Something about this device and its firewall
Region : Italy
Model : TD-W8970
Hardware Version : V1
Firmware Version :
ISP :
Hi all.
I'm waiting for an answer in a former post (many days have passed since those spring days... :-) ...).
Anyway, there is something you should know.
Access Point Mode (WAN on ethernet cable)
-) Firewall does not control remote management;
-) Firewall applies rules at the first match;
-) Firewall works fine in LAN to WAN direction (best choice? Usually ... DEFAULT = DENY, allow what you need);
-) Firewall does not manage LAN1 to LAN2 traffic (yep, you got two LAN subnets ...);
-) Firewall uses local-network-objects and remote-network-objects (say WAN or VPN peer): max 16 entries for each group;
-) Each object contains NAME, IP ADDRESS (only HOST or RANGE ... not subnet mask and/or CIDR) and PORTS (1 to 65535);
----) All addresses = leave blank address fields;
----) All ports = leave blank port fields;
----) Each rule has, basically, HOST - WAN - Direction (IN/OUT) - Action (ALLOW/DENY) - PROTOCOL (UDP/TCP/ICMP/ALL).
----) If you choose ALL, the firewall does not consider the ports and protocols you declared in the rules;
-) Firewall filters LAN to VPN traffic, but not VPN to LAN (or I have not understood the best way to do this. Still waiting in a former post);
Example:
default rule: DENY
WEB
(host 192.160.1.1 - 192.160.1.100 / ports 1 - 65535 | wan: blank fields / ports: 80 | DIR: OUT | protocol: TCP | action: ALLOW) : WORKS!
VPN-RDP-OUT
(host 192.160.1.1 - 192.160.1.100 / ports 1 - 65535 | wan: 192.160.117.1 - 192.160.117.100 / ports: 3389 | DIR: OUT | protocol: TCP | action: ALLOW) : WORKS!
VPN-RDP-IN
(host 192.160.1.1 - 192.160.1.100 / ports 3389 | wan: 192.160.117.1 - 192.160.117.100 / ports: 1 - 65535 | DIR: IN | protocol: TCP | action: ALLOW) : IT DOES NOT WORK! Works if the firewall is down (...)
--) Be careful: if you can't provide static public/private IPv4 addresses for peers, the only MODE to build an IPSec VPN is aggressive ...
Is this right?
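To make the rule semantics described in the post easy to reason about, here is a small first-match evaluator written for this page. It is an added example, not TP-Link firmware code and not the poster's configuration export: it models only what the post states (first match wins, default DENY, blank address or port fields mean "any", and protocol ALL ignores the ports declared in the objects). The class and function names (NetObject, Rule, Packet, evaluate) are invented; the address ranges and the three rules WEB, VPN-RDP-OUT and VPN-RDP-IN are taken from the post, and the sample packets are constructed. Under these semantics the VPN-RDP-IN rule matches an inbound RDP connection from the VPN peer, which is the behaviour the author expected; the post reports that the device itself does not behave this way, so the model is a way to check what a rule set should do, not a description of what this firmware does.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the rule semantics described in the post; not the TD-W8970 firmware.
AddrRange = Optional[Tuple[str, str]]   # (first, last) inclusive; None = blank fields = any address
PortRange = Optional[Tuple[int, int]]   # (low, high) inclusive;  None = blank fields = any port


@dataclass(frozen=True)
class NetObject:
    """A local- or remote-network object: name, host/range (no CIDR), port range."""
    name: str
    addrs: AddrRange = None
    ports: PortRange = None

    def matches(self, ip: str, port: int, ignore_ports: bool) -> bool:
        if self.addrs is not None:
            lo, hi = IPv4Address(self.addrs[0]), IPv4Address(self.addrs[1])
            if not lo <= IPv4Address(ip) <= hi:
                return False
        # Protocol ALL: the post says ports declared in the objects are not considered.
        if not ignore_ports and self.ports is not None:
            if not self.ports[0] <= port <= self.ports[1]:
                return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    host: NetObject      # local-network object
    wan: NetObject       # remote-network object (WAN side or VPN peer)
    direction: str       # "IN" (WAN->LAN) or "OUT" (LAN->WAN)
    protocol: str        # "TCP", "UDP", "ICMP" or "ALL"
    action: str          # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "ALL" and rule.protocol != pkt.protocol:
        return False
    ignore_ports = rule.protocol == "ALL"
    return (rule.host.matches(pkt.local_ip, pkt.local_port, ignore_ports)
            and rule.wan.matches(pkt.remote_ip, pkt.remote_port, ignore_ports))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DENY") -> Tuple[str, str]:
    """First match wins; if no rule matches, the default rule applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# The three rules from the post, in the order listed (first-match order).
LAN = ("192.160.1.1", "192.160.1.100")
VPN_PEER = ("192.160.117.1", "192.160.117.100")
RULES = [
    Rule("WEB", NetObject("lan", LAN), NetObject("any-web", None, (80, 80)), "OUT", "TCP", "ALLOW"),
    Rule("VPN-RDP-OUT", NetObject("lan", LAN), NetObject("vpn-rdp", VPN_PEER, (3389, 3389)), "OUT", "TCP", "ALLOW"),
    Rule("VPN-RDP-IN", NetObject("lan-rdp", LAN, (3389, 3389)), NetObject("vpn", VPN_PEER), "IN", "TCP", "ALLOW"),
]

# Constructed sample traffic (203.0.113.7 is a documentation address standing in for a web server).
SAMPLES: Dict[str, Packet] = {
    "lan->web:80": Packet("OUT", "TCP", "192.160.1.10", 51000, "203.0.113.7", 80),
    "lan->web:443": Packet("OUT", "TCP", "192.160.1.10", 51001, "203.0.113.7", 443),
    "lan->peer:3389": Packet("OUT", "TCP", "192.160.1.10", 51002, "192.160.117.5", 3389),
    "peer->lan:3389": Packet("IN", "TCP", "192.160.1.10", 3389, "192.160.117.5", 50000),
    "peer->lan:22": Packet("IN", "TCP", "192.160.1.10", 22, "192.160.117.5", 50001),
}


def decisions(rules: List[Rule] = RULES) -> Dict[str, Tuple[str, str]]:
    return {label: evaluate(rules, pkt) for label, pkt in SAMPLES.items()}


def all_protocol_ignores_ports() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """The ALL quirk: the 3389 port limit in the object is not applied, so ICMP and TCP/22 also pass."""
    rule = Rule("VPN-ALL", NetObject("lan-rdp", LAN, (3389, 3389)), NetObject("vpn", VPN_PEER), "IN", "ALL", "ALLOW")
    icmp = Packet("IN", "ICMP", "192.160.1.10", 0, "192.160.117.5", 0)
    ssh = Packet("IN", "TCP", "192.160.1.10", 22, "192.160.117.5", 50001)
    return evaluate([rule], icmp), evaluate([rule], ssh)


if __name__ == "__main__":
    for label, (action, by) in decisions().items():
        print(f"{label:16} -> {action:5} (rule: {by})")
    print("protocol ALL:", all_protocol_ignores_ports())
```

The useful checks are the ones that are easy to get wrong in the GUI: a rule with protocol ALL opens every port between the two address objects whatever port you typed, and because evaluation stops at the first match, a broad rule placed above a narrow one silently wins. Running the model on a proposed rule set before entering it on the device shows both effects without touching production traffic.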