EdgeRouter IoT/Guest Network Isolation

Captions
Hi, I'm Willie, and welcome back to my channel. First of all, thank you to everybody; we went over the 9,000 subscriber mark today. I really never thought I would make it to 10 subscribers, so thank you to everyone. The next stop is 10,000, and that's where we're giving away a brand new USG and a brand new UniFi Switch 8 150W, and you do not have to be in IT to win. The closer we get to that 10,000 mark, I will start outlining the rules for that contest; everybody's going to have a shot to win. So once again, thank you to everyone. If you're not subscribed, please hit that subscribe button; we're putting out more content all the time, starting to do a lot of design and things like that.

Tonight what we're going to talk about is the EdgeRouter and firewall rules. I know what you're saying: "Yeah, you said you're going to do the follow-up." I am going to do the follow-up to the HD; I'm working on my background stuff and still letting some comments soak about that to get some feedback. So tonight we are going to talk about how to block network access from a subnet or a port on an EdgeRouter. You could use this to isolate a guest network, to isolate an IoT network, anything like that.

So let's hop into it real quick. The first thing I'm going to do is bring up the screen here; we're going to draw a little bit. What we've got right now is an EdgeRouter X, and we're connecting on this IP, 192.168.69.1. We just used the WAN+2LAN wizard to configure this, okay, and if you watched one of the last EdgeRouter videos, that's where this would have come from. So we've got our internet right here, and then we've got switch0, and switch0 is right here. The internet plugs in here; this is eth0, this is eth1, this is eth2, and right now all of these are in switch0. But what we're going to do is pull this guy out and make him his own network. Now, you could do this with a VLAN; we're going to do it with the physical network. So we'll change the description and all that, then we're going to look at the rules. I'm going to show you how to do the rules in the GUI, but then I'm also going to provide a link to a Google Doc, so if you just want to copy and paste all this, change your interfaces and all that, then you can make this happen. What we will do is, once we have this guy set up, we will firewall him from the rest of the group. So that is kind of the gist of it. I couldn't wait too much longer to get the drawing pen back out; you know I love my Wacom tablet.

So let's take a look. The first thing that we're going to do is pull this eth1 out; we're going to create a network on eth1, okay. So the first thing we need to do, if you've configured your switch, is to configure the switch. Go to the VLANs; this is where the switch ports are assigned to switch0. We're going to uncheck eth1 and save that. Okay, eth1 is now out of switch0, so we're going to go ahead and configure this. I'm going to call this one my IoT network, and I'm going to do a manual IP, and we'll do 192.168.70.1/24. Okay.

So then the next thing we're going to do is go to Services, and we're on DHCP, so we're going to add a DHCP server. I'm going to call this IOT DHCP... can I have a space in there? I can't have a space, so we'll put a hyphen in there. Subnet 192.168.70.0, and we'll hand out 70.100 through 70.150; 192.168.70.1 is the router. We're also probably going to play some DNS tricks at some point, so we will have the EdgeRouter also be the DNS server. So we'll go ahead and save that, and we'll just have to go over to our DNS tab and make sure that the router is listening on that. So it is already: eth1 is listening, so we're good there. Had it not been set up to listen, when you came in here switch0 would have been the only interface, so you would have had to add eth1; you do that and save. So now effectively what we've got is a network on eth1, and it's not a VLAN. Like I said, you could do this with a VLAN on any of these ports, but we are using a physical port.

So now let's take a look at firewall rules. The first thing that we're going to do, and I'm going to copy and paste this into a Google document, is create a network group called "protect networks", and these are the networks that we want to protect. We want to protect all of the internal ranges that are available. So let's go over to Firewall/NAT, Firewall/NAT Groups, and I want to make sure that I am calling it the exact same thing in the CLI. So let's... "protect networks"; the description is "protected networks", and it is going to be a network group. So now we're going to go ahead and configure this, and we'll make room for all of our networks here. The first one is 192.168.0.0/16, the second is 172.16.0.0/12, and the last one is 10.0.0.0/8. Go ahead and save that, and so now we have our protect networks group set up.

So now we're going to come over here to our firewall policies, and since we used the wizard we have our default LAN_IN and LAN_LOCAL policies, but we are going to create new policies based on these rules, and we're going to call them block in and block local. We'll talk about these as we create those. So the first thing we're going to do is add a rule set, and we'll call this one block in, and if we look back at our configuration, our default action will be to accept. So we'll go ahead and now we'll edit this rule set, and the first rule that we are going to add is going to be accept: accept established/related, protocol all. So we'll add a new rule and put in the description here, "accept established related", because the EdgeRouter is both stateful and stateless, so remember that: protocol all, state established, related. And so we will go ahead and save that, and then we are going to add another rule, and we are going to call it drop; this is going to drop our protected networks, and so our default action is going to be drop, and if we go back to our rule, the destination will be anything headed towards those protected networks. So we go over to Destination, destination network group protected networks, and we'll save that. So we've got the accept and then the drop.

Then the next thing that we actually have to do to this is assign interfaces to it. So what we want to do is look at what interface we're going to apply this on. We're going to apply this on eth1, because that's where the network lives that we want to segregate from the rest of the networks. So we're going to come over to Interfaces; it will be eth1, direction in, and save the rule set. So we've got all that.

Now we're going to create another one, which will be block local, because we don't want anybody on that network accessing any services, any web GUI, SSH, anything like that on the router, but we do have to allow them to do DNS and DHCP. So we will go ahead and add another rule set, and I'm just going to come over here to make sure that I have congruence between the GUI and what we would copy and paste into the router through an SSH connection. So this is going to be block local, and the default action will be to drop, and we're going to call this block local. We'll save that, we'll go ahead and edit this rule set, and the first rule that we're going to add here is going to be action accept, and we are going to accept DNS. So this will be "accept DNS", and when you look back here you'll see that the destination is going to be port 53, UDP. So we'll go ahead and save that, and then our next one is going to be "accept DHCP"; it should also be UDP and port 67. Go ahead and save that. Then we also have to assign this to interfaces, so we're going to come over here; it should be eth1, local, because it has services that are on the router. So we'll go ahead and save that.

And so, as long as the interfaces and everything took, theoretically what should happen is we should be able to plug into eth1 and get an IP address. So right now let's see what our IP is: 69.38. So we'll plug directly into eth1, we'll get an IP, we'll see if we can surf the web, but then we'll see if we can get to, for example, 66.10, which is a server internally. So let's see what happens. Okay, we have physically switched ports, and the machine's taking just a minute; see what happens here. And I'll manually do it since it doesn't want to cooperate. Okay, so now we've got 70.100. Let's see if we can ping. So you will see that we cannot ping 66.10. I'm actually going to leave that going. Let's see if we can get back into this interface on the router: connecting, connecting, connecting... poof. Okay, so we know that our Cloud Key is 66.5: nothing. And there's Google. What else? So you can see the internet is perking along just fine, but we cannot get to anything inside that network. So you know, I'm showing you that this ping is going right and we're surfing the web, all that good stuff. Oh wow, flood warning, a tenth and a quarter of an inch, a tenth and a quarter of an inch... I'm not trying to be a smart aleck, but good thing I have a camera on my sump pump area.

All right, so let's open another command prompt. Now what we're going to do is I'm going to switch back, and you should see this traffic immediately start working. Maybe not immediately; I'll probably have to do a release/renew. Whatever, I'm always tinkering with my network connection, so it doesn't surprise me that I got any sort of a failure there. And so you can see that the traffic started; you can see we're back on 69.38 and the ping started immediately. So I will paste that into a Google Doc and link to it.

So if you liked the video, please give me a thumbs up, please subscribe, please comment, please share, please use all those affiliate links down there to give a little something to the channel, or if you want to give a little donation, that's okay too. Follow me on Twitter and Instagram. If you want to be alerted when I release a new video, click that little bell thing that's floating around down there, wherever it is, and we'll see you in the next video.
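The configuration the video builds in the GUI, written out as the equivalent EdgeOS configure-mode commands. This is an added example, not the video's Google Doc and not Ubiquiti's own text. The addressing (192.168.69.0/24 on switch0, 192.168.70.0/24 on eth1, DHCP pool .100 to .150, router as DNS forwarder) and the three RFC1918 ranges follow the transcript; the object names IOT-DHCP, PROTECTED_NETWORKS, BLOCK_IN and BLOCK_LOCAL are assumptions, since EdgeOS names cannot contain spaces and the exact names used in the video are not shown.

```vyatta
configure

# Pull eth1 out of the switch the WAN+2LAN wizard created, give it its own subnet.
# (Assumes an ER-X with eth1 currently a member of switch0, as in the video.)
delete interfaces switch switch0 switch-port interface eth1
set interfaces ethernet eth1 description 'IOT'
set interfaces ethernet eth1 address 192.168.70.1/24

# DHCP for the IoT segment; the router hands out itself as DNS.
set service dhcp-server shared-network-name IOT-DHCP subnet 192.168.70.0/24 start 192.168.70.100 stop 192.168.70.150
set service dhcp-server shared-network-name IOT-DHCP subnet 192.168.70.0/24 default-router 192.168.70.1
set service dhcp-server shared-network-name IOT-DHCP subnet 192.168.70.0/24 dns-server 192.168.70.1
set service dns forwarding listen-on eth1

# Network group: every private range, so new LANs/VLANs are covered automatically.
set firewall group network-group PROTECTED_NETWORKS description 'protected networks'
set firewall group network-group PROTECTED_NETWORKS network 192.168.0.0/16
set firewall group network-group PROTECTED_NETWORKS network 172.16.0.0/12
set firewall group network-group PROTECTED_NETWORKS network 10.0.0.0/8

# BLOCK_IN: traffic entering eth1 that is routed somewhere else.
# Default accept (internet works); rule 10 lets IoT answer sessions the LAN
# opened to it; rule 20 drops anything IoT initiates toward a private address.
set firewall name BLOCK_IN default-action accept
set firewall name BLOCK_IN rule 10 action accept
set firewall name BLOCK_IN rule 10 description 'accept established/related'
set firewall name BLOCK_IN rule 10 protocol all
set firewall name BLOCK_IN rule 10 state established enable
set firewall name BLOCK_IN rule 10 state related enable
set firewall name BLOCK_IN rule 20 action drop
set firewall name BLOCK_IN rule 20 description 'drop to protected networks'
set firewall name BLOCK_IN rule 20 destination group network-group PROTECTED_NETWORKS

# BLOCK_LOCAL: traffic from eth1 addressed to the router itself.
# Default drop (no web UI, no SSH, no ping to the router); only DNS and DHCP in.
set firewall name BLOCK_LOCAL default-action drop
set firewall name BLOCK_LOCAL rule 10 action accept
set firewall name BLOCK_LOCAL rule 10 description 'accept DNS'
set firewall name BLOCK_LOCAL rule 10 protocol udp
set firewall name BLOCK_LOCAL rule 10 destination port 53
set firewall name BLOCK_LOCAL rule 20 action accept
set firewall name BLOCK_LOCAL rule 20 description 'accept DHCP'
set firewall name BLOCK_LOCAL rule 20 protocol udp
set firewall name BLOCK_LOCAL rule 20 destination port 67

# Bind both rulesets to the isolated interface.
set interfaces ethernet eth1 firewall in name BLOCK_IN
set interfaces ethernet eth1 firewall local name BLOCK_LOCAL

commit
save
exit
```

To check it the way the video does, plug a host into eth1: it should lease an address in 192.168.70.100-150, resolve names and reach the internet, while a ping to a 192.168.69.x host and a browser session to the router's web UI both fail. In operational mode, `show firewall name BLOCK_IN statistics` should show rule 20's packet counter climbing while you ping. Two points worth knowing before copying this: BLOCK_LOCAL needs no established/related rule because the local chain only sees packets addressed to the router, and its replies leave unfiltered; and because rule 10 of BLOCK_LOCAL matches UDP only, DNS over TCP (large answers, DNSSEC) is dropped, so add a matching `protocol tcp` / `destination port 53` rule if your clients need it. For the VLAN variant the video mentions, put the address and the two `firewall` bindings on `interfaces ethernet eth1 vif <id>` instead of on eth1 itself; the group and rulesets do not change.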
Info
Channel: Willie Howe
Views: 105,583
Keywords: ubiquiti, unifi, guest, edgemax, vlan, wifi, edgerouter, unifi access point, edgerouter lite, quick, lan, access, edgeos, firewall, limit, policies, cli, network, command line interface, wireless, internet, configs, quick configs, edgerouter pro, virtual interface, vif, edgerouter x, access point, edge router, unifi controller, uap, usg, uap-ac-pro, tutorial, uap-ac-lite, uap-ac-lr, ubiquiti wifi, hotspot, edge max, us-8-150w, ubiquiti networks, ubiquity networks
Id: baj3747yfos
Length: 17min 14sec (1034 seconds)
Published: Mon May 22 2017