UDP
Added another line pointing to VPN client subnet
192.X.X.0/25 (port left empty) 0.0.0.0/1 (port left empty) TCP/UDP
192.X.X.0/25 (port left empty) 128.0.0.0/1 (port left empty) TCP UDP
This is my understanding:
Line 1 says that the IPCAM at 200 can access anything on my LAN (192.X.X.0 to 192.X.X.255).
Lines 2 & 3 combine to say anything between 192.X.X.0 - 192.X.X.127 can access any IP.
This does not work either, as other devices are still blocked from accessing the internet. (SAD)
Any help is appreciated.
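The rule set from the second attempt can be checked offline against a generic allow-list model (a packet is permitted only if some rule matches, otherwise dropped). This is an added example, not part of the original post and not the router's firmware logic. Assumptions: `192.168.1.0/24` is a constructed placeholder for the elided `192.X.X.0/24`, `203.0.113.10` is a documentation address standing in for an internet host, and the VPN subnet line is omitted because the post does not show it.

```python
import ipaddress

# Constructed placeholder prefix for the post's elided 192.X.X.0/24 subnet.
LAN = "192.168.1."

# (source, destination) pairs transcribed from the second attempt in the post.
RULES = [
    (LAN + "200/32", LAN + "0/24"),   # camera .200 -> whole LAN
    (LAN + "0/25", "0.0.0.0/1"),      # DHCP clients -> lower half of IPv4
    (LAN + "0/25", "128.0.0.0/1"),    # DHCP clients -> upper half of IPv4
]

def parse(rules):
    """Turn CIDR strings into ip_network pairs."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in rules]

def allowed(src, dst, rules=RULES):
    """Generic allow-list semantics (assumed): permit on any match, else drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in rs and d in rd for rs, rd in parse(rules))

def uncovered_sources(first, last, rules=RULES):
    """Hosts LAN.first..LAN.last whose address matches no rule's source column."""
    nets = [rs for rs, _ in parse(rules)]
    return [LAN + str(h) for h in range(first, last + 1)
            if not any(ipaddress.ip_address(LAN + str(h)) in n for n in nets)]

def covers_all_ipv4(dst_cidrs):
    """True when the destination CIDRs merge into 0.0.0.0/0."""
    nets = [ipaddress.ip_network(c) for c in dst_cidrs]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]

if __name__ == "__main__":
    print("two /1 rules cover all IPv4:", covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
    print("DHCP pool .0-.128 hosts with no rule:", uncovered_sources(0, 128))
    print("camera hosts with no rule:", uncovered_sources(200, 201))
    for src, dst in [(LAN + "200", LAN + "10"), (LAN + "200", "203.0.113.10"),
                     (LAN + "50", "203.0.113.10"), (LAN + "128", "203.0.113.10")]:
        print(f"{src} -> {dst}: {'allow' if allowed(src, dst) else 'drop'}")
```

Under this model the rules as written leave two sources unmatched: the last address of the 0-128 DHCP pool falls outside the /25, and only the camera at .200 has a source entry.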