DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2860 Firewall configuration out of the box

16 May 2018 10:54 #1 by eddiek1561
Hi

I have recently taken on the management of a network that has a Vigor 2860. What I am struggling with is the firewall configuration.

I have a few questions that maybe someone can help me with.

1. Out of the box does the firewall block all inbound traffic?

2. Out of the box does the firewall allow all outbound traffic?

3. The note on the general firewall setup page says "1.Data Filter Sets and Rules 2.Block connections initiated from WAN 3.Default Rule". Is No. 2 the thing that blocks all inbound traffic by default? So all I need to do is create a rule that allows, say, 3389 from and to a specific IP address? Is that correct?

4. What is meant by default rule?

Any help would be appreciated.


16 May 2018 17:03 #2 by anaglypta
Hello @eddiek1561,

Let's try to answer your questions backwards for OUT OF THE BOX settings.

4). The Default rule is a kind of global rule which is applied to all traffic. By default this is set to PASS all traffic with no enforcements. You can, however, configure this to enforce QoS, Web Content, URL Content, User management etc. etc. (Full details in the user manual https://www.draytek.co.uk/support/downloads/vigor-2860 )

3). There are two FILTER rules set up (CALL FILTER and DATA FILTER) by default, and both are to prevent NETBIOS packets escaping to the internet. You can examine these rules from the FILTER SETUP Dialog. The note you are referring to tells you in which order rules will be processed, so filter rule sets first, Strict Firewall and then Routed from WAN (IPv4 unchecked), and finally that Default Rule.

What is blocking inbound traffic from the WAN is NAT, and that is what you would need to set up. To allow access via a specific port to a specific machine on the LAN use NAT Port redirection.

2). All outbound traffic is allowed

1). All inbound traffic is blocked by NAT (not the firewall).

If you can enlighten me on what you are trying to do with port 3389 I can perhaps give more help.

John.


17 May 2018 13:07 #3 by eddiek1561
OK, that is a great explanation so far. So just to clarify, out of the box, the router is secure purely because the NAT blocks incoming traffic completely unless I have set up port forwarding or something similar.

What I am trying to do is open up port 3389 to a PC on our LAN. I then want to restrict access to that port to a specific external IP address. I have been following this https://www.draytek.co.uk/support/guides/kb-ipfilter-allowing-inbound-traffic which seems to provide the info I need. It's just that my predecessor has set up lots of rules and I am unsure why some of them are needed. One, for example, in filter set 3 seems to block everything in or out. I don't think that is needed.


17 May 2018 19:01 #4 by anaglypta
I haven't got a clue what your firewall rules do without looking at them, so can't really comment.

For the remote access I would use port forwarding (quick and simple) to set up access to the machine on the LAN and then define an IP object for your home/work network (which will be the real world address that your home/work router gets as its WAN address from your ISP). Then associate that in the "Source IP" box to limit access to that IP. Remember that if you don't have fixed IPs from your ISP, the IP may change after you reboot your home/work router, so you'd lose access if that happens until you change the source IP to reflect the change.

This is a fairly new feature in port forwarding / open ports, which means you no longer have to define a firewall rule to restrict access as explained in this KB article:-

https://www.draytek.co.uk/support/guides/kb-firewall-rules-port-forwarding?highlight=WyJwb3J0IiwiZm9yd2FyZGluZyJd&return=8673210

John.
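
The following is an added sketch, not part of the thread and not DrayTek code, that models the behaviour described in post #4: inbound WAN connections are dropped unless a port-forward entry matches, and an entry with a "Source IP" only matches that source. The `PortForward` fields, rule names and addresses are constructed for illustration and are not the router's configuration schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class PortForward:
    # Hypothetical fields; not DrayTek's actual configuration format.
    name: str
    public_port: int
    private_ip: str
    private_port: int
    source: Optional[str] = None  # single IP or CIDR; None means any source

# Remote-administration ports worth restricting by source.
SENSITIVE_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet", 5900: "VNC"}

# Constructed sample entries (documentation address ranges).
RULES = [
    PortForward("rdp-office", 3389, "192.168.1.50", 3389, "203.0.113.10"),
    PortForward("rdp-legacy", 3390, "192.168.1.51", 3389, None),
    PortForward("web", 443, "192.168.1.20", 443, None),
]

def decide(rules, src_ip, dst_port):
    """Return (private_ip, private_port) if the connection is forwarded,
    or None when no entry matches and NAT drops it."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.public_port != dst_port:
            continue
        if r.source is None or src in ipaddress.ip_network(r.source, strict=False):
            return (r.private_ip, r.private_port)
    return None

def audit(rules):
    """List forwards that expose a remote-admin service too widely."""
    findings = []
    for r in rules:
        svc = SENSITIVE_PORTS.get(r.private_port) or SENSITIVE_PORTS.get(r.public_port)
        if svc is None:
            continue
        if r.source is None:
            findings.append(f"{r.name}: {svc} open to any source")
        elif ipaddress.ip_network(r.source, strict=False).num_addresses > 256:
            findings.append(f"{r.name}: {svc} source range wider than 256 addresses")
    return findings

if __name__ == "__main__":
    # A changed (non-fixed) ISP address no longer matches and is dropped.
    print(decide(RULES, "198.51.100.7", 3389))
    print(audit(RULES))
```

Note that `rdp-legacy` is flagged even though its public port is not 3389: moving RDP to a different external port does not restrict who can reach it.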
