guillaumelavaud
Beginner

[RV320] Deny all outgoing traffic

Hello,

Is there a way to deny all outgoing traffic on my RV320?

I want to "only accept" some services to exit from my LAN to INTERNET (Proxy HTTP, SMTP Gateway)

Best regards

8 REPLIES 8
guillaumelavaud
Beginner

For example, on RV120W and RV220W models, you can check a radio button that corresponds to the desired default outbound policy (allow/deny).

stpa67001
Beginner

You could make an access rule that denies all traffic and then add access rules that allow traffic to specified sites and services. The allow rules should be above the deny rules so they are evaluated first. I attached a screenshot of firewall access rules where I denied all traffic from LAN to any site and then allowed SSH connection to my other router.

Hello,

Thank you for your reply.

This rule will deny all traffic into my LAN?

Nope, it will deny all traffic from your LAN to your WAN (internet); the traffic into your LAN from the WAN is already blocked by the default firewall rules. To see all firewall rules, change "Show 5 items per page" to show 50 items per page.

I'm disappointed with the firewall of the RV320....

Deny all traffic from any LAN IP to any IP (any includes LAN), or I don't understand how it works...?

Only traffic from your LAN IP addresses to a different IP address range (another VLAN on the router, or the internet via the WAN address) can be blocked by the firewall. Packets sent from one LAN IP address to another LAN IP address do not go through the firewall on the router (they are sent directly between the hardware assigned to the LAN IP addresses, normally directed by a switch) and so the firewall cannot block this traffic as it never sees it.

If you need to block traffic between IP addresses on the same LAN you will need to install transparent firewalls that physically sit between the LAN connections for those IPs in order to block traffic. You could use firewall software on the devices/servers themselves, and this may be simpler to set up but may have some performance impact.

Note that restricting traffic between IPs on the same LAN is not an issue specific to Cisco equipment such as the RV320; it's something that has to be considered from a fundamental networking concepts point of view, as in this case it has nothing to do with the router. It has to do with how hubs/switches/etc. pass around packets on the network.

Dan

OK! Thank you stpa67001 and dancrichton :-D

Now I have denied all traffic to another subnet, I need to allow some services.

If I allow a port service, does the firewall consider it a SOURCE port or a DESTINATION port?

In real life, I want all HTTP/HTTPS traffic to use a Squid PROXY_Cache to speak with the internet.

The source port is in a large dynamic range on the server; the destination ports are 80/443.

How can I allow that?

 

Done!

The firewall considers the port Service as the Destination port!

Thank you!
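
The rule ordering, destination-port matching and same-LAN behaviour discussed in this thread, as an added example that is not part of any poster's message and is not Cisco's code: a small Python model of top-down, first-match access rules. The subnet, the proxy and SMTP gateway addresses, and the allow-by-default fallback are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN subnet (assumption)

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR form
    dst_port: Optional[int]   # the rule's service is the DESTINATION port; None = any

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int             # ephemeral client port, never compared to a rule
    dst_port: int

def evaluate(rules, pkt):
    """Return the verdict for pkt using top-down, first-match evaluation."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in LAN and dst in LAN:
        return "not-seen"     # switched inside the LAN, never reaches the router
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action    # first matching rule wins
    return "allow"            # modelled fallback when no rule matches (assumption)

PROXY, SMTP_GW = "192.168.1.10/32", "192.168.1.11/32"  # constructed hosts
EGRESS = [
    Rule("allow", PROXY, 80),
    Rule("allow", PROXY, 443),
    Rule("allow", SMTP_GW, 25),
    Rule("deny", str(LAN), None),        # deny-all sits below every allow rule
]
MISORDERED = [EGRESS[-1]] + EGRESS[:-1]  # deny-all on top shadows the allow rules

if __name__ == "__main__":
    for name, rules in (("EGRESS", EGRESS), ("MISORDERED", MISORDERED)):
        pkt = Packet("192.168.1.10", "203.0.113.5", 51515, 443)
        print(name, "proxy -> 443:", evaluate(rules, pkt))
```

Running the same packets through `MISORDERED` is a quick way to check a rule table for an allow entry that a broader deny above it makes unreachable.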