
Interpreting / using the RV042 Firewall settings

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by fred3, Mar 22, 2007.

  1. fred3

    fred3 Network Guru Member

    I've got an RV042 with firewall settings such that:

    1) Allow certain services from a particular WAN IP address as the source
    to a particular LAN address.
    2) Allow certain services from a particular LAN IP address as the source
    to a particular WAN IP address.

    At the bottom of the list is a grayed out entry (i.e. can't be changed) that says:
    3) Allow all traffic with the LAN as the source from any IP to any IP.
    4) *Deny* all traffic with the WAN as the source from any IP to any IP.

    Does #3 override #2?
    Or, does the order of the rules act something like a routing table and have an effect on what happens?

    Surely 1 and 4 can be interpreted like this can't they:

    4) *Deny* all traffic with the WAN as the source from any IP to any IP.
    *except*
    1) Allow certain services from a particular WAN IP address as the source
    to a particular LAN address.
    ?

    Does that imply:
    3) *Deny* all traffic with the LAN as the source from any IP to any IP.
    *except*
    2) Allow certain services from a particular LAN IP address as the source
    to a particular WAN IP address.

    Note the inversion of the rule in 3 here as implied by the existence of 2.

    Is there anyplace anyone can recommend where figuring out the "rules" for these firewall settings can be found?

    Thanks
     
  2. pablito

    pablito Network Guru Member

    The rules are analyzed in the order you see them. First rule that applies to a request is used. Understand however that any port forwards you might have will create an Allow All firewall rule that you don't see and is at the top meaning that any Deny rules you might have pertaining to the port forward are never hit. In cases where you want to limit access you should put your port forwards in the UPnP section instead (leave UPnP turned off). That way your deny rules are effective.
     
  3. fred3

    fred3 Network Guru Member

    Clarification

    Thanks.

    Can you clarify what you mean by:
    "Understand however that any port forwards you might have will create an Allow All firewall rule that you **don't see** and is at the top"
    ?

    Thanks again.
     
  4. fred3

    fred3 Network Guru Member

    And, #2 is redundant because anything that would be handled by #2 would be handled by #3 anyway. Is that right?

    Or, alternately, #2 serves to route LAN sourced things on those allowed ports TO the specified WAN IP - which is more than #3 will do?????
     
  5. pablito

    pablito Network Guru Member

    If you for example put in a port forward and then add firewall rules that should only allow a specific IP while denying the rest you'll find that everyone can get in anyway. If you put the same port forward in via the UPnP page you'll find that the firewall rules work as expected.
     
  6. fred3

    fred3 Network Guru Member

    Thanks pablito. I'm still working toward developing a clear set of rules and this is very helpful! Let me rephrase your last to see if I understand:

    I see a number of places that Services (ports and protocols) can be entered:
    Setup / Forwarding
    Setup / UPnP
    Firewall / Access Rules
    System / Bandwidth Management
    I will ignore Bandwidth Management for now....
    I'm not using any Forwarding rules.... yet
    I'm not using any UPnP rules .... yet
    I just have Firewall rules.

    So, I understand that the firewall rules are applied in order like a routing table would be. Good enough.
    So, to confirm my understanding, I'll repeat the questions I've asked and try to answer them:

    GIVEN: the 4 firewall rules in the earlier post, in the order given:

    Q: Does this work this way:
    1) Allow certain services from a particular WAN IP address as the source
    to a particular LAN address.
    otherwise:
    4) *Deny* all traffic with the WAN as the source from any IP to any IP.
    A: Yes.

    Q: Is #2 redundant?
    2) Allow certain services from a particular LAN IP address as the source
    to a particular WAN IP address.
    otherwise:
    3) Allow all traffic with the LAN as the source from any IP to any IP.
    So: Any LAN traffic allowed by #2 will be allowed and won't reach #3.
    Any LAN traffic not specifically allowed by #2 will reach #3 and will be allowed. Thus #2 does nothing more than #3 does.
    A: #2 is redundant.

    Then, to pick up on your comments about port forwarding and UPnP:

    Q: Does Forwarding override Firewall?
    A Forward (service) implies WAN to LAN.
    A Forward (service) directs traffic to a specific LAN IP by definition.
    If there's a Firewall rule for the same service that would limit the WAN source IP address to a particular range, this will be overridden by the Forward.
    Q: Forwarding rules supersede Firewall rules.

    UPnP rules imply WAN to LAN (?).
    UPnP rules supersede Firewall rules.
    Forwarding rules supersede UPnP rules (?).
    A UPnP rule directs all traffic for the service (port) to a specific LAN IP.
    If UPnP is not enabled then the traffic dies.

    So: If
    there's no Forwarding rule
    and, if
    there's a UPnP rule for a service and it's disabled
    Then
    the traffic for that service is denied.
    Any firewall rules for that service are bypassed
    ??

    Summary:

    Forwarding supersedes UPnP and Firewall
    UPnP supersedes Firewall
    All rules are applied in order in every case.
     
  7. pablito

    pablito Network Guru Member

    That's a lot to try to figure out... You might be making it more complicated but here it goes:

    1- correct, if a matching rule says deny then it is denied.

    2- correct, the first rule that matches will apply so in this case you are allowing all LAN IPs to go anywhere (same as the default rules)

    In a sense port forwarding does trump firewall rules. Use UPnP rules instead.

    Think of the UPnP rules as exactly the same as port forward except that you can apply firewall rules and they will be obeyed. Don't use both, use one or the other for any desired forward.
    No, UPnP rules and the UPnP service are not related in any way. It was just a dumb place for Linksys to put those rules. Again, pretend that UPnP rules *are* port forward rules and ignore the port forward tab. Unless you actually want to use UPnP (heaven knows why) then don't enable the service, it won't affect the UPnP rules in any way.

    In summary, use UPnP rules as you would port forward rules. Don't enable the UPnP service. If you don't add any firewall rules then the UPnP rules behave just like a port forward rule. If you want to limit who can use the port forward (UPnP rule) then add the Allow Rule(s) in the firewall followed by a Deny All rule.

    enjoy.
     
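To make the first-match behaviour pablito describes in posts 2, 5 and 7 concrete, here is a small Python model added to this thread (it is not Linksys/Cisco firmware code and not from either poster). The Rule fields, the documentation-range addresses and the `setup_forwards` parameter are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Toy model of RV042 first-match rule evaluation as described in the thread.
# Added example, not Linksys/Cisco firmware code; field names are assumptions.

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    iface: str              # source interface: "WAN" or "LAN"
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # destination port, None = any port
    src: str = "0.0.0.0/0"  # source network (CIDR)
    dst: str = "0.0.0.0/0"  # destination network (CIDR)

    def matches(self, pkt: dict) -> bool:
        return (self.iface == pkt["iface"]
                and self.proto in ("any", pkt["proto"])
                and self.port in (None, pkt["port"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))

# The two greyed-out defaults at the bottom of the Access Rules list.
DEFAULT_RULES = [Rule("allow", "LAN", "any", None),
                 Rule("deny", "WAN", "any", None)]

# Constructed admin rules: one WAN host may reach a LAN service on tcp/3389,
# everyone else is denied. Addresses are documentation ranges, not real hosts.
ADMIN_RULES = [Rule("allow", "WAN", "tcp", 3389, "203.0.113.10/32", "192.168.1.50/32"),
               Rule("deny", "WAN", "tcp", 3389)]

def evaluate(rules, pkt, setup_forwards=()):
    """Return 'allow' or 'deny' for pkt; the first matching rule wins.
    A forward entered under Setup/Forwarding acts like an invisible
    Allow rule at the top of the list. A forward entered on the UPnP
    page adds no hidden rule, so the visible Access Rules decide."""
    hidden = [Rule("allow", "WAN", proto, port) for proto, port in setup_forwards]
    for rule in hidden + list(rules) + DEFAULT_RULES:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # unreachable while the defaults are present; safe fallback

if __name__ == "__main__":
    trusted = {"iface": "WAN", "proto": "tcp", "port": 3389,
               "src": "203.0.113.10", "dst": "192.168.1.50"}
    stranger = dict(trusted, src="198.51.100.7")
    print(evaluate(ADMIN_RULES, trusted))                    # allow
    print(evaluate(ADMIN_RULES, stranger))                   # deny (UPnP-page forward)
    print(evaluate(ADMIN_RULES, stranger, [("tcp", 3389)]))  # allow: Setup forward bypasses the deny
```

The third call shows the problem pablito warns about: with the forward on the Setup/Forwarding page, the Deny rule for other WAN sources is never reached.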
  8. fred3

    fred3 Network Guru Member

    thanks and another question

    Thanks to pablito for the thoughtful reply!

    One thing I'm trying to figure out how to do - IF it's possible:

    One RV042 (#1) WAN is the internet connection.
    Other RV042s (#2 and #3) (their WAN sides) are connected to the LAN side of #1.

    Can I set up #1 so that it will allow *both* #2 and #3 to be VPN end points?

    It certainly appears that this can be done with *one* VPN in this configuration (i.e. on #2). This is done with Firewall Access Rules for ports 50, 500 and Ping 255 that direct these services from that public IP to the IP of #2. This type of rule would appear to work for any number of devices behind #1.

    However, this is also done by port forwarding in #1 from particular public IP addresses to the IP of #2. But, these are specific port 500 and port 50 forwards to the IP of #2. It appears that these port forwards to #2 can't be repeated for a (new) #3 because one would precede and, thus, overrule the other. Is there another way so that one can have more than one VPN end point behind the first RV042?

    Thanks!
     
