LANCOM Support Knowledgebase Document No. 1902.2212.5548.RHOO - V1.90

LCOS version 10.30 and later: Configuring layer-7 application control in the firewall



Description:

As of LCOS version 10.30 you can create application-specific rules in the firewall of a LANCOM router with which Internet applications (e.g. Facebook, Netflix, etc.) can be
  • allowed
  • blocked
  • limited or
  • prioritized.

By means of layer-7 application control, you can keep control over which applications are used on your network.

This document describes how to configure layer-7 application control in the firewall of a LANCOM router.



Requirements:
  • LANtools version 10.30 or later (download)
  • LCOS version 10.30 or later (download)


The LANCOM router must operate as a DNS server or DNS forwarder in the network. Clients on the local network must use the router as a DNS server. In addition, clients need to be prevented from using DNS-over-TLS and DNS-over-HTTPS (also in the browser) directly with external DNS servers.

This can be achieved with the following options:
  • The DHCP server has to communicate the IP address of the router as a DNS server. The Internet Setup Wizard configures this by default.
  • Firewall rules have to be set up to prevent the direct use of external DNS servers, e.g. by blocking the outgoing port 53 for clients on the source network.
  • Firewall rules have to be set up that prevent the direct use of external DNS servers that support DNS-over-TLS, e.g. by blocking the outgoing port 853 for clients on the source network.
  • Disable DNS-over-HTTPS (DoH) in the browser.


Notes on how to synchronize the firewall's DNS database:

Since the firewall learns its information from the DNS requests of the clients, in certain situations the DNS database will be incomplete. This can happen in the following situations:
  • A new firewall rule is added, but the client still has a cached DNS entry.
  • The router was restarted when the client already has a cached DNS entry.

Helpful in these cases are emptying the DNS cache on the client, rebooting the client, or a time-out of the DNS record on the client.

The router’s own services, such as ping, are not handled by the firewall rules. By sending a ping to a full DNS name (without wildcard expressions), the generation of rule resolutions (DNS to IP addresses) can be performed on-demand either from the command line (once) or by a cron job.
    Info:
    Different DNS names that resolve to the same IP address cannot be distinguished. In this case, the first rule that references one of these DNS names will apply. That should not be a problem for large service providers. However, it could occur with small websites hosted by the same vendor.



Example scenario:

As the following illustration shows, you can use layer-7 application control to regulate the use of a wide variety of Internet applications.


  • This example configuration uses a deny-all strategy in the firewall of the LANCOM router. For this, all services are initially blocked by the firewall, and what should be allowed is permitted with explicit firewall rules.
  • Two Internet connections are available:
    • INTERNET1 with routing tag 0 and
    • INTERNET2 with routing tag 1
  • Use of the Internet in and of itself is allowed, although users should not be allowed to use the service “Facebook”.
  • Use of the service “Youtube” should be allowed, although the available bandwidth should be limited and “Youtube” may only be used via the connection INTERNET2.


Procedure:

The two Internet connections used in this example are already functional.
  • The connection INTERNET1 in the IP routing table is set as a default route with the routing tag 0.
  • The connection INTERNET2 is set as a default route with the routing tag 1.



1) Configuring a firewall rule to block the “Facebook” service:

1.1) In order to reference DNS destinations in firewall rules, the destinations first have to be configured in the menu Firewall/QoS -> General -> Application-based routing.

By default the list of DNS destinations already contains entries for the services Facebook, Youtube, Netflix and Salesforce. Further information about the DNS destination lists is available in the LCOS Reference Manual.



1.2) Open the menu Firewall/QoS -> IPv4 rules -> Rules and add a new firewall rule.



1.3) Give the new rule a meaningful name.



1.4) Since the Facebook service should not be available, the action must be set as the REJECT object.



1.5) The rule should apply for all stations on the local network (LOCALNET) and for connections to the DNS destination FACEBOOK.



1.6) Save your new firewall rule with the OK button.



2) Configuring a firewall rule to use and limit the “Youtube” service:

2.1) To limit a bandwidth, you first go to the menu Firewall/QoS -> IPv4 rules -> Firewall objects -> Action objects and add a separate object.

2.2) Give the new action object a meaningful name.



2.3) Configure the following conditions:
  • The action should execute when data is transmitted over a default route.
  • A global max. of 1 Mbps of the total available bandwidth should be available for Youtube.
  • If the limit is exceeded, the IP packets should be dropped.



2.4) Save the action object with the OK button.

2.5) Open the menu Firewall/QoS -> IPv4 rules -> Rules and add a new firewall rule.
  • Give the new rule a meaningful name.
  • As the service “Youtube” should operate exclusively over the connection INTERNET2, you should set the routing tag to the value 1.



2.6) Use the action object you created in steps 2.2 and 2.3 for limiting the bandwidth.



2.7) The rule should apply for all stations on the local network (LOCALNET) and for connections to the DNS destination YOUTUBE.



2.8) Save your new firewall rule with the OK button.



2.9) Write the configuration back to the LANCOM router.

    Note:
    For application-based routing, there is the new parameter FW-DNS for the trace command. It can monitor changes to the firewall database of DNS destinations:
    • If a DNS packet arrives, it outputs the packet along with the affected wildcard expressions and destinations.
    • If the TTL (time-to-live) of an entry expires, it outputs the associated record along with the relevant wildcard expressions and destinations.
    • If one of the two firewalls registers or de-registers a DNS destination because its configuration has changed.
    • If there is a change to the tables Setup -> Firewall -> DNS-Destinations or Setup -> Firewall -> DNS-Destination-List.

Catchwords: firewall; dns; sd-wan; cloud; office 365; ip address; rules
Please review this document! This document was helpful This document was not helpful