DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Guidance on Firewall Setup...
- ytene
- Topic Author
- Offline
- Junior Member
- Posts: 20
- Thank yous received: 1
27 Dec 2024 21:00 #104381
by ytene
Guidance on Firewall Setup... was created by ytene
I've just been reading a pragmatic but interesting article concerning good techniques to harden a home network, which, if you're interested, you can find here:
https://ben.balter.com/2020/12/04/over-engineered-home-network-for-privacy-and-security/
The author, Ben, uses a "UniFi Dream Machine" for his home router... and one of the security challenges he discusses in his article is that an increasing number of devices are now hard-coding DNS IP addresses into their configurations, which means that a DNS sink like PiHole [which he also uses] can be circumvented. His solution to this is to block all outbound requests via TCP/53 [DNS]... Obviously that isn't perfect - to strengthen his approach further still he should also disable all outbound use of TCP/853 [which is DNS over TLS] but then open up that traffic from his local PiHole DNS.
Although I have some very trivial modifications to the base configuration of my Vigor2862, one of the features I've [intentionally] not customised has been the firewall.
But I'm very intrigued by this approach.
So I thought I would ask for some advice about a ruleset for the Draytek inbuilt firewall that might be able to achieve the desired result. I've had a look at the Firewall>>Filter Setup >> Edit Filter Set pages in my router... and I've reviewed this article : https://www.draytek.co.uk/support/guides/kb-vigor-filtering in the Draytek Knowledgebase.
From what I've read it seems as though I should be able to set up a "Filter Set 3" [my 2862 already has rulesets 1 and 2 configured] dedicated to controlling access to remote DNS from my local network... Next, looking at the rule parameters that my 2862 employs, it seems as though something similar to the following rules [using "TCP/53" and "TCP/853" for plaintext and TLS-encrypted DNS traffic, respectively, and noting that my home network is Class B, network address 172.16.0.0] might do the trick... [172.16.100.1 and 172.16.100.2 are my PiHole DNS Servers]
From: 172.16.100.1 to "Any" - Service Type "TCP/853" - Action - "Pass Immediately"
From: 172.16.100.2 to "Any" - Service Type "TCP/853" - Action - "Pass Immediately"
From: "Any" to "Any" - Service Type "TCP/53" - Action: "Block Immediately"
From: "Any" to "Any" - Service Type "TCP/853" - Action: "Block Immediately"
I'd be very grateful for any feedback or advice concerning either this approach in general or the more specific implementation that I've set out here. In particular, I'd like to understand how the rules engine parses the rules in a ruleset. I suspect - I don't know, as I haven't yet found any documentation covering this - that the firewall rule parser will start with "ruleset 1, rule 1" and work its way down the list until it gets a match; then, when it finds a rule that matches its input pattern, the data is processed. If that is the case, then I will need to put my "allow" rules for my PiHole DNS before my "block" rules...
If this looks as though it might be a reasonable approach, then the only remaining task would be to modify my PiHole servers to use "cloudflared" DNS over HTTPS [DoH] instead of the plaintext port 53...
I'm completely inexperienced when it comes to using my router's firewall... and I don't really have any experience of setting up a firewall with specific filtering rules... so any general advice and/or Draytek specific suggestions would be most welcome.
Thanks in advance.
- HodgesanDY
- Offline
- Member
- Posts: 227
- Thank yous received: 21
02 Jan 2025 16:06 - 02 Jan 2025 18:51 #104392
by HodgesanDY
Replied by HodgesanDY on topic Guidance on Firewall Setup...
Hi ytene,
Yes, you are correct in your understanding of the rules order, although you can place the 'Block' rule before or after the 'Pass' rule.
If you want to place your "Blocks" before your pass rules then you need to select:
Firewall >> Edit Filter Set >> Edit Filter Rule >> Application >> Filter Action/Profile = "Block If No Further Match"
If you want to place your "Blocks" after your pass rules then you need to select:
Firewall >> Edit Filter Set >> Edit Filter Rule >> Application >> Filter Action/Profile = "Block Immediately"
- When it states "Immediately", it means the packet being processed will be dropped immediately at that matching criteria point.
- When it states "Block If No Further Match", it means it will earmark the packet for dropping but quickly run through all the following rules (including all active sets) to make sure there are no further criteria matches. If there are further matches, it will clear the earmark and process the packet with that newly matched criteria; otherwise it will drop the packet.
- Rule sets start from Set 2 on routers with a built-in modem, but you can easily change this to Set 1 if you're not using the modem part of your router; otherwise most routers will start from Set 1.
- Each rule set has a "Next Filter Set" option in the lower right-hand corner. This must be defined on the starting set page (and so on) for ANY other sets to be processed after the first set has been processed. If this isn't defined, only your starting set (or as far as where "None" is defined in the "Next Filter Set" option) will be processed, and none of the other sets will be taken into consideration.
When you explain your processing of the DNS address(es), do you mean you want to catch-and-forward hard-coded DNS addresses reaching your Vigor router on to your Pi-Hole, or do you mean you simply want to block all devices from directly connecting to external DNS servers via the Vigor router and only allow the Pi-Hole to have external DNS access?
Last edit: 02 Jan 2025 18:51 by HodgesanDY.
The following user(s) said Thank You: ytene
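Added example, not DrayTek firmware and not code from either poster: a small Python model of the first-match evaluation HodgesanDY describes (top-to-bottom rules, "Next Filter Set" chaining, "Immediately" versus "If No Further Match" actions), run over the Set 3 that ytene proposes in both orderings. The Pi-hole addresses are from the thread; the test flows, the empty Set 2, the UDP variants of the rules and a "Pass If No Further Match" action (assumed for symmetry with the Block variant) are illustrative assumptions. The `tv_udp53` flow is the check a practitioner wants to run: ordinary DNS queries go over UDP, so rules written for TCP/53 alone leave them untouched, and the model makes that visible before anything is typed into the router.

```python
"""Model of first-match filter-set evaluation (added example, not DrayTek code).

Rules are checked top to bottom inside a set, the set's "Next Filter Set"
field chains to the next set, "Immediately" actions decide at once and
"If No Further Match" actions only take effect if nothing later in the
chain matches. Addresses, flows and the empty Set 2 are illustrative.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PASS_NOW = "Pass Immediately"
BLOCK_NOW = "Block Immediately"
PASS_IF_NONE = "Pass If No Further Match"      # assumed counterpart of the Block variant
BLOCK_IF_NONE = "Block If No Further Match"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                # CIDR, a host address, or "any"
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any port
    action: str

    def matches(self, f: Flow) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net, strict=False)
        return (in_net(f.src, self.src) and in_net(f.dst, self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


@dataclass
class FilterSet:
    rules: list
    next_set: Optional[int] = None   # the "Next Filter Set" field; None = "None"


def evaluate(sets: dict, start: int, f: Flow, default: str = "pass") -> str:
    """Return 'pass' or 'block' for flow f, walking the chain from set `start`."""
    pending = None          # verdict earmarked by an "If No Further Match" rule
    cur = start
    while cur is not None:
        fs = sets[cur]
        for r in fs.rules:
            if not r.matches(f):
                continue
            if r.action == PASS_NOW:
                return "pass"
            if r.action == BLOCK_NOW:
                return "block"
            pending = "pass" if r.action == PASS_IF_NONE else "block"  # later match replaces it
        cur = fs.next_set
    return pending if pending is not None else default


PIHOLES = ("172.16.100.1", "172.16.100.2")   # from the thread


def dns_egress_set(block_first: bool, udp_too: bool) -> FilterSet:
    """ytene's Set 3 in the two orderings HodgesanDY describes.
    udp_too=True adds the UDP rules the TCP-only proposal lacks."""
    protos = ["tcp", "udp"] if udp_too else ["tcp"]
    passes = [Rule(ip, "any", "tcp", 853, PASS_NOW) for ip in PIHOLES]
    action = BLOCK_IF_NONE if block_first else BLOCK_NOW
    blocks = [Rule("any", "any", p, port, action) for p in protos for port in (53, 853)]
    return FilterSet(blocks + passes if block_first else passes + blocks)


# Constructed test flows (203.0.113.0/24 is a documentation range).
FLOWS = {
    "pihole_dot":   Flow("172.16.100.1", "1.1.1.1", "tcp", 853),   # Pi-hole to Cloudflare DoT
    "tv_tcp53":     Flow("172.16.20.7", "8.8.8.8", "tcp", 53),     # hard-coded resolver, TCP
    "tv_udp53":     Flow("172.16.20.7", "8.8.8.8", "udp", 53),     # same device, normal UDP query
    "laptop_https": Flow("172.16.20.9", "203.0.113.10", "tcp", 443),
}


def verdicts(block_first: bool = False, udp_too: bool = False) -> dict:
    """Set 2 (the modem-router starting set) is left empty and chains to Set 3."""
    sets = {2: FilterSet([], next_set=3), 3: dns_egress_set(block_first, udp_too)}
    return {name: evaluate(sets, 2, f) for name, f in FLOWS.items()}


def verdicts_without_chaining() -> dict:
    """Same rules, but Set 2's Next Filter Set is "None": Set 3 is never reached."""
    sets = {2: FilterSet([]), 3: dns_egress_set(False, True)}
    return {name: evaluate(sets, 2, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, kw in [("pass-then-block, TCP only", {}),
                      ("block-then-pass, TCP only", {"block_first": True}),
                      ("pass-then-block, TCP+UDP", {"udp_too": True})]:
        print(f"{label}: {verdicts(**kw)}")
    print(f"no Next Filter Set: {verdicts_without_chaining()}")
```

Both orderings give identical verdicts, which is the point of HodgesanDY's explanation; the TCP-only ruleset passes the TV's UDP/53 query, and with Set 2's "Next Filter Set" left at "None" every flow passes because Set 3 is never consulted.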
- ytene
- Topic Author
- Offline
- Junior Member
- Posts: 20
- Thank yous received: 1
02 Jan 2025 17:30 #104393
by ytene
Replied by ytene on topic Guidance on Firewall Setup...
Firstly, thanks so much for taking the time to give such a detailed response - it is very much appreciated...
To answer your questions, I think I like the idea of employing "block immediately", since that means I can sequence my rules in a way that helps me reduce the load on the firewall / CPU by limiting the number of rules I ask the engine to parse for each packet... So on that basis I had the idea that I would put in place a couple of "Pass Immediately" rules to allow 853 traffic from my Active-Active pair of PiHole DNS sinks to DNS [and following the linked article, I've just switched from Google DNS to Cloudflare] and then follow that up with a complete "Block" of any/all TCP/53 and TCP/853 traffic from any other host on my home network.
Since posting the question I've also used "System Maintenance>Syslog/Mail Alert" to configure my 2862 to push all firewall event traffic to one of my QNAP NAS servers, where I've enabled a Syslog capture daemon... which has been educational. I'm currently seeing about 12Mb/day of log traffic being generated - no idea whether that is a normal volume or unusual in any way.
It is quite amazing/sobering to see just how much malicious traffic is being blocked by the firewall... I think it might be a nice little project to write a Python script to load these log files into a time-series database and then wrap a little Grafana front end around it, just to see if I can get a handle on what is going on and to spot anything particularly dangerous.
So many thanks for the guidance and advice - extremely helpful. I will see how I get on putting a bit of intelligence around the output.
The following user(s) said Thank You: HodgesanDY
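Added example for the syslog-to-time-series idea in ytene's reply above; it is not DrayTek, QNAP or Grafana code. The thread does not show what a Vigor firewall syslog line looks like, so the sample lines are constructed in netfilter LOG style (`SRC=`/`DST=`/`PROTO=`/`DPT=` fields) and `LINE_RE` is an assumption to adapt to the lines the router actually emits; the LAN range, the year (syslog timestamps omit it) and treating timestamps as UTC are also assumptions. The output rows are InfluxDB line-protocol strings, which Grafana can chart, but nothing is written to a database. The `top_sources` view is the part that matters for the DNS-egress block: it lists which LAN devices keep trying hard-coded resolvers once the rules are in.

```python
"""Bucket blocked DNS-egress log lines into a per-source time series.

Added example (not DrayTek/QNAP/Grafana code). Sample lines are constructed
in netfilter LOG style because the Vigor format is not shown in the thread.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed line shape; replace with a pattern for your router's actual lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dport>\d+)")

DNS_PORTS = {53, 853}
LAN = ip_network("172.16.0.0/12")   # assumed mask for ytene's 172.16.0.0 network

# Constructed sample: blocked DNS attempts from two LAN hosts, one inbound
# scan (198.51.100.0/24 is a documentation range) and one malformed line.
SAMPLE_LOG = """\
Jan  2 17:30:01 vigor2862 firewall: BLOCK IN=lan OUT=wan SRC=172.16.20.7 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53
Jan  2 17:30:02 vigor2862 firewall: BLOCK IN=lan OUT=wan SRC=172.16.20.7 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53
Jan  2 17:31:40 vigor2862 firewall: BLOCK IN=lan OUT=wan SRC=172.16.20.9 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40000 DPT=853
Jan  2 17:34:10 vigor2862 firewall: BLOCK IN=wan OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=6000 DPT=23
Jan  2 17:36:59 vigor2862 firewall: BLOCK IN=lan OUT=wan SRC=172.16.20.7 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51236 DPT=53
this line is garbage and must be skipped
"""


def parse_line(line: str, year: int = 2025):
    """Return a dict for a matching line, or None. Timestamps are taken as UTC
    and the year is supplied because BSD-syslog timestamps carry none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dport"])}


def dns_egress_buckets(lines, interval_min: int = 5, year: int = 2025) -> Counter:
    """Count blocked LAN-to-DNS attempts per (interval start, src, proto, dport).
    Inbound noise from the internet is skipped; it belongs on a different chart."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if ip_address(rec["src"]) not in LAN:
            continue
        ts = rec["ts"]
        start = ts.replace(minute=ts.minute - ts.minute % interval_min, second=0, microsecond=0)
        counts[(start, rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


def to_line_protocol(counts: Counter, measurement: str = "fw_dns_block") -> list:
    """Render buckets as InfluxDB line protocol (tags: src/proto/dport, field: count)."""
    out = []
    for (start, src, proto, dport), n in sorted(counts.items()):
        ns = int(start.timestamp()) * 1_000_000_000
        out.append(f"{measurement},src={src},proto={proto},dport={dport} count={n}i {ns}")
    return out


def top_sources(counts: Counter) -> list:
    """LAN hosts ranked by blocked DNS attempts: the devices with hard-coded resolvers."""
    totals = Counter()
    for (_, src, _, _), n in counts.items():
        totals[src] += n
    return totals.most_common()


if __name__ == "__main__":
    buckets = dns_egress_buckets(SAMPLE_LOG.splitlines())
    print("\n".join(to_line_protocol(buckets)))
    print("top sources:", top_sources(buckets))
```

To use it against real data, point the script at the syslog file on the NAS and replace `LINE_RE` with a pattern that matches one real line; the bucketing and output functions do not depend on the line format, only on the four fields the regex names.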
- aimdev
- Offline
- Junior Member
- Posts: 43
- Thank yous received: 0
09 Jan 2025 18:17 - 09 Jan 2025 18:18 #104429
by aimdev
Replied by aimdev on topic Guidance on Firewall Setup...
I am currently trying out Zeek (Bro), connected to the mirror port of my 2860, reading the various logs with Telegraf, adding spatial, ASN, rDNS and port-service data, feeding an InfluxDB temporal database, and fronting it up with Grafana.
Last edit: 09 Jan 2025 18:18 by aimdev.
Likes: HodgesanDY
Moderators: Chris
Copyright © 2025 DrayTek