WAN based Firewall Rules

[drewski22785]

So I am trying to setup custom Firewall rules for the incoming WAN port but dont see anywhere in the GUI to do so, and not sure if editing iptables is the best route. Here is my goal:

Allow remote access for my ip only preferably am FQDN as that ip could change (ISP DHCP) and I have DDNS setup for the routers that need to access this remote rt-ax58u

Allow ICMP only from the same IP as above.

I think I can restrict the remote access to a single IP via the "Enable Access Restrictions" although my first attempt locked everyone out and had to do a hard reset and reconfigure from backup. My preference would be to allow WAN ICMP and WEB UI via my FQDN address. Any thoughts? Thanks!

 

[RMerlin]

Configure a VPN server.

 

[drewski22785]

Configure a VPN server.

Hi Merlin, That is actually why i want remote management. To manage the vpn between our devices. The concern is the vpn will go down and not come back up. I have run into issues with NTP and certs and have to get access outside of the vpn to do so.

 

[ColinTaylor]

My preference would be to allow WAN ICMP and WEB UI via my FQDN address. Any thoughts? Thanks!

The problem with any script/function that ends up generating iptables rules is that any domain names will be converted to their IP addresses as at that point in time. So if the IP address associated with a DDNS name changes the iptables rule will no longer be correct. So you end up having update the rules periodically just in case there's a change.

Consider using SSH instead of the web interface if possible. It's much more secure than the web interface and if you move it to a non-standard port you won't be bothered by bots. You could probably tunnel HTTP through it if needed.

 

[drewski22785]

The problem with any script/function that ends up generating iptables rules is that any domain names will be converted to their IP addresses as at that point in time. So if the IP address associated with a DDNS name changes the iptables rule will no longer be correct. So you end up having update the rules periodically just in case there's a change.

Consider using SSH instead of the web interface if possible. It's much more secure than the web interface and if you move it to a non-standard port you won't be bothered by bots. You could probably tunnel HTTP through it if needed.

Hi Colin you are very insightful on this forum I appreciate that. I see that merlin code allows cron jobs, this vpn router is using the base firmware but I have been debating switching to merlin. The reason I haven't on this router is I have found the latest firmware releases from july to be more stable with losing DNS than the older versions including the base code merlin has been forced to use.

That being said, if I do switch it out to Merlin code, what about a script on a 24hr cron that refresh's the iptables entry daily or something a long those lines? I am probably over thinking this just my Mom isn't very good technically so it is a challenge sometimes getting her to do stuff like updating an IP. I also hate the idea of leaving any remote connectivity open so trying to find what would be the best solution. Thanks!

 

[ColinTaylor]

That being said, if I do switch it out to Merlin code, what about a script on a 24hr cron that refresh's the iptables entry daily or something a long those lines? I am probably over thinking this just my Mom isn't very good technically so it is a challenge sometimes getting her to do stuff like updating an IP. I also hate the idea of leaving any remote connectivity open so trying to find what would be the best solution. Thanks!

Yes it would be very simple to setup a cron job by putting a "cru" statement in services-start.

 

[Maverickcdn]

I would write a script that uses cron every hour or whatever you need to see if the remote FQDNs have been updated to new IPs and if so update with sed the firewall-start iprules with new and restart the firewall, I have similar script if you're interested.

Like mentioned SSH is better off on an obscure port vs webgui. Ive never seen the rules when WAN SSH is enabled but Id venture to guess your firewall-start could be as little as, the number of remote clients IPs and a drop rule for everything else coming in on that port