(Firewall) rule creation by mapping a single IP to an Autonomous System


#1

Often we create firewall rules for the whole network of an internet provider: not by IP address, not by hostname, but by looking up all IP ranges used by the ASN (Autonomous System Number). Only when the ISP is large do we include just the large blocks (which most often contain the customer-assigned IP addresses), limit the network ranges to the required country (for example, include NL and exclude EU), and exclude the small blocks (which are often used by routers and other internal equipment of the ISP).

It would be nice if this process could be sped up (improved workflow) by having an input field on the Balance router that looks up all IP ranges in the AS, presenting that list to the Peplink administrator to select the desired ranges, having:

  1. the list displayed in a table view,
  2. columns for size of the block and country assignment,
  3. a check box in front of each IP range (to select/deselect),
  4. one check box to select/deselect all network ranges,
  5. sortable column headers (net block size, country assignment),
  6. the created rules kept grouped together,
  7. a memory of which net ranges were selected and which were not when re-opening this rule, to have an update mechanism that even shows new and deleted ranges in the ASN.

An example: allow Tele2 Netherlands customers.

We have one of Tele2's customer-assigned IP addresses, which is: 87.209.133.24

We use that IP as an input, press [ Lookup ],

which returns that this IP is within AS13127,
which ASN is owned by Tele2 Nederland B.V.,
which consists of these netblocks:


Match	Type	Size	Country	Start IP	End IP
1	/15	131,071	EU	62.58.0.0	62.59.255.255
2	/16	65,535	EU	62.166.0.0	62.166.255.255
3	/16	65,535	EU	62.250.0.0	62.250.255.255
4	/15	131,071	BE	81.58.0.0	81.59.255.255
5	/14	262,143	NL	82.172.0.0	82.175.255.255
6	/13	524,287	NL	87.208.0.0	87.215.255.255
7	/14	262,143	EU	143.176.0.0	143.179.255.255
8	/20	4,095	NL	145.219.0.0	145.219.15.255
9	/16	65,535	NL	159.46.0.0	159.46.255.255
10	/21	2,047	NL	212.19.224.0	212.19.231.255
11	/23	511	NL	212.19.232.0	212.19.233.255

source: http://www.fixedorbit.com/cgi-bin/cgirange.exe?ASN=13127

Now the wish is to create a rule by selecting:


Match	Type	Size	Country	Start IP	End IP
5	/14	262,143	NL	82.172.0.0	82.175.255.255
6	/13	524,287	NL	87.208.0.0	87.215.255.255
9	/16	65,535	NL	159.46.0.0	159.46.255.255
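
The workflow described in post #1 (filter an AS's netblocks by country and block size, confirm the seed IP is covered, and report new and deleted ranges when the rule is re-opened), as an added example that is not part of the original post and not Peplink code. The netblock rows are copied from the table above; the /16 size threshold and all function names are assumptions made for illustration.

```python
import ipaddress

# Netblocks of AS13127 as listed in the post: (country, start IP, end IP).
AS13127 = [
    ("EU", "62.58.0.0", "62.59.255.255"),
    ("EU", "62.166.0.0", "62.166.255.255"),
    ("EU", "62.250.0.0", "62.250.255.255"),
    ("BE", "81.58.0.0", "81.59.255.255"),
    ("NL", "82.172.0.0", "82.175.255.255"),
    ("NL", "87.208.0.0", "87.215.255.255"),
    ("EU", "143.176.0.0", "143.179.255.255"),
    ("NL", "145.219.0.0", "145.219.15.255"),
    ("NL", "159.46.0.0", "159.46.255.255"),
    ("NL", "212.19.224.0", "212.19.231.255"),
    ("NL", "212.19.232.0", "212.19.233.255"),
]

def to_cidrs(blocks):
    """Convert (country, start, end) rows to a {network: country} mapping."""
    out = {}
    for country, start, end in blocks:
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end))
        for net in nets:
            out[net] = country
    return out

def select(blocks, country, max_prefix):
    """Keep blocks in `country` that are at least as large as /max_prefix."""
    return sorted(n for n, c in to_cidrs(blocks).items()
                  if c == country and n.prefixlen <= max_prefix)

def covers(selected, ip):
    """True if the seed customer IP falls inside one of the selected blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in selected)

def refresh(saved_selection, old_blocks, new_blocks):
    """On re-opening the rule: list ranges added to and deleted from the AS,
    and keep only the previously selected ranges that still exist."""
    old, new = set(to_cidrs(old_blocks)), set(to_cidrs(new_blocks))
    added, deleted = sorted(new - old), sorted(old - new)
    kept = sorted(set(saved_selection) & new)
    return added, deleted, kept

if __name__ == "__main__":
    sel = select(AS13127, "NL", 16)  # /16 threshold is an assumed cut-off
    print([str(n) for n in sel], covers(sel, "87.209.133.24"))
```

Checking that the seed IP is covered after filtering guards against a size or country filter that silently drops the block the user actually needs.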


#2

Sounds like this is for a large operation you are planning?

We definitely want to learn more of this project. You can email us separately if you want a more private conversation.


#3

This is not for a large operation.

Just explaining our most common workflow, enhanced with a suggestion for how the Balance can be improved to handle our (and possibly others') workflow.


#4

Got it. At this point I am not sure if many of our customers will need this on Peplink firewall. But we will take a closer look at this request. Thanks.


#5

When there are customers needing to give employees at their home addresses access to the corporate system, from their private/home DSL lines with IP-addresses assigned by DHCP, and not willing to update their firewall configuration every once in a while when the IP address is changed (and possibly assigned from another netblock), this feature request helps to quickly identify the most likely netblocks that will be dynamically assigned.


#6

In firmware 7.0.0 build 3310, ASN-based firewall allow rules are not there (yet).