New Member
RE
Posts: 20
Registered: 11-29-2013

Help Configuring 5 Port Edge Router POE

Hello Community

I am a complete newbie with Ubiquiti products and need help in a configuration. I think I am close, but have hit a wall. Basic configuration of the system is to be as follows:

eth0 - Admin Use w/ full Internet Access

eth1 - Internet access from ISP (COX)

eth2 - Available for network users

eth3 - UniFi AP LR - with separate VLANs (public - Internet access only / private - full access LAN / WAN / etc)

eth4 - To 5 Port Tough Switch

I need basic firewall protection (NAT + SPI Protection + Filter Anonymous Requests - Pings + Filter outside IDENT Port 113 scans).

If anyone can help me - I'd be grateful.

So - here is what I have done so far:

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Admin
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description COX
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description NetworkPort-01
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description WiFiAP
        duplex auto
        poe {
            output 24v
        }
        speed auto
        vif 200 {
            address dhcp
            description Private
            mtu 1500
        }
        vif 201 {
            address dhcp
            description Public
            mtu 1500
        }
    }
    ethernet eth4 {
        address dhcp
        description ToughSwitch
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name NetNameHere {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.1.50 {
                    stop 192.168.1.254
                }
            }
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description 2Inernet
            destination {
                address 0.0.0.0
            }
            log disable
            outbound-interface eth1
            protocol all
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name HostameHere
    login {
        user LocalAdmin {
            authentication {
                encrypted-password BIGPW01STRINGHERE/
                plaintext-password ""
            }
            full-name "NetAdmin"
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password BIGPW02STRINGHERE
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 68.105.28.16
    name-server 68.105.28.17
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.2.0.4574253.130626.1248 */

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

You might want to start with the example 5 port config firewall at - LINK. 

Also depending on your performance needs you might want to consider switching eth0 with eth4 as eth0 and eth1 have independent gig interfaces into the cpu while eth2 - eth4 are on a switch that share a gig interface to the cpu.

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

Thank you UBNT-stig

I am getting closer, but still not quite there … I hope you or another member of the community can help.

Current setting / intent is:

Small Office setting - all DHCP and routing done by the EdgeRouter.

eth0 - LAN / direct wired to ToughSwitch port 1

eth1 - WAN / From ISP (COX) modem

eth2 - UniFi AP - LR - with two VLANs
    200 = Private with full access to the Internet and other users & devices on the LAN - Including eth0 / Tough Switch
    201 = Public with only access to Internet

eth3 - LAN - Full access to the Internet and other users & devices on the LAN - Including eth0 / Tough Switch

eth4 - LAN - Full access to the Internet and other users & devices on the LAN - Including eth0 / Tough Switch

Firewall to provide protection and manage VLAN traffic (ie - 200 full internal access / 201 Internet only access).

Here is where I am to date - still trying to figure out the traffic between ports (on the x.x.1.x and x.x.2.x switch routes) and VLANs.

Thank you all - I am hopeful that the final configuration that we can come up with will be of help and value to others in the future. This seems like a great product - but the setup is more than I am used to (super cool / nice interface though - looking forward to learning more - I have 2 or 3 other places I would love to deploy this same setup!)

I am open to any suggestions to improve performance.

RE



firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description ToTOUGHSwitch
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description WAN-ISP-COX
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description WiFi-UniFi-AP-LR
        duplex auto
        poe {
            output 24v
        }
        speed auto
        vif 200 {
            description 200-Private-WiFi
            mtu 1500
        }
        vif 201 {
            description 201-Public-WiFi
            mtu 1500
        }
    }
    ethernet eth3 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description Switch-eth2-3-4
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name switch {
            authoritative enable
            description switch
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.254
                }
                time-server 192.168.2.1
            }
        }
        shared-network-name wired-eth0 {
            authoritative enable
            description "Wired Network - Eth0"
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                ntp-server 192.168.1.1
                start 192.168.1.10 {
                    stop 192.168.1.100
                }
                time-server 192.168.1.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            listen-on switch0
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1
        }
        listen-on switch0 {
            outbound-interface eth1
        }
    }
}
system {
    host-name ubnt
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user ubnt {
            authentication {
                encrypted-password $6$R0tERhM5JPDg$w808vSeWV1JJICgvhFGt81Vfxx6HiM3ErQ7V1nkpx1V16sPBNM01taOj60AjyXdPx493hbWugpjS8I1V/XBPW.
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.2.0.4574253.130626.1248 */

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

Community -

Did some more playing - still not there - looking for help & wisdom.

RE

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

Here is where I am to date - still trying to figure out the traffic between ports (on the x.x.1.x and x.x.2.x switch routes) and VLANs.

It's not clear to me what the issue is. Can you explain in more detail? And if you've changed the config, please post it again (in a code tag).

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

UBNT-stig (and fellow community peoples)

I guess I did not expect the subnets in the example config file - in other words I expected to see both the eth0 and switched group eth2/3/4 to all be on 192.168.1.xxx. Thinking through it though - as long as I wind up with full access across both subnets - I actually prefer the 192.168.1.1/24 and 192.168.2.1/24 addressing.

So - at this point I think we are almost there - the last bit of help I think I need is the routing and firewall rules to provide proper VLAN access control. (That is 200 = Private with full access to the Internet and other users & devices on the LAN and 201 = Public with only access to Internet.)

To summarize again - the basic intent is small office with the router providing all DHCP addressing.

eth0 - LAN / direct wired to ToughSwitch port 1

eth1 - WAN / From ISP (COX) modem

eth2 - UniFi AP - LR - with two VLANs
    200 = Private with full access to the Internet and other users & devices on the LAN
    201 = Public with only access to Internet

eth3 - LAN - Full access to the Internet and other users & devices on the LAN

eth4 - LAN - Full access to the Internet and other users & devices on the LAN

Thanks again!
RE

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

--- current configuration ---

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

It's certainly possible to do the VLAN isolation on the router, but it may be easier to do it in UniFi. Here in the office the UniFi AP tags guest and public with different VLANs and then restricts what networks the guest can see.

Also if you really want just 1 LAN subnet that is possible too by putting eth2, eth3 and eth4 in switch-port mode and then bridging eth0 and switch0. However with bridging you do lose some performance.

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE


RE wrote:

--- current configuration ---


I just took another look at this config and I don't see how this could be working for you. The config shows VLANs on eth2, but the system doesn't allow VLANs on interfaces in switch-port mode. You probably need to move the VLANs to switch0.

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

UBNT-stig & lurkers

OK - good to know on the VLANs on port eth2. It let me put them in without error, so I thought I was good to go.

So I will drop back to the 5 port example you gave me.

Questions:

1) For best performance should I leave my Tough Switch on eth0 / ISP on eth1 / and AP on eth2?

2) For security with the guest access - it sounds like I do not need to configure VLANs up in the router, is that correct?

3) With the Router / Switch / AP is this how you would configure?

4) Should the configuration then work with no / minimal tweaks?

Can't say thanks enough -

RE

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Registered: ‎06-09-2011
Posts: 3347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

Maybe try something like this. Note I haven't actually tested this but I think it might work.

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        network-group BLOCKED_NETS {
            network 192.168.1.0/24
            network 192.168.2.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
        }
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name VLAN_IN {
        default-action accept
        rule 10 {
            action drop
            destination {
                group {
                    network-group BLOCKED_NETS
                }
            }
            log enable
        }
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description ToTOUGHSwitch
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description WAN-ISP-COX
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description WiFi-UniFi-AP-LR
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description Switch-eth2-3-4
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
        vif 200 {
            address 192.168.3.1/24
            description 200-Private-WiFi
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
        vif 201 {
            address 192.168.4.1/24
            description 201-Public-WiFi
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name VLAN-200-private-wifi {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.10 {
                    stop 192.168.3.254
                }
            }
        }
        shared-network-name VLAN-201-public-wifi {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                start 192.168.4.10 {
                    stop 192.168.4.254
                }
            }
        }
        shared-network-name switch {
            authoritative enable
            description switch
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.254
                }
                time-server 192.168.2.1
            }
        }
        shared-network-name wired-eth0 {
            authoritative enable
            description "Wired Network - Eth0"
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                ntp-server 192.168.1.1
                start 192.168.1.10 {
                    stop 192.168.1.100
                }
                time-server 192.168.1.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            listen-on switch0
            listen-on switch0.200
            listen-on switch0.201
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1
        }
        listen-on switch0 {
            outbound-interface eth1
        }
    }
}
system {
    host-name ubnt
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user ubnt {
            authentication {
                encrypted-password $6$05CZDORU8qgCb$YZhJ4Q/xRUzfZRfroR2b8gTOn376Vih975UI1LrqnvoN0/tbJd1UJ3o6AmdF0BBplyTsRofbvsyxiYOV9sp/z.
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.2.0.4574253.130626.1248 */
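
An added example, not from the thread or from Ubiquiti: a small Python model of the VLAN_IN ruleset in the config above, evaluating a few constructed flows against the intent stated earlier in the thread (200 = full access, 201 = Internet only). The rulesets, network group, interface bindings and addresses are copied from the posted config; the first-match-then-default-action evaluation order, the `decide`/`audit` helpers and the `FIXED_POLICY` variant (binding vif 200 to LAN_IN instead of VLAN_IN) are assumptions of the model.

```python
"""Added model of how the VLAN_IN ruleset posted above treats a few flows.

Assumed semantics (a model, not EdgeOS code): rules in a ruleset are tried in
ascending number order, the first match decides, and the ruleset's
default-action applies when no rule matches.  Interface names, addresses and
rules are copied from the posted config; the sample flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# network-group BLOCKED_NETS from the posted config.
BLOCKED_NETS = [ip_network(n) for n in (
    "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]


@dataclass
class Rule:
    number: int
    action: str                                   # "accept" or "drop"
    dst_nets: list = field(default_factory=list)  # destination network-group
    description: str = ""

    def matches(self, dst) -> bool:
        # A rule with no destination match criterion matches every packet.
        if not self.dst_nets:
            return True
        return any(dst in net for net in self.dst_nets)


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: list

    def evaluate(self, dst):
        """Return (action, reason) for a forwarded packet towards dst."""
        dst = ip_address(dst)
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(dst):
                return rule.action, f"{self.name} rule {rule.number}"
        return self.default_action, f"{self.name} default-action"


# Rulesets as posted: VLAN_IN drops any destination in BLOCKED_NETS,
# LAN_IN has no rules and so accepts everything.
VLAN_IN = Ruleset("VLAN_IN", "accept",
                  [Rule(10, "drop", BLOCKED_NETS, "drop to BLOCKED_NETS")])
LAN_IN = Ruleset("LAN_IN", "accept", [])

# 'firewall in' binding per ingress interface, as in the posted config.
POSTED_POLICY = {
    "switch0.200": VLAN_IN,   # 192.168.3.0/24, private WiFi
    "switch0.201": VLAN_IN,   # 192.168.4.0/24, public WiFi
    "switch0": LAN_IN,        # 192.168.2.0/24, wired eth2-4
    "eth0": LAN_IN,           # 192.168.1.0/24, ToughSwitch
}

# Hypothetical adjustment (not from the thread): bind the private VLAN to a
# ruleset without rule 10 so it is treated like the wired LAN.
FIXED_POLICY = dict(POSTED_POLICY, **{"switch0.200": LAN_IN})

# Constructed flows (ingress interface, source, destination, intended action)
# expressing the stated intent: 200 = full access, 201 = Internet only.
INTENT = [
    ("switch0.200", "192.168.3.20", "8.8.8.8", "accept"),       # private -> Internet
    ("switch0.200", "192.168.3.20", "192.168.2.14", "accept"),  # private -> wired LAN
    ("switch0.200", "192.168.3.20", "192.168.1.50", "accept"),  # private -> ToughSwitch LAN
    ("switch0.201", "192.168.4.20", "8.8.8.8", "accept"),       # public -> Internet
    ("switch0.201", "192.168.4.20", "192.168.2.14", "drop"),    # public -> LAN must fail
]


def decide(policy, ingress_iface, dst):
    """Action and deciding rule for a flow entering on ingress_iface towards dst."""
    return policy[ingress_iface].evaluate(dst)


def audit(policy, flows):
    """List every flow whose actual action differs from the intended one."""
    mismatches = []
    for iface, src, dst, intended in flows:
        action, reason = decide(policy, iface, dst)
        if action != intended:
            mismatches.append((iface, src, dst, intended, action, reason))
    return mismatches


if __name__ == "__main__":
    for m in audit(POSTED_POLICY, INTENT):
        print("posted config violates intent:", m)
    print("fixed policy mismatches:", audit(FIXED_POLICY, INTENT))
```

Running the audit against the posted bindings reports the two private-WiFi flows towards 192.168.2.0/24 and 192.168.1.0/24 as dropped by VLAN_IN rule 10, which matches the later report in the thread that the private side can reach the Internet but not other LAN devices; the public VLAN behaves as intended either way.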

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

UBNT-stig

THANK YOU!

Looks like we are good to go!

I have not done a ton of testing / connectivity / speed test etc - but everything seems to be working great. All subnets seem to work properly - the AP finally picked up and configured perfectly the first time.

Can't say thanks enough!

RE

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

All -

After 2 weeks ... I am finally back on this project - I thought things were good to go - - -

The problem now is - I cannot access the Internet via wireless using the VLAN settings I had intended to use - thinking this would provide better segregation and security. I think we have something in the security or routes not set up correctly. See the previous thread - current configuration is listed above.

When I drop the VLAN requirements off the UniFi APs in the UniFi management tool - I can access the Internet.  Add the VLAN specs back in … no Access / Internet on the public and private connections.

Wireless devices pick up on the UniFi AP - DHCP settings / assignments all look good.  Wired connections are good.
Anyone out there able to lend a hand?

RE

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

It sounds like UniFi isn't tagging the packets with the VLAN id. When on the VLAN are you getting an IP address in the correct subnet? Can you ping the router?

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

UBNT-stig:

Yes - I show connected users - with a valid IP - with the subnet that matches the VLAN (dot3 and dot4).

RE

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

Do you see the firewall VLAN_IN statistics incrementing when you try accessing the Internet? Do you have any firewall drops recorded in the log?

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

UBNT-stig

As of tonight I have access to the net on both my public and private WiFis - on the private side, I cannot see any other devices on the network ... or even ping from 192.168.2.10 to 192.168.2.14 ...

I have connections through the 2 vlans to the Internet ...

thanks,

RE

OK here is the current configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        network-group BLOCKED_NETS {
            network 192.168.1.0/24
            network 192.168.2.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
        }
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name VLAN_IN {
        default-action accept
        rule 10 {
            action drop
            destination {
                group {
                    network-group BLOCKED_NETS
                }
            }
            log enable
        }
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description ToTOUGHSwitch
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description WAN-ISP-COX
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description WiFi-UniFi-AP-LR
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description Switch-eth2-3-4
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
        vif 200 {
            address 192.168.3.1/24
            description 200-Private-WiFi
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
        vif 201 {
            address 192.168.4.1/24
            description 201-Public-WiFi
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name VLAN-200-private-wifi {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.10 {
                    stop 192.168.3.254
                }
            }
        }
        shared-network-name VLAN-201-public-wifi {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                start 192.168.4.10 {
                    stop 192.168.4.254
                }
            }
        }
        shared-network-name switch {
            authoritative enable
            description switch
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.254
                }
                time-server 192.168.2.1
            }
        }
        shared-network-name wired-eth0 {
            authoritative enable
            description "Wired Network - Eth0"
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                ntp-server 192.168.1.1
                start 192.168.1.10 {
                    stop 192.168.1.100
                }
                time-server 192.168.1.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            listen-on switch0
            listen-on switch0.200
            listen-on switch0.201
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1
        }
        listen-on switch0 {
            outbound-interface eth1
        }
    }
}
system {
    host-name ubnt
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user ubnt {
            authentication {
                encrypted-password $6$05CZDORU8qgCb$YZhJ4Q/xRUzfZRfroR2b8gTOn376Vih975UI1LrqnvoN0/tbJd1UJ3o6AmdF0BBplyTsRofbvsyxiYOV9sp/z.
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.2.0.4574253.130626.1248 */

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

So are you saying the problem is solved or is there still an issue?

I was thinking we might need to change the VLAN_IN rules to allow each subnet to talk to the router:

    name VLAN_IN {
        default-action accept
        rule 1 {
            action accept
            destination {
                address 192.168.1.1
            }
            source {
                address 192.168.1.0/24
            }
        }
        rule 2 {
            action accept
            destination {
                address 192.168.2.1
            }
            source {
                address 192.168.2.0/24
            }
        }
        rule 3 {
            action accept
            destination {
                address 192.168.3.1
            }
            source {
                address 192.168.3.0/24
            }
        }
        rule 4 {
            action accept
            destination {
                address 192.168.4.1
            }
            source {
                address 192.168.4.0/24
            }
        }
        rule 10 {
            action drop
            destination {
                group {
                    network-group BLOCKED_NETS
                }
            }
            log enable
        }
    }

New Member
RE
Posts: 20
Registered: 11-29-2013

Re: Help Configuring 5 Port Edge Router POE

UBNT-stig - and any other insightful lurker :smileyhappy:

OK - so I added the new rules - the good news is that I can now ping between devices on the subnets - but cannot ping from the private wifi to the wired connections.  For example - I can ping from 192.168.3.10 to 192.168.3.11.  I cannot ping from 192.168.1.10 to 192.168.3.10.  Seems like I want to ping between subnets 1 (wired) 2 (wired) and 3 (private wifi) but I don't want to ping internally from the dot 4 subnet.


Thanks to all - RE

current config follows:

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        network-group BLOCKED_NETS {
            network 192.168.1.0/24
            network 192.168.2.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
        }
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name VLAN_IN {
        default-action accept
        rule 10 {
            action drop
            description "rule 10"
            destination {
                group {
                    network-group BLOCKED_NETS
                }
            }
            log enable
        }
        rule 11 {
            action accept
            description "rule 11"
            destination {
                address 192.168.1.1
            }
            log disable
            protocol all
            source {
                address 192.168.1.0/24
            }
        }
        rule 12 {
            action accept
            description "rule 12"
            destination {
                address 192.168.2.1
            }
            log disable
            protocol all
            source {
                address 192.168.2.0/24
            }
        }
        rule 13 {
            action accept
            description "rule 13"
            destination {
                address 192.168.3.1
            }
            log disable
            protocol all
            source {
                address 192.168.3.0/24
            }
        }
        rule 14 {
            action accept
            description "rule 14"
            destination {
                address 192.168.4.1
            }
            log disable
            protocol all
            source {
                address 192.168.4.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description ToTOUGHSwitch
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description WAN-ISP-COX
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description WiFi-UniFi-AP-LR
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description Switch-eth2-3-4
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
        vif 200 {
            address 192.168.3.1/24
            description 200-Private-WiFi
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
        vif 201 {
            address 192.168.4.1/24
            description 201-Public-WiFi
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name VLAN-200-private-wifi {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.10 {
                    stop 192.168.3.254
                }
            }
        }
        shared-network-name VLAN-201-public-wifi {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                start 192.168.4.10 {
                    stop 192.168.4.254
                }
            }
        }
        shared-network-name switch {
            authoritative enable
            description switch
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.254
                }
                time-server 192.168.2.1
            }
        }
        shared-network-name wired-eth0 {
            authoritative enable
            description "Wired Network - Eth0"
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                ntp-server 192.168.1.1
                start 192.168.1.10 {
                    stop 192.168.1.100
                }
                time-server 192.168.1.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            listen-on switch0
            listen-on switch0.200
            listen-on switch0.201
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1
        }
        listen-on switch0 {
            outbound-interface eth1
        }
    }
}
system {
    host-name ubnt
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user ubnt {
            authentication {
                encrypted-password $6$05CZDORU8qgCb$YZhJ4Q/xRUzfZRfroR2b8gTOn376Vih975UI1LrqnvoN0/tbJd1UJ3o6AmdF0BBplyTsRofbvsyxiYOV9sp/z.
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.2.0.4574253.130626.1248 */
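
Rule order decides everything in a named EdgeOS rule set: rules are evaluated in ascending rule-number order, the first match wins, and default-action applies only when nothing matches. The following is an added example (not code from this thread or from Ubiquiti) that models that evaluation and compares UBNT-stig's suggested VLAN_IN ordering (accepts 1-4 before drop 10) with the ordering in the config above (drop 10 before accepts 11-14); BLOCKED_NETS and the rules are transcribed from the thread, and the probe addresses are constructed.

```python
"""First-match model of an EdgeOS named firewall rule set (added example).
Rules are evaluated in ascending rule-number order; the first rule whose
criteria all match decides, and default-action applies only if none match.
"""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int
    action: str                                       # "accept" or "drop"
    source: list = field(default_factory=list)        # CIDRs; empty = any
    destination: list = field(default_factory=list)   # CIDRs; empty = any

@dataclass
class RuleSet:
    name: str
    default_action: str
    rules: list

# network-group BLOCKED_NETS as defined in the thread's config
BLOCKED_NETS = ["192.168.1.0/24", "192.168.2.0/24",
                "192.168.3.0/24", "192.168.4.0/24"]

def _in_any(nets, addr):
    """True when addr falls in one of nets; an empty list matches anything."""
    if not nets:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def evaluate(ruleset, src, dst):
    """Return (matching rule number or None, action) for a packet src -> dst."""
    for rule in sorted(ruleset.rules, key=lambda r: r.number):
        if _in_any(rule.source, src) and _in_any(rule.destination, dst):
            return rule.number, rule.action
    return None, ruleset.default_action

def gateway_rules(first_number):
    """The four 'subnet N to its own gateway' accepts, numbered from first_number."""
    return [Rule(first_number + i, "accept",
                 source=[f"192.168.{i + 1}.0/24"],
                 destination=[f"192.168.{i + 1}.1/32"])
            for i in range(4)]

# UBNT-stig's suggested ordering: accepts 1-4 sit before drop rule 10.
STIG_VLAN_IN = RuleSet("VLAN_IN", "accept",
                       gateway_rules(1) + [Rule(10, "drop", destination=BLOCKED_NETS)])

# RE's committed VLAN_IN: drop rule 10 comes first, accepts 11-14 follow it.
RE_VLAN_IN = RuleSet("VLAN_IN", "accept",
                     [Rule(10, "drop", destination=BLOCKED_NETS)] + gateway_rules(11))

def shadowed_rules(ruleset):
    """Rule numbers that an earlier rule pre-empts for their own traffic.
    Probe-based: one packet per rule (first host of its source net to its
    destination address), a quick ordering sanity check, not a full proof."""
    shadowed = []
    for rule in ruleset.rules:
        if not rule.source or not rule.destination:
            continue
        src = str(next(ipaddress.ip_network(rule.source[0]).hosts()))
        dst = str(ipaddress.ip_network(rule.destination[0]).network_address)
        if evaluate(ruleset, src, dst)[0] != rule.number:
            shadowed.append(rule.number)
    return shadowed

if __name__ == "__main__":
    # Constructed probe: a private-WiFi client talking to its own gateway.
    for label, rs in (("stig", STIG_VLAN_IN), ("RE", RE_VLAN_IN)):
        print(label, evaluate(rs, "192.168.3.10", "192.168.3.1"),
              "shadowed:", shadowed_rules(rs))
```

Only packets entering through the interface the rule set is attached to are modelled, and VLAN_IN has no established/related rule, so reply traffic entering a vif is evaluated the same way.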

Ubiquiti Employee
UBNT-stig
Posts: 3,347
Kudos: 1013
Solutions: 267
Contributions: 14
Registered: 06-09-2011

Re: Help Configuring 5 Port Edge Router POE

RE wrote:

UBNT-stig - and any other insightful lurker :smileyhappy:

OK - so I added the new rules - the good news is that I can now ping between devices on the subnets - but cannot ping from the private wifi to the wired connections.  For example - I can ping from 192.168.3.10 to 192.168.3.11.  I cannot ping from 192.168.1.10 to 192.168.3.10.  Seems like I want to ping between subnets 1 (wired) 2 (wired) and 3 (private wifi) but I don't want to ping internally from the dot 4 subnet.


I'm now more confused at what you're trying to accomplish.  Initially I thought you didn't want any subnet to be able to talk to any other subnet except WAN.  Are you now saying that you only want to limit public vlan 201 to WAN?
