Has anybody configured a Draytek router for multiple IP ranges?

Peter
03-27-2010, 06:14 PM

I've spent way too much time on this but though I might have one final
try here...

I have a 2900 router in front of an email server.

The server used to receive email directly from outside but we were
getting major problems with spam and DOS attacks, and I have just
signed up with Messagelabs to filter the email.

The ML output is now routed to our email server, which has much less
work to do. It works very well.

Unfortunately a lot of spam still comes *direct* to our email server,
for various reasons (stale DNS caches, maybe port sniffing).

Messagelabs recommend setting up a firewall so that emails are
received only from their IP ranges

http://imageserver.messagelabs.com/E.../Subnet_IP.pdf

Is it possible to set this up on the 2900 router?

I can see it would be done under IP Filter / Firewall setup but I
cannot find any clear documentation, never mind examples, of how to
open up port 25 to allow 10 subnet-based addresses in, and block all
other port 25 stuff.

The 2900 has just 7 filters per set but can have a number of sets, and
it isn't clear how these interact. Somehow they need to be chained.

Logically, one should enter the ten 'allow' rules, followed by one
'block all port 25' rule. But this doesn't seem to work. That is how
the (otherwise utterly obscure) Cisco IOS rules worked.

I have tried even simpler rules, within the set of 7 so no filter
chaining involved, and the filters still don't do anything.

I have looked around the web, including the otherwise very useful
draytek.co.uk site (I bought some routers from them) without which
there would be zero hope of ever getting even a half-clever VPN config
to work on the Draytek

The other issue is reliability: obviously this config cannot be tested
(no way to get ML to send us emails from every IP they might use, even
though I can see from testing that they do vary the IPs across
consecutive emails) so the config has to be 100% right otherwise we
could be losing some emails and not others.
Paulg0
03-27-2010, 07:42 PM

"Peter" <occassionally-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I've spent way too much time on this but though I might have one final
> try here...
>
> I have a 2900 router in front of an email server.
>
> The server used to receive email directly from outside but we were
> getting major problems with spam and DOS attacks, and I have just
> signed up with Messagelabs to filter the email.
>
> The ML output is now routed to our email server, which has much less
> work to do. It works very well.
>
> Unfortunately a lot of spam still comes *direct* to our email server,
> for various reasons (stale DNS caches, maybe port sniffing).
>
> Messagelabs recommend setting up a firewall so that emails are
> received only from their IP ranges
>
> http://imageserver.messagelabs.com/E.../Subnet_IP.pdf
>
> Is it possible to set this up on the 2900 router?
>
> I can see it would be done under IP Filter / Firewall setup but I
> cannot find any clear documentation, never mind examples, of how to
> open up port 25 to allow 10 subnet-based addresses in, and block all
> other port 25 stuff.
>
> The 2900 has just 7 filters per set but can have a number of sets, and
> it isn't clear how these interact. Somehow they need to be chained.
>
> Logically, one should enter the ten 'allow' rules, followed by one
> 'block all port 25' rule. But this doesn't seem to work. That is how
> the (otherwise utterly obscure) Cisco IOS rules worked.
>
> I have tried even simpler rules, within the set of 7 so no filter
> chaining involved, and the filters still don't do anything.
>
> I have looked around the web, including the otherwise very useful
> draytek.co.uk site (I bought some routers from them) without which
> there would be zero hope of ever getting even a half-clever VPN config
> to work on the Draytek
>
> The other issue is reliability: obviously this config cannot be tested
> (no way to get ML to send us emails from every IP they might use, even
> though I can see from testing that they do vary the IPs across
> consecutive emails) so the config has to be 100% right otherwise we
> could be losing some emails and not others.


I solved the same problem by signing up to dyndns.org who filter emails and
then forward them to our server on port 2525 instead of port 25 (which is
now not forwarded on the router).

Paul
Peter
03-27-2010, 07:58 PM

"Paulg0" <(E-Mail Removed)> wrote

>I solved the same problem by signing up to dyndns.org who filter emails and
>then forward them to our server on port 2525 instead of port 25 (which is
>now not forwarded on the router).


Fair enough and I could probably do something similar, but any port
sniffer will find an SMTP server on port 2525 only a fraction of a
second later...

It would however get around the 'stale DNS' problem

One bloke I know who runs some higher end corporate stuff has emails
to his clients' email servers delivered via a VPN. That's pretty
good...
Paulg0
03-27-2010, 08:38 PM

"Peter" <occassionally-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Paulg0" <(E-Mail Removed)> wrote
>
>>I solved the same problem by signing up to dyndns.org who filter emails
>>and
>>then forward them to our server on port 2525 instead of port 25 (which is
>>now not forwarded on the router).

>
> Fair enough and I could probably do something similar, but any port
> sniffer will find an SMTP server on port 2525 only a fraction of a
> second later...


If it's looking there. I've been using port 2525 for a few months now and
have no spam coming in direct...

Paul
Peter
03-28-2010, 07:41 AM

Andy Blanchard <(E-Mail Removed)> wrote

>Ask MessageLabs for the IP ranges of their servers that will be used to
>relay your mail, then only allow those IP ranges to connect through your
>router's firewall on TCP port 25.


The IPs are in my original post.

The firewall on the unix email server is indeed the other option but I
need someone else to do that, whereas (in theory) the Draytek I can
admin myself; I have set it up many times.

>I've not used at 2900, but on my 2820 this would be a single rule using
>an "IP Group" to list the various MessageLabs blocks as the source and
>your mail server's TCP port 25 as the destination.


I don't see the 2900 supporting IP groups... maybe it is too old. The
firmware is the latest version though.

The ML IPs are also too spread to be input as one range.

One could cover most of it with say 3 ranges (avoiding me having to
use more than 7 filters and avoiding the Q of how to chain the filter
sets) but actually I was unable to get the filters to work at all.

There are loads of examples out there showing outbound filters e.g. to
stop some user accessing HTTP.
Vicktor Whieste
03-28-2010, 09:28 AM
On Sun, 28 Mar 2010 08:41:29 +0100, Peter wrote:
{snip}
Answer: GIVE UP WITH YOUR DRAYTEK - you can't expect it to do what a £10
Solwise-come-ebuyer gateway will do!!!

Draytek are synonymous with bodged, broken, half working shit with piss
poor technical support. Throw your toy router away and buy something
suitable, or drop in a simple firewall in front of it.
alexd
03-28-2010, 11:04 AM
On 27/03/10 20:58, Peter wrote:

> One bloke I know who runs some higher end corporate stuff has emails
> to his clients' email servers delivered via a VPN. That's pretty
> good...


If you've got a VPN already then yeah, fair enough, but setting up a VPN
when an ACL will do the job is nuts.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
12:03:18 up 52 days, 14:44, 2 users, load average: 0.04, 0.23, 0.29
It is better to have been wasted and then sober
than to never have been wasted at all
Peter
03-28-2010, 11:21 AM

Vicktor Whieste <(E-Mail Removed)> wrote

>On Sun, 28 Mar 2010 08:41:29 +0100, Peter wrote:
>{snip}
>Answer: GIVE UP WITH YOUR DRAYTEK - you can't expect it to do what a £10
>Solwise-come-ebuyer gateway will do!!!
>
>Draytek are synonymous with bodged, broken, half working shit with piss
>poor technical support. Throw your toy router away and buy something
>suitable, or drop in a simple firewall in front of it.




I think you are thinking of BELKIN...

The Drayteks have worked fine for us; home and office, with an uptime
of months if not years.

But you are right about crap support... but but

All consumer gear has crap support, and I had some Cisco routers which
cost a fortune (£1000 for a 64MB RAM upgrade, etc) which nobody could
configure, because Cisco are running a job protection scheme known as
IOS.

And I speak as an ex CP/M, Z80, etc hardware/software developer so
obscure user interfaces are not an issue for me. The Cisco stuff
worked in the sense that it didn't crash but if one defines
reliability as a box which does what you want the whole time, they
were the biggest load of sh*t ever. Basically you have to chuck a few
hundred quid at somebody, each time you want the config changed. Cisco
stuff is fine if you have a specialist in-house; for every other case,
somebody has got you over a barrel.
Graham J
03-28-2010, 11:51 AM

"Peter" <occassionally-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Andy Blanchard <(E-Mail Removed)> wrote
>
>>Ask MessageLabs for the IP ranges of their servers that will be used to
>>relay your mail, then only allow those IP ranges to connect through your
>>router's firewall on TCP port 25.

>
> The IPs are in my original post.
>
> The firewall on the unix email server is indeed the other option but I
> need someone else to do that, whereas (in theory) the Draytek I can
> admin myself; I have set it up many times.
>
>>I've not used at 2900, but on my 2820 this would be a single rule using
>>an "IP Group" to list the various MessageLabs blocks as the source and
>>your mail server's TCP port 25 as the destination.

>
> I don't see the 2900 supporting IP groups... maybe it is too old. The
> firmware is the latest version though.
>
> The ML IPs are also too spread to be input as one range.
>
> One could cover most of it with say 3 ranges (avoiding me having to
> use more than 7 filters and avoiding the Q of how to chain the filter
> sets) but actually I was unable to get the filters to work at all.
>
> There are loads of examples out there showing outbound filters e.g. to
> stop some user accessing HTTP.


Looking at my 2910 ...

Objects setting:

Create an IP object for each distinct IP address
Create an IP group containing all the relevant objects

Firewall:

Create a firewall rule:
Under Source IP you can specify the IP group.

It may be that the 2900 is different.

Also, I tried to set up the firewall on a 2820 to control users accessing
facebook and the like - but it didn't behave as the configuration screens
suggested - I could block access totally, but could not use a timed schedule
to block at only certain times of the day. The general adverse comments
about Draytek support and capability would seem to apply where their
firewall is concerned. But I've had no problems using them to set up VPNs.

--
Graham J
Gordon Henderson
03-28-2010, 12:00 PM
In article <(E-Mail Removed)>,
Peter <occassionally-(E-Mail Removed)> wrote:
>The 2900 has just 7 filters per set but can have a number of sets, and
>it isn't clear how these interact. Somehow they need to be chained.
>
>Logically, one should enter the ten 'allow' rules, followed by one
>'block all port 25' rule. But this doesn't seem to work. That is how
>the (otherwise utterly obscure) Cisco IOS rules worked.
>
>I have tried even simpler rules, within the set of 7 so no filter
>chaining involved, and the filters still don't do anything.


That's basically how it works...

.... but you need to make sure your rules are being executed - start in
the "General Setup" page and make sure the first filter rule is one of
your own rules. The default call & data filters are basically useless
if you're using NAT though, so can usually be ignored.

And make sure each individual rule is enabled.

I use Drayteks a lot myself, but don't do too much firewalling on them
as it's not usually needed in my situations, (easier for me to use Linux
firewalling) but the few I have done do basically work.

Gordon
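The rule logic the thread settles on (a run of 'pass' rules for the trusted source ranges, then one 'block all port 25' rule, evaluated first-match in order) can be checked offline before it goes on the router, which addresses Peter's worry that the live config cannot be tested. The script below is an added example, not code from the thread or from Draytek's firmware: it simulates an ordered, first-match filter set with Python's standard `ipaddress` module, probes the edges of every allowed range, shows what happens if the block rule is ordered first, and measures how many extra addresses a "cover it with fewer ranges" summarisation would admit. The subnets in it are constructed placeholders from the RFC 5737 documentation space, not Messagelabs' real list; substitute the ranges from the PDF linked in the original post.

```python
"""Offline check of an ordered, first-match SMTP allow-list (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP = 25

# CONSTRUCTED placeholder ranges (RFC 5737 documentation space), standing in
# for the relay subnets published by the filtering service.
ALLOWED = ["192.0.2.0/27", "192.0.2.64/27", "198.51.100.0/25", "203.0.113.32/28"]


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: ipaddress.IPv4Network           # source network the rule matches
    dport: Optional[int] = None          # destination port, None = any port


def build_rules(allowed: List[str], block_first: bool = False) -> List[Rule]:
    """One 'pass' rule per trusted range, then a single 'block all port 25'.
    block_first=True reproduces the classic mistake of ordering the catch-all
    block ahead of the allows; with first-match evaluation it then wins always."""
    passes = [Rule("pass", ipaddress.ip_network(n), SMTP) for n in allowed]
    block_all = Rule("block", ipaddress.ip_network("0.0.0.0/0"), SMTP)
    return [block_all] + passes if block_first else passes + [block_all]


def evaluate(rules: List[Rule], src_ip: str, dport: int, default: str = "pass") -> str:
    """First matching rule decides; if nothing matches, the router's default
    policy (assumed 'pass' here) applies, which is why the final block is needed."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.src and (r.dport is None or r.dport == dport):
            return r.action
    return default


def check_allow_list(rules: List[Rule], allowed: List[str]) -> List[str]:
    """Probe the first, middle and last address of every allowed range on port 25.
    Returns the probes that did NOT pass; an empty list means full coverage."""
    failures = []
    for n in allowed:
        net = ipaddress.ip_network(n)
        for ip in {net.network_address, net[net.num_addresses // 2], net.broadcast_address}:
            if evaluate(rules, str(ip), SMTP) != "pass":
                failures.append(str(ip))
    return sorted(failures)


def smallest_covering(nets: List[str]) -> ipaddress.IPv4Network:
    """Widen the first network until it contains all the others: the single
    range you would type if you tried to collapse several allows into one."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    cover = parsed[0]
    while not all(n.subnet_of(cover) for n in parsed):
        cover = cover.supernet()
    return cover


def excess_addresses(nets: List[str]) -> Tuple[str, int]:
    """How many addresses outside the trusted ranges a collapsed range lets in."""
    cover = smallest_covering(nets)
    trusted = sum(ipaddress.ip_network(n).num_addresses for n in nets)
    return str(cover), cover.num_addresses - trusted


if __name__ == "__main__":
    rules = build_rules(ALLOWED)
    print("coverage gaps:", check_allow_list(rules, ALLOWED) or "none")
    print("192.0.2.70:25  ->", evaluate(rules, "192.0.2.70", SMTP))   # trusted
    print("192.0.2.40:25  ->", evaluate(rules, "192.0.2.40", SMTP))   # between ranges
    print("192.0.2.40:587 ->", evaluate(rules, "192.0.2.40", 587))    # rule set only covers 25
    print("block-first:", check_allow_list(build_rules(ALLOWED, True), ALLOWED))
    print("collapsing first two ranges:", excess_addresses(ALLOWED[:2]))
```

The `block_first` run is the one to look at if a set of filters "doesn't do anything" or blocks everything: with first-match evaluation, the position of the catch-all rule is the whole configuration. The `excess_addresses` figure is the cost of Peter's three-range shortcut: collapsing two /27s that are 32 addresses apart into one /25 admits 64 addresses that were never on the trusted list.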