Draytek Routers – limiting port forwarding to defined IP addresses
Written by Grant on July 16, 2012 – 10:23 pm

I use Draytek routers almost exclusively as they have a great feature set and excellent hardware reliability (except the cheap Chinese AC adaptors they supply – they still suck!). These features outweigh their main problems, which I document here: Draytek Weirdness

One problem I find is that I always like to leave myself a few ways into a network: for example, if the main Windows server that terminates PPTP VPN is down, I cannot PPTP into the network and then connect to a server’s ILO/DRAC card to diagnose from there. Having direct port forwarding through to an ILO card, or to the IP-KVM switch of a multi-server customer, suddenly becomes important. While I could log in to the Draytek router and add the port forward, do my work, then delete the port forward later, I’ll probably forget! Besides, it would be nice to have the port forward active 24*7 and have it locked down to just my IP address so it cannot be exploited as easily.

This technique is also useful for other “dangerous” port forwards you may like to set up where you don’t really trust the hardness of the application/service to defend itself from attack: VNC, FTP, a basic single-purpose web site, telnet access to a SCADA network at a nuclear facility….

With the Draytek firewalls you can add a data filter to block all IPs to a certain host/port combination *EXCEPT* your IP address. This is a neat trick; it is not well documented, and the procedure differs between many models of Draytek routers.

The key is defining “all IP addresses EXCEPT MINE”, and realising that some Draytek routers have a selectable “NEGATION” option while those that don’t allow you to prepend the “!” operator to your IP address. As is usual in the IT world, the “!” (bang) operator negates/inverts the IP address; in this case “!203.206.169.114” means “all IP addresses EXCEPT 203.206.169.114”. Using this logic, a simple filter to block everything *except* our IP address suddenly becomes possible.

So let’s take an example: I want to forward RDP (tcp/3389) to my customer’s server (192.168.10.10) but only from one of my office’s IP addresses (203.206.169.114).

V2800

This example is being done on a Draytek V2800 router. As I use this technique at every customer site from now on, if I notice significantly different router interfaces I will document the same procedure for them here.

1) OK, first you define the standard port forwarding just as you normally would. This opens up a forward from *all* external WAN IPs to the internal host IP for the defined port(s).

This can now be locked down to a certain WAN IP address by adding a simple Data Filter Rule…

2) Go into FIREWALL | Filter Setup. The default config will show 2 pre-defined Filter Sets: 1 is a Call Filter and 2 is a Data Filter; we want to select “2 – Default Data Filter”. The default config will now show one rule already active, so we hit the “2” button to open the second Filter Rule.

3) You give this rule a name, such as “Lock Down RDP”

4) Check the box to ENABLE the rule

5) Set the BLOCK/PASS to “BLOCK IMMEDIATELY”

6) Set DIRECTION to “IN”;  Protocol to “TCP”

7) Set the SOURCE IP Address to “!203.206.169.114” and MASK to /32; leave any “source ports” blank or set to any, as these are dynamic. Note the “!” NEGATION here! This is vital.

8) Set the DESTINATION IP to match your SERVER’s IP (same as you used in the port forwarding); Destination Mask is /32; Destination ports FROM=1-65535 (any) / TO=3389-3389

9) If you have Keep State or Fragments, leave them (and anything else!) at the default

That’s it. Click to save, and now test by trying to telnet to that WAN IP on port 3389 from your IP address (it should ‘connect’ with a blank screen) and from a public IP different to yours (it should not connect).

You can also limit to *multiple* public addresses. To do this you chain (Draytek call it “Branch Out”) a few data filters, and also set some to “Block unless further match found”.

Example Data Filter for V2820

Newer Draytek Models – IP Groups and “negation” is broken

We see above in step 7 that we need to “NEGATE” our Source IP address — this is so the firewall logic will apply to all IP addresses that match the rule “EXCEPT” our defined (and negated) IP Address

Newer routers from Draytek move towards IP Objects and IP Groups. These allow you to easily set up multiple IP addresses (IP Objects) in a single IP Group, and then use that IP Group in a rule. However, this does not work when you are relying on the NEGATION or INVERSION; even just adding two IP Objects that are negated won’t work. The logic inside the routers is faulty, it seems, and cannot handle ‘double negation’.

I believe in this situation you need to create multiple, sequential Data Filter rules, one for each IP address you wish to pass, with the final one being the BLOCK rule. Really messy; Draytek could have allowed using IP Groups.


6 Responses

  1. Thanks – very helpful, it set me on the right track.

    Just to make it clearer for those with later models of routers/firmware:

    When editing “Source IP” you need to tick the box labelled “Invert Selection”

    This will then add the exclamation mark at the beginning of the IP address.

    In “Service Type” Source port = 1 ~ 65535
    Destination Port = 3389 ~ 3389

    Hope this helps.

  2. Hello,
    I have also used Draytek routers for a long time and like the features that they include. I have used the firewall before to block access to a single IP for RDP etc., but now I need to allow two IPs access to RDP (3389) and I have never been able to get this to work on the 2830.
    Is there a way that you know of to allow only two IP addresses to get through the firewall to use Remote Desktop?
    Any help would be appreciated.

    Regards

  3. Hi Shane

    The issue is trying to put two “negated” IP addresses in one firewall rule field.

    The only thing I can think of is using IP Objects and IP Groups. Of course the router would need to support these – again, some models don’t – I know the newer Drayteks do (V3200 for example, and I checked a customer’s V2830 and it has IP Objects/Groups too)

    The idea is you create two IP Objects, one for each external IP address – note that they should be “NEGATE” IP Objects (Negate option selected, or use an exclamation mark “ !xxx.xxx.xxx.xxx ”).

    You then add these two IP Objects into an IP Group. You then use the IP Group in the firewall Data Filter

    I’ve used this concept of IP Groups and it works well

    Good luck,
    Grant

  4. Hello all,

    The way I solve the problem of allowing multiple IP addresses to a specific server is to add a rule for every IP address to ALLOW access and then add a final rule to BLOCK everything else.

    For example:
    – navigate to Firewall >> Filter Setup >> Default Data Filter
    – edit filter rule 2 and name it “Allow IP1” for example
    – set direction WAN->LAN
    – select source IP, do NOT use the “invert selection” option
    – select destination IP and service type
    – set action to “Pass immediately”

    – edit filter rule 3 in the same way as rule 2 with the second source IP you want to allow access selected

    – edit filter rule 4 and name this “Block ALL”
    – set direction WAN->LAN
    – set source, destination and service type to ANY
    – set action to “Block immediately”

    If you need to add more rules, simply shift the last “Block ALL” rule down and insert a new filter to allow another source IP.

    Regards

  5. On a Vigor 2760n I had to set it up a little differently.
    Using the previously mentioned methods I either ended up with all being passed or all being blocked.
    This is what worked for me to allow access only to my SQL server and only from one public IP.

    Rule 2: Block SQL
    Direction: Wan > LAN
    Source IP: Any
    Destination IP: Any
    Service Type: Protocol TCP, Source Port 1 ~ 65535, Destination Port 1433 ~ 1433
    Filter: Block if no further match

    Rule 3: Pass SQL
    Direction: Wan > LAN
    Source IP: x.x.x.x (Public address to allow)
    Destination IP: 192.168.0.10
    Service Type: Protocol TCP, Source Port 1433 ~ 1433, Destination Port 1433 ~ 1433
    Filter: Pass immediately

    A port scan for port 1433 from a public online scanner showed the port as closed.
    A test from the allowed address showed as 1433 accessible.

  6. Thanks for the update – my fleet of 2760’s is starting to grow at my smaller sites, so having some info on their firewall settings is very useful! – Grant
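The three rule layouts on this page (the post’s single negated-source rule from step 7, the pass/pass/block chain in comment 4, and the “Block if no further match” ordering in comment 5) as an added simulation of the filter logic; this is not code from the post or from Draytek. The addresses 198.51.100.7 and 203.0.113.9 are constructed, and the OR-combination of IP Group members is an assumption used only to illustrate why a group of negated objects cannot express “all except these”.

```python
import ipaddress

# Filter actions as named in the Draytek "Block/Pass" drop-down on this page.
PASS_NOW, BLOCK_NOW = "Pass immediately", "Block immediately"
PASS_LATER, BLOCK_LATER = "Pass if no further match", "Block if no further match"

def ip_matches(addr: str, spec: str) -> bool:
    """spec is 'any', 'a.b.c.d/len' or '!a.b.c.d/len'; a leading '!' inverts the match."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def rule(name, src, dst, dport, action):
    return {"name": name, "src": src, "dst": dst, "dport": dport, "action": action}

def evaluate(rules, src, dst, dport, default="pass"):
    """Walk the data filter top to bottom. An '... immediately' action ends evaluation;
    an '... if no further match' action only sets the verdict used if nothing later matches.
    The default is 'pass' because the port forward itself already admits the traffic."""
    verdict = default
    for r in rules:
        port_ok = r["dport"] == "any" or dport == r["dport"]
        if not (port_ok and ip_matches(src, r["src"]) and ip_matches(dst, r["dst"])):
            continue
        if r["action"] in (PASS_NOW, BLOCK_NOW):
            return "pass" if r["action"] == PASS_NOW else "block"
        verdict = "pass" if r["action"] == PASS_LATER else "block"
    return verdict

ME, SERVER = "203.206.169.114", "192.168.10.10"   # addresses used in the post
OTHER = "198.51.100.7"                              # constructed untrusted address
IP2 = "203.0.113.9"                                 # constructed second office address

# 1) The post's single rule: block 3389 from everything EXCEPT the negated source.
LOCK_DOWN_RDP = [rule("Lock Down RDP", "!" + ME + "/32", SERVER + "/32", 3389, BLOCK_NOW)]

# 2) Comment 4: one "Pass immediately" per allowed address, then a catch-all block.
ALLOW_CHAIN = [rule("Allow IP1", ME + "/32", SERVER + "/32", 3389, PASS_NOW),
               rule("Allow IP2", IP2 + "/32", SERVER + "/32", 3389, PASS_NOW),
               rule("Block ALL", "any", "any", "any", BLOCK_NOW)]

# 3) Comment 5: a provisional block first, a specific pass after it.
SQL_CHAIN = [rule("Block SQL", "any", "any", 1433, BLOCK_LATER),
             rule("Pass SQL", ME + "/32", SERVER + "/32", 1433, PASS_NOW)]

def negated_group_matches(addr, members):
    """Assumed OR-semantics for an IP Group whose members are each negated:
    '!A or !B' is true for every address, including A and B themselves."""
    return any(ip_matches(addr, "!" + m + "/32") for m in members)
```

Run `evaluate(LOCK_DOWN_RDP, OTHER, SERVER, 3389)` to see the block, and `negated_group_matches(ME, [ME, IP2])` to see that a negated group still matches the address it was meant to exempt.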
