@plembo
Last active October 18, 2024 13:12
Ubiquiti EdgeRouter firewall rules for IOT networks

Just going to present several variations on a theme here, tested with a Ubiquiti EdgeRouter 4 in my home lab.

Several resources were consulted in the process of creating these firewall rules, cited below under "Resources".

In these examples, the "default" or "management" VLAN is VLAN1, on 192.168.1.0/24. A separate VLAN8 was created for IOT devices on 192.168.8.0/24, along with its own DHCP service on the router.

The minimum requirements here are to have the IOT devices on the VLAN8 network get an address from the VLAN8 DHCP server and access the Internet through the VLAN's gateway (192.168.8.1), allow management network access to the IOT devices, and block access to the management network by devices on the IOT network (VLAN8).

The following rule sets are in addition to any other rule sets protecting the router and local networks from the Internet. The EdgeRouter 4 WAN-LAN2LAN setup wizard creates some default IPv4 and IPv6 firewall rule sets for that purpose (you need to check the box to include IPv6).

The below rules refer to a firewall group, LAN_NETWORKS, that needs to be created in advance. See Create a firewall group on an EdgeRouter for one way to do that.

The following firewall rule sets will allow:

  • all devices on the IOT network (VLAN8) to get an IP address from a DHCP server on the router
  • all devices on the IOT network (VLAN8) to access the Internet but not private networks (like VLAN1)
  • only devices on the management network (VLAN1) to access devices on the IOT network (VLAN8) and to access the Internet.
    name IOT_IN {
        default-action accept
        description "iot to wan/lan"
        rule 10 {
            action accept
            description "accept established/related"
            destination {
                address 192.168.1.0/24
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop iot to wan/lan"
            destination {
                group {
                    network-group LAN_NETWORKS
                }
            }
            log disable
            protocol all
        }
    }
    name IOT_LOCAL {
        default-action drop
        description "iot to router"
        rule 10 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 20 {
            action accept
            description "allow DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }

Here are the commands to make the above configuration (printed from a running config with show configuration commands):

set firewall name IOT_IN default-action accept
set firewall name IOT_IN description 'iot to wan/lan'
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description 'accept established/related'
set firewall name IOT_IN rule 10 destination address 192.168.1.0/24
set firewall name IOT_IN rule 10 log disable
set firewall name IOT_IN rule 10 protocol all
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state invalid disable
set firewall name IOT_IN rule 10 state new disable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description 'drop iot to wan/lan'
set firewall name IOT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name IOT_IN rule 20 log disable
set firewall name IOT_IN rule 20 protocol all
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL description 'iot to router'
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 description 'allow DNS'
set firewall name IOT_LOCAL rule 10 destination port 53
set firewall name IOT_LOCAL rule 10 log disable
set firewall name IOT_LOCAL rule 10 protocol tcp_udp
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 description 'allow DHCP'
set firewall name IOT_LOCAL rule 20 destination port 67
set firewall name IOT_LOCAL rule 20 log disable
set firewall name IOT_LOCAL rule 20 protocol udp

set interfaces ethernet eth1 vif 8 firewall in name IOT_IN
set interfaces ethernet eth1 vif 8 firewall local name IOT_LOCAL
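To check that the two rule sets really produce the behaviour listed above, here is an added Python model of them (example code, not EdgeOS or the gist author's own). It applies EdgeOS first-match semantics to constructed test packets and assumes LAN_NETWORKS holds the three RFC1918 ranges, as in the comment below.

```python
import ipaddress

# Constructed model of the page's rule sets (not EdgeOS code).
# Assumption: LAN_NETWORKS is the RFC1918 network-group from the comments.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# IOT_IN: traffic from VLAN8 going through the router (interface "in").
IOT_IN = {
    "default": "accept",
    "rules": [
        # rule 10: established/related replies only toward the management VLAN
        {"action": "accept", "dst": "192.168.1.0/24",
         "states": {"established", "related"}},
        # rule 20: everything else headed for a private network is dropped
        {"action": "drop", "dst_group": LAN_NETWORKS},
    ],
}

# IOT_LOCAL: traffic from VLAN8 addressed to the router itself ("local").
IOT_LOCAL = {
    "default": "drop",
    "rules": [
        {"action": "accept", "port": 53, "proto": {"tcp", "udp"}},  # rule 10: DNS
        {"action": "accept", "port": 67, "proto": {"udp"}},         # rule 20: DHCP
    ],
}

def _matches(rule, dst, port, proto, state):
    """Every criterion present on the rule must match, as in EdgeOS."""
    if "dst" in rule and dst not in ipaddress.ip_network(rule["dst"]):
        return False
    if "dst_group" in rule and not any(dst in n for n in rule["dst_group"]):
        return False
    if "states" in rule and state not in rule["states"]:
        return False
    if "port" in rule and port != rule["port"]:
        return False
    if "proto" in rule and proto not in rule["proto"]:
        return False
    return True

def evaluate(ruleset, dst, port=None, proto="tcp", state="new"):
    """First matching rule wins; if none matches, the default-action applies."""
    dst = ipaddress.ip_address(dst)
    for rule in ruleset["rules"]:
        if _matches(rule, dst, port, proto, state):
            return rule["action"]
    return ruleset["default"]
```

Note the edge case the model exposes: an established flow from VLAN8 toward a private network other than 192.168.1.0/24 still hits rule 20, so only the management VLAN can initiate connections into the IOT network.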

Resources:

The rules above were derived from these additional resources:

Edgerouter - How to Create a Guest/LAN Firewall Rule

Settings up EdgeRouter X with LAN segregation and VPN access

@supersophie

What is the netgroup LAN_NETWORKS? Does this contain networks that you want to block traffic to and from? Or some thing else?

@plembo (Author) commented Oct 17, 2024

Great question. In my config it's currently just a list of standard private networks, used to block any (presumably bogus) inbound traffic purporting to come from them. Here's a snippet showing the group definition that might make it clearer:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN_NETWORKS {
            description "RFC1918 Private Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
}

@plembo (Author) commented Oct 18, 2024

Note to everyone: I have updated the second link above to the last Wayback Machine capture, as it is no longer available on the original author's site. The Internet is ephemeral after all, proceed accordingly!
