Member
Posts: 169
Registered: ‎07-07-2016
Kudos: 27
Solutions: 3
Accepted Solution

I don't understand WAN Local rules......added a rule, doesn't work.

I am testing an edge router on my LAN, meaning, I have the WAN port of the edge router (eth0) getting an IP from my LAN DHCP server, I have my laptop plugged into eth1. The edge router gets an IP from my DHCP server on the LAN, we'll call it 10.10.10.119 (this would be a WAN IP from the ISP, in a real world scenario). My laptop gets an IP from the edge router, 192.168.1.135.

 

I am on another PC on my LAN, 10.10.10.144, and I want to access the WAN IP of the edge router, 10.10.10.119. At first, ping, SSH, and HTTPS sessions didn't work, so I logged into the edge router from the laptop connected directly to the edge router and created a WAN LOCAL ICMP allow rule, dragged it to the second spot (from the two default rules), and once it was saved I could see replies from the laptop I was testing from, which had previously been failing. OK, great sign, that was easy enough. Now I wanted to replicate the ICMP rule and add two rules for SSH and HTTPS GUI access. I created the rules, clicked enable, allow tcp 22 and 443, respectively, but SSH and HTTPS don't work from the laptop on the 10.10.10.0/24 network. Ping worked immediately, but SSH and HTTPS are not working.

 

Established, invalid, new, related...I left those unchecked, didn't work. Then I checked new, didn't work. After a few other variations, I gave up as I'm not sure what I am doing wrong.

 

The documents/posts I've read all stated that WAN LOCAL are for services that terminate on the router itself and WAN IN would be for incoming requests that the router needs to pass through the router, for example, a web server.

 

What am I missing/doing wrong? I assume this firewall works like other firewalls in that it processes rules in order of first match which is why I thought to drop down the invalid rule (default number 2) into the very last spot.

 

Do I need to power cycle the router after making WAN LOCAL changes/additions?

 

Thanks.




All Replies
Veteran Member
Posts: 7,986
Registered: ‎03-24-2016
Kudos: 2083
Solutions: 913

Re: I don't understand WAN Local rules......added a rule, doesn't work.

Do you have "listen address" configured in the GUI/CLI settings? It might stop the WAN interface from listening on 22/443.

 

Do you have port forwards in place redirecting 22/443?

Member
Posts: 169
Registered: ‎07-07-2016
Kudos: 27
Solutions: 3

Re: I don't understand WAN Local rules......added a rule, doesn't work.

I'll have to confirm the 'listen address' but I am running the default settings, other than the firewall rules I created.

I thought port forward was only required for devices behind the router and/or if I were changing the port to something I wanted to use that wasn't default.

Also, in the guides I read where others were having the same issue I was having, the solution was to "add a firewall rule, add the port number or service name, enable and allow" no mention of port forwarding.

SuperUser
Posts: 8,586
Registered: ‎01-05-2012
Kudos: 2263
Solutions: 1144

Re: I don't understand WAN Local rules......added a rule, doesn't work.

Can you connect via SSH to the router and post the output of

configure
show firewall

And

show interfaces

Use the spoiler tag, then code button.

 

 

Member
Posts: 169
Registered: ‎07-07-2016
Kudos: 27
Solutions: 3

Re: I don't understand WAN Local rules......added a rule, doesn't work.


ubnt@ubnt# show firewall
 all-ping enable
 broadcast-ping disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
     default-action drop
     description "WAN to internal"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
 }
 name WAN_LOCAL {
     default-action drop
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action accept
         description "Allow ICMP WAN IP"
         log disable
         protocol icmp
     }
     rule 30 {
         action accept
         description "Allow HTTPS WAN IP"
         destination {
             port 443
         }
         log enable
         protocol tcp
         source {
             port 443
         }
         state {
             established disable
             invalid disable
             new enable
             related disable
         }
     }
     rule 40 {
         action accept
         description "Allow SSH WAN IP"
         destination {
             port 22
         }
         log disable
         protocol tcp
         source {
             port 22
         }
         state {
             established enable
             invalid disable
             new enable
             related disable
         }
     }
     rule 50 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
[edit]
ubnt@ubnt# show interfaces
 ethernet eth0 {
     address dhcp
     description Internet
     duplex auto
     firewall {
         in {
             name WAN_IN
         }
         local {
             name WAN_LOCAL
         }
     }
     speed auto
 }
 ethernet eth1 {
     description Local
     duplex auto
     speed auto
 }
 ethernet eth2 {
     description Local
     duplex auto
     speed auto
 }
 ethernet eth3 {
     description Local
     duplex auto
     speed auto
 }
 ethernet eth4 {
     description Local
     duplex auto
     speed auto
 }
 loopback lo {
 }
 switch switch0 {
     address 192.168.1.1/24
     description Local
     mtu 1500
     switch-port {
         interface eth1 {
         }
         interface eth2 {
         }
         interface eth3 {
         }
         interface eth4 {
         }
         vlan-aware disable
     }
 }
[edit]
ubnt@ubnt#

Done.

Member
Posts: 160
Registered: ‎01-28-2016
Kudos: 41
Solutions: 9

Re: I don't understand WAN Local rules......added a rule, doesn't work.

Rules 30 and 40 incorrectly specify the source port. You don't want that, the source port is going to be some high random numbered thing. All you need is the destination port.

Member
Posts: 169
Registered: ‎07-07-2016
Kudos: 27
Solutions: 3

Re: I don't understand WAN Local rules......added a rule, doesn't work.


wrote:

Rules 30 and 40 incorrectly specify the source port. You don't want that, the source port is going to be some high random numbered thing. All you need is the destination port.


Right, the source is random and not a common port.....I'm not sure why/how I screwed that up in the GUI, I'll need to take a look and see how I got that mixed up.

 

Thanks, I'll report back.

 

EDIT- Yup, I need to open up my eyes....I simply went tab by tab, not paying attention to which was the source and I filled out the source port with what I wanted as the destination port. Once I removed the source port and left the box blank, saved my changes and tested, everything worked as expected (for https and ssh). I don't plan on leaving these ports open, I am simply testing.

 

Thanks again.
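Added illustration, not part of the thread and not EdgeOS code: a small first-match model of how the router picks a chain (WAN_LOCAL for traffic addressed to the router's own IP, WAN_IN for traffic being forwarded through it) and walks the posted WAN_LOCAL ruleset. It reproduces the failure from the thread (rules 30 and 40 matching on a source port that a real client never uses) and the accepted fix (match on the destination port only). The addresses are the ones quoted in the thread; the packets and the ephemeral source port 51234 are constructed samples, and the conntrack "state" field is supplied by hand rather than computed.

```python
"""First-match model of EdgeOS WAN_IN / WAN_LOCAL rule evaluation.

Illustration only. Rule numbers and fields mirror the 'show firewall'
output posted in the thread; packets below are constructed test data.
"""
from dataclasses import dataclass
from typing import Optional

ROUTER_WAN_IP = "10.10.10.119"   # router's eth0 address, from the thread
LAN_PC = "10.10.10.144"          # host on the "WAN" side doing the testing
LAPTOP_BEHIND_ROUTER = "192.168.1.135"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    state: str   # conntrack verdict: "new", "established", "related", "invalid"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "accept" or "drop"
    proto: Optional[str] = None        # None = any protocol
    sport: Optional[int] = None        # None = any source port
    dport: Optional[int] = None        # None = any destination port
    states: frozenset = frozenset()    # empty = any state

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


def select_chain(p: Packet, router_ips) -> str:
    """Traffic addressed to the router itself hits 'local'; the rest is forwarded ('in')."""
    return "WAN_LOCAL" if p.dst in router_ips else "WAN_IN"


def evaluate(rules, p: Packet, default_action: str = "drop"):
    """Return (action, rule_number) of the first matching rule, else (default, None)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action, r.number
    return default_action, None


# WAN_LOCAL exactly as posted: rules 30 and 40 also match on a source port.
BROKEN_WAN_LOCAL = [
    Rule(10, "accept", states=frozenset({"established", "related"})),
    Rule(20, "accept", proto="icmp"),
    Rule(30, "accept", proto="tcp", sport=443, dport=443, states=frozenset({"new"})),
    Rule(40, "accept", proto="tcp", sport=22, dport=22, states=frozenset({"new", "established"})),
    Rule(50, "drop", states=frozenset({"invalid"})),
]


def without_source_port(rules, numbers=(30, 40)):
    """The accepted fix: keep everything, but stop matching on a source port."""
    return [
        Rule(r.number, r.action, r.proto, None, r.dport, r.states) if r.number in numbers else r
        for r in rules
    ]


def ssh_syn(sport: int = 51234) -> Packet:
    # Constructed: a fresh SSH connection from the LAN PC to the router's WAN IP.
    return Packet(LAN_PC, ROUTER_WAN_IP, "tcp", sport, 22, "new")


def scenario() -> dict:
    router = {ROUTER_WAN_IP}
    fixed = without_source_port(BROKEN_WAN_LOCAL)
    return {
        "chain_for_router_ip": select_chain(ssh_syn(), router),
        "chain_for_forwarded": select_chain(
            Packet(LAN_PC, LAPTOP_BEHIND_ROUTER, "tcp", 51234, 22, "new"), router),
        "ping_as_posted": evaluate(BROKEN_WAN_LOCAL,
                                   Packet(LAN_PC, ROUTER_WAN_IP, "icmp", 0, 0, "new")),
        "ssh_as_posted": evaluate(BROKEN_WAN_LOCAL, ssh_syn()),        # falls to default drop
        "ssh_as_posted_sport22": evaluate(BROKEN_WAN_LOCAL, ssh_syn(22)),  # only this odd client passes
        "ssh_fixed": evaluate(fixed, ssh_syn()),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model shows why ping passed but SSH and HTTPS did not: an ICMP echo needs no port match, while a TCP client picks an ephemeral source port, so a rule that also requires source port 22 or 443 only fires for a peer that happens to connect from that exact port. In EdgeOS the equivalent of `without_source_port` is `delete firewall name WAN_LOCAL rule 40 source port` (and the same for rule 30), followed by `commit` and `save`; no reboot is needed. The firewall is only one of two gates the thread raises: if `service gui listen-address` or `service ssh listen-address` pins the daemon to the LAN address, the WAN_LOCAL rule will match and the connection will still be refused, so check both.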