Internal firewall--how to specify rule with a "network" source or destination

Surf SOHO Mk3 running 8.0.1: With Inter-VLAN routing turned off for all four of my VLAN subnets, I’m trying to allow devices on one of the subnets to communicate with a printer on a separate subnet by creating an Internal Network Firewall Rule. I try to select “Network” for the Source, but then I’m apparently not clear on how to call out the corresponding IP address… let’s say, “192.168.1.x” isn’t valid (“192.168.1.*” also doesn’t work), so I try using the gateway for that subnet: “192.168.1.2”. The latter is accepted as valid. Mask is 255.255.255.0 (/24). For the printer, I specify “Single address” and enter the IP address 10.2.2.10. However, there’s no successful communication between 192.168.1.x and the printer. I can ping the printer from the router on the printer’s subnet, but not from the intended source subnet.

Is there something obvious I’m doing wrong?

  1. Inter-VLAN routing needs to be turned on for the 2 subnets you want to talk to each other.
  2. Create 2 firewall rules…
     2A. 192.168.1.1/24 to 10.2.2.10 allow
     2B. 10.2.2.10 to 192.168.1.1/24 allow

Thank you! I turned on Inter-VLAN routing on both subnets and created the two internal firewall rules as you suggested… The good news is that I’m successfully able to ping the printer from the other subnet. The bad news is that I still cannot actually print to the printer from a computer on the other subnet, so it is still a work in progress, possibly an issue with settings (port tagging) on a couple of intervening managed switches.

Nevertheless, this fix upends my understanding of the Surf SOHO’s implementation of internal firewalls between subnets. I assumed that by UNchecking “Enable Inter-VLAN routing”, one was instructing the router to create an internal firewall for that subnet, and only then would need to create rules for any exceptions needed. Conversely, if “Enable Inter-VLAN routing” is checked, then it would not establish a firewall; any subnet-to-subnet traffic would be allowed.

But apparently the internal firewall is there REGARDLESS of whether that Inter-VLAN routing box is checked or not… the only difference is that it needs to be enabled/checked for any exception rules to work… is that it?

Michael Horowitz’s configuration recommendations for the Surf SOHO include NOT enabling Inter-VLAN routing. But perhaps his advice really pertains to the VLAN=1 untagged LAN and any subnet just for guest internet access, not necessarily to other VLAN subnets where some sharing makes sense?

Yes. Think of them as 2 steps. Step 1. Route, Step 2. Firewall. They are both there and both have to be successful.
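The "route first, then firewall" model from the reply above, together with the earlier question of how a "Network" endpoint is written (a host address plus a mask, not a wildcard like 192.168.1.x), is shown below as an added example. It is not code from the thread or from Peplink; it is a small Python model of the two checks using the standard `ipaddress` module. The VLAN table (including a constructed guest subnet 192.168.50.0/24 with routing left off), the rule list, and the function names `parse_endpoint`, `is_valid_endpoint`, `vlan_of` and `check` are all assumptions made for the illustration; the two allow rules are the ones from the thread.

```python
import ipaddress

def parse_endpoint(spec, mask=None):
    """Turn a rule endpoint into an ip_network.

    'Single address' -> spec alone (a /32).
    'Network'        -> a host inside the subnet (e.g. the gateway) plus a mask.
    strict=False is what makes '192.168.1.2' + 255.255.255.0 mean 192.168.1.0/24.
    Wildcard forms such as '192.168.1.x' raise ValueError, matching the UI's refusal.
    """
    if mask is not None:
        spec = f"{spec}/{mask}"
    return ipaddress.ip_network(spec, strict=False)

def is_valid_endpoint(spec, mask=None):
    """True when the UI-style endpoint parses, False for wildcard-like input."""
    try:
        parse_endpoint(spec, mask)
        return True
    except ValueError:
        return False

# Constructed VLAN table: subnet -> whether "Enable Inter-VLAN routing" is checked.
VLANS = {
    ipaddress.ip_network("192.168.1.0/24"): True,    # client subnet
    ipaddress.ip_network("10.2.2.0/24"): True,       # printer subnet
    ipaddress.ip_network("192.168.50.0/24"): False,  # guest subnet (assumed), routing off
}

# The two rules from the thread: (source, destination, action). First match wins.
RULES = [
    (parse_endpoint("192.168.1.1", "255.255.255.0"), parse_endpoint("10.2.2.10"), "allow"),
    (parse_endpoint("10.2.2.10"), parse_endpoint("192.168.1.1", "255.255.255.0"), "allow"),
]
DEFAULT_ACTION = "deny"  # the internal firewall is always on; no rule means deny

def vlan_of(addr, vlans):
    """Return the VLAN subnet containing addr, or None if it is not on any VLAN."""
    for net in vlans:
        if addr in net:
            return net
    return None

def check(src, dst, vlans=VLANS, rules=RULES):
    """Decide whether src may reach dst. Returns (stage, decision)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan, dst_vlan = vlan_of(src, vlans), vlan_of(dst, vlans)
    if src_vlan is None or dst_vlan is None:
        return ("route", "deny")            # unknown subnet: nothing to route
    if src_vlan == dst_vlan:
        return ("route", "allow")           # same subnet: switched, never hits the router
    # Step 1: route. Both VLANs must have inter-VLAN routing enabled.
    if not (vlans[src_vlan] and vlans[dst_vlan]):
        return ("route", "deny")
    # Step 2: firewall. Evaluate rules in order; fall through to the default.
    for rule_src, rule_dst, action in rules:
        if src in rule_src and dst in rule_dst:
            return ("firewall", action)
    return ("firewall", DEFAULT_ACTION)

if __name__ == "__main__":
    print(parse_endpoint("192.168.1.2", "255.255.255.0"))  # 192.168.1.0/24
    print(check("192.168.1.50", "10.2.2.10"))              # ('firewall', 'allow')
    # The original situation: routing off everywhere, so the rules never get a chance.
    routing_off = {net: False for net in VLANS}
    print(check("192.168.1.50", "10.2.2.10", vlans=routing_off))  # ('route', 'deny')
```

The `routing_off` case is the symptom described at the top of the thread: with inter-VLAN routing unchecked, packets are dropped at the routing step and the allow rules are never consulted, which is why adding rules alone changed nothing.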

A good use for turning off inter-vlan routing is guest VLANs… I want to keep a guest device that might have malware from infecting my protected devices on other VLANs. I could write a firewall rule to accomplish the same thing, but turning off routing for the Guest VLAN is easier and faster :slight_smile:

The firewalls in these devices are always on. No way to turn them off, just a way to allow all or deny all. :slight_smile: