
EdgeRouter - Router on a Stick


Overview


Readers will learn how to configure the EdgeRouter as a 'Router on a Stick' using Virtual VLAN Interfaces (VIFs).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information. Device used in this article:

Table of Contents


  1. Network Diagram
  2. How to Configure the Router on a Stick Setup
  3. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1
  • eth1.10 (LAN) - 10.0.10.1/24
  • eth1.20 (GUEST) - 10.0.20.1/24

[Network topology diagram: eth0 as WAN, eth1 carrying VLAN 10 (LAN) and VLAN 20 (GUEST)]


How to Configure the Router on a Stick Setup



The 'router on a stick' setup allows the router to route between VLANs by associating an Ethernet interface with multiple VLAN IDs. This allows the devices in VLAN20 (guests) to communicate with the devices in VLAN10 (LAN). Firewall rules are also added to limit the 'inter-VLAN' traffic between VLAN10 and VLAN20. In this example, the guests in VLAN20 are only allowed to communicate with the DNS server in VLAN10.
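How one physical port carries both VLANs, as an added example that is not part of the Ubiquiti article: each frame arriving on eth1 carries an 802.1Q tag whose 12-bit VLAN ID selects the virtual interface (eth1.10 or eth1.20) it belongs to, and untagged frames stay on eth1 itself. The frames, MAC addresses and the VIF table below are constructed for the demonstration; a tag for a VLAN with no configured VIF is dropped rather than delivered.

```python
"""Added example (not from the Ubiquiti article): how a router on a stick maps
802.1Q-tagged frames on one port to per-VLAN virtual interfaces (VIFs)."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag

# VIF table assumed from the article's interface list: VLAN 10 -> eth1.10, VLAN 20 -> eth1.20
VIFS = {10: "eth1.10", 20: "eth1.20"}

# Constructed, locally administered MAC addresses used only for the sample frames
ROUTER_MAC = bytes.fromhex("020000000001")
GUEST_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, vid, ethertype=0x0800, payload=b"", pcp=0):
    """Build an Ethernet frame; an 802.1Q tag is inserted when vid is not None.

    The tag is TPID (0x8100) followed by the TCI: 3-bit priority (pcp),
    1-bit DEI (always 0 here) and the 12-bit VLAN ID."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tag_or_type = struct.unpack("!H", frame[12:14])[0]
    if tag_or_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]   # mask off PCP and DEI bits
    return None, tag_or_type, frame[14:]


def dispatch(frame, parent="eth1"):
    """Name the interface a frame received on `parent` is delivered to.

    Untagged frames belong to the parent interface; tagged frames go to the
    VIF whose VLAN ID matches; a tag with no configured VIF yields None,
    meaning the frame is dropped instead of reaching the router's IP stack."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return parent
    return VIFS.get(vid)


if __name__ == "__main__":
    for vid in (None, 10, 20, 30):
        frame = build_frame(ROUTER_MAC, GUEST_MAC, vid)
        print(f"VLAN {vid!s:>4} -> {dispatch(frame)}")
```

The VID mask matters in practice: a frame tagged with a non-zero priority (PCP) still has to land on the same VIF, so the parser must ignore the top four TCI bits rather than compare the whole field.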

The following traffic is allowed/denied on VLAN20:

  • Management access to the router is denied.
  • All traffic to VLAN10 is denied, with the exception of DNS requests to the DNS server (10.0.10.10).
  • All other traffic is allowed (internet access).

GUI: Access the Graphical User Interface (GUI).

1. Define the VLAN IDs and associate the interfaces with an IP address.

Dashboard > Add Interface > Add VLAN

VLAN ID: 10
Interface: eth1
Address: Manually define IP address
10.0.10.1/24

VLAN ID: 20
Interface: eth1
Address: Manually define IP address
10.0.20.1/24

2. Create the DHCP scopes for the relevant VLANs.

Services > DHCP Server > Add DHCP Server

DHCP Name: vlan10
Subnet: 10.0.10.0/24
Range Start: 10.0.10.11
Range Stop: 10.0.10.150
Router: 10.0.10.1
DNS 1: 10.0.10.10

DHCP Name: vlan20
Subnet: 10.0.20.0/24
Range Start: 10.0.20.11
Range Stop: 10.0.20.150
Router: 10.0.20.1
DNS 1: 10.0.10.10

3. Create the firewall ruleset that will prevent the guests in VLAN20 from managing the EdgeRouter.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: guest-local
Default action: Drop

4. Apply the firewall rule to the VLAN20 interface in the local direction.

Firewall/NAT > Firewall Policies > guest-local > Actions > Interfaces

Interface: eth1.20
Direction: local

5. Create the firewall rule that denies all traffic from VLAN20 to VLAN10, with the exception of DNS requests to the DNS server.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: guest-in
Default action: Accept

Firewall/NAT > Firewall Policies > guest-in > Actions > Edit Ruleset > + Add New Rule

Description: dns
Action: Accept
Protocol: Both TCP and UDP
Destination Address: 10.0.10.10
Destination Port: 53

Firewall/NAT > Firewall Policies > guest-in > Actions > Edit Ruleset > + Add New Rule

Description: other
Action: Drop
Protocol: All protocols
Destination Address: 10.0.10.0/24

6. Apply the firewall rule to the VLAN20 interface in the 'in' direction.

Firewall/NAT > Firewall Policies > guest-in > Actions > Interfaces

Interface: eth1.20
Direction: in

The CLI equivalent of this configuration is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set interfaces ethernet eth1 vif 10 address 10.0.10.1/24
set interfaces ethernet eth1 vif 20 address 10.0.20.1/24

set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 start 10.0.10.11 stop 10.0.10.150
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 default-router 10.0.10.1
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 dns-server 10.0.10.10

set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 start 10.0.20.11 stop 10.0.20.150
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 default-router 10.0.20.1
set service dhcp-server shared-network-name vlan20 subnet 10.0.20.0/24 dns-server 10.0.10.10

set firewall name guest-local default-action drop

set firewall name guest-in default-action accept

set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 description dns
set firewall name guest-in rule 10 log disable
set firewall name guest-in rule 10 protocol tcp_udp
set firewall name guest-in rule 10 destination port 53
set firewall name guest-in rule 10 destination address 10.0.10.10

set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 description other
set firewall name guest-in rule 20 log disable
set firewall name guest-in rule 20 protocol all
set firewall name guest-in rule 20 destination address 10.0.10.0/24

set interfaces ethernet eth1 vif 20 firewall in name guest-in
set interfaces ethernet eth1 vif 20 firewall local name guest-local

commit ; save
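A way to check that the guest-in ruleset implements the guest policy stated above before committing it, as an added example that is not part of the Ubiquiti article: the script models EdgeOS first-match evaluation (rules walked in ascending number order, the ruleset's default action applied when nothing matches) and runs a set of constructed guest flows through the article's rules. It also shows what happens with a common CLI slip, where rule 20 ends up with no destination address because the address was typed against the wrong rule number: rule 20 then matches every flow and guests lose internet access. The rule numbers and addresses are the article's; the flows and the 198.51.100.7 internet host are constructed.

```python
"""Added example, not part of the Ubiquiti article: a first-match model of an
EdgeOS firewall ruleset used to verify the guest-in policy before commit."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Rule:
    number: int
    action: str                        # "accept" or "drop"
    protocol: str = "all"              # "all", "tcp", "udp" or "tcp_udp"
    dst_net: Optional[str] = None      # host address or CIDR; None matches any destination
    dst_ports: Set[int] = field(default_factory=set)   # empty set matches any port

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "all":
            wanted = {"tcp", "udp"} if self.protocol == "tcp_udp" else {self.protocol}
            if proto not in wanted:
                return False
        if self.dst_net is not None:
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net, strict=False):
                return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules, default_action: str, proto: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Rules are walked in ascending number order; the first match decides,
    and the ruleset's default action applies when no rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return default_action


# The article's guest-in ruleset, applied to eth1.20 in the "in" direction.
GUEST_IN = [
    Rule(10, "accept", "tcp_udp", "10.0.10.10", {53}),   # dns
    Rule(20, "drop", "all", "10.0.10.0/24"),             # other
]
GUEST_IN_DEFAULT = "accept"

# Constructed flows from a guest on VLAN20, each with the verdict the policy requires.
POLICY_CASES = [
    ("udp", "10.0.10.10", 53, "accept"),     # DNS query to the LAN DNS server
    ("tcp", "10.0.10.10", 53, "accept"),     # DNS over TCP to the same server
    ("tcp", "10.0.10.10", 22, "drop"),       # any other service on the DNS host
    ("tcp", "10.0.10.50", 445, "drop"),      # file sharing to another LAN host
    ("icmp", "10.0.10.50", None, "drop"),    # ping into VLAN10
    ("tcp", "198.51.100.7", 443, "accept"),  # internet access stays open
]


def check_policy(rules=GUEST_IN, default=GUEST_IN_DEFAULT):
    """Return (flow, expected, got) for every flow the ruleset gets wrong;
    an empty list means the rules implement the policy."""
    violations = []
    for proto, ip, port, expected in POLICY_CASES:
        got = evaluate(rules, default, proto, ip, port)
        if got != expected:
            violations.append(((proto, ip, port), expected, got))
    return violations


# The mistyped variant: the VLAN10 destination went onto rule 10 instead of
# rule 20, so rule 20 has no destination and matches every flow.
BROKEN_GUEST_IN = [
    Rule(10, "accept", "tcp_udp", "10.0.10.0/24", {53}),
    Rule(20, "drop", "all"),
]

if __name__ == "__main__":
    print("correct ruleset, violations:", check_policy())
    print("broken ruleset, violations:", check_policy(BROKEN_GUEST_IN))
```

The guest-local ruleset has no rules at all, so it reduces to its default action; `evaluate([], "drop", ...)` returns "drop" for every flow addressed to the router itself, which is the intended management lockout.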

Related Articles



Intro to Networking - How to Establish a Connection Using SSH