
NAT and the Basic Firewall

NQG_039

Configuring your Netopia Router to create IP filter rules that allow Telnet, SMTP, POP3 & HTTP (web) Servers on the local network beyond the Basic Firewall.

As a general rule, a network is protected by a firewall whenever it is using publicly routed IP addresses. If you are using Network Address Translation (NAT), this will act like a firewall to prevent unauthorized remote access into the network. If you're using NAT, the Basic Firewall can be redundant. However, if you decide to use the Basic Firewall in addition to NAT, you still need to have the appropriate ports or static maps configured in the router. See the following technotes for port mapping in the Netopia R-series router.

CAUTION:
For firmware release 4.8.2 or later, if you are using Network Address Translation with a Public WAN IP, in order to allow telnet to the Netopia's WAN interface, you must create a filter set rule that has a Destination IP Address of the Netopia's Public WAN IP address. Set the Destination Subnet Mask to 255.255.255.255.

WARNING:
Creating and enabling a new filter set using only these instructions will stop internet traffic entirely. These instructions will work properly ONLY if they are added to the existing Basic Firewall preconfigured in the router, or to a filter set configuration that functions in the same way. This document is an extension of, and is best used after reading and understanding, Netopia Router Basic Firewall.

Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware by purchasing an upgrade key.

Related documents:

Firmware Reference

  • v8.2 R1 (and up) - 3300 Enterprise Series
  • v5.3.7 (and up) - 4000 Series
  • v4.8.2 (and up) - R-Series

Before You Start

Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this address accordingly. Separate instructions cover using telnet and HyperTerminal (serial connection).

Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.

Don't forget to press the Enter key to save each entry. Pressing Backspace, Delete or Tab before pressing Enter will discard the change.

The Esc key will take you back towards the main menu screen.

Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.

(Figure: The Netopia Main Menu Interface)

Creating a Filter Rule for Telnet

From the Main Menu:

---> Quick Menus...

---> IP Filter Sets...

---> Display/Change IP Filter Set...

---> Basic Firewall...

---> Add Input Filter to Filter Set...

Hit the "Enter" or "Return" key after each entry to save the change.

  • leave Enabled set to Yes
  • (Tab) Forward: set to Yes
  • leave Source IP Address set as 0.0.0.0
  • leave Source IP Mask set as 0.0.0.0
  • change Dest. IP Address to 172.20.10.216 NOTE: This address is used here as an example only. Substitute the actual public IP address assigned by your ISP.
  • change Dest. IP Mask to 255.255.255.255
  • Protocol Type: (type in) TCP
  • leave Source Port Compare... set as No Compare
  • leave Source Port ID... set as 0
  • change Destination Port Compare... to Equal
  • change Destination Port ID... to 23
  • leave Established TCP Conns. Only set to No
  • (Enter) ADD THIS FILTER NOW

After creating this filter rule, you should move the rule from the bottom of the list to a position above the rules allowing TCP and UDP traffic above port 1023 to enter by default. After going back into the Basic Firewall, go to:

---> Move input filter...

Hit "Enter" and highlight the filter rule you've just created. Hit "Enter" again and use the "up arrow" key to move the filter rule up two spaces. Hit enter again to save this change. Repeat this process for subsequent filters.

You have now created a filter rule to allow telnet access to your Netopia Router when you activate the Basic Firewall on your internet connection profile. When you view the filter rules in the Display/Change Input Filter..., this one will appear as follows:

Source IP Address  Source Mask  Destination IP Address  Destination Mask  Protocol  Source Port  Destination Port  On?  Forward
0.0.0.0            0.0.0.0      172.20.10.216           255.255.255.255   TCP       No Compare   =23               Yes  Yes

Add Additional Services

You may also want to have a mail server or web server on your network, which would also need certain ports opened. For the purposes of this example, we'll assume that your mail server has a LAN address of 192.168.1.10 and your web server is located at 192.168.1.20. In the Telnet example above you set the destination port to 23; for these servers you will instead use destination port values of 25 (SMTP), 110 (POP3) and 80 (HTTP), with the server's LAN address as the Dest. IP Address.

The filter rules for the mail server will appear as follows:

Source IP Address  Source Mask  Destination IP Address  Destination Mask  Protocol  Source Port  Destination Port  On?  Forward
0.0.0.0            0.0.0.0      192.168.1.10            255.255.255.255   TCP       No Compare   =25               Yes  Yes
0.0.0.0            0.0.0.0      192.168.1.10            255.255.255.255   TCP       No Compare   =110              Yes  Yes

The filter rules for the web server will appear as follows:

Source IP Address  Source Mask  Destination IP Address  Destination Mask  Protocol  Source Port  Destination Port  On?  Forward
0.0.0.0            0.0.0.0      192.168.1.20            255.255.255.255   TCP       No Compare   =80               Yes  Yes
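To make the behaviour of these rules concrete, the following is an added example (not Netopia firmware code and not part of the original technote): a small first-match model of an input filter set, using the screen labels above as field names. It loads the four rules from this technote, adds constructed stand-ins for the Basic Firewall's "TCP and UDP above port 1023" rules (the real preconfigured set may differ), and assumes an implicit deny for packets that match nothing. Because the model is first-match, it also shows why a rule's position in the list matters: a constructed catch-all "Forward: No" rule placed above the Telnet rule blocks Telnet, while the same rule placed below it does not. The source address 203.0.113.5 is a constructed Internet host.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Netopia firmware code: a first-match model of the router's
# input filter set. Field names follow the technote's screen labels; the
# matching semantics and the default-deny are assumptions for illustration.

@dataclass
class FilterRule:
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    protocol: str        # "TCP", "UDP" or "ANY"
    dst_compare: str     # "No Compare", "Equal" or "Greater"
    dst_port: int
    forward: bool        # Forward: Yes -> packet accepted, No -> packet dropped
    enabled: bool = True

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int

def addr_matches(addr, rule_addr, mask):
    """Compare addr with rule_addr under mask; a 0.0.0.0 mask matches any host,
    a 255.255.255.255 mask matches exactly one host."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)

def port_matches(port, compare, rule_port):
    if compare == "No Compare":
        return True
    if compare == "Equal":
        return port == rule_port
    if compare == "Greater":
        return port > rule_port
    raise ValueError(f"unknown compare mode {compare!r}")

def rule_matches(rule, pkt):
    return (rule.enabled
            and rule.protocol in ("ANY", pkt.protocol)
            and addr_matches(pkt.src_ip, rule.src_ip, rule.src_mask)
            and addr_matches(pkt.dst_ip, rule.dst_ip, rule.dst_mask)
            and port_matches(pkt.dst_port, rule.dst_compare, rule.dst_port))

def evaluate(filter_set, pkt, default_forward=False):
    """Walk the set top to bottom; the first matching rule decides.
    Returns (forwarded, index of the deciding rule or None for the default)."""
    for i, rule in enumerate(filter_set):
        if rule_matches(rule, pkt):
            return rule.forward, i
    return default_forward, None

# The four rules from the technote (172.20.10.216 is the technote's example
# WAN address), followed by constructed stand-ins for the Basic Firewall's
# "above port 1023" rules.
WAN_IP = "172.20.10.216"
SERVICE_RULES = [
    FilterRule("0.0.0.0", "0.0.0.0", WAN_IP,         "255.255.255.255", "TCP", "Equal", 23,  True),
    FilterRule("0.0.0.0", "0.0.0.0", "192.168.1.10", "255.255.255.255", "TCP", "Equal", 25,  True),
    FilterRule("0.0.0.0", "0.0.0.0", "192.168.1.10", "255.255.255.255", "TCP", "Equal", 110, True),
    FilterRule("0.0.0.0", "0.0.0.0", "192.168.1.20", "255.255.255.255", "TCP", "Equal", 80,  True),
]
HIGH_PORT_RULES = [  # constructed; the preconfigured Basic Firewall may differ
    FilterRule("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "TCP", "Greater", 1023, True),
    FilterRule("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "UDP", "Greater", 1023, True),
]
BASIC_FIREWALL = SERVICE_RULES + HIGH_PORT_RULES

def decide(filter_set, dst_ip, protocol, dst_port, src_ip="203.0.113.5"):
    """Is a packet from a constructed Internet host to dst_ip:dst_port forwarded?"""
    return evaluate(filter_set, Packet(src_ip, dst_ip, protocol, dst_port))[0]

def ordering_demo():
    """Why position matters under first-match: a constructed catch-all
    'Forward: No' rule above the Telnet rule silences it; below it, it does not."""
    deny_all = FilterRule("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "ANY", "No Compare", 0, False)
    telnet = SERVICE_RULES[0]
    probe = Packet("203.0.113.5", WAN_IP, "TCP", 23)
    return evaluate([deny_all, telnet], probe)[0], evaluate([telnet, deny_all], probe)[0]

if __name__ == "__main__":
    for dst, proto, port in [(WAN_IP, "TCP", 23), ("192.168.1.10", "TCP", 25),
                             ("192.168.1.10", "TCP", 80), ("192.168.1.20", "TCP", 80),
                             ("192.168.1.20", "UDP", 53), ("192.168.1.20", "TCP", 8080)]:
        print(f"{proto} to {dst}:{port:<5} forwarded={decide(BASIC_FIREWALL, dst, proto, port)}")
    print("deny-all above / below the Telnet rule ->", ordering_demo())
```

Running the block shows that only the four advertised (address, port) pairs and high-port traffic are forwarded; HTTP to the mail server, Telnet to the web server and UDP 53 to the LAN all fall through to the assumed default deny. This is the practical reason for the 255.255.255.255 destination mask: each rule admits one port on one host, nothing more.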

Display/Change Input Filter Screen

The Display/Change Input Filter screen will now look similar to this:

(Figure: Display/Change Input Filter Screen)

Other ports that need to be opened for specific services are listed in a chart at the end of NIR_052.

Conclusion

The Netopia router incorporates a full-featured packet filter that can deny or allow network traffic based on source or destination network or host address, source or destination port number, or IP protocol type. These filter features allow the Netopia to secure the local network from unwanted access while letting trusted users remain productive on the network and still permitting remote access to selected services on the LAN.


© 2008 Netopia, Inc., a Motorola Company. All rights reserved.