Firewall: Basic protection of our WAN interface
First, a little general, firewall-wide setup: log-martians logs packets that arrive with impossible source addresses, ip-src-route disable makes the router reject source-routed packets, and all-ping enable lets the router answer ICMP echo requests (whether an echo request from the outside ever reaches it is still decided by the rule-sets below).
set firewall log-martians enable
set firewall ip-src-route disable
set firewall all-ping enable
I am still following my setup of part 1, so our outside WAN interface is ETH0.
We want to drop all traffic coming in through this interface except packets that belong to a connection which is already established (or is related to one, such as an ICMP error for an existing flow). First we create the rule-set and then we attach it to the interface.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN_IN"
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set interfaces ethernet eth0 firewall in name WAN_IN
Now we need to do the same for traffic addressed to the router itself. On the EdgeRouter this has to be a separate rule-set, because EdgeOS distinguishes between traffic forwarded through the interface (firewall in) and traffic destined for one of the router's own addresses (firewall local). Without a local rule-set, the WAN_IN rules above would not protect the router's management services at all.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN_LOCAL internet to edgerouter"
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL
This is the minimum set of rules for protecting our WAN interface: nothing unsolicited gets in, neither to the LAN nor to the router. After this step you should port scan yourself from the outside to see that everything is as you expect; because the default action is drop rather than reject, every port should show up as filtered (no answer at all), not merely closed. A good place to go is Steve Gibson's ShieldsUP scanner at grc.com.
Creating a few internal networks
I just bought an "Ubiquiti UniFi AC Lite" access point and connected it to ETH3. Our first job is to give it power and set up a network for it with DNS and DHCP. This network is untagged and is used by the AP to reach its controller if needed. It is only for administrative purposes; no client traffic will flow in this network.
set interfaces ethernet eth3 poe output 24v
set interfaces ethernet eth3 address 192.168.20.1/24
set interfaces ethernet eth3 description "WIFI AP management"
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.0/24 start 192.168.20.10 stop 192.168.20.100
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.0/24 unifi-controller 192.168.100.10
set service dns forwarding listen-on eth3
Now we create a couple of networks that should be broadcast by the AP. I plan to use VLAN 30 as a trusted network and VLAN 40 as a guest network. The traffic for these two networks is sent tagged to the AP. The AP takes care of mapping each VLAN to its own SSID.
set interfaces ethernet eth3 vif 30 address 192.168.30.1/24
set interfaces ethernet eth3 vif 30 description "WIFI trusted"
set service dhcp-server shared-network-name vlan30 subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name vlan30 subnet 192.168.30.0/24 dns-server 192.168.30.1
set service dhcp-server shared-network-name vlan30 subnet 192.168.30.0/24 start 192.168.30.10 stop 192.168.30.100
set service dns forwarding listen-on eth3.30
set interfaces ethernet eth3 vif 40 address 192.168.40.1/24
set interfaces ethernet eth3 vif 40 description "WIFI guest"
set service dhcp-server shared-network-name vlan40 subnet 192.168.40.0/24 default-router 192.168.40.1
set service dhcp-server shared-network-name vlan40 subnet 192.168.40.0/24 dns-server 192.168.40.1
set service dhcp-server shared-network-name vlan40 subnet 192.168.40.0/24 start 192.168.40.10 stop 192.168.40.100
set service dns forwarding listen-on eth3.40
Setting up the AP is another story. Maybe there will be another blogpost about that.
Just look at this as an example. The networks could have been created on any interface for any kind of purpose, tagged or untagged.
Firewall: Protecting the internal networks
Now that we have a couple of networks, the goal is to isolate some of them. As an example, we are going to make sure that the guest network (VLAN 40) can reach the internet but under no circumstances can connect to our other internal networks, e.g. VLAN 30. We do this with a pair of general-purpose rule-sets that can be reused if we decide to protect other networks later.
The first rule-set allows all traffic coming in through the interface, except new connections to our internal networks (192.168.0.0/16). Note that the rule keys on the destination address, so it assumes every internal network lives inside 192.168.0.0/16; if you also use 10.0.0.0/8 or 172.16.0.0/12 internally, widen the match accordingly. Replies to connections that were opened from the inside towards the guest network are not "new" and therefore pass.
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action drop
set firewall name PROTECT_IN rule 10 description "Drop new connections to LAN"
set firewall name PROTECT_IN rule 10 destination address 192.168.0.0/16
set firewall name PROTECT_IN rule 10 state new enable
set firewall name PROTECT_IN rule 10 protocol all
Again we need a rule-set that drops everything destined for the interface itself, except DNS and DHCP. The DNS rule only matches UDP; if the forwarder also has to answer queries over TCP (truncated responses, DNSSEC), add a matching rule with protocol tcp.
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Allow DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
Now we just need to bind these general rule-sets to our guest VLAN interface, or to any other interface that must not be able to reach our internal networks.
set interfaces ethernet eth3 vif 40 firewall in name PROTECT_IN
set interfaces ethernet eth3 vif 40 firewall local name PROTECT_LOCAL
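To see what the four rule-sets from the WAN section and from this section actually do, here is an added example that is not part of the original post: a small Python model of how EdgeOS evaluates a rule-set (first matching rule wins, otherwise default-action) and of the in/local split (packets addressed to the router go through "firewall local", forwarded packets through "firewall in", and an interface with nothing attached accepts everything). The rule-sets and interface bindings are transcribed from the text; the WAN address 203.0.113.10, the client addresses and the sample packets are constructed for the example.

```python
"""Model of EdgeOS first-match firewall evaluation for the rule-sets in the post.

Added example, not code from the post. Rule-sets and bindings follow the text;
the router's WAN address (203.0.113.10), the hosts and the packets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    action: str                                 # "accept" or "drop"
    states: FrozenSet[str] = frozenset()        # empty = match any conntrack state
    protocol: str = "all"                       # "all", "tcp", "udp", ...
    dst_net: Optional[str] = None               # "destination address"
    dst_port: Optional[int] = None              # "destination port"

    def matches(self, pkt: dict) -> bool:
        if self.states and pkt["state"] not in self.states:
            return False
        if self.protocol != "all" and pkt["proto"] != self.protocol:
            return False
        if self.dst_net and ip_address(pkt["dst"]) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Ruleset:
    name: str
    default_action: str
    rules: tuple                                # in rule-number order, first match wins

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


EST_REL = frozenset({"established", "related"})

# The four rule-sets exactly as configured in the post.
WAN_IN = Ruleset("WAN_IN", "drop", (Rule("accept", EST_REL),))
WAN_LOCAL = Ruleset("WAN_LOCAL", "drop", (Rule("accept", EST_REL),))
PROTECT_IN = Ruleset("PROTECT_IN", "accept",
                     (Rule("drop", frozenset({"new"}), "all", "192.168.0.0/16"),))
PROTECT_LOCAL = Ruleset("PROTECT_LOCAL", "drop",
                        (Rule("accept", protocol="udp", dst_port=53),
                         Rule("accept", protocol="udp", dst_port=67)))

# "firewall in" / "firewall local" bindings per interface, as in the post.
# eth3 (AP management) and eth3.30 (trusted) have no rule-set attached.
BINDINGS: Dict[str, Dict[str, Ruleset]] = {
    "eth0":    {"in": WAN_IN,     "local": WAN_LOCAL},
    "eth3.40": {"in": PROTECT_IN, "local": PROTECT_LOCAL},
}

# Addresses owned by the router: the gateways from the post plus an assumed WAN address.
ROUTER_ADDRS = {"192.168.20.1", "192.168.30.1", "192.168.40.1", "203.0.113.10"}


def verdict(pkt: dict) -> str:
    """accept/drop for a packet arriving on pkt['iface'], EdgeOS style."""
    hook = "local" if pkt["dst"] in ROUTER_ADDRS else "in"
    ruleset = BINDINGS.get(pkt["iface"], {}).get(hook)
    return ruleset.evaluate(pkt) if ruleset else "accept"


def pkt(iface, src, dst, proto="tcp", dport=None, state="new"):
    return {"iface": iface, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "state": state}


# Constructed sample traffic (not captured data).
SAMPLES = {
    "internet->router ssh":        pkt("eth0", "198.51.100.7", "203.0.113.10", dport=22),
    "internet->trusted smb":       pkt("eth0", "198.51.100.7", "192.168.30.50", dport=445),
    "internet reply to trusted":   pkt("eth0", "198.51.100.7", "192.168.30.50", dport=51000, state="established"),
    "guest->trusted smb":          pkt("eth3.40", "192.168.40.20", "192.168.30.50", dport=445),
    "guest->internet https":       pkt("eth3.40", "192.168.40.20", "203.0.113.99", dport=443),
    "guest->gateway dns udp":      pkt("eth3.40", "192.168.40.20", "192.168.40.1", "udp", 53),
    "guest->gateway dns tcp":      pkt("eth3.40", "192.168.40.20", "192.168.40.1", "tcp", 53),
    "guest->gateway ssh":          pkt("eth3.40", "192.168.40.20", "192.168.40.1", dport=22),
    "trusted->guest (no ruleset)": pkt("eth3.30", "192.168.30.50", "192.168.40.20", dport=22),
}


def evaluate_all() -> Dict[str, str]:
    return {name: verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in evaluate_all().items():
        print(f"{action:6} {name}")
```

Two results are worth noticing. The isolation is one-directional: the trusted VLAN has no rule-set attached, so a trusted host can open a connection to a guest host, and the guest's replies pass PROTECT_IN because they are not "new". And DNS over TCP to the guest gateway is dropped by PROTECT_LOCAL, which only matches UDP 53.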
What do we have?
Now we have a protected WAN interface and a way to create internal LANs that cannot open connections to our other internal LANs. All of this is just an example and can be extended to your needs. Try to keep as few rule-sets as possible and make them as general as possible; this keeps the overall complexity of your EdgeRouter configuration down.
Hello,
In firewall design, the "drop" should be ban. It's usually better to deny by default and accept what we want. In your configuration you used a trick to prevent the wifi-guest accessing your wan. The traffic is denied using the ip address of each network.
It's better firewalling the traffic using the interfaces. You are sure you won't miss anything, and you are no longer dependent on the IP address. You can change the network address without editing the rules, and you could also have more than 1 subnet in your guest zone.
For your wifi-guest. Instead of applying rules to interfaces directly, you can do zone-policy to apply rules from zone to zone. The setup is much longer and more complex but you get a better control of the firewalling.
lan to wan => accept
lan to wifi-trusted => accept
wifi-trusted to lan => accept
wifi-guest to wan => accept
Everything else is dropped, you don't have to explicitly drop wifi-guest to your lan
An extract of my configuration to explain zone-policy with 2 zones (lan and wan):
### Setup interfaces
set interfaces ethernet eth0 address 192.168.10.254/24
set interfaces ethernet eth0 description inside
set interfaces ethernet eth1 address xx.xx.xx.xx/24
set interfaces ethernet eth1 description outside
### Create firewall rules
# FW "lan => wan"
set firewall name inside-outside default-action accept
# FW "wan => lan"
set firewall name outside-inside default-action drop
set firewall name outside-inside rule 1000 action accept
set firewall name outside-inside rule 1000 state established enable
set firewall name outside-inside rule 1000 state related enable
# FW "Edgerouter => lan"
set firewall name local-inside default-action accept
# FW "Edgerouter => wan"
set firewall name local-outside default-action accept
# FW "lan => Edgerouter"
set firewall name inside-local default-action accept
# FW "wan => Edgerouter"
set firewall name outside-local default-action drop
set firewall name outside-local rule 1 action accept
set firewall name outside-local rule 1 state established enable
set firewall name outside-local rule 1 state related enable
set firewall name outside-local rule 1500 action accept
set firewall name outside-local rule 1500 icmp type-name echo-request
set firewall name outside-local rule 1500 protocol icmp
### Linking zone and interfaces
set zone-policy zone local local-zone
set zone-policy zone inside interface eth0
set zone-policy zone outside interface eth1
### Default action to zone
set zone-policy zone local default-action drop
set zone-policy zone inside default-action drop
set zone-policy zone outside default-action drop
### Applying rules to "zone-src => zone-dst"
set zone-policy zone outside from inside firewall name inside-outside
set zone-policy zone inside from outside firewall name outside-inside
set zone-policy zone inside from local firewall name local-inside
set zone-policy zone local from inside firewall name inside-local
set zone-policy zone outside from local firewall name local-outside
set zone-policy zone local from outside firewall name outside-local
### Done
Hi Alesk,
I am fully aware of the zone solution for the edgerouter. I was just scared off by many of the postings on the internet claiming boot times of 20 minutes!
You are right that it’s a better solution 🙂
Best regards,
Alex
Yes… @home, my config is 1km long and my router takes around 15 min to boot… Hope they will fix this soon.