Sunday, August 7, 2016

Ubiquity EdgeRouter X WAN Subnet and Remote Access Configuration

For this topic, we are continuing to configure the Ubiquity EdgeRouter X, this time for a public-side subnet, access to devices on that subnet, and secure access to the EdgeRouter X only from defined locations (an Access Control List). Note that I described the EdgeRouter X as a firewalled router for a single Local Area Network (LAN) to access the Internet last time since that is a much more common scenario. The topic today could also be used to set up two separate LANs accessing the Internet through the EdgeRouter X as well.

This could be helpful to set up a separate DMZ network for guest access and/or your "Internet-of-Things" (IoT) devices. Just be aware the EdgeRouter X WAN2-LAN2 wizard configures a single port ('eth1', without the Power-over-Ethernet pass-through) for this "secondary" network, and all remaining ports are for the "primary" LAN ('eth2', 'eth3', and the PoE pass-through 'eth4', WAN access is through 'eth0'). You will need an Ethernet switch or Wireless Access Point (WAP) if you need more connections or access on that network [EDIT: or later firmware now released fixes that issue].

In my instance, I have an HP LaserJet printer (with JetDirect network connection) on a public-side IP address for use with Google Cloud Print (my host is a Server 2003 R2 system on my home network, so it didn't break with the "Stable" Chrome browser version 52 update). I will show which port(s) to open for that remote printing as well, to demonstrate how you could have services that need to be accessed from the Internet on that network. The HP LaserJet has an Access Control List that you can set (as did the IP Camera I used at one time), but the EdgeRouter X further locks it down by port numbers.

To get started, log-in to the EdgeRouter X with the account we set up at the end of the last topic, then click on the 'Wizards" tab and select the "WAN-2LAN2" wizard as we did before. I upgraded the EdgeRouter firmware before this topic, so now we have an option to preserve the account we set up without needing to revert to the "ubnt" default account. Since we are wanting the EdgeRouter X to have all traffic pass through it (including the small public-side network it will manage) we are going to "bridge" the Internet modem (in my case, DSL) and use PPPoE authentication from the EdgeRouter X (if you need help with this area, contact your Internet Service Provider, ISP).


If you are setting up a different "secondary" LAN enter the appropriate IP address and subnet mask. Note that the wizard protested that I had enabled the DHCP server for my small public-side subnet, so I unchecked that box before continuing (with one device set with a static IP address I didn't need it anyway, and may see if I can turn it on later if I connect an Ethernet switch there. Also, note that I specified the wrong subnet size (as a '/30' rather than a '/29') that I corrected after the Edge Router X rebooted.

As before, it is best to configure the EdgeRouter X from the LAN we set up connected to either the 'eth2' or 'eth3' connection. The EdgeRouter X turns off the PoE pass-through with any reconfiguration, to be safe that you aren't changing the device connected to that port and damaging it. After it has rebooted you can turn on the PoE functionality as we did in the first topic.

Once enabled your network(s) should be running again under default rules. I changed the "gateway" IP address of my subnet since the EdgeRouter X is now managing it, so don't forget to make the needed adjustments if necessary. The gateway address (the way out to the Internet) will be the IP address you set for the "secondary" network in the wizard.

We will now add the needed ports (HTTPS, port 443 TCP, access for a web interface of the printer, and for the "RAW" printer data put on port 9100 TCP) for that small public-side subnet. Select the 'Firewall/NAT' tab, the 'Firewall Policies' tab, then 'Edit' the "WAN_IN" ruleset by selecting it from the button on the right. Click on "Add New Rule" (my screenshot shows what the two entries will look like once complete).


On the "Basic" tab name the new rule, in this instance we are adding HTTPS access first. Click 'Accept' and 'TCP' for a protocol. We won't be changing anything on the 'Advanced' or 'Time' tabs. Click on the 'Source' tab and specify the appropriate network address(es) with their subnet. Don't enter anything for the ports, as that will be handled from the 'Destination' tab. We are also separating the rules rather than listing the ports together, as I want to see the web interface of the printer than the specific locations that are sending print jobs (over port 9100 TCP.


The 'Source' tab looks very similar to the 'Destination' tab layout shown here. Give the IP address of the device on the subnet. Put '443' (for HTTPS) in the 'Port' field. Click on the 'Save' button.


You should now have access to the web interface (make sure you specify "https://" in the web browser). Add the "RAW" printer data port 9100 TCP as appropriate as well. Test printing to make sure it works. We have the subnet working like it is supposed to, managed by the EdgeRouter X!

Now on to adding secure remote access to your firewall interface (both HTTPS and SSH). This will also be from the 'Firewall/NAT' and 'Firewall Policies' tabs, but the "WAN_LOCAL" policy. Add a new rule, naming and adding the same entries to the 'Basic' tab before. Provide the appropriate entry on the 'Source' tab, again leaving the 'Port' entry blank. On the 'Destination' tab it will be slightly different this time, where we enter both 'Port' entries of "22" (for SSH), a comma (no spaces), then "443", and select 'pppoe' from the 'Interface Addr' choices [EDIT: note you can also have the defined port names of "ssh,https" in place of the numbers].


You now should have access remotely to your EdgeRouter X. I plan to investigate whether aliases can be used like the pfSense firewall (check out my earlier blog entries for those topics). Next, we will start assigning (or "Reserving") IP addresses for equipment on the LAN (where you are running the DHCP service from the EdgeRouter) to further lock down security. Stay tuned!

No comments:

Post a Comment