Setting up a home LAN pt 2: securing the edge router.


In one of the previous posts I showed how to configure a home edge router with a minimal config. However, we forgot to add even basic security to the router.

Let's try to harden the router by first blocking weird traffic coming from the internet. What do I mean by "weird"? First, let's block traffic from source addresses that should never legitimately reach us from the internet. We call such sources "martians".

Let's create an access list that lists all addresses that should never appear as a source on your WAN and blocks them.

Entries 10-70 are the martians. Entry 80 is my own public IP: since it belongs to me, it should never show up as a source address arriving from somewhere else on the internet. Entry 90 permits traffic destined to my public IP, and entry 100 blocks all other traffic.

ip access-list ext MARTIANS
 10 deny ip any
 20 deny ip any
 30 deny ip any
 40 deny ip any
 50 deny ip any
 60 deny ip any
 70 deny ip any
 80 deny ip host any
 90 permit ip any host
 100 deny ip any any

Finally, I apply the ACL inbound on the WAN interface with the commands:

int gi0
 ip access-group MARTIANS in
 do wr
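To sanity-check the filtering logic before touching the router, here is an added example (not from the original post) that models the MARTIANS ACL in Python: it renders the same entry layout with IOS wildcard masks and evaluates constructed packets against it with first-match semantics. The seven martian prefixes are an assumption (the common RFC 1918, "this network", loopback, link-local and multicast/reserved ranges; the post does not list which ones it used), and 203.0.113.7 is a placeholder for the public IP.

```python
"""Model of the MARTIANS extended ACL: build, render, and evaluate it offline."""
import ipaddress

# Placeholder public IP (TEST-NET-3); substitute your own WAN address.
PUBLIC_IP = ipaddress.ip_address("203.0.113.7")
# Assumed martian list; the post does not name its seven prefixes.
MARTIANS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    """'host X' in IOS is a /32 network."""
    return ipaddress.ip_network(f"{addr}/32")


def build_acl():
    """Return (seq, action, src_net, dst_net) tuples in the post's order."""
    rules, seq = [], 10
    for prefix in MARTIANS:            # entries 10-70: martian sources
        rules.append((seq, "deny", ipaddress.ip_network(prefix), ANY))
        seq += 10
    rules.append((seq, "deny", host(PUBLIC_IP), ANY))      # 80: spoofed self
    rules.append((seq + 10, "permit", ANY, host(PUBLIC_IP)))  # 90: to me
    rules.append((seq + 20, "deny", ANY, ANY))             # 100: everything else
    return rules


def fmt(net):
    """Render a network the way IOS extended ACLs expect (wildcard mask)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask == wildcard


def render(rules):
    lines = ["ip access-list extended MARTIANS"]
    lines += [f" {seq} {action} ip {fmt(src)} {fmt(dst)}"
              for seq, action, src, dst in rules]
    return "\n".join(lines)


def evaluate(rules, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action, seq
    return "deny", None
```

Running evaluate() over a few constructed packets shows why entry ordering matters: a packet from 192.168.1.5 is stopped at entry 60 before the permit at 90 is ever consulted.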

