DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DrayTek 2865 - Firewall VPN and Default Block

23 Jan 2024 20:11 #1 by agentx
Been out of the DrayTek game for a good while.

Just taken over a site with a 2865 and we noticed that "default rule is to pass". This seems crazy, as NAT devices are hit quite hard by script kiddies. While we work out with the client putting in our network stack, we would like to lock this down more, more like how pfSense/FortiGate do things.

After a bit of reading and head scratching, it was decided to have a default data filter with 3 rules: WAN to LAN and LAN to WAN with direction set accordingly, sort of like this useful guide:
https://www.sandon.it/2022/07/13/draytek-vigor-165-firewall-setup/#:~:text=The%20Default%20Rule%20setting%20is,when%20the%20firewall%20is%20enabled.

LAN to WAN was easy (LAN/DMZ/RT/VPN > WAN): Any Any Any, Pass if no further match, and then it points to another filter set to add any outbound blocks. Works fine so far.

WAN to LAN, however, stops the VPN working on the DrayTek. Tried lots of combos of ports, IPs of the router etc., but until I turn the default rule to allow, it just will not work. These are L2TP/IPsec, so I played with the usual ports/protocols 1701, 500, 4500 grouped etc.

Any idea how to get the internal DrayTek VPN working with the default rule set to block?


24 Jan 2024 13:00 #2 by agentx
Worked it out: had to add an extra rule, WAN to Localhost, in my "Zone" filter set and define my VPN_Ports (1701, 500, 4500) in an IP Group from IP Objects.

Zones - Data Filter 1
1. WAN2LAN: WAN -> LAN/DMZ/RT/VPN, Any Any Any, Block If No Further Match
2. VPN to Router: WAN -> Localhost, Any Any Any, Block If No Further Match, then passes to a filter set with an Any Any VPN_Ports Pass Immediately rule.
3. LAN2WAN: LAN/DMZ/RT/VPN -> WAN, Any Any Any, Pass If No Further Match
4. LAN2LAN: LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN, Any Any Any, Pass Immediately
Then my default rule is Block in General Setup.

Must say this feels like a better way of configuring everything. Crazy the way they do things.

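The rule set agentx lists above, as a small first-match evaluator added here for illustration; it is not code from the thread or from DrayTek. The "If No Further Match" versus "Immediately" semantics, the hand-off into the second filter set, and the zone and rule names are this example's assumptions modelled from the post, not documented router behaviour. It reproduces the symptom from post #1 (IKE to the router hits the block default when no WAN -> Localhost rule exists) and shows it going away once that rule and the VPN_Ports set are in place.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

ANY = None  # wildcard for zones, protocols and ports

# Constructed to mirror the post's objects: VPN_Ports = IKE 500, NAT-T 4500, L2TP 1701.
VPN_PORTS = frozenset({500, 4500, 1701})
WAN = frozenset({"WAN"})
ROUTER = frozenset({"Localhost"})            # the router itself
INSIDE = frozenset({"LAN", "DMZ", "RT", "VPN"})


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp", "esp", ...
    dst_port: Optional[int]    # None for port-less protocols such as ESP


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[FrozenSet[str]]     # source zones, or ANY
    dst: Optional[FrozenSet[str]]     # destination zones, or ANY
    protos: Optional[FrozenSet[str]]  # protocols, or ANY
    ports: Optional[FrozenSet[int]]   # destination ports, or ANY
    action: str                       # "pass" or "block"
    final: bool                       # True: "Immediately"; False: "If No Further Match"
    next_set: Optional[str] = None    # filter set to continue in after a match


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is ANY or pkt.src_zone in rule.src)
            and (rule.dst is ANY or pkt.dst_zone in rule.dst)
            and (rule.protos is ANY or pkt.proto in rule.protos)
            and (rule.ports is ANY or pkt.dst_port in rule.ports))


def evaluate(sets, start, pkt, default="block"):
    """Assumed chaining model: rules are checked in order; a 'final' match
    decides at once, a non-final match is remembered and applied only if no
    later rule matches; a matched rule with next_set continues in that set.
    If nothing matched anywhere, the General Setup default rule applies."""
    pending = None
    current = start
    while current is not None:
        jump = None
        for rule in sets[current]:
            if not matches(rule, pkt):
                continue
            if rule.final:
                return rule.action, rule.name
            pending = (rule.action, rule.name)
            if rule.next_set:
                jump = rule.next_set
                break
        current = jump
    return pending if pending else (default, "default rule")


# Post #2's "Zones" data filter, with the default rule set to Block in General Setup.
ZONES = [
    Rule("WAN2LAN", WAN, INSIDE, ANY, ANY, "block", final=False),
    Rule("VPN to Router", WAN, ROUTER, ANY, ANY, "block", final=False, next_set="VPN"),
    Rule("LAN2WAN", INSIDE, WAN, ANY, ANY, "pass", final=False),
    Rule("LAN2LAN", INSIDE, INSIDE, ANY, ANY, "pass", final=True),
]
# The set "VPN to Router" hands off to: Any Any VPN_Ports, Pass Immediately
# (the service object is assumed to be UDP-only, as IKE, NAT-T and L2TP are).
VPN_SET = [Rule("VPN_Ports", ANY, ANY, frozenset({"udp"}), VPN_PORTS, "pass", final=True)]
FIXED = {"Zones": ZONES, "VPN": VPN_SET}

# Post #1's situation: the same zones but no WAN -> Localhost rule at all.
BROKEN = {"Zones": [r for r in ZONES if r.name != "VPN to Router"], "VPN": VPN_SET}


def decide(sets, pkt, default="block"):
    return evaluate(sets, "Zones", pkt, default)[0]


if __name__ == "__main__":
    ike = Packet("WAN", "Localhost", "udp", 500)   # constructed sample: IKE to the router
    for label, sets in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "IKE to router:", evaluate(sets, "Zones", ike))
```

Running it shows the broken set falling through to the default rule for IKE and the fixed set passing it via VPN_Ports, while unsolicited WAN traffic to the router on any other port still ends in the rule 2 block. One caveat the evaluator also surfaces: the port group only covers UDP, so an IPsec peer that is not behind NAT (sending ESP, IP protocol 50, which has no port) would still be blocked and would need its own service object.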

05 Feb 2024 18:30 #3 by edinburgh
Actually, your reference to the external source has confirmed the concerns I had when I had a DrayTek: I was never sure if my firewall worked correctly or not. Enabling 'Strict Security Firewall' kind of put my mind at ease, but at the back of my mind I was always wary.

Now, DrayTek makes SOHO products too, and their GUI is very much the same as that of the business products. The only difference between such products was the implementation of improved components, such as bigger RAM, faster processor etc.

Not sure why their SOHO products can't have a simpler version of the GUI where an average Joe would be able to configure everything with ease. I suppose this would also increase their sales, especially as a number of reviews point out the complexity of setting things up on DrayTeks, and let's be honest: other makes do what DrayTeks do, yet the configuration is done in a much more user-friendly way.

So, I found setting up firewall rules unnecessarily confusing on DrayTek, and crazy indeed, and the guides provided by DrayTek weren't that much help.

How long did it take you to work out the rules?

For the above reason, but mainly others associated with the DSL and WiFi side of things, I'm glad I'm no longer a DrayTek user.


05 Feb 2024 19:39 #4 by agentx
I think this comes down to how other vendors do things, which frankly is better. I suppose my school of thought is more from a zone-based perspective. In my head nothing should pass unless I say so, and the ambiguity of the rules and sets is a head scratcher. So that default rule at the end of the chain just feels wrong.

I managed to get through to 2nd line support and they did assure me that things were being blocked, even though I could see things passing in the logs, and some things just made my head spin, like which rule was actually acting or not. I did get to the point that I was happy a stateful firewall was blocking traffic and ports were protected with ACLs by IP etc.


11 Feb 2024 15:48 #5 by edinburgh
So, exactly: things get past the firewall, but actually they don't. God knows what's going on.
