mjp66 / Ubiquiti


Devices Unable to Access certain sites on WiFi Guest or WiFi IoT #48

Closed bestcea closed 3 years ago

bestcea commented 3 years ago

Thank you very much, Mike for the amazing guide. You have made low cost, secure and flexible networking for those with minimal networking skills - like me.

Knowing you have spent a lot of time on the Guide and fielding questions from users, I tried for hours and hours to see if I could figure out the solution to the problem, but I give up. I do not believe this is an "issue" but ignorance on my part. Background, I have an EdgeX router, loaded with your latest configuration and a UniFi AP.

The problem is certain sites do not load using a computer or IoT devices cannot communicate with a website. Google.com and yahoo.com load fine. When trying to reach microsoft.com I receive a cannot communicate with server error; amazon.com I receive an invalid security certificate.

Thank you or others in advance for any help.

bestcea

GeoffWy commented 3 years ago

Sounds like your devices are not accessing DNS. I assume you have port 53 enabled in your GUEST-LOCAL ruleset. Might be best to post a sanitised configuration so we can see how your DNS and firewall are configured.

mjp66 commented 3 years ago

Typically, if some sites work, and some sites don't work, that is because of a PPPOE connection. Look at section 5 and check out the links about changing the MSS and/or MTU settings. Might try them even if you don't have a PPPOE connection. One of those links may have a debugging method, don't remember at the moment. First make a config backup. Good Luck.

bestcea commented 3 years ago

Thank you Mike. I don't have a PPPOE, but I tried the combinations. No luck. I will post what GeoffWy suggested.

bestcea commented 3 years ago

> Sounds like your devices are not accessing DNS. I assume you have port 53 enabled in your GUEST-LOCAL ruleset. Might be best to post a sanitised configuration so we can see how your DNS and firewall are configured.

GeoffWy, Thank you for posting. My configuration is straight off Mike's latest config file:

```
firewall {
  all-ping enable
  broadcast-ping disable
  group {
    address-group OPENDNS_SERVERS_GROUP {
      address 208.67.222.222
      address 208.67.220.220
      description "OpenDNS Servers"
    }
    address-group RFC-1918_GROUP {
      address 192.168.0.0/16
      address 172.16.0.0/12
      address 10.0.0.0/8
      description "RFC-1918 Group"
    }
  }
  ipv6-receive-redirects disable
  ipv6-src-route disable
  ip-src-route disable
  log-martians enable
  name HOME_OUT {
    default-action accept
    description "Home Out"
    rule 10 {
      action accept
      description "Allow Wifi Iot Established Replies"
      log disable
      protocol all
      source {
        group {
          address-group NETv4_switch0.7
        }
      }
      state {
        established enable
        invalid disable
        new disable
        related enable
      }
    }
    rule 20 {
      action accept
      description "Allow Wired Iot Established Replies"
      log disable
      protocol all
      source {
        group {
          address-group NETv4_eth1
        }
      }
      state {
        established enable
        invalid disable
        new disable
        related enable
      }
    }
    rule 30 {
      action accept
      description "Allow Wifi Guest Established Replies"
      log disable
      protocol all
      source {
        group {
          address-group NETv4_switch0.6
        }
      }
      state {
        established enable
        invalid disable
        new disable
        related enable
      }
    }
    rule 40 {
      action accept
      description "Allow Wifi Spare Established Replies"
      log disable
      protocol all
      source {
        group {
          address-group NETv4_switch0.8
        }
      }
      state {
        established enable
        invalid disable
        new disable
        related enable
      }
    }
    rule 50 {
      action drop
      description "Drop RFC-1918 Traffic"
      log disable
      protocol all
      source {
        group {
          address-group RFC-1918_GROUP
        }
      }
    }
  }
  name WAN_IN {
    default-action drop
    description "WAN to internal"
    rule 10 {
      action accept
      description "Allow established/related"
      state {
        established enable
        related enable
      }
    }
    rule 20 {
      action drop
      description "Drop invalid state"
      state {
        invalid enable
      }
    }
  }
  name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    rule 10 {
      action accept
      description "Allow established/related"
      state {
        established enable
        related enable
      }
    }
    rule 20 {
      action drop
      description "Drop invalid state"
      state {
        invalid enable
      }
    }
  }
  name WIFI_GUEST_LOCAL {
    default-action drop
    description "WiFi Guest Local"
    rule 1 {
      action accept
      description "Allow DHCP"
      destination {
        port 67
      }
      log disable
      protocol udp
      source {
        port 68
      }
    }
    rule 2 {
      action accept
      description "Allow DNS"
      destination {
        group {
        }
        port 53
      }
      log disable
      protocol tcp_udp
    }
  }
  name WIFI_IOT_LOCAL {
    default-action drop
    description "WiFi Iot Local"
    rule 1 {
      action accept
      description "Allow DHCP"
      destination {
        port 67
      }
      log disable
      protocol udp
      source {
        port 68
      }
    }
    rule 2 {
      action accept
      description "Allow Only OpenDNS"
      destination {
        group {
          address-group OPENDNS_SERVERS_GROUP
        }
        port 53
      }
      log disable
      protocol tcp_udp
    }
  }
  name WIFI_SPARE_LOCAL {
    default-action drop
    description "WiFi Spare Local"
    rule 1 {
      action accept
      description "Allow DHCP"
      destination {
        port 67
      }
      log disable
      protocol udp
      source {
        port 68
      }
    }
    rule 2 {
      action accept
      description "Allow Only OpenDNS"
      destination {
        group {
          address-group OPENDNS_SERVERS_GROUP
        }
        port 53
      }
      log disable
      protocol tcp_udp
    }
  }
  name WIRED_SEPARATE_IN {
    default-action accept
    description "Wired Separate In"
    rule 1 {
      action drop
      description "Block RFC-1918 Traffic"
      destination {
        group {
          address-group RFC-1918_GROUP
        }
      }
      log disable
      protocol all
    }
  }
  name WIRED_SEPARATE_LOCAL {
    default-action drop
    description "Wired Separate Local"
    rule 1 {
      action accept
      description "Allow DHCP"
      destination {
        port 67
      }
      log disable
      protocol udp
      source {
        port 68
      }
    }
    rule 2 {
      action accept
      description "Allow DNS"
      destination {
        group {
        }
        port 53
      }
      log disable
      protocol tcp_udp
    }
  }
  name WIRED_SEPARATE_OUT {
    default-action accept
    description "Wired Separate Out"
    rule 1 {
      action drop
      description "Drop Non-Separate Traffic"
      log disable
      protocol all
      source {
        group {
          address-group RFC-1918_GROUP
        }
      }
    }
  }
  receive-redirects disable
  send-redirects enable
  source-validation disable
  syn-cookies enable
}
interfaces {
  ethernet eth0 {
    address dhcp
    description Internet
    duplex auto
    firewall {
      in {
        name WAN_IN
      }
      local {
        name WAN_LOCAL
      }
    }
    speed auto
  }
  ethernet eth1 {
    description "Wired Iot Net"
    duplex auto
    speed auto
  }
  ethernet eth2 {
    address 192.168.5.1/24
    description "Wired Separate Net"
    duplex auto
    firewall {
      in {
        name WIRED_SEPARATE_IN
      }
      local {
        name WIRED_SEPARATE_LOCAL
      }
      out {
        name WIRED_SEPARATE_OUT
      }
    }
    speed auto
  }
  ethernet eth3 {
    description "Home Net"
    duplex auto
    speed auto
  }
  ethernet eth4 {
    description "Home Net"
    duplex auto
    poe {
      output off
    }
    speed auto
  }
  loopback lo {
  }
  switch switch0 {
    description "Home Net"
    mtu 1500
    switch-port {
      interface eth1 {
        vlan {
          pvid 7
        }
      }
      interface eth3 {
        vlan {
          pvid 1
        }
      }
      interface eth4 {
        vlan {
          pvid 1
          vid 6
          vid 7
        }
      }
      vlan-aware enable
    }
    vif 1 {
      address 192.168.3.1/24
      description "Home Net"
      firewall {
        out {
          name HOME_OUT
        }
      }
      mtu 1500
    }
    vif 6 {
      address 192.168.6.1/24
      description "Wifi Guest Net"
      firewall {
        local {
          name WIFI_GUEST_LOCAL
        }
      }
      mtu 1500
    }
    vif 7 {
      address 192.168.7.1/24
      description "Wifi Iot Net"
      firewall {
        local {
          name WIFI_IOT_LOCAL
        }
      }
      mtu 1500
    }
    vif 8 {
      address 192.168.8.1/24
      description "Wifi Spare Net"
      firewall {
        local {
          name WIFI_SPARE_LOCAL
        }
      }
      mtu 1500
    }
  }
}
protocols {
  igmp-proxy {
    interface switch0.1 {
      alt-subnet 0.0.0.0/0
      role upstream
      threshold 1
    }
    interface switch0.7 {
      alt-subnet 0.0.0.0/0
      role downstream
      threshold 1
    }
  }
}
service {
  dhcp-server {
    disabled false
    hostfile-update enable
    shared-network-name HomeNetDHCP {
      authoritative enable
      subnet 192.168.3.0/24 {
        default-router 192.168.3.1
        dns-server 192.168.3.1
        domain-name HomeNet
        lease 86400
        start 192.168.3.38 {
          stop 192.168.3.243
        }
      }
    }
    shared-network-name SecureNetDHCP {
      authoritative enable
      subnet 192.168.5.0/24 {
        default-router 192.168.5.1
        dns-server 8.8.8.8
        dns-server 8.8.4.4
        domain-name SeparateNet
        lease 86400
        start 192.168.5.38 {
          stop 192.168.5.243
        }
      }
    }
    shared-network-name WifiGuestDHCP {
      authoritative enable
      subnet 192.168.6.0/24 {
        default-router 192.168.6.1
        dns-server 208.67.222.222
        ⁃ dns-server 208.67.220.220
        domain-name WifiGuestNet
        lease 86400
        start 192.168.6.38 {
          stop 192.168.6.243
        }
      }
    }
    shared-network-name WifiIotDHCP {
      authoritative enable
      subnet 192.168.7.0/24 {
        default-router 192.168.7.1
        dns-server 208.67.222.222
        dns-server 208.67.220.220
        domain-name WifiIotNet
        lease 86400
        start 192.168.7.38 {
          stop 192.168.7.243
        }
      }
    }
    shared-network-name WifiSpareDHCP {
      authoritative enable
      subnet 192.168.8.0/24 {
        default-router 192.168.8.1
        dns-server 208.67.222.222
        dns-server 208.67.220.220
        domain-name WifiSpareNet
        lease 86400
        start 192.168.8.38 {
          stop 192.168.8.243
        }
      }
    }
    static-arp disable
    use-dnsmasq enable
  }
  dns {
    forwarding {
      cache-size 400
      listen-on switch0
      system
    }
  }
  gui {
    http-port 80
    https-port 443
    older-ciphers enable
  }
  mdns {
    repeater {
      interface switch0.1
      interface switch0.7
    }
  }
  nat {
    rule 1 {
      description "Exclude OpenDNS WiFi Guest"
      destination {
        group {
          address-group OPENDNS_SERVERS_GROUP
        }
        port 53
      }
      exclude
      inbound-interface switch0.6
      inside-address {
        port 53
      }
      log disable
      protocol tcp_udp
      type destination
    }
    rule 2 {
      description "Force OpenDNS WiFi Guest"
      destination {
        port 53
      }
      inbound-interface switch0.6
      inside-address {
        address 208.67.222.222
      }
      log disable
      protocol tcp_udp
      type destination
    }
    rule 5010 {
      description "masquerade for WAN"
      outbound-interface eth0
      type masquerade
    }
  }
  ssh {
    port 22
    protocol-version v2
  }
  unms {
    disable
  }
}
system {
  domain-name home.local
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      level admin
    }
  }
  name-server 8.8.8.8
  name-server 8.8.4.4
  ntp {
    server 0.ubnt.pool.ntp.org {
    }
    server 1.ubnt.pool.ntp.org {
    }
    server 2.ubnt.pool.ntp.org {
    }
    server 3.ubnt.pool.ntp.org {
    }
  }
  offload {
    hwnat enable
  }
  syslog {
    global {
      facility all {
        level notice
      }
      facility protocols {
        level debug
      }
    }
  }
  time-zone America/New_York
  traffic-analysis {
    dpi enable
    export enable
  }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.10.5210345.190714.1127 */
```

GeoffWy commented 3 years ago

Not got time to look in detail at the moment but in your DNS rule you seem to have source group enabled but with no group set. Not sure if this would cause the rule to fail or not.

```
name WIFI_GUEST_LOCAL {
  . .
  rule 2 {
    action accept
    description "Allow DNS"
    destination {
      group {
      }
      port 53
    }
    log disable
    protocol tcp_udp
```

bestcea commented 3 years ago

Thanks GeoffWy. I added OpenDNS servers group to that rule and it did not work.

Basically Wired IoT, WiFi IoT, WiFi Guest or WiFi Spare do not allow many sites, amongst them Microsoft.com, amazon.com. My Wired IoT and Wifi IoT are coalesced per the guide. In the case of amazon I get a Firefox error "www.amazon.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site." For Microsoft.com I get a Cisco OpenDNS screen saying site block due to content filtering. I just discovered GitHub.com does not work either, because it cannot establish a secure connection.

mjp66 commented 3 years ago

I compared my reference config file against the GitHub published config file, no difference. Your config file has an inserted "?" on the following line "dns-server 208.67.220.220". That is inside the section "shared-network-name WifiGuestDHCP". You might want to re-config that section.

GeoffWy commented 3 years ago

I configured my system some time ago based on a much earlier version of Mike's guide (thanks Mike), but I have modified it a lot, so I don't do some things quite the same way as Mike. There are some things that puzzle me about the firewall rules in your config. First, a number of your rules have an empty destination group, as I pointed out in my previous post. Not sure if it would cause a problem, but it ought not really to be there. Second, I can't see that the firewall rules to allow only OpenDNS can work. Take WIFI_IOT_LOCAL as an example. These are rules applied at vif 7 to traffic traveling to local, i.e. the switch itself. Rule 2 is set to allow OPENDNS_SERVERS_GROUP as a destination. But those are external internet addresses and can never be a destination for traffic destined to local; the rule will never take effect. The rule that should be present here is one to block traffic to port 53, so that your IoT cannot access the switch's DNS service. The NAT rules applied on exit to the WAN take care of allowing the OPENDNS_SERVERS_GROUP through unchanged, and any other addresses to be mapped to an OpenDNS server.

Not sure if any of this will solve your problem though!

Another further thought - is the device you are using to test holding on to a previous dhcp configuration? Can you check which dns servers it is actually trying to use?
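A small check for the point GeoffWy makes about `*_LOCAL` rulesets, added here as an example and not code from the thread or from the guide: it parses a constructed excerpt in EdgeOS brace syntax and reports rules in LOCAL chains whose destination is an address-group (a LOCAL chain only sees packets addressed to the router, so an outside-address group never matches), plus the empty `group { }` noted earlier. The parser expects one statement per line, which is how a `show configuration` export is laid out, so it can be run over a sanitised full config too.

```python
# Constructed sample shaped like the two LOCAL rulesets in the posted config (not the full config).
SAMPLE = """\
firewall {
  name WIFI_IOT_LOCAL {
    rule 2 {
      destination {
        group {
          address-group OPENDNS_SERVERS_GROUP
        }
      }
    }
  }
  name WIFI_GUEST_LOCAL {
    rule 2 {
      destination {
        group {
        }
      }
    }
  }
}
"""

def parse(text):  # one-statement-per-line EdgeOS brace config -> nested (header, children); leaves get None
    cur, stack = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur.append((line[:-1].strip(), block := []))
            cur = block
        else:
            cur.append((line, None))
    return cur

def blocks(node, word):  # child blocks whose header keyword is `word` ('name', 'rule', ...)
    return [(h, c) for h, c in node if c is not None and h.split()[0] == word]

def lint_local_rulesets(cfg):
    """A *_LOCAL chain only sees packets addressed to the router itself, so a rule whose destination
    is an address-group of outside hosts (OpenDNS here) never matches; an empty group { } is flagged too."""
    out = []
    for _, fw in blocks(cfg, "firewall"):
        for name, rules in blocks(fw, "name"):
            for rule, body in blocks(rules, "rule") if name.endswith("_LOCAL") else []:
                for _, dst in blocks(body, "destination"):
                    for _, grp in blocks(dst, "group"):
                        out += [f"{name} {rule}: empty destination group"] if not grp else [
                            f"{name} {rule}: {m} can never match in a LOCAL chain" for m, _ in grp]
    return out
```

Running `lint_local_rulesets(parse(SAMPLE))` returns one finding per defective rule; a destination that is only a port (the DHCP rules, or a plain port 53 rule) produces nothing.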