As mentioned in previous posts, I purchased and setup an EdgeRouter X from Ubiquiti. That all went relatively well and the device has been performing great.
Minor Performance Issues
Well, I did have a few instances where the internet port kept getting disconnected. This happened twice. Both times, it was later at night. I just stopped using the internet and went to bed. No one else complained so, it was no big deal. However, I'll have to keep an eye on it. I'd like to find a way to record the log file entries in a database.
Rules Update
Last time, I created rules for all of the devices on my network. I decided to make rules for all devices, not just the ones I blocked. For now, there are some rules that block kids devices overnight. In the future, I will change the main ruleset to drop all traffic. Then, I will change the individual rules to allow traffic during specific times. This will keep the kids from spoofing their MAC address or using "unauthorized" devices.
I may also make an additional rule to allow access to any device during daylight hours for any guests that come over. On the other hand, almost everyone who comes over has a phone with a data plan so it probably is unnecessary
Configuration Backed Up
Today, I backed up the configuration. That was very easy. I probably should test it by restoring it but I'm scared I will brick the router.
System Image Upgraded
Finally, I downloaded the latest system image from the Ubiquiti web site and installed it. That also went smoothly. Interestingly, the options that were missing compared the manual are now there. For example, there is now a "Basic Setup" wizard option. I guess I should have done a system image update before I did any another configuration.
The purpose of this blog is to record my progress on maker projects that I am working on. I will tag each post with the name of the project to group posts together.
Advertisement
Friday, December 29, 2017
Thursday, December 28, 2017
Setting up an EdgeRouter -- Blocking by device and time
In may last post, I described the initial setup of my new EdgeRouter X by Ubiquiti. I connected it to my ISP, and pointed it to OpenDNS as the DNS server. Now, I am going to setup a rule to block access to the internet for specific devices at specific times. In this way, I can effectively turn off the internet for my kid's devices overnight without turning off my internet access. Plus, each kid can have a different schedule. If I want to take away internet access as a punishment, I can easily do this by changing the settings for the specific kid's rule.
First Failed Attempt
As an aside, on my first attempt, I managed to block all traffic on my internal network. I created a ruleset that dropped all packets as a default action. I turned it on for the interface for the switch and immediately lost connection to the router. The only way to fix it was to reset the device to factory settings and start over. Doh!
Resetting the Router
There are several ways to reset the router. I tried simply holding in the reset button while the device was powered on. This did not seem to do anything. In order to get the reset to work, I had to push in the reset button, then plug in the power until the reset sequence finished.
One other thing. After I changed the IP address of the switch to 0.1, I had to plug the cable from my PC into port eth1 on the switch. It took me a few minutes to figure out why I could not connect to the switch while plugged in to port eth0 after it was configured to connect to the internet on port eth0. Maybe this will help someone who reads this blog.
Configuring the Router to Block Traffic
Here are the steps I followed to configure the router.
After logging in to the device, I clicked on the Firewall/NAT button and then the Firewall Policies tab.
I clicked on the "Add Ruleset" button and created a new ruleset named "Blocking". This ruleset will contain all of the rules for each device I want to block on my network. The default action is set to Accept all traffic. This way, all traffic is allowed by default. The firewall will only block traffic for specific rules. The mistake I made was to set the Default Action to Drop.
After saving the new ruleset, I clicked on the Actions dropdown for the new Blocking ruleset and chose the Interfaces option. I set the Interface to eth0 and the Direction to out. The ruleset was now finished after saving it.
The next step was to create a default rule. I clicked on the Actions dropdown and chose "Edit Ruleset". Next, I clicked on the "Add New Rule" button. On the Basic tab, I entered a description that was for the device I wanted to block. The Enable box was checked by default. Drop was selected as the Action. (Reject would have also worked.) The "All protocols" radio button was selected. I did not choose logging because I don't want an entry in the log for every blocked packet. Here is a screen shot of the settings.
