Hi,
thanks to everyone who sent me tips and ideas about the topic.
At the moment I am testing "negated table" approach, which seems to work
fine:
block log all
pass in on $vlan_guests from $vlan_guests:network to ! <unroutable>
...where table <unroutable> is a list of subnets I don't want to be
reachable from the guest vlan (basically the <martians> table from the pf FAQ).
I have also been testing the "table with negated records" approach, which
also seems to work fine:
block log all
pass in on $vlan_guests from $vlan_guests:network to <routable>
...where <routable> is a list of negated subnets I don't want to be
reachable from the guest vlan (basically the <martians> table from the pf FAQ but
with negated records, plus 0.0.0.0/0 on top). Could it be that the pf FAQ is
outdated in saying that 0.0.0.0/0 shouldn't be used in tables? pfctl has no
problem adding, removing and listing the 0.0.0.0/0 subnet in tables.
I'll test some more and send some feedback.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
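The two approaches from the post side by side in one pf.conf fragment, as an added example (not the poster's own configuration). The interface name, the VLAN macro and the exact subnet list are assumptions; the subnets are a constructed set modelled on the pf FAQ martians list.

```conf
# Added example, not from the original message. Interface name is assumed.
vlan_guests = "vlan20"

# Approach 1: a plain table of networks the guest VLAN must not reach,
# used with a negated destination match in the rule.
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                     172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 240.0.0.0/4 }

# Approach 2: one table whose specific entries are negated. A lookup uses
# the most specific (longest-prefix) entry, so 0.0.0.0/0 makes every
# address match except those covered by a negated, more specific entry.
table <routable> { 0.0.0.0/0, !0.0.0.0/8, !10.0.0.0/8, !127.0.0.0/8, \
                   !169.254.0.0/16, !172.16.0.0/12, !192.0.2.0/24, \
                   !192.168.0.0/16, !240.0.0.0/4 }

block log all

# Approach 1: destination must NOT be in <unroutable>
pass in on $vlan_guests from $vlan_guests:network to ! <unroutable>

# Approach 2 (equivalent intent): destination must be in <routable>
# pass in on $vlan_guests from $vlan_guests:network to <routable>
```

`pfctl -nf /etc/pf.conf` checks that the file parses without loading it, and `pfctl -t routable -T test 10.1.2.3` (or any address of interest) reports whether that address matches the loaded table, which is the quickest way to confirm the negated-entry semantics before trusting the rule.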