Default set of Firewall rules to start with?

Hi, not sure it’s related, but I am new to setting up firewalls rules myself and thus on my new Balance 20 wasn’t sure where to start, so this may help. If you already have broadband access check out your anti virus package, I use MacAfee and under “Web & Email Protection”->Firewall->Port and System Services" you will see all the ports that MacAfee has open and a description of what each port is for, (Windows firewall also has some useful information at program level "Control Panel->Windows Firewall-Advanced Settings), if you want to see a more complete list of ports then this link at Wikipedia has a long list of what ports are typically used for what-> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports.

Hope that helps.

I followed that link, which appears in a lot of place on peplink. That is one of the worst articles I have ever seen for anything that purports to be a tutorial of any kind. Rewrite it!!! Start with several different examples of REAL Situations. Like allowing imap emails, allow Internet traffic, Outlook to get and send eamails via POP3. Allowing Slack notifications. You don’t have to show all of the 100’s, thousands?, of different protocols, but enough to so that a newbie can get a good feel of how the your firewall rules work.

Most of the time I use the Surf SOHO where the computers on the LAN side have their own firewall rules. This is the first time I’ve tried to use the built in firewall, or even had a need to. Some things, like inbound “deny all” do not work the same on different routers. Ideally, I’d like to see a document, or thread, where “most common” rules are listed. Frankly, I was shocked at how little documentation exists for the Peplink firewalls.

I’d like to share my Balance One firewall rules, that I defined using InControl2, with the community as a best practice startup-example for beginners and a discussion basis for the experts (I’d be happy to receive professional feedback). My Balance one and is conducting NAT using two provider WANs (both provider modems do full range port forwarding to my Balance One -> = DMZ) .

  • untagged LAN: Normal Intranet (Cell phones, tablets, NAS, PCs)
  • VLAN 206: Webcam (no WAN-Access)
  • VLAN 210: IOT / Smart Home devices
  • VLAN 215: Working from Home devices
  • VLAN 250: Guest WLAN

Outbound rules:

  • First start with some country blocking,
  • then prevent Multicast-, UPNP, and private subnet-routing (Netbios and SMB rules not needed, as I blocked them with additional Application Blocking rules, already):
  • use ACL to allow some devices access to my 2 WAN provider modems 192.168.200/201.x.
  • allow only my untagged LAN and the VLANs to access WAN and
  • finally block all other networks (Default rule)

    Outbound 2
    Inbound rules:
  • Again country blocking
  • Allow Multiplayer Xbox-Access
  • Default rule “allow” to avoid trouble with blocked “Inbound answering traffic” as result of outbound client traffic from my networks to WAN.

Internal Network Rules

  • Allow some specific access between vlans (e.g. Printer in vlan to all other vlans and untagged lan to allow printing / similar for smart home bridges…)
  • Allow VLAN250 / Guest-WLAN to access Gaming devices in untagged LAN (Xboxes…) for Multiplayer
  • untagged LAN is allowed to access all vLANs
  • Block all remaining routing between VLANs by default “block all” rule

    Local Firewall Rules
  • Block all access from WAN to local service ports -> “block all” rule

Now that is an Epic set of rules! Thanks for Sharing them Christoph!

1 Like

Interesting. So you’re allowing unrestricted access from your printer to untagged LAN? Concerns with possibly putting your main network at risk with a smart printer, unless you don’t grant WAN access to the printer.

Wondering what the point of putting printer in its own vlan then having fw rule to give it access to other networks. You also had to enable inter vlan routing as well which means it all falls on your internal rules to protect your networks.

I have my Epson printer on my main LAN but block it’s access to WAN. I have a need for AirPrint.

I would love to have my AirPlay/AirPrint devices in their own vlan and leverage Bonjour forwarding in my B20x but I could never get it working.

1 Like

Hello stego,
here my Bonjour settings for your information between the uL and the VLs:

Note:
There is currently a bug regarding Bonjour forwarding and B20x discovered recently (see Forum LINK).

Regarding the printer: Good suggestion. Defined a rule to prevent the printer from internet access (I’ll just deactivate it for manual printer firmware updates). Problem remaining is, that I use the Epson WF printer to scan sheets via ADF as PDFs using the epson connect service. So I needed to exclude this (unknown URL epson uses??) from the WAN block rule or open at least port 5222 for XMPP (see LINK) for any traffic?
I’d like to discuss this topic on printer rules:

  1. IMHO, if your devices in untagged LAN are only using Air Print (like iPhones, iPads), the Bonjour forwarding usually should be enough (if PL fixes the bug soon).
  2. Until then a suitable solution could be, to add as firewall rule destination not the complete untagged LAN anymore but to define an ACL containing all AirPrint aware devices in untagged LAN to reduce the amount of devices the printer can see.
  3. A problem I never got to work is, that my Windows PC isn’t using Air Print. But defining internal firewall rules for an epson printer with all the diverse status ports and protocols it uses is a nightmare (see Epson Support Page - Required printer firewall ports). So this is why I added access to untagged LAN’s PC devices additionally by adding the PCs to the ACL mentioned in 2).
    What do you think about? Any advice?

