No Default ACLs?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-27 06:27:15
Model: ER7212PC  
Hardware Version: V1
Firmware Version: 1.02

1. Installed the ER7212

2. Configured WAN, checked for internet access, OK

3. Updated firmware to latest


Looking at the ACLs there are no default Deny rules on Gateway?


Is there a magic hidden rule set that blocks all traffic from the internet or is this thing wide open by default?


The Gateway ACL configure page says that only traffic sourced from LAN to WAN are blocked by Gateway ACLs. Does this make any sense?


How does one block all traffic from WAN>LAN given that the Gateway rules are only for LAN > WAN?


A,.

#1
Re:No Default ACLs?
2023-03-28 06:19:03

@Ortofan

ER7212 itself is a NAT device. As long as you don't set port forwarding entry, the device is not accessible from the WAN side by default, which is what NAT is for.

Just striving to develop myself while helping others.
#2
Re:No Default ACLs?
2023-03-28 06:27:54

@Virgo Thanks for the info, however:

In the past I worked with CISCO and SONICWALL Routers/Firewalls/VPN solutions.

I totally understand what NAT is and how it works. However, there should be a block on all ports by default on the WAN interface for added security.

Packets should be dropped right at the door and not in the house, so to speak.

And if you look at my other post, this is indeed doable.

Added a block-all on WAN In and have a few allow rules for only the ports needed for OpenVPN and IPsec.

Sadly the IPSec allow rule does not work no matter what I do. Thus I have to have the WAN interface open and unprotected.


This may be OK for an average home network, but certainly not an option for business users.

There should be a default block of all traffic on WAN In, and there should be a detailed document on how to set up allow rules for IPsec; otherwise this is no "business" router.

#3
Re:No Default ACLs?
2023-03-28 06:32:08

@Ortofan Also super confusing.

In the UI, when selecting the direction for a Gateway ACL, "WAN In" is listed as an option.

The documentation says it is for LAN to WAN traffic only (doesn't make any sense).

Then I also found a set of instructions on Omada setup where it also lists "VPN networks" as an option for allow networks, and this is NOT listed in my firmware 1.02 for the 7212.

Very, very confusing, especially because with a block-all rule it does seem to work, and if I put an allow rule in front of it the Gateway ACLs work as expected, with the exception of IPsec!

#4
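As an added illustration of the rule order the last two posts describe (allow rules placed in front of a block-all on WAN In), and not code from TP-Link, Omada or this thread: a small first-match ACL evaluator in Python run over constructed WAN-in packets. The OpenVPN port (1194) and the IPsec ports (UDP 500 and 4500) are assumed defaults; the example also shows the general caveat that IPsec carries ESP (IP protocol 50), which has no port, so a rule set that only allows UDP ports never matches it.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    proto: Optional[int]   # None = any protocol
    dport: Optional[int]   # None = any destination port (ESP has none)


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None  # ESP packets carry no port


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule matching pkt; implicit block if none."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block"


# Rule set from the thread: allows in front, block-all last (ports assumed).
PORT_ONLY_WAN_IN = [
    Rule("allow", UDP, 1194),   # OpenVPN
    Rule("allow", UDP, 500),    # IKE
    Rule("allow", UDP, 4500),   # IKE / NAT-T
    Rule("block", None, None),  # block all WAN In
]
# Same rule set with ESP (protocol 50) also allowed, still ahead of block-all.
WAN_IN_WITH_ESP = PORT_ONLY_WAN_IN[:3] + [Rule("allow", ESP, None)] + PORT_ONLY_WAN_IN[3:]
# Misordered: block-all first shadows every allow rule behind it.
BLOCK_ALL_FIRST = PORT_ONLY_WAN_IN[3:] + PORT_ONLY_WAN_IN[:3]

SAMPLE = {  # constructed inbound packets arriving on WAN
    "openvpn": Packet(UDP, 1194),
    "ike": Packet(UDP, 500),
    "nat_t": Packet(UDP, 4500),
    "esp": Packet(ESP),
    "ssh_probe": Packet(TCP, 22),
}


def decisions(rules: List[Rule]) -> dict:
    """Map each sample packet name to the action the rule set takes on it."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}
```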