03-23-2018 05:26 AM - edited 03-21-2019 11:07 AM
I have an internal host that I want to restrict to allow access to only one external site.
I put in the following Firewall>Access Rules:
Action        Service      Status   Connection Type       Source IP     Destination IP  Log
Always allow  All Traffic  Enabled  Outbound (LAN > WAN)  192.168.1.25  X.X.X.X         Always
Always block  All Traffic  Enabled  Outbound (LAN > WAN)  192.168.1.25  Any             Always
But in my logs I see:
2018-03-23 19:52:11 RV130 kern.warning ACL Allow src=192.168.1.25 Dst=X.X.X.X Protocol=TCP SrcPort=59891 DestPort=443
2018-03-23 19:52:11 RV130 kern.warning ACL Drop src=192.168.1.25 Dst=X.X.X.X Protocol=TCP SrcPort=59891 DestPort=443
The connection starts and then is dropped. The external site reports no connections.
This is not what I expect to happen. How can I get what I want, the internal host to only access one external site?
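Added example (not part of the original post): a small parser for the RV130 "ACL Allow/Drop" syslog format quoted above, plus a check that flags any flow logged as Allow and then Drop on the same 5-tuple, which is exactly the symptom described. The sample lines are constructed for this example; 203.0.113.10 and 203.0.113.20 (documentation addresses) stand in for the redacted X.X.X.X, and the extra lines show flows that should not be flagged.

```python
import re
from collections import defaultdict

# Constructed sample in the RV130 syslog format quoted in the question.
# 203.0.113.x stands in for the redacted X.X.X.X destination.
SAMPLE_LOG = """\
2018-03-23 19:52:11 RV130 kern.warning ACL Allow src=192.168.1.25 Dst=203.0.113.10 Protocol=TCP SrcPort=59891 DestPort=443
2018-03-23 19:52:11 RV130 kern.warning ACL Drop src=192.168.1.25 Dst=203.0.113.10 Protocol=TCP SrcPort=59891 DestPort=443
2018-03-23 19:52:13 RV130 kern.warning ACL Allow src=192.168.1.30 Dst=203.0.113.20 Protocol=TCP SrcPort=50001 DestPort=443
2018-03-23 19:52:14 RV130 kern.warning ACL Drop src=192.168.1.25 Dst=198.51.100.5 Protocol=UDP SrcPort=41000 DestPort=53
"""

# One ACL log line: timestamp, hostname, syslog facility.severity, verdict, 5-tuple.
ACL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\S+) "
    r"ACL (?P<verdict>Allow|Drop) src=(?P<src>\S+) Dst=(?P<dst>\S+) "
    r"Protocol=(?P<proto>\S+) SrcPort=(?P<sport>\d+) DestPort=(?P<dport>\d+)$"
)


def parse_acl_line(line):
    """Return a dict of fields for an ACL log line, or None if it is not one."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flow_key(rec):
    """5-tuple identifying one connection attempt."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def find_allow_then_drop(lines):
    """Flows logged as Allow and later as Drop, in the order they were first contradicted."""
    seen_allow = set()
    contradicted = []
    for line in lines:
        rec = parse_acl_line(line)
        if rec is None:
            continue  # not an ACL line (or a line in another format)
        key = flow_key(rec)
        if rec["verdict"] == "Allow":
            seen_allow.add(key)
        elif key in seen_allow and key not in contradicted:
            contradicted.append(key)
    return contradicted


def summarize(lines):
    """Count verdicts per source host, e.g. {('192.168.1.25', 'Drop'): 2}."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_acl_line(line)
        if rec is not None:
            counts[(rec["src"], rec["verdict"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key in find_allow_then_drop(SAMPLE_LOG.splitlines()):
        print("allowed then dropped:", key)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against a syslog export from the router; a flow appearing in the first list is one the rule table permitted and a later rule (or a later evaluation of the same packet) dropped, which is what the question's two lines show. A lone Drop with no preceding Allow, like the constructed UDP/53 line, is the normal effect of the block rule and is not reported.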
03-31-2018 07:45 AM
Hi,
Thank you for writing to Support Forum.
Please follow the article below to configure Access Rules on the RV130 and RV130W.
Default Outbound Policy
Step 1. Log in to the web configuration utility and choose Firewall > Access Rules. The Access Rules page opens:
Step 2. In the Default Outbound Policy area, click the desired radio button to choose a policy for outbound traffic. The policy is applied whenever there are no access rules or Internet access policies configured. The default setting is Allow, which allows all traffic to the Internet to pass through.
The available options are defined as follows:
• Allow — Permit all types of traffic going out from the LAN to the Internet.
• Deny — Block all types of traffic going out from the LAN to the Internet.
Step 3. Click Save to save the settings.
Adding an Access Rule
Step 1. Log in to the web configuration utility and choose Firewall > Access Rules. The Access Rules window opens:
Step 2. Click Add Row in the Access Rule Table to add a new access rule.
The Add Access Rule page opens:
Step 3. From the Connection Type drop-down list, choose the type of traffic for which the rule applies.
The available options are defined as follows:
• Outbound (LAN > WAN) — The rule affects packets that come from the local network (LAN) and go out to the Internet (WAN).
• Inbound (WAN > LAN) — The rule affects packets that come from the Internet (WAN) and go into the local network (LAN).
• Inbound (WAN > DMZ) — The rule affects packets that come from the Internet (WAN) and go into the demilitarized zone (DMZ) subnetwork.
Step 4. From the Action drop-down list, choose the action to be taken when a rule is matched.
The available options are defined as follows:
• Always Block — Always deny access if the conditions are matched. Skip to Step 6.
• Always Allow — Always permit access if the conditions are matched. Skip to Step 6.
• Block by schedule — Deny access if the conditions are matched during a preconfigured schedule.
• Allow by schedule — Permit access if the conditions are matched during a preconfigured schedule.
Step 5. If you chose Block by schedule or Allow by schedule in Step 4, choose the appropriate schedule from the Schedule drop-down list.
Note: To create or edit a schedule, click Configure Schedules. Refer to Configuring Schedules on the RV130 and RV130W for more information and guidelines.
Step 6. Choose the type of service the access rule applies for from the Services drop-down list.
Note: If you want to add or edit a service, click Configure Services. Refer to Service Management Configuration on the RV130 and RV130W for more information and guidelines.
Configuring Source and Destination IP for Outbound Traffic
Follow the steps in this section if Outbound (LAN > WAN) was selected as the Connection Type in Step 3 of Adding an Access Rule.
Note: If an inbound Connection Type was selected in Step 3 of Adding an Access Rule, skip to the next section: Configuring Source and Destination IP for Inbound traffic.
Step 1. Choose how you would like to define the Source IP from the Source IP drop-down list. For outbound traffic, the Source IP refers to the address or addresses (in the LAN) to which the Firewall rule would apply.
The available options are defined as follows:
• Any — Applies to traffic originating from any IP address in the local network. Therefore, leave the Start and Finish fields blank. Skip to Step 4 if you choose this option.
• Single Address — Applies to traffic originating from a single IP address in the local network. Enter the IP address in the Start field.
• Address Range — Applies to traffic originating from a range of IP addresses in the local network. Enter the starting IP address of the range in the Start field and the ending IP address in the Finish field in order to set the range.
Step 2. If you chose Single Address in Step 1, enter the IP address that will be applied to the access rule in the Start field, and then skip to Step 4. If you chose Address Range in Step 1, enter a starting IP address that will be applied to the access rule in the Start field.
Step 3. If you chose Address Range in Step 1, enter the ending IP address that will encapsulate the IP address range for the access rule in the Finish field.
Step 4. Choose how you would like to define the Destination IP from the Destination IP drop-down list. For outbound traffic, the Destination IP refers to the address or addresses (in the WAN) to which traffic is permitted or denied from the local network.
The available options are defined as follows:
• Any — Applies to traffic headed towards any IP address in the public Internet. Therefore, leave the Start and Finish fields blank.
• Single Address — Applies to traffic headed towards a single IP address in the public Internet. Enter the IP address in the Start field.
• Address Range — Applies to traffic headed towards a range of IP addresses in the public Internet. Enter the starting IP address of the range in the Start field and the ending IP address in the Finish field in order to set the range.
Step 5. If you chose Single Address in Step 4, enter the IP address that will be applied to the access rule in the Start field. If you chose Address Range in Step 4, enter a starting IP address that will be applied to the access rule in the Start field.
Step 6. If you chose Address Range in Step 4, enter the ending IP Address that will encapsulate the IP Address range for the access rule in the Finish field.
Configuring Source and Destination IP for Inbound Traffic
Follow the steps in this section if Inbound (WAN > LAN) or Inbound (WAN > DMZ) was selected as the Connection Type in Step 3 of Adding an Access Rule.
Step 1. Choose how you would like to define the Source IP from the Source IP drop-down list. For inbound traffic, the Source IP refers to the address or addresses (in the WAN) to which the Firewall rule would apply.
The available options are defined as follows:
• Any — Applies to traffic originating from any IP address in the public Internet. Therefore, leave the Start and Finish fields blank. Skip to Step 4 if you choose this option.
• Single Address — Applies to traffic originating from a single IP address in the public Internet. Enter the IP address in the Start field.
• Address Range — Applies to traffic originating from a range of IP addresses in the public Internet. Enter the starting IP address of the range in the Start field and the ending IP address in the Finish field in order to set the range.
Step 2. If you chose Single Address in Step 1, enter the IP address that will be applied to the access rule in the Start field, and then skip to Step 4. If you chose Address Range in Step 1, enter a starting IP address that will be applied to the access rule in the Start field.
Step 3. If you chose Address Range in Step 1, enter the ending IP address that will encapsulate the IP address range for the access rule in the Finish field.
Step 4. Enter a Single Address for the Destination IP in the Start field below the Destination IP drop-down list. For inbound traffic, the Destination IP refers to the address (in the LAN) to which traffic is permitted or denied from the public Internet.
Note: If Inbound (WAN > DMZ) was selected as the Connection Type in Step 3 of Adding an Access Rule, the Single Address for the Destination IP is automatically configured with the IP address of the enabled DMZ host.
Step 1. Select Always in the Log drop-down list if you want the router to create logs whenever a packet matches a rule. Select Never if you want logging to never occur when a rule is matched.
Step 2. Check the Enable checkbox to enable the access rule.
Step 3. Click Save to save your settings.
The Access Rule Table is updated with the newly configured access rule.
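Added example (not part of the support reply or Cisco's code): a model of the Access Rule Table as the steps above describe it, with Connection Type, Action, Source IP and Destination IP as Any / Single Address / Address Range, an optional service, and first-match evaluation top to bottom falling through to the Default Outbound Policy. It evaluates the original poster's two rules (203.0.113.10 is a constructed stand-in for X.X.X.X) and, going one step beyond the reply, the default-deny layout proposed later in the thread: Deny as the default policy, one allow rule for the restricted host, and allow rules for DNS and NTP. All names here are hypothetical; the model shows what first-match semantics would decide, not what any given firmware build actually does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

OUTBOUND = "Outbound (LAN > WAN)"


def _match_addr(spec, addr):
    """spec is 'Any', a single address string, or a (start, finish) tuple (Address Range)."""
    ip = ipaddress.ip_address(addr)
    if spec == "Any":
        return True
    if isinstance(spec, tuple):
        start, finish = (ipaddress.ip_address(s) for s in spec)
        return start <= ip <= finish
    return ip == ipaddress.ip_address(spec)


@dataclass
class AccessRule:
    action: str                                # "Always Allow" or "Always Block"
    connection: str                            # e.g. OUTBOUND
    source: object = "Any"                     # Source IP as described in Step 1
    destination: object = "Any"                # Destination IP as described in Step 4
    service: Optional[Tuple[str, int]] = None  # (protocol, port); None = "All Traffic"
    enabled: bool = True                       # the Enable checkbox

    def matches(self, connection, src, dst, proto, dport):
        if not self.enabled or self.connection != connection:
            return False
        if self.service is not None and self.service != (proto, dport):
            return False
        return _match_addr(self.source, src) and _match_addr(self.destination, dst)


def evaluate(rules, connection, src, dst, proto, dport, default_outbound="Allow"):
    """First matching rule decides; otherwise the Default Outbound Policy (Allow/Deny).

    Returns (verdict, reason) using the log vocabulary "Allow"/"Drop"."""
    for index, rule in enumerate(rules):
        if rule.matches(connection, src, dst, proto, dport):
            verdict = "Allow" if rule.action == "Always Allow" else "Drop"
            return verdict, f"rule {index}: {rule.action}"
    return ("Allow" if default_outbound == "Allow" else "Drop"), "default policy"


# The original poster's table: allow one host to one site, then block that host to anything.
ASKER_RULES = [
    AccessRule("Always Allow", OUTBOUND, "192.168.1.25", "203.0.113.10"),
    AccessRule("Always Block", OUTBOUND, "192.168.1.25", "Any"),
]

# Default-deny variant for a restricted VLAN (constructed addresses): only the one
# host reaches the one site on 443, everything may resolve names and sync time.
RESTRICTED_VLAN_RULES = [
    AccessRule("Always Allow", OUTBOUND, "192.168.2.25", "203.0.113.10", ("TCP", 443)),
    AccessRule("Always Allow", OUTBOUND, "Any", "Any", ("UDP", 53)),
    AccessRule("Always Allow", OUTBOUND, "Any", "Any", ("UDP", 123)),
]


def restricted_vlan_verdict(src, dst, proto, dport):
    return evaluate(RESTRICTED_VLAN_RULES, OUTBOUND, src, dst, proto, dport, "Deny")


if __name__ == "__main__":
    print(evaluate(ASKER_RULES, OUTBOUND, "192.168.1.25", "203.0.113.10", "TCP", 443))
    print(evaluate(ASKER_RULES, OUTBOUND, "192.168.1.25", "198.51.100.5", "TCP", 443))
    print(restricted_vlan_verdict("192.168.2.25", "198.51.100.5", "TCP", 443))
```

Under first-match evaluation the poster's table yields Allow for the logged flow and Drop for any other destination, while hosts not named in either rule fall through to the default Allow policy. The default-deny table is more robust because nothing outside the listed services can be reached by omission: a host or port you forget to mention is dropped rather than allowed.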
05-11-2018 02:07 PM
Kim -
Did you ever get this answered satisfactorily? I have the same issue and understand ACLs are applied the same way you do: top to bottom. As you have witnessed, no traffic goes through when you set the ACLs the way we would assume.
Russ
07-15-2018 07:23 PM - edited 07-15-2018 07:26 PM
I think I have worked out an answer to this but it is complicated and I haven't tested it yet. I was hoping Cisco might update the ACLs so they worked but apparently not.
Here is my solution. It requires a separate VLAN and one of the LAN ports on your router to be dedicated to that VLAN but it could be used by a number of untrusted devices. The networking connections to the restricted device have to be separated from the rest of the network.
On that separate VLAN you must declare all connections blocked by default. Then allow the internal host you want to restrict to connect to the specific external host. Additionally, you might have to allow special infrastructure protocols like DNS and NTP etc. I will test it and see if it works and click on the "answered" button if it does.
One advantage of this solution is it separates untrusted IOsT (internet of **bleep**ty things) from the rest of your SOHO network.
07-16-2018 10:28 AM
I actually took care of this by "downgrading" the IOS on the router. The previous version of the IOS works fine and I'm now able to use the ACLs as you'd expect. Too bad CISCO can't release new IOS without breaking the old! It's not a "healthy" solution, but when they break things in the new firmware you have to do what you have to do...