Saturday, September 28, 2019

EdgeRouter X VLAN and Firewall Rule Sets

One of the reasons to use VLANs is to segregate your network and to control which traffic may pass from one network to another.  This post is about exactly that on the EdgeRouter X.

One thing that tripped me up is the direction of a ruleset.  When you want to limit the traffic coming into a VLAN, you would think the direction should be IN.  Oddly, it is actually OUT.  The reason is that on the EdgeRouter the direction is relative to the router, not to the VLAN: IN matches packets arriving at the router from that interface (traffic the VLAN's hosts send), OUT matches packets the router forwards out through that interface (traffic delivered to the VLAN's hosts), and LOCAL matches traffic addressed to the router itself.


In this example, I have a VLAN 100 and would like to accept traffic from VLAN 1 and VLAN 2 into this network, but restrict access from it to VLAN 1 and 2.

To do this, I created a ruleset with its default action set to DROP, attached it in the OUT direction on the VLAN 100 interface, and then added three rules to permit the wanted traffic.

The first rule is a general rule that lets the replies to connections opened from this VLAN (for example, to the internet) back in.

For this, I created a rule, set its action to ACCEPT, and allowed all protocols.  Then, on the Advanced tab, I selected the states ESTABLISHED and RELATED.  Note that the outbound half of those connections is not filtered by this ruleset at all: it enters the router on the VLAN 100 interface and leaves through another one.

The second rule is a specific rule allowing VLAN 1 to open connections into this network.

For this, I created a rule, set its action to ACCEPT, and allowed all protocols.  On the Advanced tab the state selection matters here: NEW is required, because with only ESTABLISHED and RELATED the rule adds nothing the first rule does not already accept (leaving all state boxes unchecked matches every state).  One extra thing is required for this rule, and that is its source: on the Source tab, I picked VLAN 1 from the Network Interface dropdown box (or you can specify the VLAN 1 network, e.g. 192.168.1.0/24).  I applied the same steps for VLAN 2.

After all of this, VLAN 100 accepts traffic from VLAN 1 and 2 and is able to talk to the WAN.  One caveat to check before relying on it: this ruleset only governs what the router forwards into VLAN 100.  A host in VLAN 100 opening a connection to VLAN 1 passes through as IN on the VLAN 100 interface and OUT on the VLAN 1 interface, neither of which this ruleset covers, and the replies then match ESTABLISHED in the first rule.  To actually stop VLAN 100 from reaching VLAN 1 and 2, add a second ruleset in the IN direction on the VLAN 100 interface (accept ESTABLISHED and RELATED first, then drop traffic whose destination is the VLAN 1 or VLAN 2 network, default action ACCEPT so the internet still works), and verify from a VLAN 100 host that a connection to a VLAN 1 address now fails while internet access still works and a VLAN 1 host can still connect in.
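The same setup written as EdgeOS CLI commands.  This is an added example for this post, not the configuration from the original post or from the video it follows.  It assumes VLAN 100 is switch0 vif 100 and that VLAN 1 and VLAN 2 use 192.168.1.0/24 and 192.168.2.0/24; the ruleset names are my own.  It also goes one step beyond the post: the second ruleset, attached in the IN direction on the VLAN 100 interface, is what stops VLAN 100 hosts from opening connections into VLAN 1 and 2, which the OUT ruleset alone does not do.

```vyatta
configure

# What the router may forward INTO VLAN 100 (OUT direction on switch0.100).
set firewall name VLAN100_OUT default-action drop
set firewall name VLAN100_OUT description 'Traffic forwarded into VLAN 100'
# Rule 10: replies to connections that VLAN 100 hosts opened themselves.
set firewall name VLAN100_OUT rule 10 action accept
set firewall name VLAN100_OUT rule 10 state established enable
set firewall name VLAN100_OUT rule 10 state related enable
# Rules 20/30: VLAN 1 and VLAN 2 may open new connections into VLAN 100.
# No state match is set, so NEW is included. Networks are assumed.
set firewall name VLAN100_OUT rule 20 action accept
set firewall name VLAN100_OUT rule 20 source address 192.168.1.0/24
set firewall name VLAN100_OUT rule 30 action accept
set firewall name VLAN100_OUT rule 30 source address 192.168.2.0/24

# What VLAN 100 hosts may send (IN direction on switch0.100):
# replies to anything, nothing new towards VLAN 1/2, everything else (internet).
set firewall name VLAN100_IN default-action accept
set firewall name VLAN100_IN description 'Traffic originating from VLAN 100'
set firewall name VLAN100_IN rule 10 action accept
set firewall name VLAN100_IN rule 10 state established enable
set firewall name VLAN100_IN rule 10 state related enable
set firewall name VLAN100_IN rule 20 action drop
set firewall name VLAN100_IN rule 20 destination address 192.168.1.0/24
set firewall name VLAN100_IN rule 30 action drop
set firewall name VLAN100_IN rule 30 destination address 192.168.2.0/24

# Attach both rulesets to the VLAN 100 interface (interface name assumed).
set interfaces switch switch0 vif 100 firewall out name VLAN100_OUT
set interfaces switch switch0 vif 100 firewall in name VLAN100_IN

commit
save
exit
```

Rule order in VLAN100_IN matters: the ESTABLISHED/RELATED accept must come before the destination drops, otherwise VLAN 100 hosts could not answer connections that VLAN 1 opened to them.  To verify, try to connect from a VLAN 100 host to an address in VLAN 1 (it should fail), check that the same host still reaches the internet, and watch the counters with `show firewall name VLAN100_IN statistics`.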

The above is based on a tutorial video I found on YouTube.


Wednesday, September 25, 2019

Problem Connecting to Samba Server

Today I reinstalled Linux on one of my machines and configured Samba to share a folder with the rest of my network.

However, when I tested the setup from a Windows machine, I got a connection error.  I checked my setup and everything seemed fine.  In the end it turned out there was nothing wrong with my setup, as I could connect to the machine by IP address.  The problem was with NetBIOS name resolution.

My Linux machine's IP ends in 133, but when I ping it by name from my Windows machine the address reported ends in 113.



If you have a similar issue, you may want to check NetBIOS name resolution too.  The problem may be in your network rather than in your Samba settings.


n.b. To clear the DNS cache under Ubuntu (this only affects the Linux resolver, not the Windows client's NetBIOS name cache):

sudo systemd-resolve --flush-caches



Saturday, September 14, 2019

A Few Points on Setting up the EdgeRouter X

I just want to share a few things I learnt while setting up my EdgeRouter X.

PVID corresponds to UNTAGGED on other vendors' switches (the VLAN that untagged frames on that port belong to), and VID corresponds to TAGGED (the port carries that VLAN with an 802.1Q tag).

Hence, with the example below, the router is configured as:

eth1: VLAN 10
eth2: VLAN 20
eth3: VLAN 100
eth4: Trunk port for VLAN 10, VLAN 20 and VLAN 100



After setting up DHCP for each network, DNS forwarding needs to be configured as well, so that the router answers the DNS queries of clients on each VLAN.


All fields in the DHCP server settings need to be set.  I made the mistake of not filling in the Router and DNS fields.  The Router field is the default gateway and, unlike on some other routers, it is not implied from the subnet.  Leaving it empty means connected clients receive no gateway and hence have no internet access.


System-wide DNS (the name servers the router itself uses) isn't set up in the System pane,

but rather via the Config Tree, under system > name-server.


Personally, I prefer to use my choice of DNS provider over my Internet Provider's servers, for stability and "privacy".  For example, with my chosen DNS provider an NXDOMAIN (non-existent domain) is returned for a name that does not exist, like the one below, rather than my Internet Provider's error page.

nslookup www.jkjkjlkjlkjlkjl.com
*** UnKnown can't find www.jkjkjlkjlkjlkjl.com: Non-existent domain


Last but not least, enable hardware offloading for NAT and IPsec to get the best throughput out of the router.
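The points above put together as EdgeOS CLI commands.  This is an added example, not the author's own configuration: it shows the port mapping from the example above (PVID for the untagged access ports, VID for the trunk), one DHCP scope with the Router and DNS fields filled in, DNS forwarding listening on every VLAN interface, the router's own name servers under system, and hardware offload.  The VLAN addressing, the DHCP ranges, the scope name and the upstream resolvers are assumptions; substitute your own.

```vyatta
configure

# Port mapping: PVID = untagged member (access port), VID = tagged member (trunk).
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 20
set interfaces switch switch0 switch-port interface eth3 vlan pvid 100
set interfaces switch switch0 switch-port interface eth4 vlan vid 10
set interfaces switch switch0 switch-port interface eth4 vlan vid 20
set interfaces switch switch0 switch-port interface eth4 vlan vid 100

# One routed interface per VLAN (addressing assumed).
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 20 address 192.168.20.1/24
set interfaces switch switch0 vif 100 address 192.168.100.1/24

# DHCP for VLAN 10. default-router is the "Router" field and dns-server the
# "DNS" field in the GUI; without default-router clients get no gateway.
# Repeat the block for VLAN 20 and VLAN 100 with their own subnets.
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.200
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 lease 86400

# DNS forwarding: the router answers queries on each VLAN interface and
# forwards them to the resolvers of your choice (the two below are assumed).
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.20
set service dns forwarding listen-on switch0.100
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 9.9.9.9

# The router's own resolvers: this is system > name-server in the Config Tree.
set system name-server 1.1.1.1
set system name-server 9.9.9.9

# Hardware offload for NAT and IPsec.
set system offload hwnat enable
set system offload ipsec enable

commit
save
exit
```

After committing, renew a lease on a client in each VLAN and confirm it received both a gateway and a DNS server; then resolve a deliberately non-existent name from that client and check that the answer is NXDOMAIN rather than a redirect address.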