Edgerouter Security, Part4

Firewall: Basic protection of our WAN interface

First, a little general setup of the firewall:

set firewall log-martians enable
set firewall ip-src-route disable
set firewall all-ping enable

I am still following my setup of part 1, so our outside WAN interface is ETH0.

We want to drop all traffic coming in through this interface except for connections that are already established. First we create the rule-set, and then we attach it to the interface.

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN_IN"
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set interfaces ethernet eth0 firewall in name WAN_IN

Now we need to do the same for the interface address itself. In the Edgerouter this has to be done as a separate rule, because it distinguishes between traffic coming through the interface and traffic destined for the interface itself.

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN_IN internet to edgerouter"
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL

This should be a minimum set of rules for protecting our WAN interface. After this step you should port scan yourself to see if everything is as you expect. A good place to go is Steve Gibson’s ShieldsUP scanner at grc.com.

Creating a few internal networks

I just bought a “Ubiquiti Unifi AC Lite” access point and connected it to ETH3. Our first job is to give it power and set up a network for it with DNS and DHCP. This network is untagged and used for the AP to connect to its controller if needed. It’s only for administrative purposes and no real traffic will flow in this network.

set interfaces ethernet eth3 poe output 24v

set interfaces ethernet eth3 address 192.168.20.1/24
set interfaces ethernet eth3 description "WIFI AP management"
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.1/24 default-router 192.168.20.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.1/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.1/24 start 192.168.20.10 stop 192.168.20.100
set service dhcp-server shared-network-name vlan20 subnet 192.168.20.1/24 unifi-controller 192.168.100.10
set service dns forwarding listen-on eth3

Now we create a couple of networks that should be broadcast on the AP. I plan to use vlan 30 as a trusted network and vlan 40 as a guest network. The traffic to these two networks is sent as tagged traffic to the AP. The AP will take care of putting each VLAN into its own SSID.

set interfaces ethernet eth3 vif 30 address 192.168.30.1/24
set interfaces ethernet eth3 vif 30 description "WIFI trusted"
set service dhcp-server shared-network-name vlan30 subnet 192.168.30.1/24 default-router 192.168.30.1
set service dhcp-server shared-network-name vlan30 subnet 192.168.30.1/24 dns-server 192.168.30.1
set service dhcp-server shared-network-name vlan30 subnet 192.168.30.1/24 start 192.168.30.10 stop 192.168.30.100
set service dns forwarding listen-on eth3.30

set interfaces ethernet eth3 vif 40 address 192.168.40.1/24
set interfaces ethernet eth3 vif 40 description "WIFI guest"
set service dhcp-server shared-network-name vlan40 subnet 192.168.40.1/24 default-router 192.168.40.1
set service dhcp-server shared-network-name vlan40 subnet 192.168.40.1/24 dns-server 192.168.40.1
set service dhcp-server shared-network-name vlan40 subnet 192.168.40.1/24 start 192.168.40.10 stop 192.168.40.100
set service dns forwarding listen-on eth3.40

Setting up the AP is another story. Maybe there will be another blog post about that.

Just look at this as an example. The networks could have been created on any interface for any kind of purpose, tagged or untagged.

Firewall: Protecting the internal networks

Now that we have a couple of networks, the goal is to isolate some of them. As an example, we are going to make sure that the guest network (vlan 40) is able to connect to the internet, but under no circumstances connect to our other internal networks, e.g. vlan 30. We do this by making some general-purpose rule-sets that can be reused if we decide to make other protected networks.

The first rule-set allows all traffic coming in through the interface, except new connections to our internal networks (192.168.0.0/16).

set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action drop
set firewall name PROTECT_IN rule 10 description "Drop new connections to LAN"
set firewall name PROTECT_IN rule 10 destination address 192.168.0.0/16
set firewall name PROTECT_IN rule 10 state new enable
set firewall name PROTECT_IN rule 10 protocol all

Again, we need to make a rule-set that drops everything destined for the interface itself, except DNS and DHCP.

set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept 
set firewall name PROTECT_LOCAL rule 10 description "Allow DNS" 
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept 
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP" 
set firewall name PROTECT_LOCAL rule 20 destination port 67 
set firewall name PROTECT_LOCAL rule 20 protocol udp

Now we just need to bind these general rule-sets to our guest vlan interface, or to any other interface we don’t want to connect to our internal network.

set interfaces ethernet eth3 vif 40 firewall in name PROTECT_IN
set interfaces ethernet eth3 vif 40 firewall local name PROTECT_LOCAL
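
To check what PROTECT_IN and PROTECT_LOCAL decide for a given packet, the following Python model parses the set lines above and applies first-match evaluation. It is an added example, not part of the original post and not EdgeOS code; the function names and the sample destinations in the note below are constructed, with 10.0.0.5 standing for a hypothetical internal host outside 192.168.0.0/16.

```python
import ipaddress

# The post's two rule-sets, copied from above (description lines omitted).
CONFIG = """
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action drop
set firewall name PROTECT_IN rule 10 destination address 192.168.0.0/16
set firewall name PROTECT_IN rule 10 state new enable
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
"""

def parse(config):
    """Build {name: {'default': action, 'rules': {number: fields}}} from set lines."""
    sets = {}
    for line in config.strip().splitlines():
        name, key, *rest = line.split()[3:]      # skip 'set firewall name'
        rs = sets.setdefault(name, {"default": "drop", "rules": {}})
        if key == "default-action":
            rs["default"] = rest[0]
            continue
        rule = rs["rules"].setdefault(int(rest[0]), {"states": set()})
        if rest[1] == "state" and rest[3] == "enable":
            rule["states"].add(rest[2])
        elif rest[1] == "destination":
            rule["dst_" + rest[2]] = rest[3]     # dst_address or dst_port
        else:
            rule[rest[1]] = rest[2]              # action, protocol
    return sets

def verdict(ruleset, dst, proto, dport=None, state="new"):
    """Lowest-numbered matching rule wins; otherwise the default-action applies."""
    for _, r in sorted(ruleset["rules"].items()):
        net = ipaddress.ip_network(r.get("dst_address", "0.0.0.0/0"))
        if ((not r["states"] or state in r["states"])
                and r.get("protocol", "all") in ("all", proto)
                and ipaddress.ip_address(dst) in net
                and r.get("dst_port", str(dport)) == str(dport)):
            return r["action"]
    return ruleset["default"]

RULES = parse(CONFIG)
```

For these rule-sets the model reports that a new connection from the guest vlan to 192.168.30.5 is dropped while one to 10.0.0.5 is accepted, because rule 10 of PROTECT_IN matches only 192.168.0.0/16. DNS over TCP to the router is dropped, because rule 10 of PROTECT_LOCAL matches UDP only.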

What do we have?

Now we have a protected WAN interface and the possibility to create internal LANs that are not allowed to talk to our other internal LANs. All of these are just examples and can be extended to your needs. Try to keep as few rule-sets as possible and make them as general as possible. This reduces the overall complexity of your Edgerouter configuration.

3 thoughts to “Edgerouter Security, Part4”

  1. Hello,

    In firewall design, the “drop” should be ban. It’s usually better to deny by default and accept what we want. In your configuration you used a trick to prevent the wifi-guest accessing your wan. The traffic is denied using the ip address of each network.

    It’s better firewalling the traffic using the interfaces. You are sure you won’t miss anything, and you are no more dependent of the IP address. You can change the network address without editing the rules, and you could also have more than 1 subnet in your guest zone.

    For your wifi-guest. Instead of applying rules to interfaces directly, you can do zone-policy to apply rules from zone to zone. The setup is much longer and more complex but you get a better control of the firewalling.

    lan to wan => accept
    lan to wifi-trusted => accept
    wifi-trusted to lan => accept
    wifi-guest to wan => accept

    Everything else is dropped, you don’t have to explicitly drop wifi-guest to your lan

    An extract of my configuration to explain zone-policy with 2 zones (lan and wan):

    ### Setup interfaces
    set interfaces ethernet eth0 address 192.168.10.254/24
    set interfaces ethernet eth0 description inside
    set interfaces ethernet eth1 address xx.xx.xx.xx/24
    set interfaces ethernet eth1 description outside

    ### Create firewall rules

    # FW "lan => wan"
    set firewall name inside-outside default-action accept

    # FW "wan => lan"
    set firewall name outside-inside default-action drop
    set firewall name outside-inside rule 1000 action accept
    set firewall name outside-inside rule 1000 state established enable
    set firewall name outside-inside rule 1000 state related enable

    # FW "Edgerouter => lan"
    set firewall name local-inside default-action accept
    # FW "Edgerouter => wan"
    set firewall name local-outside default-action accept
    # FW "lan => Edgerouter"
    set firewall name inside-local default-action accept
    # FW "wan => Edgerouter"
    set firewall name outside-local default-action drop
    set firewall name outside-local rule 1 action accept
    set firewall name outside-local rule 1 state established enable
    set firewall name outside-local rule 1 state related enable
    set firewall name outside-local rule 1500 action accept
    set firewall name outside-local rule 1500 icmp type-name echo-request
    set firewall name outside-local rule 1500 protocol icmp

    ### Linking zone and interfaces
    set zone-policy zone local local-zone
    set zone-policy zone inside interface eth0
    set zone-policy zone outside interface eth1

    ### Default action to zone
    set zone-policy zone local default-action drop
    set zone-policy zone inside default-action drop
    set zone-policy zone outside default-action drop

    ### Applying rules to "zone-src => zone-dst"
    set zone-policy zone outside from inside firewall name inside-outside
    set zone-policy zone inside from outside firewall name outside-inside
    set zone-policy zone inside from local firewall name local-inside
    set zone-policy zone local from inside firewall name inside-local
    set zone-policy zone outside from local firewall name local-outside
    set zone-policy zone local from outside firewall name outside-local

    ### Done

    1. Hi Alesk,

      I am fully aware of the zone solution for the edgerouter. I was just scared off by many of the postings on the internet claiming boot times of 20 minutes!
      You are right that it’s a better solution 🙂

      Best regards,
      Alex
