NATting in the radio just eliminates so many issues. It solved lots of
issues for us when we did it with Canopy. It was easy because the
management/NAT are always separated in Canopy. It just became part of
our standard practice.
So if we're doing NAT on the CPE, management traffic will go to the
public interface? That seems broken. What defines "management" traffic
besides SSH/WWW ports?
bp
<part15sbs{at}gmail{dot}com>
On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
You'll need to set up a dhcp server for that vlan or manually assign it.
Even with NAT on the CPE the management interface will work the same.
But when doing NAT you'll be able to access the radio from its public
address as well. There really is no reason to NAT at the radio with
VLANs.
Any reason you'd do NAT at the radio?
Thank you,
Brett A Mansfield
On Jan 20, 2015, at 12:03 PM, Bill Prince <part15...@gmail.com
<mailto:part15...@gmail.com>> wrote:
If you're bridging, where does the management VLAN get its IP address?
Likewise (or almost likewise), if we're NATting in the CPE, is there
a place to assign the VLAN interface a different IP address?
bp
<part15sbs{at}gmail{dot}com>
On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
UBNT has a good video on this very thing. If done right, all ssh
traffic would be passed through the radio to the customers router on
the public side and the management side will only be accessible
internally.
Here is a link to their video on the VLAN setup for management.
http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
Thank you,
Brett A Mansfield
On Jan 20, 2015, at 11:18 AM, Josh Reynolds <j...@spitwspots.com
<mailto:j...@spitwspots.com>> wrote:
Management services only respond on the management vlan...
On January 20, 2015 9:17:24 AM AKST, Bill Prince
<part15...@gmail.com <mailto:part15...@gmail.com>> wrote:
OK. Great. We can put another IP on a management IP on the VLAN. How does that block the SSH logins?
Can you specify that SSH only goes through the management VLAN?
bp
<part15sbs{at}gmail{dot}com>
On 1/20/2015 10:14 AM, Josh Reynolds wrote:
It creates another interface, a tagged one. You specify which
interface is the management interface. Don't route it out of
your network.
On January 20, 2015 9:13:06 AM AKST, Bill Prince
<part15...@gmail.com> wrote:
My understanding of the UBNT VLAN is that it's all one
VLAN? How do you split management/sub traffic?
bp
<part15sbs{at}gmail{dot}com>
On 1/20/2015 10:05 AM, Josh Reynolds wrote:
Management. VLAN.
On January 20, 2015 8:51:22 AM AKST, Bill Prince
<part15...@gmail.com> wrote:
Not the AP side, but the client side. We have traditionally NATted all residential subs on Canopy, and were trying to do the same with UBNT.
With Canopy it's easy, because the NATted TCP stack just passes through, and if SSH ports are open, it goes to the sub's router (no impact on the SM).
Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
Just wondering if anyone else has tried the CPE firewall to prevent brute-force SSH logins.
I suppose I could cobble together something on the POP router, but looking for options.
bp
<part15sbs{at}gmail{dot}com>
On 1/20/2015 9:37 AM, Peter Kranz wrote:
Generally a bad idea to use that firewall (at least on the access point side) as it supposedly cuts into your PPS capacity on the radio.
Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com <http://www.unwiredltd.com/>
Desk: 510-868-1614 x100 Mobile: 510-207-0000
pkr...@unwiredltd.com
-----Original Message-----
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince
Sent: Monday, January 19, 2015 1:47 PM
To: af@afmug.com
Subject: Re: [AFMUG] UBNT firewall
Nobody actually using the UBNT firewall?
bp
<part15sbs{at}gmail{dot}com>
On 1/14/2015 11:25 AM, Bill Prince wrote:
We notice that any time we use NAT on UBNT we get a lot of login attempts via SSH. Are any of you using the firewall built in? It's not clear from the GUI interface whether this affects input or forwarding, or both. What I'd like to do is block any SSH logins that are not in one of our subnets, but I'm afraid if I turn it on, it will affect forwarded traffic. Examples?
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
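Added example, not from any poster in this thread: it models the policy Bill asks about, restricting SSH to the radio itself (INPUT chain) to the operator's own subnets while leaving forwarded, NATted subscriber traffic alone, and flags failed logins from outside those subnets. The trusted subnets and the log lines are constructed, and it assumes plain iptables rather than the airOS firewall GUI.

```python
"""SSH-to-CPE policy: accept SSH on the INPUT chain only from trusted subnets;
never touch FORWARD, so NATted subscriber traffic still passes through."""
import ipaddress
import re

# Assumption: the operator's own management/office subnets (constructed values).
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/26")]

# Constructed sample log lines in OpenSSH's "Failed password" format.
SAMPLE_LOG = """\
Jan 20 09:01:02 cpe sshd[812]: Failed password for root from 192.0.2.77 port 40112 ssh2
Jan 20 09:01:05 cpe sshd[812]: Failed password for root from 192.0.2.77 port 40113 ssh2
Jan 20 09:01:09 cpe sshd[815]: Failed password for admin from 203.0.113.9 port 51000 ssh2
Jan 20 09:01:11 cpe sshd[816]: Failed password for ubnt from 192.0.2.77 port 40114 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def is_trusted(src):
    """True when the source address falls inside one of the trusted subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED)


def untrusted_failures(log_text):
    """Count failed SSH logins per source address that is outside the trusted subnets."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and not is_trusted(m.group(2)):
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts


def input_chain_rules(port=22):
    """iptables rules for the INPUT chain only (traffic addressed to the radio).
    FORWARD is untouched, so SSH that NAT sends on to the sub's router is unaffected."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in TRUSTED]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for src, n in untrusted_failures(SAMPLE_LOG).items():
        print(f"{src}: {n} failed SSH logins from outside trusted subnets")
    print("\n".join(input_chain_rules()))
```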