Linksys LRT214 Firewall

We are deploying these units in small offices, and we have noticed in the configuration that the units have:

Port Forwarding, like classic home routers
Firewall Access Rules, like Sonicwall and other advanced security routers

The access rules do not seem to make any difference, whereas the port forwarding rules allow the correct traffic. Anyone have experience with these? Are these 'either/or', or do they work in conjunction with one another? For now, we are simply ignoring the firewall access rules, and the routers are functioning as we need them to.
BullfrogSoftware asked:
bbao (IT Consultant) commented:
> The access rules do not seem to make any difference whereas the port forwarding rules allow the correct traffic.

Could you please be specific, or simply post a screenshot of the configuration, to clarify the issue?
Akinsd (Network Administrator) commented:
Port forwarding = Static NAT

Implementation depends on goals.

You can use both, or use none, or just use one. It all depends on your goal. They do not perform the same function, though.
Port forwarding is like a traffic warden, while the firewall is like a bouncer.
Example:
Traffic to public IP 172.32.16.100 on port 80 should be directed to the web server's local IP address, e.g. 10.10.10.1.
That is port forwarding. You are forwarding traffic to a device based on triggered ports.
Traffic to public IP 172.32.16.100 on port 3389 may be directed to the SQL server's local IP address, e.g. 10.10.10.2, to remote desktop into it.
I may then filter which addresses I want to grant access to for the RDP. I can say only allow traffic from the 198.10.10.0/22 network going to 172.32.16.100 on port 3389 to be forwarded to the SQL server's local address 10.10.10.2.
This way, I will apply both the static NAT rule and the firewall rule (or ACL) to accomplish that task.
BullfrogSoftware (Author) commented:
OK, here is where I am getting confused. Even if we have a single firewall rule

WAN -> LAN Block ALL

Then set port 80 forward to 10.x.x.3

The port 80 traffic is allowed. Does the port forward supersede the firewall on this unit?
Akinsd (Network Administrator) commented:
No, it just means you're applying the ACL in the wrong direction and the traffic never hits it.
To verify, check the access list for hits. There should be record counts for blocked or allowed, or both.
0 means no traffic went through the ACL.

Remember that the two are completely different things. They can be configured to interact, e.g. by referencing addresses for NAT via an ACL, but that's not what you're doing here.
bbao (IT Consultant) commented:
>> Does the port forward supersede the firewall on this unit?

Not exactly. It just means port forwarding has a higher PRIORITY than the system firewall rule blocking everything from WAN to LAN, which means only HTTP traffic on port 80 will be forwarded to the specific internal host; any OTHER traffic from WAN to LAN will be denied.

> No, it just means you're applying the ACL in the wrong direction and the traffic never hit it.

I don't think it is in the wrong direction. Port forwarding on consumer routers always applies to the WAN -> LAN direction, the same direction as the system default rule blocking everything from WAN to LAN.
gheist commented:
iptables is easier to manage:
http://wiki.openwrt.org/toh/linksys/wrt610n
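To make the NAT-versus-ACL ordering discussed in the thread concrete, here is an added example (not from any poster, and not the LRT214's or iptables' own code): a small model of a WAN->LAN pipeline in which the port forward (DNAT) is applied first and the access rules are then evaluated against the translated destination, as iptables' PREROUTING/FORWARD chains do. It reuses Akinsd's addresses and the asker's "block all plus port 80 forward" case; the `nat_overrides_acl` switch is an assumed knob that reproduces the behaviour the asker observed, not a documented setting.

```python
# Added example: NAT-then-ACL packet model. Addresses/ports come from the
# thread; the pipeline and rule format are constructed for illustration.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def apply_dnat(pkt, forwards):
    """Static NAT: (public_ip, public_port) -> (inside_ip, inside_port)."""
    target = forwards.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt, False
    return replace(pkt, dst=target[0], dport=target[1]), True


def apply_acl(pkt, acl, default="drop"):
    """Top-down, first match wins. Entry: (action, src_net, dst_ip|None, dport|None).
    Evaluated on the post-NAT packet, as the iptables FORWARD chain sees it."""
    for action, src_net, dst, dport in acl:
        if ip_address(pkt.src) not in ip_network(src_net, strict=False):
            continue
        if dst is not None and pkt.dst != dst:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return default


def process(pkt, forwards, acl, nat_overrides_acl=False):
    """Return (verdict, translated packet). nat_overrides_acl=True models the
    asker's observation: a matching port forward is accepted without the ACL."""
    pkt, forwarded = apply_dnat(pkt, forwards)
    if forwarded and nat_overrides_acl:
        return "accept", pkt
    return apply_acl(pkt, acl), pkt


FORWARDS = {("172.32.16.100", 80): ("10.10.10.1", 80),
            ("172.32.16.100", 3389): ("10.10.10.2", 3389)}
# Akinsd's example: RDP only from 198.10.10.0/22, web from anywhere.
ACL = [("accept", "198.10.10.0/22", "10.10.10.2", 3389),
       ("accept", "0.0.0.0/0", "10.10.10.1", 80)]

if __name__ == "__main__":
    for p in (Packet("198.10.11.5", "172.32.16.100", 3389),
              Packet("203.0.113.9", "172.32.16.100", 3389),
              Packet("203.0.113.9", "172.32.16.100", 80)):
        print(p, "->", process(p, FORWARDS, ACL))
```

With an empty ACL (the asker's "WAN -> LAN Block ALL") the standard ordering drops the port 80 packet even though it was translated, whereas `nat_overrides_acl=True` accepts it; checking which of the two your unit does (for example via the ACL hit counters Akinsd mentions) tells you whether the access rules are actually being consulted.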