I am configuring my hex 750Br3 with:
EN2 with an unmanaged switch where I have my UAP AP and all my CCTV and IoT devices outdoors.
EN3 with another Netgear unmanaged switch with all the employees' LAN PCs/Macs, and a UAP AP indoors.
EN4 where I have other LAN devices and a PPPoE connection to a UAP AP and Radius/Userman.
EN5 to have a PPPoE connection to another device located next door at the lab.
I have not configured any bridges on any of the EN ports, having read a few posts to avoid it, but the hEX ports other than EN1 & 2 are all slaves. I can not figure out how to divorce them from it, because there is no dialog on the form to do so, nor am I aware of what to do, so I tried my own way to get my config going.
Now, right in the middle of doing the DHCP servers, the address list, DHCP servers and routes all went RED, and Routes told me all but 2 are unreachable. I still can not figure out why, being a newbie, but maybe it is because I haven't plugged my cables in yet on EN3-5, since I am doing this at the lab?
Can someone assist me or slam my head with the right scripts or a window to fix my little hEX? I am out of juice already and it seems my paycheck will never come this month, LOL.
I am hoping this friendly forum can help.
Thank you,
Thank you. I will. Let me export in a few; I am just a few minutes away from my workstation.
The storm took all my time yesterday, and today the clean-up and taking the tree out of my yard/terrace. Sorry for not getting back quickly, but first things first before I lose my mind!! Gracias!
The config started fresh with no default config and, like I said above, there is no bridge. It's a hEX and all ports but 1 and 2 are slaves. They're all on their own ether ports and devices.
(1) There is a disconnect in the config…
You have five pools but only four DHCP servers, etc.
ip pools for
cctv-iot
lan-pool2
radius
ppoe
pool5
BUT dhcp servers for
cctv-iot -ETHER2
lan-pool2- ETHER3
radius -ETHER4
pool5 - PPOE -ETHER5
Which leads me to believe you have a duplicate in the pools (in that ppoe and pool5 are for the same purpose).
(2) Set your firewall rules to default; not sure what you made up there (from what sources), but it's not efficient or well structured
(other than your special torrent rules, which I guess are there for a purpose and should stay).
(3) The first NAT rule is fine; not sure you need the following three???
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
(can be removed or disabled if not doing any port forwarding.)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment=\
Now you have a forward chain that drops all traffic from LAN to LAN, LAN to WAN and WAN to LAN.
If you wish to ENABLE any traffic then you have to add the rules where the +++++++ line is located (before the drop-all-else rule at the end).
For example, if you wish to allow all your subnets to the internet:
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN ***
*** You would put your two torrent rules right before this rule!!
For example, if you wish to allow LAN3 one-way connectivity (unsolicited) to IoT-CCTV:
add chain=forward action=accept in-interface=ether3 out-interface=ether2
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
**add action=accept chain=input comment="Allow ADMIN to Router" in-interface=ether3 ***********
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
DO NOT ADD THIS LAST RULE AT THE BOTTOM UNTIL YOU ARE SURE YOU HAVE ADMIN ACCESS !!! **************
add action=drop chain=input comment="Drop All Else"
************** Basically the idea here is the same as for the forward chain: you want to lock down any traffic to and from the router itself and then only allow the traffic required.
The most important thing to do is to ensure ONLY the admin has FULL access to the router. The rest of the users DO NOT, and thus we typically give FULL access only to the ethernet port (or VLAN(s)) the admin will be using to access/configure the router. The rest of the users typically only need DNS services from the router (sometimes NTP).
Caution: however, if you put the block-all rule first and do not have an admin access rule already in place, you will lock yourself out of the router.
One last thing: if you have a bunch of users on the same ethernet port (LAN) and you want to tighten down access to just you, that is easily done with a firewall source address list.
In this case you ensure you have statically assigned your device(s) in DHCP server leases,
for example admin desktop PC, admin laptop, admin iPad, admin smartphone, to a list called adminaccess; then the rule becomes
add chain=input action=accept in-interface=ether3 src-address-list=adminaccess
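The whole structure described in this post, assembled into one importable RouterOS script. This is an added example, not the original poster's export and not Anav's own config: it assumes ether1 is the WAN port, ether2-ether4 are the LAN ports, the admin sits on ether3 in 192.168.3.0/24, the staff DHCP server is named lan-pool2, and the admin MAC addresses and IPs shown are placeholders. The torrent rules from the original export are not reproduced; the comment marks where they belong.

```routeros
# Added example (assumed interface roles and addresses).
# Interface lists so the rules never name ether1 directly.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN

# Admin devices: pin them with static DHCP leases, then list the same
# addresses so the input chain can match on them. MACs/IPs are placeholders.
/ip dhcp-server lease
add address=192.168.3.10 mac-address=AA:BB:CC:00:00:10 server=lan-pool2 comment="admin desktop"
add address=192.168.3.11 mac-address=AA:BB:CC:00:00:11 server=lan-pool2 comment="admin laptop"
/ip firewall address-list
add address=192.168.3.10 list=adminaccess comment="admin desktop"
add address=192.168.3.11 list=adminaccess comment="admin laptop"

/ip firewall filter
# ---- forward chain: traffic passing through the router ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# +++ every permitted NEW flow goes here, above the final drop +++
# (the special torrent rules from the original export belong right here)
add action=accept chain=forward comment="LAN subnets to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="staff LAN (ether3) to CCTV/IoT (ether2), one way" in-interface=ether3 out-interface=ether2
add action=drop chain=forward comment="Drop All Else"

# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=ether3 src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
# Add this last rule only after confirming you can still log in from a
# device in the adminaccess list.
add action=drop chain=input comment="Drop All Else"

# One masquerade rule on the WAN list covers every LAN subnet.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
```

Paste it into a terminal session opened from the admin port with Safe Mode enabled (Ctrl+X in the terminal, or the button in Winbox): if the session drops before you confirm, RouterOS rolls the changes back instead of leaving you locked out. Note that the CCTV/IoT segment on ether2 is not a member of any accept rule with the WAN as destination beyond the generic LAN-to-WAN line; if those cameras must never reach the internet, drop ether2 from the LAN list and give it only the rules it needs.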
(own address of an interface must never be the same as the network address). Whether this also causes the ether3 and ether4 subnets to become unreachable is beyond my knowledge; it would have to be due to some bug.
What I don't understand at all is why there is "PPPoE conn" at ether5 and "PPPoE Radius Userman" at ether4 on the drawing, but in the configuration the PPPoE server is attached to ether4 rather than ether5.
Are remote PPPoE clients actually supposed to connect to a PPPoE server listening at ether5? If so, you've misunderstood how PPPoE works, as you've assigned a DHCP server to ether5. It can be done, but the DHCP server will not assign addresses to PPPoE clients; it will assign them to DHCP clients connected to ether5.
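To make the PPPoE-versus-DHCP point concrete, here is an added example (not the poster's config) of how PPPoE clients on ether5 actually get their addresses: from the pool named in the PPP profile that the PPPoE server uses, with authentication handed to RADIUS. The pool ranges, profile and service names, and the RADIUS secret are assumptions; the RADIUS address 127.0.0.1 assumes User Manager runs on the same router.

```routeros
# Added example; names, addresses and secret are placeholders.

# Pool for PPPoE sessions. A DHCP server never hands these out.
/ip pool
add name=ppoe-pool ranges=10.5.0.2-10.5.0.254

# The PPP profile is what binds the pool to PPPoE sessions:
# local-address is the router's end, remote-address the pool for clients.
/ppp profile
add name=lab-pppoe local-address=10.5.0.1 remote-address=ppoe-pool

# PPPoE server listening on ether5, one session per client MAC.
/interface pppoe-server server
add service-name=lab interface=ether5 default-profile=lab-pppoe \
    one-session-per-host=yes authentication=mschap2 disabled=no

# Send PPP authentication to RADIUS (User Manager on this router).
/ppp aaa
set use-radius=yes
/radius
add service=ppp address=127.0.0.1 secret=CHANGE-ME comment="local User Manager"

# A DHCP server on the same port serves only plain Ethernet hosts on ether5,
# from its own, separate pool; it has no effect on the PPPoE sessions above.
/ip pool
add name=pool5 ranges=192.168.5.10-192.168.5.200
/ip dhcp-server
add name=dhcp-ether5 interface=ether5 address-pool=pool5 disabled=no
```

If every device behind ether5 will authenticate over PPPoE, the DHCP server and pool5 at the bottom are unnecessary, which is the duplicate that the pool/DHCP-server mismatch earlier in the thread pointed at.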
Thank you, Anav.
Like I said, I am completely a newbie here. Did you mean one NAT rule is enough to get all the DHCP servers' IPs translated? Even PPPoE on Radius?
I went through your replies early today, but because of the heavy rains here I will have to make the changes later so I can attend to the damage outside the house. I will dig in later and make the appropriate changes where possible.
The ether5 connection does not exist yet; it's awaiting funding. I will strip them out later.
My intention was that only me/admin and a few specific MAC addresses that belong to support staff will have full access rights. So,
All on ether2,3,4,5 are prohibited from accessing each other's devices, except the specific local servers.
Ether2 only has CCTV monitors, IoT, and CCTV cams with their own UAP AP. The intent is to keep them from the outside and block the space from the internet.
Ether3 is only for intra/internet for company staff, servers, LAN, and for their guests' mobile devices a UAP AP to access only the internet.
Ether4 is only for all users on that LAN and has its own UAP AP. All in that space must use Radius to authenticate and also access intra/internet.
Ether5 is for the LAB PPPoE connection, but it does NOT exist yet, waiting for space assignment, funding, construction and AP.
Thank you, Cindy. I've corrected that .0 on ether5 (it's a lab waiting) but deleted that entry earlier since it does not exist yet. FYI, there is a PPPoE on ether4 to a UAP AP with a Userman/Radius and it's in the script above, but uncabled at this time; ether3 is also not cabled up because the hEX is in the lab, and I was thinking yesterday, right in the middle of the storm, that the red errors were probably from the unterminated ether ports, hence the "unreachable" routes.
If you may, amigo: how do I get rid of hEX ports 3-5 from slavery? Is there a special script to convert them to nothing or something, and send them to their freedom? This is 2021, for heaven's sake!
If they are not part of a bridge port, then open the interface properties and there might/should be a 'master port' option. This is typical on ports in the same switch chip to bridge them via hardware (essentially), but I thought they got rid of this when moving to hardware offloading in the bridge itself; it might be a hold-over. Set the master port to 'none' and you should be good to go.
If you are really stuck, DM me and I'd be happy to AnyDesk in and help.
Just fixed my yard and removed the fallen tree, and now I've just started to work on this. First off, I fixed the unroutables and the duplicate DHCP server pool, because the ether5 devices are non-existent right now. So it all seems clean and I see no more red errors, and I moved my Mac Mini to where my camera footage and IoT AP access are.
Next, I will go through Anav's recommendations, revisit the script and start from there. Hopefully I will gain a better understanding of this hEX.
Thanks,
I've been looking for that, but my hEX doesn't have that option. v6.48.2 firmware. Maybe I can do it from the terminal. Say, what's the command, if you've got it, my friend? Gracias!
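For the terminal route asked about above, here is an added example (not from any poster in the thread). It rests on one fact about RouterOS: from 6.41 onward the per-port master-port setting no longer exists, and the S (slave) flag shown by /interface print means the port is currently a member of a bridge (or of a bonding). On 6.48.2, therefore, a port is "freed" by removing that membership, not by a master-port setting. The example assumes the slaves come from a bridge; the port names are the thread's ether3-ether5.

```routeros
# Added example for RouterOS 6.41+ (tested syntax, assumed bridge membership).

# 1. Look at the flag column: a port that is a bridge member shows S (slave).
/interface print

# 2. Find out what each slave belongs to. The bridge port list shows the
#    interface and the bridge it is attached to; check bonding as well.
/interface bridge port print where interface=ether3
/interface bonding print

# 3. Detach the ports from whatever bridge holds them. Do this from a
#    session on a port you are NOT removing (or under Safe Mode, Ctrl+X),
#    because an IP address sitting on the bridge stops working for these
#    ports the moment they leave it.
/interface bridge port remove [find interface=ether3]
/interface bridge port remove [find interface=ether4]
/interface bridge port remove [find interface=ether5]

# 4. Confirm the S flag is gone; the per-port addresses and DHCP servers
#    from the earlier posts can now be bound to ether3-ether5 directly.
/interface print
/ip address print
/ip dhcp-server print
```

If step 2 shows an empty bridge port list for a slave port, the membership is coming from a bonding instead, and the same idea applies with /interface bonding: remove the port from the bonding's slaves list rather than looking for a master-port field.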