EdgeRouter - How to Create a Guest\LAN Firewall Rule


Overview


Readers will learn how to create firewall rules that protect the router and limit traffic between multiple Local Area Networks (LANs).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Table of Contents


  1. Network Diagram
  2. Guest\LAN Firewall Policy
  3. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN)
  • eth1 (LAN1) - 192.168.1.1/24
  • eth2 (LAN2) - 172.16.1.1/24

[Figure: network topology diagram (topology_protect.png)]


Guest\LAN Firewall Policy



Firewall rules will be added to limit the traffic between the trusted LAN (192.168.1.0/24) and the guest network (172.16.1.0/24). In this example, the guests are only allowed to communicate with the printer at 192.168.1.10. All other traffic between the LANs will be dropped.

The following traffic is allowed/denied on the guest network:

  • Management access to the router is denied.
  • All traffic to the trusted LAN is denied, with the exception of the printer.
  • All other traffic is allowed (internet access).

Follow the steps below to manually create these firewall policies using either the GUI or the Command Line Interface (CLI).

GUI: Access the Graphical User Interface (GUI).

1. Navigate to the Firewall/NAT tab.

2. Create a network group that includes all of the RFC1918 private IP ranges.

Firewall/NAT > Firewall/NAT Groups > + Add Group

Name: LAN_NETWORKS
Description: RFC1918 ranges
Group Type:
Network Group

3. Add the IP ranges to the newly created network group.

Firewall/NAT > Firewall/NAT Groups > LAN_NETWORKS > Actions > Config

Network: 192.168.0.0/16

+Add New

Network: 172.16.0.0/12

+Add New

Network: 10.0.0.0/8

4. Add a GUEST_IN firewall policy and set the default action to accept.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: GUEST_IN
Description: guest to lan/wan
Default action:
Accept

5. Add two firewall rules to the newly created firewall policy.

Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Edit Ruleset > + Add New Rule

Description: allow printing
Action: Accept
Protocol: All protocols
Destination > Address: 192.168.1.10

Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Edit Ruleset > + Add New Rule

Description: drop guest to lan
Action: Drop
Protocol: All protocols
Destination > Network Group : LAN_NETWORKS

6. Attach the firewall policy to the eth2 interface in the inbound direction.

Firewall/NAT > Firewall Policies > GUEST_IN > Actions > Interfaces

Interface: eth2
Direction: in

7. Add a GUEST_LOCAL firewall policy and set the default action to drop.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: GUEST_LOCAL
Description: guest to router
Default action:
Drop

8. Add a firewall rule to the newly created firewall policy that allows guests to use the EdgeRouter as a DNS server.

Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Edit Ruleset > + Add New Rule

Description: allow DNS
Action: Accept
Protocol: Both TCP and UDP
Destination > Port: 53

9. Add a firewall rule to the newly created firewall policy that allows guests to use the EdgeRouter as a DHCP server.

Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Edit Ruleset > + Add New Rule

Description: allow DHCP
Action: Accept
Protocol: UDP
Destination > Port: 67,68

10. Attach the firewall policy to the eth2 (guest) interface in the local direction.

Firewall/NAT > Firewall Policies > GUEST_LOCAL > Actions > Interfaces

Interface: eth2
Direction: local

NOTE: EdgeRouter firewall policies only become active when they are attached to an interface + direction.

 

The CLI equivalent of this firewall configuration is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Configure the LAN_NETWORKS network group.

set firewall group network-group LAN_NETWORKS description 'RFC1918 ranges'
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8

3. Configure the GUEST_IN firewall policy.

set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description 'guest to lan/wan'

set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description 'allow printing'
set firewall name GUEST_IN rule 10 protocol all
set firewall name GUEST_IN rule 10 destination address 192.168.1.10

set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description 'drop guest to lan'
set firewall name GUEST_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name GUEST_IN rule 20 protocol all

4. Configure the GUEST_LOCAL firewall policy.

set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description 'guest to router'

set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description dns
set firewall name GUEST_LOCAL rule 10 log disable
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53

set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description dhcp
set firewall name GUEST_LOCAL rule 20 log disable
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67,68

5. Attach the firewall policies to the eth2 interface in the inbound and local direction.

set interfaces ethernet eth2 firewall in name GUEST_IN
set interfaces ethernet eth2 firewall local name GUEST_LOCAL

NOTE: EdgeRouter firewall policies only become active when they are attached to an interface + direction.

6. Commit the changes and save the configuration.

commit ; save
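To check that the rule order above produces the intended result before committing it, here is an added Python model written for this article (it is not Ubiquiti's or EdgeOS's own code). It parses the CLI commands from steps 2 to 5 into rulesets and evaluates constructed sample packets with the same first-match semantics EdgeOS uses: rules are tried in ascending number order and the ruleset's default-action applies when none matches. It models only the match criteria this configuration uses (protocol, destination address, destination network group, destination port); the guest client address 172.16.1.50 and the Internet address 203.0.113.5 are made up for the example.

```python
"""Offline model of the GUEST_IN / GUEST_LOCAL policies configured above.
Parses EdgeOS-style 'set' commands into rulesets and evaluates sample packets
with EdgeOS first-match semantics (ascending rule number, then default-action).
CONFIG is the article's CLI configuration; every packet below is constructed."""
import ipaddress
import shlex

CONFIG = """\
set firewall group network-group LAN_NETWORKS description 'RFC1918 ranges'
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 protocol all
set firewall name GUEST_IN rule 10 destination address 192.168.1.10
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name GUEST_IN rule 20 protocol all
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name GUEST_LOCAL rule 10 destination port 53
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67,68
set interfaces ethernet eth2 firewall in name GUEST_IN
set interfaces ethernet eth2 firewall local name GUEST_LOCAL
"""

# 'tcp_udp' matches either transport; None means the rule matches any protocol
PROTO_SETS = {"all": None, "tcp_udp": {"tcp", "udp"}}


def parse_config(text):
    """Return (network groups, rulesets, {(interface, direction): ruleset name})."""
    groups, rulesets, bindings = {}, {}, {}
    for line in text.splitlines():
        t = shlex.split(line)  # keeps a quoted description as one token
        if not t or t[0] != "set":
            continue
        if t[1:3] == ["firewall", "group"] and t[5] == "network":
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6]))
        elif t[1:3] == ["firewall", "name"]:
            # a ruleset with no explicit default-action drops in EdgeOS
            rs = rulesets.setdefault(t[3], {"default-action": "drop", "rules": {}})
            if t[4] == "default-action":
                rs["default-action"] = t[5]
            elif t[4] == "rule":  # key such as 'destination group network-group'
                rs["rules"].setdefault(int(t[5]), {})[" ".join(t[6:-1])] = t[-1]
        elif t[1] == "interfaces" and len(t) == 8 and t[4] == "firewall":
            bindings[(t[3], t[5])] = t[7]
    return groups, rulesets, bindings


def rule_matches(rule, groups, pkt):
    """Only the criteria this article uses: protocol, destination address/group/port."""
    proto = rule.get("protocol", "all")
    allowed = PROTO_SETS.get(proto, {proto})
    if allowed is not None and pkt["proto"] not in allowed:
        return False
    dst = ipaddress.ip_address(pkt["dst"])
    if "destination address" in rule and dst != ipaddress.ip_address(rule["destination address"]):
        return False
    grp = rule.get("destination group network-group")
    if grp is not None and not any(dst in net for net in groups.get(grp, [])):
        return False
    if "destination port" in rule:
        if pkt.get("dport") not in {int(p) for p in rule["destination port"].split(",")}:
            return False
    return True


def evaluate(ruleset, groups, pkt):
    """Return (action, rule number); the number is None when default-action applied."""
    for num in sorted(ruleset["rules"]):
        if rule_matches(ruleset["rules"][num], groups, pkt):
            return ruleset["rules"][num].get("action", "drop"), num
    return ruleset["default-action"], None


def verdict(config_text, iface, direction, pkt):
    """Router decision for pkt on iface in 'in' or 'local' direction; an
    unattached ruleset filters nothing, reported as 'no policy attached'."""
    groups, rulesets, bindings = parse_config(config_text)
    name = bindings.get((iface, direction))
    if name is None:
        return "accept", "no policy attached"
    return evaluate(rulesets[name], groups, pkt)


def unattached_rulesets(config_text):
    """Rulesets defined but bound to no interface + direction, i.e. silently inactive."""
    _, rulesets, bindings = parse_config(config_text)
    return sorted(set(rulesets) - set(bindings.values()))


if __name__ == "__main__":
    guest = "172.16.1.50"  # constructed guest client address
    for iface, direction, pkt in [
        ("eth2", "in", {"src": guest, "dst": "192.168.1.10", "proto": "tcp", "dport": 9100}),
        ("eth2", "in", {"src": guest, "dst": "192.168.1.20", "proto": "tcp", "dport": 445}),
        ("eth2", "in", {"src": guest, "dst": "203.0.113.5", "proto": "tcp", "dport": 443}),
        ("eth2", "local", {"src": guest, "dst": "172.16.1.1", "proto": "udp", "dport": 53}),
        ("eth2", "local", {"src": guest, "dst": "172.16.1.1", "proto": "tcp", "dport": 22}),
    ]:
        print(iface, direction, pkt["dst"], pkt["proto"], pkt["dport"], "->",
              verdict(CONFIG, iface, direction, pkt))
    print("unattached rulesets:", unattached_rulesets(CONFIG))
```

Running it shows why the printer accept must be rule 10 and the LAN_NETWORKS drop rule 20: the printer's address 192.168.1.10 is inside 192.168.0.0/16, so with the order reversed the drop would win. Because rule 20 matches the whole RFC1918 group, a packet to 10.0.0.5 is dropped just like one to 192.168.1.20, so guests are cut off from every private destination reachable through the router, not only LAN1. The unattached_rulesets check covers the NOTE above: a ruleset that was created but never bound to an interface and direction filters nothing, and the model reports such traffic as accepted with 'no policy attached'.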

Related Articles



Intro to Networking - How to Establish a Connection Using SSH

Intro to Networking - Network Firewall Security

EdgeRouter - How to Create a WAN Firewall Rule

EdgeRouter - Router on a Stick