Packet Flow Basics & FW Rules.

I have not seen a fundamental breakdown of the Packet Flow at a level that I can grasp. (RouterOS - RouterOS - MikroTik Documentation).

What I would like to do is break it down for basic traffic first, then how the default FW rules affect traffic, but with real world information.
In other words work my way around the diagram.

Before I get to tracing real world traffic as per below, I think it would be worthwhile to discuss blocks in the diagram so that the tracing flows faster LOL.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Scenario

  1. Fibre ISP, internet comes through their VLAN24 network.
  2. Hex Router, WAN1 to be set up for Fibre ISP (assuming WAN is set up as DHCP static 0.0.0.0 IP and mask 0.0.0.0). Plus create VLAN24 on HEX and assign to WAN1
  3. Ether 2 -5 standard simple HEX LAN 192.168.88.1 gateway.
  4. PC on ether2 assigned 192.168.88.10
  • normal web browsing
  • Https bank sessions
  • Host FTP server non encrypted

Packet Flow Tracking
(traffic that passes)
A. web browsing to a website
B. web site visit encrypted (Bank)
C. Incoming unsolicited traffic for FTP server (password entry)

(traffic that is stopped)
D. Scans/ probes from threat vectors (PC bot etc).
E. Rogue application (or evil link in email) phoning home.

(FW rules)
default rules in place (invalid connection, not on this LAN, and DNAT)
IP Firewall FILTER with address lists
IP Firewall FILTER (input) vs IP RAW (prerouting)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

BLOCK DISCUSSION

Block Entry - Physical In-Interface: I'm assuming this refers to the actual physical entry point into the router for traffic and could be one of five ports (HEX router).
Block Exit - Physical Out-Interface: I'm assuming this refers to the actual physical exit point for traffic out of the router and could be one of the five ports.

Block 1 - In-Interface Bridge Port Decision Box: I'm assuming this is asking, is the traffic coming in on the WAN or LAN?
If WAN go to MPLS Traffic decision box.
If LAN go to A. Bridging Block

Don’t get lost in it. I think the important parts for you are:

  • Bridge is like a switch. It’s transparent by default and you no longer worry about individual interfaces (ports). For routing, think about bridge interface as a simple interface like ethernet.
  • The most useful image from the linked page for you is:

  • All routed packets go first in prerouting, where it’s decided where they will go next.
  • Packets to router itself will continue to input.
  • Packets destined elsewhere will go to forward and later to postrouting.
  • Packets originating from router will start in output and continue to postrouting.
  • If you use NAT, then destination is changed in dstnat (e.g. for forwarded ports) and source in srcnat (e.g. main NAT that hides your local network behind one address on WAN interface).

Just allow stuff you need and block everything else by default. In most cases, you don’t need to allow anything from internet.

No chance. The rogue application won’t be stupid and will use standard http(s), so you won’t be able to distinguish it from other traffic. Not on router anyway. You’d need output filtering on your PC, where you can tell request from e.g. web browser from others. And even that doesn’t solve the evil link problem.

Awesome start there SOB,

I didn't realize that second diagram could be so useful.
So the way I read the order,

  1. Outgoing packet (from PC on LAN). Starts in output as stated. Decides which interface to go out (WAN)… then ensures that there are no FW filters blocking the departure. Assuming connection tracking is an internal flag (sequential numbering). It is not clear where the SNAT is done (private IP changed to WAN IP).
    Not sure if there is a forwarding flow here at all?

  2. Return packet (originating behind the LAN) goes to prerouting, it basically has nothing to do with hotspot-in or raw prerouting, it hits connection tracking, I am assuming it gets assigned a tracking flag or something (sequential number), then hits DST-NAT. This is where the router checks if there is a Port Forwarding (virtual server) rule for the packet (from the WAN, matches port, and where to send it (LAN IP)). I'm assuming it skips the input chain (not going to the router) and goes straight to Forwarding. Here it gets forwarded to the right bridge/interface, and then it looks like it checks to ensure the packet passes forwarding Filter rules, before going out to the device through a LAN port.

So I can sorta follow it on the blocks diagram but I get lost trying to follow a packet on the actual flow diagram.

  1. No. Packet from PC on LAN enters router via LAN interface, so it starts in prerouting and continues through forward and postrouting. And that’s also when source NAT happens (as the image shows).

  2. Mostly ok, except that every packet hits raw table in prerouting. It’s just that nothing happens there by default.
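To make the chain order discussed above (prerouting with raw, connection tracking and dstnat, then input or forward, then postrouting with srcnat) concrete, here is an added illustration that is not from the thread or from MikroTik: a small Python model of the routed-packet path, with the default firewall behaviour the thread mentions (drop input not from LAN, drop forward from WAN unless dst-natted, masquerade on the way out). Addresses, ports and the tcp/21 port forward are constructed for the scenario in the first post; bridge, hotspot, mangle and queue blocks are left out, and only the WAN-to-LAN reply direction is tracked by the toy connection table.

```python
# Toy model of the RouterOS routed-packet flow: prerouting -> input|forward -> postrouting.
# Constructed for illustration only; it is not RouterOS code.
from dataclasses import dataclass, field

ROUTER_LAN, WAN_IP, FTP_PC = "192.168.88.1", "203.0.113.5", "192.168.88.10"  # constructed addresses
PORT_FORWARDS = {21: FTP_PC}        # dstnat rule: new tcp/21 arriving on WAN -> FTP server on the LAN
conntrack = {}                      # (remote, remote_port, wan_port) -> LAN host hidden by masquerade

@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int; in_iface: str   # in_iface is "lan" or "wan"
    trace: list = field(default_factory=list)                   # every block the packet touches

def is_lan(addr): return addr.startswith("192.168.88.")

def route(p):
    """Walk one packet through the routed path, recording each block and the final verdict."""
    t = p.trace
    t.append("prerouting:raw")         # every packet hits raw; the default config has no rules there
    established = (p.src, p.sport, p.dport) in conntrack
    t.append("prerouting:conntrack " + ("established" if established else "new"))
    if established and p.in_iface == "wan":          # reply to a masqueraded flow: conntrack undoes srcnat
        p.dst = conntrack[(p.src, p.sport, p.dport)]
    elif p.in_iface == "wan" and p.dst == WAN_IP and p.dport in PORT_FORWARDS:
        p.dst = PORT_FORWARDS[p.dport]; t.append("prerouting:dstnat")   # port forward rewrites destination
    # routing decision: packets addressed to the router itself go to input, everything else to forward
    if p.dst in (ROUTER_LAN, WAN_IP):
        t.append("input")
        t.append("accept" if p.in_iface == "lan" else "drop: not from LAN")   # default input rule
        return p
    t.append("forward")
    if not established and p.in_iface == "wan" and "prerouting:dstnat" not in t:
        t.append("drop: from WAN, not dstnat")       # default forward rule
        return p
    t.append("accept")
    t.append("postrouting")
    if is_lan(p.src) and not is_lan(p.dst):          # masquerade happens last, only when leaving via WAN
        conntrack[(p.dst, p.dport, p.sport)] = p.src
        p.src = WAN_IP; t.append("postrouting:srcnat")
    t.append("out:" + ("wan" if not is_lan(p.dst) else "lan"))
    return p

if __name__ == "__main__":
    web = route(Packet("192.168.88.10", 40000, "198.51.100.20", 443, "lan"))   # scenario B, outgoing
    reply = route(Packet("198.51.100.20", 443, WAN_IP, 40000, "wan"))          # scenario B, reply
    ftp = route(Packet("198.51.100.7", 50000, WAN_IP, 21, "wan"))              # scenario C, port forward
    probe = route(Packet("192.0.2.9", 55555, WAN_IP, 8291, "wan"))             # scenario D, probe at router
    for pk in (web, reply, ftp, probe): print(" -> ".join(pk.trace))
```

Running it prints one trace per packet, which shows why a LAN PC's packet never visits output or input, and why the unsolicited FTP packet only reaches forward because dstnat rewrote its destination first.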