I want to lock down access from our remote Peplink modem to only allow access to our cloud server’s IP address, what is the best method to do so?
I don’t understand the question. And Peplink does not make modems.
Speaking generally, a Peplink router will have no open WAN side ports, at least not out of the box. If you open a port with port forwarding, you can make an inbound firewall rule that limits the source IP address(es) that can use the open port.
Peplink BR1MAX is a router with an integrated cellular modem. That is the device I am working with.
I have devices connected wired and wirelessly to it. I want to limit inbound and outbound traffic to a single IP address.
I think you’ll find the firewall rules in the Peplink router to suit your needs.
You can find the firewall settings under Advanced → Access Rules
What you’d end up with is default deny rules for both inbound and outbound and then allow rules set up to allow outbound traffic as long as it is destined to your cloud server IP, and another allow rule for inbound traffic as long as the source is that cloud server’s IP. Outbound traffic destined for anywhere but your cloud server or inbound traffic that originates from somewhere other than the server would be denied access through the firewall.
Hi Chris. First, @Michael234 is right. Inbound traffic is not going to reach you for two reasons: (1) you are behind a NAT firewall which is on by default, and (2) when using a cellular modem you will be behind the carrier's carrier-grade NAT.
Outbound traffic is a bit different and I can think of a couple of ways to restrict that. I’d probably use your router’s firewall to do that. Here’s an example from a Balance 305:
In this case I changed the default outbound rule from permit to reject and added an outbound rule to allow DNS and for connections to 100.100.100.100. (Sorry – I don’t have easy access to a MAX router at the moment but the principle is exactly the same – it’s just the path to get there via the GUI that is slightly different between MAX and Balance devices.)
I’d be sure to give my settings a good test before putting the router into production. When you change the default firewall rule to “deny” the danger is that you lock down too much and break stuff. One needs to permit DNS and health checks, for example.
My mistake, your device does include a modem. I only use wired ISPs, forgot about the 4G modems.
As the previous comments point out, you can do what you want quite easily. I would add that if you want, you can also log any attempted outbound requests that are not to your one specific IP address. Never know what this type of audit might show. To do this in the example above, change the default outbound firewall rule at the bottom to Deny and Log.
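The rule set the replies above converge on (default deny for both directions, an outbound allow for DNS and for the cloud server, an inbound allow from the cloud server only, and the bottom default rule set to deny and log) can be checked offline before it is typed into the router. The following is an added example, not code or configuration from the thread and not Peplink's own format: it models access rules as a first-match list evaluated top to bottom with the default rule at the bottom, which is how the GUI rule order reads, and runs constructed sample flows through it. The LAN host 192.168.50.10, the resolver 8.8.8.8, the scanner and stray destination addresses, and all rule names are assumptions made for the example; 100.100.100.100 is the placeholder server address from the thread.

```python
"""First-match firewall policy model for testing a default-deny rule set offline.

Constructed example, not Peplink code or config. It models the rule ordering
from the thread: allow rules first, catch-all default rule last.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# 100.100.100.100 is the placeholder from the thread; the other two addresses
# are assumptions for this example.
CLOUD_SERVER = "100.100.100.100"
LAN_HOST = "192.168.50.10"
DNS_RESOLVER = "8.8.8.8"


@dataclass(frozen=True)
class Flow:
    direction: str            # "inbound" (WAN->LAN) or "outbound" (LAN->WAN)
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str               # "allow" or "deny"
    src: str = "any"          # single IP or CIDR, or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port (and ICMP, which has none)
    log: bool = False         # the "Deny and Log" option from the thread

    @staticmethod
    def _addr_ok(pattern: str, addr: str) -> bool:
        return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)

    def matches(self, f: Flow) -> bool:
        return (
            f.direction == self.direction
            and self._addr_ok(self.src, f.src)
            and self._addr_ok(self.dst, f.dst)
            and (self.proto == "any" or self.proto == f.proto)
            and (self.dport is None or self.dport == f.dport)
        )


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name).

    A real rule set always ends in a catch-all default rule; if this model's
    list does not, the flow is treated as denied by an implicit default."""
    for r in rules:
        if r.matches(f):
            return r.action, r.name
    return "deny", "implicit-default"


def audit(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """One log line per flow that hit a rule marked log=True."""
    by_name = {r.name: r for r in rules}
    lines = []
    for f in flows:
        action, name = evaluate(rules, f)
        if name in by_name and by_name[name].log:
            lines.append(f"{name}: {action} {f.direction} {f.proto} {f.src} -> {f.dst}:{f.dport}")
    return lines


# The policy described in the thread, in GUI order (top to bottom).
RULES = [
    Rule("allow-dns", "outbound", "allow", dport=53),              # tcp or udp 53
    Rule("allow-cloud-out", "outbound", "allow", dst=CLOUD_SERVER),
    Rule("default-outbound", "outbound", "deny", log=True),         # Deny and Log
    Rule("allow-cloud-in", "inbound", "allow", src=CLOUD_SERVER),
    Rule("default-inbound", "inbound", "deny", log=True),           # Deny and Log
]

# Same policy with the DNS allow forgotten: the lockout the thread warns about.
RULES_NO_DNS = [r for r in RULES if r.name != "allow-dns"]

# Constructed traffic to test the policy against.
SAMPLE_FLOWS = [
    Flow("outbound", LAN_HOST, DNS_RESOLVER, "udp", 53),
    Flow("outbound", LAN_HOST, CLOUD_SERVER, "tcp", 443),
    Flow("outbound", LAN_HOST, "203.0.113.7", "tcp", 443),   # stray destination
    Flow("inbound", CLOUD_SERVER, LAN_HOST, "tcp", 22),
    Flow("inbound", "198.51.100.9", LAN_HOST, "tcp", 22),    # unknown scanner
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(RULES, flow))
    print("\n".join(audit(RULES, SAMPLE_FLOWS)))
    print("no DNS rule:", evaluate(RULES_NO_DNS, SAMPLE_FLOWS[0]))
```

Running it shows the two expected denials landing on the logged default rules, and `RULES_NO_DNS` shows that dropping the DNS allow silently denies name resolution, which is the "break stuff" case worth catching before the router goes into production.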