Firewall Rules in BR1

Hey Everyone,
We are using a BR1 router. I want to block the server IP so that the other devices connected to the BR1 should not communicate with the server.
We created firewall inbound and outbound rules, but the devices still communicate with the server. How can we block this communication?

Hello Naseem,

Do you mind sharing where the server is located (LAN or WAN side)? And what do your firewall rules look like?

Regards,
Laurynas

1 Like

The servers are on the LAN side, and we created outbound rules so that other devices connected to the BR1 should not communicate with the server. However, the firewall rules do not block the communication between the devices and the server.

Are the server and the other BR1-connected devices on the same IP network?

Regards,
Laurynas

Yes, all devices are on the same network.

We created firewall rules in the “Internal network firewall Rules”. But the communication is not blocked.

Hi Naseem,

I don’t think it would be possible to block communication between devices when they are on the same network, since clients on the same subnet do not need to be routed and so never hit the firewall.

I would suggest creating a separate network for the server with Inter-VLAN routing disabled.

Regards,
Laurynas

1 Like

Hey Laurynas1
We are using “Internal network firewall Rules”. This firewall rule can block specific IPs in the same network. But in our case, this firewall is not blocking the IPs. Can you suggest another solution for this, since we can’t change the network for the servers?

Kind Regards,
Naseem

If they are wired and on the same network, it doesn’t go through the router. If you had them on Wi-Fi, you could use the Wi-Fi firewall.

1 Like

Hi @Naseem_Urrahman. I too have taken a look at this. I think the comments from @Laurynas and @Jonathan_Pitts are right. The internal firewall has no effect on packets that are not routed. Indeed, I don’t think it “sees” them. I conducted a test with one of our Balance 310Xs and I think I have confirmed this. If the clients are connected via Wi-Fi you have some options, and if you are able to place either the target device to which you want to restrict access, or the client(s), on their own VLAN, the solution is relatively simple.

I’d love to be challenged on this – but I think Jonathan and Laurynas are correct.

2 Likes

The traffic is routed locally on switches within the same subnet, even if the router were powered off.
You could do this on a managed switch with MAC address access control lists.
You may also be able to do this if each device is connected directly to the ports on the Peplink and you use internal firewall MAC address filtering, but I haven’t tried.

2 Likes
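The point made by Laurynas, Rick-DC and Jonathan_Pitts above (a router's LAN firewall only ever sees traffic that is routed through it, so a deny rule for two hosts on one subnet can never match, while moving the server to its own VLAN makes the traffic routable and therefore filterable) can be checked with a small model of the forwarding decision. The following is an added example written for this thread; it is not Peplink firmware code or anything from the BR1's configuration, and all hosts, addresses and VLAN tags in it are constructed sample values:

```python
"""Will a router-side LAN firewall rule ever see this traffic?

Added example (not from the Peplink thread or Peplink's own code). It models
the forwarding decision a host makes: a destination inside the host's own
subnet and VLAN is reached directly over the switch (ARP + layer 2), so the
packet never reaches the router and its internal-network firewall cannot match
it. Only traffic to a destination outside the local subnet is handed to the
default gateway, where a router firewall can act on it. All addresses and VLAN
tags below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface   # address plus prefix, e.g. 192.168.50.20/24
    vlan: int              # constructed VLAN tag of the switch port

    @property
    def network(self) -> IPv4Network:
        return self.iface.network


@dataclass(frozen=True)
class FirewallRule:
    src: IPv4Network
    dst: IPv4Network
    action: str            # "deny" or "allow"

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


def reaches_router(src: Host, dst: Host) -> bool:
    """True when src must send the packet to its gateway (routed traffic).

    Hosts on the same VLAN and subnet talk over the switch directly; the
    router only participates when the destination lies outside the sender's
    subnet or on another VLAN (inter-VLAN routing).
    """
    return not (src.vlan == dst.vlan and dst.iface.ip in src.network)


def evaluate(src: Host, dst: Host, rules: list[FirewallRule]) -> str:
    """Outcome for one packet: 'switched' (firewall never consulted),
    'deny', or 'allow' (default when no rule matches on the router)."""
    if not reaches_router(src, dst):
        return "switched"
    for rule in rules:
        if rule.matches(src.iface.ip, dst.iface.ip):
            return rule.action
    return "allow"


# Constructed topology matching the thread: server and client on one /24.
SERVER = Host("server", IPv4Interface("192.168.50.10/24"), vlan=1)
CLIENT = Host("client", IPv4Interface("192.168.50.20/24"), vlan=1)

# The rule the thread tried on the router: deny any LAN host -> server.
DENY_SERVER = FirewallRule(IPv4Network("192.168.50.0/24"),
                           IPv4Network("192.168.50.10/32"), "deny")

# The suggested fix: server on its own VLAN/subnet, inter-VLAN traffic denied.
SERVER_VLAN20 = Host("server", IPv4Interface("192.168.60.10/24"), vlan=20)
DENY_INTER_VLAN = FirewallRule(IPv4Network("192.168.50.0/24"),
                               IPv4Network("192.168.60.0/24"), "deny")


def demo() -> dict[str, str]:
    """Run the three scenarios discussed in the thread."""
    return {
        "flat_lan": evaluate(CLIENT, SERVER, [DENY_SERVER]),
        "server_vlan": evaluate(CLIENT, SERVER_VLAN20, [DENY_INTER_VLAN]),
        "server_vlan_no_rule": evaluate(CLIENT, SERVER_VLAN20, []),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In the flat-LAN case the deny rule is never consulted, which is exactly the symptom reported in the thread; once the server sits on its own VLAN the same client-to-server packet must cross the router, and the deny rule (or disabled inter-VLAN routing) takes effect. Filtering that has to stay inside one subnet, as Jonathan_Pitts notes, belongs on the switch (MAC ACLs), because that is the only device that handles those frames.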

Sure could – good point, if such switches are part of the architecture. That could provide an opportunity.

1 Like

Hey @Rick-DC,
Thank you for your suggestions, and yes, @Laurynas and @Jonathan_Pitts are right: we tested on the internal network firewall, but the devices’ communications weren’t blocked.

1 Like

Hi @Jonathan_Pitts!
Yes, we will test this on the switch using MAC address access control lists (ACLs).
Thank you for your suggestion.

Regards,
Naseem