
Contivity Stateful Firewall 1


rstew3

Vendor
Jan 27, 2004
76
US
Hello all. I'm new to firewalls, and need some hints as to what I need to set up for basic internet connectivity. We have installed a Contivity 1740 with the stateful firewall, and I have weaseled my way through it in order to get out to the internet, but certain sites are not coming up, or things on the page are not showing. The sites that are coming up are often coming up very slowly.

Anyone have a list of basic things I need to allow/configure?

Thanks in advance.
 
Hi.. First you need to turn on FW under Services - FW/NAT.

If you want to NAT traffic to the internet you also need to turn on NAT on the interface.

After enabling FW and NAT, create a FW rule - start with any any accept, and second create a NAT rule.

NAT:
from any to any and action is "port NAT" to the Contivity's public interface.

:) Hope this helps!
 
I got that far already. I also have a couple of users created and successfully tested the VPN. What I need is a basic rule set for the firewall portion. We don't have an internal mail server, ftp server or anything like that, just basically using this service for internet access. When going to certain web sites like dell.com's "my account" page, the page will not load when users try to log in. I was told that I just needed to create a rule that allows all traffic that originates internally to go anywhere. Are there any other services/ports that I need to allow?
 
Interface specific rules, /base/group-name. Try to add a rule there; the ports that need to be open are: DNS and HTTP/HTTPS.
 
Create a rule for those coming inbound? I have already created the rule allowing any service originating locally to go out.

Thanks again for the help.
 
Inbound traffic, you don't need that..

If you have a mail server on the private LAN you should have an inbound rule..
 
Maybe a little late since this looks to be a stale post, but your speed issues are most likely due to the TCP MSS option being set to "disabled" on the LAN0/LAN1 interfaces. Go to the Interfaces configuration (where you would set the IP address), and set the TCP MSS option to Enabled. This will allow for packet fragmentation - you're probably noticing that low-graphics sites (like Yahoo) load fine, but high-graphics sites load slowly, if at all.

I think this feature first came out in 4.80 or 4.85 - don't remember which.
 
I got a chance to go sit at this site for a while, and I got the problem figured out. It was actually a problem with the MTU size and not the firewall.

An MTU size of 1500 is the default and the max an Ethernet frame can hold for a payload, but xDSL uses PPPoE (Point-to-Point Protocol over Ethernet), which adds a second 8-byte header to the packets. I had to set the MTU size to 1492 to allow for the second header.

Not only do the specific web pages that were not working come up, but all web traffic is now much faster.

Thanks to all for the input.
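The MTU problem described in the last post can be confirmed from a workstation before touching the firewall: send don't-fragment pings of increasing size and find the largest packet that still gets through. This is an added example, not code from the thread or from Nortel; it assumes a Linux-style `ping` that accepts `-M do` and `-s`, and the search is driven by a probe callable so it also runs offline against a simulated link.

```python
"""Path-MTU discovery for the PPPoE/1492 symptom discussed above (added example)."""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field


def pppoe_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet that still fits in one frame once PPPoE is added."""
    return ethernet_mtu - PPPOE_OVERHEAD


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS that matches an MTU: subtract IPv4 (20) and TCP (20) headers, no options."""
    return mtu - 40


def find_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 1500) -> int:
    """Binary-search the largest IP packet size for which probe(size) is True.

    probe(size) must return True when a don't-fragment packet of that total
    IP size reaches the destination, and False when it is dropped.
    """
    if not probe(low):
        raise RuntimeError("even the minimum probe failed; check connectivity first")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # fits: search upward
        else:
            high = mid - 1     # dropped: search downward
    return low


def ping_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe: one ping with DF set (assumes Linux iputils ping syntax)."""
    def probe(size: int) -> bool:
        payload = size - IP_ICMP_OVERHEAD
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
            capture_output=True)
        return result.returncode == 0
    return probe


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for a link whose PMTU is path_mtu (constructed for testing)."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    # Against a simulated PPPoE link this lands on 1492, matching the fix in the thread.
    print(find_path_mtu(simulated_link(pppoe_mtu())))
```

Replace `simulated_link(...)` with `ping_df_probe("example.org")` to probe a real path; a result of 1492 on a 1500-byte LAN points at exactly the PPPoE overhead the last post describes.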
 