Hello,

Looking to get a DrayTek router so that I can set up VLANs and isolate IoT, devices etc. within the network - will probably use my current Netgear router as an AP for the time being until I get things up and running and then look to get a switch and a dedicated AP further down the line.

I just wanted to check a few things about the configuration on the DrayTek routers as I couldn't find any documentation that answered the following (if there are, please let me know):

1 - Is there already a default "deny all" firewall rule enabled? Or would I have to add that myself and ensure that any new rules I add are placed above that in the running order?
2 - Right out of the box, is all WAN -> LAN traffic blocked without the need to create a firewall rule? (I would assume so since that would not be best security practice)
3 - I see that you can generate certificates on the DrayTek - could I generate a certificate, install that onto a client device browser in order to bypass the "connection not secure page" warning for content filtering, so that the custom block page is displayed straight away instead?

Thanks in advance!
StormL.

1 - Is there already a default "deny all" firewall rule enabled? Or would I have to add that myself and ensure that any new rules I add are placed above that in the running order?

Yes there is, usually to be found at "Firewall >> General Setup" | "Default Rule". (I can't remember the actual default; mine is set to "Pass")

2 - Right out of the box, is all WAN -> LAN traffic blocked without the need to create a firewall rule? (I would assume so since that would not be best security practice)

It's inherent in NAT - the only inbound traffic that is accepted, is the response to traffic that went out. Nat Mapping/Open Ports/DMZ host or Port Redirection would have to be configured to allow traffic in. I suppose if you have multiple Public IP addresses and want a server directly accessible from the Internet, then things change.

3 - I see that you can generate certificates on the DrayTek - could I generate a certificate, install that onto a client device browser in order to bypass the "connection not secure page" warning for content filtering, so that the custom block page is displayed straight away instead?

Looks plausible - though anything to do with certificates is fraught with difficulty, in my experience :wink:

I've configured mine the "other way round" and have installed the Root certificate from my "Certificate Authority" and generated a certificate for the Vigor, which I imported as well. (I've just noticed that it expires in October, so I shall to try and remember how on earth I did it )

Thanks for the response and answers to my questions!

I managed to get time after work to sit down and read the setup guide for the DrayTek router I am thinking of purchasing (the 2765) and found that the default rule applies to all users and is set to "pass"; so that's fine.

I thought NAT would be the case; thankfully this is for home use so I only have the one (dynamic) IP address - so that answers that.

With the web certificates - guess I will have to try that one out myself. Though from what you have said, a Root Cert from Lets Encrypt would work...

the cert on the draytek with letscert would be the best option IMO.

Also since you are looking at VLANs and more complex things be aware that the 2765 can only have one WAN up at a time and has other limitations like amount of connected VPNs etc.