Emerging Member
Posts: 42
Registered: ‎07-22-2016
Kudos: 11
Solutions: 3

Feature Wizard for Zone Initialization


Hey everyone,

I've been working on a zone initialization wizard. Ever since I got a couple of EdgeRouter X's for home, I've been really loving the features. We use zone-based rules and structure at work (with some of the larger-sized Palo Altos). When I saw zone support, I had to explore it, and found that a wizard was needed to get past the complexity of building out all the permutations of rulesets. Personally, I wish zones were more like bound objects one could simply include 1-to-many of in the sources and destinations of FW rules... but I'm still happy to see what this has to offer.

Anyway... I'm still working on the zone initialization wizard (refinements mostly), but it's probably ready for others to play with if they are interested. I need to do more with the form (mostly instructions and warnings that it can take a while).

One thing to note: the wizard could easily run for 3-5 minutes depending on how many zones you have it set up with, and may even result in a loss of access for a short while. It is best run on a router that has had its basic networking already set up and does not have zones in place yet. I haven't put in all the checks to remove existing zones or associations with interfaces, so that could be buggy. But if you don't have any FW rulesets tied to interfaces, I don't think there will be issues.

I have the wizard create a basic set of rules. It can be overly permissive for final implementation, but without knowing one's planned use, it's safer to let the access start as I do, I think (i.e. zones can openly get to the router, and vice versa). I do lock it down further in my own setup after this initialization.

Also to note, during its running time, you may also lose access to the router for a minute or so while Vyatta applies all the commands during the commit phase. I was watching what it was doing via command line, and noticed that at a point during commit, one of the backend perl scripts resulted in my losing access. But a minute later all resumed and everything was done properly.

Anyway... if anyone wants to check it out... I'm attaching here. It's still a work in progress, though. I hope to refine it soon with as many checks for conflicts in advance as possible so it runs cleanly. I would be interested in any feedback. This was my first attempt at a wizard and I'm still fairly new to the EdgeRouter/EdgeMAX world.

Thanks,
-Alex

[Screenshot: Screen Shot 2016-08-22 at 12.27.45 AM.png]

Using EdgeRouter X (2) running v1.9.0 | Zone-based FW rulesets
Attachment
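The post describes the wizard's core job as building out every source/destination permutation of zone rulesets, with traffic between each zone and the router (the local zone) left open and everything else starting from a default-action of drop. The following added example (not the wizard's code, not from the original post) shows how many `set` commands that expands to for a handful of zones, using the `<FROM>-<TO>` ruleset naming that the thread's later posts refer to (e.g. `VLANXX-WAN`). The EdgeOS `zone-policy` and `firewall name` command syntax is assumed from the standard EdgeOS CLI; the established/related rule 10 is an assumption added here, not something the post says the wizard creates.

```python
from itertools import permutations

# Constructed sample: zone name -> interface carrying it (assumption for illustration).
SAMPLE_ZONES = {"LAN": "eth1", "WAN": "eth0", "GUEST": "eth2"}


def ruleset_names(zones, local_zone="LOCAL"):
    """Every ordered (from, to) pair of zones, including the router's local zone.

    n user zones plus the local zone give (n+1)*n named rulesets, which is why
    the post calls this 'all the permutations' and why the wizard runs so long.
    """
    every_zone = list(zones) + [local_zone]
    return [f"{src}-{dst}" for src, dst in permutations(every_zone, 2)]


def zone_rulesets(zones, local_zone="LOCAL"):
    """Return EdgeOS 'set' commands that declare zones and one ruleset per pair.

    Policy mirrors what the post describes as the wizard's starting point:
      - zone <-> local zone: default-action accept (zones can reach the router
        and vice versa), to be tightened by the operator afterwards;
      - zone <-> zone: default-action drop, so only explicitly added rules pass.
    """
    commands = []
    for zone, iface in zones.items():
        commands.append(f"set zone-policy zone {zone} default-action drop")
        commands.append(f"set zone-policy zone {zone} interface {iface}")
    # The local zone is the router itself; it has no interface binding.
    commands.append(f"set zone-policy zone {local_zone} local-zone")
    commands.append(f"set zone-policy zone {local_zone} default-action drop")

    every_zone = list(zones) + [local_zone]
    for src, dst in permutations(every_zone, 2):
        name = f"{src}-{dst}"
        action = "accept" if local_zone in (src, dst) else "drop"
        commands.append(f"set firewall name {name} default-action {action}")
        # Assumption (not from the post): allow return traffic of established flows,
        # so a drop default between zones still lets replies back through.
        commands.append(f"set firewall name {name} rule 10 action accept")
        commands.append(f"set firewall name {name} rule 10 state established enable")
        commands.append(f"set firewall name {name} rule 10 state related enable")
        # Rulesets are attached on the destination zone, keyed by the source zone.
        commands.append(f"set zone-policy zone {dst} from {src} firewall name {name}")
    return commands


if __name__ == "__main__":
    cmds = zone_rulesets(SAMPLE_ZONES)
    print(f"{len(ruleset_names(SAMPLE_ZONES))} rulesets, {len(cmds)} commands")
    print("\n".join(cmds))
```

Three zones plus the local zone already yield 12 rulesets; each extra zone adds 2n+2 more, which is the growth the wizard is hiding from the operator. Reviewing the generated list before a commit is also the moment to catch a ruleset that is about to land on an interface that still has a legacy `WAN_IN`-style binding, the conflict several replies in this thread run into.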

All Replies
Ubiquiti Employee
Posts: 103
Registered: ‎11-04-2013
Kudos: 37
Solutions: 10

Re: Feature Wizard for Zone Initialization

Added to the wizards list. Thanks for sharing!

New Member
Posts: 26
Registered: ‎06-21-2014

Re: Feature Wizard for Zone Initialization

The wizard for zones is not working on ERL ver 1.9. Every time after initialization on any interface I am losing connection to the GUI. Any ideas?

Emerging Member
Posts: 42
Registered: ‎07-22-2016
Kudos: 11
Solutions: 3

Re: Feature Wizard for Zone Initialization

When you say you lose connectivity with the GUI, do you mean during the initialization, or after all is done?

During initialization, there is a point where connectivity seems to get dropped. This seems to occur when the commit occurs for all the changes. However, when I've just waited (no more than a minute, I think) it comes back and completes.

If you mean that you are not able to access the GUI after that is all done, then that is unexpected. The default FW rules explicitly allow traffic from each of the zones to the local zone (the router's interfaces). Hopefully you just mean during the init process.

If you are seeing it during the init, how long do you wait for? It should come back after a minute or so.

I know... I seriously need to add some more guidance and instruction on the wizard page. It can run for a long period of time and has that GUI interruption. I have tested this on both 1.8.5 and 1.9.0 without issue, though.

Thanks,

-Alex

Using EdgeRouter X (2) running v1.9.0 | Zone-based FW rulesets
Member
Posts: 243
Registered: ‎02-05-2016
Kudos: 168
Solutions: 1

Re: Feature Wizard for Zone Initialization

Doesn't appear to work in 1.9.1.

Run it up, it runs for some time, I lose access for a minute, then log in and no rules have changed at all, no zone config or anything. Can you assist?

Emerging Member
Posts: 42
Registered: ‎07-22-2016
Kudos: 11
Solutions: 3

Re: Feature Wizard for Zone Initialization

Does it give an error? I only use this to initialize my routers. If you already have firewall definitions bound to interfaces, you may have issues. It does work on 1.9.1 and 1.9.1.1. I just used it to help initialize a router for someone. I did hit a problem with the default rules that were already bound to the eth0 interface for WAN_IN and such. I had to disassociate all firewall rules from the interfaces. Then it ran without a hitch. I did receive an error, though.

If I ever get around to it, I should have it disassociate all FW rules by default before proceeding.

Hope that helps.

Using EdgeRouter X (2) running v1.9.0 | Zone-based FW rulesets
Member
Posts: 243
Registered: ‎02-05-2016
Kudos: 168
Solutions: 1

Re: Feature Wizard for Zone Initialization

Hi mate,

Tried it many ways. I thought I could erase it, create my interfaces and run the zone wizard.

Got different issues each time.

I tried most recently keeping my config by unassigning interfaces with the existing rules, then running it. Still no dice.

Happy to work through it, keen to get ZBF running.

New Member
Posts: 1
Registered: ‎03-07-2017

Re: Feature Wizard for Zone Initialization

Hello,

On the latest EdgeOS version 1.9.7 this wizard does not work anymore; "Error: Unable to load the wizard (Internal Server Error)" appears.

Can you help and advise how to make it work again?

Thank you!

New Member
Posts: 2
Registered: ‎03-01-2018

Re: Feature Wizard for Zone Initialization

Hi there,

Are all the wizards access restricted? I get access denied.

Thanks for any help!

Luis
New Member
Posts: 15
Registered: ‎03-24-2018
Solutions: 1

Re: Feature Wizard for Zone Initialization

I just tried adding this on my ERX v1.10.1 and it errors out:

Error: Unable to load the wizard (Internal Server Error)

I'll have a go at pulling the logs and such, but wanted to flag that this isn't working for me on my recent(ish) FW. The ERX is configured with the standard 2 LANs + WAN ruleset and the 2 regular WAN_IN and WAN_LOCAL rules.

New Member
Posts: 1
Registered: ‎11-20-2018

Re: Feature Wizard for Zone Initialization

The wizard is still working with v1.10.7 on my ER-X.

You can use my updated attachment or fix the bug yourself if already installed.

Error: Unable to load the wizard (Internal Server Error)

Edit validator.json and add the missing comma (after the "zname" block):

vi /config/wizard/feature/[Zone_Initializer]/validator.json


{
    "rules": {
        "zname": {
            "required": true
        },
        "zinterface": {
            "required": true,
            "interfaceName": 1
        }
    }
}
Setup (works on my machine)

  1. Hard reset ER-X
  2. Basic Setup wizard, static ip, firewall disabled and eth1-4 connected to switch0
  3. Add VLAN interfaces on switch0(or any other interface), DNS interfaces, DHCP ranges (image 1)
  4. Run Zone Initializer wizard (image 2)
  5. Wait ~5min or longer
  6. Change firewall rules of VLANXX-WAN to default action: accept to allow internet access


[Image 1: JfdJpdR.png]

[Image 2: 1TgsUby.png]

===== EDIT

Improved the wizard to include vif's.

[Image: jfQMv7j.png]

Attachment
Attachment
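The "Internal Server Error" reported in this thread comes down to a malformed validator.json (a missing comma between the "zname" and "zinterface" blocks), which the wizard loader cannot parse. A cheap pre-flight check before uploading a wizard package is to parse every JSON file in its directory and report the exact line and column of any syntax error. The added example below (not part of the wizard or the original post) does that with Python's standard json module; the two embedded documents are constructed here, one reproducing the missing-comma defect and one matching the corrected validator.json from the post. The directory layout is assumed to be "a folder containing *.json files"; no other EdgeOS wizard file names are assumed.

```python
import json
from pathlib import Path

# Constructed sample: validator.json as it ships with the bug (no comma after the
# "zname" object), which is what produces the "Unable to load the wizard" error.
BROKEN_VALIDATOR = """{
    "rules": {
        "zname": {
            "required": true
        }
        "zinterface": {
            "required": true,
            "interfaceName": 1
        }
    }
}
"""

# Constructed sample: the corrected file from the post, with the comma in place.
FIXED_VALIDATOR = """{
    "rules": {
        "zname": {
            "required": true
        },
        "zinterface": {
            "required": true,
            "interfaceName": 1
        }
    }
}
"""


def check_json_text(text):
    """Parse text as JSON.

    Returns None when the document is well formed, otherwise a tuple
    (line, column, message) pointing at the first syntax error, so the
    operator can open the file in vi and go straight to the offending spot.
    """
    try:
        json.loads(text)
    except json.JSONDecodeError as err:
        return (err.lineno, err.colno, err.msg)
    return None


def check_wizard_dir(directory):
    """Validate every *.json file under a wizard directory.

    Returns a dict {filename: (line, column, message)} containing only the
    files that failed to parse; an empty dict means the package is clean.
    """
    problems = {}
    for path in sorted(Path(directory).rglob("*.json")):
        result = check_json_text(path.read_text(encoding="utf-8"))
        if result is not None:
            problems[str(path)] = result
    return problems


def describe(name, result):
    """Human-readable one-liner for a check result."""
    if result is None:
        return f"{name}: OK"
    line, col, msg = result
    return f"{name}: line {line} col {col}: {msg}"


if __name__ == "__main__":
    print(describe("broken validator.json", check_json_text(BROKEN_VALIDATOR)))
    print(describe("fixed validator.json", check_json_text(FIXED_VALIDATOR)))
```

Running the script prints the broken copy's error at line 6, the `"zinterface"` line, because the parser only notices the missing comma when it meets the next key. The same check over a whole wizard folder (`check_wizard_dir("/path/to/Zone_Initializer")`) on a workstation before copying it to `/config/wizard/feature/` avoids discovering the defect as an opaque HTTP 500 from the router's web UI.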