After forwarding a port to an internal box and setting up a firewall rule, to only allow connections from a specific IP, I was shocked to see hundreds of login attempts from various unauthorized IP addresses.
It seems as soon as you forward a port, it completely bypasses the firewall rules! So it seems you cannot apply any restrictions for port forwarding whatsoever.
Please tell me I'm wrong, as this would make the router absolutely unsuitable for, well... anything!
So, with the latest firmware v220.127.116.11 (2017-10-30) on the RV325, the Access Rules work as expected, but you must create an ALLOW rule for each forwarded port [source: your IPs], followed by a DENY rule for each forwarded port [source: ANY].
For example here is our setup for VOIP calls through our Twilio SIP Trunk, with all their IP ranges whitelisted, followed by all other sources blacklisted.
You can test it works by moving the DENY lines to the top, and Twilio will stop working, meaning it just denied all IPs.
I'm sorry to hear about your issue but I think this is all just a misunderstanding.
When you create a port forward rule on this router, you are opening the port to anyone on the internet who knows your public IP address and the port; there are no restrictions, it is completely opened. Now if after that you create an allow rule on the firewall for a specific IP address, that is still not stopping any traffic because the port is already opened to anyone. In order for the rules to be effective, you not only have to create an Allow rule but also a Deny rule so that only the intended traffic will be allowed and everything else will be denied.
Here is an example:
If you create a port forward for port 80 going to IP address 192.168.1.100 then the rules should be as follows:
Allow XXX.XXX.XXX.XXX port 80 to 192.168.1.100
Deny ANY port 80 to 192.168.1.100
Please make sure that the deny rule goes below the allow rule so that it will permit the intended traffic and block anything else.
I hope this was helpful.
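As an added illustration (not code from the thread or from Cisco), the following Python model reproduces the behaviour these replies describe: a forwarded port is open to any source unless an Access Rule explicitly denies it, and Access Rules are evaluated top to bottom, first match wins. The `Rule`/`Forward` classes, the `decide` function and the source range 203.0.113.0/24 are constructed for the example and are not the router's own API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the router behaviour described in the thread.
# Rule and Forward are hypothetical names, not the router's configuration schema.

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    source: str   # CIDR network, or "any"
    port: int
    dest: str     # internal host the rule applies to

@dataclass
class Forward:
    port: int
    dest: str

def matches(rule, src, port, dest):
    if rule.port != port or rule.dest != dest:
        return False
    return rule.source == "any" or ip_address(src) in ip_network(rule.source)

def decide(rules, forwards, src, port, dest):
    """Return 'allow' or 'deny' for one inbound connection from the WAN."""
    for rule in rules:                       # Access Rules: first match wins
        if matches(rule, src, port, dest):
            return rule.action
    # No explicit rule matched: a forwarded port is open to everyone,
    # otherwise the default deny applies.
    if any(f.port == port and f.dest == dest for f in forwards):
        return "allow"
    return "deny"

# Sample configuration matching the port 80 example in the reply above.
FORWARDS = [Forward(80, "192.168.1.100")]
ALLOW = Rule("allow", "203.0.113.0/24", 80, "192.168.1.100")  # constructed "our IPs" range
DENY = Rule("deny", "any", 80, "192.168.1.100")

def allow_only(src):        # first attempt: an allow rule but no explicit deny
    return decide([ALLOW], FORWARDS, src, 80, "192.168.1.100")

def allow_then_deny(src):   # the recommended order
    return decide([ALLOW, DENY], FORWARDS, src, 80, "192.168.1.100")

def deny_then_allow(src):   # the sanity check: DENY moved to the top
    return decide([DENY, ALLOW], FORWARDS, src, 80, "192.168.1.100")
```

With only the allow rule, an unlisted source still reaches the forwarded port; with the deny rule placed below the allow rule, only the listed range gets through, and moving the deny rule to the top blocks everyone, including the listed range.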
Thanks for your reply.
I already have four (factory default) "deny all" rules at the bottom of my firewall rules list:
So I would expect any traffic not explicitly allowed to be blocked.
While I do want to open for VPN/SSH traffic from known sites, I'm less interested in opening the ports to the world.
Thank you for the reply.
On this router, when you create a port forwarding rule you are allowing everybody to connect, which is why you have to create an explicit Deny rule to block the traffic that you allowed when you created the port forward.
Please give it a try, you will see that it works and it is the right way to configure this unit.
When you create a port forwarding/NAT rule, that just creates the forwarding rule on the router. This rule is telling the router that any traffic hitting the WAN interface of the router on the specific port should be forwarded to the internal server specified. However, it does not dictate who is allowed to access that Service. By configuring the Access Rules to allow only certain internet hosts/networks to access the Service (and your default policy is to block everybody else) you are explicitly telling the Router that only the hosts configured via the access rules are allowed to access the internal server on the configured port and every one else is blocked.
As far as the firewall on the Router is concerned, it will block all other traffic initiated from the internet destined towards your network that does not have any forwarding rule or explicit allow access rule. In addition, it also protects your network from attacks by inspecting packets going through and allowing only those that belong to an active session (Stateful Packet Inspection).
Hope this helps.
I am having a slightly different issue on an RV082. I have created a rule for RDP, but it is not working. The destination system's firewall is disabled. The allow rule I created is:
Source IP: (public) -> Port 3389 -> system (192.168.1.5)
Do I have to create a deny rule also? If not, any idea why I can't RDP to the system?
I'm very sorry I didn't see this before, I think it just got lost under the other replies.
In case you still need an answer for this, here is what I think is happening:
On the RV082, in order for you to open a port you will need to configure port forward under Setup. Furthermore, you DO NOT need to create a firewall rule to allow for the traffic as the firewall rule will be useless if port forwarding hasn't been configured.
I hope this helps, and please, let us know.
Besides the 4 default deny rules, there is a default rule that I can't delete:
Allow All Traffic From LAN Interface, Source: Lan Network, Destination: All, Time: Always.
Can this rule cause the problem described before?
Is there a way to delete this rule without creating the exact same one with Deny?