What:
A multi-VLAN network using a Ubiquiti router and Open-Mesh WiFi access points. This network has the following features:
- Dynamic DNS
- Individual DHCP pools for each VLAN
- L2TP VPN
- NAT / Masquerading
- Transparent Web Proxy with individual rule sets for VLAN6 and VLAN9
Why:
I was approached by a non-profit organization who was in need of a campus-wide WiFi network.
Components:
Because of price and features, the below components were used:
Firmware:
IMPORTANT: Upgrade the firmware to the latest EdgeOS.
As of this writing, the latest is 1.7.0.
Interfaces:
I have the router interfaces set up like below:
- Ports:
  - eth0: 192.168.1.1/24
    - DHCP: 192.168.1.201-192.168.1.254
  - eth1: no IP
  - VLANs:
    - 1 - 192.168.2.1/24 - Cloudtrax
      - DHCP: 192.168.2.201-254
    - 3 - 172.16.0.1/23 - OfficeStaff
      - DHCP: 172.16.1.1-172.16.1.254
    - 6 - 10.0.0.1/21 - Guests
      - DHCP: 10.0.2.1-10.0.7.254
    - 9 - 172.16.8.1/23 - ChildrensArea
      - DHCP: 172.16.9.1-172.16.9.254
    - 12 - 172.16.10.1/23 - TechStaff
      - DHCP: 172.16.11.1-172.16.11.254
  - eth2: DHCP (WAN)
NAT/Masquerading:
I ran the below commands to set up masquerading:
set 'service' 'nat' 'rule' '5010' 'outbound-interface' 'eth2'
set 'service' 'nat' 'rule' '5010' 'type' 'masquerade'
I gathered some tips and ideas from the below links:
https://help.ubnt.com/hc/en-us/articles/205197660-EdgeMAX-SOHO-Example
https://community.ubnt.com/t5/EdgeMAX/Basic-SOHO-Home-Config/m-p/453453
https://community.ubnt.com/t5/EdgeMAX/Basic-SOHO-Home-Config/td-p/398055
Web Filter
The GUI has no controls for the web proxy filter, but the feature is present. I used the tutorial below to get started.
https://community.ubnt.com/t5/EdgeMAX/Edgerouter-Lite-v1-7-0-modify-proxy-configuration-to-use/m-p/1341469
Here is an example of setting up the web proxy for the "Guest" VLAN.
Enable the transparent proxy for the Guest DHCP pool:
set service dhcp-server shared-network-name GuestDHCP subnet 10.0.0.0/21 wpad-url 10.0.0.1
Set the default proxy settings:
set service webproxy cache-size 0
set service webproxy default-port 3128
set service webproxy enable-access-log
set service webproxy listen-address 172.16.6.1
set service webproxy listen-address 172.16.8.1
set service webproxy mem-cache-size 32
set service webproxy url-filtering squidguard auto-update update-hour 0
set service webproxy url-filtering squidguard block-category adv
set service webproxy url-filtering squidguard default-action allow
set service webproxy url-filtering squidguard source-group GuestProxy address 10.0.2.1-10.0.7.254 # set source group
set service webproxy url-filtering squidguard redirect-url http://google.com # blocked sites will redirect traffic to google
Filter rules:
set service webproxy url-filtering squidguard rule 20 block-category adv
set service webproxy url-filtering squidguard rule 20 block-category aggressive
...
set service webproxy url-filtering squidguard rule 20 block-category movies
set service webproxy url-filtering squidguard rule 20 block-category porn
set service webproxy url-filtering squidguard rule 20 block-category redirector
set service webproxy url-filtering squidguard rule 20 block-category ringtones
set service webproxy url-filtering squidguard rule 20 block-category spyware
set service webproxy url-filtering squidguard rule 20 block-category violence
set service webproxy url-filtering squidguard rule 20 block-category warez
set service webproxy url-filtering squidguard rule 20 local-block-url youtube.com
set service webproxy url-filtering squidguard rule 20 local-block-url m.youtube.com
set service webproxy url-filtering squidguard rule 20 local-block-url www.youtube.com
set service webproxy url-filtering squidguard rule 20 local-block-url googlevideo.com
set service webproxy url-filtering squidguard rule 20 local-block doubleclick.net
set service webproxy url-filtering squidguard rule 20 default-action allow
set service webproxy url-filtering squidguard rule 20 source-group GuestProxy # assign the ruleset to the source-group
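Before committing an address plan like the one above, it is worth checking it mechanically. The Python script below is an added example and not part of the original write-up: it transcribes the interface table and the web-proxy addresses from this page (the eth0 pool end is assumed to be 192.168.1.254) and reports any DHCP pool that falls outside its VLAN subnet, overlapping subnets, a router address inside a pool, a squidguard source-group range that is not contained in one VLAN, and any proxy listen-address that is not one of the router's interface addresses.

```python
import ipaddress

# Address plan transcribed from the interface table above: router address, DHCP pool.
# The eth0 pool end (192.168.1.254) is an assumption for this example.
VLANS = {
    "eth0":   ("192.168.1.1/24", ("192.168.1.201", "192.168.1.254")),
    "vlan1":  ("192.168.2.1/24", ("192.168.2.201", "192.168.2.254")),
    "vlan3":  ("172.16.0.1/23",  ("172.16.1.1",    "172.16.1.254")),
    "vlan6":  ("10.0.0.1/21",    ("10.0.2.1",      "10.0.7.254")),
    "vlan9":  ("172.16.8.1/23",  ("172.16.9.1",    "172.16.9.254")),
    "vlan12": ("172.16.10.1/23", ("172.16.11.1",   "172.16.11.254")),
}
# Values from the webproxy commands in the Web Filter section.
PROXY_LISTEN = ["172.16.6.1", "172.16.8.1"]
SOURCE_GROUPS = {"GuestProxy": ("10.0.2.1", "10.0.7.254")}


def check_plan(vlans=VLANS, listen=PROXY_LISTEN, groups=SOURCE_GROUPS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, nets = [], {}
    for name, (addr, (lo, hi)) in vlans.items():
        iface = ipaddress.ip_interface(addr)
        nets[name] = iface.network
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a > hi_a:
            findings.append(f"{name}: pool start {lo} is after pool end {hi}")
        if lo_a not in iface.network or hi_a not in iface.network:
            findings.append(f"{name}: DHCP pool {lo}-{hi} not inside {iface.network}")
        if lo_a <= iface.ip <= hi_a:
            findings.append(f"{name}: router address {iface.ip} lies inside the pool")
    names = list(nets)
    for i, a in enumerate(names):  # every VLAN subnet must be disjoint from the others
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    iface_ips = {ipaddress.ip_interface(a).ip for a, _ in vlans.values()}
    for ip in listen:  # the proxy can only bind addresses the router actually has
        if ipaddress.ip_address(ip) not in iface_ips:
            findings.append(f"webproxy listen-address {ip} is not a router interface address")
    for g, (lo, hi) in groups.items():  # a per-VLAN rule set should match one VLAN only
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if not any(lo_a in n and hi_a in n for n in nets.values()):
            findings.append(f"source-group {g} range {lo}-{hi} is not inside one VLAN")
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["address plan is consistent"]:
        print(line)
```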
L2TP/VPN
I used the how-to below for guidance on setting up L2TP:
https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-L2TP-Server
Dynamic DNS
For Dynamic DNS I use Duck DNS, and I used the hint below to set it up:
http://community.ubnt.com/t5/EdgeMAX/Setting-up-DUCKDNS-on-Edgemax/td-p/1406473