Firewall and NAT

WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Firewall and NAT

Post by WynneM »

Hi,

What settings do I need to set to have only one external IP address access a port on an internal connected device?

I've seen this talked about before on the board, but can't see a resolution.

I have a 7800DX with a fairly typical default setup, on the WAN (ppp0.1, Firewall and NAT enabled).

I've tried fiddling with both the NAT and Incoming IP Filter but as yet I have not managed to get it working.

For example, let's say I want WAN traffic from 212.50.10.10:8080 to be directed to LAN site 192.168.1.10:443, and any other external IPs should be blocked.

Thanks,
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Firewall and NAT

Post by billion_fan »

Try following the attached screenshots.

For this example I used an HTTP server on port 80.

The first rule redirects the port, the second rule within the outgoing filter blocks all outgoing connections from port 80 to any WAN IP address, and the third rule allows outgoing connections from port 80 to an external IP address.

The screen grabs are of firmware 2.32c.
WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Re: Firewall and NAT

Post by WynneM »

Thanks Billion_Fan,

I don't have Action: drop/forward options? Is this new with firmware 2.32c, or are you on a different router? I've got the 7800DX with 2.32b.

I've not upgraded yet as it's a long manual process of copying all the settings, by the looks, and I've not had the time.

Cheers,
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Firewall and NAT

Post by billion_fan »

WynneM wrote:Thanks Billion_Fan,

I don't have Action: drop/forward options? Is this new with firmware 2.32c, or are you on a different router? I've got the 7800DX with 2.32b.

I've not upgraded yet as it's a long manual process of copying all the settings, by the looks, and I've not had the time.

Cheers,
Yes, this is the new feature within firmware 2.32c. Some customers have stated they have upgraded from 2.32b without resetting the device and have not experienced any issues; you can try it if you want.

(Remember you can always back up your settings before the upgrade; if you have issues you can always downgrade the firmware and restore your settings.)
WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Re: Firewall and NAT

Post by WynneM »

Hmm, I've upgraded the firmware and I've copied your example pretty much exactly and it's not working? It is dropping the packets OK, just not allowing from the external? Have I done something stupid?
1.png
2.PNG
3.PNG
On a side note, as you suspected I was able to upgrade the firmware using the 2.32b config.
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Firewall and NAT

Post by billion_fan »

WynneM wrote:Hmm, I've upgraded the firmware and I've copied your example pretty much exactly and it's not working? It is dropping the packets OK, just not allowing from the external? Have I done something stupid?
1.png
2.PNG
3.PNG
On a side note, as you suspected I was able to upgrade the firmware using the 2.32b config.
I will run some more tests tomorrow and drop you an update (my HTTP server is in use at the moment :D ).
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Firewall and NAT

Post by billion_fan »

WynneM wrote:Hmm, I've upgraded the firmware and I've copied your example pretty much exactly and it's not working? It is dropping the packets OK, just not allowing from the external? Have I done something stupid?
1.png
2.PNG
3.PNG
On a side note, as you suspected I was able to upgrade the firmware using the 2.32b config.
I just tested it again and it works fine here. Please make sure the drop rule is below the allow rule as shown in the attached screenshot. (I have also used the same ports you were using.)
WynneM
Posts: 14
Joined: Wed Sep 11, 2013 11:18 pm

Re: Firewall and NAT

Post by WynneM »

Thanks billion_fan,

That was the key: you need the allows before the drops. I swear I read somewhere it was an OR setup rather than a fall-through one. Kinda sucks you can't reorder; you have to remove them and re-add them all in the right order?!
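The ordering point from this exchange, as an added example that is not part of the thread or of the router firmware: a small first-match filter in Python with the allow and drop rules from the posts above in both orders, plus a check that reports rules an earlier rule shadows. The 212.50.10.10 address and port 80 come from the thread; 198.51.100.7 is a constructed "other" source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed model of a first-match filter list, as the 7800DX outgoing
# filter is described in the thread; it is not the firmware's own logic.

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "drop"
    src: str       # source range in CIDR form, e.g. "212.50.10.10/32" or "0.0.0.0/0"
    dst_port: int  # destination port on the LAN host

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int

def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """Walk the list top to bottom; the first rule that matches decides.
    `default` is the verdict when nothing matches (NAT alone lets traffic in)."""
    for rule in rules:
        if pkt.dst_port == rule.dst_port and ip_address(pkt.src_ip) in ip_network(rule.src):
            return rule.action
    return default

ALLOWED_IP = "212.50.10.10"  # the single WAN address the thread wants to permit
PORT = 80                    # the port billion_fan used in the example

CORRECT_ORDER = [
    Rule("allow", f"{ALLOWED_IP}/32", PORT),  # allow the one address first ...
    Rule("drop", "0.0.0.0/0", PORT),          # ... then drop every other source
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))   # drop above allow: allow is never reached

def check_order(rules: List[Rule]) -> Tuple[str, str]:
    """Verdicts for (the permitted source, some other WAN source) on PORT."""
    return (
        evaluate(rules, Packet(ALLOWED_IP, PORT)),
        evaluate(rules, Packet("198.51.100.7", PORT)),  # constructed other source
    )

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule on the same
    port already covers their whole source range (the misordering seen above)."""
    return [
        i for i, r in enumerate(rules)
        if any(e.dst_port == r.dst_port and ip_network(r.src).subnet_of(ip_network(e.src))
               for e in rules[:i])
    ]
```

A lint like `shadowed_rules` is worth running whenever a device only offers "delete and re-add" for ordering, since a shadowed allow fails silently rather than producing an error.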
sebus05
Posts: 29
Joined: Sat Aug 24, 2013 6:46 pm

Re: Firewall and NAT

Post by sebus05 »

And what is Exceptional Rule Group?

Do we really need to have the illogical allow-before-drop, etc.?

Exceptional Rule Group seems to facilitate inputting an Exceptional Rule IP Range with an action (allow or block).

That should be enough in the Virtual Servers Setup section.

(Apart from the fact that the Group Information Default Action is logically wrong: one selects Allow and it makes the entry read Block, and vice versa. Is that another bug or twisted logic?)

That is enough for proper IP restrictions with NO need for any outgoing rules.

edit:

Tested without any outgoing rules, just pure Virtual Servers Setup with Exceptional Rule Group.

By now this firewall behaves almost completely acceptably to the end user (if one needs only a single IP or a range; 2 separate IPs cannot be added this way!):

NAT enabled = ALL allowed (as previously, which is just plain bad!)
but NOW
Exceptional Rule Group selected = NONE allowed (just like any normal firewall!) apart from the very exception we allowed.

So logically it is not like a normal firewall implementation, but by now it is very usable.

To allow access for 2 separate IPs one would need to do it the way described in the posts above (via Outgoing IP Filtering Setup) WITHOUT any Exceptional Rule Group setup.

Seb
mouse1
Posts: 8
Joined: Sat Jul 25, 2015 9:40 pm

Re: Firewall and NAT

Post by mouse1 »

Just set up my first Billion, and I am having difficulty configuring the inbound IP filter.

Shields Up shows telnet (23) is open by default, so I added an inbound filter rule, but telnet still says it is open.

There's no allow/block setting on the inbound rules.

If I log an inbound rule I seem to get the return packets from outbound rules. (So it's not stateful?)

Firewall is enabled on the WAN interface. Firmware is 2.32d.dm12.

I have some virtual servers set up. These seem to work.

Am I missing something?

Mouse