New Member
Posts: 10
Registered: ‎04-17-2013
Kudos: 4
Accepted Solution

How to keep Public & Private LANs separate?

I've set up an ERL for a small office with an SBS server. Everything is working great: internet access, DHCP, port forwarding, multiple source and destination NATs, hairpin NAT, etc.

The only thing I can't figure out is how to keep the traffic separate between the two LANs. eth0 is for the private LAN, eth1 is for a public WiFi LAN and eth2 is for the WAN. My preference would be that the public LAN not be able to access anything on the private LAN unless I've set up NAT and FW rules for it. Access from the private LAN to the public one would be OK. Please tell me I don't need a zone-based firewall for this!

An interesting observation is that from the 10.0.0.0/24 network I can ping several hosts on the 192.168.0.0/24 network, but not all of them. I can also access services on some of them, but not all of them. E.g. 192.168.0.2 I can ping and access a web server on it. 192.168.1.12 I can ping, but cannot access the web server on it. 192.168.0.99 I cannot ping at all from the 10.0.0.0/24 network (but it is a valid station that replies to pings on the 192.168.0.0/24 segment from other stations). From the 192.x segment, I cannot ping any 10.x devices. I'm not understanding why some of this traffic works and some doesn't, and also why it only works from the one segment.

Here's an overview of how my network is set up; the detailed config follows:

eth0 = Secure LAN
- Server and desktop network resources reside here
- 192.168.0.0/24 network, DHCP from SBS server

eth1 = Public LAN
- WiFi access for guests
- 10.0.0.0/24 network, DHCP from ERL

eth2 = WAN
- 5 static IPs
- Port forwarding for several server and other client services
- Multiple source NATs for outbound internet based on source of traffic

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        address-group LAN_Addr_SBS_Server {
            address 192.168.0.2
            description "Local LAN address of SBS Server"
        }
        address-group SpamStopsHere_SMTP {
            address 174.37.170.192-174.37.170.223
            address 174.36.242.64-174.36.242.95
            address 208.43.201.128-208.43.201.159
            address 67.225.140.128-67.225.140.191
            address 50.201.66.0-50.201.66.255
            description SpamStopsHere_SMTP
        }
        address-group WAN_Addr_All {
            address xxx.xxx.179.185
            address xxx.xxx.179.186
            address xxx.xxx.179.187
            address xxx.xxx.179.188
            address xxx.xxx.179.189
            description WAN_Addr_All
        }
        address-group WAN_Addr_Outbound {
            address xxx.xxx.179.189
            description WAN_Addr_Outbound
        }
        address-group WAN_Addr_SMTP {
            address xxx.xxx.179.185
            description "WAN IP address for SMTP"
        }
        port-group HTTP_HTTPS_PORTS {
            description "HTTP and HTTPS Ports"
            port 80
            port 443
        }
        port-group MS_SBS_VPN_PORTS {
            description "MS SBS VPN PORTS"
            port 123
            port 1723
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_PUBLIC_IN {
        default-action accept
        description "Public network to other networks"
    }
    name LAN_PUBLIC_LOCAL {
        default-action accept
        description "Public network to router"
    }
    name LAN_SECURE_IN {
        default-action accept
        description "Secure network to other networks"
    }
    name LAN_SECURE_LOCAL {
        default-action accept
        description "Secure network to router"
    }
    name WAN_IN {
        default-action drop
        description "From INTERNET to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established connections"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid connections"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Allow HTTP & HTTPS for IIS"
            destination {
                address 192.168.0.2
                group {
                }
                port 80,443
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 4 {
            action accept
            description "Allow 4125 for RWW"
            destination {
                address 192.168.0.2
                port 4125
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 5 {
            action accept
            description "Allow 1723 for VPN"
            destination {
                address 192.168.0.2
                port 1723
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 6 {
            action accept
            description "Allow GRE protocol for VPN"
            destination {
                address 192.168.0.2
            }
            log disable
            protocol gre
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 7 {
            action accept
            description "Allow SMTP to Server"
            destination {
                address 192.168.0.2
                port 25
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group SpamStopsHere_SMTP
                }
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 8 {
            action accept
            description "Allow DRAC4/P to Server"
            destination {
                address 192.168.0.9
                port 449,5900
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 9 {
            action accept
            description "Allow 3389 for RWW"
            destination {
                address 192.168.0.2
                port 3389
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "From INTERNET to router"
        rule 1 {
            action drop
            description "Drop invalid connections"
            log enable
            state {
                invalid enable
            }
        }
        rule 2 {
            action accept
            description "Allow established connections"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 3 {
            action accept
            description "ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.0.1/24
        description Port_0_LAN_Secure
        duplex auto
        firewall {
            in {
                name LAN_SECURE_IN
            }
            local {
                name LAN_SECURE_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.0.1/24
        description Port_1_LAN_Public
        duplex auto
        firewall {
            in {
                name LAN_PUBLIC_IN
            }
            local {
                name LAN_PUBLIC_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address xxx.xxx.179.185/29
        address xxx.xxx.179.186/29
        address xxx.xxx.179.187/29
        address xxx.xxx.179.188/29
        address xxx.xxx.179.189/29
        description Port_2_WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN_PUBLIC_eth1 {
            authoritative disable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 206.13.29.12
                dns-server 206.13.30.12
                lease 86400
                start 10.0.0.101 {
                    stop 10.0.0.250
                }
            }
        }
        shared-network-name LAN_SECURE_eth0 {
            authoritative disable
            disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.101 {
                    stop 192.168.1.250
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            sysshow 
        }
    }
    gui {
        listen-address 192.168.0.1	
        https-port 443
    }
    nat {
        rule 1 {
            description "HTTP traffic for SBS Server (80)"
            destination {
                address xxx.xxx.179.185
                port 80
            }
            inbound-interface eth+
            inside-address {
                address 192.168.0.2
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "HTTPS traffic for SBS Server (443)"
            destination {
                address xxx.xxx.179.185
                port 443
            }
            inbound-interface eth+
            inside-address {
                address 192.168.0.2
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 3 {
            description "Remote Web Workplace to Server (4125)"
            destination {
                address xxx.xxx.179.185
                port 4125
            }
            inbound-interface eth+
            inside-address {
                address 192.168.0.2
                port 4125
            }
            log disable
            protocol tcp
            type destination
        }
        rule 4 {
            description "PPTP VPN to Server (1723)"
            destination {
                address xxx.xxx.179.185
                port 1723
            }
            inbound-interface eth2
            inside-address {
                address 192.168.0.2
                port 1723
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5 {
            description "PPTP VPN to Server (GRE)"
            destination {
                address xxx.xxx.179.185
            }
            inbound-interface eth2
            inside-address {
                address 192.168.0.2
            }
            log disable
            protocol gre
            type destination
        }
        rule 6 {
            description "SMTP to Server (25)"
            destination {
                address xxx.xxx.179.185
                port 25
            }
            inbound-interface eth2
            inside-address {
                address 192.168.0.2
                port 25
            }
            log disable
            protocol tcp
            type destination
        }
        rule 7 {
            description "DRAC/4P to Server (449)"
            destination {
                address xxx.xxx.179.185
                port 449
            }
            inbound-interface eth2
            inside-address {
                address 192.168.0.9
                port 449
            }
            log disable
            protocol tcp
            type destination
        }
        rule 8 {
            description "DRAC/4P to Server (5900)"
            destination {
                address xxx.xxx.179.185
                port 5900
            }
            inbound-interface eth2
            inside-address {
                address 192.168.0.9
                port 5900
            }
            log disable
            protocol tcp
            type destination
        }
        rule 9 {
            description "Remote Web Workplace to Server (3389)"
            destination {
                address xxx.xxx.179.185
                port 3389
            }
            disable
            inbound-interface eth+
            inside-address {
                address 192.168.0.2
                port 3389
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5000 {
            description "Hairpin NAT for LAN"
            destination {
                address 192.168.0.0/24
            }
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 192.168.0.0/24
            }
            type masquerade
        }
        rule 5001 {
            description "Outbound to Internet from Server"
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.xxx.179.185
            }
            protocol all
            source {
                address 192.168.0.2
            }
            type source
        }
        rule 5002 {
            description "Outbound to Internet from 10.0.0.0/24"
            destination {
            }
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.xxx.179.188
            }
            protocol all
            source {
                address 10.0.0.0/24
            }
            type source
        }
        rule 5003 {
            description "Outbound to Internet from all others"
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.xxx.179.189
            }
            protocol all
            type source
        }
    }
    ssh {
        listen-address 192.168.0.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth2
        }
        listen-on eth1 {
            outbound-interface eth2
        }
    }
}
system {
    domain-name some-domain.com
    gateway-address xxx.xxx.179.190
    host-name web
    ipv6 {
        disable
    }
    login {
        user admin {
            authentication {
                encrypted-password xxx
                plaintext-password ""
            }
            full-name Admin
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password xxx
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    pptp {
        remote-access {
            authentication {
                mode radius
                radius-server 192.168.0.2 {
                    key xxx
                }
            }
            client-ip-pool {
                start 192.168.0.80
                stop 192.168.0.99
            }
            dns-servers {
                server-1 192.168.0.2
                server-2 192.168.0.1
            }
            mtu 1492
            outside-address xxx.xxx.179.185
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.1.0.4543695.130312.1019 */

All Replies
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: How to keep Public & Private LANs separate?

Have you tried something like:

ubnt@ubnt# show firewall 
 name LAN_PUBLIC_IN {
     default-action accept
     rule 1 {
         action drop
         destination {
             address 192.168.0.0/24
         }
     }
 }
EdgeMAX Router Software Development
New Member
Posts: 10
Registered: ‎04-17-2013
Kudos: 4

Re: How to keep Public & Private LANs separate?

I had tried that, but I had done it on the LAN_SECURE_IN interface, thinking that it needed to route to there. So yes, now it works to block access from 10.0.0.0/24. Thank you!

How do I allow access from 192.168.0.0/24 to 10.0.0.0/24? Seems to me that it should allow it by default.

Also, any rhyme or reason why there was only partial access from 10.x to 192.x?

New Member
Posts: 10
Registered: ‎04-17-2013
Kudos: 4

Re: How to keep Public & Private LANs separate?

Hmmm... seems all hosts on the 192.x network are blocked, except the ERL at 192.168.0.1.  Why would a station on the 10.x network still be able to access that host?

EDIT:  answered my own Q here by adding the same rule above to LAN_PUBLIC_LOCAL.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: How to keep Public & Private LANs separate?


@Jon_HB wrote:

How do I allow access from 192.168.0.0/24 to 10.0.0.0/24? Seems to me that it should allow it by default.


I think if you add the same "established" rule that you have in WAN_IN rule 1 to LAN_PUBLIC_IN, then you'd be able to access the public from the private. Note the established rule needs to come before the drop destination 192.168.0.0/24 rule.

EdgeMAX Router Software Development
New Member
Posts: 10
Registered: ‎04-17-2013
Kudos: 4

Re: How to keep Public & Private LANs separate?

Thank you, that worked.

Interesting though that I had already placed that rule, but I had limited the source network to 192.168.0.0/24 and the destination network to 10.0.0.0/24 and it didn't work.  Once I removed the source and destination limits, the rule worked fine.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: How to keep Public & Private LANs separate?


@Jon_HB wrote:

Thank you, that worked.

Interesting though that I had already placed that rule, but I had limited the source network to 192.168.0.0/24 and the destination network to 10.0.0.0/24 and it didn't work. Once I removed the source and destination limits, the rule worked fine.


That's because the rule is actually allowing traffic going from 10.0.0.0/24 to 192.168.0.0/24 only if it was initiated from 192.168.0.0/24 (i.e. established).  So you had the source/destination backwards.

EdgeMAX Router Software Development
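Putting the replies together, here are the two guest-LAN rulesets the thread ends up with, written out as EdgeOS configure-mode `set` commands. This is an added example assembled from the posts above, not configuration posted by either participant; the rule numbers, descriptions and the `log enable` on the drop rules are my choices. Both rulesets are already attached to eth1 in the posted config (`firewall in` and `firewall local`), so nothing else needs to change.

```text
configure

# LAN_PUBLIC_IN: traffic arriving on the guest LAN (eth1) that is forwarded to
# other networks. Rule 1 matches on connection state only. Reply packets for a
# connection opened from 192.168.0.0/24 arrive here with source 10.0.0.x and
# destination 192.168.0.x, so adding "source address 192.168.0.0/24" to this
# rule would make it never match (the mistake discussed above). It must come
# before the drop rule, because rules are evaluated in order.
set firewall name LAN_PUBLIC_IN default-action accept
set firewall name LAN_PUBLIC_IN rule 1 action accept
set firewall name LAN_PUBLIC_IN rule 1 description "Replies to connections opened from the secure LAN"
set firewall name LAN_PUBLIC_IN rule 1 state established enable
set firewall name LAN_PUBLIC_IN rule 1 state related enable
set firewall name LAN_PUBLIC_IN rule 2 action drop
set firewall name LAN_PUBLIC_IN rule 2 description "Guest LAN may not open connections to the secure LAN"
set firewall name LAN_PUBLIC_IN rule 2 destination address 192.168.0.0/24
set firewall name LAN_PUBLIC_IN rule 2 log enable

# LAN_PUBLIC_LOCAL: traffic from the guest LAN to the router itself.
# default-action accept stays so guests still get DHCP and DNS from 10.0.0.1;
# only the router's secure-side address 192.168.0.1 (where the GUI and SSH
# listen in the posted config) becomes unreachable from the guest LAN.
set firewall name LAN_PUBLIC_LOCAL default-action accept
set firewall name LAN_PUBLIC_LOCAL rule 1 action drop
set firewall name LAN_PUBLIC_LOCAL rule 1 description "Guest LAN may not reach the router on its secure LAN address"
set firewall name LAN_PUBLIC_LOCAL rule 1 destination address 192.168.0.0/24
set firewall name LAN_PUBLIC_LOCAL rule 1 log enable

commit
save
exit
```

To confirm the ordering is doing what you expect, `show firewall name LAN_PUBLIC_IN statistics` in operational mode shows per-rule packet counters: a guest host trying to reach 192.168.0.x should increment rule 2 (and, with logging on, produce a syslog entry), while an SSH or web session opened from the secure side should increment rule 1 instead. Both rulesets still rely on `default-action accept`, so anything from the guest LAN that is not explicitly dropped is allowed; the tighter allowlist design is `default-action drop` with explicit accepts for established/related traffic, DHCP and DNS, but the rulesets above stay with the approach the thread settled on.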