Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

63 posts

Master Geek

Topic # 230648 6-Mar-2018 16:53
Send private message

Hi guys. 


Has anyone found a brand of CPE Modem for vDSL/Fibre etc that has the feature to ALLOW specific IP addresses at the WAN, and IP subnets and by default block all others?


Ideally I'd be able to enable some addreses/ subnets and all others would be blocked e.g. Romania Russia and so forth. 


Cant find this on Asus which look to have best UI and capabilities, open to any others. 











Create new topic
3447 posts

Uber Geek
+1 received by user: 1204


  Reply # 1970030 6-Mar-2018 17:09
3 people support this post
Send private message

The majority (if not all) of the consumer grade routers (Asus, TP-Link, Netcomm etc) operate with a default "DROP ALL" rule. And then generally have a a GUI for making specific "ACCEPT" rules. They pretty much all can do this when creating port forwards too.


But what are you actually trying to achieve? Remote access to the router? Or remote access through to an internal server via a port forward?


If you want more granular control you need to look to the more business-y/pro level routers like Mikrotik or Ubiquiti Edgerouter. These will ship with no default config and assumes the user knows what they are doing so the learning curve can be steep depending on your current understanding of networks and firewalls.


Personally Mikrotik wins all around for me - for me winbox must be one of the most functional GUI's around. I use Mikrotik for business clients as I know I can configure literally anything that gets asked or is required for the site/sites. Ubiquiti is maybe a little more towards the "pro-sumer" side with an OK GUI, but also things like wizards that guide through initial config etc - to do anything decent though you have to get on the command line which is just inconvenient. 

2336 posts

Uber Geek
+1 received by user: 759

Lifetime subscriber

  Reply # 1970035 6-Mar-2018 17:37
One person supports this post
Send private message

I think the feature you are looking for is to permit some IP addresses, but the "some" is hard to determine.


BGP and dynamic routing protocols could help, as could full featured routers / IDS like the Sophos UTM Firewall. Haven't played with it before but it looked promising:



63 posts

Master Geek

  Reply # 1970063 6-Mar-2018 17:43
Send private message

hi thanks for your help.

Ideally i'd still stay consumer although I really want the capability.

I have a coupl of ports port forwarded to lan devices and I want to restrict the WAN IP source address.

That way I can significantly reduce the risk opening just select addresses and subnets.

At least then i'll remove romania, russia , china from the addresses.

Just to make it one more step harder than an open port.

I might move to a VPN server on the CPe as notice the next step up on cpe from the default IsP supports it.

Just a bit of a pain vpn in from phone, AND then run TinyCamPro to view the remote survaillence.

The IP address filtering on the cameras were hopeless as it only supported an exact host address not a subnet.

So thats what im acheive.

Any further ideas? Where do i source the cpe you mentioned although still hoping for a consumer cpe solution?

Any further ideas?

63 posts

Master Geek

  Reply # 1970066 6-Mar-2018 17:48
Send private message

Thanks for your thoughts really appreciate your time.

Spent quite a few years in telco and networking & so getting something working even slightly complex is fine for me.

But the older I get I just want this stuff to work, not waste time I could be drinking my cocktail haha, nice GUIs are okay too!

3447 posts

Uber Geek
+1 received by user: 1204


  Reply # 1970120 6-Mar-2018 19:24
Send private message

Maybe look at loading a third-party firmware on to a router like one of the many OpenWRT variants (DD-WRT, Tomato, Gargoyle etc). Generally just gives better GUI access to the firewall and will allow you to do things like specify subnets.


The only thing that will hold you up there is doing that on modem/router combos as generally there is no support for the modem portion in the third party firmwares.


Personally, I think VPN is actually simpler long term - not to mention a butt load safer. Maintaining an address list of all the NZ IP ranges is annoying unless you can automate it.


If you are keen for a play, grab yourself a little baby Mikrotik, use that as a VPN server (unless you already have hardware that can handle it), and then there is just one port forward to be done on the router to the VPN server.


Oh and standard disclaimer re port forwarding to CCTV devices these days.


