Saturday, November 28, 2015

Open Mesh and Ubiquiti Router Network 2

What:

A multi-VLAN network using a Ubiquiti router and Open-Mesh WiFi access points.
This network has the following features:

  • Dynamic DNS
  • Individual DHCP pools for each VLAN.
  • L2TP VPN
  • NAT / Masquerading
  • Transparent Web Proxy with individual rule sets for VLAN6 and VLAN9


Why:

I was approached by a non-profit organization that was in need of a campus-wide WiFi network.

Components:

The components below were chosen for their price and features:

Firmware:

IMPORTANT: Upgrade the firmware to the latest EdgeOS. As of this writing, the latest is 1.7.0.

Interfaces:

I have the router interfaces set up as below:
  • Ports:
    • eth0: 192.168.1.1/24
      • DHCP: 192.168.1.201-192.168.1.254

    • eth1: no IP address; carries the VLANs below
      • VLANs
        • 1 - 192.168.2.1/24 - Cloudtrax
          • DHCP: 192.168.2.201-192.168.2.254
        • 3 - 172.16.0.1/23 - OfficeStaff
          • DHCP: 172.16.1.1-172.16.1.254
        • 6 - 10.0.0.1/21 - Guests
          • DHCP: 10.0.2.1-10.0.7.254
        • 9 - 172.16.8.1/23 - ChildrensArea
          • DHCP: 172.16.9.1-172.16.9.254
        • 12 - 172.16.10.1/23 - TechStaff
          • DHCP: 172.16.11.1-172.16.11.254
    • eth2: DHCP - WAN

NAT/Masquerading:


I ran the commands below to set up masquerading:

set 'service' 'nat' 'rule' '5010' 'outbound-interface' 'eth2'
set 'service' 'nat' 'rule' '5010' 'type' 'masquerade'

I gathered some tips and ideas from the below links:
https://help.ubnt.com/hc/en-us/articles/205197660-EdgeMAX-SOHO-Example
https://community.ubnt.com/t5/EdgeMAX/Basic-SOHO-Home-Config/m-p/453453
https://community.ubnt.com/t5/EdgeMAX/Basic-SOHO-Home-Config/td-p/398055

Web Filter

The GUI has no controls for the web proxy filter, but the feature is present and can be configured from the CLI.

I used the tutorial below to get started.
https://community.ubnt.com/t5/EdgeMAX/Edgerouter-Lite-v1-7-0-modify-proxy-configuration-to-use/m-p/1341469

Here is an example of setting up the web proxy for the "Guest" VLAN:

Enable transparent proxy for the Guest DHCP pool
set service dhcp-server shared-network-name GuestDHCP subnet 10.0.0.0/21 wpad-url 10.0.0.1

Set the default proxy settings
set service webproxy cache-size 0
set service webproxy default-port 3128
set service webproxy enable-access-log
set service webproxy listen-address 172.16.6.1
set service webproxy listen-address 172.16.8.1
set service webproxy mem-cache-size 32
set service webproxy url-filtering squidguard auto-update update-hour 0
set service webproxy url-filtering squidguard block-category adv
set service webproxy url-filtering squidguard default-action allow

set service webproxy url-filtering squidguard source-group GuestProxy address 10.0.2.1-10.0.7.254 #set source group
set service webproxy url-filtering squidguard redirect-url http://google.com #blocked sites will redirect traffic to google

Filter rules:
set service webproxy url-filtering squidguard rule 20 block-category adv
set service webproxy url-filtering squidguard rule 20 block-category aggressive
...
set service webproxy url-filtering squidguard rule 20 block-category movies
set service webproxy url-filtering squidguard rule 20 block-category porn
set service webproxy url-filtering squidguard rule 20 block-category redirector
set service webproxy url-filtering squidguard rule 20 block-category ringtones
set service webproxy url-filtering squidguard rule 20 block-category spyware
set service webproxy url-filtering squidguard rule 20 block-category violence
set service webproxy url-filtering squidguard rule 20 block-category warez
set service webproxy url-filtering squidguard rule 20 local-block-url youtube.com
set service webproxy url-filtering squidguard rule 20 local-block-url m.youtube.com
set service webproxy url-filtering squidguard rule 20 local-block-url www.youtube.com
set service webproxy url-filtering squidguard rule 20 local-block-url googlevideo.com
set service webproxy url-filtering squidguard rule 20 local-block doubleclick.net
set service webproxy url-filtering squidguard rule 20 default-action allow
set service webproxy url-filtering squidguard rule 20 source-group GuestProxy #assign the ruleset to the source-group
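The addressing plan in the Interfaces section and the webproxy/squidguard settings above have to agree with each other: each DHCP pool must sit inside its VLAN's subnet and leave out the router address, each webproxy listen-address must be an address the router itself owns (the transparent redirect is installed for the interface that owns that address, so a listen-address that matches no interface proxies nothing), and a squidguard source-group should cover the clients of exactly one VLAN. The following Python script is an added example, not part of this post or of EdgeOS; it carries the plan as transcribed from this page (the eth0 pool is read as 192.168.1.201-192.168.1.254, and the names eth1.N are my labels for the VLAN sub-interfaces) and checks those rules with the standard ipaddress module. Run against the values as posted, it flags listen-address 172.16.6.1 for review because it matches no router interface, while 172.16.8.1 matches VLAN 9; the Guest VLAN gateway 10.0.0.1 is not in the listen list at all, which is worth confirming before trusting the GuestProxy rule set.

```python
"""Consistency check for a VLAN / DHCP / transparent-proxy plan on an EdgeOS router.

Added example: the plan below is transcribed from the blog post; the eth1.N
interface names are labels chosen here for the VLAN sub-interfaces.
"""
import ipaddress

# interface -> (router address with prefix, (DHCP pool start, DHCP pool stop))
PLAN = {
    "eth0":    ("192.168.1.1/24", ("192.168.1.201", "192.168.1.254")),
    "eth1.1":  ("192.168.2.1/24", ("192.168.2.201", "192.168.2.254")),  # Cloudtrax
    "eth1.3":  ("172.16.0.1/23",  ("172.16.1.1",    "172.16.1.254")),   # OfficeStaff
    "eth1.6":  ("10.0.0.1/21",    ("10.0.2.1",      "10.0.7.254")),     # Guests
    "eth1.9":  ("172.16.8.1/23",  ("172.16.9.1",    "172.16.9.254")),   # ChildrensArea
    "eth1.12": ("172.16.10.1/23", ("172.16.11.1",   "172.16.11.254")),  # TechStaff
}
# "set service webproxy listen-address ..." values as posted
LISTEN = ["172.16.6.1", "172.16.8.1"]
# squidguard source-group name -> client address range, as posted
SOURCE_GROUPS = {"GuestProxy": ("10.0.2.1", "10.0.7.254")}


def _networks(plan):
    """Map interface name -> (router IPv4Address, IPv4Network) for every entry."""
    return {name: (ipaddress.ip_interface(cidr).ip, ipaddress.ip_interface(cidr).network)
            for name, (cidr, _) in plan.items()}


def check_pool(name, cidr, pool):
    """Return problems with one DHCP pool relative to the interface that serves it."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    start, stop = (ipaddress.ip_address(a) for a in pool)
    problems = []
    if start > stop:
        problems.append(f"{name}: pool start {start} is after stop {stop}")
    if start not in net or stop not in net:
        problems.append(f"{name}: pool {start}-{stop} is outside {net}")
    if start <= iface.ip <= stop:
        problems.append(f"{name}: router address {iface.ip} lies inside the pool")
    if start == net.network_address or stop == net.broadcast_address:
        problems.append(f"{name}: pool includes the network or broadcast address")
    return problems


def check_overlaps(plan):
    """Every interface must own a distinct subnet; overlapping subnets break routing."""
    nets = {name: net for name, (_, net) in _networks(plan).items()}
    names = sorted(nets)
    return [f"{a} {nets[a]} overlaps {b} {nets[b]}"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_listen(plan, listen):
    """Each webproxy listen-address must be one of the router's own interface addresses."""
    own = {str(ip): name for name, (ip, _) in _networks(plan).items()}
    return [f"listen-address {addr} matches no router interface; no VLAN is proxied by it"
            for addr in listen if addr not in own]


def check_source_groups(plan, groups):
    """A squidguard source-group should fall inside exactly one VLAN's subnet."""
    nets = _networks(plan)
    problems = []
    for gname, pool in groups.items():
        start, stop = (ipaddress.ip_address(a) for a in pool)
        homes = [name for name, (_, net) in nets.items() if start in net and stop in net]
        if len(homes) != 1:
            problems.append(f"source-group {gname} {start}-{stop} is not inside exactly one VLAN")
    return problems


def audit(plan=PLAN, listen=LISTEN, groups=SOURCE_GROUPS):
    """Run every check; returns {check name: [problem description, ...]}."""
    pools = [p for name, (cidr, pool) in plan.items() for p in check_pool(name, cidr, pool)]
    return {
        "pools": pools,
        "overlaps": check_overlaps(plan),
        "listen": check_listen(plan, listen),
        "source_groups": check_source_groups(plan, groups),
    }


if __name__ == "__main__":
    for check, problems in audit().items():
        print(f"{check}: {'ok' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Paste the plan from `show interfaces` and `show service dhcp-server` output into PLAN when reusing this on another router; the checks are generic, and the listen-address test is the one that catches a proxy that was enabled but never intercepts a VLAN.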


L2TP/VPN

I used the how-to below for guidance on setting up L2TP.

https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-L2TP-Server


Dynamic DNS

For Dynamic DNS I use Duck DNS, and I used the hint below to set it up.
http://community.ubnt.com/t5/EdgeMAX/Setting-up-DUCKDNS-on-Edgemax/td-p/1406473
