Geekzone: technology news, blogs, forums
paul151 | 309 posts | Ultimate Geek | Trusted
#306165 2-Jul-2023 14:11

Preface: I'm a home geek who does not do network for a living but is slowly learning a few things in this area as I'm interested in this stuff and enjoy tinkering. I currently run an IPv6 he.net tunnel into a RPi and have radvd sending out addresses to devices on my LAN. Now that I have a native IPv6 allocation via @quic I want to end up using that for most devices but still have some on the he.net tunnel. Lordy knows how that can be accommodated/done, but for now I am working on how to get the native Quic allocation up and running on my EdgeRouter Lite. I am also using a static IPv4 via Quic (that is all set up and running OK).

 

I'm working on building my IPv6 firewall config and have been looking at the @michaelmurfy examples along with examples on the Ubiquiti forums. It seems getting your hands on good overall docs for the CLI is not that easy.

 

As I work my way through the default examples I see a few commands and options that differ between examples.

 

In Michael's example he's using 'top' and 'protocol all' in his WAN6_IN but in this example posted 4 years ago by the Ubiquiti team both are missing. What does 'top' do and is there anything to be gained by adding in 'protocol all'?

 

I'm also unsure about 'logging' commands and what is needed and if enabled how much space/resource does that impose on the router?

 

For example in the Ubiquiti example they have 'set firewall ipv6-name WANv6_IN enable-default-log' but Michael's omits this. I am also looking at a YouTube clip and that chap has some rules where he opts to ensure no logging for a certain rule.

 

Later in that video he's also allowing forwarding of specific traffic on ports which is something I need to do for services I am running that I will want to be able to be reached from the Internet to my home servers. I'm thinking in general my 'base' rules will need to be like rules 100, 200, 300 etc. and then I'll need to add the port-forward pinhole stuff as entries prior to the base rules (e.g. before rule 100). Does that sound correct to you?

 

I have a number of questions about whether I can run something like both a SLAAC service for IPv6 over pppoe0 and also still have the he.net tunnel stuff running? But I'll stop for now and keep boxing on with an attempted config of firewall rules I'm building. Thanks for reading :)

Quic "Sprinter" UFB - Ref (free setup): R338237EFDIUJ
Agency BBS | fsxNet | Agency News | Total FM

michaelmurfy | meow | 13260 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3098710 2-Jul-2023 16:33

Drop the HE tunnel - it seriously isn’t needed. You’ll note that many services have it blocked too.

“top” goes to the top level for configuration. But really you were better off requesting an unlock on that thread and posting there. The V6 configuration there works no problems with Quic.

The firewall configuration I posted on my guide is a good starter. It closes off everything apart from ICMP6. Just note many people who have been running Edgerouters with potentially more advanced configuration have since moved on (including me) so these days I can’t be much more help than what I’ve already posted.

Firewall rules also work from the top down. You’ll need to reorder as required. Sometimes it is better to use the config viewer in the GUI to make this a little easier.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

fe31nz | 1232 posts | Uber Geek
#3098797 3-Jul-2023 02:14

I am still using an EdgeRouter 4 as my main router on 2degrees, with static IPv4 and IPv6.

 

Logging is all about what you want to see. I tend to log things like dropped packets, and not log things that are allowed through the firewall. The space for logs in the ER RAM is limited, so if the log file overflows, it will delete the older records to make room for the newer ones. And it is quite easy to get too much logging for the RAM storage. So as well as logging to the default RAM storage, I have all my log messages being sent using the syslog protocol to the rsyslogd daemon on one of my Ubuntu boxes, where it is all stored to a log file that is automatically rotated in accordance with the logrotate settings I have for it. So I get log files like this:

 

root@mypvr:/var/log# ll er4.log*
-rw-r----- 1 syslog adm   8133585 Jul  3 00:46 er4.log
-rw-r----- 1 syslog adm 266400503 Jul  3 00:00 er4.log.1
-rw-r----- 1 syslog adm 271564373 Jul  2 00:00 er4.log.2
-rw-r----- 1 syslog adm 270217721 Jul  1 00:00 er4.log.3
-rw-r----- 1 syslog adm 263586419 Jun 30 00:00 er4.log.4
-rw-r----- 1 syslog adm 265185445 Jun 29 00:00 er4.log.5
-rw-r----- 1 syslog adm 266247983 Jun 28 00:00 er4.log.6
-rw-r----- 1 syslog adm 265117041 Jun 27 00:00 er4.log.7

 

The ER commands I have to set up syslogging are these:

 

set system syslog global facility all level notice

 

set system syslog global facility protocols level debug

 

set system syslog host mypvr.jsw.gen.nz facility all level debug

 

You can also do filtering of the log messages in the rsyslogd setup, and send log lines to different log files based on their content.

 

When editing the ER configuration, I first run a command like this on the ER command line:

 

show configuration commands >/config/user-data/er4-commands.txt

 

That converts the current configuration into a list of commands, so you can then cut and paste from them to make alterations.  That is much easier than typing things in all the time.  You can then do things like delete a config line by pasting it into your editor, changing the "set" at the front to "delete" then copying the text to your ER command line session.

 

I have ssh access to my ER4 which I use to get a command line from any box on my network.  But I also have an sshfs connection to the ER4 set up on one Ubuntu box, allowing filesystem access.  So I can, on that box, load the er4-commands.txt file as one file in my editor to cut and paste from.  It also allows me to do daily scheduled backups of the config.boot file and the scripts I have set up on my ER4.  The sshfs access is set up by this line in /etc/fstab:

 

root@er4g.jsw.gen.nz:/          /mnt/er4        fuse.sshfs      noauto,allow_root,transform_symlinks,identityfile=/root/.ssh/id_rsa 0 0

 

It uses root access to the ER4 to do the mount, to avoid all sorts of permissions problems.  The /root/.ssh/id_rsa file has a copy of the ssh key needed to login to the ER4 - you need to have the ssh access on the ER set up so that key only access (as well as password access) will work.

 

I made the decision early on in my use of EdgeRouters that I wanted to use the zone firewall configuration, rather than the standard firewall setup that is configured directly on each interface.  You have to create firewall rules between each zone you define.  I have these zones:

 

Local - Inside the EdgeRouter itself

 

Outside - the Internet outside my network

 

Outer - the guest subnet where I allow my guests to connect to my network (WiFi or designated Ethernet sockets)

 

Inner - the subnet where all my trusted devices are connected

 

IoT - the subnet where all my IoT and other untrusted devices are connected

 

For each zone there is a set of firewall rules that controls connection to each other zone (but not for connecting to itself).  So for me that is a total of 5x4 = 20 sets of firewall rules (although some are trivial, like "deny all access").  And each of those firewall rules potentially has to be done twice, once for IPv4 and once for IPv6.  So a zone firewall is much more work initially.  But it has greatly decreased the work later when (for example) I wanted to add the eth3 port on my ER4 (an SFP port) to my "Inner" network where all the trusted devices are connected.  All I had to do was add one line of config:

 

set zone-policy zone Z-Inner interface eth3

 

and then all the Z-Inner zone firewall rules worked for eth3 just as they were already working for eth2.  And if you want to add a VPN connection, you can just add its interface to the zone you set up for the Internet outside your network, and no extra firewall rules need to be written.

 

Firewall rules work in the numbered order - the first rule that matches a packet is used to determine what happens to that packet.  So the order you put the rules in is normally most specific first to most general last.  So a blocking rule to block traffic from a specific list of IP addresses (that have attacked your network, for example), would come at the top of the list.  Below the specific blocking rules would normally be the three standard rules:

 

1) The "established" rule that allows in packets matching already existing connections.

 

2) The "related" rule that allows in packets related to already existing connections, such as ICMPv6 packets that tell you that a packet has been dropped for some reason.

 

3) The "invalid" rule that drops all packets that are invalid, such as having the wrong length or format or unknown values for critical fields such as the packet type.

 

Then after that, there will be all your "accept" rules, that allow in things you want to allow, such as traffic to your web server or email server.  These are to allow connections in the incoming direction to be started.  Once they are started, the packets for the rest of the connection until it is closed will match against the "established" rule.

 

Just before the end of the rules, for traffic exiting to the Internet, I normally have a rule that blocks all traffic to non-routeable IP addresses (such as the 192.168.0.0/16 block).  It is bad form to let non-routeable packets out of your network.  They will normally be dropped by the ISP router you connect to, but it just puts more load on the ISP router to have to do that.  There are non-routeable IPv6 addresses also.

 

And finally, there needs to be a rule that says to deny everything else.  You can have a specific rule to do that, but it is easier to simply start the firewall definitions with a "default-action-drop" option line.


paul151 | 309 posts | Ultimate Geek | Trusted
#3101013 7-Jul-2023 16:21

fe31nz:

 

I am still using an EdgeRouter 4 as my main router on 2degrees, with static IPv4 and IPv6.

 

 

Thanks for your reply, it's appreciated. It seems these devices are no longer in favour but good to find someone who is actively using it.

 

fe31nz:

 

I made the decision early on in my use of EdgeRouters that I wanted to use the zone firewall configuration, rather than the standard firewall setup that is configured directly on each interface.  You have to create firewall rules between each zone you define.  I have these zones:

 

 

In my case I think this may be overkill for my needs (and abilities to set it up) so am going to just focus on some rules for the WAN_IN and WAN_LOCAL

 

What I've come up with based on a mix of info online is the following set of rules as a starter. Do these seem OK to you, anything really amiss or that I should consider changing or adding?

 

In my case I have the WAN on eth0 and the LAN on eth1

 

setup IPv6 firewall rules for eth0 (WAN) port

 

configure

 

set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'

 

set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable

 

set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable

 

set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow ICMPv6 packets'
set firewall ipv6-name WANv6_IN rule 30 protocol ipv6-icmp

 

top

 

setup IPv6 firewall rules for eth0 Local traffic

 


set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'

 

set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable

 

set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable

 

set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow ICMPv6 packets'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp

 

set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547

 

top

 

commit
save

 


Then to apply these I think I need them on both eth0 and the pppoe0 but am not sure.

 

I see this as one option put forward online

 


set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL

 

...and this I think is the option I should use?

 

set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name WANv6_LOCAL

michaelmurfy | meow | 13260 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3101088 7-Jul-2023 21:40

You only need to apply it on the pppoe0 (Quic) interface. No need to add it to anything else. The examples I have (https://www.geekzone.co.nz/downloads/er_v6.txt) are a very good start for you and should be all you need. I assume you may want to make your services like your BBS etc available on IPv6 and for this you'll need to open it up. The IPv6 address that gets assigned to your devices should remain the same as in my example I'm also setting you up with SLAAC.

 

As the incoming connection isn't coming through on eth0 there is no need to put any rules there. Your hairpin / firewall interface in the GUI should also be set to pppoe0.

paul151 | 309 posts | Ultimate Geek | Trusted
#3101194 8-Jul-2023 10:14

 

 

You only need to apply it on the pppoe0 (Quic) interface. No need to add it to anything else. The examples I have (https://www.geekzone.co.nz/downloads/er_v6.txt) are a very good start for you and should be all you need.

 

Thanks Michael.

 

I think both sets of rules I have created are essentially a mirror of what you have in your file, but I note the syntax seems to have changed a bit as time has gone on. I'm picking both are equally as fine to run with and do the same thing?

 

Your rules use the command 'protocol all' in many lines. I don't see this in other examples I've looked at (e.g. the Ubiquiti forums). Is there greater merit/benefit in using this statement vs whatever is the default by not using it?

 

I also spotted a syntax difference in the ICMPv6 packets: your command has 'protocol icmpv6' but other examples I see use 'protocol ipv6-icmp'. Again, I'm guessing it's just a later OS thing or perhaps both are fine to use? It's jolly hard to find a good comprehensive Ubiquiti CLI manual online :(

 

I assume you may want to make your services like your BBS etc available on IPv6 and for this you'll need to open it up. 

 

Yes correct, I'd like to set static IPv6 addresses for those systems, but not sure how that works with respect to SLAAC, you're saying those assigned addresses via SLAAC would remain static or mostly but not totally?

 

The IPv6 address that gets assigned to your devices should remain the same as in my example I'm also setting you up with SLAAC.

 

As the incoming connection isn't coming through on eth0 there is no need to put any rules there. Your hairpin / firewall interface in the GUI should also be set to pppoe0.

 

My setup is Quic on pppoe0 and I created (perhaps wrongly) an eth0.0 VLAN, thinking I needed an untagged VLAN to get Quic running also, and then I have eth0 connected to the ONT (and can see stats on the Dashboard) and my switch connected to eth1 while eth2 is unused at present.

 

In my Firewall/Nat > Firewall Policies section, I have WAN_IN and WAN_LOCAL set to interfaces of pppoe0/in and /local respectively, while the LAN_IN has eth1/in set as the interface.

 

When I tried to set Firewall > Port Forwarding > WAN interface to pppoe0 it would not apply; the error was '"lan-interface" is required when hairpin NAT is enabled', so I think it wants eth0.

 

Do you agree the best commands to apply the rules are

 

set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name WANv6_LOCAL

 

 

 

Unrelated comment: it's super frustrating not to be able to use multiple BBCodes for quoting in a reply, indeed it's not until you press 'post reply' you get to find out if you've hit some unknown limit as to how many quotes you can add. I've opted to use bold/italics in this reply to try and negate this.

michaelmurfy | meow | 13260 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3101570 8-Jul-2023 22:10

Yep pppoe 0 is the interface for all firewall rules. You should never use eth0 for any rules as this interface is actually not used - pretend it doesn’t exist.

That configuration I used about a month ago. It is still current. I’m not sure what else you’re reading but as I don’t use an Edgerouter anymore I can’t be of too much help outside of that post.

SLAAC is derived off the MAC address so it’ll stay static as long as your prefix doesn’t change or your MAC address doesn’t change. You could always manually assign too as needed.

Lastly, EdgeOS is derived off VyOS / Vyatta so you can use multiple examples for configuration. I personally used VyOS as inspiration for a whole lot of my configuration.

paul151 | 309 posts | Ultimate Geek | Trusted
#3101681 9-Jul-2023 14:42

Thank you, I have made good progress and have the EdgeRouter setup with Quic for IPv6. Yay.

 

Systems on the LAN now have SLAAC IPv6 assignments and I have also assigned static IPv6 addresses to some of the PCs I am running.

 

I am now working to ensure I have the correct firewall rules in place to allow correct access to those static IPv6 systems.

 

If I can correctly configure access to allow traffic to a specific system on a specific port then I can mirror that setup for the rest of what I need to open up.

 

One service runs NNTP on port 119 and its address is 2407:8b00:1169:900::300 (news.bbs.nz - AAAA record)

 

I applied the following to my WAN6_IN and it didn't seem to work

 

set firewall ipv6-name WAN6_IN rule 110 action accept
set firewall ipv6-name WAN6_IN rule 110 description 'Accept NNTP'
set firewall ipv6-name WAN6_IN rule 110 source port 119
set firewall ipv6-name WAN6_IN rule 110 protocol tcp
set firewall ipv6-name WAN6_IN rule 110 destination port 119
set firewall ipv6-name WAN6_IN rule 110 destination address 2407:8b00:1169:900::300
set firewall ipv6-name WAN6_IN rule 110 log disable

 

I then removed the source port and destination address and packets started flowing.

 

But I've since re-added destination address. I think that's the right level of restriction to apply: not just allowing in traffic destined for port 119, but also specifying the specific end IPv6 address. Does that sound right?

 

I am unsure if I need to add anything to my WAN6_LOCAL rule set?

 
fe31nz | 1232 posts | Uber Geek
#3101782 10-Jul-2023 01:48

When allowing traffic in on a port, you normally do not want to restrict the source port as in most protocols, the source port gets randomly chosen.  So dropping that restriction is correct.  You definitely do want to have the destination address specified, otherwise you are exposing that port on all your other IPv6 devices.  It is probably not a very high risk to do that on port 119, but it is still a risk.

 

The WAN_LOCAL rules are for controlling what access there is from the outside to your EdgeRouter - you do not want any such access except via a good VPN protocol that only you have the keys for.  Otherwise you can be exposing kernel bugs in the old kernel that the EdgeRouters use - these bugs have been fixed in later kernels, but some can give root access and the only way to safely use an old kernel in a router is to prevent any access that could be used to exploit such bugs.  The bugs are also a security issue for anyone legitimately using your network from the inside - so make sure that your guest subnet also does not have any access to the router itself.  And you probably want to block the kids' devices from any router access also.
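As an added illustration (not code from this thread, nor from EdgeOS itself), a small Python model of first-match evaluation over the WANv6_IN rules posted earlier in this thread. It shows fe31nz's points in runnable form: the first matching rule wins, the posted NNTP rule 110 dropped client connections while 'source port 119' was present (clients use a random ephemeral source port), and leaving out 'destination address' exposes port 119 on every other host behind the prefix. The Rule/Packet fields and conntrack states are a simplification assumed for illustration, and the second host address is constructed.

```python
"""Added example (not code from this thread or from EdgeOS): a toy first-match
evaluator for an EdgeOS ipv6-name ruleset. Packet/rule fields are a
simplification of netfilter conntrack matching, assumed for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    protocol: Optional[str] = None       # None or "all" matches every protocol
    states: Set[str] = field(default_factory=set)  # conntrack states to match
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_addr: Optional[str] = None


@dataclass
class Packet:
    protocol: str
    state: str                           # "new", "established", "related", "invalid"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_addr: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field set on the rule must match the packet (ANDed, as in iptables)."""
    if rule.protocol not in (None, "all") and rule.protocol != pkt.protocol:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.dst_addr is not None and rule.dst_addr != pkt.dst_addr:
        return False
    return True


def evaluate(rules, default_action: str, pkt: Packet):
    """Walk rules in ascending number order; the first match decides,
    otherwise the ruleset's default-action applies (EdgeOS semantics)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return default_action, None


# Base rules mirroring the WANv6_IN set posted in this thread.
BASE_RULES = [
    Rule(10, "accept", states={"established", "related"}),
    Rule(20, "drop", states={"invalid"}),
    Rule(30, "accept", protocol="ipv6-icmp"),
]
NNTP_HOST = "2407:8b00:1169:900::300"   # the NNTP host named in the thread
OTHER_HOST = "2407:8b00:1169:900::99"   # constructed: some other LAN host

# Rule 110 as first posted (source port pinned), as fixed, and without dst addr.
POSTED_110 = Rule(110, "accept", protocol="tcp", src_port=119,
                  dst_port=119, dst_addr=NNTP_HOST)
FIXED_110 = Rule(110, "accept", protocol="tcp", dst_port=119, dst_addr=NNTP_HOST)
NO_ADDR_110 = Rule(110, "accept", protocol="tcp", dst_port=119)


def nntp_syn(dst_addr: str = NNTP_HOST, src_port: int = 51234) -> Packet:
    """A client's opening SYN: random ephemeral source port, no conntrack entry."""
    return Packet("tcp", "new", src_port, 119, dst_addr)


def wan6_in(rule_110: Rule, pkt: Packet) -> str:
    """Decision of WANv6_IN (default-action drop) with the given rule 110."""
    return evaluate(BASE_RULES + [rule_110], "drop", pkt)[0]


if __name__ == "__main__":
    print("posted rule 110, client SYN:", wan6_in(POSTED_110, nntp_syn()))      # drop
    print("fixed rule 110, client SYN:", wan6_in(FIXED_110, nntp_syn()))        # accept
    print("no dst addr, other host:", wan6_in(NO_ADDR_110, nntp_syn(OTHER_HOST)))  # accept
```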


paul151 | 309 posts | Ultimate Geek | Trusted
#3102452 10-Jul-2023 21:39

Thank you, that really helps. I have applied the changes.
paul151 | 309 posts | Ultimate Geek | Trusted
#3108064 25-Jul-2023 19:57

A belated follow-up question for folks using EdgeRouter gear.

 

Does anyone know of the CLI commands or how to setup a forwarding rule of inbound traffic to an IPv6 address so that traffic sent to port xxxx on that address is instead redirected to port yyyy ?

fe31nz | 1232 posts | Uber Geek
#3108110 26-Jul-2023 00:28

paul151:

 

A belated follow-up question for folks using EdgeRouter gear.

 

Does anyone know of the CLI commands or how to setup a forwarding rule of inbound traffic to an IPv6 address so that traffic sent to port xxxx on that address is instead redirected to port yyyy ?

 

 

I am not sure that there is any such command at the Vyatta commands level.  NAT is not something that is normally needed with IPv6.  EdgeRouters do allow you to use the underlying ip6tables commands to tell the kernel to do anything it possibly can do, which would include this (a DNAT rule I think).  I have played with a setup doing that, but with only limited success as I am not very good with ip6tables yet.  You would want to put those commands in a script that is run at boot time, which is something that EdgeRouters can also do.

 

However, maybe it would be better to rethink what is going on here.  If you want software running on that PC to accept its traffic on port xxxx, just tell the software involved to listen on port xxxx.  Most software that listens on ports can be told what port to use.  If not, then on that PC you could use ip6tables (or more likely nftables if it is a modern kernel) to redirect the traffic.  And if that was not possible, you could use an IPv6 tunnel program to accept the traffic on port xxxx and tunnel it to the same address on yyyy.

