Firewall access rules conf and IGMP proxy

Alex Johnson
Level 1

Hello,

 

On my Cisco router (model RV340W) I have a TV decoder from my internet service provider. It is connected to my Cisco router (LAN4/VLAN3). The Cisco router itself is connected to my internet service provider's router (by WAN1 and WAN2).

Configuration of VLAN3 and WAN2 address attribution: DHCP

Routing parameters: IGMP proxy -> upstream WAN2 -> downstream VLAN3

VLAN3/WAN2 are dedicated only to the IP multicast (TV stream).

Everything works perfectly. I want to apply firewall access rules to deny access to VLAN3 and WAN2 at certain hours of the day to cut the TV stream. Problem: the rules don't work.

I chose to deny: VLAN3 -> WAN2 (service: all traffic, source and destination: all, time: always, rule: enabled).

Same rule for: WAN2 -> VLAN3

Can you explain why the access rules don't work (the TV stream is never cut) and how to fix that, if possible, please?

 

Regards,

 

Rei

14 Replies

Could you post the ACL configuration you are trying to implement? I am assuming that this is being configured on the router and not on an actual firewall?

--
Please remember to select a correct answer and rate helpful posts

Just noticed that you are using RV340W.

 

I chose to deny: VLAN3 -> WAN2 (service: all traffic, source and destination: all, time: always, rule: enabled)

 

You have set the time to Always. You need to change this to your desired time range.

1. Go to System Configuration > Schedule and click Add. Enter a meaningful name, the desired time range and the days the rule should apply to.

2. Go to Firewall > Access Rules and either edit an existing rule or add a new rule. Under Scheduling > Schedule Name, select the name you just created and apply the changes.

 


Firstly, thanks for your help, Marius Gunnerud; really appreciated.

 

I have made some access rules with some schedules, for example:

VLAN3 -> WAN2 (denied; service: all traffic, source and destination: all, time: morning; rule: enabled) (morning = 10:30AM/12:00AM)

VLAN3 -> WAN2 (denied; service: all traffic, source and destination: all, time: afternoon; rule: enabled) (afternoon = 14:30PM/16:30PM)

VLAN3 -> WAN2 (denied; service: all traffic, source and destination: all, time: evening; rule: enabled) (evening = 19:30PM/21:30PM)

But for some unknown reason, the TV decoder is always active and transmits the stream to the TV.

 

Is the IP address of the TV decoder by any chance part of the subnets configured for all three rules?


The IP address of the TV decoder is an integral part of VLAN3 (checked in the ARP table). Example:

 

- TV decoder IP: 194.168.4.xxx --> MAC: xx:xx:xx:xx..... --> VLAN3

 

I hope I understood the meaning of your question?

What I am trying to get at is: if the TV decoder IP is part of the VLAN3 subnet, and you are defining the whole VLAN3 subnet in the access rule, then the TV decoder will always be matched. You would need to add an access rule above the three existing rules specifically for the TV decoder that denies the traffic during the required timeframe.


When you say "add an access rule above the three existing rules", is this rule OK for you?

192.168.4.xxx -> ANY (denied; service: all traffic, source and destination: all, time: always; rule: enabled)

(replaced WAN2 by ANY and VLAN3 by the TV decoder IP, and time: always, above my 3 rules)?

Otherwise, no, I do not understand. Can you send me an example, please?

 

 

That rule has time: always, which is not what you are after... or is it?

In any case, I suggest placing the rule at the top of the list. There are buttons on the left that say up and down; click up until the rule is at the top of the list.


The problem: I have tried a rule to block all packets.

(All ports, all traffic crossing the router, anytime, in first position of the rules, etc. ...)

With this rule all my devices (computer, wifi, smartphone) are blocked, but not the TV decoder. It is always active.

 

 

It is possible the router is not able to match on the traffic type from the TV decoder. That is, if there is not an issue with the cabling in your network.


Hmm. The TV stream uses the RTP protocol. It's a bit strange, but maybe...

Hey, RTP protocol over unicast or multicast IP?

Hmmm. You mean I should try to connect the TV decoder (VLAN4) to my internet service provider (WAN2) only with static routing rules, and without igmpproxy?

If I believe the technical specifications of the TV decoder, multicast IP.
