EdgeRouter - How to Create a Guest/LAN Firewall Rule
Overview
Readers will learn how to create firewall rules that protect the router and limit traffic between multiple Local Area Networks (LANs).
Adding Firewall Rules
Firewall policies are used to allow traffic in one direction while blocking it in the other.
The EdgeRouter uses a stateful firewall, which means the router firewall rules can match on different connection states. In the example diagram above, firewall rules will be added to limit the traffic between the trusted LAN (192.168.1.0/24) and the GUEST network (172.16.1.0/24).
The following traffic restrictions are applied to the GUEST network:
- Management access to the router is denied.
- All traffic to the trusted LAN is denied, with the exception of HTTP and HTTPS traffic to the Webserver.
- All other traffic is allowed (internet access).
Follow the steps below to manually create these firewall rules:
1. Navigate to the Firewall/NAT tab.
2. Create a network group that includes all of the RFC1918 private IP ranges.
Firewall/NAT > Firewall/NAT Groups > + Add Group
Name: LAN_NETWORKS
Description: RFC1918 ranges
Group Type: Network Group
3. Add the IP ranges to the newly created network group.
Firewall/NAT > Firewall/NAT Groups > LAN_NETWORKS > Actions > Config
Network: 192.168.0.0/16
+Add New
Network: 172.16.0.0/12
+Add New
Network: 10.0.0.0/8
4. Add a GUEST_IN firewall policy and set the default action to accept.
Firewall/NAT > Firewall Policies > + Add Ruleset
Name: GUEST_IN
Description: guest to lan/wan
Default action: Accept
5. Add two firewall rules to the newly created firewall policy. Rules are evaluated in order and the first match decides, so the rule that accepts traffic to the Webserver must be placed before the rule that drops all other traffic to the LAN.
Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Edit Ruleset > + Add New Rule
Description: allow webserver
Action: Accept
Protocol: TCP
Destination > Address: 192.168.1.10
Destination > Port: 80,443
Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Edit Ruleset > + Add New Rule
Description: drop guest to lan
Action: Drop
Protocol: All protocols
Destination > Network Group: LAN_NETWORKS
6. Attach the firewall policy to the eth2 LAN interface in the inbound direction.
Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Interfaces
Interface: eth2
Direction: in
7. Add a GUEST_LOCAL firewall policy and set the default action to drop.
Firewall/NAT > Firewall Policies > + Add Ruleset
Name: GUEST_LOCAL
Description: guest to router
Default action: Drop
8. Add a firewall rule to the newly created firewall policy that allows guests to use the EdgeRouter as a DNS server.
Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Edit Ruleset > + Add New Rule
Description: allow DNS
Action: Accept
Protocol: Both TCP and UDP
Destination > Port: 53
9. Add a firewall rule to the newly created firewall policy that allows guests to use the EdgeRouter as a DHCP server.
Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Edit Ruleset > + Add New Rule
Description: allow DHCP
Action: Accept
Protocol: UDP
Destination > Port: 67
10. Attach the firewall policy to the eth2 LAN interface in the local direction.
Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Interfaces
Interface: eth2
Direction: local
The above configuration can also be set using the CLI:
1. Enter configuration mode.
configure
2. Configure the LAN_NETWORKS network group.
set firewall group network-group LAN_NETWORKS description 'RFC1918 ranges'
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
3. Configure the GUEST_IN firewall policy.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description 'guest to lan/wan'
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description 'allow webserver'
set firewall name GUEST_IN rule 10 protocol tcp
set firewall name GUEST_IN rule 10 destination address 192.168.1.10
set firewall name GUEST_IN rule 10 destination port 80,443
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description 'drop guest to lan'
set firewall name GUEST_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name GUEST_IN rule 20 protocol all
4. Configure the GUEST_LOCAL firewall policy.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description 'guest to router'
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description 'allow dns'
set firewall name GUEST_LOCAL rule 10 log disable
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description 'allow dhcp'
set firewall name GUEST_LOCAL rule 20 log disable
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
5. Attach the firewall policies to the eth2 interface in the inbound and local direction.
set interfaces ethernet eth2 firewall in name GUEST_IN
set interfaces ethernet eth2 firewall local name GUEST_LOCAL
6. Commit the changes and save the configuration.
commit ; save
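Both rulesets above are evaluated top-down: the first matching rule decides, and the policy's default action applies when no rule matches. The following Python script is an added example, not part of this article and not EdgeOS code; it models that first-match behaviour, the LAN_NETWORKS group and both default actions so the intended outcomes (Webserver reachable on 80/443, the rest of the LAN and router management dropped, internet allowed, DNS and DHCP to the router allowed) can be checked on a workstation before the configuration is committed. The router address 172.16.1.1 and the internet address 203.0.113.10 are constructed sample values, and the misordered ruleset at the end exists only to show why rule order matters.

```python
"""Added example (not EdgeOS code): a first-match evaluator that models the
GUEST_IN and GUEST_LOCAL rulesets from the article."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Network group LAN_NETWORKS from the article: all RFC 1918 ranges.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


@dataclass
class Rule:
    number: int
    description: str
    action: str                                    # "accept" or "drop"
    protocol: Optional[Set[str]] = None            # None = all protocols
    dst_address: Optional[str] = None              # host or network
    dst_group: Optional[List[ipaddress.IPv4Network]] = None
    dst_ports: Optional[Set[int]] = None           # None = any port

    def matches(self, proto: str, dst_ip, dst_port: Optional[int]) -> bool:
        """Every configured matcher must agree; unset matchers match anything."""
        if self.protocol is not None and proto not in self.protocol:
            return False
        if self.dst_address is not None and dst_ip not in ipaddress.ip_network(self.dst_address):
            return False
        if self.dst_group is not None and not any(dst_ip in net for net in self.dst_group):
            return False
        if self.dst_ports is not None and dst_port not in self.dst_ports:
            return False
        return True


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, proto: str, dst: str,
                 dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Rules are checked in ascending number order; the first match decides.
        Returns (action, rule number), or (default action, None) if nothing matched."""
        dst_ip = ipaddress.ip_address(dst)
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(proto, dst_ip, dst_port):
                return rule.action, rule.number
        return self.default_action, None


# The two rulesets exactly as the article configures them.
GUEST_IN = Ruleset("GUEST_IN", "accept", [
    Rule(10, "allow webserver", "accept", protocol={"tcp"},
         dst_address="192.168.1.10", dst_ports={80, 443}),
    Rule(20, "drop guest to lan", "drop", dst_group=LAN_NETWORKS),
])

GUEST_LOCAL = Ruleset("GUEST_LOCAL", "drop", [
    Rule(10, "allow dns", "accept", protocol={"tcp", "udp"}, dst_ports={53}),
    Rule(20, "allow dhcp", "accept", protocol={"udp"}, dst_ports={67}),
])


def misordered_guest_in() -> Ruleset:
    """Same two rules with the drop rule first: shows that order, not
    just content, determines the outcome (constructed for illustration)."""
    return Ruleset("GUEST_IN_misordered", "accept", [
        Rule(10, "drop guest to lan", "drop", dst_group=LAN_NETWORKS),
        Rule(20, "allow webserver", "accept", protocol={"tcp"},
             dst_address="192.168.1.10", dst_ports={80, 443}),
    ])


if __name__ == "__main__":
    # Constructed sample flows from a guest client (172.16.1.50).
    flows = [
        (GUEST_IN, "tcp", "192.168.1.10", 443, "guest -> webserver https"),
        (GUEST_IN, "tcp", "192.168.1.10", 22, "guest -> webserver ssh"),
        (GUEST_IN, "tcp", "192.168.1.20", 80, "guest -> other LAN host"),
        (GUEST_IN, "tcp", "203.0.113.10", 443, "guest -> internet"),
        (GUEST_LOCAL, "udp", "172.16.1.1", 53, "guest -> router dns"),
        (GUEST_LOCAL, "udp", "255.255.255.255", 67, "guest -> router dhcp"),
        (GUEST_LOCAL, "tcp", "172.16.1.1", 22, "guest -> router ssh"),
        (GUEST_LOCAL, "tcp", "172.16.1.1", 443, "guest -> router web UI"),
    ]
    for ruleset, proto, dst, port, label in flows:
        action, rule = ruleset.evaluate(proto, dst, port)
        print(f"{ruleset.name:12} {label:26} -> {action} (rule {rule})")
    action, rule = misordered_guest_in().evaluate("tcp", "192.168.1.10", 443)
    print(f"misordered   guest -> webserver https  -> {action} (rule {rule})")
```

Run the script directly to print the decision for each sample flow; the final line shows that swapping the two GUEST_IN rules silently breaks access to the Webserver, which is the regression to look for whenever rules are inserted into an existing ruleset.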
Related Articles
Intro to Networking - How to Establish a Connection Using SSH
Intro to Networking - Network Firewall Security