IPv4 Firewall/Port-Forwarding - Appear to be the same thing on Asuswrt

[chrisisbd]

I'm (fairly) new to Asuswrt-Merlin and I'm a little confused by the 'Firewall' and 'Port Forwarding' configuration. I'm coming from using a Draytek Vigor router where you have to set up both firewall and port-forwarding in IPv4 to get incoming ssh and smtp connections to work.

It would appear that in Asuswrt[-Merlin] one only needs to set up port forwarding in the Advanced->Wan section and that's all, have I got this right?

Also, is it only possible to set single source IP addresses in the port forwarding list? It would be handy to be able to specify a range of addresses or a number of individual addresses. Presumably one **can** set up more than one rule for a given service that would allow incoming connections from more than on IP address.

Finally, can one 'tune' the port forwarding from the command line, i.e. does asuswrt use iptables (or something similar) internally?

 

[ColinTaylor]

The Firewall - General > IPv4 Inbound Firewall Rules blocks all incoming traffic from specific sources.

Normally you would only use WAN - Virtual Server / Port Forwarding if you want to expose a LAN server to the internet. You can restrict incoming connections to this server to those from specific source ranges using CIDR notation (or multiple rules).

 

[bennor]

I'm (fairly) new to Asuswrt-Merlin and I'm a little confused by the 'Firewall' and 'Port Forwarding' configuration.

You may want, if you haven't done so already, to read the following from Asus to gain an understanding of what a Firewall is and what Port Forwarding is and how they work on Asus routers.
[Wireless Router] Introduction of Firewall on ASUS router
[Wireless Router] How to set up Virtual Server/Port Forwarding Rules on ASUS Router?

 

[chrisisbd]

The Firewall - General > IPv4 Inbound Firewall Rules blocks all incoming traffic from specific sources.

Of course! However on my DSL-AC68U it doesn't have any reference to IPv4 there and as much of the rest of the section is all about IPv6 it wasn't immediately clear.

Normally you would only use WAN - Virtual Server / Port Forwarding if you want to expose a LAN server to the internet. You can restrict incoming connections to this server to those from specific source ranges using CIDR notation (or multiple rules).

OK, thanks. CIDR notation may help a bit for the SMTP port forwarding because my SMTP server receives incoming mail from only one ISP's site so I think a range of addresses may well help reducing the unwanted connections. For ssh I need two or three single addresses as I only allow incoming ssh from a few sites where I have ssh access and use them as proxies to reduce ssh attacks.

It's all looking good for my move from the old Draytek to the Asus. I'm really looking forward to having command line access to the router, I'm a command line junkie on my (all Linux) home systems already.

 

[chrisisbd]

You may want, if you haven't done so already, to read the following from Asus to gain an understanding of what a Firewall is and what Port Forwarding is and how they work on Asus routers.
[Wireless Router] Introduction of Firewall on ASUS router
[Wireless Router] How to set up Virtual Server/Port Forwarding Rules on ASUS Router?

I've read through them but they are fairly beginner oriented (none the worse for that though). My question was specifically because on all other routers I've configured (not just the Draytek Vigor, also some D-Link and others) the port forwarding and firewall are managed entirely separately. In fact this confused me the first time I wanted to port forward because it didn't work until I **also** opened up the firewall for that port/address. I have to say that the 'doing it in one place' approach makes much more sense though!