Standard User Klev (newbie) Sun 03-Apr-11 22:29:01

DrayTek 2820 firewall filter rules seem to be ignored

I am unable to use SIP/VOIP over NAT reliably with my VOIP provider (or in fact any VOIP provider) despite trying numerous configurations. I was able to obtain a /29 block of public IP addresses from my ISP.

My IP range is:

xx.xx.94.16 -> xx.xx.94.23

This gives a usable range of:

xx.xx.94.17 -> xx.xx.94.22

My router's public IP address is: xx.xx.94.17, the SIP VOIP handset is allocated xx.xx.94.18 (I am going to add others).

This is working great and all of my SIP/VOIP issues have gone away. However I can't seem to block access to non-SIP ports on the public IP range. In particular I want to block access to port 80 which is the administration web interface for the handset.

I added a filter rule to block:

Direction: WAN -> LAN
Source IP: Any
Destination IP: Any
Service Type: TCP Port 80
Filter Action: Block Immediately

However this is totally ignored.

I then tried the approach of setting the default rule in General Setup to block everything and then added rules to allow full access from LAN to WAN and then open specific WAN -> LAN ports for SIP. That seems to be totally ignored as well and disabled outbound internet access from the NAT'd LAN.

I also tried following this guide (obviously changing the ports to suit my own needs) but again the filters are just ignored:

IP Filter/Firewall - IP Filter Samples - FTP server.

I am running the very latest firmware (3.3.5.1_211801).

If this was a "normal" router or firewall device I'd have no problems (I've worked with Cisco, Summit, Linux IPTables etc), but the DrayTek config is driving me up the wall.

Is the DrayTek firewall just fundamentally broken in some way?

=============================
Nildram (7yrs) -> ADSL24(1yr) -> AAISP

Standard User pmb00cs (eat-sleep-adslguide) Mon 04-Apr-11 19:13:54

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: Klev]

On the "Firewall > General Setup" page you need to point the Data Filter at one of the filter sets.

Once the first filter is set up and pointed at (the default is filter set 2, which is named "Default Data Filter" by default), any subsequent filter sets that you wish to use need to be pointed at from within the filter set (on the "Firewall > Filter Setup > Edit Filter Set" page there is a "Next Filter Set" option at the bottom of the page).

Also, as I understand it (and I haven't done extensive testing here), if the option is set to Block Immediately it doesn't matter what is in any further rules, and it should be set to Block If No Further Match instead.

I hope this helps, and apologise if this is not helpful, or if you have already tried this with no joy.

happily chugging along on plusnet and Virginmedia (yes I am greedy)
My web server

Standard User Sandgrounder (knowledge is power) Wed 06-Apr-11 11:48:14

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: pmb00cs]

It sounds simple doesn't it.

But, I have never made it work on any of my 2600 series routers - or my 2820.

Klev and I are missing something - but what?



Line One:- Zen - DrayTek Vigor 2600VG
Line Two:- EntaNet - DrayTek Vigor 2600



Standard User shtu (experienced) Wed 06-Apr-11 13:22:10

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: Sandgrounder]

Aren't you assigning public IP addresses to your handsets?

If you are, firewall rules won't work at all, as they are outside the firewall.

Edit...

Acid test: set up a firewall rule for WAN -> LAN, blocking *everything*.

My bet is your phones will still work.

I would be looking at putting the phones on the LAN side with a fixed IP, and using port forwarding to sort out any problems you get.

Edited by shtu (Wed 06-Apr-11 13:24:48)


Standard User Sandgrounder (knowledge is power) Wed 06-Apr-11 16:30:58

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: shtu]

In reply to a post by shtu:
Aren't you assigning public IP addresses to your handsets?

If you are, firewall rules won't work at all, as they are outside the firewall.
In my case, the VoIP handsets are plugged straight into the 2600VG router using Public IP addresses - and you are right; I would not expect firewall rules to achieve anything.

In reply to a post by shtu:
I would be looking at putting the phones on the LAN side with a fixed IP, and using port forwarding to sort out any problems you get.
Again, I agree with you - that is a way round most of the issues (and works well - all my servers use port forwarding).


But overall, it still leaves the basic point made by the OP, which is that any filter rules created just seem to be ignored.






Line One:- Zen - DrayTek Vigor 2600VG
Line Two:- EntaNet - DrayTek Vigor 2600

Standard User shtu (experienced) Wed 06-Apr-11 16:49:02

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: Klev]

In reply to a post by Klev:
My IP range is: xx.xx.94.16 -> xx.xx.94.23

My router's public IP address is: xx.xx.94.17

the SIP VOIP handset is allocated xx.xx.94.18 (I am going to add others).


Reading this, the OP's phone is connected directly to the internet, ie, outside the firewall.

If you or I put in the IP address of that phone into a browser, we would get its web interface, as it's on the public side of the router.

(Unless I'm missing something here?)

Standard User pmb00cs (eat-sleep-adslguide) Wed 06-Apr-11 19:22:48

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: shtu]

Logically it is outside the firewall, but physically it is not. I would expect a router that claims to have a "Robust & Comprehensive Firewall" to be able to handle this set-up.

Unfortunately I haven't got multiple IP's available to test this properly.

happily chugging along on plusnet and Virginmedia (yes I am greedy)
My web server

Standard User shtu (experienced) Thu 07-Apr-11 11:57:57

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: pmb00cs]

The phone is not on the LAN. Ergo, the firewall has no say in the matter - it sits between LAN and WAN. The phone is outside what the firewall can control.

What you have done is not the recommended approach - the phone is sat as a public device on a public IP range with no protection whatsoever. This is why your port forwarding and firewall woes have stopped - it's no longer behind the firewall.

(I'm guessing you don't want to go to a separate modem, plus inner and outer DMZ firewalls, so ...)

With the kit you have, the approach that will work would be to:

Use one of the public IPs as your phone IP.

Put the phone on the LAN IP range, and use port forwarding to push the traffic to the phone from the public IP. You can then implement firewall rules to restrict what passes through (though technically, the forwarding rules would do much the same - no defined forward = no traffic through to LAN IP.)

Your trouble, as always, is getting a good list of the ports and types to set up your rules properly. What phone, and what provider?

EDIT - you clearly know this already, I'm not trying to start a fight here. The Draytek doesn't contain multiple firewalls so you are limited to port forwarding, which is usually fine once it's right.

Edited by shtu (Thu 07-Apr-11 12:00:28)
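An added illustration (not code from this thread or from DrayTek) of the two layouts shtu contrasts above: the handset on its own routed public address out of the /29, against the handset on the LAN reached only through port forwards. The 203.0.113.0/24 documentation block stands in for the masked xx.xx.94.0/24 addresses; the LAN address 192.168.1.50 and the SIP/RTP port numbers are assumptions; and the "data filter is never consulted for routed traffic" behaviour is the thread's account, not a verified property of the firmware:

```python
"""Model of where the handset sits relative to the router's firewall.
Layout (a): handset on a routed public address from the /29 (the OP's set-up).
Layout (b): handset on the LAN behind NAT, reached only via port forwards.
Illustrative model written for this thread, not DrayTek code."""
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.16/29")  # stands in for xx.xx.94.16/29
ROUTER_WAN = ipaddress.ip_address("203.0.113.17")      # stands in for xx.xx.94.17
HANDSET_PUBLIC = ipaddress.ip_address("203.0.113.18")  # stands in for xx.xx.94.18
HANDSET_LAN = ipaddress.ip_address("192.168.1.50")     # assumed fixed LAN address, layout (b)

# Layout (b) forward table: (public address, proto, port) -> (LAN host, port).
# Port numbers are assumed for illustration; the real list depends on handset and provider.
FORWARDS: Dict[Tuple[IPv4, str, int], Tuple[IPv4, int]] = {
    (HANDSET_PUBLIC, "UDP", 5060): (HANDSET_LAN, 5060),        # SIP signalling
}
for rtp_port in range(10000, 10010):                             # a small assumed RTP range
    FORWARDS[(HANDSET_PUBLIC, "UDP", rtp_port)] = (HANDSET_LAN, rtp_port)


def usable_addresses(block: ipaddress.IPv4Network) -> List[IPv4]:
    """The addresses a /29 leaves for devices: network and broadcast excluded."""
    return list(block.hosts())


def inbound_routed(dst: IPv4, proto: str, port: int) -> str:
    """Layout (a). The router routes anything in the block that is not itself
    straight through; the WAN->LAN data filter sits in front of the NAT'd LAN
    and is never consulted for these packets (as the thread reports)."""
    if dst not in PUBLIC_BLOCK:
        return "not-ours"
    if dst == ROUTER_WAN:
        return "router-itself"          # the router's own services, e.g. its admin page
    return "delivered-unfiltered"       # every port the handset listens on is reachable


def inbound_nat(dst: IPv4, proto: str, port: int) -> str:
    """Layout (b). A public address reaches the LAN only through an explicit forward."""
    if dst not in PUBLIC_BLOCK:
        return "not-ours"
    target = FORWARDS.get((dst, proto, port))
    if target is None:
        return "dropped"                # no defined forward = no traffic through to the LAN
    lan_host, lan_port = target
    return f"forwarded->{lan_host}:{lan_port}"


def acid_test() -> Dict[str, Tuple[str, str]]:
    """Probes an outsider would aim at the handset's public address:
    (layout a outcome, layout b outcome) per probe.  Probe list is constructed."""
    probes = [("TCP", 80), ("UDP", 5060), ("UDP", 10004), ("TCP", 22), ("UDP", 5061)]
    return {f"{proto}/{port}": (inbound_routed(HANDSET_PUBLIC, proto, port),
                               inbound_nat(HANDSET_PUBLIC, proto, port))
            for proto, port in probes}


if __name__ == "__main__":
    print("usable:", [str(a) for a in usable_addresses(PUBLIC_BLOCK)])
    for probe, (routed, natted) in acid_test().items():
        print(f"{probe:<10} routed: {routed:<22} nat+forward: {natted}")
```

The TCP/80 row is the one that matters: in layout (a) the handset's admin page is reachable from anywhere whatever the filter says, in layout (b) it is dropped because nothing forwards it, and only the SIP and RTP entries get through.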


Standard User plug1 (newbie) Wed 01-Jun-11 11:53:55

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: Klev]

I just had the same problem. The reason is in your filter rules: you shouldn't specify the "Source ports", only the destinations. Set the source ports to 1 to 65536 and all should be well.

Edited by plug1 (Wed 01-Jun-11 11:54:17)
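As an added example (not code from this thread or from DrayTek) modelling how pmb00cs's two points and plug1's fix interact: the Data Filter pointer in General Setup, Next Filter Set chaining, the difference between Block Immediately and Block If No Further Match, and a rule whose Source ports are narrowed to 80 instead of left at 1 to 65535. The action semantics follow the thread's description (the Pass variants are assumed to mirror the Block ones), and 51234 is a constructed client source port:

```python
"""Model of DrayTek-style filter-chain evaluation as described in the thread:
General Setup must point the Data Filter at a start set; sets chain through
"Next Filter Set"; "... Immediately" ends evaluation on first match;
"... If No Further Match" only applies when no later rule matches.
Illustrative model written for this thread, not DrayTek's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (1, 65535)   # "source ports 1 to 65535": no restriction


@dataclass
class Packet:
    direction: str   # "WAN->LAN" or "LAN->WAN"
    proto: str       # "TCP" or "UDP"
    src_port: int
    dst_port: int


@dataclass
class Rule:
    direction: str
    proto: str
    dst_ports: PortRange
    src_ports: PortRange = ANY_PORT
    # "pass_immediately", "block_immediately",
    # "pass_if_no_further_match", "block_if_no_further_match"
    action: str = "pass_immediately"


@dataclass
class FilterSet:
    rules: List[Rule]
    next_set: Optional[int] = None   # the "Next Filter Set" option at the bottom of the set page


def _in_range(port: int, rng: PortRange) -> bool:
    lo, hi = rng
    return lo <= port <= hi


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and _in_range(pkt.src_port, rule.src_ports)
            and _in_range(pkt.dst_port, rule.dst_ports))


def evaluate(sets: Dict[int, FilterSet], start: Optional[int], pkt: Packet,
             default: str = "pass") -> str:
    """Walk the chain from `start` (the set General Setup points the Data Filter at).
    Returns "pass" or "block".  start=None models the Data Filter left unset:
    nothing is consulted and the default applies, however many rules exist."""
    if start is None:
        return default
    pending: Optional[str] = None        # verdict from an "... if no further match" rule
    visited: Set[int] = set()
    set_id: Optional[int] = start
    while set_id is not None and set_id not in visited:   # visited guards a mis-set loop
        visited.add(set_id)
        current = sets[set_id]
        for rule in current.rules:
            if not matches(rule, pkt):
                continue
            verb = rule.action.split("_", 1)[0]           # "pass" or "block"
            if rule.action.endswith("immediately"):
                return verb                                # final: later rules never seen
            pending = verb                                 # provisional: a later match overrides
        set_id = current.next_set
    return pending if pending is not None else default


def demo() -> Dict[str, str]:
    """Constructed scenarios from the thread; returns the verdict for each."""
    probe = Packet("WAN->LAN", "TCP", src_port=51234, dst_port=80)   # browser -> handset admin page
    sip = Packet("WAN->LAN", "UDP", src_port=5060, dst_port=5060)

    # The OP's block-port-80 rule with Source ports narrowed to 80 (plug1's diagnosis) ...
    narrow = FilterSet([Rule("WAN->LAN", "TCP", dst_ports=(80, 80), src_ports=(80, 80),
                             action="block_immediately")])
    # ... and the same rule with Source ports left at 1 to 65535.
    wide = FilterSet([Rule("WAN->LAN", "TCP", dst_ports=(80, 80), action="block_immediately")])

    # Two-set chain: set 2 blocks inbound unless a later set matches; set 3 passes SIP only.
    chain = {
        2: FilterSet([Rule("WAN->LAN", "UDP", (1, 65535), action="block_if_no_further_match"),
                      Rule("WAN->LAN", "TCP", (1, 65535), action="block_if_no_further_match")],
                     next_set=3),
        3: FilterSet([Rule("WAN->LAN", "UDP", (5060, 5060), action="pass_immediately")]),
    }
    return {
        "unset_data_filter": evaluate({2: wide}, None, probe),   # rule exists but is never consulted
        "narrow_source_port": evaluate({2: narrow}, 2, probe),   # src 51234 is not 80: no match
        "any_source_port": evaluate({2: wide}, 2, probe),
        "chain_http": evaluate(chain, 2, probe),                 # nothing in set 3 rescues it
        "chain_sip": evaluate(chain, 2, sip),                    # set 3 overrides the deferred block
        "chain_unlinked": evaluate({2: FilterSet(chain[2].rules), 3: chain[3]}, 2, sip),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<20} {verdict}")
```

The last scenario is the one pmb00cs warns about: set 3 exists and is correct, but with no Next Filter Set pointer from set 2 it is never reached, so SIP is blocked along with everything else.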


Standard User gmackay1903 (newbie) Wed 01-Jun-11 12:07:39

Re: DrayTek 2820 firewall filter rules seem to be ignored [re: Klev]

Try the latest firmware - Firmware Version : 3.3.5.2_232201

It's on the Draytek website