Effect of internal network firewall rule changed from “allow” to “deny”


#1

Starting with a default firewall configuration in SURF SOHO (SS) fw 7.1.1, what is the effect of a change in the default internal network firewall rule changed from “allow” to “deny” (any protocol, any source, any destination)?

In an example of 2 iPhones connected to SS over wifi (e.g. PEPWAVE_34A9) and a laptop wired into LAN1 of the same SS:

- Is it true that none of the 3 SS clients can communicate with each other, but all can have outbound and inbound internet access via WAN?

My goal is to isolate all SS clients from each other, but give them internet access via WAN interface.

Thanks,


#2

Although I’ve had a Surf SOHO for over 3 years now, I still consider myself a noob, so take what I say with a grain of salt. Per your question, I unfortunately can’t confirm or deny the inner workings of the internal firewall. I’m not sure on that either. However, if you are looking to isolate all of your appliances from each other, you should look into Layer 2 isolation in your network settings. I haven’t used Layer 2 isolation in a while, so I can’t fully remember where those settings are, but if you search the forums and explore the web GUI, I’m sure you will find some isolation settings somewhere nearby. Good luck. Sorry I can’t be of more help! Let me know when you get your answer about the internal firewall. I am curious myself.

Dan


#3

Thank you, Dan. I agree that there are other ways to separate Surf SOHO clients, such as VLANs, but in this case I’d like to understand the meaning of the admin GUI “internal network firewall rule” - deny all. I downloaded the newest available “Pepwave Surf SOHO User Manual” (Firmware 7, January 2017) and found nothing there about “internal network firewall rules” - only “Outbound and Inbound firewall rules” are mentioned. Is there any other documentation describing “internal network firewall rules”? If not, perhaps a developer could comment and make his response part of the knowledge database?


#4

The internal firewall controls routed traffic / sessions between LAN / VLAN / Static route networks / PepVPN networks / IPsec networks / L2TP with IPsec clients / PPTP clients.

No, that’s not typically the case, as normally wifi and wired devices are all on the same network, so they talk directly to each other and not via the router. If you set up a VLAN for your wifi users and set deny all on the internal firewall, then the users on that VLAN would not be able to send traffic to users connected to the wired ports on the untagged / default network.

You can isolate the wireless clients by turning on Layer 2 isolation in the wireless profile. To isolate the wired clients I have only ever done this with a managed switch and isolated the device ports from each other.


#5

I haven’t tried this in a while, but I think simply selecting deny in the default rule setting in the internal network firewall rules will separate SOHO clients from each other while allowing web access.


#6

Only if those clients are in different VLANs. Traffic between clients on the same subnet goes direct over layer 2 from one client to another and never touches the SOHO (or whatever default gateway you have), unless those clients are on different networks and so need to be routed by the gateway (layer 3), which is when a firewall can take effect.


#7

Following Dan_Ran’s suggestion, in the “internal network firewall rules” I found the ability to “deny” (block) traffic sourced from any specific MAC address.
Therefore, in my example above, would it be possible to drop any packets from a laptop wired into LAN1/MAC1 with a destination of either of the 2 iPhones on PEPWAVE_34A9-wifi by adding an “internal network firewall rule” to “deny” “any protocol” trying to enter the Surf SOHO “internal firewall” through MAC1/LAN1?

Would such “internal network firewall rule” achieve the goal of disallowing the LAN1/MAC1 laptop to send packets to iPhones on PEPWAVE_34A9-wifi while allowing the LAN1/MAC1 laptop to access the WEB?


#8

Not unless you create a VLAN and assign it to the wireless SSID. If the wireless clients are in a different subnet than the wired clients (Layer 3), firewall rules can take effect. Otherwise you can turn on Layer 2 isolation on the wifi, which should isolate all wifi clients from each other and from the wired clients too.
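The point made in #6 and #8, as an added example that is not from the thread or from Peplink: a small Python model of when the internal network firewall is even consulted. The `SurfSoho` and `Client` classes, the addresses, and the VLAN subnet are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Client:
    name: str
    cidr: str              # address with prefix length, e.g. "192.168.50.10/24" (constructed)
    wireless: bool = False

    @property
    def network(self):
        return ipaddress.ip_interface(self.cidr).network


@dataclass
class SurfSoho:
    """Hypothetical model of the router's two relevant settings (not Peplink code)."""
    internal_default: str = "allow"  # internal network firewall default rule: allow / deny
    l2_isolation: bool = False       # Layer 2 isolation on the wireless profile

    def can_reach(self, src: Client, dst: Client):
        """Return (reachable, reason) for client-to-client traffic."""
        # Layer 2 isolation acts on the wireless side before anything is routed:
        # per the thread it separates wifi clients from each other and from wired clients.
        if self.l2_isolation and (src.wireless or dst.wireless):
            return False, "blocked by Layer 2 isolation"
        # Same subnet: frames are switched/bridged at layer 2 and never enter the
        # router's forwarding path, so the internal firewall is not consulted at all.
        if src.network == dst.network:
            return True, "direct at layer 2 (internal firewall not consulted)"
        # Different subnets (e.g. the SSID on its own VLAN): the gateway must route
        # the packet, and only now does the internal firewall default rule apply.
        if self.internal_default == "deny":
            return False, "routed, denied by internal firewall default rule"
        return True, "routed, allowed by internal firewall default rule"


if __name__ == "__main__":
    # Constructed scenario from #1: wifi iPhone and wired laptop on one subnet, default rule = deny.
    router = SurfSoho(internal_default="deny")
    laptop = Client("laptop on LAN1", "192.168.50.10/24")
    phone = Client("iPhone on wifi", "192.168.50.20/24", wireless=True)
    print(router.can_reach(laptop, phone))          # still reachable: never routed
    phone_vlan = Client("iPhone on wifi VLAN", "192.168.60.20/24", wireless=True)
    print(router.can_reach(laptop, phone_vlan))     # now routed, so deny applies
    print(SurfSoho(l2_isolation=True).can_reach(laptop, phone))
```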


#9

Thank you, Martin. Layer 2 isolation on wifi satisfies my objective of isolating iPhones on wifi from the wired laptop on LAN1.