DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2927 - ability to see device on WAN2 via LAN to LAN VPN

20 Dec 2023 20:08 #7 by neil201
I've just had a bit of a play with this but can't get my head around the rules required.

If I have a network, let's say 10.120.1.0/24, which is now visible via the VPN to VPN (Router A <> B and B <> C), I'm now at the C end and want to restrict traffic from this VPN, which is going into the B Router from the A, so it only goes to a subnet on 192.168.6.0/24 locally (my sixth LAN). Currently it can be pinged from any LAN; I tried a block-all rule initially, which locked me out of the Router!

20 Dec 2023 21:49 #8 by HodgesanDY
Ok, yep, it can be easy to lock yourself out during setup.

I would say first, you need to create a ‘Remote dial-in user’ VPN connection to each remote site, so you can always get back in and undo anything you have accidentally changed; like you did when testing.

You can always use your phone to do this and have each router in a list that you can simply click-on, establish a connection, make amendments and then disconnect. (You may need to disable your phone’s wifi connection before dialling in though; to place you outside your local VPN bubble)


Firewall:
The FW rules work in order, starting from Set#1 Rule#1 through to Set#12 Rule#7 (for the 2927), so if you place a rule in Set#1 Rule#1 that blocks everything immediately, any rules after that rule will never run. Although, if you choose to ‘Block if no further match’, then the block will only happen if there are no ‘Allow’ rules thereafter.

I prefer to use the firewall in a slightly different way from that. Instead, I place a ‘Block immediately’ rule in, say, position Rule#7 of Set#1, and any rules earlier than that rule are my allow rules. If you want more allow rules, you can place the block rule at position Set#2 Rule#7, giving you 13 earlier allow rules to use.

One thing to note here, the sets aren’t all active by default, you have to add them to the order of play.
In the ‘General setup’ page of the Firewall, you will see the ‘Data Filter’ enable/disable radio buttons and the ‘Start Filter Set’ preference. That selected Set# is where the rules will start in order from. Once a Set has run, it jumps to the next Set, which is selected at the bottom of each Set page; see bottom right-hand corner of each Set page. If no “Next Set#” is specified, the Data Filter rules finish there and the ‘Default Rule’ then runs.

So you could have just two rules in place, say Set#7 Rule#1 configured and be the first rule to ever run and then maybe Set#4 Rule#7 as the next rule that is reached and run.

Simply put, the order matters. If you lose track of the order that the rules run in, you’ll get tied up in knots and mis-configure the Firewall.

In each rule that you set up, be aware that rules execute in one direction (left pane to right pane); see ‘Direction’ ->> ‘Advanced’ button. If you don’t grasp this, you won’t understand why it’s not working. Also, you CAN’T block traffic between nodes on the same LAN#, unless it is a dial-in VPN user joining a LAN#, in which case it’s then actually a VPN connection rather than a LAN connection, so rules can be applied.

The reason I mention not being able to set a rule on the same LAN is because you may want to create a single block rule for ALL LANs, or a selection of LANs (and the VPN), in one rule, and you’ll be ticking, say, LAN1 to LAN2 and also LAN2 to LAN1, which looks like it will also apply to LAN1 to LAN1 and LAN2 to LAN2. But it won’t, as that can’t happen, so don’t be put off by seeing this and thinking that.

20 Dec 2023 22:08 #9 by HodgesanDY
…Once you get it working, you’d be wise to also start using the ‘Objects’ feature to assign devices, locations, service types etc into easily selectable objects and groups of objects!

20 Dec 2023 22:40 #10 by neil201
Cheers for this, I've just had another play but can't get my head around it.

So I've six networks on Router C (the one I want to see the LAN to LAN VPNs on, via Router B); Router C's traffic is proxied all through Router B, via the LAN to LAN VPN, which the traffic from the other VPNs also traverses. Two of the networks aren't proxied back to Router B but the rest are, each being 10.188.230.0/24 to 10.188.234.0/24; the sixth network (10.188.237.0/24) is the only one I'd like only the remote VPN traffic visible on, from LAN subnet 10.121.1.0/24 on Router A.

If I set a block rule to block source IP subnet 10.121.1.0/24 to destination IP range 10.188.230.0 - 10.188.234.255 I can still ping the 10.120.1.0/24 Router from the other networks and would have expected this to be blocked?

22 Dec 2023 08:54 #11 by HodgesanDY
So you’ve created a block rule:

10.121.1.0/24 to destination IP range 10.188.230.0 - 10.188.234.255

Which blocks left to right, but, then you’re pinging right to left!

Rather than focussing on pinging the router, as that is a special node in this scenario, ping a node on the destination subnet that isn’t the router, and also in the correct direction. Your test ping is not going to be blocked by your above rule (direction), although if you ping from the other end, it should be blocked.

Also, “pings” are ICMP type, so make sure you have blocked ICMP (or just use ‘Any’), rather than specifying a TCP/UDP type; for example.

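The two posts above by HodgesanDY (the rule-ordering post, #8, and the direction post, #11) describe behaviour that is easier to see in a small model than in prose. The following is an added example, not code from the thread or from DrayTek: a toy evaluator that walks filter sets in Start Filter Set / Next Set# order, treats ‘Block immediately’ and ‘Block if no further match’ differently, and matches rules only from source to destination. The rule shape (CIDR or `start-end` range per side, a protocol, an action), the `evaluate` and `scenarios` function names and the host addresses 10.121.1.10 / 10.188.230.5 / 10.188.237.5 are all constructed for illustration; only the subnets come from the thread, and the real router's matching has more fields than this.

```python
# Added example: a simplified model of DrayTek-style data-filter evaluation.
# Not the router's code; it only reproduces the ordering/direction points from the thread.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


def _contains(spec: str, addr: str) -> bool:
    """spec is a CIDR block (10.188.237.0/24) or a range (10.188.230.0-10.188.234.255)."""
    a = ip_address(addr)
    if "-" in spec:
        lo, hi = (ip_address(x.strip()) for x in spec.split("-"))
        return lo <= a <= hi
    return a in ip_network(spec, strict=False)


@dataclass
class Rule:
    src: str                          # left pane: where the traffic comes from
    dst: str                          # right pane: where it is going
    proto: str = "any"                # "any", "icmp", "tcp" or "udp"
    action: str = "block_immediately" # or pass_immediately / block_if_no_further_match / pass_if_no_further_match

    def matches(self, pkt: dict) -> bool:
        # Direction is part of the match: a rule written A -> C never matches C -> A traffic.
        proto_ok = self.proto == "any" or self.proto == pkt["proto"]
        return proto_ok and _contains(self.src, pkt["src"]) and _contains(self.dst, pkt["dst"])


@dataclass
class FilterSet:
    rules: list = field(default_factory=list)  # consulted top to bottom (Rule#1 .. Rule#7)
    next_set: Optional[int] = None             # the "Next Set#" chosen at the bottom of the set page


def evaluate(sets: dict, start_set: int, pkt: dict, default_rule: str = "pass") -> str:
    """Return 'pass' or 'block' for one packet.
    Sets run from start_set, following next_set links. An *_immediately action ends the walk;
    an *_if_no_further_match action is remembered and used only if nothing later matches.
    When the chain ends with nothing decided, the Default Rule applies."""
    pending = None
    current, visited = start_set, set()
    while current is not None and current not in visited:   # visited guards against a set loop
        visited.add(current)
        for rule in sets[current].rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "block_immediately":
                return "block"
            if rule.action == "pass_immediately":
                return "pass"
            pending = "block" if rule.action == "block_if_no_further_match" else "pass"
        current = sets[current].next_set
    return pending if pending is not None else default_rule


def scenarios() -> dict:
    """Constructed packets and rule sets mirroring the thread; returns the verdict per case."""
    ping_a_to_c = {"src": "10.121.1.10", "dst": "10.188.230.5", "proto": "icmp"}
    ping_c_to_a = {"src": "10.188.230.5", "dst": "10.121.1.10", "proto": "icmp"}
    ping_a_to_lan6 = {"src": "10.121.1.10", "dst": "10.188.237.5", "proto": "icmp"}
    c_lans = "10.188.230.0-10.188.234.255"
    out = {}

    # 1. The single rule as first written: blocks A -> C, but the reply direction is untouched.
    one_way = {1: FilterSet([Rule("10.121.1.0/24", c_lans)])}
    out["one_way_A_to_C"] = evaluate(one_way, 1, ping_a_to_c)   # block
    out["one_way_C_to_A"] = evaluate(one_way, 1, ping_c_to_a)   # pass: wrong direction for the rule

    # 2. The same rule restricted to TCP does nothing to an ICMP ping.
    tcp_only = {1: FilterSet([Rule("10.121.1.0/24", c_lans, proto="tcp")])}
    out["tcp_rule_vs_ping"] = evaluate(tcp_only, 1, ping_a_to_c)   # pass

    # 3. Two rules, one per direction, as worked out later in the thread.
    both_ways = {1: FilterSet([Rule("10.121.1.0/24", c_lans), Rule(c_lans, "10.121.1.0/24")])}
    out["both_ways_C_to_A"] = evaluate(both_ways, 1, ping_c_to_a)   # block

    # 4. Ordering: Start Filter Set 7, Next Set# 4. A deferred block in Set 7 lets a later allow win.
    chained = {
        7: FilterSet([Rule("0.0.0.0/0", "0.0.0.0/0", action="block_if_no_further_match")], next_set=4),
        4: FilterSet([Rule("10.121.1.0/24", "10.188.237.0/24", action="pass_immediately")]),
    }
    out["chain_A_to_LAN6"] = evaluate(chained, 7, ping_a_to_lan6)   # pass: the allow in Set 4 is reached
    out["chain_A_to_C"] = evaluate(chained, 7, ping_a_to_c)         # block: nothing later matched

    # 5. The same chain with 'Block immediately' in Set 7: Set 4 is never consulted.
    chained[7].rules[0].action = "block_immediately"
    out["immediate_A_to_LAN6"] = evaluate(chained, 7, ping_a_to_lan6)   # block
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} {verdict}")
```

Cases 1 and 2 are the two reasons the original test ping "worked": the rule is evaluated left pane to right pane, and a TCP/UDP rule never sees ICMP. Cases 4 and 5 are the ordering point: with ‘Block if no further match’ first, a later allow still gets its turn; with ‘Block immediately’ first, nothing after it ever runs.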

22 Dec 2023 12:16 #12 by neil201
Cheers, I'm getting my head around this now. I've just been on to one of the remote routers (10.120.1.0) and pinged via the Router Diagnosis ping tool to the 10.188.230.0 network, and I can't get a response from any devices on that network, so my block rule there is working. I'd not given thought to the direction I was going; I should have done. But if I wanted to block traffic both ways then two separate rules are needed: the existing inbound (to the 10.188.230.0 network) and one outbound from that same network.

From a security perspective, blocking incoming connectivity to the other subnets on the 10.188.230.0 network should provide adequate security to these networks I'm assuming.
