====General Config====
//[[https://help.uisp.com/hc/en-us/sections/22589717213591-EdgeRouter|EdgeOS]] reportedly mimics [[https://en.m.wikipedia.org/wiki/VyOS|VyOS]]//

Commit the ephemeral configuration; save the configuration so it survives a restart
<code>
commit
save
</code>

Set the password (a value is required; replace the placeholder)
<code>
set system login user ubnt authentication plaintext-password '<new-password>'
</code>

Destroy the configuration and restore the defaults
<code>
sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot
</code>

Disable old GUI ciphers, UNMS, and ubnt-discovery
<code>
set service gui older-ciphers disable
set service unms disable
set service ubnt-discover disable
set service ubnt-discover-server disable
</code>

Set the upstream NTP server
<code>
set system ntp server ntp.example.com
</code>

Review, then clear the default interface addresses and PoE
<code>
show interfaces ethernet
set interfaces ethernet eth0 poe output off
delete interfaces ethernet eth0 address
delete interfaces ethernet eth1 address dhcp
</code>

Activate the DHCP client on an interface for use as WAN
<code>
set interfaces ethernet eth0 address dhcp
release dhcp interface eth0
renew dhcp interface eth0
</code>

Re-enable a disabled interface
<code>
delete interfaces ethernet eth0 disable
</code>

Global settings, reference [[https://help.uisp.com/hc/en-us/articles/22591077433879-EdgeRouter-Hardware-Offloading|help.uisp.com]]
<code>
set system offload hwnat enable
set system host-name myRouter
set system domain-name example.com
set system domain-search example.net
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false
</code>

====VLAN Segmentation with IPv4====
reference [[https://www.vanwerkhoven.org/blog/2022/home-network-configuration/|vanwerkhoven.org]]

Review, then assign the LAN interfaces to switch0
<code>
show interfaces switch switch0 switch-port
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
</code>

Review, delete the existing 802.1Q VLANs; create new ones
<code>
show interfaces switch switch0 vif
delete interfaces switch switch0 vif
set interfaces switch switch0 vif 1 address 192.168.1.1/24
set interfaces switch switch0 vif 1 description LAN
set interfaces switch switch0 vif 99 address 10.0.0.1/24
set interfaces switch switch0 vif 99 description CONFIG
</code>

Enable 802.1Q VLANs
<code>
set interfaces switch switch0 switch-port vlan-aware enable
</code>

Apply the VLANs to interfaces
<code>
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 99
</code>
//an interface may have many VIDs, but only one PVID//

Review, delete the existing DHCP service; create new pools
<code>
show dhcp statistics
delete service dhcp-server
set service dhcp-server shared-network-name vlan1 authoritative enable
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 203.0.113.113
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 203.0.113.114
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 domain-name example.com
set service dhcp-server shared-network-name vlan99 authoritative enable
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 lease 86400
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.200
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 domain-name lan
</code>

Review, enable the DHCP service; show a pool
<code>
show service dhcp-server
set service dhcp-server disabled false
show dhcp leases pool vlan1
</code>

Map a MAC to a specific IP (static assignment); the mapped address must lie inside the pool's subnet
<code>
set system static-host-mapping host-name myserver inet 192.168.1.42
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver ip-address 192.168.1.42
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver mac-address 00:00:5E:00:53:01
</code>

Create, then review the NAT service
<code>
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
show service nat
</code>

Establish port forwarding //(requires appropriate firewall rules)//
<code>
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface switch0.1
set port-forward rule 10 description 'SSH'
set port-forward rule 10 forward-to address 192.168.1.42
set port-forward rule 10 forward-to port 22
set port-forward rule 10 original-port 22
set port-forward rule 10 protocol tcp
</code>

====Create IPv4 Zone-based Firewall====
reference [[https://help.ui.com/hc/en-us/articles/115003173168-Zone-Based-Firewalls-in-UniFi|help.ui.com]], [[https://lazyadmin.nl/home-network/unifi-zone-based-firewall/|lazyadmin.nl]], [[https://kings-guard.com/the-unifi-zone-based-firewall-is-a-game-changer/|kings-guard.com]], [[https://help.uisp.com/hc/en-us/articles/22591199546007-EdgeRouter-Packets-Processing|help.uisp.com]], [[https://www.forshee.me/ubiquiti-edgerouter-lite-setup-part-2-firewall-setup/|forshee.me]]

Review the zones and the firewalls applied to them; delete all zones
<code>
show zone-policy zone
delete zone-policy zone
</code>

Define the inter-zone firewall policies and their rules
<code>
set firewall name FW_ACCEPT default-action accept
set firewall name FW_ACCEPT rule 10 action reject
set firewall name FW_ACCEPT rule 10 description 'Reject invalid'
set firewall name FW_ACCEPT rule 10 log disable
set firewall name FW_ACCEPT rule 10 state invalid enable
set firewall name FW_EST default-action drop
set firewall name FW_EST rule 10 action accept
set firewall name FW_EST rule 10 description 'All established'
set firewall name FW_EST rule 10 log disable
set firewall name FW_EST rule 10 state established enable
set firewall name FW_WAN_TO_LAN default-action drop
set firewall name FW_WAN_TO_LAN rule 10 action accept
set firewall name FW_WAN_TO_LAN rule 10 description 'All established'
set firewall name FW_WAN_TO_LAN rule 10 log disable
set firewall name FW_WAN_TO_LAN rule 10 state established enable
set firewall name FW_WAN_TO_LAN rule 20 action accept
set firewall name FW_WAN_TO_LAN rule 20 description 'myserver http/s'
set firewall name FW_WAN_TO_LAN rule 20 log disable
set firewall name FW_WAN_TO_LAN rule 20 state new enable
set firewall name FW_WAN_TO_LAN rule 20 destination address 192.168.1.42
set firewall name FW_WAN_TO_LAN rule 20 protocol tcp
set firewall name FW_WAN_TO_LAN rule 20 destination port 80,443
set firewall name FW_WAN_TO_LAN rule 30 action accept
set firewall name FW_WAN_TO_LAN rule 30 description 'myserver ssh'
set firewall name FW_WAN_TO_LAN rule 30 log disable
set firewall name FW_WAN_TO_LAN rule 30 state new enable
set firewall name FW_WAN_TO_LAN rule 30 destination address 192.168.1.42
set firewall name FW_WAN_TO_LAN rule 30 protocol tcp
set firewall name FW_WAN_TO_LAN rule 30 destination port 22
set firewall name FW_ROUTER_NMP default-action drop
set firewall name FW_ROUTER_NMP rule 10 action accept
set firewall name FW_ROUTER_NMP rule 10 description 'Router dns'
set firewall name FW_ROUTER_NMP rule 10 log disable
set firewall name FW_ROUTER_NMP rule 10 protocol udp
set firewall name FW_ROUTER_NMP rule 10 destination port 53
set firewall name FW_ROUTER_NMP rule 20 action accept
set firewall name FW_ROUTER_NMP rule 20 description 'Router dhcp'
set firewall name FW_ROUTER_NMP rule 20 log disable
set firewall name FW_ROUTER_NMP rule 20 protocol udp
set firewall name FW_ROUTER_NMP rule 20 destination port 67,68
</code>
//TCP requires SYN (state new) and ACK (state established) rules!//

Review the firewall policies; delete one
<code>
show firewall name
delete firewall name FW_OOPSIE
</code>

Define the zones and apply the firewall policies to inter-zone traffic flows
<code>
set zone-policy zone CONFIG interface switch0.99
set zone-policy zone CONFIG default-action drop
#set zone-policy zone CONFIG from LAN firewall name FW_DROP
set zone-policy zone CONFIG from LOCAL firewall name FW_ACCEPT
#set zone-policy zone CONFIG from WAN firewall name FW_DROP
set zone-policy zone LAN interface switch0.1
set zone-policy zone LAN default-action drop
#set zone-policy zone LAN from CONFIG firewall name FW_DROP
set zone-policy zone LAN from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN from WAN firewall name FW_WAN_TO_LAN
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from CONFIG firewall name FW_ROUTER_NMP
#set zone-policy zone LOCAL from LAN firewall name FW_DROP
set zone-policy zone LOCAL from WAN firewall name FW_EST
set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action reject
#set zone-policy zone WAN from CONFIG firewall name FW_DROP
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from LOCAL firewall name FW_ACCEPT
</code>
//the zone's default-action renders the commented directives unnecessary//
//nmap detects drop as "filtered," and reject as "closed"//

Review the zones and the firewall policies applied to them
<code>
show zone-policy zone
</code>

Restrict SSH and the GUI to the CONFIG VLAN
<code>
set service ssh listen-address 10.0.0.1
set service gui listen-address 10.0.0.1
</code>

Miscellaneous global directives to consider
<code>
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
</code>
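The VLAN/DHCP section and the zone-policy section above both depend on names and addresses lining up across many `set` lines (a static mapping inside its subnet, a PVID that has a `vif`, a `from ... firewall name` that was actually defined). The following is an added example, not code from this wiki page or from EdgeOS, that lints a text of `set` commands offline before they are committed; it can be fed the output of EdgeOS's `show configuration commands`. The sample configuration is constructed from a subset of the page's commands plus two deliberate mistakes (a mapping at 192.168.0.42 in the 192.168.1.0/24 pool, and eth2 on VLAN 20 with no `vif`), and the CONFIG-to-WAN policy references `FW_DROP`, which the page only mentions commented out. It assumes a zone with no explicit `default-action` drops traffic.

```python
"""Added example (not from the page or EdgeOS): offline lint of EdgeOS/VyOS
`set` commands for cross-reference mistakes that would surprise you at commit."""
import ipaddress
import shlex

# Constructed sample: a subset of the page's config plus deliberate mistakes
# (static mapping 192.168.0.42 in 192.168.1.0/24, eth2 on VLAN 20 with no vif,
# CONFIG->WAN referencing FW_DROP which is never defined).
SAMPLE_CONFIG = """
set interfaces switch switch0 vif 1 address 192.168.1.1/24
set interfaces switch switch0 vif 99 address 10.0.0.1/24
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth2 vlan pvid 20
set interfaces switch switch0 switch-port interface eth4 vlan pvid 99
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver ip-address 192.168.0.42
set firewall name FW_ACCEPT default-action accept
set firewall name FW_WAN_TO_LAN default-action drop
set firewall name FW_ROUTER_NMP default-action drop
set zone-policy zone CONFIG default-action drop
set zone-policy zone CONFIG from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from WAN firewall name FW_WAN_TO_LAN
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from CONFIG firewall name FW_ROUTER_NMP
set zone-policy zone WAN default-action reject
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from CONFIG firewall name FW_DROP
"""


def parse_set_commands(text):
    """Return the argument list of every `set ...` line (quotes handled by shlex)."""
    return [shlex.split(line)[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def check_dhcp_subnets(cmds):
    """Flag DHCP routers, pool bounds and static mappings outside their subnet."""
    findings = []
    for c in cmds:
        if c[:2] != ["service", "dhcp-server"] or "subnet" not in c:
            continue
        net = ipaddress.ip_network(c[c.index("subnet") + 1], strict=False)
        for key in ("default-router", "start", "stop", "ip-address"):
            if key in c and ipaddress.ip_address(c[c.index(key) + 1]) not in net:
                findings.append(f"dhcp {c[3]}: {key} {c[c.index(key) + 1]} not in {net}")
    return findings


def check_vlan_pvids(cmds):
    """Flag access-port PVIDs whose VLAN has no `vif` on switch0 (so no L3
    address, DHCP pool or zone can ever serve that port)."""
    defined = {c[4] for c in cmds
               if c[:3] == ["interfaces", "switch", "switch0"] and c[3:4] == ["vif"]}
    return [f"{c[5]}: pvid {c[c.index('pvid') + 1]} has no switch0 vif"
            for c in cmds
            if c[:3] == ["interfaces", "switch", "switch0"] and "pvid" in c
            and c[c.index("pvid") + 1] not in defined]


def zone_policy_matrix(cmds):
    """Effective handling of every ordered (from, to) zone pair, plus firewall
    names a zone policy references that no `firewall name` ever defines.
    Assumption: a zone without an explicit default-action drops traffic."""
    zones, defaults, policies, defined = set(), {}, {}, set()
    for c in cmds:
        if c[:2] == ["firewall", "name"]:
            defined.add(c[2])
        if c[:2] != ["zone-policy", "zone"]:
            continue
        zones.add(c[2])
        if c[3:4] == ["default-action"]:
            defaults[c[2]] = c[4]
        elif c[3:4] == ["from"] and c[5:7] == ["firewall", "name"]:
            policies[(c[4], c[2])] = c[7]
    matrix = {}
    for dst in sorted(zones):
        for src in sorted(zones):
            if src != dst:
                matrix[(src, dst)] = policies.get(
                    (src, dst), f"default-action {defaults.get(dst, 'drop')}")
    return matrix, sorted(set(policies.values()) - defined)


def lint_config(text):
    """Run every check; returns a flat list of human-readable findings."""
    cmds = parse_set_commands(text)
    _, undefined = zone_policy_matrix(cmds)
    return (check_dhcp_subnets(cmds) + check_vlan_pvids(cmds)
            + [f"zone-policy references undefined firewall {n}" for n in undefined])


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for (src, dst), action in zone_policy_matrix(parse_set_commands(SAMPLE_CONFIG))[0].items():
        print(f"{src:>6} -> {dst:<6} {action}")
```

The matrix printout is the useful part even on a clean configuration: it makes explicit which zone pairs are governed by a named policy and which silently fall to the destination zone's default-action, which is exactly what the commented-out `FW_DROP` lines on the page rely on.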