A Professional Router at a Consumer Price
I really enjoy working on and improving my home network, and I am regularly looking for the next thing to tweak or try. So it was a natural progression for me to move from the standard router that my ISP provides to a more professional piece of equipment like the Ubiquiti EdgeRouter-X.
Ubiquiti has a variety of IT products and devices that are perfect for small or medium business but can also work great at home without breaking the bank. The EdgeRouter-X is probably one of the best entry points into the EdgeRouter line of products by Ubiquiti. What you get for the sub $100 price point is a highly configurable router that is perfect for home use whether you have a few devices or hundreds.
Where the ER-X really shines is in how flexibly it can be configured to support more than a single flat network; your run-of-the-mill ISP router / AP combo is limited in this area. In my home network, I have both wired and wireless clients, smart devices, a virtual lab for testing and some infrastructure services and servers. The ER-X allows me to configure my network in the best possible way so that it is properly organized and segregated where necessary. I could just dump all of my devices onto one subnet, but where’s the fun in that? (Not to mention, where’s the security?)
I will definitely have additional posts highlighting different parts of my home network and the equipment I use there, but for now, let’s dive into my setup and guide for creating a three-zone firewall on the ER-X.
Common sense disclaimer – the information below relates to configuring a firewall on an internet-facing device. Follow this guide at your own risk and use common sense and disconnect from the internet before working on your firewall. Also, since this is a long guide and since no one is perfect, please leave a comment if you encounter any errors. Thanks!
Ports and Interface-Based Firewall
Before I do a quick run-down of zone-based vs. interface-based firewalls, there is some nomenclature worth mentioning.
The ports on the router are named eth0 through eth4, which gives you a total of five physical ports. The ER-X has a built-in switch: any port you add to it is switched in hardware and appears to EdgeOS as part of a single interface called “switch0”, while a port that is not in the switch behaves as an independent routed interface with its own subnet. For the purposes of this article, I will refer to switch0 as the LAN side of the router.
In the basic WAN + LAN setup, eth0 is set as the WAN and the remaining ports (eth1 – eth4) are added to switch0 (the LAN group). The firewall the setup wizard creates is bound to those two interfaces, eth0 and switch0: its rulesets (WAN_IN for traffic from the WAN into the LAN, and WAN_LOCAL for traffic from the WAN to the router itself) default to “drop” and accept only established and related traffic. Clients can initiate connections from the LAN to the WAN and the replies are let back in, but nothing on the WAN side can initiate a connection inward. This standard rule, together with NAT, is what keeps your LAN safe from intrusion from the WAN side.
The thing to remember here is that this firewall configuration is based solely on those two interfaces, eth0, and switch0.
If we want to take our firewall a step further, we can define zones, assign interfaces to them, and attach a firewall ruleset to each direction of traffic between zones. This lets us give specific ports, subnets or VLANs their own firewall policy while still managing everything through the ER-X web interface. One caveat: the initial setup is best done through the command-line interface (CLI), since entering all of these changes through the web interface would be time-consuming.
In my case, my network is set up with three zones: WAN, LAN (trusted) and DMZ. The reason for wanting a DMZ as well as a regular trusted LAN was originally to segregate my lab environment, but it also works perfectly to separate my IoT VLAN and Guest WiFi VLAN, which I’ll explain later in this article. Although my DMZ does not contain any externally-facing services that a traditional DMZ might hold (like a web server), for simplicity’s sake and for this guide it will still be called the DMZ.
One more thing worth mentioning: an interface that is already part of the switch0 group has to be removed from that group before it can be assigned to a zone of its own. In my example I set eth3 as my DMZ zone’s interface, but I had to take eth3 out of the switch0 group before assigning it to the DMZ zone. This is because switch0 is in the LAN zone, so eth3 can’t be part of switch0 (and therefore in the LAN) and part of the DMZ zone at the same time.
Create The Firewall Rulesets
Before we create zones, we need to create the rulesets that the zones will reference. Essentially, we need a ruleset for every direction traffic might flow between two zones. Also, a three-zone firewall actually has four zones, since the router itself is considered the “LOCAL” zone: traffic to and from the router’s own services (DNS, DHCP, the web UI, SSH) is filtered by the rulesets attached to LOCAL, not by the LAN or DMZ rulesets.
Four zones give twelve ordered pairs, so technically we could write twelve firewall rulesets, but we can simplify this to just six by sharing one ruleset wherever the policy is the same regardless of destination.
We can do this because the LOCAL zone (the router) should always be able to communicate to any other zone, otherwise it wouldn’t be functioning as a router.
So right away, let’s condense:

- LOCAL TO WAN
- LOCAL TO DMZ
- LOCAL TO LAN

into a single ruleset, LOCAL TO ALL.

Also, since the LAN is going to be our trusted zone, we can allow traffic to flow from it to any other zone. Just remember, we will still have other rulesets that restrict flow into the trusted LAN.

So again we can condense the LAN rules from:

- LAN TO WAN
- LAN TO DMZ
- LAN TO LOCAL

into LAN TO ALL.

Same thing for the WAN rules, where the policy is identical no matter where the traffic is headed:

- WAN TO LAN
- WAN TO DMZ
- WAN TO LOCAL

become WAN IN.

So here are our six firewall rulesets:

- DMZ TO WAN
- DMZ TO LAN
- DMZ TO LOCAL
- LAN TO ALL
- LOCAL TO ALL
- WAN IN

These rulesets cover all twelve possible traffic flows, and now that we have them named we can create the individual rules within each one. Only the three DMZ rulesets are written per destination, because the DMZ is the one zone where the answer depends on where the traffic is going (internet yes, LAN no, router only for DNS and DHCP). Sharing a ruleset has a consequence worth keeping in mind: a rule you add to WAN IN later (to let some inbound service through, say) applies to every zone WAN IN protects, so scope such rules to a destination address, or split the ruleset back up if the LAN, the DMZ and the router need different answers.
To get started, log into your ER-X and open the terminal from the top right (CLI button). You’ll be prompted to log in again. You can also do this through an SSH client like PuTTY; just make sure SSH is enabled on your router.
At the terminal, type configure and press enter to enter configuration mode. Any changes you make here are queued but not applied until you type commit and press enter, and not written to the boot config until you type save.
The commands to create the rulesets and individual rules are as follows:
```
edit firewall name WAN_IN
set default-action drop
set rule 1 action accept
set rule 1 description "Established and related"
set rule 1 log disable
set rule 1 protocol all
set rule 1 state established enable
set rule 1 state related enable
```

(The description has spaces in it, so it has to be quoted or the CLI will reject the command.)

**NOTE** - if you used the default setup wizard you already have a ruleset called WAN_IN (and a matching WAN_LOCAL) attached directly to eth0. Detach them from the interface (the wizard puts them under interfaces ethernet eth0 firewall) and delete them before entering the commands above: a ruleset that is still attached to an interface can’t be deleted, and the interface-based and zone-based policies are not meant to run side by side. And obviously make sure your router is physically disconnected from the internet while its firewall is in pieces!
This sets up the basic firewall separating the internet from our network:
- Creates the WAN_IN ruleset
- Sets the default action to “drop”, so anything no rule accepts is discarded
- Creates rule 1, titled “Established and related”
- Turns off logging for that rule (optional)
- Matches all protocols
- Matches only packets that connection tracking considers part of an established or related connection, i.e. replies to connections that were opened from inside
With these commands set, we need to exit this firewall ruleset, so we can start on the next one. Type “exit” and press enter.
Enter the remaining firewall ruleset commands, remembering to exit after each block to start the next one.
```
edit firewall name LOCAL_TO_ALL
set default-action accept
exit

edit firewall name LAN_TO_ALL
set default-action accept
exit

edit firewall name DMZ_TO_WAN
set default-action accept
exit

edit firewall name DMZ_TO_LAN
set default-action drop
exit

edit firewall name DMZ_TO_LOCAL
set default-action drop
set rule 1 action accept
set rule 1 description dns
set rule 1 log disable
set rule 1 protocol udp
set rule 1 destination port 53
set rule 2 action accept
set rule 2 description dhcp
set rule 2 log disable
set rule 2 protocol udp
set rule 2 destination port 67-68
exit
```
Take note of how DMZ_TO_LOCAL is different: it lets DNS and DHCP through to the router, on the assumption that the router provides those services. Two EdgeOS details matter here. A rule that names a port must also name a protocol (udp, tcp or tcp_udp) or the commit fails, which is why each rule above carries a protocol line; and DNS falls back to TCP for large answers, so tcp_udp on the dns rule is the more complete choice if your clients need it. If another server provides DNS, the equivalent rule belongs in DMZ_TO_LAN (assuming that server sits in the LAN), ideally scoped to that server’s address rather than the whole LAN. DHCP is different: a DMZ client’s DHCP discover is a broadcast on eth3 and will not be routed to a server in the LAN, so for DHCP you keep the rule in DMZ_TO_LOCAL and have the router relay the requests to your server. Also note that DMZ_TO_LOCAL has no established/related rule, so the router itself cannot open a connection into the DMZ and get the replies back (a ping from the router to a DMZ host, for instance); add one if you need that.
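What the “server in the LAN” variant looks like, as an added example rather than the author’s configuration: the DNS rule moves to DMZ_TO_LAN and is pinned to one host, while DHCP stays in DMZ_TO_LOCAL and the router relays it. The resolver address 192.168.1.10, a LAN of 192.168.1.0/24 on switch0 and the use of tcp_udp for DNS are assumptions.

```text
configure

edit firewall name DMZ_TO_LAN
set default-action drop
set rule 1 action accept
set rule 1 description "dns to the LAN resolver only"
set rule 1 log disable
set rule 1 protocol tcp_udp
set rule 1 destination address 192.168.1.10
set rule 1 destination port 53
exit

# DMZ_TO_LOCAL keeps its udp 67-68 rule: a client's discover is a broadcast
# that ends at the router, which relays it. LOCAL_TO_ALL carries the relayed
# request into the LAN and the offer back into the DMZ; LAN_TO_ALL carries
# the server's reply to the router.
set service dhcp-relay interface eth3
set service dhcp-relay interface switch0
set service dhcp-relay server 192.168.1.10
set service dhcp-relay relay-options relay-agents-packets discard

commit
save
exit
```

With this in place the dns rule in DMZ_TO_LOCAL is only needed if the router also forwards DNS; otherwise it can be deleted, so the only thing DMZ clients can reach on the router is DHCP.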
Now would be a good time to check our work, so after exiting the last firewall ruleset, type commit and hit enter. If all goes well, you should not get any error messages. However, we also need to save these to the boot config so they aren’t lost after a reboot. Type “save” and hit enter.
You can then log into your router’s web interface and view the rulesets you just created.
Create The Zones
With our rulesets created we can now create the zones and apply interfaces and rulesets to them.
See below these commands for a description of what they do.
```
set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action drop
set zone-policy zone WAN from LAN firewall name LAN_TO_ALL
set zone-policy zone WAN from DMZ firewall name DMZ_TO_WAN
set zone-policy zone WAN from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone LAN interface switch0
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from DMZ firewall name DMZ_TO_LAN
set zone-policy zone LAN from WAN firewall name WAN_IN
set zone-policy zone LAN from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone DMZ interface eth3
set zone-policy zone DMZ default-action drop
set zone-policy zone DMZ from WAN firewall name WAN_IN
set zone-policy zone DMZ from LAN firewall name LAN_TO_ALL
set zone-policy zone DMZ from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from DMZ firewall name DMZ_TO_LOCAL
set zone-policy zone LOCAL from LAN firewall name LAN_TO_ALL
set zone-policy zone LOCAL from WAN firewall name WAN_IN
```
The first line in each block creates the zone and assigns the specified interface to it. So the first command in the list creates a zone called “WAN” and adds the eth0 interface to it. The LOCAL zone is the exception: local-zone marks it as the router itself, so it has no interface.
The second line sets the default action for the zone, which should always be “drop”.
The next three lines for each zone specify what firewall rulesets should be applied to the traffic coming into the zone, based on where that traffic is coming from. For example, traffic coming into the LAN from the WAN would be subject to the firewall ruleset “WAN_IN”. These are the rulesets we created earlier.
Once you’ve entered these commands, type “commit”, then “save” if you didn’t get any error messages.
At this point, the three zone firewall is configured as follows:
Clients that you connect to switch0 (eth1, 2 and 4) are in the LAN zone and can get out to the web. Clients connected to eth3 are in the DMZ and can get out to the web and send DNS and DHCP requests to the router, but can’t talk to clients in the LAN or open a management session with the router (the web UI and SSH live in LOCAL, and DMZ_TO_LOCAL accepts nothing but DNS and DHCP). Lastly, of course, your network is safely behind the WAN_IN ruleset.
You can view all of these zones in the Config Tree tab in the router’s web interface. Drill down to zone-policy > zone to see the list of zones you created. You can also make individual changes here if needed. To check that the policy behaves as described, plug a client into eth3 and try to reach a LAN host and the router’s web UI (both should time out), then something on the internet (should work); back in the CLI’s operational mode, show firewall name DMZ_TO_LAN statistics should show the default-action drop counter climbing while you do this.
You can stop here if you don’t need VLANs, but you still need to do two more things before the DMZ network is usable.
1) Assign an IP address to eth3. It needs to be in a subnet of its own, not the one your LAN uses: if your LAN is 192.168.1.1/24, eth3 can use something like 10.0.0.1/24. Select actions > config on eth3 in the dashboard to set the IP.
2) Create a DHCP server for the eth3 network that matches that subnet. This can be done under the Services tab. Enter the subnet you gave the interface, the interface address as the default router, and a DNS server: either the router’s own address (that is what the dns rule in DMZ_TO_LOCAL is for, and the router’s DNS forwarder then has to be listening on eth3) or your upstream resolver directly (then DNS simply goes out through DMZ_TO_WAN). Save and test by connecting a client to eth3 and verifying it gets an IP and has internet access.
What About VLANs?
You may be wondering about the VLANs I mentioned earlier, so let’s go over that topic. The zone-based firewall we just set up is tied only to the physical interfaces on the router itself: eth0 is in the WAN zone, eth3 is in the DMZ zone and the other switch ports are in the LAN zone. That gives us only three ports for LAN clients and one for a DMZ client, so if we want to segregate more devices we need to create VLANs on the router and use VLAN tagging on a device that supports it, like a managed switch or an access point.
An easily approachable device that supports VLAN tagging is the Ubiquiti Unifi Access Point. I have the UAP-AC-Lite version and I run three SSIDs on it: LAN, IoT and Guest. If I want to segregate traffic three ways, I need to use VLAN tagging to achieve this, since the physical access point can only be plugged into one port.
Create the VLAN
It is simple to create a new VLAN on the EdgeRouter-X: just click the add interface button near the top left of the dashboard screen (just below the graphs). Enter a VLAN ID and interface. The interface you choose depends on where your access point or managed switch will be plugged in. So in my example network, I would plug my AP into eth4, which is part of switch0, so my VLAN should be on switch0.
Specify a name and manually enter the address that you’d like the VLAN to have (similar to what I mentioned above for the DMZ example). It must be in a subnet of its own, distinct from the LAN and from eth3. Click save and the VLAN will appear at the bottom of the dashboard list as switch0 followed by the VLAN ID.
Add the VLAN to a Zone
We need to add our newly created VLAN to a zone. In this example I am adding the VLAN to the DMZ zone, which applies the DMZ zone’s rulesets to it: its clients can reach the internet and the router’s DNS and DHCP, but not the LAN. One thing to be aware of: zone-policy only filters traffic between zones. Interfaces inside the same zone can talk to each other without restriction, so a client on the VLAN can reach a device plugged into eth3, and any other VLAN you later add to the DMZ. If two groups must be kept apart from each other as well as from the LAN, they need separate zones.
Open the Config Tree tab and drill down to the DMZ zone (zone-policy > zone > DMZ > interface). You should see one interface listed if you followed this guide: eth3. Click the add button and enter the name of the VLAN interface you just created (switch0.18 in this example, i.e. VLAN 18 on switch0). This adds VLAN 18 to the DMZ zone. Click preview, then apply to make the change.
In my case, my IoT and Guest VLANs are added to the DMZ so I can be sure they are isolated and firewalled.
DHCP for VLAN
Finally, you will want to create a new DHCP server under the Services tab (as mentioned above for the eth3/DMZ network) for this VLAN.
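The CLI equivalents of the eth3 steps (address and DHCP server) and of the VLAN steps (create switch0.18, add it to the DMZ zone, give it a DHCP server), as an added example rather than the author’s own configuration. Everything here is one configure session; the subnets 10.0.0.0/24 for eth3 and 10.0.18.0/24 for VLAN 18, the lease ranges, the AP hanging off eth4, and the router acting as the DNS forwarder for both networks are assumptions.

```text
configure

# eth3 can't be a zone interface while it is still a switch0 port; skip if done already
delete interfaces switch switch0 switch-port interface eth3

# DMZ on the physical port: an address for eth3 and a DHCP scope to match it
set interfaces ethernet eth3 description DMZ
set interfaces ethernet eth3 address 10.0.0.1/24
set service dhcp-server shared-network-name DMZ authoritative enable
set service dhcp-server shared-network-name DMZ subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name DMZ subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name DMZ subnet 10.0.0.0/24 lease 86400
set service dhcp-server shared-network-name DMZ subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.200

# VLAN 18 on switch0 (the AP is on eth4, a switch0 port): same treatment
set interfaces switch switch0 vif 18 description IoT
set interfaces switch switch0 vif 18 address 10.0.18.1/24
set service dhcp-server shared-network-name IoT authoritative enable
set service dhcp-server shared-network-name IoT subnet 10.0.18.0/24 default-router 10.0.18.1
set service dhcp-server shared-network-name IoT subnet 10.0.18.0/24 dns-server 10.0.18.1
set service dhcp-server shared-network-name IoT subnet 10.0.18.0/24 lease 86400
set service dhcp-server shared-network-name IoT subnet 10.0.18.0/24 start 10.0.18.100 stop 10.0.18.200

# the VLAN interface joins the DMZ zone, so the DMZ_TO_* rulesets now apply to it
set zone-policy zone DMZ interface switch0.18

# assumed: the router's own DNS forwarder answers these clients. It only replies
# on interfaces it listens on, and the dns rule in DMZ_TO_LOCAL is what lets
# the queries reach it
set service dns forwarding listen-on eth3
set service dns forwarding listen-on switch0.18

commit
save
exit
```

If you hand out an upstream resolver as dns-server instead, drop the two listen-on lines; the queries then leave through DMZ_TO_WAN and the router is never asked.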
Now you can tag one or more of your wireless networks on the Unifi AP with the VLAN ID you just set up. Traffic arriving on that SSID is tagged into its VLAN, kept out of the LAN by the DMZ rulesets, and has no path to the router other than DNS and DHCP. One of the great things about this setup is that you can create any number of VLANs and add them to the DMZ without rewriting your firewall rules each time. If you created a new zone each time you needed to isolate traffic, you would greatly increase the number of to-and-from rulesets that would need to be set up. The trade-off: zone-policy filters only between zones, so a Guest VLAN and an IoT VLAN that share the DMZ zone are isolated from the LAN, not from each other.
I hope you’ve found this guide helpful and as always, thanks for reading!