Geekzone: technology news, blogs, forums
conzar

4 posts

Wannabe Geek


#198585 14-Jul-2016 21:19

I just received an EdgeRouter POE-5 and started configuring it for my home network.  I have updated it to the latest firmware and used the WAN+2LAN2 template for initial configuration.  I am unfamiliar and a bit confused with the EdgeOS firewall rules.  So before I replace my existing router (which is a dual-core Pentium D server running Zentyal; it's totally overkill but it easily handles 1Gb/s WAN routing), I want to make sure that I have a firm grasp on the firewall rules.

 

For managing GNU/Linux based firewalls, I normally use Firewall Builder (I know the project is no longer being developed BUT it still works) to create the rules for iptables.  Does anyone have any advice on how to convert iptables to EdgeOS firewall rules?  Are there any nice GUIs anyone can recommend that will work with EdgeOS/EdgeRouter, similar to Firewall Builder?

 

Also, I would like to use the auto-firewall feature when adding port forwarding, will this be an issue if I configure the firewall rules using an external program (if any exists)?

 

The table below is an example configuration based off of the dd-wrt firewall builder template.

 

Thank you for your help!

 

 

 

(image: Firewall Builder rule table)
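The conversion the question asks about, as an added example that is not from the thread and not part of Firewall Builder or EdgeOS: a small translator that reads a subset of `iptables-save` output and emits the equivalent EdgeOS `set firewall` commands, preserving first-match order and turning a trailing catch-all rule into the rule set's `default-action`. The sample rules, the interface name `eth0`, the addresses, and the mapping of the iptables INPUT/FORWARD chains onto the wizard's WAN_LOCAL/WAN_IN rule sets are all assumptions made for this example. Any iptables option the parser does not understand raises an error rather than being silently dropped, which is the property you want from a tool that rewrites a firewall.

```python
"""Translate a small subset of iptables-save output into EdgeOS 'set' commands.

Added example: not from the thread and not part of Firewall Builder or EdgeOS.
Only the options handled in parse_rule() are understood; anything else raises so
that a rule is never silently lost. Interface, chain and address values below
are assumptions for the example.
"""
import shlex

# Constructed sample in iptables-save style (addresses, interface name and chain
# layout are made up for this example).
SAMPLE_IPTABLES = """
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -m state --state INVALID -j DROP
-A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p tcp -s 203.0.113.0/24 --dport 22 -j ACCEPT
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.1.10 --dport 443 -j ACCEPT
-A FORWARD -i eth0 -j DROP
"""

# iptables chain -> (EdgeOS rule-set name, interface hook it attaches to).
# WAN_IN / WAN_LOCAL are the names the EdgeOS wizard uses; mapping INPUT and
# FORWARD onto them is an assumption of this example.
CHAIN_MAP = {"INPUT": ("WAN_LOCAL", "local"), "FORWARD": ("WAN_IN", "in")}
ACTION_MAP = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}
MATCH_KEYS = ("proto", "src", "dst", "dport", "icmp_type", "state")


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into a dict. Unsupported options raise."""
    toks = shlex.split(line)
    rule = {"chain": None, "in_if": None, "target": None, "proto": None,
            "src": None, "dst": None, "dport": None, "icmp_type": None, "state": []}
    two = {"-A": "chain", "-i": "in_if", "-j": "target", "-p": "proto",
           "-s": "src", "-d": "dst", "--dport": "dport", "--icmp-type": "icmp_type"}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in two:
            rule[two[tok]] = toks[i + 1]
        elif tok == "-m" and toks[i + 1] == "state":
            pass                                   # '--state' carries the values
        elif tok == "--state":
            rule["state"] = toks[i + 1].lower().split(",")
        else:
            raise ValueError(f"unsupported iptables option {tok!r} in: {line}")
        i += 2
    if rule["chain"] not in CHAIN_MAP or rule["target"] not in ACTION_MAP:
        raise ValueError(f"unsupported chain or target in: {line}")
    return rule


def is_catch_all(rule):
    """True for a rule with no match criteria: it becomes the default-action."""
    return not any(rule[k] for k in MATCH_KEYS)


def rule_commands(name, num, rule):
    """EdgeOS 'set' commands for one rule; states not listed stay disabled."""
    p = f"set firewall name {name} rule {num}"
    cmds = [f"{p} action {ACTION_MAP[rule['target']]}"]
    if rule["proto"]:
        cmds.append(f"{p} protocol {rule['proto']}")
    if rule["src"]:
        cmds.append(f"{p} source address {rule['src']}")
    if rule["dst"]:
        cmds.append(f"{p} destination address {rule['dst']}")
    if rule["dport"]:
        cmds.append(f"{p} destination port {rule['dport']}")
    if rule["icmp_type"] is not None:
        cmds.append(f"{p} icmp type {rule['icmp_type']}")
    for state in rule["state"]:
        cmds.append(f"{p} state {state} enable")
    return cmds


def translate(iptables_text):
    """Return the EdgeOS commands for every rule, preserving first-match order."""
    rulesets, default_action, bindings = {}, {}, {}
    for line in iptables_text.strip().splitlines():
        rule = parse_rule(line)
        name, hook = CHAIN_MAP[rule["chain"]]
        rulesets.setdefault(name, [])
        if rule["in_if"]:
            bindings[(rule["in_if"], hook)] = name
        if name in default_action:          # iptables would never reach this rule
            raise ValueError(f"rule after a catch-all is unreachable: {line}")
        if is_catch_all(rule):
            default_action[name] = ACTION_MAP[rule["target"]]
        else:
            rulesets[name].append(rule)
    cmds = []
    for name, rules in rulesets.items():
        # EdgeOS drops by default; an explicit trailing catch-all overrides that.
        cmds.append(f"set firewall name {name} default-action "
                    f"{default_action.get(name, 'drop')}")
        for n, rule in enumerate(rules, start=1):
            cmds.extend(rule_commands(name, n * 10, rule))   # 10, 20, 30 ... leaves gaps
    for (iface, hook), name in bindings.items():
        cmds.append(f"set interfaces ethernet {iface} firewall {hook} name {name}")
    return cmds


if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_IPTABLES)))
```

Paste the printed commands into `configure` mode and `commit`; the rule numbers step by 10 so rules can be slotted in later without renumbering. Before using anything like this on a real rule set, diff the output against the intended policy: the translator covers only stateful accept/drop, protocol, source/destination address, destination port and ICMP type, and refuses anything else on purpose.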


michaelmurfy
meow
13240 posts

Uber Geek

Moderator

  #1592861 15-Jul-2016 01:32

It really just seems that what you're trying to do here can be done via standard port forwarding in the EdgeRouter interface? Unless I am reading it wrong. I have personally always used iptables in the CLI.

 

For starters, you'll want to ensure your Edgerouter is firewalled off from the world (use the CLI and type "configure" to enter configuration mode) - something like this should do it:

 

01:19 mmurphy@charmander ~ $ show firewall name WAN_IN
default-action drop
description "WAN to internal"
rule 2 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 3 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}

 

01:20 mmurphy@charmander ~ $ show firewall name WAN_LOCAL
default-action drop
description "WAN to router"
rule 1 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 3 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}
rule 4 {
    action accept
    description ICMP
    log disable
    protocol icmp
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}

 

Next, anything outbound can be forwarded through to your backend servers via the forwarding rules on Firewall/NAT in the WebUI. Ensure you've configured your internal / external interfaces. The Config Tree in the WebUI is really good for beginners just getting to grips with CLI commands. I for one taught myself (coming from Mikrotik) with a mix of their Wiki guides as well as the config tree. I would normally post screenshots of my EdgeRouter, however it has now gotten so complex it is hard for others to understand what is going on (a mix of networks, NAT rules, IPv6 etc).

 

Essentially all firewalling rules can be done directly under the WebUI; however, if you have a few to make it could be worth putting them in a chain in the CLI and assigning them to the relevant interfaces (far quicker, since each "apply" in the WebUI does a commit/save which takes time). Again, firewalling is very similar to iptables in terms of how it works, and in fact it is iptables under the hood, but please for the love of god don't mess around with iptables on this router directly.

 

The router itself is based off Vyatta with the same command structure so using Google + searching things like "Vyatta Firewalling" will normally bring up some really good guides to get started. I don't want to be really held responsible for providing a potentially broken configuration since all networks are different so really you're needing to go out and do an explore to set up firewall rules on this piece of kit. The rules I posted above are normally applied by the wizard so ensure they're set to your WAN interfaces to secure your router.

 

After all that, test with GRC Shields-UP to ensure you're all firewalled. I'll leave this as a weekend project for you :)

 

Just a protip if you're also using the wizard: ensure that offloading is enabled (from the standard CLI, not configure mode):

 

01:30 mmurphy@charmander ~ $ show ubnt offload

IP offload module   : loaded
IPv4
  forwarding: disabled
  vlan      : enabled
  pppoe     : enabled
  gre       : disabled
IPv6
  forwarding: enabled
  vlan      : enabled
  pppoe     : disabled

 

IPSec offload module: loaded

 

Traffic Analysis :
export : disabled
dpi : disabled

 

To enable offloading on any interfaces where it is not enabled, go into configure mode and run this:

 

01:31 mmurphy@charmander ~ $ set system offload ipv4 forwarding enable
01:32 mmurphy@charmander ~ $ commit
01:32 mmurphy@charmander ~ $ save
Saving configuration to '/config/config.boot'...
Done




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.




conzar

4 posts

Wannabe Geek


  #1592925 15-Jul-2016 09:10

Thank you for your reply.  So, I haven't set up port forwarding just yet and it's also not shown in the fwbuilder table.

 

Why do you say to not use iptables?  Is that possible?

 

Here is my configuration, looks the same as what you posted.

 

show firewall name WAN_IN

 


default-action drop
description "WAN to internal"
rule 10 {
  action accept
  description "Allow established/related"
  state {
    established enable
    related enable
  }
}
rule 20 {
  action drop
  description "Drop invalid state"
  state {
    invalid enable
  }
}

 

 

 

 

show firewall name WAN_LOCAL

 


default-action drop
description "WAN to router"
rule 10 {
  action accept
  description "Allow established/related"
  state {
    established enable
    related enable
  }
}
rule 20 {
  action drop
  description "Drop invalid state"
  state {
    invalid enable
  }
}

 

show ubnt offload

 

 

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : disabled
  pppoe     : disabled
  gre       : disabled
IPv6
  forwarding: disabled
  vlan      : disabled
  pppoe     : disabled

IPSec offload module: loaded

Traffic Analysis :
  export : disabled
  dpi    : disabled


Paul1977
5039 posts

Uber Geek


  #1592949 15-Jul-2016 09:49

michaelmurfy:

01:19 mmurphy@charmander ~ $ show firewall name WAN_IN
default-action drop
description "WAN to internal"
rule 2 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 3 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}

01:20 mmurphy@charmander ~ $ show firewall name WAN_LOCAL
default-action drop
description "WAN to router"
rule 1 {
    action accept
    description "Allow established/related"
    state {
        established enable
        related enable
    }
}
rule 3 {
    action drop
    description "Drop invalid state"
    state {
        invalid enable
    }
}
rule 4 {
    action accept
    description ICMP
    log disable
    protocol icmp
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}

 


 

Sorry to hijack the thread, but is rule 4 under WAN_LOCAL just to allow pings from the Internet? So not really required right?

 

Also are the lines that specify "disable" such as "established disable" optional - i.e. are they set to disable by default unless you specify otherwise? I note on all your other rules (except WAN_LOCAL rule 4) you only specify "enable" lines.




kamicrazy
17 posts

Geek


  #1593050 15-Jul-2016 12:07

About WAN_LOCAL pings from the internet. I normally allow this so that Path MTU discovery works. This is important if for instance you have an IPv6 connection.

 

Regarding firewall rules,

 

How I normally build the rules is to configure the NAT translation first.

 

Then afterwards I add the firewall rules to allow the NAT traffic to occur.

 

One way to go about this is to disable the firewall first to make sure your NAT rules work correctly, and then re-enable the firewall afterwards to build the correct firewall rules.

 

Further to the suggestion of googling vyatta examples, I suggest looking on the vyos.net website.
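The order described above (destination NAT first, then the firewall rule that lets the translated traffic through), written out as an added EdgeOS configuration example that is not from the thread. The WAN interface `eth0`, the inside host 192.168.1.20, the port, and the rule numbers are assumptions for the example; rule 30 is used because the wizard's WAN_IN already occupies 10 and 20. The `#` lines are annotations for the reader, not something the EdgeOS configure prompt accepts.

```text
# Enter configuration mode on the router
configure

# 1. Destination NAT: TCP 443 arriving on the WAN interface -> inside host
set service nat rule 1 description "HTTPS to web host"
set service nat rule 1 type destination
set service nat rule 1 inbound-interface eth0
set service nat rule 1 protocol tcp
set service nat rule 1 destination port 443
set service nat rule 1 inside-address address 192.168.1.20
set service nat rule 1 inside-address port 443

# 2. Firewall: WAN_IN is evaluated after DNAT, so the rule matches the
#    translated (inside) address, not the router's public address
set firewall name WAN_IN rule 30 description "Allow HTTPS to web host"
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.1.20
set firewall name WAN_IN rule 30 destination port 443
set firewall name WAN_IN rule 30 state new enable

commit
save
```

If you test between step 1 and step 2, WAN_IN's `default-action drop` will discard the forwarded traffic, which is why the post suggests taking the firewall out of the path first; the narrowest way to do that is to detach the rule set from the interface (`delete interfaces ethernet eth0 firewall in`) and reattach it with `set interfaces ethernet eth0 firewall in name WAN_IN` once the NAT rule is confirmed working, rather than loosening the rule set itself. Note that `service nat` rules are separate from the WebUI's Port Forwarding tab (`port-forward`), whose auto-firewall option only covers entries created there.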


Paul1977
5039 posts

Uber Geek


  #1593093 15-Jul-2016 13:11

kamicrazy:

 

About WAN_LOCAL pings from the internet. I normally allow this so that Path MTU discovery works. This is important if for instance you have an IPv6 connection.

 

 

Everything on mine seemed to be working without it, so hadn't really considered MTU discovery etc.

 

I've now enabled ICMP in WAN_LOCAL but ideally don't want to allow all ICMP traffic. I would still like to block ICMP echo requests to the WAN only (I want to allow echo requests on other interfaces, so can't just use the global "set firewall all-ping disable").

 

Any ideas on how to do this?

 

EDIT: Does the below look right?

 

paul@edgerouter# show firewall name WAN_Local
default-action drop
description "WAN to router"
rule 10 {
    action accept
    description "Allow Established"
    log disable
    protocol all
    state {
        established enable
        invalid disable
        new disable
        related enable
    }
}
rule 20 {
    action drop
    description "Drop Invalid"
    log disable
    protocol all
    state {
        established disable
        invalid enable
        new disable
        related disable
    }
}
rule 30 {
    action drop
    description "Drop Ping"
    icmp {
        code 0
        type 8
    }
    log disable
    protocol icmp
    state {
        established enable
        invalid enable
        new enable
        related enable
    }
}
rule 40 {
    action accept
    description "Allow ICMP"
    log disable
    protocol icmp
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}
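To see what the WAN_Local rule set above actually does to a given packet, here is an added example (not from the thread and not EdgeOS code) that models the four rules and runs a handful of constructed packets through them with first-match semantics. The model assumes EdgeOS behaviour: rules are tried in ascending number, the first match decides, a rule with no enabled state (or with all four enabled, as rule 30 has) applies to every state, and the `default-action` applies when nothing matches. The packets, their conntrack states, and the WAN_LOCAL name are assumptions for the example.

```python
"""First-match evaluation of an EdgeOS-style rule set.

Added example, not from the thread: models the WAN_Local rule set posted above
and shows which rule each constructed packet hits. Assumes EdgeOS semantics:
ascending rule order, first match wins, a rule with no enabled state matches
any state, default-action when nothing matches.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # "accept" or "drop"
    protocol: str = "all"
    states: FrozenSet[str] = frozenset()     # enabled states; empty = no state filter
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    state: str                               # conntrack: new / established / related / invalid
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    note: str = ""


ANY = frozenset({"new", "established", "related", "invalid"})

# Transcription of the posted WAN_Local: 10 accept established/related, 20 drop
# invalid, 30 drop echo-request (type 8 code 0) in every state, 40 accept any
# other ICMP in state new.
WAN_LOCAL = [
    Rule(10, "accept", states=frozenset({"established", "related"})),
    Rule(20, "drop", states=frozenset({"invalid"})),
    Rule(30, "drop", protocol="icmp", states=ANY, icmp_type=8, icmp_code=0),
    Rule(40, "accept", protocol="icmp", states=frozenset({"new"})),
]
DEFAULT_ACTION = "drop"


def matches(rule, pkt):
    """A rule matches when every criterion it sets agrees with the packet."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.icmp_code is not None and rule.icmp_code != pkt.icmp_code:
        return False
    return True


def evaluate(ruleset, default_action, pkt):
    """Return (action, rule number) of the first match, or (default, None)."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return default_action, None


# Constructed packets arriving on the WAN interface, addressed to the router.
EXAMPLE_PACKETS = [
    Packet("icmp", "new", 8, 0, "echo request from the internet"),
    Packet("icmp", "related", 3, 4, "fragmentation-needed for the router's own TCP flow"),
    Packet("icmp", "new", 3, 4, "fragmentation-needed with no conntrack entry"),
    Packet("icmp", "invalid", 11, 0, "time-exceeded that conntrack marks invalid"),
    Packet("tcp", "new", note="SYN to the router from the internet"),
    Packet("udp", "established", note="reply to the router's own DNS query"),
]


def run_examples(ruleset=WAN_LOCAL, default_action=DEFAULT_ACTION):
    """Map each example packet's note to the (action, rule) it receives."""
    return {p.note: evaluate(ruleset, default_action, p) for p in EXAMPLE_PACKETS}


if __name__ == "__main__":
    for note, (action, num) in run_examples().items():
        where = f"rule {num}" if num else "default-action"
        print(f"{action:6} {where:15} {note}")
```

Two things the run makes visible: an ICMP error that belongs to a connection the router itself opened (the fragmentation-needed case with state `related`) is accepted by rule 10 before the ICMP-specific rules are reached at all, so rule 40 only matters for ICMP that conntrack cannot tie to an existing flow; and the echo-request drop has to sit before the general ICMP accept, since reversing rules 30 and 40 would make rule 30 unreachable for new packets.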


michaelmurfy
meow
13240 posts

Uber Geek

Moderator

  #1593152 15-Jul-2016 13:41

Oh yes, I am using IPv6 and these are from my router - I am required to have ping turned on for my tunnel. The local rules are to your router, so in your case delete rules 30 + 40.







Paul1977
5039 posts

Uber Geek


  #1593160 15-Jul-2016 13:51

michaelmurfy:

 

Oh yes I am using IPv6 and these are from my router - I am required to have ping turned on for my tunnel. The local rules are to your router so in your case delete rule 30 + 40

 

 

I'm not using IPv6, but after what kamicrazy said about MTU Path Discovery etc I did a bit of a Google which seemed to indicate that blocking all ICMP probably wasn't the best idea.

 

So I added rule 30 to specifically block pings, and rule 40 to allow all other ICMP traffic to the router. Is ICMP to the router not needed for MTU Path Discovery?


 
 
 

conzar

4 posts

Wannabe Geek


  #1593204 15-Jul-2016 15:08

Has anyone used Zone Builder?


michaelmurfy
meow
13240 posts

Uber Geek

Moderator

  #1593271 15-Jul-2016 17:47

conzar:

 

Has anyone used Zone Builder?

 

 

I personally just use the CLI for firewall rules, or the GUI (WebUI) which has quite a simple interface. The CLI is pretty quick once you're used to it.







conzar

4 posts

Wannabe Geek


  #1593345 15-Jul-2016 20:10

michaelmurfy:

 

 

 

I personally just use the CLI for firewall rules, or the GUI (WebUI) which has quite a simple interface. The CLI is pretty quick once you're used to it.

 

 

I don't like using the CLI for editing firewall rules.  I like a visual representation; Firewall Builder is object oriented.  One of the reasons I purchased the EdgeRouter was that it's based on Debian.  However, I really think that being able to visualize firewall rules is beneficial for the following reasons: better abstraction, easier to maintain, and easier for others to collaborate.  It's a shame the main dev of fwbuilder dropped the project, but it's open source so there is always the possibility of someone else picking up the torch (fork on Bitbucket or GitHub).  Or perhaps someone else can create a different program entirely.  I guess if I really want to do EdgeOS firewall rules, I could make an attempt at implementing an export myself (but that will require a huge time sink which I really don't have time for ATM).

 

It would be great for a more object oriented approach to be incorporated into the EdgeOS software.  That would solve my current problem ATM.

 

I was also thinking that a puppet module would be ideal from a DevOps perspective.  But to develop an EdgeOS puppet module will be even more work than the firewall builder update.  A puppet module would be the ultimate in controlling the router configuration and would be way easier to manage the firewall rules.

 

Anyway, it's looking like I am going to have to invest some time in learning EdgeOS firewall rules.  I will probably opt for the web UI as I really don't want to be typing out the configuration on the router itself (it sort of goes against my training as a DevOps/programmer).

 

For anyone interested, I found this youtube video that helps explain the UI elements.  I have a long way to go in order to build the firewall rules that I want.

 

https://www.youtube.com/watch?v=WzzGD8e2P7w






