Draytek Filter Problems

Posted on 2014-04-12
Last Modified: 2014-04-12
Hi folks,

I was wondering if someone with some experience with Draytek Data Filters could assist me for a moment, as I have been struggling to block and allow certain ports and IP addresses and it's now doing my head in. I am not sure what I am doing wrong.

I am basically trying to create a firewall rule to block all Windows XP computers from accessing external internet traffic unless specifically permitted. All XP computers are in the range 192.168.100.190-196 and I have set up the following Block All rule:

Rule Name: WinXP Block
Direction: LAN -> WAN
Source IP: 192.168.100.190-196
Destination IP: Any
Service Type: Any
Filter: Block Immediately

This rule works fine. Above this I then define the allow rules which are:

Rule Name: Email
Direction: WAN -> LAN
Source IP: Any
Destination IP: Any
Service Type: TCP 25
Filter: Block Pass Immediately

Rule Name: Remote Access
Direction: LAN -> WAN
Source IP: Remote Access Server IP
Destination IP: Any
Service Type: TCP Port ranges
Filter: Block Pass Immediately

For some reason, when I then check the syslog for the Draytek, I still see the above access rule and a few other rules still being blocked when they have been defined to be permitted.

Can someone tell me why this may be occurring?

Thanks
Question by:Tahir2008
13 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39995893
You're sure it's
Filter: Block Pass Immediately ?

I would expect
Filter: Pass Immediately
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995901
Ya sorry, pass immediately for the rest, just a typo.
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39995906
I would do it like this:

Rule 1:
Rule Name: WinXP Block
Direction: LAN -> WAN
Source IP: 192.168.100.190-196
Destination IP: Any
Service Type: Any
Filter: Block if no further match

Rule 2:
Rule Name: Email
Direction: WAN -> LAN  //you're sure you want this? You have an internal mail server?
Source IP: Any               // or are your XP boxes connecting to an external SMTP?
Destination IP: Any
Service Type: TCP 25
Filter: Pass Immediately

Rule 3:
Rule Name: Remote Access
Direction: LAN -> WAN
Source IP: Remote Access Server IP
Destination IP: Any
Service Type: TCP Port ranges
Filter: Pass Immediately

BTW, rule no 3 will allow your Remote Access server to connect out, not for outside connections to it. If you need to connect to it from outside your LAN, you'll need something like:

Rule 4:
Rule Name: Remote Access wan-lan
Direction: WAN -> LAN
Source IP: Any (or a set of predetermined IP addresses)
Destination IP: Remote Access Server IP
Service Type: TCP Port ranges
Filter: Pass Immediately
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995908
Thanks Dan, let me give that a try and see how it goes.
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995920
Hi Dan,

Tried that and it seems to block everything and not allow anything else through the permit rules.
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39995922
OK, that rule says "Block if no further match", which means the firewall found no other matches and chose to block.

What traffic have you tried and was blocked?
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995923
We use a remote access program like LogMeIn, and it works on TCP ports 8040-8041, but even with both LAN-WAN / WAN-LAN rules in place it won't allow this traffic.
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995925
Could it be because it's Rule 1 and is set to block everything that could be the problem, and it's not allowing the rules below because it's matching any?
 
LVL 35

Accepted Solution

by:Dan Craciun (earned 500 total points)
ID: 39995931
First, remove Rule no 1 and see if Logmein can connect.
If it can't connect, then you have other rules that deny it. Fix those.

If it can connect without Rule no 1, but not with it, this means Logmein traffic does not match any of the rules 2 to 4. Post them here (I think screenshots are faster than manually copying), maybe we can spot the problem.
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995935
OK, leave it with me, let me have a dig around. Really appreciate the help so far.
 
LVL 1

Author Comment

by:Tahir2008
ID: 39995952
Hi Dan,

I have managed to get it to work. It did not like the fact I was allowing certain ports, so I have had to allow the full IP address unfortunately, otherwise it fails. This is not really a problem, as various services should be allowed and should be safe from those 3 IP addresses.

Thanks for all the help.
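To make the rule-ordering behaviour discussed in this thread concrete (Dan's "Block Immediately" vs "Block if no further match" distinction, and the asker's final fix of passing the XP hosts' own IPs), here is an added Python simulator of a top-down filter chain with those four Draytek-style filter actions. This is example code written for this page, not Draytek firmware and not anything posted in the thread; the Remote Access Server IP (192.168.100.10), the external addresses and the "pass" default when nothing matches are assumed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "LAN->WAN" or "WAN->LAN"
    src: str        # "any", one IP, or a last-octet range like "192.168.100.190-196"
    dst: str
    proto: str      # "any" or "tcp"
    ports: tuple    # inclusive (low, high), or None for any port
    filter: str     # pass_immediately | block_immediately | pass_if_no_match | block_if_no_match

def ip_in(ip, spec):
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    if hi and "." not in hi:  # shorthand last-octet range, as written in the thread
        hi = lo.rsplit(".", 1)[0] + "." + hi
    return ip_address(lo) <= ip_address(ip) <= ip_address(hi or lo)

def matches(r, direction, src, dst, proto, dport):
    return (r.direction == direction and ip_in(src, r.src) and ip_in(dst, r.dst)
            and r.proto in ("any", proto)
            and (r.ports is None or r.ports[0] <= dport <= r.ports[1]))

def evaluate(rules, direction, src, dst, proto="tcp", dport=0, default="pass"):
    """Top-down first match: '..._immediately' ends evaluation; '..._if_no_match' stores a
    tentative verdict and keeps going so a later rule can override it. Default is assumed."""
    verdict, trace = default, []
    for r in rules:
        if matches(r, direction, src, dst, proto, dport):
            trace.append(r.name)
            action, _, mode = r.filter.partition("_")
            if mode == "immediately":
                return action, trace
            verdict = action
    return verdict, trace

RA_SERVER = "192.168.100.10"  # assumed placeholder for the thread's "Remote Access Server IP"
XP_RANGE = "192.168.100.190-196"
PASS_XP_LOGMEIN = Rule("XP LogMeIn", "LAN->WAN", XP_RANGE, "any", "tcp", (8040, 8041), "pass_immediately")
def dan_rules(block_filter="block_if_no_match"):
    """Rules 1-4 from the thread; rule 1's filter is a parameter so both variants can be compared."""
    return [
        Rule("WinXP Block", "LAN->WAN", XP_RANGE, "any", "any", None, block_filter),
        Rule("Email", "WAN->LAN", "any", "any", "tcp", (25, 25), "pass_immediately"),
        Rule("Remote Access", "LAN->WAN", RA_SERVER, "any", "tcp", (8040, 8041), "pass_immediately"),
        Rule("Remote Access wan-lan", "WAN->LAN", "any", RA_SERVER, "tcp", (8040, 8041), "pass_immediately"),
    ]
```

Running an XP host's outbound TCP 8040 through `dan_rules()` blocks it with only "WinXP Block" in the trace (rule 3 has the wrong source, rule 4 the wrong direction), appending `PASS_XP_LOGMEIN` turns that into a pass, and with rule 1 set to `block_immediately` the appended pass rule is never reached.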
 
LVL 1

Author Closing Comment

by:Tahir2008
ID: 39995953
Great help.
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39995959
Glad I could help!