How do I block a subnet or interface from accessing others?

Do you have an interface that needs to be blocked from accessing other interfaces? Maybe you want to prevent your guest Wifi from accessing your internal devices or perhaps you have an interface devoted to file servers which should not have access to the Internet. 

You can create those rules in Config > Network > Filter Rules. You'll need to create one rule for each interface you want to restrict. Each rule will include the conditions:

  • Source Interface is [the interface you're restricting access from]
  • Destination Interface is [any interfaces the source interface is not allowed to access]

For example, maybe you've got remote users connecting via OpenVPN and want them to be able to access internal devices, but not to reach the internet through the External interface of your NGFW. You could create a rule like this:

Alternately, if the goal is to allow OpenVPN to only access LAN devices (and explicitly nothing else in your network, including WANs and other VPNs), you could use 'is not' plus the interface(s) they are allowed to reach:


If you want to completely segregate interfaces from one another, remember that you'll need to block it both ways. Following the above article, if you want to prevent internal devices from accessing those connected via OpenVPN, you'll want to reverse the rule:

Was this article helpful?
3 out of 5 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk