
Vigor 3900 Firewall - IP Filter Basics


The DrayTek Vigor 3900, 2960 and 300B routers have an object-based IP and application firewall which allows for many different IP filter rules in many different groups. This can be used to control access to services or IP addresses passing through the router for incoming or outgoing internet traffic, NAT port forwards, UPnP port forwards, VPN traffic and Inter-LAN routing traffic.

This knowledge base article describes how the Vigor 3900 firewall functions and interacts with other functionality of the router.

For a setup guide please refer to the IP Filter Setup example, which demonstrates how to use the IP filter to control which internet IP addresses can access an SMTP server behind the router which is available externally using a NAT Port Forward.


Note: The 1.2.0 Firmware makes significant changes to how Filter Rule Actions operate, please check the Filter Rule Actions tab for more information.



There are three main elements that make up a filter rule, highlighted in the image to the left.

The IP Filter checks each session of incoming, outgoing, VPN and Inter-LAN traffic.

When it does this, the firewall checks whether that session matches the Criteria and the Direction of the first enabled Filter Rule, processing the next rule in order if there is no match. When the router finds a rule that matches those details, it performs the Action specified in that filter rule, either passing or blocking the session.

If the Matching Criteria and Direction do not match any enabled Filter Rules, the IP Filter will perform the Action specified in the Default Policy tab.

The IP Filter is applied after the router's NAT rules, so firewall entries are needed to limit access to a port forward configured on the router, such as one for an SMTP server. If Port Redirection is used with an external port that differs from the internal port, the IP Filter matches firewall rules against the internal port, not the external one.


This flowchart demonstrates how the IP Filter processes an incoming session:



Object Based Firewall

The firewall of these routers uses objects for IP addresses and ports, so that several objects can be grouped and referenced by a single filter rule, which makes management easier. If a filter rule links to an IP Group containing all PCs in the Sales department, for instance, modifying the IP address objects in that IP Group immediately affects that filter rule without any change to the filter rule's own configuration.

Groups & Rules

Under [Firewall] > [Filter Setup], the IP Filter tab lists the Groups; a maximum of 12 groups is allowed, and each group can hold up to 20 filter rules. The groups are processed in order, but a filter rule can jump to a specific group using the "If No Further Match" action, so groups can also be processed out of order. When processing groups out of order, it is important to avoid creating a loop, which could cause issues with firewall functionality.

In this example, the router would process filter rules in the order of Group 1 - Rule 1 > Group 1 - Rule 2 > Group 2 - Rule 1 > Group 3 and so on.

The router does not allow two filter rules or filter groups to have the same name.


Filter rules with an action of Allow must be placed before filter rules with an action of Block; otherwise, when processing rules in order, the router would match the Block rule first and finish processing the session with that rule, resulting in the session being blocked.

Putting Allow rules first, for instance a rule allowing a single IP address to access a service, lets the router match that IP address against the filter rule with an action of Allow and pass the session through the firewall.
Any IP addresses not matching that Allow rule continue to be checked against the filter rules further down the list, match the Block rule, and have their sessions blocked.


The behaviour of Filter Rule Actions has changed with firmware version 1.2.0 to make it possible to exempt traffic from the Application Filter and URL / Web Category Filter using the Accept action.

When upgrading a router with existing filter rules to 1.2.0 or later firmware, change "Accept" actions to "Accept If No Further Match" with no Next Group specified in order to match the behaviour of the previous firmware.

This flow-chart defines how filter rules are processed based on the Action specified with firmware up to 1.1.0.1. Further explanations are available in the table below.


Action Behaviour
Accept
  • Passes a session that has details matching the filter rule
  • Bypasses the Application Filter and URL / Web Category Filters
Accept If No Further Match with Next Group specified
  • Checks the linked Group's filter rules for matches
  • If a match is found that would block the session, processes using that match instead
  • If no match is found, the session is passed and is processed by the Application Filter and URL / Web Category Filters
Accept If No Further Match without Next Group specified
  • Passes a session that has details matching the filter rule
  • Passed to the Application Filter and URL / Web Category Filters
Block
  • Blocks a session that has details matching the filter rule
Block If No Further Match with Next Group specified
  • Checks the linked Group's filter rules for matches
  • If a match that would allow the traffic is found, processes using that match instead
  • If no match is found, the session is blocked
Block If No Further Match without Next Group specified
  • Checks the Application Filter and URL / Web Category Filters for Whitelist entries
  • If a match that would allow the traffic is found, processes using that match instead
  • If no match is found, the session is blocked
Connection Limit
  • This is a session limit: if the number of sessions matching this rule exceeds the number specified, new sessions matching this rule will be blocked
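To make the ordering rules in the Groups & Rules section and the "If No Further Match" actions in the table above concrete, here is an added illustration (not DrayTek code) that models the IP Filter's first-match walk through groups, the jump to a linked Next Group, the Default Policy, and the group loop the article warns about. The rule names, IP ranges and sessions are constructed for the SMTP port forward scenario; the whitelist check of "Block If No Further Match" without a Next Group is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACCEPT, BLOCK = "accept", "block"
ACCEPT_INFM, BLOCK_INFM = "accept_if_no_further_match", "block_if_no_further_match"

@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"        # Source object (internet side for an incoming rule)
    dst: str = "0.0.0.0/0"        # Destination object (local side for an incoming rule)
    dport: tuple = (1, 65535)     # Service Type destination port range
    next_group: str = ""          # "Next Group" for the If No Further Match actions
    def matches(self, s):
        # The filter runs after NAT, so a redirected port forward is matched on its internal port
        return (ip_address(s["src"]) in ip_network(self.src)
                and ip_address(s["dst"]) in ip_network(self.dst)
                and self.dport[0] <= s["dport"] <= self.dport[1])

def verdict(rule):
    return ACCEPT if rule.action in (ACCEPT, ACCEPT_INFM) else BLOCK

def decide_in_group(groups, gname, session, seen=()):
    """First matching rule in one group, following chained Next Group jumps; raises on a loop."""
    if gname in seen:
        raise RuntimeError("filter group loop: " + " -> ".join(seen + (gname,)))
    hit = next((r for r in groups[gname] if r.matches(session)), None)
    if hit is not None and hit.action in (ACCEPT_INFM, BLOCK_INFM) and hit.next_group:
        linked = decide_in_group(groups, hit.next_group, session, seen + (gname,))
        if linked is not None and verdict(linked) != verdict(hit):
            return linked         # the linked group's opposite verdict is used instead
    return hit

def evaluate(groups, session, default=BLOCK):
    """Groups in listed order, first match wins; otherwise the Default Policy applies."""
    for gname in groups:
        hit = decide_in_group(groups, gname, session)
        if hit is not None:
            return verdict(hit), hit.name
    return default, "Default Policy"

# Constructed example: only the office range may reach the SMTP port forward (192.168.1.10:25)
ALLOW_OFFICE = Rule("Allow-Office-SMTP", ACCEPT, src="203.0.113.0/24", dst="192.168.1.10/32", dport=(25, 25))
BLOCK_OTHERS = Rule("Block-SMTP", BLOCK, dst="192.168.1.10/32", dport=(25, 25))
GROUPS_RIGHT = {"Group 1": [ALLOW_OFFICE, BLOCK_OTHERS]}   # Allow placed before Block
GROUPS_WRONG = {"Group 1": [BLOCK_OTHERS, ALLOW_OFFICE]}   # Block first: the office is blocked too
# Two If No Further Match rules pointing at each other: the loop the article warns about
GROUPS_LOOP = {"Group 1": [Rule("A", ACCEPT_INFM, next_group="Group 2")],
               "Group 2": [Rule("B", BLOCK_INFM, next_group="Group 1")]}
```

Calling evaluate(GROUPS_WRONG, ...) with an office source address returns a Block verdict from "Block-SMTP", which is exactly the mis-ordering the article describes.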


This flow-chart defines how filter rules are processed based on the Action specified with firmware up to 1.1.0.1. Further explanations are available in the table below.

Action Behaviour
Accept
  • Passes a session that has details matching the filter rule
  • Passed to the Application Filter and URL / Web Category Filters
Accept If No Further Match with Next Group specified
  • Checks the linked Group's filter rules for matches
  • If a match is found that would block the session, processes using that match instead
  • If no match is found, the session is passed and is processed by the Application Filter and URL / Web Category Filters
Block
  • Blocks a session that has details matching the filter rule
Block If No Further Match with Next Group specified
  • Checks the linked Group's filter rules for matches
  • If a match that would allow the traffic is found, processes using that match instead
  • If no match is found, the session is blocked
Connection Limit
  • This is a session limit: if the number of sessions matching this rule exceeds the number specified, new sessions matching this rule will be blocked

Direction - Input Interface & Output Interface

The direction of a filter rule is decided by the Input Interface and Output Interface. For instance, a rule for incoming traffic would have the Input Interface set to ALL WANS and the Output Interface set to ALL LANS. It is also possible to specify an individual WAN or LAN interface.


Time Schedule

Specifying a Time object makes the filter rule operate on a timer: the filter rule is active during the period that the time object(s) specify and inactive at all other times.

Service Protocol - Ports

This is the protocol that the filter rule will apply to, the router has a number of protocols pre-configured:

SMTP, for instance, uses TCP Port 25. This is specified here as the Destination Port, while the Source Port is entered as 1 - 65535 because of the way NAT operates: the client's source port is arbitrary.

When creating new Service Type Objects, please ensure that the Source Port is specified in this way, otherwise the router may not match the traffic to the protocol specified as expected.

Country Filter

This uses ISO 3166 country codes for IP address matches, the setup of this is described in this guide.

Source - Input Interface

This checks for a matching IP address as specified in an IP Object or IP Group, a User Profile / Group which applies when using User Management or an LDAP group. For an incoming filter rule, this would be the internet IP address(es).

Destination - Output Interface

This checks for a matching IP address as specified in an IP Object or IP Group, a DNS object (for HTTPS or general DNS filtering), a User Profile / Group which applies when using User Management or an LDAP group. For an incoming filter rule, this would be the local IP address.
