This article will provide users with guidance on setting up Firewall and NAT (Network Address Translation) rules on their physical network devices. The suspension feature is designed to block overdue clients and redirect all their HTTP traffic to the suspension "walled garden" page. The DST NAT rule handles the redirection, which works much like a "man-in-the-middle attack". Note that this redirect is possible for HTTP connections only. If a suspended client uses HTTPS, their connection will be blocked, or some browsers will show a warning about an invalid certificate.
NOTES & REQUIREMENTS:
This guide assumes the reader has already set up the UCRM app properly: the device IP, its credentials and interfaces have been provided, and the IP of the server where the UCRM app runs has been configured. For more details on how to configure UCRM settings, take a look at this article: UCRM - How to Setup Network, Client Services and Suspension.
Table of Contents
- Setting Up Network Devices
- Ubiquiti EdgeOS
- Ubiquiti EdgeOS: NAT Rule
- Ubiquiti EdgeOS: Firewall Policies
- Ubiquiti EdgeOS: Allowed IP Whitelist
- Mikrotik RouterOS
- Related Articles
Setting Up Network Devices
UCRM communicates with the network devices in order to synchronize the list of suspended (blocked) IP addresses and to set up the Firewall and NAT rules. UCRM will never modify or delete the rules that have been already created on the device. However, this means the devices may need some additional manual configuration. This guide will help administrators set up their network devices on EdgeOS and Mikrotik RouterOS. At the end of this guide the router should be configured with:
- Blocked IP list.
- 1 Destination NAT rule, which will forward blocked users to the walled garden page.
- 2 Firewall rules for blocked IPs:
  - Rule allowing DNS.
  - Rule blocking forward requests to all addresses except the UCRM server IP.
UCRM will handle the following automatically:
Firewall/NAT Groups: UCRM creates a new group of blocked IPs called BLOCKED_USERS and keeps it up-to-date each time a service is suspended or the suspension is canceled or postponed.
The network administrator must configure the following manually:
The administrator must provide 1 NAT rule and 2 Firewall rules on each router interface which serves as an internet gateway for clients. The sections that follow explain how to set this up.
Ubiquiti EdgeOS
Synchronization with EdgeOS is done via SSH (port 22), which must be enabled on the router (the default). This allows UCRM to synchronize the BLOCKED_USERS IP list.
Ubiquiti EdgeOS: NAT Rule
A new destination NAT rule must be created for each router interface which serves as an internet gateway for the network's clients. Go to Firewall/Nat > NAT > Add Destination NAT Rule and set these attributes:
- Description: ucrm_forward_suspended_eth1 or the label of your choosing. Using the ucrm_ prefix and the interface name as suffix is recommended.
- Inbound Interface: Choose the interface for which the rule is being created.
- Inside Address: Provide the private IP address where UCRM is located. This is where the traffic of all blocked users will be forwarded. The same IP should be set in UCRM settings; see System > Settings > Application > Server IP in the UCRM application.
- Port: Provide the port number used for the suspension "walled garden" page. Typically this is port 81, unless the default port has been changed manually in UCRM and the Docker container, for example to 8081.
- Src Address Group: Choose BLOCKED_USERS. This is the name of the firewall/NAT group used by UCRM. If it has not been created yet, you can do so manually in Firewall/Nat > Firewall/Nat Groups > Add Group.
NOTE: If you want to avoid the invalid SSL certificate warning that some browsers show when a past-due client tries to access an HTTPS site, specify "Dest Port = 80". This ensures that only HTTP traffic is forwarded to the UCRM suspension page; HTTPS connections are simply dropped by the firewall rule instead of being redirected.
If you are using your own NAT rules, you may need to reorder them relative to the new UCRM rules you have created. The UCRM rules should typically be moved to the top so that they get the highest priority.
Ubiquiti EdgeOS: Firewall Policies
For each router interface which serves as an internet gateway for your clients, you need to provide a new Firewall ruleset with the "in" direction. If you are already using an "in direction ruleset" for the given interface, proceed to adding new rules to the existing ruleset.
NOTE: There cannot be two rulesets using the same interface but it is allowed to add a rule to an existing ruleset.
Follow these steps to create a new ruleset:
1. Go to Firewall/NAT > Firewall Policies > Add Ruleset and set these attributes:
- Description: ucrm_blocked_users_eth1 for the eth1 interface, or any label you want. Using the ucrm_ prefix and the interface name as suffix is recommended.
2. Save the new ruleset. This will create a new item in the ruleset list.
3. Find the item line in the list and edit the ruleset by clicking on Actions > Interfaces and setting these attributes:
- Interface: Set the interface for which you are creating the ruleset, with the "in" direction.
How to Add 2 New Rules to an Existing Ruleset
1. In order to enable the suspension feature, you need to create 2 new firewall rules within each ruleset linked with an interface.
2. Find the ruleset line in the list and edit the ruleset by clicking on Actions > Edit Ruleset.
3. Add ucrm_allow_dns rule. Click Add New Rule and set these attributes:
In the Basic tab:
- Description: ucrm_allow_dns or any label you want. Using the ucrm_ prefix is recommended.
In the Source tab:
In the Destination tab:
4. Add ucrm_drop_suspended rule. Click Add New Rule and set these attributes:
In the Basic tab:
- Description: ucrm_drop_suspended or any label you want. Using the ucrm_ prefix is recommended.
- Protocol: Set All protocols.
In the Source tab:
In the Destination tab:
- Address: Provide an exclamation mark followed by the IP address where UCRM is located, for example !192.168.199.100. This blocks all traffic from suspended clients except connections to the UCRM app. See the Allowed IP Whitelist section below if you need to allow more IP addresses.
5. If you are using your own Firewall rules within the given ruleset, you may need to reorder them relative to the new UCRM rules you have created. The UCRM rules should typically be moved to the top so that they get the highest priority.
In the end, the ruleset should look like this:
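The same NAT rule and firewall ruleset expressed as EdgeOS CLI commands, added here as an example and not taken from the UCRM documentation. It assumes eth1 as the client-facing interface, the UCRM address 192.168.199.100 and walled-garden port 81 from the text, rule numbers 5000/10/20 (EdgeOS evaluates rules in ascending order), DNS on port 53, and a ruleset default-action of accept so that non-suspended clients are unaffected.

```edgeos
configure
# Address group that UCRM keeps in sync over SSH; create it empty if UCRM has not done so yet
set firewall group address-group BLOCKED_USERS description "UCRM suspended clients"

# Destination NAT: HTTP (port 80) from suspended clients goes to the UCRM walled garden on port 81
set service nat rule 5000 description ucrm_forward_suspended_eth1
set service nat rule 5000 type destination
set service nat rule 5000 inbound-interface eth1
set service nat rule 5000 protocol tcp
set service nat rule 5000 source group address-group BLOCKED_USERS
set service nat rule 5000 destination port 80
set service nat rule 5000 inside-address address 192.168.199.100
set service nat rule 5000 inside-address port 81

# Inbound ruleset for eth1; default-action accept is an assumption so that other clients pass
set firewall name ucrm_blocked_users_eth1 default-action accept
# Rule 10: let suspended clients resolve names (port 53 assumed), otherwise no redirect ever happens
set firewall name ucrm_blocked_users_eth1 rule 10 description ucrm_allow_dns
set firewall name ucrm_blocked_users_eth1 rule 10 action accept
set firewall name ucrm_blocked_users_eth1 rule 10 protocol tcp_udp
set firewall name ucrm_blocked_users_eth1 rule 10 source group address-group BLOCKED_USERS
set firewall name ucrm_blocked_users_eth1 rule 10 destination port 53
# Rule 20: drop everything else from suspended clients except traffic to the UCRM server
set firewall name ucrm_blocked_users_eth1 rule 20 description ucrm_drop_suspended
set firewall name ucrm_blocked_users_eth1 rule 20 action drop
set firewall name ucrm_blocked_users_eth1 rule 20 protocol all
set firewall name ucrm_blocked_users_eth1 rule 20 source group address-group BLOCKED_USERS
set firewall name ucrm_blocked_users_eth1 rule 20 destination address !192.168.199.100
# Attach the ruleset to eth1 in the "in" direction
set interfaces ethernet eth1 firewall in name ucrm_blocked_users_eth1

commit
save
# Check that the accept rule (10) is listed before the drop rule (20) and that the NAT rule is active
run show firewall name ucrm_blocked_users_eth1
run show nat rules
exit
```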
Ubiquiti EdgeOS: Allowed IP Whitelist
You may want to allow your blocked users to reach additional IP addresses. For example, you may want blocked users to keep access to UCRM, or, when you use AirControl along with UCRM, to allow communication between blocked CPE devices and the server where AirControl is located. This is done with a group of allowed IP addresses that is referenced from a new Firewall rule and a new DST NAT rule. This is the step by step guide:
Whitelist in the Firewall Rule
1. Go to Firewall/Nat > Firewall/Nat Groups > Add Group.
2. Create a group named UCRM_WHITELIST and add the IPs of UCRM and AirControl, or other IPs you want to be accessible from all CPEs even when they are suspended.
3. Go to Firewall/Nat > Firewall Policies and add a new rule; you can name it ucrm_allow_access_to_whitelist.
4. Set these attributes of the new rule
- In tab basic set Accept as the Action
- In tab source set BLOCKED_USERS as the Address group
- In tab destination set UCRM_WHITELIST as the Address group
5. Finally, once the rule is created, the most important step is to change the order of the rules: this accept rule must be placed before the blocking rule. See the final look of the ruleset:
This is the suspension ruleset incorporating the allowed accessible IP whitelist.
Whitelist in the DST NAT Rule
Now, the blocked users’ traffic destined for the WHITELIST IPs will no longer be blocked. However, it will still be redirected to the suspension page, because DST NAT rules are applied before Firewall rules. For this reason, you need to create a new DST NAT rule which will not redirect that traffic:
1. The easiest way to allow a single DST IP is to provide it as an exception in the current DST NAT rule. Don’t forget to prefix the IP with the exclamation mark. See the example below:
2. If you need to allow more than one IP, you need to create a new rule like this:
3. Then, move this rule up to increase the priority so that this rule will be applied first before the general “ucrm forward suspended” rule, by doing the following:
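The whitelist extension as EdgeOS CLI commands, an added example that is not part of the original article. It reuses the ruleset name ucrm_blocked_users_eth1 and the NAT rule number 5000 for the redirect rule, and assumes 192.168.199.100 as the UCRM address from the text, 192.168.199.101 as a constructed AirControl address, firewall rule 15 (evaluated before drop rule 20) and NAT rule 4990 (evaluated before redirect rule 5000).

```edgeos
configure
# Destinations suspended clients may still reach; the second address is a constructed example
set firewall group address-group UCRM_WHITELIST description "reachable while suspended"
set firewall group address-group UCRM_WHITELIST address 192.168.199.100
set firewall group address-group UCRM_WHITELIST address 192.168.199.101

# Accept rule: number 15 places it between allow_dns (10) and drop_suspended (20)
set firewall name ucrm_blocked_users_eth1 rule 15 description ucrm_allow_access_to_whitelist
set firewall name ucrm_blocked_users_eth1 rule 15 action accept
set firewall name ucrm_blocked_users_eth1 rule 15 source group address-group BLOCKED_USERS
set firewall name ucrm_blocked_users_eth1 rule 15 destination group address-group UCRM_WHITELIST

# DST NAT exclusion: number 4990 is evaluated before the redirect rule 5000, so
# traffic from suspended clients to whitelisted addresses is not sent to the walled garden
set service nat rule 4990 description ucrm_whitelist_no_redirect_eth1
set service nat rule 4990 type destination
set service nat rule 4990 inbound-interface eth1
set service nat rule 4990 exclude
set service nat rule 4990 source group address-group BLOCKED_USERS
set service nat rule 4990 destination group address-group UCRM_WHITELIST

commit
save
# Verify ordering: 4990 must precede 5000 and rule 15 must precede rule 20
run show nat rules
run show firewall name ucrm_blocked_users_eth1
exit
```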
Mikrotik RouterOS
Synchronization with RouterOS is done via the Mikrotik API, which must be enabled on the router (the default). This allows UCRM to synchronize the BLOCKED_USERS IP list and to set up the NAT rules and Filter rules itself.
If you are using your own NAT or Filter rules, you may need to reorder them relative to the new UCRM ones. All the rules created by UCRM can be identified by the ucrm_ prefix. The UCRM rules should typically be moved to the top so that they get the highest priority.
Note that when using a bridge on your router, you should set up:
- Use IP Firewall
- Disallow fast path