EdgeRouter using BGP and setting up a guest network



  • Hello,

    I just replaced a Cisco 1941 that was running BGP and advertising a whole class C block to two ISPs with an EdgeRouter Infinity. There is an ASA firewall behind the 1941/EdgeRouter that is doing the NAT translations for this class C block. The EdgeRouter WAN interface has only 1 address assigned to it.

    In the 1941 there was a guest wireless network set up on it. I am trying to configure the EdgeRouter to also have this guest wireless network. I set up an interface with a 192.168.22.1/24 address, configured DHCP for that network, and created a Source NAT rule for the 192.168.22.0/24 network to translate it to an unused address in the block. Am I going to have to add that unused address in the Source NAT rule to the WAN interface also? Do I need to set up any routing or firewall rules?

    Thanks



  • If you don't care what IP your guest network shows to the public, you should be able to do this.

    You should simply need to create a source NAT rule for the traffic.

    At various locations, I have fiber services delivered without an ISP router from the carriers. Part of that service is also a /29 block of IP addresses.

    What I do in those instances is put the /30 public IP that would normally be on the ISP router on my router, then I create source and destination rules to handle the traffic.

    ISP Assigned Router IP: 123.123.123.190/30
    Routed IP block: 123.122.122.138/29

    eth0 = WAN 123.123.123.190/30
    eth3 = LAN 10.200.0.1/23
    eth3.10 = Public Wifi 10.200.10.1/24

    set interfaces ethernet eth0 address 123.123.123.190/30
    set interfaces ethernet eth0 description 'AT&T Fiber'
    set interfaces ethernet eth0 duplex full
    set interfaces ethernet eth0 firewall in name WAN_IN
    set interfaces ethernet eth0 firewall local name WAN_LOCAL
    set interfaces ethernet eth0 speed 100
    set interfaces ethernet eth3 address 10.200.0.1/23
    set interfaces ethernet eth3 description 'LAN'
    set interfaces ethernet eth3 duplex auto
    set interfaces ethernet eth3 firewall in name LAN_IN
    set interfaces ethernet eth3 firewall local name LAN_LOCAL
    set interfaces ethernet eth3 speed auto
    set interfaces ethernet eth3 vif 10 address 10.200.10.1/24
    set interfaces ethernet eth3 vif 10 description 'Guest Wireless'
    set interfaces ethernet eth3 vif 10 firewall in name Public_WiFi_IN
    set interfaces ethernet eth3 vif 10 firewall local name Public_WiFi_LOCAL
    

    Note that I do not assign the routed block to any interface.

    Some firewall rules to prevent talking and such.

    set firewall group address-group 10_0_0_0_8 address 10.0.0.0/8
    set firewall group address-group 10_0_0_0_8 description 'Entire 10.0.0.0/8'
    set firewall group network-group Public_WiFI_LAN description 'Public WiFi LAN'
    set firewall group network-group Public_WiFI_LAN network 10.200.10.0/24
    set firewall name Public_WiFi_IN default-action accept
    set firewall name Public_WiFi_IN description 'Public WiFi in to other interfaces'
    set firewall name Public_WiFi_IN rule 10 action accept
    set firewall name Public_WiFi_IN rule 10 description 'Allow response to existing connections'
    set firewall name Public_WiFi_IN rule 10 log disable
    set firewall name Public_WiFi_IN rule 10 protocol all
    set firewall name Public_WiFi_IN rule 10 state established enable
    set firewall name Public_WiFi_IN rule 10 state invalid disable
    set firewall name Public_WiFi_IN rule 10 state new disable
    set firewall name Public_WiFi_IN rule 10 state related enable
    set firewall name Public_WiFi_IN rule 20 action accept
    set firewall name Public_WiFi_IN rule 20 description 'Allow access to gateway'
    set firewall name Public_WiFi_IN rule 20 destination group address-group ADDRv4_eth3.10
    set firewall name Public_WiFi_IN rule 20 log disable
    set firewall name Public_WiFi_IN rule 20 protocol all
    set firewall name Public_WiFi_IN rule 30 action drop
    set firewall name Public_WiFi_IN rule 30 description 'Block all other access to private networks'
    set firewall name Public_WiFi_IN rule 30 destination group address-group 10_0_0_0_8
    set firewall name Public_WiFi_IN rule 30 log disable
    set firewall name Public_WiFi_IN rule 30 protocol all
    set firewall name Public_WiFi_IN rule 40 action drop
    set firewall name Public_WiFi_IN rule 40 description 'Block all SMTP'
    set firewall name Public_WiFi_IN rule 40 destination port 25
    set firewall name Public_WiFi_IN rule 40 log enable
    set firewall name Public_WiFi_IN rule 40 protocol tcp
    set firewall name Public_WiFi_LOCAL default-action drop
    set firewall name Public_WiFi_LOCAL description 'Public WiFi in to router'
    set firewall name Public_WiFi_LOCAL rule 10 action accept
    set firewall name Public_WiFi_LOCAL rule 10 description 'Allow DNS'
    set firewall name Public_WiFi_LOCAL rule 10 destination port 53
    set firewall name Public_WiFi_LOCAL rule 10 log enable
    set firewall name Public_WiFi_LOCAL rule 10 protocol udp
    set firewall name Public_WiFi_LOCAL rule 50 action accept
    set firewall name Public_WiFi_LOCAL rule 50 description 'Allow pings'
    set firewall name Public_WiFi_LOCAL rule 50 limit burst 1
    set firewall name Public_WiFi_LOCAL rule 50 limit rate 62/minute
    set firewall name Public_WiFi_LOCAL rule 50 log enable
    set firewall name Public_WiFi_LOCAL rule 50 protocol icmp
    

    Then I use NAT rules to specify how it routes out. I do not have a destination NAT rule here because there is no inbound traffic allowed. The NAT translation should handle the return traffic.

    In your case, you could just tell it to use the IP on the WAN interface instead of some other IP.

    set service nat rule 5995 description 'Outbound Public WiFi LAN Traffic'
    set service nat rule 5995 log disable
    set service nat rule 5995 outbound-interface eth0
    set service nat rule 5995 outside-address address 123.122.122.140
    set service nat rule 5995 protocol all
    set service nat rule 5995 source group network-group Public_WiFI_LAN
    set service nat rule 5995 type source
    
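An added example, not code from either post and not part of EdgeOS itself: a small Python dry-run of the Public_WiFi_IN ruleset posted above. It parses the `set firewall ...` lines, applies them the way EdgeOS does (lowest rule number first, first match wins, then default-action) and reports which rule decides each of several constructed flows from a guest client. The ADDRv4_eth3.10 group is EdgeOS's auto-generated group for an interface's own address; here it is seeded from the posted `vif 10 address 10.200.10.1/24` line, which is an assumption the code labels. The run makes the ordering point concrete: a new connection from the guest VLAN to a 10.x host is stopped by the 10.0.0.0/8 drop at rule 30 and TCP/25 is stopped at rule 40, but a destination outside 10.0.0.0/8, such as a 192.168.x.x host, falls through to `default-action accept`. Anyone adapting this to a network whose internal ranges are not all inside 10.0.0.0/8 (the original question uses 192.168.22.0/24 for the guest side, and the ASA-protected hosts sit on a public block) needs to extend the blocked group to cover every internal range.

```python
"""Dry-run an EdgeOS-style 'in' firewall ruleset against constructed guest flows.
Added example (not from the thread); models only the match keys the posted rules use.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the Public_WiFi_IN ruleset from the post. Description, log
# and 'state ... disable' statements are omitted; they do not affect matching.
CONFIG = """
set firewall group address-group 10_0_0_0_8 address 10.0.0.0/8
set firewall group network-group Public_WiFI_LAN network 10.200.10.0/24
set firewall name Public_WiFi_IN default-action accept
set firewall name Public_WiFi_IN rule 10 action accept
set firewall name Public_WiFi_IN rule 10 protocol all
set firewall name Public_WiFi_IN rule 10 state established enable
set firewall name Public_WiFi_IN rule 10 state related enable
set firewall name Public_WiFi_IN rule 20 action accept
set firewall name Public_WiFi_IN rule 20 destination group address-group ADDRv4_eth3.10
set firewall name Public_WiFi_IN rule 20 protocol all
set firewall name Public_WiFi_IN rule 30 action drop
set firewall name Public_WiFi_IN rule 30 destination group address-group 10_0_0_0_8
set firewall name Public_WiFi_IN rule 30 protocol all
set firewall name Public_WiFi_IN rule 40 action drop
set firewall name Public_WiFi_IN rule 40 destination port 25
set firewall name Public_WiFi_IN rule 40 protocol tcp
"""

# ASSUMPTION: ADDRv4_<intf> is the group EdgeOS generates for an interface's own
# address; it is seeded from the post's 'vif 10 address 10.200.10.1/24' line.
INTERFACE_GROUPS = {"ADDRv4_eth3.10": ["10.200.10.1/32"]}


@dataclass
class Rule:
    action: str = "accept"
    protocol: str = "all"
    states: set = field(default_factory=set)   # empty = match any state
    dst_group: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass
class Ruleset:
    default_action: str = "drop"               # EdgeOS default when unset
    rules: dict = field(default_factory=dict)

@dataclass
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    state: str = "new"


def parse(config_text, interface_groups=None):
    """Build rulesets and group tables from 'set firewall ...' lines."""
    groups = {name: [ipaddress.ip_network(n) for n in nets]
              for name, nets in (interface_groups or {}).items()}
    rulesets = {}
    for line in config_text.strip().splitlines():
        tok = shlex.split(line)
        if len(tok) < 6 or tok[:2] != ["set", "firewall"]:
            continue
        if tok[2] == "group" and tok[5] in ("address", "network"):
            groups.setdefault(tok[4], []).append(ipaddress.ip_network(tok[6]))
        elif tok[2] == "name":
            rs = rulesets.setdefault(tok[3], Ruleset())
            if tok[4] == "default-action":
                rs.default_action = tok[5]
            elif tok[4] == "rule":
                rule = rs.rules.setdefault(int(tok[5]), Rule())
                key, val = tok[6], tok[7:]
                if key == "action":
                    rule.action = val[0]
                elif key == "protocol":
                    rule.protocol = val[0]
                elif key == "state" and val[1] == "enable":
                    rule.states.add(val[0])
                elif key == "destination" and val[0] == "group":
                    rule.dst_group = val[2]
                elif key == "destination" and val[0] == "port":
                    rule.dst_port = int(val[1])
    return rulesets, groups


def evaluate(ruleset, groups, flow):
    """Return (rule number or None, action): first match wins, else default-action."""
    dst = ipaddress.ip_address(flow.dst)
    for num, r in sorted(ruleset.rules.items()):
        if r.protocol != "all" and r.protocol != flow.proto:
            continue
        if r.states and flow.state not in r.states:
            continue
        if r.dst_group and not any(dst in net for net in groups[r.dst_group]):
            continue
        if r.dst_port is not None and flow.dport != r.dst_port:
            continue
        return num, r.action
    return None, ruleset.default_action


def check_guest_policy():
    """Evaluate constructed flows from a guest client (203.0.113.0/24 is TEST-NET-3)."""
    rulesets, groups = parse(CONFIG, INTERFACE_GROUPS)
    rs = rulesets["Public_WiFi_IN"]
    flows = {
        "lan_smb_new": Flow("10.200.10.50", "10.200.0.25", "tcp", 445),
        "lan_reply_established": Flow("10.200.10.50", "10.200.0.25", "tcp", 51000, "established"),
        "internet_smtp": Flow("10.200.10.50", "203.0.113.25", "tcp", 25),
        "internet_https": Flow("10.200.10.50", "203.0.113.80", "tcp", 443),
        "other_rfc1918": Flow("10.200.10.50", "192.168.22.5", "tcp", 22),
    }
    return {name: evaluate(rs, groups, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (num, action) in check_guest_policy().items():
        print(f"{name:24s} rule {str(num):>4s}  {action}")
```

The script only models the `in` ruleset, which EdgeOS applies to traffic forwarded through the router; packets addressed to the router itself (DNS to 10.200.10.1, for example) are judged by the separate `local` ruleset, so the "Allow access to gateway" rule is not exercised here. Extend the `flows` table with your own destinations before committing a ruleset to see what each one would hit.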
