In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!
Draytek Filter Problems
Hi folks,
I was wondering if someone with some experience with Draytek Data Filters could assist me for a moment as I have been struggling trying to block and allow certain ports and IP addresses and its now doing my head in, I am not sure what I am doing wrong.
I am basically trying to create a firewall rule to block all WindowsXP computers from accessing the external internet traffic unless specifically permitted. All XP computers are on the range 192.168.100.190-196 and I have setup the following Block All rule:
Rule Name: WinXP Block
Direction: LAN -> WAN
Source IP: 192.168.100.190-196
Destination IP: Any
Service Type: Any
Filter: Block Immediatley
This rule works fine. Above this I then define the allow rules which are:
Rule Name: Email
Direction: WAN - LAN
Source IP: Any
Destination IP: Any
Service Type: TCP 25
Filter: Block Pass Immediatley
Rule Name: Remote Access
Direction: LAN -> WAN
Source IP: Remote Access Server IP
Destination IP: Any
Service Type: TCP Port ranges
Filter: Block Pass Immediatley
For some reason when I then check the syslog for the Draytek, I still see the above access rule and a few other rules still being blocked when they have been defined to be permitted.
Can someone tell me why this may be occurring?
Thanks
I was wondering if someone with some experience with Draytek Data Filters could assist me for a moment as I have been struggling trying to block and allow certain ports and IP addresses and its now doing my head in, I am not sure what I am doing wrong.
I am basically trying to create a firewall rule to block all WindowsXP computers from accessing the external internet traffic unless specifically permitted. All XP computers are on the range 192.168.100.190-196 and I have setup the following Block All rule:
Rule Name: WinXP Block
Direction: LAN -> WAN
Source IP: 192.168.100.190-196
Destination IP: Any
Service Type: Any
Filter: Block Immediatley
This rule works fine. Above this I then define the allow rules which are:
Rule Name: Email
Direction: WAN - LAN
Source IP: Any
Destination IP: Any
Service Type: TCP 25
Filter: Block Pass Immediatley
Rule Name: Remote Access
Direction: LAN -> WAN
Source IP: Remote Access Server IP
Destination IP: Any
Service Type: TCP Port ranges
Filter: Block Pass Immediatley
For some reason when I then check the syslog for the Draytek, I still see the above access rule and a few other rules still being blocked when they have been defined to be permitted.
Can someone tell me why this may be occurring?
Thanks
Asked:
-
8
5
1 Solution
I would do it like this:
Rule 1:
Rule Name: WinXP Block
Direction: LAN -> WAN
Source IP: 192.168.100.190-196
Destination IP: Any
Service Type: Any
Filter: Block if no further match
Rule 2:
Rule Name: Email
Direction: WAN -> LAN //you're sure you want this? You have an internal mail server?
Source IP: Any // or are your XP boxes connecting to an external SMTP?
Destination IP: Any
Service Type: TCP 25
Filter: Pass Immediately
Rule 3:
Rule Name: Remote Access
Direction: LAN -> WAN
Source IP: Remote Access Server IP
Destination IP: Any
Service Type: TCP Port ranges
Filter: Pass Immediately
BTW, rule no 3 will allow your Remote Access server to connect out, not for outside connections to it. If you need to connect to it from outside your LAN, you'll need something like:
Rule 4:
Rule Name: Remote Access wan-lan
Direction: WAN -> LAN
Source IP: Any (or a set of predetermined IP addresses)
Destination IP: Remote Access Server IP
Service Type: TCP Port ranges
Filter: Pass Immediately
Rule 1:
Rule Name: WinXP Block
Direction: LAN -> WAN
Source IP: 192.168.100.190-196
Destination IP: Any
Service Type: Any
Filter: Block if no further match
Rule 2:
Rule Name: Email
Direction: WAN -> LAN //you're sure you want this? You have an internal mail server?
Source IP: Any // or are your XP boxes connecting to an external SMTP?
Destination IP: Any
Service Type: TCP 25
Filter: Pass Immediately
Rule 3:
Rule Name: Remote Access
Direction: LAN -> WAN
Source IP: Remote Access Server IP
Destination IP: Any
Service Type: TCP Port ranges
Filter: Pass Immediately
BTW, rule no 3 will allow your Remote Access server to connect out, not for outside connections to it. If you need to connect to it from outside your LAN, you'll need something like:
Rule 4:
Rule Name: Remote Access wan-lan
Direction: WAN -> LAN
Source IP: Any (or a set of predetermined IP addresses)
Destination IP: Remote Access Server IP
Service Type: TCP Port ranges
Filter: Pass Immediately
Hi Dan,
Tried that and it seems to block everything and not allow anything else through the permit rules.
Tried that and it seems to block everything and not allow anything else through the permit rules.
OK, that rule says "Block if no further match", which means the firewall found no other matches and chose to block.
What traffic have you tried and was blocked?
What traffic have you tried and was blocked?
We use a remote access program like Logmein and it works on TCP port 8040-8041 but even with both LAN-WAN / WAN -LAN rules in place it wont allow this traffic.
Could it be because its Rule 1 and is set to block everything that could be the problem and its not allowing the rules below because its matching any?
First, remove Rule no 1 and see if Logmein can connect.
If it can't connect, then you have other rules that deny it. Fix those.
If it can connect without Rule no1, but not with it, this means Logmein traffic does not match any of the rules 2 to 4. Post them here (I think screenshots are faster than manually copying), maybe we can spot the problem.
If it can't connect, then you have other rules that deny it. Fix those.
If it can connect without Rule no1, but not with it, this means Logmein traffic does not match any of the rules 2 to 4. Post them here (I think screenshots are faster than manually copying), maybe we can spot the problem.
Hi Dan,
I have managed to get it to work, it did not like the fact I was allowing certain ports so I have had to allow the full IP address unfortunately otherwise it fails. This is not really a problem as various services should be allowed and should be safe from those 3 IP addresses.
Thanks for all the help.
I have managed to get it to work, it did not like the fact I was allowing certain ports so I have had to allow the full IP address unfortunately otherwise it fails. This is not really a problem as various services should be allowed and should be safe from those 3 IP addresses.
Thanks for all the help.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
Filter: Block Pass Immediately ?
I would expect
Filter: Pass Immediately