Initial Configuration – Ubiquiti EdgeRouter Lite
This tutorial walks you through setting up a Ubiquiti EdgeRouter Lite for use in a SOHO environment using CLI commands. Below is the physical architecture diagram of the network we will be creating:
- Log in to the ERL via SSH, then enter configure mode
configure
Interfaces
In this section, we will set up our network interfaces per the above physical network diagram. Note that the WAN IP is assigned via DHCP in this configuration.
- eth0 (LAN)
edit interfaces ethernet eth0
set description "LAN"
set address 192.168.69.254/24
set duplex auto
set speed auto
top
- eth1 (WLAN)
edit interfaces ethernet eth1
set description "WLAN"
set address 192.168.68.254/24
set duplex auto
set speed auto
top
- eth2 (WAN – DHCP)
edit interfaces ethernet eth2
set description "WAN"
set address dhcp
set duplex auto
set speed auto
top
User Management
This step creates a new user to replace the default ubnt user.
- Create new user – Note: the plain text password will be encrypted upon commit
edit system login user new_user
set authentication plaintext-password "new_pass"
set full-name "New User"
set level admin
top
commit
- Logout, then log back in as the new user
- Delete the default ubnt user
delete system login user ubnt
DHCP Server
Now we will create DHCP servers for the LAN and WLAN subnets. We need to create one server per subnet.
- Global DHCP options
edit service dhcp-server
set disabled false
set dynamic-dns-update enable true
top
- LAN Subnet
edit service dhcp-server shared-network-name LAN_DHCP
set authoritative disable
edit subnet 192.168.69.0/24
set default-router 192.168.69.254
set dns-server 192.168.69.254
set domain-name dlasley.net
set lease 86400
set start 192.168.69.100 stop 192.168.69.200
top
- WLAN Subnet
edit service dhcp-server shared-network-name WLAN_DHCP
set authoritative disable
edit subnet 192.168.68.0/24
set default-router 192.168.68.254
set dns-server 192.168.68.254
set domain-name dlasley.net
set lease 86400
set start 192.168.68.100 stop 192.168.68.200
top
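The two DHCP subnets above only work if the default-router is an address the ERL actually holds and the dynamic pool does not swallow it. The following is an added consistency check, not part of the original tutorial: it mirrors the LAN_DHCP and WLAN_DHCP values in a plain dict (the dict layout and the function names are our own) and reports any subnet whose router, DNS server or pool boundaries are inconsistent.

```python
import ipaddress

# Constructed to mirror the two DHCP subnets configured above
# (values copied from the tutorial; the dict layout is our own).
TUTORIAL_SUBNETS = {
    "LAN_DHCP": {
        "subnet": "192.168.69.0/24",
        "default-router": "192.168.69.254",
        "dns-server": "192.168.69.254",
        "start": "192.168.69.100",
        "stop": "192.168.69.200",
        "lease": 86400,
    },
    "WLAN_DHCP": {
        "subnet": "192.168.68.0/24",
        "default-router": "192.168.68.254",
        "dns-server": "192.168.68.254",
        "start": "192.168.68.100",
        "stop": "192.168.68.200",
        "lease": 86400,
    },
}

# eth0 and eth1 addresses from the Interfaces section.
ROUTER_ADDRS = ["192.168.69.254/24", "192.168.68.254/24"]


def check_dhcp_subnet(name, cfg, interface_addrs):
    """Return a list of problems found in one shared-network subnet.

    interface_addrs: the router's own interface addresses (CIDR strings),
    used to confirm the default-router is an address the ERL really holds.
    """
    problems = []
    net = ipaddress.ip_network(cfg["subnet"], strict=True)
    router = ipaddress.ip_address(cfg["default-router"])
    dns = ipaddress.ip_address(cfg["dns-server"])
    start = ipaddress.ip_address(cfg["start"])
    stop = ipaddress.ip_address(cfg["stop"])

    if router not in net:
        problems.append(f"{name}: default-router {router} is outside {net}")
    if not any(ipaddress.ip_interface(a).ip == router for a in interface_addrs):
        problems.append(f"{name}: default-router {router} is not configured on any router interface")
    if start not in net or stop not in net:
        problems.append(f"{name}: pool {start}-{stop} is not inside {net}")
    if start > stop:
        problems.append(f"{name}: pool start {start} is after stop {stop}")
    if start <= router <= stop:
        problems.append(f"{name}: default-router {router} falls inside the dynamic pool")
    if start <= dns <= stop:
        problems.append(f"{name}: dns-server {dns} falls inside the dynamic pool")
    if start == net.network_address or stop == net.broadcast_address:
        problems.append(f"{name}: pool includes the network or broadcast address")
    if cfg["lease"] <= 0:
        problems.append(f"{name}: lease must be a positive number of seconds")
    return problems


def check_all(subnets, interface_addrs):
    """Run the per-subnet check over every shared-network-name."""
    problems = []
    for name, cfg in subnets.items():
        problems.extend(check_dhcp_subnet(name, cfg, interface_addrs))
    return problems


if __name__ == "__main__":
    for line in check_all(TUTORIAL_SUBNETS, ROUTER_ADDRS) or ["no problems found"]:
        print(line)
```

Run against the tutorial's values the check is clean; feed it a subnet whose default-router sits inside the 100-200 pool (or on no interface at all) and it names the clash before a commit hands out a gateway that nobody answers on.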
Forward DNS Requests
In the DHCP servers that we just set up, we defined the router address as the primary DNS server. We will now need to enable DNS forwarding on both the LAN and WLAN interfaces in order to support this setting.
- Enable DNS forwarding
edit service dns forwarding
set cache-size 1000
set listen-on eth0
set listen-on eth1
top
Dynamic DNS Updater
This process will allow your ERL to automatically update a supported Dynamic DNS service upon WAN DHCP renewal, and is completely optional.
- Create an account with a supported service provider. As of now, they are:
- Set the service provider, login, and password. Modify the service from dyndns to your service provider, and the username/password to match your credentials.
edit service dns dynamic interface eth2 service dyndns
set login $USERNAME
set password $PASSWORD
- Set the hostname to update, modifying my domain for yours. You can also repeat this step for multiple host names.
set host-name $DOMAIN_NAME
- Move back to the top of the config
top
WAN Masquerading
Now we will need to set up WAN masquerading (to allow local machines access to the internet). If you also need to add port forwarding rules (to allow inbound traffic), check out this tutorial
- Configure NAT rule for WAN Masquerading
edit service nat rule 5000
set description WAN_MASQ
set log disable
set outbound-interface eth2
set protocol all
set type masquerade
top
SNMP
- Now we will configure SNMP settings
edit service snmp
set community public authorization ro
set contact "David Lasley"
set location "Server Room"
top
Basic Firewall
We will now configure a basic firewall that is not recommended in a production environment. We will set it up to allow any outbound traffic from LAN, WLAN, or the router itself, but will drop all inbound traffic.
- Set global firewall rules
edit firewall
set all-ping enable
set broadcast-ping disable
set conntrack-expect-table-size 4096
set conntrack-hash-size 4096
set conntrack-table-size 32768
set conntrack-tcp-loose enable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
set source-validation disable
set syn-cookies enable
top
- Create ruleset for WAN->(W)LAN. We will add rules to drop Invalid packets and accept established ones.
edit firewall name WAN_IN
set description "Inbound WAN to (W)LAN"
set default-action drop
set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable
set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable
top
- Create ruleset for WAN->Local (router). We will add rules to drop invalid packets and accept established ones. Note that this is basically identical to the last ruleset, except it will be applied to traffic destined for the router itself.
edit firewall name WAN_LOCAL
set description "Inbound WAN to Local Router"
set default-action drop
set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable
set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable
top
- Add firewall rules to WAN interface
edit interfaces ethernet eth2 firewall
set in name WAN_IN
set local name WAN_LOCAL
top
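To make the two rulesets and the in/local split concrete, here is an added model of how EdgeOS evaluates them; it is example code written for this page, not anything from Ubiquiti or the tutorial's author. It transcribes WAN_IN and WAN_LOCAL as data, walks the rules in ascending number with first-match-wins and the default-action as fallback, and picks the ruleset the way the eth2 assignment does: packets whose destination is one of the router's own addresses go through the local ruleset, packets being forwarded to the LAN/WLAN through the in ruleset. The destination is taken after NAT/conntrack lookup, so router-destined versus forwarded is the only distinction modelled; the WAN address 203.0.113.10 and the sample packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "accept" or "drop"
    description: str
    states: frozenset    # conntrack states this rule has enabled (new/established/related/invalid)


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: list


def rule_matches(rule, state):
    # A rule with no state flags enabled matches every packet; otherwise the
    # packet's conntrack state must be one of the enabled flags.
    return not rule.states or state in rule.states


def evaluate(ruleset, state):
    """First matching rule wins, lowest number first; otherwise default-action."""
    for rule in sorted(ruleset.rules, key=lambda r: r.number):
        if rule_matches(rule, state):
            return rule.action, rule.description
    return ruleset.default_action, f"{ruleset.name} default-action"


def tutorial_ruleset(name):
    """The two rules that both WAN_IN and WAN_LOCAL are built from above."""
    return Ruleset(name, "drop", [
        Rule(5000, "accept", "Allow Established/Related", frozenset({"established", "related"})),
        Rule(5001, "drop", "Drop Invalid", frozenset({"invalid"})),
    ])


WAN_IN = tutorial_ruleset("WAN_IN")
WAN_LOCAL = tutorial_ruleset("WAN_LOCAL")

# Addresses the router itself holds: eth0 and eth1 from the Interfaces section,
# plus a constructed DHCP lease standing in for the eth2 WAN address.
ROUTER_ADDRS = {"192.168.69.254", "192.168.68.254", "203.0.113.10"}


def wan_verdict(dst_ip, state):
    """Model the eth2 assignment: 'firewall local' (WAN_LOCAL) sees packets
    addressed to the router itself, 'firewall in' (WAN_IN) sees packets being
    forwarded to the LAN/WLAN. Returns (ruleset name, action, deciding rule)."""
    ruleset = WAN_LOCAL if dst_ip in ROUTER_ADDRS else WAN_IN
    action, why = evaluate(ruleset, state)
    return ruleset.name, action, why


if __name__ == "__main__":
    # Constructed sample packets: (destination after NAT, conntrack state)
    samples = [("203.0.113.10", "new"), ("192.168.69.120", "established"),
               ("192.168.69.120", "invalid"), ("192.168.68.110", "new")]
    for dst, state in samples:
        print(dst, state, "->", wan_verdict(dst, state))
```

Tracing a few packets through it shows why the ruleset is safe by construction: an unsolicited connection to the router (state new) matches neither rule and falls to the default drop, while a reply to a session a LAN host opened (state established) is accepted by rule 5000. It also shows that rule 5001 never changes a verdict, since the default-action is already drop; its value is only in naming the reason (and in giving you a separate place to turn on logging for invalid packets).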
Define System Settings
Now we will set the system settings such as hostname, nameserver, time zones, etc.
- Hostname & domain name
set system host-name erl-001
set system domain-name dlasley.net
- Nameservers
set system name-server 8.8.8.8
set system name-server 8.8.4.4
- Timezone – Timezones can be listed by traversing the directories in /usr/share/zoneinfo/
set system time-zone America/Los_Angeles
- Add Debian repositories (optional). Make sure to perform an apt-get update if you do this.
edit system package
set repository wheezy components 'main contrib non-free'
set repository wheezy distribution wheezy
set repository wheezy url http://http.us.debian.org/debian
set repository wheezy-security components main
set repository wheezy-security distribution wheezy/updates
set repository wheezy-security url http://security.debian.org
top
Final Config
Attached is the final configuration that will be generated with this tutorial. I have left the default ubnt/ubnt user in this configuration. You can upload this file to /config/config.boot using SCP, or follow the directions here to upload via the WebUI.
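Before uploading a config.boot it is worth reading it back the way the router will, and checking the handful of settings this tutorial cares about on the WAN side: that the DNS forwarder listens only on eth0/eth1 and never on eth2, that WAN_IN and WAN_LOCAL are actually attached to eth2, that the masquerade rule points out of eth2, and that leftovers such as the SNMP community public or the default ubnt user are noticed. The following is an added example, not the tutorial's attachment or any Ubiquiti tool: a minimal parser for the brace-structured config.boot layout (our own, handling only nodes, leaves and repeated leaves) plus an audit over it. The sample config is constructed and abridged to the stanzas the audit reads.

```python
import shlex

# Constructed sample in the config.boot layout this tutorial produces
# (abridged to the stanzas the audit below looks at).
SAMPLE_CONFIG = """\
/* constructed sample, not a real router's file */
interfaces {
    ethernet eth2 {
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    dns {
        forwarding {
            listen-on eth0
            listen-on eth1
        }
    }
    nat {
        rule 5000 {
            outbound-interface eth2
            type masquerade
        }
    }
    snmp {
        community public {
        }
    }
}
system {
    login {
        user ubnt {
        }
    }
}
"""


def parse_config_boot(text):
    """Parse the brace-structured config.boot format into nested dicts.
    Repeated leaf keys (several 'listen-on' lines) collect into a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue                      # blank line or header comment
        if line == "}":
            stack.pop()                   # close the current node
        elif line.endswith("{"):
            node = stack[-1]
            for key in shlex.split(line[:-1]):   # "ethernet eth2" -> nested path
                node = node.setdefault(key, {})
            stack.append(node)
        else:
            parts = shlex.split(line)     # handles quoted values like description "LAN"
            key, value = parts[0], (" ".join(parts[1:]) or None)
            node = stack[-1]
            if key in node:               # repeated leaf -> list of values
                prev = node[key]
                node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                node[key] = value
    return root


def get(tree, *path):
    """Walk a path of keys; None if any step is missing."""
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def audit(tree, wan_if="eth2"):
    """Return findings about the WAN-facing parts of a parsed config."""
    findings = []
    listen = get(tree, "service", "dns", "forwarding", "listen-on") or []
    if wan_if in (listen if isinstance(listen, list) else [listen]):
        findings.append(f"DNS forwarder listens on WAN interface {wan_if}")
    for direction in ("in", "local"):
        if not get(tree, "interfaces", "ethernet", wan_if, "firewall", direction, "name"):
            findings.append(f"no firewall ruleset on {wan_if} {direction}")
    for num, rule in (get(tree, "service", "nat", "rule") or {}).items():
        if rule.get("type") == "masquerade" and rule.get("outbound-interface") != wan_if:
            findings.append(f"NAT rule {num} masquerades on {rule.get('outbound-interface')}")
    for name in get(tree, "service", "snmp", "community") or {}:
        if name in ("public", "private"):
            findings.append(f"SNMP community '{name}' is a well-known default")
    if get(tree, "system", "login", "user", "ubnt") is not None:
        findings.append("default user 'ubnt' still present")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config_boot(SAMPLE_CONFIG)):
        print(finding)
```

On the sample (which, like the attached config, still carries the ubnt user) the audit reports the SNMP community and the leftover user and nothing else; change one listen-on line to eth2 and it adds the open-resolver finding that the comment thread below warns about.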
I wanted to say ‘thank you’ for taking the time to fully document this initial configuration. I used your guide to help troubleshoot a variety of issues during my setup.
I’m still struggling with the terminology used within the stateful firewall. IN and OUT apply to an interface, but LOCAL applies to the router. I read the wiki over at ubnt, but for whatever reason the explanation of LOCAL is just not clicking.
Is there a better way to explain the use of LOCAL or maybe relate this to a Cisco IOS?
I’m happy that this guide has come to good use.
I had trouble understanding `LOCAL` also, and I agree that the documentation is slim. In IOS terms, this would be applying an ACL to inbound traffic on the WAN interface. Check out http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#applyacls for a description of In vs. Inbound traffic.
oh my god this guide saved me from soooo many simple mistakes! thank you!
Why do you enable DNS forwarding on the WAN side? Isn’t that just asking for amplification trouble?
You are definitely right that you would never want to do that. I am advising to enable it on LAN and W(ireless)LAN, which are eth0 and eth1 in this tutorial. eth2 is the WAN ;)
I’m trying to set up DDNS with DNS-O-Matic. I found a tutorial here: http://community.ubnt.com/t5/EdgeMAX/Dynamic-DNS-DDNS-from-behind-a-NAT-ADSL-router-No-IP-com-WORKING/m-p/585199#M15698
However, when attempting to perform the first command of the configuration (after editing /opt/vyatta/sbin/vyatta-dynamic-dns.pl), I get the response “invalid command”:
set service dns dynamic interface eth1 service dyndns host-name all.dnsomatic.com
I thought that there might have been a typo in the syntax, so I looked to your tutorial above. However, I seem to have run into more problems. Here is my input and output:
thaixstyle@Eden:~$ edit service dns dynamic interface eth1 service dyndns
Warning: unknown mime-type for “service” — using “application/octet-stream”
Warning: unknown mime-type for “dns” — using “application/octet-stream”
Warning: unknown mime-type for “dynamic” — using “application/octet-stream”
Warning: unknown mime-type for “interface” — using “application/octet-stream”
Warning: unknown mime-type for “eth1” — using “application/octet-stream”
Warning: unknown mime-type for “service” — using “application/octet-stream”
Warning: unknown mime-type for “dyndns” — using “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Error: no “edit” mailcap rules found for type “application/octet-stream”
Lol. Never mind. I forgot to enter configure mode. N00b.
Lol we’ve all been there – Glad you figured it out!
Thanks a lot. GREAT tutorial. Helped me configure the edge router perfectly the first time. Thanks for taking the time to put this together.
No problem, I have admittedly come back to this tutorial every time I screw up my router… which tends to be often :|
sweet config tutorial
saved me some heartache when our oldest ERL died :(
Glad you liked it! Sorry about the router, dead technology is not fun :(
I did find a solution to update the debian sources.
Important is that I use Firmware 1.6!!!
Maybe you give that tip inside your instructions.
I could install nano and midnight commander.
Because of VPN I did write you a mail.
Now it’s possible with:
https://community.ubnt.com/t5/EdgeMAX-CLI-Basics-Knowledge/EdgeMAX-Add-other-Debian-packages-to-EdgeOS/ta-p/413071
Hi Dave,
Thank you very much for the time put into this, now I’m a happy camper.
I did follow this tutorial and I’m up and running.
eth2 to my modem
eth0 ( LAN ) to my computer : working very good
eth1 ( WLAN ) —— Can’t connect to anything, showing connected but when I connect my other PC here I get no internet. Am I missing something here? Please help me.
Cheers
Leon
Are you able to ping the EdgeRouter from the computer connected via Wifi (192.168.68.254 if no deviation from the tutorial)? Additionally, is the Wifi Access Point getting an IP?
Nice tutorial of how to configure the edgerouter.
I’m doing a project in which I have to connect one or two ISP router, two laptops and one VoIP phone to the edgeRouter and then to create a VPN from this edgeRouter to the central office building
Can I connect one laptop to the console port to configure the interfaces and all the other things instead of using the eth0?
And I’m having trouble with how to give internet connection to the laptops (I want to go step by step, VoIP at another moment). The ISP router (has 4 LAN ports and wifi connection) has 192.168.1.1 as IP and it should be connected to eth0. The laptop has to be connected via LAN to the EdgeRouter and receive an IP to have internet access, right? How to do this?
If you can help me I would be grateful.
You cannot connect a standard ethernet device directly to the console port, as it is not really an ethernet interface, it is serial. You will need a USB to RJ45 Rollover Console cable for this purpose.
I’m somewhat unclear on your proposed setup, but it sounds like the ISP router will be passing the internet through to the EdgeRouter? If that is the case, the ISP router would be plugged into eth2 if following this tutorial to the letter.
It sounds like you have too many routers in this scenario though – I would recommend only having one routing device, then utilizing all other routers as switches (pass-thru) devices instead. Otherwise, you will find yourself running into a lot of issues with double NAT; particularly when the VPN comes into play.
Ok, yes you are correct, I want the ISP router to do that and the laptops that I connect to the EdgeRouter have internet access.
In my hands for testing I have only one laptop, one ISP router, the edgeRouter Poe 5 and the VoIP phone.
Thanks.
Got it – this tutorial isn’t really for you then, as it has the EdgeRouter performing routing duties. You will need to bridge the ports on your EdgeRouter in order to directly pass data to the ISP router. This is not a recommended setup, and will reduce the throughput of your EdgeRouter. It is recommended to use a switch for this purpose.
If you do want to continue with this setup, I recommend taking a look at this – https://help.ubnt.com/hc/en-us/articles/204952244-EdgeMAX-How-do-I-bridge-eth2-3-and-4-switch0-with-eth1-on-the-EdgeRouter-POE-
Thank you very much! I will try it, thanks for the info!
Thank you so much for this.
After we plugged in the ERL (I was doing this remotely) and I finally got to the utterly atrocious web interface, I spent an hour or two fiddling with things and the dashboard kept saying NAT was disabled.
Then I figured out that I can ssh into it, and found this post, and typed in the magic commands (adjusted for our config) and the house has internet again.
I still have a bunch of stuff to configure like firewall, port forwards and DDNS, but at least I have a better idea now how to deal with this thing.
Thank you.