Hey! Listen! This post is part of a series on the Ubiquiti EdgeRouter Lite. Check them all out!
|2017-10-03||Dyn DDNS on EdgeRouter|
|2017-04-25||DuckDNS on EdgeRouter|
|2017-01-08||Ubiquiti EdgeRouter serial console settings|
|2016-11-29||Ubiquiti UniFi controller setup on Raspberry Pi 3|
|2016-08-30||EdgeRouter Lite Dnsmasq setup|
|2016-06-13||EdgeRouter Lite software upgrade|
|2016-05-12||EdgeRouter Lite OpenVPN setup|
|2016-04-29||Ubiquiti EdgeRouter Lite setup|
- Initial setup
- Optional setup
As much as I love my C7 running OpenWrt, I’ve been hearing a lot of good things about Ubiquiti devices. In particular, the EdgeRouter Lite, which is touted as being the world’s first router under $100 capable of passing one million packets per second (1Mpps). In contrast, I’ve read that the TP-Link WDR-3600 can pass about 25Kpps. This is partly due to the hardware in the WDR-3600, and partly due to the software (OpenWrt). I wanted to try out the EdgeRouter Lite (ERL) and see how it performed.
Currently, my setup looks like the diagram below.
I plan on putting the ERL in front of the C7, and using the C7 as a switch and AP only (as shown below). Eventually, I’ll replace the C7 with a proper switch and AP.
Also, I’m not a network engineer. Do this at your own risk, I’m not responsible for anything you break 🙂
The ERL packs a dual-core 500MHz MIPS64 processor, 512MB DDR2 RAM, and 2GB of flash storage. In addition, it also supports hardware offload for the functions below. This means that the CPU can offload these tasks to a special chip, freeing up the CPU and greatly improving throughput.
- IPv4 forwarding
- IPv4 vlan
- IPv4 PPPoE
- IPv4 GRE
- IPv4 export
- IPv4 DPI
- IPv6 forwarding
- IPv6 vlan
- IPv6 PPPoE
For this guide, I am configuring the ERL through the ethX ports over SSH, not via the console port. Because of this, I end up doing a good bit of connecting/disconnecting from my ERL. If you’d like to avoid this problem, pickup a console cable and adapter (or this combo cable).
My setup is going to use eth0 to connect to my WAN, and eth1 for my LAN. You could use eth2 for another LAN if needed. However, do not bridge the two LANs, as that will disable the hardware offload (see here and here). If you need more ports, you’ll need a separate switch.
EdgeOS is based on Vyatta Core 6.3, which is itself based on Debian. As a side-note, VyOS is also a fork of Vyatta, so most principles from VyOS will apply to EdgeOS as well. The EdgeOS command line (CLI) can be accessed one of three ways: SSH via an ethX port, a console port, or through the web interface. The CLI has two modes: operational mode and configuration mode (similar to vi’s normal and insert modes). By default, you are loaded into operational mode, used to show system settings. Operational mode is indicated by a dollar-sign prompt ($).
Use the configure command to enter configuration mode, which is used to make configuration changes to the ERL. Configuration mode is indicated by a number sign prompt (#) and the word edit.
ubnt@ubnt:~$ configure  ubnt@ubnt#
The CLI has context-sensitive tab completion only for commands, not for browsing around the filesystem. In addition, context-sensitive help is available with the ? command, with detailed help available with the ?? command.
When making changes, they are not active until committed. To see what changes you’ve made, but not commited, use the compare command.
To undo uncommitted changes, use the discard command.
To commit changes, use the commit command.
Committed changes are not persistent across reboots. Use the save command to write the changes to the plain-text configuration file, which is available at /config/config.boot. Note – using ? reveals that save can also save the configuration to a SCP, FTP, or TFTP location.
To get back to operational mode, use exit.
As far documentation is concerned, Ubiquiti’s documentation is pretty poor, but their forums and Reddit are the best places to get help. The old Vyatta Core 6.3 documents are very helpful as well. In addition, two important primers to have on-hand are the ERL quick-start guide and the EdgeOS user guide.
Before we connect to the router for the first time and start making changes, I recommend you download the latest firmware. Go to Ubiquiti’s download page for the ERL and download the latest firmware (v1.8.0 at the time of this writing).
Next, connect your PC to eth0 of the ERL with an ethernet cable, then give your PC a static IP address in the 192.168.1.x range (e.g., 192.168.1.2). The web GUI is available at https://192.168.1.1, but I’ll be trying to do most of my work through the CLI.
First, transfer the firmware file to the ERL (the default credentials are ubnt/ubnt).
scp ER-e100.v126.96.36.19953089.tar firstname.lastname@example.org:~
Next, SSH into the ERL.
I recommend viewing the current version of the firmware (my ERL shipped with v1.2.0).
Upload the system image.
add system image ~/ER-e100.v188.8.131.5253089.tar
Use the command below to show all the installed images.
show system image
You’ll then need to reboot to make the new image take effect.
Once you’re back up, use the command below to show the installed images (EdgeOS can store two images, should you need to revert). At this point, you should be booted into the latest image.
show system image
Just to be sure, verify the version you’re running.
Optional – If you’re running low on space, you can use the two commands below to view image storage and delete the unused image.
show system image storage delete system image
Set the hostname
Now that our firmware is updated, we can start making changes. I’m starting by changing the hostname.
configure set system host-name <name> commit save
Note – Notice that I’m using configure to enter configuration mode, making my changes, then running commit and save. After that, you’ll need to type exit if you want to get back to operational mode.
The list of available time zones is available by navigating the files and directories under /usr/share/zoneinfo, should you need to update it.
configure set system time-zone US/Eastern commit save
The ERL does not have a hardware clock, so it depends on NTP to synchronize time. You can verify the NTP settings below.
configure show system ntp
The ERL will use a pool of Ubiquiti NTP servers by default.
First, configure the WAN interface on eth0. My provider (Verizon FiOS) distributes addresses via DHCP (as I imagine most fiber/cable providers in the US do), so my WAN interface will use DHCP.
configure delete interfaces ethernet eth0 address 192.168.1.1/24 set interfaces ethernet eth0 address dhcp set interfaces ethernet eth0 description "WAN" set interfaces ethernet eth0 duplex auto set interfaces ethernet eth0 speed auto
Next, configure the LAN interface on eth1. I’m using the 10.10.2.x IP range, specified in CIDR notation. I’m not a network engineer, so use a calculator to determine what you need (hint – /24 will provide 254 usable IP addresses).
set interfaces ethernet eth1 address 10.10.2.1/24 set interfaces ethernet eth1 description "LAN" set interfaces ethernet eth1 duplex auto set interfaces ethernet eth1 speed auto commit
At this point, when you type commit, your SSH session will hang, since we just set eth0 to be a DHCP client. Change your PC’s static IP address to something in the 10.10.2.x range (e.g., 10.10.2.2), then move your ethernet cable over to eth1. SSH back into the ERL, and make sure you commit and save the changes you just made. This is where that console cable would come in handy…
configure commit save
Now, we need to setup a DHCP server on eth1. Pick a start and stop range, specify the router IP, DNS server, and lease time.
configure set service dhcp-server disabled false set service dhcp-server shared-network-name LAN authoritative enable set service dhcp-server shared-network-name LAN subnet 10.10.2.0/24 start 10.10.2.100 stop 10.10.2.199 set service dhcp-server shared-network-name LAN subnet 10.10.2.0/24 default-router 10.10.2.1 set service dhcp-server shared-network-name LAN subnet 10.10.2.0/24 dns-server 10.10.2.1 set service dhcp-server shared-network-name LAN subnet 10.10.2.0/24 lease 86400
Here, we’ll tell DNS which interface to listen on and set a cache size. Then, we’ll tell DNSMasq to use the router itself (127.0.0.1) for DNS, and then forward DNS requests to my specified DNS servers (I’m using OpenNIC DNS servers). The options I’m using are standard DNSMasq options.
