DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

limit port access based on source IP address?

01 Sep 2014 16:20 #81124 by protech
Hi,

I know the Vigor 2850 allows port redirection and open ports,
but can it be setup so that it only allows access to ports
listed in the port redirection or open ports, from specific
external IP addresses?

e.g. say I only wanted to allow RDP 3389 for the following 3 external IP addresses?

204.233.45.22 \
12.44.33.4    --> WAN:Vigor-2850:LAN --> Host PC
53.33.4.235   /

If it can do this, then how?

Thanks

PT

11 Sep 2014 13:55 #81214 by frag
If I understand what you're asking for, it should be achievable using the firewall rules.

Firstly you open the ports using the NAT menu.

Then you use the firewall to restrict access so only some public IP addresses can access those services.

You will need to configure 2 rules under the Default Data filter.

RULE 1
Direction WAN-LAN
Source: Trusted IP addresses
Destination: Any
Service: Any to 3389
Action: Pass Immediately

RULE 2
Direction WAN-LAN
Source: Any
Destination: Any
Service: Any to 3389
Action: Block Immediately

The first rule will allow all traffic from your trusted addresses through the firewall and the second rule will block all other public IP addresses. Amend these settings to suit the deployment.

16 Sep 2014 10:20 #81238 by protech
Thanks :)

26 Sep 2014 16:17 #81292 by sicon

Frag wrote: If I understand what you're asking for, it should be achievable using the firewall rules.

Firstly you open the ports using the NAT menu.

Then you use the firewall to restrict access so only some public IP addresses can access those services.

You will need to configure 2 rules under the Default Data filter.

RULE 1
Direction WAN-LAN
Source: Trusted IP addresses
Destination: Any
Service: Any to 3389
Action: Pass Immediately

RULE 2
Direction WAN-LAN
Source: Any
Destination: Any
Service: Any to 3389
Action: Block Immediately

The first rule will allow all traffic from your trusted addresses through the firewall and the second rule will block all other public IP addresses. Amend these settings to suit the deployment.
Did this work?

31 Dec 2014 12:41 #82222 by protech
Hi

Unfortunately no. Does anyone have any other ideas how to do this? On other firewalls it is straightforward.

Any ideas?

Thanks

31 Dec 2014 20:02 #82224 by j1mbo
The firewall on the Draytek is very odd - here's how I set this up.


  • Remove 3389 from open ports

  • Under 'Object Settings', 'IP Object', create an entry for each of the source addresses. I call these entries by their public IP, i.e. Host-15-133-121-2 (random address)

  • Under 'Object Settings, 'IP Group', create an entry containing the IP Objects just created. Call it something logical e.g. RDP-Allowed-Hosts

  • Under Nat, Port Redirection, create an entry Mode: Single, Service Name RDP, Protocol TCP, WAN IP All, Public Port 3389, Private IP (internal address), Private Port 3389. Configuring it here means you can easily change the port later if you need to, for example to provide access to another server on a different port etc.

  • Under Firewall, ensure Call and Data Filters are enabled. Call filter is used to create rules that will cause a dial-up (e.g. if using 3G), and can essentially be ignored for always-on connections like DSL.

  • Under Firewall, Filter Setup, under Data Filter (if there is space) create a rule: Comment RDP-Access, Direction WAN->LAN/RT/VPN, Source IP: Group, Select the group from the IP Group list, Destination IP: Internal server IP, Service Type from any to 3389, Action Pass Immediately. Ensure the rule is enabled.

  • Create a block-all rule next below the RDP allow rule (WAN->LAN/any/any/any/block immediate)


If you have run out of entries in the Data Filter list, you can chain the rules onto another set. Personally I tend to have separate filter sets for Inbound and Outbound then the Data set (set 2) becomes just 1. xNetBIOS->DNS, 2. Inbound Rules, 3. Outbound Rules. But that's purely personal preference :)

The above posting should basically do the same but I've not tried it with open ports instead.

Hope that helps.

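The two rule sets above (frag's pair under the Default Data Filter and j1mbo's IP Group plus block-all pair) both rely on the Vigor's data filter being an ordered, first-match list, where "Pass Immediately" and "Block Immediately" stop evaluation at the first rule that matches. The model below, an added example that is not the router's firmware and not code from any poster, evaluates constructed packets against both rule sets and includes a small "shadowed rule" check that flags the classic mistake of placing the block rule above the allow rule. The trusted addresses are the three from the original question; the internal server address 192.168.1.10, the untrusted source 198.51.100.7 and the assumption that an unmatched inbound packet falls through to the filter's default (taken here as pass) are all assumptions made for the example.

```python
"""Ordered, first-match model of a Vigor-style data filter.

Added example: this is not DrayTek code, and the firmware's real evaluation
engine may differ in details.  All addresses are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object Settings -> IP Object: one /32 per trusted public address.
IP_OBJECTS = {
    "Host-204-233-45-22": ipaddress.ip_network("204.233.45.22/32"),
    "Host-12-44-33-4": ipaddress.ip_network("12.44.33.4/32"),
    "Host-53-33-4-235": ipaddress.ip_network("53.33.4.235/32"),
}
# Object Settings -> IP Group: the group referenced by the allow rule.
IP_GROUPS = {"RDP-Allowed-Hosts": list(IP_OBJECTS)}

INTERNAL_RDP_HOST = "192.168.1.10"   # assumed private IP of the RDP server


@dataclass
class Rule:
    comment: str
    src_group: Optional[str]   # None means Source: Any
    dst: Optional[str]         # None means Destination: Any
    dst_port: Optional[int]    # None means Service: Any
    action: str                # "pass" or "block", both "Immediately"


def src_matches(rule: Rule, src_ip: str) -> bool:
    """Source check: Any, or membership of any IP Object in the named group."""
    if rule.src_group is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in IP_OBJECTS[name] for name in IP_GROUPS[rule.src_group])


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int,
             default: str = "pass") -> Tuple[str, str]:
    """Walk the filter top to bottom; the first matching rule decides.

    Returns (action, rule comment).  A packet matching no rule gets the
    filter's default action (assumed to be pass here).
    """
    for rule in rules:
        if (src_matches(rule, src_ip)
                and (rule.dst is None or rule.dst == dst_ip)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action, rule.comment
    return default, "default-filter"


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b would already have matched a."""
    return ((a.src_group is None or a.src_group == b.src_group)
            and (a.dst is None or a.dst == b.dst)
            and (a.dst_port is None or a.dst_port == b.dst_port))


def shadowed(rules: List[Rule]) -> List[str]:
    """Comments of rules that can never fire because an earlier rule covers them."""
    return [b.comment for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]


# frag's pair: allow trusted -> 3389, then block everyone else -> 3389.
FRAG_RULES = [
    Rule("Pass-Trusted-3389", "RDP-Allowed-Hosts", None, 3389, "pass"),
    Rule("Block-Any-3389", None, None, 3389, "block"),
]

# j1mbo's pair: allow the group to the server on 3389, then block all inbound.
JIMBO_RULES = [
    Rule("RDP-Access", "RDP-Allowed-Hosts", INTERNAL_RDP_HOST, 3389, "pass"),
    Rule("Block-All", None, None, None, "block"),
]


if __name__ == "__main__":
    for name, rules in (("frag", FRAG_RULES), ("j1mbo", JIMBO_RULES)):
        print(name, evaluate(rules, "204.233.45.22", INTERNAL_RDP_HOST, 3389))
        print(name, evaluate(rules, "198.51.100.7", INTERNAL_RDP_HOST, 3389))
        print(name, evaluate(rules, "198.51.100.7", INTERNAL_RDP_HOST, 443))
    print("shadowed if reversed:", shadowed(list(reversed(FRAG_RULES))))
```

The difference between the two rule sets shows up on a packet to a port other than 3389: frag's second rule only blocks 3389, so anything else inbound falls through to the filter's default, while j1mbo's block-all rule drops every other inbound packet, so any further port redirections need their own allow rule placed above it. Whichever set you use, verify it from a host that is not in the group, for example with `nc -vz -w 3 <WAN-IP> 3389`, and again from a listed address; a connection that succeeds from the outside host means the allow rule is being matched too broadly or an Open Ports entry is still bypassing the filter.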
