Messy portforward

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by swe_deathvalley, Nov 7, 2006.

  1. swe_deathvalley

    swe_deathvalley LI Guru Member

    In the RV082 if I want to enable port forward with firewall rules I first have to enable portforward, then go to fw and add a deny rule for that specific forward then add a grant rule with the specific grant I want for a forward. Now this leads to 3 steps to do for each forward. In my old DLink DWL 700 I just had to add the FW rule that I wanted and that would by it self become a forward (if grant was to one specific internal IP), that's just one step!

    Wouldn't that be good to have on the RV0xx series?
  2. OpticalMan

    OpticalMan LI Guru Member

    There must be something you are not telling us. The RV082 can forward in one step without adding any additional firewall access rules. Please explain your access / deny constraints.
  3. pablito

    pablito Network Guru Member

    He's right and he's wrong. Using the Port Forward section your entries silently create the allow rules. You're done at that point. However if you add some allow/deny rules it has no effect since the packet has already passed the PF allow rule.

    If you want to control the allow/deny rules then instead put your port forward rules under the UPnP section. Don't activate UPnP (unless you're into that sort of thing..). A silent allow rule is still added but it is *after* your deny rules.

    {{hint to beta test, put the UPnP on/off and UPnP style PF rules in the PF section instead. The PF rules will still create the initial allow rule as it does now but a user has an obvious way to set allow/deny rules as required.}}
  4. swe_deathvalley

    swe_deathvalley LI Guru Member

    Could be that I'm missing some thing. What I want to do is to allow say port 4242 to be forwarded to my internal IP and only from say I have now added a port forward rule, then a deny rule then a allow rule. This seems to work at least but its 3 steps for each forward that I do.

    UPNP, cant see how this would become a one step setup.
  5. d__l

    d__l Network Guru Member

    I don't understand. You can set up one access rule that allows Source IP: access to Destination IP: on TCP and/or UDP port 4242 and even restrict it to work only at certain times during certain days.

    If you want to change service ports (ie, port translation) to say, incoming 42 to 4242 internally, then you would have to do this with multiple rules and UPnP port forwarding.

    Edited slighty to better describe port translation function.
  6. swe_deathvalley

    swe_deathvalley LI Guru Member

    Thats news to me. still messy since I really forward 4242-4247. That would mean that I would first have to add 6 service entries to the UPNP service table, then 6 UPNP rules, then a FW rule to allow. Thats 13 steps(10 steps more than my way). Also having to add to different places is flawed and will lead to human error when having more fowards. This is way inferior than just adding a allow rule in the DLINK (dlink has differnt problems but thats beside the point).
  7. pablito

    pablito Network Guru Member

    You didn't read my post. If you want to forward from one to port to another then put it in the UPnP section instead of the port forward tab. That's one step.

    If you want to limit who can connect then add your allow rule and finally a deny all rule. Can't get away from more steps if you want to limit. You need the deny all rule since the one step function adds an allow all rule (that you can't see).

    That's not a big deal at all.
  8. d__l

    d__l Network Guru Member

    I take it you didn't even look over the Access Rule addition page! You do everything I stated previously and add the range 4242 to 4247 instead of only 4242. This is still only one rule! Can't get any simpler than that.

    Don't go near the UPnP settings unless you are doing port translations.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice