41. Firewall / IP Filter

This function lets the administrator enable the IP filter. Packets passing through the router in either direction (inbound or outbound) can be set to be passed or dropped by the supervisor.

Figure 41-1 IP Filter Rules

41.1 Examples and Web Configurations

Example 1: Employees 192.168.33.32~192.168.33.64 are not allowed to surf the Internet. Other employees (192.168.33.16~31) are permitted.

1. Enable the Data Filter Function.

Figure 41-2

Vigor3300 Series Application Note V2.2 255

Figure 41-3

2. Add new rules in the Pass Group.

Figure 41-4

3. Add a rule for the SMTP protocol (port 25) for 192.168.33.16~192.168.33.31.

Figure 41-5

4. Add further rules for port 53 (DNS protocol), port 80 (HTTP protocol) and port 110 (POP3 protocol) for 192.168.33.16~192.168.33.31.

5. Finally, add a rule in the Block Group.

Figure 41-6
Figure 41-7

6. Apart from the connections permitted by the previous rules, all other connections are forbidden.

Figure 41-8
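The following is an added example (not from the application note) that models the Pass Group / Block Group evaluation used in Example 1, and in the same way by the other examples below, as a first-match rule list, so that a rule set can be checked against sample connections before it is entered in the web interface. The direction strings, the inclusive "start~end" tuple format and the pass-by-default fall-through for unmatched packets are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPRange = Tuple[str, str]  # inclusive "start~end" range, as written in the note


@dataclass(frozen=True)
class Rule:
    direction: str                 # "LAN to WAN", "WAN to LAN", ...
    action: str                    # "pass" or "block"
    src: Optional[IPRange] = None  # None matches any source address
    dst: Optional[IPRange] = None  # None matches any destination address
    proto: Optional[str] = None    # "tcp", "udp"; None matches any protocol
    dport: Optional[int] = None    # destination port; None matches any port


def in_range(addr: str, rng: Optional[IPRange]) -> bool:
    if rng is None:
        return True
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in rng)
    return lo <= int(ipaddress.IPv4Address(addr)) <= hi


def matches(rule: Rule, direction: str, src: str, dst: str,
            proto: str, dport: int) -> bool:
    return (rule.direction == direction
            and in_range(src, rule.src) and in_range(dst, rule.dst)
            and rule.proto in (None, proto)
            and rule.dport in (None, dport))


def decide(rules: List[Rule], direction: str, src: str, dst: str,
           proto: str, dport: int) -> str:
    """First match wins; Pass Group rules are listed before the Block Group.
    Assumption: an unmatched packet passes, which is why every example in
    the note ends with an explicit catch-all block rule."""
    for rule in rules:
        if matches(rule, direction, src, dst, proto, dport):
            return rule.action
    return "pass"


# Example 1 of the note: hosts 192.168.33.16~31 may use SMTP, DNS, HTTP and
# POP3; everything else from the LAN towards the Internet is then blocked.
# The note only names port 53 for DNS, so that rule matches any protocol.
STAFF = ("192.168.33.16", "192.168.33.31")
EXAMPLE1 = [Rule("LAN to WAN", "pass", src=STAFF, proto="tcp", dport=p)
            for p in (25, 80, 110)]
EXAMPLE1.append(Rule("LAN to WAN", "pass", src=STAFF, dport=53))
EXAMPLE1.append(Rule("LAN to WAN", "block"))  # steps 5-6: catch-all block
```

Checking TCP port 443 for a permitted host shows that the rule set as written passes plain HTTP only, so HTTPS browsing by the permitted employees would also be blocked unless a further pass rule is added.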
Example 2: Only IP 220.220.220.220 is allowed to access my VNC server from the Internet, and only IP 220.220.220.221 is allowed to access my FTP server from the Internet. (Other Internet hosts cannot access my internal servers.)

1. Enable the Data Filter Function.

Figure 41-9

2. Add new rules in the Pass Group.

Figure 41-10
Figure 41-11

3. Allow IP 220.220.220.220 to access my VNC server (TCP port 5900).

Figure 41-12

4. Allow IP 220.220.220.221 to access my FTP server (TCP port 21).

Figure 41-13

5. Finally, add a rule in the Block Group.

Figure 41-14

6. Apart from the connections permitted by the previous rules, all other incoming connections are forbidden.

Figure 41-15

Example 3: Some employees (IP 192.168.33.128/27) can use the FTP, Mail and Web services, and some (IP 192.168.33.64/26) can only use the Mail service.

1. Enable the Data Filter Function.

Figure 41-16

2. Add new rules in the Pass Group.

Figure 41-17
Figure 41-18

3. Allow users with IP 192.168.33.64~192.168.33.127 to use the Mail service (SMTP protocol).

Figure 41-19

4. Allow users with IP 192.168.33.64~192.168.33.127 to use the Mail service (POP3 protocol).

Figure 41-20

5. Allow users with IP 192.168.33.64~192.168.33.127 to use the DNS service.

Figure 41-21

6. Allow users with IP 192.168.33.128~192.168.33.159 to use the FTP, SMTP, POP3, Web and DNS services.

Figure 41-22
Figure 41-23

7. Add a rule in the Block Group.

Figure 41-24

8. Apart from the connections permitted by the previous rules, all other connections are forbidden.

Figure 41-25

Example 4: The host with IP 192.168.33.10 cannot be accessed from the remote VPN network, while the hosts with IP 192.168.33.5 and 192.168.33.6 can be accessed.

1. Enable the Data Filter Function.

Figure 41-26

2. Add new rules in the Pass Group.

Figure 41-27
Figure 41-28

3. Allow VPN connections from 192.168.29.0 to 192.168.33.5 and 192.168.33.6.

Figure 41-29
Figure 41-30

4. Add a rule in the Block Group.

Figure 41-31

5. Disallow VPN connections from 192.168.29.0 to 192.168.33.10.

Figure 41-32

Example 5: Some users (192.168.33.33~192.168.33.36) can surf the Internet, and some (192.168.33.16~192.168.33.31) can only access the remote VPN network.

1. Enable the Data Filter Function.

Figure 41-33

2. Add new rules in the Pass Group.

Figure 41-34
Figure 41-35

3. Allow the local network 192.168.33.0 to access the remote VPN network 192.168.29.0.

Figure 41-36
Figure 41-37

4. Allow users with IP 192.168.33.32~192.168.33.35 to surf the Internet (DNS protocol).

Figure 41-38

5. Allow users with IP 192.168.33.32~192.168.33.35 to surf the Internet (HTTP protocol).

Figure 41-39

6. Add a rule in the Block Group.

Figure 41-40

7. Apart from the connections permitted by the previous rules, all other connections are forbidden.

Figure 41-41
41.2 Firewall direction

Figure 41-42

Table 42-1 Firewall / IP Filter Direction

Direction    Meaning and typical use
-----------  -----------------------------------------------------------------------------
WAN to LAN   From the Internet to the intranet, e.g. VNC or PC Anywhere remote control.
WAN to DMZ   From the Internet to the DMZ, e.g. allow Internet users to browse a web server in the DMZ.
WAN to WAN   From WAN to WAN, e.g. allow WAN1 traffic to be redirected to WAN2.
LAN to WAN   From the intranet to the Internet, e.g. surfing the Internet.
LAN to DMZ   From the intranet to the DMZ, e.g. allow some employees to access the DMZ.
LAN to LAN   For security reasons, the LAN to LAN block function can be used to prohibit LAN1 users from visiting LAN2 resources in a VLAN environment.
DMZ to WAN   From the DMZ to the WAN, e.g. allow the DMZ to use Internet resources.
DMZ to LAN   From the DMZ to the LAN, e.g. allow the DMZ to use an internal database.
VPN In       From the remote VPN network to the Vigor3300's VPN network; pass or block.
VPN Out      From the Vigor3300's VPN network to the remote VPN network; pass or block.
Any          All directions in and out, including LAN, WAN, DMZ and VPN.