The EdgeRouter X by ubnt (Ubiquiti) is an inexpensive router with a lot of advanced features. Its downsides are a GUI that is hard to figure out and very little available documentation. But once you get to know it there is a lot you can do with it.
What I will focus on is the case where you have two networks on the router and want to create a firewall between them. This is useful, for example, where you have one secure network and one that is not that secure [a wireless network, etc.] and you want to protect the secure network from any attack that may come from the non-secure one.
A ubnt router can be configured per port: you can have as many networks as the router has ports (without VLANs, although VLANs are supported as well).
Let's start with an example. We have two networks: 192.168.1.0/24 (router address 192.168.1.1) on eth0, which is the non-secure network, and 192.168.2.0/24 (router address 192.168.2.1) on switch0, which spans eth2/eth3/eth4/eth5 (eth1 is used for the WAN) and is the secure network. We want to stop the .1.0 network from reaching the .2.0 network and from reaching the router's management interface.
1- Create a firewall port group that contains the ssh port (22), http (80), https (443) and telnet (23).
2- Go to the Firewall/NAT tab, Firewall / Add Ruleset, name it and set the default action to accept.
3- On the newly created ruleset go to Actions / Configuration / Rules / Add New Rule. Name it, set the action to drop, then on the Advanced tab check established, new and related, and under Destination / Address enter [in our example] 192.168.2.0/24. Save. On the Interfaces tab select eth0 (the non-secure network), add a second interface and select switch0; both with direction IN.
Note: you may wonder why the direction on eth0 is IN when what we are blocking is eth0 reaching OUT to switch0. From the router's point of view IN means packets entering the router through that interface, i.e. coming from devices on the eth0 network; OUT means packets leaving the router through that interface, and LOCAL means packets addressed to the router itself.
A second question you may have is why the switch0 interface needs to be added at all, since all we restrict is the non-secure network [eth0]. The answer is that it works with only eth0 selected; guides online recommend selecting both for performance reasons, but I have not found an explanation. Attached to switch0 in direction IN the rule can only match packets from the secure network addressed to its own subnet, which normally never pass through the router, so it is harmless.
One more point: if you do not check new (only established and related) in the Advanced tab, a ping from the non-secure network to the secure network gets one reply and the other three are blocked (request timed out). The reason is connection tracking: the first echo request is in state new and does not match the drop rule, but once the reply has created a tracking entry the following requests with the same ICMP id arrive as established and are dropped.
4- Create a new ruleset, name it, and set the default action to accept.
5- In this one create three rules. 1- Name it, action drop; on the Advanced tab check established, related and, as in step 3, new (otherwise the first packet of each connection is let through); as destination select the port group created in step 1 (with protocol TCP). 2- Name it, action drop, the same state settings, destination 192.168.1.0/24. 3- Name it, action drop, the same state settings, destination 192.168.2.0/24 [you need to block both .1.0 and .2.0 because the web interface is reachable from either network on either of the router's addresses]. On the Interfaces tab select eth0, and this time choose direction LOCAL.
Note that rules 2 and 3 drop every packet from eth0 addressed to the router itself, not only the management ports. If the router is also the DNS forwarder or DHCP server for the non-secure network, DNS queries to 192.168.1.1 and unicast DHCP renewals would be dropped as well, so add accept rules for DNS (53) and DHCP (UDP 67) above them. Rules are evaluated in order and the default action only applies when no rule matches.
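The same configuration as an EdgeOS CLI script, which is what the "set it up once and reuse it" approach looks like. This is an added example, not the article's own configuration: the group and ruleset names (MGMT_PORTS, UNSECURE_IN, UNSECURE_LOCAL) and the rule numbers are my choices, and the DNS/DHCP accept rules 10 and 20 in the local ruleset are an assumption, needed only if the router serves DNS or DHCP to the non-secure network. The rest mirrors steps 1 to 5 above.

```edgeos
#!/bin/vbash
# Run on the router as an admin user; the script-template provides the
# configure/set/commit/save functions used below.
source /opt/vyatta/etc/functions/script-template
configure

# Step 1: port group with the router management ports
set firewall group port-group MGMT_PORTS description 'Router management ports'
set firewall group port-group MGMT_PORTS port 22
set firewall group port-group MGMT_PORTS port 23
set firewall group port-group MGMT_PORTS port 80
set firewall group port-group MGMT_PORTS port 443

# Steps 2-3: ruleset for packets entering the router from the non-secure LAN
set firewall name UNSECURE_IN default-action accept
set firewall name UNSECURE_IN description 'Non-secure LAN to secure LAN'
set firewall name UNSECURE_IN rule 10 action drop
set firewall name UNSECURE_IN rule 10 description 'Block non-secure LAN from secure LAN'
set firewall name UNSECURE_IN rule 10 state new enable
set firewall name UNSECURE_IN rule 10 state established enable
set firewall name UNSECURE_IN rule 10 state related enable
set firewall name UNSECURE_IN rule 10 destination address 192.168.2.0/24

# Steps 4-5: ruleset for packets from the non-secure LAN addressed to the router
set firewall name UNSECURE_LOCAL default-action accept
set firewall name UNSECURE_LOCAL description 'Non-secure LAN to router'
# Rules 10 and 20 are an assumption added here: keep DNS and DHCP to the
# router working if it serves them to the non-secure LAN. Remove if it does not.
set firewall name UNSECURE_LOCAL rule 10 action accept
set firewall name UNSECURE_LOCAL rule 10 description 'Allow DNS to router'
set firewall name UNSECURE_LOCAL rule 10 protocol tcp_udp
set firewall name UNSECURE_LOCAL rule 10 destination port 53
set firewall name UNSECURE_LOCAL rule 20 action accept
set firewall name UNSECURE_LOCAL rule 20 description 'Allow DHCP to router'
set firewall name UNSECURE_LOCAL rule 20 protocol udp
set firewall name UNSECURE_LOCAL rule 20 destination port 67
# Rule 30 = article rule 1: management ports (port groups need a protocol)
set firewall name UNSECURE_LOCAL rule 30 action drop
set firewall name UNSECURE_LOCAL rule 30 description 'Block management ports'
set firewall name UNSECURE_LOCAL rule 30 protocol tcp
set firewall name UNSECURE_LOCAL rule 30 destination group port-group MGMT_PORTS
set firewall name UNSECURE_LOCAL rule 30 state new enable
set firewall name UNSECURE_LOCAL rule 30 state established enable
set firewall name UNSECURE_LOCAL rule 30 state related enable
# Rules 40 and 50 = article rules 2 and 3: anything else to either router address
set firewall name UNSECURE_LOCAL rule 40 action drop
set firewall name UNSECURE_LOCAL rule 40 description 'Block router address on eth0'
set firewall name UNSECURE_LOCAL rule 40 destination address 192.168.1.0/24
set firewall name UNSECURE_LOCAL rule 40 state new enable
set firewall name UNSECURE_LOCAL rule 40 state established enable
set firewall name UNSECURE_LOCAL rule 40 state related enable
set firewall name UNSECURE_LOCAL rule 50 action drop
set firewall name UNSECURE_LOCAL rule 50 description 'Block router address on switch0'
set firewall name UNSECURE_LOCAL rule 50 destination address 192.168.2.0/24
set firewall name UNSECURE_LOCAL rule 50 state new enable
set firewall name UNSECURE_LOCAL rule 50 state established enable
set firewall name UNSECURE_LOCAL rule 50 state related enable

# Attach the rulesets: IN on eth0 (and switch0, as in step 3), LOCAL on eth0
set interfaces ethernet eth0 firewall in name UNSECURE_IN
set interfaces switch switch0 firewall in name UNSECURE_IN
set interfaces ethernet eth0 firewall local name UNSECURE_LOCAL

commit
save
exit
```

Copy the file to the router, make it executable and run it; afterwards the groups and rulesets appear in the GUI under Firewall/NAT exactly as if they had been built through the steps above. Rules are evaluated in ascending number order, which is why the DNS/DHCP accepts sit below the drops numerically but above them in evaluation; the gaps of ten leave room to insert rules later without renumbering.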
YouTube and help.ubnt.com show a different, more complicated way to do this, and I could not figure out why all of those steps are necessary.
Note that all of this can be done with scripts, so you can set it up once and then reuse it for all your clients.
I welcome any comments.