Good morning,
We have an EdgeRouter Lite which has been working flawlessly for the past year or so. We literally set it up and never looked back. However, after carrying out an audit we noticed that the GUI and other ports like SSH can be reached from the WAN. On troubleshooting this we found that no interface was specified in the WAN_LOCAL default firewall policy, therefore we set it up on the external interface (PPPoE - eth0), direction IN. See attached screenshot.
Rule and router config were saved.
The problem is that we can still access the GUI or SSH into the router via its public IP address (from other public networks). We would only like access to the router from the LAN interface (eth1).
Router config below.
ubnt@ubnt# run show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 2 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.0.0.1/8
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_LOCAL
                }
            }
            mtu 1392
            name-server auto
            password ****************
            user-id *********
        }
        speed auto
    }
    ethernet eth1 {
        address 172.23.2.254/22
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "eth2 Disabled"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name wificlients {
            authoritative disable
            subnet 172.23.0.0/22 {
                default-router 172.23.2.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.23.0.10 {
                    stop 172.23.2.250
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Malta
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    advanced-queue {
        branch {
        }
        filters {
            match 10 {
                attach-to 1
                ip {
                    destination {
                        address 172.23.0.0/22
                    }
                }
                target 10
            }
            match 20 {
                attach-to 1
                ip {
                    destination {
                    }
                    source {
                        address 172.23.0.0/22
                    }
                }
                target 20
            }
        }
        leaf {
            queue 10 {
                bandwidth 75mbit
                description Download
                parent 1
                queue-type HFQ_DL
            }
            queue 20 {
                bandwidth 5mbit
                description Upload
                parent 1
                queue-type HFQ_UL
            }
        }
        queue-type {
            hfq HFQ_DL {
                description download
                host-identifier dip
                max-rate 5mbit
                subnet 172.23.0.0/22
            }
            hfq HFQ_UL {
                description Upload
                host-identifier sip
                max-rate 512kbit
                subnet 172.23.0.0/22
            }
        }
        root {
            queue 1 {
                attach-to global
                bandwidth 75mbit
            }
        }
    }
}
Also, just FYI, we are currently running EdgeOS v1.8.0beta3. We were advised to upgrade to the beta at the time because of the traffic-control feature, which limits upload and download speeds for users connected on the LAN interface.
Your help is greatly appreciated.
Thanks and regards,
Tim
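An added example, not part of Tim's post and not EdgeOS code: a small Python audit that parses the brace syntax printed by "show configuration" and reports how firewall rulesets are attached. On EdgeOS the "in" and "out" directions filter traffic forwarded through an interface, while only the "local" direction filters traffic addressed to the router itself; run over a constructed excerpt modelled on the posted config, it flags exactly the two things visible there: WAN_LOCAL attached to pppoe0 as "in" with no "local" ruleset, and WAN_IN defined but attached nowhere.

```python
# Added example (not from the post): parse EdgeOS "show configuration" brace syntax and
# audit firewall attachments; only the "local" direction filters traffic to the router.
import re

# Constructed excerpt modelled on the post's config, not the poster's full dump.
SAMPLE_CONFIG = """
firewall {
    name WAN_IN { default-action drop }
    name WAN_LOCAL { default-action drop }
}
interfaces { ethernet eth0 { pppoe 0 { firewall { in { name WAN_LOCAL } } } } }
"""

def parse(text):
    """Nested dicts from brace syntax; a leaf 'key value' becomes key -> [values]."""
    stack = [{}]                                  # stack[0] is the root, stack[-1] the open block
    for line in text.splitlines():
        parts = [p.strip() for p in re.split(r"([{}])", line)]
        for i, part in enumerate(parts):
            if part == "{":                       # the words before it name the new block
                stack.append(stack[-1].setdefault(parts[i - 1], {}))
            elif part == "}":
                stack.pop()
            elif part and parts[i + 1:i + 2] != ["{"]:   # a leaf statement (one per line)
                key, _, value = part.partition(" ")
                stack[-1].setdefault(key, []).append(value.strip('"') or True)
    return stack[0]

def attachments(node, path=()):
    """Yield (interface path, direction, ruleset) for every firewall attachment."""
    fw = node.get("firewall", {}) if path else {}  # the top-level firewall section defines, not attaches
    for direction in ("in", "out", "local"):
        for name in fw.get(direction, {}).get("name", []):
            yield path, direction, name
    for key, child in node.items():
        if key != "firewall" and isinstance(child, dict):
            yield from attachments(child, path + (key,))

def audit(config):
    """Flag interfaces that filter forwarded but not router-bound traffic, and unused rulesets."""
    attached = list(attachments(config))
    findings = []
    for path in sorted({p for p, _, _ in attached}):
        if "local" not in {d for p, d, _ in attached if p == path}:
            findings.append("/".join(path[1:]) + ": no 'local' ruleset, traffic to the router itself is not filtered")
    for key in config.get("firewall", {}):
        if key.startswith("name ") and key[5:] not in {n for _, _, n in attached}:
            findings.append(key[5:] + ": defined but not attached to any interface")
    return findings
```

The parser expects one leaf statement per line, as the CLI prints them; a dump flattened onto a single line (like the one pasted above) must be re-broken into lines first or adjacent leaves will merge.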