A firewall policy is a set of rules with a default action. Firewall policies are applied before SNAT (Source Network Address Translation) and after DNAT (Destination Network Address Translation).
https://help.ubnt.com/hc/en-us/articles/205231540-EdgeMAX-Add-access-control-list-ACL-
IN, OUT, and LOCAL
WAN_IN = From the internet, through the router, and onward to your LAN. In very general terms, you want to drop 90% of this mess - it's script kiddies, port scans, nigerian princes, and anyone else you don't want able to head through your router. Obviously, you're gonna want to allow ports 80, 443, 25, and others if you're running those types of services.
WAN_OUT = traffic that has been forwarded through the router and about to leave exit out the interface.
NOTE: "WAN_OUT" to the "out" direction on the WAN interface, it only applies to forwarded traffic so the requests from the router itself does not go through these rules
WAN_LOCAL = Traffic destined for the router (for example if you wanted to use the web UI on the router you'd need to allow port 443 on LOCAL. This firewall is for packets destined to the router itself (i.e. "localhost") from the wan
LAN_IN = everything inbound to the router from your LAN (e.g. 192.168.1.0/24) that's destined for somewhere else (WAN, other LAN such as 192.168.2.0/24). In a SMB, or SOHO setup, this is probably explicitly permissive. In an enterprise setting, this may or may not be permissive (e.g. blocking all outgoing traffic except for SFTP on a non-standard port)
LAN_LOCAL = everything inbound to the router from your LAN destined for the router. Again, unless you're doing enterprise routing, this is probably fairly open - although good SMB setups with guest networks may block the guest network range.
In terms of using IN or OUT rules, some will say that IN is better because if you're going to drop a packet it's better to do it on input rather than go through the full packet processing path only to drop it before it leaves the router. Also note that creating a firewall ruleset without applying it to an interface/direction does nothing.
Firewall for IPv6 is separate from IPv4 firewall and currently it needs to be configured using the CLI ("set firewall ipv6-name ..." etc.). OR the Config Tree in the Web UI, so you'll need to create IPv6 rules separately and apply them to the appropriate interface/direction.
Easiest addressing to IPv6 firewalling is either DHCPv6 with reservations OR static IP. Once you have a fixed address for the device, you apply firewall policy just like you would in IPv4. Currently (v1.6.0) the NAT configuration is IPv4-only. So for now you might try using the "ip6tables" command directly to manipulate the IPv6 nat table (sudo ip6tables -t nat ...). http://networkingnerd.net/2011/12/01/whats-the-point-of-nat66/
http://blog.ipspace.net/2011/12/we-just-might-need-nat66.html
Disabling IPv6 on the router = set system ipv6 disable
NAT - Symmetric type
NAT changes the addressing of packets. A NAT rule tells the EdgeRouter what action to take with a specific packet. Define the following:
- Criteria for matching packets
- Action to take with matching packets
Rules are organized into a set and applied in the specified Rule Order. If the packets match a rule’s criteria, then its action is performed. If not, then the next rule is applied.
Source NAT Rules
Source NAT Rules change the source address of packets; a typical scenario is that a private source needs to communicate with a public destination. A Source NAT Rule goes from the private network to the public network and is applied after routing, just before packets leave the EdgeRouter. SNAT = Source NAT = Translation / Manipulation from Internal to External (masqueraded to the Internet).
SNAT vs MASQUERADE: Both are network address translation (NAT) techniques whereby the source (LAN) address gets automatically converted to another address (typically the WAN address) by the router.
- MASQUERADE converts the address to the WAN address, whatever it happens to be. In other words, at every conversion, it has to check what the WAN address is.
- SNAT converts the address to a fixed address, set to the WAN address by the firewall initialization.
In theory, SNAT should be faster, since both are performing the same translation but MASQUERADE has to perform that extra lookup. In practice, we're only talking about a few machine instructions here, so the difference is not noticeable.
Masquerade only uses the primary address of the interface. Now say my ISP gives me a /29 with 5 addresses. Then I might have something like:
ubnt@R3# show interfaces ethernet eth6
address 1.1.1.2/29
address 1.1.1.3/29
address 1.1.1.4/29
address 1.1.1.5/29
address 1.1.1.6/29
duplex auto
speed auto
[edit]
Now say I want LAN1 to use 1.1.1.3 and LAN2 to use 1.1.1.6. To do that I need source NAT = SNAT.
Destination NAT Rules
Destination NAT Rules change the destination address of packets; a typical scenario is that a public source needs to communicate with a private destination. A Destination NAT Rule goes from the public network to the private network and is applied before routing. SEE ALSO “PORT FORWARDING”. DNAT = Translation / Manipulation from External to Internal = Wan to LAN mapping
Hairpin NAT
Enabled by default. If you want to allow a host on the internal network to use the public IP address to access an internal server, then keep Hairpin NAT enabled. (Hairpin NAT is also known as NAT loopback or NAT reflection.) Note: If Hairpin NAT is enabled, then it only enables Hairpin NAT for the port forwarding rules defined in the wizard; it does not affect the Destination NAT Rules defined on the Security > NAT tab (refer to “Destination NAT Rules”)
NAT Hairpin = "NAT inside-to-inside" = "NAT Loopback" = "NAT Reflection" = SNAT Loopback.
http://community.ubnt.com/t5/EdgeMAX/SNAT-Loopback-aka-Hairpin-Question/td-p/1552015
The routers which support this specifically look for traffic which should hairpin. The routers which don't support this do normal routing, and they send traffic destined for external addresses out the WAN interface, per the routing table.
This is completely dependent on the router make, model, and software version.
What happens on the routers which don't support this is that the traffic from the inside host to the external server address has the destination address looked up in the routing table, and that points to the WAN interface, so the the traffic is sent to the WAN interface, which is an outside interface, so the inside source address gets translated, per the inside source NAT rules, to an outside address (usually the WAN interface address), and the traffic is sent out the WAN interface. This is all based on normal routing rules.
The traffic will travel to the ISP router, which will promptly drop it since it is coming in from an interface where the destination address is. Routers drop traffic destined for the network from which it originates.
UPnP
Instead of manually configuring port forwarding rules, you can use UPnP for automatic port forwarding when you have hardware that supports UPnP.
Typically, a NAT Port Forwarding rule is used from the outside network to get to a server on the inside network by using the public address of the router (or hostname). But in cases where the same local server address must be accessed from inside the local network, NAT Hairpin applies.
