Segregated research network with EdgeRouter X

I required a segregated region of my home network that can leverage the same internet connection and NAT border, but be isolated from communications with anything else on my network. This was primarily to be used as a quarantine area to conduct research, and somewhere to place foreign untrusted devices.

I decided to use the eth3 interface on my EdgeRouter X for this purpose, and plug in a standard ol’ router/AP combo using it’s WAN interface and to obtain an IP address via DHCP.

Here are the steps and configuration is used:

Via the ER web GUI:

  • Remove eth3 from the switch0 group
  • Configure an ip and subnet for eth3, for example 10.0.0.1/30
  • Setup DHCP for 10.0.0.0/30, with the router specified as 10.0.0.1

Via the ER cli:

  • Enter configure mode, and create a network-group that specifies the subnet(s) of my ‘Production’ LAN subnet that I don’t want the research network to be able to communicate with:
      configure
      set firewall group network-group LAN_NETWORKS
      set firewall group network-group LAN_NETWORKS description "LAN Networks"
      set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
    
  • Create a firewall ruleset to allow the research network to connect to everything (i.e. internet) except for the the ‘Production’ LAN subnet specified above.

     

      set firewall name PROTECT_IN
      set firewall name PROTECT_IN default-action accept
      set firewall name PROTECT_IN rule 20 action drop
      set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
      set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
      set firewall name PROTECT_IN rule 20 protocol all
    
  • Create a firewall ruleset to allow the research network to use the DHCP and DNS services provided by the EdgeRouter X:
      set firewall name PROTECT_LOCAL
      set firewall name PROTECT_LOCAL default-action drop
      set firewall name PROTECT_LOCAL rule 10 action accept
      set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
      set firewall name PROTECT_LOCAL rule 10 destination port 53
      set firewall name PROTECT_LOCAL rule 10 protocol tcp_udp
      set firewall name PROTECT_LOCAL rule 20 action accept
      set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
      set firewall name PROTECT_LOCAL rule 20 destination port 67
      set firewall name PROTECT_LOCAL rule 20 protocol udp
    
  • Commit the changes made thus far
      commit
    
  • Now need to associate the firewall rulesets with the interface being used for the research network, in my case eth3
      set interfaces ethernet eth3 firewall in name PROTECT_IN
      set interfaces ethernet eth3 firewall local name PROTECT_LOCAL
    
  • Finally, commit and save the configuration
      commit
      save
    

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s