Remote monitoring of router connectivity
3 weeks ago - last edited 2 weeks ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.24

I'd like to monitor my router connectivity so I get alerted if the home internet connection goes down/offline for some reason. I have an ER605, 2 switches and 3 EAPs, all fully adopted and managed by a locally installed OC200.

Ideally would like to use something like UptimeRobot

I want to only enable certain public IP addresses to ping my WAN IP and get a response; anything else should get dropped (as though pings are ignored).

However, even when I disable "Block Ping from WAN" and add a couple of Gateway ACL entries to only permit certain UptimeRobot hosts for ICMP, followed by a rule to deny all others, I still seem to receive pings from other addresses as well (testing via the Central Ops website).

Any suggestions from anybody who has got this to work?

So we're clear, I want to achieve:

1. A perfect stealth report from the ShieldsUP test at www.grc.com
2. Allow PINGS to come from specified IP addresses only.

Has anybody been able to make this work running their ER605 under an Omada controller (rather than amending firewall settings on an unadopted unit via its local web GUI)?

#1
2 Accepted Solutions
Re: Remote monitoring of router connectivity - Solution
2 weeks ago - last edited 2 weeks ago

Hi @TakeshiKovacs 

Thanks for posting in our business forum.

TakeshiKovacs wrote

Thanks, please let me know what their feedback is and whether a ticket can be logged for this.

OK.

Two rules, the same as before. But the destination is slightly different.

#1 Deny, WAN IN, SRC ANY IP, DST GW management page.

#2 Allow, WAN IN, SRC desired one, DST GW management page.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
#13
Re: Remote monitoring of router connectivity - Solution
2 weeks ago - last edited 2 weeks ago

@Clive_A

So the good news is using the Gateway Management as the DST works. The way to do it is as follows:

First comes the PERMIT rule which is the highly selective one based on source of the monitoring websites I'm enabling.

Then comes the DENY which then blocks anything that the preceding rule didn't match with/allow.

This then works as expected. I now have my connection externally monitored and pings from random other addresses are ignored so for example I still get a perfect result from the ShieldsUP tests at GRC dot com.

Highly recommend you update your customer knowledgebase articles to document this properly.

#14
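The ordering question argued over in posts #6 and #14 (first-match evaluation, with the selective PERMIT placed before the catch-all DENY) is modelled below. This is an added example, not part of the original thread and not TP-Link or Omada code; the controller's real rule objects are not reproduced. The IP groups, addresses and probe packets are constructed: the "UptimeRobot" ranges are RFC 5737 documentation addresses, not the service's real monitoring IPs, the gateway WAN address is assumed, and default-permit when no rule matches is an assumption based on the thread's observation that unfiltered pings are answered. The model captures ordering semantics only; it does not reproduce the device behaviour reported in post #11, where ICMP to the router was not caught until the destination was set to the gateway management group.

```python
"""First-match ACL model for 'permit a few monitoring sources, drop all
other ICMP to the gateway'.

Added example, not TP-Link/Omada code. IP groups, addresses and packets
are constructed for illustration (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the controller's IP Group objects (assumed values).
IP_GROUPS = {
    "UptimeRobot": ["203.0.113.0/28", "198.51.100.7/32"],  # NOT the real monitor IPs
    "IPGatewayGrp": ["192.0.2.10/32"],                     # assumed router WAN IP
    "IPGroup_Any": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    policy: str      # "permit" or "deny"
    protocol: str    # "icmp", "tcp", "udp" or "any"
    src_group: str
    dst_group: str


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str


def in_group(addr: str, group: str) -> bool:
    """True if addr falls inside any CIDR of the named IP group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in IP_GROUPS[group])


def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.protocol == "any" or rule.protocol == pkt.protocol
    return proto_ok and in_group(pkt.src, rule.src_group) and in_group(pkt.dst, rule.dst_group)


def evaluate(rules, pkt: Packet, default: str = "permit") -> str:
    """Sequential first-match evaluation, as the controller help text describes:
    the first matching rule decides and later rules are not consulted.
    `default` applies when nothing matches (assumed permit, since the thread
    shows unfiltered pings being answered)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return default


# Ordering that worked in post #14: selective PERMIT first, catch-all DENY second.
PERMIT_THEN_DENY = [
    Rule("permit", "icmp", "UptimeRobot", "IPGatewayGrp"),
    Rule("deny", "icmp", "IPGroup_Any", "IPGatewayGrp"),
]
# Ordering suggested earlier in the thread: catch-all DENY first.
DENY_THEN_PERMIT = list(reversed(PERMIT_THEN_DENY))

# Constructed probes against the gateway WAN address.
SAMPLES = {
    "monitor": Packet("icmp", "203.0.113.5", "192.0.2.10"),   # allowed monitoring source
    "stranger": Packet("icmp", "192.0.2.200", "192.0.2.10"),  # e.g. an internet scanner
    "tcp_web": Packet("tcp", "192.0.2.200", "192.0.2.10"),    # not ICMP; these rules ignore it
}


def outcomes(rules) -> dict:
    """Map each sample probe to the verdict the rule list gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("permit-then-deny", PERMIT_THEN_DENY),
                         ("deny-then-permit", DENY_THEN_PERMIT)):
        print(label, outcomes(rules))
```

Under strict first-match, deny-then-permit drops the monitor's probe as well, because the catch-all deny matches it before the permit is ever reached; permit-then-deny answers only the listed sources. The non-ICMP probe is untouched by either list, which is why an external check such as the ShieldsUP scan mentioned in the thread is still worth running after the ACL change.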
Re: Remote monitoring of router connectivity
3 weeks ago

Hi @TakeshiKovacs 

Thanks for posting in our business forum.

1. This has been possible since many versions ago.

2. How did you set up your ACL?

It should be WAN IN ACL and block ANY IP and allow your desired ip/32.

Note that you have to be specific about the desired IP address. It should be a static IP preferably.

Best Regards!
#2
Re: Remote monitoring of router connectivity
3 weeks ago
I shall check on that and advise.
#3
Re: Remote monitoring of router connectivity
3 weeks ago

I currently have the following:

Network Security -> Attack Defense -> Packet Anomaly Defense

Block PING from WAN is unchecked (as my understanding is that it would take precedence over the Gateway ACL).

Then in Gateway ACL, I have the following as the first rule:

Status: Enable
Direction: [WAN] IN, [WAN/LAN1] IN
Policy: Permit
Protocols: ICMP
Source Type: IP Group
IP Group "UptimeRobot"

-> PERMIT

IP Group
IPGatewayGrp
IPGroup_Any

Advanced Settings -> States -> Auto

IP Group UptimeRobot currently looks like this:

Which is based on their list of monitoring locations.

Then immediately after this rule I have another Gateway ACL rule set for Deny on ICMP from any source to the same destination group as above.

Am I missing something?

#4
Re: Remote monitoring of router connectivity
3 weeks ago

Hi @TakeshiKovacs 

Thanks for posting in our business forum.

TakeshiKovacs wrote

I currently have the following:

Network Security -> Attack Defense -> Packet Anomaly Defense

Block PING from WAN is unchecked (as my understanding is that it would take precedence over the Gateway ACL).

Then in Gateway ACL, I have the following as the first rule:

Status: Enable
Direction: [WAN] IN, [WAN/LAN1] IN
Policy: Permit
Protocols: ICMP
Source Type: IP Group
IP Group "UptimeRobot"

-> PERMIT

IP Group
IPGatewayGrp
IPGroup_Any

Advanced Settings -> States -> Auto

IP Group UptimeRobot currently looks like this:

Which is based on their list of monitoring locations.

Then immediately after this rule I have another Gateway ACL rule set for Deny on ICMP from any source to the same destination group as above.

Am I missing something?

Block ALL first, allow comes in second.

It should work with two rules created like the above.

How to limit specific IP to access to internal server by TP-LINK SMB router?

Best Regards!
#5
Re: Remote monitoring of router connectivity
3 weeks ago - last edited 3 weeks ago

I tried it with the Block ALL first and then the allow second. Didn't make any difference, I can still ping the unit from any public IP address.

Suggested next steps? Is there any way to configure additional logging for when a Gateway ACL rule is matched? Perhaps with remote syslog in place?

Also, why should the Block ALL come first? The documentation accessible in the controller states:

The system filters traffic against the rules in the list sequentially. The first match determines whether the packet is accepted or dropped, and other rules are not checked after the first match.

So if I read that correctly, a ping from a non-authorised address shouldn't match the PERMIT rule, in which case why does that have to come after the DENY? Surely in that case the inbound ping would match the DENY rule, get dropped, and no further rules would be evaluated?

#6
Re: Remote monitoring of router connectivity
3 weeks ago

Hi @TakeshiKovacs 

Thanks for posting in our business forum.

TakeshiKovacs wrote

I tried it with the Block ALL first and then the allow second. Didn't make any difference, I can still ping the unit from any public IP address.

Suggested next steps??

So, the idea is to deny any IP to ping you and allow a specific CIDR or IP to ping you.

The DST in the permit is supposed to be your router WAN IP. Have you tried this?

1. SRC ANY DST ANY

2. SRC IP/CIDR DST GW IP

Best Regards!
#7
Re: Remote monitoring of router connectivity
3 weeks ago

@Clive_A Sorry, not getting you.

Would you be kind enough to show an example in terms of the rule that you're suggesting and how it would look on the Omada Gateway ACL page?

#8
Re: Remote monitoring of router connectivity
2 weeks ago

Hi @TakeshiKovacs 

Thanks for posting in our business forum.

TakeshiKovacs wrote

@Clive_A Sorry, not getting you.

Would you be kind enough to show an example in terms of the rule that you're suggesting and how it would look on the Omada Gateway ACL page?

Something like this.

https://community.tp-link.com/en/business/forum/topic/669908?replyId=1368088

Best Regards!
#9
Re: Remote monitoring of router connectivity
2 weeks ago

@Clive_A So to check if the Deny works first, I set up the following rule.

Using that other post as a guide.

First I'm testing the ability to block. With that rule at the top of the list, it should ignore/block any inbound PINGs, right?

It doesn't work.

So what are the next steps for trouble shooting this?

#10
Re: Remote monitoring of router connectivity
2 weeks ago

Hi @TakeshiKovacs 

Thanks for posting in our business forum.

TakeshiKovacs wrote

@Clive_A So to check if the Deny works first, I set up the following rule.

Using that other post as a guide.

First I'm testing the ability to block. With that rule at the top of the list, it should ignore/block any inbound PINGs, right?

It doesn't work.

So what are the next steps for trouble shooting this?

This way is supposed to work commonly like SSH, TCP or UDP access.

But it does not work for the ICMP as of now. Indeed.

I need to consult this with the test team and see if we can work around this.

Best Regards!
#11