UCRM - Setting up Network Devices & Suspension Feature

Overview


This article will provide users with guidance on setting up Firewall and NAT (Network Address Translation) rules on their physical network devices.

Table of Contents


1. Setting Up Network Devices

2. Ubiquiti EdgeOS

2.1 NAT Rule

2.2 Firewall Policies

2.3 Allowed IP Whitelist

3. Mikrotik RouterOS

4. Related Articles


Setting Up Network Devices



UCRM communicates with your network devices in order to synchronize the list of suspended (blocked) IP addresses and to set up the Firewall and NAT rules. UCRM will never modify or delete the rules you have already created on the device. However, this means your devices may need some additional manual configuration. This guide will help you set up your network devices on EdgeOS and RouterOS respectively. At the end of this guide your router should be configured with:

  • A blocked IP address group (BLOCKED_USERS), maintained by UCRM
  • 1 Destination NAT rule, which forwards blocked users' HTTP traffic to the walled garden page
  • 2 Firewall rules for blocked IPs
    • Rule allowing DNS
    • Rule dropping forwarded traffic to all addresses except the UCRM server IP

NOTES & REQUIREMENTS:

The suspension feature is designed to block past due clients and redirect all their HTTP traffic to the suspension "walled garden" page. The DST NAT rule performs the redirection by rewriting the destination of the client's TCP connections to the UCRM server, which is in effect a deliberate "man-in-the-middle". Only plain HTTP can be redirected this way: an HTTPS client expects a certificate for the site it asked for, which the UCRM server cannot present. If a suspended client uses HTTPS, the connection is therefore either blocked (when the NAT rule is limited to port 80, see below) or, on some browsers, shown with an invalid certificate warning.

Prerequisites

This guide assumes you have already set up the UCRM app properly, i.e. you provided the device IP, its credentials, interfaces and you set up the server IP where the UCRM app is operated. For more details on how to configure UCRM settings take a look at this article: UCRM - How to Setup Network, Client Services and Suspension.


Ubiquiti EdgeOS



What UCRM handles automatically:

Firewall/NAT Groups - UCRM creates a new group of blocked IPs called BLOCKED_USERS and keeps it up-to-date each time a service is suspended or the suspension is canceled or postponed.

What the network administrator must configure manually:

In a nutshell, the administrator must provide 1 NAT rule and 2 Firewall rules to each router interface which serves as an internet gateway for clients. To set this up, follow the instructions below.

Synchronization with EdgeOS is done via SSH (port 22), which must be enabled on the router (it is by default). UCRM logs in with the device credentials you stored in its settings and updates the BLOCKED_USERS IP list. Since those credentials give configuration access to the router, allow SSH only from your management network and the UCRM server address rather than from the WAN.

2.1 NAT Rule


2.1.1 For each router interface which serves as an internet gateway for your clients you need to create a new destination NAT rule. Go to Firewall/Nat > NAT > Add Destination NAT Rule and set these attributes:

Description

ucrm_forward_suspended_eth1 or any label you want. Using ucrm_ prefix and interface name as suffix is recommended.

Inbound Interface

Choose the interface for which you are creating the rule

Translation address

Provide the private IP address where UCRM is located. This is where the traffic will be forwarded to for all the blocked users (The same IP should be set in UCRM settings. See System > Settings > Application > Server IP in your UCRM app)

Translation port

Provide the port number which will be used for the suspend walled garden page. Typically, it should be 81 unless you have changed this default port manually in your UCRM and docker container, for example to 8081.

Protocol

Select TCP

Src Address Group

Choose BLOCKED_USERS. This is the name of the firewall/nat group used by UCRM. If it’s not created yet you can do it manually in Firewall/Nat | Firewall/Nat Groups | Add Group

Note: Without a destination port restriction, every TCP connection from a blocked client, including HTTPS on port 443, is redirected to the UCRM walled-garden port, and HTTPS users see an invalid certificate warning on some browsers. To avoid this, specify "Dest Port = 80". Only plain HTTP is then forwarded to the UCRM suspension page; HTTPS connections from suspended clients are not translated and are instead dropped by the firewall rule described below.

2.1.2. If you are already using your own NAT rules, you may need to reorder them relative to the new UCRM rules. The UCRM rules should typically be moved to the top so that they have the highest priority.

2.2 Firewall Policies


2.2.1. For each router interface which serves as an internet gateway for your clients, you need to provide a new Firewall ruleset with the "in" direction. If you are already using an "in" direction ruleset for the given interface, proceed to adding the new rules to the existing ruleset. Note: an interface can have only one ruleset per direction, so a second "in" ruleset cannot be attached, but adding rules to the existing ruleset is allowed.

2.2.2. How to Create a New Ruleset

2.2.2.1. Go to Firewall/NAT > Firewall Policies > Add Ruleset and set these attributes:

Name

ucrm_blocked_users_eth1 for eth1 interface, or any label you want. Using ucrm_ prefix and interface name as suffix is recommended.

Default action

Choose Accept

2.2.2.2. Save new ruleset. This will create a new item in the ruleset list.

2.2.2.3. Find the item line in the list and edit the ruleset by clicking on Actions > Interfaces and setting these attributes:

Interface

Set the interface for which you are creating the ruleset

Direction

Set in

2.2.3. How to Add 2 New Rules to an Existing Ruleset

In order to enable the suspension feature you need to create 2 new firewall rules within each ruleset linked with a client interface. The DNS rule must come first: without DNS a suspended client's browser never resolves the site name, so it never opens the HTTP connection that the NAT rule redirects.

2.2.3.1. Find the ruleset line in the list and edit the ruleset by clicking on Actions > Edit Ruleset.

2.2.3.2. Add ucrm_allow_dns rule. Click Add New Rule and set these attributes:

In tab Basic

Description

ucrm_allow_dns or any label you want. Using ucrm_ prefix is recommended.

Action

Set Accept

Protocol

Set UDP

In tab Source

Address Group

Select BLOCKED_USERS

In tab Destination

Port

53

2.2.3.3. Add ucrm_drop_suspended rule. Click Add New Rule and set these attributes:

In tab Basic

Description

ucrm_drop_suspended or any label you want. Using ucrm_ prefix is recommended.

Action

Set Drop

Protocol

Set All protocols

In tab Source

Address Group

Select BLOCKED_USERS

In tab Destination

Address

Provide an exclamation mark followed by the IP address where UCRM is located, for example: !192.168.199.100. This drops all traffic from blocked users except connections to the UCRM app (the HTTP traffic redirected by the NAT rule already has the UCRM address as its destination when this rule is evaluated). See the Allowed IP Whitelist section below if you need to allow more IP addresses.

2.2.3.4. If you are already using your own Firewall rules within the given ruleset, you may need to reorder them relative to the new UCRM rules. The UCRM rules should typically be moved to the top so that they have the highest priority.

In the end, the ruleset should contain ucrm_allow_dns followed by ucrm_drop_suspended, with any pre-existing rules after them.

2.3. Allowed IP Whitelist


You may want to allow connections from your blocked users to more IP addresses, for example to keep UCRM itself reachable for blocked users, or, when you are using AirControl along with UCRM, to keep communication open between blocked CPE devices and the server where AirControl is located. This is done with a group of allowed IP addresses which is then referenced by a new Firewall rule and a new DST NAT rule. This is the step by step guide:

2.3.1: Whitelist in the Firewall Rule

  • Go to Firewall/Nat | Firewall/Nat Groups | Add Group
  • Create group named UCRM_WHITELIST and add IPs of UCRM and AirControl or other IPs you want to be accessible from all CPEs even when they are suspended.
  • Go to Firewall/Nat | Firewall Policies and add a new rule, you can name it ucrm_allow_access_to_whitelist
  • Set these attributes of the new rule
    • In tab basic set Accept as the Action
    • In tab source set BLOCKED_USERS as the Address group
    • In tab destination set UCRM_WHITELIST as the Address group
  • Finally, when the rule is created, the most important step is to change the order of the rules: this accepting rule must be placed before the blocking rule (ucrm_drop_suspended), otherwise the drop rule matches first and the whitelist has no effect.

The final ruleset therefore lists ucrm_allow_dns, ucrm_allow_access_to_whitelist and ucrm_drop_suspended, in that order. This is the suspension ruleset incorporating the allowed IP whitelist.

2.3.2: Whitelist in the DST NAT rule

Now, the blocked users' traffic destined for the whitelisted IPs will not be dropped by the firewall. However, it will still be redirected to the suspension page, because destination NAT is applied before the firewall ruleset: by the time the accept rule is evaluated, the destination has already been rewritten to the UCRM server. For this reason, you need to exempt the whitelisted destinations from the DST NAT rule:

  • The easiest way to exempt a single destination IP is to add it as an exception to the existing DST NAT rule by setting its destination address to the IP prefixed with an exclamation mark, for example !192.168.199.100. Don't forget the exclamation mark, otherwise the rule matches only that address instead of everything except it.
  • If you need to allow more than one IP, create a new DST NAT rule for the same inbound interface with Src Address Group = BLOCKED_USERS and Dest Address Group = UCRM_WHITELIST, marked as excluded from NAT so that matching traffic is not translated.
  • Then move this rule above the general "ucrm_forward_suspended" rule so that it is applied first. NAT rules are evaluated in list order, so an exception placed after the forwarding rule is never reached.
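The GUI steps of sections 2.1 through 2.3 map onto a short EdgeOS configuration. The script below is an added example written for this article; it is not configuration shipped with UCRM and was not part of the original page. It assumes eth1 is the client-facing interface, 192.168.199.100 is the UCRM server (the same address as System > Settings > Application > Server IP), 81 is the walled-garden port and 192.168.199.101 is an AirControl host that suspended CPEs must still reach; adjust these values and repeat the NAT rules and ruleset for every client interface. It uses the standard EdgeOS script template so it can run as a script on the router, or the set/commit/save lines can be pasted into configure mode.

```edgeos
#!/bin/vbash
# Added example for this article (not part of UCRM or the original page).
# Assumptions: eth1 = client-facing interface, 192.168.199.100 = UCRM server
# (the Server IP in System > Settings > Application), 81 = walled-garden port,
# 192.168.199.101 = AirControl host that suspended CPEs must still reach.
source /opt/vyatta/etc/functions/script-template
configure

# Address groups. UCRM creates and maintains BLOCKED_USERS over SSH; the
# first line only makes sure it exists before the rules reference it.
set firewall group address-group BLOCKED_USERS description 'Suspended clients, maintained by UCRM'
set firewall group address-group UCRM_WHITELIST description 'Reachable even when suspended'
set firewall group address-group UCRM_WHITELIST address 192.168.199.100
set firewall group address-group UCRM_WHITELIST address 192.168.199.101

# 2.3.2: exempt whitelisted destinations from the redirect. A lower rule
# number is evaluated first, so this runs before the forwarding rule.
set service nat rule 10 description ucrm_allow_whitelist_eth1
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth1
set service nat rule 10 protocol tcp
set service nat rule 10 source group address-group BLOCKED_USERS
set service nat rule 10 destination group address-group UCRM_WHITELIST
set service nat rule 10 exclude

# 2.1: redirect plain HTTP only (dest port 80, see the HTTPS note) from
# blocked clients to the UCRM walled-garden page on port 81.
set service nat rule 20 description ucrm_forward_suspended_eth1
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth1
set service nat rule 20 protocol tcp
set service nat rule 20 source group address-group BLOCKED_USERS
set service nat rule 20 destination port 80
set service nat rule 20 inside-address address 192.168.199.100
set service nat rule 20 inside-address port 81

# 2.2: "in" ruleset for eth1. It is evaluated after DNAT has already
# rewritten the destination of redirected HTTP to the UCRM address.
set firewall name ucrm_blocked_users_eth1 default-action accept
set firewall name ucrm_blocked_users_eth1 description 'UCRM suspension rules for eth1'

# DNS must work, or the browser never opens the connection that gets redirected.
# Optional hardening (an assumption, not in the article): add
#   set firewall name ucrm_blocked_users_eth1 rule 10 destination address <resolver IP>
# so suspended clients cannot reach arbitrary DNS servers and tunnel traffic over UDP/53.
set firewall name ucrm_blocked_users_eth1 rule 10 description ucrm_allow_dns
set firewall name ucrm_blocked_users_eth1 rule 10 action accept
set firewall name ucrm_blocked_users_eth1 rule 10 protocol udp
set firewall name ucrm_blocked_users_eth1 rule 10 source group address-group BLOCKED_USERS
set firewall name ucrm_blocked_users_eth1 rule 10 destination port 53

# 2.3.1: whitelist accept rule, placed before the drop rule.
set firewall name ucrm_blocked_users_eth1 rule 20 description ucrm_allow_access_to_whitelist
set firewall name ucrm_blocked_users_eth1 rule 20 action accept
set firewall name ucrm_blocked_users_eth1 rule 20 source group address-group BLOCKED_USERS
set firewall name ucrm_blocked_users_eth1 rule 20 destination group address-group UCRM_WHITELIST

# Drop everything else from blocked clients except traffic to UCRM itself.
set firewall name ucrm_blocked_users_eth1 rule 30 description ucrm_drop_suspended
set firewall name ucrm_blocked_users_eth1 rule 30 action drop
set firewall name ucrm_blocked_users_eth1 rule 30 source group address-group BLOCKED_USERS
set firewall name ucrm_blocked_users_eth1 rule 30 destination address !192.168.199.100

# Bind the ruleset to the client interface in the "in" direction.
set interfaces ethernet eth1 firewall in name ucrm_blocked_users_eth1

commit
save
exit
```

After the commit, check the result from operational mode: show firewall group BLOCKED_USERS lists the addresses UCRM has pushed, show nat rules confirms the exclusion rule sits above the forwarding rule, and show firewall name ucrm_blocked_users_eth1 statistics gives per-rule hit counters. A test client added to BLOCKED_USERS should still resolve names, land on the walled-garden page for any plain HTTP site, reach the whitelisted hosts normally and time out on HTTPS.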

Mikrotik RouterOS



Synchronization with RouterOS is done via the Mikrotik API, which must be enabled on the router (it is by default). This lets UCRM synchronize the BLOCKED_USERS IP list and create the NAT rules and Filter rules itself. The API service is unencrypted and carries the router credentials stored in UCRM, so restrict its allowed addresses to the UCRM server and do not expose it on the WAN.

If you are already using your own NAT or Filter rules, you may need to reorder them relative to the new UCRM ones. All the rules created by UCRM can be identified by the ucrm_ prefix in their comment. The UCRM rules should typically be moved to the top so that they have the highest priority.

Note that when your clients sit behind a bridge on the router, the bridge settings must be changed, otherwise bridged traffic never passes through the IP firewall and the ucrm_ NAT and Filter rules are never applied:

  • Enable Use IP Firewall
  • Disable Allow Fast Path

Related Articles

