Channel: EdgeRouter topics

Block traffic between ports EdgeRouter PoE 1.8.0


I'm setting up an EdgeRouter PoE (1.8.0) as follows:

eth0 - WAN (plugged into my ISP's fiber interface box with static IP information configured, I did this through the WAN+2LAN2 wizard)

eth1 interface IP: 192.168.248.1
eth1 subnet: 192.168.248.0/24 (private business network)

eth2 interface IP: 10.0.0.1
eth2 subnet: 10.0.0.0/16 (public wifi for guests)

eth3 and eth4 are disabled since I'm not using them.

DHCP servers for both eth1 and eth2. That part works fine - I can pull a 10.0.x.x address if I plug my laptop into eth2 and a 192.168.248.x address if I plug my laptop into eth1.

Two things I want to accomplish:

1. For obvious security reasons, I want to block traffic between eth1 and eth2. Currently, I can plug a laptop into eth2 and ping stuff on eth1. I don't want this to happen. I want both interfaces to have Internet access, but I don't want them able to talk to each other at all.

2. I don't want anyone on the public network (eth2) to even be able to access the web UI login page. Currently, I can plug my laptop into eth2, pull a 10.0.0.1 address, and see the username/password entry screen for the web UI. I don't want this to happen (also for obvious security reasons). I've changed the default password, of course, but I don't want guests on the public network to even see that page.

I've tried the following:

- Create a ruleset applied to eth1/in with default action "accept" and a single rule with action "drop" if the destination is 10.0.0.0/16.

- Create another ruleset applied to eth2/in with default action "accept" and a single rule with action "drop" if the destination is 192.168.248.0/24. (I found advice to do that in this thread: https://community.ubnt.com/t5/EdgeMAX/separate-eth1-from-eth2/td-p/494887)

I'm still able to ping 192.168.248.1 when I'm plugged into eth2 and 10.0.0.1 when plugged into eth1.

I'm hoping I've just overlooked something dumb. Would prefer to do this through the GUI if possible.
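An added worked example, not part of the original post and not the poster's configuration. On EdgeOS an interface's "in" ruleset only sees packets that are forwarded through the router; packets addressed to one of the router's own IPs (10.0.0.1, 192.168.248.1, or the WAN address) are matched by the interface's "local" ruleset instead. That is why a drop-by-destination rule in eth2/in does not stop a guest from pinging 192.168.248.1 or loading the web UI: the web UI and the ping reply come from the router itself, not from a host behind it. The configuration below keeps the two "in" rulesets for host-to-host isolation and adds a "local" ruleset on the guest interface that drops everything aimed at the router except DHCP and DNS. The ruleset names (GUEST_IN, BUSINESS_IN, GUEST_LOCAL), the rule numbers, and the assumption that the eth2 DHCP server hands out the router's own address as the DNS server are mine; the subnets and interfaces are the ones in the post.

```edgeos
configure

# Guest LAN -> business LAN (forwarded traffic entering eth2).
# Default accept so guests keep Internet access through eth0.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description 'Guest LAN to other networks'
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description 'Block guest -> business LAN'
set firewall name GUEST_IN rule 10 destination address 192.168.248.0/24
set interfaces ethernet eth2 firewall in name GUEST_IN

# Business LAN -> guest LAN, the mirror image on eth1.
set firewall name BUSINESS_IN default-action accept
set firewall name BUSINESS_IN description 'Business LAN to other networks'
set firewall name BUSINESS_IN rule 10 action drop
set firewall name BUSINESS_IN rule 10 description 'Block business -> guest LAN'
set firewall name BUSINESS_IN rule 10 destination address 10.0.0.0/16
set interfaces ethernet eth1 firewall in name BUSINESS_IN

# Guest LAN -> the router itself (web UI, SSH, ping to ANY router IP).
# Default drop; only the services guests genuinely need are opened.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description 'Guest LAN to router'
# DHCP: clients send UDP to port 67 before they have an address (assumed needed).
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description 'Allow DHCP'
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 67
# DNS: only needed if the DHCP server hands out 10.0.0.1 as resolver (assumption).
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description 'Allow DNS to router resolver'
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53
set interfaces ethernet eth2 firewall local name GUEST_LOCAL

commit
save
exit
```

The same thing can be done from the GUI: create the rulesets under Firewall/NAT > Firewall Policies, then use the Interfaces action on GUEST_LOCAL and attach it to eth2 with direction "local" rather than "in". After committing, a guest on eth2 should still get a lease and resolve names, but a ping to 10.0.0.1 or 192.168.248.1 and a browser request to https://10.0.0.1 should time out, since the default-drop local ruleset applies to every address the router owns, not just the eth2 address. If the guest DHCP scope points clients at a public resolver instead of the router, rule 20 can be deleted so that the router exposes only DHCP to the guest segment.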

