
Implementing IP block-list on WR21

0 votes
I would like to implement an IP block-list on multiple WR21 routers, as we are getting hundreds of hits captured by the firewall. What would be the fastest way of doing this, as there are too many addresses to enter as separate rules in the firewall?
asked Oct 28, 2015 in Digi TransPort by dansaund New to the Community (0 points)


3 Answers

0 votes
The correct way, if you have a publicly addressable address, would be to block by default and allow by exception.

So put in permit rules that are more specific to the connecting devices.

So use the source address instead of any.

This is the main issue when using firewalls: people let everything in and then try to block specific traffic.
answered Oct 29, 2015 by James.Wilson Veteran of the Digi Community (1,225 points)
Thanks - that would be my usual plan; however, in this case the routers are used in mobile monitoring equipment and we will not know the source IP address to block (plus they may change). I suppose we could allow via UK-allocated IP ranges, but the same question then applies - how to enter multiple IP ranges in the firewall script.
0 votes
This is why, in this sort of situation, the approach is to use a private APN and a private VPN into the operator, or the monitoring station also uses a cellular APN.

The second way would be to use VPN tunnels from the remote sites to a central point and do management from there over VPN.

If you want to go the other way, there are tables on the internet of the IP ranges in each country; at least that will reduce the number of attempts.
answered Oct 29, 2015 by James.Wilson Veteran of the Digi Community (1,225 points)
Thanks again James, wherever possible I always use a VPN into the device but sometimes it's not possible, then and only then as a last resort does a public IP get used.

I'd found the IP range tables on the internet, and my question was how to physically enter these multi-IP range tables into the firewall.  When I tried using the "|" character as "or" (as shown in the manual - example block in log break end from 1.80.0.0/13 | 1.92.0.0/14..) the firewall rejects this.  

So, just to clarify, my question is: physically, how do I enter multiple IP ranges into firewall scripts?
0 votes
OK, you would have to use a rule per block, but you could also use the label feature too.

pass in break Ports from 1.80.0.0/13 to any
pass in break Ports from 1.92.0.0/14 to any
pass in break Ports from y.y.y.y/x to any

block break end

Ports:
Pass break end from any to any port=22

regards
answered Oct 29, 2015 by James.Wilson Veteran of the Digi Community (1,225 points)
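Since the answer above needs one rule per range, a long country table is easier to handle by generating the script than by typing it. The following is an added example, not code from the thread or from Digi: it merges overlapping and adjacent ranges, rejects malformed entries, and emits rules in the layout shown in the answer. The rule syntax is copied from the answer and has not been checked against a device; build_rules, TAIL and SAMPLE are hypothetical names, and the sample list is constructed.

```python
import ipaddress

# Tail of the script, copied verbatim from the answer above: default block,
# then the "Ports" label that only lets port 22 through for permitted sources.
TAIL = ["block break end", "Ports:", "Pass break end from any to any port=22"]

def build_rules(lines):
    """Turn a CIDR list into one 'pass in break Ports' rule per range.

    Returns (rules, rejected). Adjacent and overlapping ranges are merged
    first, so the router gets the shortest equivalent rule set.
    """
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # allow comments in the list
        if not entry:
            continue
        try:
            # strict=True refuses entries with host bits set (likely typos)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:                   # the thread only covers IPv4
            rejected.append(entry)
            continue
        nets.append(net)
    merged = ipaddress.collapse_addresses(nets)
    rules = [f"pass in break Ports from {n} to any" for n in merged]
    return rules + TAIL, rejected

# Constructed sample list: the two ranges quoted in the thread plus
# documentation ranges chosen to show merging and rejection.
SAMPLE = """\
1.80.0.0/13
1.92.0.0/14
198.51.100.0/25
198.51.100.128/25   # adjacent halves, merge into one /24
198.51.100.0/24     # duplicate once merged
192.0.2.7/24        # host bits set
not-an-ip
"""

if __name__ == "__main__":
    rules, rejected = build_rules(SAMPLE.splitlines())
    print("\n".join(rules))
    for bad in rejected:
        print("rejected:", bad)
```

Review the rejected entries before loading the script, since a dropped range under a default block means those sources lose access.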
The firewall maintains a block list of source IP addresses that it’s blocking. When the firewall blocks a source IP address
