
Firewall Rules & Port Mapping

11/12/2020 Martin Langmaid

Peplink products take an unusual approach to how they manage firewall rules and port mapping. The underlying design principle is to make everything as easy as possible, but that can obscure what is actually going on under the hood. In this article we take a quick look at firewall types, port forwarding and how everything fits together.

Peplink Firewall

The firewall on Peplink products is stateful. That means that by default (with the WAN in NAT mode) nothing is allowed in through the firewall from an external IP address unless an outbound connection has first been made to that same IP by a device on the LAN.

This stateful approach is why, if you look at the default firewall rules, they all say any to any is allowed:

This does not mean that no inbound traffic is blocked – all inbound traffic that is not part of an established (stateful) connection and is not addressed to an active service or forwarded port is blocked by default.
Instead, it means that when traffic is sent to ports that have been specifically opened, that traffic is allowed to pass through the firewall, as nothing is currently filtered or blocked.

In the screenshot above there are five sections:

  1. Outbound Firewall Rules – defines what traffic is allowed out of the LAN networks via the WAN ports.
  2. Inbound Firewall Rules – defines what traffic is allowed into the LAN networks via the WAN ports.
  3. Internal Network Firewall Rules – defines what traffic is allowed to pass between the internal LAN networks and over the VPN tunnels.
  4. Intrusion Detection – Enabled or disabled – provides protection against common denial of service attacks and port scanning.
    (Port Scan, NMAP, FIN/URG/PSH, Xmas Tree, Another Xmas Tree, Null Scan, SYN/RST, SYN/FIN, SYN Flood Prevention, Ping Flood Attack Prevention)
  5. Local Service Firewall Rules – lets custom rules be defined for the following internal services:

Port forwarding

When we open a port on the WAN of a Peplink device, the firewall port state is updated to open so that inbound traffic on the defined ports can pass. The firewall rules then add any additional filtering as needed.

So if I add a port forward for port 8080 TCP to a LAN server IP of 192.168.50.100, I don't need to go and create a rule in the firewall section of the Peplink. The existence of the port forwarding rule means that traffic is allowed in (unless you have changed the default inbound rule from any to any: allowed, in which case you will need to modify your firewall rules to allow the traffic to pass from WAN to LAN).

Rule Precedence and relationships

Let's look at how these things work together.

  1. In NAT mode, WAN port states are controlled by two processes.
    The firmware opens ports for services that are active on the router (e.g. web admin, inbound DNS requests, and SpeedFusion VPN).
    The user can open additional inbound ports by adding port forwarding rules.
  2. Once a port is opened, the inbound traffic flow it allows can be filtered using firewall rules.
    Inbound traffic allowed by port forwarding is managed in the Inbound Firewall Rules section.
    Inbound traffic to ports opened by the firmware is managed in the Internal Services Firewall Rules section.
  3. Traffic between LAN (and VPN) subnets routed through the Peplink device can be managed in the Internal Firewall Rules section.

Of note is that if the WAN is set to IP Forwarding instead of NAT then all inbound traffic from WAN to LAN will be allowed by default. This is often desired as we tend to use IP forwarding when there is another NAT Gateway upstream of us providing the protection, but it is something to be aware of.
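
The precedence described above can be written down as a small decision model for auditing which WAN ports a configuration leaves reachable. This is an added example, not Peplink code or firmware logic: the Config structure, first-match rule ordering, port 443 standing in for web admin, ignoring TCP vs UDP, and applying inbound rules in IP Forwarding mode are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                      # one row in a rule section (first match wins: assumption)
    src: str                     # source CIDR; "0.0.0.0/0" means any
    port: Optional[int]          # destination port; None means any
    allow: bool

@dataclass
class Config:                    # hypothetical structure, not a Peplink export format
    wan_mode: str                # "NAT" or "IP_FORWARDING"
    port_forwards: dict          # WAN port -> LAN server (opened by the user)
    service_ports: set           # ports the firmware opens for router services
    inbound_rules: list          # filter traffic admitted by port forwards
    local_service_rules: list    # filter traffic to firmware-opened ports

def first_match(rules, src_ip, port):
    for r in rules:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src)
        if in_net and r.port in (None, port):
            return r.allow
    return True                  # default rule: any to any, allowed

def inbound_verdict(cfg, src_ip, dst_port, established=False):
    """Return (allowed, reason) for a packet arriving on the WAN."""
    if established:
        return True, "reply to a LAN-initiated connection"
    if cfg.wan_mode == "IP_FORWARDING":   # no port-state gate in this mode
        return first_match(cfg.inbound_rules, src_ip, dst_port), "IP forwarding"
    if dst_port in cfg.port_forwards:
        return first_match(cfg.inbound_rules, src_ip, dst_port), "port forward"
    if dst_port in cfg.service_ports:
        return first_match(cfg.local_service_rules, src_ip, dst_port), "router service"
    return False, "port closed"

# Constructed samples: the article's 8080 forward; 443 stands in for web admin.
DEFAULT = Config("NAT", {8080: "192.168.50.100"}, {443}, [], [])
RESTRICTED = Config("NAT", {8080: "192.168.50.100"}, {443},
                    [Rule("203.0.113.0/24", 8080, True),
                     Rule("0.0.0.0/0", None, False)], [])
FORWARDING = Config("IP_FORWARDING", {}, set(), [], [])

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT), ("restricted", RESTRICTED),
                      ("ip-forwarding", FORWARDING)]:
        for port in (8080, 443, 22):
            print(name, port, inbound_verdict(cfg, "198.51.100.7", port))
```

In the restricted sample the deny-all inbound rule closes the 8080 forward to outside sources but leaves port 443 reachable, because router services are filtered by their own rule section.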

    About This Site
    ninja.knowhow is an independent training and documentation resource for Peplink products and technologies. This site is owned and operated by Slingshot6.
    • Copyright 2020 Slingshot6 Ltd. All Rights Reserved.