XII. Firewall/Security Features

Vigor 3900 Firewall - Port Forwarding and Filtering

Vigor 2960
Vigor 3900
Show all

The DrayTek Vigor 3900, 2960 and 300B routers have an object-based IP and application firewall which allows for many different filter rules in up to 12 filter sets. This makes it possible to control access to services that have been set up to be accessible from the internet using port forwards or IP routing.

This guide will provide an example of how to allow only a specified IP address to access a server, with a port forward configured for HTTPS (TCP port 443) to an internal server so that it is accessible from the internet.

This will require configuring the port forward, then configuring the firewall so that there are two Filter Groups, one to allow specific traffic and another to block traffic, the firewall processes the Allow group of rules, followed by the Block group of rules.

It is necessary to configure the port forward first, to do that, go to [NAT] > [Port Redirection] and click Add to create a new entry:

  • Give the port redirection entry a suitable name
  • Enable it
  • Set the Port Redirection Mode to One to One
  • Set the WAN Profile to the correct WAN interface (if necessary)
  • Set the Protocol, this example will use HTTPS so the protocol can be set to TCP
  • The Public Port is the port that will be accessible from the internet, this can be used to translate the port to a different port number, set this to port 443
  • The Private IP is the IP address of the internal server, which in this example is
  • The Private Port is the port that the internal server uses for the service, in this example the port is 443

Click Apply to save and apply that port forward; the server should now be accessible from the internet using the router's WAN IP on the default HTTPS port.

The port forward allows the internal server to be accessed from the router's WAN IP(s) from any remote IP address. To limit which internet IP addresses can access it, it is necessary to make two filter rules, the first rule allows traffic from the specified internet IP address, IP addresses or subnets and the second rule blocks all remaining traffic, which results in only the specified IP addresses being able to access the forwarded port.

To set up the filter rules, go to [Firewall] > [Filter Setup] and go to the IP Filter tab. On there, click Add to create a new Filter Group:

Set the name of the group to Allow and click Apply:

Click Add again to create a second filter Group called Block:

Expand the Allow group by clicking the triangle icon, then click Add to create a new filter rule in that group:

In the filter rule, configure these settings:

  • Set the Profile Name to indicate the purpose of the filter rule
  • Enable the filter rule
  • Set the Action to Accept
  • Set the Input Interface to ALL WANS so that this affects all incoming traffic
  • Scroll down to Service Protocol and expand the Service Type Object menu and select the traffic type to allow from the list.

If the port isn't present in the list, click the + icon to add a new entry. When creating a new entry, select the Protocol for the type of traffic, set the Source Port Start to 1 and the Source Port End to 65535, set the Destination Port Start and Destination Port End to the port to allow i.e. 5060.

Scroll down to the Source IP section and expand that:

Click the "+" icon to create a new IP Object, give the IP Object a suitable name, set the address type and enter the IP address that would be allowed through the firewall:

Click Apply to save that IP Object.

Select the IP Object just created in the list by selecting its tickbox:

Click Apply to complete that filter rule, which will go back to the filter rule list and display like so:

To create the block rule, expand the Block filter group and click Add to make a new filter rule:

Configure the following settings:

  • Give the profile a suitable name
  • Enable the profile
  • Set the Action to Block
  • It may be useful to enable Syslog so that syslog reports attempts to access this port when blocking the traffic
  • Set the Input Interface to ALL WANS so that the rule affects incoming traffic
  • Expand the Service Protocol section and select the Service Type Object for the type of inbound traffic to block, in this case, HTTPS

Click Apply to save and apply that filter rule.

With both rules configured and enabled, the router will block any incoming HTTPS traffic that does not originate from the IP address that has been allowed in the Allow rule:

How do you rate this article?

1 1 1 1 1 1 1 1 1 1