Re: [AFMUG] UBNT firewall

2015-01-19 Thread Bill Prince

Nobody actually using the UBNT firewall?

bp


On 1/14/2015 11:25 AM, Bill Prince wrote:


We notice that any time we use NAT on UBNT we get a lot of login 
attempts via SSH.  Are any of you using the firewall built in? It's 
not clear from the GUI interface whether this affects input or 
forwarding, or both.


What I'd like to do is block any SSH logins that are not in one of our 
subnets, but I'm afraid if I turn it on, it will affect forwarded 
traffic.


Examples?






Re: [AFMUG] UBNT firewall

2015-01-20 Thread Peter Kranz
Generally a bad idea to use that firewall (at least on the access point side) 
as it supposedly cuts into your PPS capacity on the radio.

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-
pkr...@unwiredltd.com




Re: [AFMUG] UBNT firewall

2015-01-20 Thread Bill Prince
Not the AP side, but the client side. We have traditionally NATted all 
residential subs on Canopy, and were trying to do the same with UBNT.


With Canopy it's easy, because the NATted TCP stack just passes through, 
and if SSH ports are open, it goes to the sub's router (no impact on the 
SM).


Not so with UBNT, as the public IP for NAT is also the IP for the CPE.

Just wondering if anyone else has tried the CPE firewall to prevent 
brute-force SSH logins.


I suppose I could cobble together something on the POP router, but 
looking for options.


bp
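
The INPUT/FORWARD split behind the worry above, as an added example that is not from the thread or from Ubiquiti: on a Linux router with iptables (the POP router mentioned here, or any box with a shell), SSH aimed at the device itself is matched in the INPUT chain, while subscriber traffic passing through it is matched in FORWARD, so restricting SSH in INPUT alone leaves forwarding untouched. The subnets and the chain name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ubiquiti.
# Limits SSH to the operator's own subnets on a Linux router's INPUT chain.
# Packets addressed to the router itself traverse INPUT; packets the router
# passes on for subscribers traverse FORWARD, which nothing below references,
# so forwarded traffic is unaffected.
# The subnets are constructed placeholders (RFC 5737 documentation ranges).

MGMT_SUBNETS="192.0.2.0/24 198.51.100.0/24"   # constructed operator ranges
SSH_PORT=22

# Print the rule set rather than applying it, so it can be reviewed first.
# Order matters: keep established sessions, allow the operator's subnets,
# log a sample of the rest, then drop what is left.
ssh_input_rules() {
    if [ -z "$MGMT_SUBNETS" ]; then
        echo "refusing to build rules with an empty allow list (would lock everyone out)" >&2
        return 1
    fi
    # A dedicated chain keeps the policy in one place; flush it if it already exists.
    echo "iptables -N MGMT_SSH 2>/dev/null || iptables -F MGMT_SSH"
    echo "iptables -A MGMT_SSH -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in $MGMT_SUBNETS; do
        echo "iptables -A MGMT_SSH -s $net -j ACCEPT"
    done
    # Rate-limited logging keeps brute-force sources visible without flooding syslog.
    echo "iptables -A MGMT_SSH -m limit --limit 5/min -j LOG --log-prefix 'ssh-denied: '"
    echo "iptables -A MGMT_SSH -j DROP"
    # Hook only SSH packets destined for the router itself; -C avoids a duplicate jump on re-run.
    echo "iptables -C INPUT -p tcp --dport $SSH_PORT -j MGMT_SSH 2>/dev/null || iptables -I INPUT -p tcp --dport $SSH_PORT -j MGMT_SSH"
}

# Number of generated rules that attach to a given built-in chain;
# rules_for_chain FORWARD must be 0 for the rule set to leave forwarding alone.
rules_for_chain() {
    ssh_input_rules | grep -c -- "-[AI] $1 " || true
}

# Dry run by default; APPLY=1 pipes the rules into the shell (run as root).
if [ "${APPLY:-0}" = "1" ]; then
    ssh_input_rules | sh
else
    ssh_input_rules
fi
```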



Re: [AFMUG] UBNT firewall

2015-01-20 Thread Josh Reynolds
Management. VLAN.


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [AFMUG] UBNT firewall

2015-01-20 Thread Bill Prince
My understanding of the UBNT VLAN is that it's all one VLAN? How do you 
split management/sub traffic?


bp






Re: [AFMUG] UBNT firewall

2015-01-20 Thread Josh Reynolds
It creates another interface, a tagged one. You specify which interface is the 
management interface. Don't route it out of your network.


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Bill Prince
OK.  Great.  We can put another IP on a management IP on the VLAN.  How 
does that block the SSH logins?


Can you specify that SSH only goes through the management VLAN?

bp






Re: [AFMUG] UBNT firewall

2015-01-20 Thread Josh Reynolds
Management services only respond on the management vlan...


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Brett A Mansfield
UBNT has a good video on this very thing.  If done right, all ssh traffic would 
be passed through the radio to the customer's router on the public side and the 
management side will only be accessible internally.

Here is a link to their video on the VLAN setup for management.
http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529

Thank you,
Brett A Mansfield





Re: [AFMUG] UBNT firewall

2015-01-20 Thread Bill Prince

If you're bridging, where does the management VLAN get its IP address?

Likewise (or almost likewise), if we're NATting in the CPE, is there a 
place to assign the VLAN interface a different IP address?


bp








Re: [AFMUG] UBNT firewall

2015-01-20 Thread Brett A Mansfield
You'll need to set up a dhcp server for that vlan or manually assign it. 

Even with NAT on the CPE the management interface will work the same. But when 
doing NAT you'll be able to access the radio from its public address as well. 
There really is no reason to NAT at the radio with VLANs. 

Any reason you'd do NAT at the radio?

Thank you,
Brett A Mansfield



Re: [AFMUG] UBNT firewall

2015-01-20 Thread Bill Prince
NATting in the radio just eliminates so many issues.  It solved lots of 
issues for us when we did it with Canopy.  It was easy because the 
management/NAT are always separated in Canopy.  It just became part of 
our standard practice.


So if we're doing NAT on the CPE, management traffic will go to the 
public interface?  That seems broken.  What defines "management" traffic 
besides SSH/WWW ports?


bp










Re: [AFMUG] UBNT firewall

2015-01-20 Thread Josh Reynolds
Jesus Christ no.
No.

SSH, web, SNMP, etc. only respond on whatever the management interface is. If 
it's left default, it responds on what's assigned. If you vlan it off, it only 
responds on that vlan. Other untagged traffic goes through as bridged or routed 
depending on what you have configured.

On January 20, 2015 10:12:37 AM AKST, Bill Prince  wrote:
>NATting in the radio just eliminates so many issues.  It solved lots of
>
>issues for us when we did it with Canopy.  It was easy because the 
>management/NAT are always separated in Canopy.  It just became part of 
>our standard practice.
>
>So if we're doing NAT on the CPE, management traffic will go to the 
>public interface?  That seems broken.  What defines "management"
>traffic 
>besides SSH/WWW ports?
>
>bp
>
>
>On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
>> You'll need to set up a dhcp server for that vlan or manually assign
>it.
>>
>> Even with NAT on the CPE the management interface will work the same.
>
>> But when doing NAT you'll be able to access the radio from its public
>
>> address as well. There really is no reason to NAT at the radio with 
>> VLANs.
>>
>> Any reason you'd do NAT at the radio?
>>
>> Thank you,
>> Brett A Mansfield
>>
>> On Jan 20, 2015, at 12:03 PM, Bill Prince > <mailto:part15...@gmail.com>> wrote:
>>
>>> If you're bridging, where does the management VLAN get it's IP
>address?
>>>
>>> Likewise (or almost likewise), if we're NATting in the CPE, is there
>
>>> a place to assign the VLAN interface a different IP address?
>>>
>>> bp
>>> 
>>>
>>> On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
>>>> UBNT has a good video on this very thing. �If done right, all ssh
>
>>>> traffic would be passed through the radio to the customers router
>on 
>>>> the public side and the management side will only be accessible 
>>>> internally.
>>>>
>>>> Here is a link to their video on the VLAN setup for management.
>>>>
>>>> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
>>>>
>>>> Thank you,
>>>> Brett A Mansfield
>>>>
>>>>
>>>>> On Jan 20, 2015, at 11:18 AM, Josh Reynolds >>>> <mailto:j...@spitwspots.com>> wrote:
>>>>>
>>>>> Management services only respond on the management vlan...
>>>>>
>>>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince 
>>>>> mailto:part15...@gmail.com>> wrote:
>>>>>
>>>>> OK. Great. We can put another IP on a management IP on
>>>>> the VLAN. How does that block the SSH logins?
>>>>>
>>>>> Can you specify that SSH only goes through the management VLAN?
>>>>>
>>>>> bp
>>>>> 
>>>>>
>>>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>>>>>> It creates another interface, a tagged one. You specify which
>>>>>> interface is the management interface. Don't route it out of
>>>>>> your network.
>>>>>>
>>>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince
>>>>>>  wrote:
>>>>>>
>>>>>> My understanding of the UBNT VLAN is that it's all one
>>>>>> VLAN? How do you split management/sub traffic?
>>>>>>
>>>>>> bp
>>>>>> 
>>>>>>
>>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>>>>>> Management. VLAN.
>>>>>>>
>>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince
>>>>>>>  wrote:
>>>>>>>
>>>>>>> Not the AP side, but the client side. We have traditionally NATted all
>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>>
>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes through,
>>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on the
>>>>>>> SM).
>>>>>>>
>>>>>>> Not so wit
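Bill's worry above (does a firewall rule on the CPE hit input, forwarding, or both?) as an added model, not code from the thread or from airOS: it mimics the Linux order of operations the airOS firewall sits on, where DNAT port-forwards run before the routing decision that splits INPUT from FORWARD. All addresses, subnets and the port-forward are constructed.

```python
"""Which traffic does an SSH restriction in a NATting CPE's firewall touch?

Added model, not code from the thread or from airOS.  It mimics the
Linux/iptables order of operations: DNAT port-forwards run in
PREROUTING, then the routing decision sends packets still addressed to
the CPE to INPUT and everything else to FORWARD.  All addresses,
subnets and the port-forward below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

OUR_SUBNETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed NOC range
CPE_PUBLIC_IP = ipaddress.ip_address("192.0.2.10")       # CPE = NAT address
SUBSCRIBER_ROUTER = "192.168.1.2"                        # behind the NAT
MGMT_PORTS = {22, 80, 443, 161}    # services the CPE itself listens on
PORT_FORWARDS = {8080: 80}         # public port -> port on SUBSCRIBER_ROUTER


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def prerouting(pkt: Packet) -> Packet:
    """nat PREROUTING: rewrite a forwarded public port to the subscriber.
    (Conntrack un-NATs replies to the subscriber's outbound flows here as
    well; that case is left out to keep the model short.)"""
    if pkt.dst == str(CPE_PUBLIC_IP) and pkt.dport in PORT_FORWARDS:
        return replace(pkt, dst=SUBSCRIBER_ROUTER, dport=PORT_FORWARDS[pkt.dport])
    return pkt


def chain_for(pkt: Packet) -> str:
    """Routing decision after NAT: still addressed to the CPE -> INPUT,
    anything else (including what was just DNATed) -> FORWARD."""
    return "INPUT" if ipaddress.ip_address(pkt.dst) == CPE_PUBLIC_IP else "FORWARD"


def input_policy(pkt: Packet) -> str:
    """INPUT chain: management ports only from OUR_SUBNETS, rest accepted."""
    if pkt.dport not in MGMT_PORTS:
        return "ACCEPT"
    src = ipaddress.ip_address(pkt.src)
    return "ACCEPT" if any(src in net for net in OUR_SUBNETS) else "DROP"


def process(pkt: Packet) -> tuple[str, str, Packet]:
    """Run one packet through PREROUTING, routing and the chain policies.
    Returns (chain, verdict, packet after NAT).  FORWARD stays ACCEPT, so
    the INPUT restriction cannot affect the subscriber's NATted traffic."""
    after_nat = prerouting(pkt)
    chain = chain_for(after_nat)
    verdict = input_policy(after_nat) if chain == "INPUT" else "ACCEPT"
    return chain, verdict, after_nat


# Constructed traffic: a brute-force source elsewhere on the internet, a NOC
# host, and a visitor to the subscriber's port-forwarded web server.
SAMPLE = [
    Packet("198.51.100.77", "192.0.2.10", 22),     # internet -> CPE ssh: DROP
    Packet("203.0.113.5", "192.0.2.10", 22),       # NOC -> CPE ssh: ACCEPT
    Packet("198.51.100.77", "192.0.2.10", 8080),   # -> subscriber web: FORWARD
]

if __name__ == "__main__":
    for p in SAMPLE:
        chain, verdict, out = process(p)
        print(f"{p.src} -> {p.dst}:{p.dport}  {chain:7} {verdict:6}  "
              f"after NAT {out.dst}:{out.dport}")
```

The same split is why a management VLAN works: services bound only to the management interface never see the public-side INPUT traffic at all.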

Re: [AFMUG] UBNT firewall

2015-01-20 Thread Brett A Mansfield
gement. VLAN.
>>>>>>>>>> 
>>>>>>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince 
>>>>>>>>>>>  wrote:
>>>>>>>>>>> Not the AP side, but the client side. We have traditionally NATted all
>>>>>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>>>>>>
>>>>>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes through,
>>>>>>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on the
>>>>>>>>>>> SM).
>>>>>>>>>>>
>>>>>>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
>>>>>>>>>>>
>>>>>>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent
>>>>>>>>>>> brute-force SSH logins.
>>>>>>>>>>>
>>>>>>>>>>> I suppose I could cobble together something on the POP router, but
>>>>>>>>>>> looking for options.
>>>>>>>>>>> 
>>>>>>>>>>> bp
>>>>>>>>>>> 


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Jeremy
 it's easy, because the NATted TCP stack just passes through,


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Jeremy
>>>>> bp


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Brett A Mansfield
K. Great. We can put another IP on a management IP on the
>>>>>> VLAN. How does that block the SSH logins?


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Brett A Mansfield
.


Re: [AFMUG] UBNT firewall

2015-01-20 Thread Jeremy
>>>> Brett A Mansfield