Ok, I see.
I believe that this approach should work better when defining the rule (use the VLAN interface names instead of their network addresses):
DROP all opt -- in ETH00.24 out ETH00.74 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in ETH00.74 out ETH00.24 0.0.0.0/0 -> 0.0.0.0/0
NOTE: The above example will block anything from VLAN 24 to VLAN 74 and vice-versa
PS: Note that once the VLAN exists, its virtual interface name will be available in the Input and Output dropdown lists when creating a new rule.
I actually was just applying a firewall rule to that effect. Here is what I have now:
DROP all opt -- in ETH01.20 out ETH01 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in ETH01 out ETH01.20 0.0.0.0/0 -> 0.0.0.0/0
I can still reach eth1.20 (172.30.0.1) from the native VLAN… 🙁
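The rule listings in this thread have the shape of `iptables -L` output, so the following added example (not posted by anyone in the thread) assumes a Linux router using iptables, with interface names eth1 (native VLAN) and eth1.20 (VLAN 20) taken from the post above. It builds the two-way interface-to-interface drop rules and adds the one piece a FORWARD-only pair cannot cover: packets addressed to the router's own VLAN gateway address (172.30.0.1 in the thread) are delivered locally through the INPUT chain and never traverse FORWARD, so they need a separate rule. Nothing is applied unless `APPLY=1` is set; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux/iptables router; the
# interface names eth1 (native VLAN) and eth1.20 (VLAN 20) and the gateway
# address 172.30.0.1 are taken from the thread. Set APPLY=1 to execute the
# commands; otherwise they are printed so the rule set can be reviewed first.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Drop routed traffic between two interfaces in both directions. This is the
# FORWARD-chain equivalent of the two "DROP all ... in X out Y" rules in the
# thread: it only matches packets the router would pass from one VLAN to the
# other, not packets addressed to the router itself.
isolate_forward() {
    a="$1"; b="$2"
    run iptables -I FORWARD -i "$a" -o "$b" -j DROP
    run iptables -I FORWARD -i "$b" -o "$a" -j DROP
}

# Packets whose destination is one of the router's own addresses (such as the
# VLAN 20 gateway 172.30.0.1) are handled by INPUT, so a FORWARD rule never sees
# them. Drop them in INPUT when they arrive on the interface that should not be
# allowed to reach that address.
protect_router_addr() {
    from_if="$1"; addr="$2"
    run iptables -I INPUT -i "$from_if" -d "$addr" -j DROP
}

isolate_forward eth1 eth1.20
protect_router_addr eth1 172.30.0.1
```

Run it once without `APPLY` to see the three `iptables` commands, then verify afterwards with `iptables -L FORWARD -v -n` and `iptables -L INPUT -v -n` that the counters on the DROP rules increase when a host on the native VLAN tries to reach 172.30.0.1; if the FORWARD counters stay at zero while the INPUT counter climbs, that confirms the traffic was never forwarded traffic in the first place.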