I required a segregated region of my home network that can leverage the same internet connection and NAT border, but be isolated from communications with anything else on my network. This was primarily to be used as a quarantine area to conduct research, and somewhere to place foreign untrusted devices.
I decided to use the eth3 interface on my EdgeRouter X for this purpose, and plug in a standard ol’ router/AP combo using its WAN interface to obtain an IP address via DHCP.
Here are the steps and configuration I used:
Via the ER web GUI:
- Remove eth3 from the switch0 group
- Configure an IP address and subnet for eth3, for example 10.0.0.1/30
- Set up DHCP for 10.0.0.0/30, with the router specified as 10.0.0.1
Via the ER CLI:
- Enter configure mode, and create a network-group that specifies the subnet(s) of my ‘Production’ LAN that I don’t want the research network to be able to communicate with:

```
configure
set firewall group network-group LAN_NETWORKS
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
```

- Create a firewall ruleset to allow the research network to connect to everything (i.e. the internet) except for the ‘Production’ LAN subnet specified above:

```
set firewall name PROTECT_IN
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all
```

- Create a firewall ruleset to allow the research network to use only the DHCP and DNS services provided by the EdgeRouter X (everything else addressed to the router itself is dropped):

```
set firewall name PROTECT_LOCAL
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol tcp_udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
```

- Commit the changes made thus far:

```
commit
```

- Now associate the firewall rulesets with the interface being used for the research network, in my case eth3. The `in` ruleset applies to traffic entering eth3 that is forwarded elsewhere, the `local` ruleset to traffic entering eth3 that is destined for the router itself:

```
set interfaces ethernet eth3 firewall in name PROTECT_IN
set interfaces ethernet eth3 firewall local name PROTECT_LOCAL
```

- Finally, commit and save the configuration:

```
commit
save
```
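As an added example (not from the original post), here is a small Python model of how EdgeOS evaluates the two rulesets above: rules in ascending number order, first match wins, then the ruleset's default-action. It checks the intended verdicts for sample traffic (the addresses are constructed) and shows the one caveat worth knowing: because PROTECT_IN defaults to accept, any internal subnet not listed in LAN_NETWORKS remains reachable from the research segment.

```python
import ipaddress
from dataclasses import dataclass

# Network group from the post. Every internal subnet that must stay unreachable
# from the research segment has to be listed here (see the last check below).
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

# EdgeOS evaluates a ruleset's rules in ascending number order, stops at the first
# match, and falls back to default-action. Rules are (number, action, match fields).
PROTECT_IN = {"default": "accept", "rules": [
    (20, "drop", {"dst_group": LAN_NETWORKS, "proto": "all"}),
]}
PROTECT_LOCAL = {"default": "drop", "rules": [
    (10, "accept", {"dst_port": 53, "proto": ("tcp", "udp")}),
    (20, "accept", {"dst_port": 67, "proto": ("udp",)}),
]}

@dataclass
class Packet:
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports

def matches(match, pkt):
    if "dst_group" in match and not any(
            ipaddress.ip_address(pkt.dst) in net for net in match["dst_group"]):
        return False
    if match.get("proto", "all") != "all" and pkt.proto not in match["proto"]:
        return False
    if "dst_port" in match and pkt.dport != match["dst_port"]:
        return False
    return True

def evaluate(ruleset, pkt):
    for _num, action, match in sorted(ruleset["rules"], key=lambda r: r[0]):
        if matches(match, pkt):
            return action
    return ruleset["default"]

def verdict(pkt, router_ip="10.0.0.1"):
    """Packet arriving on eth3: the 'local' ruleset applies to traffic addressed to the
    router itself (DHCP discovers are broadcast, so they land there too); everything
    else is forwarded traffic and goes through the 'in' ruleset."""
    is_local = pkt.dst in (router_ip, "255.255.255.255")
    return evaluate(PROTECT_LOCAL if is_local else PROTECT_IN, pkt)

if __name__ == "__main__":
    # Constructed sample traffic (203.0.113.10 is a documentation-range address).
    for p in (Packet("192.168.0.50", "tcp", 445), Packet("203.0.113.10", "tcp", 443),
              Packet("10.0.0.1", "udp", 53), Packet("10.0.0.1", "tcp", 22),
              Packet("192.168.1.20", "tcp", 22)):  # subnet missing from LAN_NETWORKS
        print(p, "->", verdict(p))
```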