Manual: Network Settings → Firewall

Firewall


The router automatically provides a firewall. Unless you configure the router to the contrary, the router does not respond to unsolicited incoming requests on any port, thereby making your LAN invisible to cyber attackers.

However, some network applications cannot run with a tight firewall. Those applications need to selectively open ports in the firewall to function correctly. The options on this page control ways of opening the firewall to address the needs of specific types of applications.

**NOTE** Devices on firmware versions prior to 5.2.0 utilized our Global Firewall. In firmware version 5.2.0 we introduced our Zone Firewall. When upgrading from a pre-5.2.0 firmware to firmware 5.2.0 or later, existing firewall rules will be migrated into an “ALL” zone, which behaves the same as the Global Firewall in pre-5.2.0 firmware. We highly recommend that you delete these rules and recreate your firewall policies using the Zones, Filter Policies, and Forwardings now available in the Zone Firewall. This is especially critical when utilizing Enterprise Cloud Manager to manage your firewall rules in a group configuration.


Select from the following tabs to edit your firewall configuration:

Port Forwarding Rules

A port forwarding rule allows traffic from the Internet to reach a computer on the inside of your network. For example, a port forwarding rule might be used to run a Web server.


NOTE: Exercise caution when adding new rules as they impact the security of your network.

Click Add to create a new port forwarding rule, or select an existing rule and click Edit.


Add/Edit Port Forwarding Rule

  • Name: Name your rule.
  • Enabled: Toggle whether your rule is enabled. Selected by default.
  • Use Port Range: Changes the selection options to allow you to input a range of ports (if desired).
  • Internet Port(s): The port number(s) as you want it defined on the Internet. Typically these will be the same as the local port numbers, but they do not have to be. These numbers will be mapped to the local port numbers.
  • Local Computer: Select the IP address of an attached device from the dropdown menu, or manually input the IP address of a device.
  • Local Port(s): The port number(s) that corresponds to the service (Web server, FTP, etc) on a local computer or device. For example, you might input “80” in the Local Port(s) field to open a port for a Web server on a computer within your network. The Internet Port(s) field could then also be 80, or you could choose another port number that will be used across the Internet to access your Web server. If you choose a number other than 80 for the Internet Port, connections to that number will be mapped to 80 – and therefore the Web server – within your network.
  • Protocol: Select from the following options in the dropdown menu:
    • TCP
    • UDP
    • TCP & UDP
  • Click Submit to save your completed port forwarding rule.

Port Proxying Rules

A port proxy rule allows traffic from the local LAN to be redirected to a specific computer/IP address on the Internet.


Click Add to create a new port proxying rule, or select an existing rule and click Edit.


Add/Edit Port Proxying Rule

  • Name: Name your rule.
  • Enabled: Toggle whether your rule is enabled. Selected by default.
  • Use Port Range: Check this box to create a rule which proxies a contiguous range of ports instead of a single port. The remote port(s) will require the same number of contiguous ports.
  • Local Port(s): Specify the IP port(s) on the LAN to proxy to a remote computer.
  • Remote Computer: Specify the remote computer to receive proxied traffic.
  • Remote Port(s): Specify the IP port (first if a range) on the remote computer to receive proxy traffic.
  • Protocol: Select the IP protocol traffic to proxy from the following options in the dropdown menu:
    • TCP
    • UDP
    • TCP & UDP
  • Click Submit to save your completed port proxying rule.

Network Prefix Translation

Network Prefix Translation is used in IPv6 networks to translate one IPv6 prefix to another. IPv6 prefix translation is an experimental specification (RFC 6296) trying to achieve address independence similar to NAT in IPv4. Unlike NAT, however, NPT is stateless and preserves the IPv6 principle that each device has a routable public address. But it still breaks any protocol embedding IPv6 addresses (e.g. IPsec) and is generally not recommended for use by the IETF. NPT can help to keep internal network ranges consistent across various IPv6 providers, but it cannot be used effectively in all situations.

The primary purpose for CradlePoint’s NPT implementation is for failover/failback and load balancing setups. LAN clients can potentially retain the original IPv6 lease information and may experience a more seamless transition when WAN connectivity changes than if not utilizing NPT.


Mode:

  • None – No translation is performed
  • Load Balance Only – (Default) Only translate networks when actively load balancing
  • First – Use the first IPv6 prefix found
  • Static – Always use a static IPv6 translation (input the prefix here)

Transitioning from a shorter prefix to a longer prefix (such as from /48 to /64) is not without problems, as some of the LANs may lose IPv6 connectivity.

DMZ (DeMilitarized Zone)

A DMZ host is effectively not firewalled in the sense that any computer on the Internet may attempt to remotely access network services at the DMZ IP address. Typical uses involve running a public Web server or sharing files.


Input the IP Address of a single device in your network to create a DeMilitarized Zone for that device. To ensure that the IP address of the selected device remains consistent, go to the “Reservations” section under Network Settings → DHCP Server and reserve the IP address for the device.

Use caution when enabling the DMZ feature, as it can threaten the security of your network. Only use DMZ as a last resort.

Remote Admin. Access

Enable Remote Administration Access Control: Selecting this option allows you to make remote administration tools available to only the specified IP addresses. Access from all other IP addresses will be blocked. This option only filters IP addresses: you must enable Remote Management separately (System Settings → Administration).

The services affected by this include remote HTTP, HTTPS, SNMP, and SSH configuration tools. This does not impact LAN-based administration, i.e., devices within your network still have administration access. The individual remote administration services can be enabled under System Settings → Administration: select the Remote Management tab.


Add/Edit Allowed Remote Access Addresses


IP Address: The IP address that will be allowed to access administrative services through the WAN.

Netmask (Optional): The netmask allows you to specify what IP address sets will be allowed access. If this field is left empty a netmask of 255.255.255.255 is used, which means that only the single specified IP address has remote administration access.

Application Gateways

Enabling an application gateway makes pinholes through the firewall. This may be required for some applications to function, or for an application to improve functionality or add features.

Exercise caution in enabling application gateways as they impact the security of your network.


Enable any of the following types of application gateways:

  • PPTP: For virtual private network access using Point-to-Point Tunneling Protocol. This is enabled by default.
  • SIP: For VoIP (voice over IP) using Session Initiation Protocol.
  • TFTP: Enables file transfer using Trivial File Transfer Protocol.
  • FTP: To allow normal mode when using File Transfer Protocol. This is not needed for passive mode. This is enabled by default.
  • IRC: For Direct Client to Client (DCC) transfer when using Internet Relay Chat. You may wish to forward TCP port 113 for incoming identd (RFC 1413) requests.

Firewall Options


Anti-Spoof: Anti-Spoof checks help protect against malicious users faking the source address in packets they transmit in order to either hide themselves or to impersonate someone else. Once the user has spoofed their address they can launch a network attack without revealing the true source of the attack or attempt to gain access to network services that are restricted to certain addresses.

Log Web Access: Enable this option to create a syslog record of web (IP port 80) access. Each entry will contain the IP address of the server and the client. Note that this may create a lot of log entries, especially on a busy network. Sending the system log to a syslog server is recommended.

To view the logs, go to Status → System Logs. For configuration options, including syslog server setup, go to System Settings → Administration and select the System Logging tab.

Zone Firewall

A zone is a group of network interfaces. By default, all interfaces within a zone are allowed to initiate network communication with each other, but any network traffic initiated outside of a zone toward the interfaces within the zone is denied. Forwardings are used to allow traffic to traverse zones. Filter Policies are used to define how traffic passing through a zone forwarding is filtered. Zones can be added, edited, or removed (except for the All and Router zones).

Zones

Create, edit, and remove zones (i.e., groups of network interfaces). Once you have defined zones, add rules to the Filter Policies and Forwardings sections to define what traffic is allowed between zones.


  • The All zone is a special zone used to support legacy firewall configurations. This zone cannot be removed and is reserved for forward-migration of IP Filter Rules from previous firmware versions. The All zone matches any traffic handled by the router. User defined zones are preferred.
  • The Router zone is a special zone used to filter traffic initiated from the router (e.g., Enterprise Cloud Manager connection) or destined to the router (e.g., SNMP) as part of a router services setup. This zone cannot be removed and can only be altered by router services.

Click Add to create a new zone.


Choose a Name meaningful to you and then click on the Add button to reveal options for attaching interfaces (WAN, LAN, or GRE) to this zone.


LAN and GRE Interfaces

Attach LAN and GRE interfaces to a zone by selecting the Config Name for those interfaces. For LANs, these names are defined in Network Settings → WiFi / Local Networks; for GRE tunnels, these names are defined in Internet → GRE Tunnels.

Sample zone interface assignments: LAN & GRE

| Field 1 | Field 2 | Field 3 | Field 4 |
| --- | --- | --- | --- |
| LAN | Config Name | is | Primary LAN |
| LAN | Config Name | is not | Guest LAN |
| GRE | Config Name | is | office_tunnel |

The third field defaults to “is,” but you can also select “is not,” “starts with,” “contains,” or “ends with” to define the zone.

WAN Interfaces

Attaching WAN interfaces to a zone includes many more options. Select “WAN” in the first field, and then select from each of the following fields to create a statement that defines which WAN interfaces to attach to this zone.

Field 2: Choose one of the following:

  • Port – Select by the physical port on the router (e.g., "Modem 1").
  • Manufacturer – Select by the modem manufacturer (e.g., "CradlePoint Inc.").
  • Model – Select according to the specific model of modem.
  • Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX).
  • Serial Number – Select a 3G or LTE modem by the serial number.
  • MAC Address – Select from a dropdown list of attached devices.
  • Unique ID – Select by ID. This is generated by the router and displayed when the device is connected to the router.

Field 3: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition.

Field 4: If the desired values are available, select from the dropdown list. You may need to manually input the value.

Sample zone interface assignments: WAN

| Field 1 | Field 2 | Field 3 | Field 4 |
| --- | --- | --- | --- |
| WAN | Type | is | Ethernet |
| WAN | Port | is not | Modem 1 |
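To make the statement language of the LAN/GRE and WAN tables above concrete, here is an added example (not CradlePoint code) that applies statements of the form (interface type, field, operator, value) to a constructed interface inventory. The interface names and attribute values are constructed, and it assumes a zone's membership is the union of its statements.

```python
# Added example (not from the manual): evaluate zone interface statements of the
# form (interface type, field, operator, value) against a constructed inventory.
INTERFACES = {  # constructed sample inventory keyed by interface name
    "Primary LAN": {"kind": "LAN", "Config Name": "Primary LAN"},
    "Guest LAN": {"kind": "LAN", "Config Name": "Guest LAN"},
    "office_tunnel": {"kind": "GRE", "Config Name": "office_tunnel"},
    "Ethernet WAN": {"kind": "WAN", "Port": "Ethernet", "Type": "Ethernet",
                     "Manufacturer": "CradlePoint Inc."},
    "LTE modem": {"kind": "WAN", "Port": "Modem 1", "Type": "LTE",
                  "Manufacturer": "CradlePoint Inc."},
}

# Field 3 operators named in the manual; "isn't" is accepted as a synonym of "is not".
OPERATORS = {
    "is": lambda actual, want: actual == want,
    "is not": lambda actual, want: actual != want,
    "starts with": lambda actual, want: actual.startswith(want),
    "contains": lambda actual, want: want in actual,
    "ends with": lambda actual, want: actual.endswith(want),
}
OPERATORS["isn't"] = OPERATORS["is not"]

def zone_members(statements, interfaces=INTERFACES):
    """Return the interfaces attached to a zone by any of its statements.

    Assumption: a zone's membership is the union of its statements, and a
    statement only ever matches interfaces of the type named in Field 1.
    """
    members = []
    for name, attrs in interfaces.items():
        for kind, field, op, value in statements:
            if attrs["kind"] == kind and OPERATORS[op](attrs.get(field, ""), value):
                members.append(name)
                break  # one matching statement is enough to attach the interface
    return members
```

Note that a negative statement such as "Port is not Modem 1" attaches every other WAN interface, including ones plugged in later, so review zone membership after adding hardware.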

Filter Policies

A Filter Policy is a one-way filter applied to initialized network traffic flowing from one zone to another. A Filter Policy needs to be assigned to a Forwarding for it to take effect. Filter Policies can either be Added, Edited, Removed, or Cloned. Cloning a Policy will copy the entire policy. The name of the cloned policy will include the name plus “Clone”.


  • Default Allow All is a preconfigured policy to allow all traffic initialized from one zone to flow to another zone. The state of the connection is tracked to allow responses to traverse the zones back to the source. LAN to WAN forwardings use this policy by default. The policy can be removed or altered to filter the traffic flow.
  • Default Deny All is a preconfigured policy to deny all traffic initiated from one zone toward another zone. WAN to LAN forwardings use this policy by default. The policy can be removed or altered to filter the traffic flow.

Click Add to create a new filter policy, or select an existing policy and click Edit to open the filter policy editor.


  • Name: Create a name meaningful to you.
  • Default Action: Choose either Allow or Deny. This is the action taken by the firewall if none of the filter policy rules match the traffic being filtered.

Click Add to create a new rule for this filter policy.

Rule Editor


  • Log: When checked each packet matching this filter rule will be logged in the System Logs.
  • Action: “Allow” or “Deny”.
  • Protocol: Any, ICMPv4, TCP, UDP, GRE, ESP, ICMPv6, or SCTP.
  • IP Version: Any, IPv4, or IPv6.

IP Source / IP Destination

  • IP Negation: Match on any IP address that is NOT in the specified IP network range.
  • Network IP: Optional field to specify a matching network IP address for this rule to match against.
  • Netmask: Use this to define a subnet size this rule will match against.
  • Port Negation: Match on any port that is NOT in the specified port range.
  • Port(s): Use for a single port or a range of ports. Fill in the left side for a single port.

Use Network IP, Netmask, and Port(s) to specify the ports and addresses for which the rule applies. You can specify a range of ports or a single port. Similarly, the netmask can be used to define either a range of addresses (e.g., 255.255.255.0) or a single address (255.255.255.255).

If you leave these values blank, then all IP addresses and ports will be included. IP Source and IP Destination options can be used to differentiate between the directions that packets go. You could permit packets to come from particular IP addresses but then not allow packets to return to those addresses.

Forwardings

Forwardings define how Filter Policies affect traffic flowing between zones in one direction. Simply select the Source Zone, Destination Zone, and Filter Policy to define a Forwarding. Forwardings can either be Added, Edited, Removed, or Toggled. Toggling a Forwarding will either enable or disable the Forwarding.


Click Add to create a new Forwarding, or select an existing Forwarding and click Edit to open the Forwardings editor.


  • Enabled: Selected by default. Click to deselect.
  • Source Zone: Select from the dropdown list of your defined zones.
  • Destination Zone: Select from the dropdown list of your defined zones.
  • Filter Policy: Select from the dropdown list of your filter policies.
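The Filter Policies and Forwardings sections above describe an evaluation order: same-zone traffic passes, cross-zone traffic needs an enabled Forwarding, and the Forwarding's Filter Policy applies its first matching rule or its Default Action. The following added example (not CradlePoint code) models that order in Python for connection-initiating packets; the zones, the "Web Only" policy, and the addresses are constructed, and netmasks are written in the dotted form the rule editor uses.

```python
import ipaddress
# Constructed sample configuration (hypothetical names, not from the manual).
ZONE_OF = {"Primary LAN": "lan", "Guest LAN": "lan", "Ethernet WAN": "wan", "office_tunnel": "gre"}
POLICIES = {
    "Default Allow All": {"default": "Allow", "rules": []},
    "Default Deny All": {"default": "Deny", "rules": []},
    "Web Only": {"default": "Deny", "rules": [
        # IP Negation on the source: deny anything NOT coming from the partner range
        {"action": "Deny", "src_net": "203.0.113.0/255.255.255.0", "src_negate": True},
        {"action": "Allow", "protocol": "TCP",
         "dst_net": "192.168.0.10/255.255.255.255", "dst_ports": (443, 443)},
    ]},
}
FORWARDINGS = {("lan", "wan"): ("Default Allow All", True),  # (Filter Policy, Enabled)
               ("wan", "lan"): ("Web Only", True)}

def match_net(rule, side, addr):
    net = rule.get(side + "_net")  # blank Network IP matches any address
    if net is None:
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    return hit != rule.get(side + "_negate", False)  # IP Negation inverts the match

def match_ports(rule, side, port):
    ports = rule.get(side + "_ports")  # blank Port(s) matches any port; (low, high) is a range
    if ports is None:
        return True
    return (ports[0] <= port <= ports[1]) != rule.get(side + "_port_negate", False)

def evaluate_policy(policy, pkt):
    """First matching rule decides; otherwise the policy's Default Action applies."""
    for r in policy["rules"]:
        if r.get("protocol", "Any") not in ("Any", pkt["proto"]):
            continue
        if not (match_net(r, "src", pkt["src"]) and match_net(r, "dst", pkt["dst"])):
            continue
        if not (match_ports(r, "src", pkt.get("sport", 0)) and match_ports(r, "dst", pkt.get("dport", 0))):
            continue
        return r["action"]
    return policy["default"]

def zone_decision(pkt):
    """Decide whether a connection-initiating packet may cross the zone firewall."""
    src_zone, dst_zone = ZONE_OF[pkt["in_if"]], ZONE_OF[pkt["out_if"]]
    if src_zone == dst_zone:
        return "Allow"  # interfaces within one zone may talk to each other
    fwd = FORWARDINGS.get((src_zone, dst_zone))
    if fwd is None or not fwd[1]:
        return "Deny"  # no enabled Forwarding: traffic cannot traverse zones
    return evaluate_policy(POLICIES[fwd[0]], pkt)
```

Because Primary LAN and Guest LAN sit in the same zone here, guest traffic reaches the primary LAN unfiltered; isolating guests means giving them their own zone and a Forwarding with a restrictive policy.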

Use Cases

For a list of examples describing the possible uses of the Zone Firewall, click here.
