Changes

Firewall traffic rules (view source)

Revision as of 15:13, 9 August 2024

738 bytes added , 9 August

no edit summary

Line 1: Line 1: −

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.~~03.4~~'''] firmware version.

+

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.08'''] firmware version.

==Introduction==

Line 28: Line 28:

It is important to be mindful of the order of traffic rules. The rules can always be rearranged by simply clicking on the symbol on the left side of the rule and dragging the rule where it is needed. You can also change the configuration of each rule by finding your rule in the traffic rules and pressing a '''‘pencil’''' button to edit settings.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rule_order_v3~~.png|alt=firewall traffic rules rule order|border|class=tlt-border|~~715x123px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_1.png|alt=firewall traffic rules rule order|border|class=tlt-border|1000px]]

====Defining specific IP addresses and networks====

Line 97: Line 97:

*Click '''‘Add’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_1-1_v2~~.png|alt=Firewall traffic rule to block LAN network.|border|class=tlt-border|~~750 × 170px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_2.png|alt=Firewall traffic rule to block LAN network.|border|class=tlt-border|1000px]]

A new window will pop-out where you will be able to specify additional settings.

−

*In the action field choose '''~~‘Drop’~~'''

+

# '''Enable the instance''';

+

# Choose Protocol: '''All''';

+

# Choose Source zone: '''lan''';

+

# Choose Destination zone: '''wan''';

+

# In the action field choose '''Drop''';

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_1-2_v1~~.png|alt=Firewall traffic rule to deny LAN network configuration|border|class=tlt-border|~~467x422px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_3.png|alt=Firewall traffic rule to deny LAN network configuration|border|class=tlt-border|1000px]]

−

Scroll down and press '''~~‘Save~~ & ~~Apply’~~'''.

+

Scroll down and press '''Save & Apply'''.

The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_1-3_v1~~.png||border|class=tlt-border|~~679x61px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_4.png||border|class=tlt-border|1000px]]

====Traffic rule to allow the host access====

Line 121: Line 125:

*Click '''‘Add’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_2-1_v1~~.png|alt=Firewall traffic rule to allow single host to web server|border|class=tlt-border|694x152px]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_5.png|alt=Firewall traffic rule to allow single host to web server|border|class=tlt-border|694x152px]]

A new window will pop-out where you will be able to specify additional settings.

−

*In the ~~protocol field, choose~~ '''TCP~~+UDP~~'''.

+

# '''Enable the instance''';

−

+

# Choose Protocol: '''UDP and TCP''';

−

*In the source IP address enter the IP address of the host in '''LAN''' that you wish to allow to access the web server. In this example, the IP address of PC2 is '''192.168.1.11'''.

+

# Choose Source zone: '''lan''';

−

*In the destination address field, enter the IP address of the web server, which is '''185.xxx.xxx.xxx''' in this example.

+

# In the source IP address enter the IP address of the host in '''LAN''' that you wish to allow to access the web server. In this example, the IP address of PC2 is '''192.168.1.11'''.

−

*In the destination port field add ports '''’80’''' and '''‘443’'''. These are '''HTTP''' and '''HTTPS''' port numbers that are used for communication with a web server.

+

# Choose Destination zone: '''wan''';

−

*In the action field choose '''~~‘Accept’~~'''.

+

# In the destination address field, enter the IP address of the web server, which is '''185.xxx.xxx.xxx''' in this example.

+

# In the destination port field add ports '''’80’''' and '''‘443’'''. These are '''HTTP''' and '''HTTPS''' port numbers that are used for communication with a web server.

+

# In the action field choose '''Accept''';

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_2-2_v3~~.png|alt=Firewall traffic rule to allow a single host to web server configuration|border|class=tlt-border|521x576px]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_6_v2.png|alt=Firewall traffic rule to allow a single host to web server configuration|border|class=tlt-border|521x576px]]

You can specify additional settings as you wish. For example, you can set times when this rule should apply. This way, the host will be able to access the web server only at certain times.

Line 140: Line 146:

The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled. In addition, we need to move the second rule and ensure that the second rule is above the first rule.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_2-3_v3~~.png|alt=Firewall two traffic rules to allow only a single host to access web server enabled|border|class=tlt-border|~~880x153px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_7.png|alt=Firewall two traffic rules to allow only a single host to access web server enabled|border|class=tlt-border|1000px]]

These rules indicate that traffic from the host '''192.168.1.11''' in '''LAN''' destined to the IP address of '''185.xxx.xxx.xxx''' on ports '''80''' and '''443''' in '''WAN''' must be accepted. The '''‘Accept forward’''' indicates the action (accept). The slider on the right side shows that the rule is enabled. The rule is above the Deny-LAN-WAN rule, so that traffic from host 192.168.1.11 (PC2) matches the first rule and is accepted. Traffic from other hosts in LAN will match the second rule and will be dropped.