That is it for the Basic tab. Nothing needs to be set on the Advanced tab.
The MAC Address of the device to block is entered on the Source tab. I could also use the IP address to identify the device but that is easy for a kid to change. In theory, the MAC address can also be spoofed to get around the rules. If I find out that they are doing that, I will have to drop all packets by default and make rules to allow traffic by specific MAC address.
That is it. Now that I have one rule made, I can use the Actions button to copy the rule and simply change the MAC address and time for each kid's device.
First Failed Attempt
As an aside, on my first attempt, I managed to block all traffic on my internal network. I created a ruleset that dropped all packets as a default action. I turned it on for the interface for the switch and immediately lost connection to the router. The only way to fix it was to reset the device to factory settings and start over. Doh!
Resetting the Router
There are several ways to reset the router. I tried simply holding in the reset button while the device was powered on. This did not seem to do anything. In order to get the reset to work, I had to push in the reset button, then plug in the power until the reset sequence finished.
One other thing. After I changed the IP address of the switch to 0.1, I had to plug the cable from my PC into port eth1 on the switch. It took me a few minutes to figure out why I could not connect to the switch while plugged in to port eth0 after it was configured to connect to the internet on port eth0. Maybe this will help someone who reads this blog.
Configuring the Router to Block Traffic
Here are the steps I followed to configure the router.
After logging in to the device, I clicked on the Firewall/NAT button and then the Firewall Policies tab.
I clicked on the "Add Ruleset" button and created a new ruleset named "Blocking". This ruleset will contain all of the rules for each device I want to block on my network. The default action is set to Accept all traffic. This way, all traffic is allowed by default. The firewall will only block traffic for specific rules. The mistake I made was to set the Default Action to Drop.
After saving the new ruleset, I clicked on the Actions dropdown for the new Blocking ruleset and chose the Interfaces option. I set the Interface to eth0 and the Direction to out. The ruleset was now finished after saving it.
The next step was to create a default rule. I clicked on the Actions dropdown and chose "Edit Ruleset". Next, I clicked on the "Add New Rule" button. On the Basic tab, I entered a description that was for the device I wanted to block. The Enable box was checked by default. Drop was selected as the Action. (Reject would have also worked.) The "All protocols" radio button was selected. I did not choose logging because I don't want an entry in the log for every blocked packet. Here is a screen shot of the settings.
That is it for the Basic tab. Nothing needs to be set on the Advanced tab.
The MAC Address of the device to block is entered on the Source tab. I could also use the IP address to identify the device but that is easy for a kid to change. In theory, the MAC address can also be spoofed to get around the rules. If I find out that they are doing that, I will have to drop all packets by default and make rules to allow traffic by specific MAC address.
Finally, the time to block the device is entered on the Time tab. In this case, I wanted to block traffic from this device from midnight to 4am every day. I could have blocked traffic for certain days and could even make multiple rules for the same device to have different times during the week and on weekends.
Saturday, December 23, 2017
Setting up an EdgeRouter, Part I
Introduction
Ever since my kids got devices that could get on the internet, I have been looking for ways to manage and monitor their access. We do randomly check their devices for "bad stuff" and we talk about what they should not be doing on the internet. Those are good, basic steps that any good parent should take.
I always point my routers to OpenDNS as the DNS server to filter out objectionable content. I am sure that helps, but savvy kids could install VPN apps to get around this.
Finally, the wireless AP is setup to turn off the wireless radios at 10:00pm until 4:00am. This keeps the kids off of the internet on their phones overnight since they don't have data plans. Also, they are supposed to leave their phones downstairs for charging overnight so they can't play offline games. The downside is that all wireless devices are affected by this and not just the kid's phones.
What I need is a router that
- allows me to block internet access at specific times for specific devices
- allows me to see what sites people are going to
- allows me to block access to VPN by device. I sometimes need to login to work using VPN. I can't just block all VPN access.
