On Mon, May 4, 2020 at 4:43 PM Marko Cupać <marko.cu...@mimar.rs> wrote:
> ...so I can permit hosts on guest vlan access Internet hosts, but not
> hosts on other private vlans similar to:
>
> block log all
> pass in on $guest_vlan from $guest_vlan:network to <routable>

I suspect the best path forward here is:

block log all
pass in on $guest_vlan from $guest_vlan:network to ! <guest-unroutable>

Then make a <guest-unroutable> table that's like <martians>, but also
including your other vlan subnets you don't want guests to be able to
reach.

Each entry added to a table is implicitly an 'or'. So adding A and B to
<test> means that you get a match if you check for A, or you check for B.

And adding !A and !B means that <test> matches if it's not A, OR not B.
A satisfies '!B' so that matches, B satisfies '!A' so that matches, and
indeed anything else also matches.

So using ! *inside* a table definition rarely does what you intend.
Using ! <table>, however, is fine and should do what you want.

-ken
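The table-plus-negated-rule layout described in the reply, written out as an added pf.conf fragment (not from the thread); the interface names, subnets and the upstream interface are assumed values.

```pf
# Added example, not from the thread. Assumed: guests on vlan20
# (192.168.20.0/24), other private VLANs on 192.168.10.0/24 and
# 10.0.0.0/24, upstream interface em0. Adjust to the real layout.
ext_if     = "em0"
guest_vlan = "vlan20"

# Everything guests must never reach: martian/bogon space plus the other
# private VLAN subnets. Table entries are OR'ed together, so each one is
# listed positively; the negation belongs in the rule, not in the table.
table <guest-unroutable> const {
    0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, 240.0.0.0/4,
    192.168.10.0/24, 10.0.0.0/24
}

# The pitfall from the thread, for contrast. Entries are OR'ed, so an
# address outside 192.168.10.0/24 matches the first entry and an address
# inside it matches the second: this table matches every address.
# table <guest-unroutable-wrong> { !192.168.10.0/24, !10.0.0.0/24 }

block log all

# DHCP in both directions on the guest VLAN (DHCPDISCOVER comes from
# 0.0.0.0, so it cannot be matched with "from $guest_vlan:network").
pass quick on $guest_vlan inet proto udp from port { 67, 68 } to port { 67, 68 }

# DNS to the gateway's own address on the guest VLAN.
pass in quick on $guest_vlan inet proto { tcp, udp } \
    from $guest_vlan:network to ($guest_vlan) port 53

# Guests may reach anything that is NOT in the table: "to ! <table>"
# negates the whole table match, which is the wanted behaviour.
pass in on $guest_vlan from $guest_vlan:network to ! <guest-unroutable>

# Forwarded guest traffic leaves via the upstream interface.
pass out on $ext_if from $guest_vlan:network to any
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -t guest-unroutable -T test 192.168.10.5` to confirm a blocked address actually matches the table.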