Line 153: Line 159:

*Press the '''‘Add’''' button.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_3-1_v1~~.png|alt=Firewall traffic rule to open a port of a device||border|class=tlt-border|~~708x155px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_8.png|alt=Firewall traffic rule to open a port of a device||border|class=tlt-border|1000px]]

A new window will pop-out where you will be able to specify additional settings. For the purpose of just opening a port, no additional settings are required. Scroll down and press '''‘Save & Apply’'''.

Line 159: Line 165:

The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_3-2_v1~~.png|alt=Firewall traffic rule to open a port on a device enabled||border|class=tlt-border|~~677x56px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_9.png|alt=Firewall traffic rule to open a port on a device enabled||border|class=tlt-border|1000px]]

Here we can see that a new rule was created. It accepts '''TCP, UDP''' traffic from any host in '''WAN''' coming to the router on port '''8080'''. The slider on the right side is set to '''‘on’''' indicating that the rule is enabled.

Line 176: Line 182:

*Click '''‘Add’.'''

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_4-1_v1~~.png|alt=Firewall traffic rule to deny a single port for LAN network||border|class=tlt-border|~~697x155px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_10.png|alt=Firewall traffic rule to deny a single port for LAN network||border|class=tlt-border|1000px]]

A new window will pop-out where you will be able to specify additional settings.

−

+

*'''Enable the instance'''

*Choose '''LAN''' as the source zone.

*Leave the source IP field '''‘any’''' or specify a LAN network to block.

*In the action field choose '''‘Drop’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_4-2_v1~~.png|alt=Firewall traffic rule to deny single port for LAN network configuration|border|class=tlt-border|~~470x516px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_11.png|alt=Firewall traffic rule to deny single port for LAN network configuration|border|class=tlt-border|1000px]]

Scroll down and press '''‘Save & Apply’'''.

Line 201: Line 207:

*Click '''‘Add’.'''

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_5-1_v1~~.png|alt=Firewall traffic rule to allow a single host on one port|border|class=tlt-border|~~696x156px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_12.png|alt=Firewall traffic rule to allow a single host on one port|border|class=tlt-border|1000px]]

* set the source IP address to the IP address of the host.

*In the action field choose '''‘Accept’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_5-2_v1~~.png|alt=Firewall traffic rule to allow a single host on one port configuration|border|class=tlt-border|~~470x515px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_13.png|alt=Firewall traffic rule to allow a single host on one port configuration|border|class=tlt-border|1000px]]

Scroll down and press '''‘Save & Apply’'''.

Line 212: Line 218:

The new rules are created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled. These rules indicate that any traffic coming from host '''192.168.1.11''' in the '''LAN''' to port '''5000''' on the device will be accepted. The slider on the right side shows that the rule is enabled. Drag the second rule to be above the first rule, so the traffic from the host is matched against it and is allowed to access the device on port 5000. All other traffic from the local network coming to port 5000 on the router will be dropped because it will match the second rule. For example, if port is set to 53 (a port used by DNS), only this host would be allowed to use DNS service running on the device. Similarly, if the ports are set to 80 and 443, only that specific IP address will be able to access the WebUI of the device.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_5-3_v1~~.png|alt=Firewall two traffic rules to allow only a single host on one port enabled|border|class=tlt-border|~~692x119px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_14.png|alt=Firewall two traffic rules to allow only a single host on one port enabled|border|class=tlt-border|1000px]]

Line 224: Line 230:

*In the external port field, enter ports '''80''' and '''443 (HTTP(S))''' so that only the access to the WebUI is allowed. Click '''‘Add’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_6-1_v1~~.png|alt=Firewall traffic rule to allow web access from WAN|border|class=tlt-border|~~708x157px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_15.png|alt=Firewall traffic rule to allow web access from WAN|border|class=tlt-border|1000px]]

Line 234: Line 240:

*In the action field choose '''‘Accept’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_6-2_v1~~.png|alt=Firewall traffic rule to allow web access from WAN configuration|border|class=tlt-border|~~471x517px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_16.png|alt=Firewall traffic rule to allow web access from WAN configuration|border|class=tlt-border|1000px]]

Line 243: Line 249:

The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_6-3_v1~~.png|alt=Firewall traffic rule to allow web access from WAN enabled|border|class=tlt-border|~~679x54px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_17.png|alt=Firewall traffic rule to allow web access from WAN enabled|border|class=tlt-border|1000px]]

Line 259: Line 265:

*Click '''‘Add’'''.

