
EdgeRouter - How to Protect a Guest Network


Overview


This article describes the steps necessary to prevent a Guest network from accessing other LANs while still granting access to the Internet, DNS, and DHCP. Please see step 5 to allow access from the Guest network to specific devices such as a server on the trusted LAN.


Table of Contents


  1. Create a Network Group
  2. Create a PROTECT_IN Firewall Rule
  3. Create a PROTECT_LOCAL Firewall Rule
  4. Apply the Firewall Rules to the Interfaces
  5. Allow Access to Certain Services / Devices (Optional)
  6. Related Articles

Network Diagram


Step 1: Create a Network Group


Create a Network Group containing all of the local network addresses, so that a single firewall rule can block traffic to every address in the group. If there is a specific subnet that the guest network should be able to reach, adjust the networks below to match your environment.

1. Enter configuration mode.

configure

2. Create the Network Group.

set firewall group network-group LAN_NETWORKS
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8

3. Commit the changes.

commit


Step 2: Create a PROTECT_IN Firewall Rule



This prevents the Guest network from reaching the LAN networks defined in the Network Group in Step 1.

1. Create the PROTECT_IN firewall policy which accepts all traffic by default.

set firewall name PROTECT_IN 
set firewall name PROTECT_IN default-action accept

2. (Optional) Allow the guests to respond to traffic initiated from one of the trusted LAN networks.

set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable

3. Create a rule that drops all traffic destined for the trusted LAN networks.

set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all

4. Commit the changes.

commit

Step 3: Create a PROTECT_LOCAL Firewall Rule



This allows the Guests to obtain DNS and DHCP information from the router while denying all other traffic (such as attempts to log in to the router).

1. Create the PROTECT_LOCAL firewall policy which drops all traffic by default.

set firewall name PROTECT_LOCAL 
set firewall name PROTECT_LOCAL default-action drop

2. Allow the guests to use the router for DNS lookups (TCP / UDP port 53).

set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol tcp_udp

3. Allow the guests to receive a DHCP address from the router (UDP port 67).

set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp

4. Commit the changes.

commit

Step 4: Apply the Firewall Rules to the Interfaces


The firewall policies are applied on the interface where the guests are connected, in the inbound (in) and local directions. If your guests reside on a VLAN, you can also apply the firewall policies to a VLAN interface (eth2 vif 10, for example).

1. Attach the firewall policies to the interfaces.

set interfaces ethernet eth2 firewall in name PROTECT_IN
set interfaces ethernet eth2 firewall local name PROTECT_LOCAL

2. Commit the changes and save the configuration.

commit ; save

NOTE: If the firewall policies are not applied to an interface, then they will not be used/consulted by the EdgeRouter.

Step 5: Allow Access to Certain Services / Devices (Optional)



This step is only required if the guests require access to a specific device in the trusted LAN. For example, a server or printer that needs to be shared.

NOTE: The number of this rule must be lower than that of the drop rule (rule 20) created in Step 2 of the PROTECT_IN ruleset. The EdgeRouter evaluates rules in ascending numeric order and the first matching rule decides, so an allow rule numbered above the drop rule would never be reached.

1. Allow the guests to access the server at 192.168.1.10 (you can also limit this to specific ports and protocols).

set firewall name PROTECT_IN rule 15 action accept
set firewall name PROTECT_IN rule 15 description "Allow Access to Server"
set firewall name PROTECT_IN rule 15 destination address 192.168.1.10

2. Commit the changes and save the configuration.

commit ; save
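The following Python script is an added illustration and is not part of the original Ubiquiti article. It models how the EdgeRouter evaluates the PROTECT_IN and PROTECT_LOCAL rulesets from Steps 2, 3 and 5: a minimal parser reduces the article's "set firewall" commands to network groups and rules, and a first-match evaluator runs them over constructed guest-network packets. The Internet host 203.0.113.5, the router's guest-side address 192.168.2.1, the second LAN host 192.168.1.20 and the MISORDERED variant are all constructed assumptions, and only protocol, connection state, destination address/group and destination port are modelled, not the full EdgeOS matching logic.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the article's "set firewall" commands (descriptions and redundant "protocol all" omitted).
CONFIG = """
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
set firewall name PROTECT_IN rule 15 action accept
set firewall name PROTECT_IN rule 15 destination address 192.168.1.10
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol tcp_udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
"""
MISORDERED = CONFIG.replace("rule 15", "rule 25")   # constructed: allow rule numbered above the drop rule

@dataclass
class Rule:
    action: str = "accept"
    protocol: str = "all"                        # a rule with no protocol matches every protocol
    states: set = field(default_factory=set)     # conntrack states the rule is limited to
    dst_group: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass
class Policy:
    default_action: str = "drop"
    rules: dict = field(default_factory=dict)    # rule number -> Rule

# A packet as the firewall sees it: protocol "tcp"/"udp"/"icmp", state new/established/related.
Packet = namedtuple("Packet", "dst protocol dport state", defaults=(None, "new"))

def parse(config):
    """Reduce the 'set firewall ...' lines to network groups and named policies."""
    groups, policies = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[1:4] == ["firewall", "group", "network-group"] and t[5:6] == ["network"]:
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6]))
        elif t[1:3] == ["firewall", "name"] and len(t) > 5:
            pol = policies.setdefault(t[3], Policy())
            if t[4] == "default-action":
                pol.default_action = t[5]
                continue
            rule = pol.rules.setdefault(int(t[5]), Rule())
            if t[6] in ("action", "protocol"):
                setattr(rule, t[6], t[7])
            elif t[6] == "state" and t[8] == "enable":
                rule.states.add(t[7])
            elif t[6] == "destination":              # group / address / port
                value = t[9] if t[7] == "group" else t[8]
                setattr(rule, "dst_" + t[7], int(value) if t[7] == "port" else value)
    return groups, policies

def matches(rule, pkt, groups):
    dst = ipaddress.ip_address(pkt.dst)
    return all([
        rule.protocol in ("all", pkt.protocol)
        or (rule.protocol == "tcp_udp" and pkt.protocol in ("tcp", "udp")),
        not rule.states or pkt.state in rule.states,
        not rule.dst_group or any(dst in net for net in groups[rule.dst_group]),
        not rule.dst_address or dst == ipaddress.ip_address(rule.dst_address),
        rule.dst_port is None or pkt.dport == rule.dst_port,
    ])

def evaluate(policy, pkt, groups):
    """First match in ascending rule-number order wins; otherwise the default applies."""
    for num in sorted(policy.rules):
        if matches(policy.rules[num], pkt, groups):
            return policy.rules[num].action, num
    return policy.default_action, None

def guest_outcomes(config=CONFIG):
    """Verdicts for constructed guest packets (203.0.113.5: Internet host; 192.168.2.1: assumed router address)."""
    groups, policies = parse(config)
    pin, plocal = policies["PROTECT_IN"], policies["PROTECT_LOCAL"]
    cases = {
        "web_to_internet": (pin, Packet("203.0.113.5", "tcp", 443)),
        "shared_server":   (pin, Packet("192.168.1.10", "tcp", 445)),
        "other_lan_host":  (pin, Packet("192.168.1.20", "tcp", 445)),      # constructed LAN host
        "reply_to_lan":    (pin, Packet("10.0.0.7", "tcp", 50000, state="established")),
        "router_dns":      (plocal, Packet("192.168.2.1", "udp", 53)),
        "router_dhcp":     (plocal, Packet("255.255.255.255", "udp", 67)),
        "router_ssh":      (plocal, Packet("192.168.2.1", "tcp", 22)),
    }
    return {name: evaluate(pol, pkt, groups) for name, (pol, pkt) in cases.items()}
```

Running guest_outcomes() shows the shared server accepted by rule 15, the other LAN host dropped by rule 20, Internet traffic accepted by the PROTECT_IN default, DNS and DHCP accepted by PROTECT_LOCAL rules 10 and 20, and an SSH attempt against the router dropped by the PROTECT_LOCAL default. Running guest_outcomes(MISORDERED) shows the Step 5 caveat: with the allow rule renumbered to 25, the shared-server packet is dropped by rule 20 before the allow rule is ever reached.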

Related Articles

