DrayTek Vigor 165 firewall setup

How to configure DrayTek Vigor 165 firewall with strict security and separate filters for inbound and outbound traffic.

Usually, I use my DrayTek Vigor 165 as a bridge modem for a pfSense firewall/router behind it. Now I had the need to use it as a full firewall/router, thereby I had to configure its firewall as well. Coming from a pfSense background, the Vigor 165 firewall works in a somewhat different way.

In the Firewall -> General Setup page you will find the Call Filter and Data Filter settings. You may ignore the Call Filter settings. They are used when the internet connection is established on-demand, following a device request to send outbound traffic. The Call Filter allows avoiding establishing a connection if the outbound traffic is forbidden.

What matters for most users is the Data Filter. These are the rules applied to inbound/outbound traffic when an internet connection is established already.

Each Filter is mapped to a Filter Set. A Filter Set is a set of filtering rules. Filter Sets can be chained, and a rule within a filter set can jump to another Filter Set. Once processing is switched to another filter set, it won’t return back. Be careful to avoid loops.

There is also a Default Rule used when there is no match. The order of processing is as follows:

  1. Data Filter Sets and Rules
  2. Block routing connections initiated from WAN settings
  3. Default Rule

The Default Rule setting is by default set to Pass. It will pass any packet that doesn’t match a rule. As the router comes with no preconfigured rules but a simple one for NetBIOS traffic, that is what allows any other traffic when the firewall is enabled.

I don’t like it because in the current internet environment is better to block any unknown traffic initiated from the WAN side. Thereby I will show how to setup the firewall to use a Default Rule set to “Block” while allowing outbound traffic not blocked by a specific rule, and still blocking inbound traffic not allowed by a specific rule.

One issue is the Data Filter allows only one Filter Set associated, there is no concept of inbound/outbound separate settings. We could write all inbound/outbound rules here, or we can take advantage of a Filter Set being able to invoke another Filter Set.

My main Filter Set – the one invoked by the Data Filter setting – has three rules only. These will just filter on the packet direction. These rules then will invoke another Filter Set with specific settings for each kind of traffic.
One rule is for the LAN > WAN traffic, one for the WAN > LAN traffic, and one for the LAN > LAN traffic (the latter may not be useful to you if you don’t have local traffic going through the Vigor 165 firewall).

The LAN2WAN filter matches outbound traffic – LAN/RT → WAN direction – and allows any traffic that is not blocked by a more specific rule (Pass If No Further Match). This lets the Default Rule to be set to “Block” without blocking outbound traffic. Then the filter simply jumps to another Filter Set which performs the final specific filtering (look at the highlighted settings in yellow):

Filter Set #3 contains the actual outbound traffic rules:

In this case there are two rules to allow VoIP traffic immediately, to avoid waiting for processing other rules, and a rule to block outbound NetBIOS traffic (note: the default “block NetBIOS traffic” rule is wrong). Anyway, remember any traffic not explicitly blocked here is allowed by the parent Filter Set rule Pass If No Further Match.

The WAN2LAN main rule is very much alike, but of course it does block any traffic not allowed by a child rule:

The Syslog setting allows recording any packet that is blocked by the rule, for troubleshooting and/or monitoring needs. A Syslog server needs to be configured in System Maintenance -> Syslog/Mail Alert.
The Filter Set invoked contains the permitted inbound traffic, in this case an OpenVPN server on a specific IP:

I use the Vigor Object Settings for IP and Services (ports) extensively in the rules configurations. While you can easily set IP/ranges/subnets and ports directly in the firewall rules, Objects and Groups allows to create simpler rules being able to reuse settings and group them also.
For example, instead of having to declare each NetBIOS/SMB protocol (TCP/UDP) and ports separately in each rule, I could create a NetBIOS Service Type Group object and use it in a single rule:

The four selected Service Type object defines all the NetBIOS ports and protocols – UDP 137 and 138, TCP 139 and 445 (the default filter is wrong because these are the destination ports).

The Vigor 165 firewall allows filtering access also using Content Filters, for example they can match an HTTP URL. Content Filters are matched after an IP Filter passes, see for a full explanation of the Content Filters workflow, note that the Vigor 165 only supports URL Content filter. This might be the topic of a separate article, I do not have much use for them right now.

There are settings that are not well explained in the documentation. For example the Session Control setting. The manual says “The number typed here is the total sessions of the packets that do not match the filter rule configured in this page. The default setting is 60000.” But that doesn’t makes sense to me. Looking at the CLI commands, the editable values is named Max Session Limit, and the non-editable number Current Sessions. My take is this is a session limiter – the filter rule will allow up to Max Session Limit concurrent sessions, and the actual number of active sessions matching the rule is shown. The default value for the maximum session limit in the Vigor 165 is 10000, which matches the 10K NAT sessions supported by the device. Leave it at the default value if you have no reason to change it.

The Session Timeout setting under Advanced could be the lifetime of the session state.

The CLI has the ipf view command that can be used to look at the firewall statistics.

In the firewall General Setup, I recommend to activate the Enable Strict Security Firewall which should mean that any packet not matched by a rule is dropped. Block routing connections initiated from WAN is used only for non NAT connections, so it is used only if you configure the IPv4 2nd address in LAN -> General Setup “For IP Routing Usage”, or if you enable IPv6 on the WAN interface.

With the rules above in place, the Default Rule could be set to “Block”:

outbound traffic should be still flow freely (but specific rules), while not allowed inbound traffic should be blocked. Actually we could have not used the WAN > LAN root rule at all, and relied on a default block rule only for anything not matched by other filters, adding any needed rule for inbound traffic, but I believe the setup above is clearer about what it happens. The default rule may never be invoked, but it’s still there as a safe fallback.

Of course NAT would work almost the same way by itself for inbound traffic, but setting the firewall adds another layer of proper security, allows to control outbound traffic as well, and becomes necessary if IPv6 is used.

Format of a Syslog entry

When recording into a syslog is enabled, the entries have a format alike:

[FILTER][Block][WAN->LAN/RT, 44:06:54 ][@S:R=2:2,>][TCP][HLen=20, TLen=83, Flag=AP, Seq=2127413670, Ack=4109947162, Win=16385] 

The data show if the entry is a Block/Pass entry, the direction of the packet, and the system up time when the packet was logged. @S:R= indicates which Filter (S)et and (R)ule was matched, in this case Filter Set 2 and Rule 2. Followed by packet data: source and destination, protocol, header length and total packet length, and some data that depends on the protocol type – i.e. TCP will have TCP flags, sequence, acknowledgment and window size.

UDP example:

[FILTER][Block][WAN->LAN/RT, 44:27:00 ][@S:R=2:2,>][UDP][HLen=20, TLen=1228]

ICMP example:

[FILTER][Block][LAN/RT->LAN/RT, 23:08:22 ][@S:R=13:1,>][ICMP][HLen=20, TLen=84, Type=0, Code=0]

In this example note that Filter Set “13” means the Default Rule.