Segmenting and Hardening Network With Ubiquiti Edgerouter 4

I’m looking to pay someone for an hour of screen share/handholding to lock down my Ubiquiti Edgerouter 4. The immediate need is to add a 2nd WAN to change ISP service (webserver stays online as DNS changes propagate).

I’ve also started to segment my network (VLANs for webserver, employee, public wifi, and trusted), but I’m a bit fuzzy on setting firewall rules, like:

  • trusted net with one-way access to everything
  • employee/point of sale with file share/SQL/etc access to the trusted net
  • webserver/public wifi DMZ

I’m wondering whether no one answered because of the way you described the post, implying that the person would be allowed to do one hour only, regardless of their rates, because people got in contact with you through DMs or, the least probable, because no one here has got Ubiquiti experience.

Anyways, this seems like the kinda thing that with basic networking skills one should be able to accomplish regardless of vendor. Maybe by posting more info, screenshots and diagrams one would be able to do it for free.

Also Ubiquiti is sketchy on dual WAN. It still requires manual setup and modifications of the system files to get it rolling. I’d never use Ubiquiti in more than a home setup personally.

Unlikely in an hour.

For example, assuming you’re using DNAT to get from your public IP on your WAN to your webserver, you’d need to set up connection tracking and fwmarks to ensure your outgoing packets go out over the correct interface.
For IPv6 it’s “easier”, you “just” need to ensure that each host on the network gets multiple prefixes, one for each ISP.

It’s something that’d be best to try in a lab first - would need a spare EdgeOS device and at least 3 physical interfaces. e.g. I’d grab a €50 edgerouter-x and 3 USB NICs, and I’d put each NIC into its own network namespace. One namespace would just run a webserver. The other two would be two ISPs. Then I’d set up two new namespaces to act as clients of the two ISPs, and hook them up to the ISP namespaces using veth pairs. These “other ISP client” namespaces would just run curl for verification.

At that point we can start setting up IPv4 and IPv6 to match the setup @EricM has in prod.

It might also be worth noting that there’s a chance that something related to this multi wan setup messes up the edgerouter 4 performance in some way… I don’t see what that could be OOTH, but it’s important to be aware of that unfortunate possibility and plan on how to rollback the setup in case of issues and/or how to check that things are working correctly after each step or change.

Doable, but if this system is used at a business that can’t tolerate downtime, this would need lots of prep.

Additionally, very few folks come here looking for more work.
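The namespace lab sketched in the post above, as an added example that is neither the poster’s nor Ubiquiti’s code: a POSIX shell script that prints (or, with `--apply`, runs as root) the `ip(8)` commands for the web, isp1, isp2, client1 and client2 namespaces and the two veth pairs. It assumes hypothetical USB NIC names enx0..enx2, RFC 5737 documentation addresses, and that the EdgeRouter under test is configured with 192.0.2.1 on its LAN port and .2 on each WAN port.

```shell
#!/bin/sh
# Constructed lab topology (not from the thread or Ubiquiti): three USB NICs on the
# lab host are cabled to the router under test and moved into namespaces web, isp1,
# isp2; client1/client2 hang off isp1/isp2 via veth pairs and only run curl.
WEB_NIC=${WEB_NIC:-enx0}     # hypothetical NIC names; override from the environment
ISP1_NIC=${ISP1_NIC:-enx1}
ISP2_NIC=${ISP2_NIC:-enx2}

# isp_cmds NS NIC PREFIX CLIENT: NS owns PREFIX.1/25 (router WAN expected at PREFIX.2)
# and PREFIX.129/25 on a veth whose peer sits in CLIENT as PREFIX.130/25.
isp_cmds() {
    ns=$1; nic=$2; p=$3; client=$4
    echo "ip -n $ns addr add $p.1/25 dev $nic"
    echo "ip -n $ns link set $nic up"
    echo "ip link add veth-$ns type veth peer name veth-$client"
    echo "ip link set veth-$ns netns $ns"
    echo "ip link set veth-$client netns $client"
    echo "ip -n $ns addr add $p.129/25 dev veth-$ns"
    echo "ip -n $ns link set veth-$ns up"
    echo "ip netns exec $ns sysctl -w net.ipv4.ip_forward=1"   # ISP forwards between its legs
    echo "ip -n $client addr add $p.130/25 dev veth-$client"
    echo "ip -n $client link set veth-$client up"
    echo "ip -n $client route add default via $p.129"
}

# Emit the whole plan as text so it can be reviewed (or tested) before touching the host.
lab_cmds() {
    for n in web isp1 isp2 client1 client2; do
        echo "ip netns add $n"
    done
    echo "ip link set $WEB_NIC netns web"
    echo "ip link set $ISP1_NIC netns isp1"
    echo "ip link set $ISP2_NIC netns isp2"
    echo "ip -n web addr add 192.0.2.10/24 dev $WEB_NIC"   # router LAN side assumed 192.0.2.1
    echo "ip -n web link set $WEB_NIC up"
    echo "ip -n web route add default via 192.0.2.1"
    isp_cmds isp1 "$ISP1_NIC" 198.51.100 client1
    isp_cmds isp2 "$ISP2_NIC" 203.0.113 client2
}

# Verification step from each "other ISP client": curl the router's WAN address, which
# is where the DNAT to the webserver lives; both must answer before touching production.
verify_cmds() {
    echo "ip netns exec client1 curl -sS --max-time 5 http://198.51.100.2/"
    echo "ip netns exec client2 curl -sS --max-time 5 http://203.0.113.2/"
}

case "${1:-}" in
    --apply)  lab_cmds | sh -e ;;             # needs root on the lab host
    --verify) verify_cmds | sh ;;
    *)        lab_cmds; verify_cmds ;;        # dry run: print the plan
esac
```

Run it once without arguments and read the plan; the only state on the router itself is its normal EdgeOS WAN/LAN configuration, so the lab can be torn down with `ip netns del` per namespace without affecting production.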

I just figured it’d take an hour. My options were:

  • Free - spend a week posting configs back and forth on the Ubiquiti forum
  • 4 hrs - read docs, set up firewall and always wonder if I did it right
  • 1 hr - pay someone to jump in a discord call and hold my hand

I don’t mind paying people who know what they’re doing.

It’s a small business with a static, low-traffic web server. I thought the Ubiquiti gear was a step up from higher-end home networking gear.

I always back up stable settings. I’ve already locked myself out of the management console playing with the firewall rules and had to restore after a factory reset.
