DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

SOLVED - 2927 Firewall not working

18 Mar 2021 02:27 #19 by hornbyp
Replied by hornbyp on topic Re: 2927 Firewall not working

I wrote:
In the meantime - now I know how to use the "Diagnose" function - I'm going to work my way through my own, and prove that they all trigger...

As I commenced this mammoth task (and discovered that I really need 3 concurrent GUI sessions to the 2860 :cry: ), I noticed something...

Piste Basher wrote:
Update on 17th - I've tried it again, this time re-booting after setting up Rule 2 - still no joy, packet still not handled by the firewall :?:

Are you testing the Firewall with a valid (i.e. open) destination Port, as well as valid WAN IP address :?:

My first set of rules says:

1.) WAN (everyone) -> LAN (anyone): Block if no further match.
2.) Group comprising various Chinese web spiders, nasty 'census' tools etc. -> LAN (anyone:any port): BLOCK.
3.) DNS and stuff: Pass if it's from 'Buddyns'.
4.) SMTP and Web: Pass if no further match.

I tried with 198.20.69.74 (god knows who they are, or why they're in my list :roll: ), using Port 1 -> My WAN, Port:1 (Using Port 1 to save typing :wink: )
and it DIDN'T fire any Rule ... it said "Packet not handled by Firewall"

However, repeating it with a target port that is defined in the 'Open Ports' list (53,80,25 etc), it DID trigger Set #1, Rule #2

In other words, "not handled by Firewall" seems to also mean that it fell at the first hurdle (inbound NAT) and was simply discarded :idea:

(By this point, it is becoming apparent that my understanding of Draytek's Firewall implementation is, er, not quite the same as theirs :roll: )

Continuing...

My second set is basically just a huge list of people who have upset me over the years :)

So if I 'send' a packet from 38.0.0.1 => MyWan:80, it triggers a rule in Set #2. But if I 'send' it to an arbitrary (closed) port, I get "Packet is not handled by Firewall".

There also seems to be a discrepancy between the Firewall 'Diagnose' function and what gets sent to Syslog (if the rule is set to do that).

If I enable Syslog on that Set #1, Rule #1 - Block if no further match - it generates lots of output, which when fed back into the Diagnose function just gives "Not handled".
These seem to be mainly the 'back end' of conversations: for example, 52.30.199.89:443 => somelanclient:36440 ... it's arguable whether it's the Firewall misbehaving, or the remote system - but either way, the actual Firewall and the "Diagnose" function do not work the same way :(


18 Mar 2021 06:06 #20 by chaser
Replied by chaser on topic Re: 2927 Firewall not working

hornbyp wrote:
As I commenced this mammoth task (and discovered that I really need 3 concurrent GUI sessions to the 2860 :cry: ), I noticed something...

Piste Basher wrote:
Update on 17th - I've tried it again, this time re-booting after setting up Rule 2 - still no joy, packet still not handled by the firewall :?:

Are you testing the Firewall with a valid (i.e. open) destination Port, as well as valid WAN IP address :?:

<...SNIP...>

In other words, "not handled by Firewall" seems to also mean that it fell at the first hurdle (inbound NAT) and was simply discarded :idea:

Good point. I just tested on my firewall and I see the same behaviour. I'll need to update one of my earlier posts to reflect this behaviour.


18 Mar 2021 06:24 #21 by chaser
Replied by chaser on topic Re: 2927 Firewall not working

chaser wrote:
If I use the diagnostic tool on 212.70.149.71 it blocks on Set 1, Rule 3 (note that rules 2 & 3 are identical). If I then disable rule 3 from set 1 using the WebGUI:

<...Snip...>

This time, if I use the diagnostic tool with exactly the same 212.70.149.71 address (and all the same other parameters) the tool reports a pass on Default Set, Default Rule. Rule 2 has not been triggered. The IP addresses in Set 1 Rules 4 and 5 don't work either, unless I put those IP addresses into Rule 3. If they're in rule 3 the firewall will then block them.

Go figure!


I just noticed an error in that earlier post. I was using 188.162.199.76 with the diagnostic tool. Not 212.70.149.71. Post updated to reflect the correct IP address. Hopefully it makes more sense now!


18 Mar 2021 08:31 #22 by piste basher
Replied by piste basher on topic Re: 2927 Firewall not working

hornbyp wrote:
Are you testing the Firewall with a valid (i.e. open) destination Port, as well as valid WAN IP address :?:

No, I was taking the various "instructions" (posted by the earlier thread you quoted etc) literally, where they all say "port can be anything", such as 1234, when running the diagnostic. I have tried it with 80 and 465.

But since the "Destination" is my WAN address - and there are lots of devices with open ports 80 and various others behind that address, what more can I do to "open" a valid port?


18 Mar 2021 09:00 #23 by chaser
Replied by chaser on topic Re: 2927 Firewall not working

Piste Basher wrote:

hornbyp wrote:
Are you testing the Firewall with a valid (i.e. open) destination Port, as well as valid WAN IP address :?:

No, I was taking the various "instructions" (posted by the earlier thread you quoted etc) literally, where they all say "port can be anything", such as 1234, when running the diagnostic. I have tried it with 80 and 465.


I corrected my earlier post, where I now say that the Destination port must be an open port on the router. This is what it says now:

chaser wrote:
Mode: TCP IPV4
Direction: From WAN
Dest IP: My WAN IPv4 address
Dest Port: 465 (needs to be a valid port that is open or redirected on your router) <--- Updated based on discussions further down on this thread
Src IP: 212.70.149.71
Src Port: 1234 (but can be anything)

Piste Basher wrote:
But since the "Destination" is my WAN address - and there are lots of devices with open ports 80 and various others behind that address, what more can I do to "open" a valid port?

Under the NAT heading on your router WebGUI you need to make sure you've opened a port or redirected a port to a device on your LAN.


18 Mar 2021 09:35 #24 by piste basher
Replied by piste basher on topic Re: 2927 Firewall not working
There are a goodly number of devices with both redirected ports and open ports on my LAN.

Since I have multiple WAN addresses I thought I'd try a different one (which directs to an IP camera) - on my first try with "diagnose" from 212.70.149.71 port 80 to this WAN port 80 I get "packet passed by default rule" :!:

Rule 2, the Block Immediately rule, appeared to have been completely ignored.

However, in the "Advanced" section of the Rule set up I then ticked on "All WANS" and "All LANS"

Running the test again and this time Blocked :D

Success!

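The behaviour pieced together over this thread can be summarised as a small model: a packet to a WAN address whose destination port is neither open nor redirected is dropped at inbound NAT before any firewall rule is consulted, and Diagnose then reports "Packet not handled by Firewall" (hornbyp's observation); "... if no further match" rules hold a provisional verdict that a later matching rule can override, while "... immediately" rules decide on the spot; and a rule scoped to one WAN interface never sees traffic arriving on a different WAN address until "All WANs" is ticked (piste basher's fix). The Python below is an added example written for this page, not DrayTek's code and not anything posted in the thread. The WAN addresses, the open-port and redirection tables, the rule CIDRs and the exact override semantics of "if no further match" rules are assumptions made for illustration; the source IPs are the ones the posters used.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration (assumption; not taken from any real router).
# The router's WAN addresses and the interface each one sits on.
WAN_ADDRESSES = {"203.0.113.10": "WAN1", "203.0.113.11": "WAN2"}
# NAT > Open Ports: destination port -> LAN host.
OPEN_PORTS = {25: "192.168.1.20", 53: "192.168.1.20", 80: "192.168.1.30", 465: "192.168.1.20"}
# NAT > Port Redirection: (WAN address, port) -> LAN host; the second WAN
# address forwards port 80 to an IP camera, as in the thread.
REDIRECTS = {("203.0.113.11", 80): "192.168.1.40"}

NOT_HANDLED = "Packet not handled by Firewall"
DEFAULT_PASS = "Passed by Default Set, Default Rule"


@dataclass
class Rule:
    action: str                               # block_immediately | pass_immediately |
                                              # block_if_no_further_match | pass_if_no_further_match
    src: tuple = ()                           # source CIDRs; empty = anyone
    dst_ports: frozenset = frozenset()        # empty = any port
    wan_ifs: frozenset = frozenset({"WAN1"})  # rule's WAN scope; {"ALL"} = "All WANs" ticked
    enabled: bool = True

    def matches(self, src_ip, dst_port, wan_if):
        if "ALL" not in self.wan_ifs and wan_if not in self.wan_ifs:
            return False                      # rule does not apply on this WAN interface
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        if self.src and not any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c)
                                for c in self.src):
            return False
        return True


def nat_inbound(dst_ip, dst_port):
    """Inbound NAT: the LAN target for this WAN address/port, or None if the
    packet is dropped before the firewall ever sees it."""
    if dst_ip not in WAN_ADDRESSES:
        return None
    return REDIRECTS.get((dst_ip, dst_port)) or OPEN_PORTS.get(dst_port)


def diagnose(src_ip, dst_ip, dst_port, rule_sets):
    """Reproduce the Diagnose verdict for a TCP packet arriving from the WAN."""
    if nat_inbound(dst_ip, dst_port) is None:
        return NOT_HANDLED                    # dropped at NAT: no rule is consulted
    wan_if = WAN_ADDRESSES[dst_ip]
    pending = None                            # verdict of the last "...if no further match" rule
    for s, rules in enumerate(rule_sets, 1):
        for r, rule in enumerate(rules, 1):
            if not rule.enabled or not rule.matches(src_ip, dst_port, wan_if):
                continue
            verb = "Blocked" if rule.action.startswith("block") else "Passed"
            verdict = f"{verb} by Set {s} Rule {r}"
            if rule.action.endswith("immediately"):
                return verdict                # decided on the spot
            pending = verdict                 # assumption: a later match overrides it
    return pending or DEFAULT_PASS


def example_rule_sets(all_wans=False):
    """Rule sets modelled on the thread's descriptions (CIDRs are constructed)."""
    scope = frozenset({"ALL"}) if all_wans else frozenset({"WAN1"})
    set1 = [
        Rule("block_if_no_further_match", wan_ifs=scope),                                   # WAN -> LAN
        Rule("block_immediately", src=("198.20.69.74/32", "212.70.149.71/32"), wan_ifs=scope),  # spiders, census tools
        Rule("pass_if_no_further_match", src=("192.0.2.0/24",), dst_ports=frozenset({53}),
             wan_ifs=scope),                                                                # DNS from an assumed secondary range
        Rule("pass_if_no_further_match", dst_ports=frozenset({25, 80, 465}), wan_ifs=scope),  # SMTP and web
    ]
    set2 = [Rule("block_immediately", src=("38.0.0.0/24",), wan_ifs=scope)]                 # the personal block list
    return [set1, set2]


if __name__ == "__main__":
    rs = example_rule_sets()
    for src, dst, port in [("198.20.69.74", "203.0.113.10", 1), ("198.20.69.74", "203.0.113.10", 53),
                           ("38.0.0.1", "203.0.113.10", 80), ("38.0.0.1", "203.0.113.10", 12345),
                           ("9.9.9.9", "203.0.113.10", 80)]:
        print(f"{src} -> {dst}:{port}: {diagnose(src, dst, port, rs)}")
    # The second WAN address only reaches the block rule once the rule covers all WANs.
    print(diagnose("212.70.149.71", "203.0.113.11", 80, example_rule_sets(all_wans=False)))
    print(diagnose("212.70.149.71", "203.0.113.11", 80, example_rule_sets(all_wans=True)))
```

The two cases worth checking against a real unit are the ones the thread turned on: a closed port returns the NAT drop message regardless of how the rules are written, and a WAN1-scoped rule returns the default pass for traffic to a second WAN address until its scope is widened.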