Edge Router X – 1 WAN, 1 IoT LAN & 3 Protected LANs Setup
This assumes the WAN+2LAN2 Setup Wizard was used and the result was then customized as per the Sample Configuration table below (the WAN_IN and WAN_LOCAL firewall policies created by the wizard already exist).
Sample Configuration
Interface | Description | Network | VLAN |
eth0 | ISP | DHCP | 2 |
eth1 | IoT (Untrusted/Contained) | 192.168.10.0/24 | 10 |
eth2 | Protected Network 20 | 192.168.20.0/24 | 20 |
eth3 | Protected Network 30 | 192.168.30.0/24 | 30 |
eth4 | Protected Network 40 | 192.168.40.0/24 | 40 |
Firewall NAT Groups
PROTECTED_NETWORKS
Firewall/NAT>Firewall/Nat Groups>+Add Group>
Name: PROTECTED_NETWORKS
Description: Protected Networks
Group Type: Network Group
[Save]
PROTECTED_NETWORKS>Actions>Configure
- Network: 192.168.20.0/24
- Network: 192.168.30.0/24
- Network: 192.168.40.0/24
[Save]
Firewall Policies
Ruleset: BLOCK_IN
Firewall/NAT>Firewall Policies>+Add Ruleset>
Name: BLOCK_IN
Description: Block In
Default Action: Accept
[Save]
Firewall/NAT>Firewall Policies>BLOCK_IN>Actions>Edit Ruleset>
Interfaces:
Interface: eth1
Direction: in
[Save Ruleset]
Rule: Accept Established/Related
Firewall/NAT>Firewall Policies>BLOCK_IN>Edit Ruleset>Rules>Add New Rule>
Basic
Description: Accept Established/Related
Action: Accept
Protocol: All Protocols
Advanced:
State: Established, Related
[Save]
Rule: Drop PROTECTED_NETWORKS
Firewall/NAT>Firewall Policies>BLOCK_IN>Edit Ruleset>Rules>Add New Rule>
Basic
Description: Drop PROTECTED_NETWORKS
Action: Drop
Protocol: All Protocols
Destination:
Network Group: PROTECTED_NETWORKS
[Save]
Ruleset: BLOCK_LOCAL
Firewall/NAT>Firewall Policies>+Add Ruleset>
Name: BLOCK_LOCAL
Description: Block Local
Default Action: Drop
[Save]
Firewall/NAT>Firewall Policies>BLOCK_LOCAL>Actions>Edit Ruleset>
Interfaces:
Interface: eth1
Direction: local
[Save Ruleset]
Rule: Accept DNS
Firewall/NAT>Firewall Policies>BLOCK_LOCAL>Edit Ruleset>Rules>Add New Rule>
Basic:
Description: Accept DNS
Action: Accept
Protocol: UDP
Destination:
Port: 53
[Save]
Rule: Accept DHCP
Firewall/NAT>Firewall Policies>BLOCK_LOCAL>Edit Ruleset>Rules>Add New Rule>
Basic:
Description: Accept DHCP
Action: Accept
Protocol: UDP
Destination:
Port: 67
[Save]
CLI
configure
set firewall group network-group PROTECTED_NETWORKS
set firewall group network-group PROTECTED_NETWORKS description "Protected Networks"
set firewall group network-group PROTECTED_NETWORKS network 192.168.20.0/24
set firewall group network-group PROTECTED_NETWORKS network 192.168.30.0/24
set firewall group network-group PROTECTED_NETWORKS network 192.168.40.0/24
set firewall name BLOCK_IN
set firewall name BLOCK_IN default-action accept
set firewall name BLOCK_IN rule 10 action accept
set firewall name BLOCK_IN rule 10 description "Accept Established/Related"
set firewall name BLOCK_IN rule 10 protocol all
set firewall name BLOCK_IN rule 10 state established enable
set firewall name BLOCK_IN rule 10 state related enable
set firewall name BLOCK_IN rule 20 action drop
set firewall name BLOCK_IN rule 20 description "Drop PROTECTED_NETWORKS"
set firewall name BLOCK_IN rule 20 destination group network-group PROTECTED_NETWORKS
set firewall name BLOCK_IN rule 20 protocol all
set firewall name BLOCK_LOCAL
set firewall name BLOCK_LOCAL default-action drop
set firewall name BLOCK_LOCAL rule 10 action accept
set firewall name BLOCK_LOCAL rule 10 description "Accept DNS"
set firewall name BLOCK_LOCAL rule 10 destination port 53
set firewall name BLOCK_LOCAL rule 10 protocol udp
set firewall name BLOCK_LOCAL rule 20 action accept
set firewall name BLOCK_LOCAL rule 20 description "Accept DHCP"
set firewall name BLOCK_LOCAL rule 20 destination port 67
set firewall name BLOCK_LOCAL rule 20 protocol udp
commit
set interfaces ethernet eth1 firewall in name BLOCK_IN
set interfaces ethernet eth1 firewall local name BLOCK_LOCAL
commit
save
exit
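As an added check (example code written for this page, not part of the original and not an EdgeOS tool), the following Python model parses the BLOCK_IN and BLOCK_LOCAL set commands above and evaluates sample packets with EdgeOS first-match semantics; the packet field names and the constructed config excerpt are assumptions.

```python
import ipaddress
CONFIG = """
set firewall name BLOCK_IN default-action accept
set firewall name BLOCK_IN rule 10 action accept
set firewall name BLOCK_IN rule 10 state established enable
set firewall name BLOCK_IN rule 10 state related enable
set firewall name BLOCK_IN rule 20 action drop
set firewall name BLOCK_IN rule 20 destination group network-group PROTECTED_NETWORKS
set firewall name BLOCK_LOCAL default-action drop
set firewall name BLOCK_LOCAL rule 10 action accept
set firewall name BLOCK_LOCAL rule 10 destination port 53
set firewall name BLOCK_LOCAL rule 10 protocol udp
set firewall name BLOCK_LOCAL rule 20 action accept
set firewall name BLOCK_LOCAL rule 20 destination port 67
set firewall name BLOCK_LOCAL rule 20 protocol udp
"""  # constructed excerpt of the page's set commands (descriptions omitted), not a router dump
GROUPS = {"PROTECTED_NETWORKS": ["192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24"]}

def parse(config):  # -> {ruleset: {"default": action, "rules": {num: fields}}}
    rulesets = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:3] != ["set", "firewall", "name"]:
            continue
        rs = rulesets.setdefault(tok[3], {"default": "accept", "rules": {}})
        if tok[4] == "default-action":
            rs["default"] = tok[5]
        elif tok[4] == "rule":
            rule = rs["rules"].setdefault(int(tok[5]), {"states": set()})
            if tok[6] == "state":              # "state established enable"
                rule["states"].add(tok[7])
            elif tok[6] == "destination":      # "port N" or "group network-group G"
                rule["dst_" + tok[7]] = tok[-1]
            else:                              # action / protocol
                rule[tok[6]] = tok[7]
    return rulesets

def matches(rule, pkt):  # criteria a rule omits are wildcards
    in_group = lambda g: any(ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(n)
                             for n in GROUPS[g])
    return (rule.get("protocol", "all") in ("all", pkt["proto"])
            and (not rule["states"] or pkt["state"] in rule["states"])
            and ("dst_port" not in rule or int(rule["dst_port"]) == pkt["dport"])
            and ("dst_group" not in rule or in_group(rule["dst_group"])))

def verdict(rulesets, name, pkt):  # lowest-numbered matching rule wins, else default-action
    rs = rulesets[name]
    hits = [r for _, r in sorted(rs["rules"].items()) if matches(r, pkt)]
    return hits[0]["action"] if hits else rs["default"]
```

Running it shows why rule 10 must precede rule 20: return traffic for flows the protected LANs open toward IoT devices still passes, while anything IoT initiates toward PROTECTED_NETWORKS is dropped. It also shows that only UDP 53 reaches the router itself, so DNS over TCP from IoT clients falls through to the BLOCK_LOCAL default drop.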
Related
- Edgerouter X First Time Setup
- VLANs on Ubiquiti EdgeRouterX
Links
- https://www.ui.com/edgemax/edgerouter-x/