Andrew Roderos

This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Introduction

This is part two of the How to configure EdgeRouter Lite via CLI blog post. If you haven’t read the part one, you might want to read that first. In part one, I covered what I think are the essential configurations to get a user going in a typical home environment setup. In this post, I will talk about features that I personally use at home at the time of writing. Though, I did include one feature that I turned on for few days and decided to turn it off because of issues that I encountered with it being on.

UPDATE: While there are some security related configurations covered in this series, there are still some security concerns with the configuration. That said, I created the Hardening EdgeRouter Lite series to address some of the security concerns. Please check the links above.

Configure IPv6

I would say that IPv6 in residential networks is relatively new, at least in the US. As far I know (I could be wrong), IPv6 in US residential networks has only been around two to three years. I actually did not know that my ISP (Comcast/Xfinity) has been IPv6 ready for about two years now (fully deployed). In fact, I accidentally found that out when I was troubleshooting my slow download speed connection. Once I found out, I started researching on how to configure it on my router.

My ISP uses prefix delegation, which provides a mechanism for automated delegation of IPv6 prefixes using DHCP. There are two EdgeOS configurations I found that worked for me, but I will only show the one that I think is the best out of the two that I tried.

Pay attention to the prefix-length that you’re asking for. In residential networks, Comcast/Xfinity allows the user to ask for a maximum of 16 x /64 prefixes or /60. In business class accounts, they can ask for /56 or 256 x /64 prefixes.

set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 prefix-id :2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 prefix-id :3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 prefix-id :4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id :5
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac

In addition to the above configurations, you may want to configure the IPv6 forwarding offload feature as well.

set system offload ipv6 forwarding enable

To verify that you received IPv6 addresses, issue the command found in the example below. Below is my sanitized output that shows both IPv4 and IPv6 addresses.

networkjutsu@rtr# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         24.xxx.xxx.xxx/23                  u/u  WAN
             2001:xxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx/128
eth1         192.168.0.1/24                    u/u  LAN0
             2601:xxx:xxxx:xxx1::1/64
eth1.2       192.168.1.1/24                    u/u  LAN1
             2601:xxx:xxxx:xxx2::1/64
eth1.99      192.168.99.1/24                   u/u  MGMT
             2601:xxx:xxxx:xxx3::1/64
eth1.100     192.168.100.1/24                  u/u  SERVER
             2601:xxx:xxxx:xxx4::1/64
eth2         192.168.2.1/24                    u/u  LAN2
             2601:xxx:xxxx:xxx5::1/64
lo           127.0.0.1/8                       u/u
             ::1/128

If you do not get an IPv6 address, use the following commands to force DHCPv6 renew.

release dhcpv6-pd interface eth0
delete dhcpv6-pd duid
renew dhcpv6-pd interface eth0

Here’s a better way to verify that the configuration actually worked.

networkjutsu@rtr# ping6 google.com
PING google.com(nuq04s29-in-x0e.1e100.net) 56 data bytes
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=1 ttl=56 time=10.9 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=2 ttl=56 time=10.7 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=3 ttl=56 time=10.4 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=4 ttl=56 time=11.5 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 10.480/10.934/11.528/0.355 ms
Mac-mini:~ Andrew$ ping6 netflix.com
PING6(56=40+8+8 bytes) 2601:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx --> 2620:108:700f::36f5:f31c
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=0 hlim=49 time=30.402 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=1 hlim=49 time=29.224 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=2 hlim=49 time=29.088 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=3 hlim=49 time=29.029 ms
^C
--- netflix.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 29.029/29.436/30.402/0.562 ms

Configure sub-interfaces

As you can see above, I have few sub-interfaces configured. There used to be a DMZ configured but I moved it to a pfSense virtual machine. I actually talked a little about it here.

set interfaces ethernet eth1 vif 2 address 192.168.1.1/24
set interfaces ethernet eth1 vif 2 description "LAN1"
set interfaces ethernet eth1 vif 2 mtu 9000
set interfaces ethernet eth1 vif 99 address 192.168.99.1/24
set interfaces ethernet eth1 vif 99 description "MGMT"
set interfaces ethernet eth1 vif 99 mtu 9000
set interfaces ethernet eth1 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 100 description "SERVER"
set interfaces ethernet eth1 vif 100 mtu 9000

VLAN offload feature is supported in EdgeRouter Lite so you may want to turn that on.

set system offload ipv4 vlan enable

Configure Firewall

In this section, I am still sticking with the ACL-style firewall configuration instead of the Zone-based firewall (ZBF/ZBFW) configuration. In this firewall configuration example, I am blocking a couple of /8 networks that repeatedly brute force attacked my Linux computer. Also, I disabled the auto firewall feature.

set port-forward auto-firewall disable
set firewall group network-group SSH-ATTACKERS description "Known Brute Force SSH Attackers"
set firewall group network-group SSH-ATTACKERS network 103.0.0.0/8
set firewall group network-group SSH-ATTACKERS network 104.0.0.0/8
set firewall name WAN-IN default-action drop
set firewall name WAN-IN description "WAN IPv4 inbound traffic to LAN"
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Deny Invalid"
set firewall name WAN-IN rule 1 log enable
set firewall name WAN-IN rule 1 state invalid enable
set firewall name WAN-IN rule 2 action drop
set firewall name WAN-IN rule 2 description "Deny SSH Attackers"
set firewall name WAN-IN rule 2 destination port 22
set firewall name WAN-IN rule 2 log enable
set firewall name WAN-IN rule 2 protocol tcp
set firewall name WAN-IN rule 2 source group network-group SSH-ATTACKERS
set firewall name WAN-IN rule 3 action accept
set firewall name WAN-IN rule 3 description "Allow SSH to Linux Computer"
set firewall name WAN-IN rule 3 destination port 22
set firewall name WAN-IN rule 3 log enable
set firewall name WAN-IN rule 3 protocol tcp
set firewall name WAN-IN rule 4 action accept
set firewall name WAN-IN rule 4 description "Allow established/related state"
set firewall name WAN-IN rule 4 log disable
set firewall name WAN-IN rule 4 state established enable
set firewall name WAN-IN rule 4 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN

Alternatively, if you do not want to manually add networks to the list then you can configure a different rule set. With this rule set, it will basically match recently seen sources to help prevent brute force attack for certain amount of time.

