Search Results for set firewall on ubnt

OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter

前言 Network Topology RT-AC68U 使用PPPoE拨号上网，但是分配的IP是100.64.204.111, 看着像公网IP实际却是Carrier-grade NAT. 现在需要将RT-AC68U与一台在公网的EdgeRouter使用OpenVPN Site-to-Site连接起来，并在RT-AC68U端实现policy-based routing。需要让RT-AC68U下的所有设备能访问EdgeRouter LAN的网络，并根据需求透过VPS访问指定互联网。本实验参考下列文章： Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite EdgeRouter OpenVPN Connectivity Monitor EdgeRouter 策略路由实现分析 EdgeRouter Policy Based Routing Using DNSMASQ IPSET Incoming search terms:openvpn pbr iptables tagsLink to this post!

EdgeRouter Policy Based Routing Using DNSMASQ IPSET

之前用SNIProxy按域名区分流量，着实麻烦。尤其是后期发现路由表莫名其妙出问题。 EdgeRouter的Policy Based Routing(PBR)使用的是自带配置语法的firewall modify功能。官方有两篇教程： EdgeRouter – Policy-based routing for destination port EdgeRouter – Policy-based routing (source address based) 第二篇文章顺带提了network-group。之前在配置VPN时，使用过network-group，还比较过使用firewall modify + network-group 与配置一堆interface-route的区别。而，这里的network-group的实现，使用了netfilter的ipset。Man pages可以看这里，命令在edgerouter上也附带了。 dnsmasq支持 ‘–ipset‘ 参数，把对配置域名解析的IP存入到指定的ipset。具体细节可以看dnsmasq的文档。 dnsmasq配置的语法比较简单。

--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

1	--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

domain 部分参考 address 的语法。例如：

ipset=/.sskaje.me/MY_SET
ipset=/test.com/MY_SET

1 2	ipset=/.sskaje.me/MY_SET ipset=/test.com/MY_SET

配置好所有自己需要的域名，重启dnsmasq即可。 ipset本身支持timeout，但是edge os的network-group不支持，所以在配置dnsmasq之前，最好创建一个新的network-group。假定新建的ipset名叫 MY_SET，edge router的主要相关配置如下：

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify
set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET
set firewall modify AUTO_VPN rule 20 modify table 4
set firewall modify AUTO_VPN rule 20 protocol all

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify

set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET

set firewall modify AUTO_VPN rule 20 modify table 4

set firewall modify AUTO_VPN rule 20 protocol all

其他诸如配置 static table, interface firewall 可以参考最前边的文档。 Incoming search terms:edgeos firewall network-group … Continue reading “EdgeRouter Policy Based Routing Using DNSMASQ IPSET”

SoftEther between VPS and UBNT EdgeRouter

This is a placeholder. And, this article won’t be public. You are not authorised to read all content in this post. Please login… Incoming search terms:haproxy reverse proxy through socks5#ip=1Link to this post!

L2TP Remote Access Server on UBNT EdgeRouter

EdgeRouter Lite with Firmware 1.9.0 L2TP PSK Mode. WAN interface: eth1 LAN IP: 192.168.3.1 VPN Subnets: 192.168.47.1-192.168.47.99 Run commands below in ‘configure mode’. 1 Configure IPSec

set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable

set vpn ipsec auto-firewall-nat-exclude disable

set vpn ipsec ipsec-interfaces interface eth1

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn ipsec nat-traversal enable

2 Configure L2TP

set vpn l2tp remote-access authentication local-users username USERNAME password PASSWORD
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.47.1
set vpn l2tp remote-access client-ip-pool stop 192.168.47.99
set vpn l2tp remote-access dns-servers server-1 192.168.3.1
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret PreShar3dSecRe7
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access outside-address 0.0.0.0

set vpn l2tp remote-access authentication local-users username USERNAME password PASSWORD

set vpn l2tp remote-access authentication mode local

set vpn l2tp remote-access client-ip-pool start 192.168.47.1

set vpn l2tp remote-access client-ip-pool stop 192.168.47.99

set vpn l2tp remote-access dns-servers server-1 192.168.3.1

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret PreShar3dSecRe7

set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

set vpn l2tp remote-access outside-address 0.0.0.0

3 Configure DNS Make sure you have following lines, otherwise you can get DNS resolved.

set service dns forwarding options bind-interfaces
set service dns forwarding options except-interface=eth1

1 2	set service dns forwarding options bind-interfaces set service dns forwarding options except-interface=eth1

Incoming search terms:edgerouter lite l2tpLink to this post!

UBNT EdgeOS 配置设备路由(interface-route)的方法

之前 EdgeOS PPTP VPN客户端配置里，配置VPN后，需要按需配置路由。由于自用的路由下一跳IP不确定，所以用了 interface-route。配置命令如下：

set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0

1	set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0

按这种方式配置路由的麻烦在于，每次输入都需要把目标网段后边配上一个interface，万一哪天需要改这个interface，要不一个一个改，要不重新导入配置文件。另外一个方法是用路由表＋防火墙路由表如下：

root@ubnt# show protocols static table 
 table 1 {
     description "route table via eth1: default internet access"
     interface-route 0.0.0.0/0 {
         next-hop-interface eth1 {
         }
     }
 }
 table 2 {
     description "route table via vtun0: openvpn  access"
     interface-route 0.0.0.0/0 {
         next-hop-interface vtun0 {
         }
     }
 }
[edit]

root@ubnt# show protocols static table

table 1 {

description "route table via eth1: default internet access"

interface-route 0.0.0.0/0 {

next-hop-interface eth1 {

}

table 2 {

description "route table via vtun0: openvpn access"

interface-route 0.0.0.0/0 {

next-hop-interface vtun0 {

}

[edit]

防火墙里配置一个地址组，并配好modify规则

firewall {
     group {
         network-group FORBIDDEN_ZONE {
             network 8.8.0.0/16
             network 8.25.0.0/16
         }
     }

     modify AUTO_VPN {
         description "Auto route to vpn based on destination"
         enable-default-log
         rule 1 {
             action modify
             description "route to table 2"
             destination {
                 group {
                     network-group FORBIDDEN_ZONE
                 }
             }
             log enable
             modify {
                 table 2
             }
         }
         rule 2 {
             action modify
             description "default route to table 1 "
             disable
             log enable
             modify {
                 table 1
             }
         }
     }
 }

firewall {

group {

network-group FORBIDDEN_ZONE {

network 8.8.0.0/16

network 8.25.0.0/16

}

modify AUTO_VPN {

description "Auto route to vpn based on destination"

enable-default-log

rule 1 {

action modify

description "route to table 2"

destination {

group {

network-group FORBIDDEN_ZONE

}

log enable

modify {

table 2

}

rule 2 {

action modify

description "default route to table 1 "

disable

log enable

modify {

table 1

}

再把内外网口的防火墙规则改一下

set interfaces ethernet eth0 firewall in modify AUTO_VPN

1	set interfaces ethernet eth0 firewall in modify AUTO_VPN

就行了。这里我的eth1连的外网，eth0是LAN。不过这里有个case我没试过，直接配置interface-route的方法，如果目标网段的interface掉了，会回落到默认的出口上，不知道modify的效果如何。 EdgeOS 1.8b3下firewall的log记录在 /var/log/messages 里，可以看到请求命中了哪个规则。 Incoming search terms:EDGEOSset firewall on ubntset interfaces ethernet eth0 firewall in modify balancestatic route edgerouterubnt edgeos su rootubnt 防火墙禁pingLink to this post!