DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Vigor 2130 Firewall
11 Feb 2013 20:07 #75150
by geowaverider
Vigor 2130 Firewall was created by geowaverider
I want to allow inbound on port 25 from a set of specific IP addresses.
Can some kind soul point me in the correct direction?
I have 2700/2800 routers set up using the Default Data Filter to do the same and they work a treat.
In the 2130n there are two areas that look likely candidates: Traffic Control and Access Control Lists.
I have attempted to set both up and all traffic on port 25 comes in regardless of sender's IP address.
Now in Access Control Lists I have two entries allowing inbound traffic from specific IP addresses on port 25 (these are defined as IPv4/TCP types) and then a third entry denying all traffic from any IP address on port 25.
Still email comes in from the outside world.
Thanks in advance, frustrated of Halifax!
17 Feb 2013 23:25 #75242
by geowaverider
Replied by geowaverider on topic Re: Vigor 2130 Firewall
I have been doing some more testing.
If I set an Open Port configuration in NAT:
NAME-------->SMTP
PROTOCOL---->TCP
START PORT-->25
END PORT---->25
LOCAL HOST->192.168.1.201
LOCAL PORT-->25
Then all inbound traffic on port 25 does get delivered to the internal server 192.168.1.201 on port 25 as expected.
Now I am trying to lock this traffic down further by only allowing traffic on port 25 from specific external IP Addresses.
There looks to be two areas where this is possible:
Firewall->Traffic Control example:
NAME----------------->Service-01
SOURCE--------------->WAN
DESTINATION---------->LAN
PROTOCOL------------->TCP
SOURCE PORT---------->25
DESTINATION PORT----->25
SOURCE ADDRESS------->xx.xxx.xxx.0/24
DESTINATION ADDRESS->192.168.1.201
ACTION--------------->ACCEPT
followed by:
NAME----------------->SMTP-Block
SOURCE--------------->WAN
DESTINATION---------->LAN
PROTOCOL------------->TCP
SOURCE PORT---------->25
DESTINATION PORT----->25
SOURCE ADDRESS------->Any
DESTINATION ADDRESS->Any
ACTION--------------->REJECT
I would expect with these rules enabled that I would only get into my internal network on the external IP address entered in the Service-01 rule. Instead all traffic on port 25 is passed.
If I disable the NAT-Open Ports SMTP configuration then no traffic is passed at all so it looks like I do need that before I set up any other Firewall configurations.
If I instead use the Firewall->Access Control Lists then I can set up similar PERMIT and DENY rules, but to no avail; still all traffic is allowed.
I hope this more detailed explanation helps someone to offer a solution.
Thanks
Brian
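An added example, not part of the original post and not DrayTek's code: a minimal first-match rule evaluator run over the two Traffic Control rules above, with constructed packets. Remote mail servers connect from ephemeral source ports, so in this model a rule with SOURCE PORT 25 matches neither packet and the default decides. Assumptions: first-match ordering, a default of ACCEPT for port-forwarded traffic, the filter sees the post-NAT destination, and 203.0.113.0/24 stands in for the masked xx.xxx.xxx.0/24.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard for an address or port field


@dataclass
class Rule:
    name: str
    src_net: object   # ipaddress network, or ANY
    dst_ip: object    # dotted-quad string, or ANY
    src_port: object  # int, or ANY
    dst_port: object  # int, or ANY
    action: str

    def matches(self, pkt):
        return ((self.src_net is ANY or ipaddress.ip_address(pkt["src"]) in self.src_net)
                and (self.dst_ip is ANY or pkt["dst"] == self.dst_ip)
                and (self.src_port is ANY or pkt["sport"] == self.src_port)
                and (self.dst_port is ANY or pkt["dport"] == self.dst_port))


def evaluate(rules, pkt, default="ACCEPT"):
    """First matching rule wins; otherwise the default applies (assumed model)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


TRUSTED = ipaddress.ip_network("203.0.113.0/24")  # constructed placeholder network
SERVER = "192.168.1.201"                          # LOCAL HOST from the NAT entry


def ruleset(src_port):
    """The two rules from the post, with SOURCE PORT as the only variable."""
    return [Rule("Service-01", TRUSTED, SERVER, src_port, 25, "ACCEPT"),
            Rule("SMTP-Block", ANY, ANY, src_port, 25, "REJECT")]


AS_POSTED = ruleset(25)   # SOURCE PORT 25, as in the post
ADJUSTED = ruleset(ANY)   # SOURCE PORT Any, DESTINATION PORT still 25

# Constructed packets: inbound SMTP connections from ephemeral source ports
trusted_pkt = {"src": "203.0.113.10", "dst": SERVER, "sport": 49152, "dport": 25}
other_pkt = {"src": "198.51.100.7", "dst": SERVER, "sport": 51034, "dport": 25}

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("source port Any", ADJUSTED)):
        for pkt in (trusted_pkt, other_pkt):
            print(label, pkt["src"], evaluate(rules, pkt))
```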