EdgeMAX - EdgeRouter Guest Network Configuration Guide

Introduction


This article describes how to configure a guest network on an EdgeRouter: guest clients are blocked from reaching the other LANs, but can still reach the internet and use the router's DNS and DHCP services.
The guest network can also be granted access to individual LAN devices by IP address.

Tools


EdgeRouter

Steps


  1. Create a network group containing all local network addresses, so that a single firewall rule can block every local network in the group. If there is a specific subnet that you want the guest network to be able to reach, adjust these networks to match your environment.
    configure
    set firewall group network-group LAN_NETWORKS
    set firewall group network-group LAN_NETWORKS description "LAN Networks"
    set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
    set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
    set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
    commit
  2. Create the PROTECT_IN ruleset in the Firewall
    1. Create the PROTECT_IN ruleset and set its default action to accept
      set firewall name PROTECT_IN
      set firewall name PROTECT_IN default-action accept
    2. Create the Accept Rule
      set firewall name PROTECT_IN rule 10 action accept
      set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
      set firewall name PROTECT_IN rule 10 protocol all
      set firewall name PROTECT_IN rule 10 state established enable
      set firewall name PROTECT_IN rule 10 state related enable
    3. Create the Drop Rule
      set firewall name PROTECT_IN rule 20 action drop
      set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
      set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
      set firewall name PROTECT_IN rule 20 protocol all
      commit
  3. Create the PROTECT_LOCAL ruleset in the Firewall
    1. Create the PROTECT_LOCAL ruleset and set its default action to drop
      set firewall name PROTECT_LOCAL
      set firewall name PROTECT_LOCAL default-action drop
    2. Create the Accept DNS Rule
      set firewall name PROTECT_LOCAL rule 10 action accept
      set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
      set firewall name PROTECT_LOCAL rule 10 destination port 53
      set firewall name PROTECT_LOCAL rule 10 protocol udp
    3. Create the Accept DHCP Rule
      set firewall name PROTECT_LOCAL rule 20 action accept
      set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
      set firewall name PROTECT_LOCAL rule 20 destination port 67
      set firewall name PROTECT_LOCAL rule 20 protocol udp
      commit
  4. Apply the rulesets to the appropriate interface (in this guide, VLAN sub-interface vif 10 on eth1; `in` filters traffic forwarded through the router, `local` filters traffic addressed to the router itself)
    set interfaces ethernet eth1 vif 10 firewall in name PROTECT_IN
    set interfaces ethernet eth1 vif 10 firewall local name PROTECT_LOCAL
    commit
    save
    exit
  5. Create an additional rule that allows access to a device at a specific LAN IP address (the rule number must sort before the PROTECT_IN Drop Rule, rule 20, so that it is evaluated first; `configure` is needed again because step 4 left configuration mode)
    configure
    set firewall name PROTECT_IN rule 19 action accept
    set firewall name PROTECT_IN rule 19 description "Accept Printer"
    set firewall name PROTECT_IN rule 19 destination address 192.168.1.150
    commit
    save
    exit
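The following Python script is an added example and is not part of this guide or of EdgeOS. It models the first-match evaluation of the PROTECT_IN and PROTECT_LOCAL rulesets from steps 2, 3 and 5 against a few constructed guest-VLAN flows, so you can check what the guest network can and cannot reach and why the printer exception has to be numbered below the drop rule at 20. The printer address 192.168.1.150, the network-group ranges and the rule numbers come from the guide; the guest gateway 192.168.10.1, the LAN file server 192.168.1.10 and the destination ports are assumptions made for the example.

```python
"""Model EdgeOS first-match rule evaluation for the PROTECT_IN and
PROTECT_LOCAL rulesets in this guide (added example, not EdgeOS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    dst: str                      # destination IPv4 address
    protocol: str                 # "tcp" or "udp"
    dport: Optional[int] = None   # destination port
    state: str = "new"            # conntrack state: "new", "established" or "related"


@dataclass
class Rule:
    number: int                   # EdgeOS evaluates rules in ascending number order
    action: str                   # "accept" or "drop"
    description: str = ""
    protocol: str = "all"         # "all" matches any protocol
    dest_port: Optional[int] = None
    dest_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    states: frozenset = frozenset()   # empty means any connection state

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        if self.dest_port is not None and self.dest_port != pkt.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        if self.dest_networks:
            dst = ipaddress.ip_address(pkt.dst)
            if not any(dst in net for net in self.dest_networks):
                return False
        return True


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: List[Rule]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching rule wins; otherwise fall through to the default action."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, rule.number
        return self.default_action, None


# Step 1: the LAN_NETWORKS network-group (the three RFC 1918 ranges in the guide).
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def build_protect_in(printer_rule_number: int = 19) -> Ruleset:
    """Steps 2 and 5. The parameter only exists to show why the printer
    exception must sort before the drop rule at 20."""
    return Ruleset("PROTECT_IN", "accept", [
        Rule(10, "accept", "Accept Established/Related",
             states=frozenset({"established", "related"})),
        Rule(printer_rule_number, "accept", "Accept Printer",
             dest_networks=[ipaddress.ip_network("192.168.1.150/32")]),
        Rule(20, "drop", "Drop LAN_NETWORKS", dest_networks=LAN_NETWORKS),
    ])


def build_protect_local() -> Ruleset:
    """Step 3: traffic from the guest VLAN addressed to the router itself."""
    return Ruleset("PROTECT_LOCAL", "drop", [
        Rule(10, "accept", "Accept DNS", protocol="udp", dest_port=53),
        Rule(20, "accept", "Accept DHCP", protocol="udp", dest_port=67),
    ])


# Constructed sample flows from a guest client. 192.168.1.10 (a LAN file server),
# 192.168.10.1 (the guest gateway) and the ports are assumptions; 192.168.1.150
# is the guide's printer.
IN_FLOWS = {
    "internet dns":      Packet("8.8.8.8", "udp", 53),
    "lan file share":    Packet("192.168.1.10", "tcp", 445),
    "printer":           Packet("192.168.1.150", "tcp", 9100),
    "reply to lan host": Packet("192.168.1.10", "tcp", 52000, state="established"),
}
LOCAL_FLOWS = {
    "router dns udp": Packet("192.168.10.1", "udp", 53),
    "router dhcp":    Packet("255.255.255.255", "udp", 67),
    "router ssh":     Packet("192.168.10.1", "tcp", 22),
    "router dns tcp": Packet("192.168.10.1", "tcp", 53),
}


def simulate(printer_rule_number: int = 19) -> dict:
    """Return {"in": {flow: action}, "local": {flow: action}} for the sample flows."""
    protect_in, protect_local = build_protect_in(printer_rule_number), build_protect_local()
    return {
        "in":    {n: protect_in.evaluate(p)[0] for n, p in IN_FLOWS.items()},
        "local": {n: protect_local.evaluate(p)[0] for n, p in LOCAL_FLOWS.items()},
    }


if __name__ == "__main__":
    for chain, results in simulate().items():
        for flow, action in results.items():
            print(f"{chain:5s} {flow:18s} -> {action}")
```

Running it shows that the guest subnet reaches the internet and the printer, is dropped for every other destination inside the LAN_NETWORKS group, and can talk to the router only on UDP 53 and UDP 67; the router's SSH and web UI, and DNS queries that fall back to TCP 53, are dropped by PROTECT_LOCAL's default action. Calling `build_protect_in(21)` instead shows the printer rule silently losing to the drop rule once it is numbered after it, which is the reason step 5 uses rule 19.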