EdgeRouter - How to Create a Guest/LAN Firewall Rule


Overview


Readers will learn how to create firewall rules that protect the router and limit traffic between multiple Local Area Networks (LANs).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Adding Firewall Rules



[Figure: topology.png, the example network diagram referenced below]

Firewall policies are used to allow traffic in one direction and block it in another direction.


The EdgeRouter uses a stateful firewall, which means the router firewall rules can match on different connection states. In the example diagram above, firewall rules will be added to limit the traffic between the trusted LAN (192.168.1.0/24) and the GUEST network (172.16.1.0/24).

The following traffic restrictions are applied to the GUEST network:

  • Management access to the router is denied.
  • All traffic to the trusted LAN is denied, with the exception of HTTP and HTTPS traffic to the Webserver.
  • All other traffic is allowed (internet access).

Follow the steps below to manually create these firewall rules:

GUI: Access the EdgeRouter Web UI.

1. Navigate to the Firewall/NAT tab.

2. Create a network group that includes all of the RFC1918 private IP ranges.

Firewall/NAT > Firewall/NAT Groups > + Add Group

Name: LAN_NETWORKS
Description: RFC1918 ranges
Group Type: Network Group

3. Add the IP ranges to the newly created network group.

Firewall/NAT > Firewall/NAT Groups > LAN_NETWORKS > Actions > Config

Network: 192.168.0.0/16

+Add New

Network: 172.16.0.0/12

+Add New

Network: 10.0.0.0/8
NOTE: The 10.0.0.0/8 range is added to the group as well to include all RFC1918 ranges.

4. Add a GUEST_IN firewall policy and set the default action to accept.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: GUEST_IN
Description: guest to lan/wan
Default action: Accept

5. Add two firewall rules to the newly created firewall policy.

Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Edit Ruleset > + Add New Rule

Description: allow webserver
Action: Accept
Protocol: All protocols
Destination > Address: 192.168.1.10
Destination > Port: 80,443

Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Edit Ruleset > + Add New Rule

Description: drop guest to lan
Action: Drop
Protocol: All protocols
Destination > Network Group: LAN_NETWORKS

6. Attach the firewall policy to the eth2 LAN interface in the inbound direction.

Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Interfaces

Interface: eth2
Direction: in

7. Add a GUEST_LOCAL firewall policy and set the default action to drop.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: GUEST_LOCAL
Description: guest to router
Default action: Drop

8. Add a firewall rule to the newly created firewall policy that allows guests to use the EdgeRouter as a DNS server.

Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Edit Ruleset > + Add New Rule

Description: allow DNS
Action: Accept
Protocol: Both TCP and UDP
Destination > Port: 53

9. Add a firewall rule to the newly created firewall policy that allows guests to use the EdgeRouter as a DHCP server.

Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Edit Ruleset > + Add New Rule

Description: allow DHCP
Action: Accept
Protocol: UDP
Destination > Port: 67

10. Attach the firewall policy to the eth2 LAN interface in the local direction.

Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Interfaces

Interface: eth2
Direction: local
NOTE: EdgeRouter firewall policies only become active when they are attached to an interface + direction.

The above configuration can also be set using the CLI:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Configure the LAN_NETWORKS network group.

set firewall group network-group LAN_NETWORKS description 'RFC1918 ranges'
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8

3. Configure the GUEST_IN firewall policy.

set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description 'guest to lan/wan'

set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description 'allow webserver'
set firewall name GUEST_IN rule 10 protocol all
set firewall name GUEST_IN rule 10 destination address 192.168.1.10
set firewall name GUEST_IN rule 10 destination port 80,443

set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description 'drop guest to lan'
set firewall name GUEST_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name GUEST_IN rule 20 protocol all

4. Configure the GUEST_LOCAL firewall policy.

set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description 'guest to router'

set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description 'allow dns'
set firewall name GUEST_LOCAL rule 10 log disable
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53

set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description 'allow dhcp'
set firewall name GUEST_LOCAL rule 20 log disable
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67

5. Attach the firewall policies to the eth2 interface in the inbound and local direction.

set interfaces ethernet eth2 firewall in name GUEST_IN
set interfaces ethernet eth2 firewall local name GUEST_LOCAL
NOTE: EdgeRouter firewall policies only become active when they are attached to an interface + direction.

6. Commit the changes and save the configuration.

commit ; save
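
To check what the two policies actually decide before committing them, the following added Python model (not part of the article and not EdgeOS code) parses the article's set commands, including the eth2 attachments, and evaluates sample flows the way EdgeOS does: the lowest-numbered matching rule wins, otherwise the ruleset's default action applies. Rule descriptions and log settings are omitted, a missing protocol is treated as all, and 172.16.1.1 is assumed as the router's own address on the GUEST network.

```python
import ipaddress

CONFIG = """set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 destination address 192.168.1.10
set firewall name GUEST_IN rule 10 destination port 80,443
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set interfaces ethernet eth2 firewall in name GUEST_IN
set interfaces ethernet eth2 firewall local name GUEST_LOCAL"""

def parse(config):
    groups, rulesets, attached = {}, {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[1] == "interfaces":            # set interfaces ethernet <if> firewall <dir> name <ruleset>
            attached[(t[3], t[5])] = t[7]
        elif t[2] == "group":               # set firewall group network-group <name> network <cidr>
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6]))
        elif t[4] == "default-action":      # set firewall name <ruleset> default-action <action>
            rulesets.setdefault(t[3], {"rules": {}})["default"] = t[5]
        else:                               # set firewall name <ruleset> rule <num> <criterion...> <value>
            rulesets.setdefault(t[3], {"rules": {}})["rules"].setdefault(int(t[5]), {})[" ".join(t[6:-1])] = t[-1]
    return groups, rulesets, attached

def matches(rule, groups, proto, dst, dport):
    # Every criterion present on the rule must match; no 'protocol' means all, 'tcp_udp' covers both.
    want = rule.get("protocol", "all")
    group, ports = rule.get("destination group network-group"), rule.get("destination port")
    return ((want == "all" or proto in want.split("_"))
            and rule.get("destination address", dst) == dst
            and (group is None or any(ipaddress.ip_address(dst) in net for net in groups[group]))
            and (ports is None or str(dport) in ports.split(",")))

def verdict(iface, direction, proto, dst, dport, config=CONFIG):
    """'in' is traffic forwarded through the router, 'local' is traffic addressed to the router itself."""
    groups, rulesets, attached = parse(config)
    ruleset = rulesets[attached[(iface, direction)]]
    for num in sorted(ruleset["rules"]):    # lowest-numbered matching rule decides
        if matches(ruleset["rules"][num], groups, proto, dst, dport):
            return ruleset["rules"][num]["action"]
    return ruleset.get("default", "drop")
```

Renumbering the drop rule below the webserver rule (for example `rule 20` to `rule 5`) makes the model return drop for 192.168.1.10:443, which is why the allow rule must carry the lower number.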

Related Articles


Intro to Networking - How to Establish a Connection Using SSH

Intro to Networking - Network Firewall Security

EdgeRouter - How to Create a WAN Firewall Rule

EdgeRouter - Router on a Stick
