Network configuration
Overview
- DOCSIS modem in bridge mode provided by Spectrum (no WiFi thank you very much!)
- Ubiquiti EdgeRouter as firewall, with 4 ports (one is used up by the D-Link switch)
- 8-port D-Link 1G switch
- Unifi AP-AC-Lite access point; Unifi controller in Docker on Bellman
Bellman provides DNS and DHCP
- WLAN wildsong2 2.4 GHz
- WLAN wildsong5 5 GHz
Someday I might put up SSID=wildsong for guest access and create a separate VLAN but at the moment I have more interesting things to do.
Wired
- Bellman server
- Murre Windows 10 Desktop
- Other random gadgets come and go, including a few Raspberry Pis
- 1 Grandstream Android phone
Wireless via Unifi
I think everything but the Squeezebox should work on 5 GHz.
In the eLab,
- Desktop Tern
- 1 Grandstream Android phone
- Laptops
- Squeezebox, 2.4 GHz ONLY
EdgeRouter-X
2018-11-05 Current firmware is 1.9.7; 1.10.7 is available and a few fixes might be relevant.
Use the bwilson account to get access.
You can SSH into it or go to its web interface.
I have a basic firewall set up here. There are additional rules on Bellman.
Port forwarding to Bellman
- SSH
- Asterisk (UDP for RTP, 5060-5061 for SIP)
- HTTPS (not HTTP!)
Masquerade for outbound traffic
It does DDNS to Cloudflare. See https://gw/#Services/DNS
set service dns dynamic interface eth0 service custom-cloudflare protocol cloudflare
set service dns dynamic interface eth0 service custom-cloudflare server www.cloudflare.com
set service dns dynamic interface eth0 service custom-cloudflare host-name bellman.wildsong.biz
set service dns dynamic interface eth0 service custom-cloudflare login "[email protected]"
set service dns dynamic interface eth0 service custom-cloudflare password "xxxxxxxx"
set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz use=web ssl=yes"
To see current settings:
show service dns
 dynamic {
     interface eth0 {
         service custom-cloudflare {
             host-name bellman.wildsong.biz
             login [email protected]
             options zone=wildsong.biz
             password xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
             protocol cloudflare
             server www.cloudflare.com
         }
     }
 }
 forwarding {
     cache-size 400
     listen-on switch0
     name-server 8.8.8.8
     name-server 8.8.4.4
     options expand-hosts
 }
Use this command to get status:
show dns dynamic status
Force update:
update dns dynamic interface eth0
Firewall ruleset
In the Port Forwarding tab, turn off the feature that automatically allows port forwarded traffic.
In the WAN_IN ruleset, I have 6 rules now
- Allow established/related
- Drop invalid state
- Accept media traffic - ports 10000-20000 both TCP and UDP
- Accept all Twilio traffic for North America (using a group)
- Accept SSH destination bellman port 22
- Accept HTTPS destination bellman port 443
- Accept destination bellman port 9200,9300 - elasticsearch
Getting hammered from the Internet on my Asterisk server
Set up a whitelist for Twilio and block all other outside SIP traffic.
"Simply create an address group, name it "whitelist" and add the allowed IP addresses.
Now go to the firewall tab and look for the ruleset that blocks the traffic. Add a new rule and allow the traffic for this address group under the source/destination tab - depending on what you want to whitelist. Be sure to check the rule order so the "allow" comes before any "reject" or "drop". Otherwise the connection might be rejected/denied before the whitelist rule even gets checked..."
It appears to be working; I can still see attempts in the "STATS" tab for WAN-IN but nothing on the Asterisk console. This should reduce the work that Bellman has to do, checking ACL lists.
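An added check for the rule-ordering point in the quoted advice (my own example, not the router's own tooling): it parses EdgeOS-style `set firewall name ... rule ...` lines and flags a SIP accept that has no source address-group, or a SIP drop numbered below the whitelist accept. The rule numbers, the group name `whitelist` and the sample config are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample (rule numbers and the "whitelist" group are assumptions).
SAMPLE_CONFIG = """
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 protocol udp
set firewall name WAN_IN rule 30 destination port 5060-5061
set firewall name WAN_IN rule 30 source group address-group whitelist
set firewall name WAN_IN rule 35 action drop
set firewall name WAN_IN rule 35 protocol udp
set firewall name WAN_IN rule 35 destination port 5060-5061
set firewall name WAN_IN rule 50 action accept
set firewall name WAN_IN rule 50 destination port 22
"""

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+?) (\S+)$")

def parse_rules(text):
    """{ruleset: {rule_number: {key: value}}} from 'set firewall ...' lines."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, num, key, value = m.groups()
            rules[name].setdefault(int(num), {})[key] = value
    return rules

def expand_ports(spec):
    """'5060-5061,22' -> {5060, 5061, 22}; an empty spec gives an empty set."""
    out = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check_sip_exposure(ruleset, sip_ports=frozenset({5060, 5061}), group="whitelist"):
    """Rules run in ascending number order: flag a SIP drop numbered below the whitelist accept, or a SIP accept without the group."""
    findings, accept_seen = [], False
    for num in sorted(ruleset):
        r = ruleset[num]
        if not sip_ports & expand_ports(r.get("destination port", "")):
            continue  # rule does not touch SIP ports
        if r.get("action") == "accept":
            if r.get("source group address-group") != group:
                findings.append(f"rule {num}: SIP accept with no {group} group")
            accept_seen = True
        elif r.get("action") == "drop" and not accept_seen:
            findings.append(f"rule {num}: SIP drop precedes the whitelist accept")
    return findings
```

Run it over the output of `show configuration commands | grep 'firewall name WAN_IN'` to check the live ruleset.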
Getting syn flooded from 23.225.141.70
ssh 192.168.123.1
configure
# Find a good rule number to use
show firewall name WAN_IN
# Add the rule to blacklist the attacker
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 source address 23.225.141.70
set firewall name WAN_IN rule 40 protocol tcp
commit; save
# Did not work!
delete firewall name WAN_IN rule 40
commit; save
# Heavy handed, but we're running all services on HTTP anyway
# Just drop port forwarding for port 80!
show port-forward
 rule 4 {
     description HTTP
     forward-to {
         address 192.168.123.2
         port 80
     }
     original-port 80
     protocol tcp
 }
 ...
delete port-forward rule 4
commit; save
This worked. For now anyway.
Unifi
Use the vastra account to get access to the UniFi server in Docker.
2018-11-05 Firmware revision is 3.9.27.8537; as of today, 3.9.54.9373 is available but not worth installing.