Exactly what I needed, wanted to block WAN access for an entire subnet, quick, simple, to the point and it worked, thanks my dude!
Good stuff Willie! I love how you break it down step by step with an explanation of each step. I have pretty good networking knowledge (network tech in a previous life plus a fairly complex network at home) but you have educated me to another level. My major weakness is good knowledge of Linux-related firewall/iptables, routing, etc., as most of my networking background is with Windows, and Mainframe looooong ago. I recently got into the Ubiquiti line of gear (USG-3, ER-X, AP-AC-Lite/Mesh) and love the Ubi stuff, but it can be a challenge for non-Linux OS types. Anyway, keep up the great videos!
Man, I just got a brand new ER-4 3 days ago and I have used about 4 of your videos. SUBSCRIBED! THANKS!
If you intend on blocking multiple ports with otherwise identical rules, it's easier to create a port group in Firewall > Firewall/NAT Groups so you don't have to keep copying/duplicating rules just to block addresses or ports to/from every VLAN. Especially handy for killing inter-VLAN routing.
Awesome stuff. Really like how you explained things. I liked and subscribed!!
Thanks Willie, great videos, thanks to you and your Ubiquiti series I've now purchased both ER-Lite and ER-4 EdgeRouters. Thanks!
I've been looking for a simple how-to. This is it. Thank you.
Excellent job, short, sweet, to the point. Picked up an EdgeMax. You should be an Amazon affiliate and edit your description to include the link to the router so people who purchase can support you through an Amazon purchase.
I guess I don't see any real-life advantage of doing things manually vs automatically if you have small IoT devices etc. Anyway, just as easy as I assumed it was ... If you forward a port, well, guess what, you forward a port no matter if auto or not. Often you require forwarding for different reasons; if you need remote access to a web server, however, you could have one web server jerk things as needed with Java or HTTP etc...
I am curious on looking at other features. I have toyed around quite a bit with this thing tonight, spent a couple of hours and learned a lot before I even started looking at manuals or watching videos, as you say, hands on.
But just wanted to give a shout out and say thanks!
Willie, I wanted to go a bit more on this thank you. For over a year I hadn't really worked with my firewall rules as my understanding was just muddy. I couldn't find a video that broke things down to the point I could say aaah, that's what that means.
Fast forward to this latest video series when you broke down each area 1 by 1; for me, it was when the light went off and things started to come together. This weekend I wanted to kill every port forward rule I had and move it over to a rule group of some type, giving me more control over what endpoints had access to the network.
As you said each case is different and no one way is correct, and for a basic forward in a home or small business network the port forward page does work. For those that need more control then I see moving over to this type of configuration.
The one video that would help people is the NAT Hairpin, as I don't have an internal DHCP server. Also I am happy to say I went back to your old (voiceless) videos and rocked out a few port groups.
So I wrote all this to say I really want to thank you for the wisdom you have pushed forward to the UBNT community.
--- still watching the video but wondering, wouldn't you drop all and allow and then create exceptions?
Thanks a lot for this series. It might be 5 years old, but it still helped me set up the router :P.
I got a question about WAN_IN vs WAN_OUT. In the WAN_IN video we blocked outgoing traffic by setting the source to port 80. In this WAN_OUT we blocked outgoing traffic by setting the destination to port 80. What's the difference between the 2 blocking methods?
In the WAN_IN video, outgoing traffic was not blocked; it was the incoming traffic that was blocked. The result is the same, as internet browsing won't work unless you can send information to the server and receive information back from it.
Hi,
This is by far the most simple explanation to such scenario I've seen!! Liked it a lot.
Nevertheless, something is not working for me and I hope this is the right place to ask for help. I'm trying to set a rule for an IoT device on my network that I want to be able to communicate only with my MQTT server (outside my network). So I've followed your explanation to test it first using my laptop and a specific site, only that I want to use IPs instead of ports. I set the first rule as allow from source IP (static of my laptop) to destination IP (public of some site) and then added a second rule to block all from my source IP. That setting also blocked the access to the site from the first rule. What am I doing wrong here?
Thanks!
Hi Willie, great videos! I could really use your help on my issue and I'm sure it's something simple. I have a Cisco IP Phone registered to an ITSP via SIP and it's going through an ERLite-3 router. It has the standard firewall policies and rulesets that get configured via the wizard when you first set it up and nothing else. I'm able to receive inbound external calls but am unable to place any outbound external calls even though the phone is registered via SIP as I mentioned above. The SIP trace shows the phone sending an INVITE message for the outbound call but it never leaves the ERLite-3 router and the ITSP tech support said they don't see any traffic for the call coming to them. What do I need to configure on the eth0 outbound interface for this to work? Thank you in advance!
My setup has a webserver that can be reached from the internet using network address translation (NAT); this works correctly.
Is it possible to prevent the webserver from establishing a connection to the internet while incoming connections are still allowed? Do I need to block outgoing SYN packets? How? I want to implement this to prevent attacks like log4shell. I already tried to block connections as shown in this tutorial, but that shuts down all traffic to my webserver, making it unavailable.
How would I block all out, except for my son's online school content/log in pages?
For most scenarios, it's better to filter/block on LAN_IN rather than WAN_OUT.
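As an added example, not from the video or from any commenter, here is the LAN_IN approach from the reply above written in the EdgeOS configure-mode CLI; it also uses the port-group tip from earlier in the thread and covers the web-server question about keeping inbound NAT'd connections working while stopping the server from opening new outbound ones. The interface eth1, the address 192.168.1.10 and the group, rule and description names are assumed placeholders.

```text
# Assumed placeholders (not from the page): LAN on eth1, web server at 192.168.1.10
configure

# Port group: one object reused by every rule that needs these ports
set firewall group port-group WEB_PORTS description 'HTTP and HTTPS'
set firewall group port-group WEB_PORTS port 80
set firewall group port-group WEB_PORTS port 443

# Ruleset evaluated on packets entering the router from the LAN side
set firewall name LAN_IN description 'Filter traffic leaving the LAN'
set firewall name LAN_IN default-action accept

# Rule 10: replies belonging to connections opened from the outside (the
# NAT'd inbound sessions to the web server) are tracked by conntrack and pass
set firewall name LAN_IN rule 10 action accept
set firewall name LAN_IN rule 10 description 'Allow established/related'
set firewall name LAN_IN rule 10 state established enable
set firewall name LAN_IN rule 10 state related enable

# Rule 20: the web server may not open NEW connections to anywhere; matching
# on state new is what blocks the outgoing SYN without touching inbound service.
# Logging these drops surfaces a callback attempt from a compromised server.
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 description 'Web server no new outbound'
set firewall name LAN_IN rule 20 source address 192.168.1.10
set firewall name LAN_IN rule 20 state new enable
set firewall name LAN_IN rule 20 log enable

# Rule 30: block the whole port group for the rest of the LAN with one rule
set firewall name LAN_IN rule 30 action drop
set firewall name LAN_IN rule 30 description 'Block web ports from LAN'
set firewall name LAN_IN rule 30 protocol tcp
set firewall name LAN_IN rule 30 destination group port-group WEB_PORTS

# Attach the ruleset to the LAN interface in the 'in' direction
set interfaces ethernet eth1 firewall in name LAN_IN
commit
save
exit
```

Rule 20 also stops the server's own DNS lookups and package updates, so any destination it legitimately needs gets its own accept rule numbered below 20.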
Thanks for sharing, which helped me, a newbie, get familiar with EdgeOS. In fact, I would like to block certain websites, such as Facebook, during working days as one task of parental controls. But it seems that EdgeOS cannot do it and I find that EdgeOS is not designed for home. Do you have a way to work around it or should I just simply switch to other brand routers?
UI routers... should do a bit on capacity. For example, the ER-X is probably less than ideal for a symmetric 1Gbps connection like AT&T fiber. UI does have more capacity, like the ER-8, but you'll pay for it.
Hi Willie,
I have an issue with the EdgeRouter. I want to block AirPlay broadcasting from an AV receiver device... I think the only way to do it is to block the port that is used for AirPlay on several eth interfaces (for example eth.3).
I've tried some ways inside firewall policies but failed. Can you help?
Thanks in advance and sorry for bad English.
I know it's a dated video! But great video, saved my kids' grades by setting rules. :)
Can you block specific server IP addresses using this method please?
Sure.
Hi!!! How to block P2P uTorrent if it is encrypted!!!
Nice one, thanks for this video
Thank you! Great info!!
Thanks