Can someone help me with the below firewall?
Here is my port configuration on the ER-Pro:
eth0: WAN
eth1: LAN, connected via UniFi 48-port PoE Switch -- 1.2 and 1.3 are VLAN's, see below
eth2: DMZ/AT&T MicroCell hooked directly to router
I have the following VLANs:
1 - Main LAN
2 - Samsung TV's (had to isolate because they pick up my 20 Sonos speakers and put them as input options)
3 - Guest WiFi
4 - DMZ (for AT&T MicroCell device)
5 - Management, currently unused
I want everything in VLAN1 (main LAN) to be able to communicate with each other. I don't want VLAN1 to communicate with any other VLAN (either outgoing or incoming).
I want the DMZ pretty much isolated as much as possible without any protection if possible. Like the other VLAN's, I don't want it to be able to cross any VLAN.
I'm finding that when connected to WiFi on my main LAN (VLAN1), I cannot access the router config GUI. When connected to the guest WiFi, I'm able to access it.
Finally, what do I need to include in order to allow remote access to my router config? Any other recommendations to speed things up or better protect my network would be very appreciated!
Thanks!
firewall {
all-ping enable
broadcast-ping disable
group {
address-group CAM {
address 10.0.1.80-10.0.1.82
description Cameras
}
address-group GUEST {
address 10.0.3.0/24
description "Guest VLAN"
}
address-group LAN {
address 10.0.1.0/24
description LAN
}
address-group MANAGEMENT {
address 10.0.5.0/24
description "Management VLAN"
}
address-group TV {
address 10.0.2.0/24
description "TV VLAN"
}
network-group DMZ {
description DMZ
network 10.0.4.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DMZ_In {
default-action accept
description ""
rule 1 {
action drop
description LAN
destination {
address 10.0.1.0/24
}
log disable
protocol all
}
rule 2 {
action drop
description TV
destination {
address 10.0.2.0/24
}
log disable
protocol all
}
rule 3 {
action drop
description Guest
destination {
address 10.0.3.0/24
}
log disable
protocol all
}
rule 4 {
action drop
description Management
destination {
address 10.0.5.0/24
}
log disable
protocol all
}
}
name DMZ_Local {
default-action accept
description ""
rule 1 {
action accept
description DNS
destination {
port 53
}
log disable
protocol udp
}
}
name Guest_In {
default-action accept
description "Guest Access"
rule 10 {
action drop
description LAN
destination {
address 10.0.1.0/24
}
log disable
protocol all
}
rule 20 {
action drop
description TV
destination {
address 10.0.2.0/24
}
log disable
protocol all
}
rule 30 {
action drop
description DMZ
destination {
address 10.0.4.0/24
}
log disable
protocol all
}
rule 40 {
action drop
description Management
destination {
address 10.0.5.0/24
}
log disable
protocol all
}
}
name Guest_Local {
default-action accept
description "Local Guest"
rule 1 {
action accept
description DNS
destination {
port 53
}
log disable
protocol udp
}
}
name InterVLAN1 {
default-action accept
description "Primary LAN"
rule 1 {
action drop
description "VLAN2 Drop"
destination {
address 10.0.2.0/24
group {
}
}
log disable
protocol all
source {
address 10.0.2.0/24
}
}
rule 2 {
action drop
description "VLAN3 Drop"
destination {
address 10.0.3.0/24
group {
}
}
log disable
protocol all
source {
address 10.0.3.0/24
}
}
rule 4 {
action drop
description "VLAN4 Drop"
destination {
address 10.0.4.0/24
group {
}
}
log disable
protocol all
source {
address 10.0.4.0/24
}
}
}
name TV_In {
default-action accept
description ""
rule 1 {
action drop
description LAN
destination {
address 10.0.1.0/24
}
log disable
protocol all
}
rule 2 {
action drop
description Guest
destination {
address 10.0.3.0/24
}
log disable
protocol all
}
rule 3 {
action drop
description DMZ
destination {
address 10.0.4.0/24
}
log disable
protocol all
}
rule 4 {
action drop
description Management
destination {
address 10.0.5.0/24
}
log disable
protocol all
}
}
name TV_Local {
default-action accept
description ""
rule 1 {
action accept
description DNS
destination {
port 53
}
log disable
protocol udp
