How to block an unknown IP address which keeps dialing VPN to Vigor Router?


As the VPN server, Vigor Router always listens on the VPN ports to accept VPN connections from the Internet. Sometimes we see in Syslog that an unknown IP address keeps sending VPN requests to Vigor Router, but we cannot find out who the remote peer is. This is annoying and might be a security risk. This document demonstrates how to block an unknown IP address which keeps dialing VPN to Vigor Router.

1. Go to Firewall >> Defense Setup and enable DoS Defense.

a screenshot of DrayOS DoS Defense

2. Click the White/Black IP List option. Enter the unknown peer's IP and click Add to put the IP into the Black IP List; select Log if you want to see the blocked attempts in Syslog Explorer.

a screenshot of DrayOS firewall defense setup

NOTE: For some models, such as Vigor2860 and Vigor2925, the White/Black IP List is under Diagnostics >> DoS Flood Table.


Receiving the unknown IP request alert logs

1. To receive syslog alerts about the unknown IP's requests, go to System Maintenance >> Syslog / Mail Alert and set up Syslog Access.

  1. Check the Enable state.
  2. Enter the Server IP.
  3. Enable Firewall Log.
  4. Click the OK button to apply the settings.

a screenshot of DrayOS syslog and mail alert setup

2. Check the Firewall Syslog List in the DrayTek Syslog Utility. The network administrator will receive an alert from the router whenever an IP in the blacklist attempts to access it.

a screenshot of DrayTek syslog utility

Then go to Diagnostics >> Syslog Explorer on the router's setup page; there you will also see that the IP is blocked.

a screenshot of DrayOS Syslog Explorer

Blocking the unknown IP on Vigor3900

1. Go to the Objects Setting >> IP Object page and add the unknown IP as an IP Address.

  1. Give a profile name.
  2. Select Single as Address Type.
  3. Enter the unknown peer IP as Start IP Address.

a screenshot of Vigor3900 IP Object

2. Go to the Objects Setting >> Time Object page and add a Time Object.

  1. Give a profile name.
  2. Select Weekdays as Frequency.
  3. Enter Start Time, End Time and Weekdays.

Note: Enter a Start Time that is later than, but close to, the current time, and an End Time a little earlier than the Start Time. For example, if the current time is 15:55, enter 16:00:00 as the Start Time and 15:59:59 as the End Time. Once the firewall rule has taken effect, this Time Object can be removed.

3. Go to the Firewall >> Filter Setup page, create an IP Filter Group, then click Add to create an IP Filter Rule that blocks the unknown peer IP.

  1. Check Enable.
  2. Select Block as Action.
  3. In Time Schedule >> Time Object, select the Time object created in the previous step.
  4. In Time Schedule >> Advanced Setting, select Clear Session when Scheduler is on.
  5. In Source IP, select the IP object created in the previous step.
  6. Apply the setting.

a screenshot of Vigor3900 Firewall Rule setup

another screenshot of Vigor3900 Firewall Rule setup

After that, we will see this kind of Firewall log instead of the VPN log:

<13>Dec 27 17:13:02 Vigor: [Clear Session] Delete conntrack by ip_filter_set_rule : unknown
<135>Dec 27 17:13:07 Vigor: [IPF-unknown] BLOCK src ip mac 00:1d:aa:xx:xx:xx dst ip proto udp DPT=500, skbmark=10000002/0
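The syslog alerts described above (the Firewall Syslog List in the DrayTek Syslog Utility, and the [IPF-...] BLOCK lines shown here) are easier to act on when a syslog server parses them and counts how often each source keeps dialing the VPN ports. The script below is an added example, not DrayTek code. It assumes the line layout shown in this article, with the source and destination addresses following the words "src" and "dst" (the article's own sample line has those values redacted as "ip", which the parser tolerates), and the VPN_PORTS table is an assumption about which ports the router listens on; the sample log lines are constructed with documentation address ranges.

```python
"""Parse DrayTek Vigor [IPF-...] firewall syslog lines and count blocked VPN dial attempts.

Added example, not DrayTek's code. Assumed: the src/dst values follow the
words "src" and "dst" (the article's sample line redacts them as "ip"), and
VPN_PORTS lists the ports the router listens on for VPN.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed: VPN listening ports on Vigor Router (IKE, IPsec NAT-T, PPTP, L2TP).
VPN_PORTS = {500: "IKE", 4500: "IPsec NAT-T", 1723: "PPTP", 1701: "L2TP"}

# Syslog PRI = facility * 8 + severity (RFC 5424, section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                          # PRI, e.g. <135>
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "    # Dec 27 17:13:07
    r"(?P<host>\S+): "                              # Vigor:
    r"\[IPF-(?P<rule>[^\]]+)\] (?P<action>\w+) "    # [IPF-unknown] BLOCK
    r"src (?P<src>\S+) mac (?P<mac>\S+) "           # src <ip or redacted> mac <mac>
    r"dst (?P<dst>\S+) proto (?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def _as_ipv4(token: str) -> Optional[str]:
    """Return the token if it is an IPv4 address, else None (e.g. redacted 'ip')."""
    try:
        return str(ipaddress.IPv4Address(token))
    except ValueError:
        return None


def parse_ipf_line(line: str) -> Optional[dict]:
    """Return the fields of an [IPF-...] firewall line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "rule": m.group("rule"),
        "action": m.group("action"),
        "src": _as_ipv4(m.group("src")),   # None when the address is redacted
        "mac": m.group("mac"),
        "dst": _as_ipv4(m.group("dst")),
        "proto": m.group("proto").lower(),
        "dport": int(m.group("dpt")),
    }


def summarise_vpn_blocks(lines: List[str], threshold: int = 3) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Count BLOCK events per source IP and VPN service, and flag repeat dialers.

    Returns (counts, offenders): counts maps source IP -> {service: n};
    offenders lists source IPs whose blocked VPN attempts reach the threshold.
    Non-VPN ports and non-BLOCK actions are ignored.
    """
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_ipf_line(line)
        if ev is None or ev["action"] != "BLOCK" or ev["dport"] not in VPN_PORTS:
            continue
        src = ev["src"] or "<redacted>"
        counts[src][VPN_PORTS[ev["dport"]]] += 1
    offenders = sorted(ip for ip, c in counts.items() if sum(c.values()) >= threshold)
    return {ip: dict(c) for ip, c in counts.items()}, offenders


# Constructed sample log lines (documentation address ranges, not real peers).
SAMPLE_LOG = [
    "<13>Dec 27 17:13:02 Vigor: [Clear Session] Delete conntrack by ip_filter_set_rule : unknown",
    "<135>Dec 27 17:13:07 Vigor: [IPF-unknown] BLOCK src 203.0.113.45 mac 00:1d:aa:11:22:33 dst 198.51.100.2 proto udp DPT=500, skbmark=10000002/0",
    "<135>Dec 27 17:13:09 Vigor: [IPF-unknown] BLOCK src 203.0.113.45 mac 00:1d:aa:11:22:33 dst 198.51.100.2 proto udp DPT=4500, skbmark=10000002/0",
    "<135>Dec 27 17:13:11 Vigor: [IPF-unknown] BLOCK src 203.0.113.45 mac 00:1d:aa:11:22:33 dst 198.51.100.2 proto udp DPT=500, skbmark=10000002/0",
    "<135>Dec 27 17:14:00 Vigor: [IPF-unknown] BLOCK src 192.0.2.9 mac 00:1d:aa:11:22:33 dst 198.51.100.2 proto tcp DPT=1723, skbmark=10000002/0",
    "<135>Dec 27 17:14:30 Vigor: [IPF-unknown] BLOCK src 192.0.2.9 mac 00:1d:aa:11:22:33 dst 198.51.100.2 proto tcp DPT=443, skbmark=10000002/0",
]

if __name__ == "__main__":
    counts, offenders = summarise_vpn_blocks(SAMPLE_LOG)
    for ip, per_service in counts.items():
        print(ip, per_service)
    print("repeat VPN dialers:", offenders)
```

The threshold is deliberately low for the sample; on a real syslog feed, raise it and run the summary over a time window so that a single legitimate retry does not look like a persistent dialer. The "Clear Session" line from the article does not carry an [IPF-...] tag and is skipped, which is why the session teardown and the subsequent BLOCKs show up as separate events.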

Published On: 2019-07-08 
