DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2962 firmware 4.3.1.1 and VLAN firewall rules?
richjg (Topic Author), 20 Jun 2022 11:42 #101287
Hi there,
I recently upgraded my 2962 to the 4.3.1.1 firmware (from 3.9.7.2) as I wanted to try the new WireGuard feature, but have subsequently hit some problems with the firewall and passing selected traffic between VLANs.
Summary of the routing is that I enable the inter-LAN option between required subnet(s) on the LAN settings.
I then use a set of Firewall Filters to allow specific traffic, say 80 & 443 to a specific web server, then finish with a rule blocking all traffic from say LAN 1 to LAN 2, and back the other way.
This was working fine for many months on previous firmwares.
I've rolled back (with config) to 3.9.7.2 and all works as expected again. So it does seem to be specific to the newer firmware. I did notice that on 4.3.1.1 the Call Filter set of options seems to have disappeared, only showing Data Filter on Firewall -> General Setup. Are there any fundamental changes I should be aware of, or has anyone else noticed this, or resolved it?
Cheers!
Replied by piste basher, 20 Jun 2022 12:11 #101288
I've noticed on my 2927ax with the latest 4.4.0 that the Call filter options have disappeared, and the release notes refer to some significant changes to the firewall, which I haven't quite got my head around. Maybe the release notes for your model will help?
Replied by richjg (Topic Author), 21 Jun 2022 10:07 #101289
It's a good call, and I went back to re-check the release notes. There are a couple of mentions of fixes and improvements around the firewall, but no real details unfortunately, or mentions of the missing Call filter. E.g.:
Mainline - 4.3.1.1 - Adds new improvements including improved security related to CVE-2022-0778 (OpenSSL), firewall and VPN updates.
I've rolled back to 3.9.7.2 and will wait a bit longer for the bugs to get ironed out or maybe the docs to get updated on the changes. I don't really fancy doing a clean install of 4.3.1.1 and rebuilding the firewall rules from scratch just to see if that fixes it!
Replied by piste basher, 21 Jun 2022 10:14 #101290
If it helps at all, this is what they say for mine:-
The firewall is now able to block inbound requests to the router's management and services interfaces such as the Web UI and VPN Services. The firewall treats these as [WAN to LocalHost] for direction purposes.
If your [Firewall] > [General Setup] > Default Rule is set to Block, you must set it to Pass before upgrading the firmware.
If you want to set the default rule to block, then after upgrade, create pass rules with a direction to [WAN to LocalHost] so that the Web UI (typically TCP 443) is exempt by creating a Pass rule first.
Other common services used by the router are:
HTTPS & SSL VPN – TCP 443
SSH – TCP 22
IPSEC – UDP 500
IPSEC NAT-traversal – UDP 4500
New Features
1. Firewall can restrict/drop unwanted inbound WAN traffic such as VPN requests. Use the new direction option [WAN -> Localhost] to apply
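The two situations discussed in this thread, the original poster's inter-LAN rule set (pass 80/443 to one web server, then block everything else both ways) and the release-note warning that a Default Rule of Block now also applies to [WAN to LocalHost] traffic, can both be checked with a small rule-evaluation model. The code below is an added example, not DrayTek firmware code or anything from the thread; it assumes first-match rule ordering with the Default Rule as the fallback, and every address, direction label and rule in it is constructed for illustration.

```python
# Added example (not DrayTek code): a first-match model of an ordered firewall rule set,
# used to check (a) an inter-LAN allow-then-block set and (b) whether a Default Rule of
# Block would lock router-hosted services out once WAN->LocalHost is firewalled.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # e.g. "LAN1->LAN2" or "WAN->LocalHost" (constructed labels)
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                        # "pass" or "block"
    proto: Optional[str] = None        # None = any protocol
    dst_ip: Optional[str] = None       # None = any destination address
    dst_ports: Tuple[int, ...] = ()    # () = any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_ip is not None and self.dst_ip != pkt.dst_ip:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default_rule: str) -> str:
    """First matching rule wins; if nothing matches, the Default Rule applies (assumed semantics)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_rule


# Constructed inter-LAN set in the shape the original post describes.
WEB_SERVER = "192.168.2.10"   # constructed address of the web server on LAN 2
INTER_LAN_RULES = [
    Rule("LAN1->LAN2", "pass", proto="tcp", dst_ip=WEB_SERVER, dst_ports=(80, 443),
         comment="allow web traffic to one server only"),
    Rule("LAN1->LAN2", "block", comment="block all other LAN1 -> LAN2 traffic"),
    Rule("LAN2->LAN1", "block", comment="block all LAN2 -> LAN1 traffic"),
]

# Services the release notes list as terminating on the router itself.
LOCALHOST_SERVICES = {
    "Web UI / SSL VPN": ("tcp", 443),
    "SSH": ("tcp", 22),
    "IPsec IKE": ("udp", 500),
    "IPsec NAT-T": ("udp", 4500),
}


def blocked_localhost_services(rules: List[Rule], default_rule: str) -> List[str]:
    """Pre-upgrade check: which router services would be unreachable from the WAN
    once WAN->LocalHost traffic is subject to the rule set and Default Rule?"""
    blocked = []
    for name, (proto, port) in LOCALHOST_SERVICES.items():
        pkt = Packet("WAN->LocalHost", proto, "router", port)   # "router" = the router's own address
        if evaluate(rules, pkt, default_rule) == "block":
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    web = Packet("LAN1->LAN2", "tcp", WEB_SERVER, 443)
    ssh = Packet("LAN1->LAN2", "tcp", WEB_SERVER, 22)
    print("LAN1 -> web server :443 ->", evaluate(INTER_LAN_RULES, web, "pass"))
    print("LAN1 -> web server :22  ->", evaluate(INTER_LAN_RULES, ssh, "pass"))
    # Default Rule = Block with no WAN->LocalHost pass rule: everything on the router is cut off.
    print("Default Block, no exemption:", blocked_localhost_services(INTER_LAN_RULES, "block"))
    # Adding the pass rule the release notes recommend keeps the Web UI reachable.
    exempt_web_ui = Rule("WAN->LocalHost", "pass", proto="tcp", dst_ports=(443,), comment="Web UI exempt")
    print("Default Block, Web UI exempt:", blocked_localhost_services([exempt_web_ui] + INTER_LAN_RULES, "block"))
```

The `blocked_localhost_services` check is the part worth keeping: run it against a model of your own rule set with the Default Rule you intend to use, and anything it lists is a service you will lose from the WAN after the upgrade unless a [WAN to LocalHost] pass rule precedes the default.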
Replied by pharcyder, 22 Jun 2022 15:37 #101292
This is a very welcome addition to the FW. Finally I can Country Block everyone away from the VPN services.
Replied by jhtwu, 26 Aug 2022 13:39 #101661
For those who had the VLAN/firewall issue, you can test the new 432 RC version:
https://www.draytek.com/products/vigor2962/#resource
Copyright © 2024 DrayTek