Hello,
I'm using a UAP Lite in conjunction with the ERL. Currently I have 4 zones - LOCAL, GUEST, LAN & WAN - with my FW configuration as follows:
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name GUEST-LAN {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
}
name GUEST-LOCAL {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
    rule 53 {
        action accept
        description "Allow DNS"
        destination {
            port 53
        }
        protocol tcp_udp
    }
    rule 6768 {
        action accept
        description "Allow DHCP"
        destination {
            port 67,68
        }
        protocol udp
    }
}
name GUEST-WAN {
    default-action drop
    rule 1 {
        action accept
        description "Allow all connections"
        state {
            established enable
            new enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
}
name LAN-GUEST {
    default-action drop
    rule 1 {
        action accept
        description "Allow all connections"
        state {
            established enable
            new enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
}
name LAN-LOCAL {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
    rule 22 {
        action accept
        description "Allow SSH/SFTP"
        destination {
            port 22
        }
        protocol tcp
    }
    rule 23 {
        action accept
        description "Allow TELNET"
        destination {
            port 23
        }
        protocol tcp
    }
    rule 53 {
        action accept
        description "Allow DNS"
        destination {
            port 53
        }
        protocol tcp_udp
    }
    rule 80 {
        action accept
        description "Allow HTTP/HTTPS"
        destination {
            port 80,443
        }
        protocol tcp
    }
    rule 100 {
        action accept
        description "Allow PING"
        protocol icmp
    }
    rule 123 {
        action accept
        description "Allow NTP"
        destination {
            port 123
        }
        protocol udp
    }
    rule 6768 {
        action accept
        description "Allow DHCP"
        destination {
            port 67,68
        }
        protocol udp
    }
}
name LAN-WAN {
    default-action drop
    rule 1 {
        action accept
        description "Allow all connections"
        state {
            established enable
            new enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
}
name LOCAL-GUEST {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
    rule 53 {
        action accept
        description "Allow DNS"
        destination {
            port 53
        }
        protocol tcp_udp
    }
    rule 100 {
        action accept
        description "Allow PING"
        protocol icmp
    }
    rule 6768 {
        action accept
        description "Allow DHCP"
        destination {
            port 67,68
        }
        protocol udp
    }
}
name LOCAL-LAN {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
    rule 53 {
        action accept
        description "Allow DNS"
        destination {
            port 53
        }
        protocol tcp_udp
    }
    rule 100 {
        action accept
        description "Allow PING"
        protocol icmp
    }
    rule 123 {
        action accept
        description "Allow NTP"
        destination {
            port 123
        }
        protocol udp
    }
    rule 6768 {
        action accept
        description "Allow DHCP"
        destination {
            port 67,68
        }
        protocol udp
    }
}
name LOCAL-WAN {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
    rule 22 {
        action accept
        description "Allow SSH/SFTP"
        destination {
            port 22
        }
        protocol tcp
    }
    rule 23 {
        action accept
        description "Allow TELNET"
        destination {
            port 23
        }
        protocol tcp
    }
    rule 25 {
        action accept
        description "Allow SMTP"
        destination {
            port 25
        }
        protocol tcp
    }
    rule 53 {
        action accept
        description "Allow DNS"
        destination {
            port 53
        }
        protocol tcp_udp
    }
    rule 80 {
        action accept
        description "Allow HTTP/HTTPS"
        destination {
            port 80,443
        }
        protocol tcp
    }
    rule 100 {
        action accept
        description "Allow PING"
        protocol icmp
    }
    rule 123 {
        action accept
        description "Allow NTP"
        destination {
            port 123
        }
        protocol udp
    }
    rule 2021 {
        action accept
        description "Allow FTP"
        destination {
            port 20,21
        }
        protocol tcp
    }
}
name WAN-GUEST {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
}
name WAN-LAN {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
}
name WAN-LOCAL {
    default-action drop
    rule 1 {
        action accept
        description "Allow established connections"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        description "Drop invalid packets"
        state {
            invalid enable
        }
    }
    rule 6768 {
        action accept
        description "Allow DHCP"
        destination {
            port 67,68
        }
        protocol udp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
Although I'm able to ping the GUEST zone from the LAN and also able to ping my LAN from LOCAL, I'm not able to ping my GUEST network from LOCAL, despite ICMP being allowed in the LOCAL-GUEST firewall policy:
rule 100 {
    action accept
    description "Allow PING"
    protocol icmp
}
A tcpdump on one of the hosts in the GUEST network shows me that the echo request is arriving from the router and the host is replying with the echo reply as expected:
01:09:43.795723 IP 172.16.2.1 > 172.16.2.11: ICMP echo request, id 3331, seq 1, length 64
01:09:43.795920 IP 172.16.2.11 > 172.16.2.1: ICMP echo reply, id 3331, seq 1, length 64
01:09:44.799955 IP 172.16.2.1 > 172.16.2.11: ICMP echo request, id 3331, seq 2, length 64
01:09:44.800153 IP 172.16.2.11 > 172.16.2.1: ICMP echo reply, id 3331, seq 2, length 64
On the LOCAL (router) end, when I ran tcpdump, I saw that the echo reply is not reaching the router:
01:17:28.864902 IP 172.16.2.1 > 172.16.2.11: ICMP echo request, id 3789, seq 1, length 64
01:17:29.866648 IP 172.16.2.1 > 172.16.2.11: ICMP echo request, id 3789, seq 2, length 64
01:17:30.866650 IP 172.16.2.1 > 172.16.2.11: ICMP echo request, id 3789, seq 3, length 64
So I assume that a return path is probably needed in the GUEST-LOCAL policy, which made me add this rule to that policy:
rule 100 {
    action accept
    protocol icmp
}
However, this hasn't produced any results; the response is still not reaching the router. The only other possible culprit is the UAP Lite, but before I start to diagnose that I want to be sure that I'm not missing anything.
Is anyone able to confirm if that's the case?
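As an added example (editor's code, not part of the post above), the script below models how EdgeOS evaluates the two zone-pair policies quoted in the post for an ICMP round trip. The GUEST-LOCAL and LOCAL-GUEST rulesets are copied from the post's configuration; the parser, the first-match evaluator and the conntrack assumption are mine. Two facts worth keeping in mind when reading the output: conntrack pairs an echo reply with the echo request it answers and classifies it ESTABLISHED, so the reply is decided by rule 1 of GUEST-LOCAL and an extra `protocol icmp` accept rule further down never gets consulted for it; and tcpdump on the router captures frames before the firewall evaluates them, so a reply that is absent from the router's own capture was not dropped by any of these rules.

```python
"""Model EdgeOS zone-policy evaluation for an ICMP echo round trip.

Added example, not code from the original post. The rulesets in CONFIG are
the GUEST-LOCAL and LOCAL-GUEST policies copied from the post. The evaluator
is an assumption of mine: it reproduces EdgeOS first-match semantics (rules
tried in ascending number, then default-action) and the conntrack behaviour
that an echo reply is paired with its request and evaluated as ESTABLISHED.
"""
import shlex

# Constructed input: the two zone-pair policies from the post, flattened onto
# one line each exactly as the forum rendered the `show firewall` output.
CONFIG = """
name GUEST-LOCAL { default-action drop rule 1 { action accept description "Allow established connections" state { established enable related enable } } rule 2 { action drop description "Drop invalid packets" state { invalid enable } } rule 53 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 6768 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } }
name LOCAL-GUEST { default-action drop rule 1 { action accept description "Allow established connections" state { established enable related enable } } rule 2 { action drop description "Drop invalid packets" state { invalid enable } } rule 53 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 100 { action accept description "Allow PING" protocol icmp } rule 6768 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } }
"""


def parse_edgeos(text):
    """Turn EdgeOS brace syntax into nested dicts.

    `key value` becomes a leaf, `key { ... }` a block, and `key label { ... }`
    (name, rule) a block stored under node[key][label]. shlex keeps quoted
    descriptions as a single token.
    """
    tokens = shlex.split(text)
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos]
            pos += 1
            if tokens[pos] == "{":                      # key { ... }
                pos += 1
                node[key] = block()
                pos += 1                                # consume closing brace
            elif pos + 1 < len(tokens) and tokens[pos + 1] == "{":  # key label { ... }
                label = tokens[pos]
                pos += 2
                node.setdefault(key, {})[label] = block()
                pos += 1
            else:                                       # key value
                node[key] = tokens[pos]
                pos += 1
        return node

    return block()


def rule_matches(rule, pkt):
    """Match one rule's criteria against a packet {proto, dport, state}."""
    proto = rule.get("protocol")
    if proto and pkt["proto"] not in proto.split("_"):  # tcp_udp -> tcp, udp
        return False
    ports = rule.get("destination", {}).get("port")
    if ports:
        dport = pkt.get("dport") or -1
        for spec in ports.split(","):                   # "67,68" or "1000-2000"
            lo, _, hi = spec.partition("-")
            if int(lo) <= dport <= int(hi or lo):
                break
        else:
            return False
    state = rule.get("state")
    if state and state.get(pkt["state"]) != "enable":
        return False
    return True


def evaluate(policy, pkt):
    """First match wins; otherwise the policy's default-action applies.

    Returns (rule_number, action); rule_number is None for the default.
    """
    for num, rule in sorted(policy.get("rule", {}).items(), key=lambda kv: int(kv[0])):
        if rule_matches(rule, pkt):
            return num, rule["action"]
    return None, policy["default-action"]


def ping_round_trip(fw, src_zone, dst_zone):
    """Trace an echo request SRC->DST and its reply DST->SRC.

    The request creates a new conntrack entry; the reply (same ICMP id) is
    matched to that entry and evaluated with state ESTABLISHED, so it is
    decided by the DST-SRC policy's stateful rule, not by a protocol rule.
    """
    request = evaluate(fw["name"][f"{src_zone}-{dst_zone}"], {"proto": "icmp", "state": "new"})
    reply = evaluate(fw["name"][f"{dst_zone}-{src_zone}"], {"proto": "icmp", "state": "established"})
    return request, reply


def with_icmp_rule(policy, number="100"):
    """Copy of a policy with the post's extra 'rule 100 { action accept protocol icmp }'."""
    patched = {**policy, "rule": dict(policy.get("rule", {}))}
    patched["rule"][number] = {"action": "accept", "protocol": "icmp"}
    return patched


FW = parse_edgeos(CONFIG)

if __name__ == "__main__":
    print("LOCAL -> GUEST ping (request, reply):", ping_round_trip(FW, "LOCAL", "GUEST"))
    patched = with_icmp_rule(FW["name"]["GUEST-LOCAL"])
    print("reply with rule 100 added to GUEST-LOCAL:",
          evaluate(patched, {"proto": "icmp", "state": "established"}))
    print("unsolicited echo request GUEST -> LOCAL:",
          evaluate(FW["name"]["GUEST-LOCAL"], {"proto": "icmp", "state": "new"}))
```

Run as-is it reports that the request matches LOCAL-GUEST rule 100 and the reply matches GUEST-LOCAL rule 1, with or without the added ICMP rule, while an unsolicited echo request from GUEST to the router still falls through to the default drop. The parser only understands the three statement shapes that appear in this dump (leaf, block, labelled block), which is enough for `show firewall` output but not a general EdgeOS grammar.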