Layer 3 firewall rules are essential for network security, controlling data flow based on IP addresses and protocols to ensure only authorized traffic passes through. These rules examine each packet's source and destination IPs and protocol type (such as TCP, UDP, or ICMP), allowing administrators to manage access to network resources effectively.
Key features include:
IP-Based Filtering: Allows or blocks traffic based on source and destination IPs.
Protocol Control: Enables control over traffic types.
Network Segmentation: Segments network, applying rules across subnets for enhanced security and performance.
Access Control: Specifies which devices or users can access network resources.
Layer 3 firewall rules therefore provide a robust mechanism to control traffic flow and protect network integrity. The Layer 3 firewall has three major functions:
Outbound Rule
Site-to-Site VPN Firewall Rule
Allowed Service
When the gateway is running in NAT/Routed mode, all inbound connections are denied by default. To permit additional inbound traffic, you must create a new port forwarding rule or NAT policy.
Note: All L3 firewall rules are flow-based. Once a rule is changed, only subsequent flows are affected; all existing flows continue until their sessions time out.
Outbound Rules
The Outbound Rules permit or deny specific traffic between VLANs or from LAN to the Internet. These outbound rules can be based on protocol, source IP address and port, and destination IP address and port.
Note:
All outbound traffic is permitted by default.
Outbound rules do not apply to VPN traffic. Refer to Site-to-site VPN Firewall Rule to control traffic between VPN peers.
Outbound rule example
To add a new outbound firewall rule, click Add Rule.
Policy : Determines whether the rule statement permits or blocks traffic that matches the specified criteria.
Description: Allows you to add additional information or comments about the rule, making it easier to identify.
Protocol : Specify the type of traffic (TCP, UDP, ICMP, or Any).
Source IP : Supports individual IPs or CIDR subnets. Multiple entries can be comma-separated. Using "Any" specifies all networks. The source IP or CIDR subnet must be from the subnets configured in Gateway > Interfaces > LAN. "Any" covers all subnets configured in this section.
Destination : Supports individual IPs, CIDR subnets, or FQDNs. Multiple entries can be comma-separated. Using "Any" specifies all networks.
Src Port and Dst Port : Supports individual port numbers or port ranges. Multiple individual ports can be entered comma-separated, but port ranges cannot be combined in a comma-separated list.
FQDN Support
FQDN-based L3 firewall rules are implemented by monitoring DNS traffic. When a client device tries to access a web resource, the ESG tracks the DNS requests and responses to identify the IP of the web resource. Important considerations include:
The ESG must see both the client DNS request and the server's response to map the IP accurately. This applies to all DNS requests, not just from specific clients. DNS communication within the same VLAN is not monitored.
If a client has cached DNS information or static DNS entries, the ESG may not block or allow traffic correctly if no new DNS request is generated for inspection.
Site-to-site VPN Firewall Rule
Administrators can add firewall rules to control traffic through the VPN tunnel for an ESG gateway. This stateful firewall will block traffic only if it does not match an existing flow. These rules apply to all networks in the organization that use site-to-site VPN, including both AutoVPN and non-EnGenius networks.
To create a site-to-site VPN firewall rule, follow the steps below.
Navigate to Configure > Gateway > Site-to-site VPN.
Select Add a rule in the VPN Outbound Rules.
Fill in the parameters for the rule.
VPN outbound rule example
Considerations for VPN Firewall Rules
When configuring VPN firewall rules, it’s crucial to block traffic as close to the originating client device as possible to minimize VPN tunnel traffic and enhance network performance. Therefore, site-to-site firewall rules are applied only to outgoing traffic. Consequently, the ESG cannot block VPN traffic initiated by non-EnGenius peers.
The following example illustrates a misconfigured site-to-site firewall rule. Because site-to-site firewall rules apply only to outbound traffic, this rule is ineffective: its source subnet is not a LAN subnet on the ESG.
Incorrect VPN firewall rule
In contrast, the following rule is correctly configured: Traffic from the 10.0.1.0/24 subnet will be blocked from reaching the 10.0.2.0/24 subnet because 10.0.1.0/24 is a LAN subnet on the ESG.
Correct VPN firewall rule
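The following added example (not code from EnGenius or the ESG) models the outbound rule fields described above and the site-to-site check that a rule's source must be a local LAN subnet. It assumes first-match rule ordering, the default permit for outbound traffic, and the constructed LAN subnets in LAN_SUBNETS; FQDN destinations and flow tracking are out of scope.

```python
import ipaddress

# Constructed LAN subnets standing in for Gateway > Interfaces > LAN (assumption).
LAN_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("192.168.10.0/24")]

def parse_networks(field):
    # "Any" matches every address; otherwise comma-separated IPs or CIDR subnets.
    if field.strip().lower() == "any":
        return None
    return [ipaddress.ip_network(n.strip(), strict=False) for n in field.split(",")]

def parse_ports(field):
    # "Any", a comma-separated list of ports, or one "lo-hi" range (ranges can't be comma-separated).
    f = field.strip().lower()
    if f == "any":
        return None
    if "-" in f:
        if "," in f:
            raise ValueError("port ranges cannot be entered comma-separated")
        lo, hi = (int(p) for p in f.split("-"))
        return range(lo, hi + 1)
    return {int(p) for p in f.split(",")}

def _net_hit(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

def _port_hit(ports, port):
    return ports is None or port in ports

def rule_matches(rule, pkt):
    # Protocol "Any" matches every protocol; otherwise a case-insensitive exact match.
    proto_ok = rule["protocol"].lower() in ("any", pkt["protocol"].lower())
    return (proto_ok
            and _net_hit(parse_networks(rule["src"]), pkt["src"])
            and _net_hit(parse_networks(rule["dst"]), pkt["dst"])
            and _port_hit(parse_ports(rule["sport"]), pkt["sport"])
            and _port_hit(parse_ports(rule["dport"]), pkt["dport"]))

def evaluate_outbound(rules, pkt):
    # First matching rule wins (assumed ordering); outbound traffic is permitted by default.
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["policy"]
    return "permit"

def vpn_rule_is_effective(rule, lan_subnets=LAN_SUBNETS):
    # Site-to-site rules act only on outgoing traffic, so every source network must be a LAN subnet.
    src = parse_networks(rule["src"])
    if src is None:
        return True  # "Any" covers all configured LAN subnets
    return all(any(n.subnet_of(lan) for lan in lan_subnets) for n in src)
```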
Allowed Services
Allowed Services lets you configure which network services the EnGenius Gateway will respond to.
Allow service
ICMP Ping: Use this setting to allow the EnGenius Gateway to reply to inbound ICMP ping requests coming from the specified address(es). Supported values for the remote IP address field include None, Any, or a specific IP range (using CIDR notation). You can also enter multiple IP ranges separated by commas.
Both Routed mode and Passthrough mode are supported.