Packet Routing Filter

If the packet routing filter is not activated, the LoadMaster also acts as a simple IP forwarder.

When the packet routing filter is activated, it restricts traffic to the LoadMaster, but client access to services running on the interface addresses (SSH 22, HTTPS 443, SNMP 161, and DNS 53) is unaffected. Enabling SNAT prevents you from blocking traffic to a Virtual Service that has the same IP address as the LoadMaster's default gateway interface. This can affect Azure or any cloud platform that uses a single IP address.

Note: The Reject/Drop blocked packets and Restrict traffic to Interfaces fields will not be displayed if the Packet Routing Filter is disabled.

Reject/Drop blocked packets

When an IP packet is received from a host that is blocked by the Access Control Lists (ACLs), the request is normally ignored (dropped). The LoadMaster may be configured to return an ICMP reject packet instead, but for security reasons it is recommended to drop blocked packets silently.

Restrict traffic to Interfaces

This setting enforces restrictions upon routing between attached subnets. Progress Kemp has this option disabled by default.

Include WUI in IP Access lists

By default, the access control lists on the Packet Routing Filter page control access to the Virtual Services on the LoadMaster but not WUI access. If the Include WUI in IP Access Lists option is enabled, access to the WUI is also controlled by the access control lists. Enabling the Include WUI in IP Access Lists option allows the WUI to be accessed only from the IP address that enabled the check box; a message appears next to the check box saying Access allowed from <IPAddress>. This protects you from locking yourself out of the WUI. Attempts to log in from other IP addresses will be denied. If access to the WUI is needed from other IP addresses, you must add them to the allowed list.

The Include WUI in IP Access Lists option is only designed to work with one IP address.

Enabling the Include WUI in IP Access lists option does not affect any current access to Virtual Services. For example:

  • If you enable the Include WUI in IP Access lists option from an IP address that is not in either the allowed or blocked lists, that IP address has access to the WUI and all the Virtual Services.

  • Other IP addresses not in either the allowed or blocked list do not have access to the WUI but they do have access to all Virtual Services.

If you add IP addresses using the Add Allowed Address(es) fields, the connectivity for all other IP addresses will be blocked to the Virtual Services.

With the Include WUI in IP Access lists option disabled, access to the WUI is not affected by the packet filter.

If you need to, you can disable the access control lists using the console interface.

Add Blocked Address(es)

The LoadMaster supports a “blacklist” Access Control List (ACL) system. Any host or network entered into the ACL will be blocked from accessing any service provided by the LoadMaster.

The ACL is only enabled when the Packet Filter is enabled. The whitelist allows a specific IP address or address range access. If the address or range is part of a larger range in the blacklist, the whitelist will take precedence for the specified addresses.

If a user does not have any addresses listed in their blacklist and only has addresses listed in their whitelist, then only connections from addresses listed on the whitelist are allowed and connections from all other addresses are blocked.

This option allows a user to add or delete a host or network IP address in the Access Control List. In addition to IPv4 addresses, IPv6 addresses are allowed in the lists if the system is configured with an IPv6 address family. Using a network specifier (such as a /24 prefix length) matches the whole network rather than a single host.

For example, specifying the address 192.168.200.0/24 in the blacklist will block all hosts on the 192.168.200 network.
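The following is an added worked example, not Kemp's code, that models the ACL decision rules described in this section and in the Include WUI in IP Access Lists section above: whitelist entries take precedence over a broader blacklist range, a whitelist-only configuration denies everything not listed, a blacklist-only configuration allows everything not listed, and IPv4 or IPv6 hosts and CIDR networks are accepted. For the WUI it assumes the documented behaviour that, with the option enabled, only the enabling address and whitelisted addresses can reach the WUI. One point the page does not specify, the case where both lists have entries and an address matches neither, is assumed to be allowed; the function names, addresses and scenarios are constructed for illustration.

```python
"""Model of the LoadMaster ACL rules described on this page (added example, not Kemp's code).

Assumptions: whitelist beats blacklist; whitelist-only lists are default-deny;
blacklist-only lists are default-allow; with both lists populated and no match,
access is allowed (the page does not state this case).
"""
import ipaddress
from typing import Iterable, Optional


def _matches(ip: str, entries: Iterable[str]) -> bool:
    """True if ip falls within any entry (a host like 10.0.0.5 or a network like 192.168.200.0/24)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # a bare host becomes a /32 or /128
        if addr.version == net.version and addr in net:
            return True
    return False


def vs_allowed(ip: str, allowed: Iterable[str], blocked: Iterable[str]) -> bool:
    """Virtual Service access decision under the Packet Routing Filter ACLs."""
    allowed, blocked = list(allowed), list(blocked)
    if _matches(ip, allowed):
        return True          # whitelist takes precedence, even inside a blacklisted range
    if _matches(ip, blocked):
        return False         # explicitly blacklisted
    # No match: a whitelist with no blacklist means only listed addresses are allowed.
    return not (allowed and not blocked)


def wui_allowed(ip: str, allowed: Iterable[str], blocked: Iterable[str],
                include_wui: bool, enabling_ip: Optional[str] = None) -> bool:
    """WUI access decision; enabling_ip is the address that ticked the check box."""
    if not include_wui:
        return True          # WUI access is not affected by the packet filter
    if enabling_ip is not None and ipaddress.ip_address(ip) == ipaddress.ip_address(enabling_ip):
        return True          # the enabling address is never locked out
    return _matches(ip, allowed)  # other addresses must be on the allowed list


def demo() -> dict:
    """Constructed scenarios mirroring the examples in the text."""
    blacklist = ["192.168.200.0/24", "2001:db8::/32"]   # constructed sample entries
    whitelist = ["192.168.200.7"]                         # single host carved out of the /24
    return {
        "host_in_blocked_net": vs_allowed("192.168.200.9", [], blacklist),
        "whitelisted_host_in_blocked_net": vs_allowed("192.168.200.7", whitelist, blacklist),
        "unlisted_with_blacklist_only": vs_allowed("10.1.1.1", [], blacklist),
        "unlisted_with_whitelist_only": vs_allowed("10.1.1.1", ["10.2.0.0/16"], []),
        "ipv6_in_blocked_net": vs_allowed("2001:db8::1", [], blacklist),
        "wui_from_enabling_ip": wui_allowed("203.0.113.10", [], [], True, "203.0.113.10"),
        "wui_from_other_ip": wui_allowed("203.0.113.11", [], [], True, "203.0.113.10"),
        "wui_option_disabled": wui_allowed("203.0.113.11", [], [], False),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allowed' if decision else 'blocked'}")
```

The demo reproduces the note that other addresses keep Virtual Service access when only the WUI option is enabled with empty lists, and lose it once allowed addresses are added.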

Note: A static port Virtual Service, with an access list defined to block particular traffic, will not work correctly if you also have a wildcard Virtual Service on the same IP address. The wildcard Virtual Service will accept the traffic after the static port Virtual Service denies it.

Note: It is recommended to use a separate IP address in this case to avoid unexpected behavior resulting from this interaction.