In this example, it will limit SSH connection attempts from the same source to three attempts within one week. I actually have Fail2Ban installed on my Linux box that handles anything that goes through, which was covered here. That’s a better solution in my opinion. However, I believe the best solution to prevent SSH brute force attack is to implement the use of SSH key authentication and disable password authentication.

set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Prevent SSH brute force attack"
set firewall name WAN-IN rule 1 protocol tcp
set firewall name WAN-IN rule 1 destination port 22
set firewall name WAN-IN rule 1 state new enable
set firewall name WAN-IN rule 1 recent count 3
set firewall name WAN-IN rule 1 recent time 604800

Since I configured IPv6, I also need to make sure my firewall is turned on. Since I do not have any external facing servers using IPv6, my firewall is configured with a basic firewall rule. I didn’t use the BOGON filter in this case because it’s a very long list and it could potentially slow down the router.

set firewall ipv6-name WAN6-IN default-action drop
set firewall ipv6-name WAN6-IN description "WAN IPv6 inbound traffic to LAN"
set firewall ipv6-name WAN6-IN enable-default-log
set firewall ipv6-name WAN6-IN rule 1 action accept
set firewall ipv6-name WAN6-IN rule 1 description "Allow established/related state"
set firewall ipv6-name WAN6-IN rule 1 state established enable
set firewall ipv6-name WAN6-IN rule 1 state related enable
set firewall ipv6-name WAN6-IN rule 2 action drop
set firewall ipv6-name WAN6-IN rule 2 description "Deny invalid state"
set firewall ipv6-name WAN6-IN rule 2 state invalid enable
set firewall ipv6-name WAN6-LOCAL default-action drop
set firewall ipv6-name WAN6-LOCAL description "WAN IPv6 inbound traffic to the router"
set firewall ipv6-name WAN6-LOCAL enable-default-log
set firewall ipv6-name WAN6-LOCAL rule 1 action accept
set firewall ipv6-name WAN6-LOCAL rule 1 description "Allow established/related state"
set firewall ipv6-name WAN6-LOCAL rule 1 state established enable
set firewall ipv6-name WAN6-LOCAL rule 1 state related enable
set firewall ipv6-name WAN6-LOCAL rule 2 action accept
set firewall ipv6-name WAN6-LOCAL rule 2 description "Allow DHCPv6"
set firewall ipv6-name WAN6-LOCAL rule 2 destination port 546
set firewall ipv6-name WAN6-LOCAL rule 2 protocol udp
set firewall ipv6-name WAN6-LOCAL rule 2 source port 547
set firewall ipv6-name WAN6-LOCAL rule 3 action accept
set firewall ipv6-name WAN6-LOCAL rule 3 description "Allow ICMPv6"
set firewall ipv6-name WAN6-LOCAL rule 3 protocol icmp6
set firewall ipv6-name WAN6-LOCAL rule 4 action drop
set firewall ipv6-name WAN6-LOCAL rule 4 description "Deny invalid state"
set firewall ipv6-name WAN6-LOCAL rule 4 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set interfaces ethernet eth0 firewall in ipv6-name WAN6-IN
set interfaces ethernet eth0 firewall local ipv6-name WAN6-LOCAL

Configure Remote Access VPN

In this section, I will only cover the configuration for L2TP over IPsec. The OpenVPN feature is also available in EdgeOS but it’s not covered here because I prefer L2TP/IPsec than OpenVPN.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username networkjutsu password your-unique-password-here
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.1.190
set vpn l2tp remote-access client-ip-pool stop 192.168.1.200
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 192.168.1.10
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret your-pre-shared-key-here
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1420

If you have static WAN IP address then the configuration will be something like the one below.

set vpn l2tp remote-access outside-address 1.1.1.10
set vpn l2tp remote-access outside-nexthop 1.1.1.1

Firewall needs to be configured as well or it won’t work. The example below will modify the existing firewall configuration in part one.

set firewall name WAN-LOCAL rule 3 action accept
set firewall name WAN-LOCAL rule 3 description "Allow NAT-T"
set firewall name WAN-LOCAL rule 3 destination port 4500
set firewall name WAN-LOCAL rule 3 log enable
set firewall name WAN-LOCAL rule 3 protocol udp
set firewall name WAN-LOCAL rule 4 action accept
set firewall name WAN-LOCAL rule 4 description "Allow ESP"
set firewall name WAN-LOCAL rule 4 log enable
set firewall name WAN-LOCAL rule 4 protocol 50
set firewall name WAN-LOCAL rule 5 action accept
set firewall name WAN-LOCAL rule 5 description "Allow L2TP"
set firewall name WAN-LOCAL rule 5 destination port 1701
set firewall name WAN-LOCAL rule 5 log enable
set firewall name WAN-LOCAL rule 5 protocol udp
set firewall name WAN-LOCAL rule 6 action accept
set firewall name WAN-LOCAL rule 6 description "Allow IKE"
set firewall name WAN-LOCAL rule 6 destination port 500
set firewall name WAN-LOCAL rule 6 log enable
set firewall name WAN-LOCAL rule 6 protocol udp
set firewall name WAN-LOCAL rule 7 action accept
set firewall name WAN-LOCAL rule 7 description "Allow Established"
set firewall name WAN-LOCAL rule 7 log disable
set firewall name WAN-LOCAL rule 7 protocol all
set firewall name WAN-LOCAL rule 7 state established enable
set firewall name WAN-LOCAL rule 7 state related enable

