DrayTek 2820 firewall filter rules seem to be ignored

I am unable to use SIP/VOIP over NAT reliably with my VOIP provider (or in fact any VOIP provider) despite trying numerous configurations. I was able to to obtain a /29 block of public IP addresses from my ISP.

My IP range is:

xx.xx.94.16 -> xx.xx.94.23

This gives a usable range of:

xx.xx.94.17 -> xx.xx.94.22

My router's public IP address is: xx.xx.94.17, the SIP VOIP handset is allocated xx.xx.94.18 (I am going to add others).

This is working great and all of my SIP/VOIP issues have gone away. However I can't seem to block access to non-SIP ports on the public IP range. In particular I want to block access to port 80 which is the administration web interface for the handset.

I added a filter rule to block:

Direction: WAN -> LAN
Source IP: Any
Destination IP: Any
Service Type: TCP Port 80
Filter Action: Block Immediately

However this is totally ignored.

I then tried the approach of setting the default rule in General Setup to block everything and then added rules to allow full access from LAN to WAN and then open specific WAN -> LAN ports for SIP. That seems to be totally ignored as well and disabled outbound internet access from the NAT'd LAN.

I also tried following this guide (obviously changing the ports to suit my own needs) but again the filters are just ignored:

IP Filter/Firewall - IP Filter Samples - FTP server.

I am running the very latest firmware (3.3.5.1_211801).

If this was a "normal" router or firewall device I'd have no problems (I've worked with Cisco, Summit, Linux IPTables etc), but the DrayTek config is driving me up the wall.

Is the DrayTek firewall just fundamentally broken in some way?

On the "Firewall > General Setup" page you need to point the data filter at one of the filter sets.

Once the first filter is set up, and pointed at (default is filter set 2 which is named "Default Data Filter" by default) any subsequent filter sets that you wish to use need to be pointed at within the filter set (on the "Firewall > Filter Setup > Edit Filter Set" page is a "Next Filter Set" option on the bottom of the page)

Also, as I understand it, (and I haven't done extensive testing here) if the option is set to Block Immediately it doesn't matter if it is in any further rules, and should be set to Block if no further match instead.

I hope this helps, and apologise if this is not helpful, or if you have already tried this with no joy.

It sounds simple doesn't it.

But, I have never made it work on any of my 2600 series routers - or my 2820.

Klev and I are missing something - but what?

Aren't you assigning public IP addresses to your handsets?

If you are, firewall rules won't work at all, as they are outside the firewall.

Edit...

Acid test, set up a firewall rule for WAN -> LAN, blocking *everything*.

My bet is your phones will still work.

I would be looking at putting the phones on the LAN side with a fixed IP, and using port forwarding to sort out any problems you get.

Edited by deleted (Wed 06-Apr-11 13:24:48)

In reply to a post by shtu:

Aren't you assigning public IP addresses to your handsets?

If you are, firewall rules won't work at all, as they are outside the firewall.

In my case, the VoIP handsets are plugged straight into the 2600VG router using Public IP addresses - and you are right; I would not expect firewall rules to achieve anything.

In reply to a post by shtu:

I would be looking at putting the phones on the LAN side with a fixed IP, and using port forwarding to sort out any problems you get.

Again, I agree with you - that is a way round most of the issues (and works well - all my servers use port forwarding).


But overall, it still leaves the basic point made by the OP, which is that any filter rules created just seem to be ignored.

In reply to a post by Klev:

My IP range is: xx.xx.94.16 -> xx.xx.94.23

My router's public IP address is: xx.xx.94.17

the SIP VOIP handset is allocated xx.xx.94.18 (I am going to add others).

Reading this, the OP's phone is connected directly to the internet, ie, outside the firewall.

If you or I put in the IP address of that phone into a browser, we would get its web interface, as it's on the public side of the router.

(Unless I'm missing something here?)

Logically it is outside the firewall, but physically it is not. I would expect a router that claims to have a "Robust & Comprehensive Firewall" to be able to handle this set up.

Unfortunately I haven't got multiple IP's available to test this properly.

The phone is not on the LAN. Ergo, the firewall has no say in the matter - it sits between LAN and WAN. The phone is outside what the firewall can control.

What you have done is not the recommended approach - the phone is sat as a public device on a publlic IP range with no protection whatsoever. This is why your port forwarding and firewall woes have stopped - it's no longer behind the firewall.

(I'm guessing you don't want to go to a seperate modem, plus inner and outer DMZ firewalls, so,)

With the kit you have, the approach that will work would be to.

Use one of the public IPs as your phone IP.

Put the phone on the LAN IP range, and use port forwarding to push the traffic to the phone from the public IP. You can then implement firewall rules to restrict what passes through (though technically, the forwarding rules would do much the same - no defined forward = no traffic through to LAN IP.)

Your trouble, as always, is getting a good list of the ports and types to set up your rules properly. What phone, and what provider?

EDIT - you clearly know this already, I'm not trying to start a fight here. The Draytek doesn't contain multiple firewalls so you are limited to port forwarding, which is usually fine once it's right.

Edited by deleted (Thu 07-Apr-11 12:00:28)

I just had the same problem, the reason is in your filter rules, you shouldnt specify the "Source ports" only the destinations, set the source ports to 1 to 65536 and all should be well.

Edited by deleted (Wed 01-Jun-11 11:54:17)

Try the latest firmware - Firmware Version : 3.3.5.2_232201

It's on the Draytek website