I have an EdgeRouter Pro-8 set up in the datacenter as an edge device, and the past policy was essentially to block everything by default and then open up specific ports:
- allow established sessions
- allow tcp_udp ports (22, 80, 443, 161)
- allow ping
- drop invalid state
- drop all
Recently we decided to switch to allowing everything and blocking only specific ports, so essentially:
- allow established sessions
- block tcp_udp (25,67,80,135-139,161-162,445,520,549,593,1080,1900)
- block p2p
- allow tcp_udp
- drop invalid state
- drop all
This change solved a few issues we were having, but in the last day or two we started having a problem with packet loss in the network that was also noticeable to clients. At first we couldn't figure out what was causing the issue, as everything appeared to be working well; however, what we finally decided to try was reversing the firewall rules back to "block all and only allow specific ports" instead of the other way around, and suddenly there was no more packet loss.
Here's a quick report showing the before and after of the firewall change; once we started blocking all again, no more packet loss.
It's a quick fix to lock the firewall back down, but we'd prefer to be more open and simply eliminate/block the traffic that was causing the issue. I'm not really sure how best to approach that.
Looking for ideas/suggestions on what other WISPs/network engineers do to secure their network against issues like this while still keeping it more open for client needs.
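For reference, here is how the second ("allow all, block specific ports") ruleset from the post would be expressed as EdgeOS firewall configuration. This is an added example, not the poster's actual config; the ruleset name WAN_IN and the interface eth0 are assumptions. Two things differ from the order listed in the post, on purpose: EdgeOS evaluates rules in ascending number order and the first match wins, so if the broad tcp_udp accept has no state match it will accept invalid-state TCP/UDP packets before a later "drop invalid" rule is ever reached. The example therefore places the invalid-state drop right after the established/related accept and restricts the broad accept to state new. The ICMP accept is carried over from the first ruleset, since a tcp_udp accept does not cover ping.

```edgeos
configure

# Assumed ruleset name; default-action drop is the final "drop all".
set firewall name WAN_IN description 'Internet -> customers, default-allow with a blocklist'
set firewall name WAN_IN default-action drop
set firewall name WAN_IN enable-default-log

# 10: allow replies to connections that are already tracked.
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

# 20: drop invalid-state packets BEFORE any broad accept, otherwise the
# accept in rule 50 would match them first (first match wins).
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable

# 30: the port blocklist from the post (comma-separated, ranges allowed).
set firewall name WAN_IN rule 30 description 'Block listed TCP/UDP ports'
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 protocol tcp_udp
set firewall name WAN_IN rule 30 destination port 25,67,80,135-139,161-162,445,520,549,593,1080,1900

# 40: P2P application match from the post.
set firewall name WAN_IN rule 40 description 'Block P2P'
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 p2p all

# 50: the broad accept, limited to NEW connections so rule 20 still applies.
set firewall name WAN_IN rule 50 description 'Allow all other new TCP/UDP'
set firewall name WAN_IN rule 50 action accept
set firewall name WAN_IN rule 50 protocol tcp_udp
set firewall name WAN_IN rule 50 state new enable

# 60: ping, carried over from the original block-all ruleset.
set firewall name WAN_IN rule 60 description 'Allow ping'
set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 protocol icmp

# Assumed upstream interface; 'in' = packets arriving on eth0 and forwarded.
set interfaces ethernet eth0 firewall in name WAN_IN

commit
save
exit
```

After committing, `show firewall name WAN_IN statistics` shows per-rule packet and byte counters; comparing the counters for rules 20 and 50 over time is a quick way to confirm that invalid-state traffic is actually being dropped rather than accepted by the broad rule, and which rule the bulk of the new-connection traffic is hitting.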