Isn’t NAT-PMP a LAN-side-only thing? If so, then I don’t think that an internal firewall rule is appropriate. I think they are intended for controlling VLAN-to-VLAN access and VLAN to untagged LAN access. Take this with a grain of salt, a bit over my head here.
I am somewhat out of my depth, but I think by definition a firewall lives at the boundary of two networks. Traffic from one LAN device to another LAN device traverses no boundary, so firewalls don’t come into play. The exception is if the LAN-side devices are in different VLANs. You can have internal firewall rules that govern VLAN-to-VLAN traffic.
Right. Obviously I don’t expect the firewall to do anything with traffic that doesn’t hit the router’s LAN ports. I guess I just want to know more about what exactly “Internal Network Firewall” can do, or how to properly use it.
Since NAT-PMP is a service running on the router, the traffic has to hit the router’s LAN port (UDP 5351)… I know that my deny rule “no nat-pmp” does kill the NAT-PMP function… nothing can use it… so I know the filter is working. My problem is trying to get an exception to that rule to work. I want 1.8 to be able to use it.
To extend on @Michael234’s guidance, there are two firewalls available:
between the WAN & LAN sides of the network
between the VLANs
There is no ability to firewall on the same LAN/VLAN segment of the Balance routers (and from my checks that includes the SD Switch series). If you want to operate a firewall between the physical LAN ports, you will need to assign each of them to a separate VLAN and then set up suitable rules between the VLANs.
Have a look at this previous reply; it highlights six different threads on setting up VLANs. Most of it is to do with InControl2, though there is some good information there.