Network Services Filters on RT-BE86U

stonypass

Occasional Visitor
Setting up a new RT-BE86U with an Admin (Main) and several VLAN networks, on the latest Merlin firmware for that model.

I'm entering rules in network services filters and apparently don't understand how that part of the GUI works.
If I select Deny in the drop down and enter: Source IP - 192.168.90.0/24 (90=IoT VLAN), Destination IP - 192.168.50.0/24 (50=Admin), select TCP, click the Plus to add it below, then click Apply, it appears to have run.
If I then use the drop down to select Allow, the previous entry is still there.

Can the GUI not be used to edit the Deny or Allow list by displaying entries, and removing them or adding new ones?
 
If I then use the drop down to select Allow, the previous entry is still there.

Can the GUI not be used to edit the Deny or Allow list by displaying entries, and removing them or adding new ones?
You can only set the NSF Table to be an Allow List or a Deny List. You cannot have two separate lists, one for Allow and another for Deny.
 
You can only set the NSF Table to be an Allow List or a Deny List. You cannot have two separate lists, one for Allow and another for Deny.
Here is what I'm after, do I even need the Allow entries (at the bottom) at all?
If so, I guess I can configure routes for those?

VLAN  Name   Subnet            Notes
1     Admin  192.168.50.0/24   My Phone/PC
60    Home   192.168.60.0/24   Phones, PCs, tablets
80    Media  192.168.80.0/24   Smart TV, Streaming Devices, HDHomeRun/Emby
90    IoT    192.168.90.0/24   Cameras, Smart Plugs/Switches
100   Guest  192.168.100.0/24  Internet-only, fully isolated

Network Services Filter List
#   Source            Destination      Protocol  Action
1   192.168.100.0/24  192.168.50.0/24  TCP       DENY
2   192.168.100.0/24  192.168.50.0/24  UDP       DENY
3   192.168.100.0/24  192.168.60.0/24  TCP       DENY
4   192.168.100.0/24  192.168.60.0/24  UDP       DENY
5   192.168.100.0/24  192.168.80.0/24  TCP       DENY
6   192.168.100.0/24  192.168.80.0/24  UDP       DENY
7   192.168.100.0/24  192.168.90.0/24  TCP       DENY
8   192.168.100.0/24  192.168.90.0/24  UDP       DENY
9   192.168.60.0/24   192.168.50.0/24  TCP       DENY
10  192.168.60.0/24   192.168.50.0/24  UDP       DENY
11  192.168.80.0/24   192.168.50.0/24  TCP       DENY
12  192.168.80.0/24   192.168.50.0/24  UDP       DENY
13  192.168.80.0/24   192.168.60.0/24  TCP       DENY
14  192.168.80.0/24   192.168.60.0/24  UDP       DENY
15  192.168.80.0/24   192.168.90.0/24  TCP       DENY
16  192.168.80.0/24   192.168.90.0/24  UDP       DENY
17  192.168.90.0/24   192.168.50.0/24  TCP       DENY
18  192.168.90.0/24   192.168.50.0/24  UDP       DENY

19  192.168.60.0/24   192.168.90.0/24  TCP       ALLOW
20  192.168.60.0/24   192.168.90.0/24  UDP       ALLOW
 
The Network Services Filter blocks the LAN to WAN traffic (as it says at the top of the page), not LAN to LAN. Whether that's changed with the introduction of VLANs in the 3006.102 firmware I don't know.
 
VLAN Name Subnet Notes

Your VLANs are isolated already. What you are trying to do is inter-VLAN routing between 60 and 90. I don't think there is a GUI option, CLI only. Search around for examples. NSF is unrelated to what you need.
 
The Network Services Filter blocks the LAN to WAN traffic (as it says at the top of the page), not LAN to LAN. Whether that's changed with the introduction of VLANs in the 3006.102 firmware I don't know.
Thanks

Tech9:
Your VLANs are isolated already. What you are trying to do is inter-VLAN routing between 60 and 90. I don't think there is a GUI option, CLI only. Search around for examples. NSF is unrelated to what you need.
Thanks
 
Here is what I'm after, do I even need the Allow entries (at the bottom) at all?
If so, I guess I can configure routes for those?

VLAN  Name   Subnet            Notes
1     Admin  192.168.50.0/24   My Phone/PC
60    Home   192.168.60.0/24   Phones, PCs, tablets
80    Media  192.168.80.0/24   Smart TV, Streaming Devices, HDHomeRun/Emby
90    IoT    192.168.90.0/24   Cameras, Smart Plugs/Switches
100   Guest  192.168.100.0/24  Internet-only, fully isolated

19  192.168.60.0/24   192.168.90.0/24  TCP       ALLOW
20  192.168.60.0/24   192.168.90.0/24  UDP       ALLOW
As indicated, if you have already set up Guest Network Pro or Network profiles that are already isolated from the main LAN, then Network Services Filter isn't needed for what you seek. Instead you will likely have to use custom firewall scripting to configure iptables (or similar) to allow traffic from the 192.168.60.0/24 to the 192.168.90.0/24 network. Use the forum search feature to find the many past discussions and examples of iptables scripting (likely using /jffs/scripts/firewall-start) to allow traffic between isolated networks.
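
The firewall-start approach suggested in the reply above, sketched as an added example that is not from any poster in this thread or from the firmware project. It opens the path in one direction only: Home (192.168.60.0/24) may initiate connections to IoT (192.168.90.0/24), while IoT may only answer them. Assumptions: isolation between the networks is enforced in the iptables FORWARD chain and rules inserted at its top are evaluated first; the names `rule_specs`, `apply_rules` and `DRY_RUN` are hypothetical.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start (not code from the thread).
# Assumption: inter-network isolation lives in the iptables FORWARD chain,
# so ACCEPT rules inserted at the top of that chain take effect first.
HOME_NET="192.168.60.0/24"   # VLAN 60 (Home), from the thread's table
IOT_NET="192.168.90.0/24"    # VLAN 90 (IoT), from the thread's table
DRY_RUN="${DRY_RUN:-1}"      # 1 = only print the commands, 0 = apply them

# Print the rule specs (without -I/-C) for a one-way opening:
# $1 may initiate connections to $2, while $2 may only send replies.
rule_specs() {
    echo "FORWARD -s $1 -d $2 -j ACCEPT"
    echo "FORWARD -s $2 -d $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Insert each rule unless it is already present, so running the script
# again does not stack duplicate rules.
apply_rules() {
    rule_specs "$1" "$2" | while read -r spec; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "iptables -I $spec"
        else
            # $spec is intentionally unquoted: it must split into arguments
            iptables -C $spec 2>/dev/null || iptables -I $spec
        fi
    done
}

apply_rules "$HOME_NET" "$IOT_NET"
```

Run it with the default `DRY_RUN=1` first and compare the printed commands against `iptables -S FORWARD` on the router before setting `DRY_RUN=0`.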
 
@stonypass - keep it simple and you'll be happier. One network for all trusted devices, one for guests and eventually separate for IoTs. This in case you want to play with CLI or access your IoTs over Internet. Even simpler is one Main network for all your devices and one for Guests. This is a home router and home network, not a business environment. Don't hurt other users' experience with your sysadmin ideas.
 
