EdgeRouter - How to Protect a Guest Network on EdgeRouter

Overview

This article describes the steps necessary to prevent a Guest VLAN from reaching other LANs while still granting it access to the Internet, DNS, and DHCP. See Step 5 (optional) to allow access from the Guest VLAN to specific devices, such as a printer, on the protected LAN.

Note: This assumes that a Guest VLAN has been previously created by following this article. Optionally, it is possible to create a DHCP server for your VLAN using this article.

Note: The commands in this article are issued in configuration mode. Once you have access to the CLI, type “configure” to enter configuration mode. It is important to “commit” changes to make them active and to “save” them to the startup configuration so they persist across a reboot. To exit configuration mode and return to operational mode, type “exit”.

Table of Contents

  1. Create a Network Group
  2. Create PROTECT_IN firewall
    1. Create Ruleset
    2. Set Default Action
    3. Create Accept Rule
    4. Create Drop Rule
  3. Create PROTECT_LOCAL firewall
    1. Create Ruleset
    2. Set Default Action
    3. Create Accept DNS Rule
    4. Create Accept DHCP Rule
  4. Set Rulesets to Interfaces
  5. Allow Device Access (Optional)
  6. Related Articles

Step 1: Create a Network Group

Create a Network Group containing all local network address ranges so that a single firewall rule can block traffic to every local network in the group. Adjust these networks to your environment, for example if there is a specific subnet you would like to allow access to from your guest network.

configure
set firewall group network-group LAN_NETWORKS
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
commit

Step 2: Create PROTECT_IN Firewall

This ruleset blocks traffic from the Guest VLAN to the subnets in the Network Group created in Step 1, while allowing all other traffic (such as to the Internet) and replies to established connections.

  1. Create Ruleset
    set firewall name PROTECT_IN
  2. Set Default Action
    set firewall name PROTECT_IN default-action accept
  3. Create Accept Rule
    set firewall name PROTECT_IN rule 10 action accept
    set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
    set firewall name PROTECT_IN rule 10 protocol all
    set firewall name PROTECT_IN rule 10 state established enable
    set firewall name PROTECT_IN rule 10 state related enable
  4. Create Drop Rule
    set firewall name PROTECT_IN rule 20 action drop
    set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
    set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
    set firewall name PROTECT_IN rule 20 protocol all
    commit

Step 3: Create PROTECT_LOCAL Firewall

This allows the Guest VLAN to obtain DNS and DHCP information from the router.

  1. Create Ruleset
    set firewall name PROTECT_LOCAL
  2. Set Default Action
    set firewall name PROTECT_LOCAL default-action drop
  3. Create Accept DNS Rule
    set firewall name PROTECT_LOCAL rule 10 action accept
    set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
    set firewall name PROTECT_LOCAL rule 10 destination port 53
    set firewall name PROTECT_LOCAL rule 10 protocol udp
  4. Create Accept DHCP Rule
    set firewall name PROTECT_LOCAL rule 20 action accept
    set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
    set firewall name PROTECT_LOCAL rule 20 destination port 67
    set firewall name PROTECT_LOCAL rule 20 protocol udp
    commit

Step 4: Set Rulesets to Interfaces

Note: The eth1 vif 10 interface in this example will likely be different in your environment. Apply the rulesets to your specific VLAN on your specific interface: the “in” ruleset filters traffic arriving from the Guest VLAN and the “local” ruleset filters traffic destined to the router itself.

set interfaces ethernet eth1 vif 10 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 10 firewall local name PROTECT_LOCAL
commit
save
exit

Step 5: Allow Device Access (Optional)

This step is only required if access is needed to a specific device outside of the Guest VLAN (for example, a printer in the blocked LAN subnet).

Note: Rules in a ruleset are evaluated in ascending numeric order and the first match wins, so this rule must have a lower number than the drop rule (rule 20 in this example) in the PROTECT_IN ruleset.

set firewall name PROTECT_IN rule 19 action accept
set firewall name PROTECT_IN rule 19 description "Accept Printer"
set firewall name PROTECT_IN rule 19 destination address 192.168.1.150
commit
save
exit
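To check what the rulesets from Steps 2, 3 and 5 actually permit before committing them, the following small Python model of EdgeOS first-match rule evaluation is included here as an added example; it is not EdgeRouter code and not part of the original article. It encodes the LAN_NETWORKS group, PROTECT_IN, PROTECT_LOCAL and the Step 5 printer rule as written above; the sample packets, the router address 192.168.10.1 and the Internet address 203.0.113.10 are constructed values.

```python
import ipaddress

# Network group from Step 1
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def in_group(addr):
    return any(ipaddress.ip_address(addr) in net for net in LAN_NETWORKS)

# A packet is a dict with dst, proto, dport and conntrack state (constructed
# sample values). Each rule is (number, action, predicate on the packet).
PROTECT_IN = {  # Step 2: traffic entering the router from the Guest VLAN
    "default": "accept",
    "rules": [
        (10, "accept", lambda p: p["state"] in ("established", "related")),
        (20, "drop",   lambda p: in_group(p["dst"])),
    ],
}
PROTECT_LOCAL = {  # Step 3: traffic addressed to the router itself
    "default": "drop",
    "rules": [
        (10, "accept", lambda p: p["proto"] == "udp" and p["dport"] == 53),
        (20, "accept", lambda p: p["proto"] == "udp" and p["dport"] == 67),
    ],
}

def evaluate(ruleset, packet):
    """EdgeOS semantics: rules are tried in ascending number, first match
    wins, otherwise the ruleset's default-action applies."""
    for _number, action, match in sorted(ruleset["rules"], key=lambda r: r[0]):
        if match(packet):
            return action
    return ruleset["default"]

def with_printer_exception(ruleset, printer="192.168.1.150"):
    """Step 5: rule 19 sorts before drop rule 20, so the printer is reachable."""
    rules = ruleset["rules"] + [(19, "accept", lambda p: p["dst"] == printer)]
    return {"default": ruleset["default"], "rules": rules}

def pkt(dst, proto="tcp", dport=80, state="new"):
    return {"dst": dst, "proto": proto, "dport": dport, "state": state}

if __name__ == "__main__":
    print("guest -> Internet:", evaluate(PROTECT_IN, pkt("203.0.113.10")))
    print("guest -> LAN host:", evaluate(PROTECT_IN, pkt("192.168.1.10")))
    print("guest -> router UDP/53:", evaluate(PROTECT_LOCAL, pkt("192.168.10.1", "udp", 53)))
    print("guest -> router TCP/53:", evaluate(PROTECT_LOCAL, pkt("192.168.10.1", "tcp", 53)))
    print("guest -> printer:", evaluate(with_printer_exception(PROTECT_IN), pkt("192.168.1.150")))
```

Running it also shows a limitation of the ruleset as written: PROTECT_LOCAL only admits DNS over UDP, so a query that falls back to TCP port 53 is dropped by the default action.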

Related Articles