DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2820 Firewall blocks outgoing port 1723

26 Jan 2011 16:45 #7 by kieran007
Many thanks for your help, I have found the issue.

It's worth noting that I need the blanket block on WAN->LAN traffic as I have a routed public IP block for my LAN and thus am not using NAT, which would normally block all incoming traffic by default unless port forwards were enabled. Without this rule, every machine LAN side is wide open on all ports. Having such a rule to mitigate this doesn't seem to be a problem, however (except for port 1723), as I'll explain below.

For other outgoing connections on the Draytek, the connect track rule that usually has to be applied specifically in Linux when blocking all incoming traffic seems to be implied, which means I've been able to safely block all incoming traffic and still have two-way communication provided the connection is initiated LAN side. This works for HTTP, HTTPS, SSH, etc.

For port 1723 though I've had to add a rule that accepts all traffic from port 1723 into the LAN, despite the fact that my connection was initiated LAN side. Now when I establish a connection LAN side, incoming traffic in response to my connection is explicitly allowed.

I'd expect rules to be consistent across all ports, so I'd say this was a bug. I understand why you say that my incoming traffic block should stop LAN side connections as well, but in a router which doesn't permit rules such as connect track as you would use in iptables, I'd expect that to be applied by default, and indeed it seems to be for all usual LAN-initiated traffic.

I've taken a screenshot of the rule I had to add in case other people need a solution to this.

Clearly this could (and in my case will) be tightened up a lot (assuming your LAN side machines requiring VPN access are limited and the VPN server(s) are known).

I'll freely admit to being a Draytek n00b, but I do have experience of iptables and thus I expected the rules in the router to work in a similar way. If I'm completely barking up the wrong tree, let me know where I've gone wrong :)

Oh, and I haven't removed that XNetBios rule; I had merely put it below a couple of others, but they would not have affected its operation.


18 Feb 2011 14:32 #8 by nc1402
When you place a VPN server behind your firewall, be sure to enable IP protocol 47 (GRE) and TCP port 1723.


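The two posts above describe the same mechanism from two sides: a stateful firewall lets replies to LAN-initiated TCP/UDP flows back in without any explicit rule, yet a PPTP session still needs one, because PPTP carries its data in GRE (IP protocol 47), which has no ports and so does not match the TCP 1723 control connection's state. The toy filter below is an added model written for this page; it is not DrayTek firmware, not Linux netfilter, and not code posted by either forum member. Its labelled assumption is that state is tracked only for TCP and UDP (enough to reproduce the symptom; the router's real tracking logic is not documented here), and the addresses are constructed from documentation ranges. It compares four policies: stateful only, a blanket "accept GRE into the LAN" rule, the tightened rule kieran007 mentions (GRE only from a known VPN server to known clients), and a PPTP helper that registers an expected GRE tunnel when it sees the control connection.

```python
"""Toy stateful filter: why a LAN-initiated PPTP session still needs an
explicit GRE rule, and how wide that rule has to be.

Added model for illustration, not DrayTek or netfilter code. Assumption:
state is kept only for TCP and UDP (the protocols with ports). A portless
protocol such as GRE has no entry to match, so packets arriving on WAN are
dropped unless a rule or a helper admits them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

PPTP_PORT = 1723
GRE = "gre"  # IP protocol 47


@dataclass(frozen=True)
class Packet:
    iface: str               # "lan" = leaving the LAN, "wan" = arriving from outside
    proto: str               # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


Rule = Callable[[Packet], bool]


class StatefulFilter:
    """Default-deny on WAN, accept anything from LAN, track TCP/UDP replies."""

    def __init__(self, wan_accept: List[Rule] = (), pptp_helper: bool = False):
        self.conns: Set[Tuple] = set()            # LAN-initiated TCP/UDP 5-tuples
        self.expected_gre: Set[Tuple[str, str]] = set()  # (server, client) from helper
        self.wan_accept = list(wan_accept)
        self.pptp_helper = pptp_helper

    def filter(self, p: Packet) -> str:
        if p.iface == "lan":
            if p.proto in ("tcp", "udp"):
                self.conns.add((p.proto, p.src, p.dst, p.sport, p.dport))
                if self.pptp_helper and p.proto == "tcp" and p.dport == PPTP_PORT:
                    # A PPTP control connection implies a GRE tunnel between
                    # the same two hosts; register that expectation.
                    self.expected_gre.add((p.dst, p.src))
            return "ACCEPT"
        # WAN side: is this the reverse of a tracked LAN-initiated flow?
        if (p.proto, p.dst, p.src, p.dport, p.sport) in self.conns:
            return "ACCEPT"
        if p.proto == GRE and (p.src, p.dst) in self.expected_gre:
            return "ACCEPT"
        if any(rule(p) for rule in self.wan_accept):
            return "ACCEPT"
        return "DROP"


def allow_any_gre(p: Packet) -> bool:
    """Blanket fix: accept protocol 47 into the LAN from anywhere."""
    return p.proto == GRE


def allow_gre_from(server: str, clients: Set[str]) -> Rule:
    """Tightened fix: GRE only from the known VPN server to known clients."""
    return lambda p: p.proto == GRE and p.src == server and p.dst in clients


# Constructed addresses: a routed public block on the LAN (no NAT), one PPTP server.
CLIENT, SERVER, STRANGER = "203.0.113.10", "198.51.100.5", "192.0.2.66"


def pptp_session(client: str = CLIENT, server: str = SERVER) -> List[Packet]:
    """Control channel on TCP 1723, then the first GRE packet from the server."""
    return [
        Packet("lan", "tcp", client, server, 50000, PPTP_PORT),  # SYN out
        Packet("wan", "tcp", server, client, PPTP_PORT, 50000),  # SYN/ACK back
        Packet("wan", GRE, server, client),                      # GRE data from server
    ]


STRAY_GRE = Packet("wan", GRE, STRANGER, CLIENT)  # unsolicited GRE from a third party


def compare() -> Dict[str, Tuple[List[str], str]]:
    """Per policy: verdicts for the session's packets, then for the stray GRE packet."""
    policies = {
        "stateful-only": StatefulFilter(),
        "blanket-gre": StatefulFilter(wan_accept=[allow_any_gre]),
        "gre-from-known-server": StatefulFilter(wan_accept=[allow_gre_from(SERVER, {CLIENT})]),
        "pptp-helper": StatefulFilter(pptp_helper=True),
    }
    result = {}
    for name, fw in policies.items():
        session = [fw.filter(p) for p in pptp_session()]
        result[name] = (session, fw.filter(STRAY_GRE))
    return result


if __name__ == "__main__":
    for name, (session, stray) in compare().items():
        print(f"{name:22} session={session}  stray-GRE={stray}")
```

The TCP SYN/ACK is accepted under every policy with no explicit rule, which is the behaviour the thread sees for HTTP and SSH; the server's GRE packet is dropped by the stateful-only policy, which is the PPTP failure. The blanket GRE rule fixes the session but also admits GRE from any host, whereas restricting the rule to the known server and client, or using a helper keyed on the control connection, fixes the session and still drops the stray packet.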