set service dns forwarding listen-on eth1 set service dns forwarding cache-size 400 set system name-server 127.0.0.1 set service dns forwarding name-server 184.108.40.206 set service dns forwarding name-server 220.127.116.11 set service dns forwarding options domain-needed set service dns forwarding options bogus-priv set service dns forwarding options all-servers
I’m also telling eth0 not to request DNS servers via DHCP, as per this post, because I want to use only OpenNIC servers.
set interfaces ethernet eth0 dhcp-options name-server no-update commit save
Now, change your PC’s static IP back to DHCP, disconnect from eth1, and reconnect to it. You should be getting an IP in the range you specified above. You can test your DNS servers here.
At this point, our ERL can route, but we don’t have a firewall. To setup these rules, think of this from the router’s perspective. At a minimum, you need two sets of firewall rules: one for traffic coming from the internet destined for the LAN, and one for traffic coming from the internet destined for the ERL itself. If you’re more of a visual person, this is a great way to visualize these firewall rules.
We’ll start by setting some global options.
configure set firewall all-ping enable set firewall broadcast-ping disable set firewall receive-redirects disable set firewall ipv6-receive-redirects disable set firewall ip-src-route disable set firewall ipv6-src-route disable set firewall log-martians enable
Now, create a firewall to protect the LAN. We’re saying the default action is to drop anything coming into our LAN, with the exception of already established sessions. In addition, we drop anything with an invalid state.
set firewall name WAN_IN default-action drop set firewall name WAN_IN description "WAN to internal" set firewall name WAN_IN enable-default-log set firewall name WAN_IN rule 10 action accept set firewall name WAN_IN rule 10 description "Allow established/related" set firewall name WAN_IN rule 10 state established enable set firewall name WAN_IN rule 10 state related enable set firewall name WAN_IN rule 20 action drop set firewall name WAN_IN rule 20 description "Drop invalid state" set firewall name WAN_IN rule 20 state invalid enable set firewall name WAN_IN rule 20 log enable
Then, a firewall to protect the ERL itself. Again, We’re saying the default action is to drop anything coming into our ERL, with the exception of already established sessions. We drop anything with an invalid state, and we also limit pings.
set firewall name WAN_LOCAL default-action drop set firewall name WAN_LOCAL description "WAN to router" set firewall name WAN_LOCAL enable-default-log set firewall name WAN_LOCAL rule 10 action accept set firewall name WAN_LOCAL rule 10 description "Allow established/related" set firewall name WAN_LOCAL rule 10 state established enable set firewall name WAN_LOCAL rule 10 state related enable set firewall name WAN_LOCAL rule 20 action drop set firewall name WAN_LOCAL rule 20 description "Drop invalid state" set firewall name WAN_LOCAL rule 20 state invalid enable set firewall name WAN_LOCAL rule 20 log enable set firewall name WAN_LOCAL rule 30 action accept set firewall name WAN_LOCAL rule 30 description "Limit pings" set firewall name WAN_LOCAL rule 30 limit burst 1 set firewall name WAN_LOCAL rule 30 limit rate 50/minute set firewall name WAN_LOCAL rule 30 log enable set firewall name WAN_LOCAL rule 30 protocol icmp
Now, enable the firewall by applying it to our eth0 interface.
set interfaces ethernet eth0 firewall in name WAN_IN set interfaces ethernet eth0 firewall local name WAN_LOCAL commit save
Because of NAT, one external IP can map to many internal IPs. This allowed the extension of the use of IPv4, even though we were quickly running out of addresses. The rule below will change (masquerade) all traffic going out of eth0 to have its source address changed to the public address of eth0 (instead of staying at 10.10.2.x, where it would never get a return).
configure set service nat rule 5000 description "Masquerade for WAN" set service nat rule 5000 outbound-interface eth0 set service nat rule 5000 type masquerade commit save
That’s it! Technically, you should be able to get online with this configuration and be pretty safe!
