Archibald
just joined
Topic Author
Posts: 1
Joined: Mon Nov 25, 2024 1:34 am

Why can I nmap using public IP from LAN?

Sun Dec 08, 2024 4:19 am

I set up my new RB5009 a while ago and stuck with the default firewall until I got everything else sorted out and had some more time to dive deeper into it, which was now.
So I started reading and watching tutorials, and in one the guy started without a firewall and used nmap on his public IP to show how this is a bad idea. So I did as well, just out of curiosity, and I found open ports as well, which surprised me, but only when connected to my LAN. When using my mobile hotspot or my neighbour's wifi I got nothing.
Now for me as a newbie in anything more than a consumer grade plug-it-in-and-it-works router that doesn't make any sense. I mean it's my public IP and in my understanding it shouldn't matter where I run nmap from?
Can somebody please explain what's going on or point me to some resources, because I couldn't find anything.
 
mkx
Forum Guru
Posts: 13049
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why can I nmap using public IP from LAN?  [SOLVED]

Sun Dec 08, 2024 10:50 am

When running default config, ROS relies on ingress interfaces rather than source or destination address. So when you try to establish connection to any of router's addresses, ROS first determines it's a connection to be handled by router itself ... hence it'll use FW chain=input. And then rules check in-interface-list ... and if you try to do connection from your LAN, then in-interface belongs to LAN interface list.

It is possible to rewrite rules so that they act on destination IP address ... but that becomes a RPITA if your WAN IP address is not manually set static value.

Fact is that, all in all, default firewall rules in recent ROS versions are very good ... much better than rules presented in most "random youtube tutorials". The main problem with those tutorials is that many of them are old and based on older ROS which came with an inferior default firewall setup. Another problem is that many tutorial authors didn't know very well what they were talking about. And "recipes" presented often apply to (more or less) specific cases.
So many people (myself included) here on this forum advise to start from default and adjust it to specific needs using the minimum number of changes. Studying packet flow helps to understand why rules behave the way they do.
 
Steveocee
Forum Guru
Posts: 1198
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Why can I nmap using public IP from LAN?

Sun Dec 08, 2024 3:16 pm

If you nmap your WAN from your LAN, your router sees it as a local request so you likely have different access rules for internal traffic (or maybe not).

Hotspot your phone, connect to it and try again for a true wan response.
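The ingress-based decision mkx describes (chain=input chosen because the destination is one of the router's own addresses, then rules matching on in-interface-list rather than on source or destination IP) and the LAN-versus-hotspot difference Steveocee points to, modelled in Python as an added example. This is not code from the thread or from MikroTik; the interface names (ether1, bridge), the addresses, and the trimmed ruleset are assumptions, with the ruleset following the shape of the defconf input chain. A second ruleset shows the destination-address variant mkx mentions, which only keeps working while the WAN address stays the same.

```python
# Added example (not from the forum thread or MikroTik): a small model of how
# RouterOS default firewall rules decide the fate of a packet addressed to the
# router itself. It shows why an nmap probe from the LAN to the public address
# is accepted (chain=input, in-interface-list=LAN) while the same probe from
# outside arrives on the WAN interface and is dropped.
#
# Assumptions (constructed, not from the thread): interface names, addresses,
# and the simplified ruleset below.

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int
    conn_state: str = "new"


# Constructed interface lists: ether1 is the WAN port, bridge is the LAN.
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}

# Constructed: addresses the router itself owns. A packet to one of these is
# handled by the router (chain=input); anything else is forwarded.
WAN_ADDR = "203.0.113.10"
ROUTER_ADDRS = {WAN_ADDR, "192.168.88.1", "127.0.0.1"}


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    comment: str
    in_list: Optional[str] = None        # in-interface-list=...
    negate_in_list: bool = False         # in-interface-list=!...
    conn_states: Optional[FrozenSet[str]] = None
    proto: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_list is not None:
            in_list = pkt.in_iface in IFACE_LISTS[self.in_list]
            if in_list == self.negate_in_list:   # "!LAN" matches when not in LAN
                return False
        if self.conn_states is not None and pkt.conn_state not in self.conn_states:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        return True


# Simplified input chain in the order of the RouterOS default configuration.
INPUT_CHAIN = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         conn_states=frozenset({"established", "related", "untracked"})),
    Rule("input", "drop", "defconf: drop invalid", conn_states=frozenset({"invalid"})),
    Rule("input", "accept", "defconf: accept ICMP", proto="icmp"),
    Rule("input", "accept", "defconf: accept to local loopback", dst="127.0.0.1"),
    Rule("input", "drop", "defconf: drop all not coming from LAN",
         in_list="LAN", negate_in_list=True),
]

# Variant mkx describes: match on the destination address instead of the
# ingress interface. It blocks LAN probes of the public address too, but the
# literal address must be kept current when the WAN address changes.
INPUT_CHAIN_BY_DST = INPUT_CHAIN[:4] + [
    Rule("input", "drop", "drop new connections to the public address", dst=WAN_ADDR),
    INPUT_CHAIN[4],
]


def select_chain(pkt: Packet) -> str:
    """Routing decision: to a router-owned address -> input, otherwise forward."""
    return "input" if pkt.dst in ROUTER_ADDRS else "forward"


def evaluate(pkt: Packet, rules=INPUT_CHAIN) -> Tuple[str, str]:
    """Return (chain, verdict). Reaching the end of chain=input with no match
    is an implicit accept, so the service listening on that port answers."""
    chain = select_chain(pkt)
    if chain != "input":
        return chain, "not-modelled"
    for rule in rules:
        if rule.matches(pkt):
            return chain, f"{rule.action} ({rule.comment})"
    return chain, "accept (end of chain, no rule matched)"


def probe_from(in_iface: str, src: str, dport: int, rules=INPUT_CHAIN) -> str:
    """Verdict for a new TCP SYN (one nmap probe) to the router's public address."""
    return evaluate(Packet(in_iface, src, WAN_ADDR, "tcp", dport), rules)[1]


if __name__ == "__main__":
    for iface, src in (("bridge", "192.168.88.20"), ("ether1", "198.51.100.7")):
        print(f"SYN to {WAN_ADDR}:8291 from {src} via {iface}: {probe_from(iface, src, 8291)}")
    print(f"same LAN probe, dst-address variant: "
          f"{probe_from('bridge', '192.168.88.20', 8291, INPUT_CHAIN_BY_DST)}")
```

Run as a script it prints the verdicts for the two probes: the LAN-originated SYN reaches the end of the chain and is accepted, the WAN-originated one hits the "drop all not coming from LAN" rule, and the destination-address variant drops the LAN probe as well. Nothing about the public IP itself drives the default decision, only which interface list the packet came in on.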
