2288 Views | 0 Helpful | 8 Replies

RV260 Port Forwarding overrides Access Rules

SteveC67771
Level 1

I’ve an RV260W with firmware 1.0.00.17 and am trying to set up secure incoming port forwarding rules. I want a specific public IP address to have access to an internal service; all other public IP addresses should be blocked.

I’d expect this to work by setting up the Port Forwarding rule and then adding an Access Rule to allow access; the default ACL is still DENY ALL, so it should block access from all addresses not explicitly specified.

As soon as I add a Port Forwarding rule from the WAN to the LAN it opens up straight away, allowing full access to that port from the Internet even though the Access Rule is still only DENY ALL.

I’ve spent a couple of hours looking into this and haven’t found an answer. One post I found suggested that after the Allow rule you need to put a specific Deny for the same Service, but this didn’t work; there is still open access to the port.


Port Forwarding
ExtSvc = svc_12345
IntSvc = svc_03389
IntIP = LocalIP

Access Rules
Allow : svc_12345, SrcInt=WAN, src=RemoteIP, DestInt=VLAN1, Dest=LocalIP
Denied : svc_12345, SrcInt=WAN, src=Any, DestInt=Any, Dest=Any

 

It seems that there is a fundamental security problem with how Port Forwarding works on this router & firewall. I really can’t see what I’m doing wrong; surely you can put an ACL on a port forwarding rule? If not, then is everyone with one of these routers running wide open?

(This is a repost as there was a problem with my old account)

8 Replies

akashar2
Cisco Employee

Hi Steve,

Please find the link for port forwarding configuration.

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configure-Port-Forwarding-and-Port-Triggering-RV160-and-RV260.html

As per my understanding of your query, if you have created a rule with deny all it will work, but by default allow all traffic is in effect on the router, so unless you manually create a deny rule it will follow the default allow access rule.

If you create a deny all rule and apply port forwarding, it should not work. Even if your configuration is not working as required, you can open a TAC case with Cisco; below is the link.

https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Akash

Hi Akash, thank you for the response, but it looks like I wasn’t clear enough when explaining the problem I’m having.

The Firewall has two default rules:

201 Allow All traffic from VLAN to WAN
202 Deny All traffic from WAN to VLAN

That should block any incoming new connections; outgoing conversations are allowed by default.

If I create a Port Forwarding rule then I would expect the Firewall rule to still apply, but it does not. As soon as the Port Forwarding rule is created, any external WAN address can access the internal service, even though the firewall is still configured to DENY ALL TRAFFIC from the WAN.

This is wrong. The firewall ACL should control access to the Port Forwarding rule, but this is not the case. Once you set up a Port Forwarding rule that port is wide open to the Internet and there seems to be no way to restrict it. Without an Access Rule for that port it should not be accessible from the WAN, because of the DENY.

The fact that the Firewall is still configured to DENY is misleading, as it is being bypassed.

This appears to be a huge security flaw: anyone who is using Port Forwarding has inadvertently opened up their network to the entire Internet because they have put their trust in the Firewall doing what the rules say it should.

Duplicate post deleted, original didn't show - it was flagged as SPAM but has now appeared.

SteveC67771
Level 1

Just an update, Cisco investigated this and have raised a bug report. I presume they are working on resolving it.

I believe Port Forwarding Rules take precedence over Access Control rules.

I have used Internet Service Providers' routers over the last five years; the port forwarding rules always override the access control rules.

Access Control makes the default that all inbound traffic is blocked, and Port Forwarding makes exceptions to this rule.

Boyd
Level 1

I too was astounded by the Port Forwarding overriding the Deny All rule and still think this is a fault that should be fixed - however, I discovered that it can be overcome by adding 2 new Access Rules.
- An ALLOW rule for the required port with the Source of IP Address (or range) required
- Immediately followed by a DENY rule for the same port with Source: ANY

Hi Boyd, yes, manually adding a DENY Any to VLAN1 solved the problem. The Port Forwarding allows WAN > VLAN1 but the default Denied is WAN > VLAN, so it doesn't block anything. It gives a false sense of security and defaults to being open.

The problem hasn't been resolved as far as I can tell; Cisco kept going round in circles and didn't seem to get a grasp on what the problem was. I'm going to be getting rid of the router soon, as I can't trust it not to do something else silly in the future.

nagrajk1969
Spotlight

Hi

I think the fix should NOT be to make the bottom-most firewall rule DENY-ALL override the user-defined rule above it. Instead, Cisco should fix the port forwarding config page by adding the provision for the user to add a rule like the one below:

"from-src-host/network (or even a bunch of subnets using ipgroups)" - <external service> - <internal-service> - <internal-host/server> <interface-WANx>

So that, with the from-source also included, the above will be very specific in what it permits and will continue to be placed above the default deny-all rule, which will now deny all traffic other than the "from-source-address" in the port-forwarding rule.

Of course, if the user wants to publish his/her server to the whole Internet, there should be provision for giving the src-address as ANY (0.0.0.0/0) too; otherwise it becomes another problem for such scenarios if required.
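The following is an added worked example, not code from the thread or from Cisco: a small first-match rule evaluator that models the behaviour the posts describe, so the three configurations can be compared side by side. It covers Boyd's workaround (explicit ALLOW for the wanted source immediately followed by DENY any on the same port), Steve's observation that the built-in WAN-to-VLAN deny never stops a forwarded port, and nagrajk1969's proposed per-forward source field. The evaluation order (user access rules first, then the port-forward table, then the built-in defaults) is an assumption chosen to be consistent with what the thread reports; it is not verified RV260 firmware logic. All addresses, the `svc_12345` port number and the `PortForward.src` field are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # wildcard for interface, address or port


@dataclass(frozen=True)
class Packet:
    src_ip: str     # source address as seen on the WAN
    src_if: str     # "WAN" or "VLAN1"
    dst_ip: str     # destination after DNAT, i.e. the internal host (modelling assumption)
    dst_port: int   # external service port, e.g. 12345 for svc_12345


@dataclass(frozen=True)
class AccessRule:
    action: str     # "allow" or "deny"
    port: object    # external port (int) or ANY
    src_if: str
    src: str        # host, CIDR or ANY
    dst_if: str
    dst: str


@dataclass(frozen=True)
class PortForward:
    ext_port: int
    int_port: int
    int_ip: str
    src: str = ANY  # hypothetical per-forward source filter (nagrajk1969's proposal)


def _ip_match(pattern: str, ip: str) -> bool:
    return pattern == ANY or ip_address(ip) in ip_network(pattern, strict=False)


def _rule_match(r: AccessRule, p: Packet, dst_if: str) -> bool:
    return (r.port in (ANY, p.dst_port)
            and r.src_if in (ANY, p.src_if)
            and r.dst_if in (ANY, dst_if)
            and _ip_match(r.src, p.src_ip)
            and _ip_match(r.dst, p.dst_ip))


# Built-in defaults as listed in the thread: 201 allow VLAN->WAN, 202 deny WAN->VLAN.
DEFAULT_RULES = [
    AccessRule("allow", ANY, "VLAN1", ANY, "WAN", ANY),
    AccessRule("deny", ANY, "WAN", ANY, "VLAN1", ANY),
]


def evaluate(p: Packet, user_rules, forwards) -> str:
    """Assumed order: (1) user access rules, top down, first match wins;
    (2) port-forward table, a match counts as allow; (3) built-in defaults.
    Under this order rule 202 can never stop a forwarded port."""
    dst_if = "VLAN1" if p.src_if == "WAN" else "WAN"
    for r in user_rules:
        if _rule_match(r, p, dst_if):
            return r.action
    if p.src_if == "WAN":
        for f in forwards:
            if f.ext_port == p.dst_port and _ip_match(f.src, p.src_ip):
                return "allow"
    for r in DEFAULT_RULES:
        if _rule_match(r, p, dst_if):
            return r.action
    return "deny"


# Constructed sample values (documentation ranges, not real hosts).
LOCAL_IP = "192.168.1.10"    # the internal server (Steve's "LocalIP")
REMOTE_IP = "203.0.113.10"   # the one public address that should get in
OTHER_IP = "198.51.100.7"    # any other Internet host
FORWARD = PortForward(ext_port=12345, int_port=3389, int_ip=LOCAL_IP)

# Boyd's workaround: ALLOW for the wanted source, immediately followed by DENY any.
BOYD_RULES = [
    AccessRule("allow", 12345, "WAN", REMOTE_IP, "VLAN1", LOCAL_IP),
    AccessRule("deny", 12345, "WAN", ANY, ANY, ANY),
]


def scenario(user_rules, forwards):
    """Decision for (the wanted source, an arbitrary Internet host) on port 12345."""
    wanted = Packet(REMOTE_IP, "WAN", LOCAL_IP, 12345)
    other = Packet(OTHER_IP, "WAN", LOCAL_IP, 12345)
    return evaluate(wanted, user_rules, forwards), evaluate(other, user_rules, forwards)


def unguarded_forwards(forwards, user_rules):
    """Audit helper: external ports forwarded with no source filter and no DENY-any rule."""
    bad = []
    for f in forwards:
        covered = any(r.action == "deny" and r.port == f.ext_port
                      and r.src_if in (ANY, "WAN") and r.src == ANY for r in user_rules)
        if f.src == ANY and not covered:
            bad.append(f.ext_port)
    return bad


if __name__ == "__main__":
    print("forward only:     ", scenario([], [FORWARD]))           # ('allow', 'allow')
    print("Boyd's rules:     ", scenario(BOYD_RULES, [FORWARD]))   # ('allow', 'deny')
    print("source on forward:", scenario([], [PortForward(12345, 3389, LOCAL_IP, REMOTE_IP)]))
    print("unguarded ports:  ", unguarded_forwards([FORWARD], []))  # [12345]
```

With the forward alone, both the wanted host and an arbitrary Internet host are allowed, which is the open-port behaviour Steve reported. Boyd's two rules close it because the user-defined DENY any on port 12345 is consulted before the forward table; nagrajk1969's proposal closes it a different way, by making the forward itself not match foreign sources so the packet falls through to the built-in deny. `unguarded_forwards` is the check a defender would run over an exported rule set: any forwarded port it returns is reachable from the whole Internet under this model.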