EdgeRouter - Zone-Based Firewall


Overview


Readers will learn how to configure a Zone-Based Firewall (ZBF) on an EdgeRouter.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information. Device used in this article:

Table of Contents


  1. Network Diagram
  2. Zone-Based Firewall
  3. Related Articles

Network Diagram

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1
  • eth1.10 (LAN) - 10.0.10.1/24
  • eth1.20 (GUEST) - 10.0.20.1/24

[Figure: Zone-Based Firewall network topology showing eth0 (WAN), eth1.10 (LAN) and eth1.20 (GUEST)]


Zone-Based Firewall

A Zone-Based Firewall assigns each interface to a specific zone. The firewall zones will be used to define what traffic is allowed to flow between the interfaces. The traffic that originates in the EdgeRouter itself will also be assigned to a zone: the local zone.

The following zones are used in this example:

  • wan Assigned to the eth0 interface.
  • lan Assigned to VLAN10 on the eth1 interface (eth1.10).
  • guest Assigned to VLAN20 on the eth1 interface (eth1.20).
  • local Traffic sent from the EdgeRouter itself.

The following traffic is allowed to flow between the zones:

  • wan to all other zones: Only established/related traffic is allowed.
  • lan to all other zones: All traffic is allowed.
  • local to all other zones: All traffic is allowed.
  • guest to wan zone: All traffic is allowed.
  • guest to lan zone: Only DNS requests to the server at 10.0.10.10 and established/related traffic are allowed.
  • guest to local zone: All traffic is dropped.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Define the firewall rules that apply to the wan zone.

set firewall name wan default-action drop

set firewall name wan rule 10 action accept
set firewall name wan rule 10 description established
set firewall name wan rule 10 state established enable
set firewall name wan rule 10 state related enable

set firewall name wan rule 20 action drop
set firewall name wan rule 20 description invalid
set firewall name wan rule 20 state invalid enable

3. Define the firewall rule that applies to the lan zone.

set firewall name lan default-action accept

4. Define the firewall rule that applies to the local zone.

set firewall name local default-action accept

5. Define the firewall rules that apply to the guest zone for traffic from guest to the lan zone.

set firewall name guest-lan default-action drop

set firewall name guest-lan rule 10 action accept
set firewall name guest-lan rule 10 description dns
set firewall name guest-lan rule 10 log disable
set firewall name guest-lan rule 10 protocol tcp_udp
set firewall name guest-lan rule 10 destination port 53
set firewall name guest-lan rule 10 destination address 10.0.10.10

set firewall name guest-lan rule 20 action accept
set firewall name guest-lan rule 20 description established
set firewall name guest-lan rule 20 log disable
set firewall name guest-lan rule 20 protocol all
set firewall name guest-lan rule 20 state established enable
set firewall name guest-lan rule 20 state related enable

6. Define the firewall rules that apply to the guest zone for traffic from guest to the local zone.

set firewall name guest-local default-action drop

7. Define the firewall rules that apply to the guest zone for traffic from guest to the wan zone.

set firewall name guest-wan default-action accept

8. Create the zone policies for the wan zone and assign the zone to the eth0 interface.

set zone-policy zone wan default-action drop
set zone-policy zone wan from local firewall name local
set zone-policy zone wan from lan firewall name lan
set zone-policy zone wan from guest firewall name guest-wan
set zone-policy zone wan interface eth0

9. Create the zone policies for the lan zone and assign the zone to the eth1.10 interface.

set zone-policy zone lan default-action drop
set zone-policy zone lan from local firewall name local
set zone-policy zone lan from wan firewall name wan
set zone-policy zone lan from guest firewall name guest-lan
set zone-policy zone lan interface eth1.10

10. Create the zone policies for the guest zone and assign the zone to the eth1.20 interface.

set zone-policy zone guest default-action drop
set zone-policy zone guest from local firewall name local
set zone-policy zone guest from wan firewall name wan
set zone-policy zone guest from lan firewall name lan
set zone-policy zone guest interface eth1.20

11. Create the zone policies for the local zone.

set zone-policy zone local default-action drop
set zone-policy zone local from wan firewall name wan
set zone-policy zone local from lan firewall name lan
set zone-policy zone local from guest firewall name guest-local
set zone-policy zone local local-zone

12. Commit the changes and save the configuration.

commit ; save
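To check that the rule sets and zone policies from steps 2 to 11 actually implement the traffic matrix listed above, the following added example (not part of the original article, and not EdgeOS code) models the zone-policy lookup and first-match rule evaluation in Python and evaluates constructed sample flows against it. The packet summaries and the simplified match semantics (state, protocol, destination port and address only) are assumptions of this model.

```python
import ipaddress
# The article's firewall rule sets (steps 2-7), modelled as first-match lists.
FIREWALLS = {
    "wan": {"default": "drop", "rules": [
        {"action": "accept", "state": {"established", "related"}},
        {"action": "drop", "state": {"invalid"}}]},
    "lan": {"default": "accept", "rules": []},
    "local": {"default": "accept", "rules": []},
    "guest-lan": {"default": "drop", "rules": [
        {"action": "accept", "protocol": {"tcp", "udp"}, "dst_port": 53,
         "dst_addr": ipaddress.ip_address("10.0.10.10")},
        {"action": "accept", "state": {"established", "related"}}]},
    "guest-local": {"default": "drop", "rules": []},
    "guest-wan": {"default": "accept", "rules": []},
}

# The zone-policy from steps 8-11: destination zone -> {source zone: firewall name}.
ZONE_POLICY = {
    "wan": {"local": "local", "lan": "lan", "guest": "guest-wan"},
    "lan": {"local": "local", "wan": "wan", "guest": "guest-lan"},
    "guest": {"local": "local", "wan": "wan", "lan": "lan"},
    "local": {"wan": "wan", "lan": "lan", "guest": "guest-local"},
}

def packet(state, protocol, dst_addr, dst_port=None):
    # Constructed packet summary; 'state' is the conntrack state (new/established/related/invalid).
    return {"state": state, "protocol": protocol,
            "dst_addr": ipaddress.ip_address(dst_addr), "dst_port": dst_port}

def rule_matches(rule, pkt):
    """A rule matches only when every criterion it defines is met (assumed model)."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "protocol" in rule and pkt["protocol"] not in rule["protocol"]:
        return False
    if "dst_port" in rule and pkt["dst_port"] != rule["dst_port"]:
        return False
    if "dst_addr" in rule and pkt["dst_addr"] != rule["dst_addr"]:
        return False
    return True

def verdict(src_zone, dst_zone, pkt):
    """Return 'accept' or 'drop' for traffic entering dst_zone from src_zone."""
    fw_name = ZONE_POLICY[dst_zone].get(src_zone)
    if fw_name is None:          # no 'from' entry: the zone's default-action drop applies
        return "drop"
    fw = FIREWALLS[fw_name]
    for rule in fw["rules"]:     # first matching rule decides
        if rule_matches(rule, pkt):
            return rule["action"]
    return fw["default"]         # otherwise the rule set's default-action
```

Running the model also shows that the guest-local set has no established/related rule, so reply packets from guest hosts to the router itself are dropped as well under this configuration.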

Related Articles

Intro to Networking - How to Establish a Connection Using SSH