Quick Configs Ubiquiti - Firewall Rules, Guest VLAN & VIF

Captions
This will be a great example of how to set up firewall rules, guest network access and virtual interfaces on a Ubiquiti EdgeMAX device, in this case an EdgeRouter X. So our EdgeRouter has a WAN interface, eth0, with a default gateway, of course, going to my simulated internet over here, and on my internal trusted side I have a single interface, eth1, which has two sub-interfaces or virtual interfaces: one will be 172 and one will be 10. So these numbers correspond with the VLAN IDs that are also configured on this switch: VLAN 172 is for the guests and VLAN 10 is for the LAN. So the LAN is my trusted LAN; I just want to allow everything from them, so I could have a management station or just trusted hosts on this LAN. However, for my guest range I want to limit down access. Ideally I just want them to be able to reach the internet, and I want them to be able to use the device itself for DHCP and DNS services. So I will have a bunch of firewall rules that apply, in this case, to the eth1.172 interface in the inbound and in the local direction. We want to block guest access to the LAN ranges, so we do not want these guests to be able to reach any device on our LAN.

So the way these virtual interfaces work: this is basically a switch, or basically it is a switch, and it is configured with an access port or untagged port in VLAN 172 here, and an access port, untagged port, in VLAN 10 here, and this is a trunk or tagged port which uses both 172 and 10. So our EdgeRouter basically functions as a router on a stick. So normally, if my LAN range wants to reach the guest range, it will go to the EdgeRouter, the traffic will go back towards the guest, and then the return traffic will go back to the EdgeRouter and then back to the LAN range. That's basically how that works; they don't go directly through the switch. So that's the point where we want to limit down traffic; that's the point where we apply firewall rules. So we do not want the guests to be able to reach the LAN range; however, we do want the guests to be able to respond to the LAN range's requests. So let's say I have a management station that manages the access points here. In this case it's not really access points, just a Xubuntu machine, but for our purposes that will work just fine. So we do want the XP machine to be able to manage those, so the return traffic that is coming from the LAN (the LAN goes to the guest network, and that return traffic) we do want to allow back. However, if the guests initiate the traffic, then we are blocking it. And the same goes for the internet: if the guest goes to the internet, the return traffic from the internet is allowed back to either the guests or the LAN; however, traffic initiated on the internet side is being blocked. So we do that with established rules. So this is basically the configuration I think I'm going to put in here; however, I'm going to do most of this stuff in the GUI.

So the first step would be to actually create our virtual interfaces. Right now my interface doesn't have an address, and I can't really configure a virtual interface using the normal configuration methods, so I need to go to the config tree here. Under the config tree I'm going through interfaces, eth1, then for vif here I can say add. So I want to add two of those: one is for 10 and the other is for 172, and I want to update the list. And then under 10 here I can set a new address, so that will be 10.0.0.1/24, and the other one will be 172.16.0.1/24. So once I do this (and I can add addresses here as well) I can preview and basically see that this is exactly what it's putting into the device. So let's apply this, and we have created our virtual interfaces.

So we want to create our firewall rules next; however, before I do that I want to test out these connections to see if I can actually reach devices on my LAN. So let's go to my Xubuntu machine here, which is sitting at 172.16.0.10, so this is in the guest network range. So I should be able to reach the IP address of the EdgeRouter sitting at 172.16.0.1, and I should also be able to reach the 10.0.0.1 address of the EdgeRouter, so that's connected to the LAN range, and I should be able to reach the Windows machine, or the XP machine, sitting in the LAN range. So if I do a traceroute to 10.0.0.10 with a dash n, I can see it's going to the EdgeRouter at 172.16.0.1 and it's ending up on the XP machine. So that's basically how that works. On the other side, the XP machine, if I do a tracert -d to 172.16.0.10, I can see that it's going to 10.0.0.1 and then 172.16.0.10, so that is working just fine as well. So this is specifically the type of access that we want to block. I should also be able to reach my WAN here, so that's the IP address on the other side; we do want to allow that one.

Let's start creating our firewall policies. So I go to Firewall/NAT and then on the firewall policies I want to add a new ruleset. Alright, before I do that, I want to create a firewall group. So I want to create a new firewall/NAT group; this one will be called LAN and the group type is a network group. So once I save this I can add my network ranges in here. So let me minimize this; I want Actions, Config, and then under here I want to add three networks. So these are just the default private network ranges: 192.168, 172.16 and the 10 range. So we want to block all types of access to those LANs. If our hosts are going to the internet they will never go to one of these addresses; these are always internal, so that's why we are blocking specifically these address ranges.

So the next step is to actually create a firewall policy, and I do that by going to firewall policies here and add a ruleset. So this will be the guest-to-LAN firewall policy, and this network group here will link to that firewall rule. So I do want my default action to be accept here, because this will apply in the inbound direction on the eth1.172 interface, so it will also be applied to traffic from the guest network that is going to the internet. So that will be the default action: accept everything else that is going anywhere except to this LAN; that is specifically what we are going to block. So going back to my rule here, let me minimize this and edit the ruleset. So I basically have to apply a bunch of rules here. The first one will have the description "established", so that is specifically for the established traffic. I'm doing this because I do want these hosts to be able to respond to requests from the LAN network, so that's why this is an established/related rule that applies to protocol all. So let me save that one; that will be rule one. And rule two will be specifically what we are dropping: we are allowing guests to respond, so this will be a drop with the description "network group". So we are allowing guests to respond to the LAN range; however, we do not want them to initiate traffic destined towards the LAN range, so that's why this is a destination rule. So I have to go to destination and then for the network group here I have to select LAN. So that's basically all I need to do here. Once I save this I've created my firewall policy, but of course it's not really doing anything unless I apply it. So luckily this autocomplete here does show the virtual interfaces, and it will be eth1.172 in the inbound direction. So once that is done my guests will basically no longer be able to reach the LAN hosts, unless the LAN hosts first initiate traffic, basically, and they are allowed to the internet because of that default action accept.

So let's do my other rules. This one will be the guest-to-local, so let me add another ruleset here, and the guest-to-local does have a default action of drop. We do specifically want to deny the hosts from being able to manage the device, or reach the device by any means, unless the EdgeRouter itself is initiating the traffic, or if they want to get a DHCP address, or if they want to use the EdgeRouter for DNS services. So I want to add a new rule here, and this one will be accept for TCP/UDP; my description will be DNS, and under the destination port (this is again from the client's perspective) destination port 53 we do want to allow. And the other one will be for DHCP, so let me add a new rule again, this one with description DHCP, accept; so that is UDP only, not UDP and TCP, and this one will be for destination port 67. So DHCP uses both 67 and 68, but 68 is from the DHCP server to the clients; 67 is from the clients to the server, so that's why I'm only allowing port 67. If you're not sure about that, then you can just add 68 as well. So the third rule will be the established rule again, so basically the exact same rule: for all protocols, advanced, established/related. That is because my EdgeRouter here, if it tries to give out DHCP addresses, it might ping one of those hosts first; however, if these hosts do not respond to that traffic because that's being blocked, we might give out the wrong address. And we also might want to test out these addresses to see if they're still alive, so we can clear our DHCP bindings or do stuff like that, or try to manage our access points here. So that's why we also have this established rule in there. So once that's done I have to apply it to an interface, because otherwise it's not really doing anything. I do want to apply this in the local direction, again on eth1.172. So there are no firewall policies that are actually applying to my eth1.10 interface.

So the last rule is this WAN-to-LAN rule. So let me add a new ruleset; this one will be WAN-to-LAN. The default action will be drop; this one applies to my external interface. So edit the ruleset, let me add a new rule, and this one of course will again be for the established traffic, which we are going to accept: all protocols, and under advanced, established/related. So that's basically the exact same rule, which you've already seen me configure twice. So I do want to apply it on the eth0 interface in the inbound direction. Ideally we do want all of our firewall rules to apply in the inbound direction, because if it applies in the outbound direction then it is processed by the EdgeRouter first. So if I do outbound on eth0, that means the EdgeRouter will first process the traffic and then it will drop it in the egress direction here. If we apply it on eth1 in the inbound direction, then it is basically being dropped before it's being processed, so that's why that is preferable. So my rules should be active right now.

And this is just my DHCP server; let me add that as well, because I do want these hosts to get a DHCP address. So let me add a DHCP server. I'm just going to do the guest one in this example; I would also want one for the LAN, however it's not really necessary in this example. So I want my range to start at 172.16.0.10 (and, okay, there's a whitespace here as well) and end at 150, so that's just an example. The router will be the EdgeRouter itself, and it will also be the DNS server in this case. So let me save that; my hosts should be able to get an address through DHCP, which we are specifically allowing on that interface.

So let me go to my firewall policies and look at the stats of these rules, and let's try to send some traffic over. Let me start with the guest-to-LAN policy here; you can see I already have some default action accepts here. So if I go to my Xubuntu machine over here, let me clear the screen and let's do a ping out to the internet; you can see that that is being allowed just fine, and we have some established traffic going up and the default action is going up as well. So we are being allowed to the internet, which is exactly what we want. However, if I try to ping the XP machine on that other LAN, you can see that my network group drop here is increasing, because we are specifically dropping that type of traffic. And if I do a traceroute, so traceroute 10.0.0.10 -n, you can see that it is ending up at the EdgeRouter; however, after that it is being dropped, which is exactly what we want. So that is that default action, or rather that is the drop action on this network group, and the rest of the traffic is just being allowed, like the traffic going to the internet.

So let me do my guest-to-local one next. You can see I already have some DNS packets hitting this rule, so that is being allowed. So let's see this default action drop: go to my Xubuntu machine again, and if I try to ping the EdgeRouter itself you can see that that is being dropped as well, and we can see that our rule counter is increasing now as well. So that counts for the 172 interface, and if I ping the other interface, the other virtual IP address, you can see that that is being dropped as well, and our counter is increasing here as well. So that seems to be working just fine.

So the final step: I want to do a dhclient for eth0. So let's give this an IP address and... oh, it doesn't want to give itself an IP address through DHCP, so that's weird. However, I see I have a hit on this rule, so let me do a dhclient release, let me release that address, and see if that's working just fine. You can see that I get another hit on this rule, so my EdgeRouter is allowing DHCP addresses and these are hitting that rule. So this is not working because I've used this process a couple of times; I've tested out this example. Let's see if we can get another DHCP address, and you can see that my hit counter is increasing here as well. So if I go to Services, DHCP and then view leases, I can see that my Xubuntu host has gotten an address through DHCP, so that is working just fine. And if I go back and try to ping the other range again, you can see that is working just fine as well.

So that's basically how you create these rules and how you create these virtual interfaces. The main thing that you want to remember is that these apply, or you might want to apply them, ideally in the inbound direction, and don't forget that there's also this local direction that's going to the device itself. The other thing is that you want to use the config tree if you are configuring this from the GUI and not the command line, because you cannot do it in the normal method. So I hope it's been informative, and thank you for your time.
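Added example (editor's note, not the video author's exported configuration): the same design written out as EdgeOS CLI `set` commands, for readers who prefer the command line over the GUI config tree. The VLAN IDs, addresses, network group, rule contents, directions and DHCP pool are the ones used in the video; the ruleset names (GUEST_IN, GUEST_LOCAL, WAN_IN), the rule numbers, the `Guest` shared-network name and the `dns forwarding listen-on` line are my assumptions. Two points a practitioner will want to check: the established/related accept in GUEST_IN must have a lower rule number than the drop to the LAN group, because rules are evaluated in order and the drop would otherwise also discard guest replies to LAN-initiated sessions; and the video only applies an inbound policy on eth0, so the router's own services (SSH, the web GUI) on the WAN side are not covered by any `local` policy in this configuration.

```text
configure

# VIFs on the trunk port (router on a stick); VLAN 10 = LAN, VLAN 172 = guest
set interfaces ethernet eth1 vif 10 address 10.0.0.1/24
set interfaces ethernet eth1 vif 10 description LAN
set interfaces ethernet eth1 vif 172 address 172.16.0.1/24
set interfaces ethernet eth1 vif 172 description Guest

# RFC1918 ranges guests must never initiate traffic to
set firewall group network-group LAN description "internal ranges"
set firewall group network-group LAN network 10.0.0.0/8
set firewall group network-group LAN network 172.16.0.0/12
set firewall group network-group LAN network 192.168.0.0/16

# Guest -> through the router (inbound on eth1.172): internet allowed, LAN blocked
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 description established
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 protocol all
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 description "network group"
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 protocol all
set firewall name GUEST_IN rule 20 destination group network-group LAN

# Guest -> the router itself (local on eth1.172): only DNS, DHCP and replies
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 description DNS
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53
set firewall name GUEST_LOCAL rule 20 description DHCP
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 30 description established
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 protocol all
set firewall name GUEST_LOCAL rule 30 state established enable
set firewall name GUEST_LOCAL rule 30 state related enable

# WAN -> LAN/guest (inbound on eth0): return traffic only
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 description established
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

# Apply the rulesets; nothing is applied to eth1.10 (trusted LAN)
set interfaces ethernet eth1 vif 172 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 172 firewall local name GUEST_LOCAL
set interfaces ethernet eth0 firewall in name WAN_IN

# DHCP for the guest VLAN; the router is gateway and DNS forwarder
set service dhcp-server shared-network-name Guest subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
set service dhcp-server shared-network-name Guest subnet 172.16.0.0/24 default-router 172.16.0.1
set service dhcp-server shared-network-name Guest subnet 172.16.0.0/24 dns-server 172.16.0.1
set service dns forwarding listen-on eth1.172

commit
save
exit
```

After committing, `show firewall name GUEST_IN statistics` and `show firewall name GUEST_LOCAL statistics` give the same per-rule packet counters the video reads off the GUI, so the ping and traceroute checks from the guest host can be repeated from the CLI to confirm that rule 20 of GUEST_IN and the GUEST_LOCAL default action are the ones incrementing.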
Info
Channel: Ben Pin
Views: 25,396
Rating: 4.9673471 out of 5
Keywords: ubiquiti, edgerouter, edgemax, edgeos, edge os, edge max, edgerouter x, edgerouter pro, edgerouter lite, quick, configs, command line interface, cli, quick configs, firewall, policies, guest, network, access, internet, lan, limit, vlan, virtual lan, virtual interface, subinterface, vif
Id: oDWFR7FFw4w
Length: 15min 6sec (906 seconds)
Published: Sat Sep 17 2016