The IPsec offload feature is supported as well so make sure to turn that on.

set system offload ipsec enable

Here’s a screenshot of my iPhone connected to my home’s network using VPN.

Here’s how to view who is connected to the network using VPN.

networkjutsu@rtr# run show vpn remote-access
Active remote access VPN sessions:
User         Time      Proto Iface  Remote IP       TX pkt/byte   RX pkt/byte
----------   --------- ----- -----  --------------- ------ ------ ------ ------
networkjutsu 00h04m11s L2TP  l2tp0  192.168.1.190       8   1.5K      9    320
Total sessions: 1

Configure SNMP

If you like to configure SNMPv2 to monitor your EdgeRouter then use the following configuration. If you are interested in free SNMP monitoring software then check out PRTG, Spiceworks, Nagios, Cacti, etc. I tried PRTG and it was relatively easy to configure. That was the only free SNMP monitoring software that I tried.

set service snmp community community-name-here authorization ro
set service snmp community community-name-here client 192.168.100.50
set service snmp contact contact-name-here
set service snmp description "My Router"

The client line shown above acts as an ACL so that only certain IP’s are able to contact the EdgeRouter via SNMP.

Configure NetFlow

I configured NetFlow and ran it for about two to three days. Then, I noticed every time I was connected to my home network via VPN the RDP session keeps pausing in X amount of minutes. Then, my bandwidth monitor shows that I was only getting between 60 to 80 Mbps download out of 150 Mbps that I pay for. At first, I thought it was my ISP throttling me down. But, after several minutes of troubleshooting, I found out that NetFlow was the culprit of my slow download speeds and the issue with RDP. Having said that, I do not recommend turning NetFlow on unless Ubiquiti finds a way to use the offload feature so the CPU wouldn’t spike to 100% – YMMV (your mileage may vary). I just included it for completeness sake of what configurations that I’ve used and/or using on my EdgeRouter Lite so far.

set system flow-accounting interface eth0
set system flow-accounting netflow engine-id 0
set system flow-accounting netflow server 192.168.100.50 port 2055
set system flow-accounting netflow version 9
!EdgeRouter supports NetFlow version 1, 5 (default), 9, and 10.

Update: The configuration below may help with NetFlow. I have not tested it yet, though.

set system flow-accounting netflow timeout max-active-life 604800
set system flow-accounting netflow timeout flow-generic 3600
set system flow-accounting netflow timeout tcp-fin 300
set system flow-accounting netflow timeout tcp-generic 3600
set system flow-accounting netflow timeout tcp-rst 120
set system flow-accounting netflow timeout icmp 300
set system flow-accounting netflow timeout udp 300

Below are two screenshots of what PRTG stats collected before and after turning off NetFlow on my EdgeRouter Lite.

Configure System Packages

As mentioned in my “Ubiquiti’s EdgeOS CLI Introduction” blog post, EdgeOS is a fork and port of Vyatta Core. Since Vyatta Core is built in Debian-based Linux, one can also configure EdgeOS to download Debian packages. The repo in the example below is US-repository, if you need other repo then visit this site.

Note: Do not use apt-get upgrade and/or apt-get dist-upgrade because some of the packages are customized by Ubiquiti and could potentially break something.

set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url 'http://http.us.debian.org/debian'
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url 'http://security.debian.org'

I actually haven’t installed any packages yet but I’ve used it to update the system. Be aware that if you chose to enable IPv6, it seems to break apt-get since it prefers to use IPv6 and it does not reach the repo servers for whatever reason. Having said that, force apt-get to update using IPv4.

networkjutsu@rtr:~$ sudo echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4
Acquire::ForceIPv4 "true";
networkjutsu@rtr:~$ sudo apt-get update
Get:1 http://security.debian.org wheezy/updates Release.gpg [1554 B]
Get:2 http://security.debian.org wheezy/updates Release [102 kB]
Hit http://http.us.debian.org wheezy Release.gpg
Hit http://http.us.debian.org wheezy Release
Get:3 http://security.debian.org wheezy/updates/main mips Packages [333 kB]
Hit http://http.us.debian.org wheezy/main mips Packages
Get:4 http://security.debian.org wheezy/updates/main Translation-en [202 kB]
Hit http://http.us.debian.org wheezy/contrib mips Packages
Hit http://http.us.debian.org wheezy/non-free mips Packages
Hit http://http.us.debian.org wheezy/contrib Translation-en
Hit http://http.us.debian.org wheezy/main Translation-en
Hit http://http.us.debian.org wheezy/non-free Translation-en
Fetched 638 kB in 18s (34.0 kB/s)
Reading package lists... Done

Once everything is configured, do not forget to commit and save the changes by issuing the commit;save command.

