Firewall setting and port forwarding with Cisco DPC3939B with 5 static IPs.
My setup is just a Cisco DPC3939B with 5 static IPs, no router, no firewall after it. It connects to an Ethernet switch just like all my other devices on the LAN do. The LAN is a Windows Active Directory domain with Exchange 2010, a web server, a few PCs, tablets, and a few IP cameras.
The LAN is 192.168.0.x/24. So, after Comcast told me the Cisco DPC3939B was enabled with the 5 static IPs, the first thing I did was change the LAN IP on the DPC3939B from 10.1.10.1 to 192.168.0.1, then disable its DHCP server. Now my PCs on the LAN can get IPs from the Windows DHCP server (and register with Active Directory) and get to the Internet through the DPC3939B at 192.168.0.1.
Then, the next step is to set up 1:1 NAT under Advanced, NAT:
Suddenly, my mail server gets incoming emails and my web server is browseable from Internet. Yay!
The question I have now is whether my servers are on the Internet totally unprotected, or whether the DPC3939B has a few ports opened by default to each of the 1:1 NAT addresses. Here is the confusing firewall menu in its default setting:
1. What is "Disable Firewall for True Static IP Subnet Only"?
2. When I check on "Disable Ping on WAN Interface" and click Save Settings, it unchecks itself. Bug?
3. It is by default at Minimum security. What is "Block as per below and enable IDS IDENT (port 113)"?
So, I googled around and this thread has a similar situation:
According to VBSSP-RICH, I need to uncheck "Disable Firewall for True Static IP Subnet Only", then go to Advanced, Port Mgmt, uncheck "Disable all rules and allow all inbound traffic through", and select "Block all ports but allow exceptions below":
Now, the MAIN QUESTION is: before I add any port-forwarding rules, my mail server still gets incoming emails (an mxtoolbox.com test gets a response from my mail server) and my web server is still browsable from the Internet. Why? Does it mean my servers are totally out in the open?
I hate this stupid DPC3939B. Yet I can't set it to bridge mode, and I don't want to invest in another router (one that can support multiple WAN IPs) and have one more device to manage.
What did I do wrong?
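The main question above ("are my servers totally out in the open?") is best answered empirically rather than by reading the DPC3939B menus: scan the static IPs from a host outside the modem and compare what actually answers with what the 1:1 NAT was meant to expose. The following is an added example, not part of the original post and not Cisco or Comcast tooling. It parses nmap "grepable" output (as written by `nmap -sS -p- -oG scan.gnmap <static IPs>` run from outside) and reports open ports that were never intended, intended services that do not answer, and the state of TCP/113, which the "IDS IDENT (port 113)" setting refers to. The scan text, the 203.0.113.x addresses (an RFC 5737 documentation range) and the per-IP allowlist are all constructed for the example and are not the poster's real addresses or services.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample of nmap -oG output, as if taken from a host outside the
# DPC3939B. 203.0.113.10 plays the mail server, 203.0.113.11 the web server.
# These are documentation addresses, not the poster's real static IPs.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample for illustration)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 113/closed/tcp//ident///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65530)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65533)
# Nmap done (constructed sample)
"""

# Hypothetical allowlist: what each 1:1 NAT address is *meant* to expose.
# Mail server: SMTP plus HTTP/HTTPS for OWA. Web server: HTTP and HTTPS.
INTENDED_TCP: Dict[str, Set[int]] = {
    "203.0.113.10": {25, 80, 443},
    "203.0.113.11": {80, 443},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")        # port/state/proto/...
IGNORED_RE = re.compile(r"Ignored State: (\w+)")   # state of every unlisted port


@dataclass
class HostScan:
    ports: Dict[int, str] = field(default_factory=dict)  # tcp port -> state
    default_state: str = "filtered"                       # nmap's "Ignored State"


def parse_gnmap(text: str) -> Dict[str, HostScan]:
    """Parse nmap grepable output into {ip: HostScan} for TCP ports only."""
    scans: Dict[str, HostScan] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        scan = scans.setdefault(ip, HostScan())
        for fld in fields[1:]:
            if fld.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(fld):
                    if proto == "tcp":
                        scan.ports[int(port)] = state
                m = IGNORED_RE.search(fld)
                if m:
                    scan.default_state = m.group(1)
    return scans


def port_state(scan: HostScan, port: int) -> str:
    """State of one port; unlisted ports take nmap's ignored (collapsed) state."""
    return scan.ports.get(port, scan.default_state)


def unexpected_open(scans: Dict[str, HostScan],
                    intended: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open TCP ports that no rule was supposed to allow: the real exposure."""
    findings: Dict[str, List[int]] = {}
    for ip, scan in scans.items():
        allowed = intended.get(ip, set())
        extra = sorted(p for p, st in scan.ports.items()
                       if st == "open" and p not in allowed)
        if extra:
            findings[ip] = extra
    return findings


def missing_expected(scans: Dict[str, HostScan],
                     intended: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Intended services that are not reachable (rule missing or service down)."""
    findings: Dict[str, List[int]] = {}
    for ip, allowed in intended.items():
        scan = scans.get(ip, HostScan())
        gone = sorted(p for p in allowed if port_state(scan, p) != "open")
        if gone:
            findings[ip] = gone
    return findings


def report(scans: Dict[str, HostScan], intended: Dict[str, Set[int]]) -> List[str]:
    """Human-readable summary, one line per finding (returned, not printed)."""
    lines = []
    for ip, ports in unexpected_open(scans, intended).items():
        lines.append(f"{ip}: OPEN but not intended: {ports}")
    for ip, ports in missing_expected(scans, intended).items():
        lines.append(f"{ip}: intended but NOT reachable: {ports}")
    for ip, scan in scans.items():
        # 'closed' means something sent a RST (traffic is being passed to a
        # host); 'filtered' means nothing answered (dropped on the way).
        lines.append(f"{ip}: tcp/113 (IDENT) is {port_state(scan, 113)}")
    return lines


if __name__ == "__main__":
    for line in report(parse_gnmap(SAMPLE_GNMAP), INTENDED_TCP):
        print(line)
```

Run the real scan from a machine that is not behind the DPC3939B (a VPS or a phone hotspot), pipe the `.gnmap` file into `parse_gnmap`, and fill `INTENDED_TCP` with the actual static IPs and the ports the 1:1 NAT rules are supposed to forward. Anything in the "OPEN but not intended" list is what "totally out in the open" means in practice, regardless of which checkbox the firewall page shows; the tcp/113 line is the quickest way to see whether unlisted ports are being answered by the host behind the NAT (closed) or dropped (filtered).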