Security

Add LAN WAN Service
Outbound Service
This page is used for setting up a firewall rule for traffic going from the LAN to the WAN. Outbound traffic for a service can be configured to be blocked or allowed at all times, or blocked or allowed according to a schedule (defined on the Schedule page under the Security menu).

To add an outbound rule, input the following fields:
Service Name:
This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added on the Services page under the Security menu.

Filter:
Defines the action to be taken on the enabled rule. It can be:

- Block Always: Block the selected service at all times.
- Allow Always: Allow the selected service to pass through at all times.
- Block by schedule, otherwise allow: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be blocked during the scheduled interval and will be allowed to pass through at other times.
- Allow by schedule, otherwise block: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be allowed to pass through during the scheduled interval and will be blocked at other times.

LAN Users:
Specifies whether one or more IP addresses on the LAN will be affected by the rule. The rule will affect packets for the selected service from the defined IP address or range of IP addresses on the LAN side.

- Any: All computers on the LAN will be affected by the rule.
- Single Address: A single LAN IP address will be affected by the rule.
- Address Range: A range of LAN IP addresses will be affected by the rule.
- Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, LAN Groups page, Edit Group Names link).

WAN Users:
Specifies whether one or more IP addresses on the WAN will be affected by the rule. The rule will affect packets for the selected service to the defined IP address or range of IP addresses on the WAN side.

- Any: All IP addresses on the WAN will be affected by the rule.
- Single Address: A single WAN IP address will be affected by the rule.
- Address Range: A range of WAN IP addresses will be affected by the rule.

Priority:
The priority assigned to IP packets of this service. The priorities are defined by the "Type of Service (TOS) in the Internet Protocol Suite" standard, RFC 1349. The router marks the Type of Service (TOS) field as defined below:

- Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0.
- Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 2.
- Maximize-Reliability: Used when data needs to travel to the destination over a reliable link with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 4.
- Maximize-Throughput: Used when the volume of data transferred during an interval is important, even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 6.
- Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 16.

Log:
Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging.
For example, if an outbound rule is set to Block Always and logging is set to Always, then for every packet that tries to make an outbound connection for that service, a message with the packet's source address and destination address (and other information) will be recorded in the log. Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.

Bandwidth Profile:
Specifies the name of the bandwidth limiting profile. Using a bandwidth profile, the bandwidth consumed by different connections can be limited. If there are multiple connections corresponding to the same firewall rule, they will share the same bandwidth limit.

NAT IP:
Specifies whether the source address of the outgoing packets on the WAN should be the WAN interface address or a different one.

NAT single IP is on:
The WAN interface to which the NAT IP belongs. All outgoing packets on the WAN will be routed through the specified WAN interface only.

- WAN Interface Address: All outgoing packets on the WAN will be assigned the WAN interface address.
- Single Address: All outgoing packets on the WAN will be assigned the specified IP address.

Note:
This option will be available only when the WAN mode is "NAT". The IP address specified should fall within the WAN subnet.

Click Apply to save the settings.
Click Reset to revert to the previous settings.
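As an added example (not the router's own code), the decision the outbound form describes, written out in Python: one rule's Filter, schedule, LAN Users and WAN Users selectors and Log setting applied to a single outbound packet. The schedule tuple, the selector tuples and the log line format are assumptions, since the page defines no data format for them.

```python
from datetime import datetime, time
from ipaddress import ip_address

# Constructed model of one Outbound Service rule using the fields described on this
# page (not the router's own code). Schedule shape is assumed: (weekdays, start, end).
RULE = {
    "service": "telnet",
    "filter": "Block by schedule, otherwise allow",
    "schedule": [({0, 1, 2, 3, 4}, time(9, 0), time(17, 0))],  # Mon-Fri 09:00-17:00
    "lan_users": ("range", "192.168.1.10", "192.168.1.50"),     # Address Range
    "wan_users": ("any",),                                       # Any
    "log": "Always",
}

def in_schedule(schedule, when):
    """True when 'when' falls inside one of the schedule's intervals (Monday=0)."""
    return any(when.weekday() in days and start <= when.time() < end
               for days, start, end in schedule)

def selector_matches(selector, addr):
    """Evaluate a LAN Users / WAN Users selector against one IP address."""
    kind, a = selector[0], ip_address(addr)
    if kind == "any":
        return True
    if kind == "single":
        return a == ip_address(selector[1])
    if kind == "range":
        return ip_address(selector[1]) <= a <= ip_address(selector[2])
    if kind == "group":  # Group: membership in a Network Database group (a set here)
        return addr in selector[1]
    raise ValueError(f"unknown selector {kind}")

def evaluate(rule, pkt, when):
    """Return (action, log_line) for one outbound packet; action is None when the
    rule does not apply (other service, or addresses outside the selectors)."""
    if (pkt["service"] != rule["service"]
            or not selector_matches(rule["lan_users"], pkt["src"])
            or not selector_matches(rule["wan_users"], pkt["dst"])):
        return None, None
    scheduled = in_schedule(rule["schedule"], when)
    action = {"Block Always": "block", "Allow Always": "allow",
              "Block by schedule, otherwise allow": "block" if scheduled else "allow",
              "Allow by schedule, otherwise block": "allow" if scheduled else "block",
              }[rule["filter"]]
    # Log = Always records source and destination for every packet the rule matches.
    log_line = (f"{when:%Y-%m-%d %H:%M} {action.upper()} {rule['service']} "
                f"{pkt['src']} -> {pkt['dst']}") if rule["log"] == "Always" else None
    return action, log_line
```

A telnet packet from 192.168.1.20 on a Wednesday at 10:00 is blocked and logged; the same packet at 20:00 is allowed, and a packet from a LAN host outside the range is not covered by the rule at all.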
Add LAN WAN Service
Inbound Service

This page is used for setting up a firewall rule for traffic coming from the WAN to the LAN. Inbound traffic for a service can be configured to be blocked or allowed by default, or blocked or allowed according to a schedule (defined on the Schedule page under the Security menu).

To add an inbound rule, input the following fields:
Service Name:
This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added on the Services page under the Security menu.

Filter:
Defines the action to be taken on the enabled rule. It can be:

- Block Always: Block the selected service at all times.
- Allow Always: Allow the selected service to pass through at all times.
- Block by schedule, otherwise allow: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be blocked during the scheduled interval and will be allowed to pass through at other times.
- Allow by schedule, otherwise block: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be allowed to pass through during the scheduled interval and will be blocked at other times.

Send to LAN IP Address:
Specifies the IP address and port number of the machine on the LAN which is hosting the server. Select the port number checkbox only if the server is listening on a port other than the default. For example, if a machine on the LAN side is running a telnet server on port 2000, then select the Translate to Port Number checkbox and type 2000 in the Port field. If it is listening on the default port 23, the box can be left unchecked.
Note: This option is only available when the router is in NAT mode (see the Network Configuration menu, WAN Mode page).

Destination:
The WAN IP address that will map to the incoming server. It can be either the address of the WAN port or another WAN IP address. This field is only enabled in NAT mode because the router needs to map traffic coming in on a particular WAN port to a LAN machine.
LAN Users:
Specifies whether one or more IP addresses on the LAN will be affected by the rule. This field is only enabled in routing mode, since the LAN is accessible only in this mode.

- Any: All computers on the LAN will be affected by the rule.
- Single Address: A single LAN IP address will be affected by the rule.
- Address Range: A range of LAN IP addresses will be affected by the rule.
- Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, LAN Groups page, Edit Group Names link).

WAN Users:
Specifies whether all addresses or specific IP addresses on the WAN will be affected by the rule. The rule will affect packets for the selected service to the defined IP address or range of IP addresses on the WAN side.

- Any: All IP addresses on the WAN will be affected by the rule.
- Single Address: A single WAN IP address will be affected by the rule.
- Address Range: A range of WAN IP addresses will be affected by the rule.

Priority:
The priority assigned to IP packets of this service. The priorities are defined by the "Type of Service (TOS) in the Internet Protocol Suite" standard, RFC 1349. The router marks the Type of Service (TOS) field as defined below:

- Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0.
- Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 2.
- Maximize-Reliability: Used when data needs to travel to the destination over a reliable link with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 4.
- Maximize-Throughput: Used when the volume of data transferred during an interval is important, even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 6.
- Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 16.
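RFC 1349 lays the TOS octet out as three precedence bits, four flag bits and one must-be-zero bit. The encoder and decoder below (an added example for the Priority field on both the outbound and inbound pages, not router code) build and read that octet for the priorities listed above and show the DSCP value an RFC 2474 device reads from the same octet. One caveat worth checking on a device: RFC 1349 assigns Maximize-Throughput the single bit 0x08, so the value 6 listed above decodes to the reliability and cost bits rather than the throughput bit.

```python
# RFC 1349 TOS octet: bits 7..5 precedence, bits 4..1 the four TOS flags, bit 0 MBZ.
TOS_FLAGS = {                     # flag names with their RFC 1349 bit values
    "Minimize-Delay": 0x10,
    "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04,
    "Minimize-Cost": 0x02,
}

def encode_tos(flags, precedence=0):
    """Build the TOS octet from flag names and a 3-bit IP precedence (0-7)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    value = precedence << 5
    for name in flags:
        value |= TOS_FLAGS[name]      # KeyError for a name RFC 1349 does not define
    return value

def decode_tos(octet):
    """Split a TOS octet into (precedence, [flag names]); rejects a set MBZ bit."""
    if not 0 <= octet <= 0xFF or octet & 0x01:
        raise ValueError("invalid TOS octet")
    return octet >> 5, [name for name, bit in TOS_FLAGS.items() if octet & bit]

def dscp_of(octet):
    """The 6-bit DSCP an RFC 2474 device reads from the same octet (top six bits)."""
    return octet >> 2

def page_priority_flags():
    """Decode the TOS values this page lists for each Priority setting."""
    page = {"Normal-Service": 0, "Minimize-Cost": 2, "Maximize-Reliability": 4,
            "Maximize-Throughput": 6, "Minimize-Delay": 16}
    return {name: decode_tos(value)[1] for name, value in page.items()}
```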

Log:
Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging.
For example, if an inbound rule is set to Block Always and logging is set to Always, then for every packet that tries to make an inbound connection for that service, a message with the packet's source and destination addresses (and other information) will be recorded in the log. Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.

Bandwidth Profile:
Specifies the name of the bandwidth limiting profile. Using a bandwidth profile, the bandwidth consumed by different connections can be limited. If there are multiple connections corresponding to the same firewall rule, they will share the same bandwidth limit.

Click Apply to save the settings.
Click Reset to revert to the previous settings.