Inbound Firewall Rules interactions

firewall

#1

I hope this is an easy one…

The Peplink boxes by default have an “allow all” inbound rule on the WAN, but this generally doesn’t have any type of effect until you enable something like port forwarding.

My question is how do these rules interact with other settings in the UI?

I’d like to generally setup a “block all” inbound, as usually when we do a port-forward, it’s to reach some internal device that’s not for general public access. So how do these things below interact with the firewall rules?

  • WAN management rules (System -> Admin Security -> Allowed Source IP Subnets)
  • Allow ping (and hopefully other necessary traffic for MTU path discovery) under (Network -> WAN -> connection -> Reply to ICMP)
  • PepVPN - not even sure what port this uses
  • Stateful NAT entries - do I need to deal with this at all or are replies to my outbound LAN traffic allowed back in before these rules?
  • Other traffic that should be allowed (ie: ICMP needed for PMTU to work, etc.)

Is my question clear? Basically can I assume that my manual inbound rules are sort of “after” whatever default rules are already there to make all of the above function, or do I need to manually allow things like https management, pepvpn, etc.?


#2

You are correct the “allow all” inbound firewall rule doesn’t have any type of effect with NAT routing mode on the WAN until you enable port forwarding.

WAN management rules, reply to ICMP on the WAN interface, and PEPVPN rules are automatically added according to the configuration.

Replies to outbound LAN traffic are allowed back in as the session is established outbound. Inbound firewall rules typically match your port forwarding rules unless there is a 1-1 NAT map.

To “block all” inbound traffic set the default rule to deny. To configure inbound rules that allow specific ports, configure the destination port but leave the source port as “Any Port” in case the source is behind a NAT router.