Firewall Internal Network Rules


#1

The newer firmware has another group on the firewall page, “internal network rules”. What is the difference between this section and the Inbound group just above it that we always used? Is this just a way to organize things for user maintenance? Does it make no difference which segment has the rule in it?

I currently have LAN-based rules that are in the Inbound section, such as allowing all LAN users access as is necessary for VPN. Should that rule be moved to the Internal section?

It appears the default in the Internal section is Allow All. If that default is applied to inbound connections, it is of course unwise. I don’t think it works that way as I can test inbound connections that are blocked even though this default is Allow All. I’m trying to understand what that internal section does, and whether I should change the default away from Allow All.


#2

Hi Don Ferrario,

There are 3 kinds of firewall rules:

  • Outbound firewall rules
  • Inbound firewall rules
  • Internal network firewall rules

An outbound firewall rule is used to control LAN, VLAN and internal users going out to the internet. The direction is from the internal LAN to the external WAN. For example, an administrator would only allow LAN user (192.168.1.100) to access the internet using TCP/80. This kind of rule needs to be created as an Outbound firewall rule.

An inbound firewall rule is used to control external WAN IP addresses coming into the internal LAN network. The direction is from the external WAN to the internal LAN. It is used to control port forwarding and NAT mapping access. For example, the administrator has configured a NAT mapping from WAN (1.1.1.1) to an internal server (192.168.1.50). By default, the NAT mapping will allow all ports to the internal server (192.168.1.50). The administrator can set up an inbound firewall rule to allow only a few ports to the internal server (192.168.1.50).

An internal network firewall rule is used to control sessions between LAN, VLAN, static route networks, PepVPN networks, L2TP with IPsec clients and PPTP clients. For example, an administrator would like to allow only a PPTP client to access the internal server (192.168.1.50). This rule needs to be created here.

Thanks.

Regards,
Yaw Theng


#3

Yaw Theng:

Does this also apply to IPsec VPN profiles / LAN-to-LAN VPNs? For example, can I create a VPN from:

Source LAN : 10.0.1.0/24 (Hardware is PEPLINK)
Dest LAN: 10.0.2.0/24 (Hardware is non-PEPLINK)
VPN Setup: Setup to allow all source 10.0.1.0/24 access to all destination 10.0.2.0/24 (typical VPN setup)

  • Firewall rules on PEPLINK: Add rule such that source 10.0.2.0/24 can only access ip host 10.0.1.100/32 (even though the entire LAN subnet is configured in the VPN profile)

Let me know if this would apply. And if so, does this go in the INTERNAL NETWORK FIREWALL rule group or the INBOUND FIREWALL rule group?

Thanks!
-Joe Keegan


#4

Hi Joe,

Yes, you can create such an access control rule to control the traffic from the 10.0.2.0/24 network.

The access rule needs to be created under INTERNAL NETWORK FIREWALL.

Thanks.

Regards,
Yaw Theng
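The classification described in #2 and applied to Joe's LAN-to-LAN case in #4, as an added illustrative model written for this thread (it is not Peplink firmware code): a session is assigned to the outbound, inbound or internal group purely by the zones of its source and destination, and only then evaluated against that group's ordered rules and that group's own default. The zone table, the PPTP address pool and the rule sets are constructed; the one real-world point it shows is why an internal default of Allow All (post #1) never governs WAN-to-LAN sessions, because those land in the inbound group.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone table (not a real device config). Anything that is not
# WAN counts as an internal zone: LAN, VLAN, static-route, PepVPN, L2TP, PPTP.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.1.0/24"),       # Peplink side (post #3)
    "VLAN10": ipaddress.ip_network("192.168.10.0/24"),
    "PPTP": ipaddress.ip_network("10.0.99.0/24"),     # hypothetical remote-access pool
    "VPN_PEER": ipaddress.ip_network("10.0.2.0/24"),  # non-Peplink LAN over the tunnel
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"  # anything not in a known internal zone is treated as WAN

def rule_group(src: str, dst: str) -> str:
    """Pick the rule group by direction between zones, as post #2 describes."""
    s, d = zone_of(src), zone_of(dst)
    if s == "WAN" and d != "WAN":
        return "inbound"
    if s != "WAN" and d == "WAN":
        return "outbound"
    return "internal"  # internal-to-internal, including VPN peers and dial-in clients

@dataclass
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None matches any port
    action: str

# Constructed rule sets mirroring the thread's examples: (ordered rules, default).
# The internal group keeps the firmware's Allow All default from post #1.
RULES = {
    "outbound": ([Rule("10.0.1.100/32", "0.0.0.0/0", 80, "allow")], "deny"),
    "inbound": ([Rule("0.0.0.0/0", "10.0.1.50/32", 443, "allow")], "deny"),
    "internal": ([Rule("10.0.2.0/24", "10.0.1.100/32", None, "allow"),   # Joe's host rule
                  Rule("10.0.2.0/24", "10.0.1.0/24", None, "deny")], "allow"),
}

def evaluate(src: str, dst: str, port: int):
    """Return (group, action): first matching rule wins, else the group's default."""
    group = rule_group(src, dst)
    rules, default = RULES[group]
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if a in ipaddress.ip_network(r.src) and b in ipaddress.ip_network(r.dst) \
                and r.port in (None, port):
            return group, r.action
    return group, default
```

With these constructed rules, a WAN host reaching 10.0.1.50 on a port other than 443 is denied by the inbound default even though the internal default is Allow All, and the VPN peer 10.0.2.0/24 reaches only 10.0.1.100 on the Peplink LAN.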