RV260 Port Forwarding overrides Access Rules

SteveC67771
Beginner

I’ve an RV260W with firmware 1.0.00.17 and am trying to set up secure incoming port forwarding rules. I want a specific public IP address to have access to an internal service; all other public IP addresses should be blocked.

I’d expect this to work by setting up the Port Forwarding rule and then adding an Access Rule to allow access; the default ACL is still DENY ALL, so it should block access from all addresses not explicitly specified.

As soon as I add a Port Forwarding rule from the WAN to the LAN it opens up straight away, allowing full access to that port from the Internet even though the Access Rule is still only DENY ALL.

I’ve spent a couple of hours looking into this and haven’t found an answer. One post I found suggested that after the Allow rule you need to put a specific Deny rule for the same Service, but this didn’t work; there is still open access to the port.

Port Forwarding

ExtSvc = svc_12345
IntSvc = svc_03389
IntIP = LocalIP

Access Rules

Allow : svc_12345, SrcInt=WAN, Src=RemoteIP, DestInt=VLAN1, Dest=LocalIP
Denied : svc_12345, SrcInt=WAN, Src=Any, DestInt=Any, Dest=Any

It seems that there is a fundamental security problem with how Port Forwarding works on this router and firewall. I really can’t see what I’m doing wrong; surely you can put an ACL on a port forwarding rule, and if not, is everyone with one of these routers running wide open?

(This is a repost as there was a problem with my old account)

8 Replies

akashar2
Cisco Employee

Hi Steve,

Please find the link for port forwarding configuration.

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configure-Port-Forwarding-and-Port-Triggering-RV160-and-RV260.html

As per my understanding of the query, if you have created a rule with deny all it will be working, but by default allow all traffic is working on the router, so unless you manually create a deny rule it will follow the default allow access rule.

If you create a deny all rule and apply port forwarding it should not work. If your configuration is still not working as required, you can open a TAC case with Cisco; the link is below.

https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Akash

Hi Akash, thank you for the response, but it looks like I wasn’t clear enough when explaining the problem I’m having.

The Firewall has two default rules:

201 Allow All traffic from VLAN to WAN
202 Deny All traffic from WAN to VLAN

That should block any incoming new connections; outgoing conversations are allowed by default.

If I create a Port Forwarding rule then I would expect the Firewall rule to still apply, but it does not. As soon as the Port Forwarding rule is created, any external WAN address can access the internal service, even though the firewall is still configured to DENY ALL TRAFFIC from the WAN.

This is wrong. The firewall ACL should control access to the Port Forwarding rule, but this is not the case. Once you set up a Port Forwarding rule, that port is wide open to the Internet and there seems to be no way to restrict it. Without an Access Rule for that port, it should not be accessible from the WAN because of the DENY.

The fact that the Firewall is still configured to DENY is misleading, as it is being bypassed.

This appears to be a huge security flaw: anyone who is using Port Forwarding has inadvertently opened up their network to the entire Internet because they have put their trust in the Firewall doing what the rules say it should.
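The rule order described in the original post and in this reply (port forward first, then the access rules evaluated top to bottom with the default 202 deny as the last match) and the behaviour reported (a port-forward hit bypassing the ACL entirely) can be modelled side by side. The Python below is an added illustration written for this thread, not the RV260's code or anything from Cisco. The addresses are constructed stand-ins for RemoteIP and LocalIP, the model evaluates the access rules on the post-NAT packet (so the allow rule names port 3389 and LocalIP rather than svc_12345), and whether the RV260 itself checks pre- or post-NAT values is exactly what the thread leaves open, so that is a modelling assumption, not a statement about the device.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addresses; the thread uses the placeholders RemoteIP and LocalIP.
REMOTE_IP = "198.51.100.10"   # the single public address that should be allowed in
OTHER_IP = "203.0.113.7"      # any other Internet host
ROUTER_WAN_IP = "192.0.2.1"   # the router's public address
LOCAL_IP = "192.168.1.20"     # the internal server (IntIP in the thread)
LAN_NET = "192.168.1.0/24"    # VLAN1 (assumed addressing)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    in_iface: str             # interface the packet arrived on: "WAN" or "VLAN1"


@dataclass(frozen=True)
class PortForward:
    ext_port: int             # ExtSvc (svc_12345 in the thread)
    int_port: int             # IntSvc (svc_03389)
    int_ip: str               # IntIP


@dataclass(frozen=True)
class AccessRule:
    action: str               # "allow" or "deny"
    dst_port: Optional[int]   # None matches any service
    src_iface: str            # "WAN", "VLAN1" or "any"
    src: str                  # CIDR or "any"
    dst_iface: str
    dst: str                  # CIDR or "any"

    @staticmethod
    def _in(addr: str, spec: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet, out_iface: str) -> bool:
        return (
            (self.dst_port is None or self.dst_port == pkt.dst_port)
            and self.src_iface in ("any", pkt.in_iface)
            and self.dst_iface in ("any", out_iface)
            and self._in(pkt.src_ip, self.src)
            and self._in(pkt.dst_ip, self.dst)
        )


def apply_dnat(pkt: Packet, forwards: List[PortForward]) -> Tuple[Packet, bool]:
    """Rewrite a WAN packet that hits a port-forward rule to its internal target."""
    for fwd in forwards:
        if pkt.in_iface == "WAN" and pkt.dst_port == fwd.ext_port:
            return Packet(pkt.src_ip, fwd.int_ip, fwd.int_port, pkt.in_iface), True
    return pkt, False


def decide(pkt: Packet, forwards: List[PortForward], rules: List[AccessRule],
           acl_covers_forwarded: bool = True) -> str:
    """Return 'allow' or 'deny' for a new inbound connection.

    acl_covers_forwarded=True : the behaviour the poster expects (DNAT, then ACL).
    acl_covers_forwarded=False: the behaviour the poster observed (a port-forward
                                hit skips the access rules altogether).
    """
    nat_pkt, forwarded = apply_dnat(pkt, forwards)
    if forwarded and not acl_covers_forwarded:
        return "allow"
    out_iface = "VLAN1" if ip_address(nat_pkt.dst_ip) in ip_network(LAN_NET) else "WAN"
    for rule in rules:               # first match wins
        if rule.matches(nat_pkt, out_iface):
            return rule.action
    return "deny"                    # nothing matched: implicit deny


FORWARDS = [PortForward(ext_port=12345, int_port=3389, int_ip=LOCAL_IP)]

# Evaluated top to bottom; 201 and 202 mirror the defaults quoted in the thread.
RULES = [
    AccessRule("allow", 3389, "WAN", REMOTE_IP + "/32", "VLAN1", LOCAL_IP + "/32"),
    AccessRule("allow", None, "VLAN1", "any", "WAN", "any"),    # 201
    AccessRule("deny", None, "WAN", "any", "VLAN1", "any"),     # 202
]


def check(src_ip: str, dst_port: int = 12345, acl_covers_forwarded: bool = True) -> str:
    """Verdict for a new connection from src_ip to the router's WAN address."""
    pkt = Packet(src_ip, ROUTER_WAN_IP, dst_port, "WAN")
    return decide(pkt, FORWARDS, RULES, acl_covers_forwarded)


if __name__ == "__main__":
    for src in (REMOTE_IP, OTHER_IP):
        print(f"{src:>16}  expected={check(src)}  "
              f"observed={check(src, acl_covers_forwarded=False)}")
```

The practical check this stands for is the one the thread implies: probe the forwarded port from a second public address that is not RemoteIP. Under the expected model only RemoteIP gets through and the other address hits rule 202; under the observed model both connect, which is the bypass being reported.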

Duplicate post deleted; the original didn't show - it was flagged as SPAM but has now appeared.