Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks

[guykuo]

The OpenVPN creation command line instructions are up. You can actually get the router isolation system and OpenVPN running.
There is some repetitive data entry during certification creations, but those are fairly simple.

Getting the OPVN credentials and ovpn file installed in the clients varies depending on the client. You'll have to follow the client app instructions for that.

 

[wittaj]

@guykuo I said it before and wow this is just incredible!

So I tried the ASUS router route and it is failing miserably on the setup I posted on page 2, so now thinking this route is the better route for me.

So if we don't use your config file, it looks like we make our screens mirror the screenshots you posted? Or are there a lot more steps and work there than its's worth and you recommend the config file. I want to learn some of this, but also not go crazy in the process LOL.

Regarding the part that gets to the Command Line information, if I wanted to be stupid and not download the SSH (I have an older computer so I don't know if PuTTY would work as the stuff for Windows 10 link you posted didn't work), it looks like if I only used the built-in CLI, it looks like I would only have to key in the stuff you put in blue? I recognize it isn't cut and paste and I say that doesn't look like a lot of blue text to key in now LOL, but wanted to see if I went that route and keyed it in, I would only have to deal with the blue text as the SSH basically allows cut/paste or am I off on this assumption?

 

[guykuo]

I'm afraid trying to use the built-in CLI is likely to be a frustrating experience. Those commands need every single punctuation and space correct. Cut and paste is more likely to succeed. I'm sorry you have to install an SSH client for Windows, but it is probably worth taking the time to do that first. I will be amazed if you manage it using the CLI without a LOT of swearing.

I recommend starting with my config file rather than building from scratch. The idea of the pre-configured file was to get people up with isolation rules with the least amount of effort. I include a known set of rules that have worked for years. I don't show you all the steps for creating them and there are few niceties like hardware acceleration that are already active in my config.

You can approximate it by matching against the settings I have illustrated, but that really is the hard way. Easier is to use the pre-config. Study it. Modify it as desired.

Nice thing about the ER-X, is it is really low cost. You don't lose much and can gain a lot if someone happens to have made a downloadable config tailored for surveillance needs.

 

[wittaj]

Yea, I say looking at the CLI and the blue text you said needs input doesn't look daunting LOL...I know the reality is something different!

Now if you can figure out a way to have the entire process through OpenVPN in a config file and we just have even less changes to make...LOL

Should I wait for config file 2.0 or from a security standpoint you can't "clean it" so that the OpenVPN stuff could connect to your system (I assume that is the issue?)

 

[guykuo]

I could have the entire OpenVPN in a config file, but everybody would have the same keys and be able to get into each others network.

It's not just a matter of cleaning. We need the certificate authorities to be quite distinct between users.

1. I have you connect the router and let it see some traffic BEFORE doing any of the OpenVPN stuff. That lets the router get correct time. Also the traffic is sometimes used to increase entropy of some random number generators, but I don't know if that is the case with the ER-X. Doesn't hurt to get more randomness. (BTW set your time zone in the ER-X system Pane)

2. You generate your own DH parameter file. That will differ from other people's

3. Finally, you generate your own certificates for the OpenVPN server and clients.

By keeping all those three things distinct between ER-X's, we avoid having multiple people with closely related encryption keys. If I pre-generated everything, you and everybody else who used the config would have too much in common.

 

[wittaj]

I am new to all this and still learning and will make mistakes along the way (like apparently the ASUS router that will be returned LOL), but I follow your logic on some level for a NOOB.

I have not seen it yet so I am totally guessing that part of the issue why you cannot "clean it up" for the OpenVPN component is that the CLI and SSH portions are what I would call real-time interaction where you type in a command and something happens and then you type in another command and something happens compared to a programming language where you could pull up the line of code and then go in and make the changes and save and run - if that makes any sense?

I guess another way to think about it is that if your config file went all the way through to OpenVPN, someone would have to go thru the CLI/SSH portion as outlined above to change it because you cannot pull up source code to make changes to make it unique to them at which point a lot probably wouldn't, thus running the risk of people being able to get into other's networks.

Speaking of that, I am always weary about these types of downloads like a Merlin flash to the ASUS firmware or something like a configuration file for a router - what are the chances/odds that something ill intended either on purpose or accidentally could make it's way into the file?

 

[guykuo]

what are the chances/odds that something ill intended either on purpose or accidentally could make it's way into the file?

Never zero, but not terribly likely I f**ked up my instructions or the config file. It is a working config. You could also believe me to a hacker attempting to get into every one's network.
Someone with administrative privileges on this forum could substitute their config file for mine, but that is why I supply the SHA256 checksum for the file. If it gets changed, the checksum won't match.
If someone changes both the file and posted checksum, I'll notice the checksum does not match what I posted.

