Hi guys,
has anyone successfully implemented a zone-based firewall including DPI-based filtering? I've got an ER-8-Pro with 8 zones and one ruleset per pair (lan-wan, guests-wan, lan-local, guests-local [...]). The wan zone contains two WAN interfaces, eth1 (inactive) and pppoe0 (active and default gateway).
Everything's working as expected except for application based filtering. When trying to filter traffic in the 'lan-wan' ruleset (lan traffic leaving the wan interface) it simply won't match the traffic of the selected application set (e.g. Facebook as part of Social-Network).
admin@rb01# show firewall name lan-wan
 default-action drop
 rule 10 {
     action drop
     application {
         category Social-Network
     }
     description "test: drop social networks"
     log disable
     protocol all
 }
 rule 20 {
     action accept
     description "accept established/related"
     state {
         established enable
         related enable
     }
 }
 rule 30 {
     action drop
     description "drop invalid"
     log disable
     state {
         invalid enable
     }
 }
 rule 40 {
     action drop
     description "block public dns"
     destination {
         port 53
     }
     log disable
     protocol tcp_udp
 }
 rule 50 {
     action accept
     description "general outbound"
     log disable
     protocol all
 }
[edit]
No matches. Am I overlooking something? Anyone else having the same problem?