I have an RB750 router and I use a Bell HH2000 modem. I understand the HH2000 cannot be set in a true bridge mode, but using Quickset I have set the router “address acquisition” to PPPoE and can connect to the internet without trouble (I believe this gets me to as close as possible to a real bridge mode). My concern is the default firewall rules. Because I am connecting using PPPoE, do I have to change the firewall rules to reflect this, or do the default rules still “work” without any changes if connecting with PPPoE?
Here are the default rules:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
I’ll try and dig and find out. I have had the router for a few years but recently started from scratch and did a reset on it so set everything back to default.
Can you point me in the right direction on where to look for the interface lists?
I guess I’m trying to set the router up just using the default settings, so I’m hoping the firewall rules will be OK for me when using PPPoE with the Bell modem.
The interface lists are in the interfaces menu (second tab).
However, the way the new default firewall is organized is such that a new interface (like a PPPoE client) is automatically protected against outside traffic.
You can put it in the WAN interface list when you like, but when it is not in any list at all it will be safe regardless (because of the use of !LAN (NOT LAN) to drop unwanted traffic).
That makes me feel better knowing for the most part I’m still protected. I just wasn’t sure if using PPPoE required me to also change the firewall rules.
In the interface list it does show three entries:
LAN - bridge
WAN - ether1
WAN - pppoe-out1
Is that after you put pppoe-out1 there, or was that automatically added?
Did you add the PPPoE client yourself or did you use the QuickSet and select PPPoE there?
I presume it was the latter situation. The QuickSet wizard does everything as it should be.
Before this change (the interface lists and the new firewall) there were lots of people who added PPPoE manually and without knowing they had no internet-side firewall at all.
That has now been improved, as even when you do that now the firewall still works OK.
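Added example, not part of the thread: a small Python model of first-match evaluation over the default rules quoted above, showing what happens to a new inbound connection on pppoe-out1 when the interface is in the WAN list (the QuickSet result shown in the thread) and when it is in no list at all. The packet fields, the 203.0.113.10 address and the helper names are constructed for illustration; the model assumes RouterOS accepts a packet that no rule matches and covers only the matchers these rules use.

```python
# Default rules from the post above ("add" and comments dropped for brevity).
RULES = """
chain=input action=accept connection-state=established,related,untracked
chain=input action=drop connection-state=invalid
chain=input action=accept protocol=icmp
chain=input action=accept dst-address=127.0.0.1
chain=input action=drop in-interface-list=!LAN
chain=forward action=accept ipsec-policy=in,ipsec
chain=forward action=accept ipsec-policy=out,ipsec
chain=forward action=fasttrack-connection connection-state=established,related
chain=forward action=accept connection-state=established,related,untracked
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

def matches(key, want, pkt, lists):
    """True if one matcher (key=want) applies to the packet; '!' negates."""
    negate, want = want.startswith("!"), want.lstrip("!")
    if key == "in-interface-list":
        hit = pkt["in-interface"] in lists.get(want, set())
    elif key == "ipsec-policy":
        hit = pkt.get(key) == want      # sample packets carry no IPsec policy
    else:
        hit = pkt.get(key) in want.split(",")
    return hit != negate

def verdict(chain, pkt, lists):
    """First terminating rule whose matchers all apply decides the packet."""
    for line in RULES.strip().splitlines():
        rule = dict(field.split("=", 1) for field in line.split())
        if rule.pop("chain") != chain:
            continue
        action = rule.pop("action")
        if all(matches(k, v, pkt, lists) for k, v in rule.items()):
            if action in ("accept", "drop"):   # fasttrack falls through
                return action
    return "accept"  # assumption: an unmatched packet is accepted

# Constructed sample: a new, un-NATed TCP connection arriving on the PPPoE link.
NEW_FROM_PPPOE = {"in-interface": "pppoe-out1", "connection-state": "new",
                  "protocol": "tcp", "dst-address": "203.0.113.10",
                  "connection-nat-state": "none"}
QUICKSET = {"LAN": {"bridge"}, "WAN": {"ether1", "pppoe-out1"}}  # as in the thread
MANUAL = {"LAN": {"bridge"}, "WAN": {"ether1"}}  # pppoe-out1 in no list

for name, lists in (("QuickSet", QUICKSET), ("manual, unlisted", MANUAL)):
    print(name, {c: verdict(c, NEW_FROM_PPPOE, lists) for c in ("input", "forward")})
```

The input chain drops the connection in both cases because of `in-interface-list=!LAN`. The last forward rule matches only interfaces in the WAN list, so in this model keeping pppoe-out1 in WAN, as QuickSet does, is what makes that rule apply to forwarded traffic.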