EdgeRouter X - Ubiquiti - (ER X)

570 replies to this topic

#37
petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,863
  • Joined: 28.11.2001

ogo, on 12 November 2019 - 01:07, said:

That means you didn't paste the whole configuration

I deleted some lines where I had fixed IPs allocated to certain devices, because it was too much to edit :))
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description xxxx
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description xxx
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description xxx
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description xxxx
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
set interfaces switch switch0 address 192.168.1.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set port-forward auto-firewall enable
set port-forward hairpin-nat disable
set port-forward rule 1 description xxx
set port-forward rule 1 forward-to address 192.168.1.xxxx
set port-forward rule 1 forward-to port xxx
set port-forward rule 1 original-port xxxx
set port-forward rule 1 protocol tcp_udp
set port-forward rule 2 description xxxx
set port-forward rule 2 forward-to address 192.168.1.xxxx
set port-forward rule 2 forward-to port xxx
set port-forward rule 2 original-port xxxx
set port-forward rule 2 protocol tcp_udp
set port-forward rule 3 description xxxx
set port-forward rule 3 forward-to address 192.168.1.xxxx
set port-forward rule 3 forward-to port xxxx
set port-forward rule 3 original-port xxxx
set port-forward rule 3 protocol tcp_udp
set port-forward wan-interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.150 stop 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.xxx
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx ip-address 192.168.1.228
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping xxxx mac-address 'xxxx'
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 1000
set service dns forwarding listen-on switch0
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set service unms disable
set system host-name ubnt
set system login user xxxx authentication encrypted-password 'xxxxxxxx'
set system login user xxxx level admin
set system name-server 1.1.1.1
set system name-server 9.9.9.9
set system ntp server 0.ro.pool.ntp.org
set system ntp server 1.ro.pool.ntp.org
set system ntp server 2.ro.pool.ntp.org
set system offload hwnat enable
set system offload ipsec enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Europe/Bucharest



#38
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

I haven't looked carefully BUT (I'll look later this evening) BUT (I've asked before):
why do you hide/delete the addresses from the 192.168.0.0/16 subnet??
They're private, there's no way anyone can reach them.

#39
mufa (Misogynist pig)
  • Group: Super Moderators
  • Posts: 40,788
  • Joined: 13.01.2005

ogo, on 12 November 2019 - 02:12, said:

configure
set firewall group network-group BOGONS description 'Martians & UFOs'

###add to this group the IP ranges that should never arrive from the WAN (internet)###

set firewall group network-group BOGONS network 0.0.0.0/8
set firewall group network-group BOGONS network 100.64.0.0/10
set firewall group network-group BOGONS network 127.0.0.0/8
set firewall group network-group BOGONS network 169.254.0.0/16
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.0.0.0/24
set firewall group network-group BOGONS network 192.0.2.0/24
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall group network-group BOGONS network 198.18.0.0/15
set firewall group network-group BOGONS network 198.51.100.0/24
set firewall group network-group BOGONS network 203.0.113.0/24
set firewall group network-group BOGONS network 224.0.0.0/4
set firewall group network-group BOGONS network 240.0.0.0/4

###apply the configuration, save it, leave configuration mode###

commit; save; exit

A few observations/questions:

1. The first address is 10.0.0.0/8, not 0.0.0.0/8, because you don't want to block the whole internet.
2. Apart from the RFC1918 addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and multicast: 224.0.0.0-239.255.255.255, why would you want to block anything else?
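As an added example (not from any poster in the thread), here is the quoted BOGONS group with the 10.0.0.0/8 entry that was missing from it, plus the part the quote does not show: the rules that actually apply the group to the WAN_IN and WAN_LOCAL rule sets from petman's configuration above. Rule number 15 is an assumption, chosen to sit between petman's rule 10 (accept established/related) and rule 20 (drop invalid).

```text
configure
set firewall group network-group BOGONS description 'Martians & UFOs'
set firewall group network-group BOGONS network 0.0.0.0/8
set firewall group network-group BOGONS network 10.0.0.0/8
set firewall group network-group BOGONS network 100.64.0.0/10
set firewall group network-group BOGONS network 127.0.0.0/8
set firewall group network-group BOGONS network 169.254.0.0/16
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.0.0.0/24
set firewall group network-group BOGONS network 192.0.2.0/24
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall group network-group BOGONS network 198.18.0.0/15
set firewall group network-group BOGONS network 198.51.100.0/24
set firewall group network-group BOGONS network 203.0.113.0/24
set firewall group network-group BOGONS network 224.0.0.0/4
set firewall group network-group BOGONS network 240.0.0.0/4

### Drop new connections from bogon sources on traffic forwarded to the LAN.
### Rule 15 comes after rule 10 (accept established/related), so replies to
### sessions the LAN or the router itself opened towards ISP gear living in
### 10.0.0.0/8 (including DHCP renewals on eth0) are not caught by it.
set firewall name WAN_IN rule 15 action drop
set firewall name WAN_IN rule 15 description 'Drop bogon sources'
set firewall name WAN_IN rule 15 log enable
set firewall name WAN_IN rule 15 source group network-group BOGONS

### The same for traffic addressed to the router itself.
set firewall name WAN_LOCAL rule 15 action drop
set firewall name WAN_LOCAL rule 15 description 'Drop bogon sources'
set firewall name WAN_LOCAL rule 15 log enable
set firewall name WAN_LOCAL rule 15 source group network-group BOGONS

commit; save; exit
```

With `log enable` on the rule, every hit is written to the kernel log with its rule-set and rule number in the prefix, which is what lets you count what is really arriving from the ISP side before deciding whether the extra rule is worth its cost on a small router.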

#40
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

@mufa
I think you misunderstand the meaning of 0.0.0.0/8 (0.0.0.1 - 0.255.255.254). More details here: RFC6890

and RFC1122


10.0.0.0/8 also exists and it is listed there too. OOPS - I forgot it.
For the rest of the addresses, the explanations are here: https://www.iana.org...-registry.xhtml

Edited by ogo, 12 November 2019 - 11:23.


#41
mufa (Misogynist pig)
  • Group: Super Moderators
  • Posts: 40,788
  • Joined: 13.01.2005

ogo, on 12 November 2019 - 11:20, said:

@mufa
I think you misunderstand the meaning of 0.0.0.0/8 (0.0.0.1 - 0.255.255.254). More details here: RFC6890

and RFC1122


10.0.0.0/8 also exists and it is listed there too. OOPS - I forgot it.
For the rest of the addresses, the explanations are here: https://www.iana.org...-registry.xhtml

Someone hasn't had their coffee yet, and I'm not sure whether it's me or the guys who wrote RFC1122 and RFC6890

Quote

For
   example, [RFC1122] reserves an IPv4 address block (0.0.0.0/8) to
   represent the local (i.e., "this") network.

After which you open up RFC1122, hit Ctrl-F for 10.0 and find nothing.

But yes, now I understand why those are reserved.

#42
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

Search for paragraph 3.2.1.3 in 1122. It's explained "in words".

#43
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

@mods
Please edit this post: https://forum.softpe...8#entry25496882
and after the line:
set firewall group network-group BOGONS network 0.0.0.0/8
add the following line as well:
set firewall group network-group BOGONS network 10.0.0.0/8

Thanks!

Edited by ogo, 12 November 2019 - 14:09.


#44
Tyby (blue balls)
  • Group: Super Moderators
  • Posts: 15,394
  • Joined: 29.11.2001

I did it, and I broke the code at the bottom of the post a little, because it was distorting the page.

#45
petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,863
  • Joined: 28.11.2001

ogo, on 12 November 2019 - 10:56, said:

I haven't looked carefully BUT (I'll look later this evening) BUT (I've asked before):
why do you hide/delete the addresses from the 192.168.0.0/16 subnet??
They're private, there's no way anyone can reach them.

Do you think I know why I did that? :)

#46
MembruAnonim (MembruAnonim)
  • Group: Banned
  • Posts: 398,284
  • Joined: 08.10.2015

Isn't all that bogon business a bit paranoid?

#47
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

@tiby: thanks!

@petman:

Quote

sincerity is the boldest form of courage!

FYI: no local address from RFC1918 (in your case 192.168.1.0/24, which is part of 192.168.0.0/16), nor the other subnets belonging to that RFC (10.0.0.0/8, 172.16.0.0/12), should ever be routed (i.e. appear on the INTERNET). They are private IPs and can be used by anyone in their own network (a PRIVATE INTERNET, better known as a LAN).

@demonik: If you're on RDS you can try it; you'll notice at least 2-3 "accesses", especially from IPs belonging to the subnets defined by RFC1918, accesses coming from the INTERNET towards the WAN interface of your gateway.

#48
MembruAnonim (MembruAnonim)
  • Group: Banned
  • Posts: 398,284
  • Joined: 08.10.2015

Which I suppose end up on the drop rule anyway at the moment.. is an extra rule needed? Just asking :) on these small routers every extra rule has a cost :))

#49
MembruAnonim (MembruAnonim)
  • Group: Banned
  • Posts: 398,284
  • Joined: 08.10.2015

RFC1918 is also used by providers for their own toys; after all, the provider's network is a LAN too. In your case, ogo, I get the impression someone really "means well" for you if you're seeing accesses from such IPs on the WAN interface. And I think those IPs are sources inside their network, not coming from the Internet. I think...

#50
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

What comes from 10.0.0.0/8 is from RDS, 100% (their equipment uses IPs from the 8-bit private netmask, which they confirmed by phone). The rest, especially 192.168.0.0/16, comes from the "equipment" of RDS customers, the vast majority of it badly configured (especially on FTTB). What arrives via broadcast is again badly configured equipment doing "discovery" for "n" protocols running on the various devices present on the network (the ISP's or otherwise).
BOGONs shouldn't appear on the WAN, but problems of this kind show up at a lot of ASes, and some of them even announce them directly on the INTERNET. A detailed list HERE.

@demonik
It depends on your firewall: in theory you have something like this on the INPUT chain: drop all not coming from LAN, and let's suppose your LAN is 192.168.0.0/24 - What do you think happens when a BOGON from that same 192.168.0.0/24 arrives on the WAN - does your router answer or not? :)
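As an added example (not code from the thread), a small Python triage script that parses EdgeOS-style firewall log lines and sorts the logged WAN sources into the classes of the quoted BOGONS group, 10.0.0.0/8 included, so the picture ogo describes (ISP gear in 10/8, other customers' CPE in 192.168/16, and what is actually routable) can be read off from the log instead of guessed. The log prefix format and the sample lines are assumptions, constructed here rather than captured from a router.

```python
"""Triage EdgeOS firewall log lines by bogon class.

Added example, not code from the thread. Assumes the iptables-style
"[<ruleset>-<rule>-<verdict>]" prefix EdgeOS writes for logged hits;
the sample lines below are constructed, not captured from a router.
"""
import ipaddress
import re
from collections import Counter

# The BOGONS group quoted in the thread plus the 10.0.0.0/8 entry ogo
# asked to have added; labels are only for the triage report.
BOGONS = [
    ("0.0.0.0/8", "this-network"), ("10.0.0.0/8", "RFC1918 10/8 (ISP gear)"),
    ("100.64.0.0/10", "CGNAT"), ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"), ("172.16.0.0/12", "RFC1918 172.16/12"),
    ("192.0.0.0/24", "IETF assignments"), ("192.0.2.0/24", "TEST-NET-1"),
    ("192.168.0.0/16", "RFC1918 192.168/16 (CPE)"), ("198.18.0.0/15", "benchmarking"),
    ("198.51.100.0/24", "TEST-NET-2"), ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "multicast"), ("240.0.0.0/4", "reserved"),
]
BOGON_NETS = [(ipaddress.ip_network(n), label) for n, label in BOGONS]

LOG_RE = re.compile(
    r"\[(?P<ruleset>[A-Z0-9_]+)-(?P<rule>\w+)-(?P<verdict>[ADR])\]"
    r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)

# Constructed sample: four bogon sources and one routable one hitting the
# default-drop of petman's WAN_IN / WAN_LOCAL rule sets.
SAMPLE_LOG = """\
Nov 12 22:10:01 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=10.20.30.40 DST=100.70.1.2 PROTO=TCP SPT=44321 DPT=22
Nov 12 22:10:03 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=192.168.1.100 DST=100.70.1.2 PROTO=UDP SPT=137 DPT=137
Nov 12 22:10:05 ubnt kernel: [WAN_IN-default-D]IN=eth0 OUT=switch0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=5555 DPT=445
Nov 12 22:10:07 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.9 DST=100.70.1.2 PROTO=TCP SPT=1234 DPT=80
Nov 12 22:10:09 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=8.8.8.8 DST=100.70.1.2 PROTO=TCP SPT=443 DPT=51000
"""


def classify(src):
    """Return the BOGONS label the source falls in, or None if it is routable."""
    ip = ipaddress.ip_address(src)
    for net, label in BOGON_NETS:
        if ip in net:
            return label
    return None


def triage(lines):
    """Count WAN-side firewall hits per bogon class ('routable' for the rest)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m["ruleset"].startswith("WAN"):
            continue  # not a WAN rule-set log line (or not a firewall line at all)
        counts[classify(m["src"]) or "routable"] += 1
    return counts
```

Feed it the router's kernel log (for example the output of `show log` piped to a file) and `triage(...).most_common()` gives the per-class counts; a steady stream in the "RFC1918 10/8 (ISP gear)" class is the ISP-side noise the thread is talking about, while hits in your own LAN range arriving on eth0 are the case ogo's question is about.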

#51
MembruAnonim (MembruAnonim)
  • Group: Banned
  • Posts: 398,284
  • Joined: 08.10.2015

Let's say it answers, even though that seems impossible to me, since it comes in via the ppp interface, which isn't in LAN (by LAN I mean the interface list, which in turn contains only the bridge, not an IP range; the same interface list used in the rule you mentioned above); what happens next (if it "answers")?

Edited by MembruAnonim, 12 November 2019 - 22:33.


#52
ogo (Senior Member)
  • Group: Senior Members
  • Posts: 4,537
  • Joined: 07.03.2006

No idea, it depends on whether it's intentional or not, it depends on the "attacker's" intentions, it depends on the security of the firmware running on that device, but, as a conclusion, I think it's easier to prevent than to "treat".

#53
MembruAnonim (MembruAnonim)
  • Group: Banned
  • Posts: 398,284
  • Joined: 08.10.2015

Actually the problem with the answer is the same whether the source is a private or a public IP. In the case of private ones it's uglier, because it opens a door that can turn into a serious security hole.

#54
Tyby (blue balls)
  • Group: Super Moderators
  • Posts: 15,394
  • Joined: 29.11.2001

ogo's approach is correct, it's just that - indeed - it puts some overhead on the router. But at the level raw performance has reached these days, honestly that's about the last problem I'm afraid of. I've run out of DHCP pool sooner than out of resources on the routing box. :peacefingers:
