One Way Guest Firewall Rule

I’m trying to block untrusted networks from my internal network with two exceptions:

  • Any device on the untrusted network can hit my public webserver on Internal.
  • Any device on Internal can manage any device on Untrusted.

I applied this to the IN direction on all Untrusted interfaces with a default of AcceptAll.

Half of it works as expected. The untrusted clients can hit the webserver (after fixing the hairpin NAT issue). But why can’t Internal connect to Untrusted? If I remove the third drop-all rule, then traffic flows both ways.

I only have policies on WAN (IN, LOCAL) and Untrusted (IN, LOCAL) interfaces. There isn’t a policy defined on the Internal interface.

Put stuff like web-servers and Email into a zone (and call it DMZ), then allow internal, guest and public into that zone.

Internal is transitioning to DMZ. Untrusted is/will be a half dozen VLANs designed for workstations, employee devices, public wifi, etc. I want to lock down traffic between all of these groups once I figure out how to configure a firewall (and upgrade my switches).

Okay, I had to add a rule to allow established/connected. Since it was an IN rule on the untrusted, it couldn’t reply back to the Internal network.