Hopefully, the EdgeRouter X by Ubiquiti will let me do everything I want.
I bought an EdgeRouter X on Amazon for about $50. There are more expensive models but this one seemed like it would do everything I wanted. Plus, we have Amazon Prime right now so shipping was free. Some people said that the router stopped working after a few days. Amazon offered buyer protection for <$2, so I paid for that as well. If I get a lemon, I hope they will give me my money back.
Initial Thoughts
If you read reviews of the EdgeRouter, some people complain that it is hard to setup. I did not find that to be true at all. I am in IT but I am not a network engineer and do not work with routers normally. So, configuring the EdgeRouter is by no means something I can do without help.
The manual that the router comes with is simply a quick start guide. It explains how to plug everything in and nothing more. You need the full user guide to get anywhere. Fortunately, that can be downloaded from the Ubiquity website. I have not read much of it yet but, at 104 pages, it appears to be pretty comprehensive. Also, I have had good luck googling things. Some of the information Google finds is outdated but still helpful.
Setting up to Connect to the Internet
The main thing I need the EdgeRouter to do is connect my home network to the internet through my cable modem. This was very easy to setup.
First, I followed the instructions in the quick start guide to power up the EdgeRouter. I plugged a network cable from my laptop into port ETH0. Then, I configured the Ethernet port on my laptop to have a fixed IP address of 192.168.1.1. I brought up the web configuration interface and logged in as the ubnt user.
There is a wizard to configure the device to connect to the internet. The user guide says that the wizard is named, "Basic Setup". However, my device did not have a wizard with that name. Fortunately, the "WAN+2LAN2" wizard is the same as the Basic Setup wizard. I used the WAN+2LAN2 wizard and followed the instructions in the user guide for the Basic Setup wizard.
For the internet port choices, I left the defaults.
The wizard screen also has a section to setup the LAN. You need to expand the section at the bottom of the screen to see the choices. One thing that through me off a bit is the DHCP setup. The address box is for the default address of the switch for the LAN. This is the address that DHCP will give to the clients as the router address. At first, I thought that this box was for the lower IP address setting. I set the address as 192.168.0.1.
Also, by default, the software starts the DHCP IP range at .38 and ends it at .243. That is more than enough for a home network.
The last step is to click the Apply button and reboot the router.
Physically Connecting to the Cable Modem
It took a bit of fiddling to get the router installed on my network. I connected the Ethernet cable from the cable modem to eth0 on the EdgeRouter and powered up the EdgeRouter. The cable modem's network light lit up to indicate that the EdgeRouter was connected. However, I could not get to the internet even though I could see that the EdgeRouter had a routable IP from my ISP and was downloading traffic. A simple reboot of the cable modem and the EdgeRouter fixed the problem.
OpenDNS
Setting up the EdgeRouter to use OpenDNS was a bit harder but still pretty easy. The user guide does not specify how to do this. Fortunately, I am not the only one who tried to do this. Google to the rescue.
Part of the configuration can be done with the gui tools in the EdgeOS. Part of the configuration must be done by entering unix commands into the Command Line Interface (CLI).
First, I clicked on the System button in the bottom-left corner of the screen. This brings up the System configuration screen. I entered the two OpenDNS server IP addresses in the system name server box. Those addresses are 208.67.222.222 and 208.67.220.220. I also added the local IP address of 127.0.0.1 and saved those changes.
Next, I opened up the CLI interface and logged in as an administrator. I entered the following commands in the interface.
configure
set service dns forwarding system
commit
save
exit
exit
Finally, I had to go to the OpenDNS web site and refresh my network's IP address. It took about five minutes for the OpenDNS servers to propagate my changes but eventually OpenDNS was doing it's job.
That's it for now. I have my EdgeRouter connected to my cable modem. I can get to the internet and am using OpenDNS for the DNS servers.
Next, I want to configure the router to block specific devices from accessing the internet at specific times.
Subscribe to:
Posts (Atom)