ER605 L2TP Problem
I have set up L2TP/IPsec on an ER605 (v1 hardware, 1.1.1 firmware) connected to a Huawei gateway with UDP ports 500 & 4500 forwarded to the ER605.
With no other changes (ALG IPsec is on by default), a test connection from an Android phone connects to the VPN without any apparent difficulty or problems.
However, when I try to limit the inbound WAN traffic, I do not see the expected results:
1. Without any Access Control rules, the connection works - so I assume there is no default Block ALL on the inbound WAN if no rules are present. I am familiar with other devices where there is a default block ALL for WAN-IN, but no problem as long as I know.
2. With ALLOW rules for WAN-IN on UDP 500 & 4500, the VPN connection still works. I have assumed that having any ALLOW rules would now trigger a default, and possibly hidden, final Block-All on the WAN-IN route. If so, and the VPN still works, the implication is that no other ALLOW rules are required.
3. If I now add an explicit final BLOCK-ALL on WAN-IN, after the ALLOW rules for 500 & 4500, the VPN fails to connect at all.
It is as if the BLOCK-ALL is overriding the ALLOW rules, which makes no sense.
The only other possibility would be that there is a default ALLOW-ALL on the WAN-IN and my rules in [2] above are effectively redundant and there is, in fact, other traffic on the WAN-IN that (a) doesn't require Port-Forward from the modem but (b) is being permitted by this default ALLOW-ALL setup.
- In which case, can anybody suggest what this traffic is, and the rules needed before the final BLOCK-ALL ?
I have tried adding both WAN-IN and LAN-WAN ALLOW rules for both ESP (50) and AH (51) protocols, but this did not make any difference.
Thank you.
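The three scenarios in the post can be reasoned through with a small model of ordered first-match access control. The following Python is an added example, not code from the post or from TP-Link; it assumes the router evaluates rules top to bottom, stops at the first match, and falls through to an implicit default (allow or block) when nothing matches. The traffic profile is constructed: an L2TP/IPsec client behind NAT needs only IKE on UDP 500 and NAT-T on UDP 4500 to reach the router, because ESP and the inner L2TP (UDP 1701) are carried inside the UDP 4500 stream. The model shows which of the post's observations a pure first-match engine can and cannot explain.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers mentioned in the post, for reference only
PROTO_NUMBERS = {"udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Packet:
    direction: str            # "WAN-IN" or "LAN-WAN"
    proto: str                # "udp", "tcp", "esp", "ah", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str               # "allow" or "block"
    proto: Optional[str] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """Ordered first-match: the first rule that matches decides; otherwise the
    implicit default applies. Assumed semantics, not a documented ER605 behaviour."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed traffic profile for L2TP/IPsec with NAT-T (client behind NAT).
# Only these two outer flows arrive at the WAN interface.
L2TP_IPSEC_FLOW = [
    Packet("WAN-IN", "udp", 500),    # IKE
    Packet("WAN-IN", "udp", 4500),   # NAT-T: ESP, and inside it L2TP on UDP 1701
]

# Constructed unrelated inbound traffic used to check what a block-all actually stops.
OTHER_INBOUND = [
    Packet("WAN-IN", "tcp", 22),
    Packet("WAN-IN", "esp"),         # bare ESP, only seen without NAT-T
    Packet("WAN-IN", "udp", 1701),   # bare L2TP, only seen without IPsec
]

# Scenarios from the post
SCENARIO_1: List[Rule] = []                                      # no rules
SCENARIO_2 = [Rule("WAN-IN", "allow", "udp", 500),               # allow rules only
              Rule("WAN-IN", "allow", "udp", 4500)]
SCENARIO_3 = SCENARIO_2 + [Rule("WAN-IN", "block")]              # explicit final block-all


def vpn_permitted(rules: List[Rule], default: str) -> bool:
    """True when every outer flow the tunnel needs is allowed."""
    return all(evaluate(rules, p, default) == "allow" for p in L2TP_IPSEC_FLOW)


def blocked_packets(rules: List[Rule], pkts: List[Packet], default: str) -> List[Packet]:
    return [p for p in pkts if evaluate(rules, p, default) == "block"]


if __name__ == "__main__":
    for default in ("allow", "block"):
        print(f"implicit default = {default}")
        for name, rules in (("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3)):
            print(f"  scenario {name}: VPN {'works' if vpn_permitted(rules, default) else 'fails'}, "
                  f"other inbound blocked: {len(blocked_packets(rules, OTHER_INBOUND, default))}/{len(OTHER_INBOUND)}")
```

Under first-match semantics the VPN flow passes in scenario 3 regardless of the implicit default, because the two allow rules sit above the block-all; only the unrelated traffic is dropped. Scenario 1 working rules out an implicit WAN-IN block-all, which matches the post's own deduction. A failure in scenario 3 therefore points at something the model does not capture: either the tunnel needs an inbound flow not listed above (worth confirming with a packet capture on the WAN side), or the device does not apply the rules in strict list order.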