firewall on Cisco RV042


Right .. that makes sense, it's just linear, without objects/groups etc. I actually noticed that latency can be an issue, especially with more devices (I have a bunch of that smart-home stuff, and some robotics hobbies). If you can keep them contained to their own subnet, latency seems to be better, but one will run into issues (like you mentioned). I hope that the RV320 does better there, we'll see.


Maybe in newer versions of the firmware they fixed the "can't use https on 443" problem too
 
I don't open my remote port for anybody. You will need to research that. There have been so many router hacks I am not sure what has been affected.
 
I don't open my remote port for anybody. You will need to research that. There have been so many router hacks I am not sure what has been affected.

Actually mine is off too, BUT the 'local' one has that default setting too... which is annoying
 
hello,

so my RV320 arrived today, the latency is indeed a lot less, and some of the screens seem a bit more intuitive (to me mostly doing command line stuff).

Still looking how to best setup access rules etc. and some other stuff.

So far, it seems like a good choice (oh and I did update the firmware, before getting started).

thanks,

Ron
 
Been messing with the firewall rules.. I added a screen shot.

These three rules would:
- allow all traffic originating from the 192.168.2.0 subnet to any destination, allow all 'local' traffic to go to the 192.168.2.0 subnet, and deny all traffic from any source to the 192.168.2.0 subnet, right?
(I want hosts in 192.168.2.0 to be able to initiate a connection to anywhere, local hosts to be able to connect to anything on the 192.168.2.0 subnet, but anything coming from the outside/internet being blocked.)

Ron
 

Attachments

  • 3-rules.png (61.8 KB)
I am glad it is working for you. I like the RV320. It is as good as any router I have run. Way less maintenance than one of the software PC routers.

I would add ACLs to block all DNS servers except the ones you use by allowing only your preferred DNS servers. It keeps your DNS from being hijacked.
 
Is there a place that shows examples for Cisco firewall access rules? I think I am a little too iptables minded.
 
Is there a place that shows examples for Cisco firewall access rules? I think I am a little too iptables minded.

They process top to bottom. When it is satisfied it stops.

I am sure you can google ACLs for whatever. I have a picture of the RV320 ACLs on this site where I lock down DNS. Somewhere in my threads. Here it is.
https://www.snbforums.com/threads/i-quit-using-pfsense.41488/page-2

You need to be careful you do not get the ACL backwards. It is easy to do when you only do them once or twice a year. I made an oops. I had them backwards but straightened it out. Look for the picture of the RV320 ACL web page. It is correct for locking down DNS.

Here is just the capture.
https://www.snbforums.com/attachments/capture10-png.10645/
 
Well, I do this fairly often, just with iptables etc.

(I have a bunch of smart devices (wemo etc) on 192.168.2.0/24)

- 1st: allow source 192.168.2.0/24 to go anywhere
- 2nd: allow source LAN to go to 192.168.2.0/24
- 3rd: deny any src any interface to go to 192.168.2.0/24

so if it doesn't apply to 1 nor 2, it should drop on the floor.

BUT, when I use my phone with an app that goes to a wemo server and says "switch Ron's device on (or off)" it actually happens...

I showed the rules to some colleagues, they are surprised too.

Ron
 
Your phone has a local IP address so it should be allowed to access 192.168.2.0.

You can do things like only allow access to the first 4 or 6 IP addresses in network 192.168.2.0 and exclude all the rest by changing the mask. It just depends on what you want to do.

ACLs are the best and easiest compared to iptables.
 
Your phone has a local IP address so it should be allowed to access 192.168.2.0.

You can do things like only allow access to the first 4 or 6 IP addresses in network 192.168.2.0 and exclude all the rest by changing the mask. It just depends on what you want to do.

ACLs are the best and easiest compared to iptables.

Actually I turned the WIFI on the phone off before I tried that.
 
Then I would think your smart devices are registering outside the firewall. There is no way your phone is coming in from the outside. You need to add a block to your smart devices going out.

deny source 192.168.2.0/24 destination 0.0.0.0

Network blocks are faster than individual IP addresses.
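To make the two points in this exchange concrete (rules are walked top to bottom and the first match wins; an outbound allow on the smart-device subnet is what lets a cloud-brokered phone app still work while inbound traffic to 192.168.2.0/24 is denied), here is a small first-match ACL simulator. It is an added example, not the thread's own code and not a Cisco tool. Everything in it is constructed: the "local" LAN is assumed to be 192.168.1.0/24, the vendor cloud is placed in 203.0.113.0/24 (TEST-NET-3), the preferred DNS resolver at 192.0.2.53 and a rogue resolver at 198.51.100.53 (both TEST-NET ranges). The `shadowed_rules` check flags the "ACL backwards" mistake mentioned earlier in the thread, and the DNS rules model the "only allow your preferred DNS servers" advice.

```python
"""First-match ACL simulator for the rule sets discussed in this thread.

Added example, not the thread's own code or a Cisco product. All addresses
are constructed (TEST-NET ranges) and the LAN is assumed to be 192.168.1.0/24.
Real RV320 rules also carry protocol, interface and schedule; this model only
keeps source, destination and an optional destination port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None matches every destination port


def _net(cidr: str):
    return ANY if cidr == "any" else ip_network(cidr)


def evaluate(rules, src_ip, dst_ip, dport=None, default="allow"):
    """Walk the list top to bottom; the first rule whose source, destination
    and (optional) port all match decides. `default` applies when nothing
    matches and is a parameter because it depends on the router's built-in
    policy for that direction (an assumption, not a verified RV320 value)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for index, rule in enumerate(rules):
        if s in _net(rule.src) and d in _net(rule.dst) and rule.dport in (None, dport):
            return rule.action, index
    return default, None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers everything they would match: the 'ACL backwards' mistake."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(i)
                break
    return out


# Ron's three rules as posted. The phone with WiFi off never hits rule 2:
# the device opened an outbound session to the vendor cloud under rule 0 and
# the "switch on" command comes back as a reply on that established session,
# which a stateful firewall lets through.
RULES_AS_POSTED = [
    Rule("allow", "192.168.2.0/24", "any"),
    Rule("allow", "192.168.1.0/24", "192.168.2.0/24"),
    Rule("deny", "any", "192.168.2.0/24"),
]

# The tightened set suggested in the thread: devices may reach only the
# vendor's network, the LAN keeps access, DNS is pinned to one resolver.
RULES_LOCKED_DOWN = [
    Rule("allow", "any", "192.0.2.53", dport=53),
    Rule("deny", "any", "any", dport=53),
    Rule("allow", "192.168.2.0/24", "203.0.113.0/24"),
    Rule("deny", "192.168.2.0/24", "any"),
    Rule("allow", "192.168.1.0/24", "192.168.2.0/24"),
    Rule("deny", "any", "192.168.2.0/24"),
]

# Same rules with the two device rules swapped: the broad deny now sits
# above the narrow allow, so the allow can never match.
RULES_BACKWARDS = [RULES_LOCKED_DOWN[i] for i in (0, 1, 3, 2, 4, 5)]


if __name__ == "__main__":
    print("device -> vendor cloud (as posted):", evaluate(RULES_AS_POSTED, "192.168.2.20", "203.0.113.10"))
    print("internet -> device (as posted):   ", evaluate(RULES_AS_POSTED, "198.51.100.5", "192.168.2.20"))
    print("device -> other host (locked):    ", evaluate(RULES_LOCKED_DOWN, "192.168.2.20", "198.51.100.5"))
    print("device -> rogue DNS (locked):     ", evaluate(RULES_LOCKED_DOWN, "192.168.2.20", "198.51.100.53", dport=53))
    print("shadowed in backwards set:        ", shadowed_rules(RULES_BACKWARDS))
```

Run it and compare the two locked-down lists: the only difference is rule order, yet in the backwards set every device-to-vendor packet is dropped at index 2 and `shadowed_rules` reports the allow at index 3 as dead. Checking a rule list this way before pasting it into the router's ACL page is a cheap guard against the ordering mistake described above.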
 
Then I would think your smart devices are registering outside the firewall. There is no way your phone is coming in from the outside. You need to add a block to your smart devices going out.

deny source 192.168.2.0/24 destination 0.0.0.0

Network blocks are faster than individual IP addresses.

I am pretty sure that is the case, in order to get them going you need their app. Also, if they cannot "reach out" for firmware updates every now and then, they start acting up.

Thanks, I'll try that.. (I had something similar).

Ron
 
You may have to rethink your rules. It is all a learning process. Maybe they need outside access.
 
You may have to rethink your rules. It is all a learning process. Maybe they need outside access.

Oh I am playing with this a bit, I don't think they 'need' access really, but for some reason contact the manufacturers site frequently. Not necessarily an issue, I just don't want to give access to get hacked into.
 
Oh I am playing with this a bit, I don't think they 'need' access really, but for some reason contact the manufacturers site frequently. Not necessarily an issue, I just don't want to give access to get hacked into.

They go outside so they will work with a firewall without having to change it for outside access. It also puts the security on the manufacturer instead of your firewall. I am sure updates are somewhere in there.
 
you can do a filtered access, drop traffic from your smart devices to and from a blacklist or only allow a whitelist under forwarding. I mean isn't this why we have firewalls in the first place?
 
I think he is going to find the smart devices need to go to the manufacturer to get updates and to allow his phone outside his network to work. He probably needs to create an ACL to lock his smart devices to the manufacturer's IP network only for outside the firewall network.
 