Network Services Filters on RT-BE86U

[stonypass]

Setting up a new RT-BE86U with an Admin (Main) and several VLAN networks, on the latest Merlin firmware for that model.

I'm entering rules in network services filters and apparently don't understand how that part of the GUI works.
If I select Deny in the drop down and enter: Source IP - 192.168.90.0/24 (90=IoT Vlan) Desntination IP - 192.168.50.0/24 (50=Admin) select TCP, click the Plus to add it below, then click Apply it appears to have run.
If I then use the drop down to select Allow, the previous entry is still there.

Can the GUI not be used to edit the Deny or Allow list by displaying entries, and removing them or adding new ones?

 

[ColinTaylor]

If I then use the drop down to select Allow, the previous entry is still there.

Can the GUI not be used to edit the Deny or Allow list by displaying entries, and removing them or adding new ones?

You can only set the NSF Table to be an Allow List or a Deny List. You cannot have two separate lists, one for Allow and another for Deny.

 

[stonypass]

You can only set the NSF Table to be an Allow List or a Deny List. You cannot have two separate lists, one for Allow and another for Deny.

Here is what I'm after, do I even need the Allow entries (at the bottom) at all?
If so, I guess I can configure routes for those?

VLAN Name Subnet Notes
1 Admin 192.168.50.0/24 My Phone/PC
60 Home 192.168.60.0/24 Phones, PCs, tablets
80 Media 192.168.80.0/24 Smart TV, Streaming Devices, HDHomeRun/Emby
90 IoT 192.168.90.0/24 Cameras, Smart Plugs/Switches
100 Guest 192.168.100.0/24 Internet-only, fully isolated

Network Services Filter List
Source Destination
1 192.168.100.0/24 192.168.50.0/24 TCP DENY
2 192.168.100.0/24 192.168.50.0/24 UDP DENY
3 192.168.100.0/24 192.168.60.0/24 TCP DENY
4 192.168.100.0/24 192.168.60.0/24 UDP DENY
5 192.168.100.0/24 192.168.80.0/24 TCP DENY
6 192.168.100.0/24 192.168.80.0/24 UDP DENY
7 192.168.100.0/24 192.168.90.0/24 TCP DENY
8 192.168.100.0/24 192.168.90.0/24 UDP DENY
9 192.168.60.0/24 192.168.50.0/24 TCP DENY
10 192.168.60.0/24 192.168.50.0/24 UDP DENY
11 192.168.80.0/24 192.168.50.0/24 TCP DENY
12 192.168.80.0/24 192.168.50.0/24 UDP DENY
13 192.168.80.0/24 192.168.60.0/24 TCP DENY
14 192.168.80.0/24 192.168.60.0/24 UDP DENY
15 192.168.80.0/24 192.168.90.0/24 TCP DENY
16 192.168.80.0/24 192.168.90.0/24 UDP DENY
17 192.168.90.0/24 192.168.50.0/24 TCP DENY
18 192.168.90.0/24 192.168.50.0/24 UDP DENY

19 192.168.60.0/24 192.168.90.0/24 TCP ALLOW
20 192.168.60.0/24 192.168.90.0/24 UDP ALLOW

 

[ColinTaylor]

The Network Services Filter blocks the LAN to WAN traffic (as it says at the top of the page), not LAN to LAN. Whether that's changed with the introduction of VLANs in the 3006.102 firmware I don't know.

 

[Tech9]

VLAN Name Subnet Notes

Your VLANs are isolated already. What you are trying to do is inter-VLAN routing between 60 and 90. I don't think there is GUI option, CLI only. Search around for examples. NSF is unrelated to what you need.