I've got an MX64 and MS120-8 in a waste water treatment plant with two VLANs. One for data and one for controls.
The machine that controls the PLCs and other equipment lives on the controls VLAN and needs internet access, but the rest of the equipment on that VLAN doesn't need access.
What I'm having trouble determining is how to block just internet access for the PLCs and other equipment, while still allowing them to communicate on the LAN.
Any ideas are appreciated.
Thanks for the suggestion. I was over-thinking the solution.
I created two rules:
1: Allow any/any for the machine
2: Deny any/any for the entire controls subnet
Note that this also means that your PLCs won't be able to initiate connections to the "machine". This is fine if all communication is initiated from the "machine" (because the firewall is stateful), but if not, you're better off doing what @jdsilva said. E.g. a PLC needs to get new firmware over TFTP from the "machine".
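An added example (not from the thread or from Meraki) that models the two-rule set above as a top-down, first-match, stateful rule list and replays the flows discussed: machine to internet, PLC to internet, machine-initiated Modbus with its reply, and a PLC-initiated TFTP request. The addresses and ports are constructed, and the model assumes every flow shown is actually routed through the MX (traffic that stays inside one VLAN on the switch never reaches the MX's L3 rules).

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the thread): controls VLAN is
# 10.20.0.0/24, the HMI "machine" is 10.20.0.10, one PLC is 10.20.0.50,
# and 203.0.113.5 stands in for any internet host.
MACHINE, PLC, INTERNET = "10.20.0.10", "10.20.0.50", "203.0.113.5"
ANY = ip_network("0.0.0.0/0")

# The two rules from the thread, evaluated top-down, first match wins,
# implicit allow if nothing matches.
RULES = [
    ("allow", ip_network(MACHINE + "/32"), ANY),   # 1: allow any/any for the machine
    ("deny", ip_network("10.20.0.0/24"), ANY),     # 2: deny any/any for the controls subnet
]

def match_rules(src, dst, rules=RULES):
    """Action of the first rule whose source and destination networks contain the flow."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "allow"  # no rule matched: default permit

class StatefulFirewall:
    """Toy stateful model: a new flow is checked against the rules; packets that
    belong to an already-permitted flow (either direction) bypass the rules."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()  # (src, sport, dst, dport) of permitted new flows

    def packet(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows or (src, sport, dst, dport) in self.flows:
            return "allow"  # established or return traffic
        action = match_rules(src, dst, self.rules)
        if action == "allow":
            self.flows.add((src, sport, dst, dport))
        return action

def simulate():
    """Replay the flows discussed in the thread through one firewall instance."""
    fw = StatefulFirewall()
    return {
        "machine -> internet": fw.packet(MACHINE, 50001, INTERNET, 443),
        "plc -> internet": fw.packet(PLC, 50002, INTERNET, 443),
        "machine -> plc (Modbus)": fw.packet(MACHINE, 50003, PLC, 502),
        "plc -> machine (Modbus reply)": fw.packet(PLC, 502, MACHINE, 50003),
        "plc -> machine (PLC-initiated TFTP)": fw.packet(PLC, 50004, MACHINE, 69),
    }

if __name__ == "__main__":
    for flow, verdict in simulate().items():
        print(f"{flow:40s} {verdict}")
```

Swapping the order of the two rules makes the subnet-wide deny match the machine first, which is why rule 1 has to sit above rule 2.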