UBNT has a good video on this very thing. If done right, all ssh traffic would 
be passed through the radio to the customer's router on the public side and the 
management side will only be accessible internally.

Here is a link to their video on the VLAN setup for management.
http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529

Thank you,
Brett A Mansfield


> On Jan 20, 2015, at 11:18 AM, Josh Reynolds <[email protected]> wrote:
> 
> Management services only respond on the management vlan...
> 
> On January 20, 2015 9:17:24 AM AKST, Bill Prince <[email protected]> wrote:
> OK.  Great.  We can put another IP on a management IP on the VLAN.  How does 
> that block the SSH logins?
> 
> Can you specify that SSH only goes through the management VLAN?
> 
> bp
> <part15sbs{at}gmail{dot}com>
> 
> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>> It creates another interface, a tagged one. You specify which interface is 
>> the management interface. Don't route it out of your network.
>> 
>> On January 20, 2015 9:13:06 AM AKST, Bill Prince <[email protected]> wrote:
>> My understanding of the UBNT VLAN is that it's all one VLAN? How do you 
>> split management/sub traffic?
>> 
>> bp
>> <part15sbs{at}gmail{dot}com>
>> 
>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>> Management. VLAN.
>>> 
>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince <[email protected]> wrote:
>>> Not the AP side, but the client side. We have traditionally NATted all 
>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>> 
>>> With Canopy it's easy, because the NATted TCP stack just passes through, 
>>> and if SSH ports are open, it goes to the sub's router (no impact on the 
>>> SM).
>>> 
>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
>>> 
>>> Just wondering if anyone else has tried the CPE firewall to prevent 
>>> brute-force SSH logins.
>>> 
>>> I suppose I could cobble together something on the POP router, but 
>>> looking for options.
>>> 
>>> bp
>>> <part15sbs{at}gmail{dot}com>
>>> 
>>> On 1/20/2015 9:37 AM, Peter Kranz wrote:
>>>  Generally a bad idea to use that firewall (at least on the access point
>>>  side) as it supposedly cuts into your PPS capacity on the radio.
>>> 
>>>  Peter Kranz
>>>  Founder/CEO - Unwired Ltd
>>>  www.UnwiredLtd.com <http://www.unwiredltd.com/>
>>>  Desk: 510-868-1614 x100
>>>  Mobile: 510-207-0000
>>>  [email protected] <mailto:[email protected]>
>>> 
>>>  -----Original Message-----
>>>  From: Af [mailto:[email protected]] On Behalf Of Bill Prince
>>>  Sent: Monday, January 19, 2015 1:47 PM
>>>  To: [email protected] <mailto:[email protected]>
>>>  Subject: Re: [AFMUG] UBNT firewall
>>> 
>>>  Nobody actually using the UBNT firewall?
>>> 
>>>  bp
>>>  <part15sbs{at}gmail{dot}com>
>>> 
>>>  On 1/14/2015 11:25 AM, Bill Prince wrote:
>>>  We notice that any time we use NAT on UBNT we get a lot of login
>>>  attempts via SSH.  Are any of you using the firewall built in? It's
>>>  not clear from the GUI interface whether this affects input or
>>>  forwarding, or both.
>>> 
>>>  What I'd like to do is block any SSH logins that are not in one of our
>>>  subnets, but I'm afraid if I turn it on, it will affect forwarded
>>>  traffic.
>>> 
>>>  Examples?
>>> 
>>> -- 
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.