Deny access from green to blue


I’ve successfully blocked access from the blue network to green - maybe this is the default anyway. Nevertheless, I can access the blue network from green.

At least I can ping blue IP-addresses from a command line running on a client in green network.

So how can I block this access, too? I already have those rules in place:


No, the GREEN network is allowed to access any other network by default.

You must have another firewall rule that permits this then.

So by

you mean to prevent PINGs from green to blue, right? My rules from above are not sufficient if correct at all?

If that rule was the only one it would be correct and sufficient. But rules work on a top-to-bottom first match. The one that matches first will be acted on. NAT rules always have priority.

The first rule is on position 3 and no further rules regarding the green or blue interface are before.
The second rule posted in OP is the first and only one.

Nevertheless, a ping to a blue client is possible. The blue client cannot access the green network.

OTOH, I guess I’ve got a totally different issue here because a Wireshark session, running on a blue client, logs various broadcasts (protocol ARP) from the green network, and this should not occur IMO.

Looks like you have a switch in the green network connected to one in the blue network.


Guess you are correct! I need to re-think my config about the blue network using VLAN-ID 100.

OTOH, I think it’s merely an issue with my virt. machine where Wireshark reported those broadcasts. The virt. machine is using its own dedicated network adapter configured to use VLAN-ID 100. This machine is running on a Windows host in the green network, though. Maybe this is the root of the broadcasts?