DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall Filter Rule Not Working

25 Jun 2010 22:52 #62494 by cdutoit
Firewall Filter Rule Not Working was created by cdutoit
Hi,

I am trying to get a firewall rule to work, but can't figure out what I am missing.

Currently under the Firewall General Setup I have the Default Web Content Filter active which block all the Child Protection Group type categories (and I can confirm that this is working).

I now wish to create a second rule with a more strict Web Content Filter, so I went to Firewall, Filter Setup and added a new item called "Visitors" on Set 3.

I have set the Filter to Active and when drilled into the Rule, I have set the "Check to enable the Filter Rule" to active as well with the following settings:

Direction: LAN -> WAN
Source IP: 192.168.1.50~192.168.1.254
Destination IP: Any
Source Type: Any
Fragments: Don't Care
Filter: Pass If No Further Match
Branch to Other Filter Set: None
P2P Filter: None
URL Filter: None
Web Content Filter: Visitor (Everything blocked for testing)

My expectation is that with the above rule any IP between 50 and 254 would be restricted by the "Visitor" Web Content Filter, but this is not my experience. Not sure what I am missing.

My NIC has an IP of 192.168.1.2 (I have disabled this)
My Wireless card has an IP of 192.168.1.150 (I only see the default rule applied but not the Visitor rule, although I am in the IP range).

Please help

29 Jun 2010 14:34 #62564 by asimm.it
Replied by asimm.it on topic Firewall Filter Rule Not Working
hi cdutoit,

try changing the filter to block immediately instead of if no further match.

i'm guessing that the other child protection filter is contradicting this filter as it has a higher prevalence.

29 Jun 2010 18:18 #62568 by cdutoit
Replied by cdutoit on topic Firewall Filter Rule Not Working
If I set it to Block Immediately, the items below are greyed out (which means that I can't specify the Web Content Filter to be used):

Branch to Other Filter Set
P2P Filter
URL Filter
Web Content Filter

29 Jun 2010 18:27 #62569 by asimm.it
Replied by asimm.it on topic Firewall Filter Rule Not Working
sorry cdutoit,

my previous post should have said pass immediately not block immediately.

change it to that and then report back

29 Jun 2010 18:41 #62570 by cdutoit
Replied by cdutoit on topic Firewall Filter Rule Not Working
I have just found the fix...

In the Default Data Filter Set #2, I had to change "Next Filter Set" to
Set #3. After I changed this the rule got applied.

For some reason I thought all ROOT level filters would get applied and that the "Next Filter Set" is just to re-apply a rule set after the current one completed.

I did not need to make any changes from what I originally posted apart from the above.

Thanks for your input!

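The fix above comes down to how filter sets are chained: a set is only evaluated if something points at it via "Next Filter Set", so a rule sitting in an unlinked Set 3 is never reached. The following is an added example, not code from the thread or from DrayTek; it is a small model of that chain walk (rule matching on direction and source range, the immediate versus "if no further match" actions, and the "Next Filter Set" link), with the action semantics, the global default Web Content Filter fallback and the start set (Set 2) all assumed from the thread's description rather than taken from firmware documentation. It reproduces the original poster's two situations: Set 2 not linked to Set 3 (only the default "Child Protection" filter applies to 192.168.1.150) and Set 2 linked to Set 3 (the "Visitor" profile applies).

```python
"""Model of chained firewall filter sets (assumed semantics, not DrayTek's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Rule actions as described in the thread (names are this example's own).
PASS_NOW = "pass_immediately"
BLOCK_NOW = "block_immediately"
PASS_IF_NO_MATCH = "pass_if_no_further_match"
BLOCK_IF_NO_MATCH = "block_if_no_further_match"


@dataclass
class Rule:
    name: str
    direction: str                              # e.g. "LAN->WAN"
    src_first: str                              # inclusive source IP range
    src_last: str
    action: str
    web_content_filter: Optional[str] = None    # WCF profile attached to the rule
    enabled: bool = True                        # "Check to enable the Filter Rule"


@dataclass
class FilterSet:
    number: int
    rules: List[Rule] = field(default_factory=list)
    next_set: Optional[int] = None              # the "Next Filter Set" field


def rule_matches(rule: Rule, direction: str, src_ip: str) -> bool:
    """A rule applies when enabled, same direction, and source IP inside its range."""
    if not rule.enabled or rule.direction != direction:
        return False
    ip = ipaddress.ip_address(src_ip)
    return ipaddress.ip_address(rule.src_first) <= ip <= ipaddress.ip_address(rule.src_last)


def evaluate(sets: Dict[int, FilterSet], start_set: int, direction: str,
             src_ip: str, default_wcf: Optional[str]) -> Tuple[str, Optional[str], List[int]]:
    """Walk the chain from start_set, following next_set links.

    Returns (verdict, wcf_profile, sets_visited). "Immediately" actions end the
    walk at once; "if no further match" actions record a tentative verdict that
    a later matching rule may override. With no match at all, traffic passes
    under the global default WCF (assumed fallback).
    """
    tentative: Optional[Tuple[str, Optional[str]]] = None
    visited: List[int] = []
    current: Optional[int] = start_set
    while current is not None and current not in visited:   # guard against a loop of links
        fs = sets[current]
        visited.append(current)
        for rule in fs.rules:
            if not rule_matches(rule, direction, src_ip):
                continue
            if rule.action == PASS_NOW:
                return ("pass", rule.web_content_filter or default_wcf, visited)
            if rule.action == BLOCK_NOW:
                return ("block", None, visited)
            verdict = "pass" if rule.action == PASS_IF_NO_MATCH else "block"
            tentative = (verdict, rule.web_content_filter or default_wcf)
        current = fs.next_set
    if tentative is not None:
        return (tentative[0], tentative[1], visited)
    return ("pass", default_wcf, visited)


def thread_scenario(link_set2_to_set3: bool) -> Dict[int, FilterSet]:
    """Constructed sets mirroring the thread: default data filter Set 2, 'Visitors' on Set 3."""
    visitors = Rule("Visitors", "LAN->WAN", "192.168.1.50", "192.168.1.254",
                    PASS_IF_NO_MATCH, web_content_filter="Visitor")
    set2 = FilterSet(2, rules=[], next_set=3 if link_set2_to_set3 else None)
    set3 = FilterSet(3, rules=[visitors])
    return {2: set2, 3: set3}


def wcf_for_host(src_ip: str, linked: bool) -> Tuple[str, Optional[str], List[int]]:
    """Which WCF profile a LAN host ends up under, starting the walk at Set 2."""
    return evaluate(thread_scenario(linked), 2, "LAN->WAN", src_ip,
                    default_wcf="Child Protection")


if __name__ == "__main__":
    for linked in (False, True):
        print("Set 2 -> Set 3 linked:", linked, wcf_for_host("192.168.1.150", linked))
```

The `sets_visited` list is the useful troubleshooting output: when a rule "does nothing", check first whether its set ever appears in the walk before examining the rule itself.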
30 Jun 2010 07:43 #62574 by asimm.it
Replied by asimm.it on topic Firewall Filter Rule Not Working
hi cdutoit,

no problems thanks for the update!

there has to be some form of order/precedence in the rules otherwise it gets very complicated and messy to troubleshoot issues.

i personally approach it the same way as i would an active directory group policy and the first policy/rule is the strictest i.e. blocking everything then all sub policies/rules are rules which relax the restrictions on the strict policy.

this way i can be sure that i have a straightforward approach to troubleshooting and i can be sure that so long as the first policy/strictest policy is in place and working that there will be no potential security holes or loops within any following policies/rules.