Verify hardware offload
Verify hardware offload is working for the services you need.
show ubnt offload
I highly recommend changing the password of the default ubnt user (even if you disable password authentication via SSH).
configure set system login user ubnt authentication plaintext-password <password_here> commit save
Ubiquiti also recommends creating a new user and removing the default ubnt user. I’m not going to cover that, but see this document for more details.
Setup SSH keys
I also highly recommend setting up SSH keys so you don’t need to use password authentication. Start by copying the key from your PC to the ERL.
scp ~/.ssh/id_rsa.pub email@example.com:~/id_rsa.pub
Then, load the key and turn off password authentication.
configure loadkey ubnt ~/id_rsa.pub set service ssh disable-password-authentication commit save
Note – If you receive the error below when trying to load a key, make sure there are no spaces in the comment section of the key.
Not a valid key file format (see man sshd) at /opt/vyatta/sbin/vyatta-load-user-key.pl line 96, <$in> line 1.
If you’d like, you can setup a SSH banner for pre-login and post-login.
configure set system login banner pre-login '\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact Logan Marchione for access\n\n\n\n' set system login banner post-login '\n\n\n\tWelcome to EdgeRouter Lite\n\n\n\n' commit save
Note – The string \n is a newline, and \t is an indent.
Change SSH port
You can argue about security through obscurity, but I’m going to change the port SSH listens on. At the very least, it’ll help protect from scanners and bots.
configure set service ssh port 1234 commit save
Change GUI port
Again, changing this port is more security through obscurity.
configure set service gui https-port 8443 commit save
I’ve been using my own router with Verizon FiOS for a while, but for some reason, I can’t pull an IP from the ONT unless I’m cloning the MAC of the original Actiontec router. Until I get the time (i.e., willpower) to call Verizon, I’m going to choose to clone the MAC.
configure set interfaces ethernet eth0 mac 00:00:00:00:00:00 commit save
I like to connect remotely via SSH and/or VPN to my router, so I use Dyn for my dynamic DNS service.
configure set service dns dynamic interface eth0 service dyndns host-name <hostname.dyn.com> set service dns dynamic interface eth0 service dyndns login <username> set service dns dynamic interface eth0 service dyndns password <password_here> commit save
Then, trigger a manual update. EdgeOS will only update the dynamic service when your IP address actually changes.
update dns dynamic interface eth0
You can show the status with the command below.
show dns dynamic status
Remote SSH access
I like to connect back to my home via SSH, and will eventually setup a VPN. To allow SSH, I’ll need to open a port for SSH in the firewall.
configure set firewall name WAN_LOCAL rule 40 action accept set firewall name WAN_LOCAL rule 40 description "Allow SSH to router" set firewall name WAN_LOCAL rule 40 destination port 1234 set firewall name WAN_LOCAL rule 40 log enable set firewall name WAN_LOCAL rule 40 protocol tcp commit save
Remote GUI access
In my case, I want remote access to SSH, but I don’t want the GUI to be open to world. This will make it so it only listens for requests from the LAN, not the WAN.
configure set service gui listen-address 10.10.2.1 commit save
Static DHCP leases
I prefer to set static DHCP leases on the router, rather than configuring all my devices with a static IP. Use the syntax below to setup a static lease.
configure set service dhcp-server shared-network-name LAN subnet 10.10.2.0/24 static-mapping client01 ip-address 10.10.2.10 set service dhcp-server shared-network-name LAN subnet 10.10.2.0/24 static-mapping client01 mac-address 00:00:00:00:00:00 commit save
Note – It’s best practice to not use addresses inside the DHCP pool (mine is 10.10.2.100 – 10.10.2.199).
Hope this was helpful! I plan on configuring a VPN on this router in the near future.