Speedtouch 716WL router - firewall setup - how?

I have a Speedtouch 716WL router which works well. However I want to
set up the firewall to block ssh except from specified IP addresses
and I just can't get it to work.

I have added a custom Firewall "Security Level" which allows me to add
firewall rules to the default ones.

I have then added a rule which looks like it should allow ssh
connections from a specified IP address on the WAN to my ssh server on
the LAN but it doesn't work.

If I enable SSH using "Game & Application Sharing" on the Speedtouch
it works perfectly though, thus I think I have my ssh set up right, I
just can't get the Speedtouch firewall set up correctly.

There's little clue in the documentation, apart from anything else it
doesn't tell you anything about how the Firewall and "Game &
Application Sharing" interact. I have even delved into the CLI
interface of the Speedtouch and discovered a bit more but I still
can't make it work.

Can anyone help or point me in the direction of where I might get some
help?

--
Chris Green

(E-Mail Removed) wrote:
> I have a Speedtouch 716WL router which works well. However I want to
> set up the firewall to block ssh except from specified IP addresses
> and I just can't get it to work.
>
> I have added a custom Firewall "Security Level" which allows me to add
> firewall rules to the default ones.
>
> I have then added a rule which looks like it should allow ssh
> connections from a specified IP address on the WAN to my ssh server on
> the LAN but it doesn't work.
>
> If I enable SSH using "Game & Application Sharing" on the Speedtouch
> it works perfectly though, thus I think I have my ssh set up right, I
> just can't get the Speedtouch firewall set up correctly.
>
> There's little clue in the documentation, apart from anything else it
> doesn't tell you anything about how the Firewall and "Game &
> Application Sharing" interact. I have even delved into the CLI
> interface of the Speedtouch and discovered a bit more but I still
> can't make it work.
>
> Can anyone help or point me in the direction of where I might get some
> help?
>
Typical - almost immediately after posting this message I realised
what the problem was.

Setting up a Firewall Rule allows the connection through but it
*doesn't* specify the NAT mapping. When you use "Game & Application
Sharing" it sets up a firewall rule *and* a NAT mapping (but sadly
doesn't allow you to tune the firewall rule).

The Firewall Rules setup doesn't set up a port/IP mapping, you have to
use the CLI to do that and then it works. It means the web interface
to the firewall set up is essentially useless as far as I can see.

Anyway I have it working now, all I have to do is write down all the
necessary stages so if/when I reset the router I can set it up again.

--
Chris Green

On Jan 6, 1:55*am, tinn...@isbd.co.uk wrote:
> tinn...@isbd.co.uk wrote:
> > I have a Speedtouch 716WL router which works well. *However I want to
> > set up the firewall to block ssh except from specified IP addresses
> > and I just can't get it to work.
>
> > I have added a custom Firewall "Security Level" which allows me to add
> > firewall rules to the default ones.
>
> > I have then added a rule which looks like it should allow ssh
> > connections from a specified IP address on the WAN to my ssh server on
> > the LAN but it doesn't work.
>
> > If I enable SSH using "Game & Application Sharing" on the Speedtouch
> > it works perfectly though, thus I think I have my ssh set up right, I
> > just can't get the Speedtouch firewall set up correctly.
>
> > There's little clue in the documentation, apart from anything else it
> > doesn't tell you anything about how the Firewall and "Game &
> > Application Sharing" interact. *I have even delved into the CLI
> > interface of the Speedtouch and discovered a bit more but I still
> > can't make it work.
>
> > Can anyone help or point me in the direction of where I might get some
> > help?
>
> Typical - almost immediately after posting this message I realised
> what the problem was.
>
> Setting up a Firewall Rule allows the connection through but it
> *doesn't* specify the NAT mapping. *When you use "Game & Application
> Sharing" it sets up a firewall rule *and* a NAT mapping (but sadly
> doesn't allow you to tune the firewall rule).
>
> The Firewall Rules setup doesn't set up a port/IP mapping, you have to
> use the CLI to do that and then it works. *It means the web interface
> to the firewall set up is essentially useless as far as I can see.
>
> Anyway I have it working now, all I have to do is write down all the
> necessary stages so if/when I reset the router I can set it up again.
>
> --
> Chris Green- Hide quoted text -
>
> - Show quoted text -

Hi Chris

having problems of a similar nature. could you copy the CLI commands
to me?
not sure if you tried, but you can actually save/restore configuration
for the SpeedTouch modem.
you need to access the GUI, click on "SpeedTouch" then 'Configuration"
and under "Pick a Task" section, select 'Backup or restore
configuration".