Yes, the CLI portion contains some bits that are interactive. I can't produce a batch file to do it for you.

It will make more sense with the Router in front of you. Once my config is uploaded into it, you can play with it by hooking its WAN inside your existing LAN before hooking the ER-X up as your actual router.

 

[wittaj]

@guykuo yea I would think that it would be easier to introduce something ill intended into a flash of firmware than a config file. I think if you were a hacker you would simply provide the entire config file so everyone has the same OpenVPN LOL. And not provide a checksum!

Honestly, I am struggling trying to figure out what someone could put into a config file for ill-intent, so enlighten me on what could be done LOL. I look at the config file as basically the configuration settings of the router and unless the router has been hacked, the firmware of the router should prevent the ability to configure it in such a way that would make someone susceptible? I mean someone could set it up intended to isolate the cameras from "phoning home" and messed that up (which I doubt you did), so I don't know what could be done, but I'm curious so just asking...

I guess I will order one of these and give it a try. I certainly think it will do what the ASUS router couldn't. Hopefully I don't have too many questions as I play with it!

 

[guykuo]

Simplest I can think of is one could produce a config file with leaky firewall rules. It could be noticed by someone reading through the rules, but a beginner may not understand the implications of the rulesets.
Another is the DNS query system. The config file defines which DNS servers are used. One could point DNS at a rouge DNS server that points your queries to the wrong server. Again, that could be noticed looking at the config settings.

The firmware is a better place to really hide stuff, but we tend to trust Ubiquity. They also supply checksums for their firmware.

Honestly, the biggest real risk is from a noob getting an ER-X, starting from scratch, and creating a poorly conceived firewall rulesets. Mess up the rules and you lose protection and/or function. When I started with an ER-X, it took me three days to build up a configuration that worked.

 

[wittaj]

@guykuo that is what I was thinking - if someone had some leaky firewall rules or a NOOB messed up some settings it won't be any worse than an unmanaged switch? Well I guess it could be worse in that they may FUBAR the entire thing that they can't see the internet at all from any device, but a simple factory reset fixes that after pulling out hair trying to figure out where the problem is LOL.

And I would assume that your config file probably has the DNS automatically assigned by the ISP as the default?

I really do appreciate all you have done making this as painless as can be for others that are looking for this type of set-up/customization/flexibility!

I will deal with this once I get the router in my hands, but I assume rules can be setup to allow the NVR or cams to send out motion emails?

 

[guykuo]

DNS servers are defined in the config rather than via pulling from ISP. Currently, the pre-config uses.

dns {
forwarding {
cache-size 600
listen-on eth1
listen-on eth2
listen-on eth3
listen-on eth1.1003
listen-on eth4
listen-on vtun0
name-server 1.1.1.1
name-server 129.250.35.251
name-server 208.67.222.222
name-server 8.8.8.8
}
}

Have not covered how to adjust the DNS and hardware acceleration yet in this tutorial. I plan that for the last reserved spot.

Paused adding stuff for until I could see someone actually using the posted info. Otherwise waste of my time.

 

[wittaj]

@guykuo Hmmm.... I guess there is a benefit to this rather than pulling from ISP? If you are going to cover that in the next reserved spot, that is fine too. I know that when I have changed the DNS away from auto the ISP gets concerned LOL, so I would probably need to keep it at auto from ISP.

 

[Brad Strohfeldt]

Paused adding stuff for until I could see someone actually using the posted info. Otherwise waste of my time.

Guykuo, just want to thank you for your effort to make the er-x accessible for us noobs. I have been struggling with how to do opvn and was concerned about the very large learning curve to use this router but I now feel that using your config I should now be able to at least get up and running with some confidence that it will be secure. So based on your work I have ordered an er- x for my network. Thankyou

 

[wittaj]

Have not covered how to adjust the DNS and hardware acceleration yet in this tutorial. I plan that for the last reserved spot.

Paused adding stuff for until I could see someone actually using the posted info. Otherwise waste of my time.

Please continue - just got back returning the ASUS and picking this router up. Don't leave us now!

Oh wait - there is an Edgerouter X and Edgerouter X advanced...they look the same but have different ISBN numbers - are they same for this purpose?

 

[guykuo]

I don't see a separate Edgerouter Advanced X on the Ubiquity product page. They refer to the EdgeRouter X as an "advanced" router.

 

[wittaj]

I don't see a separate Edgerouter Advanced X on the Ubiquity product page. They refer to the EdgeRouter X as an "advanced" router.

Weird - The Advanced has an ISBN of B00YFJT29C and the plain X is B0144R449W - maybe they had slight name variation based on which outlets sold it? They look the same - I guess we will find out!

