Hi, new to draytek's and having difficulty understanding filter rules and NAT interaction.

What I want to do is allow https access to one server on my lan from a single ip address on the outside. My thinking is that this should work-

1. Open port 443 in NAT to my internal HTTPS server.
2. Create a data filter with 'Block if no further match' - source IP of any, destination IP of my internal HTTPS server, service type destination port 443
3. Create a data filter with 'Pass Immediately', source IP of the external IP I want to allow access, destination IP of my internal HTTPS server, service type destination port 443.

Now this all appears to work, by my problem is I expected that if I did a port scan of 443 with say shields up that the port should show as closed? But it shows as open. Why is this, does rule 2 not effectively close the port to other ip addresses?
I am obviously missing something fundamental here......


thanks

Philip

Those should work but make sure to leave the Source Port as 1-65535 in the Service Type for the firewall rule, that's what usually breaks filter rules
It seems you might have already done that but it's worth mentioning. Also if you've set up those rules in filter set 3 or something, make sure filter set #2 (the default) links to it otherwise it won't check those rules.

Also, if it's still showing port 443 as open, check whether the router is using that port for remote management, it won't respond to it if you don't have remote management enabled but it will show as open with a port scanner like that. That's set the from system maintenance then management.

Ah, I have the source port in service type as 443 only, I assumed that I was just forwarding this one port so that is all I needed. Stupid really should have thought as any external IP address port could send a packet to my external 443 port....

Thanks, I knew I was missing something fundamental!

One further thing I don't quite understand- why is IM/P2P filter selection available in every filter set rule? I realise that I would need to 'turn it on' somewhere if I required it but not in every filter set rule surely? Again I am obviously not grasping something here.....

im/p2p, url content filter etc are in each filter rule so that they can be 'tagged', mostly by source IP or schedule time normally, if you wanted to tag one of those, you'd use a separate rule with the action of pass immediately or pass if no further match. Normally you can enable those from the firewall general setup bit but filter rules are also where you'd make exceptions if you enabled that

Good that the source port seems to have been the problem, the rule setup otherwise looks ideal.

Thanks for the explanation I'm slowly getting there. 8)