Firewall question on system not using VLAN

Router Firewall without VLAN question:
Why is it that a rule blocking an IP from accessing internet works, using ALL (prevents computer from accessing internet)
but a rule blocking internet from accessing an IP doesn't when ALL is substituted with INTERNET?

Is it because the computer originated the connection with internet? Not internet accessing the IP in rule?

And:

Question number 2:
Is the INTERNET setting in a firewall entry only for those with VLAN enabled? I seem to have to use ALL instead... ??

For example, I create 2 identical rules blocking this computer... one for INTERNET deny for this IP and one ALL deny for this IP
I put the INTERNET rule above the ALL RULE.... and SAVE: So INTERNET Rule will be accessed first, ALL second...
I'm blocked, yes, but only ALL rule gets "Hits" ???? Internet rule above gets no "Hits" so it seems to not be working ????
Is INTERNET a VLAN ONLY setting?

If so, which settings in firewall create are ONLY for VLAN, so I, and others, know to avoid them in the future, if we don't use VLAN?
This is important because firewall will allow you to create rules that seem correct, but will not work, and will not report it is incorrect... It just sits there with 0 'Hits'.
Can't find this info in any docs.... Knowing which rules do not apply when you don't use VLAN would sure be helpful!!!!

Thank You!
I saw you posted this at the Synology forum. You seemed to be getting answers there.

The firewall applies rules at the ingress points, the interface. You define the source interface and that is where the policy acts, on inbound connections, since this is a stateful firewall, not a packet router.

So if you create a rule with source being the Internet interface then matches coming to that interface will be processed. This is in fact good because you can have LAN rules for source IP using RFC 1918 addresses that cannot now be mis-used to allow those IPs presenting at the WAN edge (e.g. internally used by your ISP).
Yes. I have learned it’s not LAN 2 LAN (Wouldn’t that be nice!) and some are VLAN only. Not using VLAN here.
Tested and had success with a couple operational rules. Like I said: don’t need them now, but was good learning how far I could successfully push the envelope, if needed later.
fredbert, Could you elaborate on this a bit further, Please?

So if you create a rule with source being the Internet interface then matches coming to that interface will be processed. This is in fact good because you can have LAN rules for source IP using RFC 1918 addresses that cannot now be mis-used to allow those IPs presenting at the WAN edge (e.g. internally used by your ISP).
If you create a rule:
  • Source interface: LANs
  • Source IP: 192.168.0.0/16
  • Destination interface: Any
  • Destination IP: Any
  • Action: Allow
Then this rule only applies to connection attempts originating from the LAN interfaces destined for anywhere.

This rule won’t allow 192.168.0.0/16 source IP attempts originating from the Internet to access anywhere.

But if the interfaces are excluded, or assumed to be applied to any interface, then the second scenario will be allowed.

You might have noticed that ISPs use RFC 1918 reserved IP ranges within their private infrastructure, outside your LAN. So it might be possible for attempts originating outside the firewall to be allowed inside if interfaces are not defined in rules.
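The two behaviours discussed in this thread, interface-bound rule matching and stateful handling of LAN-initiated connections, modelled as an added example (not code from the thread or from Synology): a toy first-match rule evaluator in Python where each rule carries a source interface, run against constructed rules and packets for the spoofed RFC 1918 case and for the reply to an outbound connection that a WAN-side deny rule never sees. The Rule, Packet and decide names, and the session-table model, are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    src_iface: str   # "LAN", "WAN" or "ANY" (rule not bound to an interface)
    src_net: str     # source network in CIDR notation
    dst_net: str     # destination network in CIDR notation
    action: str      # "allow" or "deny"
    hits: int = 0    # counter, like the firewall's "Hits" column

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrives on: "LAN" or "WAN"
    src: str
    dst: str

def first_match(rules, pkt):
    """Return the first rule matching the packet's ingress interface, source and destination."""
    for r in rules:
        if r.src_iface not in ("ANY", pkt.iface):
            continue
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst_net)):
            r.hits += 1
            return r
    return None

def decide(rules, pkt, sessions=frozenset()):
    """Stateful evaluation (assumed model): a reply to a connection already in the
    session table is accepted before the rule list is consulted; only new
    connections are matched against the rules, so rules record no hits for replies."""
    if (pkt.dst, pkt.src) in sessions:
        return "allow (established)"
    r = first_match(rules, pkt)
    return r.action if r else "deny (default)"

# Constructed sample rules and packets (illustrative values only).
INTERFACE_BOUND = [Rule("LAN", "192.168.0.0/16", "0.0.0.0/0", "allow")]
INTERFACE_LESS = [Rule("ANY", "192.168.0.0/16", "0.0.0.0/0", "allow")]
SPOOFED = Packet("WAN", "192.168.5.5", "192.168.1.10")  # RFC 1918 source at the WAN edge

BLOCK_INTERNET_TO_PC = [Rule("WAN", "0.0.0.0/0", "192.168.1.10/32", "deny")]
REPLY = Packet("WAN", "203.0.113.9", "192.168.1.10")    # answer to a flow the PC opened
SESSIONS = {("192.168.1.10", "203.0.113.9")}           # (local, remote) pairs the PC started

if __name__ == "__main__":
    print(decide(INTERFACE_BOUND, SPOOFED))              # deny (default)
    print(decide(INTERFACE_LESS, SPOOFED))               # allow
    print(decide(BLOCK_INTERNET_TO_PC, REPLY, SESSIONS)) # allow (established)
    print(BLOCK_INTERNET_TO_PC[0].hits)                  # 0
```

Only the rule without a source interface lets the spoofed packet through, and the WAN-side deny rule stays at 0 hits for the reply because the session table answers first.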