Cheers~!

(E-Mail Removed) wrote:
> On Jan 6, 1:55*am, tinn...@isbd.co.uk wrote:
[snip]
> >
> > Typical - almost immediately after posting this message I realised
> > what the problem was.
> >
> > Setting up a Firewall Rule allows the connection through but it
> > *doesn't* specify the NAT mapping. *When you use "Game & Application
> > Sharing" it sets up a firewall rule *and* a NAT mapping (but sadly
> > doesn't allow you to tune the firewall rule).
> >
> > The Firewall Rules setup doesn't set up a port/IP mapping, you have to
> > use the CLI to do that and then it works. *It means the web interface
> > to the firewall set up is essentially useless as far as I can see.
> >
> > Anyway I have it working now, all I have to do is write down all the
> > necessary stages so if/when I reset the router I can set it up again.
> >
>
> having problems of a similar nature. could you copy the CLI commands
> to me?
> not sure if you tried, but you can actually save/restore configuration
> for the SpeedTouch modem.
> you need to access the GUI, click on "SpeedTouch" then 'Configuration"
> and under "Pick a Task" section, select 'Backup or restore
> configuration".
>
A fellow sufferer! :-)

I have my Speedtouch set up to allow ssh connections from just a
couple of trusted IP addresses. The Firewall is set up from the Web
interface (after adding a custom firewall Level of course).

Then you need to do something like the following from the CLI:-

mapadd intf=Internet outside_addr=84.45.228.40 inside_addr=192.168.1.1 outside_port=22-22 inside_port=22-22 weight =10

The "outside_addr" is my static IP address at my ISP, i.e. it is the
IP address of the WAN side of the router. I don't know what you do if
you have a dynamic IP though I'm sure there must be a way to do it. I
didn't actually explicitly set the 'weight', that must be a default
value.

I realised you can save and restore the configuration, in fact it's partly
how I found out what I have found out. I compared configurations with and
without a "Game and Application Sharing" entry added, that showed me the
'nat mapadd' entry as well as the Firewall one.

There are some useful notes etc. in a Wiki at:-

http://network.wiki.xs4all.nl/index....tle=SpeedTouch

which I was pointed to by the forums at:-

http://www.speedtouch.net.nz/forum


I hope this all helps, can continue by E-Mail if you want, my address
here will work.

--
Chris Green

On Wed, 27 May 2009 04:18:35 +0800, "John Devine"<(E-Mail Removed)> wrote:

> This answer was invaluable to me today, many thanks, I wasted a complete day
> not knowing why this rule would not work. I hope you don't mind mew asking a
> question but do you know how I can make a similar rule for remote desktop,
> its not in the default services, and I cant see how to add a service.

I don't know that router, but I presume it allows you to create and add
custom rules or services. For default Remote Desktop you only need to
forward TCP Port 3389 to the computer you wish to operate remotely (plus
poke the appropriate hole in that computer's own firewall).

If you have more than one computer running RDP that you wish to control
from the WAN, then you can easily change from the default RDP port number
in XP as is explained here: http://support.microsoft.com/kb/306759

Tony

John Devine <(E-Mail Removed)> wrote:
> Hi Chris
>
> This answer was invaluable to me today, many thanks, I wasted a complete day
> not knowing why this rule would not work. I hope you don't mind mew asking a
> question but do you know how I can make a similar rule for remote desktop,
> its not in the default services, and I cant see how to add a service.
>
Back off holiday (hence delay). If you haven't worked out the answer
and/or if the other reply hasn't helped then post again here and I'll
try and come up with an answer.

Basically you add your own 'custom' service for the remote desktop
port number I think.

--
Chris Green