NCOS: Zone Firewall
Products Supported: AER16x0, AER2100, AER31x0, MBR1200B, MBR1400, CBA750B, CBA850, IBR350, IBR6x0B, IBR9x0 IBR11x0. Click here to identify your router.
NCOS Version: 6.0 - 6.5 - for information on upgrading NCOS, click here.
This article explains how to configure the Cradlepoint Zone Firewall, and provides a few examples.
By default, the router's firewall will block any unsolicited traffic to protect the local network from outside threats. In some cases, it may be necessary to add some exceptions for applications to continue functioning properly, or, conversely, introduce additional restrictions to control traffic.
Configuration Difficulty: Intermediate to Advanced
A zone is a group of network interfaces. By default, all interfaces within a zone are allowed to initialize network communication with each other, but any network traffic initialized outside of a zone to the interfaces within the zone is denied. Forwardings are used to allow traffic to traverse zones. Identities are reusable groups of items that can be used multiple times throughout the firewall. Filter Policies (which can use Identities) are used to define how traffic passing through a zone forwarding is filtered. Zones can be added, edited, or removed (except for the All and Router zone).
Create, edit, and remove zones (i.e., groups of network interfaces). Once you have defined zones, add rules to the Filter Policies and Forwardings sections to define what traffic is allowed between zones.
The All zone is a special zone used to support legacy firewall configurations. This zone cannot be removed and is reserved for forward-migration of IP Filter Rules from previous NCOS versions. The All zone matches any traffic handled by the router. User defined zones are preferred.
The Router zone is a special zone used to filter traffic initialized from the router (e.g., Enterprise Cloud Manager connection) or destined to the router (e.g., SNMP) as part of a router services setup. (Set up This zone cannot be removed and can only be altered by router services.
Click Add to create a new zone.
Choose a Name meaningful to you and then click on the Add button to reveal options for attaching interfaces (WAN, LAN, or GRE) to this zone.
LAN and GRE Interfaces
Attach LAN and GRE interfaces to a zone by selecting the Config Name for those interfaces. For LANs, these names are defined in Network Settings → WiFi / Local Networks; for GRE tunnels, these names are defined in Internet → GRE Tunnels.
Attaching WAN interfaces to a zone includes many more options. Select “WAN” in the first field, and then select from each of the following fields to create a statement that defines which WAN interfaces to attach to this zone.
Field 2: Choose one of the following:
- Port – Select by the physical port on the router (e.g., "Modem 1").
- Manufacturer – Select by the modem manufacturer (e.g., "CradlePoint Inc.").
- Model – Select according to the specific model of modem.
- Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX).
- Serial Number – Select a 3G or LTE modem by the serial number.
- MAC Address – Select from a dropdown list of attached devices.
- Unique ID – Select by ID. This is generated by the router and displayed when the device is connected to the router.
Field 3: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition.
Field 4: If the desired values are available, select from the dropdown list. You may need to manually input the value.
Identities are reusable groups of items that are added to filter policy rules. A match on any single item in the group will cause the rule to match. Identities are referenced in rules by their name. Choosing descriptive names like "NW Sales Team" or "Engineering" will aid in understanding existing rules and in choosing identities for new rules. These rules can be applied to any associated field in the Filter Policies by using the drop down and selecting the configured Identity.
- A Host identity can contain IPv4, IPv6, and Fully Qualified Domain Name addresses. A single identity can contain a combination of IPv4 and IPv6 addresses. IPv4/6 addresses cannot be combined with FQDN addresses in the same identity.
- IP addresses are entered using CIDR notation, i.e. 18.104.22.168/32 and 0123:4567::CDEF/128. FQDN addresses are entered with at least one dot separating a top-level domain from a root zone, i.e. cradlepoint.com.
- A port identity member can be entered as a single Start port number or as a port range by entering both a Start and End port number.
- MAC addresses are entered in the form aa:bb:cc:dd:ee:ff.
- MAC addresses are only configurable to filter MAC Address sources.
- Reputation identity allows you to upload a file from a reputation service provider. For example, www.spamhaus.org/drop/. It also provides a way to maintain large lists of IPs that need firewall attributes applied to them. Files should be in the format where each line starts with an ip address or ip network and prefix length. All other lines are rejected. Currently we support adding 65535 IPs per reputation identity.
- An Application Set is a selection of possible application identifications that can be matched against in Zone Firewall policies.
- Note: Application Sets require an Extended Enterprise License (EEL) or NCM Prime.
A Filter Policy is a one-way filter applied to initialized network traffic flowing from one zone to another. A Filter Policy needs to be assigned to a Forwarding for it to take effect. Filter Policies can either be Added, Edited, or Removed.
- Default Allow All is a preconfigured policy to allow all traffic initialized from one zone to flow to another zone. The state of the connection is tracked to allow responses to traverse the zones back to the source. LAN to WAN forwardings use this policy by default. The policy can be removed or altered to filter the traffic flow.
- Default Deny All is a preconfigured policy to deny all traffic initialized from one zone to be blocked to another zone. WAN to LAN forwardings use this policy by default. The policy can be removed or altered to filter the traffic flow.
Click Add to create a new filter policy, or select an existing policy and click Edit to open the filter policy editor.
- Name: Create a name meaningful to you.
