How do I block all traffic except DNS and MQTT through the PPP connection but allow admin on eth0?

I want to close the firewall to all traffic on a WR11 with the only exceptions being

  1. MQTT, whose standard port is 1883 and SSL port is 8883.
  2. allow DNS lookup and…
  3. only allow my laptop, which would have a 192.168.100.100-109 IP, to access the Digi configuration.

I will not be using remote management or anything like that.

Firewall scripts are Greek to me.

Thanks,
Travis

Hi Travis and welcome to Digi Forum.

In order to block/allow specific traffic on a WR11, you can add specific firewall rules on top of the default ones (or in substitution of those).

As an example of a rule to allow specific traffic:

pass in break end on PPP 1 proto tcp from any to any port=1883

You can also specify particular source/destination addresses if needed, and replicate the rule for different ports depending on the protocols you want to allow.

If you enable the firewall only on PPP 1, then you will be able to access the device via ETH 0 without any restrictions. If instead you also want to block everything on ETH 0 except for management, you need to enable the firewall on ETH 0 as well and add a rule like this (example for HTTP management):

pass in break end on eth 0 from 192.168.1.0/24 to addr-eth 0 port=80

The above are general examples, but you can find more details on the SarOS user guide, Firewall section: https://www.digi.com/resources/documentation/digidocs/90001019/Default.htm#references/r_firewall.htm

For any further help, please review our support options on our website: https://www.digi.com/support.

Regards,

Anny
Digi Technical Support Team

I am having zero luck at getting this to work. I thought I had it after a support ticket a month ago, but realized I had enabled the firewall on the wrong interface (ppp0 instead of ppp1). I enabled it and nothing worked.
So, more details:
Device 1 at 192.168.100.2 needs to execute a DNS lookup, then send an MQTT message across port 1883 or 8883 to the internet. It will also receive MQTT messages on the same port from the internet.
Device 2 is a laptop with a DHCP address from the WR11 in the range 192.168.100.100 through .109.
Device 2 only needs access to the management of the WR11.
The LAN port is assigned 192.168.100.1.

So the DNS lookup fails 100% of the time when the firewall is on; ppp1 or eth0 makes no difference. When the firewall is off it works properly, but I only have a couple of MB a month of data, and without the firewall I would go through that in about 15 seconds!

Thanks,
Travis

Hi Travis,

So if the DNS and MQTT are initiated in the LAN, maybe the following is better:

pass break end proto tcp from 192.168.100.2 to any port=1883

So it is more general and is applied both on ETH 0 and PPP 1.

And same for DNS.

Then for management you could do similar:

pass break end on eth 0 from 192.168.1.0/24 to addr-eth 0 port=80

And apply the firewall both on ETH 0 and PPP interface.

If still no luck, I would suggest opening a new case for this, as this is not something we can troubleshoot via the Forum. We would need to see debug output, traces and logs of both cases in order to better help you, as it also depends on other rules you may have in the firewall and the order of those.

Best Regards,

Anny
Digi Technical Support Team
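Putting the two replies together, here is what a complete fw.txt for the scenario in the question could look like, as an added example (this is not configuration from Digi or from anyone in this thread). It assumes DNS is plain UDP on port 53, that management is HTTP/HTTPS on ports 80/443, and it uses keywords (proto udp, inspect-state, block log) that come from the SarOS user guide linked above rather than from this thread, so verify them against the guide for your firmware before relying on them. Rules are evaluated top to bottom and the first match wins, which is why the catch-all block rule must be last, and why a missing rule for the DNS reply path makes lookups fail while the MQTT rule alone looks correct.

```text
# Example fw.txt (added here, not from the thread). Assumes the firewall is
# enabled on BOTH eth 0 and ppp 1; first matching rule wins ("break end").

# --- Management: only the laptop range, only to the router's own eth 0 address.
# 192.168.100.100-109 is not a CIDR block; 192.168.100.96/27 (.96-.127) is the
# smallest block that contains it. Use one rule per host if you need it exact.
pass in break end on eth 0 proto tcp from 192.168.100.96/27 to addr-eth 0 port=80
pass in break end on eth 0 proto tcp from 192.168.100.96/27 to addr-eth 0 port=443

# --- DHCP: the laptop gets its address from the WR11, so lease traffic on the
# LAN must be allowed or the laptop never gets an address (assumption: UDP 67/68).
pass in break end on eth 0 proto udp from any port=68 to any port=67

# --- Device 1 (192.168.100.2): DNS lookups. The reply has to come back in on
# ppp 1 and out on eth 0; inspect-state lets the firewall track that return
# traffic instead of needing a separate "pass in ... port=53" hole from the internet.
pass in break end on eth 0 proto udp from 192.168.100.2 to any port=53 inspect-state
pass out break end on ppp 1 proto udp from any to any port=53 inspect-state

# --- Device 1: MQTT (plain 1883 and TLS 8883). The device is the TCP client;
# messages it "receives" arrive over the connection it opened, so no inbound
# rule from the internet is needed and none should be added.
pass in break end on eth 0 proto tcp from 192.168.100.2 to any port=1883 inspect-state
pass in break end on eth 0 proto tcp from 192.168.100.2 to any port=8883 inspect-state
pass out break end on ppp 1 proto tcp from any to any port=1883 inspect-state
pass out break end on ppp 1 proto tcp from any to any port=8883 inspect-state

# --- Everything else, both interfaces, both directions: dropped and logged.
# Keep this LAST. Anything above it that you did not intend to allow is a hole.
block log break end
```

Two things are worth checking once this is loaded: the event log should show the catch-all rule logging the traffic that is being dropped (that is how to tell whether DNS is failing on the request leaving ppp 1 or on the reply coming back), and the management rules should be tested from an address outside the laptop range to confirm they really do refuse it.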