Home » Lantronix Manuals » Electronics Accessories » Lantronix X300 Series » Manual Viewer

Lantronix X300 Series X300 Series User Guide Rev B - Page 161

Firewall Zones, Packet filtering actions

View all Lantronix X300 Series manuals

Add to My Manuals
Save this manual to your list of manuals

Page 161 highlights

11: Network Parameters Drop invalid packet Input Output Forward Description Check to drop the invalid packets that are not matching any active connection. Select to accept or reject the inbound traffic to all the interfaces. Select to accept or reject the outbound traffic from all the interfaces. Select to accept or reject the forwarded traffic from all the interfaces. Firewall Zones Two firewall zones, the LAN zone and WAN zone, are predefined in the gateway. All traffic from LAN to WAN has no restrictions but all incoming traffic from WAN source is blocked unless a port forwarding rule is set or unless a particular port is opened. A zone section groups one or more interfaces and serves as source or destination for forwarding, rules, and redirects. A zone is defined by the following rules:  Masquerade (NAT) of outgoing traffic (WAN) is controlled on a per zone basis on the outgoing interface.  INPUT rules describe what happens to traffic trying to reach the gateway through an interface in that zone.  OUTPUT rules zone describe what happens to traffic originating from the gateway going through an interface in that zone.  FORWARD rules describe what happens to traffic passing between different interfaces in that zone. Packet filtering actions  ACCEPT - traffic is allowed to pass as if there is no firewall in place. If the port at the destination is closed, a response will be returned as if a Reject rule is in place.  DROP - the firewall discards the packet and sends no response back to the source host that sent the packet. The source host will wait for a response until a timeout occurs and may attempt to retry the connection after timeout occurs.  REJECT - the firewall discards the packet and sends a response back to the source host that the port is closed. Doing so can hint to the source that packet filtering firewall is in place. In general, use REJECT to deny traffic from trusted hosts by gracefully informing them that traffic is not allowed to pass. Use DROP to deny traffic from untrusted hosts or when you don't want expose information about the destination host. To configure firewall zones: 1. Go to Network > Firewall. 2. To add and configure a new firewall zone, click Add. 3. To modify settings for an existing firewall zone, click Edit. 4. Enter or modify the firewall zone settings. See Table 11-25. 5. Click Save. X300 Series IoT Cellular Gateway User Guide 161

