blocking a range of IP addresses on WAN from accessing LAN
AronS
Newbie ✭
I have an NSA220 on which I am trying to block a range of external (WAN) IP addresses so they cannot access (or try to access) our internal (LAN) IP addresses. I created an address object in NETWORK and then an Access Rule in FIREWALL following the attached screenshot, but used WAN for the address object zone assignment, and in the Access Rule I switched the From to WAN and the To to LAN. However, I am still seeing the IP addresses in Connection Monitor, so it doesn't appear they are blocked. I'm guessing I did something wrong?
Category: Mid Range Firewalls
Answers
The default Access rules on a Sonicwall block all inbound WAN to LAN connections already. Are you sure the WAN side is initiating the connection?
Hi @ARONS,
Thank you for visiting SonicWall Community.
In SonicWall, by default we block all WAN to LAN traffic with the default access rule as below:
Source: Any, Destination: Any, Service: Any, Action: Deny.
If you have modified this default access rule to Allow, then you may require a new rule to block the traffic from WAN to LAN. If you see connections from the IP addresses that are supposed to be blocked, could you please send me a screenshot of the Connection Monitor page and the Access Rules page, highlighting the IP address(es) in question?
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @AronS
This seems to be some internal app/backdoor trying to make a connection to some unknown WAN IP (LAN to WAN).
I also faced the same issue and created a LAN to WAN deny rule as well as a WAN to LAN one.
We have Terminal Services configured for remote desktop connections. The traffic I'm seeing consists of attempted connections to our RDP systems. They aren't initiated by our LAN systems, so I don't think that blocking LAN to WAN would be relevant to my issue.
Hi @AronS,
Do you have the default WAN to LAN Deny rule in place or have you allowed any Terminal Service ports from WAN to LAN in the SonicWall?
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @AronS
From a security perspective, it's not recommended to open the RDP ports.
For Terminal Services access, it is recommended to use SonicWall SSL VPN / GVC.
The default WAN to LAN deny rule is in place.
You should not have RDP access open to the internet. This is a huge security risk and will eventually get you hacked or ransomwared.
To answer the initial question: if you ARE going to run like this, you should either severely limit the IPs allowed to access the RDP systems in your allow rule, or play the cat-and-mouse game of manually adding IPs to your deny rule, or disable all RDP access and force users to connect with a VPN client first, or get an updated firewall with at least comprehensive security services and enable GeoIP filtering, etc.
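The options in this last answer (restrict the allow rule to known sources, or maintain a deny rule for unwanted ranges) come down to how the rule table is ordered and matched. The following is an added example, not code from the thread or from SonicWall: a small Python model of zone-based access rules that assumes priority-ordered, first-match evaluation with an implicit deny, uses constructed documentation-range addresses, and shows why a deny rule placed below a broad RDP allow rule never fires, while a source-restricted allow rule blocks every other source by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One access rule: zones, source/destination network (CIDR or 'any'), service port, action."""
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    dport: Optional[int]  # None matches any service
    action: str           # "allow" or "deny"


def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and _in_net(src_ip, rule.src) and _in_net(dst_ip, rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins (assumed priority-ordered evaluation); no match falls through to deny."""
    for rule in rules:
        if matches(rule, src_zone, dst_zone, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed sample values (RFC 5737 documentation ranges), not taken from the thread.
BLOCKED_RANGE = "198.51.100.0/24"   # the WAN range the poster wants to keep out
ADMIN_RANGE = "203.0.113.0/24"      # the only WAN range that should reach RDP
RDP_HOST = "10.0.0.25/32"           # hypothetical internal Terminal Services host
RDP = 3389
DEFAULT_DENY = Rule("WAN", "LAN", "any", "any", None, "deny")
OPEN_RDP = Rule("WAN", "LAN", "any", RDP_HOST, RDP, "allow")
DENY_RANGE = Rule("WAN", "LAN", BLOCKED_RANGE, "any", None, "deny")
ALLOWLIST_RDP = Rule("WAN", "LAN", ADMIN_RANGE, RDP_HOST, RDP, "allow")

FACTORY = [DEFAULT_DENY]  # factory default: only the WAN->LAN deny, nothing gets in
# Deny rule added *below* a broad RDP allow: the allow matches first, so the blocked
# range is never denied and its connections keep showing up in Connection Monitor.
SHADOWED = [OPEN_RDP, DENY_RANGE, DEFAULT_DENY]
DENY_FIRST = [DENY_RANGE, OPEN_RDP, DEFAULT_DENY]  # same rules, deny moved above the allow
ALLOWLIST = [ALLOWLIST_RDP, DEFAULT_DENY]  # the thread's preferred option: restrict the allow rule


def rdp_verdict(rules: List[Rule], src_ip: str) -> str:
    """Verdict for an inbound WAN->LAN RDP attempt from src_ip against the given rule table."""
    return evaluate(rules, "WAN", "LAN", src_ip, "10.0.0.25", RDP)
```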