Final Words

I really like EdgeRouter Lite for my home environment even though there are things that still need improvements. It does what I need it to do as a router and it is way more advanced than the SOHO routers I’ve used in the past. Yes, it lacks wireless so one will need an access point (AP) for wireless connectivity. If you have an existing SOHO router, check and see if it has the AP-only mode feature. My Netgear WNDR3800 actually allows me to configure it as an AP mode rather than using it as a router. It also allows me to use the switch ports as well, which means I could connect more devices to my route.

References

Convince apt-get *not* to use IPv6 method
Version 1.6.0 IPv6 Comcast
EdgeMAX – Set up L2TP over IPsec VPN server

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Introduction

In my previous blog post, I talked about the basics of EdgeOS CLI. If you are new to EdgeOS CLI, then I recommend that you to head over there to learn the basics.

This is a two-part series on how to configure EdgeRouter Lite in a home environment using the command line interface. Part one will mostly focus on what I think is a typical home environment (US only) with optional configurations. The configurations covered here should be enough to get a home user going.

Part two will talk about mostly my configuration, which I think is not a typical home network setup. Though, I am not doing a lot of fancy stuff with my router. Mostly, just adding functionality for my wants and/or needs.

UPDATE: While there are some security related configurations covered in this series, there are still some security concerns with the configuration. That said, I created the Hardening EdgeRouter Lite series to address some of the security concerns. Please check the links above.

Logging in the first time

When you connect to the router via console or SSH, you will be prompted to log in with the the factory default account, which is ubnt/ubnt. Once logged in, you will be presented with a prompt like the one below.

Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
Last login: Wed Mar 16 19:48:55 2016 from 192.168.1.200
ubnt@ubnt:~$

Managing Accounts

At a minimum, change the default password to something not easy to guess and it must not be in the dictionary so it won’t be easily compromised. Preferably, create a new administrator account then use it going forward. Once the new admin account is set up, delete the default account.

To create a new account, issue the following commands below. Do not worry about the plaintext part of the syntax. Once the configuration has been committed, it will automatically change it to an encrypted password.

set system login user andrew authentication plaintext-password passwordhere
commit
networkjutsu@rtr# show system login user andrew
 authentication {
 encrypted-password $6$Y/qNTwje6aKGB$Wx3zu/X410vdHLZuAWbh5Py9PMmFPMKFNA5lXC6L7sSZuHK.dliuQShrvC.1DkqISqjFDPfxJ.5yJ2P8Cq7or0
 plaintext-password ""
 }
[edit]

Commands below are optional. By default, the newly created account is an administrator.

delete system login user andrew authentication plaintext-password
set system login user andrew level admin
networkjutsu@rtr# show system login user andrew
 authentication {
 encrypted-password $6$Y/qNTwje6aKGB$Wx3zu/X410vdHLZuAWbh5Py9PMmFPMKFNA5lXC6L7sSZuHK.dliuQShrvC.1DkqISqjFDPfxJ.5yJ2P8Cq7or0
 }
 level admin
[edit]

If you want this user to be read-only, then make the user account as an operator.

set system login user andrew level operator
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
andrew@rtr:~$ configure
Invalid command
andrew@rtr:~$ show configuration
Must be an admin user to run this command.

Delete the default user account. You may want delete the /home directory as well, since EdgeOS seems to keep it for whatever reason.

delete system login user ubnt
commit
networkjutsu@rtr:~$ ls /home
networkjutsu  ubnt
networkjutsu@rtr:~$ sudo rm -r /home/ubnt
networkjutsu@rtr:~$ ls /home
networkjutsu
networkjutsu@rtr:~$

System Related Configuration

This section talks about everything system related, like DNS, NTP, time zone, etc. The configuration statements below shows how to configure the domain name of the router, desired host name, DNS server, time zone, and NTP servers. The NTP statements below are set by default.

set system domain-name networkjutsu.local
set system host-name rtr
set system time-zone America/Los_Angeles
set system name-server 192.168.1.10
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org

For routers that have hardware acceleration feature, it is a good idea to turn them on. The hardware acceleration feature allows the EdgeRouter to hit 1 Mpps with a throughput close to 1 Gbps – claim by Ubiquiti and tested by third party. If the hardware offload is turned off, then the performance will suffer in certain scenarios. Though, if you experience weird network issues, then you may want to turn it off as part of troubleshooting.

The traffic analysis configuration is optional. Traffic analysis uses deep packet inspection (DPI) which allows EdgeOS to know what applications are traversing the router and integrate it with the traffic analysis feature so users can see which IP addresses are using the most bandwidth and what application. Not all applications will be categorized properly.

set system offload ipv4 forwarding enable
set system traffic-analysis dpi enable
set system traffic-analysis export enable

Best practice is to create a banner to warn users, whether authorized or not, that activity might be logged and letting them know that they could get in trouble by accessing or modifying the system, etc.

set system login banner pre-login "********************************************************************\n*                                                                  *\n* * * *                    NETWORKJUTSU                      * * * *\n* * * *                   WARNING NOTICE:                    * * * *\n*   This system is restricted solely to NetworkJutsu authorized    *\n*   users for legitimate business purposes only. The actual or     *\n*   attempted unauthorized access, use, or modification of this    *\n*   system is strictly prohibited by NetworkJutsu. Unauthorized    *\n*   users are subject to disciplinary proceedings and/or           *\n*   criminal and civil penalties under state, federal, or other    *\n*   domestic and foreign laws. The use of this system may be       *\n*   monitored and recorded for administrative and security reasons *\n*   Anyone accessing this system expressly consents to such        *\n*   monitoring and is advised that if monitoring reveals possible  *\n*   evidence of criminal activity, NetworkJutsu may provide the    *\n*   evidence of such activity to law enformencent officials. All   *\n*   users must comply with NetworkJutsu instructions regarding the *\n*   protection of NetworkJutsu information assets.                 *\n*                                                                  *\n********************************************************************\n"

Configure WAN

I subscribe to Comcast/Xfinity’s Residential High Speed Cable Internet service. That said, I get dynamic IP address so my interface is set to DHCP.

