Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[peteS]

I'm running my VMG8324 in bridge mode as a modem for my draytek router.  All works fine.  I was wondering if there's any reason to have the firewall on the VMG8324 enabled since the draytek is actually doing the firewall/nat etc..  Does having the lan ports in separate interface groups completely isolate them from each other?

The reason I'm asking is that I'd like the router ip interface to have access to the  draytek via the default interface group - that then enables me to setup a static route to my voip provider and use the voip ports, but this doesn't work if I have the firewall enabled.  If I telnet into the router, and try and ping anything (e.g. 8.8.8.8) , I can do it if I've setup a static route for that ip via my default gateway, so long as the firewall's off.  It seems like the firewall prevents router to lan traffic and I can't see a way around it, but if the 2 interface groups are completely isolated, I can't think of a reason to have the firewall running.

[meritez]

From what you have described there's no reason to have the firewall on the VMG enabled, of course there's also no reason to disable it as you're not using the firewall on the VMG. 

[peteS]

... I'd like to have it disabled since otherwise the internal 8324 capabilities (specifically the voip ports) can't see the router via the lan ports - router to lan doesn't seem to work.  So, since it's running in bridge, if I don't disable it, I can't use the lan ports, or log syslog to my server etc.

[tonygibbs16]

I guess the question could be asked what would the firewall in the VMG be protecting PeteS?

If all your traffic from the Internet goes via the Draytek and nothing else is directly connected to the VMG, then the firewall in the VMG would only be protecting itself.

If you are happy for the VMG itself to be exposed to the Internet, then you could disable the VMG firewall.

But I wonder if you could set the VMG firewall to Enabled and LOW to have some protection of the VMG8324 and see if your desired functionality still works.

Cheers,
    Tony

[peteS]

Yep - tried Low, but it still doesn't work.  When we're bridging, the VMG doesn't have an IP address even on the bridge interface, so I don't think there's anything to protect on that interface group, but the lan interface group, which allows me to access the router via a second cable and has an ip address - i.e. it's on the LAN side of the router inside the firewall.  There shouldn't be any routing between the interface groups to my mind - and I'm not even sure the firewall would do anything as its purpose is to stop WAN to LAN routing for example, and there doesn't seem to be anything to suggest the firewall has any rules on the interface group routing. 

[j0hn]

If you are happy for the VMG itself to be exposed to the Internet, then you could disable the VMG firewall.

Disabling the firewall should not expose the VMG to the internet.

You need to add a static route in the Zyxel to get any traffic out.
You need a static route on the router to get unsolicited traffic in to the Zyxel.

[peteS]

Yes, I have the static routes defined and it all works, so long as the firewall is off, hence the question on the firewall .  I can't see how the firewall would make any difference, but just wanting to get my head around it.

[Weaver]

Is your firewall stopping you from looking at the administrative i/f, typically a web page, of the VMG in ‘bridge’ mode ie modem mode ? So you can or can’t look at the VMG’s settings or administer using http when it’s being a modem ?

[peteS]

Is your firewall stopping you from looking at the administrative i/f, typically a web page, of the VMG in ‘bridge’ mode ie modem mode ? So you can or can’t look at the VMG’s settings or administer using http when it’s being a modem ?

Hi @weaver.  No, I don't have any problems accessing the UI.  I have the 2 cable setup, with LAN1 in an interface group with the WAN port, and then LAN2, 3 and 4 in the default interface group with an IP address (192.168.1.254) from the same subnet as the main one in the router (192.168.1.x) - I have 3 vlans in the router.  No problem at all seeing the VMG via the default group (LAN2 port) from my switch.

Since the WAN port is in its own bridge and talking pppoe, I don't imagine the firewall is doing anything, but the firewall UI is so limited it's hard to see what it thinks it's doing.  I would have thought I could define a firewall rule to allow the router to route traffic via the hub, but I can't get that working, so have turned off the firewall.  Then I can allow the router to access my voip server, but also send syslog, pickup the time etc..

[burakkucat]

. . . the WAN port is in its own bridge and talking pppoe, I don't imagine the firewall is doing anything, but the firewall UI is so limited it's hard to see what it thinks it's doing.

Log into the VMG8324, from the command line, as "supervisor" - either using ssh or telnet - and, at the initial prompt (" > "), try an iptables -L command.

If that fails, invoke the BusyBox shell with an sh command and try the iptables -L command once again.

[peteS]

Log into the VMG8324, from the command line, as "supervisor" - either using ssh or telnet - and, at the initial prompt (" > "), try an iptables -L command.

If that fails, invoke the BusyBox shell with an sh command and try the iptables -L command once again.

No problem getting the iptables output.  I've attached the firewalloff and firewallhigh outputs, but don't really know how to interpret them.  I have a look a creating an ACL through the UI, but it doesn't seem to have a router to lan option (only lan to router).

[burakkucat]

Eeek!    I think I will have to leave the interpretation to others . . .

From the command line, from which you obtained those two listings, you could also issue a "iptables -F" command to completely flush all of the firewall rules. Whether that is something you would do for normal usage that depends upon how secure the VMG8324 would be from attacks by undesirables (internal or external).

[Weaver]

In my experience typically manufacturers don’t bother implementing firewalling of the WAN pipe, be it PPP or whatever. They’re too lazy to write the code to say strip the PPPoE headers and then inspect the L3/L4 headers.