This tutorial walks you through setting up a Ubiquiti EdgeRouter Lite (ERL) for a SOHO environment using CLI commands. Below is the physical architecture diagram of the network we will be creating:
[Diagram: erl_soho.png]

  1. Log in to the ERL via SSH and enter configure mode. Nothing you set is applied until you run commit, and nothing survives a reboot until you also run save.
    configure

Interfaces

In this section we will set up our network interfaces per the physical network diagram above. Note that the WAN address is assigned via DHCP in this configuration.

  1. eth0 (LAN)
    edit interfaces ethernet eth0
    set description "LAN"
    set address 192.168.69.254/24
    set duplex auto
    set speed auto
    top
  2. eth1 (WLAN)
    edit interfaces ethernet eth1
    set description "WLAN"
    set address 192.168.68.254/24
    set duplex auto
    set speed auto
    top
  3. eth2 (WAN – DHCP)
    edit interfaces ethernet eth2
    set description "WAN"
    set address dhcp
    set duplex auto
    set speed auto
    top

User Management

This step creates a new administrator and removes the default ubnt user (password ubnt), whose credentials are published and are the first thing anyone will try against the router.

  1. Create the new user. Note: the plaintext password is hashed on commit and stored in the configuration as encrypted-password.
    edit system login user new_user
    set authentication plaintext-password "new_pass"
    set full-name "New User"
    set level admin
    top
    commit
  2. Log out, then log back in as the new user to confirm it works before removing the default account
  3. Delete the default ubnt user
    delete system login user ubnt
    commit

DHCP Server

Now we will create DHCP servers for the LAN and WLAN subnets. EdgeOS needs one shared-network-name per subnet.

  1. Global DHCP options
    edit service dhcp-server
    set disabled false
    set dynamic-dns-update enable true
    top
  2. LAN Subnet
    edit service dhcp-server shared-network-name LAN_DHCP
    set authoritative disable
    edit subnet 192.168.69.0/24
    set default-router 192.168.69.254
    set dns-server 192.168.69.254
    set domain-name dlasley.net
    set lease 86400
    set start 192.168.69.100 stop 192.168.69.200
    top
  3. WLAN Subnet
    edit service dhcp-server shared-network-name WLAN_DHCP
    set authoritative disable
    edit subnet 192.168.68.0/24
    set default-router 192.168.68.254
    set dns-server 192.168.68.254
    set domain-name dlasley.net
    set lease 86400
    set start 192.168.68.100 stop 192.168.68.200
    top

Forward DNS Requests

In the DHCP servers we just set up, we handed out the router's own address as the DNS server. To support that, we now enable DNS forwarding on the LAN and WLAN interfaces. List only the internal interfaces under listen-on: adding eth2 would make the router answer DNS queries from the internet. By default the forwarder relays queries to the upstream servers the router itself uses, including those set under system name-server later in this tutorial.

  1. Enable DNS forwarding
    edit service dns forwarding
    set cache-size 1000
    set listen-on eth0
    set listen-on eth1
    top

Dynamic DNS Updater

This process lets your ERL automatically update a supported Dynamic DNS service when the WAN DHCP lease renews, and is completely optional. Be aware that the login and password are stored in clear text in config.boot, so treat configuration backups as secrets.

  1. Create an account with a supported service provider. As of now, they are:
  2. Set the service provider, login, and password. Replace dyndns with your provider's name, and the username/password with your credentials.

    edit service dns dynamic interface eth2 service dyndns
    set login $USERNAME
    set password $PASSWORD

  3. Set the hostname to update, substituting your own domain for mine. You can repeat this step for multiple host names.

    set host-name $DOMAIN_NAME

  4. Move back to the top of the config

    top


WAN Masquerading

Now we need to set up WAN masquerading so that local machines can reach the internet through the single WAN address. If you also need port forwarding rules (to allow inbound traffic), check out this tutorial

  1. Configure NAT rule for WAN Masquerading
    edit service nat rule 5000
    set description WAN_MASQ
    set log disable
    set outbound-interface eth2
    set protocol all
    set type masquerade
    top

SNMP

  1. Now we will configure SNMP. The community string is the only credential in SNMP v1/v2c and it crosses the network in clear text; public is the default every scanner tries first, so use a unique string of your own, keep the community read-only (ro) as here, and only enable SNMP if something actually polls the router. The WAN_LOCAL ruleset below keeps it off the internet, but any host on the LAN or WLAN can still query it.
    edit service snmp
    set community public authorization ro
    set contact "David Lasley"
    set location "Server Room"
    top

Basic Firewall

We will now configure a basic stateful firewall. It is deliberately minimal and not what you would run in a production environment: it allows any outbound traffic from the LAN, the WLAN, or the router itself, drops all new inbound connections from the WAN, and lets replies to established sessions back in.

  1. Set global firewall rules
    edit firewall
    set all-ping enable
    set broadcast-ping disable
    set conntrack-expect-table-size 4096
    set conntrack-hash-size 4096
    set conntrack-table-size 32768
    set conntrack-tcp-loose enable
    set ipv6-receive-redirects disable
    set ipv6-src-route disable
    set ip-src-route disable
    set log-martians enable
    set receive-redirects disable
    set send-redirects enable
    set source-validation disable
    set syn-cookies enable
    top
  2. Create the ruleset for WAN->(W)LAN, i.e. traffic forwarded through the router. Rules are evaluated in ascending number order: rule 5000 accepts established/related packets, rule 5001 drops invalid ones, and everything else falls through to the default drop.
    edit firewall name WAN_IN
    set description "Inbound WAN to (W)LAN"
    set default-action drop
    
    set rule 5000 action accept
    set rule 5000 description "Allow Established/Related"
    set rule 5000 log disable
    set rule 5000 protocol all
    set rule 5000 state established enable
    set rule 5000 state invalid disable
    set rule 5000 state new disable
    set rule 5000 state related enable
    
    set rule 5001 action drop
    set rule 5001 description "Drop Invalid"
    set rule 5001 log disable
    set rule 5001 protocol all
    set rule 5001 state established disable
    set rule 5001 state invalid enable
    set rule 5001 state new disable
    set rule 5001 state related disable
    
    top
  3. Create the ruleset for WAN->Local (the router). It is identical to the last ruleset, except that it is applied to traffic addressed to the router itself (SSH, the DNS forwarder, SNMP), so nothing new from the WAN can reach those services.
    edit firewall name WAN_LOCAL
    set description "Inbound WAN to Local Router"
    set default-action drop
    
    set rule 5000 action accept
    set rule 5000 description "Allow Established/Related"
    set rule 5000 log disable
    set rule 5000 protocol all
    set rule 5000 state established enable
    set rule 5000 state invalid disable
    set rule 5000 state new disable
    set rule 5000 state related enable
    
    set rule 5001 action drop
    set rule 5001 description "Drop Invalid"
    set rule 5001 log disable
    set rule 5001 protocol all
    set rule 5001 state established disable
    set rule 5001 state invalid enable
    set rule 5001 state new disable
    set rule 5001 state related disable
    
    top
  4. Bind the rulesets to the WAN interface: in filters traffic forwarded through the router, local filters traffic addressed to the router. Until both are bound, nothing above has any effect.
    edit interfaces ethernet eth2 firewall
    set in name WAN_IN
    set local name WAN_LOCAL
    top

Define System Settings

Now we will set the system settings such as hostname, nameservers and timezone.

  1. Hostname & domain name
    set system host-name erl-001
    set system domain-name dlasley.net
  2. Nameservers
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
  3. Timezone – Timezones can be listed by traversing the directories in /usr/share/zoneinfo/
    set system time-zone America/Los_Angeles
  4. Add Debian repositories (optional). These are the Debian Wheezy repositories matching the EdgeOS base of the time; Wheezy has since reached end of life and is only served from archive.debian.org, so expect these URLs to fail. Packages installed from Debian are not part of the firmware and are lost on a firmware upgrade. Run apt-get update after committing if you do this.

    edit system package 
    
    set repository wheezy components 'main contrib non-free'
    set repository wheezy distribution wheezy
    set repository wheezy url http://http.us.debian.org/debian
    
    set repository wheezy-security components main
    set repository wheezy-security distribution wheezy/updates
    set repository wheezy-security url http://security.debian.org
    
    top


Final Config

Attached is the final configuration that this tutorial generates. I have left the default ubnt/ubnt user in this configuration, so change or delete that account before the router faces the internet. If you followed the steps above instead, run commit and then save so that your running configuration is written to /config/config.boot. You can upload this file to /config/config.boot using SCP, or follow the directions here to upload via the WebUI.
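Before uploading a config.boot, or after pulling one off a router, it is worth checking it for the mistakes called out in the User Management, DNS forwarding, SNMP and Basic Firewall sections above: the default ubnt account still present, the public SNMP community, a DNS forwarder listening on the WAN interface, and a WAN interface with no in or local ruleset bound (or a bound ruleset whose default-action is not drop). The audit script below is an added example, not part of this tutorial or of Ubiquiti's tooling. It assumes only POSIX sh, awk and grep; it flattens the brace-nested config.boot into one path per line (the same shape as the set commands used above) and greps that. The sample configuration embedded in it is constructed for the demonstration and is not a real router's config.

```shell
#!/bin/sh
# erl_audit.sh: added example (not from the tutorial or Ubiquiti). Flattens an
# EdgeOS/Vyatta config.boot into "path value" lines and checks the points above.
# Usage: sh erl_audit.sh /path/to/config.boot eth2   (second arg = WAN interface)
#        sh erl_audit.sh                              (audits the built-in sample)

# Turn the brace-nested file into lines like
#   firewall name WAN_IN rule 5000 state established enable
flatten_config() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }        # trim whitespace
        $0 == "" || substr($0, 1, 2) == "/*" { next }      # blanks, /* ... */ lines
        /[{]$/ { sub(/[ \t]*[{]$/, ""); stack[++depth] = $0; next }  # open node
        /^}$/ { depth--; next }                            # close node
        { path = ""; for (i = 1; i <= depth; i++) path = path stack[i] " "; print path $0 }
    ' "$1"
}

# Record a finding when a pattern is (or is not) present in the flattened file $FLAT.
flag_if_present() { if grep -q -- "$1" "$FLAT"; then echo "FINDING: $2"; FOUND=1; fi; }
flag_if_absent()  { if ! grep -q -- "$1" "$FLAT"; then echo "FINDING: $2"; FOUND=1; fi; }

# audit_config CONFIG_BOOT WAN_IF: one FINDING line per problem; returns 1 if any.
audit_config() {
    FLAT=$(mktemp); FOUND=0; wan=$2
    flatten_config "$1" > "$FLAT"

    flag_if_present '^system login user ubnt ' \
        "default 'ubnt' user still present; delete it once your own admin user works"
    flag_if_present '^service snmp community public ' \
        "SNMP community 'public' is the universal default and travels in clear text; rename it"
    flag_if_present "^service dns forwarding listen-on $wan\$" \
        "DNS forwarder listens on $wan: the router would answer queries from the internet"
    flag_if_absent "^interfaces ethernet $wan firewall in name " \
        "no 'in' ruleset bound to $wan: traffic forwarded from the WAN is unfiltered"
    flag_if_absent "^interfaces ethernet $wan firewall local name " \
        "no 'local' ruleset bound to $wan: services on the router are reachable from the WAN"

    # Every ruleset bound to the WAN interface must fall through to drop.
    for rs in $(awk -v w="$wan" '$1 == "interfaces" && $3 == w && $4 == "firewall" && $6 == "name" { print $7 }' "$FLAT"); do
        flag_if_absent "^firewall name $rs default-action drop\$" \
            "ruleset $rs is bound to $wan but its default-action is not drop"
    done
    rm -f "$FLAT"
    return "$FOUND"
}

# Constructed sample (not a real router's config) containing four of the mistakes above.
write_sample_config() {
    cat > "$1" <<'EOF'
firewall {
    name WAN_IN {
        default-action drop
    }
}
interfaces {
    ethernet eth2 {
        address dhcp
        firewall {
            in {
                name WAN_IN
            }
        }
    }
}
service {
    dns {
        forwarding {
            listen-on eth0
            listen-on eth2
        }
    }
    snmp {
        community public {
            authorization ro
        }
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password PLACEHOLDER-HASH
            }
            level admin
        }
    }
}
/* Warning: Do not remove the following line. */
EOF
}

if [ $# -ge 1 ]; then
    audit_config "$1" "${2:-eth2}"
else
    sample=$(mktemp); write_sample_config "$sample"
    audit_config "$sample" eth2 || :
    rm -f "$sample"
fi
```

Run it against a copy of /config/config.boot taken with scp; the exit status is 1 whenever a finding is printed, so it can gate a deployment script. The flattened form is also handy on its own: grep it for an interface or ruleset name to see every leaf that references it.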