−

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7~~-1_v2~~.png|border|class=tlt-border|~~699x156px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_18.png|border|class=tlt-border|1000px]]

Line 265: Line 271:

*Select '''<nowiki/>'TCP+UDP'''' as protocol.

+

*Select source zone '''lan'''.

*In the destination port field enter the range of ports you wish to deny (For example, '''‘1500-1700’'''), or list specific ports by leaving spaces in-between port numbers (For example, '''‘80 443'''’).

*In the action field choose '''‘Drop’'''.

−

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7~~-2_v2~~.png|alt=Firewall traffic rule to block a range of ports|border|class=tlt-border|~~473x521px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_19.png|alt=Firewall traffic rule to block a range of ports|border|class=tlt-border|1000px]]

You can specify additional settings as you wish.

Line 275: Line 282:

The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.

−

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7~~-3_v2~~.png|alt=Firewall traffic rule to block a range of ports enabled|border|class=tlt-border|~~677x58px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_20.png|alt=Firewall traffic rule to block a range of ports enabled|border|class=tlt-border|1000px]]

Line 287: Line 294:

* Choose '''WAN''' as destination zone.

*Click '''‘Add’'''.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_8-1_v2~~.png|alt=Firewall traffic rule to block host MAC on certain times|border|class=tlt-border|~~696x152px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_21.png|alt=Firewall traffic rule to block host MAC on certain times|border|class=tlt-border|1000px]]

A new window will pop-out where you will be able to specify additional settings.

−

*In the ~~source~~ '''~~MAC~~''' ~~address choose the~~ '''~~MAC~~''' ~~address of the~~ host ~~to who~~ the ~~rule~~ will ~~apply~~. ~~You can enter a custom~~ MAC address.

+

#'''Enable the instance''';

−

*In the action field choose '''~~‘Drop’~~'''.

+

#Choose Protocol: '''All''';

−

*On weekdays you can choose on which days the ~~rule will apply (The device~~ will ~~not be able~~ to ~~communicate). You can choose days of~~ the ~~month, start and stop times, and other~~ time ~~settings~~.~~ ~~

+

#Choose Source zone: '''lan''';

+

#Choose Action: '''Drop''';

+

#Open '''Advanced Settings''' section;

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_22.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|1000px]]

+

+

In the Advanced settings we will need to add Specific Source MAC address.

+

#Choose Source MAC address '''Which you want to block on certain times''';

+

#Open '''Time Restrictions''' section;

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_23.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|1000px]]

+

+

In the Time Restrictions section we will need to specify the time when to block access.

−

~~[[File:Networking_rutos_configuration_example_firewall_traffic_rules_8-2_v2.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|419x606px]]~~

+

#Choose Week Days;

+

#Choose Start Time;

+

#Choose Stop Time;

+

#Choose Start Date;

+

#Choose Stop Date;

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_24.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|1000px]]

+

You can specify additional settings as you wish. Scroll down and press '''‘Save & Apply’'''.

The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.

−

[[File:~~Networking_rutos_configuration_example_firewall_traffic_rules_8-3_v2~~.png|alt=Firewall traffic rule to block host MAC on certain times enabled|border|class=tlt-border|~~679x60px~~]]

+

[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_25.png|alt=Firewall traffic rule to block host MAC on certain times enabled|border|class=tlt-border|1000px]]

−

This rule indicates that the PC with mac address of '''00:00:5e:xx:xx:xx''' will not be able to send traffic to '''WAN'''. The '''~~‘Discard~~ forward’''' indicates the action (drop). The rule does not show the times at which this rule is applied, but the times can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the ~~12th~~ of ~~February~~, ~~2023~~. Then, every Monday, Tuesday, Wednesday, Thursday, and Friday, from 8 AM to 4 PM this PC will not be able to send traffic to '''WAN'''.

+

This rule indicates that the PC with mac address of '''00:00:5e:xx:xx:xx''' will not be able to send traffic to '''WAN'''. The '''‘Drop forward’''' indicates the action (drop). The rule does not show the times at which this rule is applied, but the times can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the 9th of August, 2024. Then, every Monday, Tuesday, Wednesday, Thursday, and Friday, from 8 AM to 4 PM this PC will not be able to send traffic to '''WAN'''.

Dziugas.Syminas

Administrators

405

edits

Namespaces

Variants

Views

More

Search

Changes

Firewall traffic rules (view source)

Revision as of 15:13, 9 August 2024

Navigation menu

Personal tools

NAVIGATION

Tools

Categories