DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall confusion over "LAN/RT/VPN" and "Localhost" meanings

30 Jan 2026 17:06 #105998 by timo_w2s
A few times a month I get a brute force protection warning email that someone has tried to log into a VPN account on one of my routers. According to the IP address these always come from a Chinese-owned data centre somewhere in the world, usually Ucloud, but sometimes Alibaba. So I thought I'd just block the IP ranges of the data centres as a bit of extra protection in my firewall rules.

I'd set my filter rules with the direction set to "WAN -> LAN/RT/VPN" and the Source IP/Country set to an IP Group I'd called "Banned ranges" with the offending data centre IP ranges in it.

This seems to block incoming connections to servers within my local network but it appears to allow users with a banned IP address to still log into the VPN account on the router.

I then changed the rule direction to "WAN -> Localhost" and this seems to stop the banned IPs from accessing the router's VPN, but now the banned IPs can access servers within the network (I have a few ports open).

Is this expected behaviour? Do I have to set up two rules to block access to the VPN on the router and the servers within the local network?

I assume "Localhost" refers just to the router and "LAN/RT/VPN" is stuff on my local network behind the router. I'm not sure why VPN is mentioned here as I find this confusing.

Why is there not an option to block everything from an external IP address? Like a "WAN -> Localhost/LAN/RT/VPN" option.

The routers I'm using are Vigor 2962, 2865 and 2866.

31 Jan 2026 00:05 #106000 by HodgesanDY
Hi,

> Is this expected behaviour? Do I have to set up two rules to block access to the VPN on the router and the servers within the local network?

Yes, correct.

> I assume "Localhost" refers just to the router and "LAN/RT/VPN" is stuff on my local network behind the router.

Yes, correct.

> I'm not sure why VPN is mentioned here as I find this confusing.

Because LAN/RT/VPN are all relevant to routing internally, so to speak, as once a VPN connection is established, it is internally routable and block/allow-able via the Firewall Filter rules.

Before 'Localhost' was an option to choose, only the above option was selectable and a need for the 'Localhost' control was necessary and therefore added - where possible. The 2862 for example, cannot offer this 'Localhost' feature.

The VPN Server hosted on the router, that you connect to from the WAN-side, is a 'Localhost' service. Whereas the LAN/RT/VPN routing is locally connected subnet control.

The following user(s) said Thank You: timo_w2s
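
The two-rule requirement confirmed in the answer above can be checked with a small model; this is an added example, not part of the original posts and not DrayTek's rule format or firmware logic. The direction labels come from the thread, while the rule dictionaries, port numbers and address ranges are assumptions constructed for the sketch.

```python
import ipaddress

# Direction labels are the ones quoted in the thread; the rule dictionaries,
# port numbers and address ranges below are constructed for this sketch.
FORWARDED = "WAN -> LAN/RT/VPN"  # routed on to hosts behind the router
LOCALHOST = "WAN -> Localhost"   # terminates on the router itself (e.g. its VPN server)

BANNED = ["203.0.113.0/24", "198.51.100.0/24"]  # documentation ranges as stand-ins
ROUTER_SERVICES = {443}   # assumed port of the router's own VPN server
PORT_FORWARDS = {8080}    # assumed open port forwarded to a LAN server

def block_rule(direction, sources=BANNED):
    return {"direction": direction, "sources": sources, "action": "block"}

def direction_of(dst_port):
    """Which filter direction a WAN packet falls under, by where it ends up."""
    if dst_port in PORT_FORWARDS:
        return FORWARDED
    if dst_port in ROUTER_SERVICES:
        return LOCALHOST
    return None  # nothing listening on that port

def reaches_service(src_ip, dst_port, rules):
    """True if the packet gets to a listener; the first matching rule decides."""
    direction = direction_of(dst_port)
    if direction is None:
        return False
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["direction"] == direction and any(
            src in ipaddress.ip_network(n) for n in rule["sources"]
        ):
            return rule["action"] != "block"
    return True  # no rule matched: the open port or service answers

def coverage_gaps(rules, banned=BANNED):
    """(range, direction) pairs where no block rule covers the whole banned range."""
    gaps = []
    for net in map(ipaddress.ip_network, banned):
        for direction in (FORWARDED, LOCALHOST):
            covered = any(
                r["direction"] == direction and r["action"] == "block"
                and any(net.subnet_of(ipaddress.ip_network(s)) for s in r["sources"])
                for r in rules
            )
            if not covered:
                gaps.append((str(net), direction))
    return gaps

if __name__ == "__main__":
    for gap in coverage_gaps([block_rule(FORWARDED)]):
        print("not blocked:", gap)
```

Run against a rule set with only the "WAN -> LAN/RT/VPN" rule, it lists every banned range as uncovered for "WAN -> Localhost", which is the situation that let a banned address trigger the brute force protection alert.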

31 Jan 2026 13:16 #106003 by timo_w2s
Thank you, that's cleared up some doubts I had.

I started getting suspicious when I saw a blocked IP range triggering a BFP alert!

The following user(s) Like: HodgesanDY
