I have a very simple configuration. One DSL modem to the WAN port on a Soekris 4801-70 running SmallWall. One wireless AP on each of the other two interfaces. One for guests and one for my office.
DSL->SmallWall(WAN/sis1)->(LAN/sis0)->Wifi AP DSL->SmallWall(WAN/sis1)->(OPT1/sis2)->Wifi AP
The LAN subnet works like a charm. The APs are configured identically except for the subnet settings. However, I am unable to ping the sis2 interface when connected to the AP. The firewall logs show the traffic being blocked but not the blocking rule. I am tearing my hair out trying to support guests this weekend with OPT1. I tried disabling all the blocking rules for OPT1 but I must be missing something.
LAN: 192.168.1.0/24 OPT1: 192.168.2.0/24
LAN: PASS * LAN net * * * Default LAN -> any OPT1: BLOCK TCP * * LAN net * Block DMZ traffic to LAN OPT1: PASS TCP DMZ net * ! LAN net * Permit DMZ to any but LAN
When I connect to the AP on OPT1 I can ping myself (DHCP issued address) but not the OPT1 interface (gateway 192.168.2.100). Something is blocking ICMP and standard TCP handshakes.
Act Time If Source Destination Proto X 19:39:05.028871 DMZ 192.168.2.20 192.168.2.100, type echo/0 ICMP
OK, way too much coffee and Christmas goodies here. I neglected adding a rule to pass everything else after all of my restriction rules. It's not like I don't maintain iptables rules for an entire org. Whew!
Guests will be thrilled and I can go to bed ;-)
Software developer, IoT security architect, maker of smoke
Those rules are doing exactly what I want them to do. The little "X" icon for block didn't make the cut-n-paste. I had forgotten to add my default rule to OPT1 which would allow ICMP, UDP, etc. 100% brain fade on my part...
Many thanks for continuing and maturing this application. While the interface may be a little dated the internals are solid and it runs on very lightweight hardware.