why is CMG blocking access?
Q: I've configured a CMG to act as a simple router, just to connect to the ISP WAN and do routing only. But somehow it's blocking normal browsing access, although I can ping external web sites from the LAN. I've not configured any access rules to block traffic at all, so what's blocking my access?
Below is my config, which is supposed to be very simple....
---------------------------------------------------
!
interface eth0
enable
ip address 200.124.242.170/30 remark WAN
!
interface eth1
enable
ip address 201.125.201.65/27
!
interface eth3
ip address 192.168.1.253/24
!
ip route 0.0.0.0/0 nexthop 200.124.242.169
!
firewall-input 10 permit all tcp dport 22
!
---------------------------------------------------
A: The problem is triggered by the "firewall-input" config....
mbox CMG by default runs as a router, and it will just route/forward traffic based on its routing table, without any blocking.
However, once you enable any firewall rules, you turn mbox into a firewall, and by default a firewall blocks everything unless explicitly permitted.
The above config has a firewall-input rule which permits access to the mbox local SSH service only and blocks everything else. It is good practice to do that; however, this rule also automatically turns on the firewall function on mbox, so it will also block accesses passing through mbox unless explicitly permitted.
When things go wrong, especially when accesses are not passing through, the best tool to use is always tcpdump. Do a tcpdump on the WAN and LAN interfaces; if you only see traffic on one side (either LAN or WAN), it means traffic is blocked.
If you use "show firewall access-list" to check, it will say "No firewall-access lists configured." But that doesn't mean it's not enforcing any access control, because it's now running as a firewall. So anything not explicitly permitted will be denied, except for some default permissions. If you use "show firewall access-list all", you will see the default firewall access-list:
mbox# show firewall access-list all
Chain FORWARD (policy DROP 21 packets, 860 bytes)
pkts bytes target prot opt in out source destination
1949K 397M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ state RELATED,ESTABLISHED
10481 528K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT udp -- * * 0.0.0.0/0 255.255.255.255 /* DEFAULTHIDE99 */ udp dpts:67:68
1558 136K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpt:53
1 44 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpt:5060
6 242 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
From the above you will see that the default rules permit DNS (UDP/53) and ICMP to pass through; that's why you could ping external URLs but couldn't browse them, because no http/https browsing rules were added explicitly.
If you simply want to permit all access (e.g. you may have another, more sophisticated firewall on the LAN to control access), just add the last rule below (firewall-access 10 permit all). It will permit/route all accesses.
---------------------------------------------------
!
interface eth0
enable
ip address 200.124.242.170/30 remark WAN
!
interface eth1
enable
ip address 201.125.201.65/27
!
interface eth3
ip address 192.168.1.253/24
!
ip route 0.0.0.0/0 nexthop 200.124.242.169
!
firewall-input 10 permit all tcp dport 22
!
firewall-access 10 permit all
!
---------------------------------------------------
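The reasoning in the answer above (default policy DROP, a handful of DEFAULTHIDE99 rules letting ICMP, DNS and already-established flows through, nothing for new HTTP/HTTPS connections) can be checked mechanically against the chain listing rather than by eye. The following is an added example, not code from the original post or from the mbox product: it parses the iptables-style FORWARD chain exactly as printed by "show firewall access-list all" (the listing is embedded as a constructed sample) and walks it the way the kernel would for a given packet, treating non-terminating targets such as TCPMSS as "keep going" and falling through to the chain policy. The interface names eth3 (LAN) and eth0 (WAN), the destination addresses (TEST-NET ranges) and the assumption that "firewall-access 10 permit all" becomes an ACCEPT-all rule at the end of FORWARD are all assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample: the FORWARD chain from the "show firewall access-list all" output above.
SAMPLE_CHAIN = """\
Chain FORWARD (policy DROP 21 packets, 860 bytes)
 pkts bytes target prot opt in out source destination
1949K 397M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ state RELATED,ESTABLISHED
10481 528K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT udp -- * * 0.0.0.0/0 255.255.255.255 /* DEFAULTHIDE99 */ udp dpts:67:68
1558 136K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpt:53
1 44 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpt:5060
6 242 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # TCPMSS and friends do not end traversal
HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


@dataclass
class Rule:
    target: str
    proto: str                      # "all", "tcp", "udp", "icmp"
    in_if: str                      # "*" = any, "tun+" = prefix wildcard
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]   # (low, high) or None = any port
    states: frozenset               # empty = any conntrack state
    comment: str


@dataclass
class Chain:
    name: str
    policy: str
    rules: List[Rule]


def parse_chain(text: str) -> Chain:
    """Parse one chain of 'iptables -L -v -n' style output (what the mbox listing shows)."""
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2), [])
            continue
        if line.startswith("pkts") or chain is None:
            continue
        f = line.split()
        # columns: pkts bytes target prot opt in out source destination [match extras...]
        target, proto, in_if, out_if = f[2], f[3], f[5], f[6]
        src, dst = ipaddress.ip_network(f[7]), ipaddress.ip_network(f[8])
        comment, states, dports = "", frozenset(), None
        extras, i = f[9:], 0
        while i < len(extras):
            tok = extras[i]
            if tok == "/*":                       # /* comment words */
                j = extras.index("*/", i)
                comment = " ".join(extras[i + 1:j])
                i = j + 1
                continue
            if tok == "state":                    # state RELATED,ESTABLISHED
                states = frozenset(extras[i + 1].split(","))
                i += 2
                continue
            if tok.startswith("dpt:"):            # udp dpt:53
                p = int(tok[4:])
                dports = (p, p)
            elif tok.startswith("dpts:"):         # udp dpts:67:68
                lo, hi = tok[5:].split(":")
                dports = (int(lo), int(hi))
            i += 1
        chain.rules.append(Rule(target, proto, in_if, out_if, src, dst, dports, states, comment))
    return chain


def _iface_match(pattern: str, name: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def evaluate(chain: Chain, proto: str, dst: str, dport: Optional[int] = None,
             state: str = "NEW", in_if: str = "eth3", out_if: str = "eth0",
             src: str = "192.168.1.10") -> Tuple[str, str]:
    """Walk the chain top-down like netfilter; return (verdict, rule comment or 'policy')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain.rules:
        if r.proto != "all" and r.proto != proto:
            continue
        if not _iface_match(r.in_if, in_if) or not _iface_match(r.out_if, out_if):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.states and state not in r.states:
            continue
        if r.dports and (dport is None or not r.dports[0] <= dport <= r.dports[1]):
            continue
        if r.target in TERMINATING:
            return r.target, r.comment
        # non-terminating match (e.g. TCPMSS clamp): packet continues down the chain
    return chain.policy, "policy"


def with_permit_all(chain: Chain) -> Chain:
    """Model the fix 'firewall-access 10 permit all' (assumed to append an ACCEPT-all rule)."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    permit = Rule("ACCEPT", "all", "*", "*", anywhere, anywhere, None, frozenset(),
                  "firewall-access 10 permit all")
    return Chain(chain.name, chain.policy, chain.rules + [permit])


if __name__ == "__main__":
    fwd = parse_chain(SAMPLE_CHAIN)
    for label, args in {
        "ping 203.0.113.10 (icmp)": dict(proto="icmp", dst="203.0.113.10"),
        "DNS to 198.51.100.53 (udp/53)": dict(proto="udp", dst="198.51.100.53", dport=53),
        "HTTPS SYN to 203.0.113.10 (tcp/443)": dict(proto="tcp", dst="203.0.113.10", dport=443),
    }.items():
        print(f"{label:40} before: {evaluate(fwd, **args)}  after fix: {evaluate(with_permit_all(fwd), **args)}")
```

The walk reproduces the symptom in the question: the ICMP rule and the udp dpt:53 rule return ACCEPT, while a new TCP SYN to port 80 or 443 matches only the non-terminating TCPMSS rule and ends on the chain's DROP policy, which is also why "show firewall access-list" reporting no configured lists is misleading. Appending the permit-all rule flips the verdict for the SYN without touching the default rules.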