Expired

XII. Firewall/Security Features


Firewall - Limit access to Port Forwarding with Firewall Rules

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2763

Keywords:
Firewall
IP Filter
SMTP
Services

The firewall on DrayTek routers can be used to limit access to internet-facing services on the router, such as a mail server or computers that would be remotely managed using RDP. This is done using filter rules on the router to firstly block incoming traffic for that service, then allow access to the service for the IP addresses specified.

This example explains how to allow specific IP addresses through the firewall to a Simple Mail Transfer Protocol (SMTP) server, which most commonly uses TCP port 25. Connections to this server can be restricted to a list of allowed servers (for instance when using an external mail filtering service) so that arbitrary internet hosts cannot communicate with the SMTP server.

After forwarding TCP port 25 via [NAT] > [Port Redirection] or [NAT] > [Open Ports] (further information here) for the local IP address, all external IP addresses are allowed to connect to it. The firewall is then used to limit access. If using Port Redirection with a different external port (internet-facing) from the internal port (local server port), the firewall would need to block access to the internal port and the local IP address of the server, rather than the public IP / port.

There are two ways that this can be configured:

Filter Rule Setup using Objects: This is best to use where multiple IP addresses need to be allowed access to the local server, for instance when using a mail filtering service. This also makes managing filter rules in future easier; if the IP addresses used change, they can be edited as IP objects, which then updates the filter rule.

Filter Rule Setup using IP Address: This is best to use where only a single IP address would be allowed access to the local server.

Please note that any changes to the firewall take effect immediately, so if this is being configured in a live environment, leave the filter rules disabled until they are fully configured as described in this guide, and enable them once the settings are confirmed to be correct.


Filter Rule Setup using Objects

The first step is to set up the IP address objects. These are the IP addresses on the WAN side that will be allowed access to the incoming service.

Go to [Object Settings] > [IP Object] and click on the first available index number:

In the IP Object, there are three Address Type settings:

Single Address - This sets a single IP address for the IP object.

Range Address - This sets a range of IP addresses in the IP object, such as this example:

Subnet Address - This sets the IP range according to a subnet: the Start IP Address is the Network Address of the subnet and the Subnet Mask defines how large the subnet is. In this example, 198.51.100.104 is the network address and 255.255.255.248 is the subnet mask, which results in an IP range from 198.51.100.104 to 198.51.100.111.

Click OK to save the IP Object once configured and configure as many as needed. Once those are set up, go to [Object Setting] > [IP Group] and click the first available index number:

In there, give the IP Group a suitable name (MailFilter in this example), move the IP Objects needed into the Selected IP Objects box by clicking the highlighted button, then click OK to save that:


The next step is to configure the filter rules. This uses two rules: one to block incoming traffic for the service, and another to allow incoming traffic that matches the specified criteria.

Before setting up the filter rules, check that the router's firewall is enabled under [Firewall] > [General Setup] on the General Setup tab. The Data Filter must be enabled for the filter rules to work. This guide also assumes that the Start Filter Set is set to Set#2. Click OK on that page to save the changes if the firewall needed to be enabled.


Go to [Firewall] > [Filter Setup] and select the Default Data Filter by clicking on the number for Set #2:

In there, there is a pre-defined rule which can be ignored. Select the first available rule, which will usually be Filter Rule 2:

This presents a blank filter rule, which will be set up to block incoming SMTP traffic:

Check the tickbox to Enable the filter rule.

Give the Filter Rule a suitable name in the Comment field, for instance BlockSMTP.

Set the Direction to WAN -> LAN/DMZ/RT/VPN so that the filter rule covers inbound traffic. This means that the Source IP is an internet address and the Destination IP is the local server.

Leave the Source IP set to Any as this rule will be blocking general internet access to the SMTP server.

For the Destination IP, click Edit and configure the IP address of the local server, which in this example is 192.168.1.10. Click OK in the pop-up window once that is set to go back to the filter rule.

For the Service Type, click Edit and configure the service as shown (TCP, destination port 25 in this example). Only the Destination Port range is set, because the Source Port will normally be a dynamically assigned port number. Click OK to close the pop-up window and go back to the filter rule.

Under the Action/Profile for the Filter setting, set it to Block if No Further Match. This means that the router continues checking the filter rules after this one; if a later rule matches, the action of that rule is taken instead.

The rule should then look like this:

Click OK to save the filter rule, which returns to the Filter Set 2 list. Click on the next available rule, which should be Filter Rule 3.


The setup of the rule to pass specified traffic is similar to the block rule:

Check the tickbox to Enable the filter rule.

Give the Filter Rule a suitable name in the Comment field, for instance AllowSMTP.

Set the Direction to WAN -> LAN/DMZ/RT/VPN so that the filter rule covers inbound traffic. This means that the Source IP is an internet address and the Destination IP is the local server.

For the Source IP, click Edit and configure the IP address or IP Objects / Groups to allow through. Set the Address Type to Group and Objects then select the IP Group "MailFilter" created earlier:

Click OK in the pop-up window once that is set to go back to the filter rule.

For the Destination IP, click Edit and configure the IP address of the local server, which in this example is 192.168.1.10. Click OK in the pop-up window once that is set to go back to the filter rule.

For the Service Type, click Edit and configure the service as shown (TCP, destination port 25 in this example, the same as the block rule). Only the Destination Port range is set, because the Source Port will normally be a dynamically assigned port number. Click OK to close the pop-up window and go back to the filter rule.

Under the Action/Profile for the Filter setting, set it to Pass Immediately, which will pass the traffic that meets the criteria of this filter rule. It should look like this once configured:

Click OK to save the filter rule; traffic from the allowed IP addresses will now be passed through to the server, while all other inbound SMTP traffic is blocked by the preceding rule. The Filter Set 2 filter rule list should now look like this:
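To check the finished rule set before enabling it, the following added example (not DrayTek's code or router firmware) models the three IP Object Address Types and walks the two-rule filter set in order, so the effect of Block if No Further Match followed by Pass Immediately can be verified against sample source addresses. The server address and the 198.51.100.104/255.255.255.248 object are taken from the guide; the other MailFilter members and the rule dictionaries are constructed for the example.

```python
import ipaddress

def ip_object(kind, start, end_or_mask=None):
    """Networks covered by an IP Object of Address Type single, range or subnet."""
    if kind == "single":
        return [ipaddress.ip_network(start)]
    if kind == "range":
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end_or_mask)))
    if kind == "subnet":  # start = network address, end_or_mask = subnet mask
        return [ipaddress.ip_network(f"{start}/{end_or_mask}")]
    raise ValueError(f"unknown Address Type {kind!r}")

def in_group(addr, group):
    a = ipaddress.ip_address(addr)  # True if addr is inside any object of the group
    return any(a in net for obj in group for net in obj)

# Constructed "MailFilter" IP Group with one object of each Address Type.
MAIL_FILTER = [
    ip_object("subnet", "198.51.100.104", "255.255.255.248"),  # .104 to .111 (page example)
    ip_object("range", "203.0.113.20", "203.0.113.22"),        # constructed
    ip_object("single", "192.0.2.7"),                          # constructed
]
SERVER = "192.168.1.10"  # local SMTP server from the guide

# Filter Set 2 in order; the router's pre-defined rule 1 is left out. src None = Any.
RULES = [
    {"name": "BlockSMTP", "src": None, "dst": SERVER, "dport": 25,
     "action": "block_if_no_further_match"},
    {"name": "AllowSMTP", "src": MAIL_FILTER, "dst": SERVER, "dport": 25,
     "action": "pass_immediately"},
]

def matches(rule, src, dst, dport):
    if rule["dst"] != dst or rule["dport"] != dport:
        return False
    return rule["src"] is None or in_group(src, rule["src"])

def evaluate(src, dst, dport, rules=RULES):
    """Walk the set top to bottom: a block-if-no-further-match verdict stands
    only when no later rule matches; 'immediately' actions end the walk."""
    pending = None
    for rule in rules:
        if not matches(rule, src, dst, dport):
            continue
        if rule["action"] == "pass_immediately":
            return "pass"
        if rule["action"] == "block_immediately":
            return "block"
        pending = "block"  # block_if_no_further_match: remember it, keep checking
    return pending or "no_match"  # no rule in this set covered the packet
```

Changing the first rule's action to Block Immediately makes the model block the MailFilter addresses too, which is why the guide uses Block if No Further Match for the block rule.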
