DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

SOLVED - 2927 Firewall not working

16 Mar 2021 15:57 #7 by hornbyp
Replied by hornbyp on topic Re: 2927 Firewall not working

chaser wrote:
I have:

Rule 1: xNetBios
Rule 2: Immediate block 212.70.149.71
Rule 3: Immediate block 212.70.149.71 (Duplicate of Rule 2)

If I run the Diagnose tool on 212.70.149.71, it blocks on Rule 2 (good!)
If I then swap rules 2 & 3 around and run the Diagnose tool on 212.70.149.71, it blocks on Rule 3 (good that it blocks, but bad that it seems to skip past rule 2).



If Rule 2 and Rule 3 are duplicates, then how can you "swap rules 2 & 3"? (Surely nothing should change if they're duplicates... but clearly, something does.)

Perhaps have a look with the Telnet "ipf view -r" command - just in case the Web GUI has allowed some dodgy input. (This command doesn't seem to list the Rules in any particular order on my 2860, so it doesn't help with that aspect).

Even trying to set up new rules in Set 2 doesn't work.



Is the "Next Filter Set" option correctly set (to Set#2)? (I can't remember what the default is - it may be "none".)

Some Draytek resources (that I've not previously been aware of) :-
https://www.draytek.com/support/knowledge-base/4961 "Introduction to Firewall Content Security Management"
https://www.youtube.com/watch?v=P-BHhGO7tKk "Webinar - Firewall and its Application Part 1"
https://www.youtube.com/watch?v=L4B0wUFMW5k "Webinar - Firewall and its Application (Part 2)"

There is, of course, always the possibility that you've found a bug.

16 Mar 2021 16:48 #8 by chaser
Replied by chaser on topic Re: 2927 Firewall not working

hornbyp wrote:
If Rule 2 and Rule 3 are duplicates, then how can you "swap rules 2 & 3"? (Surely nothing should change if they're duplicates... but clearly, something does.)


On the WebGUI there are 'Move Up' & 'Move Down' buttons against each rule that allow you to swap the order of the rules, which I assume sets the order in which they are checked. So if you click on the 'Move Up' button for rule 3, that rule moves up to become rule 2 and rule 2 drops down and becomes rule 3. But because the rules are duplicates, you're right in that nothing visibly changes, but behind the scenes the 'identical' rules do actually swap position. This is clearly more obvious if rules 2 and 3 are not identical!

hornbyp wrote:
Perhaps have a look with the Telnet "ipf view -r" command - just in case the Web GUI has allowed some dodgy input. (This command doesn't seem to list the Rules in any particular order on my 2860, so it doesn't help with that aspect).


I've never tried the Telnet commands, so I'll check that out now and see what it shows.

hornbyp wrote:
Some Draytek resources (that I've not previously been aware of) :-
https://www.draytek.com/support/knowledge-base/4961 "Introduction to Firewall Content Security Management"
https://www.youtube.com/watch?v=P-BHhGO7tKk "Webinar - Firewall and its Application Part 1"
https://www.youtube.com/watch?v=L4B0wUFMW5k "Webinar - Firewall and its Application (Part 2)"

There is, of course, always the possibility that you've found a bug.


I have had a look at some of those resources, but couldn't see anything obvious that would help. I'll check again. I have also raised a ticket, because it does feel like a bug.

Thanks for the suggestions. Much appreciated. I'll report back once I've run the Telnet command.

16 Mar 2021 17:02 #9 by hornbyp
Replied by hornbyp on topic Re: 2927 Firewall not working

chaser wrote:
On the WebGUI there are 'Move Up' & 'Move Down' buttons against each rule that allows you to swap the order of the rules, which I assume sets the order in which they are checked.


Ah right - I see :)

16 Mar 2021 17:11 #10 by chaser
Replied by chaser on topic Re: 2927 Firewall not working
Right, I've disabled Set 2 for now, and here's the output of ipf view -r:

Code:
DrayTek> ipf view -r
------ LAN/DMZ/RT/VPN -> WAN Data Filter Rules ------
[Set 1 Rule 1] Schedule: Source IP: Any Destination IP: Any Service Type: TCP/UDP port from 137-139 to 53 Fragments: Don't Care Action: Block immediately
------ WAN -> LAN/DMZ/RT/VPN Data Filter Rules ------
[Set 1 Rule 2] Schedule: Source IP: 188.162.199.76 ~ 188.162.199.76 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 3] Schedule: Source IP: 188.162.199.76 ~ 188.162.199.76 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 4] Schedule: Source IP: 212.70.149.71 ~ 212.70.149.71 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 5] Schedule: Source IP: 84.69.132.197 ~ 84.69.132.197 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
------ LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN Data Filter Rules ------
empty!
DrayTek>


If I use the diagnostic tool on 188.162.199.76 it blocks on Set 1, Rule 3 (note that rules 2 & 3 are identical). If I then disable rule 3 from set 1 using the WebGUI:

Code:
DrayTek> ipf view -r
------ LAN/DMZ/RT/VPN -> WAN Data Filter Rules ------
[Set 1 Rule 1] Schedule: Source IP: Any Destination IP: Any Service Type: TCP/UDP port from 137-139 to 53 Fragments: Don't Care Action: Block immediately
------ WAN -> LAN/DMZ/RT/VPN Data Filter Rules ------
[Set 1 Rule 2] Schedule: Source IP: 188.162.199.76 ~ 188.162.199.76 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 4] Schedule: Source IP: 212.70.149.71 ~ 212.70.149.71 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 5] Schedule: Source IP: 84.69.132.197 ~ 84.69.132.197 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
------ LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN Data Filter Rules ------
empty!
DrayTek>


This time, if I use the diagnostic tool with exactly the same 188.162.199.76 address (and all the same other parameters) the tool reports a pass on Default Set, Default Rule. Rule 2 has not been triggered. The IP addresses in Set 1 Rules 4 and 5 don't work either, unless I put those IP addresses into Rule 3. If they're in rule 3 the firewall will then block them.

Go figure!

Edit: I was using 188.162.199.76 with the diagnostic tool. Not 212.70.149.71. Post updated to reflect this!

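Added example (not from the thread, and not DrayTek's code): a small Python parser for the `ipf view -r` layout posted above, plus a first-match evaluator that models what the Diagnose tool is expected to report. The sample text reuses the posted rules; the assumption that rules are checked first-match in listed order is mine, and a disabled rule is modelled simply by leaving it out. Under that model, removing rule 3 still leaves rule 2 blocking 188.162.199.76, which is the behaviour the thread expected but did not see.

```python
import ipaddress
import re

# Constructed sample in the `ipf view -r` layout shown in the thread (one rule per line).
SAMPLE = """\
------ LAN/DMZ/RT/VPN -> WAN Data Filter Rules ------
[Set 1 Rule 1] Schedule: Source IP: Any Destination IP: Any Service Type: TCP/UDP port from 137-139 to 53 Fragments: Don't Care Action: Block immediately
------ WAN -> LAN/DMZ/RT/VPN Data Filter Rules ------
[Set 1 Rule 2] Schedule: Source IP: 188.162.199.76 ~ 188.162.199.76 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 3] Schedule: Source IP: 188.162.199.76 ~ 188.162.199.76 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
[Set 1 Rule 4] Schedule: Source IP: 212.70.149.71 ~ 212.70.149.71 Destination IP: Any Service Type: any Fragments: Don't Care Action: Block immediately
"""

DIR_RE = re.compile(r"^------ (.+?) -> (.+?) Data Filter Rules ------$")
RULE_RE = re.compile(r"^\[Set (\d+) Rule (\d+)\].*?Source IP: (.*?) Destination IP: (.*?) "
                     r"Service Type: (.*?) Fragments:.*?Action: (.+)$")
SVC_RE = re.compile(r"^(\S+) port from (\S+) to (\S+)$")

def _ip_ok(field, ip):
    if field == "Any":
        return True
    lo, hi = (ipaddress.ip_address(p.strip()) for p in field.split("~"))  # "lo ~ hi", inclusive
    return lo <= ipaddress.ip_address(ip) <= hi

def _port_ok(field, port):
    lo, _, hi = field.partition("-")      # "53" or "137-139"
    return int(lo) <= port <= int(hi or lo)

def _svc_ok(field, proto, sport, dport):
    m = SVC_RE.match(field)               # e.g. "TCP/UDP port from 137-139 to 53"
    return field.lower() == "any" or (bool(m) and proto.upper() in m.group(1).split("/")
                                      and _port_ok(m.group(2), sport) and _port_ok(m.group(3), dport))

def parse_rules(text):
    """Return (direction, set, rule, src, dst, service, action) tuples in listed order."""
    rules, direction = [], None
    for line in text.splitlines():
        if d := DIR_RE.match(line):
            direction = f"{d.group(1)} -> {d.group(2)}"
        elif r := RULE_RE.match(line):
            s, n, src, dst, svc, act = r.groups()
            rules.append((direction, int(s), int(n), src, dst, svc, act.strip()))
    return rules

def first_match(rules, direction, proto, src_ip, sport, dst_ip, dport):
    for d, s, n, src, dst, svc, act in rules:   # first rule in this direction that fits wins
        if d == direction and _ip_ok(src, src_ip) and _ip_ok(dst, dst_ip) \
                and _svc_ok(svc, proto, sport, dport):
            return (s, n, act)
    return None  # no rule hit: falls through to the default rule (pass)
```

Comparing this model's verdict with the Diagnose tool's for the same packet is a quick way to tell a rule-ordering misunderstanding from a firmware fault.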
16 Mar 2021 17:20 #11 by piste basher
Replied by piste basher on topic Re: 2927 Firewall not working
As I have a 2927 I thought I'd see if I could assist...

I set up a Rule 2 as per the OP's first post.

But even if I put my WAN address as the destination in the Diagnose tool I still get the "This packet is not handled by the Firewall" message.

I added an identical Rule 3 but that didn't make any difference.

Maybe I'm missing something, but I can't get it to block at all.

16 Mar 2021 17:55 #12 by chaser
Replied by chaser on topic Re: 2927 Firewall not working

Piste Basher wrote:
As I have a 2927 I thought I'd see if I could assist...

I set up a Rule 2 as per the OP's first post.

But even if I put my WAN address as the destination in the Diagnose tool I still get the "This packet is not handled by the Firewall" message.

I added an identical Rule 3 but that didn't make any difference.

Maybe I'm missing something, but I can't get it to block at all.


This is how I set up the Diagnose tool, and that now seems to work for me. I no longer get the message 'This packet is not handled by the Firewall':

Mode: TCP IPV4
Direction: From WAN
Dest IP: My WAN IPv4 address
Dest Port: 465 (needs to be a valid port that is open or redirected on your router) <--- Updated based on discussions further down on this thread
Src IP: 212.70.149.71
Src Port: 1234 (but can be anything)
