Layer 3 Firewall

Outbound Rules

You can configure outbound rule (Access Control List) statements to permit or deny specific traffic between VLANs or from the LAN to the Internet. These outbound rules can be based on protocol, source IP address and port, and destination IP address and port. Please note that outbound rules do not apply to VPN traffic. To configure firewall rules affecting traffic between VPN peers, please refer to Link


Configured firewall rules operate on a flow basis. This means that once a rule change is made, existing flows continue unaffected until they time out. The new rule then applies to any subsequent flows, determining whether the traffic is permitted or denied.


Note: In NAT/Routed mode, all inbound connections are denied by default. To permit additional inbound traffic, you must create a new port forwarding rule or NAT policy that explicitly allows connections based on specific protocols, ports, or remote IP addresses.

Outbound connections/rules are permitted by default. For compliance and enhanced security, customers may need to add a default deny rule.

Outbound rule example

To add a new outbound firewall rule, click Add Rule.

  • Policy: Determines whether the ACL statement permits or blocks traffic that matches the specified criteria.

  • Description: Allows you to add additional information or comments about the rule.

  • Protocol: Specify the type of traffic (TCP, UDP, ICMP, or Any).

  • Source IP: Supports individual IPs or CIDR subnets. Multiple entries can be comma-separated. Using "Any" specifies all networks. The source IP or CIDR subnet must be from the subnets configured in Gateway > Interfaces > LAN. "Any" covers all subnets configured in this section.

  • Destination: Supports individual IPs, CIDR subnets, or FQDNs. Multiple entries can be comma-separated. Using "Any" specifies all networks.

  • Src Port and Dst Port: Supports individual port numbers or port ranges. Multiple ports can be entered comma-separated, but port ranges cannot be entered comma-separated.

FQDN Support

FQDN-based L3 firewall rules are implemented by monitoring DNS traffic. When a client device tries to access a web resource, the ESG tracks the DNS requests and responses to identify the IP of the web resource. Important considerations include:

  1. The ESG must see both the client DNS request and the server's response to map the IP accurately. This applies to all DNS requests, not just from specific clients. DNS communication within the same VLAN is not monitored.

  2. If a client has cached DNS information or static DNS entries, the ESG may not block or allow traffic correctly if no new DNS request is generated for inspection.

Allowed Services

This allows you to configure the services that are permitted to access the EnGenius Gateway.

Allowed Services

ICMP Ping: Use this setting to allow the EnGenius Gateway to reply to inbound ICMP ping requests coming from the specified address(es). Supported values for the remote IP address field include None, Any, or a specific IP range (using CIDR notation). You can also enter multiple IP ranges separated by commas.

Both Routed mode and Passthrough mode are supported.

Site-to-site VPN Firewall Rule

Administrators can add firewall rules to control traffic through the VPN tunnel for an ESG gateway. This stateful firewall will block traffic only if it does not match an existing flow. These rules apply to all networks in the organization that use site-to-site VPN, including both AutoVPN and non-EnGenius networks.

To create a site-to-site VPN firewall rule, follow the steps below.

  1. Navigate to Configure > Gateway > Site-to-site VPN.

  2. Select Add a rule in the VPN Outbound Rules.

  3. Fill in the parameters for the rule.

VPN Outbound Rules

Considerations for VPN Firewall Rules

When configuring VPN firewall rules, it’s crucial to block traffic as close to the originating client device as possible to minimize VPN tunnel traffic and enhance network performance. Therefore, site-to-site firewall rules are applied only to outgoing traffic. Consequently, the ESG cannot block VPN traffic initiated by non-EnGenius peers.

The following example illustrates a misconfigured site-to-site firewall rule. Because site-to-site firewall rules apply only to outbound traffic, this rule is ineffective: its source subnet is not a LAN subnet on the ESG.

Incorrect VPN firewall rule

In contrast, the following rule is correctly configured: Traffic from the 10.0.1.0/24 subnet will be blocked from reaching the 10.0.2.0/24 subnet because 10.0.1.0/24 is a LAN subnet on the ESG.

Correct VPN firewall rule
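As an added example (not EnGenius code), the following Python models the outbound rule fields described above together with the site-to-site check from this section: the first matching rule decides, unmatched outbound traffic is permitted by default, and a VPN rule is only effective when its source falls inside an ESG LAN subnet. LAN_SUBNETS, the Rule class and the parsing helpers are assumptions made for this illustration; FQDN destinations are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed LAN subnets standing in for Gateway > Interfaces > LAN (assumption).
LAN_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("192.168.1.0/24")]
def parse_nets(spec):
    """'Any' -> None (wildcard); otherwise comma-separated IPs or CIDR subnets."""
    if spec.strip().lower() == "any":
        return None
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]
def parse_ports(spec):
    """'Any' -> None; comma-separated ports, or one 'lo-hi' range (ranges cannot be comma-separated)."""
    s = spec.strip().lower()
    if s == "any":
        return None
    if "-" in s:
        lo, hi = (int(x) for x in s.split("-"))
        return set(range(lo, hi + 1))
    return {int(p) for p in s.split(",")}

@dataclass
class Rule:
    policy: str            # "allow" or "deny"
    protocol: str = "any"  # tcp, udp, icmp or any
    src: str = "Any"       # source IP(s)/CIDR(s); must be an ESG LAN subnet
    dst: str = "Any"       # destination IP(s)/CIDR(s) (FQDN resolution not modelled)
    src_port: str = "Any"
    dst_port: str = "Any"

    def matches(self, proto, sip, sport, dip, dport):
        def in_nets(ip, nets):
            return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
        def in_ports(port, ports):
            return ports is None or port in ports
        return (self.protocol.lower() in ("any", proto.lower())
                and in_nets(sip, parse_nets(self.src)) and in_nets(dip, parse_nets(self.dst))
                and in_ports(sport, parse_ports(self.src_port))
                and in_ports(dport, parse_ports(self.dst_port)))
def evaluate(rules, proto, sip, sport, dip, dport):
    """First matching rule decides; with no match, outbound traffic is permitted by default."""
    for rule in rules:
        if rule.matches(proto, sip, sport, dip, dport):
            return rule.policy
    return "allow"
def vpn_rule_is_effective(rule, lan_subnets=LAN_SUBNETS):
    """Site-to-site rules act on outgoing traffic only: every source subnet must lie inside an ESG LAN subnet."""
    nets = parse_nets(rule.src)
    return nets is None or all(any(n.subnet_of(lan) for lan in lan_subnets) for n in nets)
```

Appending a final Rule("deny") to the list reproduces the explicit default-deny posture mentioned in the Outbound Rules section.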
