
Most irritating firewall

Posted: Tue Sep 10, 2013 11:16 pm
by sebus05
It should be easy:

setup Virtual Server ie RDP
use IP filters inbound to allow connection to this RDP VS from a single external WAN IP

It seems not possible to do it as per:

http://forums.whirlpool.net.au/archive/2081202

Once the VS is setup, IP Filtering Incoming is being completely ignored & ANY WAN IP can connect to the LAN service (of course if it is on)

That makes no sense at all!

The solution in the above is to create outgoing filter rules to drop unwanted packets

That is upside-down, I do not want to disable everything under the sun, just want to enable single entity

Anybody has any idea?

sebus

Re: Most irritating firewall

Posted: Wed Sep 11, 2013 9:54 am
by billion_fan
sebus05 wrote:
It should be easy:

setup Virtual Server ie RDP
use IP filters inbound to allow connection to this RDP VS from a single external WAN IP

It seems not possible to do it as per:

http://forums.whirlpool.net.au/archive/2081202

Once the VS is setup, IP Filtering Incoming is being completely ignored & ANY WAN IP can connect to the LAN service (of course if it is on)

That makes no sense at all!

The solution in the above is to create outgoing filter rules to drop unwanted packets

That is upside-down, I do not want to disable everything under the sun, just want to enable single entity

Anybody has any idea?

sebus
I have been told the same by our engineers: set up an outgoing IP filtering rule, add the internal IP address, then add the ports as source ports (so only the ports entered will be restricted via WAN IP), and the destination IP will have to be all IPs (excluding the one you want to allow), as shown in the attached screenshot examples.

PC-1 with IP Address 192.168.1.2 is running Web Server

PC-2 with IP Address 192.168.1.3 is running VNC

Only one external IP address, 112.30.223.34, is allowed to access the VNC on internal IP address 192.168.1.3.

We must create 2 rules to block the WAN IP ranges starting at 1.1.1.1 to 112.30.223.33 and from WAN IP 112.30.223.35 to 255.255.255.254.

Re: Most irritating firewall

Posted: Wed Sep 11, 2013 5:09 pm
by Philip_L
Hi

The changes in the firewall are absolutely stupid. You don't block incoming access by blocking outgoing packets; that is ridiculous. What is the point of the Incoming IP Filter?

With the 7800N the process made sense: you set up a NAT, then in the Firewall added a filter to accept from a given IP address, ticked to allow, so at that point the Firewall rule would be "true" for the wanted IP address and no more rules would be run. Then a second rule underneath blocked any access to the port, so any other IP would fall through to this rule and be caught by a rule that was marked "Block". This meant only the wanted IP had access.

With the new 7800 models, the incoming IP filter doesn't do anything. By default the incoming filter is "allow everything"; rules can be added, but they seem to be allow rules only, so what is the point of the IP incoming filter? Can you give an example of when the incoming IP filter would be used?

Seems to me the Firewall aspect is completely broken. Thankfully I no longer run a server at home, as otherwise I'd not be happy; previously I used incoming rules quite a bit from restricted IP address ranges.

I hope this gets passed back to the developers and Broadcom.

Regards

Phil
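
Two ways of saying "only this address may reach the forwarded port" appear in the thread: billion_fan's workaround for the 7800DX (drop outgoing traffic from the internal host to every WAN range except the wanted one) and Phil's description of the 7800N (an ordered incoming filter: allow the wanted source, then a catch-all block). The Python below is an added example written for this page, not code from Billion or the router firmware. It computes the complementary drop ranges for any allowlist of IPv4 addresses or CIDR blocks, bounded by the 1.1.1.1 and 255.255.255.254 limits used in billion_fan's post, renders them in the source/destination shape that post describes, and checks that they admit exactly the same sources as the 7800N-style allow-then-block ruleset. That the router UI expects those bounds, whether it accepts 0.0.0.0 as a lower bound, and the VNC port 5900 used in the demo are assumptions, not facts from the thread.

```python
"""Complementary drop ranges for the 'outgoing filter' workaround, and a
first-match evaluator for the ordered allow-then-block style.

Added example for this forum thread; not Billion's or the firmware's code.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Bounds taken from billion_fan's worked example. ASSUMPTION: these are the
# limits the router UI accepts. Note they leave 1.0.0.0-1.1.1.0 and
# 255.255.255.255 unblocked; pass low="0.0.0.0"/high="255.255.255.255" if the
# UI allows it.
DEFAULT_LOW = "1.1.1.1"
DEFAULT_HIGH = "255.255.255.254"

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
Rule = Tuple[ipaddress.IPv4Network, str]  # action is "allow" or "block"


def complement_ranges(allowed: Iterable[str], low: str = DEFAULT_LOW,
                      high: str = DEFAULT_HIGH) -> List[Range]:
    """Inclusive [start, end] ranges covering low..high minus `allowed`.

    `allowed` may mix single addresses ("112.30.223.34") and CIDR blocks
    ("203.0.113.0/24"). Overlapping or adjacent entries are merged first, so
    the result is the minimal set of drop rules (at most len(allowed) + 1).
    """
    lo = int(ipaddress.IPv4Address(low))
    hi = int(ipaddress.IPv4Address(high))
    if lo > hi:
        raise ValueError("low bound is above high bound")
    nets = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(a, strict=False) for a in allowed)
    blocks: List[Range] = []
    cursor = lo  # first address not yet covered by a drop range
    for net in nets:  # collapse_addresses yields sorted, disjoint networks
        start, end = int(net.network_address), int(net.broadcast_address)
        if end < cursor:
            continue  # entirely below the window being filled
        if start > cursor:
            blocks.append((ipaddress.IPv4Address(cursor),
                           ipaddress.IPv4Address(start - 1)))
        cursor = end + 1  # plain int, so no overflow at 255.255.255.255
        if cursor > hi:
            break
    if cursor <= hi:
        blocks.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(hi)))
    return blocks


def format_rules(internal_ip: str, port: int, blocks: List[Range]) -> List[str]:
    """Render each drop range the way the workaround post describes it: the
    internal host and service port as source, a WAN range as destination."""
    return [f"OUTGOING DROP  src {internal_ip}:{port}  dst {s} - {e}"
            for s, e in blocks]


def is_reachable(src_ip: str, blocks: List[Range]) -> bool:
    """True unless replies to `src_ip` would fall inside a drop range."""
    addr = ipaddress.IPv4Address(src_ip)
    return not any(s <= addr <= e for s, e in blocks)


def allow_then_block(allowed: Iterable[str]) -> List[Rule]:
    """7800N-style ordered ruleset: one allow per permitted source, then a
    catch-all block. Order matters: swapped, the block would win for everyone."""
    rules: List[Rule] = [(ipaddress.IPv4Network(a, strict=False), "allow")
                         for a in allowed]
    rules.append((ipaddress.IPv4Network("0.0.0.0/0"), "block"))
    return rules


def first_match(src_ip: str, rules: List[Rule], default: str = "allow") -> str:
    """First rule whose source range matches decides; nothing later is consulted.
    `default` applies only if no rule matches (the 7800DX default is allow)."""
    addr = ipaddress.IPv4Address(src_ip)
    for net, action in rules:
        if addr in net:
            return action
    return default


if __name__ == "__main__":
    # Scenario from the post: only 112.30.223.34 may reach VNC on 192.168.1.3.
    # Port 5900 is an assumption; the post gives no port.
    drops = complement_ranges(["112.30.223.34"])
    for line in format_rules("192.168.1.3", 5900, drops):
        print(line)
    ordered = allow_then_block(["112.30.223.34"])
    for probe in ("112.30.223.34", "112.30.223.35", "8.8.8.8"):
        print(probe, "reachable" if is_reachable(probe, drops) else "dropped",
              "/ ordered filter says", first_match(probe, ordered))
```

The point of carrying both formulations is the maintenance cost: the ordered allow-then-block list needs one rule per permitted source and never changes shape, whereas the complement approach needs the whole set of drop ranges regenerated every time the allowlist changes, and any address outside the bounds you fed in stays reachable. Run the generated rules past the router and re-test from an address that should be dropped before relying on them, since the thread reports that the device's filter semantics did not match the labels in the UI.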

Re: Most irritating firewall

Posted: Wed Sep 11, 2013 5:39 pm
by Philip_L
Hi

These new models need more testing, or the English is badly translated so things don't do what they seem to suggest.

Bug seems to be:

1) Add a virtual server entry, check it works from outside.
2) The Exceptional Rule page says, "The Exceptional Rule is only applied to Virtual Server and DMZ Host." Okay, so is this a way to restrict by IP address? Not perfect, as you can't specify ports. So I set Default Action to "Block". This implies to me that all Virtual Server entries are blocked unless there is an Exceptional Rule IP range. Test access: I can still access the ports externally even though Virtual Server is set to blocked.
3) I try different options of adding Exceptional Rules and they seem to have no effect.

So what exactly is the "Exceptional Rule" used for, and is it another thing broken?

Bug on the Virtual Server page in Firefox: when adding a simple Custom Server I get a JavaScript error (it seemed to work if selecting one from the list and editing it).

    Error: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDOMWindow.alert]
    Source File: http://192.168.1.254/scvrtsrv.cgi?editVrtsrv=0&sessionKey=1694611999
    Line: 783

Also Virtual Servers should contain a filter to show or hide UPnP entries, ideally these UPnP entries should appear elsewhere, as they can't be edited under Virtual Servers, and it makes the list very cluttered when trying to add/edit true port forwarding entries. The 7800N had it right in this respect.

Regards

Phil

Re: Most irritating firewall

Posted: Thu Sep 12, 2013 6:59 am
by sebus05
Agree, it is a total mess. Yet it should be something so fundamental & simple!

Billion, do something about it, not tomorrow, but NOW

sebus

Re: Most irritating firewall

Posted: Thu Sep 12, 2013 11:20 am
by admin
Hi guys!

We had a quick chat with our engineers on the 7800DX series firewall earlier. We were told that the new Broadcom chipset has changes to the firewall implementation and hence it is quite different to the previous 7800 series. We are still in discussion with engineers on this and we will keep you posted on the progress.

Re: Most irritating firewall

Posted: Thu Sep 12, 2013 9:09 pm
by sebus05
Please do, as in the current state it simply is unusable & a joke; a £20 no-name router is better in this respect.

Re: Most irritating firewall

Posted: Wed Nov 06, 2013 8:55 pm
by sebus05
Any news about this issue?

Re: Most irritating firewall

Posted: Thu Nov 07, 2013 9:32 am
by billion_fan
sebus05 wrote:Any news about this issue?
Our engineers have added drop/forward sections to the outgoing filtering section (firmware 2.32c), so it's more like the 7800N.

More info can be found here viewtopic.php?f=18&t=2072