RVL200 - SSL VPN and Firewall Rules
HikingStick
Regular visitor
Posts: 4
Registered: 10-23-2009



Message 1 of 7



Pardon my ignorance, but I've been thrust into configuring this RVL200 device to allow SSL VPN access to a remote client site, sight unseen.  I have the basics of the VPN connection set up in the config, but am now moving on to the firewall rules.  We want to block all internal devices from having any access to the Internet, but I don't want to cripple the remote clients that will be connecting by blocking their return traffic over the SSL VPN.  This leads to my questions:

1) Will a blanket DENY rule for all OUTBOUND traffic prevent the primary function of the VPN (to allow remote administration of machines on the LAN)?

2) If the answer to #1 is "Yes", what ports/services would I need to open up from the LAN side?

3) Building off #2, how would I configure the allowed outbound rules to apply only to the VPN clients, rather than all LAN hosts?

4) Since the default INBOUND rule is to DENY ALL, do I need to create a rule to allow the VPN tunnel, or is that assumed in the router configuration?

Here are some other details:

  • The LAN behind the RVL200 is an otherwise isolated LAN in a manufacturing environment
  • All hosts on that network have static IP addresses on a single subnet. 
  • The RVL200 has been configured with a static, public IP address on the WAN/INTERNET side.
  • DHCP has been disabled on the RVL200 
  • Authentication to the device will use a local database.
  • No DNS servers exist on the LAN
  • The upstream device from the RVL200 is a DSL modem using PPPoE, and the device has been configured for that setting.
  • Numerous local user database accounts have been created to facilitate SSL VPN access.

I've worked with other aspects of IT for a long time, but have limited experience with VPNs and the associated firewall rules, and none with this family of device.  Any assistance will be greatly appreciated.

10-23-2009 01:38 PM  

Re: RVL200 - SSL VPN and Firewall Rules
aponikikay
Level 1 Poster
Posts: 161
Registered: 03-24-2009



Message 2 of 7



Answer:

1. Yes, it will deny the rule.

2. You can forward ports 47, 50, 500, 1723 for VPN

3. You can forward the port for each computer that you will allow. This is done via the IP address of the said computer.

4. If you set it that way, there's no need to create another rule. The rule will be applied already.

Hope this helps!

10-24-2009 03:11 PM  

Re: RVL200 - SSL VPN and Firewall Rules
Expert gv
Expert
Posts: 6112
Registered: 07-16-2006



Message 3 of 7



I don't have a RVL200 thus I have to refer to the manual here...

Re 1. I think it should not, but you should carefully test that. In principle I would say that access rules should apply to the traffic from the LAN to the WAN and vice versa, while the necessary firewall rules regarding the router itself should be automatically set up according to your configuration. The access rules have an option to log traffic. This should also apply to filter rules allowing traffic. You could set up an allow-all rule with logging and check if the SSL-VPN traffic appears in the log. Of course, the log function is sometimes broken. Ideally you should do a local test...

Re 2. It should be none.

Re 3. VPN clients receive an IP address from inside your LAN (unless you define other IP addresses for the VPN clients which you should not). They then behave like they were connected inside the LAN. There are no separated rules for the VPN clients. The VPN client will make sure that you have a working SSL-VPN connection regardless of the rules filtering the LAN traffic.

Re 4. It should be set up automatically.

Your problem is less a problem with understanding of VPN but rather a problem of a limited web interface. If the web interface gave you all the possible firewall options it would be far more complex, but you would better see the rules which apply to the traffic passed/routed through the router and the traffic which is directed to the router...

10-25-2009 01:34 AM  
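The distinction gv draws above, between traffic directed to the router (the SSL VPN listener) and traffic routed through it (what the web UI's access rules govern), is easy to reason about with a small model. The following Python is an added example written for this page; it is not code from the thread and not RVL200 firmware. It assumes a Linux-style split into an "input" decision for packets addressed to the router and a "forward" decision for packets passed through it, that the SSL VPN listens on TCP 443 of the WAN address, that VPN clients are addressed out of the LAN subnet (as gv says), and constructed RFC 5737 addresses on the public side.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example: RFC 5737 ranges on the public side.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN = ipaddress.ip_address("192.168.1.1")
ROUTER_WAN = ipaddress.ip_address("203.0.113.10")
SSLVPN_PORT = 443  # assumption: the SSL VPN listener is TCP 443 on the WAN address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int = 0


def zone(addr: str) -> str:
    """Map an address to the zone the policy reasons about."""
    ip = ipaddress.ip_address(addr)
    if ip in (ROUTER_LAN, ROUTER_WAN):
        return "router"
    return "lan" if ip in LAN else "wan"


# Access rules of the kind the web UI exposes: they govern forwarded traffic
# only. Tuple is (src_zone, dst_zone, proto or "any", dport or None, action);
# first match wins.
ACCESS_RULES: List[Tuple[str, str, str, Optional[int], str]] = [
    ("lan", "wan", "any", None, "deny"),   # the blanket outbound deny asked about
]
# Defaults as the thread describes them: inbound deny-all, outbound allow.
FORWARD_DEFAULT = {("wan", "lan"): "deny", ("lan", "wan"): "allow", ("lan", "lan"): "allow"}


def evaluate(pkt: Packet, log: Optional[list] = None) -> Tuple[str, str]:
    """Return (chain, action) for one packet arriving at the router.

    Packets addressed to the router itself (the SSL VPN listener) are decided
    by the router's own service policy, set up from the configuration; the
    user-visible access rules are only consulted for packets routed through.
    """
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if dz == "router":
        chain = "input"
        accepted = sz == "wan" and pkt.proto == "tcp" and pkt.dport == SSLVPN_PORT
        action = "allow" if accepted else "deny"
    else:
        chain = "forward"
        action = FORWARD_DEFAULT.get((sz, dz), "deny")
        for r_sz, r_dz, r_proto, r_dport, r_action in ACCESS_RULES:
            if (r_sz, r_dz) != (sz, dz):
                continue
            if r_proto != "any" and r_proto != pkt.proto:
                continue
            if r_dport is not None and r_dport != pkt.dport:
                continue
            action = r_action
            break
    if log is not None:
        log.append((chain, action, pkt))
    return chain, action


def vpn_session_trace(log: Optional[list] = None) -> List[Tuple[str, str]]:
    """Walk one remote-administration session hop by hop and return the decisions."""
    remote = "198.51.100.7"       # constructed: the remote admin's public address
    vpn_client = "192.168.1.201"  # constructed: address the SSL VPN hands the client, inside the LAN
    target = "192.168.1.50"       # constructed: a machine on the manufacturing LAN
    hops = [
        Packet(remote, str(ROUTER_WAN), "tcp", SSLVPN_PORT),  # tunnel set-up, addressed to the router
        Packet(vpn_client, target, "tcp", 3389),             # decapsulated client traffic, LAN -> LAN
        Packet(target, vpn_client, "tcp", 50123),            # the reply, still LAN -> LAN
        Packet(target, "198.51.100.99", "tcp", 80),          # a LAN host trying to reach the Internet
        Packet(remote, target, "tcp", 3389),                 # the same admin without the tunnel
    ]
    return [evaluate(p, log) for p in hops]


def forward_log_entries(log: list) -> List[Tuple[str, str, Packet]]:
    """What an allow-all-with-logging access rule would show: forwarded packets only."""
    return [entry for entry in log if entry[0] == "forward"]


if __name__ == "__main__":
    trace: list = []
    for hop, (chain, action) in enumerate(vpn_session_trace(trace), start=1):
        print(f"hop {hop}: {chain:7s} {action}")
    print("tunnel packets in the forward log:",
          sum(1 for _, _, p in forward_log_entries(trace) if p.dport == SSLVPN_PORT))
```

Running it shows the tunnel set-up accepted on the input side, the client's decapsulated traffic and its replies allowed as LAN-to-LAN, the LAN host's own Internet attempt denied by the outbound rule, and the same administrator denied without the tunnel. The tunnel packets never show up in the forward log at all, which is what the logging test gv suggests would reveal on a real device if its access rules behave this way.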

Re: RVL200 - SSL VPN and Firewall Rules
Expert gv
Expert
Posts: 6112
Registered: 07-16-2006



Message 4 of 7



aponikikay, there is no port forwarding necessary for the SSL-VPN function of the RVL200.

Re 1. That's not proven. It should not do that. The router should automatically make sure that the SSL-VPN function of the router is working and accessible.

Re 2. No forwarding necessary. In addition, never forward TCP/UDP port 47 or port 50 for VPN functions. TCP port 1723 is used for PPTP. UDP 500 is used for ISAKMP. You usually also have to forward TCP/UDP port 4500 for IPSec encapsulation.

Port 47 is wrong. GRE is an IP protocol used for VPNs. It is a protocol like TCP or UDP. GRE has the IP protocol number 47. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols from GRE.

The same applies to 50: ESP is the payload for IPSec tunnels. ESP is IP protocol 50. It has nothing to do with TCP or UDP port 50.

"Forwarding" of GRE is configured with the PPTP passthrough option.

"Forwarding" of ESP is configured with the IPSec passthrough option.
Accepted Solution
10-25-2009 01:40 AM  
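gv's correction above, that GRE (IP protocol 47) and ESP (IP protocol 50) live in the protocol field of the IP header and have nothing to do with TCP or UDP port 47 or 50, can be made concrete by building the packets and matching rules against them. The following Python is an added example for this page, not code from the thread or from Cisco; it constructs minimal IPv4 packets with zero checksums, uses RFC 5737 addresses, and assumes the SSL VPN sample is plain TCP 443. It shows that a rule written as "TCP port 47" never matches a single GRE packet, while a rule keyed on the protocol number does, and that UDP 500 and UDP 4500 are genuinely port rules.

```python
import socket
import struct
from typing import Dict, List, Optional

# IP protocol numbers (the IANA "Protocol" field of the IPv4 header), not ports.
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def ipv4(proto: int, payload: bytes, src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Constructed IPv4 packet: 20-byte header, no options, checksum left zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp(dport: int, sport: int = 40000) -> bytes:
    """Minimal TCP SYN header (data offset 5, no options, checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp(dport: int, sport: int = 40000) -> bytes:
    """Minimal UDP header with an empty payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def classify(pkt: bytes) -> Dict[str, Optional[int]]:
    """Return the fields a filter rule can actually match on.

    Ports exist only inside a TCP or UDP header; for GRE, ESP and the rest the
    only thing to match is the protocol number in byte 9 of the IP header.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    fields: Dict[str, Optional[int]] = {"ipproto": proto, "sport": None, "dport": None}
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields


def rule_matches(rule: Dict[str, int], pkt: bytes) -> bool:
    """A rule names an IP protocol and, for TCP/UDP only, a destination port."""
    fields = classify(pkt)
    if fields["ipproto"] != rule["ipproto"]:
        return False
    return "dport" not in rule or fields["dport"] == rule["dport"]


# Constructed sample traffic for each VPN flavour mentioned in the thread.
SAMPLES: Dict[str, bytes] = {
    "pptp-control": ipv4(6, tcp(1723)),
    "pptp-gre":     ipv4(47, struct.pack("!HH", 0, 0x880B)),                  # GRE carrying PPP
    "isakmp":       ipv4(17, udp(500)),
    "nat-t":        ipv4(17, udp(4500)),
    "esp":          ipv4(50, struct.pack("!II", 0x12345678, 1) + bytes(16)),  # SPI, seq, ciphertext
    "ssl-vpn":      ipv4(6, tcp(443)),                                        # assumption: SSL VPN on TCP 443
}

# The list from message 2, read literally as TCP/UDP ports ...
PORT_RULES: Dict[str, Dict[str, int]] = {
    "tcp/47":   {"ipproto": 6, "dport": 47},
    "tcp/50":   {"ipproto": 6, "dport": 50},
    "tcp/1723": {"ipproto": 6, "dport": 1723},
    "udp/500":  {"ipproto": 17, "dport": 500},
}
# ... and the corrected set, keyed on protocol numbers where that is what counts.
PROTO_RULES: Dict[str, Dict[str, int]] = {
    "gre":      {"ipproto": 47},
    "esp":      {"ipproto": 50},
    "tcp/1723": {"ipproto": 6, "dport": 1723},
    "udp/500":  {"ipproto": 17, "dport": 500},
    "udp/4500": {"ipproto": 17, "dport": 4500},
}


def hits(rules: Dict[str, Dict[str, int]], samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """For each sample packet, the names of the rules that would match it."""
    return {name: [r for r, rule in rules.items() if rule_matches(rule, pkt)]
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, rules in (("port rules", PORT_RULES), ("protocol rules", PROTO_RULES)):
        print(label)
        for name, matched in hits(rules).items():
            print(f"  {name:13s} -> {matched or 'no rule matches'}")
```

With the port-style rules the GRE and ESP samples match nothing, so a PPTP or IPsec tunnel would fail even though "47" and "50" appear in the rule list; with the protocol-keyed rules each sample is caught by exactly one rule. The SSL VPN sample matches neither set, which is consistent with gv's point that no forwarding rule is needed for a service the router terminates itself.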

Re: RVL200 - SSL VPN and Firewall Rules
aponikikay
Level 1 Poster
Posts: 161
Registered: 03-24-2009



Message 5 of 7



Thank you for your clarification. I learned from this and will test this as well from my end. Again, thank you!
10-29-2009 12:00 PM  

Re: RVL200 - SSL VPN and Firewall Rules
HikingStick
Regular visitor
Posts: 4
Registered: 10-23-2009



Message 6 of 7



Thanks to all for your replies.  I'll do some testing yet this afternoon or tomorrow, and will let you know how it turns out.  I'm hoping that gv has the straight dope--it would be nice if the device treats the VPN separately and uses the connection to create a behind-the-firewall entry point while still allowing me to block any other outbound traffic.
10-29-2009 12:24 PM  

Re: RVL200 - SSL VPN and Firewall Rules
HikingStick
Regular visitor
Posts: 4
Registered: 10-23-2009



Message 7 of 7



Thanks, gv.  It worked as you described it.  With a universal deny rule in place (deny all outbound from LAN), the VPN connection treated the remote connection as being on the local network, so I was able to use all necessary remote management tools.  Clients on the LAN could not get to any outside resources, but they could communicate with the client coming through the SSL VPN.
11-03-2009 07:52 AM  
