Why firewall in Simple Zone + SNAT not work

[david_tao]

Hi Everyone:
Have anyone can tell me have something I doing wrong? the Firewall rule in Simple Zone + SNAT just not work.
I have setup an Simple Zone with SNAT, and connect a VM into the Simple Zone. until now the VM was getted the IP 172.16.1.2 and the goto default GW(10.36.4.256) through NAT(172.16.1.1). That is all work fine.

And then because I want to limit the VM not to touch any host in 10.36.4.0/24 except the defaul GW(10.36.4.256) and still success go out to Internet, so I added some firewall rules in the Simple Zone as follow


After click "Apply" above firewall rules change in the SNAT0001, the VM in SNAT0001 is still get response from ping 10.36.4.93!

After that, I turn on the VM firewall and setup same rules, it work grate as charm.. ^_^!

 

[shanreich]

The VNet firewall is for traffic inside the VNet, i.e. traffic from 172.16.1.0/24 to 172.16.1.0/24
In your case you are using the host as gateway to reach the 10.36.4.93 - so you will need configure forward rules on the host, instead of inside the VNet.

 

[david_tao]

The VNet firewall is for traffic inside the VNet, i.e. traffic from 172.16.1.0/24 to 172.16.1.0/24
In your case you are using the host as gateway to reach the 10.36.4.93 - so you will need configure forward rules on the host, instead of inside the VNet.

Thank you very much, shanreich. so you mean is if I want separate 172.16.1.0/24 into two group (172.16.1.0/28 and 172.16.1.129/28) and let the two group can only communication with them own group, then I can make the firewall rule in Simple Zone, am I right?