    Ubiquiti Edgerouter Leaves Open Ports

IT Discussion
    19 Posts 4 Posters 7.4k Views
• JaredBusch @alexntg (last edited by JaredBusch)

@alexntg
The WAN_LOCAL handles traffic from the internet to the router itself.

name WAN_LOCAL {
    default-action drop
    description "WAN to Router"
    rule 1 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        log enable
        state {
            invalid enable
        }
    }
    rule 5 {
        action accept
        description "ICMP 50/m"
        limit {
            burst 1
            rate 50/minute
        }
        log enable
        protocol icmp
    }
    rule 6 {
        action accept
        description "Accept VPN"
        ipsec {
            match-ipsec
        }
        log disable
        protocol all
        source {
            address 10.202.253.0/24
        }
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
    rule 7 {
        action accept
        description "Allow OpenVPN"
        destination {
            address 12.XXX.239.42/32
            port 1193-1194
        }
        log disable
        protocol udp
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
}
• JaredBusch (last edited by JaredBusch)

@alexntg
And it is applied on the interface like so:

ethernet eth2 {
    address 12.XXX.239.42/29
    address 12.XXX.239.43/29
    address 12.XXX.239.44/29
    description WAN
    duplex auto
    firewall {
        in {
            name WAN_IN
        }
        local {
            name WAN_LOCAL
        }
    }
    speed auto
    traffic-policy {
        out VoIP
    }
}
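The two posts above define the WAN_LOCAL ruleset and bind it to eth2 with `firewall { local { name WAN_LOCAL } }`. As an added example (not from the thread and not EdgeOS code), the Python below models how that ruleset decides the fate of a packet addressed to the router from the WAN: rules are tried in order, the first match wins, and anything unmatched, such as SSH or the web UI reached from the internet, falls to `default-action drop`. The masked address 12.XXX.239.42 is replaced by the constructed stand-in 12.0.239.42, the ICMP limit is approximated with a token bucket, and WAN_IN (not shown in the thread) is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    """One packet arriving on eth2 and addressed to the router itself (the 'local' hook)."""
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    state: str = "new"     # conntrack state: new / established / related / invalid
    ipsec: bool = False    # True when decapsulated from an IPsec SA (what match-ipsec tests)

class Limiter:
    """Token bucket standing in for `limit { burst 1  rate 50/minute }`."""
    def __init__(self, rate_per_minute, burst):
        self.rate, self.burst = rate_per_minute / 60.0, burst
        self.tokens, self.last = float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

# Constructed stand-ins for the post's masked addresses (12.XXX.239.42/32 becomes 12.0.239.42/32).
OPENVPN_DST = ip_network("12.0.239.42/32")
IPSEC_SRC = ip_network("10.202.253.0/24")

class WanLocal:
    """Rules are tried in order and the first match wins; no match means `default-action drop`."""
    def __init__(self):
        self.icmp_limit = Limiter(50, 1)

    def evaluate(self, pkt, now=0.0):
        if pkt.state in ("established", "related"):              # rule 1: replies to router-initiated flows
            return "accept", 1
        if pkt.state == "invalid":                                # rule 2: dropped and logged
            return "drop", 2
        if pkt.proto == "icmp" and self.icmp_limit.allow(now):    # rule 5: ping, but only 50/minute
            return "accept", 5
        if pkt.ipsec and ip_address(pkt.src) in IPSEC_SRC:        # rule 6: traffic inside the IPsec tunnel
            return "accept", 6
        if (pkt.proto == "udp" and ip_address(pkt.dst) in OPENVPN_DST
                and 1193 <= pkt.dport <= 1194):                   # rule 7: OpenVPN on the .42 address only
            return "accept", 7
        return "drop", "default-action"                           # e.g. SSH or the web UI reached from the WAN
```

Because eth2 carries three addresses, the `/32` destination in rule 7 matters: the same UDP 1194 packet is accepted on .42 and dropped on .43 or .44.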
• alexntg

I'll give it a go this weekend when I have hands-on with the device, just in case something should go wrong.
• StrongBad

Definitely looking to see a follow up on this one.
• alexntg @StrongBad

@StrongBad said:

Definitely looking to see a follow up on this one.

It's not the weekend yet.
• JaredBusch @alexntg

@alexntg said:

@StrongBad said:

Definitely looking to see a follow up on this one.

It's not the weekend yet.

Did you ever apply the correct firewall rules to the unit?
• alexntg

It got backburnered, but I just worked on it this morning. It worked like a charm!
• JaredBusch @alexntg

@alexntg said:

It got backburnered, but I just worked on it this morning. It worked like a charm!

Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion.
• scottalanmiller

We are about to put one in at home.
• alexntg

For home use, check out the Sophos UTM Home Edition. It's a full-featured UTM for home.
• alexntg @JaredBusch

@JaredBusch said:

@alexntg said:

It got backburnered, but I just worked on it this morning. It worked like a charm!

Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion.

I picked it up for a small 15-person company that has minimal requirements other than PCI (they process card payments online). While they're tiny, there was a gap between the home-edition devices and business-class devices in regard to filtering outbound traffic. Ubiquiti seems to fill that niche.
• scottalanmiller @alexntg

@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.
• alexntg @scottalanmiller

@scottalanmiller said:

@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

The pricing for the home edition is publicly posted:
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.
• alexntg @scottalanmiller (last edited by alexntg)

@scottalanmiller said:

@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

There's no comparison in feature set. Aside from niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features.
• JaredBusch @alexntg

@alexntg said:

There's no comparison in feature set. Aside from niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features.

The EdgeMax Router line is not a Network Security Appliance. It is a router. Do not mix up the device's purpose.
• scottalanmiller @alexntg

@alexntg said:

@scottalanmiller said:

@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

The pricing for the home edition is publicly posted:
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.

It's free for software, but not the appliance. VyOS is free too.