New Member
Posts: 10
Registered: ‎06-14-2014

Help a newbie understand Firewall rules

New EdgeMax Lite owner here.  I think I have a basic grasp on how the firewall rules work, but I'm looking for help with something a little more advanced.  Here is how my router is set up:

eth0 - WAN

eth1 - LAN

eth2 - unused

What I'd like to do is take eth2 and move my wireless AP over to that port and treat it almost like an unsecured network.  I'd like to block all the traffic from it to the LAN except for a few IPs, and allow all of it to access the internet port.

Let's say my WLAN subnet is 192.168.2.x, and I want 192.168.2.2-192.168.2.5 to be able to access everything on the LAN, and everything else is denied.

What would that firewall rule for the LAN port look like?  Would I use IN or LOCAL?

Member
Posts: 250
Registered: ‎02-03-2014
Kudos: 19
Solutions: 9

Re: Help a newbie understand Firewall rules

Question: is your LAN on a different subnet? If so, what's its range?

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: Help a newbie understand Firewall rules


Direction IN is traffic into the router for routing to other networks.

Direction LOCAL is traffic into the router for communicating with the router itself.

firewall {
    all-ping.......

    name WLAN_IN {
        default-action accept
        description "Block traffic to LAN"
        rule 10 {
            action accept
            description "Allow specific addresses to LAN"
            source {
                address 192.168.2.2-192.168.2.5
            }
        }
        rule 20 {
            action drop
            description "Drop traffic to subnet 10.0.0.0/8"
            destination {
                address 10.0.0.0/8
            }
            log enable
        }
        rule 30 {
            action drop
            description "Drop traffic to subnet 172.16.0.0/12"
            destination {
                address 172.16.0.0/12
            }
            log enable
        }
        rule 40 {
            action drop
            description "Drop traffic to subnet 192.168.0.0/16"
            destination {
                address 192.168.0.0/16
            }
            log enable
        }
    }
}

 This still needs some refining, but it's pretty close.  I might get time to edit it and clean it up tonight.

One thing to remember is that firewall rules are checked in order.  That is what makes this work.  Rule 10 is ahead of rule 40, so traffic meeting its conditions matches there and passes through the firewall before ever getting to rule 40.  If these rules were reversed, no traffic to subnet 192.168.0.0/16 would be allowed past the firewall, as it would be dropped before getting to the allow rule.

An additional option is to add established and related rules ahead of these.  That would allow anything on the WLAN to answer traffic sent to it from the LAN, but still not allow it to initiate any traffic. 

        rule 1 {
            action accept
            description "Allow any established or related traffic"
            state {
                established enable
                related enable
            }
        }

Without the established/related rule, equipment on the WLAN will be blocked from responding to any traffic from the LAN.  I.e., if you tried to ping a computer on the WLAN from a computer on the LAN, the computer on the WLAN would be blocked from responding.  With the established/related rule added, the same computer could respond to the ping from the LAN, but still could not initiate a new ping in the other direction.  Very helpful for troubleshooting purposes.

Hope this helps.
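To make the two points in the reply above concrete (IN versus LOCAL, and first-match ordering), here is a small Python model of the posted WLAN_IN ruleset. It is an added example, not code from the post or from EdgeOS: it evaluates rules in number order, treats any field a rule does not set as a wildcard, and shows what happens to a handful of constructed packets, first with the rules as posted and then with the allow rule (10) and the 192.168.0.0/16 drop rule (40) swapped. It assumes a LAN of 192.168.1.0/24 and a router address of 192.168.2.1 on eth2, neither of which is stated in the thread, and it ignores protocols and ports.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One numbered rule; any field left None/empty is a wildcard."""
    number: int
    action: str                              # "accept" or "drop"
    description: str = ""
    source_range: Optional[tuple] = None     # inclusive (first, last) source address
    dest_net: Optional[str] = None           # destination CIDR
    states: frozenset = frozenset()          # connection states this rule matches

    def matches(self, pkt: dict) -> bool:
        if self.source_range:
            lo, hi = (ip_address(a) for a in self.source_range)
            if not lo <= ip_address(pkt["src"]) <= hi:
                return False
        if self.dest_net and ip_address(pkt["dst"]) not in ip_network(self.dest_net):
            return False
        if self.states and pkt.get("state", "new") not in self.states:
            return False
        return True


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: list

    def evaluate(self, pkt: dict):
        """First match wins, in rule-number order; otherwise the default action."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, rule.number
        return self.default_action, None


# The posted ruleset, including the established/related rule 1 placed ahead of the rest.
WLAN_IN = Ruleset("WLAN_IN", "accept", [
    Rule(1, "accept", "Allow any established or related traffic",
         states=frozenset({"established", "related"})),
    Rule(10, "accept", "Allow specific addresses to LAN",
         source_range=("192.168.2.2", "192.168.2.5")),
    Rule(20, "drop", "Drop traffic to subnet 10.0.0.0/8", dest_net="10.0.0.0/8"),
    Rule(30, "drop", "Drop traffic to subnet 172.16.0.0/12", dest_net="172.16.0.0/12"),
    Rule(40, "drop", "Drop traffic to subnet 192.168.0.0/16", dest_net="192.168.0.0/16"),
])

ROUTER_WLAN_ADDR = "192.168.2.1"  # assumed router address on eth2; not stated in the post


def direction(pkt: dict) -> str:
    """LOCAL if the packet is addressed to the router itself, otherwise IN (forwarded)."""
    return "LOCAL" if pkt["dst"] == ROUTER_WLAN_ADDR else "IN"


def reversed_order(ruleset: Ruleset) -> Ruleset:
    """Same rules with numbers 10 and 40 swapped, so the drop precedes the allow."""
    swap = {10: 40, 40: 10}
    rules = [replace(r, number=swap.get(r.number, r.number)) for r in ruleset.rules]
    return Ruleset(ruleset.name + "_REVERSED", ruleset.default_action, rules)


# Constructed sample packets; state is "new" unless marked. 192.168.1.0/24 is the assumed LAN.
PACKETS = {
    "trusted_to_lan": {"src": "192.168.2.3", "dst": "192.168.1.10"},
    "guest_to_lan": {"src": "192.168.2.50", "dst": "192.168.1.10"},
    "guest_to_internet": {"src": "192.168.2.50", "dst": "203.0.113.7"},
    "guest_reply_to_lan": {"src": "192.168.2.50", "dst": "192.168.1.10", "state": "established"},
    "guest_to_router": {"src": "192.168.2.50", "dst": ROUTER_WLAN_ADDR},
}


def run() -> dict:
    """Return {packet name: (direction, action, matching rule)} for every sample."""
    results = {}
    for name, pkt in PACKETS.items():
        if direction(pkt) == "LOCAL":
            # Traffic to the router is checked by a LOCAL ruleset (WLAN_LOCAL), never by WLAN_IN.
            results[name] = ("LOCAL", "not evaluated by WLAN_IN", None)
        else:
            results[name] = ("IN",) + WLAN_IN.evaluate(pkt)
    # Ordering matters: with the drop ahead of the allow, the trusted host is dropped too.
    results["trusted_to_lan_reversed"] = ("IN",) + reversed_order(WLAN_IN).evaluate(
        PACKETS["trusted_to_lan"])
    return results


if __name__ == "__main__":
    for name, outcome in run().items():
        print(f"{name:26} {outcome}")
```

Two things the model makes visible that the config alone does not: with `default-action accept`, everything not aimed at an RFC 1918 destination (the internet) sails through, which is the intent here but means any new private range you add later needs its own drop rule; and a packet addressed to the router's own interface never touches this ruleset at all, so restricting who may manage the router from the WLAN is a separate WLAN_LOCAL job.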

New Member
Posts: 10
Registered: ‎06-14-2014

Re: Help a newbie understand Firewall rules

Wow, thanks.  Yes, my LAN is a separate subnet; sorry for not specifying that.


Just so I'm clear, IN is traffic routed to other networks, LOCAL is for traffic to router itself.  So does this mean the only time local is really used is to deny administration of the router?  When would OUT be used? (Is OUT same as IN, but processed later in the packet lifecycle?)

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: Help a newbie understand Firewall rules


@pusta wrote:

Wow, thanks.  Yes, my LAN is a separate subnet; sorry for not specifying that.


Just so I'm clear, IN is traffic routed to other networks, LOCAL is for traffic to router itself.  So does this mean the only time local is really used is to deny administration of the router?  When would OUT be used? (Is OUT same as IN, but processed later in the packet lifecycle?)


You have the IN and LOCAL correct.  This is why you have separate WAN_IN and WAN_LOCAL rulesets.  The first holds the rules for traffic to your LAN and the other the rules for traffic to the router.  There are times other than blocking traffic to the router that WAN_LOCAL is used.  The port for my OpenVPN tunnel is controlled through the WAN_LOCAL ruleset, as it is the two routers which are actually creating the ptp tunnel.

OUT is any traffic outbound from the router through the port/interface.  I don't believe that it matters if it came from the router itself or another port being routed through.  I believe the OUT direction is often used for traffic shaping.  I haven't had a need to deal with outbound firewall rules.

Beyond that, there are also zone-based firewalls.  I use that for my primary network location.  I have 9 subnets grouped into 5 zones: WAN, DMZ, GUEST, LAN, & LOCAL.  You create rulesets for each zone-pair in both directions and then assign interfaces to the zones.  So 5 zones would have 20 rulesets to cover all the zone-pairs.  I think my firewall has 93 rules across the 20 rulesets.  It seems complicated, but it really is pretty straightforward.  You just go through each zone-pair, such as WAN-to-DMZ, and put in rules for what traffic is allowed through the zone-pair.  Then you move on to the next one: WAN-to-GUEST, then WAN-to-LAN, WAN-to-LOCAL, DMZ-to-WAN, DMZ-to-GUEST, etc.

To me, the zone-based policy is much cleaner in the end.  Both work.  It's personal preference.

Hope that helps explain some of this.  Just ask if you have further questions.

New Member
Posts: 10
Registered: ‎06-14-2014

Re: Help a newbie understand Firewall rules

This is all starting to click.  Thanks for the wealth of information.  I purchased this thing partly for a reliable router and mostly to learn, and it's good to know there's a friendly community behind it. 

For all of your Zones, do those have to be physical ports on the router?  For example, can I create two subnets on eth1 and firewall one off from the other?  I assume I can since I can specify the source and destination subnets, but just want to check.  I'd love to have a guest subnet just for wifi users who visit, but all I have today is an Asus router I'm using as an access point.  I believe I'd need something more advanced where I can subnet off of WLAN SSID. 

Anyway, thanks again for the info, this has been very valuable.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: Help a newbie understand Firewall rules


For your wireless, move up to a UniFi AP.  Inexpensive with full capabilities for up to 4 SSIDs.


As for your question about zones and ports, here's the long and the short of it:

Ports are the physical ports that you plug a cable into.  Interfaces are the network connections and can be physical or virtual (hence the name virtual local area network, or VLAN).

If you look at the code for my interfaces below, I have 3 ports (eth0, eth1, & eth2).  My first interface (network connection) is on the physical port eth0 and gets a DHCP address from my ISP.  Port eth1 does not have an interface on the physical port, but has 2 virtual interfaces which are vlan130 and vlan160.  Port eth2 follows the same configuration with 6 vlans.

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "DMZ SUBNETS"
        duplex auto
        speed auto
        vif 130 {
            address 10.112.130.1/24
            description Public_Servers
            mtu 1500
        }
        vif 160 {
            address 10.112.160.1/24
            description BCF_Guest
            mtu 1500
        }
    }
    ethernet eth2 {
        description "LAN SUBNETS"
        duplex auto
        speed auto
        vif 20 {
            address 10.10.20.1/24
            description BCF_Home
            mtu 1500
        }
        vif 30 {
            address 10.10.30.1/24
            description BCF_Servers
            mtu 1500
        }
        vif 40 {
            address 10.10.40.1/24
            description BCF_VOIP
            mtu 1500
        }
        vif 50 {
            address 10.10.50.1/24
            description BCF_CCTV
            mtu 1500
        }
        vif 60 {
            address 10.10.60.1/24
            description BCF_Wrls
            mtu 1500
        }
        vif 99 {
            address 10.10.99.1/24
            description BCF_Mgmt
            mtu 1500
        }
    }
    loopback lo {
    }
}

Interfaces and firewall rulesets are assigned to zones in the zone-policy.  Mine is shown below.

Zone DMZ lists the rulesets for traffic from each other zone and has interface eth1.130 (vlan130) in the DMZ zone.  Zone GUEST lists its rulesets and includes vlan160.  Zone LAN includes vlans 20, 30, 40, 50, 60, & 99.  Zone LOCAL is the router itself and zone WAN is the physical port eth0.

zone-policy {
    zone DMZ {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-DMZ
            }
        }
        from LAN {
            firewall {
                name LAN-DMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-DMZ
            }
        }
        from WAN {
            firewall {
                name WAN-DMZ
            }
        }
        interface eth1.130
    }
    zone GUEST {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-GUEST
            }
        }
        from LAN {
            firewall {
                name LAN-GUEST
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-GUEST
            }
        }
        from WAN {
            firewall {
                name WAN-GUEST
            }
        }
        interface eth1.160
    }
    zone LAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LAN
            }
        }
        from GUEST {
            firewall {
                name GUEST-LAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth2.20
        interface eth2.30
        interface eth2.40
        interface eth2.50
        interface eth2.60
        interface eth2.99
    }
    zone LOCAL {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LOCAL
            }
        }
        from GUEST {
            firewall {
                name GUEST-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-WAN
            }
        }
        from GUEST {
            firewall {
                name GUEST-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth0
    }
}

The thing to remember here is that zone-based firewalls control traffic between zones.  Therefore, interfaces which are in the same zone (such as zone LAN) can communicate freely without restriction.

The power of a zone-based firewall comes from the ability to very easily define the rules between each zone. 

With my network configuration, it would be very difficult to accurately define rules between zones using an interface-based firewall.  Think of trying to write rules for each of the 6 lan interfaces which would allow traffic between those 6, but limit traffic to the DMZ interface and block traffic from each of those interfaces to and from the GUEST network or from the DMZ, and yet allow all traffic to the internet while blocking unwanted traffic back in from the internet.


@pusta wrote:


For all of your Zones, do those have to be physical ports on the router?  For example, can I create two subnets on eth1 and firewall one off from the other? 

With a zone-based firewall, you would simply put one vlan on one zone and the other vlan on another zone.  Define the rules each direction between the zones.  Done.

My entire network, including my internet connection, could be run on one single port of my ERL.  I would simply separate the networks by VLAN on my switch, and my internet connection, just like everything else, would plug into the appropriate port on the switch.


Next: VLANs, how they work and what they do.
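The zone-pair logic described in the two replies above (5 zones needing 20 rulesets, same-zone traffic unrestricted, the router itself as the LOCAL zone) can be checked mechanically. The Python below is an added example, not EdgeOS code or anything from the posts: it encodes the posted `interfaces` and `zone-policy` as data, works out which zone a forwarded packet leaves through (longest-prefix match over the connected networks, with the router's own addresses mapped to LOCAL and everything else to the WAN), and names the ruleset that packet would be checked against. It also lints the policy for zone-pairs that have no `from` entry, which would silently fall through to the destination zone's `default-action drop`. The sample packets are constructed; eth0 has a DHCP address in the post, so its address is not known here and it is treated purely as the default route.

```python
from ipaddress import ip_address, ip_interface
from itertools import permutations

# Interface addresses copied from the posted `interfaces` section. eth0 takes
# DHCP from the ISP, so its address is unknown and it only serves as the default route.
INTERFACES = {
    "eth1.130": "10.112.130.1/24",  # Public_Servers
    "eth1.160": "10.112.160.1/24",  # BCF_Guest
    "eth2.20": "10.10.20.1/24",     # BCF_Home
    "eth2.30": "10.10.30.1/24",     # BCF_Servers
    "eth2.40": "10.10.40.1/24",     # BCF_VOIP
    "eth2.50": "10.10.50.1/24",     # BCF_CCTV
    "eth2.60": "10.10.60.1/24",     # BCF_Wrls
    "eth2.99": "10.10.99.1/24",     # BCF_Mgmt
}
WAN_IFACE = "eth0"
ROUTER_ADDRS = {ip_interface(a).ip for a in INTERFACES.values()}


def _zone(default_action, interfaces, **from_rulesets):
    """Helper (this example's own) for one zone: default-action, members, and `from` rulesets."""
    return {"default_action": default_action, "interfaces": interfaces, "from": from_rulesets}


# The posted zone-policy as data; keys of `from` are the source zones.
ZONE_POLICY = {
    "DMZ": _zone("drop", ["eth1.130"],
                 GUEST="GUEST-DMZ", LAN="LAN-DMZ", LOCAL="LOCAL-DMZ", WAN="WAN-DMZ"),
    "GUEST": _zone("drop", ["eth1.160"],
                   DMZ="DMZ-GUEST", LAN="LAN-GUEST", LOCAL="LOCAL-GUEST", WAN="WAN-GUEST"),
    "LAN": _zone("drop", ["eth2.20", "eth2.30", "eth2.40", "eth2.50", "eth2.60", "eth2.99"],
                 DMZ="DMZ-LAN", GUEST="GUEST-LAN", LOCAL="LOCAL-LAN", WAN="WAN-LAN"),
    "LOCAL": _zone("drop", [],  # local-zone: the router itself, no interfaces
                   DMZ="DMZ-LOCAL", GUEST="GUEST-LOCAL", LAN="LAN-LOCAL", WAN="WAN-LOCAL"),
    "WAN": _zone("drop", [WAN_IFACE],
                 DMZ="DMZ-WAN", GUEST="GUEST-WAN", LAN="LAN-WAN", LOCAL="LOCAL-WAN"),
}


def zone_of_interface(iface: str) -> str:
    for zone, spec in ZONE_POLICY.items():
        if iface in spec["interfaces"]:
            return zone
    raise KeyError(f"{iface} is not a member of any zone")


def egress_interface(dst: str) -> str:
    """Longest-prefix match over connected networks; anything else leaves via the WAN."""
    addr = ip_address(dst)
    connected = [(ip_interface(a).network.prefixlen, iface)
                 for iface, a in INTERFACES.items() if addr in ip_interface(a).network]
    return max(connected)[1] if connected else WAN_IFACE


def ruleset_for(ingress_iface: str, dst: str):
    """Ruleset a packet is checked against, or None when unrestricted (same zone)."""
    src_zone = zone_of_interface(ingress_iface)
    if ip_address(dst) in ROUTER_ADDRS:
        dst_zone = "LOCAL"                 # addressed to the router itself
    else:
        dst_zone = zone_of_interface(egress_interface(dst))
    if src_zone == dst_zone:
        return None                        # zone-policy only governs traffic between zones
    spec = ZONE_POLICY[dst_zone]
    # A zone-pair with no `from` entry falls back to the destination zone's default-action.
    return spec["from"].get(src_zone, f"default-action {spec['default_action']}")


def required_zone_pairs():
    """Every ordered (from, to) pair of distinct zones; 5 zones give 5 * 4 = 20."""
    return list(permutations(ZONE_POLICY, 2))


def zone_pairs_without_ruleset():
    """Lint: pairs whose traffic would hit the destination zone's default-action unseen."""
    return [(s, d) for s, d in required_zone_pairs() if s not in ZONE_POLICY[d]["from"]]


if __name__ == "__main__":
    # Constructed sample flows.
    for ingress, dst in [("eth2.20", "10.10.30.5"), ("eth1.160", "10.10.20.5"),
                         ("eth2.60", "10.112.130.10"), ("eth2.20", "203.0.113.7"),
                         ("eth0", "10.10.99.1")]:
        print(f"{ingress:9} -> {dst:15} {ruleset_for(ingress, dst)}")
    print(len(required_zone_pairs()), "zone-pairs; missing:", zone_pairs_without_ruleset())
```

The lint is the part worth keeping around: when you add a sixth zone, `required_zone_pairs()` grows to 30 and `zone_pairs_without_ruleset()` lists exactly the ten `from` blocks you still owe, before a forgotten pair shows up as an unexplained drop in production.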