Thanks in advance for your help!
My Env:
- ERPOE-5
- 1.9.0
- Configured using Wizard for WAN-2LAN-2 (I think... eth1 is bridged).
My configuration is below for reference (IPs obfuscated in places...).
My problem is that I cannot figure out why / how traffic from my internal network (192.168.1.0/24 in the config below) is being allowed out to the Internet. From what I can see the FW has rules to allow traffic from the Internet to my internal network for est. and related packets, and traffic from the Internet for est. and related traffic that is destined to the router itself. However, I don't see any rules for traffic to leave the internal network outbound to the Internet.
I would really appreciate it if someone could explain how this is working. I have to be missing something simple and fundamental.
It would be even better if there was an EdgeOS CLI reference that I could read, too. However, I have googled my brains out trying to find one and I think that UBNT forgot to write one (or they are really good at keeping it hidden).
Thanks again!
admin@edg-rtr5-poe:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 192.168.1.1/24
        aging 300
        bridged-conntrack disable
        description "Local Bridge"
        hello-time 2
        max-age 20
        priority 32768
        promiscuous enable
        stp false
    }
    ethernet eth0 {
        address a.b.c.d/nn
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        bridge-group {
            bridge br0
        }
        description "Local Bridge"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dns {
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name botham.net
    gateway-address e.f.g.h
    host-name edg-rtr5-poe
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 192.168.1.10
    name-server 192.168.1.11
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
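As an added illustration (not part of the original post, and not Ubiquiti's code) of what the configuration above actually attaches where: the script below parses the `show configuration` brace format, assuming one statement per line as the CLI prints it, and lists for every interface and direction (`in`, `out`, `local`) which firewall ruleset is attached. EdgeOS only filters a direction that has a ruleset attached; a direction with no ruleset is not filtered and traffic there is accepted. The embedded sample is a constructed, condensed copy of the posted configuration (addresses obfuscated as in the post). Running it shows that the only attachments are eth0 `in` (WAN_IN) and eth0 `local` (WAN_LOCAL): there is no `out` ruleset on eth0 and nothing on br0, so a LAN host's packet enters br0 unfiltered, leaves eth0 unfiltered, is masqueraded by NAT rule 5010, and the reply comes back through eth0 `in`, where WAN_IN rule 10 accepts it as established/related.

```python
# Constructed, condensed sample modelled on the posted configuration.
SAMPLE_CONFIG = """
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
    }
}
interfaces {
    bridge br0 {
        address 192.168.1.1/24
    }
    ethernet eth0 {
        address a.b.c.d/nn
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    nat {
        rule 5010 {
            outbound-interface eth0
            type masquerade
        }
    }
}
"""

DIRECTIONS = ("in", "out", "local")


def parse_config(text):
    """Nested dicts from the line-based format: a block header such as
    'ethernet eth0' maps to a child dict, a leaf maps key -> unquoted value."""
    root = {}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def firewall_attachments(cfg):
    """{ifname: {direction: ruleset name or None}} for every configured interface."""
    result = {}
    for header, body in cfg.get("interfaces", {}).items():
        _kind, _, ifname = header.partition(" ")
        fw = body.get("firewall", {}) if isinstance(body, dict) else {}
        result[ifname] = {d: fw.get(d, {}).get("name") for d in DIRECTIONS}
    return result


def masquerade_interfaces(cfg):
    """Outbound interfaces that carry a masquerade (source NAT) rule."""
    nat = cfg.get("service", {}).get("nat", {})
    return sorted(body["outbound-interface"] for header, body in nat.items()
                  if header.startswith("rule ") and body.get("type") == "masquerade")


def report(cfg):
    """One line per interface/direction saying whether and how it is filtered."""
    rulesets, lines = cfg.get("firewall", {}), []
    for ifname, dirs in firewall_attachments(cfg).items():
        for d in DIRECTIONS:
            if dirs[d] is None:
                lines.append(f"{ifname} {d}: no ruleset attached -> not filtered (accept)")
            else:
                default = rulesets.get(f"name {dirs[d]}", {}).get("default-action", "?")
                lines.append(f"{ifname} {d}: {dirs[d]} (default-action {default})")
    lines.append("masquerade on: " + ", ".join(masquerade_interfaces(cfg)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_config(SAMPLE_CONFIG))))
```

To run it against a real router, paste the output of `show configuration` (one statement per line, as the CLI prints it) into `SAMPLE_CONFIG`; every line that reads "no ruleset attached" is a direction the firewall is not inspecting, which is the list to review if outbound filtering from the LAN is wanted.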