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet

Configure LAN

I use all three interfaces at home and all of them are in separate subnets. Some people have used the last interface as bridge mode, which act as another switch port. Personally, I would not do this since it doesn’t run on hardware and can cause the router to perform worse in certain situations.

set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 mtu 9000

The MTU setting is optional but I like to set mine to Jumbo Frame so it is set to 9000 bytes. By default, it uses 1500 bytes.

Configure PAT

I do not have business class Internet service so I only have one public IP address. This is majority of the setup in the US with non-business Internet service and I would assume some parts of the world as well. That said, we’ll need to configure PAT (Port Address Translation).

set service nat rule 5000 description PAT
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade

Configure Port Forwarding

The port-forward command seems to be an EdgeOS implementation only. I did a quick search on Vyatta 6.3 documentation and did not find that command. This is probably not a very common setup in a home environment so treat these commands as optional or configure them in case you need it in the future.

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward wan-interface eth0

The port forwarding rule below is allowing Internet users to connect to a Linux computer running OpenSSH server.

set port-forward rule 1 description "Linux Computer"
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 forward-to port 22
set port-forward rule 1 original-port 22
set port-forward rule 1 protocol tcp

Configure Services

There are few services that you may need so that everything will work smoothly. First one on the list is DHCP services.

set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.10
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name networkjutsu.local
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200

Next one is DNS forwarding services. This configuration statements direct the system to forward DNS requests to name servers configured on the router. I believe the default DNS cache is set to 128 entries.

set service dns forwarding cache-size 128
set service dns forwarding listen-on eth2
set service dns forwarding listen-on eth1

SSH is enabled by default and uses its default protocol and port (tcp/22). I am, however, unsure if the protocol version was set to version 2. To be on the safe side, just issue to the command to change it to version 2. Protocol version 1 has a lot of security flaws and should not be used.

set service ssh port 22
set service ssh protocol-version v2

If you use UPnP at home then use the following commands. Personally, I would disable this.

set service upnp listen-on eth1 outbound-interface eth0
set service upnp listen-on eth2 outbound-interface eth0

Configure Basic Firewall

The firewall configuration can be pretty simple. With the set port-forward auto-firewall enable command, Ubiquiti made even simple for any users since it will automatically add firewall rules if the user creates port forwarding rule(s).

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN-IN default-action drop
set firewall name WAN-IN description "From Internet traffic to LAN"
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Deny Invalid"
set firewall name WAN-IN rule 1 log enable
set firewall name WAN-IN rule 1 state invalid enable
set firewall name WAN-IN rule 3 action accept
set firewall name WAN-IN rule 3 description "Allow established/related state"
set firewall name WAN-IN rule 3 log disable
set firewall name WAN-IN rule 3 state established enable
set firewall name WAN-IN rule 3 state related enable
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL description "From Internet traffic to the router"
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 1 action drop
set firewall name WAN-LOCAL rule 1 description "Drop invalid state"
set firewall name WAN-LOCAL rule 1 log disable
set firewall name WAN-LOCAL rule 1 state invalid enable
set firewall name WAN-LOCAL rule 3 action accept
set firewall name WAN-LOCAL rule 3 description "Allow Established"
set firewall name WAN-LOCAL rule 3 log disable
set firewall name WAN-LOCAL rule 3 state established enable
set firewall name WAN-LOCAL rule 3 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL
set firewall receive-redirects disable
set firewall send-redirects disable
set firewall source-validation disable
set firewall syn-cookies enable

While the configuration above is good enough. I recommend to add the following rules as well. These IPs should not be coming from the Internet anyway so why not block them?

set firewall group network-group BOGON network 0.0.0.0/8
set firewall group network-group BOGON network 10.0.0.0/8
set firewall group network-group BOGON network 100.64.0.0/10
set firewall group network-group BOGON network 127.0.0.0/8
set firewall group network-group BOGON network 169.254.0.0/16
set firewall group network-group BOGON network 172.16.0.0/12
set firewall group network-group BOGON network 192.0.0.0/24
set firewall group network-group BOGON network 192.0.2.0/24
set firewall group network-group BOGON network 192.168.0.0/16
set firewall group network-group BOGON network 192.18.0.0/15
set firewall group network-group BOGON network 198.51.100.0/24
set firewall group network-group BOGON network 203.0.113.0/24
set firewall group network-group BOGON network 224.0.0.0/4
set firewall group network-group BOGON network 240.0.0.0/4
set firewall name WAN-IN rule 2 action drop
set firewall name WAN-IN rule 2 description "Drop BOGON source"
set firewall name WAN-IN rule 2 source group network-group BOGON
set firewall name WAN-LOCAL rule 2 action drop
set firewall name WAN-LOCAL rule 2 description "Drop BOGON source"
set firewall name WAN-LOCAL rule 2 source group network-group BOGON

Once everything is configured, do not forget to commit and save the changes by issuing the commit;save command.