I added a general “mDNS allow” rule to internal network firewall rules, as this helps to make Apple HomeKit working (having my Apple TVs and Homepods moved to VLAN 210).mDNS rule.
In addition, I had to change AP configuration of VLAN 215’s corresponding SSID “…G#”, too, to make HomeKit running by disabling “Guest Protect” -> “Block All Private IP” setting (was to much restricted as the HomeKit devices need to be able to connect to each other):


I assumed that the “Layer 2 Isolation setting” prevents WIFI clients (like HomePod) to connect to wired LAN clients (like Smart Home Bridges e.g. Philips Hue) in VLAN 210, but leaving it enabled didn’t lead to issues with smart home. Any advice?
Inter-VLAN routing needs to be enabled for VLAN 210 -> see the corresponding LAN settings of VLAN 210 as maybe helpful example for you:

I could get HomeKit working by enabling inter vlan routing and allow any traffic from my HomeKit hub on the vlan to my untagged lan.

Later 2 isolation and guest protect both have to be disabled on the vlan yes otherwise the HomeKit hub can’t see the other HomeKit enabled devices.

I had other non HomeKit devices on this vlan (TPLINK Kasa switch and smart plug) but thinking now, I would move these to a different IoT vlan with client isolation and guest protect enabled. Limits the attack vectors.

Your rule about the mDNS sounds like a good idea. Does it get AirPlay working? I believe it requires more than an allow rule and needs software in the router to « forward » that traffic out of the subnet since multicast is by design constrained to its subnet to avoid flooding other subnets with packets. (Which I think is what they call Storm control)

Looking forward to the bug fix on the B20x!

This just occurred to me. Layer 2 isolation will isolate your wifi clients but not wired ones.

I have my hue bridge wired into my vlan. Hue bridge uses the ZigBee protocol to connect to its hue devices. If the HomeKit hub is also wired into the same vlan, it should work.I haven’t tested this though. One thing to note, I had to connect the Hue app via cloud to use it from my iPhone. Which is a nice option.

Enabling guest protect however should isolate wired devices so the above would no longer work.

1 Like

I now tested some additional configurations and firewall rules. Finally, I found a good working solution with Homepods, Apple Watch and AppleTV located in VLAN and access from iPhones / iPADs in untagged LAN (including AirPlay). I will publish the new fw ruleset in the next days as best practice examples.
I assume having bonjour routing enabled plus the mDNS fw rule leads to routing of mDNS over VLANS (mDNS reflector) on peplink routers (as it works for me).
Tried some suggestions from:
https://forum.peplink.com/t/homekit-vlan-guest-wifi-setup-for-iot-security-on-peplink-balance-one/25515,
https://medium.com/@gepeto42/using-homekit-devices-across-vlans-and-subnets-aa5ae1024939
(I don’t use Avahi),
https://community.ui.com/questions/HomeKit-on-Isolated-VLAN/2fd20346-59df-4662-9559-0ecac7ec83cb
(see step 6) pinhole rule), and
https://vninja.net/2019/08/12/unifi-iot-networks/

I had other non HomeKit devices on this vlan (TPLINK Kasa switch and smart plug) but thinking now, I would move these to a different IoT vlan with client isolation and guest protect enabled. Limits the attack vectors.

I solved this with specific internal firewall rules blocking all access from IOT subnet to each of this devices and between them (example (x=concrete device ip): block 192.168.210.0/24 to 192.168.210.x). Increased safeguarding of the epson printer with this as you recommended, too. :joy:

1 Like

As I enabled Peplink Bonjour Forwarding (Network -> LAN -> Network Settings -> Bonjour Forwarding Settings), no separate firewall rules to forward Ports UDP:1900 (Bonjour, UPnP), UDP:5350 + UDP:5351 (both NAT Port Mapping) and 5353 (mDNS) are needed from IOT/Homekit VLAN (VLAN 210 in my example) to my untagged LAN.
I testet around quite a while with more specific firewall settings (considering Ports used by Apple products) between IOT VLAN and untagged LAN to restrict Homekit traffic to pinholes.
Finally my conclusion is, that is not really working to restrict traffic to certain ports like APNS, HTTPS, HTTP, HomeKit, 3722, etc. as Apple is using a whole bunch of other ports as well. So I ended up in reducing the traffic to a restrictively defined ACL / Network group of devices in both networks that need to communicate with each other. Therefore like @soylentgreen I ended up granting a single firewall rule to allow ANY <-> ANY communication between both groups. (https://forum.peplink.com/t/homekit-vlan-guest-wifi-setup-for-iot-security-on-peplink-balance-one/25515/8?u=ckirch) :slight_smile:

Question to @MartinLangmaid and @stego:
I am thinking about a more “general block” internal network firewall rule to protect my network devices (Peplink Balance One and 2 APs) of access from and from acccessing all other network client devices (that are no admin devices).
What do you think about the following 2 general BLOCK rules (keeping in mind, that I set some additional allow rules for the admin computers to access the network devices via HTTPS for example)?


I am unsure, if the standard router and AP traffic is ensured by Peplink anyway despite internal firewall rules like that.
Alternatively, I would only block access to the network devices control ports (https, ssh…) and let them access any client. Example:

Do you think this will slow down the network (as it affects traffic, DNS, ntp) and would you advise against it?