General Config
Commit ephemeral configuration; save configuration to survive restart
commit
save
Set password
set system login user ubnt authentication plaintext-password <myNewPassword>
the factory account is ubnt/ubnt; change it before the router touches a WAN, and prefer a separately named admin-level user with ubnt deleted once the new login works. The plaintext-password is stored hashed (as encrypted-password) on commit.
Destroy configuration and restore defaults
sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot
Disable GUI old ciphers, unms, and ubnt-discovery
set service gui older-ciphers disable
set service unms disable
set service ubnt-discover disable
set service ubnt-discover-server disable
Set upstream NTP server
set system ntp server ntp.example.com
Review, clear default interface addresses and PoE
show interfaces ethernet
set interfaces ethernet eth0 poe output off
delete interfaces ethernet eth0 address
delete interfaces ethernet eth1 address dhcp
Activate DHCP client on an interface for use as WAN
set interfaces ethernet eth0 address dhcp
release dhcp interface eth0
renew dhcp interface eth0
release and renew are operational-mode commands: run them after commit, outside configure
Re-enable a disabled interface
delete interfaces ethernet eth0 disable
Global Settings
reference help.uisp.com
set system offload hwnat enable
set system host-name myRouter
set system domain-name example.com
set system domain-search example.net
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false
VLAN Segmentation with IPv4
reference vanwerkhoven.org
Review, assign LAN interfaces to switch0
show interfaces switch switch0 switch-port
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
Review, delete existing 802.1Q VLANs; create new ones
show interfaces switch switch0 vif
delete interfaces switch switch0 vif
set interfaces switch switch0 vif 1 address 192.168.1.1/24
set interfaces switch switch0 vif 1 description LAN
set interfaces switch switch0 vif 99 address 10.0.0.1/24
set interfaces switch switch0 vif 99 description CONFIG
Enable 802.1Q VLANs
set interfaces switch switch0 switch-port vlan-aware enable
Apply VLANs to interfaces
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 99
an interface may carry many tagged VIDs (vlan vid), but only one PVID: the VLAN that untagged frames arriving on that port are placed in
Review, delete existing DHCP service; create new pools
show dhcp statistics
delete service dhcp-server
set service dhcp-server shared-network-name vlan1 authoritative enable
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 203.0.113.113
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 203.0.113.114
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 domain-name example.com
set service dhcp-server shared-network-name vlan99 authoritative enable
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 lease 86400
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.200
set service dhcp-server shared-network-name vlan99 subnet 10.0.0.0/24 domain-name lan
Review, enable DHCP service; show a pool
show service dhcp-server
set service dhcp-server disabled false
show dhcp leases pool vlan1
Map a MAC to specific IP (static assignment)
set system static-host-mapping host-name myserver inet 192.168.1.42
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver ip-address 192.168.1.42
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver mac-address 00:00:5E:00:53:01
the static-mapping address must lie inside the subnet (192.168.1.0/24 here); it may sit outside the start/stop range, which keeps it clear of the dynamic pool. The static-host-mapping line is a separate, local DNS entry for the same host.
Create, review NAT service
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
show service nat
Establish port forwarding (requires appropriate firewall rules)
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface switch0.1
set port-forward rule 10 description 'SSH'
set port-forward rule 10 forward-to address 192.168.1.42
set port-forward rule 10 forward-to port 22
set port-forward rule 10 original-port 22
set port-forward rule 10 protocol tcp
auto-firewall only adds allow rules to an interface-based firewall on the wan-interface; it does nothing for the zone-based firewall below, so the WAN-to-LAN policy must accept each forwarded address/port explicitly (FW_WAN_TO_LAN rule 30 covers this one)
Create IPv4 Zone-based Firewall
reference help.ui.com, lazyadmin.nl, kings-guard.com, help.uisp.com forshee.me
Review zones and the firewalls applied to them; delete all zones
show zone-policy zone
delete zone-policy zone
Define inter-zone firewall policies and their rules
set firewall name FW_ACCEPT default-action accept
set firewall name FW_ACCEPT rule 10 action reject
set firewall name FW_ACCEPT rule 10 description 'Reject invalid'
set firewall name FW_ACCEPT rule 10 log disable
set firewall name FW_ACCEPT rule 10 state invalid enable
set firewall name FW_EST default-action drop
set firewall name FW_EST rule 10 action accept
set firewall name FW_EST rule 10 description 'All established'
set firewall name FW_EST rule 10 log disable
set firewall name FW_EST rule 10 state established enable
set firewall name FW_WAN_TO_LAN default-action drop
set firewall name FW_WAN_TO_LAN rule 10 action accept
set firewall name FW_WAN_TO_LAN rule 10 description 'All established'
set firewall name FW_WAN_TO_LAN rule 10 log disable
set firewall name FW_WAN_TO_LAN rule 10 state established enable
set firewall name FW_WAN_TO_LAN rule 20 action accept
set firewall name FW_WAN_TO_LAN rule 20 description 'myserver http/s'
set firewall name FW_WAN_TO_LAN rule 20 log disable
set firewall name FW_WAN_TO_LAN rule 20 state new enable
set firewall name FW_WAN_TO_LAN rule 20 destination address 192.168.1.42
set firewall name FW_WAN_TO_LAN rule 20 protocol tcp
set firewall name FW_WAN_TO_LAN rule 20 destination port 80,443
set firewall name FW_WAN_TO_LAN rule 30 action accept
set firewall name FW_WAN_TO_LAN rule 30 description 'myserver ssh'
set firewall name FW_WAN_TO_LAN rule 30 log disable
set firewall name FW_WAN_TO_LAN rule 30 state new enable
set firewall name FW_WAN_TO_LAN rule 30 destination address 192.168.1.42
set firewall name FW_WAN_TO_LAN rule 30 protocol tcp
set firewall name FW_WAN_TO_LAN rule 30 destination port 22
set firewall name FW_ROUTER_NMP default-action drop
set firewall name FW_ROUTER_NMP rule 10 action accept
set firewall name FW_ROUTER_NMP rule 10 description 'Router dns'
set firewall name FW_ROUTER_NMP rule 10 log disable
set firewall name FW_ROUTER_NMP rule 10 protocol udp
set firewall name FW_ROUTER_NMP rule 10 destination port 53
set firewall name FW_ROUTER_NMP rule 20 action accept
set firewall name FW_ROUTER_NMP rule 20 description 'Router dhcp'
set firewall name FW_ROUTER_NMP rule 20 log disable
set firewall name FW_ROUTER_NMP rule 20 protocol udp
set firewall name FW_ROUTER_NMP rule 20 destination port 67,68
the established-only rules (FW_EST, FW_WAN_TO_LAN rule 10) do not match conntrack's related state, so ICMP errors such as fragmentation-needed and helper-tracked data channels (FTP) are dropped; add state related enable to the same rule if you need them
a TCP connection needs both a state new rule (the initial SYN) and a state established rule (every packet after conntrack has seen the reply); these are conntrack states, not literal TCP flags
Review firewall policies; delete one
show firewall name
delete firewall name FW_OOPSIE
Define the zones and apply firewall policies to inter-zone traffic flows
set zone-policy zone CONFIG interface switch0.99
set zone-policy zone CONFIG default-action drop
#set zone-policy zone CONFIG from LAN firewall name FW_DROP
set zone-policy zone CONFIG from LOCAL firewall name FW_ACCEPT
#set zone-policy zone CONFIG from WAN firewall name FW_DROP
set zone-policy zone LAN interface switch0.1
set zone-policy zone LAN default-action drop
#set zone-policy zone LAN from CONFIG firewall name FW_DROP
set zone-policy zone LAN from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN from WAN firewall name FW_WAN_TO_LAN
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from CONFIG firewall name FW_ROUTER_NMP
#set zone-policy zone LOCAL from LAN firewall name FW_DROP
set zone-policy zone LOCAL from WAN firewall name FW_EST
set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action reject
#set zone-policy zone WAN from CONFIG firewall name FW_DROP
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from LOCAL firewall name FW_ACCEPT
a zone pair with no from policy falls to the destination zone's default-action, so the commented FW_DROP directives are unnecessary
nmap detects drop as “filtered,” and reject as “closed”
Review zones and the firewall policies applied to them
show zone-policy zone
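The checks a practitioner wants after the DHCP static-mapping, port-forward and zone-policy steps above are mechanical, so here is an added audit script (example code, not EdgeOS tooling and not from the original notes). It parses a configuration in the set-command form that `show configuration commands` prints, then reports DHCP addresses outside their subnet, zone pairs with no explicit policy together with the default-action that will apply to them, and port-forward targets that no accept rule in the WAN-to-LAN policy covers. The embedded SAMPLE_CONFIG is constructed from the lines above and adds one hypothetical rule 20 forwarding port 8443 so that the last check has something to flag; the policy name FW_WAN_TO_LAN is taken from the notes.

```python
"""Audit an EdgeOS configuration given in 'set ...' form (what `show configuration commands` prints).
Added example, not EdgeOS tooling: flags DHCP addresses outside their subnet, zone pairs with no
explicit policy (the destination zone's default-action applies), and forwards no accept rule covers."""
import ipaddress
import shlex

V = "_v"  # key under which a node's leaf values are kept

# Constructed sample: lines from the notes above, including the static-mapping slip
# (192.168.0.42 in vlan1's 192.168.1.0/24) plus a hypothetical rule 20 forwarding 8443.
SAMPLE_CONFIG = """
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 static-mapping myserver ip-address 192.168.0.42
set port-forward rule 10 forward-to address 192.168.1.42
set port-forward rule 10 forward-to port 22
set port-forward rule 10 protocol tcp
set port-forward rule 20 forward-to address 192.168.1.42
set port-forward rule 20 forward-to port 8443
set port-forward rule 20 protocol tcp
set firewall name FW_WAN_TO_LAN rule 30 action accept
set firewall name FW_WAN_TO_LAN rule 30 destination address 192.168.1.42
set firewall name FW_WAN_TO_LAN rule 30 destination port 22
set firewall name FW_WAN_TO_LAN rule 30 protocol tcp
set zone-policy zone CONFIG from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN from WAN firewall name FW_WAN_TO_LAN
set zone-policy zone LOCAL from CONFIG firewall name FW_ROUTER_NMP
set zone-policy zone LOCAL from WAN firewall name FW_EST
set zone-policy zone WAN default-action reject
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from LOCAL firewall name FW_ACCEPT
"""

def parse_set_lines(text):
    """Nested dict from 'set a b c value' lines; the last token is stored as a value of its parent."""
    tree = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "set":
            continue
        node = tree
        for tok in tokens[1:-1]:
            node = node.setdefault(tok, {})
        node.setdefault(V, []).append(tokens[-1])
    return tree

def kids(node):
    return [(k, v) for k, v in node.items() if k != V]

def vals(node, *path):
    for key in path:
        node = node.get(key, {})
    return node.get(V, [])

def dhcp_address_errors(cfg):
    """default-router and static-mapping addresses that lie outside their DHCP subnet."""
    errs = []
    nets = cfg.get("service", {}).get("dhcp-server", {}).get("shared-network-name", {})
    for net_name, net in kids(nets):
        for cidr, sub in kids(net.get("subnet", {})):
            checks = [("default-router", a) for a in vals(sub, "default-router")]
            for host, m in kids(sub.get("static-mapping", {})):
                checks += [(f"static-mapping {host}", a) for a in vals(m, "ip-address")]
            for label, addr in checks:
                if ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr):
                    errs.append(f"{net_name} {cidr}: {label} {addr} is outside the subnet")
    return errs

def implicit_zone_flows(cfg):
    """(src, dst, action) for each zone pair with no 'from' policy; dst's default-action applies (drop if unset)."""
    zones = dict(kids(cfg.get("zone-policy", {}).get("zone", {})))
    flows = []
    for dst, zone in zones.items():
        explicit = {src for src, _ in kids(zone.get("from", {}))}
        action = (vals(zone, "default-action") or ["drop"])[0]
        flows += [(src, dst, action) for src in zones if src != dst and src not in explicit]
    return flows

def uncovered_port_forwards(cfg, policy="FW_WAN_TO_LAN"):
    """Port-forward rule numbers whose forward-to target no accept rule in `policy` matches
    (exact address and comma-separated ports only; ranges and address groups are not expanded)."""
    accepts = []
    for _, r in kids(cfg.get("firewall", {}).get("name", {}).get(policy, {}).get("rule", {})):
        if vals(r, "action") == ["accept"]:
            ports = {p for spec in vals(r, "destination", "port") for p in spec.split(",")}
            accepts.append((vals(r, "destination", "address"), ports, (vals(r, "protocol") or ["all"])[0]))
    missing = []
    for num, r in kids(cfg.get("port-forward", {}).get("rule", {})):
        addr = vals(r, "forward-to", "address")[0]
        port = (vals(r, "forward-to", "port") or vals(r, "original-port"))[0]
        proto = (vals(r, "protocol") or ["tcp_udp"])[0]  # assumed default when protocol is unset
        if not any((not a or addr in a) and (not ps or port in ps) and pr in ("all", "tcp_udp", proto)
                   for a, ps, pr in accepts):
            missing.append(num)
    return missing
```

Run it against a real device by pasting the output of `show configuration commands` into parse_set_lines instead of SAMPLE_CONFIG. On the sample it reports the 192.168.0.42 mapping, five zone pairs that fall to a default-action (including CONFIG to WAN, which the WAN zone rejects rather than drops), and port-forward rule 20 as uncovered while rule 10 is matched by FW_WAN_TO_LAN rule 30.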
Restrict SSH and GUI to CONFIG VLAN
set service ssh listen-address 10.0.0.1
set service gui listen-address 10.0.0.1
listen-address only binds the daemons; the CONFIG-to-LOCAL policy above (FW_ROUTER_NMP) accepts UDP 53 and 67/68 alone, so it also needs state new accept rules for TCP 22 and the GUI's HTTPS port (443 by default) or these listeners stay unreachable from 10.0.0.0/24
Miscellaneous global directives to consider
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
source-validation is reverse-path filtering, a spoofing defence; leave it disabled only where routing is asymmetric, otherwise prefer strict
