Let me try to explain in more detail.
My ISP router has the IP 192.168.1.1 and is connected to the internet.
At the WAN port of the ISP router my Turris is wired with a static IP, 192.168.1.2.
From the ISP router to the Turris there is a static route: target network 192.168.2.0, forward to 192.168.1.2.
On my Turris I have the interfaces WAN and LAN (internal IT devices and PlayStation).
The Turris network setting is 192.168.2.1 (<- it is a different, "internal" IP than the static IP from the ISP router).
My aim is to block every connection from WAN to the LAN, as long as I don't set a specific policy to allow traffic.
And what I don't understand is my settings.
wan > drop: input, output and forward are drop
lan (every eth and wifi) > wan: is allow
For my understanding, every connection from WAN to LAN should now be stopped, and so the connection from the ISP over WAN to my LAN should also be blocked, right?
Maybe I do not understand the concept of zoning. The GUI is a bit strange, especially within the zone settings.
//Edit: Let me test something else.
I have my iPad over WiFi at the ISP with a static IP: 192.168.1.150.
With the current setting, I am not allowed to connect to the Turris 192.168.2.1.
Now I create a traffic policy: from WAN, IP 192.168.1.150, to LAN, destination 192.168.2.1, to allow. But the connection is not working.
///Edit:
I tried also these settings:
Zone WAN to LAN: input, output, forward to drop
Traffic policy: from WAN (source IP iPad 192.168.1.150) to source LAN (IP 192.168.2.1): Allow
→ it creates an allow forward policy (why forward?!)
Result: I can NOT access the Turris (192.168.2.1).
When I create a policy
WAN (dest IP iPad) to "this device", dest port 192.168.2.1
→ it creates an allow output
Result: My iPad can access all IPs, not only 192.168.2.1... This is really strange to me.
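An added example (not from the poster or the Turris project) of what the setup above looks like in OpenWrt's `/etc/config/firewall`, using the poster's addresses; rule names and the LAN host 192.168.2.50 are placeholders of mine. The point it shows: a rule whose `dest` option is set goes into the forward chain (traffic passing through the router to a LAN host), while a rule without `dest` goes into the input chain, which is the one that matters for reaching the Turris itself at 192.168.2.1.

```uci
# /etc/config/firewall fragment (added example, not the original post's config)

# WAN zone: keep input and forward at DROP so nothing from the ISP side
# reaches the router or the LAN unless a rule below allows it.
# 'output' governs traffic the router itself originates (DNS, updates);
# setting it to DROP does not affect forwarded lan -> wan traffic.
config zone
	option name 'wan'
	list network 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# lan -> wan stays allowed; deliberately no wan -> lan forwarding section.
config forwarding
	option src 'lan'
	option dest 'wan'

# Traffic from the iPad to the router's own address is INPUT, not FORWARD.
# No 'dest' option here, so the rule lands in the wan input chain.
config rule
	option name 'Allow-iPad-to-router'
	option src 'wan'
	option src_ip '192.168.1.150'
	option dest_ip '192.168.2.1'
	option proto 'all'
	option target 'ACCEPT'

# A forward rule ('dest' set) is only for traffic that passes through the
# router to a host behind it. 192.168.2.50 is a placeholder LAN host.
config rule
	option name 'Allow-iPad-to-one-LAN-host'
	option src 'wan'
	option src_ip '192.168.1.150'
	option dest 'lan'
	option dest_ip '192.168.2.50'
	option proto 'all'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart` and check which chain each rule landed in with `fw3 print` or `fw4 print`, depending on the firmware's firewall implementation.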