In the controller "logon-control" user role I understand the reasoning for all the firewall rules listed below except the one circled in red. Why is this natt allowed anywhere by default? I'm just curious. I would think this might allow someone to get/go places they should not prior to going through the captive portal...hope that makes sense, thanks.