XII. Firewall/Security Features

Vigor 3900 Firewall - IP Filter Basics


The DrayTek Vigor 3900, 2960 and 300B routers have an object-based IP and application firewall which allows for many different IP filter rules in many different groups. This can be used to control access to services or IP addresses passing through the router for incoming or outgoing internet traffic, NAT port forwards, UPnP port forwards, VPN traffic and Inter-LAN routing traffic.

This knowledge base article describes how the Vigor 3900 firewall functions and interacts with other functionality of the router.

For a setup guide please refer to the IP Filter Setup example, which demonstrates how to use the IP filter to control which internet IP addresses can access an SMTP server behind the router which is available externally using a NAT Port Forward.

Note: The 1.2.0 Firmware makes significant changes to how Filter Rule Actions operate. Please check the Filter Rule Actions tab for more information.

Firewall Logic

There are three main elements that make up a filter rule, highlighted in the image to the left.

The IP Filter checks each session of incoming, outgoing, VPN and Inter-LAN traffic.

When it does this, the firewall checks whether that session matches the Criteria and the Direction of the first enabled Filter Rule, processing the next rule in order if there is no match. When the router finds a rule that matches those details, it performs the Action specified in that filter rule, either passing or blocking the session.

If the Matching Criteria and Direction do not match any enabled Filter Rules, the IP Filter will perform the Action specified in the Default Policy tab.

The IP Filter is processed after the router's NAT rules, so it is necessary to configure firewall entries to limit access to a port forward configured on the router, such as one for an SMTP server. If using Port Redirection with a different external port from the internal port, the router's IP filter would use the internal port for firewall rule matching.

This flowchart demonstrates how the IP Filter processes an incoming session:

Object Based Firewall

The firewall of these routers uses objects for IP addresses and ports, so that objects can be grouped in a single filter rule, which makes management easier. If there is a filter rule that links to an IP address group for all PCs in the Sales department, for instance, modifying the IP address objects in that IP Group would immediately affect that filter rule without needing to change the filter rule's configuration.

Groups & Rules

Under [Firewall] > [Filter Setup], the IP Filter tab has a listing of Groups, which allows for a maximum of 12 groups. Each group can have 20 filter rules in total. The groups are processed in order, but they can be processed out of order by using the "If No Further Match" action, which allows a filter rule to point to a specific group. When processing groups out of order, it is important to avoid causing a loop, which could cause issues with firewall functionality.

In this example, the router would process filter rules in the order of Group 1 - Rule 1 > Group 1 - Rule 2 > Group 2 - Rule 1 > Group 3 and so on.

The router does not allow two filter rules or filter groups to have the same name.

Filter rules with the action of Allow must be placed before filter rules with an action of Block, otherwise the router would, when processing rules in order, find a match with the Block rule first and finish processing the session with that, resulting in the session being blocked.

Putting Allow rules first, for instance a rule allowing a single IP address to access a service, allows the router to match that IP address with the filter rule that has an action of Allow for that IP address, then allow the session for that IP address to pass through the firewall.
Any IP addresses not matching that allow rule would continue to be checked against filter rules further down in the list and would match with the Block rule, which would block the session for those IP addresses.
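
The first-match ordering and post-NAT port matching described above can be modelled in a few lines; this is an added illustration, not DrayTek code or configuration syntax. The rule names, addresses, port numbers and the "allow" default policy are constructed sample values, and Direction and the "If No Further Match" action are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src: str             # source network the session must come from (CIDR)
    dport: int           # destination port as seen after NAT (internal port)
    action: str          # "allow" or "block"
    enabled: bool = True

def after_nat(port_forwards, external_port):
    """Port the filter sees: the internal port of a matching port forward."""
    return port_forwards.get(external_port, external_port)

def evaluate(groups, src_ip, dport, default_policy):
    """Walk groups and rules in order; the first enabled match decides."""
    for group in groups:
        for rule in group:
            if not rule.enabled:
                continue
            if ip_address(src_ip) in ip_network(rule.src) and dport == rule.dport:
                return rule.action, rule.name
    return default_policy, "default policy"

# Constructed sample data (documentation address ranges, hypothetical names).
FORWARDS = {2525: 25}    # external port 2525 redirected to internal SMTP port 25
ALLOW = Rule("allow-mail-relay", "203.0.113.10/32", 25, "allow")
BLOCK = Rule("block-smtp", "0.0.0.0/0", 25, "block")
GOOD_ORDER = [[ALLOW, BLOCK]]
BAD_ORDER = [[BLOCK, ALLOW]]     # the Block rule shadows the Allow rule
WRONG_PORT = [[Rule("block-2525", "0.0.0.0/0", 2525, "block")]]

def demo():
    port = after_nat(FORWARDS, 2525)     # the filter matches on 25, not 2525
    return {
        "trusted host, Allow first": evaluate(GOOD_ORDER, "203.0.113.10", port, "allow"),
        "other host, Allow first": evaluate(GOOD_ORDER, "198.51.100.7", port, "allow"),
        "trusted host, Block first": evaluate(BAD_ORDER, "203.0.113.10", port, "allow"),
        "rule on external port": evaluate(WRONG_PORT, "198.51.100.7", port, "allow"),
    }

if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case}: {action} (matched {rule})")
```

The last case shows a block rule written against the external port never matching, so the session is decided by the Default Policy instead.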