Edit: Also as you mention, generally the basic stuff only supports using single hosts rather than subnets in your rules.

26472 posts

Uber Geek
+1 received by user: 6027

Biddle Corp
Lifetime subscriber

  Reply # 1970344 7-Mar-2018 08:24
2 people support this post
Send private message

I won't add anything to the thread except to say that a port forward to a camera is one of the dumbest thing you can ever do on the Internet. A blacklist/whitelist of IP ranges does nothing for security unless you're locking this to a single IP that you fully control.







63 posts

Master Geek

  Reply # 1970556 7-Mar-2018 12:49
Send private message

starting to believe maybe Draytek support this?

need to try confirm if its in their pro-sumer devices.

63 posts

Master Geek

  Reply # 1970559 7-Mar-2018 12:54
Send private message

And that would indeed be why I am trying to do something about it and the cause for the thread in the first place.

Its been fine for 5 years, and only a recent problem because of a discovered backdoor issue.

Security is a balence of risk and convenience.

My view is the risk is likely mitigated stricting the access IP to subnets I use on my services.

Additional notifications for illegal login attempts etc, and lock out timers further.

I might still implement VPN bar for obvious inconvenience, two step access.

63 posts

Master Geek

  Reply # 1973391 12-Mar-2018 16:24
Send private message

Hey guys.  An update to share for  others following/ learnings and some questions. 


Anyone know an "OpenVPN" capable windows 10 software?


What's a good android based port scanner which does UDP as well - OpenVPN uses UDP 1194. I want to validate ports are indeed closed and I'm all secure. I had FING but it seems to be only for TCP?




-I ended up purchasing a ASUS DSL AC68U -


-really quite impressive CPE for reasonable cost. DOESNT do WAN IP Address filtering but does do VPN Server. 


-works on SPARK vDSL no probs ~65Mb download. 


-Good beam forming on 802.11ac and seems better WiFi coverage for sure 


-So I've tested it with VPN Server, configured for OpenVPN, generated the auth certificate generated from the Router and installed on my android on OpenVPN VPN app, will do same for windows 10 laptop.  




Works well, been testing it this week.  Enable DDNS and the generated OpenVPN Cert takes that configuration into account (DDNS Domain instead of WAN IP) , and the Client CERT just knows to resolve the DDNS Domain- like magic.


Bit of a two step process to access the internal LAN Camera network, start VPN which can be made one click, and then click on camera TinyCam etc  - but not so inconvenient that I probably wont do it. 




Seems not too many pro-sumer CPE do WAN Filter IP address amazingly - I see it in SPARKS Huawei 659B (business) but I didn't test it to see if it worked, locking down WAN IP Address subnets might be okay for some balance risk vs convenience.  SPARKs Mobile and Broadband subnets are easy to collect. 























346 posts

Ultimate Geek
+1 received by user: 68

  Reply # 1973525 12-Mar-2018 20:21
Send private message



Anyone know an "OpenVPN" capable windows 10 software?



On my Win 10 laptop I use OpenVPN's own free version, plus its GUI program:


These days the GUI program is supposed to be bundled with the client software, but it is a long time since I last updated mine, and back then it was a separate program.

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

News »

N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08

Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03

Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27

Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13

Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00

Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12

Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52 to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34

Enable doubles fibre broadband speeds for its most popular wholesale service in Christchurch
Posted 2-Jun-2018 20:07

All or Nothing: New Zealand All Blacks arrives on Amazon Prime Video
Posted 2-Jun-2018 16:21

Innovation Grant, High Tech Awards and new USA office for Kiwi tech company SwipedOn
Posted 1-Jun-2018 20:54

Commerce Commission warns Apple for misleading consumers about their rights
Posted 30-May-2018 13:15

IBM leads Call for Code to use cloud, data, AI, blockchain for natural disaster relief
Posted 25-May-2018 14:12

New FUJIFILM X-T100 aims to do better job than smartphones
Posted 24-May-2018 20:17

Stuff takes 100% ownership of Stuff Fibre
Posted 24-May-2018 19:41

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.