Discussion:
[AFMUG] UBNT firewall
Bill Prince
2015-01-19 21:46:31 UTC
Nobody actually using the UBNT firewall?

bp
<part15sbs{at}gmail{dot}com>
We notice that any time we use NAT on UBNT we get a lot of login
attempts via SSH. Are any of you using the firewall built in? It's
not clear from the GUI interface whether this affects input or
forwarding, or both.
What I'd like to do is block any SSH logins that are not in one of our
subnets, but I'm afraid if I turn it on, it will affect forwarded
traffic.
Examples?
Peter Kranz
2015-01-20 17:37:07 UTC
Generally a bad idea to use that firewall (at least on the access point side) as it supposedly cuts into your PPS capacity on the radio.

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
***@unwiredltd.com

Bill Prince
2015-01-20 17:51:22 UTC
Not the AP side, but the client side. We have traditionally NATted all
residential subs on Canopy, and were trying to do the same with UBNT.

With Canopy it's easy, because the NATted TCP stack just passes through,
and if SSH ports are open, it goes to the sub's router (no impact on the
SM).

Not so with UBNT, as the public IP for NAT is also the IP for the CPE.

Just wondering if anyone else has tried the CPE firewall to prevent
brute-force SSH logins.

I suppose I could cobble together something on the POP router, but
looking for options.

bp
<part15sbs{at}gmail{dot}com>
Josh Reynolds
2015-01-20 18:05:29 UTC
Management. VLAN.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Bill Prince
2015-01-20 18:13:05 UTC
My understanding of the UBNT VLAN is that it's all one VLAN? How do you
split management/sub traffic?

bp
<part15sbs{at}gmail{dot}com>
Josh Reynolds
2015-01-20 18:15:00 UTC
It creates another interface, a tagged one. You specify which interface is the management interface. Don't route it out of your network.
Bill Prince
2015-01-20 18:17:23 UTC
OK. Great. We can put another IP on a management IP on the VLAN. How
does that block the SSH logins?

Can you specify that SSH only goes through the management VLAN?

bp
<part15sbs{at}gmail{dot}com>
Josh Reynolds
2015-01-20 18:18:15 UTC
Management services only respond on the management vlan...
Brett A Mansfield
2015-01-20 18:33:07 UTC
UBNT has a good video on this very thing. If done right, all SSH traffic would be passed through the radio to the customer's router on the public side, and the management side will only be accessible internally.

Here is a link to their video on the VLAN setup for management.
http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529

Thank you,
Brett A Mansfield
Bill Prince
2015-01-20 19:03:53 UTC
If you're bridging, where does the management VLAN get its IP address?

Likewise (or almost likewise), if we're NATting in the CPE, is there a
place to assign the VLAN interface a different IP address?

bp
<part15sbs{at}gmail{dot}com>
Brett A Mansfield
2015-01-20 19:07:36 UTC
You'll need to set up a dhcp server for that vlan or manually assign it.

Even with NAT on the CPE the management interface will work the same. But when doing NAT you'll be able to access the radio from its public address as well. There really is no reason to NAT at the radio with VLANs.

Any reason you'd do NAT at the radio?

Thank you,
Brett A Mansfield
Bill Prince
2015-01-20 19:12:37 UTC
NATting in the radio just eliminates so many issues. It solved lots of
issues for us when we did it with Canopy. It was easy because the
management/NAT are always separated in Canopy. It just became part of
our standard practice.

So if we're doing NAT on the CPE, management traffic will go to the
public interface? That seems broken. What defines "management" traffic
besides SSH/WWW ports?

bp
<part15sbs{at}gmail{dot}com>
Josh Reynolds
2015-01-20 19:39:33 UTC
Jesus Christ no.
No.

SSH, web, SNMP, etc only respond on whatever the management interface is. If it's left default, it responds on what's assigned. If you vlan it off, it only responds on that vlan. Other untagged traffic goes through as bridged or routed depending on what you have configured.
Brett A Mansfield
2015-01-20 20:13:50 UTC
It's possible there is a bug in the software then. All of my NATd radios on 5.5.9 and older I can only access the management on the management VLAN, but all of the ones running 5.5.10 I can access it on both the management VLAN and untagged interfaces.

Though there may be something in the configuration causing it. I'm double checking. It clearly shows management is set to the tagged vlan. Looks like the bridge is missing in the config though. It must have wiped it out when NAT was put in place.

Thank you,
Brett A Mansfield
Post by Josh Reynolds
Jesus Christ no.
No.
SSH, web, SNMP, etc only respond on whatever the management interface is. If it's left default, it responds on what's assigned. If you vlan it off, it only responds on that vlan. Other untagged traffic goes through as bridged or routed depending on what you have configured.
NATting in the radio just eliminates so many issues. It solved lots of issues for us when we did it with Canopy. It was easy because the management/NAT are always separated in Canopy. It just became part of our standard practice.
So if we're doing NAT on the CPE, management traffic will go to the public interface? That seems broken. What defines "management" traffic besides SSH/WWW ports?
bp
<part15sbs{at}gmail{dot}com>
Post by Brett A Mansfield
You'll need to set up a dhcp server for that vlan or manually assign it.
Even with NAT on the CPE the management interface will work the same. But when doing NAT you'll be able to access the radio from its public address as well. There really is no reason to NAT at the radio with VLANs.
Any reason you'd do NAT at the radio?
Thank you,
Brett A Mansfield
Post by Bill Prince
If you're bridging, where does the management VLAN get its IP address?
Likewise (or almost likewise), if we're NATting in the CPE, is there a place to assign the VLAN interface a different IP address?
bp
<part15sbs{at}gmail{dot}com>
UBNT has a good video on this very thing. If done right, all ssh traffic would be passed through the radio to the customers router on the public side and the management side will only be accessible internally.
Here is a link to their video on the VLAN setup for management.
http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
Thank you,
Brett A Mansfield
Post by Josh Reynolds
Management services only respond on the management vlan...
OK. Great. We can put another IP on a management IP on the VLAN. How does that block the SSH logins?
Can you specify that SSH only goes through the management VLAN?
bp
<part15sbs{at}gmail{dot}com>
Post by Josh Reynolds
It creates another interface, a tagged one. You specify which interface is the management interface. Don't route it out of your network.
Post by Josh Reynolds
My understanding of the UBNT VLAN is that it's all one VLAN? How do you split management/sub traffic?
bp
<part15sbs{at}gmail{dot}com>
Post by Josh Reynolds
Management. VLAN.
Post by Bill Prince
Not the AP side, but the client side. We have traditionally NATted all
residential subs on Canopy, and were trying to do the same with UBNT.
With Canopy it's easy, because the NATted TCP stack just passes through,
and if SSH ports are open, it goes to the sub's router (no impact on the
SM).
Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
Just wondering if anyone else has tried the CPE firewall to prevent
brute-force SSH logins.
I suppose I could cobble together something on the POP router, but
looking for options.
bp
<part15sbs{at}gmail{dot}com>
Post by Peter Kranz
Generally a bad idea to use that firewall (at least on the access point side) as it supposedly cuts into your PPS capacity on the
radio.
Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
-----Original Message-----
Sent: Monday, January 19, 2015 1:47 PM
Subject: Re: [AFMUG] UBNT firewall
Nobody actually using the UBNT firewall?
bp
<part15sbs{at}gmail{dot}com>
We notice that any time we use NAT on UBNT we get a lot of login
attempts via SSH. Are any of you using the firewall built in? It's
not clear from the GUI interface whether this affects input or
forwarding, or both.
What I'd like to do is block any
SSH logins that are not in one of our
subnets, but I'm afraid if I turn it on, it will affect forwarded
traffic.
Examples?
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
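The input-vs-forwarding question in Bill's original post and the management-VLAN answer quoted above both come down to where a packet lands in the netfilter path of a Linux-based CPE. The Python model below is an added illustration, not airOS code and not anything posted in this thread: it assumes documentation-range addresses, an `ath0.100` management sub-interface, a constructed DNAT port-forward table and the operator subnets shown, and walks sample packets through PREROUTING (DNAT), the routing decision, and an INPUT chain that permits SSH only from operator subnets arriving on the management interface, while FORWARD carries no SSH rule at all.

```python
"""Model of how a Linux/netfilter CPE decides which chain a packet takes
(INPUT vs FORWARD) and what a management-only SSH policy does to it.
Constructed illustration only: interface names, addresses, subnets,
port-forwards and sample packets are assumptions for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed CPE layout: NATted public address on the untagged wireless side
# (ath0), management address on a tagged VLAN sub-interface (ath0.100).
CPE_PUBLIC_IP = ip_address("198.51.100.10")   # documentation range, assumed
CPE_MGMT_IP = ip_address("10.200.0.10")       # assumed management address
LOCAL_IPS = {CPE_PUBLIC_IP, CPE_MGMT_IP}
MGMT_IFACE = "ath0.100"                       # assumed management VLAN 100
OPERATOR_SUBNETS = [ip_network("10.200.0.0/16"), ip_network("203.0.113.0/24")]

# Assumed DNAT port-forwards: public dport -> (inside host, inside port)
PORT_FORWARDS = {8080: (ip_address("192.168.1.1"), 80)}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"


def prerouting_nat(pkt):
    """DNAT runs before the routing decision, so a port-forwarded flow goes
    to FORWARD even though it arrived addressed to the CPE's own public IP."""
    if ip_address(pkt.dst) == CPE_PUBLIC_IP and pkt.dport in PORT_FORWARDS:
        inside_ip, inside_port = PORT_FORWARDS[pkt.dport]
        return Packet(pkt.src, str(inside_ip), inside_port, pkt.in_iface, pkt.proto)
    return pkt


def routing_decision(pkt):
    """Packets for one of the CPE's own addresses take INPUT; all others
    are forwarded (subscriber traffic behind NAT included)."""
    return "INPUT" if ip_address(pkt.dst) in LOCAL_IPS else "FORWARD"


def input_chain(pkt):
    """SSH to the CPE itself is allowed only from operator subnets and only
    via the management interface; other local traffic is accepted here for
    brevity (a production policy would be stricter)."""
    if pkt.proto == "tcp" and pkt.dport == 22:
        src = ip_address(pkt.src)
        if pkt.in_iface == MGMT_IFACE and any(src in n for n in OPERATOR_SUBNETS):
            return "ACCEPT"
        return "DROP"
    return "ACCEPT"


def forward_chain(pkt):
    """Deliberately no SSH rule: forwarded subscriber traffic is untouched."""
    return "ACCEPT"


def filter_packet(pkt):
    """Return (chain, verdict) for a packet entering the CPE."""
    pkt = prerouting_nat(pkt)
    chain = routing_decision(pkt)
    verdict = input_chain(pkt) if chain == "INPUT" else forward_chain(pkt)
    return chain, verdict


def iptables_equivalent():
    """The INPUT policy above in iptables form (illustrative, assumed names)."""
    lines = [
        f"iptables -A INPUT -i {MGMT_IFACE} -p tcp --dport 22 -s {n} -j ACCEPT"
        for n in OPERATOR_SUBNETS
    ]
    lines.append("iptables -A INPUT -p tcp --dport 22 -j DROP")
    return lines


if __name__ == "__main__":
    # Constructed sample packets covering the cases discussed in the thread.
    samples = [
        ("Internet host -> CPE public IP :22", Packet("192.0.2.55", "198.51.100.10", 22, "ath0")),
        ("operator -> CPE mgmt IP :22 via mgmt VLAN", Packet("10.200.5.5", "10.200.0.10", 22, "ath0.100")),
        ("operator -> CPE public IP :22, untagged", Packet("10.200.5.5", "198.51.100.10", 22, "ath0")),
        ("Internet host -> forwarded port 8080", Packet("192.0.2.55", "198.51.100.10", 8080, "ath0")),
        ("subscriber -> Internet :22 (outbound)", Packet("192.168.1.50", "192.0.2.1", 22, "eth0")),
    ]
    for label, pkt in samples:
        print(f"{label:45s} {filter_packet(pkt)}")
    print("\n".join(iptables_equivalent()))
```

Running the samples shows the split Bill was asking about: an SSH attempt from the Internet to the CPE's public address lands in INPUT and is dropped, an operator login via the tagged management interface is accepted, the same operator address arriving untagged is still dropped (the management-VLAN point), and both the port-forwarded flow and the subscriber's outbound SSH take FORWARD, where the policy never looks at them. The `iptables_equivalent()` lines are the same INPUT policy in rule form; they are illustrative and would need the real interface and subnet names on an actual CPE.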
Jeremy
2015-01-20 22:02:33 UTC
Permalink
If we VLAN traffic to each AP already how would we do a management VLAN?
Would we have to make every AP port a trunk port (pruned, of course), and
then let the radio do the tagging and untagging?

On Tue, Jan 20, 2015 at 1:13 PM, Brett A Mansfield <
Jeremy
2015-01-20 22:03:28 UTC
Permalink
Do UBNT radios support .1Q?
Brett A Mansfield
2015-01-20 22:34:55 UTC
Permalink
Yes, UBNT does support 802.1q. Here is an example in their community pages for what you are wanting to do:

http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-Management-tagged-and-Access-VLAN-untagged-on-Station-LAN/ta-p/1044653
Post by Jeremy
Do UBNT radios support .1Q?
Brett A Mansfield
2015-01-20 22:38:23 UTC
Permalink
Here are other details and examples:

http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-VLANs/ta-p/455741

UBNT has some great articles in their community pages. I recommend you take a look. Google is a great tool for searching them.
Jeremy
2015-01-20 22:59:34 UTC
Permalink
Awesome! Thanks Brett.

On Tue, Jan 20, 2015 at 3:38 PM, Brett A Mansfield <