Create an EdgeRouter DMZ/Guest Network

EdgeRouters are a cheap and easy way to get a nice home router that gives you a proper CLI interface and has amazing throughput. After purchasing an EdgeRouter Lite 12+ months ago I finally moved off my pfSense box, which has served me well for the last 5 years.

At home I have a guest network that unknown devices go onto and a DMZ for things like my Raspberry Pi that I use as a jump box, basically anything I don't trust. Setting this up under pfSense involved using floating firewall rules and was (in my opinion) a bit messy. I've detailed how to do this on EdgeOS via the command line or GUI below, and it's nice and clean!

Command Line

First we'll create an address group for the private networks we don't want the DMZ/Guest network to access:

# Enter a configure session
configure
# Create network group
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 description "RFC1918 ranges"

Now we need to make rulesets for our DMZ/Guest interface in the in, local and out directions. The in ruleset applies to traffic entering the router through the interface, i.e. from the DMZ/Guest hosts. We'll assume we want to allow traffic out to the broader internet but block everything destined for private networks:

set firewall name DMZ_IN default-action accept
set firewall name DMZ_IN description 'DMZ to LAN/WAN'
set firewall name DMZ_IN rule 10 action accept
set firewall name DMZ_IN rule 10 description 'Allow established/related'
set firewall name DMZ_IN rule 10 log disable
set firewall name DMZ_IN rule 10 state established enable
set firewall name DMZ_IN rule 10 state related enable
set firewall name DMZ_IN rule 20 action drop
set firewall name DMZ_IN rule 20 description 'Drop invalid state'
set firewall name DMZ_IN rule 20 log disable
set firewall name DMZ_IN rule 20 state invalid enable
set firewall name DMZ_IN rule 30 action reject
set firewall name DMZ_IN rule 30 description 'Drop access to private ranges'
set firewall name DMZ_IN rule 30 destination group network-group RFC1918
set firewall name DMZ_IN rule 30 log disable
set firewall name DMZ_IN rule 30 protocol all

The local ruleset applies to traffic from the network to the EdgeRouter itself. We'll assume you want to allow DNS and DHCP but block everything else:

set firewall name DMZ_LOCAL default-action reject
set firewall name DMZ_LOCAL description 'DMZ to router'
set firewall name DMZ_LOCAL rule 10 action accept
set firewall name DMZ_LOCAL rule 10 description 'Allow established/related'
set firewall name DMZ_LOCAL rule 10 log disable
set firewall name DMZ_LOCAL rule 10 protocol all
set firewall name DMZ_LOCAL rule 10 state established enable
set firewall name DMZ_LOCAL rule 10 state invalid disable
set firewall name DMZ_LOCAL rule 10 state new disable
set firewall name DMZ_LOCAL rule 10 state related enable
set firewall name DMZ_LOCAL rule 20 action drop
set firewall name DMZ_LOCAL rule 20 description 'Drop invalid'
set firewall name DMZ_LOCAL rule 20 log disable
set firewall name DMZ_LOCAL rule 20 protocol all
set firewall name DMZ_LOCAL rule 20 state established disable
set firewall name DMZ_LOCAL rule 20 state invalid enable
set firewall name DMZ_LOCAL rule 20 state new disable
set firewall name DMZ_LOCAL rule 20 state related disable
set firewall name DMZ_LOCAL rule 30 action accept
set firewall name DMZ_LOCAL rule 30 description 'Allow DHCP'
set firewall name DMZ_LOCAL rule 30 destination port 67
set firewall name DMZ_LOCAL rule 30 log disable
set firewall name DMZ_LOCAL rule 30 protocol udp
set firewall name DMZ_LOCAL rule 40 action accept
set firewall name DMZ_LOCAL rule 40 description 'Allow DNS'
set firewall name DMZ_LOCAL rule 40 destination port 53
set firewall name DMZ_LOCAL rule 40 log disable
set firewall name DMZ_LOCAL rule 40 protocol tcp_udp

This last ruleset is optional: it is applied in the out direction and rejects traffic from other internal networks that is destined for this interface:

set firewall name DMZ_OUT default-action reject
set firewall name DMZ_OUT description 'LAN/WAN to DMZ'
set firewall name DMZ_OUT rule 10 action accept
set firewall name DMZ_OUT rule 10 description 'Allow established/related'
set firewall name DMZ_OUT rule 10 log disable
set firewall name DMZ_OUT rule 10 protocol all
set firewall name DMZ_OUT rule 10 state established enable
set firewall name DMZ_OUT rule 10 state invalid disable
set firewall name DMZ_OUT rule 10 state new disable
set firewall name DMZ_OUT rule 10 state related enable
set firewall name DMZ_OUT rule 20 action drop
set firewall name DMZ_OUT rule 20 description 'Drop invalid'
set firewall name DMZ_OUT rule 20 log disable
set firewall name DMZ_OUT rule 20 protocol all
set firewall name DMZ_OUT rule 20 state established disable
set firewall name DMZ_OUT rule 20 state invalid enable
set firewall name DMZ_OUT rule 20 state new disable
set firewall name DMZ_OUT rule 20 state related disable
set firewall name DMZ_OUT rule 30 action reject
set firewall name DMZ_OUT rule 30 description 'Drop access from private ranges'
set firewall name DMZ_OUT rule 30 source group network-group RFC1918
set firewall name DMZ_OUT rule 30 log disable
set firewall name DMZ_OUT rule 30 protocol all

The second-to-last step is to apply these rulesets to our DMZ/Guest network interface. We'll assume your interface is eth2:

set interfaces ethernet eth2 firewall in name DMZ_IN
set interfaces ethernet eth2 firewall local name DMZ_LOCAL
set interfaces ethernet eth2 firewall out name DMZ_OUT

Finally apply everything and you're done!

commit; save
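
To see how the three rulesets above behave before committing, here is an added example (not EdgeOS code or the author's) that models them as first-match rule lists with a default action and evaluates some constructed flows. The guest host 192.168.50.20, router address 192.168.50.1 and LAN host 192.168.1.10 are assumed sample values.

```python
import ipaddress

# Constructed model of the three rulesets above (not EdgeOS code): each rule is
# (match, action); the first matching rule wins, otherwise default-action applies.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def in_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

ESTREL, INVALID = ({"state": {"established", "related"}}, "accept"), ({"state": {"invalid"}}, "drop")
RULESETS = {  # name: (default-action, rules in order 10, 20, 30, 40)
    "DMZ_IN": ("accept", [ESTREL, INVALID, ({"dst_private": True}, "reject")]),
    "DMZ_LOCAL": ("reject", [ESTREL, INVALID, ({"proto": {"udp"}, "dport": 67}, "accept"),
                             ({"proto": {"tcp", "udp"}, "dport": 53}, "accept")]),
    "DMZ_OUT": ("reject", [ESTREL, INVALID, ({"src_private": True}, "reject")]),
}

def matches(match, pkt):
    # A rule matches only if every criterion it specifies applies to the packet.
    if "state" in match and pkt["state"] not in match["state"]:
        return False
    if "proto" in match and pkt["proto"] not in match["proto"]:
        return False
    if "dport" in match and pkt["dport"] != match["dport"]:
        return False
    if match.get("dst_private") and not in_rfc1918(pkt["dst"]):
        return False
    return not (match.get("src_private") and not in_rfc1918(pkt["src"]))

def evaluate(ruleset, pkt):
    default, rules = RULESETS[ruleset]
    return next((act for m, act in rules if matches(m, pkt)), default)

def flow(state, proto, src, dst, dport):
    return {"state": state, "proto": proto, "src": src, "dst": dst, "dport": dport}

def demo():
    """Constructed sample flows; the guest host is 192.168.50.20 behind eth2."""
    flows = {
        "guest->internet new":   ("DMZ_IN", flow("new", "tcp", "192.168.50.20", "1.1.1.1", 443)),
        "guest->LAN new":        ("DMZ_IN", flow("new", "tcp", "192.168.50.20", "192.168.1.10", 445)),
        "guest->router dns":     ("DMZ_LOCAL", flow("new", "udp", "192.168.50.20", "192.168.50.1", 53)),
        "guest->router ssh":     ("DMZ_LOCAL", flow("new", "tcp", "192.168.50.20", "192.168.50.1", 22)),
        "LAN->guest new":        ("DMZ_OUT", flow("new", "tcp", "192.168.1.10", "192.168.50.20", 22)),
        "internet->guest reply": ("DMZ_OUT", flow("established", "tcp", "1.1.1.1", "192.168.50.20", 51000)),
    }
    return {name: evaluate(rs, p) for name, (rs, p) in flows.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Note that DMZ_IN ends in default-action accept, so anything not in the RFC1918 group is allowed out, while DMZ_LOCAL and DMZ_OUT end in reject, so only the explicitly listed traffic gets through.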

GUI

Why? It's so much clicking! Remember you can open a terminal from the Toolbox dropdown in the GUI and apply the rules written above.

If you really need to do it via the GUI, first open the Firewall/NAT tab and go to Firewall/NAT Groups. Click Add Group in the top left and create a Network Group named RFC1918 with a description of RFC1918 ranges.

Now click on the Action dropdown for the newly created network group and click Config. Add the below networks to it and click Save.

  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8

Firewall Rules

You need to add 3 rulesets for this setup, call them DMZ_IN, DMZ_OUT and DMZ_LOCAL with the below values:

Name        Description      Default action
DMZ_IN      DMZ to LAN/WAN   Accept
DMZ_LOCAL   DMZ to router    Reject
DMZ_OUT     LAN/WAN to DMZ   Reject

The first rule you need to create is a default rule for established/related traffic. Select the DMZ_IN ruleset, edit it and hit Add New Rule in the dialog box that appears.

Put Allow established/related in the description and tick Enable. The Action should be Accept and the protocol should be All Protocols. Now jump over to the Advanced tab and tick Established and Related for each state.

Repeat that rule for both the DMZ_OUT and DMZ_LOCAL rulesets.

The second rule we want to create across all our rulesets is one that drops all invalid traffic. Go back through each ruleset and create a new rule with a description of Drop invalid, an Action of Drop and, under the Advanced tab, select Invalid as the state.

Time to create the rules that actually make this a DMZ/Guest network. On the DMZ_IN ruleset create a new rule and call it Drop access to private ranges. Action should be set to Drop and Protocol should be set to All protocols. Finally, go to the Destination tab, open the Network Group dropdown and select RFC1918 ranges, the network group we created in the first step. Apply the rule and close this ruleset.

The next rule, on DMZ_OUT, is optional and only needed if you want to block inbound access from other local networks. If you do, create a new rule the same as above but use the Source tab instead of Destination, and set its description to Drop access from private ranges.

Finally, in the last set of rules we'll allow DHCP and DNS; again, if you don't require these you can skip this section. Open the DMZ_LOCAL ruleset and create a new rule described as Allow DHCP. Set Protocol to UDP, Action to Accept and, under the Destination tab, set the Port to 67. The last rule is for DNS: create a new rule described as Allow DNS. Set Action to Accept, Protocol to Both TCP and UDP and, under the Destination tab, set Port to 53. Save and close!

Add Rules to Interfaces

The last step is to add the rulesets to the interface in the direction they're intended. Open each ruleset, go to the Interfaces tab and set the Interface to your DMZ/Guest interface (in my case it was eth2) whilst setting the appropriate Direction from the table below.

Ruleset     Direction
DMZ_IN      in
DMZ_OUT     out
DMZ_LOCAL   local

Save each ruleset and you're all set up with a nice little DMZ.

Tagged: EdgeRouter, Networking