New Member
Posts: 4
Registered: 01-17-2018

Firewall Vlan not working
Hi, 

Newbie/rookie here, I need some help with the following:

I have an EdgeRouter X set up with a trunk for my UAP, so I can have a separate network for my employees and for my guests. The guests are on switch0.10 and the employees are on switch0.1. This all works. However, I can't seem to get the firewall rules for blocking social, P2P and proxy traffic (20, 30 and 50 on GUEST_TO_LAN) on only the guest network to work. I can still make use of proxies, P2P software and social websites.
My settings are as below:

firewall {
     all-ping enable
     broadcast-ping disable
     group {
         network-group Employee_LAN {
             description ""
             network 192.168.0.0/16
             network 172.16.0.0/12
             network 10.0.0.0/8
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name GUEST_TO_LAN {
         default-action accept
         description ""
         rule 10 {
             action accept
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action drop
             application {
                 category P2P
             }
             description DROP_P2P
             log disable
             protocol all
         }
         rule 30 {
             action drop
             application {
                 category Social-Network
             }
             description DROP_SOCIAL
             log disable
             protocol all
         }
         rule 40 {
             action drop
             description LAN_RANGES
             destination {
                 group {
                     network-group Employee_LAN
                 }
             }
             log disable
             protocol all
         }
         rule 50 {
             action drop
             application {
                 category Bypass-Proxies-and-Tunnels
             }
             description DROP_proxies
             log disable
             protocol all
         }
     }
     name GUEST_TO_LOCAL {
         default-action drop
         description ""
         rule 1 {
             action accept
             description DNS
             destination {
                 port 53
             }
             log disable
             protocol tcp_udp
         }
         rule 2 {
             action accept
             description DHCP
             destination {
                 port 67
             }
             log disable
             protocol udp
         }
         rule 3 {
             action accept
             description rule3respondtolan
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         description Local
         mtu 1500
         switch-port {
             interface eth1 {
                 vlan {
                     pvid 1
                 }
             }
             interface eth2 {
                 vlan {
                     pvid 1
                     vid 10
                 }
             }
             interface eth3 {
                 vlan {
                     pvid 1
                 }
             }
             interface eth4 {
                 vlan {
                     pvid 1
                 }
             }
             vlan-aware enable
         }
         vif 1 {
             address 192.168.1.1/24
             mtu 1500
         }
         vif 10 {
             address 10.0.0.1/24
             firewall {
                 in {
                     name GUEST_TO_LAN
                 }
                 local {
                     name GUEST_TO_LOCAL
                 }
             }
             mtu 1500
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name GUEST {
             authoritative disable
             subnet 10.0.0.0/24 {
                 default-router 10.0.0.1
                 dns-server 10.0.0.1
                 lease 86400
                 start 10.0.0.10 {
                     stop 10.0.0.254
                 }
             }
         }
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.10 {
                     stop 192.168.1.254
                 }
             }
         }
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0.1
             listen-on switch0.10
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }

Also, any further restrictions or settings recommended for a guest WLAN are welcome, since I want to prevent them as much as I can from doing something illegal.

New Member
Posts: 4
Registered: 01-17-2018

Re: Firewall Vlan not working

No one?

Established Member
Posts: 1,843
Registered: 03-02-2016
Kudos: 447
Solutions: 142

Re: Firewall Vlan not working

P2P, social media, and proxies are not illegal.

I'd suggest using OpenDNS for filtering, as it's probably easier and might even work better.
Ubiquiti Employee
Posts: 2,650
Registered: 05-08-2017
Kudos: 463
Solutions: 384

Re: Firewall Vlan not working

[ Edited ]

These categories rely on the operational state of the traffic analysis feature. Have you enabled this feature through the GUI Traffic Analysis tab or CLI:
configure
set system traffic-analysis dpi enable
set system traffic-analysis export enable
commit ; save

Also, make sure that the websites you wish to block are actually listed in the categories. You may need to update the firmware to populate the categories. As of this moment, there is no way to manually add websites to these categories.
You can verify the list of websites included in these categories with:
/usr/sbin/ubnt-dpi-util show-cat-apps P2P
/usr/sbin/ubnt-dpi-util show-cat-apps Social-Network
/usr/sbin/ubnt-dpi-util show-cat-apps Bypass-Proxies-and-Tunnels

Ben
Ben Pin | Ubiquiti Support
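The check Ben describes (application-category rules only match when traffic analysis is enabled) can be run offline against a saved config. The script below is an added example, not Ubiquiti code or anything posted in this thread: it parses the curly-brace EdgeOS config format shown above and reports which rulesets depend on DPI categories and whether a `system traffic-analysis dpi enable` stanza is present. The sample config is a constructed excerpt in the same format.

```python
def parse_edgeos(text):
    """Parse EdgeOS curly-brace config into nested dicts: 'key value' is a
    leaf, 'key [value] {' opens a sub-dict. Repeated leaf keys (e.g. several
    'network' lines in a group) keep only the last value, enough for this audit."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()          # close the current block
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip().strip('"')
    return root

def dpi_rule_audit(cfg):
    """Return ({ruleset: [categories]}, dpi_enabled). Every ruleset in the
    dict matches nothing on its application rules when dpi_enabled is False."""
    needs = {}
    for key, ruleset in cfg.get("firewall", {}).items():
        if not key.startswith("name "):
            continue                     # skip group, all-ping, etc.
        cats = [r["application"]["category"] for k, r in ruleset.items()
                if k.startswith("rule ") and "application" in r]
        if cats:
            needs[key.split(" ", 1)[1]] = cats
    dpi = cfg.get("system", {}).get("traffic-analysis", {}).get("dpi") == "enable"
    return needs, dpi

# Constructed excerpt (example input, not the poster's full config); it has
# no 'system { traffic-analysis { dpi enable } }' stanza, so the audit flags it.
SAMPLE_CONFIG = """\
firewall {
    name GUEST_TO_LAN {
        default-action accept
        rule 20 {
            action drop
            application {
                category P2P
            }
        }
    }
}
"""
```

Run `dpi_rule_audit(parse_edgeos(open("/config/config.boot").read()))` on the router to audit the live configuration.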

New Member
Posts: 4
Registered: 01-17-2018

Re: Firewall Vlan not working

[ Edited ]

@UBNT-benpin wrote:

These categories rely on the operational state of the traffic analysis feature. Have you enabled this feature through the GUI Traffic Analysis tab or CLI:
configure
set system traffic-analysis dpi enable
set system traffic-analysis export enable
commit ; save

Also, make sure that the websites you wish to block are actually listed in the categories. You may need to update the firmware to populate the categories. As of this moment, there is no way to manually add websites to these categories.
You can verify the list of websites included in these categories with:
/usr/sbin/ubnt-dpi-util show-cat-apps P2P
/usr/sbin/ubnt-dpi-util show-cat-apps Social-Network
/usr/sbin/ubnt-dpi-util show-cat-apps Bypass-Proxies-and-Tunnels

Ben
Hi Ben, 

Thank you for your answer. I have indeed already configured the traffic analysis. The websites I checked are also included in the category (for example Twitter, Facebook, etc.).
(also thank you for your videos, they were a great help!)

New Member
Posts: 4
Registered: 01-17-2018

Re: Firewall Vlan not working

[ Edited ]

@gfunkdave wrote:
P2P, social media, and proxies are not illegal.

I'd suggest using OpenDNS for filtering, as it's probably easier and might even work better.

I know, but most torrenting etc. is, which falls under P2P. I will consider OpenDNS, but I want to give this a try first.

Emerging Member
Posts: 50
Registered: 12-20-2017
Kudos: 6
Solutions: 4

Re: Firewall Vlan not working

I would also recommend using OpenDNS. It's definitely worth it, at least from the malware security standpoint.

However, OpenDNS will only catch about 98% of the traffic and block it. We have had two instances where someone managed to find a tracker that OpenDNS did not have in their P2P database. In that case we received a not so nice letter from the MPAA, and promptly employed an L3-level P2P block.