DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Open ports for specific IPs on 2820

01 Jul 2010 12:10 #62614 by mousework
Hi
My client has asked me to open port 1433 but make it only accessible from two external IPs and the local internal network.

It's something to do with SQL Standard 2008 running on a local PC with an IP address of 192.168.0.21, and the website.

I haven't a clue how to do this

Basically the local network is on the 192.168.0.1 to 192.168.0.255 range,
and then there are two external IP addresses.

How do I do this on their 2820.

Thanks for help guys
Mark


01 Jul 2010 12:55 #62617 by sbv3000
AFAIK it's not possible to limit which clients can externally connect through the 2820. You can create an open port, and any external client with SQL tools could connect. This could be bad. It might be possible to set up a port forward from two external ports both pointing to 1433 and tell the client to use those connection ports in the settings of the clients' SQL tools.
Also see this MS KB for help, as it may not only be 1433 that you need to open/forward:
http://support.microsoft.com/kb/287932

01 Jul 2010 16:49 #62629 by mousework
Is there a better DrayTek product that does allow this to be done?

01 Jul 2010 20:55 #62634 by cocospm
Yes, you can do this with the 2820. First, open port 1433 through to your local server at 192.168.0.21. Then create firewall filter rules that restrict traffic on port 1433 to only that originating from the two external IP addresses, as follows:

1. Create a Service Type Object for TCP port 1433, naming it anything you like.
2. Create two IP Objects, one for each of your external IP addresses.
3. Create an IP Group and add the 2 IP Objects to it.
4. Create two filter rules in Filter Set 3, say, as follows:
- The first rule is for WAN -> LAN traffic, for Any source IP and Any destination IP. Use your Service Type Object for the Service Type and set the Filter Action to "Block If No Further Match".
- The second rule is also for WAN -> LAN traffic, using your IP Group as the source IP and Any destination IP. Use your Service Type Object for the Service Type and set the Filter Action to "Pass Immediately".
5. Open Filter Set 2 (Default Data Filter) and set its "Next Filter Set" to your filter set (Set #3).

I'd also suggest you ensure you have everything right by testing from external IP addresses: make sure all works from the two external IP addresses, and ensure telnetting to port 1433 on your public IP address fails from other IP addresses.
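The two-rule arrangement above only works because of how the filter actions interact: "Block If No Further Match" is a provisional decision that a later matching rule can override, while "Pass Immediately" ends evaluation. The following is an added example (not from this thread or from DrayTek) that models that evaluation order in Python so you can see the decision for sample packets before touching the router. It assumes the usual meaning of the four DrayTek filter actions, uses placeholder addresses from the RFC 5737 documentation ranges for the two external IPs (the real ones are not given in the post), and models only the filter set, not NAT or port forwarding.

```python
"""Model of an ordered DrayTek-style filter set deciding WAN->LAN traffic.

Added example, not from the forum thread or DrayTek.  Assumed semantics:
"... Immediately" actions stop evaluation at that rule; "... If No Further
Match" actions take effect only when no later rule matches the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

ANY = "any"


@dataclass
class Rule:
    name: str
    src: Union[str, List[ipaddress.IPv4Network]]  # ANY or an IP group
    proto: str                                    # "tcp", "udp" or ANY
    dst_port: Optional[int]                       # None = any port
    action: str                                   # one of the four filter actions


@dataclass
class Packet:
    src_ip: str
    proto: str
    dst_port: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls inside the rule's source/service selectors."""
    if rule.src != ANY:
        addr = ipaddress.ip_address(pkt.src_ip)
        if not any(addr in net for net in rule.src):
            return False
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """Walk the rules in order and return "pass" or "block".

    `default` is what happens when nothing matches; here "pass", meaning the
    packet goes on to whatever port forward (if any) exists for it.
    """
    pending = None
    for rule in rules:
        if not _matches(rule, pkt):
            continue
        if rule.action == "pass_immediately":
            return "pass"
        if rule.action == "block_immediately":
            return "block"
        # "... If No Further Match": remember the decision, keep evaluating
        pending = "pass" if rule.action == "pass_if_no_further_match" else "block"
    return pending if pending is not None else default


# Placeholder values for the client's two external addresses (assumed, RFC 5737).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.10/32"),
                   ipaddress.ip_network("198.51.100.20/32")]

# Filter Set 3 as described in the post: rule 1 blocks TCP/1433 from any source
# unless a later rule matches; rule 2 passes TCP/1433 from the IP group.
FILTER_SET_3 = [
    Rule("block-1433-unless-allowed", ANY, "tcp", 1433, "block_if_no_further_match"),
    Rule("allow-1433-from-group", ALLOWED_SOURCES, "tcp", 1433, "pass_immediately"),
]


def check(src_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """Decision for one WAN->LAN packet under FILTER_SET_3."""
    return evaluate(FILTER_SET_3, Packet(src_ip, proto, dst_port))


if __name__ == "__main__":
    # Constructed sample packets: one allowed source, one stranger, other ports.
    for ip, port, proto in [("203.0.113.10", 1433, "tcp"),
                            ("192.0.2.5", 1433, "tcp"),
                            ("192.0.2.5", 80, "tcp"),
                            ("192.0.2.5", 1433, "udp")]:
        print(f"{ip} -> {proto}/{port}: {check(ip, port, proto)}")
```

Two things the sample packets make visible: with the rules in this order, a stranger's TCP/1433 connection is blocked and a connection from the IP group passes, exactly as the post intends; but the last packet (UDP to 1433) passes because the Service Type Object covers TCP only, so any other port or protocol you forward later for SQL Server (the MS KB linked earlier lists several) needs its own rule pair, or it will be reachable from anywhere.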
