public:er-x

public:er-x [2025/05/16 02:24] – created daniel
public:er-x [2025/05/16 02:25] (current) – created again daniel
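--- a/public:er-x
+++ b/public:er-x
@@ -1 +1,253 @@
-foo
+====General Config====
+
+//[[https://help.uisp.com/hc/en-us/sections/22589717213591-EdgeRouter|EdgeOS]] reportedly mimics [[https://en.m.wikipedia.org/wiki/VyOS|VyOS]]//
+
+Commit ephemeral configuration; save configuration to survive restart
+  commit
+  save
+
+Set password
+  set system login user ubnt authentication plaintext-password <myNewPassword>
+
+Destroy configuration and restore defaults
+  sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
+  reboot
+
+Disable GUI old ciphers, unms, and ubnt-discovery
+  set service gui older-ciphers disable
+  set service unms disable
+  set service ubnt-discover disable
+  set service ubnt-discover-server disable
+
+Set upstream NTP server
+  set system ntp server ntp.example.com
+
+Review, clear default interface addresses and PoE
+  show interfaces ethernet
+  set interfaces ethernet eth0 poe output off
+  delete interfaces ethernet eth0 address
+  delete interfaces ethernet eth1 address dhcp
+
+Activate DHCP client on an interface for use as WAN
+  set interfaces ethernet eth0 address dhcp
+  release dhcp interface eth0
+  renew dhcp interface eth0
+
+Re-enable a disabled interface
+  delete interfaces ethernet eth0 disable
+
+Global Settings
+
+reference 
+[[https://help.uisp.com/hc/en-us/articles/22591077433879-EdgeRouter-Hardware-Offloading|help.uisp.com]]
+
+  set system offload hwnat enable
+  set system host-name myRouter
+  set system domain-name example.com
+  set system domain-search example.net
+  set system analytics-handler send-analytics-report false
+  set system crash-handler send-crash-report false
+
+
+====VLAN Segmentation with IPv4====
+
+reference 
+[[https://www.vanwerkhoven.org/blog/2022/home-network-configuration/|vanwerkhoven.org]]
+
+Review, assign LAN interfaces to switch0
+  show interfaces switch switch0 switch-port
+  set interfaces switch switch0 switch-port interface eth1
+  set interfaces switch switch0 switch-port interface eth2
+  set interfaces switch switch0 switch-port interface eth3
+  set interfaces switch switch0 switch-port interface eth4
+
+Review, delete existing 802.1Q VLANs; create new ones
+  show interfaces switch switch0 vif
+  delete interfaces switch switch0 vif
+  
+  set interfaces switch switch0 vif 1 address 192.168.1.1/24
+  set interfaces switch switch0 vif 1 description LAN
+  
+  set interfaces switch switch0 vif 99 address 10.0.0.1/24
+  set interfaces switch switch0 vif 99 description CONFIG
+
+Enable 802.1Q VLANs
+  set interfaces switch switch0 switch-port vlan-aware enable
+
+Apply VLANs to interfaces
+  set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
+  set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
+  set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
+  set interfaces switch switch0 switch-port interface eth4 vlan pvid 99
+
+//an interface may have many VIDs, but only one PVID//
+
+Review, delete existing DHCP service; create new pools
+  show dhcp statistics
+  delete service dhcp-server
+  
+  set service dhcp-server shared-network-name vlan1 authoritative enable
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 default-router 192.168.1.1
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 203.0.113.113
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 203.0.113.114
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 lease 86400
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 domain-name example.com
+  
+  set service dhcp-server shared-network-name vlan99 authoritative enable
+  set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 default-router 10.0.0.1
+  set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 dns-server 10.0.0.1
+  set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 lease 86400
+  set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.200
+  set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 domain-name lan
+
+Review, enable DHCP service; show a pool
+  show service dhcp-server
+  set service dhcp-server disabled false
+  show dhcp leases pool vlan1
+
+Map a MAC to specific IP (static assignment)
+  set system static-host-mapping host-name myserver inet 192.168.1.42
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver ip-address 192.168.0.42
+  set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver mac-address 00:00:5E:00:53:01
+
+Create, review NAT service
+  set service nat rule 5010 description 'masquerade for WAN'
+  set service nat rule 5010 outbound-interface eth0
+  set service nat rule 5010 type masquerade
+  set service nat rule 5010 protocol all
+  set service nat rule 5010 log disable
+  
+  show service nat
+
+Establish port forwarding
+//(requires appropriate firewall rules)//
+
+  set port-forward auto-firewall enable
+  set port-forward hairpin-nat enable
+  set port-forward wan-interface eth0
+  set port-forward lan-interface switch0.1
+  
+  set port-forward rule 10 description 'SSH'
+  set port-forward rule 10 forward-to address 192.168.1.42
+  set port-forward rule 10 forward-to port 22
+  set port-forward rule 10 original-port 22
+  set port-forward rule 10 protocol tcp
+
+====Create IPv4 Zone-based Firewall====
+
+reference 
+[[https://help.ui.com/hc/en-us/articles/115003173168-Zone-Based-Firewalls-in-UniFi|help.ui.com]], 
+[[https://lazyadmin.nl/home-network/unifi-zone-based-firewall/|lazyadmin.nl]], 
+[[https://kings-guard.com/the-unifi-zone-based-firewall-is-a-game-changer/|kings-guard.com]], 
+[[https://help.uisp.com/hc/en-us/articles/22591199546007-EdgeRouter-Packets-Processing|help.uisp.com]] 
+[[https://www.forshee.me/ubiquiti-edgerouter-lite-setup-part-2-firewall-setup/|forshee.me]]
+
+Review zones and the firewalls applied to them; delete all zones
+  show zone-policy zone
+  
+  delete zone-policy zone
+
+Define inter-zone firewall policies and their rules
+  set firewall name FW_ACCEPT default-action accept
+  set firewall name FW_ACCEPT rule 10 action reject
+  set firewall name FW_ACCEPT rule 10 description 'Reject invalid'
+  set firewall name FW_ACCEPT rule 10 log disable
+  set firewall name FW_ACCEPT rule 10 state invalid enable
+  
+  
+  set firewall name FW_EST default-action drop
+  set firewall name FW_EST rule 10 action accept
+  set firewall name FW_EST rule 10 description 'All established'
+  set firewall name FW_EST rule 10 log disable
+  set firewall name FW_EST rule 10 state established enable
+  
+  
+  set firewall name FW_WAN_TO_LAN default-action drop
+  set firewall name FW_WAN_TO_LAN rule 10 action accept
+  set firewall name FW_WAN_TO_LAN rule 10 description 'All established'
+  set firewall name FW_WAN_TO_LAN rule 10 log disable
+  set firewall name FW_WAN_TO_LAN rule 10 state established enable
+  
+  set firewall name FW_WAN_TO_LAN rule 20 action accept
+  set firewall name FW_WAN_TO_LAN rule 20 description 'myserver http/s'
+  set firewall name FW_WAN_TO_LAN rule 20 log disable
+  set firewall name FW_WAN_TO_LAN rule 20 state new enable
+  set firewall name FW_WAN_TO_LAN rule 20 destination address 192.168.1.42
+  set firewall name FW_WAN_TO_LAN rule 20 protocol tcp
+  set firewall name FW_WAN_TO_LAN rule 20 destination port 80,443
+  
+  set firewall name FW_WAN_TO_LAN rule 30 action accept
+  set firewall name FW_WAN_TO_LAN rule 30 description 'myserver ssh'
+  set firewall name FW_WAN_TO_LAN rule 30 log disable
+  set firewall name FW_WAN_TO_LAN rule 30 state new enable
+  set firewall name FW_WAN_TO_LAN rule 30 destination address 192.168.1.42
+  set firewall name FW_WAN_TO_LAN rule 30 protocol tcp
+  set firewall name FW_WAN_TO_LAN rule 30 destination port 22
+  
+  
+  set firewall name FW_ROUTER_NMP default-action drop
+  set firewall name FW_ROUTER_NMP rule 10 action accept
+  set firewall name FW_ROUTER_NMP rule 10 description 'Router dns'
+  set firewall name FW_ROUTER_NMP rule 10 log disable
+  set firewall name FW_ROUTER_NMP rule 10 protocol udp
+  set firewall name FW_ROUTER_NMP rule 10 destination port 53
+  
+  set firewall name FW_ROUTER_NMP rule 20 action accept
+  set firewall name FW_ROUTER_NMP rule 20 description 'Router dhcp'
+  set firewall name FW_ROUTER_NMP rule 20 log disable
+  set firewall name FW_ROUTER_NMP rule 20 protocol udp
+  set firewall name FW_ROUTER_NMP rule 20 destination port 67,68
+
+//TCP requires SYN (state new) and ACK (state established) rules!//
+
+Review firewall policies; delete one
+  show firewall name
+  
+  delete firewall name FW_OOPSIE
+
+Define the zones and apply firewall policies to inter-zone traffic flows
+  set zone-policy zone CONFIG interface switch0.99
+  set zone-policy zone CONFIG default-action drop
+  #set zone-policy zone CONFIG from LAN firewall name FW_DROP
+  set zone-policy zone CONFIG from LOCAL firewall name FW_ACCEPT
+  #set zone-policy zone CONFIG from WAN firewall name FW_DROP
+  
+  set zone-policy zone LAN interface switch0.1
+  set zone-policy zone LAN default-action drop
+  #set zone-policy zone LAN from CONFIG firewall name FW_DROP
+  set zone-policy zone LAN from LOCAL firewall name FW_ACCEPT
+  set zone-policy zone LAN from WAN firewall name FW_WAN_TO_LAN
+  
+  set zone-policy zone LOCAL local-zone
+  set zone-policy zone LOCAL default-action drop
+  set zone-policy zone LOCAL from CONFIG firewall name FW_ROUTER_NMP
+  #set zone-policy zone LOCAL from LAN firewall name FW_DROP
+  set zone-policy zone LOCAL from WAN firewall name FW_EST
+  
+  set zone-policy zone WAN interface eth0
+  set zone-policy zone WAN default-action reject
+  #set zone-policy zone WAN from CONFIG firewall name FW_DROP
+  set zone-policy zone WAN from LAN firewall name FW_ACCEPT
+  set zone-policy zone WAN from LOCAL firewall name FW_ACCEPT
+
+//the zone's default-action renders commented directives unnecessary//
+
+//nmap detects drop as "filtered," and reject as "closed"//
+
+Review zones and the firewall policies applied to them
+  show zone-policy zone
+
+Restrict SSH and GUI to CONFIG VLAN
+  set service ssh listen-address 10.0.0.1
+  set service gui listen-address 10.0.0.1
+
+Miscellaneous global directives to consider
+  set firewall all-ping enable
+  set firewall broadcast-ping disable
+  set firewall ip-src-route disable
+  set firewall log-martians enable
+  set firewall receive-redirects disable
+  set firewall send-redirects enable
+  set firewall source-validation disable
+  set firewall syn-cookies enable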
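Review bot: The DHCP static mapping under "Map a MAC to specific IP" points at `static-mapping myserver ip-address 192.168.0.42`, which lies outside the 192.168.1.0/24 subnet it is declared in and disagrees with the host mapping, the port-forward target and the FW_WAN_TO_LAN rules 20 and 30, which all use 192.168.1.42; it should read `set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver ip-address 192.168.1.42`. As written the mapping will presumably be rejected at commit or hand the host an address that the WAN-exposed SSH/HTTP rules are not scoped to, so the intended host would not be the one reachable through the forward. In the "Miscellaneous global directives to consider" list, `set firewall source-validation disable` and `set firewall send-redirects enable` are the permissive settings; since the section is offered as options, a one-line note that reverse-path filtering (`source-validation strict` or `loose`) and disabling send-redirects are the more restrictive choices for a WAN-facing router would help a reader decide.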
public/er-x.1747362291.txt.gz · Last modified: 2025/05/16 02:24 by daniel
