cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
8075
Views
0
Helpful
19
Replies
Highlighted
Beginner

Port forwarding on RV320 bypasses firewall rules!

After forwarding a port to an internal box and setting up a firewall rule, to only allow connections from a specific IP, I was shocked to see hundreds of login attempts from various unauthorized IP addresses.

It seems as soon as your forward a port, it completely bypasses the firewall rules! So it seems you cannot apply any restrictions for port forwarding what so ever.

Please tell me I'm wrong, as this would make the router absolutely unsuitable for, well... anything!

19 REPLIES 19
Highlighted
Beginner

I have this problem too.

What's the point of having a Firewall that don't work?!?!

 

Highlighted

So, with the latest firmware v1.4.2.17 (2017-10-30) on the RV325, the Access Rules work as expected, but you must create an ALLOW rule for each forwarded port [source: your IPs], followed by a DENY rule for each forwarded port [source: ANY]

 

For example here is our setup for VOIP calls through our Twilio SIP Trunk, with all their IP ranges whitelisted, followed by all other sources blacklisted.

 

You can test it works by moving the DENY lines to the top, and Twilio will stop working, meaning it just denied all IPs.

 

twilio-RV325.gif

Highlighted
Contributor

Hello, 

I'm sorry to hear about your issue but I think this is all just a misunderstanding.

When you create a port forward rule on this router, you are opening the port to anyone on the internet who knows your public IP address and the port, there are no restrictions, it is completely opened. Now if after that you create an allow rule on the firewall for an specific IP address, that is still no stopping any traffic because the port is already opened to anyone. In order for the rules to be effective, you no only have to create an Allow rule but also a Deny rule so that only the intended traffic will be allow and everything else will be denied.

Here is an example:

If you create a port forward for port 80 going to IP address 192.168.1.100 then the rules should be as follows:

Allow XXX.XXX.XXX.XXX port 80 to 192.168.1.100

Deny ANY port 80 to 192.168.1.100

Please make sure that the deny rule goes below the allow rule so that it will permit the intended traffic and block anything else.

I hope this was helpful

Highlighted

Hi cchamorr,

Thanks for your reply.

I already have four (factory default) "deny all" rules at the bottom of my firewall rules list:

  • Service: All Traffic
  • Interfaces: One rule for each of USB1, USB2, WAN1 and WAN2
  • Source: Any
  • Destination: Any
  • Time: Always

So I would expect any traffic not explicitly allowed, to be blocked.

While I do want to open for VPN/SSH traffic from known sites, I'm less interested in opening the ports to the world.

Please advise.

Highlighted

Thank you for the reply.

On this router, when you create a port forwarding rule you are allowing everybody to connect that's why you have to create an Explicit Deny rule to block the traffic that you allowed when you created the port forward.

Please give it a try, you will see that it works and it is the right way to configure this unit.

Highlighted

Can you explain again, but this time in English? ...

Highlighted

Hello,

 

When you create a port forwarding/NAT rule, that just creates the forwarding rule on the router. This rule is telling the router that any traffic hitting the WAN interface of the router on the specific port should be forwarded to the internal server specified. However, it does not dictate who is allowed to access that Service. By configuring the Access Rules to allow only certain internet hosts/networks to access the Service (and your default policy is to block everybody else) you are explicitly telling the Router that only the hosts configured via the access rules are allowed to access the internal server on the configured port and every one else is blocked.

As far as the firewall on the Router is concerned, it will block all other traffic initiated from internet destined towards your network but does not have any forwarding rule or explicit allow access rule. In addition, it also protects your network from attacks by inspecting packets going through and allowing only those that belong to an active session (Statefull Packet Inspection).

 

Hope this helps.

 

Nagaraja

Highlighted

As I wrote, I already have "deny all" rules under the rules where I allow specific traffic through.

Please advise.

Highlighted

Hello,

 

Are you configuring port forwarding to the primary IP of the WAN interface or secondary IP? Would you be able to send me a screenshot of the Port Forwarding page and Access List Page via PM?

 

Nagaraja

Highlighted

Hi Nagaraja,

Thank for your reply.

I have sent you a PM with the requested screenshots.

Thanks.

Highlighted

Hi there,

I am having little bit different issue on an RV082. I have created a rule for RDP but, it is not working. Destination system firewall is disabled. The allow rule I created is:

Source IP: (public) -> Port 3389 -> system (192.168.1.5)

do I have to create a deny rule also ? if not, any idea why I can't RDP to a system.

Thanks,

Highlighted

Hello, 

I'm very sorry I didn't see this before, I think it just got lost under the other replies.

In case that you still need an answer for this, here is what I think it is happening:

On the RV082, in order for you to open a port you will need to configure port forward under Setup. Furthermore, you DO NOT need to create a firewall rule to allow for the traffic as the firewall rule will be useless if port forwarding hasn't been configured.

I hope this helps, and please, let us know.

Highlighted

Hi,

More than the 4 default deny rules, a default rule exist that I can't delete:

Allow All Traffic From LAN Interface, Source: Lan Network, Destination: All, Time: Always.

 

Does this rule can cause the problem described before ?

Is there a way to delete this rule without creating the axactly same with Deny ?

 

Highlighted

Hello, 

Im sorry you are having issues with the unit.

The default rules cannot be modified or deleted, they need to be in place for the router to work correctly.

Can you elaborate on the particulars of your issue? Maybe we can give you some ideas as to what to do.

please let us know.