Final Words

The configuration listed here should be enough for majority of the home users. If you are an advanced user and/or IT professional, you may want to consider reading the part two. Though, not every advanced features are covered – only the ones I personally use at the time of writing.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Introduction

I talked about EdgeRouter Lite in my previous blog here but I did not talk about the Web UI or CLI at all. In this blog post, I will share the basic use of the EdgeOS command line interface (CLI).

The Network Operating System (NOS) used by Ubiquiti on their EdgeRouter series is called EdgeOS – a fork and port of Vyatta Core 6.3. In fact, one of the developers of EdgeOS came from Vyatta that worked closely with the VyOS main developer, which is another fork of Vyatta Core.

I’ve never touched Vyatta so I am still a newbie with EdgeOS. I am, however, familiar with Junos OS and EdgeOS has that similar look and feel to it. The set and show commands are very similar to Junos OS. Any users who are only familiar with IOS/NX-OS might feel a little lost but ? is helpful, just like in Cisco.

Accessing CLI

There are three ways on how to access the CLI on EdgeRouter series. The first one is by using the console port. The console port is set differently than a lot of networking devices that I’ve used so one shouldn’t expect that their saved console profile used for Cisco would work on EdgeRouter series. The key difference is the baud rate which is set to 115200.

The second way of accessing the CLI is by using the Web UI, as shown below. Personally, I do not like accessing it via the Web UI because I cannot copy and paste configurations and I have to log in twice just to access the CLI.

The third way of accessing the CLI is by using SSH – enabled by default. This is the most common and preferred way of accessing networking devices.

Note: My Mac mini has an alias called rtr that I use to connect to my router, which makes it easier to type than ssh networkjutsu@rtr command.

Mac-mini:~ Andrew$ rtr
********************************************************************
*                                                                  *
* * * *                    NETWORKJUTSU                      * * * *
* * * *                   WARNING NOTICE:                    * * * *
*   This system is restricted solely to NetworkJutsu authorized    *
*   users for legitimate business purposes only. The actual or     *
*   attempted unauthorized access, use, or modification of this    *
*   system is strictly prohibited by NetworkJutsu. Unauthorized    *
*   users are subject to disciplinary proceedings and/or           *
*   criminal and civil penalties under state, federal, or other    *
*   domestic and foreign laws. The use of this system may be       *
*   monitored and recorded for administrative and security reasons *
*   Anyone accessing this system expressly consents to such        *
*   monitoring and is advised that if monitoring reveals possible  *
*   evidence of criminal activity, NetworkJutsu may provide the    *
*   evidence of such activity to law enformencent officials. All   *
*   users must comply with NetworkJutsu instructions regarding the *
*   protection of NetworkJutsu information assets.                 *
*                                                                  *
********************************************************************
networkjutsu@rtr.networkjutsu.local's password:
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
Last login: Sat Apr  9 13:50:05 2016 from 192.168.1.200
networkjutsu@rtr:~$

Command Modes

When a user first logs in to the router, he/she is in operational mode. The dollar sign prompt is an indicator that the user is in operational mode. For the people who are only familiar with Cisco IOS, the operational mode is essentially the User EXEC mode. It provides access to operational commands for showing and clearing information, enabling or disabling debug commands, configuring terminal settings, loading and saving configuration, and restarting the router. The example below shows the commands available in operational mode.

networkjutsu@rtr:~$ ?
Possible completions:
  add           Add an object to a service
  clear         Clear system information
  configure     Enter configure mode
  connect       Establish a connection
  copy          Copy data
  debug         Enable debugging of specified routing protocol
  delete        Delete a file
  disconnect    Take down a connection
  generate      Generate an object
  initial-setup Enter initial configuration dialog
  no            Disable or reset operational variable
  ping          Send Internet Control Message Protocol (ICMP) echo request
  ping6         Send IPv6 Internet Control Message Protocol (ICMP) echo request
  reboot        Reboot the system
  release       Release specified variable
  rename        Re-name something.
  renew         Renew specified variable
  reset         Reset a service
  restart       Restart a service
  set           Set system or shell options
  show          Show system information
  shutdown      Shutdown the system
  telnet        Telnet to <hostname|IPv4 address>
  terminal      Control terminal behaviors
  traceroute    Track network path to <hostname|IPv4 address>
  traceroute6   Track network path to <hostname|IPv6 address>
  update        Run an update command

To enter configuration mode, enter configure command. To exit the configuration mode, enter exit command.

networkjutsu@rtr:~$ configure
[edit]
networkjutsu@rtr# exit
exit
networkjutsu@rtr:~$

For users who are familiar with Junos OS, I would assume that they noticed the [edit] prompt section. That prompt indicates where the user is at in the hierarchical configuration tree. The example below shows the commands available in the configuration mode.

networkjutsu@rtr# ?
Possible completions:
  confirm       Confirm prior commit-confirm
  comment       Add comment to this configuration element
  commit        Commit the current set of changes
  commit-confirm
                Commit the current set of changes with 'confirm' required
  compare       Compare configuration revisions
  copy          Copy a configuration element
  delete        Delete a configuration element
  discard       Discard uncommitted changes
  edit          Edit a sub-element
  exit          Exit from this configuration level
  load          Load configuration from a file and replace running configuration
  loadkey       Load user SSH key from a file
  merge         Load configuration from a file and merge running configuration
  rename        Rename a configuration element
  rollback      Rollback to a prior config revision (requires reboot)
  run           Run an operational-mode command
  save          Save configuration to a file
  set           Set the value of a parameter or create a new element
  show          Show the configuration (default values may be suppressed)

Command Completion

Majority, if not all, of the NOS out there provide command completion feature to save keystrokes. However, in Cisco IOS/NX-OS, typing the first few characters of a command is fine as long as it does not match any other commands. In EdgeOS, it will give an error message to the user when the command is not fully spelled out. I find this very annoying because I am so used to just typing the first few characters of the commands without hitting Tab key in Cisco IOS/NX-OS.

networkjutsu@rtr:~$ sh conf
sh: conf: No such file or directory
networkjutsu@rtr:~$ show config
Possible completions:
 configuration Show running configuration

Viewing Configuration

Displaying the configuration on EdgeOS can be done in both operational and configuration mode. The difference between the two are the available options. In the operational mode, viewing just a section of configuration tree is not as easy compared to the configuration mode because the user has to know the commands. In configuration mode, the Tab or ? key is available to guide the users on what command they are looking for.

