DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

understanding NAT interaction with firewall rules on 2820

26 Jan 2011 12:20 #65869 by alittlerusty
Hi, new to DrayTeks and having difficulty understanding filter rules and NAT interaction.

What I want to do is allow HTTPS access to one server on my LAN from a single IP address on the outside. My thinking is that this should work:

1. Open port 443 in NAT to my internal HTTPS server.
2. Create a data filter with 'Block if no further match': source IP of any, destination IP of my internal HTTPS server, service type destination port 443.
3. Create a data filter with 'Pass Immediately': source IP of the external IP I want to allow access, destination IP of my internal HTTPS server, service type destination port 443.

Now this all appears to work, but my problem is I expected that if I did a port scan of 443 with, say, Shields Up, the port should show as closed? But it shows as open. Why is this? Does rule 2 not effectively close the port to other IP addresses?
I am obviously missing something fundamental here...


thanks

Philip

26 Jan 2011 21:21 #65885 by voodle
Those should work, but make sure to leave the Source Port as 1-65535 in the Service Type for the firewall rule; that's what usually breaks filter rules :)
It seems you might have already done that, but it's worth mentioning. Also, if you've set up those rules in filter set 3 or something, make sure filter set #2 (the default) links to it, otherwise it won't check those rules.

Also, if it's still showing port 443 as open, check whether the router is using that port for remote management. It won't respond to it if you don't have remote management enabled, but it will show as open with a port scanner like that. That's set from System Maintenance, then Management.
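An added illustration, not part of this thread and not DrayTek code, that models the rule semantics voodle describes: rules are walked in order, 'Pass Immediately' ends evaluation, 'Block if no further match' only sticks when no later rule matches, and a rule only matches if the packet's source port falls inside the Service Type's source-port range. The two IP addresses and the default-pass behaviour when nothing matches are assumptions chosen for the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass_immediately" or "block_if_no_further_match"
    src_ip: Optional[str]       # None means "any"
    dst_ip: str
    dst_port: int
    src_ports: Tuple[int, int]  # inclusive source-port range from the Service Type

def matches(rule: Rule, pkt: Packet) -> bool:
    lo, hi = rule.src_ports
    return ((rule.src_ip is None or rule.src_ip == pkt.src_ip)
            and rule.dst_ip == pkt.dst_ip
            and rule.dst_port == pkt.dst_port
            and lo <= pkt.src_port <= hi)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk rules in order; assumed default is 'pass' when nothing matches."""
    verdict = "pass"
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "pass_immediately":
            return "pass"
        verdict = "block"       # tentative: a later matching pass rule overrides it
    return verdict

SERVER = "192.168.1.10"         # constructed: the internal HTTPS server (post-NAT destination)
ALLOWED = "203.0.113.10"        # constructed: the one external IP that may connect

def build_rules(src_ports: Tuple[int, int]) -> List[Rule]:
    # Rules 2 and 3 from the first post, sharing one Service Type source-port range.
    return [Rule("block_if_no_further_match", None, SERVER, 443, src_ports),
            Rule("pass_immediately", ALLOWED, SERVER, 443, src_ports)]

def verdicts(src_ports: Tuple[int, int]) -> Tuple[str, str]:
    rules = build_rules(src_ports)
    allowed = Packet(ALLOWED, 51234, SERVER, 443)          # real clients use ephemeral source ports
    scanner = Packet("198.51.100.7", 40001, SERVER, 443)   # constructed scanner address
    return evaluate(rules, allowed), evaluate(rules, scanner)

if __name__ == "__main__":
    print("source port 443 only:", verdicts((443, 443)))   # ('pass', 'pass'): scanner gets through
    print("source port 1-65535: ", verdicts((1, 65535)))   # ('pass', 'block')
```

With the source port pinned to 443, neither rule ever matches a real client, so the block rule is silently bypassed and the scan sees the NAT-forwarded port as open; widening the source port to 1-65535 makes both rules match and only the allowed address gets through.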

26 Jan 2011 23:37 #65888 by alittlerusty
Ah, I have the source port in service type as 443 only; I assumed that I was just forwarding this one port so that is all I needed. Stupid really, should have thought, as any external IP address port could send a packet to my external 443 port...

Thanks, I knew I was missing something fundamental!

26 Jan 2011 23:56 #65889 by alittlerusty
One further thing I don't quite understand: why is IM/P2P filter selection available in every filter set rule? I realise that I would need to 'turn it on' somewhere if I required it, but not in every filter set rule surely? Again I am obviously not grasping something here...

27 Jan 2011 01:54 #65891 by voodle
IM/P2P, URL content filter etc. are in each filter rule so that they can be 'tagged', mostly by source IP or schedule time normally. If you wanted to tag one of those, you'd use a separate rule with the action of pass immediately or pass if no further match. Normally you can enable those from the firewall general setup bit, but filter rules are also where you'd make exceptions if you enabled that :)

Good that the source port seems to have been the problem, the rule setup otherwise looks ideal.

28 Jan 2011 12:58 #65957 by alittlerusty
Thanks for the explanation, I'm slowly getting there. 8)
