Packet Filtering

IP packet filtering helps to maintain security and productivity by selectively limiting traffic between LAN and WAN.


Assumption

LAN is using virtual IP.
LAN only has one gateway.
Router is sharing one ISP account within private LAN.

Key Configuration

  • EZRider Manager > Configuration > General Configuration > IP packet filtering table > Add
  • Enter the following information:

    1. Source IP address
    2. Source subnet mask
    3. Source TCP/IP port
    4. Protocol type
    5. Destination IP address
    6. Destination subnet mask
    7. Destination TCP/IP port
    8. Select either If True Then or If False Then option
    9. Click OK, followed by Apply and Finish, to save the configuration

Example Configurations

  • Block Outgoing Access

    1. Block one workstation outgoing access.

Scenario

The network IP range is 192.168.1.1 to 192.168.1.254 with subnet mask 255.255.255.0, and the workstation with IP address 192.168.1.8 is to be blocked.

Source IP 192.168.1.8
Subnet Mask (source) 255.255.255.255
TCP/IP Port (source) Any
Protocol Type Any
Destination IP 0.0.0.0
Subnet Mask (destination) 0.0.0.0
TCP/IP port (destination) Any
If True Discard
If False Pass

Tips

  • The filter setup will be the same if the IP address range is smaller, such as 192.168.1.33 to 192.168.1.38 with subnet mask 255.255.255.248.
  • With the above filter in place, this workstation has no outgoing access at all. If the purpose of the filter is only to stop this workstation from triggering Dial-On-Demand (when one of the profiles has been defined as a DOD profile) while keeping its outgoing access, change the "If True" field from "Discard" to "Restrict".

    2. Block a range of workstations outgoing access.

Scenario

The network IP range is 192.168.1.1 to 192.168.1.254 with subnet mask 255.255.255.0, and the workstations with IP addresses 192.168.1.8 to 192.168.1.15 are to be blocked.

Source IP 192.168.1.8
Subnet Mask (source) 255.255.255.248
TCP/IP Port (source) Any
Protocol Type Any
Destination IP 0.0.0.0
Subnet Mask (destination) 0.0.0.0
TCP/IP port (destination) Any
If True Discard
If False Pass

Tip

  • The packet filtering calculation applies the Mask first, THEN compares the IP address. In other words, in the above example, once Mask 255.255.255.248 has been entered, the Source IP can be any address from 192.168.1.8 to 192.168.1.15 (both 8 and 15 included) and the whole 8-15 range will be blocked.
  • If only a few workstations, such as 2 or 3, need to be blocked, the simpler way to implement packet filtering is one entry per workstation. If a large number of workstations need to be blocked, specifying a Mask range is preferred.
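
The mask-then-address comparison from the tip above, as an added example (not ARESCOM code). It assumes a rule matches when the packet address and the rule address are equal after both are ANDed with the mask; the dictionary keys, `ANY`, and the sample packets are constructed for illustration.

```python
import ipaddress

ANY = None  # constructed stand-in for the "Any" choice in the port/protocol fields

def masked(addr, mask):
    """Apply the mask first, as the tip describes; return the result as an int."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))

def matched_range(rule_ip, mask):
    """First and last address selected by an IP/mask pair (contiguous masks only)."""
    m = int(ipaddress.IPv4Address(mask))
    first = masked(rule_ip, mask)
    last = first | (~m & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def field_matches(rule_value, packet_value):
    return rule_value is ANY or rule_value == packet_value

def evaluate(rule, pkt):
    """Return the rule's If True action when every field matches, else If False."""
    hit = (
        masked(pkt["src"], rule["src_mask"]) == masked(rule["src_ip"], rule["src_mask"])
        and masked(pkt["dst"], rule["dst_mask"]) == masked(rule["dst_ip"], rule["dst_mask"])
        and field_matches(rule["proto"], pkt["proto"])
        and field_matches(rule["src_port"], pkt["sport"])
        and field_matches(rule["dst_port"], pkt["dport"])
    )
    return rule["if_true"] if hit else rule["if_false"]

# Example 2 from the page: block 192.168.1.8 to 192.168.1.15
BLOCK_RANGE = {
    "src_ip": "192.168.1.8", "src_mask": "255.255.255.248", "src_port": ANY,
    "proto": ANY, "dst_ip": "0.0.0.0", "dst_mask": "0.0.0.0", "dst_port": ANY,
    "if_true": "Discard", "if_false": "Pass",
}

def packet(src, dst="203.0.113.10", proto="TCP", sport=40000, dport=80):
    """Constructed sample packet; the destination is a documentation address."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

if __name__ == "__main__":
    print(matched_range("192.168.1.8", "255.255.255.248"))
    for host in ("192.168.1.7", "192.168.1.8", "192.168.1.15", "192.168.1.16"):
        print(host, evaluate(BLOCK_RANGE, packet(host)))
```

Running `matched_range` on an entry before applying it shows exactly which hosts the mask selects, which catches a mask that covers more or fewer workstations than intended.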

    3. Block One workstation outgoing Web (HTTP) access

Scenario

The network IP range is 192.168.1.1 to 192.168.1.254 with subnet mask 255.255.255.0, and the workstation with IP address 192.168.1.8 is to be blocked.

Source IP 192.168.1.8
Subnet Mask (source) 255.255.255.255
TCP/IP Port (source) Any
Protocol Type TCP
Destination IP 0.0.0.0
Subnet Mask (destination) 0.0.0.0
TCP/IP port (destination) 80
If True Discard
If False Pass

Tip

  • Other packets such as FTP and ICMP (ping) can still get through.
  • To block a particular web site, such as an adult site, enter the site's IP address in the Destination IP field and 255.255.255.255 in the Mask field.
  • To find a web site's IP address, go to MS-DOS mode and ping the site's domain name. The site's IP address will appear in the reply messages.


    4. Block Incoming Access

Scenario

Block all incoming access from the Internet to an FTP server on the LAN, except from specified addresses. The network IP range is 192.168.1.1 to 192.168.1.254 with subnet mask 255.255.255.0. The FTP server has IP 192.168.1.2 and should be accessible only from workstations in the range 100.100.100.1 to 100.100.100.63.

Source IP 100.100.100.0
Subnet Mask (source) 255.255.255.192
TCP/IP Port (source) Any
Protocol Type TCP
Destination IP 192.168.1.2
Subnet Mask (destination) 255.255.255.255
TCP/IP port (destination) 21
If True Pass
If False Discard

Tip

Keep in mind that the "Source IP" is the "From" IP and the "Destination IP" is the "To" IP. In this example, packets "From" 100.100.100.1 to 100.100.100.63 are allowed "To" 192.168.1.2.


© Copyright 2004 ARESCOM, INC. All rights reserved.