 

[wittaj]

@guykuo - wow what an incredible little box this is. I cannot believe how much customization is in it. Now granted it doesn't have wifi, but the features have to be better than any consumer wifi router, especially at that price point.

So I spent a good chunk of today playing with just to get a feel for it and try to understand the logic and screens. I did it as the Wizard first so I could try to understand why you did this or that in your setup to try to understand the logic. I figured when I am done playing I will simply reset it and add your config file.

Maybe some of this will become clearer when it is actually attached to my network, but I have a few questions:

From Post #21 - VLAN 1003-Eth1 - Supports a limited access guest VLAN. This is intended to support a guest WiFi system wherein the access points tag guest packets on VLAN 1003. 1003 matches the guest VLAN implemented by Apple. VLAN 1003 can only reach the internet, but not the main LAN nor any other LANs.

How does one access that and is it only for Apple products? I thought I would add the guest wifi unit to Eth3 or Eth4. I am guessing maybe that this VLAN 1003-Eth1 is intended for a guest access SSID in a wifi router plugged into Eth1?

From Post#27

How are the port numbers decided - I assume these correspond to whatever that item is (I still have trouble following opening ports).
Rule #1 - is that how the NVR will be able to send out notification emails or will another rule need to be set up for that?
Rule #6 - does that allow the cams to get the time directly or can they only get that through the PC or NVR

Also From Post#27 - DNS Service We also define which network interfaces are provided DNS service. We listen on eth1, eth2, eth3, eth1.1003, eth4, and vtun0. Only interfaces that are listed receive DNS services.
Vtun0 will eventually be our OpenVPN interface. I have added it here for that eventual use.

I think Rule 2 above prevents it, but should eth2 be removed from listening? Where can I manually set DNS or auto from ISP?

So right now my system is a combo modem/wifi router from the ISP. It has claims (as all consumer grade routers have) that the router has security software (Norton I think on this one, but like ASUS is Trend Micro). Does the Ubiquity have any of that in its router (or is it basically marketing bs to make people feel safe about their router because the real protection should be at the device level?) Does this router protect from the Ping of Death and Denial of Service issues that other routers claim to protect (or is that the rules above that prevent talking from the outside in except via VPN? Do you think there will be an issue placing this after that router?

Hopefully that will be my only questions LOL, but I am sure more will come up once I load your config in and try it out and then try OpenVPN. Which by the way, can the VPN be set up such as to kill the connection if the VPN is lost? My poor old computer was having trouble trying to keep up and kept blacking the screen and saying it was low on memory, so hopefully it doesn't complete die when I try to open up the SSH program to copy/paste!

 

[guykuo]

How does one access that and is it only for Apple products? I thought I would add the guest wifi unit to Eth3 or Eth4. I am guessing maybe that this VLAN 1003-Eth1 is intended for a guest access SSID in a wifi router plugged into Eth1?

VLAN 1003-Eth1 is defined in my config to be plugged into eth1 and with a VLAN of 1003. Apple happens to use VLAN 1003 for their guest VLAN number. You can use a different VLAN number if your wifi access points implement guest networking on a different VLAN. If your wifi access points for guest usage do not implement a guest VLAN tagging, yes hang them off the limited LAN 3 or LAN 4.

How are the port numbers decided

That is the LOCAL ruleset in your post. That rule set controls access to things INSIDE (aka LOCAL to) the ROUTER. Remeber, the rules are relative to the router. Local is services inside the router. IN is stuff passing in and eventually out through the router.

Ports 53 and 67 are standard ports for DHCP and DNS services. Regarding the rules in local ruleset...
Rule #1 gives the NVR unlimited access to access services provided by the router like DHCP, NTP, DNS.
Rule#6 allows the cameras to use the ER-X as the NTP source. We need that because block the cameras from doing NTP from outside world.

should eth2 be removed from listening?
NO! We intentionally list Eth2 so the ruleset can control eth2. If you remove eth2 from the ruleset's listen interfaces list, none of these rules would be applied against eth2. Eth2 would get full access without restriction --> badness.
Notice how eth1 is NOT listed. That is how main LAN eth1 gets full administrative access of the ER-X.

Rules 2 and 3 disallow LAN2 from DHCP and DNS.

Where can I manually set DNS or auto from ISP?
You have to do that from the CLI, I don't think you can from the GUI.

I am adding that to the DNS server instruction post...

 

[wittaj]

@guykuo - as usual, thanks for you simplified explanation!

So my NVR is in route so I guess once I hook that router up, I will lose email notifications until the NVR arrives and the notifications come thru that?

 

[guykuo]

I think you are saying your cameras are sending SMTP notifications. Yes, the cameras will be blocked from sending anything out.
Only thing permitted to "dial" out of LAN2 is the NVR or NVRPC at 192.168.52.20