DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
understanding NAT interaction with firewall rules on 2820
- alittlerusty
- Topic Author
- Offline
- New Member
- Posts: 4
- Thank you received: 0
26 Jan 2011 12:20 #65869
by alittlerusty
understanding NAT interaction with firewall rules on 2820 was created by alittlerusty
Hi, new to DrayTeks and having difficulty understanding filter rules and NAT interaction.
What I want to do is allow HTTPS access to one server on my LAN from a single IP address on the outside. My thinking is that this should work:
1. Open port 443 in NAT to my internal HTTPS server.
2. Create a data filter with 'Block if no further match': source IP of any, destination IP of my internal HTTPS server, service type destination port 443.
3. Create a data filter with 'Pass Immediately': source IP of the external IP I want to allow access, destination IP of my internal HTTPS server, service type destination port 443.
Now this all appears to work, but my problem is I expected that if I did a port scan of 443 with, say, Shields Up, the port should show as closed. But it shows as open. Why is this? Does rule 2 not effectively close the port to other IP addresses?
I am obviously missing something fundamental here...
thanks
Philip
- voodle
- Offline
- Big Contributor
- Posts: 1139
- Thank you received: 0
26 Jan 2011 21:21 #65885
by voodle
Replied by voodle on topic understanding NAT interaction with firewall rules on 2820
Those should work, but make sure to leave the Source Port as 1-65535 in the Service Type for the firewall rule; that's what usually breaks filter rules.
It seems you might have already done that, but it's worth mentioning. Also, if you've set up those rules in filter set 3 or something, make sure filter set #2 (the default) links to it, otherwise it won't check those rules.
Also, if it's still showing port 443 as open, check whether the router is using that port for remote management. It won't respond to it if you don't have remote management enabled, but it will show as open with a port scanner like that. That's set from System Maintenance, then Management.
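The source-port point above is easy to see in a model. The following is an added example, not code from the forum or from DrayTek: it evaluates a minimal set of DrayTek-style data filter rules ('Block if no further match', 'Pass Immediately') against constructed packets and shows that a Service Type whose source port is 443 only matches nothing a real client sends, so the NAT-forwarded port stays reachable from any address, whereas 1-65535 closes it to all but the allowed IP. Addresses, port numbers and the default-pass assumption for unmatched forwarded traffic are assumptions for the example.

```python
# Added example (not from the forum or DrayTek): model of DrayTek-style data
# filter rules, used to show why a Service Type with source port 443 only
# leaves a NAT-forwarded port open, while source port 1-65535 closes it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str          # "pass_immediately" or "block_if_no_further_match"
    src: str             # "any" or an address/CIDR
    dst_ip: str
    src_ports: tuple     # (low, high) inclusive, as in the Service Type object
    dst_port: int

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and ip_address(p.src_ip) not in ip_network(self.src):
            return False
        return (p.dst_ip == self.dst_ip and p.dst_port == self.dst_port
                and self.src_ports[0] <= p.src_port <= self.src_ports[1])


def evaluate(rules, packet: Packet) -> str:
    """'Pass immediately' ends evaluation; 'block if no further match' is tentative
    and is overridden by a later matching rule. Assumption: traffic matching no rule
    passes, because the NAT port map has already delivered it to the LAN server."""
    verdict = "pass"
    for r in rules:
        if not r.matches(packet):
            continue
        if r.action == "pass_immediately":
            return "pass"
        if r.action == "block_if_no_further_match":
            verdict = "block"
    return verdict


SERVER = "192.168.1.10"    # constructed LAN HTTPS server (post-NAT destination)
ALLOWED = "203.0.113.7"    # constructed external IP that should be let in


def ruleset(src_ports):
    return [Rule("block_if_no_further_match", "any", SERVER, src_ports, 443),
            Rule("pass_immediately", ALLOWED, SERVER, src_ports, 443)]


WRONG = ruleset((443, 443))     # the original poster's Service Type
RIGHT = ruleset((1, 65535))     # source port left at the full range
# Constructed packets: clients and scanners use ephemeral source ports, never 443.
scanner = Packet("198.51.100.25", 51234, SERVER, 443)
allowed_client = Packet(ALLOWED, 49152, SERVER, 443)
```

With `WRONG`, both the scanner and the allowed client pass because neither rule ever matches an ephemeral source port; with `RIGHT`, the scanner is blocked and only the allowed client passes.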
- alittlerusty
- Topic Author
- Offline
- New Member
- Posts: 4
- Thank you received: 0
26 Jan 2011 23:37 #65888
by alittlerusty
Replied by alittlerusty on topic understanding NAT interaction with firewall rules on 2820
Ah, I have the source port in Service Type as 443 only; I assumed that I was just forwarding this one port, so that is all I needed. Stupid really, I should have thought, as any port on an external IP address could send a packet to my external 443 port...
Thanks, I knew I was missing something fundamental!
- alittlerusty
- Topic Author
- Offline
- New Member
- Posts: 4
- Thank you received: 0
26 Jan 2011 23:56 #65889
by alittlerusty
Replied by alittlerusty on topic understanding NAT interaction with firewall rules on 2820
One further thing I don't quite understand: why is the IM/P2P filter selection available in every filter set rule? I realise that I would need to 'turn it on' somewhere if I required it, but surely not in every filter set rule? Again, I am obviously not grasping something here...
- voodle
- Offline
- Big Contributor
- Posts: 1139
- Thank you received: 0
27 Jan 2011 01:54 #65891
by voodle
Replied by voodle on topic understanding NAT interaction with firewall rules on 2820
IM/P2P, URL content filter etc. are in each filter rule so that they can be 'tagged', mostly by source IP or schedule time. Normally, if you wanted to tag one of those, you'd use a separate rule with the action of 'pass immediately' or 'pass if no further match'. Normally you can enable those from the Firewall General Setup bit, but filter rules are also where you'd make exceptions if you enabled that.
Good that the source port seems to have been the problem; the rule setup otherwise looks ideal.
- alittlerusty
- Topic Author
- Offline
- New Member
- Posts: 4
- Thank you received: 0
28 Jan 2011 12:58 #65957
by alittlerusty
Replied by alittlerusty on topic understanding NAT interaction with firewall rules on 2820
Thanks for the explanation, I'm slowly getting there. 8)