DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 Firewall Filter Port 25

16 Jul 2014 11:10 #80684 by agtcs
2860 Firewall Filter Port 25 was created by agtcs
Hi guys,

So I'm trying to lock down port 25 to only receive data from a specific set of IP ranges online.

I've port forwarded via NAT to the local server IP; this works fine. I've created a rule in the default data filter to lock down the inverted IP range online to the internal IP address on ports any to 25, and this seems to work perfectly. However, I have 3 IP ranges. I've created the 3 ranges as IP objects, including the invert checkbox, then created an IP group and added the 3 IP objects to the group. I updated the firewall rule to use the group as the source instead of a specific IP range, and it doesn't work.

Has anyone come across this on 2860s, or in fact any DrayTek product?

Thanks in advance

Paul

16 Jul 2014 11:20 #80685 by sicon
Replied by sicon on topic Re: 2860 Firewall Filter Port 25
I would use open ports to the local mail server instead of port forwarding.
With regards to the filter, it would be something like this:

Direction: WAN -> LAN/DMZ/RT/VPN
Source IP: Your smart host address (inverted)
Destination IP: IP address of mail server
Service Type: 25
Action: Block Immediately

16 Jul 2014 11:24 #80686 by agtcs
Replied by agtcs on topic Re: 2860 Firewall Filter Port 25
sicon wrote: I would use open ports to the local mail server instead of port forwarding.
With regards to the filter, it would be something like this:

Direction: WAN -> LAN/DMZ/RT/VPN
Source IP: Your smart host address (inverted)
Destination IP: IP address of mail server
Service Type: 25
Action: Block Immediately

Hi Sicon,

Thanks for the reply. I've had that setup plumbed in and it does work that way round. It's when I want more than one "smart host": our spam system has a range of 3 trusted IP sets that I need to input to be allowed through, and when I put the ranges in a group and apply the group in place of the single source IP address it doesn't work.

16 Jul 2014 12:02 #80687 by sicon
Replied by sicon on topic Re: 2860 Firewall Filter Port 25
Does it work if you specify the IP ranges individually and not as part of a group?

Alternatively, you could try a rule at the top that blocks port 25 from ANY to ANY, but with the ACTION set to Block unless further match.
Then underneath that rule create rules that pass the SMTP traffic when the source is the address of the trusted IPs - it's a bit messy but it does work.

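To make the two rule layouts discussed above concrete, here is a small Python model of ordered filter rules. It is an added illustration, not DrayTek code or anything posted in the thread, and the evaluation semantics it assumes (a "block unless further match" rule defers the block until a later pass rule is checked; an inverted source list negates membership in the whole list) are assumptions for the sake of the example. The trusted ranges and mail server address are constructed sample values. The model also contrasts inverting a group as a whole with inverting each member and OR-ing the results, which is a logic pitfall worth knowing about when building inverted groups, whatever the actual cause of the original poster's problem turns out to be.

```python
"""Toy model of ordered firewall filter rules (added illustration, not
DrayTek firmware behaviour; the semantics below are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample "trusted smart host" ranges (RFC 5737 documentation nets).
TRUSTED = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
ANY = None  # wildcard for a source list or a port


@dataclass
class Rule:
    name: str
    sources: Optional[List[ipaddress.IPv4Network]]  # list of networks, or ANY
    invert: bool        # the "invert" checkbox: negate the source match
    dport: Optional[int]  # destination port, or ANY
    action: str         # "pass", "block" or "block_unless_further_match"


def source_matches(rule: Rule, src: ipaddress.IPv4Address) -> bool:
    """Treat the source list as one set; invert applies to the union."""
    if rule.sources is ANY:
        return True
    in_union = any(src in net for net in rule.sources)
    return (not in_union) if rule.invert else in_union


def per_member_invert_matches(src: ipaddress.IPv4Address, nets) -> bool:
    """The pitfall: invert each member first, then OR the members.
    With two or more disjoint ranges this is true for every address,
    because any address lies outside at least one of the ranges."""
    return any(src not in net for net in nets)


def evaluate(rules: List[Rule], src_ip: str, dport: int) -> str:
    """Walk the rules top to bottom and return the resulting action."""
    src = ipaddress.ip_address(src_ip)
    deferred_block = False
    for rule in rules:
        if rule.dport is not ANY and rule.dport != dport:
            continue
        if not source_matches(rule, src):
            continue
        if rule.action == "block_unless_further_match":
            deferred_block = True  # keep scanning for a later pass rule
            continue
        return rule.action
    return "block" if deferred_block else "pass"


# Layered layout: catch-all SMTP block that yields to later pass rules.
LAYERED = [Rule("catch-all SMTP", ANY, False, 25, "block_unless_further_match")]
LAYERED += [Rule(f"allow {net}", [net], False, 25, "pass") for net in TRUSTED]

# Single-rule layout: one block rule with the whole group inverted.
SINGLE_INVERTED = [Rule("block non-trusted SMTP", TRUSTED, True, 25, "block")]


def compare_inversions(src_ip: str):
    """(group inverted as a whole, members inverted individually then OR-ed)."""
    src = ipaddress.ip_address(src_ip)
    whole = source_matches(Rule("g", TRUSTED, True, 25, "block"), src)
    return whole, per_member_invert_matches(src, TRUSTED)


if __name__ == "__main__":
    for ip, port in (("192.0.2.10", 25), ("10.0.0.5", 25), ("10.0.0.5", 80)):
        print(f"{ip}:{port}  layered={evaluate(LAYERED, ip, port)}  "
              f"single={evaluate(SINGLE_INVERTED, ip, port)}")
    print("trusted host, inverted whole vs per-member:",
          compare_inversions("192.0.2.10"))
```

Run as a script it prints the verdict for a trusted sender, an untrusted sender and non-SMTP traffic under both layouts. The last line shows the pitfall: a trusted address does not match the group when the group is inverted as a whole, but it does match when each member is inverted individually, so a block rule built the second way would block the very hosts it was meant to allow.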
16 Jul 2014 12:21 #80688 by agtcs
Replied by agtcs on topic Re: 2860 Firewall Filter Port 25
sicon wrote: Does it work if you specify the IP ranges individually and not as part of a group?

Alternatively, you could try a rule at the top that blocks port 25 from ANY to ANY, but with the ACTION set to Block unless further match.
Then underneath that rule create rules that pass the SMTP traffic when the source is the address of the trusted IPs - it's a bit messy but it does work.

Hi Sicon,

Yes, as said in both my messages above, it works if I specify the first IP range in the source IP box; if I swap it over to use a group as the source it fails to work.

To me it's either a bug in the firmware or it's not the way it's supposed to be done.

16 Jul 2014 16:10 #80690 by sicon
Replied by sicon on topic Re: 2860 Firewall Filter Port 25
What firmware is it on?
