DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DMZ Firewall help

12 Oct 2023 20:15 #1 by draytek_2865_2
Hello,

I need help with controlling access on my Main LAN1 from DMZ.

We have a web server on 172.16.1.1 and Inter-LAN routing is off between the DMZ port and the main LAN (LAN1) 192.168.10.0, but I need to allow one TCP port from 172.16.1.1 to port 5555 on a server at 192.168.10.9 on the main LAN.

I have tried various rules but I can't get it to work without Inter-LAN enabled, but this allows access from 172.16.1.1 to all ports and resources on the main LAN 192.168.10.xx and I don't want that.

I assume Inter-LAN routing needs to be enabled and I need to add some allow and block rules, but I can't seem to get it to work without allowing all access from 172.16.1.1 to everything on the 192.168.10.xx subnet.

Please can anyone help?

Thanks,
Simon

12 Oct 2023 22:13 #2 by HodgesanDY
Hi Simon,

Yes, you need to set up a block, in both directions, first. Then activate the inter-LAN.

This blocking rule needs to be AFTER the allow rule(s) you will later implement, the one to open up port 5555.

To allow communication between the two networks you MUST enable the inter-LAN connection (tick box). Once that is ticked the connection is wide open between the two LANs, that’s why you MUST lock-down your inter-LAN connections with firewall rules.

The firewall rules work in order. They start from Rule Set#1 and progress through each rule set page until no more rules are left to process.

Each page has a "NEXT SET#" specifier in the lower right corner; make sure this is set if you want another rule-set page to be processed. This is very important, as people often miss this setting, and sometimes don't start their rules from page#1, so their rules never even come into play.

Set up a blocking rule so that you tick both your MAIN LAN and your DMZ LAN, in both directions; you only need to set one rule for both directions. Don't be put off by thinking you're creating a block between your MAIN LAN and your MAIN LAN itself. This isn't possible: the firewall will not block traffic of the same LAN, you can't use the firewall to do that. It ONLY functions between different networks (LANs/WANs/VPNs etc.), not between nodes on the same network (subnet).

Blocking rules cause the packets to be dropped instantly, so that rule must be processed AFTER an allow rule. This is important: if you don't do this, and you place the block rule BEFORE the allow rule(s), none of your packets will ever reach the allow rule; they'll be dropped before they get a chance to be allowed.

13 Oct 2023 07:51 #3 by draytek_2865_2
Thank you very much for your detailed reply.

I thought this is what I had set up, but when Inter-LAN is enabled I can still access all resources on the main LAN from the DMZ.

I will detail my rules.

Web Server - 172.16.1.1
LAN Server - 192.168.10.9

Web server needs to access port 5555 only on 192.168.10.9

https://www.amazon.co.uk/photos/share/KouJWBS796rIFqij5VG1K9okVEMA835LOUjK8PE1qT1

With these rules I can still access any resources on the main 10.xx network from the web server. What have I done wrong?

Many thanks!

13 Oct 2023 09:08 #4 by HodgesanDY
…tick BOTH boxes!

LAN1 (on the left) -> LAN1 (on the right)
DMZ (on the left) -> DMZ (on the right)

= LAN1 -> DMZ (rule applied in this direction)
= DMZ -> LAN1 (rule applied in this direction)

So you should have a total of 4 boxes ticked, 2 on the left and 2 on the right.

At the top, between the two windows, you'll see the "->" indicator; it only operates in one direction. Try not to think of it as "<->", it isn't that.

Also, your blocking rule should be exactly that - BLOCK ALL, not "Block all other". Create a blocking rule that blocks "Any" for all parameters. Then create a new rule for "Allow", which will be your 5555 port.

Make sure the block rule is later down the list of processed rules, so it functions as a "catch-all" at the end of the processing order. Anything you want to not be caught by this rule, add to the "Allow" rule you will create separately.

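The two points made in the replies above (the block rule must come after the allow rule, and a rule only applies in the left-to-right direction of the LAN boxes you tick) are easy to check with a small first-match simulator. The following is an added illustration written for this thread, not DrayTek code; it assumes the behaviour HodgesanDY describes (rules evaluated in order, first match wins, same-LAN traffic never filtered, traffic dropped before the firewall when inter-LAN routing is off) and a default-pass policy when no rule matches. The DMZ subnet mask and the extra hosts and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed LAN layout taken from the thread. Only the hosts 172.16.1.1 and
# 192.168.10.9 are named in the posts; the DMZ mask is an assumption.
LANS = {
    "LAN1": ip_network("192.168.10.0/24"),
    "DMZ": ip_network("172.16.1.0/24"),
}


def lan_of(addr: str) -> Optional[str]:
    """Return the name of the LAN an address sits on, or None if on neither."""
    ip = ip_address(addr)
    for name, net in LANS.items():
        if ip in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    src_lans: FrozenSet[str]         # boxes ticked on the left of the "->"
    dst_lans: FrozenSet[str]         # boxes ticked on the right of the "->"
    src_ip: str = "any"              # a single host, or "any"
    dst_ip: str = "any"
    proto: str = "any"               # "tcp", "udp" or "any"
    dport: Optional[int] = None      # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only in the direction its LAN boxes describe."""
    return (lan_of(pkt.src) in rule.src_lans
            and lan_of(pkt.dst) in rule.dst_lans
            and rule.src_ip in ("any", pkt.src)
            and rule.dst_ip in ("any", pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet,
             inter_lan_routing: bool = True) -> Tuple[str, str]:
    """First matching rule wins; returns (verdict, reason)."""
    if lan_of(pkt.src) == lan_of(pkt.dst):
        return "allow", "same LAN: the firewall does not filter intra-subnet traffic"
    if not inter_lan_routing:
        return "block", "inter-LAN routing off: packet never reaches the firewall"
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "allow", "no rule matched (assumed default pass)"


BOTH = frozenset({"LAN1", "DMZ"})
# The one hole Simon wants: web server -> LAN server, TCP 5555 only.
ALLOW_5555 = Rule("allow 172.16.1.1 -> 192.168.10.9 tcp/5555", "allow",
                  frozenset({"DMZ"}), frozenset({"LAN1"}),
                  src_ip="172.16.1.1", dst_ip="192.168.10.9",
                  proto="tcp", dport=5555)
# Catch-all with all four boxes ticked: LAN1 and DMZ on both sides.
BLOCK_ALL = Rule("block all inter-LAN", "block", BOTH, BOTH)
# Mistake from post #4: only LAN1 on the left and DMZ on the right.
ONE_WAY_BLOCK = Rule("block LAN1 -> DMZ only", "block",
                     frozenset({"LAN1"}), frozenset({"DMZ"}))

CORRECT_ORDER = [ALLOW_5555, BLOCK_ALL]     # allow first, catch-all last
WRONG_ORDER = [BLOCK_ALL, ALLOW_5555]       # catch-all swallows everything
ONE_WAY = [ALLOW_5555, ONE_WAY_BLOCK]       # DMZ -> LAN1 left wide open

# Constructed sample traffic.
P_5555 = Packet("172.16.1.1", "192.168.10.9", "tcp", 5555)    # wanted
P_SSH = Packet("172.16.1.1", "192.168.10.20", "tcp", 22)      # unwanted
P_ADMIN = Packet("192.168.10.50", "172.16.1.1", "tcp", 80)    # LAN1 -> DMZ
P_LOCAL = Packet("192.168.10.50", "192.168.10.9", "tcp", 5555)  # same LAN


def verdict(rules: List[Rule], pkt: Packet, inter_lan_routing: bool = True) -> str:
    return evaluate(rules, pkt, inter_lan_routing)[0]


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong order", WRONG_ORDER),
                         ("one-way block", ONE_WAY)):
        for pkt in (P_5555, P_SSH, P_ADMIN, P_LOCAL):
            v, why = evaluate(rules, pkt)
            print(f"{label:14} {pkt.src}->{pkt.dst}:{pkt.dport:<5} {v:5} ({why})")
    print("routing off   ", evaluate(CORRECT_ORDER, P_5555, inter_lan_routing=False))
```

Note that with the catch-all ticked in both directions, LAN1 to DMZ traffic (the `P_ADMIN` packet) is blocked as well; if hosts on LAN1 need to reach the web server, that needs its own allow rule placed before the block, exactly as the 5555 rule is.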
13 Oct 2023 10:09 #5 by draytek_2865_2
Hello,

I have spoken to Tech support this morning and the issue appears to be with invert selection not working. I added the reverse rule manually and it now works as expected.

I am running 4.4.3_BT which support are going to test with Invert selection.

Thanks for your help and replies.

13 Oct 2023 10:38 #6 by HodgesanDY
Ok, glad you've got it working now. :D

For what it's worth, the use of blocking rules that also allow at the same time doesn't really apply well to the DrayTek OS firewall. You're better off just creating rules to block and rules that allow separately.
