Contemporary Controls: Understanding IP Router Firewall Settings
February 28, 2022
IP routers connect two Internet Protocol (IP) networks together—passing appropriate traffic while blocking all other traffic using either a wired or wireless connection. Features like a firewall make the Wide Area Network (WAN) connection as secure as possible, but properly setting the firewall is a common IP router setup issue.
IP routers connect separate networks, allowing information to travel between devices located on different subnets. The networks may be physically separate, such as between a building management system and the Internet, or they may be logically separate, such as a machine subnet that shares cabling with an area controller. One side of the router is connected to the larger network called the WAN, while the other side is connected to the Local Area Network (LAN).
These two sides are logically separated by a firewall that puts up a barrier between the two subnets. It is a filter, allowing or restricting data traffic. Firewalls are flexible, allowing you to modify the blocking rules by protocol, by port, or by application software.
The firewall looks at the contents of the messages that pass through it. It allows messages from the local side to freely traverse through to the WAN side, while blocking the messages originating from the WAN side to reach the LAN side. This offers protection to the local devices behind the firewall. Messages or responses related to the requests from the LAN side devices are allowed through the firewall. The ability of the firewall to look at the messages and allow the related messages by looking at their status coincides with the term Stateful Firewall Inspection. The firewall is enabled by default on the Contemporary Controls IP routers for security.
While the messages originating from the WAN side are blocked, there is also the need to access LAN side devices for configuration and programming. The IP routers provide the ability to access these LAN side devices using advanced features, such as Network Address Translation (NAT), Port Forwarding and Port Range Forwarding, to go through the firewall. The IP routers provide the ability to enable or disable the firewall, but if using any of these advanced features, the firewall should be left enabled. If the firewall is disabled, then the IP router is just connecting two subnets together and no messages from the WAN side are blocked. Hence there is no need to use the advanced features like NAT, Port Forwarding or Port Range Forwarding to access the LAN side devices and these settings are not used. While setting up these advanced features, the common issue seen is that the firewall has been disabled on the IP routers because the user forgets to turn it back on after inadvertently turning it off while testing. Or, the user incorrectly assumes that the firewall must be disabled to traverse the firewall for LAN side device access.
