Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6
Accepted Solution

Bridge and firewall

Hi, I'm looking for some help setting up my EdgeRouter Lite with firmware 1.6.

So I have eth2 and eth1 as a bridge (br0), and when connected, traffic flows transparently from one to the other. I then set the firewall in the config tree on eth2, eth1 and br0, but I can't get the firewall to block the traffic.

Is there something I'm missing in the setup?


Accepted Solutions
Member
Posts: 194
Registered: ‎12-11-2013
Kudos: 224
Solutions: 7

Re: Bridge and firewall

To be honest, I think you're a bit out of your depth if you don't know how to create a script on the system.  You should really learn some of the basics of Linux and become comfortable with using the CLI on EdgeOS instead of the GUI.

That said, I'm interested in this configuration because it's one I would like to see UBNT support in the future, so I decided to mock this up in the lab to verify it works.

I did notice that DHCP gets dropped:

IN=br901 OUT=br901 PHYSIN=eth1.901 PHYSOUT=eth0.40 MAC=ff:ff:ff:ff:ff:ff:a8:20:66:50:51:ad:08:00:45:00:01:48 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=49249 PROTO=UDP SPT=68 DPT=67 LEN=308

Oops.

Oversight on my part, and probably why you were having trouble.  If EdgeOS supported physical interface matching we could say any traffic from the internal physical interface was trusted, but it doesn't. :(

The next best thing is to just allow DHCP request traffic through the bridge:

 

set firewall name VLAN901 rule 20 action accept
set firewall name VLAN901 rule 20 protocol udp
set firewall name VLAN901 rule 20 source port 68
set firewall name VLAN901 rule 20 destination port 67

 

The response will be caught by ESTABLISHED, RELATED so you should be all set.

Aside from that it works fine: I'm online through a transparent bridge firewall.

 

As for creating the script:

 

# Change to root using sudo:

sudo -i

# Use vi to create the script file:

vi /config/scripts/post-config.d/bridge-nf-call-iptables

# In vi hit [i] to enter input mode and paste the 2 line script:

#!/bin/bash
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

# In vi hit [esc] then ":w" and [enter] to save.  Then ":q" and [enter] to quit.

# Back on the CLI make the script file executable:

chmod +x /config/scripts/post-config.d/bridge-nf-call-iptables

 

Here are relevant configuration snippets:

 

firewall {
    group {
        network-group NET-VLAN901 {
            network 10.1.1.0/24
        }
    }
    name VLAN901 {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 11 {
            action drop
            state {
                invalid enable
            }
        }
        rule 20 {
            action accept
            destination {
                port 67
            }
            protocol udp
            source {
                port 68
            }
        }
        rule 99 {
            action accept
            source {
                group {
                    network-group NET-VLAN901
                }
            }
            state {
                new enable
            }
        }
    }
}
interfaces {
    bridge br901 {
        aging 300
        firewall {
            out {
                name VLAN901
            }
        }
        hello-time 2
        max-age 20
        priority 0
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        description OUTSIDE
        duplex auto
        speed auto
        vif 40 {
            bridge-group {
                bridge br901
            }
        }
    }
    ethernet eth1 {
        description INSIDE
        duplex auto
        speed auto
        vif 901 {
            bridge-group {
                bridge br901
            }
        }
    }
}

 

I have a separate management IP on a different interface for this setup, but you could assign the bridge interface an IP on the local network if you wanted to.
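Added example, not code from the thread or from Ubiquiti: a POSIX shell version of the two-line post-config.d script above that verifies the sysctl actually took, plus a quick check for the DHCP-drop symptom in the log line above. Assumptions (mine, not the answer's): the sysctl path is the one the answer uses, /proc/sys/net/bridge/bridge-nf-call-iptables; firewall drops are logged in the netfilter LOG format quoted above and land in /var/log/messages; the function names enable_bridge_nf and dropped_dhcp_count, the "apply"/"check"/"demo" arguments and the sample log lines are all constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Bridged frames only traverse iptables
# when bridge-nf-call-iptables is 1; without it a firewall on br0 matches
# nothing, which is the symptom the original question describes.

# Assumed path, as used by the accepted answer's script.
BRIDGE_NF_PATH=/proc/sys/net/bridge/bridge-nf-call-iptables

# Enable bridge-nf-call-iptables and read it back. Takes an optional path so
# it can be exercised against a temp file without root. Returns non-zero if
# the sysctl is missing (bridge module not loaded) or the write did not stick.
enable_bridge_nf() {
    path="${1:-$BRIDGE_NF_PATH}"
    if [ ! -e "$path" ]; then
        echo "enable_bridge_nf: $path not present (is the bridge module loaded?)" >&2
        return 1
    fi
    echo 1 > "$path" || return 1
    [ "$(cat "$path")" = "1" ]
}

# Count logged drops of DHCP client->server traffic (UDP 68 -> 67) arriving
# on a bridge interface. Reads log text on stdin; prints the count (0 if none).
# On the router: dropped_dhcp_count < /var/log/messages   (assumed log path)
dropped_dhcp_count() {
    grep -cE 'IN=br[^ ]* .*PROTO=UDP .*SPT=68 DPT=67' || true
}

# Constructed sample log: two DHCP drops and one unrelated TCP drop. The
# "[VLAN901-default-D]" prefix mimics the EdgeOS firewall log prefix.
SAMPLE_LOG='[VLAN901-default-D]IN=br901 OUT=br901 PHYSIN=eth1.901 PHYSOUT=eth0.40 SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308
[VLAN901-default-D]IN=br901 OUT=br901 PHYSIN=eth1.901 PHYSOUT=eth0.40 SRC=10.1.1.50 DST=10.1.1.1 PROTO=TCP SPT=50123 DPT=443
[VLAN901-default-D]IN=br901 OUT=br901 PHYSIN=eth1.901 PHYSOUT=eth0.40 SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308'

# Dispatch for interactive use (assumed arguments). With no argument the
# script only defines the functions, so it is safe to source.
case "${1:-}" in
    apply) enable_bridge_nf ;;
    check) dropped_dhcp_count < "${2:-/var/log/messages}" ;;
    demo)  printf '%s\n' "$SAMPLE_LOG" | dropped_dhcp_count ;;
esac
```

To use it the way the answer does, save it under /config/scripts/post-config.d/, chmod +x it, and replace the case dispatch with a bare `enable_bridge_nf || exit 1` so it runs unconditionally at boot. A non-zero count from `check` after the sysctl is set means the DHCP accept rule (rule 20 above) is missing or is ordered after a drop.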


All Replies
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3113
Solutions: 945
Contributions: 16

Re: Bridge and firewall

Post your config file.

EdgeMAX Router Software Development
Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

Here you go.

eth0 192.168.1.1 default login.

Attachment
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3113
Solutions: 945
Contributions: 16

Re: Bridge and firewall

Firewall needs to be applied to br0 not eth1 and eth2.

EdgeMAX Router Software Development
Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

Ok changed it to br0 for in and out and its still not blocking.

Attachment
SuperUser
Posts: 20,320
Registered: ‎09-17-2013
Kudos: 5085
Solutions: 1444

Re: Bridge and firewall

I'm confused by your setup, as you don't seem to have any WAN interface(s) defined, and your bridge is set up to kill all traffic going anywhere (although, TBH, you don't need rule 1, as it's redundant to the default action).

 

eth0 = 192.168.0.0/24 network (no firewalls)

eth1 & eth2 (aka br0) = no network(s), firewalled.

 

How're you testing this (or, better put -- what's plugged into where)?

 

 

Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

The firewall rule I added is just a test rule to get it to work, which it's not.

Eth0 is my access to the EdgeRouter, nothing more.

eth1 and eth2 are where I want to firewall the traffic, unchanged from one to the other, with a firewall doing basic SPI like NAT does, but without the NAT.

SuperUser
Posts: 20,320
Registered: ‎09-17-2013
Kudos: 5085
Solutions: 1444

Re: Bridge and firewall

OK, you're going to have to clarify better -- 192.168.1.1 (eth0) is connected to your test system, and the br0 interface is doing ... what?

Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

The br0 is for traffic I want to bridge from eth1 to eth2 and eth2 to eth1 with a firewall.

Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

Maybe this will help explain what I'm trying to do.

(attached diagram: br0.png)
SuperUser
Posts: 20,320
Registered: ‎09-17-2013
Kudos: 5085
Solutions: 1444

Re: Bridge and firewall

OK, so if I'm reading this right ... you're doing it wrong. Can you explain what it is you're trying to accomplish in more detail?  What's the purpose of using a router here?

 

A bridge just connects two L2 network segments across the bridged interfaces (e.g. LAN -> WLAN).  These two segments are on the same L3 subnet (such as 192.168.1.0/24).  Due to this, the bridge has no concept of packets or IP addresses, and relies entirely on ethernet frames for data transport. 

 

Packets get introduced when you go up to L3 (when you start traversing different networks - such as 192.168.1.0/24 and 192.168.2.0/24 ... or subnets - such as 192.168.1.0/25 and 192.168.1.129/25).

 

 

Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

dpurgert wrote:

 Can you explain what it is you're trying to accomplish in more detail?  What's the purpose of using a router here?

Surely you can see what I'm trying to do: packets arrive at eth1; the EdgeRouter Lite, with the firewall set on eth1, keeps state and sends them out eth2; when packets arrive at eth2, the EdgeRouter Lite checks the state and either drops them or sends them out eth1, based on the firewall rules set on eth1 and eth2.

So if I'm doing it wrong, how do I firewall 10.1.1.2 going to 8.8.8.8, going into the EdgeRouter Lite and out of the EdgeRouter Lite as 10.1.1.2 to 8.8.8.8?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3113
Solutions: 945
Contributions: 16

Re: Bridge and firewall

To do layer2 firewall I think you would need ebtables instead of iptables.

EdgeMAX Router Software Development
Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

So what do I need to do? Is there a beta I can get to make it work the way I want?

Found this post you made, but what do I do with it?

http://community.ubnt.com/t5/EdgeMAX/Firewalling-on-a-Transparent-Bridge/m-p/747440#M25049

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3113
Solutions: 945
Contributions: 16

Re: Bridge and firewall


UBNT-stig wrote:

To do layer2 firewall I think you would need ebtables instead of iptables.

sudo ebtables -A FORWARD -i eth+ -j DROP

Once I do that my pings stop and I can see drop counters:

ubnt@ubnt:~$ sudo ebtables -L --Lc
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i eth+ -j DROP , pcnt = 3 -- bcnt = 138

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Of course that rule makes the bridge kinda useless.

EdgeMAX Router Software Development
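Added example, not code from the thread or from Ubiquiti: a shell helper that parses the `ebtables -L --Lc` output shown in the post above and reports how many packets the DROP rules in a chain have matched, so a bridge-table rule can be checked by a script rather than by eyeballing the counters. The sample output is a copy of the output above, embedded so the script runs offline; the function names chain_drop_packets and drops_observed and the "demo" argument are my own.

```sh
#!/bin/sh
# Added example (not from the thread): confirm that an ebtables rule is live
# and matching by reading the per-rule packet counters (pcnt) that
# `ebtables -L --Lc` prints.

# Sum the packet counter of every DROP rule in the given chain (default
# FORWARD). Reads `ebtables -L --Lc` text on stdin; prints an integer.
# On the router: sudo ebtables -L --Lc | chain_drop_packets FORWARD
chain_drop_packets() {
    chain="${1:-FORWARD}"
    awk -v want="$chain" '
        # "Bridge chain: FORWARD, entries: 1, policy: ACCEPT" -> cur = FORWARD
        /^Bridge chain:/ { cur = $3; sub(/,$/, "", cur) }
        # "-i eth+ -j DROP , pcnt = 3 -- bcnt = 138" -> add the value after "pcnt ="
        cur == want && /-j DROP/ {
            for (i = 1; i <= NF; i++) if ($i == "pcnt") sum += $(i + 2)
        }
        END { print sum + 0 }
    '
}

# Return 0 when the chain has DROP rules that have matched at least one
# packet, 1 otherwise. Reads the same stdin as chain_drop_packets.
drops_observed() {
    n="$(chain_drop_packets "$1")"
    [ "$n" -gt 0 ]
}

# Constructed copy of the output quoted in the post above.
SAMPLE_EBTABLES='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i eth+ -j DROP , pcnt = 3 -- bcnt = 138

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# With no argument the script only defines the functions (assumed "demo" arg).
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_EBTABLES" | chain_drop_packets FORWARD ;;
esac
```

Run your pings through the bridge, then pipe the live counter output into drops_observed FORWARD: a zero count with traffic flowing means the frames are not reaching that chain at all (wrong interface match or not actually bridged), which is a different problem from a rule that matches but is too broad.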
Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

I don't think this ebtables will help me.

So how do I firewall 10.1.1.2 going to 8.8.8.8, going into the EdgeRouter Lite and out of the EdgeRouter Lite as 10.1.1.2 to 8.8.8.8?

SuperUser
Posts: 20,320
Registered: ‎09-17-2013
Kudos: 5085
Solutions: 1444

Re: Bridge and firewall


legacy0 wrote:

I don't think this ebtables will help me.

So how do I firewall 10.1.1.2 going to 8.8.8.8, going into the EdgeRouter Lite and out of the EdgeRouter Lite as 10.1.1.2 to 8.8.8.8?

You don't.  10.0.0.0/8 is one of the three "private" netblocks (the other two being 172.16.0.0/12 and 192.168.0.0/16).  They're un-routable addresses on the internet.

Again, what is it that you're trying to do with a router?  Are you trying to connect your network to the outside world?  If that's what you're trying to do, then a setup similar to this example will work.

Interface declarations:

 

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.10.1/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}

 

and SNAT (masquerade) for sending things to the world:

service {
    nat {
        rule 5001 {
            outbound-interface eth0
            type masquerade
        }
    }
}
 

Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

But I don't want my 10.1.1.2 changed when it goes into the EdgeRouter Lite and out; I want the same source IP that went in to go out, but with a firewall in between, done by the EdgeRouter Lite.

 

Member
Posts: 294
Registered: ‎11-24-2014
Kudos: 19
Solutions: 6

Re: Bridge and firewall

And DHCP for 10.1.1.2 must be obtained from the network the EdgeRouter Lite is connected to, not handed out by the EdgeRouter Lite.

SuperUser
Posts: 20,320
Registered: ‎09-17-2013
Kudos: 5085
Solutions: 1444

Re: Bridge and firewall


OK, you're making no sense.

 

What's your network layout?  Something like this?

 

host (10.1.2.3) -> ERL (eth1 / 10.1.2.1) -> ERL (eth2 10.4.5.2) -> Rest of network (10.4.5.0/24) -> Internet (public_ip_redacted).

 

 

If it's something like that, then you need to do this on the ERL:

 

eth1 = 10.1.2.1 

eth2 = 10.4.5.2 (or something else on the netblock outside of any DHCP leases)

 

Routing:

10.1.2.0/24 - Connected (should be auto-added)

10.4.5.0/24 - Connected (should be auto-added)

0.0.0.0/0 - 10.4.5.1 (Default Gateway -- you'll probably need to define this)

 

 

edit -- 

 

Though, if I'm reading your last post right ... you're using the wrong device, and would be better suited with a switch.
