Introduction


This article describes how to configure a guest network on an EdgeRouter that is blocked from reaching the other local networks but can still reach the Internet and the router's DNS and DHCP services.

It also shows how to grant the guest network access to specific devices in the LAN by IP address.


Tools


EdgeRouter


Steps


1. Create a network group containing all local network ranges, so that a single firewall rule can block every local network in the group. The three RFC 1918 ranges below cover all private address space; if there is a particular subnet the guest network should be allowed to reach, adjust the group's networks to match your environment.

configure
set firewall group network-group LAN_NETWORKS
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
commit

2. Create the PROTECT_IN ruleset in Firewall

2.1 Create the PROTECT_IN ruleset with a default action of accept

set firewall name PROTECT_IN
set firewall name PROTECT_IN default-action accept

2.2 Create the Accept rule for established and related traffic

set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable

2.3 Create the Drop rule for all LAN networks

set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all
commit

3. Create the PROTECT_LOCAL ruleset in Firewall

3.1 Create the PROTECT_LOCAL ruleset with a default action of drop

set firewall name PROTECT_LOCAL
set firewall name PROTECT_LOCAL default-action drop

3.2 Create the Accept DNS rule. Note that this rule matches UDP only; a client that receives a truncated answer retries over TCP port 53, which the default drop action will block. If that matters in your environment, use protocol tcp_udp instead of protocol udp.

set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp

3.3 Create the Accept DHCP rule

set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
commit

4. Apply the rulesets to the guest interface (in this article, VLAN sub-interface vif 10 on eth1). The in direction applies to traffic entering vif 10 that is forwarded through the router, and the local direction applies to traffic entering vif 10 that is addressed to the router itself. This is why DNS and DHCP to the router must be allowed in PROTECT_LOCAL, and why the LAN_NETWORKS drop in PROTECT_IN does not interfere with them.

set interfaces ethernet eth1 vif 10 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 10 firewall local name PROTECT_LOCAL
commit
save
exit

5. Add a rule that allows access to a specific LAN device by IP address. Its rule number must be lower than the PROTECT_IN Drop rule (rule 20) so that it is evaluated first; rules are matched in ascending number order and the first match wins. Since step 4 left configuration mode, enter it again before adding the rule.

configure
set firewall name PROTECT_IN rule 19 action accept
set firewall name PROTECT_IN rule 19 description "Accept Printer"
set firewall name PROTECT_IN rule 19 destination address 192.168.1.150
commit
save
exit
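The following is an added example and not part of the original article or of EdgeOS: a small offline simulator that applies the same first-match semantics EdgeOS uses (rules in ascending number order, first match wins, otherwise the ruleset's default-action) to the rulesets built in steps 1 to 5, so the intended policy can be checked before it is committed. The configuration text is constructed from the article's own set commands (descriptions omitted); the guest gateway address 192.168.10.1 and the sample destinations are assumptions. It also makes two things visible that the steps do not spell out: the PROTECT_LOCAL DNS rule accepts UDP only, so port 53 over TCP falls through to the default drop, and renumbering the printer rule to 21 places it after the drop rule, where it never matches.

```python
# Offline first-match simulator for the PROTECT_IN / PROTECT_LOCAL rulesets above.
# EdgeOS evaluates rules in ascending number order, first match wins, then the
# default-action. 192.168.10.1 is an ASSUMED guest VLAN gateway (not in the article).
import ipaddress

# Constructed input: the article's 'set firewall' lines (description lines omitted;
# the parser tolerates them but they play no role in matching).
CONFIG = """
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
set firewall name PROTECT_IN rule 19 action accept
set firewall name PROTECT_IN rule 19 destination address 192.168.1.150
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
"""

def parse(config):
    """Build network groups and rulesets (chains) from 'set firewall ...' lines."""
    groups, chains = {}, {}
    for line in config.split("\n"):
        t = line.split()
        if len(t) < 6 or t[:2] != ["set", "firewall"]:
            continue
        if t[2] == "group" and t[5] == "network":
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6]))
        elif t[2] == "name":
            chain = chains.setdefault(t[3], {"default": "accept", "rules": {}})
            if t[4] == "default-action":
                chain["default"] = t[5]
            elif t[4] == "rule" and len(t) > 7:
                rule = chain["rules"].setdefault(int(t[5]), {"states": set()})
                if t[6] == "state":
                    rule["states"].add(t[7])          # 'state established enable'
                elif t[6] == "destination":
                    rule["dst_" + t[7]] = t[-1]       # address, port or group name
                else:
                    rule[t[6]] = t[7]                 # action, protocol, ...
    return groups, chains

def matches(rule, pkt, groups):
    """Does one rule match a (proto, dst_ip, dst_port, conntrack_state) packet?"""
    proto, dst, dport, state = pkt
    dst = ipaddress.ip_address(dst)
    want = rule.get("protocol", "all")             # no protocol set means all
    if want != "all" and proto not in ({"tcp", "udp"} if want == "tcp_udp" else {want}):
        return False
    if rule["states"] and state not in rule["states"]:   # no state set means any state
        return False
    if "dst_address" in rule and dst not in ipaddress.ip_network(rule["dst_address"]):
        return False
    if "dst_group" in rule and not any(dst in n for n in groups[rule["dst_group"]]):
        return False
    return "dst_port" not in rule or int(rule["dst_port"]) == dport

def evaluate(chain, pkt, groups):
    """First matching rule wins (ascending rule number), else the default-action."""
    for number in sorted(chain["rules"]):
        if matches(chain["rules"][number], pkt, groups):
            return chain["rules"][number]["action"], number
    return chain["default"], "default"

def check_policy(config=CONFIG):
    """Evaluate representative guest traffic; returns {case: (action, rule)}."""
    groups, chains = parse(config)
    fwd, local = chains["PROTECT_IN"], chains["PROTECT_LOCAL"]
    cases = {                          # (chain, (proto, dst, dport, conntrack state))
        "internet_https": (fwd, ("tcp", "1.1.1.1", 443, "new")),
        "lan_smb": (fwd, ("tcp", "192.168.1.10", 445, "new")),
        "printer_raw": (fwd, ("tcp", "192.168.1.150", 9100, "new")),
        "lan_initiated_reply": (fwd, ("tcp", "172.16.5.5", 80, "established")),
        "router_dns_udp": (local, ("udp", "192.168.10.1", 53, "new")),
        "router_dns_tcp": (local, ("tcp", "192.168.10.1", 53, "new")),
        "router_dhcp": (local, ("udp", "255.255.255.255", 67, "new")),
        "router_ssh": (local, ("tcp", "192.168.10.1", 22, "new")),
    }
    return {name: evaluate(chain, pkt, groups) for name, (chain, pkt) in cases.items()}

if __name__ == "__main__":
    for name, (action, rule) in check_policy().items():
        print(f"{name:20} -> {action} (rule {rule})")
    # Numbering the printer rule after the drop rule shadows it completely.
    print("printer as rule 21  ->", check_policy(CONFIG.replace("rule 19", "rule 21"))["printer_raw"])
```

Run it directly to print the verdict for each case, or add your own subnets and ports to cases. On the router itself, the operational-mode command show firewall name PROTECT_IN statistics lists per-rule packet counters, which confirms against live traffic what the simulator predicts (the printer rule 19 should accumulate hits while rule 20 catches the rest of the LAN-bound traffic).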