Re: RVxxx routers: Any way to enter a longggg list of IP ranges to block in Firewall? - Cisco Community

967

Views

0

Helpful

6

Replies

I have a RV260P router and I'm trying to figure out how to block many IP ranges (inbound). All I see is a very limited feature called Access Rules (under Firewall) - but it seems that one would have to create one rule for EACH IP range to be blocked. I did see there's an IP Address Groups (under System Configuration), but the very limited docs/help seems to indicate that is only useful for web filtering?

My goal: since I see thousands of brute force attacks every day (many RDP), I'd like to block whole countries from getting past my "front door" (router). All right, I know that's not realistic since, for example China, would require over 6000 IP ranges. But, since I do have a database of IPs by country (sorted by IP counts), I could create a China list that blocks the vast majority of their IPs (maybe 30 IP ranges)... BUT it doesn't seem like one can create a list-type group of IP ranges (e.g. call it CHINA), then create an Access Rule to block the list group.

If I'm right that the RV series routers have such limited blocking capabilities, can anyone suggest a more robust router that allows for more robust blocking/definitions?

TIA,

Mike

6 Replies 6

Seeing the continuous stream of port scans and other malicious traffic at all my client offices (and my own), I've been thinking lately about how to better protect them/me. Some random thoughts:

- wouldn't it be cool if computers (e.g. a Windows server or workstation) could communicate with the router to block malicious activity? e.g. several RDP brute force attacks with incorrect credentials are detected at a server (or plain old workstation). The computer could tell the router "hey, add this IP address to your block list". And we could configure whether the router blocks just that specific IP, or the entire IP range it belongs to. The block could be permanent, or of a specified duration etc.

- I'd gladly pay my ISP to apply some intelligence as to what traffic they forward to me. e.g. I don't want any traffic from IPs that I see a lot of malicious activity from (or that I simply don;t have any involvement/activity with). e.g. block all of China and Russia... ISPs could also partner with AV companies and maintain a list of know malicious IPs - and block them.

- with such limited Firewall designs as these Rvxxx routers seem to offer, and the fact that most ISP provided routers are even less capable - it's just no surprise that data breaches, ransomware etc. happen WAY too frequently.

You can consider implementing/enabling Cisco Umbrella and/or the enhanced security features like Dynamic Web Filter, Application Visibility, Client Identification and Statistics, Gateway Antivirus, and Intrusion Prevention System IPS on RV34x series routers.

More information is available on the following links:

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configuring-Cisco-Umbrella-RV340.html

https://community.cisco.com/t5/small-business-technical/cisco-rv340-series-and-cisco-umbrella-introduction-and-feature/tac-p/4040103#M425

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/1332-how-to-purchase-and-setup-web-filter-licensing-on-the-rv340.html

Regards,

Martin

I guess the answer to my question is that Cisco has not put much thought into basic firewall design in these SMB routers?

In general if you are not looking any port-fowarding to internal network, outside to inside by default should be denied - that is the basic rule to put in place.

most of the traffic orginate from Lan, so you have control what to allow and what not.

yes you do see lot of logs on outside interface dropped due to scan and ping or trying to get in, that is normal and FW doing its job to drop.

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I do have port forwarding set up (e.g. some external port #'s that forward to internal port 3389/RDP to different computers on my LAN).

BUT, there seems to be a serious flaw (or limitation?) in how Port Forwarding and Access Rules interact. e.g. Assume we define a Port Forwarding rule for port 3389 (external&internal) that forwards to an IP on my LAN, I can't restrict it in any way. ANY external IP that has scanned/discovered this port 3389 gets forwarded to my LAN computer. I tried setting up 2 Access Rules that I thought would only allow some trusted IPs:

1) Allow port 3389 traffic from my trusted IPs (hoping it would then get passed on to Port Forwarding rules)

2) Deny port 3389 traffic on ALL IPs (stop the insane quantity of RDP attacks that we all experience)

BUT, my RV260P apparently prioritizes Port Forwarding over Access Rules, so the above rules accomplish nothing

Not very well thought out IMO. No wonder we are besieged by cyberattacks!

To be clear - I do NOT use port 3389 on the external side