Blocking internet and port forward - clarification please
Firewalla Gold as router. I forward some ports to a server, which process has operated normally for about a year. In the last week my server disappeared from the internet. Checking blocks, it showed the network-level rule "Block Internet" was responsible. This is odd because either it worked normally with this before or else I accidentally set up the block while fiddling with a Purple adjacent (but not controlling) within the network. However, my query relates to rule priority. I thought that forwarding certain ports at a device level would override a network-level incoming internet traffic block. Is this not so? Allow on Firewall is on for each forwarding rule.
Pausing the general block rule makes things visible as they should be, so it seems the port forwarding with "Allow on Firewall" is insufficient despite apparent priority.
Is the rule "Traffic from Internet"? That one is default and should be there and should allow for port forwarding as you said. I have that on along with a port forwarding rule that does work, as it should. I don't really have any idea why it would stop working, or a suggestion, since you turned it off and it works (so ports and server IP must be right). Do you allow from ANY? Maybe source IP changed?
1. Block "traffic from internet" is the default ingress firewall.
2. If you want ports to be mapped inside, you will need to create the port mapping and also "allow on the firewall" checked.
3. To be even safer, you can use this too https://help.firewalla.com/hc/en-us/articles/1500009502622
The most common issues we've see are following
1. ISP's public IP changes and the DDNS part (or your own DDNS) did not catch up.
2. Server-based restrictions, not allowing certain IP (miss configuration)
3. the device accessing the port is blocked by active protection. (rare, but happens)
If all are checked above, then send an email to firstname.lastname@example.org and we will help you
The following is my present model of how some things work within a Firewalla router (straightforward enough, but set out for clarity in my context).
~A imagine this as a top rules layer, the firewall between the internet and your systems
~B imagine this as a mid-layer where you define rules for specific LANs
~C imagine this as the rules or activity layer for individual devices, specifically a server with open ports.
~A is where you block the internet as a general-state rule, and where you open ports to the internet ("open on firewall")
~C has open ports, some of which are to be open to the internet and one (22) only locally.
Problems and results:
If you set a rule at level ~B to block the internet incoming to the ~C devices LAN it will break the link between ~A and ~C, so that the 'open' ports in ~C are not visible externally. If you remove the incoming internet blocks at both ~A and ~B then all ports at ~C are open externally whether intended or not.
The incoming internet block rule must be set at ~A for All Devices (where the FW is aware of which ports should be allowed, unlike at ~B). A corresponding incoming internet blocking rule at level ~B is superfluous or worse, in the described context.
If I have misinterpreted the messages from Firewalla support then doubtless they will be along to correct things. Either way, I feel that some of the documentation can do with some clarification.
My actual problem seems to have been that at some point while configuring a Purple I had addressed the wrong device, removing the general rule at ~A on the Gold, then quickly recreating it but at ~B, so it all broke.
Please sign in to leave a comment.