Firewall Configuration Assistance

bluegravy
Posts: 29
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Firewall Configuration Assistance

Post by bluegravy »

Hi all...I need some help setting up a fw restriction and/or exception in the GUI. Here is the scenario:
I need to access Local Host 192.168.10.1:3389 remotely from a specific /24 block. I currently have port forwarding set up to forward traffic from remote port 80 (I need to get through a firewall/proxy on a corporate network) to port 3389 on the local LAN 192.168.10.1 host. That works fine now; unfortunately, that allows the rest of the world to do the same. I would like to restrict access on my WRT1900AC router so that the 192.168.10.1:3389 local host can be reached only from one /24 block on the remote side. I want no other IP address outside of that /24 block to be able to access that host remotely. I still need to get to that host on port 3389 from any host within the LAN, too. How would I go about configuring that? Thank you in advance.

ispyisail
Moderator
Posts: 4737
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Firewall Configuration Assistance

Post by ispyisail »

I'm not sure you can via GUI?

Why don't you use OpenVPN? This is what it is designed for.

bluegravy
Posts: 29
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Firewall Configuration Assistance

Post by bluegravy »

I am unable to install a VPN client on my work computer, so I can't use it. I am willing to configure this via CLI as a firewall rule, if someone can figure out how to write the syntax or point me to an example page that shows a similar setup. I absolutely suck at figuring out fw rules, and don't want to kill my access by misconfiguration.

ispyisail
Moderator
Posts: 4737
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Firewall Configuration Assistance

Post by ispyisail »

> I am unable to install a VPN client on my work computer

Purchase a cheap Gargoyle router and put it between your PC and the internet and your problems will be solved.

Unless they (work) are doing deep packet inspection and blocking OpenVPN?

But if that is the case I'm not sure why they will open ports?

ispyisail
Moderator
Posts: 4737
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Firewall Configuration Assistance

Post by ispyisail »

I re-read your original post.

> I am unable to install a VPN client on my work computer

You have access to open up your network to the world but not to install software on your PC?

OpenVPN router to router

bluegravy
Posts: 29
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

SOLVED - Re: Firewall Configuration Assistance

Post by bluegravy »

I figured it out...here's how to do it:

- SSH to your-gargoyle-router from PuTTY as root and authenticate.
- At the CLI run 'vi /etc/config/firewall'.
- Look for the following port forwarding rules there:

config redirect 'redirect_enabled_number_0'
option name 'Remote Desktop'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option src_ip 'x.x.x.x/24'
option dest_ip 'x.x.x.x'
option target 'DNAT'
option dest_port '3389'

config redirect 'redirect_enabled_number_1'
option name 'Remote Desktop'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '80'
option src_ip 'x.x.x.x/24'
option dest_ip 'x.x.x.x'
option target 'DNAT'
option dest_port '3389'

- Change the x to whatever your setup is, then Esc, :wq to save/exit vi.
- Run the '/etc/init.d/firewall restart' command to restart the firewall process.
- Watch for any errors on the first few lines of the output.
- Rules should now be in place. If you are really anal about them working, reboot the router with the 'reboot' command from the CLI.
- Test it out. You should be good, provided your IP addressing is correct.

Problem solved.

ispyisail
Moderator
Posts: 4737
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Firewall Configuration Assistance

Post by ispyisail »

Thanks for reporting

JohnPeterson
Posts: 16
Joined: Sun Nov 04, 2018 10:06 am

Re: Firewall Configuration Assistance

Post by JohnPeterson »

Hi,
I have used your answer for a long time - thanks so much.

Now it seems that in Gargoyle Version 1.12.0 (maybe earlier?)
just touching any port forwards in the GUI wipes out the following:

option src_ip 'x.x.x.x/24'
option target 'DNAT'

in the firewall file. I found this when my event viewer was full of brute force attempts. It's not the upgrade that resets it, just enabling/disabling a different forward.

jp
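The two posts above describe the same failure mode from both sides: the src_ip restriction on the redirect is what keeps the forward from being world-reachable, and the GUI silently drops it. The following script is an added example (not code from the thread or from the Gargoyle project) that parses a UCI-style /etc/config/firewall and flags any WAN redirect whose DNAT has no src_ip restriction, so the check can be run after every GUI change or upgrade instead of waiting for the event log to fill with brute-force attempts. The embedded sample config is constructed: the first redirect is restricted to a documentation /24, the second has had its src_ip and target lines removed the way the GUI is described doing. Pass a real file path as the first argument to audit it instead.

```python
"""Audit a UCI firewall file for port forwards (config redirect sections)
that are reachable from any source address, i.e. lack 'option src_ip'."""
import ipaddress
import shlex
import sys

# Constructed sample in the format of /etc/config/firewall. The second redirect
# is what the thread reports after the GUI rewrote the file: src_ip and target
# are gone, so the forward is open to the whole internet.
SAMPLE_FIREWALL = """\
config redirect 'redirect_enabled_number_0'
option name 'Remote Desktop'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option src_ip '203.0.113.0/24'
option dest_ip '192.168.10.1'
option target 'DNAT'
option dest_port '3389'

config redirect 'redirect_enabled_number_1'
option name 'Remote Desktop'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'
"""


def parse_uci(text):
    """Return a list of (section_type, section_name, {option: value}).

    Handles the 'config <type> [<name>]' and 'option <key> <value>' lines used
    by the redirects in this thread; 'list' entries are ignored.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # honours the single quotes UCI writes
        if parts[0] == 'config' and len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] == 'option' and len(parts) >= 2 and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
    return sections


def audit_redirects(text):
    """Return (section_name, problem) for every WAN DNAT redirect that any
    source address on the internet could reach."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype != 'redirect' or opts.get('src') != 'wan':
            continue
        # UCI treats a missing target on a redirect as DNAT.
        target = opts.get('target', 'DNAT')
        src_ip = opts.get('src_ip')
        if not src_ip:
            if target == 'DNAT':
                findings.append((name, 'no src_ip: forward reachable from any address'))
            continue
        try:
            net = ipaddress.ip_network(src_ip, strict=False)
        except ValueError:
            findings.append((name, 'unparseable src_ip %r' % src_ip))
            continue
        if net.prefixlen == 0:
            findings.append((name, 'src_ip %s matches every address' % src_ip))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_FIREWALL
    findings = audit_redirects(text)
    for name, problem in findings:
        print('%s: %s' % (name, problem))
    if not findings:
        print('all WAN redirects are source-restricted')
    return 1 if findings else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_forwards.py /etc/config/firewall` on a copy of the router's file (scp it off first; the router itself may not have Python). A non-zero exit makes it easy to wire into a cron job or a post-upgrade checklist. On the sample it reports only redirect_enabled_number_1, the rule the GUI stripped.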

Lantis
Moderator
Posts: 5388
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Firewall Configuration Assistance

Post by Lantis »

Because the options aren't recognised by the GUI, they're not preserved.
Ultimately, when you start modifying things via the CLI, there will be aspects of the GUI which may begin to cause you trouble.

If you want to enable/disable forwarding rules, you can do that via the CLI as well by renaming the config name.
Note that sequential numbering of the rules should be maintained (because I don't know if the code works with skipped numbers or not).
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
