Home/Support/Support Forum/How do i block all traffic except DNS and Mqtt through the ppp connection but allow admin on eth0?
Welcome to Digi Forum, where you can ask questions and receive answers from other members of the community.

How do i block all traffic except DNS and Mqtt through the ppp connection but allow admin on eth0?

0 votes
I want to close the firewall to all traffic on a WR11 with the only exceptions being

1. MQTT standard port is 1883 and ssl is 8883.
2. allow DNS lookup and....
3. only allow my laptop which would have a 192.168.100.100-109 ip to access the DIGI configuration.

I will not be using remote management or anything like that.

firewall scripts are greek to me.

thanks
travis
asked Jan 30, 2020 in Digi TransPort Cellular by trsimmons7 New to the Community (2 points)

Please log in or register to answer this question.

2 Answers

+2 votes
Hi Travis and welcome to Digi Forum.

In order to block/allow specific traffic on a WR11, you can add specific firewall rules on top of the default ones (or in substitution of those).

As an example of a rule to allow specific traffic:

pass in break end on PPP 1 proto tcp from any to any port=1883

And you can specify also specific source/destination addresses if needed and replicate the rule for different ports depending on the protocols you want to allow.

If you enable the firewall only on the PPP 1, then you will be able to access it via ETH 0 without any restrictions. If instead you want to block all also on ETH 0 except for the management, you need to enable the firewall also on ETH 0 and add a rule like this (example for HTTP management):

pass in break end on eth 0 from 192.168.1.0/24 to addr-eth 0 port=80

The above are general examples, but you can find more details on the SarOS user guide, Firewall section: https://www.digi.com/resources/documentation/digidocs/90001019/Default.htm#references/r_firewall.htm

For any further help, please review our support options on our website: https://www.digi.com/support.

Regards

Anny
Digi Technical Support Team
answered Jan 30, 2020 by annydigi Community Contributor (96 points)
I am having zero luck at getting this to work. I thought I had it after a support ticket a month ago but realized i enabled the firewall on the wrong interface (ppp0 instead of ppp1) I enabled it and nothing worked.
So more details --
Device 1 at 192.168.100.2 needs to execute a dns lookup then send a mqtt message across port 1883 or 8883 to the internet . It will also receive mqtt messsages on the same port from the internet.
Device 2 is a laptop with a dhcp address from the wr11 in the range of 192.168.100.100 thru .109.
Device 2 only needs access to the management of the wr11.
The LAN port is assigned 192.168.100.1.

SO the DNS lookup fails 100% of the time when the firewall is on - ppp1 or eth0 makes no difference. When the firewall is off it works properly but I only have a couple of mb a month data and without the firewall i would go through that in about 15 seconds!

thanks
travis
commented Jan 31, 2020 by trsimmons7 New to the Community (2 points)
0 votes
I am having zero luck at getting this to work. I thought I had it after a support ticket a month ago but realized i enabled the firewall on the wrong interface (ppp0 instead of ppp1) I enabled it and nothing worked.
So more details --
Device 1 at 192.168.100.2 needs to execute a dns lookup then send a mqtt message across port 1883 or 8883 to the internet . It will also receive mqtt messsages on the same port from the internet.
Device 2 is a laptop with a dhcp address from the wr11 in the range of 192.168.100.100 thru .109.
Device 2 only needs access to the management of the wr11.
The LAN port is assigned 192.168.100.1.

SO the DNS lookup fails 100% of the time when the firewall is on - ppp1 or eth0 makes no difference. When the firewall is off it works properly but I only have a couple of mb a month data and without the firewall i would go through that in about 15 seconds!

thanks
travis
answered Jan 31, 2020 by trsimmons7 New to the Community (2 points)
Hi Travis,

so if the DNS and MQTT are initiated in the LAN, maybe it is better the following:

pass break end proto tcp from 192.168.100.2 to any port=1883

So is more general and is applied bot on ETH 0 and PPP 1.

And same for DNS.

Then for management you could do similar:

pass break end on eth 0 from 192.168.1.0/24 to addr-eth 0 port=80

And apply the firewall both on ETH 0 and PPP interface.

If still no luck, I would suggest to open a new case for this as this is not something we can troubleshoot via Forum. We would need to see debug, traces and logs of both cases in order to better help you. As it also depend on other rules you may have in the firewall and the order of those.

Best Regards,

Anny
Digi Technical Support Team
commented Feb 7, 2020 by annydigi Community Contributor (96 points)
...