Hi to all, back to using my RUT230...
Ok, let's say:
basically I need to give access only from a specific network (let's say 92.145.15.15/24) to the RUT230 (input) and to LAN devices (forward).
I need to access the RUT230 (let's say on port 22 for SSH), so the rules are:
1) "allow myself input":
- protocol = ALL
- source = from IP 92.145.15.0/24 in wan
- destination = To any router IP on this device
- action = accept input
- status = enabled
2) "allow myself forward":
- protocol = ALL
- source = from IP 92.145.15.0/24 in wan
- destination = To any host in any zone
- action = accept forward
- status = enabled
3) "drop all input":
- protocol = ALL
- source = From any host in wan
- destination = To any router IP on this device
- action = discard input
- status = enabled
4) "drop all forward":
- protocol = ALL
- source = From any host in wan
- destination = To any host in any zone
- action = discard forward
- status = enabled
This configuration is working, ok.
Now I add devices on the LAN (let's say 192.168.1.2/24 and 192.168.1.3/24), so I add NAT rules to access their web interfaces:
Public port 84 -> 192.168.1.2:80
Public port 85 -> 192.168.1.3:80
In this case I don't need to add a firewall rule, because I can access the devices from 92.145.15.0/24.
If I need to give access (but ONLY to 192.168.1.2) to everyone (let's say for maintenance), while keeping 192.168.1.3 available ONLY from 92.145.15.0/24, then I add a firewall rule before "drop all forward":
"allow 84":
- protocol = ALL
- source = From any host in wan
- destination zone = To any zone (forward) or LAN
- destination = 192.168.1.2
- port = 80
I assumed I would write a firewall rule only for port 84 (forward chain), not for a specific IP and a specific PORT.
It looks as if the firewall rules come after the NAT rules: is this from Teltonika or from OpenWrt?
By the way, this rule works with both the "To any zone" and "Lan" settings; are there differences?
Thanks.
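For reference, the same rule set written out in OpenWrt's /etc/config/firewall syntax (an added example, not the poster's own configuration; it assumes the default zone names wan and lan and reuses the constructed addresses from the post). OpenWrt applies a port-forward redirect as DNAT in PREROUTING, before the forward chain is filtered, so an accept rule for the forwarded service has to match the translated destination 192.168.1.2:80 rather than public port 84; and since 192.168.1.2 sits in the lan zone, matching "any zone" or "lan" selects the same traffic.

```uci
# /etc/config/firewall excerpt: added example, not the poster's config. Rules apply in file order.
config rule
        option name 'allow myself input'
        option src 'wan'
        option src_ip '92.145.15.0/24'
        option proto 'all'
        option target 'ACCEPT'

config rule
        option name 'allow myself forward'
        option src 'wan'
        option src_ip '92.145.15.0/24'
        option dest '*'
        option proto 'all'
        option target 'ACCEPT'

# Port forward 84 -> 192.168.1.2:80 (DNAT in PREROUTING, so the forward chain sees 192.168.1.2:80).
config redirect
        option name 'web 84'
        option src 'wan'
        option proto 'tcp'
        option src_dport '84'
        option dest 'lan'
        option dest_ip '192.168.1.2'
        option dest_port '80'
        option target 'DNAT'

# Public access to 192.168.1.2 only: must match the post-NAT address and port, not public port 84.
config rule
        option name 'allow 84'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.1.2'
        option dest_port '80'
        option proto 'tcp'
        option target 'ACCEPT'

config rule
        option name 'drop all input'
        option src 'wan'
        option proto 'all'
        option target 'DROP'

config rule
        option name 'drop all forward'
        option src 'wan'
        option dest '*'
        option proto 'all'
        option target 'DROP'
```

The redirect for public port 85 to 192.168.1.3:80 is identical apart from the addresses, and because no accept rule precedes "drop all forward" for it, only 92.145.15.0/24 (matched by "allow myself forward") reaches that host.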