
Draytek firewall question


Chris Green

Feb 3, 2022, 5:48:05 AM
I have a Draytek Vigor 2860n+ as my VDSL modem/router.

I think one of the firewall rules has got mis-configured but I just
want to check first.

It's the default rule that is supposed to block netBios queries, it's currently:-

Comments: xNetBios -> DNS
Direction: LAN/DMZ/RT/VPN -> WAN
Src IP: Any
Dest IP: Any
Service type: TCP/UDP, Port: from 137~139 to 53
Action: Block Immediately


That seems to me to be in the wrong direction. It also seems to be
blocking DHCP from WiFi connected devices at the moment (which it
shouldn't do whichever direction it's configured but it's an issue
I've come across before using a separate DHCP/DNS server)

Can anyone tell me how this rule (that tends to come pre-configured,
but I may have changed it inadvertently) should be set up?

Apart from the above rule the firewall is set up to block everything except:-

Incoming ssh connections from some specific IP addresses
Incoming smtp connections from my hosting provider
All outgoing connections

So it should block any incoming NetBios attempts anyway. Thinking
about it now I think the above rule is/was supposed to stop random
netBios queries going around the home LAN, not to stop things from
outside but disabling it certainly allows my DHCP server to work from
WiFi connected systems. I'm sure this *used* to work OK, that's what
is confusing me.

--
Chris Green

Graham J

Feb 3, 2022, 7:02:36 AM
My V2860 shows:

Default Call Filter:

Enabled
Comments: Block NetBios
Direction: LAN/DMZ/RT/VPN -> WAN
Source IP: Any
Dest IP: Any
Service type: TCP/UDP, Port: from 137~139 to any
Action: Block Immediately

Default Data Filter:

Enabled
Comments: xNetBios -> DNS
Direction: LAN/DMZ/RT/VPN -> WAN
Source IP: Any
Dest IP: Any
Service type: TCP/UDP, Port: from 137~139 to 53
Action: Block Immediately

This seems to be the same as yours

This is unchanged from the manufacturer's default. It's supposed to
prevent NetBIOS traffic from appearing on the WAN. Incoming traffic
should not contain NetBIOS packets, but if it does it should be blocked
by virtue of NAT. Do you have the default NAT configuration?

NetBIOS traffic would normally be expected to appear on your LAN unless
you have a good reason to block it.

My router has no Defense Setup at present. However, if DoS Defense is
enabled some functions that you would expect to work do fail. I've seen
DNS fail (can't now remember why), and specifically where a V2860
connects its WAN2 to a V130 it is supposed to show the V130 line status
under "Remote ADSL Information From WAN 2" - I've seen this fail -
again, I can't remember why.

You could enable Syslog to see what traffic your filter is blocking.

I can't see why the firewall would affect traffic on the LAN between
wired and wireless ports - it should not be looking at that traffic.
But the wireless settings do provide separate control which may cause
your problem.

Does your DNS/DHCP problem arise when wireless clients connect to the
router? Or only when those clients connect via a third party access point?


--
Graham J
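To check the point made above, that a rule matching only source ports 137~139 in the LAN -> WAN direction cannot account for DHCP failing, here is a small model of the two default rules quoted in this post. This is an added illustration, not Draytek's own filter code; the packet fields and the sample packets are constructed.

```python
"""Model of the two default Vigor 2860 filter rules quoted in the thread,
evaluated against constructed sample packets (added example, not router code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "lan->wan", "wan->lan" or "lan->lan" (constructed labels)
    sport: int       # source port
    dport: int       # destination port

@dataclass(frozen=True)
class Rule:
    comment: str
    direction: str
    sport_range: tuple   # (low, high) inclusive
    dport_range: tuple   # (low, high) inclusive; ANY means "to any"

ANY = (0, 65535)

# The Default Call Filter and Default Data Filter exactly as quoted above:
# Direction LAN/DMZ/RT/VPN -> WAN, TCP/UDP, from 137~139 to any / to 53.
DEFAULT_RULES = [
    Rule("Block NetBios", "lan->wan", (137, 139), ANY),
    Rule("xNetBios -> DNS", "lan->wan", (137, 139), (53, 53)),
]

def matches(rule, pkt):
    """True when the packet falls inside the rule's direction and port ranges."""
    return (pkt.proto in ("tcp", "udp")
            and pkt.direction == rule.direction
            and rule.sport_range[0] <= pkt.sport <= rule.sport_range[1]
            and rule.dport_range[0] <= pkt.dport <= rule.dport_range[1])

def verdict(pkt, rules=DEFAULT_RULES):
    """Comment of the first block rule the packet hits, or 'pass' if none."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.comment
    return "pass"

# Constructed sample traffic.
DHCP_DISCOVER  = Packet("udp", "lan->lan", 68, 67)      # client to local DHCP server
DNS_QUERY      = Packet("udp", "lan->wan", 51234, 53)   # ordinary resolver query
NETBIOS_NS     = Packet("udp", "lan->wan", 137, 137)    # NetBIOS name service leaking out
NETBIOS_TO_DNS = Packet("udp", "lan->wan", 137, 53)     # the case the Data Filter names
```

Whatever direction is selected, a DHCP exchange on ports 67/68 never falls inside 137~139, so if the Syslog suggested above shows DHCP being dropped, the cause is not this rule's match criteria.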

Chris Green

Feb 3, 2022, 7:48:06 AM
Yes it is, and it blocks DHCP requests on the 2860n's WiFi (I have a
separate DHCP server, the 2860n has its DHCP turned off).


> This is unchanged from the manufacturer's default. It's supposed to
> prevent NetBIOS traffic from appearing on the WAN. Incoming traffic
> should not contain NetBIOS packets, but if it does it should be blocked
> by virtue of NAT. Do you have the default NAT configuration?
>
Yes, I'm pretty much default. So the firewall rule is to keep things
from getting out *to* the outside world?


> NetBIOS traffic would normally be expected to appear on your LAN unless
> you have a good reason to block it.
>
> My router has no Defense Setup at present. However, if DoS Defense is
> enabled some functions that you would expect to work do fail. I've seen
> DNS fail (can't now remember why), and specifically where a V2860
> connects its WAN2 to a V130 it is supposed to show the V130 line status
> under "Remote ADSL Information From WAN 2" - I've seen this fail -
> again, I can't remember why.
>
> You could enable Syslog to see what traffic your filter is blocking.
>
> I can't see why the firewall would affect traffic on the LAN between
> wired and wireless ports - it should not be looking at that traffic.
> But the wireless settings do provide separate control which may cause
> your problem.
>
> Does your DNS/DHCP problem arise when wireless clients connect to the
> router? Or only when those clients connect via a third party access point?
>
The DHCP/DNS fails to configure when connecting directly to the
2860n's WiFi, it works fine when connecting to other APs on the LAN
using WiFi. This is why I may not have noticed the problem for a
while as the 2860n is upstairs and its WiFi is rarely used.

--
Chris Green

Graham J

Feb 3, 2022, 8:23:28 AM
Chris Green wrote:

[snip]

>> This seems to be the same as yours
>>
> Yes it is, and it blocks DHCP requests on the 2860n's WiFi (I have a
> separate DHCP server, the 2860n has its DHCP turned off).

There's nothing in the description of this filter that suggests it is
placed between the WiFi port and a wired port. So I suspect it is a
bug. Have you reported it to Draytek?

[snip]

>> You could enable Syslog to see what traffic your filter is blocking.

[snip]

> The DHCP/DNS fails to configure when connecting directly to the
> 2860n's WiFi, it works fine when connecting to other APs on the LAN
> using WiFi. This is why I may not have noticed the problem for a
> while as the 2860n is upstairs and its WiFi is rarely used.

Given that the location of a router needs to be optimised for the VDSL
connection, it makes sense to disable its WiFi and use a wireless access
point (or several) located where you require the wireless coverage.
That does of course mean that the AP(s) have to connect to the router
by wire.



--
Graham J

Chris Green

Feb 3, 2022, 8:48:14 AM
Graham J <nob...@nowhere.co.uk> wrote:
> Chris Green wrote:
>
> [snip]
>
> >> This seems to be the same as yours
> >>
> > Yes it is, and it blocks DHCP requests on the 2860n's WiFi (I have a
> > separate DHCP server, the 2860n has its DHCP turned off).
>
> There's nothing in the description of this filter that suggests it is
> placed between the WiFi port and a wired port. So I suspect it is a
> bug. Have you reported it to Draytek?
>
Not yet, but I think I will, it's easily reproducible.


> [snip]
>
> >> You could enable Syslog to see what traffic your filter is blocking.
>
> [snip]
>
> > The DHCP/DNS fails to configure when connecting directly to the
> > 2860n's WiFi, it works fine when connecting to other APs on the LAN
> > using WiFi. This is why I may not have noticed the problem for a
> > while as the 2860n is upstairs and its WiFi is rarely used.
>
> Given that the location of a router needs to be optimised for the VDSL
> connection, it makes sense to disable its WiFi and use a wireless access
> point (or several) located where you require the wireless coverage.
> That does of course mean that the AP(s) have to connect to the router
> by wire.
>
Yes, just my situation. The phone line comes in upstairs to my study,
most WiFi use is downstairs.

--
Chris Green

grinch

Feb 4, 2022, 7:14:20 AM
Is it the implicit deny function? If you add a rule blocking something
you have to allow everything else. Cisco kit works like that.

Graham J

Feb 4, 2022, 11:25:13 AM

grinch wrote:

[snip]

>>
> Is it the implicit deny function? If you add a rule blocking something
> you have to allow everything else. Cisco kit works like that.

If so, then traffic from one wired port would be blocked from travelling
to another wired port, and as far as we are told this does not happen.

So far as I understand there is no logical difference between a wired
port and a wireless port - both types are connected to a switch on the
LAN, before any routing function.

Further, if one needed to create an "allow" rule there should be a
setting for wired LAN port (number 1,2,3, etc.) to wireless port, but in
my V2860 the only available "Direction" choices are:

1) LAN/DMZ/RT/VPN -> WAN

2) WAN -> LAN/DMZ/RT/VPN

3) LAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN


Further, under the "Advanced" setting for direction,
the group LAN/DMZ/RT/VPN
can have any of the following selected:
LAN1
LAN2
LAN3
LAN4
LAN5
LAN6
DMZ
IP Routed Subnet
VPN

and the WAN group can be any of WAN1 through WAN7

So there's no way to select the WiFi port.


--
Graham J