This should be really simple in blocking two VLANs from communicating with each other, but this is failing miserably. I've created the two L3 outbound firewall rules as per below:
When testing via the MX itself I'm able to ping through to devices on the 10.228.139.0/24 subnet from 10.228.138.0/24.
This can also be seen via a packet capture on the LAN:
I'm 200 miles away from site, so I can't test locally, before anyone asks 😉
Is 10.228.138.1 an SVI on your MX?
I think that behavior is expected. I don't think you are able to ping hosts with that rule, but you can ping the default gateways.
Hi @RaphaelL, the SVIs are on the MX itself. Agree that pinging the SVIs may be possible due to traffic/packet flow, but I shouldn't be able to ping the hosts, which in this instance I can.
Correct.
I believe I saw that behavior in the documentation but I can't find it ...
I believe locally sourced traffic will not abide by your layer 3 policies. <-- This is probably the reason why. So you would probably need 2 hosts on the 2 VLANs to test.
I could request a support ticket 😂 😉
I expect that this is something like it is on the ASA as well. Traffic generated from the box itself is not subject to ACLs.
Can't you test it locally? 😉
+1, I believe locally sourced traffic will not abide by your layer 3 policies.
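Added example, not from the thread and not Meraki's own code: a small Python model of first-match L3 outbound rule evaluation with the locally-sourced exemption the replies above describe, showing why a ping from the MX's own SVI never exercises the inter-VLAN deny rules while a host-to-host flow does. The rule set, the MX SVI addresses and the host IPs are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed rule set modelled on the thread: two L3 outbound deny rules
# between the VLAN subnets, followed by the implicit default allow.
# The exact rules on the poster's dashboard are not shown, so this is an assumption.
RULES = [
    {"policy": "deny",  "src": "10.228.138.0/24", "dst": "10.228.139.0/24"},
    {"policy": "deny",  "src": "10.228.139.0/24", "dst": "10.228.138.0/24"},
    {"policy": "allow", "src": "any", "dst": "any"},   # implicit default rule
]

# Addresses owned by the MX itself (its VLAN SVIs). 10.228.138.1 is from the
# thread; 10.228.139.1 is an assumed SVI for the second VLAN. Traffic sourced
# from these addresses is generated by the appliance and skips the L3 rules.
MX_OWNED = {"10.228.138.1", "10.228.139.1"}


def _matches(cidr, ip):
    """True if ip falls inside cidr, or if the rule field is the wildcard 'any'."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(src_ip, dst_ip, rules=RULES, mx_owned=MX_OWNED):
    """Return (verdict, reason) for a flow using first-match semantics."""
    if src_ip in mx_owned:
        return "allow", "locally sourced: L3 outbound rules not evaluated"
    for i, rule in enumerate(rules, 1):
        if _matches(rule["src"], src_ip) and _matches(rule["dst"], dst_ip):
            return rule["policy"], f"matched rule {i}"
    return "allow", "no rule matched"  # unreachable with a trailing any/any rule


def describe(src_ip, dst_ip):
    """One-line summary of what a ping between two endpoints actually tests."""
    verdict, reason = evaluate(src_ip, dst_ip)
    return f"{src_ip} -> {dst_ip}: {verdict} ({reason})"


if __name__ == "__main__":
    # The dashboard ping tool sources packets from the MX's own SVI,
    # so its result says nothing about the inter-VLAN deny rules.
    print(describe("10.228.138.1", "10.228.139.20"))
    # A host-to-host test is what actually hits the rule set.
    print(describe("10.228.138.20", "10.228.139.20"))
    # Constructed destination outside both VLANs: falls through to the default allow.
    print(describe("10.228.138.20", "192.0.2.10"))
```

Feeding the script a flow per VLAN pair before a site visit lets you check the rule ordering offline; the real MX evaluation is stateful and richer than this model, so treat it as a sanity check on rule logic, not a substitute for the two-host test.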
So what we're saying is these rules could be working, but there's just no way of me testing using the dashboard remotely?
I even bet that these rules will work. 😉
I would be highly disappointed in you if you didn't deploy a full stack so that you can test from the APs for example ... 😉
Off to build a full stack...
😂 - there's always one. Better get in the car.