(SOLVED) Peplink Balance 20 Internal Network Firewall Not Doing Anything?

I’m trying to set up a firewall rule that’ll block incoming WIFI connections from another router.

I have a router at 10.0.1.1 that assigns hosts behind it addresses in the 192.168.100.x range.
There is a laptop at 192.168.100.118.

It’s connected to my Peplink Balance 20 on a LAN port. The Peplink is 10.0.0.254.

I have a computer at 10.0.0.1.

I can happily ping 10.0.0.1 from 192.168.100.118. I can mount shared folders. As far as I can tell, the firewall rule is doing absolutely nothing whatsoever.

I’ve tried using the MAC address of the second router and the laptop, to test. Doesn’t matter. The Peplink still just happily sends it anyway. Is there some setting that actually enables the firewall? What am I doing wrong?
(See attached image for rules.)

Edit: For grins, I changed the default policy to deny (for any protocol, any source and any destination) and I can still mount shares and ping from systems on the other side of the second router. What the hell?
Firmware is 7.1.1 build 3548.

*** This post has been heavily edited from the original version which was incorrect. In my defense I did it in the early hours of the morning - so not my best work… *** 🙂

LAN firewall rules can only apply to traffic routed through the Balance. If the firewall rules are not blocking the traffic then the Balance might not be in the traffic flow.

If I understand your topology correctly, you have a static route on the Balance for the 192.168.100.0 network with the router (10.0.1.1) as the next hop. If so, then traffic between the PC (10.0.0.1) on the LAN of the Balance and the laptop (192.168.100.118) on the LAN of the other router would absolutely pass through the Balance and then the other router. So the firewall rules should indeed work.

Explanation

  • When the PC wants to send traffic to the laptop on the other network, since it is not local to it, it forwards the traffic to its default gateway (the Balance).
  • The Balance has a static route on it, so it knows to send the traffic on to the next hop (the other router) and does this.
  • Throughout the communication between the PC and the laptop, traffic always passes via both the Balance and the other router. So LAN firewall rules on the Balance can block these flows if desired.

So when would the LAN rules on the Balance have no effect? When the PC already knows a route.

If a static route is added on the PC for the 192.168.100.0 network with 10.0.1.1 as the next hop then it will just send the traffic direct to 10.0.1.1 (since it's on its local LAN segment) - that traffic would not go near the Balance.

If you want to make sure that all traffic always has to go via the Balance (so stopping the ability for local routes on the PC to bypass it), then you need to put the other router in its own VLAN. This way the PC has no option but to go via the Balance, since the interface of the other router in this new VLAN (172.16.10.1 in the example) is not accessible except via the Balance…


Thanks for the awesome response! What do you use to create those layouts? They’re great!

So, the WAN ports on the Balance go to the Internet.

To make sure we’re definitely on the same page:
Port 1 on the Balance is 10.0.0.0/22, which goes to a switch with hosts 10.0.0.1, 10.0.0.2 and so on.
Port 4 has a WiFi router. It has an IP of 10.0.1.1, which unless I'm mistaken is also part of the 10.0.0.0/22 subnet, correct?

When 10.0.1.1 assigns DHCP addresses to whatever connects to it, they're in the 192.168.100.x range. (Yes, I set up a static route showing 10.0.1.1 as the next hop for 192.168.100.x.)

Given that both segments are connected only to the Peplink’s LAN ports, am I understanding correctly that it’s not ‘between’ it still? I’m obviously very ignorant here.

To restate and make sure I understand this correctly, the internal network firewall can’t apply any rules at all to any packets going through the LAN ports?

To simplify, if I had 10.0.0.1 on port 1 and 10.0.0.2 on port 2, and I wanted no communication possible between them, this would not be possible, without creating separate VLANs?

And, if I change it so I have 10.0.0.0/22 on port 1 and 192.168.100.0/24 on port 2, the Balance will still route all traffic between these without any filtering at all?

If so, that seems very non-intuitive, especially that it’s impossible to filter MAC addresses between adjacent LAN ports.

Does the Balance only act as a switch? You said this is one of the ways to do this; perhaps a better question might be, what’s the most correct way of doing this?

(And it’s naivete that informed me in the first place: I thought I needed the second router on the same subnet, so I could reach its configuration interface.) This second router is a cheap thing solely to provide internet access to some IoT and other low priority devices. I want to make sure nothing at all coming from it can access any of the machines on the LAN.

Anyway, thank you so much for the helpful response – at least I know nothing’s wrong with the Peplink! (I only just updated to the current FW).

Thanks, but sadly it wasn't accurate at all - I must have been drunk when I wrote this 🙂 I have fixed the original post above.

It's all the same subnet, yes.

No, actually I was mistaken too, so I have confused things a little. Let me clarify:
The LAN ports on the Balance effectively act as a layer 2 switch - unless:

  • There are multiple VLANs in place (either tagged, or with VLANs allocated to specific LAN ports for access), or
  • There are static routes configured on the Balance to route to a different subnet.

As per above, LAN firewall rules can be applied to new internal network IP sessions, i.e. sessions between LAN / VLAN / static routed networks / PepVPN networks / IPsec networks / remote VPN clients.

Network traffic between devices on the same subnet cannot be blocked by firewall rules, as no routing (layer 3) is happening - the devices are talking directly to each other over layer 2.

To configure this example you would need a new VLAN on port 2 for the new subnet. LAN firewall rules do work between VLANs / subnets.

'Correct' is at times subjective. This is what I would do: I would create a new VLAN for the IoT devices, get rid of the other router and just use a switch, then turn off inter-VLAN routing on the Balance so that traffic can't flow between the devices on the existing untagged LAN and the VLAN.

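An added example (not from any poster in this thread, and not Peplink code) that models the host routing decision both answers above rely on: which first hop the PC at 10.0.0.1/22 picks for a destination, and therefore whether the flow ever reaches the Balance's LAN firewall. It assumes the PC's default gateway is the Balance at 10.0.0.254 and reuses the 172.16.10.1 VLAN address from the first answer; the route lookup and the "next hop must be on-link" rule are a simplified model of a typical host IP stack.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the thread; the Balance is assumed to be the PC's default gateway.
BALANCE = ipaddress.ip_address("10.0.0.254")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected (on-link)


def pc_routes():
    """Routing table of the PC 10.0.0.1/22: its connected /22 plus a default via the Balance."""
    return [Route(ipaddress.ip_network("10.0.0.0/22"), None),
            Route(ipaddress.ip_network("0.0.0.0/0"), BALANCE)]


def is_on_link(routes, addr):
    addr = ipaddress.ip_address(addr)
    return any(r.via is None and addr in r.prefix for r in routes)


def add_static_route(routes, prefix, via):
    """A host only installs a static route whose next hop is on a connected subnet.
    If the next hop is unreachable (e.g. in another VLAN) the table is left unchanged,
    so the default route through the Balance keeps winning."""
    via = ipaddress.ip_address(via)
    if not is_on_link(routes, via):
        return routes
    return routes + [Route(ipaddress.ip_network(prefix), via)]


def next_hop(routes, dst):
    """Longest-prefix match. For an on-link route the host ARPs for the destination itself."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best.via is None else best.via


def via_balance(routes, dst):
    """The Balance's LAN firewall can only match a flow whose first hop is the Balance;
    traffic switched at layer 2 or handed to another on-link router never reaches it."""
    return next_hop(routes, dst) == BALANCE
```

Calling `via_balance(pc_routes(), "192.168.100.118")` is True (the default route hands the flow to the Balance), while the same call after `add_static_route(..., "192.168.100.0/24", "10.0.1.1")` is False because 10.0.1.1 is inside 10.0.0.0/22 and the PC sends straight to it; a static route via 172.16.10.1 is rejected as off-link, so the flow still goes through the Balance.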

Awesome!

Between your edit of your first post (why it was still seeing it; I haven’t rebooted my systems!) and the second, I think I’ve got it.

Really appreciate the detailed and helpful posts. Thanks so much!