firewall, inbound firewall rules and port forwarding (on RT-AX58U) clarification

Pir

New Around Here
Hi,
can someone help me clarify a few questions around the usage of the following (if possible in the context of RT-AX58U)
  1. firewall
  2. inbound firewall rules
  3. port forwarding
I read the following articles and am drawing the following conclusions (please correct me if I am wrong)

Setup (multi-layer network)
We have two routers - a private network ("primary" with RT-AX58U - WAN 192.... - LAN 10.1.10.1) and another private network ("sub" also with RT-AX58U - Local WAN: 10.1.10.2 and LAN 10.2.10.1) within that one.

ad1

When I have no firewall on, I can reach a specific service on the subnet just fine. My understanding thus is that without a firewall, the subnet is just "wide open". Is that correct? <-
When I turn the firewall off, I cannot reach the service anymore, so only outbound requests would go out and be answered?

If I wanted to reach the service I would need a port forwarding, correct (and not just inbound rules)? <-


ad2 - what are the IP4 inbound rules?

I didn't find any description, thus was thinking these are "allow connection" rules, but it seems that they are further "disallow" rules?
I found the following:


with the comment from Colyn Taylor
The Firewall - General > IPv4 Inbound Firewall Rules blocks all incoming traffic from specific sources.

Normally you would only use WAN - Virtual Server / Port Forwarding if you want to expose a LAN server to the internet. You can restrict incoming connections to this server to those from specific source ranges using CIDR notation (or multiple rules).

How do I know that those rules are "disallow"? Where is some official note on that? <-


ad3 - port forwarding


Please note that if the router is using a private WAN IP address (such as connected behind another router/switch/modem with built-in router/Wi-Fi feature), could potentially place the router under a multi-layer NAT network. Port Forwarding will not function properly under such environment.

In terms of the multi-layer network: Does that mean, that I will not be able to use port forwarding to access devices on the sub network IN THE CASE when the firewall is on (yes, I would like to have the firewall on, as the primary network is more of a "employee" network and the "sub" has very restrictive access)? <-


Thank you for helping me learn and understand!
 
You can verify the actual state of the firewall at any time by dumping it using iptables from an ssh session.

Code:
iptables -vnL
iptables -t nat -vnL

Granted, it takes some time to learn how iptables works. But that's how you KNOW what's actually happening, despite what any documentation or GUI option may be telling you. It's why when problem solving on this forum, if I think it's a firewall issue, I'll often cut to the chase and have the OP dump it to see if there are any obvious errors or conflicts.

By default, almost any router will BLOCK all unsolicited inbound traffic to the WAN. That's why you need port forwarding -- to implement any exceptions. By default, they will typically ALLOW all outbound traffic over the WAN. You could block that traffic if you wanted to, but it's assumed devices on the LAN side are secure and don't have hostile intent (may or may not be true, but that's the assumption).

In order for port forwarding to work, the WAN of the router must have a *public* IP (as opposed to a private IP like 192.168.x.x or 10.x.x.x). That's because private IPs are NOT routable across the public internet. Thus, if you stick your router behind another router upstream (e.g., the ISP provided router) (WAN to LAN respectively), it's the upstream router that gets the public IP, and your router's WAN is assigned a private IP from the upstream router's private network. Hence, port forwarding will fail on the downstream router. Not unless you also port forward on the upstream router (i.e., daisy-chain the port forwarding). OR, you could place the WAN ip of the downstream router in the DMZ of the upstream router. Now ALL unsolicited inbound traffic to the upstream router's WAN that would otherwise be blocked, will be passed to the downstream router's WAN. Use of the DMZ just makes it easier to manage.
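To illustrate the advice above that the iptables dump, not the GUI, tells you what the firewall really does, here is an added Python script. It is not from this thread and not Asuswrt code: it parses constructed `iptables -vnL` and `iptables -t nat -vnL` output (loosely modelled on Asuswrt's layout; the interface names eth0/br0, the VSERVER chain names and the WAN address 192.0.2.10 are assumptions), lists every DNAT port forward reachable from PREROUTING, and checks whether the FORWARD chain actually ACCEPTs the forwarded flow. The second sample forward deliberately has a DNAT entry but no matching ACCEPT, which is the kind of "obvious conflict" a dump reveals: with the FORWARD policy at DROP, that port is rewritten and then dropped.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample dumps, loosely modelled on Asuswrt `iptables -vnL` /
# `iptables -t nat -vnL` output. eth0 = WAN, br0 = LAN, VSERVER chain names
# and the WAN address 192.0.2.10 are assumptions for illustration.
FILTER_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4021 2145K ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
 3990 5012K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 VSERVER    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.10.50           tcp dpt:443
"""
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  3420 VSERVER    all  --  *      *       0.0.0.0/0            192.0.2.10

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:10.1.10.50:443
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 to:10.1.10.60
"""
WAN_IF = "eth0"  # assumed WAN interface name

# One parsed rule; `extra` is the trailing match text, e.g. "tcp dpt:8443 to:10.1.10.50:443"
Rule = namedtuple("Rule", "target proto in_if out_if source dest extra")

@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains, which have no policy
    rules: List[Rule] = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
DPT_RE = re.compile(r"\bdpt:(\d+)")
DNAT_RE = re.compile(r"\bto:([\d.]+)(?::(\d+))?")

def parse_iptables(dump: str) -> Dict[str, Chain]:
    """Parse `iptables -vnL` text into chains; packet/byte counters are ignored."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in (l.strip() for l in dump.splitlines()):
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = Chain(m.group(1), m.group(2))
            continue
        if not line or line.startswith("pkts") or current is None:
            continue  # blank line or column header
        parts = line.split(None, 9)  # 9 fixed columns + optional match text
        if len(parts) >= 9:  # skip the "opt" column (parts[4])
            current.rules.append(Rule(parts[2], parts[3], *parts[5:9], parts[9] if len(parts) > 9 else ""))
    return chains

def walk(chains: Dict[str, Chain], name: str, seen: Optional[set] = None) -> Iterator[Rule]:
    """Yield a chain's rules, descending into user-defined chains it jumps to."""
    seen = set() if seen is None else seen
    if name in seen or name not in chains:
        return
    seen.add(name)
    for rule in chains[name].rules:
        yield rule
        if rule.target in chains:  # jump target is another chain of this table
            yield from walk(chains, rule.target, seen)

def port_forwards(nat: Dict[str, Chain]) -> List[Tuple[str, int, str, int]]:
    """(proto, wan_port, lan_ip, lan_port) for each DNAT reachable from PREROUTING."""
    found = []
    for rule in walk(nat, "PREROUTING"):
        dpt, to = DPT_RE.search(rule.extra), DNAT_RE.search(rule.extra)
        if rule.target == "DNAT" and dpt and to:
            wan_port = int(dpt.group(1))
            # "to:ip" without a port keeps the original destination port
            found.append((rule.proto, wan_port, to.group(1), int(to.group(2) or wan_port)))
    return found

def accepted_in_forward(filt: Dict[str, Chain], proto: str, lan_ip: str,
                        lan_port: int, wan_if: str = WAN_IF) -> bool:
    """Approximation: does FORWARD ACCEPT *new* WAN -> lan_ip:lan_port flows?
    Compares in-interface, protocol, destination and dpt only; RELATED/ESTABLISHED
    rules are skipped because they never admit an unsolicited new connection."""
    for rule in walk(filt, "FORWARD"):
        dpt = DPT_RE.search(rule.extra)
        if (rule.target == "ACCEPT" and "ESTABLISHED" not in rule.extra
                and rule.in_if in ("*", wan_if) and rule.proto in ("all", proto)
                and rule.dest in ("0.0.0.0/0", lan_ip)
                and (dpt is None or int(dpt.group(1)) == lan_port)):
            return True
    return False

def audit(filter_dump: str, nat_dump: str, wan_if: str = WAN_IF):
    """Pair each DNAT with whether the filter table actually lets it through."""
    filt, nat = parse_iptables(filter_dump), parse_iptables(nat_dump)
    rows = [(p, wp, ip, lp, accepted_in_forward(filt, p, ip, lp, wan_if))
            for p, wp, ip, lp in port_forwards(nat)]
    return filt["FORWARD"].policy, rows

if __name__ == "__main__":
    policy, rows = audit(FILTER_DUMP, NAT_DUMP)
    print("FORWARD policy:", policy)
    for proto, wan_port, lan_ip, lan_port, ok in rows:
        print(f"{proto}/{wan_port} -> {lan_ip}:{lan_port}:", "reachable" if ok else f"DNAT only, new flows hit policy {policy}")
```

On a real router you would feed the script the output of the two commands quoted above instead of the constructed strings. The match logic is deliberately a simplification (port ranges, source restrictions and `ctstate NEW` rules are not modelled), so treat a "reachable" verdict as a prompt to read that rule, not as proof.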
 
Thank you @eibgrad

By default, almost any router will BLOCK all unsolicited inbound traffic to the WAN.
So why do I need a firewall on top?
And why do I reach the NAS in the subnetwork from the primary private network, if the firewall is not running?

Hence, port forwarding will fail on the downstream router
so that means I cannot have a firewall on the downstream (private sub net) router, because I cannot use port forwarding?
(I succeeded in dumping the rules, but first didn't understand a thing :D and second, there is no use to interpret them, if there are some basics why it won't work anyhow - so I am trying to understand the basics first please)

Use of the DMZ just makes it easier to manage.
I do not want to open the NAS in the subnet to the internet, just to a device in the primary private lan network. Would that still be something of use?



Any idea on the interpretation of the IP4 inbound rules?
 
So why do I need a firewall on top?

On top? You mean the primary router? Because we assume any unsolicited inbound traffic coming from the primary router's WAN is potentially hostile.

When dealing w/ traffic that is ONLY routed internally (i.e., from one internal network to another internal network), that's a completely different situation, assuming YOU can control both networks. Presumably each network trusts the other. And in that case, while you could continue to use a firewall and port forwarding between them, it would probably make more sense to NOT have a firewall, thus eliminating the need for port forwarding, and route directly between the two networks. However, you'd typically need to add static routes to the upstream router in order for it to know how to route to the downstream router's network.

And why do I reach the NAS in the subnetwork from the primary private network, if the firewall is not running?

If the firewall is OFF on the router between the two subnets, then there's nothing to deny the access. That's the point of having it ON; to deny the WAN->LAN access by default. You then add your port forwards as a means to define your exceptions.

so that means I cannot have a firewall on the downstream (private sub net) router, because I cannot use port forwarding?

Explained above.

I do not want to open the NAS in the subnet to the internet, just to a device in the primary private lan network. Would that still be something of use?

Explained above.
 
On top? You mean the primary router? Because we assume any unsolicited inbound traffic coming from the primary router's WAN is potentially hostile.
I mean on top of the following statement:
By default, almost any router will BLOCK all unsolicited inbound traffic to the WAN.

In other words, why a firewall if a router blocks unsolicited traffic by default. Or did you mean, that the firewall is on by default and that blocks the traffic?


Would that still be something of use?
That was in regard to the DMZ. I didn't explain myself properly, sorry. Could I use DMZ (I didn't find a good explanation what it is besides, opening a device to the internet).
In regard to the subnet: If I would use DMZ on the downstream router for the one device in the subnet and still have firewall on the downstream router, would that make sense (be equal to firewall and a port forwarding, only that the latter does not work in private network)?
 
I mean on top of the following statement:


In other words, why a firewall if a router blocks unsolicited traffic by default. Or did you mean, that the firewall is on by default and that blocks the traffic?

When I said the router blocks unsolicited traffic by default, I was referring specifically to its firewall, which is enabled by default. And when enabled, the firewall, by default, will block unsolicited inbound traffic. If, however, you disable the firewall, then naturally there is nothing to prevent the inbound access.

That was in regard to the DMZ. I didn't explain myself properly, sorry. Could I use DMZ (I didn't find a good explanation what it is besides, opening a device to the internet).
In regard to the subnet: If I would use DMZ on the downstream router for the one device in the subnet and still have firewall on the downstream router, would that make sense (be equal to firewall and a port forwarding, only that the latter does not work in private network)?

As I said, normally the router's firewall is ON by default, and that firewall will, by default, block all unsolicited inbound traffic to the WAN. However, there are times when you might want to allow that same traffic to be passed to a secondary router for handling by *its* firewall. You do that by specifying the WAN ip of the downstream router in the DMZ of the upstream router. Now it's just as if the downstream router was acting as the upstream router, at least as far as unsolicited inbound traffic. You're effectively passing responsibility for that traffic from one router to another router. It's particularly convenient when the upstream router is facing the public internet and you need to port forward through the primary router to a secondary/downstream router for remote access purposes. Without the DMZ, you would have to establish port forwards on *each* router! While that will work, it's usually easier to configure the DMZ instead.

All that said, for traffic that originates *internally* from one router's subnet to another router's subnet, you probably don't need to use a firewall or DMZ. Although you could, if you wanted to, particularly if you had some reason to NOT trust access of one subnet from/to the other. But in most cases, you probably do. And when you do disable the firewall, there's no need for port forwarding. You just reference the subnets directly (e.g., 192.168.1.x <-> 192.168.2.x). Just beware that this will likely require establishing static routes on the upstream router that point to the WAN ip of the downstream router as the gateway to the latter's subnet. If you don't, then you will likely have access problems, but it will be due to routing issues, NOT firewall issues.
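The static-route point above is the one that most often trips people up, so here is an added Python model of the OP's two-router layout (added for this thread; not code from the forum or from Asuswrt). It uses the addresses given in the thread (primary LAN 10.1.10.1, sub WAN 10.1.10.2, sub LAN 10.2.10.1) plus a client at 10.1.10.20 and a NAS at 10.2.10.50 as constructed hosts, with 192.0.2.0/24 standing in as a placeholder for the public side. Only routing is simulated (longest-prefix match, hop by hop), with the firewall between the subnets disabled as suggested; NAT and firewall rules are not modelled. It shows that without the static route on the upstream router, a packet from the primary LAN to 10.2.10.50 follows the default route towards the ISP and dies there, while the reply direction works even without it, which is exactly why this looks like an access problem rather than a routing one.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str] = None  # next-hop address; None means directly connected

@dataclass
class Node:
    name: str
    addrs: List[str]                      # addresses this host/router owns
    routes: List[Route] = field(default_factory=list)

def route(prefix: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), via)

def build_topology(static_route: bool) -> Dict[str, Node]:
    """The thread's two-router setup. 10.1.10.x / 10.2.10.x come from the thread;
    192.0.2.0/24 is a placeholder for the public WAN side; client and NAS
    addresses are constructed for the example."""
    nodes = [
        Node("client", ["10.1.10.20"],
             [route("10.1.10.0/24"), route("0.0.0.0/0", "10.1.10.1")]),
        Node("primary", ["10.1.10.1", "192.0.2.10"],
             [route("10.1.10.0/24"), route("192.0.2.0/24"),
              route("0.0.0.0/0", "192.0.2.1")]),
        # The ISP side has no route back into private space: RFC 1918
        # destinations are not routable across the public internet.
        Node("isp", ["192.0.2.1"], [route("192.0.2.0/24")]),
        Node("sub", ["10.1.10.2", "10.2.10.1"],
             [route("10.1.10.0/24"), route("10.2.10.0/24"),
              route("0.0.0.0/0", "10.1.10.1")]),
        Node("nas", ["10.2.10.50"],
             [route("10.2.10.0/24"), route("0.0.0.0/0", "10.2.10.1")]),
    ]
    if static_route:
        # The fix described in the thread: tell the upstream router that
        # 10.2.10.0/24 lives behind the downstream router's WAN address.
        nodes[1].routes.insert(0, route("10.2.10.0/24", "10.1.10.2"))
    return {n.name: n for n in nodes}

def best_route(routes: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, as a real forwarding table does."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

def trace(nodes: Dict[str, Node], start: str, dst: str,
          max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow one packet hop by hop; returns (nodes visited, outcome)."""
    owner = {IPv4(a): n for n in nodes.values() for a in n.addrs}
    dst_ip, cur, path = IPv4(dst), nodes[start], [start]
    for _ in range(max_hops):
        if any(IPv4(a) == dst_ip for a in cur.addrs):
            return path, "delivered"
        r = best_route(cur.routes, dst_ip)
        if r is None:
            return path, f"dropped at {cur.name}: no route to {dst}"
        nexthop = dst_ip if r.via is None else IPv4(r.via)
        if nexthop not in owner:
            return path, f"dropped at {cur.name}: next hop {nexthop} unreachable"
        cur = owner[nexthop]
        path.append(cur.name)
    return path, "dropped: hop limit exceeded"

if __name__ == "__main__":
    for static in (False, True):
        print(f"static route on primary: {static}")
        print("  client -> NAS:", trace(build_topology(static), "client", "10.2.10.50"))
        print("  NAS -> client:", trace(build_topology(static), "nas", "10.1.10.20"))
```

The asymmetry is the thing to notice: the NAS can always reach the primary LAN because 10.1.10.0/24 is directly connected on the sub router's WAN side, but the primary router has no idea where 10.2.10.0/24 is until the static route is added, so it hands the packet to its default gateway. On the real router, `ip route` (or the LAN - Route page in the GUI) is where you would confirm that entry exists.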
 