New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2
Accepted Solution

Second Opinion on Firewall Plan

Hello everyone. I have experienced great help from these forums. So far I have been able to set up my ER8 with a WAN interface and appropriate firewall rules for internet access and an L2TP VPN. Additionally I have two VLANs, one for IOT and one for GUEST. In my environment I have my own DNS servers and quite a few others that are on eth6, 192.168.24.0; I currently have no firewall rules assigned to this interface. I would call this my CORE network. My ultimate goal is to segregate this network from everything except another VLAN, yet to be created, 6.28, 192.168.28.0. It will however need to serve DNS traffic to all other networks, and allow connections to the internet and router for a RADIUS server (24.20), Plex server (24.4) and normal HTTPS traffic. I posted a spoiler with what I think needs to be done but I'm not 100%. I also attached the current config of the router. The 29.0 network on eth2 is a backup in case I lose access to the router from the .24 network; it is always unplugged unless needed, and then it is a direct connection from computer to router.

Spoiler
set firewall group network-group CORE network 192.168.24.0/24
set firewall group network-group MAN network 192.168.28.0/24

set firewall name CORE_IN default-action accept
set firewall name CORE_IN rule 10 action accept
set firewall name CORE_IN rule 10 state established enable
set firewall name CORE_IN rule 10 state related enable
set firewall name CORE_IN rule 20 action accept
set firewall name CORE_IN rule 20 destination group address-group DNS_SERVERS
set firewall name CORE_IN rule 20 destination group port-group DNS_PORT
set firewall name CORE_IN rule 20 protocol tcp_udp
set firewall name CORE_IN rule 20 source group network-group GUEST_NETS
set firewall name CORE_IN rule 20 source group network-group IOT_NETS
set firewall name CORE_IN rule 40 action drop
set firewall name CORE_IN rule 40 destination group network-group GUEST_NETS
set firewall name CORE_IN rule 40 destination group network-group IOT_NETS
set interfaces ethernet eth6 firewall in name CORE_IN

set firewall name CORE_LOCAL default-action drop
set firewall name CORE_LOCAL rule 10 action accept
set firewall name CORE_LOCAL rule 10 destination group port-group DHCP_PORT
set firewall name CORE_LOCAL rule 10 source port 68
set firewall name CORE_LOCAL rule 10 protocol udp
set firewall name CORE_LOCAL rule 20 destination group port-group DNS_PORT
set firewall name CORE_LOCAL rule 20 source network-group GUEST_NETS
set firewall name CORE_LOCAL rule 20 source network-group IOT_NETS
set firewall name CORE_LOCAL rule 20 source port-group DNS_PORT
set interfaces ethernet eth6 firewall local name CORE_LOCAL

All Replies
Emerging Member
Posts: 101
Registered: ‎10-14-2018
Kudos: 28
Solutions: 8

Re: Second Opinion on Firewall Plan


The rules do not look right. Perhaps you misunderstood the interface direction of the firewall. The "in" direction applies to packets coming into the router from that interface, to be routed and sent out through other interfaces. In your example, the command

set interfaces ethernet eth6 firewall in name CORE_IN

means to apply the CORE_IN rules to all traffic going from your core network to other networks, including GUEST, IOT and WAN.


With that, rule 20 of CORE_IN does not do anything, because the packets will never have sources from other networks. Rule 40 only prevents connections from core to the guest and IOT networks; on the other hand, connections from IOT and guest to core will be allowed, because of rule 10. That is probably the exact opposite of what you actually want.

Similarly, the CORE_LOCAL rules affect traffic coming from the core network and going to the router itself. Be careful: you may lock the core network out of the router, as the rules basically drop anything other than DHCP.

New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2

Re: Second Opinion on Firewall Plan


OK... after thinking about this some more, I think it may be overkill to add firewall rules to my eth6 192.168.24.0 network. Please correct me if my thinking is wrong.


PRIVATE_NETS= 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16

IOT= 192.168.25.0/24

GUEST= 192.168.27.0/24

DNS-SERVERS= 192.168.24.20, 192.168.24.21


I'm already blocking everything from my guest and IOT networks to the 24.0 network with these rules:

set firewall name GUEST_IN rule 40 action drop
set firewall name GUEST_IN rule 40 destination group network-group PRIVATE_NETS

set firewall name IOT_IN rule 40 action drop
set firewall name IOT_IN rule 40 destination group network-group PRIVATE_NETS 


I'm blocking traffic from IOT to GUEST and GUEST to IOT with these rules

set firewall name GUEST_IN rule 50 action drop
set firewall name GUEST_IN rule 50 destination group network-group IOT_NET

set firewall name IOT_IN rule 50 action drop
set firewall name IOT_IN rule 50 destination group network-group GUEST_NET


On the GUEST and IOT I'm allowing DNS to my 192.168.24.0 network with these rules

set firewall name GUEST_IN rule 20 action accept
set firewall name GUEST_IN rule 20 destination group address-group DNS_SERVERS
set firewall name GUEST_IN rule 20 destination group port-group DNS_PORT
set firewall name GUEST_IN rule 20 protocol tcp_udp
set firewall name GUEST_IN rule 20 source group network-group GUEST

set firewall name IOT_IN rule 20 action accept
set firewall name IOT_IN rule 20 destination group address-group DNS_SERVERS
set firewall name IOT_IN rule 20 destination group port-group DNS_PORT
set firewall name IOT_IN rule 20 protocol tcp_udp
set firewall name IOT_IN rule 20 source group network-group GUEST


And allowing DHCP traffic to the router from GUEST and IOT with these rules

set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 source port 68

set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 destination port 67
set firewall name IOT_LOCAL rule 20 protocol udp
set firewall name IOT_LOCAL rule 20 source port 68


And allowing established/related traffic with

set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable

set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable

set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 state established enable
set firewall name IOT_LOCAL rule 10 state related enable

set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable


And finally the default actions for the GUEST and IOT networks are

set firewall name GUEST_IN default-action accept

set firewall name IOT_IN default-action accept

set firewall name GUEST_LOCAL default-action drop

set firewall name IOT_LOCAL default-action drop


I think that I'm finally understanding this. 


IN traffic is traffic from a network to be routed to another network. 

LOCAL traffic is traffic from a network to be handled locally by the router


For example DHCP traffic is handled by the router, in my network, so that traffic needs to be on the LOCAL side. DNS however is handled by another network so it needs to be routed through the router to that network. 


Emerging Member
Posts: 101
Registered: ‎10-14-2018
Kudos: 28
Solutions: 8

Re: Second Opinion on Firewall Plan

Yes these rules look proper to me, except maybe a typo here:

set firewall name IOT_IN rule 20 source group network-group GUEST

I think you meant "network-group IOT". Actually you can remove all the "source group network-group" statements in your IN/LOCAL rules, because in your setup all the traffic coming from the IOT or GUEST VLAN will have its respective network group as the source.


CORE is your most privileged network so it makes sense to not have any firewall rules for CORE_IN. That means devices in that network can access anything else unrestricted, which probably is your goal.

New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2

Re: Second Opinion on Firewall Plan

Yes, that is my goal, and yes, it was just a typo. Thank you for the replies and explanations.