- Default Action: Choose either Allow or Deny. This is the action taken by the firewall if none of the filter policy rules match the traffic being filtered.
- Log: Enable logging at the policy level forces logging to occur on all configured rules in the policy.
Click Add to create a new rule for this filter policy.
Rule Editor There are 3 separate sections in the rule editor that can be configured for matching traffic. There is the Source, Destination, and Protocols tabs. All fields that are not filled out are ignored when matching traffic. Each of these tabs has settings that can be set individually, but each section also includes the following settings:
- Log: When checked each packet matching this filter rule will be logged in the System Logs.
- Action: “Allow”, “Deny”, or "None".
- Protocol: Any, ICMPv4, TCP, UDP, GRE, ESP, ICMPv6, or SCTP.
- IP Version: Any, IPv4, or IPv6.
- Negate: Each unique field also includes a Negate option to specify that everything but the specified value should be used.
Source / Destination
- Host: Use to specify a matching network IP address for this rule to match against.
- Port: Use for a single port or a range of ports. For a range use the format (xxxx-xxxx). *Note: These are ignored unless UDP (6) and/or TCP(17) are selected in the Protocols tab (they are by default).
- MAC: Used to filter based on source MAC address.
- Protocols: Use to specify which protocols to match traffic to. The drop down allows for some common protocols to be selected by name but any protocol number can be used.
- Application Sets: Use these to match application specific traffic to firewall rules Note: This requires an Extended Enterprise License (EEL) or NCM Prime
All IP addresses are configured using CIDR notation (eg. 192.168.0.0/24)
If you leave these values blank, then all IP addresses and ports will be included. IP Source and IP Destination options can be used to differentiate between the directions that packets go. You could permit packets to come from particular IP addresses but then not allow packets to return to those addresses.
Forwardings define how Filter Policies affect traffic flowing between zones in one direction. Simply select the Source Zone, Destination Zone, and Filter Policy to define a Forwarding. Forwardings can either be Added, Edited, Removed, or Toggled. Toggling a Forwarding will either enable or disable the Forwarding.
Click Add to create a new Forwarding, or select an existing Forwarding and click Edit to open the Forwardings editor
- Enabled: Selected by default. Click to deselect.
- Source Zone: Select from the dropdown list of your defined zones.
- Destination Zone: Select from the dropdown list of your defined zones.
- Filter Policy: Select from the dropdown list of your filter policies.
Case 1 - Add a Non-Isolated LAN to an Existing Zone
This example describes how to add a new non-isolated LAN, which will be able to pass traffic to and from other non-isolated LANs. This type of configuration would be used when you want to have multiple IP networks, to distinguish traffic, but still want clients on all networks to be able to communicate with each other.
Add a Non-Isolated LAN to an Existing Zone
Case 2 - Add a New Isolated LAN
This example shows how to add a new isolated LAN which can send traffic to the internet, but cannot communicate with other local networks.
Now the Phone Zone will be able to send traffic to the internet. Because we have not created any additional forwardings, this zone will not accept traffic from the internet, or communicate with any other zones.
Add a New Isolated LAN
Case 3 - Modify the Existing Router Zone
This example shows how to use the “Router Zone.” All traffic sourced from and destined to the router uses the “Router Zone,” including but not limited to DNS, NTP, NCM, and the Admin Pages. (Please note: the Router Zone is a special zone that can only be used by the router itself. It cannot be directly edited or removed, but we can change how other zones interact with it.)
In this example, we will create a rule to block HTTP administration of the router from all but a single LAN client.
Now only the local computer specified in the Filter Policy can access the router admin page.
Modify the Existing Router Zone
Case 4 - Create a New WAN Zone
This example shows how to create and use zones for each WAN interface the router has. For this particular setup, we will create a zone for a cellular modem, called Modem WAN, and a separate zone for the cable connection, which we will call Ethernet WAN. Then we will create Forwardings to allow the router's Primary LAN to use both the cellular and the wired WAN connections, but restrict the Guest LAN to using only the cable internet connection.
Now the Primary LAN will have access to both the Ethernet WAN and the Modem WAN. However, because we did not create any additional forwardings, all other networks besides the Primary LAN will not be able to communicate using the cellular modem interface.
Create a New WAN Zone
Case 5 - Add Forwarding Between Zones
This example shows how to add forwarding between zones. Zone forwarding determines whether traffic is allowed or denied between zones (including LAN and WAN zones). In this scenario we will be using two custom LANs with their own zones, labeled Green and Red. Traffic will pass freely from Green to Red, but will be blocked from Red to Green.
Now all traffic originating from the Green zone will pass freely to the Red zone. Because we have not added a second rule to govern traffic going from the Red to the Green zone, this traffic will be blocked by default.
Add Forwarding Between Zones
Case 6 - Modify Existing Filter Policy
This use case describes the process of adding a rule to an existing Filter Policy within the Zone Firewall. This functionality can be used to introduce exceptions to the default allow and deny policies used by the router. In this scenario, will use the existing ‘Default Allow All’ rule to block outbound SSH traffic, while continuing to permit all other traffic.
Now all outbound SSH traffic will be blocked, even between zones that normally allow all traffic.
Modify Existing Filter Policy
Published Date: 07/13/2017
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at email@example.com.