Firewall Help

Edward Perez

New Around Here
How can I tell an ASUS AC3200 running Merlin's 380.57 to let anything from a certain subnet on the WAN side pass to the LAN side without dropping anything?

An example:

Code:
Feb 15 11:27:34 kernel: DROP IN=eth0 OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=108 TOS=0x00 PREC=0x00 TTL=243 ID=6516 PROTO=UDP SPT=4500 DPT=4500 LEN=88

I want the entire subnet of 1.2.x.x to be allowed to be able to pass anything back and forth to 5.6.7.8.

Thanks!
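As an added example (not code from the thread or from the firmware), a small Python script that parses kernel DROP lines in the format shown above and reports which drops involve a given trusted subnet, so the log can be checked against the VPN's UDP 4500 traffic before any firewall rule is written. The sample log lines and the subnet 1.2.0.0/16 are constructed from the post.

```python
import ipaddress
import re

# KEY=VALUE fields as written by the router's netfilter LOG target.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop_line(line):
    """Return a dict of KEY=VALUE fields from a 'kernel: DROP ...' line, or None."""
    if "kernel: DROP" not in line:
        return None
    _, _, rest = line.partition("kernel: DROP")
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        # The line carries two LEN= fields (IP header, then UDP/TCP); keep the first.
        fields.setdefault(key, value)
    return fields


def drops_involving(lines, cidr):
    """Yield (src, dst, proto, sport, dport) for drops whose SRC or DST is inside cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    for line in lines:
        f = parse_drop_line(line)
        if not f or "SRC" not in f or "DST" not in f:
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if src in net or dst in net:
            yield (str(src), str(dst), f.get("PROTO"), f.get("SPT"), f.get("DPT"))


# Constructed sample: the line from the post plus two unrelated drops.
SAMPLE_LOG = [
    "Feb 15 11:27:34 kernel: DROP IN=eth0 OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=108 TOS=0x00 PREC=0x00 TTL=243 ID=6516 PROTO=UDP SPT=4500 DPT=4500 LEN=88",
    "Feb 15 11:28:01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=5.6.7.8 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb 15 11:28:05 kernel: DROP IN=eth0 OUT=eth0 SRC=1.2.9.9 DST=5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=240 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    for hit in drops_involving(SAMPLE_LOG, "1.2.0.0/16"):
        print(hit)
```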
 
Given that the dropped packet you're showing is for UDP port 4500, it looks like you're trying to connect a VPN.

There are various ways of connecting VPNs, but you'll have to provide more information about the remote network.
 
I'm not sure what you need to know.

I don't have a lot of info on the remote network. I am connecting a PC via VPN and there is also an Avaya IP phone that creates a VPN tunnel and then connects to a call server, it is a Cisco VPN concentrator from what I do know. Both are experiencing the same issue where every few minutes there is a 10-20 second lapse in data / silence on a call. At the same time that happens I see that dropped message in the log. Since this network that is being connected to is trusted, I just want to tell the firewall to leave things coming and going to it alone.
 
The only thing obvious to check on the router is at WAN > NAT Passthrough and make sure they are all enabled apart from PPPoE Relay.

Because you are connecting to a Cisco VPN concentrator, their IT department will normally provide you with the Cisco VPN client for your PC or a dedicated router that is pre-configured for LAN to LAN. What are you using?
 
Thank You for your help, but all I really want to know is how can I tell the router firewall to pass all traffic from a certain subnet.... period, never touch anything from that subnet. Does not matter what the traffic is, just leave it alone. In other words, turn off the firewall for (made up network for example) 204.56.201.0/20.
 
That's impossible. Your subnet and that of the remote site will be using a private address range, i.e. 192.168.*.* or 10.*.*.*. Private IP addresses are not routable over the public internet.

To get around this, each end has to NAT their internal network to a public, routable IP address. VPNs use NAT traversal to create a tunnel between the two sites. The client sees his end of the tunnel as a virtual network interface attached to the remote network. Your router doesn't see any of this because the traffic is encrypted as it flows through the tunnel. The only thing the router sees is a single port (in your case, port 4500) connected to the public IP address of the remote site.
 