Hi all...I need some help setting up a fw restriction and/or exception in the GUI. Here is the scenario:
I need to access Local Host 192.168.10.1:3389 remotely from a specific /24 block. I currently have port forwarding set up to forward traffic from remote port 80 (I need to get thru a firewall/proxy on a corporate network) to port 3389 on the local LAN 192.168.10.1 host. That works fine now; unfortunately, it allows the rest of the world to do the same. I would like to restrict access on my WRT1900AC router so that the 192.168.10.1:3389 local host can be reached only from one /24 block on the remote side. I want no other IP address outside of that /24 block to be able to access that host remotely. I still need to get to that host on port 3389 from any host within the LAN, too. How would I go about configuring that? Thank you in advance.
Firewall Configuration Assistance
Re: Firewall Configuration Assistance
I'm not sure you can via GUI?
Why don't you use OpenVPN? This is what it is designed for.
Re: Firewall Configuration Assistance
I am unable to install a vpn client on my work computer, so I can't use it. I am willing to configure this via CLI as a firewall rule, if someone can figure out how to write the syntax or point me to an example page that shows a similar setup. I absolutely suck figuring out fw rules, and don't want to kill my access by misconfiguration.
Re: Firewall Configuration Assistance
> I am unable to install a vpn client on my work computer

Purchase a cheap Gargoyle router and put it between your PC and the internet and your problems will be solved.
Unless they (work) are doing deep packet inspection and blocking openVPN?
But if that is the case I'm not sure why they will open ports?
Re: Firewall Configuration Assistance
I re-read your original post.

> I am unable to install a vpn client on my work computer

You have access to open up your network to the world but not to install software on your PC?
OpenVPN router to router.
SOLVED - Re: Firewall Configuration Assistance
I figured it out...here's how to do it:
-ssh to your-gargoyle-router from putty as root & authenticate.
-At CLI run 'vi /etc/config/firewall'
-Look for the following port forwarding rules there:
config redirect 'redirect_enabled_number_0'
	option name 'Remote Desktop'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option src_ip 'x.x.x.x/24'
	option dest_ip 'x.x.x.x'
	option target 'DNAT'
	option dest_port '3389'

config redirect 'redirect_enabled_number_1'
	option name 'Remote Desktop'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '80'
	option src_ip 'x.x.x.x/24'
	option dest_ip 'x.x.x.x'
	option target 'DNAT'
	option dest_port '3389'
-Change the x to whatever your setup is, esc, :wq to save/exit vi.
-Run '/etc/init.d/firewall restart' command to restart the firewall process.
-Watch for any errors on the first few lines of the output.
-Rules should now be in place. If you are really anal about them working, reboot the router with the 'reboot' command from the CLI.
-Test it out. You should be good, provided your IP addressing is correct.
Problem solved.
Re: Firewall Configuration Assistance
Thanks for reporting
Re: Firewall Configuration Assistance
Hi,
I have used your answer for a long time - thanks so much.
Now it seems that in Gargoyle Version:1.12.0 (maybe earlier?)
just touching any port forwards in the GUI wipes out the following:
option src_ip 'x.x.x.x/24'
option target 'DNAT'
in the firewall file. I found this when my event viewer was full of brute force attempts. It's not the upgrade that resets it, just enabling/disabling a different forward.
jp
Re: Firewall Configuration Assistance
Because the options aren't recognised by the GUI, they're not preserved.
Ultimately, when you start modifying things via the CLI, there will be aspects of the GUI which may begin to cause you trouble.
If you want to enable/disable forwarding rules, you can do that via the CLI as well by renaming the config name.
Note that sequential numbering of the rules should be maintained (because I don't know if the code works with skipped numbers or not).
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
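The two posts above describe the same risk from opposite ends: the SOLVED post restricts each `config redirect` with an `option src_ip`, and the later report shows the GUI silently dropping that line again, leaving the forward open to every source address. The script below is an added example, written for this thread and not taken from the posts or from the Gargoyle project: it audits a UCI firewall file (the `/etc/config/firewall` format shown above) and lists every redirect section that has no `src_ip` restriction, so the check can be re-run after any GUI change. The sample config, the function names and the `restrict_redirect_uci` helper (which assumes a section name and uses `uci` on the router itself) are constructed for this example; only the audit function is exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Gargoyle/OpenWrt UCI firewall
# file for 'redirect' sections that carry no 'src_ip' restriction, i.e. port
# forwards reachable from any source address. Runs with busybox sh/awk.

# Print the names of redirect sections that have no 'option src_ip'.
unrestricted_redirects() {
    # $1: path to a UCI firewall config file
    awk '
        # a new "config <type> <name>" line: report the previous section first
        $1 == "config" {
            flush()
            type = $2
            name = $3
            gsub(/'"'"'/, "", name)              # strip the UCI quotes
            if (name == "") name = "(unnamed)"
            has_src_ip = 0
            next
        }
        $1 == "option" && $2 == "src_ip" { has_src_ip = 1 }
        END { flush() }
        function flush() {
            if (type == "redirect" && !has_src_ip) print name
            type = ""
        }
    ' "$1"
}

# Constructed sample: redirect 0 is restricted to a /24 (203.0.113.0/24 is a
# documentation range), redirect 1 is what the file looks like after the GUI
# has dropped the src_ip and target lines.
sample_config_file() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
config zone
	option name 'wan'
	option input 'REJECT'

config redirect 'redirect_enabled_number_0'
	option name 'Remote Desktop'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option src_ip '203.0.113.0/24'
	option dest_ip '192.168.10.1'
	option target 'DNAT'
	option dest_port '3389'

config redirect 'redirect_enabled_number_1'
	option name 'Remote Desktop'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '80'
	option dest_ip '192.168.10.1'
	option dest_port '3389'
EOF
    echo "$tmp"
}

# On the router itself, re-apply the restriction with uci instead of editing
# the file in vi (assumed section name; not run in this example).
restrict_redirect_uci() {
    # $1: redirect section name, $2: allowed source block in CIDR form
    uci set "firewall.$1.src_ip=$2" &&
    uci set "firewall.$1.target=DNAT" &&
    uci commit firewall &&
    /etc/init.d/firewall restart
}

f=$(sample_config_file)
echo "Redirects with no source restriction:"
unrestricted_redirects "$f"        # prints: redirect_enabled_number_1
rm -f "$f"
```

Run it against a copy of the router's file (`scp` it off, or run the script on the router with `sh`) after every port-forward change in the GUI; any name it prints is a forward that the whole internet can reach until `src_ip` is put back.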