This article describes how to configure a guest network on an EdgeRouter so that guests are blocked from reaching the other local networks but can still reach the Internet and the router's DNS and DHCP services.
It also shows how to allow the guest network to reach specific devices in the LAN by IP address.
Tools
EdgeRouter
Steps
1. Create a network group containing all local network addresses, so that a single firewall rule can block every local network in the group. If there is a specific subnet that you want your guest network to be allowed to reach, adjust these networks to your environment.
configure
set firewall group network-group LAN_NETWORKS
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
commit
2. Create the PROTECT_IN ruleset in the Firewall configuration
2.1 Create the PROTECT_IN ruleset with the default action set to accept
set firewall name PROTECT_IN
set firewall name PROTECT_IN default-action accept
2.2 Create the Accept Rule
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
2.3 Create the Drop Rule
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all
commit
3. Create the PROTECT_LOCAL ruleset in the Firewall configuration
3.1 Create the PROTECT_LOCAL ruleset with the default action set to drop
set firewall name PROTECT_LOCAL
set firewall name PROTECT_LOCAL default-action drop
3.2 Create the Accept DNS Rule
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
3.3 Create the Accept DHCP Rule
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
commit
4. Apply the rulesets to the appropriate interface (in this article, to VLAN interface vif 10 on eth1)
set interfaces ethernet eth1 vif 10 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 10 firewall local name PROTECT_LOCAL
commit
save
exit
5. Add a rule that allows access to a specific device in the LAN by IP address (the rule must be numbered before the PROTECT_IN Drop Rule so that it is evaluated first)
configure
set firewall name PROTECT_IN rule 19 action accept
set firewall name PROTECT_IN rule 19 description "Accept Printer"
set firewall name PROTECT_IN rule 19 destination address 192.168.1.150
commit
save
exit
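As an added example (not part of the original article, and not EdgeOS code), the following Python model replays the two rulesets above with EdgeOS semantics (ascending rule number, first match wins, otherwise the default-action) against sample guest traffic. It shows that LAN destinations are dropped while Internet, the printer exception and established replies are accepted, that the printer rule only works because 19 sorts before 20, and that PROTECT_LOCAL rule 10 permits DNS over UDP only, so DNS over TCP to the router is dropped. The router address 192.168.10.1 and the destination hosts are constructed values.

```python
from ipaddress import ip_address, ip_network

def rule(number, action, **match):  # constructed model of one "set ... rule N ..." block
    return {"number": number, "action": action, **match}

LAN_NETWORKS = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def protect_in(printer_rule=19):  # default-action accept; printer_rule is varied to show ordering
    return "accept", [
        rule(10, "accept", states={"established", "related"}),
        rule(printer_rule, "accept", dst_address="192.168.1.150"),  # step 5 exception
        rule(20, "drop", dst_group=LAN_NETWORKS),
    ]

PROTECT_LOCAL = ("drop", [  # traffic addressed to the router itself
    rule(10, "accept", protocol="udp", dst_port=53),
    rule(20, "accept", protocol="udp", dst_port=67),
])

def matches(r, pkt):
    dst = ip_address(pkt["dst"])
    return (r.get("protocol", "all") in ("all", pkt["proto"])
            and ("states" not in r or pkt["state"] in r["states"])
            and ("dst_group" not in r or any(dst in n for n in r["dst_group"]))
            and ("dst_address" not in r or dst == ip_address(r["dst_address"]))
            and ("dst_port" not in r or pkt["dport"] == r["dst_port"]))

def evaluate(ruleset, pkt):
    """EdgeOS semantics: ascending rule number, first match wins, else default-action."""
    default, rules = ruleset
    for r in sorted(rules, key=lambda x: x["number"]):
        if matches(r, pkt):
            return r["action"]
    return default

def pkt(proto, dst, dport, state="new"):
    return {"proto": proto, "dst": dst, "dport": dport, "state": state}

def guest_verdicts(printer_rule=19):
    """Verdicts for a guest on eth1 vif 10; 192.168.10.1 is an assumed router address."""
    fw_in = protect_in(printer_rule)
    return {
        "internet_https": evaluate(fw_in, pkt("tcp", "203.0.113.10", 443)),
        "lan_smb": evaluate(fw_in, pkt("tcp", "192.168.1.10", 445)),
        "lan_reply": evaluate(fw_in, pkt("tcp", "192.168.1.10", 445, "established")),
        "printer": evaluate(fw_in, pkt("tcp", "192.168.1.150", 9100)),
        "router_dns_udp": evaluate(PROTECT_LOCAL, pkt("udp", "192.168.10.1", 53)),
        "router_dns_tcp": evaluate(PROTECT_LOCAL, pkt("tcp", "192.168.10.1", 53)),  # rule 10 is udp only
        "router_ssh": evaluate(PROTECT_LOCAL, pkt("tcp", "192.168.10.1", 22)),
    }
```

Calling guest_verdicts(printer_rule=21) returns "drop" for the printer, which is why step 5 numbers the exception below the Drop Rule.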