We have launched the new version of the DrayTek website, and this content is no longer being maintained.
You will find more information on our new site; however, we will keep this page for a few months.

[Vigor3900] A Firewall example

Suppose a network administrator wants to set different limits on Internet access for three user levels, as below:

  • Manager: No limits. Managers can visit every website and use every application they would like to use.
  • Restricted Users: Restricted Access. Restricted Users can use only specific services such as DNS, SMTP, POP3 and HTTP; other protocols are blocked, and HTTPS websites are also limited.
  • Users: No Internet Access

1. Create IP Objects: Go to Objects Setting >> IP Object, click Add to create a new one.

2. Create IP Groups to define the different users: Go to Objects Setting >> IP Group, click Add to create a new one and select the IP Object of that user group. In this example, we created three IP Groups: Manager has IP 192.168.1.10, Restricted User has IP 192.168.1.11, and User has IP 192.168.1.12.

3. Create IP Filter Groups: Go to Firewall >> Filter Setup, click Add to create a new one. In this example we add two IP Filter Groups: “block” and “pass”.

4. Click to select Group “block”, then click Add to create an IP Filter rule.

  1. Check Enable.
  2. Select Block If No Further Match for Action.
  3. Select Group “pass” for Next Group.
  4. Select Enable for Syslog.
  5. Select lan1 as Input Interface.
  6. Select wan1 as Output Interface.
  7. Do not specify Source IP, Destination IP and Service Protocol.
  8. Apply the settings.

5. Click to select Group “pass”, then click Add to create an IP Filter rule for Manager.

  1. Check Enable.
  2. Select Accept for Action.
  3. Select lan1 as Input Interface.
  4. Select wan1 as Output Interface.
  5. Select “IP_Manager” as the Source IP Group.
  6. Do not specify Source IP, Destination IP and Service Protocol.
  7. Apply the settings.

This rule allows LAN clients whose IP is in IP Group “IP_Manager” to access any website and any Service Protocol.

6. Click to select Group “pass”, then click Add to create an IP Filter rule for Restricted User.

  1. Check Enable.
  2. Select Accept If No Further Match for Action.
  3. Select lan1 as Input Interface.
  4. Select wan1 as Output Interface.
  5. Select “DNS”, “FTP”, “SMTP”, “POP3” and “HTTP” for Service Protocol.
  6. Select “IP_Restricted” as the Source IP Group.
  7. Apply the settings.

This rule allows LAN clients whose IP is in IP Group “IP_Restricted” to access services using the DNS/FTP/SMTP/POP3/HTTP protocols; other protocols are blocked by Rule “block” in IP Filter Group “block”.

7. Create an Application Filter Profile: Go to Firewall >> Application Filter, click Add to create a new one.

  1. Check Enable.
  2. Check Enable for Syslog.
  3. Select “IP_Restricted” for Source IP Group.
  4. Click Add to create an APP Block profile. In this example, Skype is the Application that will be blocked.
  5. Apply the settings.

8. Create a URL Filter Profile: Go to Firewall >> URL/ Web Category Filter, click Add to create a new one.

  1. Check Enable.
  2. Check Disable for HTTPS Filter.
  3. Check Enable for Syslog.
  4. Select IP_Restricted for Source IP Group.
  5. Click Add to create a Keyword Accept object. In this example, URLs containing the keyword “draytek” will be passed.
  6. Click Add to create a Keyword Block object. In this example, URLs containing the keyword “.” will be blocked.
  7. Apply the settings.

9. After completing the above configurations:

  1. Packets sourced from an IP in IP Group “IP_Manager” to any destination will be passed directly by Rule “Pass_Manager” in IP Filter Group “pass”.
  2. Packets sourced from an IP in IP Group “IP_Block” to any destination will be blocked by Rule “block” in IP Filter Group “block”.
  3. Packets sourced from an IP in IP Group “IP_Restricted” to the Service Protocols DNS/SMTP/POP3 will be passed directly by Rule “Pass_Restricted” in IP Filter Group “pass”. Packets to other Service Protocols will be checked by the Application Filter; if they do not match the Application Filter, they will be checked by the URL/Web Category Filter, and if they do not match the URL/Web Category Filter either, they will be blocked by Rule “block” in IP Filter Group “block”.
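To make the “If No Further Match” chaining in step 9 concrete, here is an added Python model of the rule order configured above. It is not DrayTek firmware code: the evaluation order (Group “block” first, then Next Group “pass”, then Application Filter and URL Filter) and the way a tentative verdict is kept until a later filter decides are assumptions read from the text, and the IP addresses, application name and keywords are the constructed values used in this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed objects matching steps 2 and 4 to 8 of the text (not exported from a router).
IP_GROUPS = {"IP_Manager": {"192.168.1.10"}, "IP_Restricted": {"192.168.1.11"},
             "IP_Block": {"192.168.1.12"}}

@dataclass
class Rule:
    name: str
    action: str                           # accept | block | accept_if_no_further_match | block_if_no_further_match
    src_group: Optional[str] = None       # None: no Source IP Group set, any source matches
    services: Optional[frozenset] = None  # None: any Service Protocol
    next_group: Optional[str] = None      # Next Group to continue with after a tentative action

FILTER_GROUPS = {                          # lan1 -> wan1 is implied for every rule
    "block": [Rule("block", "block_if_no_further_match", next_group="pass")],
    "pass": [Rule("Pass_Manager", "accept", src_group="IP_Manager"),
             Rule("Pass_Restricted", "accept_if_no_further_match", src_group="IP_Restricted",
                  services=frozenset({"DNS", "FTP", "SMTP", "POP3", "HTTP"}))],
}
APP_BLOCK = {"IP_Restricted": {"Skype"}}               # step 7
URL_FILTER = {"IP_Restricted": ({"draytek"}, {"."})}   # step 8: (accept keywords, block keywords)

def matches(rule, ip, service):
    in_group = rule.src_group is None or ip in IP_GROUPS.get(rule.src_group, ())
    return in_group and (rule.services is None or service in rule.services)

def evaluate(ip, service, app=None, url=None):
    """Return (verdict, deciding filter) for one lan1 -> wan1 packet."""
    pending, group = None, "block"        # assumption: Group "block" is evaluated first
    while group:
        nxt = None
        for rule in FILTER_GROUPS[group]:
            if not matches(rule, ip, service):
                continue
            if rule.action in ("accept", "block"):   # definite action ends evaluation
                return rule.action, rule.name
            pending = (rule.action.split("_")[0], rule.name)  # tentative verdict, keep checking
            nxt = rule.next_group
            break
        group = nxt
    grp = next((g for g, members in IP_GROUPS.items() if ip in members), None)  # content filters are per group
    if app and app in APP_BLOCK.get(grp, ()):
        return "block", "Application Filter"
    accept_kw, block_kw = URL_FILTER.get(grp, ((), ()))
    if url and any(k in url for k in accept_kw):
        return "accept", "URL Filter keyword accept"
    if url and any(k in url for k in block_kw):
        return "block", "URL Filter keyword block"
    return pending                         # nothing further matched: tentative verdict stands
```

Calling `evaluate("192.168.1.11", "HTTPS")` returns the block verdict from Rule “block”, while `evaluate("192.168.1.11", "HTTP", url="www.draytek.com")` is accepted by the keyword object, which is the behaviour step 9 describes.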