Layer 3 (L3) outbound firewall

The Needs / Function Introduction

As more and more devices are connecting to networks through Wi-Fi — laptops, phones, IoT devices, etc. And with all that wireless traffic, it’s becoming really important to control where those devices can go, especially when they try to access wired devices or the Internet.

That’s where the Layer 3 outbound firewall comes in. It gives us, as network admins, better control over outbound traffic from wireless clients.

With these firewall rules, we can decide whether to allow or block traffic going from Wi-Fi clients to the wired LAN or the Internet. This feature helps improve network security by managing outbound traffic from wireless clients to other network resources.

How it works

L3 firewall rules are defined to evaluate outbound traffic that is directed from wireless clients to the wired LAN or the Internet. The key components of how this works are as follows:

Top-Down Evaluation: Firewall rules are processed from top to bottom.
First Match Applies: The first rule that matches the traffic is applied, and all subsequent rules are ignored.
Default Rule: If no rule matches, the default rule is applied, which allows all traffic by default.
Stateless Behavior: L3 firewall rules are stateless, meaning each packet is evaluated independently, without tracking session state or connection history.
Rule Number Limit: Each AP supports up to 256 user-defined Layer 3 firewall rules.

Deny "Private Address" Setting

A key L3 firewall rule is the "Private Address" default rule, which allows administrators to easily and quickly control whether wireless clients can access wired and wireless devices within private address ranges

A common use case for this rule is in a "Guest SSID" scenario. By changing the policy for traffic destined to the private address from Allow to Deny, clients on the guest SSID will be prevented from accessing the private address but will still be able to connect to the Internet. This feature works in both Bridge Mode and NAT Mode.

For this firewall rule, private addresses refers to any destination IP address within the RFC1918 private address spaces:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Configuring the Private Address Deny Rule

To configure the Private Address Deny rule, follow these steps:

Navigate to Configure > Access Point > Select SSID > Firewall
Click the Edit button and then change the "Policy" for the row with Destination as Private Address from Allow to Deny.
Click Apply to save changes at the top right of the page.

Better to konw

If clients on this SSID need access to other subnets within the RFC1918 private address spaces, you'll need to configure an additional Layer 3 firewall rule to allow traffic to those subnets. This rule should be placed above the Private address rule in the list

Example Configuration

In this case, we want to block traffic from the 10.0.0.0/8 network to the 192.168.1.0/24 network but allow access to other remote networks like the Internet.

Here’s how it works with the rules:

Rule 1: Any traffic from 10.0.0.0/8 to 192.168.1.0/24 is blocked because it matches this rule with a "Deny" action.
Rule 2/3: The default rule allows all other traffic, so if traffic does not match Rule 1, it will be allowed.

As a result, traffic to the 192.168.1.0/24 network is blocked, while all other traffic — including Internet access and private addresses such as 172.16.1.1 — is still allowed.

Must know

ECW AP Firmware: v1.x.95 or above

Last updated 3 months ago

Was this helpful?