EdgeMAX EdgeRouter: configuring a guest network

This article describes how to configure a guest network on an EdgeRouter so that guest clients cannot reach the other LANs but can still reach the Internet and the router's own DNS and DHCP services.


The guest network can additionally be allowed to reach individual LAN devices selected by IP address (step 5).


Tools

EdgeRouter


Steps

1. Create a network group containing all local network ranges, so that a single firewall rule can block every local network at once. If a particular subnet should remain reachable from the guest network, adjust these networks to your environment. The three RFC 1918 ranges below also cover the guest subnet itself; that is harmless, because traffic between two hosts on the same guest VLAN is switched and never passes through the router's in ruleset.


configure

set firewall group network-group LAN_NETWORKS

set firewall group network-group LAN_NETWORKS description "LAN Networks"

set firewall group network-group LAN_NETWORKS network 192.168.0.0/16

set firewall group network-group LAN_NETWORKS network 172.16.0.0/12

set firewall group network-group LAN_NETWORKS network 10.0.0.0/8

commit

2. Create the PROTECT_IN ruleset in Firewall


2.1 Create the PROTECT_IN ruleset with a default action of accept. This ruleset filters traffic that enters the guest interface and is forwarded by the router, so anything not explicitly dropped, such as traffic to the Internet, is allowed.


set firewall name PROTECT_IN

set firewall name PROTECT_IN default-action accept

2.2 Create the accept rule for established/related traffic (replies belonging to connections that were already accepted)


set firewall name PROTECT_IN rule 10 action accept

set firewall name PROTECT_IN rule 10 description "Accept Established/Related"

set firewall name PROTECT_IN rule 10 protocol all

set firewall name PROTECT_IN rule 10 state established enable

set firewall name PROTECT_IN rule 10 state related enable

2.3 Create the drop rule: any new connection from the guest interface to an address in LAN_NETWORKS is dropped


set firewall name PROTECT_IN rule 20 action drop

set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"

set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS

set firewall name PROTECT_IN rule 20 protocol all

commit

3. Create the PROTECT_LOCAL ruleset in Firewall


3.1 Create the PROTECT_LOCAL ruleset with a default action of drop. This ruleset filters traffic addressed to the router itself, so with default drop the guest network cannot reach the router's web UI, SSH or ping; only what the following rules allow gets through.


set firewall name PROTECT_LOCAL

set firewall name PROTECT_LOCAL default-action drop

3.2 Create the accept DNS rule. Only UDP port 53 is allowed here; if guest clients need DNS over TCP (used for large answers), add a matching rule with protocol tcp.


set firewall name PROTECT_LOCAL rule 10 action accept

set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"

set firewall name PROTECT_LOCAL rule 10 destination port 53

set firewall name PROTECT_LOCAL rule 10 protocol udp

3.3 Create the accept DHCP rule (UDP port 67, the server port the router's DHCP service listens on)


set firewall name PROTECT_LOCAL rule 20 action accept

set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"

set firewall name PROTECT_LOCAL rule 20 destination port 67

set firewall name PROTECT_LOCAL rule 20 protocol udp

commit

4. Apply the rulesets to the guest interface (in this article, VLAN sub-interface vif 10 on eth1): PROTECT_IN in the in direction for forwarded traffic, PROTECT_LOCAL in the local direction for traffic addressed to the router


set interfaces ethernet eth1 vif 10 firewall in name PROTECT_IN

set interfaces ethernet eth1 vif 10 firewall local name PROTECT_LOCAL

commit

save

exit

5. Add a rule that allows guest clients to reach one specific LAN device (here a printer at 192.168.1.150). EdgeOS evaluates rules in ascending numeric order and the first match wins, so the rule number must be lower than the PROTECT_IN drop rule (20) for it to take effect; 19 is used here. Re-enter configuration mode first, since step 4 ended with exit.


configure

set firewall name PROTECT_IN rule 19 action accept

set firewall name PROTECT_IN rule 19 description "Accept Printer"

set firewall name PROTECT_IN rule 19 destination address 192.168.1.150

commit

save

exit
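To check what these rulesets actually decide before committing them on a router, here is an added worked example (not code from the article or from EdgeOS): a small Python model that parses the set firewall lines above and applies EdgeOS first-match semantics, lowest rule number first and the ruleset's default-action when nothing matches. The router's address on the guest VLAN (192.168.10.1), the sample host addresses and the names Packet, Rule, parse, evaluate and decide are assumptions introduced for this example; the model covers only the match criteria used in this article (protocol, destination port/address/group, conntrack state).

```python
# Added illustration, not EdgeOS code: parses the subset of `set firewall` syntax used
# in this article and applies EdgeOS first-match semantics to sample packets.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The article's rulesets. Description lines and the redundant "protocol all" lines are
# omitted (they add no match criteria), so whitespace splitting tokenizes each command.
CONFIG = """
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
set firewall name PROTECT_IN rule 19 action accept
set firewall name PROTECT_IN rule 19 destination address 192.168.1.150
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
"""

@dataclass
class Packet:
    dst: str            # destination IPv4 address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "new"  # conntrack state: "new", "established" or "related"

@dataclass
class Rule:
    action: str = "accept"
    protocol: str = "all"  # EdgeOS matches all protocols when none is set
    dport: Optional[int] = None
    dst_addr: Optional[ipaddress.IPv4Network] = None
    dst_group: Optional[str] = None
    states: set = field(default_factory=set)  # empty = any conntrack state

def parse(config: str):
    """Return (network groups, rulesets) from `set firewall ...` lines."""
    groups, rulesets = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[2] == "group" and len(t) > 6 and t[5] == "network":
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6]))
        elif t[2] == "name":
            rs = rulesets.setdefault(t[3], {"default": "drop", "rules": {}})  # EdgeOS default
            if t[4] == "default-action":
                rs["default"] = t[5]
                continue
            r, k = rs["rules"].setdefault(int(t[5]), Rule()), t[6:]
            if k[0] in ("action", "protocol"):
                setattr(r, k[0], k[1])
            elif k[0] == "state" and k[2] == "enable":
                r.states.add(k[1])
            elif k[:2] == ["destination", "port"]:
                r.dport = int(k[2])
            elif k[:2] == ["destination", "address"]:
                r.dst_addr = ipaddress.ip_network(k[2])
            elif k[:3] == ["destination", "group", "network-group"]:
                r.dst_group = k[3]
    return groups, rulesets

def matches(r: Rule, pkt: Packet, groups) -> bool:
    dst = ipaddress.ip_address(pkt.dst)
    return ((r.protocol == "all" or r.protocol == pkt.proto)
            and (r.dport is None or r.dport == pkt.dport)
            and (r.dst_addr is None or dst in r.dst_addr)
            and (r.dst_group is None or any(dst in n for n in groups[r.dst_group]))
            and (not r.states or pkt.state in r.states))

def evaluate(name: str, pkt: Packet, rulesets, groups) -> str:
    """Lowest-numbered matching rule decides; with no match, the ruleset's default-action."""
    rs = rulesets[name]
    for num in sorted(rs["rules"]):
        if matches(rs["rules"][num], pkt, groups):
            return rs["rules"][num].action
    return rs["default"]

def decide(direction: str, pkt: Packet) -> str:
    """'in': traffic entering eth1.10 to be forwarded; 'local': traffic addressed to the router."""
    groups, rulesets = parse(CONFIG)
    return evaluate({"in": "PROTECT_IN", "local": "PROTECT_LOCAL"}[direction], pkt, rulesets, groups)

if __name__ == "__main__":
    # 192.168.10.1 is an assumed router address on the guest VLAN, not taken from the article.
    for direction, pkt in [("in", Packet("1.1.1.1", "tcp", 443)),         # Internet: accept
                           ("in", Packet("192.168.1.20", "tcp", 445)),    # LAN host: drop (rule 20)
                           ("in", Packet("192.168.1.150", "tcp", 9100)),  # printer: accept (rule 19)
                           ("local", Packet("192.168.10.1", "udp", 53)),  # router DNS: accept
                           ("local", Packet("192.168.10.1", "tcp", 22))]: # router SSH: drop
        print(f"{direction:5} {pkt.proto}/{pkt.dport} -> {pkt.dst}: {decide(direction, pkt)}")
```

Run the file directly to print the decision for each sample packet. Renumbering the printer rule from 19 to 21 makes the same packet fall through to rule 20 and be dropped, which is exactly the ordering constraint step 5 depends on; a DNS query over TCP to the router is likewise dropped by PROTECT_LOCAL because rule 10 only matches udp.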

