Hi!
I want to ask for some guidance and help setting up my network. I am new to this but have learned a lot from these forums! Without any previous knowledge of firewalls, I felt that Zone Based Firewall to me is logical and structured - I also like that the default is drop, i.e. you create rules for what you want to allow. This (if correct) feels like a good place to start.
At the moment my config is pretty simple. My Edgerouter PoE is _not_ connected directly to the internet, but downstream from my ISP gateway. In the future I will of course remove the ISP gateway, but at the moment of testing, this config doesn't matter for what the firewall rules and policies do, right?
```
                         ERPoE
-----------   -------------------------   ---------
| Gateway | - | Eth0   (Eth1)    Sw0  | - | AP/Sw |
-----------   -------------------------   ---------
                                  |
                            ------------
                            | Computer |
                            ------------
```
I have defined a network on Switch0 (192.168.0.1/24), to which my PC is connected as well as an old AP/Switch with some wireless units connected to it.
As a start, I have defined three zones:
LAN - all interfaces but eth0
WAN - interface eth0
Local - ERPoE
I have defined zone-pairs as I have understood how ZBF works, and rulesets for them. I've kept it simple - WAN-anything is default drop, but allow related and established traffic. For the others it is the same rules, but default accept. Here is the code in its current state - I plan on adding VLANs for guest wifi but first want to get a good understanding of the basic principles before proceeding.
```
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_TO_Local {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow return traffic"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name LAN_TO_WAN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow return traffic"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name Local_TO_LAN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow return traffic"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name Local_TO_WAN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow return traffic"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_TO_LAN {
        default-action drop
        description ""
        enable-default-log
        rule 1 {
            action accept
            description "Allow return traffic"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_TO_Local {
        default-action drop
        description ""
        enable-default-log
        rule 1 {
            action accept
            description "Allow return traffic"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.0.1/24
        description LAN-Switch-Local
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN-DHCP {
            authoritative disable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.100 {
                    stop 192.168.0.254
                }
            }
        }
        shared-network-name Mgmt-DHCP {
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                start 192.168.2.100 {
                    stop 192.168.2.254
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description LAN-NAT
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
zone-policy {
    zone LAN {
        default-action drop
        from Local {
            firewall {
                name Local_TO_LAN
            }
        }
        from WAN {
            firewall {
                name WAN_TO_LAN
            }
        }
        interface eth1
        interface switch0
    }
    zone Local {
        default-action drop
        from LAN {
            firewall {
                name LAN_TO_Local
            }
        }
        from WAN {
            firewall {
                name WAN_TO_Local
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN_TO_WAN
            }
        }
        from Local {
            firewall {
                name Local_TO_WAN
            }
        }
        interface eth0
    }
}
```
With this setup, services like Chromecast and Steam have no problems connecting and playing their respective material. Is this expected (related/established)?
My concern is - I was expecting at least some problems, but everything seems fine. Is it working as intended or have I missed something in the configuration? (I saw in one post regarding ZBF e.g. that an allow rule was made for Steam)
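To make the related/established behaviour of these zone pairs concrete, here is an added Python example (not from the original post and not EdgeOS code) that parses a constructed excerpt in the same brace format as the config above and walks the zone-policy lookup for a flow: a new LAN-to-WAN connection lands on LAN_TO_WAN's default accept, and the returning WAN-to-LAN packets match WAN_TO_LAN rule 1 as established/related, which is why outbound-only services work without a dedicated allow rule. The `parse`/`evaluate` helpers and `TAGGED` set are my own simplifications and assume every rule carries a state block.

```python
import re

# Constructed excerpt shaped like the config posted above, trimmed to what the
# evaluator reads (bare flags like enable-default-log omitted: parser wants pairs).
CONFIG = """
firewall {
  name LAN_TO_WAN { default-action accept
    rule 1 { action accept state { established enable related enable } }
    rule 2 { action drop state { invalid enable } } }
  name WAN_TO_LAN { default-action drop
    rule 1 { action accept state { established enable related enable } }
    rule 2 { action drop state { invalid enable } } }
}
zone-policy {
  zone LAN { default-action drop from WAN { firewall { name WAN_TO_LAN } } }
  zone WAN { default-action drop from LAN { firewall { name LAN_TO_WAN } } }
}
"""
TAGGED = {"name", "rule", "zone", "from"}  # nodes written as "key tag { ... }"

def flush(node, pairs):  # store flat "key value" pairs in the current node
    node.update((k, v.strip('"')) for k, v in zip(pairs[::2], pairs[1::2]))

def parse(text):
    """Parse brace-structured EdgeOS config text into nested dicts."""
    root = node = {}
    stack, buf = [], []
    for tok in re.findall(r'[{}]|"[^"]*"|\S+', text):
        if tok == "{":  # open a block; tagged nodes take two path parts
            n = 2 if len(buf) > 1 and buf[-2] in TAGGED else 1
            flush(node, buf[:-n])
            stack.append(node)
            for part in buf[-n:]:
                node = node.setdefault(part, {})
            buf = []
        elif tok == "}":
            flush(node, buf)
            node, buf = stack.pop(), []
        else:
            buf.append(tok)
    return root

def evaluate(cfg, src_zone, dst_zone, state):
    """Return (action, reason) for traffic into dst_zone from src_zone."""
    pair = cfg["zone-policy"]["zone"][dst_zone]["from"][src_zone]
    name = pair["firewall"]["name"]
    rules = cfg["firewall"]["name"][name]
    for num, rule in sorted(rules.get("rule", {}).items(), key=lambda r: int(r[0])):
        st = rule.get("state")  # a rule without a state block matches any state
        if st is None or st.get(state) == "enable":
            return rule["action"], f"{name} rule {num}"
    return rules["default-action"], f"{name} default-action"
```

A Chromecast or Steam client opens the connection from LAN, so only the first packet is "new" in the LAN-to-WAN direction; everything coming back is classified established or related by conntrack and is accepted by rule 1 of WAN_TO_LAN.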