Firewall - Outbound rules

ITguy
I know the firewall has inbound filtering, however, I don't see the capability to further custom lockdown the firewall.
Does anyone know how to set up custom outbound rules using the Network Services Filter?

At the bottom of the image below, you have Source IP and Destination IP listed. (i.e. 192.168.0.2 - 192.168.0.254)
I'd like to specify an IP range in the box. I already know how to specify a port range.

1737993288632.png
 
@ITguy You haven't said what router or firmware version you're using. Your image is of the stock firmware from the Asus FAQ. As such it probably doesn't support CIDR notation. Try moving your mouse pointer over "Source IP" and seeing if there's a popup help balloon.
 
As others indicated, click on the text "Source IP" and "Destination IP" to see the tooltip information for each field. For example:
Source IP Tool Tip:
sourceIP.jpg

Destination IP Tool Tip:
destinationIP.jpg
 
Thanks everyone.

Specifically, I was looking to cover something along this range of .2 - .254.
(as an example 192.168.0.2 - 192.168.0.254)

I wanted to leave .1 out of the range.
 
Is the .2 - .254 range the destination or the source? It sounds like it's the destination addresses of an upstream router that you're NATed behind. In other words you're trying to block access to that subnet apart from that router's admin interface. Correct?

What router model and firmware version is the Asus?
 
Is the .2 - .254 range the destination or the source? It sounds like it's the destination addresses of an upstream router that you're NATed behind. In other words you're trying to block access to that subnet apart from that router's admin interface. Correct?
Correct.

Actually, it could be either dest or source ip depending on how far you want to lock things down with deny rules.

AX 88 Pro
 
What difference does it make? Seems to me that most routers in this Asus class use firmware that functions identically/almost identically to others in the class.
See post #3. Merlin supports CIDR notation which AFAIK stock firmware doesn't. Merlin also contains other enhancements like custom firewall scripts.

Stock firmware for this model is based on the 3.0.0.6.102 branch whereas Merlin's is based on the older 3.0.0.4.388 branch. There are major differences between these two branches.
 
I don't have Merlin. Even with CIDR, the range I'm looking to cover generates many entries if I'm not mistaken.

Something weird that I did notice is that TCP and TCP ALL do not function the same way, meaning TCP will do the block (deny) and TCP ALL won't.

I'm currently making use of asterisk (i.e. 192.168.0.*) when specifying IP addresses but I'd like to be more precise as per post #6.

What's frustrating is the fact there are some other cheap routers out there that have a more flexible firewall configuration.
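
To put a number on the "many entries" concern above: this added example (not posted by anyone in the thread, and not Asus or Merlin code) splits 192.168.0.2 - 192.168.0.254 into the fewest CIDR blocks a CIDR-only filter field would need, and compares it with the 192.168.0.* wildcard. The function names are made up for this illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks that exactly covers first..last."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last address")
    blocks = []
    while lo <= hi:
        # A block must start on its own size boundary, so its size is
        # limited by the number of trailing zero bits in lo.
        align_bits = (lo & -lo).bit_length() - 1 if lo else 32
        # It must also not run past hi.
        fit_bits = (hi - lo + 1).bit_length() - 1
        host_bits = min(align_bits, fit_bits)
        blocks.append(ipaddress.IPv4Network((lo, 32 - host_bits)))
        lo += 1 << host_bits
    return blocks

def matches(blocks, addr):
    """True if addr would be hit by a rule list built from blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in blocks)

def covered(blocks):
    """Expand blocks back into the set of individual addresses."""
    return {ip for net in blocks for ip in net}

if __name__ == "__main__":
    # Range from the thread; every other value here is derived from it.
    rules = range_to_cidrs("192.168.0.2", "192.168.0.254")
    for net in rules:
        print(net)
    print(len(rules), "entries needed for .2 - .254")
    # The wildcard 192.168.0.* is the whole /24, so it also hits .1.
    wildcard = [ipaddress.IPv4Network("192.168.0.0/24")]
    for probe in ("192.168.0.1", "192.168.0.2", "192.168.0.254", "192.168.0.255"):
        print(probe, "range rules:", matches(rules, probe),
              "wildcard:", matches(wildcard, probe))
```

The range needs 13 entries, from 192.168.0.2/31 up to 192.168.0.254/32, and none of them touches .0, .1 or .255.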
 
Something weird that I did notice is that TCP and TCP ALL, do not function the same way meaning TCP will do the block (deny) and TCP ALL won't.
TCP ALL refers to the TCP flags, SYN, ACK, etc. So the "ALL" part means "when all flags are set". This is a situation that never occurs making that option completely pointless. Hence that option was removed from Merlin's firmware.
 