Series 3: How do I customize IP Filter Rules to achieve greater security levels?

SUMMARY:

This document is intended to guide the Cradlepoint Administrator in the best ways to craft IP Filter Rules to achieve the desired level of security.

In order to exert more control over your network, you may decide to limit access to the Internet from your LAN, or limit which IP addresses or networks have access to your CradlePoint from the Internet. To assist with this, CradlePoint has added the IP Filter Rules feature to all Series 3 routers.

This article was written using router firmware version 5.0.0.

TERMS:

  • Port – An application-specific or process-specific software construct serving as a communications endpoint in a computer’s host operating system.
  • IP Source – The IP address and/or Port originating the traffic.
  • IP Destination – The IP address and/or Port that the traffic is bound for.

REQUIREMENTS:

  • Cradlepoint Series 3 products: AER2100, MBR1400, MBR1400v2, MBR1200B, IBR600, IBR650, CBR400, CBR450, CBA 750B or MBR95.

CONFIGURATION:

  1. Log into CradlePoint’s Admin Pages. For assistance accessing the router’s Admin Pages, click here.
  2. Once logged in, in the tabs across the top click on Network Settings > Firewall.
  3. In the box labeled Advanced IP Filter Rules, click Add.
  4. In the Add/Edit IP Filter Rule box, configure the rule as needed. Leaving an IP address or port field blank will create a rule that matches traffic with ANY value in that field. Checking the IP negation or port negation box will match all traffic EXCEPT traffic that matches that field.
  5. Click Submit.

USE CASES:

Depending on how hardened you want the security on your router, a multitude of rules can be created.  This document will cover creating rules to allow most common services and finish with a “Deny All” rule to block all other traffic.

  1. Allow LAN – create a rule that allows traffic from the LAN to the LAN.  This rule should always be added first if you plan on creating a “Deny All” rule, so you have admin access to the router.  The above screenshot illustrates how to create this rule, assuming the LAN is 192.168.0.0/24.
  2. DHCP – DHCP Discover packets are sent with a source IP of 0.0.0.0 and a destination IP of 255.255.255.255, so if you want to use DHCP you must create a rule to allow those networks if you plan on creating a “Deny All” rule.
  3. LAN HTTP – to allow users on the LAN to access web sites using port 80, create a rule to allow the LAN network to any address on port 80.
  4. LAN HTTPS – to allow users on the LAN to access web sites using port 443, create a rule to allow the LAN network to any address on port 443.
  5. WAN to NTP – for the router to be able to set the system clock, you must allow the WAN interface(s) access to the configured NTP server. The default NTP server, pool.ntp.org, uses many IP addresses, so you must create a rule that allows the WAN interface(s) to any IP address on UDP port 123.
  6. WAN to DNS – for the router to use DNS services, you must create a rule allowing the WAN interface(s) to your upstream DNS server(s).
  7. WAN to WPC – if you use WiPipe Central, you will need to create a rule that allows the WAN interface(s) to the IP address of the WPC server (services.cradlepoint.com) and vice versa. When this document was written, that IP address was 206.207.72.222.
  8. WAN to ECM – if you use Enterprise Cloud Manager, you will need to create a rule to allow your WAN interface(s) to the ECM server (cradlepointecm.com) and vice versa. When this article was written, that IP address was 198.61.136.185.
  9. Firmware check – to allow the router to check for firmware updates, you must create a rule to allow the WAN interface(s) to the firmware check server. When this article was written, that IP address was 23.253.54.16.
  10. Firmware update – to allow the router to download a firmware update, you must create a rule to allow the WAN interface(s) to the firmware download server. When this article was written, that IP address was 184.84.222.112.
  11. Firmware Update Via ECM – to allow a router managed by ECM to download a firmware update, you must create a rule to allow the WAN interface(s) to the firmware download server. When this article was written, the IP addresses were 63.80.4.16 and 63.80.4.41, so create a rule to allow 63.80.4.0/26.
  12. VPN – to allow traffic across a VPN, you must create rules that allow traffic between the two WAN interfaces of the VPN endpoints and rules allowing traffic between the two LANs that will communicate over the VPN.
  13. Deny All – to block all other traffic, create a DENY rule with all of the source and destination fields blank.
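To make the rule semantics above concrete (a blank field matches ANY value, negation inverts a field, and Allow LAN must come before Deny All), here is an added Python model of the use-case rule set. It is not Cradlepoint's code: it assumes first-match evaluation, an implicit allow when no rule matches, the LAN 192.168.0.0/24 from the use cases, and field names of its own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    # Model of one IP Filter Rule (field names are assumptions, not the router's schema).
    name: str
    action: str                      # "ALLOW" or "DENY"
    src_net: Optional[str] = None    # CIDR, e.g. "192.168.0.0/24"; None = blank = any
    dst_net: Optional[str] = None
    src_port: Optional[int] = None   # None = blank = any port
    dst_port: Optional[int] = None
    src_negate: bool = False         # the IP negation checkboxes
    dst_negate: bool = False

    @staticmethod
    def _ip_match(addr, net, negate):
        # A blank (None) field matches everything; negation inverts the match of a set field.
        hit = net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return hit != negate

    def matches(self, src_ip, dst_ip, src_port, dst_port):
        return (self._ip_match(src_ip, self.src_net, self.src_negate)
                and self._ip_match(dst_ip, self.dst_net, self.dst_negate)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))

def evaluate(rules, src_ip, dst_ip, src_port=0, dst_port=0):
    # Assumed first-match order: the first matching rule decides; no match means the
    # packet is allowed, which is why the Deny All rule has to be last.
    for rule in rules:
        if rule.matches(src_ip, dst_ip, src_port, dst_port):
            return rule.action, rule.name
    return "ALLOW", "(no rule matched)"

LAN = "192.168.0.0/24"
# Constructed rule set in the USE CASES order: Allow LAN first, Deny All last.
RULES = [
    Rule("Allow LAN", "ALLOW", LAN, LAN),
    Rule("DHCP", "ALLOW", "0.0.0.0/32", "255.255.255.255/32"),
    Rule("LAN HTTP", "ALLOW", LAN, dst_port=80),
    Rule("LAN HTTPS", "ALLOW", LAN, dst_port=443),
    Rule("Deny All", "DENY"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "192.168.0.10", "203.0.113.5", 51000, 22))  # ('DENY', 'Deny All')
    # Deny All placed first would also block the admin's own LAN session to the router:
    print(evaluate([RULES[-1]] + RULES[:-1], "192.168.0.10", "192.168.0.1", 51000, 80))
```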

EXAMPLES:

Rule #2 from above – DHCP: [screenshot]

Rule #3 from above – LAN to HTTP: [screenshot]

Rule #5 from above – WAN to NTP: [screenshot]

Rule #13 from above – Deny All: [screenshot]

The below screenshot shows a list of most of these rules configured on a router. The local router's WAN interface is 166.130.4.172 and has a VPN tunnel to a remote router at 166.241.162.155. In this example, the LAN is only allowed to send traffic over the VPN. All other traffic is denied.

[screenshot]

Category: Cradlepoint Series 3