in Uncategorized 411 Words

Segregated research network with EdgeRouter X

I required a segregated region of my home network that can leverage the same internet connection and NAT border, but be isolated from communications with anything else on my network. This was primarily to be used as a quarantine area to conduct research, and somewhere to place foreign untrusted devices.

I decided to use the eth3 interface on my EdgeRouter X for this purpose, and plug in a standard ol’ router/AP combo using it’s WAN interface and to obtain an IP address via DHCP.

Here are the steps and configuration is used:

Via the ER web GUI:

  • Remove eth3 from the switch0 group
  • Configure an ip and subnet for eth3, for example 10.0.0.1/30
  • Setup DHCP for 10.0.0.0/30, with the router specified as 10.0.0.1

Via the ER cli:

  • Enter configure mode, and create a network-group that specifies the subnet(s) of my ‘Production’ LAN subnet that I don’t want the research network to be able to communicate with: 
      configure
  set firewall group network-group LAN_NETWORKS
  set firewall group network-group LAN_NETWORKS description "LAN Networks"
  set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
  • Create a firewall ruleset to allow the research network to connect to everything (i.e. internet) except for the the ‘Production’ LAN subnet specified above.

     

      set firewall name PROTECT_IN
  set firewall name PROTECT_IN default-action accept
  set firewall name PROTECT_IN rule 20 action drop
  set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
  set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
  set firewall name PROTECT_IN rule 20 protocol all
  • Create a firewall ruleset to allow the research network to use the DHCP and DNS services provided by the EdgeRouter X: 
      set firewall name PROTECT_LOCAL
  set firewall name PROTECT_LOCAL default-action drop
  set firewall name PROTECT_LOCAL rule 10 action accept
  set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
  set firewall name PROTECT_LOCAL rule 10 destination port 53
  set firewall name PROTECT_LOCAL rule 10 protocol tcp_udp
  set firewall name PROTECT_LOCAL rule 20 action accept
  set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
  set firewall name PROTECT_LOCAL rule 20 destination port 67
  set firewall name PROTECT_LOCAL rule 20 protocol udp
  • Commit the changes made thus far 
      commit
  • Now need to associate the firewall rulesets with the interface being used for the research network, in my case eth3 
      set interfaces ethernet eth3 firewall in name PROTECT_IN
  set interfaces ethernet eth3 firewall local name PROTECT_LOCAL
  • Finally, commit and save the configuration 
      commit
  save

 

 

 

Leave a comment