DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
3900 Firewall configuration when using VLANS
25 Nov 2023 10:36 #102999
by haywardi
I do not have a problem at the moment, but I am fairly new to configuring the 3900 and I am a little confused on the theory and would like to check before implementing something that causes more problems.
My set up is fairly straightforward: I run 4 VLANs, let's call them A, B, C, D. VLAN A needs the strictest firewall implementation as it processes credit cards and there should only be authorised traffic accessing this VLAN from the internet. VLAN B is the lowest-security VLAN and has all the IoT devices attached to it, and I really do not care what happens on this VLAN as it will only affect IoT devices. VLAN C is an internal VLAN and VLAN D is a shared resources VLAN with things like printers attached, so VLANs A & C can access the shared resources.
Now reading the knowledge base article from Draytek on the 3900 it says the first thing to do is open the ports under NAT and then configure the firewall rules for the resultant traffic and this seems logical enough and it does appear to work like this. And this is how things are configured for VLAN A.
HOWEVER, I noticed there are NO firewall rules on VLAN B and NO open ports. Yet VLAN B works quite happily, and this seems quite illogical, as I would have expected to see a rule in NAT/Port Redirection of all ports to VLAN B and then an allow rule in the firewall for all ports.
So my question: what am I missing? Why is VLAN B happily working with zero rules in operation? Oh, and I should have mentioned the default rule is set to "accept" under the firewall, but without the ports open under NAT, I would have thought no traffic would be presented to the firewall for processing...
I'm now a little confused about how the firewall/port redirection is actually working and reticent to change in case I screw something up in the process.
Help greatly appreciated.
Iain
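The order of operations the post describes (NAT port redirection first, then firewall rules, then the default rule) can be modelled in a few lines. The following is an added example, not DrayTek code and not a description of the 3900's implementation: it is a generic stateful NAT router in which replies to connections opened from the LAN are matched against a session table, so the IoT VLAN B host (constructed address 10.0.2.20) gets its replies back without any redirect, while unsolicited inbound traffic only reaches the firewall if a redirect exists, as it does for the VLAN A host (constructed 10.0.1.10) on TCP 443. All addresses and ports are constructed, and the assumption that masquerading keeps the LAN host's source port is a simplification.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulNatRouter:
    # Constructed model, not DrayTek code. Assumption: masquerading keeps the
    # LAN host's source port, so a reply is matched by swapping the session's ends.
    wan_ip: str
    redirects: dict      # NAT > Port Redirection: (proto, public port) -> (private ip, port)
    rules: dict          # Firewall rules for redirected traffic: (private ip, port) -> action
    default_action: str = "accept"
    sessions: set = field(default_factory=set)

    def lan_to_wan(self, pkt):
        """A LAN host opens a connection: track it so the reply can be recognised."""
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ("accept", pkt.dst)

    def wan_to_lan(self, pkt):
        """Packet arriving on the WAN interface, addressed to wan_ip."""
        # 1. Reply to a tracked outbound session: delivered with no redirect rule at all.
        for proto, lsrc, lsport, rdst, rdport in self.sessions:
            if (pkt.proto, pkt.src, pkt.sport, pkt.dport) == (proto, rdst, rdport, lsport):
                return ("accept", lsrc)
        # 2. Unsolicited traffic with no port redirect never reaches the firewall.
        target = self.redirects.get((pkt.proto, pkt.dport))
        if target is None:
            return ("drop:no-redirect", None)
        # 3. Redirected traffic hits the firewall rules, then the default rule.
        action = self.rules.get(target, self.default_action)
        return (action, target[0] if action == "accept" else None)

def demo():
    """VLAN A host 10.0.1.10 exposes TCP 443; VLAN B IoT host 10.0.2.20 exposes nothing."""
    r = StatefulNatRouter("198.51.100.1",
                          redirects={("tcp", 443): ("10.0.1.10", 443)},
                          rules={("10.0.1.10", 443): "accept"})
    r.lan_to_wan(Packet("tcp", "10.0.2.20", 50000, "203.0.113.5", 443))  # IoT device goes out
    return {
        "iot_reply": r.wan_to_lan(Packet("tcp", "203.0.113.5", 443, r.wan_ip, 50000)),
        "iot_unsolicited": r.wan_to_lan(Packet("tcp", "192.0.2.9", 4444, r.wan_ip, 8080)),
        "vlan_a_https": r.wan_to_lan(Packet("tcp", "192.0.2.9", 4444, r.wan_ip, 443)),
    }
```

Changing `default_action` to "drop" in the model shows why a redirected port with no explicit firewall rule behaves differently once the default rule is tightened.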
25 Nov 2023 14:09 #103000
by HodgesanDY
Hi Iain,
You could always backup your config beforehand.
To be sure, make a simple change, then restore. If your simple change remains, you’ll know; I doubt it will remain after the restore!
Besides, it’s best practice to test your restore capabilities routinely, in case your hardware ever fails and you need to get back to where you left off.
Personally, I try my best not to be fearful of making changes, it leaps your learning forward massively.
(Sorry, I appreciate I have been no help here)
27 Nov 2023 09:51 #103004
by haywardi
Hi,
You are of course completely correct about backing up and restoring and although I regularly back up, I am not as diligent at periodically restoring.
However, I was hoping to find out a little about how the firewall works through my question, because whilst I can make small changes, it is much harder to ensure the changes are having the desired effect unless it breaks something.
For example, why is VLAN B operating with no port redirection, particularly as DrayTek's own Knowledgebase is very clear about setting up port redirection?
Iain
Copyright © 2024 DrayTek