Peplink products take an unusual approach to how they manage firewall rules and port mapping. The underlying design principle is to make everything as easy as possible, but that can obscure what is actually going on under the hood. In this article we take a quick look at firewall types, port forwarding and how everything fits together.
The firewall on Peplink products is stateful. That means that by default (with the WAN in NAT mode) nothing is allowed in through the firewall from an external IP address unless an outbound connection has first been made to that same IP by a device on the LAN.
This stateful approach is why if you look at the default firewall rules they all say any to any is allowed:
This does not mean that no inbound traffic is blocked: any inbound traffic that does not belong to an established (stateful) connection and is not addressed to an active service or a forwarded port is blocked by default.
Instead it means that traffic sent to ports that have been specifically opened is allowed to pass through the firewall, as nothing is currently filtered or blocked by the rules themselves.
In the screenshot above there are five sections:
- Outbound Firewall Rules – defines what traffic is allowed out of the LAN networks via the WAN ports.
- Inbound Firewall Rules – defines what traffic is allowed into the LAN networks via the WAN ports.
- Internal Network Firewall Rules – defines what traffic is allowed to pass between the internal LAN networks and over the VPN tunnels.
- Intrusion Detection – enabled or disabled – provides protection against common denial of service attacks and port scanning (Port Scan, NMAP, FIN/URG/PSH, Xmas Tree, Another Xmas Tree, Null Scan, SYN/RST, SYN/FIN, SYN Flood Prevention, Ping Flood Attack Prevention).
- Local Service Firewall Rules – lets custom rules be defined for the following internal services:
When we open a port on the WAN of a Peplink device, the firewall port state is updated to open, allowing inbound traffic on the defined ports to pass. The firewall rules then add any additional filtering as needed.
So if I add a port forward for port 8080 TCP to a LAN server IP of 192.168.50.100, I don't need to go and create a rule in the firewall section of the Peplink – the existence of the port forwarding rule means that traffic is allowed in (unless you have changed the default inbound rule from any-to-any: allowed, in which case you will need to modify your firewall rules to allow the traffic to pass from WAN to LAN).
Rule Precedence and relationships
Let's look at how these things work together.
- In NAT mode, WAN port states are controlled by two processes:
  - The firmware opens ports for services that are active on the router (e.g. web admin, inbound DNS requests and SpeedFusion VPN).
  - The user can open additional inbound ports by adding port forwarding rules.
- Once a port is opened, the inbound traffic flow it allows can be filtered using firewall rules:
  - Inbound traffic allowed by port forwarding is managed in the Inbound Firewall Rules section.
  - Inbound traffic to ports opened by the firmware is managed in the Local Service Firewall Rules section.
- Traffic between LAN (and VPN) subnets routed through the Peplink device can be managed in the Internal Network Firewall Rules section.
Note that if the WAN is set to IP Forwarding instead of NAT, all inbound traffic from WAN to LAN is allowed by default. This is often what you want, since IP Forwarding is typically used when another NAT gateway upstream of us is providing the protection, but it is something to be aware of.
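To make the precedence described above concrete, here is a small added model of the inbound decision flow. It is an illustration written for this article, not Peplink firmware or any Peplink API: the class names, the rule shape (match on source IP and destination port, first match wins) and the sample addresses are constructed, and the stateful check is simplified to "remote IP plus protocol" rather than a full connection tuple. It walks through the 8080/tcp forward to 192.168.50.100 from the article, a closed port, a reply to an outbound flow, a firmware-opened service port, the effect of changing the default inbound rule to deny, and the IP Forwarding case.

```python
"""Added model of the inbound decision flow described for a Peplink WAN.

Not Peplink code: the classes, rule shape and sample addresses below are
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    """Simplified firewall rule: match on source IP and destination port, then allow/deny."""
    src_ip: str = ANY
    dst_port: int | str = ANY
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        return self.src_ip in (ANY, pkt.src_ip) and self.dst_port in (ANY, pkt.dst_port)


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; each list ends in a default any-to-any rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # no rule matched and no default present (hypothetical fallback)


@dataclass
class WanModel:
    wan_mode: str = "nat"  # "nat" or "ip_forwarding"
    service_ports: set[tuple[str, int]] = field(default_factory=set)  # opened by firmware
    port_forwards: dict[tuple[str, int], str] = field(default_factory=dict)  # (proto, port) -> LAN IP
    inbound_rules: list[Rule] = field(default_factory=lambda: [Rule()])  # default any-to-any allow
    local_service_rules: list[Rule] = field(default_factory=lambda: [Rule()])
    established: set[tuple[str, str]] = field(default_factory=set)  # (remote_ip, proto) flows

    def outbound(self, dst_ip: str, proto: str = "tcp") -> None:
        """A LAN host connects out; the stateful firewall records the flow."""
        self.established.add((dst_ip, proto))

    def inbound(self, pkt: Packet) -> str:
        if self.wan_mode == "ip_forwarding":
            return "allow: IP Forwarding passes inbound traffic by default"
        # 1. Stateful: traffic from an IP a LAN device already talked to is let back in.
        if (pkt.src_ip, pkt.proto) in self.established:
            return "allow: matches established outbound flow"
        key = (pkt.proto, pkt.dst_port)
        # 2. Port state: is the port open at all, and which rule set applies?
        if key in self.port_forwards:
            verdict = evaluate(self.inbound_rules, pkt)
            return f"{verdict}: port forward to {self.port_forwards[key]} (Inbound Firewall Rules)"
        if key in self.service_ports:
            verdict = evaluate(self.local_service_rules, pkt)
            return f"{verdict}: router service (Local Service Firewall Rules)"
        # 3. Port not open: dropped regardless of the any-to-any default rule.
        return "deny: port not open"


def demo() -> dict[str, str]:
    """Constructed scenario: 8080/tcp forwarded to 192.168.50.100, web admin on 443/tcp."""
    wan = WanModel()
    wan.service_ports.add(("tcp", 443))  # opened by the firmware for an active service
    wan.port_forwards[("tcp", 8080)] = "192.168.50.100"
    wan.outbound("203.0.113.10")  # a LAN host connects out to a documentation-range IP
    results = {
        "forward_default": wan.inbound(Packet("198.51.100.5", 8080)),
        "closed_port": wan.inbound(Packet("198.51.100.5", 9000)),
        "stateful_reply": wan.inbound(Packet("203.0.113.10", 9000)),
        "service_port": wan.inbound(Packet("198.51.100.5", 443)),
    }
    # Changing the default inbound rule to deny now requires an explicit allow for the forward.
    wan.inbound_rules = [Rule(action="deny")]
    results["forward_default_deny"] = wan.inbound(Packet("198.51.100.5", 8080))
    wan.inbound_rules = [Rule(dst_port=8080, action="allow"), Rule(action="deny")]
    results["forward_explicit_allow"] = wan.inbound(Packet("198.51.100.5", 8080))
    # IP Forwarding mode: everything inbound passes unless rules say otherwise.
    wan.wan_mode = "ip_forwarding"
    results["ip_forwarding"] = wan.inbound(Packet("198.51.100.5", 9000))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The point of the model is the ordering: the any-to-any inbound default only matters once a port has been opened by a forward or by the firmware, which is why a closed port is dropped even though the rule list says "allow", and why flipping that default to deny breaks an existing forward until an explicit allow is added above it.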