Re: [AFMUG] UBNT firewall

[Bill Prince]

OK.  Great.  We can put another IP on a management IP on the VLAN.  How 
does that block the SSH logins?

Can you specify that SSH only goes through the management VLAN?
bp
<part15sbs{at}gmail{dot}com>

On 1/20/2015 10:14 AM, Josh Reynolds wrote:
It creates another interface, a tagged one. You specify which 
interface is the management interface. Don't route it out of your network.

On January 20, 2015 9:13:06 AM AKST, Bill Prince <part15...@gmail.com> 
wrote:

    My understanding of the UBNT VLAN is that it's all one VLAN? How
    do you split management/sub traffic?

    bp
    <part15sbs{at}gmail{dot}com>

    On 1/20/2015 10:05 AM, Josh Reynolds wrote:
    Management. VLAN.

    On January 20, 2015 8:51:22 AM AKST, Bill Prince
    <part15...@gmail.com> wrote:

        Not the AP side, but the client side. We have traditionally NATted all
        residential subs on Canopy, and were trying to do the same with UBNT.

        With Canopy it's easy, because the NATted TCP stack just passes through,
        and if SSH ports are open, it goes to the sub's router (no impact on the
        SM).

        Not so with UBNT, as the public IP for NAT is also the IP for the CPE.

        Just wondering if anyone else has tried the CPE firewall to prevent
        brute-force SSH logins.

        I suppose I could cobble together something on the POP router, but
        looking for options.

        bp
        <part15sbs{at}gmail{dot}com>

        On 1/20/2015 9:37 AM, Peter Kranz wrote:

            Generally a bad idea to use that firewall (at least on
            the access point side) as it supposedly cuts into your
            PPS capacity on the radio. Peter Kranz Founder/CEO -
            Unwired Ltd www.UnwiredLtd.com
            <http://www.UnwiredLtd.com> Desk: 510-868-1614 x100
            Mobile: 510-207-0000 pkr...@unwiredltd.com -----Original
            Message----- From: Af [mailto:af-boun...@afmug.com] On
            Behalf Of Bill Prince Sent: Monday, January 19, 2015 1:47
            PM To: af@afmug.com Subject: Re: [AFMUG] UBNT firewall
            Nobody actually using the UBNT firewall? bp
            <part15sbs{at}gmail{dot}com> On 1/14/2015 11:25 AM, Bill
            Prince wrote:

                We notice that any time we use NAT on UBNT we get a
                lot of login attempts via SSH. Are any of you using
                the firewall built in? It's not clear from the GUI
                interface whether this affects input or forwarding,
                or both. What I'd like to do is block any SSH logins
                that are not in one of our subnets, but I'm afraid if
                I turn it on, it will affect forwarded traffic. Examples?



    -- 
    Sent from my Android device with K-9 Mail. Please excuse my brevity. 


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.