I’ve successfully blocked access from the blue network to green - maybe this is the default anyway. Nevertheless, I can access the blue network from green.
At least I can ping blue IP addresses from a command line running on a client in the green network.
So how can I block this access, too? I already have those rules in place:
If that rule was the only one, it would be correct and sufficient. But rules work on a top-to-bottom, first-match basis: the one that matches first is the one acted on. NAT rules always have priority.
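To make the first-match point concrete, here is an added example (not code from the thread or from the firewall's own rule engine) that models a rule table evaluated top to bottom. The subnets, rule positions and the "green -> any" allow rule are constructed assumptions, since the original rule screenshots are not reproduced here; the point is only that a broad rule placed above a specific green -> blue block shadows it, while moving the block above the allow makes the ping drop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample subnets (assumption: not the poster's real addressing).
GREEN = ipaddress.ip_network("192.168.1.0/24")
BLUE = ipaddress.ip_network("192.168.2.0/24")
ANY = None  # wildcard for src, dst or protocol


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[str]  # "icmp", "tcp", ... or ANY
    action: str           # "ACCEPT" or "DROP"
    comment: str = ""


def _match_net(net: Optional[ipaddress.IPv4Network], addr: ipaddress.IPv4Address) -> bool:
    return net is None or addr in net


def matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, proto: str) -> bool:
    return (_match_net(rule.src, src)
            and _match_net(rule.dst, dst)
            and (rule.proto is None or rule.proto == proto))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             default: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the table top to bottom; the first matching rule decides.

    Returns (action, 1-based position of the rule that fired, or None when
    nothing matched and the default policy applied).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pos, rule in enumerate(rules, start=1):
        if matches(rule, s, d, proto):
            return rule.action, pos
    return default, None


# Table A (hypothetical): a broad "green may reach anything" rule sits above
# the green -> blue block, so the block is never reached.
SHADOWED = [
    Rule(GREEN, ANY, ANY, "ACCEPT", "green -> any (too broad, placed first)"),
    Rule(BLUE, GREEN, ANY, "DROP", "blue -> green"),
    Rule(GREEN, BLUE, ANY, "DROP", "green -> blue (shadowed)"),
]

# Table B (hypothetical): the specific block is moved above the broad allow.
FIXED = [
    Rule(GREEN, BLUE, ANY, "DROP", "green -> blue"),
    Rule(BLUE, GREEN, ANY, "DROP", "blue -> green"),
    Rule(GREEN, ANY, ANY, "ACCEPT", "green -> any"),
]


def ping_from_green_to_blue(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    # Constructed hosts: .10 in green pings .20 in blue.
    return evaluate(rules, "192.168.1.10", "192.168.2.20", "icmp")


def ping_from_blue_to_green(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    return evaluate(rules, "192.168.2.20", "192.168.1.10", "icmp")


if __name__ == "__main__":
    for name, table in (("shadowed", SHADOWED), ("fixed", FIXED)):
        print(f"{name:8s} green->blue: {ping_from_green_to_blue(table)}"
              f"  blue->green: {ping_from_blue_to_green(table)}")
```

Running it shows the green -> blue ping accepted by rule 1 in the shadowed table and dropped by rule 1 in the fixed table, while blue -> green is dropped in both. Note that this models layer-3 rule order only: ARP broadcasts seen in Wireshark are link-layer traffic and are not decided by these rules at all, so they point at VLAN or adapter configuration rather than at the rule table.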
The first rule is in position 3, and there are no other rules regarding the green or blue interface before it.
The second rule posted in the OP is the first and only one.
Nevertheless, a ping to a blue client is possible. The blue client cannot access the green network.
OTOH, I guess I’ve got a totally different issue here, because a Wireshark session running on the blue client logs various broadcasts (ARP protocol) from the green network, and this should not occur IMO, I assume.
Guess you are correct! I need to rethink my config for the blue network using VLAN ID 100.
OTOH, I think it’s merely an issue with my virt. machine, where Wireshark reported those broadcasts. The virt. machine is using its own dedicated network adapter configured to use VLAN ID 100. This machine is running on a Windows host in the green network, though. Maybe this is the root of the broadcasts?