- Login to ERL via SSH, go to configure mode
In this section, we will setup our network interfaces per the above physical network diagram. Note that the WAN IP is assigned via DHCP in this configuration.
- eth0 (LAN)
edit interfaces ethernet eth0 set description "LAN" set address 192.168.69.254/24 set duplex auto set speed auto top
- eth1 (WLAN)
edit interfaces ethernet eth1 set description "WLAN" set address 192.168.68.254/24 set duplex auto set speed auto top
- eth2 (WAN – DHCP)
edit interfaces ethernet eth2 set description "WAN" set address dhcp set duplex auto set speed auto top
User Management ∞
This step is to create a new user to replace the default
- Create new user – Note: the plain text password will be encrypted upon commit
edit system login user new_user set authentication plaintext-password "new_pass" set full-name "New User" set level admin top commit
- Logout, then log back in as the new user
- Delete the default
delete system login user ubnt
DHCP Server ∞
Now we will create DHCP servers for the LAN and WLAN subnets. We need to create one server per subnet.
- Global DHCP options
edit service dhcp-server set disabled false set dynamic-dns-update enable true top
- LAN Subnet
edit service dhcp-server shared-network-name LAN_DHCP set authoritative disable edit subnet 192.168.69.0/24 set default-router 192.168.69.254 set dns-server 192.168.69.254 set domain-name dlasley.net set lease 86400 set start 192.168.69.100 stop 192.168.69.200 top
- WLAN Subnet
edit service dhcp-server shared-network-name WLAN_DHCP set authoritative disable edit subnet 192.168.68.0/24 set default-router 192.168.68.254 set dns-server 192.168.68.254 set domain-name dlasley.net set lease 86400 set start 192.168.68.100 stop 192.168.68.200 top
Forward DNS Requests ∞
In the DHCP servers that we just setup, we defined the router address as the primary DNS server. We will now need to enable DNS forwarding on both the LAN and WLAN interfaces in order to support this setting.
- Enable DNS forwarding
edit service dns forwarding set cache-size 1000 set listen-on eth0 set listen-on eth1 top
Dynamic DNS Updater ∞
This process will allow your ERL to automatically update a supported Dynamic DNS service upon WAN DHCP renewal, and is completely optional.
- Create an account with a supported service provider. As of now, they are:
- Set the service provider, login, and password. Modify the service from
dyndnsto your service provider, and the username/password to match your credentials.
edit service dns dynamic interface eth2 service dyndns set login $USERNAME set password $PASSWORD
- Set the hostname to update, modifying my domain for yours. You can also repeat this step for multiple host names.
set host-name $DOMAIN_NAME
- Move back to the top of the config
WAN Masquerading ∞
Now we will need to setup WAN masquerading (to allow local machines access to the internet). If you also need to add port forwarding rules (to allow inbound traffic), check out this tutorial
- Configure NAT rule for WAN Masquerading
edit service nat rule 5000 set description WAN_MASQ set log disable set outbound-interface eth2 set protocol all set type masquerade top
- Now we will configure SNMP settings
edit service snmp set community public authorization ro set contact "David Lasley" set location "Server Room" top
Basic Firewall ∞
We will now configure a basic firewall that is not recommended in a production environment. We will set it up to allow any outbound traffic from LAN, WLAN, or the router itself, but will drop all inbound traffic.
- Set global firewall rules
edit firewall set all-ping enable set broadcast-ping disable set conntrack-expect-table-size 4096 set conntrack-hash-size 4096 set conntrack-table-size 32768 set conntrack-tcp-loose enable set ipv6-receive-redirects disable set ipv6-src-route disable set ip-src-route disable set log-martians enable set receive-redirects disable set send-redirects enable set source-validation disable set syn-cookies enable top
- Create ruleset for WAN->(W)LAN. We will add rules to drop Invalid packets and accept established ones.
edit firewall name WAN_IN set description "Inbound WAN to (W)LAN" set default-action drop set rule 5000 action accept set rule 5000 description "Allow Established/Related" set rule 5000 log disable set rule 5000 protocol all set rule 5000 state established enable set rule 5000 state invalid disable set rule 5000 state new disable set rule 5000 state related enable set rule 5001 action drop set rule 5001 description "Drop Invalid" set rule 5001 log disable set rule 5001 protocol all set rule 5001 state established disable set rule 5001 state invalid enable set rule 5001 state new disable set rule 5001 state related disable top
- Create ruleset for WAN->Local (router). We will add rules to drop Invalid packets and accept established ones. Note that this is basically identical to the last ruleset, except it will be applied to traffic destined for the router
edit firewall name WAN_LOCAL set description "Inbound WAN to Local Router" set default-action drop set rule 5000 action accept set rule 5000 description "Allow Established/Related" set rule 5000 log disable set rule 5000 protocol all set rule 5000 state established enable set rule 5000 state invalid disable set rule 5000 state new disable set rule 5000 state related enable set rule 5001 action drop set rule 5001 description "Drop Invalid" set rule 5001 log disable set rule 5001 protocol all set rule 5001 state established disable set rule 5001 state invalid enable set rule 5001 state new disable set rule 5001 state related disable top
- Add firewall rules to WAN interface
edit interfaces ethernet eth2 firewall set in name WAN_IN set local name WAN_LOCAL top
Define System Settings ∞
Now we will set the system settings such as hostname, nameserver, time zones, etc.
- Hostname & domain name
set system host-name erl-001 set system domain-name dlasley.net
set system name-server 18.104.22.168 set system name-server 22.214.171.124
- Timezone – Timezones can be listed by traversing the directories in
set system time-zone America/Los_Angeles
edit system package set repository wheezy components 'main contrib non-free' set repository wheezy distribution wheezy set repository wheezy url http://http.us.debian.org/debian set repository wheezy-security components main set repository wheezy-security distribution wheezy/updates set repository wheezy-security url http://security.debian.org top
Final Config ∞
Attached is the final configuration that will be generated with this tutorial. I have left the default ubnt/ubnt user in this configuration. You can upload this file to
/config/config.boot using SCP, or follow the directions here to upload via the WebUI.