Geekzone: technology news, blogs, forums
conzar (4 posts, Wannabe Geek)
Topic # 198585 14-Jul-2016 21:19

I just received an EdgeRouter POE-5 and started configuring it for my home network. I have updated it to the latest firmware and used the WAN+2LAN2 template for initial configuration. I am unfamiliar and a bit confused with the EdgeOS firewall rules. So before I replace my existing router (which is a dual-core Pentium-D server running Zentyal; it's totally overkill but it easily handles 1Gb/s WAN routing), I want to make sure that I have a firm grasp on the firewall rules.

 

For managing GNU/Linux based firewalls, I normally use Firewall Builder (I know the project is no longer being developed BUT it still works) to create the rules for iptables. Does anyone have any advice on how to convert iptables to EdgeOS firewall rules? Are there any nice GUIs anyone can recommend that will work with EdgeOS/EdgeRouter, similar to Firewall Builder?

 

Also, I would like to use the auto-firewall feature when adding port forwarding, will this be an issue if I configure the firewall rules using an external program (if any exists)?

 

The table below is an example configuration based on the dd-wrt Firewall Builder template.

 

Thank you for your help!

[image: Firewall Builder rule table]


Mr Snotty (8078 posts, Uber Geek, Moderator)
Reply # 1592861 15-Jul-2016 01:32


It really just seems that what you're trying to do here can be done via standard port forwarding in the EdgeRouter interface? Unless I am reading it wrong. I have personally always used iptables in the CLI.

 

For starters, you'll want to ensure your EdgeRouter is firewalled off from the world (use the CLI and type "configure" to enter configuration mode). Something like this should do it:

 

01:19 mmurphy@charmander ~ $ show firewall name WAN_IN
default-action drop
description "WAN to internal"
rule 2 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 3 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}

01:20 mmurphy@charmander ~ $ show firewall name WAN_LOCAL
default-action drop
description "WAN to router"
rule 1 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 3 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}
rule 4 {
    action accept
    description ICMP
    log disable
    protocol icmp
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}

 

Next, anything outbound can be forwarded through to your backend servers via the forwarding rules under Firewall/NAT in the WebUI. Ensure you've configured your internal / external interfaces. The Config Tree in the WebUI is really good for beginners just getting to grips with CLI commands. I for one taught myself (coming from Mikrotik) with a mix of their wiki guides as well as the config tree. I would normally post screenshots of my EdgeRouter, however it has now gotten so complex that it is hard for others to understand what is going on (a mix of networks, NAT rules, IPv6 etc.).

 

Essentially all firewalling rules can be done directly in the WebUI, however if you have a few to make it could be worth putting them in a chain in the CLI and assigning them to the relevant interfaces (far quicker, since each "apply" in the WebUI does a commit/save which takes time). Again, firewalling is very similar to iptables in terms of how it works, and in fact it is iptables under the hood, but please, for the love of god, don't mess around with iptables on this router directly.

 

The router itself is based on Vyatta with the same command structure, so using Google and searching for things like "Vyatta firewalling" will normally bring up some really good guides to get started. I don't really want to be held responsible for providing a potentially broken configuration, since all networks are different, so you really need to go out and explore to set up firewall rules on this piece of kit. The rules I posted above are normally applied by the wizard, so ensure they're set on your WAN interfaces to secure your router.

 

After all that, test with GRC ShieldsUP to ensure you're all firewalled. I'll leave this as a weekend project for you :)

 

Just a pro tip if you're also using the wizard: ensure that offloading is enabled (check from the standard CLI, not configure mode):

 

01:30 mmurphy@charmander ~ $ show ubnt offload

IP offload module   : loaded
IPv4
  forwarding: disabled
  vlan      : enabled
  pppoe     : enabled
  gre       : disabled
IPv6
  forwarding: enabled
  vlan      : enabled
  pppoe     : disabled

IPSec offload module: loaded

Traffic Analysis    :
  export    : disabled
  dpi       : disabled

 

To enable offloading on any interfaces where it is not enabled, go into configure mode and run this:

 

01:31 mmurphy@charmander ~ $ set system offload ipv4 forwarding enable
01:32 mmurphy@charmander ~ $ commit
01:32 mmurphy@charmander ~ $ save
Saving configuration to '/config/config.boot'...
Done
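The chains quoted above, the interface assignment and a port-forward with auto-firewall, emitted as the EdgeOS "set" commands that configure mode accepts. This is an added example written for this thread, not Ubiquiti's code and not anything a poster supplied; it uses the rule numbering 10/20/40 rather than the 1/2/3/4 in the listing above, and the interface names (eth0 WAN, eth1 LAN), the forward targets and the LAN addresses are assumptions chosen for illustration, so adjust them to your own layout before pasting.

```python
"""Emit EdgeOS 'set' commands for stateful WAN chains plus port-forwards.

Added example for this thread (not Ubiquiti's code): turns a small rule
table, in the spirit of the Firewall Builder table the original post asks
about, into the 'set' lines you paste into 'configure' mode. Interface
names, forward targets and rule numbers are assumptions for illustration.
"""

WAN_IF = "eth0"   # assumption: WAN on eth0, as in the WAN+2LAN2 wizard layout
LAN_IF = "eth1"   # assumption: first LAN port

# constructed sample table: (description, protocol, public port, target address, target port)
PORT_FORWARDS = [
    ("SSH to jump host", "tcp", 2222, "192.168.1.10", 22),
    ("HTTPS to web server", "tcp", 443, "192.168.1.20", 443),
]


def base_chain(name, description, allow_icmp=False):
    """The stateful base rules the wizard generates: accept return traffic, drop invalid."""
    p = f"set firewall name {name}"
    cmds = [
        f"{p} default-action drop",
        f'{p} description "{description}"',
        f"{p} rule 10 action accept",
        f'{p} rule 10 description "Allow established/related"',
        f"{p} rule 10 state established enable",
        f"{p} rule 10 state related enable",
        f"{p} rule 20 action drop",
        f'{p} rule 20 description "Drop invalid state"',
        f"{p} rule 20 state invalid enable",
    ]
    if allow_icmp:   # new ICMP to the router itself (rule 4 in the WAN_LOCAL listing above)
        cmds += [
            f"{p} rule 40 action accept",
            f'{p} rule 40 description "ICMP"',
            f"{p} rule 40 protocol icmp",
            f"{p} rule 40 state new enable",
        ]
    return cmds


def port_forward_cmds(forwards, wan_if, lan_if):
    """Port-forwards; auto-firewall makes EdgeOS add the matching WAN_IN accept rules itself."""
    cmds = [
        "set port-forward auto-firewall enable",
        f"set port-forward wan-interface {wan_if}",
        f"set port-forward lan-interface {lan_if}",
    ]
    for n, (desc, proto, public_port, addr, target_port) in enumerate(forwards, start=1):
        p = f"set port-forward rule {n}"
        cmds += [
            f'{p} description "{desc}"',
            f"{p} protocol {proto}",
            f"{p} original-port {public_port}",
            f"{p} forward-to address {addr}",
            f"{p} forward-to port {target_port}",
        ]
    return cmds


def build_config(forwards=PORT_FORWARDS, wan_if=WAN_IF, lan_if=LAN_IF):
    """Full command batch: both chains, their binding to the WAN interface, then NAT."""
    cmds = base_chain("WAN_IN", "WAN to internal")
    cmds += base_chain("WAN_LOCAL", "WAN to router", allow_icmp=True)
    cmds += [
        f"set interfaces ethernet {wan_if} firewall in name WAN_IN",      # transit traffic
        f"set interfaces ethernet {wan_if} firewall local name WAN_LOCAL",  # traffic to the router
    ]
    cmds += port_forward_cmds(forwards, wan_if, lan_if)
    return cmds


if __name__ == "__main__":
    print("\n".join(build_config()))
```

Paste the output after "configure", then "commit" and "save" exactly as in the offload example. Because "auto-firewall enable" makes EdgeOS create the WAN_IN accept rules for each forward, the generator deliberately emits none of its own, so a rule set maintained this way does not fight with that feature. The "in" chain sees traffic routed through the box and the "local" chain sees traffic addressed to the router, which is why the WebUI port-forward only ever touches WAN_IN.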






conzar (4 posts, Wannabe Geek)
Reply # 1592925 15-Jul-2016 09:10


Thank you for your reply. So, I haven't set up port forwarding just yet and it's also not shown in the fwbuilder table.

 

Why do you say to not use iptables?  Is that possible?

 

Here is my configuration, looks the same as what you posted.

 

show firewall name WAN_IN

default-action drop
description "WAN to internal"
rule 10 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 20 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}

show firewall name WAN_LOCAL

default-action drop
description "WAN to router"
rule 10 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 20 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}

 

show ubnt offload

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : disabled
  pppoe     : disabled
  gre       : disabled
IPv6
  forwarding: disabled
  vlan      : disabled
  pppoe     : disabled

IPSec offload module: loaded

Traffic Analysis    :
  export    : disabled
  dpi       : disabled


 
 
 
 


Uber Geek (2461 posts)
Reply # 1592949 15-Jul-2016 09:49


michaelmurfy:

    01:19 mmurphy@charmander ~ $ show firewall name WAN_IN
    default-action drop
    description "WAN to internal"
    rule 2 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 3 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }

    01:20 mmurphy@charmander ~ $ show firewall name WAN_LOCAL
    default-action drop
    description "WAN to router"
    rule 1 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 3 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
    rule 4 {
        action accept
        description ICMP
        log disable
        protocol icmp
        state {
            established disable
            invalid disable
            new enable
            related disable
        }
    }


Sorry to hijack the thread, but is rule 4 under WAN_LOCAL just to allow pings from the Internet? So it's not really required, right?

 

Also, are the lines that specify "disable", such as "established disable", optional, i.e. are they set to disable by default unless you specify otherwise? I note that on all your other rules (except WAN_LOCAL rule 4) you only specify "enable" lines.


kamicrazy (12 posts, Geek)
Reply # 1593050 15-Jul-2016 12:07


About WAN_LOCAL pings from the internet. I normally allow this so that Path MTU discovery works. This is important if for instance you have an IPv6 connection.

 

Regarding firewall rules,

 

How I normally build the rules is to configure the NAT translation first.

 

Then afterwards I add the firewall rules to allow the NAT traffic to occur.

 

One way to go about this is to disable the firewall first to make sure your NAT rules work correctly, and then re-enable the firewall afterwards to build the correct firewall rules.

 

Further to the suggestion of googling vyatta examples, I suggest looking on the vyos.net website.


Uber Geek (2461 posts)
Reply # 1593093 15-Jul-2016 13:11


kamicrazy:

    About WAN_LOCAL pings from the internet. I normally allow this so that Path MTU discovery works. This is important if for instance you have an IPv6 connection.


Everything on mine seemed to be working without it, so hadn't really considered MTU discovery etc.

 

I've now enabled ICMP in WAN_LOCAL, but ideally I don't want to allow all ICMP traffic. I would still like to block ICMP echo requests on the WAN only (I want to allow echo requests on other interfaces, so I can't just use the global "set firewall all-ping disable").

 

Any ideas on how to do this?

 

EDIT: Does the below look right?

 

paul@edgerouter# show firewall name WAN_Local
default-action drop
description "WAN to router"
rule 10 {
    action accept
    description "Allow Established"
    log disable
    protocol all
    state {
        established enable
        invalid disable
        new disable
        related enable
    }
}
rule 20 {
    action drop
    description "Drop Invalid"
    log disable
    protocol all
    state {
        established disable
        invalid enable
        new disable
        related disable
    }
}
rule 30 {
    action drop
    description "Drop Ping"
    icmp {
        code 0
        type 8
    }
    log disable
    protocol icmp
    state {
        established enable
        invalid enable
        new enable
        related enable
    }
}
rule 40 {
    action accept
    description "Allow ICMP"
    log disable
    protocol icmp
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}


Mr Snotty (8078 posts, Uber Geek, Moderator)
Reply # 1593152 15-Jul-2016 13:41


Oh yes, I am using IPv6 and these are from my router; I am required to have ping turned on for my tunnel. The local rules are for traffic to your router, so in your case delete rules 30 + 40.





Uber Geek (2461 posts)
Reply # 1593160 15-Jul-2016 13:51


michaelmurfy:

    Oh yes I am using IPv6 and these are from my router - I am required to have ping turned on for my tunnel. The local rules are to your router so in your case delete rule 30 + 40


I'm not using IPv6, but after what kamicrazy said about Path MTU Discovery etc. I did a bit of a Google search, which seemed to indicate that blocking all ICMP probably wasn't the best idea.

 

So I added rule 30 to specifically block pings, and rule 40 to allow all other ICMP traffic to the router. Is ICMP to the router not needed for Path MTU Discovery?




conzar (4 posts, Wannabe Geek)
Reply # 1593204 15-Jul-2016 15:08


Has anyone used Zone Builder?


Mr Snotty (8078 posts, Uber Geek, Moderator)
Reply # 1593271 15-Jul-2016 17:47


conzar:

    Has anyone used Zone Builder?


I personally just use the CLI for firewall rules, or the GUI (WebUI) which has quite a simple interface. The CLI is pretty quick once you're used to it.







conzar (4 posts, Wannabe Geek)
Reply # 1593345 15-Jul-2016 20:10


michaelmurfy:

    I personally just use the CLI for firewall rules, or the GUI (WebUI) which has quite a simple interface. The CLI is pretty quick once you're used to it.


I don't like using the CLI for editing firewall rules. I like a visual representation; Firewall Builder is object oriented. One of the reasons I purchased the EdgeRouter was that it's based on Debian. However, I really think that being able to visualize firewall rules is beneficial for the following reasons: better abstraction, easier to maintain, and easier for others to collaborate. It's a shame the main dev of fwbuilder dropped the project, but it's open source so there is always the possibility of someone else picking up the torch (fork on Bitbucket or GitHub). Or perhaps someone else can create a different program entirely. I guess if I really want to do EdgeOS firewall rules, I could make an attempt at implementing an export myself (but that will require a huge time sink which I really don't have time for ATM).

 

It would be great for a more object-oriented approach to be incorporated into the EdgeOS software. That would solve my current problem ATM.

 

I was also thinking that a Puppet module would be ideal from a DevOps perspective. But to develop an EdgeOS Puppet module will be even more work than the Firewall Builder update. A Puppet module would be the ultimate in controlling the router configuration and would make it way easier to manage the firewall rules.

 

Anyway, it's looking like I am going to have to invest some time in learning EdgeOS firewall rules. I will probably opt for the web UI as I really don't want to be typing out the configuration on the router itself (it sort of goes against my training as a DevOps/programmer).

 

For anyone interested, I found this YouTube video that helps explain the UI elements. I have a long way to go in order to build the firewall rules that I want.

 

https://www.youtube.com/watch?v=WzzGD8e2P7w