What is nice about viewing the configuration in operational mode is the option to see the configuration in a set format compared to tree structure format. This doesn’t seem like it is available in configuration mode. In Junos OS, this can be accomplished easily by using the show | display set command. By displaying the set format, it makes it easy to save a text file for template purposes.

networkjutsu@rtr:~# run show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGON {
            network 0.0.0.0/8
<-- Output omitted for brevity -->
networkjutsu@rtr:~# run show configuration commands | match "firewall group network-group BOGON"
set firewall group network-group BOGON network 0.0.0.0/8
<-- Output omitted for brevity -->

Notice that the command was ran under the configuration mode but with the run command in front of the operational mode commands. EdgeOS allows the users to issue operational mode commands under configuration mode if they do not wish to exit out of it. This is the same as the do command in Cisco IOS.

The example below shows how to display the whole configuration and by section using in the configuration mode.

networkjutsu@rtr# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         network-group BOGON {
             network 0.0.0.0/8
<-- Output omitted for brevity -->
networkjutsu@rtr# show firewall group network-group BOGON
 network 0.0.0.0/8
<-- Output omitted for brevity -->

Adding or Modifying Configuration

Adding and/or modifying configuration changes to the router is done by issuing the set command in configuration mode. Though, I also noticed that there are a couple of configurable items in operational mode as well.

networkjutsu@rtr:~$ set
Possible completions:
  <OPTION>      Bash builtin set command
  date          Set date and time
  system        Set system operational parameters
networkjutsu@rtr#
Possible completions:
  confirm	Confirm prior commit-confirm
  comment	Add comment to this configuration element
  commit	Commit the current set of changes
  commit-confirm
  		Commit the current set of changes with 'confirm' required
  compare	Compare configuration revisions
  copy		Copy a configuration element
  delete	Delete a configuration element
  discard	Discard uncommitted changes
  edit		Edit a sub-element
  exit		Exit from this configuration level
  load		Load configuration from a file and replace running configuration
  loadkey	Load user SSH key from a file
  merge		Load configuration from a file and merge running configuration
  rename	Rename a configuration element
  rollback	Rollback to a prior config revision (requires reboot)
  run		Run an operational-mode command
  save		Save configuration to a file
  set		Set the value of a parameter or create a new element
  show		Show the configuration (default values may be suppressed)
[edit]

If the user wants to view the configuration changes made so far then this can be done in two ways: using the show and compare command. Personally, I would use the latter command especially when I’ve done a lot of configuration changes because using the previous command requires to either show the whole configuration or specific configuration tree.

networkjutsu@rtr# set system host-name EdgeRouterLite
[edit]
networkjutsu@rtr# show system host-name
>host-name EdgeRouterLite
[edit]
networkjutsu@rtr# compare
[edit service]
+lldp {
+}
[edit system]
>host-name EdgeRouterLite
[edit]

As one may have noticed, the plus sign (+) next to the lldp means that this statement has been added to the configuration, but the configuration change hasn’t been committed yet. The right angle bracket (>) means that a running configuration statement was modified. In this case, the host name was changed from rtr to EdgeRouterLite.

Deleting Configuration

In Cisco IOS and NX-OS, the no command is how to negate the configuration statement(s). In EdgeOS, the delete command is used to negate the configuration statement(s).

networkjutsu@rtr# delete interfaces ethernet eth1 address 192.168.0.1/24
[edit]
networkjutsu@rtr# compare
[edit interfaces ethernet eth1]
-address 192.168.0.1/24
[edit]

The minus sign (-) next to the address means that the statement has been deleted from the configuration, but the configuration change hasn’t been committed yet.

Discarding Configuration

Let’s say the user made a mistake and needed to back out of the changes quick. For example, the user incorrectly made changes to a wrong router and quickly realized it. The user could use the delete command but may take few minutes to type all of the commands. Luckily, EdgeOS provides a way to discard all of the uncommitted changes.

networkjutsu@rtr# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
networkjutsu@rtr# exit discard
exit
networkjutsu@rtr:~$

Another way of discarding changes without exiting is by using the discard command.

networkjutsu@rtr# compare
[edit system]
>host-name Router
[edit]
networkjutsu@rtr# discard
Changes have been discarded
[edit]

Committing Configuration Changes

One of the differences between Junos OS and Cisco IOS/NX-OS is that changes made on the latter takes effect right away. In Junos OS, or any NOS that is similar to it, any configuration changes do not take effect until the user issue the commit command.

networkjutsu@rtr# commit
[ service lldp ]
Starting lldpd...
[edit]

Saving Configuration

If one wants to keep all of the configuration changes even after reboot then use the save command. By default, the configuration is saved to /config directory. The example below shows how to commit and save the configuration in one line.

networkjutsu@rtr# delete service lldp
[edit]
networkjutsu@rtr# commit;save
[ service lldp ]
Stopping lldpd...
Saving configuration to '/config/config.boot'...
Done
[edit]

Thoughts

It is understandable that a user would feel intimidated configuring a device on CLI if he/she is unfamiliar with the command syntax. While EdgeOS’ Web UI has come a long way, a lot of the features are still only configurable under CLI so one should get comfortable using it. I am sure that Ubiquiti has plans to keep adding features that are configurable using the Web UI but it is probably safe to assume that it won’t be for quite some time.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

This blog post is the very first part of a series on EdgeRouter Lite. You may want to check them all out!

