0 votes
260 views 1 comments
by anonymous

Hi,

I'm using firmware version RUTX_R_00.07.00 on my RUTX09.

I'm experiencing several issues, specifically with the firewall. 

  1. Firewall Traffic Rules have no effect: To ensure I understood how the firewall should work I tried blocking all https ports from Lan to WAN by setting the following, Protocol=>TCP, source zone=>lan, Source IP + Port => Any, Destination zone=> wan, destination address=> any, destination port=> 443, Action=> Reject. This had no effect and all traffic was accepted.
  2. Firewall Traffic Rules are not saved properly: When I save the settings above, the match reads "Any TCP, From IP in lan to IP port 443 this device" (Should it be WAN?).
  3. General Settings not functioning: I noticed that the only way to obtain an internet connection is if the Masquerading is set to "ON" for the "wan => lan" zone forwards. All other general settings disable the internet altogether.

This all seems very odd. I'd appreciate help on this as correct firewall settings are vital to my application.

All help greatly appreciated. 

2 Answers

0 votes
by anonymous

Hello Bearslumber,

Thank you for your query.

I have tested the firewall on my RUTX device with 7.0FW and it seems to be functioning as expected. I will go step by step through each of your questions.

1) Firewall Traffic Rules have no effect: The rule you have described looks to be correct. I have configured such a rule on my router and it works fine. I would like to elaborate that HTTPS uses port 443, so you are currently blocking internet access from LAN to WAN on port 443. But this rule still allows internet access on other ports; for example, with this rule I am still able to access websites via HTTP (port 80).

2) Firewall Traffic Rules are not saved properly: A couple of things: firstly, there is no problem that it says port 443, as the destination is specified as WAN. I am unsure why your rule differs from mine; it should say: Any traffic from any host in lan to any host, port 443 in wan. It should look like this on your WebUI:

This is how it should look when you are configuring it:

Please note that I am using the Drop action; it does not really matter whether you use Reject, as the only difference would be that in the case of using Reject, an ICMP package would be sent after the package is dropped. But it would not change the functionality itself. In addition, your goal was to block all internet access from LAN to WAN. The rule that you have specified and I have displayed above does not do that; it blocks access only to port 443 in WAN (blocks HTTPS access). In order to block all internet access you would have to select Destination port: any.

3) General Settings not functioning: Let me begin by explaining the whole idea of masquerading. In simple words, masquerading is used when you are trying to reach devices that have different default gateways than your router. So the functionality that you have described is correct: you are trying to access the internet, those devices on the internet will have a different default gateway than your router, and automatically, if masquerading is turned off, this would result in you not being able to reach it (not having an internet connection).

To answer more specifically, could you please use screenshots or some other way to exactly pinpoint what you are trying to test in the general settings, similar to this:

Best Regards,

Dziugas

by anonymous

Hi Dziugas

Thank you for your response. I am an experienced software architect so I know how to set a firewall. The problem was that the unit was not responding to any settings that I made.

We found the issue.

Following an update to the latest firmware version, any previously established settings were unrecognisable, but also any new settings were not recognised by the firewall and therefore did not respond.

That was until we carried out a factory reset (backup - Factory reset). The factory reset deleted the established settings and crucially recognises any firewall settings following the factory reset.

I can confirm the router now behaves as expected.

There is a lesson in this story. 

When upgrading to a new firmware, you have to carry out a factory reset and apply all your settings from scratch. 

Note that you can't apply a saved settings file from a previous firmware version because it seems that any existing settings from previous firmware versions are incompatible and actually altogether corrupt the settings to the system.

It would be useful if TK kept some backward compatibility in their settings format so that settings can remain applicable through firmware upgrades.

I hope that helps anyone who encounters such a problem in future.    
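A check for the symptom in point 2 of the question, as an added example that is not part of the original posts or Teltonika's code. It assumes the router keeps its firewall rules in OpenWrt's UCI file format, where a rule with a source zone but no destination zone applies to traffic addressed to the router itself rather than forwarded traffic; the sample config and rule names are constructed.

```python
import shlex

# Constructed sample in OpenWrt /etc/config/firewall syntax (not from the posts).
SAMPLE = """
config rule
	option name 'Block-HTTPS-forward'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'REJECT'

config rule
	option name 'Block-HTTPS-broken'
	option src 'lan'
	option proto 'tcp'
	option dest_port '443'
	option target 'REJECT'
"""

def parse_rules(text):
    """Return one dict of options per 'config rule' section."""
    rules, current = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            # Only 'rule' sections are collected; zones, redirects etc. are skipped.
            current = {} if len(parts) > 1 and parts[1] == "rule" else None
            if current is not None:
                rules.append(current)
        elif parts[0] == "option" and current is not None and len(parts) >= 3:
            current[parts[1]] = parts[2]
    return rules

def classify(rule):
    """Chain a rule lands in under OpenWrt zone semantics."""
    src, dest = rule.get("src"), rule.get("dest")
    if src and dest:
        return "forward"   # src zone -> dest zone, e.g. lan -> wan
    if src:
        return "input"     # no dest zone: traffic to the router itself
    return "output"        # no src zone: traffic originating on the router

def misplaced_rules(text, expected="forward"):
    """List (name, chain) for rules that would not filter forwarded traffic."""
    return [(r.get("name", "?"), classify(r))
            for r in parse_rules(text) if classify(r) != expected]

if __name__ == "__main__":
    for name, chain in misplaced_rules(SAMPLE):
        print(f"{name}: stored as {chain} rule, does not filter lan->wan traffic")
```

Running the same check on an exported config before and after a firmware upgrade shows whether a rule intended for lan to wan traffic lost its destination zone.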

0 votes
by anonymous
Hi,

Thank you so much for sharing this, we appreciate it. Hopefully this will help out anyone who might encounter such problems in the future.

Best Regards,

Dziugas