Section	Page
X300 Series IoT Cellular Gateway User Guide	1
Contents	4
List of Figures	10
List of Tables	11
1: About this Guide	15
Purpose	15
Summary of Chapters	15
Additional Documentation	17
2: Introduction	18
Key Features	18
InfiniShield™ Security	18
Software Features	18
Lantronix Software Services	19
Applications	19
SKU Information	19
Hardware Components	21
General Specification	21
Front Panel	22
Back Panel	24
LEDs	25
Cellular	26
SIM Slot	27
Antenna Connections	27
Certified Antennas	27
Antenna Selection	27
Ethernet Port (LAN)	28
Serial Port	29
Power Input	30
Power Consumption	30
Reset Button	30
Product Label	31
3: Installation	32
Package Contents	32
User Supplied Items	32
Accessories	33
Preparing to Install	34
Enabling DHCP Client on Your Computer	34
SIM Card Management	34
SIM Card Activation	34
SIM Management Portal	35
Second SIM Card	35
Lantronix Connectivity Services Links	35
Physical Installation	35
Insert SIM Card	35
Connect the Antennas	37
Connect the AC Power	37
Connect the Gateway to a Computer	38
Connect using Wi-Fi	38
Connect using Ethernet	38
Default Configuration	40
Web Admin Page	40
Wireless Access Point SSID	40
Default Interface Configuration	40
4: Web Administration Interface	41
Logging In	42
Change Passwords After Initial Login	43
Logging Out	44
5: Using Lantronix Provisioning Manager	45
Installing Lantronix Provisioning Manager	45
Accessing the Gateway Using Lantronix Provisioning Manager	45
6: Quick Setup	46
Quick Setup	46
7: Status	48
Overview (Page)	48
System Status	48
ConsoleFlow Status	49
Memory Status	50
MWAN Interfaces Status	50
Firewall Status	50
Network Status	51
Cellular Status	52
Network Status	53
Active DHCP and DHCPv6 Leases Status	53
Wireless Status	54
Dynamic DNS Status	54
Routes	55
System Log	56
Kernel Log	56
Processes	56
Realtime Graphs	57
Load	57
Traffic	58
Wireless	58
Connection	59
Load Balancing	61
Interface	61
Detail	61
Diagnostics	61
Troubleshooting	61
8: System	62
System	62
General Settings	62
Logging	63
Time Synchronization	64
Language and Style	65
Administration	65
Router Password	65
SSH Access	65
SSH-Keys	66
Software	66
Configure OPKG	67
Startup	68
Initscripts	68
Local Startup	69
Scheduled Tasks	69
LED Configuration	70
Backup / Flash Firmware	72
Actions	72
Configuration	73
Custom Commands	73
Write Custom Shell Command	73
Run Custom Shell Command	74
Reboot	74
Schedule a Reboot	74
9: VPN	76
IPsec (Internet Protocol Security)	76
OpenVPN	80
OpenVPN Instances	80
Template-based Configuration	82
Predefined templates	82
Edit the template-based configuration	82
OpenVPN Configuration File	82
Edit the OVPN Configuration File	82
10: Services	83
Agents	83
DOTA	84
Lantronix Server	84
Custom Server	84
Dynamic DNS	86
External Filesystems	89
GPS	90
Description of NMEA Messages	91
GPGGA Format	92
GPRMC Format	93
GPGSV Format	94
GPGSA Format	95
GPVTG Format	96
Keepalived	98
Keepalived Configuration	98
Logs Information	101
Page Selector	101
Reporting Agent	102
Sending Data	103
Data Format	104
Service Actions	104
SMS	105
SMS Configuration	105
SMS AT Commands	105
Ethernet SMS	108
Live Message	109
SNMPD	110
SNMP Architecture	110
SNMP Versions	110
SNMP Configuration	111
Agent Behavior	111
View-based Access Control Model (VACM)	111
SNMPv3 with User-based Security Model (USM)	112
System Information and Monitoring	112
Active Monitoring	112
Configure SNMPv1 or SNMPv2	113
Configure SNMPv3 with USM	113
SNMPTRAPD	120
SNMP-TRAP Configuration	120
uHTTPd	123
Web Server Configuration	123
Self-Signed SSL Certificate Parameters	125
11: Network	126
Interfaces	126
Interfaces Overview	126
Interface Status	128
Interface Protocols	129
Protocol Descriptions	130
Static Address	130
DHCP Client	132
DHCPv6 Client	134
PPPoE	135
QMI Cellular	138
CELLULAR Interface	140
LAN Interface	141
DHCP Server	141
WWAN and WWAN6 Interface	143
Add Virtual Interface	144
Relay Bridge	147
Wireless	148
Wireless Network Configuration	149
DHCP and DNS	152
General Settings	152
Resolv and Host Files	153
TFTP Settings	153
Advanced Settings	154
Static Leases	155
Hostnames	156
Static Routes	156
Static IPv4 Routes	156
Static IPv6 Routes	157
Diagnostics	159
Firewall	160
General Settings	160
Firewall Global Settings	160
Firewall Zones	161
Port Forwards	163
Add Port Forwarding Rule	163
Traffic Rules	164
Add Traffic Rule	165
Custom Rules	166
QoS	167
Load Balancing	169
How it works	169
Globals	169
Interfaces	170
Members	172
Policies	173
Rules	175
Notification	176
12: Bluetooth	177
Bluetooth Settings	177
Configure Bluetooth settings	177
Scan for and Pair a Device	177
Bluetooth SPP	178
Configure Bluetooth SPP Connection	179
Configure Tunnel SPP Slave	179
Configure Tunnel SPP Master	179
13: ConsoleFlow	181
Client	181
ConsoleFlow Line	182
14: Discovery	184
Query Port	184
15: Serial	185
Serial Line Statistics	185
Serial Line Configuration	185
16: SSL	187
Credentials	187
Trusted Authorities	188
17: Tunnel	190
Tunnel Statistics	190
Tunnel Modbus RTU to Modbus TCP	190
Tunnel Accept	191
Tunnel Connect	194
Hosts	195
Connecting Multiple Hosts	196
Tunnel Disconnect	197
A: Compliance Information	198
FCC Statement	199
Federal Communication Commission Interference Statement	199
ISED Statement	200
EU Declaration of Conformity	201
EU Statements	204
RF Output Power of X303F202S	210
RF Output Power of X304G002S	211
B: Power Cable Schematic	212
Power Cable Schematic	212
C: List of Acronyms and Protocols	213

Match case Limit results 1 per page

11: Network

X300 Series IoT Cellular Gateway User Guide

161

Firewall Zones

Two firewall zones, the LAN zone and WAN zone, are predefined in the gateway. All traffic from

LAN to WAN has no restrictions but all incoming traffic from WAN source is blocked unless a port

forwarding rule is set or unless a particular port is opened.

A zone section groups one or more interfaces and serves as source or destination for forwarding,

rules, and redirects. A zone is defined by the following rules:



Masquerade (NAT) of outgoing traffic (WAN) is controlled on a per zone basis on the outgoing

interface.



INPUT rules describe what happens to traffic trying to reach the gateway through an interface

in that zone.



OUTPUT rules zone describe what happens to traffic originating from the gateway going

through an interface in that zone.



FORWARD rules describe what happens to traffic passing between different interfaces in that

zone.

Packet filtering actions



ACCEPT – traffic is allowed to pass as if there is no firewall in place. If the port at the

destination is closed, a response will be returned as if a Reject rule is in place.



DROP – the firewall discards the packet and sends no response back to the source host that

sent the packet. The source host will wait for a response until a timeout occurs and may

attempt to retry the connection after timeout occurs.



REJECT – the firewall discards the packet and sends a response back to the source host that

the port is closed. Doing so can hint to the source that packet filtering firewall is in place.

In general, use REJECT to deny traffic from trusted hosts by gracefully informing them that traffic

is not allowed to pass. Use DROP to deny traffic from untrusted hosts or when you don’t want

expose information about the destination host.

To configure firewall zones:

Go to Network > Firewall.

To add and configure a new firewall zone, click

Add

To modify settings for an existing firewall zone, click

Edit

Enter or modify the firewall zone settings. See

Table 11-25

Click

Save

Drop invalid packet

Check to drop the invalid packets that are not matching any active

connection.

Input

Select to accept or reject the inbound traffic to all the interfaces.

Output

Select to accept or reject the outbound traffic from all the interfaces.

Forward

Select to accept or reject the forwarded traffic from all the interfaces.

Parameters

Description