DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall blues

14 Oct 2009 10:03 #1 by brad porter
Dear all,

I am having a real nightmare with the Draytek 2820v firewall. I must be missing something. Any help would be greatly appreciated.

My intention (for the time being) is to just restrict incoming traffic to a server I want accessible from the Internet. For the benefit of the test, I have a Nagios probe running on PORT 12489 on the server within my LAN (192.168.1.100). The external IP (dummy for the example) is 78.78.78.78. This is what I have done. (Please assume all other settings are at factory default).

1. NAT --> Open Ports : I have assigned the external IP (78.78.78.78) to an internal IP and opened ALL ports. It IS enabled.

2. Firewall --> General Setup : I have both the default CALL and DATA filters active. Filter is set to PASS. Data filter is pointed to the default SET#2 (which has a NetBIOS BLOCK in it).

At this stage - the external Nagios Server can talk to the probe on my LAN on PORT 12489. The test is to try and block this. This is what I tried.

3. Firewall --> Filter Setup --> Edit Filter Rule Set#2 : I add a new filter (below the standard NetBIOS one):

DIRECTION : WAN --> LAN
SOURCE : ANY
DESTINATION : 192.168.1.100 (and have tried ANY too)
SERVICE TYPE : TCP PORT 12489
FILTER : BLOCK IMMEDIATELY

4. I have OK'd all the screens and confirmed all is set.

The problem is, despite me trying to BLOCK this port (12489), it will not; instead it just passes it. I know this seems a simple and pointless test, but this is what is going to help me understand how it works.

Any ideas? I just can't work it out and my hair is falling out!


14 Oct 2009 20:51 #2 by brad porter
Anyone out there got any ideas?

Sorry to harass - desperate for help.

:(


16 Oct 2009 16:21 #3 by boyquiet
I empathise, as I've spent many days trying to get two 2910s to create a perimeter and inner network.

For what it's worth, I made progress using Block All in the firewall General Setup, then made a rule to allow/block the specific port. (But you need some other route to your Internet for testing.)

Later you may trip over the next bit:
It appears one needs two rules for each conversation: an incoming (from the Internet) rule with any source and a specific destination and port, and then, for the reply, an outgoing rule from the specific port to any destination. I'm waiting for confirmation from support, but it's the only way I've got my ones to do the job.

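boyquiet's "two rules per conversation" observation, modelled as an added example (not the forum's or DrayTek's own code): a stateless, first-match packet filter where the set's general action (Pass/Block) is the default. It assumes the filter is stateless, which is what the observed behaviour suggests; the addresses, ports and rule fields are constructed for illustration around the Nagios probe from this thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "WAN->LAN" or "LAN->WAN"
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    src: str                 # "ANY" or an address/CIDR
    dst: str
    proto: str
    sport: Optional[int]     # None = any source port
    dport: Optional[int]     # None = any destination port
    action: str              # "PASS" or "BLOCK"

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "ANY" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))

def verdict(rules, default: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the set's general (default) action applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def reply_of(pkt: Packet) -> Packet:
    """The return packet of the same conversation: direction, endpoints and ports swapped."""
    flipped = "LAN->WAN" if pkt.direction == "WAN->LAN" else "WAN->LAN"
    return Packet(flipped, pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

def conversation(rules, default: str, request: Packet):
    """Verdict for the request and for its reply; a stateless filter judges each on its own."""
    return verdict(rules, default, request), verdict(rules, default, reply_of(request))

# Constructed sample: the probe on 192.168.1.100:12489 polled from an Internet host
# (203.0.113.5 is a documentation address, a stand-in for the Nagios server).
PROBE = Packet("WAN->LAN", "203.0.113.5", "192.168.1.100", "TCP", 40000, 12489)
INBOUND = Rule("WAN->LAN", "ANY", "192.168.1.100", "TCP", None, 12489, "PASS")
OUTBOUND = Rule("LAN->WAN", "192.168.1.100", "ANY", "TCP", 12489, None, "PASS")

def one_rule():    # general action Block, inbound allow only: the reply is dropped
    return conversation([INBOUND], "BLOCK", PROBE)            # ('PASS', 'BLOCK')

def two_rules():   # add the outgoing rule from the specific port: both legs pass
    return conversation([INBOUND, OUTBOUND], "BLOCK", PROBE)  # ('PASS', 'PASS')
```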

16 Oct 2009 16:29 #4 by brad porter
I have actually worked this out. In fact, I have also progressed somewhat and managed to create firewalls for both directions. (It's all well having traffic blocked on the way in, but it's also good to ensure you block traffic going out.)

It's a little complicated to explain, so if you need some help then please ask some specific questions and I'll let you know what I found out.

Needless to say, I now only have two PORTS allowed coming in and around 10 going out, which is pretty tight for a small office environment.


27 Oct 2009 19:43 #5 by boyquiet
Hi Brad,

Thanks for your offer to help.

I've configured my two routers using "Block" as the general filter rule and then set individual filters passing only the traffic I wish to.

I've hit a problem but only with SysLog.

My networks are: Internet (say 79.98.xx.xx) -> Vigor2910 outer firewall -> perimeter network (say 10.0.xx.xx) -> Vigor2910 inner firewall -> inner network (say 192.168.xx.xx)

All syslog is sent to another computer on the Internet (say 213.190.xx.xx).

I can (always) see the traffic from the outer Vigor.
But I can only see the traffic from the inner Vigor if I set the outer general firewall to "PASS", even though there are two PASS filters, one for outgoing 514 and one for incoming 514. (OK, I know there is no reply to syslog, but I had already set it up when I discovered that.)

This seems generically very similar (actually the inverse) to the situation you described, where you have PASSed everything and the filters failed to BLOCK specifics.

Thanks in advance for any advice you can give

Regards.
