Question

HI Firstly, i have used MANY firewalls in my time, and the RUTX09 and teltonika genrally have a really weird way of doing things in the firewall. please help..! :-)

This is my RUTx09 setup:

Pyhsical LAN port (LAN1) is called LAN in the interface page. The default setup.

In then have two vlans created (or virtual interfaces) added which show up as eth0.1 eth0.2 (ifconfig)

Then in the network interfaces page, I have created two interfaces, one called HOMELAN and the other called CAM which are (in the physical settings) associated with eth0.1 an etc0.2

I have the HOMELAN set to static 192.168.1.1, and the CAM is static to 192.168.2.1

Both have DHCP servers set with thier own address space.

In the CAM interfce settings, ive created a firewall zone called CAMZONE, and on the HOMELAN i have created a HOMELAN Zone.

All i want to be able to do is simply block one or two IP's in the CAM address space, eg 192.168.2.50 and 192.168.2.51 from getting out to the WAN port.

I just dont see where i can filter packet that is coming from the CAMZONE or the CAM interface and trying to go out to the WAN (internate)

This is such a simple rule to do.

In my other firewalls, i simple have a list of outgoing rules. By default there is no outgoing filtering. However, you can turn this off, so evertything is blocked, then you add specific rules one at a time to allow outgoing traffic.

What would be the process to do that in teltonika routers??

A simple step by step to create the interface, add it to a zone, then apply the firewalling would be really useful..please help!

Thanks

Answer 1

Hi,

I have the same problem without VLAN's. I have tried to add traffic rules and iptables, but still the clients which should be dropped are allowed to access WAN. Here is my iptables. The first seven are the ones that should be blocked.

I think there is some major bug in the RUTX firewall. I have RUTX11.

[email protected]:~# iptables -t filter -L FORWARD --line-numbers -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      wwan0   10.77.20.2           0.0.0.0/0
2        0     0 DROP       all  --  *      wwan0   10.77.20.3           0.0.0.0/0
3        0     0 DROP       all  --  *      wwan0   10.77.20.4           0.0.0.0/0
4        0     0 DROP       all  --  *      wwan0   10.77.20.5           0.0.0.0/0
5        0     0 DROP       all  --  *      wwan0   10.77.20.195         0.0.0.0/0
6        0     0 DROP       all  --  *      wwan0   10.77.20.196         0.0.0.0/0
7        0     0 DROP       all  --  *      wwan0   10.77.20.197         0.0.0.0/0
8     3403 1301K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
9     3357 1289K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
11      36 11207 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
12       0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
13       0     0 zone_wan_forward  all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
14       0     0 zone_wan_forward  all  --  qmimux0 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
15      10   700 zone_openvpn_forward  all  --  tun_+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
16       0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Answer 2

@routerhead you could try to add the iptables like this "iptables -I FORWARD 1 -s 192.168.2.50 -o wwan0 -j DROP" under "Custom rules" The next client would then be  "iptables -I FORWARD 2 -s 192.168.2.51 -o wwan0 -j DROP".

Comments

Thanks for info, but if i was going to start adding custom rules via ssh etc, then i may as well just run a linux box with IP tables, and not pay for a hardware device such as this.... The whole idea of paying for a device is that it should be 'EASY' to use and add rules etc. The changing of IPtables directly is easy, and i thank you for the suggestion, but this sort of thing should be reserved for really 'weird' edge case scenarios....not a simple IP block of a client within a VLAN...