Newbie Firewall Question


#1

Greetings. If you make absolutely no additions or changes to the Balance One firewall rules as it is shipped, is your Balance One:

A) Wide Open & Unsafe
B) Restrictive and really safe
C) Something in between

Thank you,

Colorado Newbie


#2

Security in relation to firewalls, and VLANs in particular, are topics that have already generated a large number of very detailed and lengthy posts on this forum (there are lots of very security-minded SOHO owners on here - look for their posts).

As with many things in life, if you have the need, time, and are prepared to put in the effort, you can make Peplink devices more secure than they are out of the box. Sure there are things we should all do - change admin usernames and passwords, use obscure ports and enable https (Michael Horowitz has a great guide), but there are lots of other things that only those who really need a heightened level of security will want to do - or can justify doing.

For me at home (and in many of my production deployments) I leave the Peplink firewall in its default settings, ‘any to any’ allowed. This freaks people out when they first see it as it looks like the router is wide open - it’s not. Since the default settings of a Peplink device are for all WANs to be in NAT mode, traffic is only allowed inbound to the WAN on ports that have been specifically opened by you (i.e. ports forwarded to internal servers etc.), or in response to traffic you have sent out via the firewall (it is stateful). Yes, there are other ports that are open on the WAN (like those for inbound VPN traffic, web admin etc.) but these services do not allow traffic LAN side (without authentication) so I don’t personally care much about them (so long as I have taken sensible precautions like changing the admin username/password).

The disadvantage of allowing any:any WAN to LAN is when you are using IP forwarding on the WAN, as any device on any network will be allowed to route traffic via your WAN to your LAN. In those cases, locking down the firewall rules can be a prudent decision, but even then in my experience you tend to use IP forwarding when you’re already behind another firewall so I don’t think it’s very worrying as a default setting.

The biggest advantage of the any:any rules for me as an MSP is for remote management. I can get a customer to factory reset a Peplink device and plug its WAN into any internet connection. Once they do that I can then remotely access it over InControl2 (as it’s my device so registered under my account) and either manually rebuild the configuration or push a complete backup configuration down to the router.

That ability alone is why the current default firewall configuration (the ANY:ANY ruleset) is of value to me.

If I had to pick from your ABC options, I would say B) Restrictive and really safe, with the caveat that you do the other work to secure your router’s services/web UI.

Others on here will likely say A or C but that is because of their specific needs and demands of their router configuration. We can all be right on this depending on our own use cases and requirements.
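To make the reasoning in the answer above concrete, here is a small added model of the inbound decision a NAT-mode WAN with a stateful firewall makes, set beside the same any:any rule on a WAN in IP forwarding mode. It is example code written for this thread, not Peplink firmware or the poster's own configuration; the addresses, ports, the port forward and the set of "router services" (admin on tcp/443) are constructed values, and NAT is simplified so the LAN source port is kept when the source address is rewritten to the WAN IP.

```python
"""Toy model of the WAN-side inbound decision described in the answer above.

Constructed example, not Peplink code: addresses, ports and the router
services set are made-up values, and NAT is simplified to keep the LAN
source port unchanged when the source address is rewritten to the WAN IP.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class WanEdge:
    mode: str                       # "nat" (shipped default) or "ip_forwarding"
    wan_ip: str
    lan_prefix: str                 # LAN network, e.g. "192.168.1."
    wan_to_lan_rule: str = "allow"  # the shipped "any to any" rule; "deny" locks it down
    port_forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_ip, lan_port)
    router_services: set = field(default_factory=lambda: {("tcp", 443)})  # assumed admin port
    conntrack: set = field(default_factory=set)         # flows initiated from the LAN

    def outbound(self, pkt: Packet) -> None:
        """A LAN host sends traffic out; remember the flow so the reply is allowed back."""
        # NAT rewrites the source to the WAN IP; IP forwarding routes the LAN address as-is.
        outer_src = self.wan_ip if self.mode == "nat" else pkt.src_ip
        self.conntrack.add((pkt.proto, pkt.dst_ip, pkt.dst_port, outer_src, pkt.src_port))

    def inbound(self, pkt: Packet) -> tuple:
        """Decide what happens to a packet arriving on the WAN: (verdict, reason)."""
        # 1. Stateful check: replies to LAN-initiated flows pass regardless of the rule set.
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.conntrack:
            return ("accept", "reply to LAN-initiated flow")
        # 2. Traffic to the router's own services terminates on the router, not the LAN.
        if pkt.dst_ip == self.wan_ip and (pkt.proto, pkt.dst_port) in self.router_services:
            return ("router", "service on the router itself (authentication still required)")
        if self.mode == "nat":
            # 3a. NAT: only an explicit port forward gives unsolicited traffic a LAN
            #     destination, and the WAN-to-LAN rule is still evaluated for it.
            target = self.port_forwards.get((pkt.proto, pkt.dst_port))
            if pkt.dst_ip == self.wan_ip and target and self.wan_to_lan_rule == "allow":
                return ("accept", f"port forward to {target[0]}:{target[1]}")
            return ("drop", "no NAT mapping for unsolicited traffic")
        # 3b. IP forwarding: anything addressed to the LAN is routable, so the rule alone decides.
        if pkt.dst_ip.startswith(self.lan_prefix):
            if self.wan_to_lan_rule == "allow":
                return ("accept", "routed to LAN under the any:any rule")
            return ("drop", "WAN-to-LAN rule denies unsolicited traffic")
        return ("drop", "not addressed to the LAN or to a router service")


def scenario(mode: str, rule: str = "allow") -> dict:
    """Run the same four WAN-side packets against a router in the given mode and rule."""
    edge = WanEdge(mode=mode, wan_ip="203.0.113.10", lan_prefix="192.168.1.",
                   wan_to_lan_rule=rule,
                   port_forwards={("tcp", 8080): ("192.168.1.20", 80)})
    edge.outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 443))  # LAN host browses out
    reply_to = edge.wan_ip if mode == "nat" else "192.168.1.5"
    probes = {
        "reply":              Packet("198.51.100.7", 443, reply_to, 51000),
        "forwarded_port":     Packet("198.51.100.9", 40000, edge.wan_ip, 8080),
        "admin_port":         Packet("198.51.100.9", 40001, edge.wan_ip, 443),
        "unsolicited_to_lan": Packet("198.51.100.9", 40002, "192.168.1.5", 445),
    }
    return {name: edge.inbound(p)[0] for name, p in probes.items()}


if __name__ == "__main__":
    for mode, rule in (("nat", "allow"), ("ip_forwarding", "allow"), ("ip_forwarding", "deny")):
        print(f"{mode:14s} rule={rule:5s} -> {scenario(mode, rule)}")
```

Running it shows the point the answer makes: in NAT mode the any:any rule only ever lets in the explicit port forward and replies to LAN-initiated flows, with admin traffic stopping at the router, whereas in IP forwarding mode the same rule routes an unsolicited packet straight to a LAN host, and only changing the WAN-to-LAN rule to deny stops it (replies still pass because the check is stateful).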