Default set of Firewall rules to start with?

The link to Sit Lonng is referring back to this page…

No I don’t know a local partner. My supplier (3G Store) referred me to this forum.

ScooterIT,

It looks like you haven’t recently contacted us for support since February. We provide all our Peplink support in house by phone and e-mail for our customers. I’ve got your order information and we’ll reach out to you directly.

Thanks!

1 Like

There are many of us who have not used routers with this type of depth and complexity and who are not complete noobs either.

I think a simple request to be able to view a sample set of complex firewall AND routing rules that we can look at and analyze how they work - and no doubt we could learn something - as opposed to saying “put one in when you find out you need it”. That is a non-answer where nothing is learned, and not very helpful - imo.

Indeed it has been a while on my todo list.
I called a while ago asking about how to set the firewall and was told there was a list with settings. When I called back in February to get more details I did not get much of an answer.
Happy to see that Valery reached out to me earlier today.

I do understand that every environment is different but there should be a tutorial of some form to get started.
For example, when I fill in the SMTP server with port number etc. to allow traffic to be sent out, I am still not able to send email to that server. Clearly I am missing something very basic.
It's frustrating that there is no help for solving basic problems like that.

Looking forward to your advice.

Rogier

Thanks!

I love Peplink products for their excellent easy to understand UI.
Not a complete noob myself but getting stumped from the beginning with something basic and having to beg for advice is frustrating.

Hello,

Thank you all for the informational feedback. If it hasn’t been mentioned before, we do have a Knowledgebase that goes more in depth than the manual. For example, see the link below specifically for FW setup:
http://www.peplink.com/knowledgebase/properly-configuring-your-firewall-rules/

We will take this feedback into consideration moving forward on improving our KB regarding our various features.

1 Like

Why is it so hard to post a very complex set of firewall and outbound rules as a reference?

Agreed

Frankly this is a very minimal explanation about setting firewall rules.
How about only allowing regular web traffic + Email via IMAP / SMTP with and without SSL to the most common email providers. Say Gmail and MS 365 Exchange. My understanding is that by not setting any firewall rules our doors are wide open…

Hi,

A detailed guide on how to define the firewall rules can be found in the product user manual (pages 173-177).

You can download the user manual using the URL below:

If you go through the user interface for the firewall access rules, you will find that the UI is easy to understand and easy to use. There are only 3 types of firewall rules that you need to define:

1. Outbound Firewall Rules

This table displays all the configured outbound firewall rules and their details. Dragging a rule up/down changes its priority; a higher position signifies higher precedence.

For every new outbound IP session (i.e. sessions going to WAN side), rules will be matched from the top to bottom. The matching process stops when a rule is found to be matched.

If an outbound IP session does not match any of the rules listed, the Default rule will be applied.

2. Inbound Firewall Rules

This table displays all the configured inbound firewall rules and their details. Dragging a rule up/down changes its priority; a higher position signifies higher precedence.

For every new inbound IP session routed to a host on the LAN (i.e. sessions coming from WAN side), rules will be matched from the top to bottom. The matching process stops when a rule is found to be matched.

The inbound firewall rules only apply to the following types of traffic:

  • Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
  • Inbound traffic that is defined in Inbound Services
  • Inbound traffic that is defined in Inbound NAT Mappings

If an inbound IP session does not match any of the rules listed, the Default rule will be applied.

3. Internal Network Firewall Rules

This table displays all the configured internal network firewall rules and their details. Dragging a rule up/down changes its priority; a higher position signifies higher precedence.

For every new internal network IP session (i.e. sessions between LAN / VLAN / Static route networks / PepVPN networks / IPsec networks / L2TP with IPsec clients / PPTP clients), rules will be matched from top to bottom. The matching process stops when a rule is found to be matched.

If an internal network IP session does not match any of the rules listed, the Default rule will be applied.

Note: The device WebUI help menu actually explains the above types of rules and when you need to define each of them.

The complex part is actually not how to define the firewall rules; it’s the IT knowledge of the applications running on the networks. As explained earlier, you need to fully understand the required service ports for the application in order to allow the connections. There are millions of types of applications running on the internet, so there is no general guide for this. As mentioned, you should get that info from the application support.

Let’s further discuss the posted questions:
web traffic + Email via IMAP / SMTP with and without SSL to the most common email providers. Say Gmail and MS 365 Exchange.

  1. To allow Web Traffic:
     Default Ports: DNS (UDP 53), HTTP (TCP 80), HTTPS (TCP 443)
     Customized servers: other ports based on the servers
     Firewall Rules Type: Outgoing firewall rules

  2. Email
     Gmail: Add Gmail to another email client - Gmail Help
     Office 365: Microsoft 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn
     Firewall Rules Type: Outgoing firewall rules

My understanding is that by not setting any firewall rules our doors are wide open…

This is not correct.

Outgoing firewall rules

  • This only controls LAN users’ access to the internet (Not Applicable)

Inbound firewall rules
The inbound firewall rules only apply to the following types of traffic:

  • Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
  • Inbound traffic that is defined in Inbound Services
  • Inbound traffic that is defined in Inbound NAT Mappings
    Note: If you don’t have the above defined, basically no inbound access is allowed.

InterVLANs
InterVLAN traffic and other (Not Applicable)

Thank You

1 Like

I still find it amazing that you are unwilling to show a complex set of rules for firewall and outgoing that one can read through to understand the capabilities - as well as those not thought of.

A picture is worth a thousand words.

As sitloongs stated, the hard part is not setting up the firewall rule in the Peplink, it’s finding out all the ports and protocols you’ll need to allow out of or into the network. There is no one master list of rules that you can be referred to that says ‘block x, allow x for gmail’ or ‘block x, allow x for VoIP.’ Below is an example of how we can allow outbound VoIP traffic, but this won’t apply to everybody since your provider may be different with different ports and destination servers. This rule essentially says any IP address on our network that is going to use port 5060 with a destination address of 8.23.x.x (ip removed by me) and port 5060, allow that traffic.


We had to reference our VoIP provider’s documentation in order to get those values. Hopefully that helps!

1 Like

Hi, not sure it’s related, but I am new to setting up firewall rules myself and thus on my new Balance 20 wasn’t sure where to start, so this may help. If you already have broadband access, check out your anti-virus package. I use McAfee, and under “Web & Email Protection” -> Firewall -> “Port and System Services” you will see all the ports that McAfee has open and a description of what each port is for (Windows Firewall also has some useful information at program level under “Control Panel -> Windows Firewall -> Advanced Settings”). If you want to see a more complete list of ports, then this link at Wikipedia has a long list of what ports are typically used for what -> List of TCP and UDP port numbers - Wikipedia.

Hope that helps.

1 Like

I followed that link, which appears in a lot of places on peplink. That is one of the worst articles I have ever seen for anything that purports to be a tutorial of any kind. Rewrite it!!! Start with several different examples of REAL situations. Like allowing IMAP emails, allowing Internet traffic, Outlook to get and send emails via POP3. Allowing Slack notifications. You don’t have to show all of the 100’s, thousands?, of different protocols, but enough so that a newbie can get a good feel of how your firewall rules work.

Most of the time I use the Surf SOHO where the computers on the LAN side have their own firewall rules. This is the first time I’ve tried to use the built in firewall, or even had a need to. Some things, like inbound “deny all” do not work the same on different routers. Ideally, I’d like to see a document, or thread, where “most common” rules are listed. Frankly, I was shocked at how little documentation exists for the Peplink firewalls.

I’d like to share my Balance One firewall rules, that I defined using InControl2, with the community as a best-practice startup example for beginners and a discussion basis for the experts (I’d be happy to receive professional feedback). My Balance One is conducting NAT using two provider WANs (both provider modems do full-range port forwarding to my Balance One → = DMZ).

  • untagged LAN: Normal Intranet (Cell phones, tablets, NAS, PCs)
  • VLAN 206: Webcam (no WAN-Access)
  • VLAN 210: IOT / Smart Home devices
  • VLAN 215: Working from Home devices
  • VLAN 250: Guest WLAN

Outbound rules:

  • First start with some country blocking,
  • then prevent Multicast-, UPNP, and private subnet-routing (Netbios and SMB rules not needed, as I blocked them with additional Application Blocking rules, already):
  • use ACL to allow some devices access to my 2 WAN provider modems 192.168.200/201.x.
  • allow only my untagged LAN and the VLANs to access WAN and
  • finally block all other networks (Default rule)

Inbound rules:
  • Again country blocking
  • Allow Multiplayer Xbox-Access
  • Default rule “allow” to avoid trouble with blocked “Inbound answering traffic” as result of outbound client traffic from my networks to WAN.

Internal Network Rules

  • Allow some specific access between vlans (e.g. Printer in vlan to all other vlans and untagged lan to allow printing / similar for smart home bridges…)
  • Allow VLAN250 / Guest-WLAN to access Gaming devices in untagged LAN (Xboxes…) for Multiplayer
  • untagged LAN is allowed to access all vLANs
  • Block all remaining routing between VLANs by default “block all” rule

Local Firewall Rules
  • Block all access from WAN to local service ports → “block all” rule
1 Like
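To make the matching semantics from sitloongs’ post above concrete (rules checked top to bottom for every new session, first match wins, the Default rule applies otherwise), and to show why the ordering in Christoph’s outbound list matters, here is a small added Python model. It is not Peplink’s code and not an export of anyone’s configuration; the rule set, the LAN subnet 192.168.1.0/24, the admin host 192.168.1.10, the modem range 192.168.200.0/23 and the VoIP provider range 198.51.100.0/24 are all constructed assumptions. It goes a step beyond the thread by also flagging rules that can never fire because an earlier, broader rule already covers them.

```python
"""First-match firewall evaluation (added illustration, not Peplink code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: str = ANY             # "tcp", "udp" or ANY
    src: str = ANY               # source CIDR or ANY
    dst: str = ANY               # destination CIDR or ANY
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """True if a new session with these attributes hits this rule."""
        if self.proto != ANY and self.proto != proto:
            return False
        if self.src != ANY and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != ANY and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every session matching `other` would also match self."""
        if self.proto != ANY and self.proto != other.proto:
            return False
        for mine, theirs in ((self.src, other.src), (self.dst, other.dst)):
            if mine == ANY:
                continue
            if theirs == ANY or not ip_network(mine).supernet_of(ip_network(theirs)):
                return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return True


def evaluate(rules: List[Rule], default_action: str,
             proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; Default rule if nothing matched."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return default_action, "Default"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule makes the later one dead."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed outbound rule set, laid out like the post above: specific allows
# first, private-subnet blocks next, ordinary web/VoIP allows, then a
# deliberately misplaced modem rule that the /16 block already shadows.
LAN = "192.168.1.0/24"
OUTBOUND = [
    Rule("admin-to-modems", "allow", src="192.168.1.10/32", dst="192.168.200.0/23"),
    Rule("block-rfc1918-a", "deny", dst="10.0.0.0/8"),
    Rule("block-rfc1918-b", "deny", dst="172.16.0.0/12"),
    Rule("block-rfc1918-c", "deny", dst="192.168.0.0/16"),
    Rule("lan-dns", "allow", "udp", src=LAN, dport=53),
    Rule("lan-http", "allow", "tcp", src=LAN, dport=80),
    Rule("lan-https", "allow", "tcp", src=LAN, dport=443),
    Rule("voip-sip", "allow", "udp", src=LAN, dst="198.51.100.0/24", dport=5060),
    Rule("modems-too-late", "allow", src=LAN, dst="192.168.200.0/23"),  # shadowed
]
OUTBOUND_DEFAULT = "deny"

if __name__ == "__main__":
    for sess in [("tcp", "192.168.1.20", "93.184.216.34", 443),
                 ("tcp", "192.168.1.20", "192.168.200.1", 80),
                 ("tcp", "192.168.1.10", "192.168.201.1", 80),
                 ("tcp", "192.168.1.20", "93.184.216.34", 25)]:
        print(sess, "->", evaluate(OUTBOUND, OUTBOUND_DEFAULT, *sess))
    print("shadowed:", shadowed_rules(OUTBOUND))
```

Run it and note the second session: an ordinary LAN host reaching the modem subnet is denied by the /16 block even though an allow rule for that subnet exists further down, which is exactly the "higher position signifies higher precedence" point; `shadowed_rules` reports that dead rule so it can be moved up or removed.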

Now that is an Epic set of rules! Thanks for Sharing them Christoph!

1 Like

Interesting. So you’re allowing unrestricted access from your printer to untagged LAN? Concerns with possibly putting your main network at risk with a smart printer, unless you don’t grant WAN access to the printer.

Wondering what the point of putting printer in its own vlan then having fw rule to give it access to other networks. You also had to enable inter vlan routing as well which means it all falls on your internal rules to protect your networks.

I have my Epson printer on my main LAN but block its access to WAN. I have a need for AirPrint.

I would love to have my AirPlay/AirPrint devices in their own vlan and leverage Bonjour forwarding in my B20x but I could never get it working.

1 Like

Hello stego,
here my Bonjour settings for your information between the uL and the VLs:

Note:
There is currently a bug regarding Bonjour forwarding and B20x discovered recently (see Forum LINK).

Regarding the printer: Good suggestion. I defined a rule to prevent the printer from internet access (I’ll just deactivate it for manual printer firmware updates). The remaining problem is that I use the Epson WF printer to scan sheets via ADF as PDFs using the Epson Connect service. So I needed to exclude this (unknown URL Epson uses??) from the WAN block rule, or open at least port 5222 for XMPP (see LINK) for any traffic?
I’d like to discuss this topic on printer rules:

  1. IMHO, if your devices in untagged LAN are only using Air Print (like iPhones, iPads), the Bonjour forwarding usually should be enough (if PL fixes the bug soon).
  2. Until then a suitable solution could be, to add as firewall rule destination not the complete untagged LAN anymore but to define an ACL containing all AirPrint aware devices in untagged LAN to reduce the amount of devices the printer can see.
  3. A problem I never got to work is, that my Windows PC isn’t using Air Print. But defining internal firewall rules for an epson printer with all the diverse status ports and protocols it uses is a nightmare (see Epson Support Page - Required printer firewall ports). So this is why I added access to untagged LAN’s PC devices additionally by adding the PCs to the ACL mentioned in 2).
    What do you think about? Any advice?

I added a general “mDNS allow” rule to the internal network firewall rules, as this helps to make Apple HomeKit work (having moved my Apple TVs and HomePods to VLAN 210).
In addition, I had to change the AP configuration of VLAN 215’s corresponding SSID “…G#”, too, to make HomeKit run, by disabling the “Guest Protect” → “Block All Private IP” setting (it was too restrictive, as the HomeKit devices need to be able to connect to each other):


I assumed that the “Layer 2 Isolation” setting prevents WIFI clients (like HomePod) from connecting to wired LAN clients (like Smart Home bridges, e.g. Philips Hue) in VLAN 210, but leaving it enabled didn’t lead to issues with smart home. Any advice?
Inter-VLAN routing needs to be enabled for VLAN 210 → see the corresponding LAN settings of VLAN 210 as maybe helpful example for you:

I could get HomeKit working by enabling inter vlan routing and allow any traffic from my HomeKit hub on the vlan to my untagged lan.

Layer 2 isolation and Guest Protect both have to be disabled on the VLAN, yes, otherwise the HomeKit hub can’t see the other HomeKit-enabled devices.

I had other non HomeKit devices on this vlan (TPLINK Kasa switch and smart plug) but thinking now, I would move these to a different IoT vlan with client isolation and guest protect enabled. Limits the attack vectors.

Your rule about the mDNS sounds like a good idea. Does it get AirPlay working? I believe it requires more than an allow rule and needs software in the router to « forward » that traffic out of the subnet since multicast is by design constrained to its subnet to avoid flooding other subnets with packets. (Which I think is what they call Storm control)

Looking forward to the bug fix on the B20x!

This just occurred to me. Layer 2 isolation will isolate your wifi clients but not wired ones.

I have my Hue bridge wired into my VLAN. The Hue bridge uses the ZigBee protocol to connect to its Hue devices. If the HomeKit hub is also wired into the same VLAN, it should work. I haven’t tested this though. One thing to note, I had to connect the Hue app via cloud to use it from my iPhone. Which is a nice option.

Enabling guest protect however should isolate wired devices so the above would no longer work.

1 Like