DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2962 firmware 4.3.1.1 and VLAN firewall rules?

  • richjg
  • Topic Author
  • Offline
  • New Member
  • New Member
More
20 Jun 2022 11:42 #101287 by richjg
Hi there,

I recently upgraded my 2962 to the 4.3.1.1 firmware (from 3.9.7.2) as I wanted to try the new WireGuard feature, but have subsequently hit some problems with the firewall and passing selected traffic between VLAN's.

Summary of the routing is that I enable the inter-LAN option between required subnet(s) on the LAN settings.
I then use a set of Firewall Filters to allow specific traffic, say 80 & 443 to a specific web server, then finish with a rule blocking all traffic from say LAN 1 to LAN 2, and back the other way.
This was working fine for many months on previous firmware's.

I've rolled back (with config) to 3.9.7.2 and all works as expected again. So it does seem to be specific to the newer firmware. I did notice that on 4.3.1.1 the Call Filter set of options seems to have disappeared, only showing Data Filter on Firewall -> General Setup. Are there any fundamental changes I should be aware of, or has anyone else noticed this, or resolved it?

Cheers!

Please Log in or Create an account to join the conversation.

More
20 Jun 2022 12:11 #101288 by piste basher
Replied by piste basher on topic Re: 2962 firmware 4.3.1.1 and VLAN firewall rules?
I've noticed on my 2927ax with the latest 4.4.0 that the Call filter options have disappeared, and the release notes refer to some significant changes to the firewall, which I haven't quite got my head around. Maybe the release notes for your model will help?

Please Log in or Create an account to join the conversation.

  • richjg
  • Topic Author
  • Offline
  • New Member
  • New Member
More
21 Jun 2022 10:07 #101289 by richjg
It's a good call, and I went back to re-check the release notes. There are a couple of mentions of fixes and improvements around the firewall, but no real details unfortunately, or mentions of the missing Call filter. E.g.:

Mainline - 4.3.1.1 - Adds new improvements including improved security related to CVE-2022-0778 (OpenSSL), firewall and VPN updates.



I've rolled back to 3.9.7.2 and will wait a bit longer for the bugs to get ironed out or maybe the docs to get updated on the changes. I don't really fancy doing a clean install of 4.3.1.1 and rebuilding the firewall rules from scratch just to see if that fixes it! :)

Please Log in or Create an account to join the conversation.

More
21 Jun 2022 10:14 #101290 by piste basher
Replied by piste basher on topic Re: 2962 firmware 4.3.1.1 and VLAN firewall rules?
If it helps at all, this is what they say for mine:-

The firewall is now able to block inbound requests to the routers management and services
interfaces such as the Web UI and VPN Services. The firewall treats these as [WAN to LocalHost] for
direction purposes.
If your [Firewall] > [General Setup] > Default Rule is set to Block, you must set it to Pass before
upgrading the firmware.
If you want to set the default rule to block, then after upgrade, create pass rules with a direction to
[WAN to LocalHost] so that the Web UI (typically TCP 443) is exempt by creating a Pass rule first.
Other common services used by the router are:
HTTPS & SSL VPN – TCP 443
SSH – TCP 22
IPSEC – UDP 500
IPSEC NAT-traversal – UDP 4500
New Features
1. Firewall can restrict/drop unwanted inbound WAN traffic such as VPN requests. Use the new
direction option [WAN -> Localhost] to apply

Please Log in or Create an account to join the conversation.

More
22 Jun 2022 15:37 #101292 by pharcyder
This is a very welcome addition to the FW. Finally can Country Block everyone away for VPN services.

Please Log in or Create an account to join the conversation.

More
26 Aug 2022 13:39 #101661 by jhtwu
For those who had VLAN/firewall issue, you can test new 432 RC version
https://www.draytek.com/products/vigor2962/#resource

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami