Initial Configuration – Ubiquiti EdgeRouter Lite

[[[TOC]]]
This tutorial will walk you through setting up a Ubiquiti EdgeRouter Lite (ERL) for use in a SOHO environment using CLI commands. Below is the physical architecture diagram of the network we will be creating:
[[image:erl_soho.png|medium|link=source]]
# Log in to the ERL via SSH (factory default: user `ubnt`, password `ubnt`, address 192.168.1.1 on eth0), then enter configure mode
{{{
configure
}}}
——
=Interfaces=
In this section we will set up the network interfaces per the physical network diagram above. Note that the WAN address is assigned via DHCP in this configuration. If your SSH session runs over eth0, the `commit` in the next section changes that interface's address and will drop the session; reconnect to 192.168.69.254 afterwards.
# eth0 (LAN)
{{{
edit interfaces ethernet eth0
set description "LAN"
set address 192.168.69.254/24
set duplex auto
set speed auto
top
}}}
# eth1 (WLAN)
{{{
edit interfaces ethernet eth1
set description "WLAN"
set address 192.168.68.254/24
set duplex auto
set speed auto
top
}}}
# eth2 (WAN – DHCP)
{{{
edit interfaces ethernet eth2
set description "WAN"
set address dhcp
set duplex auto
set speed auto
top
}}}
——
=User Management=
This step creates a new administrator to replace the factory `ubnt` user, whose password is publicly known.
# Create the new user – //Note: the plain-text password is replaced by a salted password hash (`encrypted-password`) in the configuration upon commit; the clear-text value is not kept//
{{{
edit system login user new_user
set authentication plaintext-password "new_pass"
set full-name "New User"
set level admin
top
commit
}}}
# Logout, then log back in as the new user
# Delete the default `ubnt` user, then `commit` and `save` so the deletion survives a reboot
{{{
delete system login user ubnt
}}}
——
=DHCP Server=
Now we will create DHCP servers for the LAN and WLAN subnets, one `shared-network-name` per subnet.
# Global DHCP options
{{{
edit service dhcp-server
set disabled false
set dynamic-dns-update enable true
top
}}}
# LAN Subnet
{{{
edit service dhcp-server shared-network-name LAN_DHCP
set authoritative disable
edit subnet 192.168.69.0/24
set default-router 192.168.69.254
set dns-server 192.168.69.254
set domain-name dlasley.net
set lease 86400
set start 192.168.69.100 stop 192.168.69.200
top
}}}
# WLAN Subnet
{{{
edit service dhcp-server shared-network-name WLAN_DHCP
set authoritative disable
edit subnet 192.168.68.0/24
set default-router 192.168.68.254
set dns-server 192.168.68.254
set domain-name dlasley.net
set lease 86400
set start 192.168.68.100 stop 192.168.68.200
top
}}}
=Forward DNS Requests=
In the DHCP servers we just set up, we handed out the router's address as the clients' DNS server. To honour that setting we now enable DNS forwarding (dnsmasq), listening on the LAN and WLAN interfaces only. Do not add eth2 here: a forwarder reachable from the Internet is an open resolver that can be abused for DNS amplification attacks. The WAN_LOCAL ruleset configured later drops unsolicited traffic to the router anyway, but listening only on the inside interfaces is the first line of defence and keeps the forwarder safe even while the firewall is being edited.
# Enable DNS forwarding
{{{
edit service dns forwarding
set cache-size 1000
set listen-on eth0
set listen-on eth1
top
}}}
——
=Dynamic DNS Updater=
This process will allow your ERL to automatically update a supported Dynamic DNS service upon WAN DHCP renewal, and is completely optional.

  1. Create an account with a supported service provider. As of now, they are:
    • [[http://dnspark.com/|DNS Park]]
    • [[http://www.dslreports.com/|DSL Reports]]
    • [[http://dyn.com|DynDNS]]
    • [[http://web.easydns.com/|Easy DNS]]
    • [[http://www.namecheap.com/|Name Cheap]]
    • [[http://www.sitelutions.com/|SiteLutions]]
    • [[http://www.zoneedit.com/|ZoneEdit]]
  2. Set the service provider, login, and password. `$USERNAME` and `$PASSWORD` below are placeholders, not shell variables: replace them with your credentials, and change the service from `dyndns` to your provider. These credentials are written in clear text to `/config/config.boot`, so treat configuration backups as secrets.
    {{{
    edit service dns dynamic interface eth2 service dyndns
    set login $USERNAME
    set password $PASSWORD
    }}}

  3. Set the hostname to update, modifying my domain for yours. You can also repeat this step for multiple host names.
    {{{
    set host-name $DOMAIN_NAME
    }}}

  4. Move back to the top of the config
    {{{
    top
    }}}

——
=WAN Masquerading=
Now we will set up WAN masquerading (source NAT) so that local machines can reach the Internet. If you also need port-forwarding rules (to allow inbound traffic), check out [[nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip|this tutorial]].
# Configure the NAT rule for WAN masquerading. By EdgeOS convention, source/masquerade rules are numbered from 5000 upwards and destination NAT (port-forwarding) rules below that.
{{{
edit service nat rule 5000
set description WAN_MASQ
set log disable
set outbound-interface eth2
set protocol all
set type masquerade
top
}}}
——
=SNMP=
# Now we will configure SNMP. The community string is the only credential in SNMP v1/v2c and crosses the wire in clear text, so replace `public` (the first value every scanner tries) with a long random string, keep it read-only (`authorization ro`) as below, and where possible restrict the clients allowed to use it with `set community <name> network <cidr>`. The WAN_LOCAL ruleset configured later keeps UDP/161 unreachable from the Internet; the restriction here is for the inside.
{{{
edit service snmp
set community public authorization ro
set contact "David Lasley"
set location "Server Room"
top
}}}
——
=Basic Firewall=
We will now configure a minimal stateful firewall. Treat it as a starting point rather than something to deploy unchanged in production: it allows any outbound traffic from the LAN, the WLAN, or the router itself, drops all unsolicited inbound traffic from the WAN, and places no restrictions at all between LAN and WLAN or on access to the router (SSH, WebUI, SNMP) from inside.
# Set global firewall options. These largely match the EdgeOS defaults; note that `source-validation` (reverse-path filtering) is left disabled and `send-redirects` enabled, so on a single-homed SOHO router `set source-validation strict` is a reasonable hardening step.
{{{
edit firewall
set all-ping enable
set broadcast-ping disable
set conntrack-expect-table-size 4096
set conntrack-hash-size 4096
set conntrack-table-size 32768
set conntrack-tcp-loose enable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
set source-validation disable
set syn-cookies enable
top
}}}
# Create the ruleset for WAN->(W)LAN (forwarded traffic). Rule 5000 accepts packets belonging to established or related connections, rule 5001 drops packets that conntrack classifies as invalid, and anything matching neither rule (i.e. every new inbound connection) falls through to the default-action drop. Rules are evaluated in ascending number order and the first match wins.
{{{
edit firewall name WAN_IN
set description "Inbound WAN to (W)LAN"
set default-action drop

set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable

set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable

top
}}}
# Create ruleset for WAN->Local (router). We will add rules to drop Invalid packets and accept established ones. //Note that this is basically identical to the last ruleset, except it will be applied to traffic destined for the router//
{{{
edit firewall name WAN_LOCAL
set description "Inbound WAN to Local Router"
set default-action drop

set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable

set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable

top
}}}
# Add firewall rules to WAN interface
{{{
edit interfaces ethernet eth2 firewall
set in name WAN_IN
set local name WAN_LOCAL
top
}}}
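The distinction between the `in` and `local` chains trips people up, so here is a small Python model of what the bindings above do. It is an added example, not EdgeOS code and not part of the original page: the two rulesets are transcribed by hand from the configuration above, the router addresses (the two LAN-side addresses plus an assumed WAN lease of 203.0.113.7) and the sample packets are constructed, and the conntrack state of each packet is taken as given rather than computed. A packet arriving on eth2 whose destination is one of the router's own addresses goes to WAN_LOCAL; one that is to be forwarded to a LAN host goes to WAN_IN; interfaces with nothing bound pass traffic unchecked.

```python
"""Model of which firewall chain an EdgeOS packet hits and how the tutorial's
WAN_IN / WAN_LOCAL rulesets decide it.  Added example, not EdgeOS code: the
rulesets are transcribed by hand from the config above, and the router
addresses and sample packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Rule:
    number: int
    action: str          # "accept" or "drop"
    states: frozenset    # conntrack states the rule matches ("state X enable")
    protocol: str = "all"


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: list = field(default_factory=list)

    def evaluate(self, packet):
        """Rules are tried in ascending number order; the first match wins,
        otherwise default-action applies."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.protocol not in ("all", packet["proto"]):
                continue
            if packet["state"] in rule.states:
                return rule.action, f"{self.name} rule {rule.number}"
        return self.default_action, f"{self.name} default-action"


def tutorial_ruleset(name):
    """WAN_IN and WAN_LOCAL are identical: 5000 accepts established/related,
    5001 drops invalid, and a new inbound connection falls through to drop."""
    return Ruleset(name, "drop", [
        Rule(5000, "accept", frozenset({"established", "related"})),
        Rule(5001, "drop", frozenset({"invalid"})),
    ])


# Assumed addresses: the two LAN-side addresses from the tutorial plus a
# constructed DHCP lease on eth2 (documentation range, not a real WAN IP).
ROUTER_ADDRS = {ip_address(a) for a in
                ("192.168.69.254", "192.168.68.254", "203.0.113.7")}
# Mirrors 'set interfaces ethernet eth2 firewall in name WAN_IN' and
# '... firewall local name WAN_LOCAL'; eth0/eth1 have no rulesets bound.
CHAINS = {
    ("eth2", "in"): tutorial_ruleset("WAN_IN"),
    ("eth2", "local"): tutorial_ruleset("WAN_LOCAL"),
}


def select_chain(packet):
    """'local' when the router itself is the destination (SSH, SNMP, DNS to
    the router), 'in' when the packet is to be forwarded to another host.
    Replies to masqueraded connections are un-NATed before this decision,
    so they show up here with the LAN host as destination."""
    return "local" if ip_address(packet["dst"]) in ROUTER_ADDRS else "in"


def decide(packet):
    """Pick the chain for the ingress interface and evaluate its ruleset;
    an interface with nothing bound lets the packet through."""
    chain = select_chain(packet)
    ruleset = CHAINS.get((packet["in_if"], chain))
    if ruleset is None:
        return "accept", f"no {chain} ruleset on {packet['in_if']}"
    return ruleset.evaluate(packet)


# Constructed sample packets, reduced to the fields the chains care about.
SAMPLE_PACKETS = [
    {"in_if": "eth2", "proto": "tcp", "dst": "203.0.113.7",
     "state": "new", "note": "SSH attempt against the WAN address"},
    {"in_if": "eth2", "proto": "tcp", "dst": "192.168.69.10",
     "state": "new", "note": "unsolicited SYN toward a LAN host"},
    {"in_if": "eth2", "proto": "tcp", "dst": "192.168.69.10",
     "state": "established", "note": "reply to a LAN client's outbound connection"},
    {"in_if": "eth2", "proto": "tcp", "dst": "203.0.113.7",
     "state": "invalid", "note": "out-of-window segment aimed at the router"},
    {"in_if": "eth0", "proto": "udp", "dst": "192.168.69.254",
     "state": "new", "note": "LAN client DNS query to the router's forwarder"},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = decide(p)
        print(f"{p['note']:<48} -> {verdict:<6} ({why})")
```

The last sample packet shows the flip side of the configuration: nothing is bound to eth0 or eth1, so any host on the LAN or WLAN can reach every service on the router and every host on the other inside network.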
——
=Define System Settings=
Now we will set the system settings such as hostname, nameserver, time zones, etc.
# Hostname & domain name
{{{
set system host-name erl-001
set system domain-name dlasley.net
}}}
# Nameservers – //these are the upstream resolvers used by the router itself and, by default, by the DNS forwarder on behalf of the LAN and WLAN clients//
{{{
set system name-server 8.8.8.8
set system name-server 8.8.4.4
}}}
# Timezone – //Timezones can be listed by traversing the directories in `/usr/share/zoneinfo/`//
{{{
set system time-zone America/Los_Angeles
}}}
# Add Debian repositories (optional). Run `apt-get update` afterwards. Debian `wheezy` is end-of-life and has been moved to archive.debian.org, so the mirrors below no longer serve it. Install only what you need: packages added this way live in the firmware image's root filesystem and are not carried over by a firmware upgrade.
{{{
edit system package

set repository wheezy components 'main contrib non-free'
set repository wheezy distribution wheezy
set repository wheezy url http://http.us.debian.org/debian

set repository wheezy-security components main
set repository wheezy-security distribution wheezy/updates
set repository wheezy-security url http://security.debian.org

top
}}}
//Note that versions prior to firmware 1.7 were based on Debian `squeeze` instead of `wheezy`.//
# Finally, run `commit` to apply everything above and `save` to write it to `/config/config.boot`. A committed but unsaved configuration is lost at the next reboot.
——
=Final Config=
[[file:erl_base_soho_config.boot|Attached is the final configuration generated by this tutorial. I have left the default ubnt/ubnt user in this configuration.]] You can upload this file to `/config/config.boot` using SCP, or follow the directions [[http://wiki.ubnt.com/System_-_Configuration_Management_%26_Device_Maintenance|here]] to upload via the WebUI. If you use it, create your own administrator and delete `ubnt` as described in the User Management section before the router is exposed to the Internet.
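Before uploading a config.boot (or after `save`), it is worth checking that the file actually has the properties the sections above rely on: both the `in` and `local` chains of eth2 bound to a default-drop ruleset, the DNS forwarder not listening on eth2, no default SNMP community, and the `ubnt` user gone. The linter below is an added Python example, not part of this page or of EdgeOS. Its sample configuration is a constructed, trimmed stand-in for the attached file in the brace-nested config.boot syntax, deliberately left with the `ubnt` user and the `public` community so that both are reported; point `parse_config` at the real file contents to check your own.

```python
"""Lint an EdgeOS config.boot for the properties this tutorial relies on.
Added example, not page or EdgeOS code; SAMPLE_CONFIG is a constructed,
trimmed stand-in for the attached config.boot, not the file itself."""

SAMPLE_CONFIG = """\
firewall {
    name WAN_IN {
        default-action drop
    }
    name WAN_LOCAL {
        default-action drop
    }
}
interfaces {
    ethernet eth2 {
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    dns {
        forwarding {
            listen-on eth0
            listen-on eth1
        }
    }
    snmp {
        community public {
        }
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
/* Release version: constructed sample */
"""

def parse_config(text):
    """Nested dicts from the brace syntax: 'key ... {' opens a block (key kept
    whole, e.g. 'ethernet eth2'), 'key value' is a leaf, a leaf repeated in one
    block (listen-on) becomes a list, and /* lines are the version trailer."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        else:
            name, _, value = line.partition(" ")
            value, node = value.strip().strip('"'), stack[-1]
            if name in node:  # repeated leaf -> list of values
                prev = node[name]
                node[name] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                node[name] = value
    return stack[0]

def lint(cfg, wan_if="eth2"):
    """Return a list of findings; an empty list means every check passed."""
    findings, svc = [], cfg.get("service", {})
    # 1. WAN interface: both the 'in' (forwarded) and 'local' (router-bound)
    #    chains need a ruleset, and that ruleset must default to drop.
    bound = cfg.get("interfaces", {}).get(f"ethernet {wan_if}", {}).get("firewall", {})
    for chain in ("in", "local"):
        name = bound.get(chain, {}).get("name")
        if not name:
            findings.append(f"{wan_if}: no firewall ruleset bound to '{chain}' chain")
        elif cfg.get("firewall", {}).get(f"name {name}", {}).get("default-action") != "drop":
            findings.append(f"ruleset {name}: default-action is not drop")
    # 2. The forwarder must not listen on the WAN side (open resolver, amplification).
    listen = svc.get("dns", {}).get("forwarding", {}).get("listen-on", [])
    if wan_if in ([listen] if isinstance(listen, str) else listen):
        findings.append(f"dns forwarding listens on WAN interface {wan_if}")
    # 3. The SNMP v2c community is the only credential and is sent in clear text.
    for key in svc.get("snmp", {}):
        if key.startswith("community ") and key.split()[1] in ("public", "private"):
            findings.append(f"snmp: default community string '{key.split()[1]}' in use")
    # 4. The factory ubnt account should be gone once a replacement admin exists.
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("system login: default 'ubnt' user still present")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

The parser keeps the multi-word block keys (`ethernet eth2`, `name WAN_IN`, `user ubnt`) whole, which is what makes the lookups read like the `set` paths used throughout this tutorial.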


Comments

21 responses to “Initial Configuration – Ubiquiti EdgeRouter Lite”

  1. Keystroke13

    I wanted to say ‘thank you’ for taking the time to fully document this initial configuration. I used your guide to help troubleshoot a variety of issues during my setup.

    I’m still struggling with the terminology used within the stateful firewall. IN and OUT apply to an interface, but LOCAL applies to the router. I read the wiki over at ubnt, but for whatever reason the explanation of LOCAL is just not clicking.

    Is there a better way to explain the use of LOCAL or maybe relate this to a Cisco IOS?

    1. dlasley

      I’m happy that this guide has come to good use.
      I had trouble understanding `LOCAL` also, and I agree that the documentation is slim. In IOS terms, this would be applying an ACL to inbound traffic on the WAN interface. Check out http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#applyacls for a description of In vs. Inbound traffic.

  2. JimBo

    oh my god this guide saved me from soooo many simple mistakes! thank you!

  3. Miklos

    Why do you enable DNS forwarding on the WAN side? Isn’t that just asking for amplification trouble?

    1. Dave Lasley

      You are definitely right that you would never want to do that. I am advising to enable it on LAN and W(ireless)LAN, which are eth0 and eth1 in this tutorial. eth2 is the WAN ;)

  4. Won

    I’m trying to set up DDNS with DNS-O-Matic. I found a tutorial here: http://community.ubnt.com/t5/EdgeMAX/Dynamic-DNS-DDNS-from-behind-a-NAT-ADSL-router-No-IP-com-WORKING/m-p/585199#M15698

    However, when attempting to perform the first command of the configuration (after editing /opt/vyatta/sbin/vyatta-dynamic-dns.pl), I get the response “invalid command”:

    {{{
    set service dns dynamic interface eth1 service dyndns host-name all.dnsomatic.com
    }}}

    I thought that there might have been a typo in the syntax, so I looked to your tutorial above. However, I seem to have run into more problems. Here is my input and output:

    {{{
    thaixstyle@Eden:~$ edit service dns dynamic interface eth1 service dyndns
    Warning: unknown mime-type for "service" -- using "application/octet-stream"
    Warning: unknown mime-type for "dns" -- using "application/octet-stream"
    Warning: unknown mime-type for "dynamic" -- using "application/octet-stream"
    Warning: unknown mime-type for "interface" -- using "application/octet-stream"
    Warning: unknown mime-type for "eth1" -- using "application/octet-stream"
    Warning: unknown mime-type for "service" -- using "application/octet-stream"
    Warning: unknown mime-type for "dyndns" -- using "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    Error: no "edit" mailcap rules found for type "application/octet-stream"
    }}}

  5. Won

    Lol. Never mind. I forgot to enter configure mode. N00b.

    1. Dave Lasley

      Lol we’ve all been there – Glad you figured it out!

  6. Sandman

    Thanks a lot. GREAT tutorial. Helped me configure the edge router perfectly the first time. Thanks for taking the time to put this together.

    1. Dave Lasley

      No problem, I have admittedly come back to this tutorial every time I screw up my router… which tends to be often :|

  7. enderwa

    sweet config tutorial

    saved me some heartache when our oldest ERL died :(

    1. Dave Lasley

      Glad you liked it! Sorry about the router, dead technology is not fun :(

  8. Wilfried Goedert

    I did find a solution to update the Debian sources.

    Important is that I use Firmware 1.6!!!
    Maybe you could give that tip inside your instructions.
    I could install nano and Midnight Commander.

    Because of VPN I did write you a mail.

    Now it's possible with:
    https://community.ubnt.com/t5/EdgeMAX-CLI-Basics-Knowledge/EdgeMAX-Add-other-Debian-packages-to-EdgeOS/ta-p/413071

  9. Leon Smalto

    Hi Dave,
    Thank you very much for the time put into this; now I'm a happy camper.
    I did follow this tutorial and I'm up and running.
    eth2 to my modem
    eth0 (LAN) to my computer: working very well
    eth1 (WLAN): can't connect to anything. It shows connected, but when I connect my other PC here I get no internet. Am I missing something here? Please help me.

    Cheers
    Leon

    1. Dave Lasley

      Are you able to ping the EdgeRouter from the computer connected via Wifi (192.168.68.254 if no deviation from the tutorial)? Additionally, is the Wifi Access Point getting an IP?

  10. Guillem Escuder

    Nice tutorial of how to configure the edgerouter.

    I’m doing a project in which I have to connect one or two ISP routers, two laptops and one VoIP phone to the EdgeRouter and then create a VPN from this EdgeRouter to the central office building.

    Can I connect one laptop to the console port to configure the interfaces and all the other things instead of using eth0?

    And I’m having trouble with how to give an internet connection to the laptops (I want to go step by step, VoIP at another moment). The ISP router (which has 4 LAN ports and a wifi connection) has 192.168.1.1 as its IP and it should be connected to eth0. The laptop has to be connected via LAN to the EdgeRouter and receive an IP to have internet access, right? How do I do this?

    If you can help me I would be grateful.

    1. Dave Lasley

      You cannot connect a standard ethernet device directly to the console port, as it is not really an ethernet interface, it is serial. You will need a USB to RJ45 Rollover Console cable for this purpose.

      I’m somewhat unclear on your proposed setup, but it sounds like the ISP router will be passing the internet through to the EdgeRouter? If that is the case, the ISP router would be plugged into eth2 if following this tutorial to the letter.

      It sounds like you have too many routers in this scenario though – I would recommend only having one routing device, then utilizing all other routers as switches (pass-thru) devices instead. Otherwise, you will find yourself running into a lot of issues with double NAT; particularly when the VPN comes into play.

      1. Guillem Escuder

        Ok, yes you are correct, I want the ISP router to do that and the laptops that I connect to the EdgeRouter have internet access.

        In my hands for testing I have only one laptop, one ISP router, the edgeRouter Poe 5 and the VoIP phone.

        Thanks.

        1. Dave Lasley

          Got it – this tutorial isn’t really for you then, as it has the EdgeRouter performing routing duties. You will need to bridge the ports on your EdgeRouter in order to directly pass data to the ISP router. This is not a recommended setup, and will reduce the throughput of your EdgeRouter. It is recommended to use a switch for this purpose.

          If you do want to continue with this setup, I recommend taking a look at this – https://help.ubnt.com/hc/en-us/articles/204952244-EdgeMAX-How-do-I-bridge-eth2-3-and-4-switch0-with-eth1-on-the-EdgeRouter-POE-

          1. Guillem Escuder

            Thank you very much! I will try it, thanks for the info!

  11. Rafael Kitover

    Thank you so much for this.

    After we plugged in the ERL (I was doing this remotely) and I finally got to the utterly atrocious web interface, I spent an hour or two fiddling with things and the dashboard kept saying NAT was disabled.

    Then I figured out that I can ssh into it, and found this post, and typed in the magic commands (adjusted for our config) and the house has internet again.

    I still have a bunch of stuff to configure like firewall, port forwards and DDNS, but at least I have a better idea now how to deal with this thing.

    Thank you.
