Implementing IP block-list on WR21

dansaund · October 28, 2015, 2:51pm

I would like to implement an IP block-list on multiple WR21 routers, as we are getting hundreds of hits captured by the firewall. What would be the fastest way of doing this, as there are too many addresses to enter as separate rules in the firewall.

James.Wilson · October 29, 2015, 7:22am

the correct way if you have public addressable address would be to block by default and allow by exception.

so put permit rules that are more specific to the connecting device’s

so use the source address instead of any.

this is the main issue when using firewalls people let everything in and then try to block specific traffic

dansaund · October 29, 2015, 10:23am

Thanks - that would be my usual plan however in this case the routers are used in mobile monitoring equipment and we will not know the source IP address to block (plus they may change). I suppose we could allow via UK allocated IP ranges, but same question then applies - how to enter multiple IP ranges in the firewall script.

James.Wilson · October 29, 2015, 10:31am

this is why in this sort of situation is to use a private APN and a private VPN in to the operator or the monitoring station also uses cellular APN

second way would be to use vpn tunnels from the remote sites to a centrel point and do management from there over VPN

if you want to go the other way there are tables on the internet on ranges of IP in each country at least that will reduce the number of attampts.

dansaund · October 29, 2015, 1:59pm

Thanks again James, wherever possible I always use a VPN into the device but sometimes it’s not possible, then and only then as a last resort does a public IP get used.

I’d found the IP range tables on the internet, and my question was how to physically enter these multi-IP range tables into the firewall. When I tried using the “|” character as “or” (as shown in the manual - example block in log break end from 1.80.0.0/13 | 1.92.0.0/14…) the firewall rejects this.

So, just to clarify my question is physically how do I enter multiple IP ranges into firewall scripts?

James.Wilson · October 29, 2015, 4:59pm

Ok you would have to use a rule per block but you could also use the label feature too

pass in break Ports from 1.80.0.0/13 to any
pass in break Ports from 1.92.0.0/14 to any
pass in break Ports from y.y.y.y/x to any

block break end

Ports:
Pass break end from any to any port=22

regards

maria1 · September 14, 2018, 8:24am

The firewall maintains a block list of source IP addresses that it’s blocking. When the firewall blocks a source IP address

if you face issue with your router get help from this
www.belkinroutersupportnumber.com/

Topic		Replies	Views
Firewall Digi wr21 Digi TransPort WR (Series) wr21 , firewall	1	515	March 19, 2018
I have a fleet of Digi WR31 and 21, and I need to whitelist some IPs. Digi TransPort WR (Series) samm	1	235	March 31, 2021
Firewall Script Help - WR31 Digi TransPort WR (Series) wr31 , firewall-script	1	541	January 26, 2016
How to NAT - WR21 Digi TransPort WR (Series) nat , ip , address , ip-address , wr21	1	691	December 19, 2018
WR41 Schedule Firewall Rule Digi TransPort WR (Series)	3	923	August 13, 2012

Implementing IP block-list on WR21

Related Topics