Hi, not sure it’s related, but I am new to setting up firewall rules myself and thus on my new Balance 20 wasn’t sure where to start, so this may help. If you already have broadband access, check out your anti-virus package. I use McAfee, and under “Web & Email Protection” -> Firewall -> “Port and System Services” you will see all the ports that McAfee has open and a description of what each port is for (Windows Firewall also has some useful information at program level: Control Panel -> Windows Firewall -> Advanced Settings). If you want to see a more complete list of ports, then this link at Wikipedia has a long list of what ports are typically used for what -> List of TCP and UDP port numbers - Wikipedia.
I followed that link, which appears in a lot of places on Peplink. That is one of the worst articles I have ever seen for anything that purports to be a tutorial of any kind. Rewrite it!!! Start with several different examples of REAL situations, like allowing IMAP email, allowing Internet traffic, Outlook getting and sending emails via POP3, allowing Slack notifications. You don’t have to show all of the hundreds, thousands?, of different protocols, but enough so that a newbie can get a good feel of how your firewall rules work.
Most of the time I use the Surf SOHO, where the computers on the LAN side have their own firewall rules. This is the first time I’ve tried to use the built-in firewall, or even had a need to. Some things, like inbound “deny all”, do not work the same on different routers. Ideally, I’d like to see a document, or thread, where the “most common” rules are listed. Frankly, I was shocked at how little documentation exists for the Peplink firewalls.
I’d like to share my Balance One firewall rules, which I defined using InControl2, with the community as a best-practice startup example for beginners and a discussion basis for the experts (I’d be happy to receive professional feedback). My Balance One is conducting NAT using two provider WANs (both provider modems do full-range port forwarding to my Balance One, i.e. DMZ).
untagged LAN: Normal Intranet (Cell phones, tablets, NAS, PCs)
VLAN 206: Webcam (no WAN-Access)
VLAN 210: IOT / Smart Home devices
VLAN 215: Working from Home devices
VLAN 250: Guest WLAN
Outbound rules:
First, start with some country blocking,
then prevent multicast, UPnP and private-subnet routing (NetBIOS and SMB rules are not needed, as I already blocked them with additional Application Blocking rules):
Allow some specific access between VLANs (e.g. printer in its VLAN to all other VLANs and the untagged LAN to allow printing; similar for smart home bridges…)
Allow VLAN250 / Guest-WLAN to access Gaming devices in untagged LAN (Xboxes…) for Multiplayer
untagged LAN is allowed to access all VLANs
Block all remaining routing between VLANs by a default “block all” rule
Interesting. So you’re allowing unrestricted access from your printer to the untagged LAN? Concerns with possibly putting your main network at risk with a smart printer, unless you don’t grant WAN access to the printer.
Wondering what the point is of putting the printer in its own VLAN and then having a firewall rule to give it access to other networks. You also had to enable inter-VLAN routing as well, which means it all falls on your internal rules to protect your networks.
I have my Epson printer on my main LAN but block its access to the WAN. I have a need for AirPrint.
I would love to have my AirPlay/AirPrint devices in their own VLAN and leverage Bonjour forwarding in my B20X, but I could never get it working.
Note: There is currently a bug regarding Bonjour forwarding and B20x discovered recently (see Forum LINK).
Regarding the printer: good suggestion. I defined a rule to prevent the printer from internet access (I’ll just deactivate it for manual printer firmware updates). The remaining problem is that I use the Epson WF printer to scan sheets via ADF as PDFs using the Epson Connect service. So I needed to exclude this (unknown URL Epson uses??) from the WAN block rule, or open at least port 5222 for XMPP (see LINK) for any traffic?
I’d like to discuss this topic on printer rules:
IMHO, if your devices in the untagged LAN are only using AirPrint (like iPhones, iPads), the Bonjour forwarding usually should be enough (if PL fixes the bug soon).
Until then, a suitable solution could be to no longer use the complete untagged LAN as the firewall rule destination, but to define an ACL containing all AirPrint-aware devices in the untagged LAN, to reduce the number of devices the printer can see.
A problem I never got to work is that my Windows PC isn’t using AirPrint. But defining internal firewall rules for an Epson printer with all the diverse status ports and protocols it uses is a nightmare (see Epson Support Page - Required printer firewall ports). So this is why I additionally added access to the untagged LAN’s PC devices by adding the PCs to the ACL mentioned in 2).
What do you think about it? Any advice?
I added a general “mDNS allow” rule to the internal network firewall rules, as this helps to make Apple HomeKit work (having moved my Apple TVs and HomePods to VLAN 210).
In addition, I had to change the AP configuration of VLAN 215’s corresponding SSID “…G#”, too, to make HomeKit run, by disabling the “Guest Protect” → “Block All Private IP” setting (it was too restrictive, as the HomeKit devices need to be able to connect to each other):
I assumed that the “Layer 2 Isolation” setting prevents WiFi clients (like HomePod) from connecting to wired LAN clients (like smart home bridges, e.g. Philips Hue) in VLAN 210, but leaving it enabled didn’t lead to issues with smart home. Any advice?
Inter-VLAN routing needs to be enabled for VLAN 210 → see the corresponding LAN settings of VLAN 210 as a maybe helpful example for you:
I could get HomeKit working by enabling inter-VLAN routing and allowing any traffic from my HomeKit hub on the VLAN to my untagged LAN.
Layer 2 isolation and guest protect both have to be disabled on the VLAN, yes, otherwise the HomeKit hub can’t see the other HomeKit-enabled devices.
I had other non-HomeKit devices on this VLAN (TP-Link Kasa switch and smart plug), but thinking now, I would move these to a different IoT VLAN with client isolation and guest protect enabled. Limits the attack vectors.
Your rule about the mDNS sounds like a good idea. Does it get AirPlay working? I believe it requires more than an allow rule and needs software in the router to « forward » that traffic out of the subnet since multicast is by design constrained to its subnet to avoid flooding other subnets with packets. (Which I think is what they call Storm control)
This just occurred to me. Layer 2 isolation will isolate your wifi clients but not wired ones.
I have my Hue bridge wired into my VLAN. The Hue bridge uses the ZigBee protocol to connect to its Hue devices. If the HomeKit hub is also wired into the same VLAN, it should work. I haven’t tested this though. One thing to note, I had to connect the Hue app via cloud to use it from my iPhone. Which is a nice option.
Enabling guest protect however should isolate wired devices so the above would no longer work.
I had other non-HomeKit devices on this VLAN (TP-Link Kasa switch and smart plug), but thinking now, I would move these to a different IoT VLAN with client isolation and guest protect enabled. Limits the attack vectors.
I solved this with specific internal firewall rules blocking all access from the IoT subnet to each of these devices and between them (example (x = concrete device IP): block 192.168.210.0/24 to 192.168.210.x). Increased safeguarding of the Epson printer with this as you recommended, too.
As I enabled Peplink Bonjour Forwarding (Network → LAN → Network Settings → Bonjour Forwarding Settings), no separate firewall rules are needed to forward ports UDP:1900 (Bonjour, UPnP), UDP:5350 + UDP:5351 (both NAT Port Mapping) and 5353 (mDNS) from the IoT/HomeKit VLAN (VLAN 210 in my example) to my untagged LAN.
I tested around quite a while with more specific firewall settings (considering ports used by Apple products) between the IoT VLAN and the untagged LAN to restrict HomeKit traffic to pinholes.
Finally, my conclusion is that it is not really working to restrict traffic to certain ports like APNS, HTTPS, HTTP, HomeKit, 3722, etc., as Apple is using a whole bunch of other ports as well. So I ended up reducing the traffic to a restrictively defined ACL / network group of devices in both networks that need to communicate with each other. Therefore, like @soylentgreen, I ended up granting a single firewall rule to allow ANY ↔ ANY communication between both groups. (https://forum.peplink.com/t/homekit-vlan-guest-wifi-setup-for-iot-security-on-peplink-balance-one/25515/8?u=ckirch)
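The two rule sets discussed in this thread (the ordered outbound/internal list with a final “block all”, and the later IoT-subnet block plus ACL-group ANY ↔ ANY allow) both depend on first-match ordering. The following is an added illustration, not Peplink’s rule engine or anyone’s posted configuration: a small first-match evaluator over a constructed rule table. All addresses and group members are made up for the example (untagged LAN assumed to be 192.168.1.0/24, VLAN 210 taken as 192.168.210.0/24 from the thread’s example).

```python
import ipaddress

# Constructed addressing for this example (not taken from the thread):
# untagged LAN = 192.168.1.0/24, IoT / HomeKit VLAN 210 = 192.168.210.0/24.
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.210.0/24")
MDNS = {ipaddress.ip_address("224.0.0.251")}
# Constructed ACL / network groups standing in for the thread's "restrictively
# defined" groups of devices that need ANY <-> ANY between the two networks.
HOMEKIT_HUBS = {ipaddress.ip_address("192.168.210.20")}   # e.g. Apple TV (hypothetical)
AIRPLAY_CLIENTS = {ipaddress.ip_address("192.168.1.10")}  # e.g. an iPhone (hypothetical)
PROTECTED_IOT = {ipaddress.ip_address("192.168.210.50")}  # e.g. Hue bridge (hypothetical)
ANY = None

# Ordered rule table, first match wins, last rule is the "block all" default.
# (name, source scope, destination scope, protocol, destination port, action)
RULES = [
    ("mdns-allow",         ANY,             MDNS,            "udp", 5353, "allow"),
    ("iot-to-devices-blk", IOT,             PROTECTED_IOT,   ANY,   ANY,  "block"),
    ("homekit-acl-out",    HOMEKIT_HUBS,    AIRPLAY_CLIENTS, ANY,   ANY,  "allow"),
    ("homekit-acl-in",     AIRPLAY_CLIENTS, HOMEKIT_HUBS,    ANY,   ANY,  "allow"),
    ("lan-to-all-vlans",   LAN,             ANY,             ANY,   ANY,  "allow"),
    ("default-block",      ANY,             ANY,             ANY,   ANY,  "block"),
]

def matches(ip, scope):
    """A scope is ANY, an ip_network, or a set of addresses (an ACL group)."""
    return scope is ANY or ip in scope

def evaluate(src, dst, proto, dport):
    """Return (action, rule name) for the first rule that matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, sscope, dscope, rproto, rport, action in RULES:
        if (matches(s, sscope) and matches(d, dscope)
                and rproto in (ANY, proto) and rport in (ANY, dport)):
            return action, name
    raise AssertionError("rule table must end with a catch-all")

if __name__ == "__main__":
    samples = [  # constructed flows: (src, dst, proto, dport)
        ("192.168.1.10", "192.168.210.50", "tcp", 80),     # LAN -> Hue bridge
        ("192.168.210.77", "192.168.210.50", "tcp", 80),   # other IoT -> Hue bridge
        ("192.168.210.20", "192.168.1.10", "tcp", 7000),   # hub -> iPhone (AirPlay)
        ("192.168.210.77", "192.168.1.10", "tcp", 443),    # other IoT -> iPhone
        ("192.168.210.77", "224.0.0.251", "udp", 5353),    # mDNS from any IoT device
    ]
    for f in samples:
        print(f, "->", evaluate(*f))
```

Moving a rule changes the outcome: if the subnet block were placed after the ACL allows, a hub inside the group would reach the protected device, so the order of a rule list is as much part of the policy as the rules themselves.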
Question to @MartinLangmaid and @stego:
I am thinking about a more “general block” internal network firewall rule to protect my network devices (Peplink Balance One and 2 APs) from being accessed by, and from accessing, all other network client devices (that are not admin devices).
What do you think about the following 2 general BLOCK rules (keeping in mind that I set some additional allow rules for the admin computers to access the network devices via HTTPS, for example)?
I am unsure if the standard router and AP traffic is ensured by Peplink anyway, despite internal firewall rules like that.
Alternatively, I would only block access to the network devices’ control ports (HTTPS, SSH…) and let them access any client. Example: