Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Dannermax]

hi all.

I would like to know, how i block all outgoing internet traffic in my router, (exept VPN traffic) from my NAS. My nas is connected to a VPN service with OPENVPN. As far as i know, the VPN traffic is on port 1194.

Can this be achieved from "access control"? And if so, how do i enter this??
I want to achieve this, because sometimes the vpn tunnel fails, and my real IP is exposed..

Thanks for your time! Hope to hear from you

[FurryNutz]

Link>Welcome!

• What Hardware version is your router? Look at sticker under the router case.
• Link>What Firmware version is currently loaded? Found on the routers web page under status.
• What region are you located?

Internet Service Provider and Modem Configurations

• What ISP Service do you have? Cable or DSL?
• What ISP Modem Mfr. and model # do you have?

Additional Info:
How to Block a specific port using Access Control: http://forums.dlink.com/index.php?topic=58731.0
How to set up Web Filters: http://www.dlink.cc/d-link-wireless/how-to-setup-website-filter-on-d-link-dir-series-router-dir-655.htm
How to Block FB: http://forums.dlink.com/index.php?topic=50490.0
Web Filter How To: http://forums.dlink.com/index.php?topic=5509.0

Specific Port Blocking: Use Block Some Access/Apply Advanced Port Filters
[/list]

[Dannermax]

Hello Furry, and thanks for your reply.

Here is some information on my system:

DIR-655 - Hardware version A4 - Firmware version 1.37NA

Here is a screenshot of the Access Control of my router, which i have added a policy to my NAS:



As you can see, i have blocked all ports except port 1194 (which is openvpn) But i have run into an issue. I am also using a program called Flexget, which runs a script, many times a day. And i can see in its log file, that it cant do URL lookups. So i am guessing that i am blocking dns requests? So how do I, let's say, allow VPN traffic, and googles DNS (8.8.8.? (and perhaps something else for it to function properly??)

Again, i am interrested in only letting VPN traffic through, to the internet, all the time. My ip pool is from 192.168.1.2 to 192.168.1.199

Thanks ALOT for your help!!

Regards

[FurryNutz]

Eeeks, I think your Dest Start and End IPs need to be more specific to just the IP address of the NAS. Your using a wide range which would included any other devices connected to the router. I believe Start and End IPs should be just the IP address of the NAS. I would start with using all ports then narrow down to specific ports while testing to see if the rule configuration works or not.

[Dannermax]

I don't really understand..

This policy i have added, is specific for ONLY 192.168.1.52 which is my NAS. further along the wizard i get to the attached picture above, where i have specified which IP's and ports are blocked, for that particulaly IP, så that it cannot access them on the internet. I have selected IP's that are outside of the port range of my router, so i do not understand your reply.

you said:

I believe Start and End IPs should be just the IP address of the NAS.

But, dest start and end ip, are the IP's that is blocked from the outside of my LAN...not my local IP...right?

once again, thanks. I know this is not your NORMAL kind of support question.

[FurryNutz]

Ok, Let me see if we can get some additional help on this...

[Dannermax]

Ok. Cant wait!!

[PacketTracer]

Hi,

Google's DNS 8.8.8.8 on port 53/udp is blocked by your syno3 rule because 8.8.8.8 lies within the destination range 0.0.0.0 - 192.168.0.255 for which you blocked any outgoing traffic from your NAS device.

As far as I understood your scenario, you want to allow your NAS device (192.168.1.52) to talk to

• your LAN = 192.168.1.0/24
• to Google's DNS on 8.8.8.8 (53/udp)
• some unknown external address w.y.x.z (1194/udp) which represents the external OpenVPN tunnel endpoint

Hence you have to block anything else except the above. And this only works if w.x.y.z is a fixed known address, because you have to build your rules around this address.

From your current rules syno1 and syno2 which seem to allow the OpenVPN connection, I draw the conclusion that "w.x" in w.x.y.z is greater than 192.168. Hence the following set of filter rules should work, given you selected 192.168.1.52 in the wizard's step 3 and "Block Some Access" + "Apply Advanced Port Filters -> checked"  in the wizard's step 4:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 192.168.0.255 TCP 0 65535
Checked syno2 192.168.2.0 255.255.255.255 TCP 0 65635
Checked syno3 0.0.0.0 8.8.8.7 UDP 0 65535
Checked syno4 8.8.8.9 192.168.0.255 UDP 0 65535
Checked syno5 192.168.2.0 w.x.y.(z-1) UDP 0 65535
Checked syno6 w.x.y.z w.x.y.z UDP 0 1193
Checked syno7 w.x.y.z w.x.y.z UDP 1195 65535
Checked syno8 w.x.y.(z+1) 255.255.255.255 UDP 0 65535

This ruleset is not exactly what you really want because it still allows ICMP to any address and UDP to all ports at 8.8.8.8 (instead of 53 only), but unfortunately this would need additional rules and you cannot specify more than eight.

PT

 

[FurryNutz]

Thank you PT. 

[PacketTracer]

Hi again,

my assumption above includes an error in reasoning: Of course LAN internal traffic bypasses the routing/filter process in your router, hence 192.168.1.0/24 doesn't have to be excluded in the filter rules. As a consequence you can use the following filter set:

 [Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 8.8.8.7 UDP 0 65535
Checked syno3 8.8.8.8 8.8.8.8 UDP 0 52
Checked syno4 8.8.8.8 8.8.8.8 UDP 54 65535
Checked syno5 8.8.8.9 w.x.y.(z-1) UDP 0 65535
Checked syno6 w.x.y.z w.x.y.z UDP 0 1193
Checked syno7 w.x.y.z w.x.y.z UDP 1195 65535
Checked syno8 w.x.y.(z+1) 255.255.255.255 UDP 0 65535

syno1 disallows your NAS to send TCP to any external IP address.
syno2-8 restrict your NAS to talk UDP to port 53 at 8.8.8.8 and port 1194 at w.x.y.z only.

ICMP isn't blocked, but in genereal it is a good idea to allow ICMP error messages to be sent from you NAS to external addresses (e.g. to w.x.y.z).

PT

[Dannermax]

Wow!! This is just what i was looking for.. But when i enter the rules, my vpn client disconnects after 10 seconds. Telling me that it cannot establish a connection. And i can see that the vpn server that i use, have 4 different IP addresses. But when connected to the vpn server, i could see the IP address i had, and i entered it in the rules..but this just made it disconnect..pretty strange.. I dont REALLY need googles DNS.. couldent i just write 192.168.1.1 in the DNS fiels of my network setup? instead of the google DNS? And then delete the google dns rules in my router?

Again.. WOW this is an awesome piece of work you done here.. i really apprechiate it!!

[PacketTracer]

Hi,

yes, if you configure your NAS to use 192.168.1.1 for DNS resolution (given you activated DNS relay function in your router), you wouldn't have to write filters for Google's DNS server 8.8.8.8 - this frees up limited rule space for other purposes.

Can the 4 vpn server addresses be aggregated to some minimum sized IP range encompassing those four addresses, say w.x.0.0/16 ? If so, try the following rule set:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 w.(x-1).255.255 UDP 0 65535
Checked syno3 w.x.0.0 w.x.255.255 UDP 0 1193
Checked syno4 w.x.0.0 w.x.255.255 UDP 1195 65535
Checked syno5 w.(x+1).0.0 255.255.255.255 UDP 0 65535

Here syno1 disallows your NAS to send TCP to any external IP address.
syno2-5 restrict your NAS to talk UDP to port 1194 at any destination address in the range w.x.0.0/16, including the 4 possible OpenVPN servers.

Of course, if another port (instead of 1194) or protocol (TCP instead of UDP) is used to constitute the OpenVPN connection, or if additional communication is in place between OpenVPN client and servers (which you might find out doing a packet trace?) above rules must be adjusted accordingly.

For OpenVPN basics see

• OpenVPN HOWTO
• OpenVPN and the SSL VPN Revolution

But when connected to the vpn server, i could see the IP address i had, and i entered it in the rules..but this just made it disconnect..pretty strange..

When saying "the IP address i had", you obviously mean the IP address your NAS is using inside the OpenVPN tunnel. But this address is irrelevant to the configuration of your router's filter list, because it belongs to IP packets encrypted via SSL inside the VPN tunnel. Hence it is invisible to your router. Your router only sees the "outer" IP packets transmitted from/to your NAS's address 192.168.1.52 to/from the VPN server's IP address which may be one of 4, if I understood you properly.

Your NAS's OpenVPN client might have some configuration file as specified here. If so, look at "remote" entries that list the possible VPN server addresses (or DNS names that you have to resolve to find the addresses).

PT

[Dannermax]

ok, it will take me some days to wrap my head around this... So your telling me to find out wether or not, my vpn provider have a server which have 4 IP addresses within the same range..  x.y.0.0 (where 0 are the range they are within...?

ok, my VPN provider have several servers through out the world, so i will go search for the ones i can use...but you were telling me that:

When saying "the IP address i had", you obviously mean the IP address your NAS is using inside the OpenVPN tunnel.

What i ment, was the external IP addresses of the VPN server i am connected to.. which can be 1 or more.. which is what you are telling me to look up, and write into the rules right?


Thanks again for your patience!!

[PacketTracer]

Hi,

What i ment, was the external IP addresses of the VPN server i am connected to.. which can be 1 or more.. which is what you are telling me to look up, and write into the rules right?

Exactly! Because this is the only relevant information you need to specify the filter rule set.

But to make things easy, if you don't know what the VPN server addresses exactly are, or if they might change in an unpredictable manner or if they lie widespread in IP address space, so they can't be aggregated to some ip range significantly smaller than the whole IPv4 space, I'd suggest you try the following simple ruleset:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 255.255.255.255 UDP 0 1193
Checked syno3 0.0.0.0 255.255.255.255 UDP 1195 65535

Here syno1 disallows your NAS to send TCP to any external IP address.
syno2-3 restrict your NAS to talk UDP to port 1194 at any external address, including any possible OpenVPN server address.

If this ruleset works, in a next step find out and report what IP addresses the OpenVPN servers use, so I can try to further narrow down the rules.

PT

[Dannermax]

Excellent...Ok. I will try it out, and report back when i have the relevant ip addresses!!