Missing something simple - DMZ rules

[itcinc]

I just setup a new device with 3 interfaces
External - [static IP]
Internal - 192.168.1.0/24
DMZ - 192.168.2.0/24

Straight from the wiki is a description of what I want to accomplish:
If you're looking for a guest WiFi network walled off from your private network, the easiest way is to plug the wireless AP into its own interface and configure the Untangle to hand out DHCP on that interface. You can then use the Firewall to wall off that interface from connecting to your private network.

Wireless AP is plugged into the DMZ and DHCP is working properly. Internet is working correctly on both Internal and DMZ network segments.

So far so good but I also want to separate the two networks as described in the wiki. I have added and enabled the firewall rules shown in the attachments to attempt to block traffic between Internal and DMZ. The default action of the firewall is pass and there are no other firewall rules. However, I can ping between the interfaces and ever RDP to a server from the DMZ - not a desired action. Nothing shows in the firewall logs as blocked or passed. Is there a settings somewhere that is bypassing my rules or do my rules need to be modified?

I am sure this is very simple but the "duh" moment has not hit me yet. Maybe one of you kind souls can show me the error of my ways.

[hlarsen]

ping is going to work unless you change TCP & UDP to Any.
is all the traffic going through one rack?

[itcinc]

Ok - just changed traffic type to "any" in both rules. From 192.168.1.x I can still ping the 192.168.2.254 DMZ port. I don't have any other devices on 192.168.2.x yet until I secure that network segment.

Yes, there is only one rack. I have not specifically assigned DMZ to a rack - assumed that default would apply to everything unless otherwise changed. Is it possible that the DMZ traffic is bypassing the default rack? I did not add any bypass rules beyond the standard install.

[hlarsen]

without any policies it should indeed all be going to the default rack.

traceroute / Packet Test shows the traffic going through the Untangle?
you don't have any Bypass rules that might be affecting the traffic, do you?

try using the Packet Filter to block traffic flow between them.

[itcinc]

Now this is really getting weird....power supply went out over the night. Replaced power supply and it is up and running again.

I added a packet rule and it did indeed block traffic between the networks. However, I removed the rule and now the firewall rules are blocking some traffic???? They still do not block ping traffic from DMZ to Internal. However, they now block and log connections on 80, 3389 and other ports between DMZ and Internal. No other changes made.

The gateway ports seem to be treated differently by the firewall rules. If I tracert from 192.168.1.x to 192.168.2.x the route starts with 192.168.1.254 - default internal gateway. If I tracert from 192.168.1.x to 192.168.2.254 - default DMZ gateway - it does *not* go through default internal gateway - just a direct connection to 192.168.2.254.

Seriously considering starting over with this installation......

[sky-knight]

ping is going to work unless you change TCP & UDP to Any.
is all the traffic going through one rack?

This is embarrassing...

The firewall cannot control protocols other than TCP and UDP. The "any" field in the firewall module may as well not even be there. It's TCP, UDP, or both.

Why? Because those are the only traffic types processed by the UVM itself, no other protocols even enter the rack, much less the firewall module.

If you want to control protocols other than TCP and UDP you MUST use the packet filter.