Hi rpottersr, how are you? Hope fine!! Btw, I haven’t clearly understood what’s the problem… a host attached to a switchport (e.g. a member of VLAN 3) can surf the web but cannot ping its def-gw?
With the fw rule posted above, only traffic from ETH00.2 directed to ETH00 should be denied, but all the rest of the traffic should be allowed (since the default policy is accept... or was it changed??).
Did you make any changes in the fw rules? Could you briefly describe your topology, IP addresses, firewall rules and, most importantly, the result that you would obtain?