0 votes
254 views 1 comments
by anonymous
Hello.

I have tried to find some answer but without luck.

What I would like to achieve:

I have RUT240.

I have eth0 as LAN (default) and eth1, which is the WAN port, used as interface LAN1.

WAN and WAN6 - disabled of course. No other changes on those interfaces.

IP network of LAN = 192.168.1.0/24 and IP network of LAN1 = 192.168.15.0/10

I want to have devices in LAN1 with specific IPs (A,B,C) that should only communicate with specific devices (that have static IPs too - X,Y,Z) in LAN.

I have tried to assign each interface (LAN, LAN1) to separate Firewall zones. That means interface LAN belongs to fw zone "lan". And interface LAN1 belongs to fw zone "LANz".

I have set firewall traffic rules. Basically 3 traffic rules for IPv4 tcp/udp source zone "lan" to destination zone "LANz", source IP X, destination IP A, accept forward. (the other 2 rules are for Y to B, and Z to C)

Then another 3 rules for IPv4 tcp/udp source zone "LANz" to destination zone "lan", source IP A, destination IP X, accept forward. (the other 2 rules are for B to Y, and C to Z)

Then another 2 rules for IPv4 ICMP source zone "LANz" to destination zone "lan", source IP (A,B,C + notebook IP) to destination IP (X,Y,Z) - and vice versa - this is to test if it works or not.

The general fw settings are = reject, accept, reject

The 2 zones (lan and LANz) - are accept, accept, reject (or accept - I have tried both) - I have added the opposite destination zone for interzone forwarding.

The problem is that this doesn't really work. If I set the zone forward settings on both zones to accept, it works; if I set it to reject, it doesn't work (ping). The traffic rules don't seem to do anything.

Am I doing something wrong or missing something?

1 Answer

0 votes
by anonymous

Hello, this is Martín, Tech Support Engineer for Teltonika Networks.

Can you please provide us with a network diagram of your topology, as well as screenshots of the Firewall configurations and a Backup file of the device? Instructions on how to get the Backup file can be found here.

For complex network deployments you can also use Custom Rules in the Firewall through IPTables, which allow a more detailed approach to setting up scenarios like yours.

I remain attentive to any further comments.
Best regards.

Best answer
by anonymous
Hello Martín.

Let me update the current situation.

Currently the setup I have mentioned in my original post works. It works the way I have intended it to work. There was no mistake in my assumptions.

The thing is that when I had to set this up, it was already in a production environment and I did not have the ability to reboot the device at will. Also, I made the mistake of running a continuous ping while setting up the rules. While activating such rules I was assuming that I should see the echo replies stop, but that was not the case. In such a situation the communication was still working - the firewall remained open for this specific stream. So that confused me, and I was not able to tell without complete reboots what was going on.

I had to set the production configuration on a test device and troubleshoot - only to find out that everything worked as I thought it should...

This can be closed. Thank you.

P.S.: there was also a problem with the zones. I wasn't able to tell what the default behaviour in inter-zone communication is, and such.

For those who would read this: if you want to block communication and only allow specific IPs to communicate between 2 networks, you cannot make the other zone a target of inter-zone forwarding, because in such a case you basically create an accept-all rule - at least that is what I think; it has already been 13 days since my post, so my memory is hazy.

The real problem is that, as a company, Teltonika's documentation is subpar. You should look at Cisco or even Zyxel for how to do correct explanations. Nobody really needs just feature descriptions in your FAQ - please provide real-life working setups with intent explanations and theory of operation.
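The zone layout the thread arrives at, written as an OpenWrt-style /etc/config/firewall fragment. This is an added example, not the poster's or Teltonika's configuration; the interface name 'lan1' and the host addresses are assumed placeholders, and the forwarding section is shown commented out because it is the "accept all" the poster describes.

```uci
# Constructed example, not the poster's or Teltonika's config: OpenWrt-style
# /etc/config/firewall fragment for the two-zone setup in the thread.
# Addresses and the 'lan1' interface name are assumed placeholders.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Zone for the default LAN (eth0). Its forward policy is REJECT and no
# 'forwarding' section points at LANz, so only explicit rules cross zones.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Zone for the second network (eth1 / LAN1).
config zone
	option name 'LANz'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Leave this out: a zone-to-zone forwarding entry accepts all traffic
# between the two zones, which is what made the per-host rules look inert.
# config forwarding
# 	option src 'lan'
# 	option dest 'LANz'

# One allowed pair, X (lan) <-> A (LANz); repeat for Y/B and Z/C.
config rule
	option name 'X-to-A'
	option src 'lan'
	option src_ip '192.168.1.10'
	option dest 'LANz'
	option dest_ip '192.168.15.10'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'A-to-X'
	option src 'LANz'
	option src_ip '192.168.15.10'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

With forward set to REJECT and no forwarding section, a ping between the two networks only passes if a matching rule with proto 'icmp' exists. Flows that conntrack already tracks (such as a ping left running) keep matching the firewall's established/related accept rule until they time out, which is why new rules should be tested with fresh connections rather than an ongoing stream.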