DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2962 firmware 4.3.1.1 and VLAN firewall rules?

20 Jun 2022 11:42 #1 by richjg
Hi there,

I recently upgraded my 2962 to the 4.3.1.1 firmware (from 3.9.7.2) as I wanted to try the new WireGuard feature, but have subsequently hit some problems with the firewall and passing selected traffic between VLANs.

Summary of the routing is that I enable the inter-LAN option between required subnet(s) on the LAN settings.
I then use a set of Firewall Filters to allow specific traffic, say 80 & 443 to a specific web server, then finish with a rule blocking all traffic from say LAN 1 to LAN 2, and back the other way.
This was working fine for many months on previous firmwares.

I've rolled back (with config) to 3.9.7.2 and all works as expected again. So it does seem to be specific to the newer firmware. I did notice that on 4.3.1.1 the Call Filter set of options seems to have disappeared, only showing Data Filter on Firewall -> General Setup. Are there any fundamental changes I should be aware of, or has anyone else noticed this, or resolved it?

Cheers!


20 Jun 2022 12:11 #2 by piste basher
I've noticed on my 2927ax with the latest 4.4.0 that the Call filter options have disappeared, and the release notes refer to some significant changes to the firewall, which I haven't quite got my head around. Maybe the release notes for your model will help?


21 Jun 2022 10:07 #3 by richjg
It's a good call, and I went back to re-check the release notes. There are a couple of mentions of fixes and improvements around the firewall, but no real details unfortunately, or mentions of the missing Call filter. E.g.:

Mainline - 4.3.1.1 - Adds new improvements including improved security related to CVE-2022-0778 (OpenSSL), firewall and VPN updates.

I've rolled back to 3.9.7.2 and will wait a bit longer for the bugs to get ironed out or maybe the docs to get updated on the changes. I don't really fancy doing a clean install of 4.3.1.1 and rebuilding the firewall rules from scratch just to see if that fixes it! :)


21 Jun 2022 10:14 #4 by piste basher
If it helps at all, this is what they say for mine:-

The firewall is now able to block inbound requests to the router's management and services interfaces such as the Web UI and VPN Services. The firewall treats these as [WAN to LocalHost] for direction purposes.
If your [Firewall] > [General Setup] > Default Rule is set to Block, you must set it to Pass before upgrading the firmware.
If you want to set the default rule to block, then after upgrade, create pass rules with a direction to [WAN to LocalHost] so that the Web UI (typically TCP 443) is exempt by creating a Pass rule first.
Other common services used by the router are:
HTTPS & SSL VPN – TCP 443
SSH – TCP 22
IPSEC – UDP 500
IPSEC NAT-traversal – UDP 4500
New Features
1. Firewall can restrict/drop unwanted inbound WAN traffic such as VPN requests. Use the new direction option [WAN -> Localhost] to apply

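The two rule layouts discussed in this thread (richjg's "pass specific inter-LAN traffic, then block the rest" set in post #1, and the [WAN to LocalHost] exemptions from the release notes quoted above) both depend on the same thing: rules are walked top to bottom, the first match decides, and anything unmatched falls through to the Default Rule. The Python below is an added example for this page, not a DrayTek configuration export or DrayTek's own code. It models that first-match walk so you can see why a Default Rule of Block with no [WAN to LocalHost] pass rule above it cuts off the Web UI after the upgrade, and why a pass rule for TCP 443 placed first fixes it. The rule/packet representation, the `192.168.x.x` addresses and the assumption that the Vigor firewall is first-match-then-default are all constructed here.

```python
"""First-match firewall rule walk, modelled on the DrayTek layouts discussed
in this thread.  Added example: constructed rule sets and addresses, not a
DrayTek configuration export.  Assumes Vigor semantics of "first matching
rule decides, otherwise the Default Rule applies"."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                 # e.g. "LAN1->LAN2", "WAN->LocalHost"
    proto: str = ANY               # "TCP", "UDP" or ANY
    dst_ports: Tuple[int, ...] = ()  # empty tuple means any port
    dst_host: str = ANY            # destination address or ANY
    action: str = "pass"           # "pass" or "block"

    def matches(self, pkt: Dict[str, object]) -> bool:
        """True when every field the rule constrains agrees with the packet."""
        if self.direction != pkt["direction"]:
            return False
        if self.proto != ANY and self.proto != pkt["proto"]:
            return False
        if self.dst_ports and pkt["dst_port"] not in self.dst_ports:
            return False
        if self.dst_host != ANY and self.dst_host != pkt["dst_host"]:
            return False
        return True


def evaluate(rules: List[Rule], default_action: str, pkt: Dict[str, object]) -> Tuple[str, str]:
    """Walk rules top to bottom; the first match decides, else the Default Rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default_action, "default"


def pkt(direction: str, proto: str, dst_port: int, dst_host: str = "router") -> Dict[str, object]:
    """Build a minimal packet description; 'router' stands for the LocalHost target."""
    return {"direction": direction, "proto": proto, "dst_port": dst_port, "dst_host": dst_host}


# Constructed version of the inter-LAN layout in post #1: pass web traffic to
# one server on LAN2, then block everything else LAN1->LAN2 and LAN2->LAN1.
WEB_SERVER = "192.168.2.10"   # constructed address
INTER_LAN_RULES = [
    Rule("allow-web", "LAN1->LAN2", "TCP", (80, 443), WEB_SERVER, "pass"),
    Rule("block-lan1-lan2", "LAN1->LAN2", action="block"),
    Rule("block-lan2-lan1", "LAN2->LAN1", action="block"),
]

# Constructed version of the [WAN to LocalHost] exemptions from the release
# notes in post #4.  They must sit above a Default Rule of Block, and only the
# services you actually expose get a pass rule (SSH is deliberately left out).
LOCALHOST_EXEMPTIONS = [
    Rule("mgmt-https", "WAN->LocalHost", "TCP", (443,), action="pass"),
    Rule("ipsec-ike", "WAN->LocalHost", "UDP", (500,), action="pass"),
    Rule("ipsec-natt", "WAN->LocalHost", "UDP", (4500,), action="pass"),
]


def web_ui_reachable(rules: List[Rule], default_action: str) -> bool:
    """Would an inbound HTTPS request to the router's own Web UI be passed?"""
    action, _ = evaluate(rules, default_action, pkt("WAN->LocalHost", "TCP", 443))
    return action == "pass"


if __name__ == "__main__":
    print("LAN1 -> web server :443 ", evaluate(INTER_LAN_RULES, "pass", pkt("LAN1->LAN2", "TCP", 443, WEB_SERVER)))
    print("LAN1 -> web server :22  ", evaluate(INTER_LAN_RULES, "pass", pkt("LAN1->LAN2", "TCP", 22, WEB_SERVER)))
    # The upgrade trap: Default Rule = Block and no LocalHost pass rule above it.
    print("Web UI, default Block, no exemption:", web_ui_reachable(INTER_LAN_RULES, "block"))
    # The documented fix: pass rules for WAN->LocalHost placed first.
    print("Web UI, default Block, exemptions first:", web_ui_reachable(LOCALHOST_EXEMPTIONS + INTER_LAN_RULES, "block"))
    print("SSH from WAN, default Block:", evaluate(LOCALHOST_EXEMPTIONS + INTER_LAN_RULES, "block", pkt("WAN->LocalHost", "TCP", 22)))
```

Running it shows the inter-LAN set passing only 80/443 to the web server and blocking everything else in both directions, the Web UI being unreachable under a Default Rule of Block until the [WAN to LocalHost] pass rule is placed above it, and SSH from the WAN still falling through to Block because no exemption lists it. Whatever your real rule set looks like, the ordering check is the same: every service you want reachable from the WAN needs a pass rule that comes before the Default Rule, and nothing else should.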

22 Jun 2022 15:37 #5 by pharcyder
This is a very welcome addition to the FW. Finally I can Country Block everyone away from VPN services.


26 Aug 2022 13:39 #6 by jhtwu
For those who had the VLAN/firewall issue, you can test the new 432 RC version:
https://www.draytek.com/products/vigor2962/#resource
