DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2820 Firewall : Testing to block port 80 (Web test on Win7)

More
28 Mar 2010 17:36 #61422 by njh
I don't know your router, but you want to play around with it with the purpose of getting it to automatically hand out its own IP address and the DNS server for your LAN PC's.

My Drayteks exhibit different behaviours so there is not always a one size fits all solution. Typically (especially if you are using your own ISP's servers), you want all the settings relating to DHCP and DNS set to automatic. Don't manually input the DNS servers anywhere. On my routers these can be held in 2 places, Basic Setup > LAN TCP/IP and DHCP Setup and Quick Setup > Internet Access Setup. First of all try making sure both are clear. Once you have done that, refresh your network connection with an "ipconfig /release" and an "ipconfig /renew", then see your PC settings again with an "ipconfig /all".

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • zgap111
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
28 Mar 2010 18:12 #61423 by zgap111
I've blanked the LAN > General Setup's DNS numbers

Under WAN > Internet Access > WAN1:
WAN IP Netowkr Settings = Obtain IP Address Automatically
DNS Server IP Address = both blank

I've done the ipconfig things, and /all gives the same last result: DNS = 192.168.88.1

Firewall is still set to blocking 80 to 51000

& I've rebooted the router.

And I'm still able to reply to this forum.

I'm curious how DNS is linked to what I want to do - I want to block all ports except web & mail, and since it's not working, I'm just testing on the direct opposite = I want to block web access. Surely any packet for port 80 (= http) should be blocked, right?

Hope there's more suggestions!

Please Log in or Create an account to join the conversation.

  • zgap111
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
28 Mar 2010 18:22 #61424 by zgap111
Update:
I realised I have a VPN connection from the router to my work, I've now disabled it, and still have the same problem

I thought maybe the web traffic is blocked at WAN and re-routed via VPN connection, well it's not since I'm still able to reply on this forum...

Please Log in or Create an account to join the conversation.

  • zgap111
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
28 Mar 2010 18:35 #61425 by zgap111
Update:

I acutally have VMWare on this Win7 Machine.
So I've loaded up WinXP Pro (SP3), and did the web access tests under IE8.

I can confirm that:
Block 80-51000 = ON = Web Access = NO
Block 80-51000 = OFF = Web Access = YES

Port blocking works on WinXP.

This must mean it MUST be Windows 7 doing something in the background.

Can anyone test to confirm my findings?

Please Log in or Create an account to join the conversation.

More
28 Mar 2010 19:24 #61426 by njh
The purpose of the "DNS thing" was to stop you blocking it. DNS is the mechanism which converst URL's (e.g. www.google.co.uk) to an IP address (e.g. 216.239.59.104). The way you were going was going to block this and, therefore, just about kill everything.

I cannot see that IE8 would be doing anything. Access is being blocked outside the reach of IE8 i.e. the blocking is not happening on the PC so the program you are using should not matter.

On your PC can you clear your DNS cache (ipconfig /flushdns) and try your tests again from IE8?

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • zgap111
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
28 Mar 2010 19:34 #61427 by zgap111
I wanted to be sure...

So I test for port 80, and FAILED on WinXP.
I then tried my method before on the port ranges.
Same thing happen, but it was from range 80-1000, then it started to creep upwards.

### I've solved it ###

My Service type were always matched, say:
Protocol = TCP/UDP
Source Port = 80 - 51000
Destination Port = 80 - 51000

I think this is wrong.

========
Web (http) blocking seems to work with:

Source = 1 - 65535
Destination = 80 - 80

http = blocked
https = allowed
========

Hope this info helps someone... took me a day to figure it out! :)

Now that it works, I can go back to my original plan...

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami