04-14-2019 08:47 PM
I am playing around with Snort on a router behind an RV320 router. Funny thing is that it is getting port scanned from IPs from out on the WAN.
So the big question is, why are port scans getting through the RV320 firewall?
Everything is up to date...
04-14-2019 08:49 PM
04-14-2019 09:21 PM
The alert only indicates it was a scan of UDP ports. And it lists the source, which are internet IPs, not LAN IPs.
04-15-2019 05:02 AM
04-15-2019 07:39 PM
There is no forwarding set up on this router. There are no ports open.
Tried one of those firewall testers and it said everything was ok. Makes no sense.
Have no idea how this traffic is getting in. Could it be leaking through someone on a VPN or an IoT device?
No real tweaks besides a couple of VLANs.
04-15-2019 09:22 PM
Update:
Did more investigating with some other tools. I always noticed with Snort that there would be a couple of scans and then nothing for a long while. What I just noticed with another tool is that when something new comes on the LAN there is a flood from the WAN right after that.
From what I can gather, for some reason the firewall goes down for a short while when something connects to the LAN (VLAN to be exact).
04-16-2019 04:45 AM
@Scott Frank hello,
You can use the logs to find out which address was sending a lot of packets to the WAN interface on your firewall and try to block it. To do the same for the LAN, you can use Wireshark to mitigate which device is doing it.
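
Added example, not part of the original thread: one way to test the pattern described above (scan alerts arriving right after a device joins the LAN) and to tally alerts per WAN source from the logs. It assumes Snort's "fast" alert format, a LAN range of 192.168.0.0/16, join times taken from something like DHCP lease logs, and a 60-second window; all sample lines and addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")   # assumption: the LAN/VLANs sit in this range
# Constructed Snort "fast" alert lines (documentation addresses, not real data).
ALERTS = """\
04/15-21:02:07.114201 [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.168.10.2
04/15-21:02:09.500310 [**] [122:17:1] (portscan) UDP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.23 -> 192.168.10.2
04/15-21:02:31.000412 [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.168.10.2
04/15-21:15:44.220019 [**] [122:17:1] (portscan) UDP Portscan [**] [Priority: 3] {PROTO:255} 192.168.10.50 -> 192.168.10.2
04/15-21:40:12.871655 [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.168.10.2
04/15-22:30:00.000001 [**] [122:17:1] (portscan) UDP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.99 -> 192.168.10.2
"""
# Constructed times at which a new device joined the LAN (e.g. from DHCP lease logs).
JOINS = ["04/15-21:02:05", "04/15-21:40:10"]

# GID 122 is Snort's sfPortscan preprocessor; alerts from other generators are ignored.
LINE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[122:\d+:\d+\]"
                  r".*\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->")

def stamp(text, year=2019):
    # Fast alerts carry no year, so one is supplied.
    return datetime.strptime(f"{year}/{text}", "%Y/%m/%d-%H:%M:%S")

def wan_scans(log):
    """Return (time, source) for every portscan alert whose source is outside the LAN."""
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m and ip_address(m.group(2)) not in LAN:
            hits.append((stamp(m.group(1)), m.group(2)))
    return hits

def correlate(log, joins, window=timedelta(seconds=60)):
    """Count WAN-sourced scan alerts overall, per source, and within `window` after a join."""
    scans = wan_scans(log)
    starts = [stamp(j) for j in joins]
    near = [s for s in scans if any(j <= s[0] <= j + window for j in starts)]
    return {"total": len(scans), "after_join": len(near),
            "by_source": Counter(src for _, src in scans)}

if __name__ == "__main__":
    print(correlate(ALERTS, JOINS))
```

If most WAN-sourced alerts fall inside the window after a join, that supports the timing observation; a high count for a single source points at the address to look up in the router's own logs.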