Senior Member
Posts: 3,266
Registered: ‎05-15-2014
Kudos: 1136
Solutions: 227

Layman's firewall explanation

[ Edited ]

I've created this picture for some local needs, thought I'd share it here. Maybe some folks find it useful.

(For the pros, I know it's way more complicated than this, but ...)

 

ERL1.png

TEKUX - IT Consulting and Services
SuperUser
Posts: 19,051
Registered: ‎09-17-2013
Kudos: 4769
Solutions: 1342

Re: Layman's firewall explanation

nice pic :)

 

I like this one myself... 

 

EdgeOS_Order

Senior Member
Posts: 3,266
Registered: ‎05-15-2014
Kudos: 1136
Solutions: 227

Re: Layman's firewall explanation

[ Edited ]

@dpurgert I'm fully aware of that picture, but believe me, the IN and OUT directions on that picture are very confusing to newbies and laymen. To most newbies it makes no sense why IN and OUT are on one line and how that all works, and especially where to create firewall rules ... thus my picture ;)

TEKUX - IT Consulting and Services
SuperUser
Posts: 19,051
Registered: ‎09-17-2013
Kudos: 4769
Solutions: 1342

Re: Layman's firewall explanation

true enough :)

New Member
Posts: 1
Registered: ‎12-27-2015

Re: Layman's firewall explanation

[ Edited ]

Hi BranoB,

 

can you share this config?

 

thanks in advance.

Senior Member
Posts: 3,266
Registered: ‎05-15-2014
Kudos: 1136
Solutions: 227

Re: Layman's firewall explanation

Sorry, I don't have this exact config handy. Do you have problems with any particular part? Post your config and let's figure it out together.

TEKUX - IT Consulting and Services
New Member
Posts: 1
Registered: ‎02-17-2016

Re: Layman's firewall explanation

Thank you!

 

This finally made me understand the directions of IN and OUT of the firewall towards the VLAN.

I have been reading the forum, and trying to fix my rule for default drop traffic to all VLANs, but all I did was lock myself out from the internet.

 

I thought of firewall IN as in "traffic coming into the VLAN" and not, as I understand now, "traffic in to the router from the VLAN".

 

:)

SuperUser
Posts: 19,051
Registered: ‎09-17-2013
Kudos: 4769
Solutions: 1342

Re: Layman's firewall explanation


ClassicCrayfish wrote:

Thank you!

 

I thought of firewall IN as in "traffic coming into the VLAN" and not, as I understand now, "traffic in to the router from the VLAN".

 

:)


 

So long as you understand it as traffic passing through the router (i.e. destined for somewhere else), then you've got it.

New Member
Posts: 16
Registered: ‎06-03-2016
Kudos: 1

Re: Layman's firewall explanation

Ok, I am late to the party but this thread seems critical to my understanding of firewall rules.

 

So, as I think I now understand it, IN always applies to traffic from an interface? Might be to router or to services supplied by the router (DNS, DHCP etc)?

 

I am about to post my current config for help in my "help with DMZ" thread. I am starting to add rules and wanted to be sure my understanding is correct.

 

Thanks

Senior Member
Posts: 3,266
Registered: ‎05-15-2014
Kudos: 1136
Solutions: 227

Re: Layman's firewall explanation

IN: traffic entering the router from an interface (and later exiting via another interface)

OUT: traffic exiting the router to an interface (previously entered via another interface)

LOCAL: traffic entering the router and destined to the router itself

TEKUX - IT Consulting and Services
Deleted Account
Posts: 0

Re: Layman's firewall explanation

A firewall policy is a set of rules with a default action. Firewall policies are applied before SNAT (Source Network Address Translation) and after DNAT (Destination Network Address Translation).

 

https://help.ubnt.com/hc/en-us/articles/205231540-EdgeMAX-Add-access-control-list-ACL-

 

IN, OUT, and LOCAL

 

WAN_IN = From the internet, through the router, and onward to your LAN. In very general terms, you want to drop 90% of this mess - it's script kiddies, port scans, Nigerian princes, and anyone else you don't want able to head through your router. Obviously, you're gonna want to allow ports 80, 443, 25, and others if you're running those types of services.

 

WAN_OUT = traffic that has been forwarded through the router and is about to exit out the interface.

 

NOTE: "WAN_OUT" applies to the "out" direction on the WAN interface. It only applies to forwarded traffic, so requests from the router itself do not go through these rules.

 

WAN_LOCAL = Traffic destined for the router (for example, if you wanted to use the web UI on the router you'd need to allow port 443 on LOCAL). This firewall is for packets destined to the router itself (i.e. "localhost") from the WAN.

 

LAN_IN = everything inbound to the router from your LAN (e.g. 192.168.1.0/24) that's destined for somewhere else (WAN, another LAN such as 192.168.2.0/24). In an SMB or SOHO setup, this is probably explicitly permissive. In an enterprise setting, this may or may not be permissive (e.g. blocking all outgoing traffic except for SFTP on a non-standard port).

 

LAN_LOCAL = everything inbound to the router from your LAN destined for the router.  Again, unless you're doing enterprise routing, this is probably fairly open - although good SMB setups with guest networks may block the guest network range.

 

In terms of using IN or OUT rules, some will say that IN is better because if you're going to drop a packet it's better to do it on input rather than go through the full packet processing path only to drop it before it leaves the router. Also note that creating a firewall ruleset without applying it to an interface/direction does nothing.

 

The firewall for IPv6 is separate from the IPv4 firewall and currently it needs to be configured using the CLI ("set firewall ipv6-name ..." etc.) or the Config Tree in the Web UI, so you'll need to create IPv6 rules separately and apply them to the appropriate interface/direction.

 

The easiest approach to IPv6 firewalling is either DHCPv6 with reservations or static IP. Once you have a fixed address for the device, you apply firewall policy just like you would in IPv4. Currently (v1.6.0) the NAT configuration is IPv4-only. So for now you might try using the "ip6tables" command directly to manipulate the IPv6 nat table (sudo ip6tables -t nat ...). http://networkingnerd.net/2011/12/01/whats-the-point-of-nat66/

http://blog.ipspace.net/2011/12/we-just-might-need-nat66.html

 

Disabling IPv6 on the router = set system ipv6 disable

 

NAT - Symmetric type

NAT changes the addressing of packets. A NAT rule tells the EdgeRouter what action to take with a specific packet. Define the following:

  • Criteria for matching packets
  • Action to take with matching packets

Rules are organized into a set and applied in the specified Rule Order. If the packets match a rule’s criteria, then its action is performed. If not, then the next rule is applied.

 

Source NAT Rules

Source NAT Rules change the source address of packets; a typical scenario is that a private source needs to communicate with a public destination. A Source NAT Rule goes from the private network to the public network and is applied after routing, just before packets leave the EdgeRouter. SNAT = Source NAT = Translation / Manipulation from Internal to External (masqueraded to the Internet).

 

SNAT vs MASQUERADE: Both are network address translation (NAT) techniques whereby the source (LAN) address gets automatically converted to another address (typically the WAN address) by the router.

- MASQUERADE converts the address to the WAN address, whatever it happens to be. In other words, at every conversion, it has to check what the WAN address is.

- SNAT converts the address to a fixed address, set to the WAN address by the firewall initialization.

In theory, SNAT should be faster, since both are performing the same translation but MASQUERADE has to perform that extra lookup. In practice, we're only talking about a few machine instructions here, so the difference is not noticeable.

Masquerade only uses the primary address of the interface.  Now say my ISP gives me a /29 with 5 addresses. Then I might have something like:

 

ubnt@R3# show interfaces ethernet eth6
address 1.1.1.2/29
address 1.1.1.3/29
address 1.1.1.4/29
address 1.1.1.5/29
address 1.1.1.6/29
duplex auto
speed auto
[edit]

 

Now say I want LAN1 to use 1.1.1.3 and LAN2 to use 1.1.1.6. To do that I need source NAT = SNAT.

 

Destination NAT Rules

Destination NAT Rules change the destination address of packets; a typical scenario is that a public source needs to communicate with a private destination. A Destination NAT Rule goes from the public network to the private network and is applied before routing. SEE ALSO "PORT FORWARDING". DNAT = Translation / Manipulation from External to Internal = WAN to LAN mapping.

 

 

Hairpin NAT

Enabled by default. If you want to allow a host on the internal network to use the public IP address to access an internal server, then keep Hairpin NAT enabled. (Hairpin NAT is also known as NAT loopback or NAT reflection.) Note: If Hairpin NAT is enabled, then it only enables Hairpin NAT for the port forwarding rules defined in the wizard; it does not affect the Destination NAT Rules defined on the Security > NAT tab (refer to “Destination NAT Rules”)

 

NAT Hairpin = "NAT inside-to-inside" = "NAT Loopback" = "NAT Reflection" = SNAT Loopback.

 

http://community.ubnt.com/t5/EdgeMAX/SNAT-Loopback-aka-Hairpin-Question/td-p/1552015

 

The routers which support this specifically look for traffic which should hairpin. The routers which don't support this do normal routing, and they send traffic destined for external addresses out the WAN interface, per the routing table.

 

This is completely dependent on the router make, model, and software version.

 

What happens on the routers which don't support this is that the traffic from the inside host to the external server address has the destination address looked up in the routing table, and that points to the WAN interface, so the traffic is sent to the WAN interface, which is an outside interface, so the inside source address gets translated, per the inside source NAT rules, to an outside address (usually the WAN interface address), and the traffic is sent out the WAN interface. This is all based on normal routing rules.

 

The traffic will travel to the ISP router, which will promptly drop it since it is coming in from an interface where the destination address is. Routers drop traffic destined for the network from which it originates.

 

 

UPnP

Instead of manually configuring port forwarding rules, you can use UPnP for automatic port forwarding when you have hardware that supports UPnP.

 

Typically, a NAT Port Forwarding rule is used from the outside network to get to a server on the inside network by using the public address (or hostname) of the router. But in cases where the same local server must be accessed from inside the local network using that public address, NAT Hairpin applies.

New Member
Posts: 16
Registered: ‎06-03-2016
Kudos: 1

Re: Layman's firewall explanation

Thank you very much for that detailed writeup!

Things are starting to make more sense.

Senior Member
Posts: 3,266
Registered: ‎05-15-2014
Kudos: 1136
Solutions: 227

Re: Layman's firewall explanation

Difference between various firewall actions:

 

ACCEPT - let the packet through

DROP - drop the packet, don't let the source know

REJECT - drop the packet, but let the source know

TEKUX - IT Consulting and Services
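The three posts above (BranoB's IN/OUT/LOCAL definitions, the long write-up on ruleset placement, DNAT-before-firewall, SNAT-after-firewall, SNAT versus MASQUERADE and hairpin NAT, and the ACCEPT/DROP/REJECT summary) describe one packet path. The following is an added example that models that path as a small Python simulation so you can see which ruleset a given packet hits and what leaves the router; it is not EdgeOS code and not from any poster here. The interfaces, addresses (the 1.1.1.0/29 block from the thread plus two constructed LANs), ruleset names, and the port-forward and SNAT rules are all assumptions made up for the illustration, and there is no connection tracking: `established` is just a flag set on the packet.

```python
# Added example: toy model of the EdgeRouter packet path discussed in this thread
# (DNAT -> routing -> <in>_IN or <in>_LOCAL -> <out>_OUT -> SNAT). Constructed for
# illustration; interface names, addresses and ruleset names are assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    established: bool = False  # reply to a flow the router already accepted (no real conntrack here)


# Constructed topology: eth0 is the WAN holding the /29 from the thread, eth1/eth2 are two LANs.
IFACES = {
    "eth0": {"addrs": ["1.1.1.2", "1.1.1.3", "1.1.1.6"], "net": "1.1.1.0/29"},
    "eth1": {"addrs": ["192.168.1.1"], "net": "192.168.1.0/24"},  # LAN1
    "eth2": {"addrs": ["192.168.2.1"], "net": "192.168.2.0/24"},  # LAN2 (guest)
}
DEFAULT_ROUTE = "eth0"

# Ruleset names are arbitrary; what matters is the interface/direction each one is attached to.
ATTACH = {
    ("eth0", "in"): "WAN_IN", ("eth0", "local"): "WAN_LOCAL", ("eth0", "out"): "WAN_OUT",
    ("eth1", "in"): "LAN_IN", ("eth1", "local"): "LAN_LOCAL",
    ("eth2", "in"): "LAN_IN", ("eth2", "local"): "GUEST_LOCAL",
}

# Ruleset = (default action, ordered rules); a rule is a match dict and the action it takes.
RULESETS = {
    "WAN_IN": ("drop", [({"established": True}, "accept"),
                        ({"proto": "tcp", "dport": 443}, "accept")]),
    "WAN_LOCAL": ("drop", [({"established": True}, "accept")]),
    # OUT is evaluated before SNAT, so it still sees the private source address.
    "WAN_OUT": ("accept", [({"src": "192.168.2.0/24", "proto": "tcp", "dport": 25}, "drop")]),
    "LAN_IN": ("accept", []),
    "LAN_LOCAL": ("accept", []),
    "GUEST_LOCAL": ("reject", [({"proto": "udp", "dport": 53}, "accept")]),
}

# Port forward (DNAT), consulted before the firewall: public 1.1.1.2:443 -> internal web server.
DNAT = [{"in_iface": "eth0", "dst": "1.1.1.2", "dport": 443, "to": "192.168.1.10"}]
# SNAT, consulted after the firewall: LAN1 and LAN2 pinned to different public addresses,
# plus a masquerade on eth1 so hairpinned connections come back through the router.
SNAT = [
    {"out": "eth0", "src": "192.168.1.0/24", "to": "1.1.1.3"},
    {"out": "eth0", "src": "192.168.2.0/24", "to": "1.1.1.6"},
    {"out": "eth1", "src": "192.168.1.0/24", "to": "masquerade"},
]


def route(dst):
    """Routing decision: 'local' if dst is one of the router's own addresses, else the egress interface."""
    if any(dst in i["addrs"] for i in IFACES.values()):
        return "local"
    for name, i in IFACES.items():
        if ip_address(dst) in ip_network(i["net"]):
            return name
    return DEFAULT_ROUTE


def matches(rule, pkt):
    for key, want in rule.items():
        if key == "src":
            if ip_address(pkt.src) not in ip_network(want):
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def evaluate(name, pkt):
    """First matching rule wins; otherwise the ruleset's default action applies."""
    default, rules = RULESETS[name]
    return next((action for match, action in rules if matches(match, pkt)), default)


def process(pkt, hairpin=True):
    """Walk one packet through the router; report the rulesets it hit, the verdict and what leaves."""
    trace = {"rulesets": [], "verdict": "accept", "out_iface": None, "reply_to_source": None}
    # 1. DNAT. With hairpin, the port forward also applies when an inside host uses the public address.
    for r in DNAT:
        on_iface = hairpin or pkt.in_iface == r["in_iface"]
        if on_iface and (pkt.dst, pkt.dport, pkt.proto) == (r["dst"], r["dport"], "tcp"):
            pkt = replace(pkt, dst=r["to"])
            break
    # 2. Routing decision, on the already-translated destination.
    egress = route(pkt.dst)
    # 3. Firewall: <in>_LOCAL for traffic to the router, <in>_IN then <out>_OUT for forwarded traffic.
    chain = [(pkt.in_iface, "local")] if egress == "local" else [(pkt.in_iface, "in"), (egress, "out")]
    for key in chain:
        name = ATTACH.get(key)
        if name is None:  # nothing attached in that direction: nothing is filtered there
            continue
        trace["rulesets"].append(name)
        action = evaluate(name, pkt)
        if action != "accept":
            trace["verdict"] = action
            # DROP is silent; REJECT tells the source (ICMP unreachable or TCP RST).
            trace["reply_to_source"] = "icmp-port-unreachable" if action == "reject" else None
            break
    # 4. SNAT applies only to accepted, forwarded packets; LOCAL traffic never gets here.
    if trace["verdict"] == "accept" and egress != "local":
        trace["out_iface"] = egress
        for r in SNAT:
            if r["out"] == egress and ip_address(pkt.src) in ip_network(r["src"]):
                # Masquerade always uses the interface's primary address; SNAT uses the fixed one.
                new_src = IFACES[egress]["addrs"][0] if r["to"] == "masquerade" else r["to"]
                pkt = replace(pkt, src=new_src)
                break
    trace.update(src=pkt.src, dst=pkt.dst)
    return trace
```

Feeding `process(Packet("eth0", "203.0.113.5", "1.1.1.2", "tcp", 443))` shows the port forward being applied before the firewall, so WAN_IN is what decides the fate of the already-translated packet to 192.168.1.10. `Packet("eth2", "192.168.2.20", "203.0.113.9", "tcp", 25)` is accepted by LAN_IN and then dropped by WAN_OUT while its source is still 192.168.2.20, which is why an OUT rule can match on a private source address even though SNAT would rewrite it a step later; the same packet to port 443 instead leaves as 1.1.1.6, while a LAN1 client leaves as 1.1.1.3, which is the SNAT-versus-masquerade distinction from the /29 example. For hairpin, `Packet("eth1", "192.168.1.20", "1.1.1.2", "tcp", 443)` is translated to the internal server and masqueraded to 192.168.1.1 so the server's reply returns through the router; with `hairpin=False` the model classifies the same packet as LOCAL traffic to the router's own address and it never reaches the server. Whether a real router hands such a packet to its own stack or to the WAN depends, as the write-up says, on make, model and software version.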
Regular Member
Posts: 495
Registered: ‎06-01-2016
Kudos: 55
Solutions: 18

Re: Layman's firewall explanation

Really great graphic, thanks!  Would love to see the more complicated version; the only easy addition I can imagine is placing DHCP per interface.  I might go wild and crazy and try to diagram in my individual firewall rules...

SuperUser
Posts: 19,051
Registered: ‎09-17-2013
Kudos: 4769
Solutions: 1342

Re: Layman's firewall explanation


Aaarrrgggh wrote:

Really great graphic, thanks!  Would love to see the more complicated version; the only easy addition I can imagine is placing DHCP per interface.  I might go wild and crazy and try to diagram in my individual firewall rules...


DHCP per interface would simply be multiple "interface_IN" rulesets (or a single one, in the case of multiple "guest" VLANs, that all should have the same ruleset).

New Member
Posts: 38
Registered: ‎03-28-2013
Solutions: 1

Re: Layman's firewall explanation

Hi,

 

Regarding the disallow guest to lan, is it possible to disallow guest to the firewall apart from the lan.

 

A few years ago I had an issue where I had a PPTP VPN set up and I was able to get to the firewall device itself from the remote site. I managed to block access to all local PCs but one (the PC I needed through the VPN) through firewall rules, but I couldn't manage to block access to the firewall device.

 

Thanks

SuperUser
Posts: 19,051
Registered: ‎09-17-2013
Kudos: 4769
Solutions: 1342

Re: Layman's firewall explanation

not sure what you're asking, you mean blocking a given network from accessing the router itself?

New Member
Posts: 38
Registered: ‎03-28-2013
Solutions: 1

Re: Layman's firewall explanation

Yes. That's it. 

 

The setup I had two years ago was PPTP vpn. 

 

If I remember correctly, I managed to block the local LAN resources from seeing the device through firewall rules, but I couldn't manage to block remote PCs (through the VPN) from seeing the firewall.

 

When I say not seeing the firewall, I mean nothing comes up with 192.168.1.1 in a browser. Applies as well to SSH.

 

Thanks

New Member
Posts: 7
Registered: ‎12-29-2016

Re: Layman's firewall explanation

This post is awesome.  Thank you for the great diagram and info.

 

Does anybody know when incoming WAN IPSec decryption happens and outgoing encryption happens if an IPSec VPN is in play?

 

Assuming the outgoing encryption happens between the interface and SNAT (as we have to write exception SNAT rules)(?) What about decryption? Does that happen before DNAT, or before the FW local (or in?)

 

Thanks,

Ian

 

SuperUser
Posts: 19,051
Registered: ‎09-17-2013
Kudos: 4769
Solutions: 1342

Re: Layman's firewall explanation

In a very general sense, all VPN stuff will happen in the "local processing" bubble (assuming, ofc, that the ER is the VPN endpoint).