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 1 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 4 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 1 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 3 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description "Xfinity Internet"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 10.0.1.1/24
description "Nix Intranet"
duplex auto
firewall {
in {
}
local {
name InterVLAN1
}
out {
}
}
speed auto
vif 2 {
address 10.0.2.1/24
description "TV Internet Access"
firewall {
in {
name TV_In
}
local {
name TV_Local
}
}
}
vif 3 {
address 10.0.3.1/24
description "Guest Internet Access"
firewall {
in {
name Guest_In
}
local {
name Guest_Local
}
}
}
}
ethernet eth2 {
address 10.0.4.1/24
description DMZ
duplex auto
firewall {
in {
name DMZ_In
}
local {
name DMZ_Local
}
}
mtu 1492
speed auto
}
ethernet eth3 {
address dhcp
description "Backup Access"
duplex auto
speed auto
}
ethernet eth4 {
disable
duplex auto
speed auto
}
ethernet eth5 {
disable
duplex auto
speed auto
}
ethernet eth6 {
disable
duplex auto
speed auto
}
ethernet eth7 {
disable
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
lan-interface eth2
rule 1 {
description "Luca Bedroom Camera"
forward-to {
address 10.0.1.80
port 10009
}
original-port 10009
protocol tcp
}
rule 2 {
description "Luca Playroom Camera"
forward-to {
address 10.0.1.81
port 10010
}
original-port 10010
protocol tcp
}
rule 3 {
description "Bentley Camera"
forward-to {
address 10.0.1.82
port 10011
}
original-port 10011
protocol tcp
}
rule 4 {
description "MicroCell 123 UDP"
forward-to {
address 10.0.4.2
port 123
}
original-port 123
protocol udp
}
rule 5 {
description "MicroCell 4500 UDP"
forward-to {
address 10.0.4.2
port 4500
}
original-port 4500
protocol udp
}
rule 6 {
description "MicroCell 500 UDP"
forward-to {
address 10.0.4.2
port 500
}
original-port 500
protocol udp
}
rule 7 {
description "MicroCell 443 TCP"
forward-to {
address 10.0.4.2
port 443
}
original-port 443
protocol tcp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name DMZ {
authoritative disable
subnet 10.0.4.0/24 {
default-router 10.0.4.1
dns-server 75.75.75.75
dns-server 8.8.8.8
lease 31536000
(static mapping removed)
}
}
}
shared-network-name Guest {
authoritative disable
subnet 10.0.3.0/24 {
default-router 10.0.3.1
dns-server 75.75.75.75
dns-server 8.8.8.8
lease 86400
start 10.0.3.100 {
stop 10.0.3.150
}
}
}
shared-network-name LAN1 {
authoritative disable
subnet 10.0.1.0/24 {
default-router 10.0.1.1
dns-server 10.0.1.1
lease 432000
start 10.0.1.140 {
stop 10.0.1.255
}
(lengthy static mapping removed)
unifi-controller 10.0.1.100
}
}
shared-network-name TV {
authoritative disable
subnet 10.0.2.0/24 {
default-router 10.0.2.1
dns-server 75.75.75.75
dns-server 8.8.8.8
lease 31536000
(static mapping removed)
}
}
}
}
dns {
dynamic {
interface eth0 {
service dyndns {
host-name *****.*****.***
login *****
password ****************************
}
web dyndns
}
}
forwarding {
cache-size 150
listen-on eth1
listen-on eth1.2
listen-on eth1.3
listen-on eth2
system
}
}
gui {
http-port 80
https-port 10015
older-ciphers enable
}
nat {
rule 1 {
description Cameras
inbound-interface eth0
inside-address {
address 10.0.1.80-10.0.1.82
port 10009-10011
}
log disable
protocol tcp
type destination
}
rule 2 {
description MicroCell
inbound-interface eth0
inside-address {
address 10.0.4.2
}
log disable
protocol all
type destination
}
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
upnp {
listen-on eth1 {
outbound-interface eth0
}
listen-on eth1.2 {
outbound-interface eth0
}
}
}
system {
domain-name ***.***
host-name router
login {
user ****** {
authentication {}
full-name “***”
level admin
}
}
name-server 75.75.75.75
name-server 8.8.8.8
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
gre enable
pppoe enable
vlan enable
}
ipv6 {
forwarding enable
pppoe disable
vlan enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/New_York
traffic-analysis {
dpi enable
export enable
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.5.4884695.160608.1104 */