Topic # 245317 29-Jan-2019 10:42

I've followed https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-How-to-block-internet-access-for-a-single-... and have a group for insecure devices that are blocked from the internet.

 

I can tell they're blocked as I'll go to their apps and they won't show up, or my camera will stop sending out iOS notifications.

 

The only way I can get it to work is to put it at the very top of the LAN IN list:

 

[screenshot of the LAN IN rule list]

 

The rule is set up as:

Before Predefined Rules
Drop
New, Established, Related
Source - InsecureDevices Group
Source Port: Any
Destination: Any
Destination Port: Any

If I move that rule to anywhere other than the very top, it stops working, as in I see traffic coming out from the insecure devices (but then my VPN access works).

 

But with it in this configuration the LAN to insecure access is working. But any traffic from my VPN LAN (192.168.50.x) seems to fail to get to the insecure devices, which are in my regular LAN (192.168.10.x).

 

I did try an explicit 192.168.50.x rule to InsecureGroup Accept. But that didn't seem to help either.

 

 





Previously known as psycik

OpenHAB: Gigabyte AMD A8 BrixOpenHAB with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Xiaomi Humidity and Temperature sensors and Bluetooth LE Sensors
Media:Chromecast v2, ATV4, Roku3, HDHomeRun Dual
Windows 10
Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex


Reply # 2188281 27-Feb-2019 16:04

Anyone with an answer?







Mr Snotty
Reply # 2188288 27-Feb-2019 16:23

Because you've got an allow-all 2nd from the top - rules run from top to bottom until a match is made, so the allow-all will take preference over everything else.





 
 
 
 


Reply # 2188293 27-Feb-2019 16:33

Yeah, rule 2001 doesn't look like it is specifying source/destination. So that needs to be below the specific allow rules, or it will just catch everything.




Reply # 2188294 27-Feb-2019 16:34

So that is why it needs to be at the top to work?

I get that. But what change do I need to make to allow access from the VPN VLAN?

Or does this rule need to move further down (the others are related to MQTT access from another VLAN)?








Reply # 2188295 27-Feb-2019 16:35

Hmm, I need to check that 2001. It should be allow almost anything from my main LAN to the IoT LAN (and the rule below only allows 1883 - MQTT out).






Reply # 2188298 27-Feb-2019 16:45

Yeah, so shift that 2001 to the bottom. Then test everything again.

 

The easiest way to approach a firewall is stick a "Drop all" rule at the bottom, and then work your way up from there just allowing what you need.

 

Just don't lock yourself out of the router! Although, if you are using the GZ cloud UniFi controller that shouldn't be a problem, I suppose.
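To make the ordering point concrete, here is an added example (not from the thread and not Ubiquiti's code) that walks a small first-match rule list the way the USG does and lists the rules a catch-all like 2001 shadows. Group members, the IoT VLAN address and every rule number other than 2001 are assumptions, and connection state (New/Established/Related) is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the LAN IN list in this thread: rule 2001, the InsecureDevices
# group, the 192.168.50.x VPN LAN and port 1883 are from the thread; the rest is assumed.
GROUPS = {"InsecureDevices": {"192.168.10.66"}}  # assumed member: the NVR

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str           # "accept" or "drop"
    src: Optional[str]    # CIDR, "group:<name>", or None for Any
    dst: Optional[str]
    dport: Optional[int]  # None for Any

    def is_catch_all(self) -> bool:
        return self.src is None and self.dst is None and self.dport is None

def _matches(spec: Optional[str], ip: str) -> bool:
    if spec is None:
        return True
    if spec.startswith("group:"):
        return ip in GROUPS[spec[len("group:"):]]
    return ip_address(ip) in ip_network(spec)

def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[Optional[int], str]:
    """Top-to-bottom evaluation: the first rule that matches decides the packet."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.dport in (None, dport):
            return r.rule_id, r.action
    return None, "default"  # nothing matched; the chain's predefined rules apply

def shadowed(rules: List[Rule]) -> List[int]:
    """Ids of rules that can never fire because a catch-all rule sits above them."""
    for i, r in enumerate(rules):
        if r.is_catch_all():
            return [later.rule_id for later in rules[i + 1:]]
    return []

DROP_INSECURE = Rule(2000, "drop", "group:InsecureDevices", None, None)
ALLOW_ALL_2001 = Rule(2001, "accept", None, None, None)
ALLOW_MQTT = Rule(2002, "accept", "192.168.20.0/24", "192.168.10.0/24", 1883)  # assumed IoT VLAN
ALLOW_VPN_TO_INSECURE = Rule(2003, "accept", "192.168.50.0/24", "group:InsecureDevices", None)

# Allow-all second from the top: the drop and the VPN accept below it are dead rules.
BROKEN = [ALLOW_MQTT, ALLOW_ALL_2001, DROP_INSECURE, ALLOW_VPN_TO_INSECURE]
# Specific rules first and 2001 shifted to the bottom, as the replies advise.
FIXED = [ALLOW_MQTT, ALLOW_VPN_TO_INSECURE, DROP_INSECURE, ALLOW_ALL_2001]
```

Running `shadowed(BROKEN)` is the quick check worth doing on any list: if it returns anything, those rules are decoration.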


Reply # 2188299 27-Feb-2019 16:47

I've simply disabled the device in Insights. Not sure if it was the right thing to do. Still functions correctly on the LAN. Not sure if it was the right thing to do or not though!





My views (except when I am looking out their windows) are not those of my employer.

Reply # 2188302 27-Feb-2019 16:49

Sorry. Correct terminology is Blocked.








Reply # 2188318 27-Feb-2019 17:16

hairy1:

I've simply disabled the device in Insights. Not sure if it was the right thing to do. Still functions correctly on the LAN. Not sure if it was the right thing to do or not though!



That's another approach. I keep a range of devices in there. But I'm going to move a couple to my IoT network (dodgy Chinese Xiaomi gateways that report your GPS coords, now that I have another way of talking to it).

But at a push I like your idea.






Reply # 2188333 27-Feb-2019 18:01

I've done it with Dahua cameras. I use Blue Iris and Home Assistant, so I don't need remote access. I assign them a static IP and block them in Insights.

 

I guess a VLAN is a good way to go but not enough time in the day. 

 

Interestingly, I couldn't find any info on what blocking *actually* does on UniFi.








Reply # 2188344 27-Feb-2019 18:25

hairy1:

I've done it with Dahua cameras. I use Blue Iris and Home Assistant, so I don't need remote access. I assign them a static IP and block them in Insights.


I guess a VLAN is a good way to go but not enough time in the day. 


Interestingly, I couldn't find any info on what blocking *actually* does on UniFi.



Yeah, I have my Dahua NVR in there as well. Technically I think I can release it, as I've flashed it with official English firmware.








Reply # 2188409 27-Feb-2019 19:30

What is this FW log record telling me?

 

Feb 27 19:25:29 USG kernel: [LAN_IN-2005-D]IN=eth1 OUT=pppoe2 MAC=234234 SRC=192.168.10.66 DST=17.188.156.31 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=39466 DF PROTO=TCP SPT=48733 DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0

 

Is this accepted, or dropped?

 

Does LAN_IN-2005-D mean LAN In rule 2005 and drop? So it's dropping that machine 192.168.10.66 (which is my NVR, the machine I couldn't access from the VPN) going to 17.188.156.31 (which seems to be Apple).

 

Can these logs go into something for dumbed-down users, for visualising rules in action? Something like ntop, but for FW rules.







Reply # 2188418 27-Feb-2019 19:45

That's a fairly clear log entry.

It's on the 'LAN_IN' chain and matches rule 2005. The packet came in on the eth1 interface and was headed for pppoe2. From there you have the layer 3 info about the IPs and ports involved.

If that rule is a drop rule, then it was dropped.
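As an added example (not from the thread and not Ubiquiti's code), this parses the kernel log line quoted above into its chain, rule, action and packet fields, then tallies hits per rule and per flow, the rough "ntop for FW rules" view asked about earlier. The letter-to-action mapping is an assumption to confirm against the rule in the controller, and the extra sample lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# The USG prefixes each logged firewall hit with [<chain>-<rule>-<letter>]. The
# letter-to-action mapping (A accept, D drop, R reject) is the EdgeOS/USG convention
# and is assumed here: confirm it against the rule's action in the controller.
PREFIX = re.compile(r"\[(?P<chain>[A-Z_]+)-(?P<rule>\d+|default)-(?P<act>[ADR])\]")
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}
TOKEN = re.compile(r"([A-Z]+)=(\S*)")

def parse_fw_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one USG kernel firewall log line into a dict; None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    rest = line[m.end():]
    rec: Dict[str, object] = {"chain": m.group("chain"), "rule": m.group("rule"),
                              "action": ACTIONS[m.group("act")]}
    for key, val in TOKEN.findall(rest):
        rec[key.lower()] = val          # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    rec["flags"] = [w for w in rest.split() if "=" not in w]  # bare tokens: DF, SYN
    return rec

def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count hits per rule and per flow: a rough ntop-style view of which rules fire."""
    by_rule, by_flow = Counter(), Counter()
    for line in lines:
        rec = parse_fw_log(line)
        if rec is None:
            continue
        by_rule[f"{rec['chain']}-{rec['rule']}-{rec['action']}"] += 1
        by_flow[f"{rec['src']} -> {rec['dst']}:{rec.get('dpt', '-')} {rec['action']}"] += 1
    return {"by_rule": by_rule, "by_flow": by_flow}

# First line is the one quoted in the thread (MAC redacted by its author); the rest are
# constructed: one more drop for the same flow, an accepted MQTT hit, a non-firewall line.
SAMPLE = [
    "Feb 27 19:25:29 USG kernel: [LAN_IN-2005-D]IN=eth1 OUT=pppoe2 MAC=234234 SRC=192.168.10.66 DST=17.188.156.31 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=39466 DF PROTO=TCP SPT=48733 DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Feb 27 19:25:31 USG kernel: [LAN_IN-2005-D]IN=eth1 OUT=pppoe2 MAC=234234 SRC=192.168.10.66 DST=17.188.156.31 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=39467 DF PROTO=TCP SPT=48733 DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Feb 27 19:26:02 USG kernel: [LAN_IN-2002-A]IN=eth1.20 OUT=eth1 MAC=234234 SRC=192.168.20.9 DST=192.168.10.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=1883 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Feb 27 19:26:05 USG dhcpd: DHCPACK on 192.168.10.5 to aa:bb:cc:dd:ee:ff (constructed)",
]

if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE).items():
        print(bucket, dict(counts))
```

Feeding it the USG's syslog output (the kernel lines above are what the controller's firewall logging emits) gives a per-rule hit count you can check against the rule list instead of reading raw lines.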
