Blocking Inbound Traffic

When configuring a network firewall with EnGenius ESG Security Gateways, it's essential to consider the direction of traffic. Outbound traffic, such as users browsing the internet, is initiated by internal network users. Inbound traffic, on the other hand, involves external sources attempting to connect to the network. These scenarios are managed differently because, generally, internal users can be trusted more than external internet connections.

Controlling outbound traffic is straightforward: create an allow rule using the Layer 3 Firewall. This rule applies to 1:1 NAT, Port Forwarding, and standard WAN traffic. More details about the outbound firewall feature are available under Firewall Rules. Inbound firewall control, however, operates differently.

The inbound firewall denies any traffic that does not have a session initiated by a client behind the ESG. This setup allows internal client machines to connect with necessary resources but prevents external devices from initiating connections with internal client machines.

For instance, consider PC, located on the internet, and Server, located within the ESG's LAN. If PC attempts to send traffic to Server, the ESG checks for an existing session between PC and Server.

  • If an existing session is found, the traffic is allowed through.

  • If no existing session is found, the traffic is dropped.

The inbound firewall's ability to track existing connections makes it a stateful firewall. Both inbound and outbound firewalls on the ESG are stateful.

Both Port Forwarding and 1:1 NAT include a section for Allowed remote IP, which controls which external addresses can initiate connections. Addresses specified here can connect through the designated public ports. The Any keyword grants access to any address, or multiple addresses can be listed if separated by commas. By specifying which addresses should communicate with internal nodes, unsolicited connections are prevented.

Example: Port Forwarding and 1:1 NAT Rules

Below is an example of both Port Forwarding and 1:1 NAT rules:

Port Forwarding
1:1 NAT

Traffic Flow Using a Port Forwarding Rule

Using the port forwarding rule above, suppose PC attempts to connect to the ESG's WAN IP on TCP port 50000.

  1. Traffic Initiation: PC initiates traffic to ESG on TCP port 50000.

  2. Rule Check: The ESG checks if the packet matches any forwarding rules. If no match is found, the traffic is dropped. If a match is found, it is allowed.

In this example, the inbound traffic is allowed because it meets the port forwarding rule criteria:

  • Protocol is TCP

  • Public port used is 50000

  • Source IP is 100.1.1.1

  • Traffic from this IP address is allowed due to the Any rule in the Allowed remote IP section.

It's recommended to restrict the addresses listed in the Allowed remote IP field of a port forwarding and/or 1:1 NAT rule, rather than using Any, to prevent unsolicited connections.
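As an added illustration (not EnGenius code), the decision flow described above modelled in Python: a session table for LAN-initiated connections plus Port Forwarding rules whose Allowed remote IP field is either Any or a comma-separated list. The WAN IP 203.0.113.10 and the sample rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed model of the ESG inbound decision; not the product's implementation.
@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ForwardRule:
    proto: str
    public_port: int
    allowed_remote: str = "Any"  # "Any" or comma-separated IPs, like the Allowed remote IP field

    def permits(self, flow: Flow) -> bool:
        if flow.proto != self.proto or flow.dst_port != self.public_port:
            return False
        if self.allowed_remote.strip().lower() == "any":
            return True
        allowed = {ip_address(a.strip()) for a in self.allowed_remote.split(",") if a.strip()}
        return ip_address(flow.src_ip) in allowed


class StatefulInbound:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # 5-tuples of LAN-initiated flows, as seen on the WAN side after NAT

    def outbound(self, flow: Flow) -> None:
        # A LAN client initiates a connection; record it so the reply can come back.
        self.sessions.add(flow)

    def inbound(self, flow: Flow) -> str:
        # 1. Reply to an existing session: the reversed tuple matches a recorded outbound flow.
        reverse = Flow(flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        if reverse in self.sessions:
            return "allow (existing session)"
        # 2. Unsolicited traffic is allowed only if a forwarding rule (and its remote-IP list) matches.
        for rule in self.rules:
            if rule.permits(flow):
                return "allow (port forwarding rule)"
        # 3. Anything else is dropped.
        return "drop"
```

The page's example, PC 100.1.1.1 reaching TCP 50000 with Allowed remote IP set to Any, is allowed by step 2; with a restricted list, an address not on it is dropped at step 3.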

Conclusion

Restricting inbound access is crucial for enhancing network security. By limiting inbound connections or controlling outbound replies, unwanted traffic can be minimized, thereby protecting the network from potential threats.
