I just purchased my first EdgeRouter X. I immediately upgraded the firmware to 1.8.5 and then used the "WAN+2LAN2" wizard. I also added a couple of port forwards for my e-mail server (TCP ports 25 & 443). Things almost worked perfectly, but unfortunately, I've noticed a few items I'd like the experts' help on:
- The EdgeOS is available from the internet. Obviously, that needs to be blocked on the WAN port (eth0). I've seen others have this issue, but they had another device on their WAN interface between the EdgeRouter and modem. I thought about just simply adding a firewall rule to block all port 80 traffic coming in from eth0, but there might be a standard way within the EdgeRouter EdgeOS.
- I have WIFI clients on the "Local 2" network (eth0) that often need to sync up e-mail (over SSL) to a server that's on the "Local" network (eth3). In my old configuration (before UBNT), this system could make a connection - basically going out to the internet and back in the other side. If coming in from the internet, clients can get their e-mails.
- I ran GRC's ShieldsUp! and noticed that the two ports I'm forwarding show as "Open" instead of "Stealth." I've seen a few others have similar issues, but I didn't see a resolution that worked.
Here's my config:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.25.0.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.16.0.1/24
        description Local
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth3
    rule 1 {
        description SMTP
        forward-to {
            address 172.16.0.2
            port 25
        }
        original-port 25
        protocol tcp
    }
    rule 2 {
        description SSL
        forward-to {
            address 172.16.0.2
            port 443
        }
        original-port 443
        protocol tcp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 172.25.0.0/24 {
                default-router 172.25.0.1
                dns-server 172.25.0.1
                dns-server 8.8.8.8
                lease 86400
                start 172.25.0.100 {
                    stop 172.25.0.200
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 172.16.0.1
                dns-server 8.8.8.8
                lease 86400
                start 172.16.0.100 {
                    stop 172.16.0.200
                }
                static-mapping Ooma {
                    ip-address 172.16.0.10
                    mac-address 00:18:61:21:11:C3
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
}
system {
    host-name ubnt
    login {
        user ubntadmin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Denver
}
Please note that the EdgeRouter is indeed the first device in the chain from my cablemodem. (Yes, the WAN IP Address of the EdgeRouter matches the What's My IP.)
Please let me know your thoughts.
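An added example, not from the post or from Ubiquiti: a small Python parser for the EdgeOS brace-style config format shown above, plus two defender-side checks drawn from the post's questions (whether WAN_LOCAL drops by default, and whether a port-forward rule claims the same original-port as the GUI's https-port, which in the posted config are both 443). The SAMPLE fragment and the `parse`/`audit` names are constructed here.

```python
# Constructed EdgeOS-style fragment for the checks below; not the poster's full config.
SAMPLE = """
firewall {
    name WAN_LOCAL {
        default-action drop
    }
}
port-forward {
    rule 2 {
        forward-to {
            address 172.16.0.2
            port 443
        }
        original-port 443
        protocol tcp
    }
}
service {
    gui {
        https-port 443
    }
}
"""

def parse(text: str) -> dict:
    """Parse EdgeOS brace-style config into nested dicts; repeated leaves become lists."""
    root: dict = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):          # "name WAN_LOCAL {" opens a node keyed by its header
            node: dict = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:                             # leaf "key value"; value may be empty or quoted
            key, _, value = line.partition(" ")
            cur, prev = stack[-1], stack[-1].get(key)
            cur[key] = value if prev is None else ([*prev, value] if isinstance(prev, list) else [prev, value])
    return root

def audit(cfg: dict) -> list:
    """Flag a WAN_LOCAL policy that is not default-drop and any port-forward on the GUI port."""
    findings = []
    if cfg.get("firewall", {}).get("name WAN_LOCAL", {}).get("default-action") != "drop":
        findings.append("WAN_LOCAL default-action is not drop")
    gui_port = cfg.get("service", {}).get("gui", {}).get("https-port", "443")
    for name, rule in cfg.get("port-forward", {}).items():
        if name.startswith("rule ") and rule.get("original-port") == gui_port:
            findings.append(f"{name} uses original-port {gui_port}, the GUI https-port")
    return findings
```

Run `audit(parse(open("/config/config.boot").read()))` on a saved config to apply the same checks to a real file; a rule sharing the GUI port is worth reviewing before deciding where the router's management plane is reachable from.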