G3100 Firewall schedule to block access
Eludium-Q36
Enthusiast - Level 2

Given the rise in network intrusion and ransomware, I want to schedule my G3100 firewall to block all incoming access to my 20+ devices LAN during work/vacation/etc. I don't use remote access so that's not an issue. As I understand things currently, firewall rules are used to restrict outbound access, not incoming. (I've already set the firewall IPv4 security level to Medium and IPv6 (which isn't being used) to max.) How do I accomplish this scheduling within the G3100? (please don't suggest external things like using timers on a surge protector.) 


Re: G3100 Firewall schedule to block access
gs0b
Community Leader

To be honest, unplugging it or putting it on a timer will be easiest.

If you don't want to do that, use parental controls to set an access schedule.  The downside is  you'll need to setup a schedule for each of your 20+ devices.

Re: G3100 Firewall schedule to block access
Cang_Household
Community Leader

@Eludium-Q36 wrote:

As I understand things currently, firewall rules are used to restrict outbound access, not incoming.


I think the reality is just the opposite of your statement. Because of NAT, a router does not know where to forward incoming packets unless the connection was established from the LAN. This creates a de facto firewall blocking all incoming traffic. Nevertheless, a NAT is not a competent replacement for a firewall.

To be safe, I think you want to disable all outbound traffic along with the inbound traffic that is disabled by default. IoT devices will send your public IP address to their company servers periodically. When their servers are compromised, hackers can gain backdoor access to the IoTs and take control of your smart lightbulbs, cameras, speakers, etc. IoT Internet access should always be blocked.

Re: G3100 Firewall schedule to block access
Eludium-Q36
Enthusiast - Level 2

Aargh, I just recalled the GRC Shields Up site from way back when. That was THE go-to site to test your router for vulnerabilities, but it'd been so long since I used it that it had slipped my mind, but it's still there, and updated! So I ran its various intrusion detection and vulnerability tests against my G3100 and the router is virtually impregnable! The only minor test it failed was the "ping" test, which revealed the existence-only of my router; otherwise it was unnoticeable. Below is the result of the main router test for my G3100. I feel much better now and am confident I don't need to take any of the other measures I had first written about. Thanks for your replies:


Re: G3100 Firewall schedule to block access
gs0b
Community Leader

I'll just say this: ShieldsUp tests a tiny portion of anything a security-conscious network operator should care about. It is NOT a security tool, just a feel-good web site that pretty much any modern router will pass.

Re: G3100 Firewall schedule to block access
dslr595148
Community Leader

@gs0b wrote:

I'll just say this: ShieldsUp tests a tiny portion of anything a security-conscious network operator should care about. It is NOT a security tool, just a feel-good web site that pretty much any modern router will pass.


I'll add my two cents about grc.com too.

The only times that it talks about blocking outbound connections are:

#1 Leak Test (grc.com -> freeware -> security -> leak test). This is more about software firewalls blocking outbound connections because of, for example, spyware/adware.

#2 Browser Headers (grc.com -> research -> historical -> file downloading spyware). This is more about the RealNetworks RealDownload, Netscape/AOL Smart Download, or NetZip Download Demon utilities adding custom headers to track you over the net (read: spyware).

#3 SN (grc.com -> services -> Security Now!). This is a podcast. The only thing that I read/heard about outbound connections there has more to do with VLANs, so that for example IoT units can get online but not see your other, more private network. I believe he mentioned using pfSense to create the VLAN to do that task.

#4 SSL Test (grc.com -> services -> Certificate Revocation).

#5 Another SSL test (grc.com -> services -> HTTPS Fingerprints).

#6 DNS Nameserver Spoofability Test (grc.com -> services -> DNS Spoofability Test).

Re: G3100 Firewall schedule to block access
dslr595148
Community Leader

NAT routers by default block all incoming unsolicited traffic.

So, for example, here is what that means.

If you were to ask what the IP address behind the domain name google is from behind your NAT router, your NAT router will allow the answer to that question to come through the NAT router.

However, if someone else on the outside were to ask that same question, not from behind the NAT router, by default the NAT router drops that traffic.
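The behaviour described in this post (and in Cang_Household's reply above) as a small stateful-NAT simulation. This is an added example, not code from the thread or from the G3100 firmware; all addresses are constructed from the RFC 5737 documentation ranges, and the resolver at 198.51.100.53 and the outsider at 192.0.2.99 are hypothetical.

```python
from dataclasses import dataclass
import itertools

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

class NatRouter:
    """Toy stateful NAT: an outbound LAN flow creates a mapping; an inbound packet is
    forwarded only if it matches one. Anything else from the WAN is unsolicited and dropped."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self.ports = itertools.count(40000)   # WAN ports handed out, one per flow
        self.wan_to_lan = {}                  # (proto, wan_port, rip, rport) -> (lan_ip, lan_port)
        self.lan_to_wan = {}                  # reverse index so a repeated flow reuses its port
        self.dropped = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: remember the flow and rewrite the source to the WAN address."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.lan_to_wan.get(flow)
        if wan_port is None:
            wan_port = next(self.ports)
            self.lan_to_wan[flow] = wan_port
            self.wan_to_lan[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: forward only if a LAN host opened this exact flow."""
        lan = self.wan_to_lan.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.wan_ip or lan is None:
            self.dropped.append(pkt)          # unsolicited: the router has nowhere to send it
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1], pkt.proto)

def demo():
    """Replays the post's DNS example with constructed addresses."""
    r = NatRouter("203.0.113.7")
    # A LAN host asks the (hypothetical) resolver for google's address; the answer comes back.
    q = r.outbound(Packet("192.168.1.20", 51515, "198.51.100.53", 53))
    answer = r.inbound(Packet("198.51.100.53", 53, r.wan_ip, q.src_port))
    # An outsider sends the same kind of query at the router: no mapping exists, so it is dropped.
    stranger = r.inbound(Packet("192.0.2.99", 4444, r.wan_ip, 53))
    return {"answer_to": (answer.dst_ip, answer.dst_port), "stranger": stranger, "dropped": len(r.dropped)}
```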

Re: G3100 Firewall schedule to block access
dslr595148
Community Leader

Now, besides what others and I have said earlier, there is at least one way to block access when you are away.

Option one.

#1 Log-in to the NAT router and go to Parental Controls

#2 The UI will look something like what you see at

https://setuprouter.com/router/verizon/fios-g1100/access-control-65721-large.htm

https://setuprouter.com/router/verizon/fios-g1100-v2/access-control-92124-large.htm

#3 At step one in the UI, select all of the devices from the list.

#4 At step two in the UI, select Block All Internet Access

#5 Then create a schedule as when to do this (read: days and times).

#6 Save/Apply your rule.

Option two if there is one.

#1 Make sure that all of the computers use Wi-Fi, except yours.

#2 Log-in to the NAT router and go to Wireless Settings -> Advanced -> Wireless MAC Authentication.

#3 When you do not want anyone using the network

a) Put a check mark next to Enable Access List, set it to Accept all Devices Listed Below and keep the list blank.

Side Very Important Note: As to why not:

Put a check mark next to Enable Access List, set it to Accept all Devices Listed Below and put your computers in there.

The problem with that is that MAC/Physical/Hardware Addresses are always sent in the clear regardless of encryption (read: SSL or WPA as examples) and it is possible to spoof/clone the MAC Address!

By keeping that list blank (that is if the NAT router even allows that), good luck spoofing the MAC Address because none is/are defined. 😉

b) Anyways, moving along: Save/Apply your setting.

c) Disconnect the wired connection from your computer to the NAT router.

d) Profit 🙂

#4 When you do want to allow using the network

a) Connect the wired connection from your computer to the NAT router.

b) Remove the check mark next to Enable Access List.

c) Save/Apply your setting.

d) If you desire to use wireless, now you can disconnect your computer's wired connection and switch to wireless.

e) Profit. 🙂

It is true regarding security: it is always going to be security vs. convenience.