Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


21 posts

Geek


Topic # 242191 15-Oct-2018 16:12
Send private message quote this post

Hey all
I have a issue with my firewall on my USG

I have two vlans setup, Vlan 10 and 40
I have a PC on vlan 10 and a server on vlan 40

I have a rule setup to stop cross talk between the vlans, which works fine.
I then went to set a rule to allow ssh and http between the PC and the server.

First I found that I had to set a rule for both directions, PC->Server and then a reply back from Server -> PC
So I created a group with both the server and the PC's IP addresses and set a single rule from group to group
Rather than having two rules for each direction.
This worked fine.

I then went to add a port group to the rule to limit it to just ssh (22), and applied it to the firewall.
Broken.

If I allow any traffic it works fine, but the moment I add a port restrction it breaks.

Screenshots attached for reference.


Create new topic
defiant
676 posts

Ultimate Geek
+1 received by user: 310

Lifetime subscriber

  Reply # 2108303 15-Oct-2018 16:35
Send private message quote this post

I think the problem is due to the fact that the source port is usually a random high port, as opposed to being the same as the destination port so the return traffic is being blocked. You want to allow related and established packets through your vlan in/local interface.

 

I use an edgerouter, and the below is how I have setup my vlan's:

 

Click to see full size

 

Click to see full size

 

Click to see full size

 

Click to see full size

 

Click to see full size

 

The default action on both GWN_IN and GWN_LOCAL is drop, so you'll see I allow specific things like DNS and DHCP. In addition I allow GWN to talk to anything apart from 192.168.0.0/16 so that it can access the internet, but not access anything in other vlans unless I've specified it above.

 

Not sure how that translates to USG but hopefully that'll help




21 posts

Geek


  Reply # 2108310 15-Oct-2018 16:49
Send private message quote this post

dfnt:

 

I think the problem is due to the fact that the source port is usually a random high port, as opposed to being the same as the destination port so the return traffic is being blocked. You want to allow related and established packets through your vlan in/local interface.

 

I use an edgerouter, and the below is how I have setup my vlan's:

 

Click to see full size

 

Click to see full size

 

Click to see full size

 

Click to see full size

 

Click to see full size

 

The default action on both GWN_IN and GWN_LOCAL is drop, so you'll see I allow specific things like DNS and DHCP. In addition I allow GWN to talk to anything apart from 192.168.0.0/16 so that it can access the internet, but not access anything in other vlans unless I've specified it above.

 

Not sure how that translates to USG but hopefully that'll help

 




I already have related and established enabled on the rule
Could it be getting confused as the fact its only one rule for both directions?
Trying to be clever and reduce the number of rules, but trying to do too much


334 posts

Ultimate Geek
+1 received by user: 79


  Reply # 2108324 15-Oct-2018 17:15
Send private message quote this post

With a "normal" firewall we usually only talk about stateful connections. The firewall usually maintains a state table, so any returning traffic is automatically allowed. So only a single rule is required. That whole new/related/established stuff is quite odd from a 100% firewall point of view. 

 

I'd wager its to do with your "Test IP" using both addresses in the source and destination parts of the rule. Then that weird ass statefulness check is screwing the return traffic up (due to it being on a port > 1024).

 

Make your address objects individual, that or get a real firewall :D

 

 

 

 


defiant
676 posts

Ultimate Geek
+1 received by user: 310

Lifetime subscriber

  Reply # 2108421 15-Oct-2018 19:24
Send private message quote this post

Have you got any firewall rules on your main lan interface? I don't.

 

Also, you don't specify source ports, just leave that as ANY and the destination ports will be whatever you want

 

And put the established/related as its own rule at the very top as having it combined with your attempted rule isnt going to match any reply traffic

 

e.g.:

 

Click to see full size


Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.