Introduction

TL;DR: Looking for a home router with some SMB/Enterprise features and not afraid of using CLI? Buy the EdgeRouter Lite.

A few months ago, I bought the EdgeRouter Lite. Before buying the router, I was running Palo Alto Networks PA-200 for a few months to play with it but I was not happy with the throughput I was getting when everything was turned on (App-ID, Threat Prevention, PAN-DB URL filtering, etc). My 150 Mbps download went down to around 50 Mbps. To be fair, Palo Alto Networks does list it accurately in their hardware spec sheet. While I could’ve turned everything off and stick with the PA-200, I wanted to move it to the side and just make it a home lab device. To fully play with the PA-200 and other stuff on my plate, I wanted to redesign my home network; hence, the purchase of EdgeRouter Lite and TP-LINK TL-SG2008.

Specifications

For $99 (MSRP), the router provides a lot of features that I will never use at home. The official spec sheet is located here but for your convenience, I’ve listed some of its specs below. There is a lower end Ubiquiti router for $49, EdgeRouter X. This is perfect for those looking for low budget router with some SMB/enterprise features. It offers the same software capabilities but the biggest difference is under the hood. The EdgeRouter X only has 256 MB RAM, 256 MB code storage, and the processor is different and could affect performance because it does not have the same hardware accelerated features of EdgeRouter Lite. While the processor does have some hardware accelerated features (e.g. HW NAT), I believe it is still not supported by EdgeOS at this time of writing (hardware acceleration on EdgeRouter X has been supported since v1.8.5). The things that are hardware accelerated in the EdgeRoute Lite are found here.

Hardware:

Max Power Consumption: 7W
Interfaces: (1) RJ45 Serial Port and (3) 10/100/1000 Ethernet Ports
Layer 3 Forwarding Performance: 1 Mpps
Processor: Dual-core 500 MHz, MIPS64 with Hardware Acceleration for packet processing (Cavium Octeon CN5020)
Flash storage: 2 GB
RAM: 512 MB DDR2 RAM

Software:

Interface/Encapsulation: Ethernet, 802.1Q (VLAN), PPPoE, GRE, IP in IP, 802.3ad (LACP), and Bridging
Addressing: Static IPv4/IPv6 Addressing, DHCP/DHCPv6
Routing: Static routes, OSPFv2/OSPFv3, RIP/RIPng, BGP (with IPv6 support)
Security: ACL-Based Firewall, Zone-Based Firewall (ZBF)
VPN: IPSec Site-to-Site and Remote Access, OpenVPN Site-to-Site and Remote Access, PPTP Remote Access, L2TP Remote Access, and PPTP Client
Services: DHCP/DHCPv6 Server, DHCP/DHCPv6 Relay, Dynamic DNS, DNS Forwarding, VRRP, RADIUS Client, Web Caching, and PPPoE Server
QoS: FIFO, Stochastic Fairness Queueing, Random Early Detection (RED), Token Bucket Filter, Deficit Round Robin, Hierarchical Token Bucket, and Ingress Policing
Management: Web UI, CLI (Console, SSH, Telnet), SNMP, NetFlow, LLDP, NTP, UBNT Discovery Protocol, Logging

New to v1.8: MPLS, VPLS, and more!

Why did I buy EdgeRouter Lite?

Some of the reasons why I bought the EdgeRouter Lite are the following:

IEEE 802.1Q

The main reason why I bought the EdgeRouter Lite was the 802.1Q (VLAN) capability. I needed to separate my devices to different VLANs especially the VMs in my ESXi home lab. One of the things that pushed me to have VLAN capability is the F5 BIG-IP LTM home lab. I really wanted to set it up properly and mimic a similar setup found in an enterprise. Though, the current topology is very simple right now. That topology will change in the future once I am comfortable with F5 BIG-IP LTM.

While I do have old Cisco routers capable of VLAN, they are not gigabit capable, consumes a lot of power, and loud. The ERLite-3 is very small, consumes little power, and fanless. Yes, I could have done a virtual router or firewall and run it on my VMware ESXi since it is on 24/7/365 but I did not want to do that. I did, however, played with pfSense on a VM for a very short amount of time years ago.

Firewall capability

Advanced firewall capability is a nice addition to my home network. I have some services open for me, friends, and family to connect from the Internet to my home servers so being able to create different zones and apply rules is really a great addition. Now, I can create a DMZ for services that are open to the whole world and have rules that allow or deny traffic to and/or from the DMZ. I decided to not take advantage of the Zone-Based Firewall feature in EdgeOS and stayed with the ACL-style configuration. Mostly because I read that the ZBF/ZBFW does slow the boot up times of the router. While my router shouldn’t reboot that often, I know for sure that people in the house would complain if it takes a long time for them to connect to the Internet if the router reboots. Also, I also did not want to write a whole lot of rules. I had seven interfaces on the router so if my calculation is correct, that would mean I need 56 zone rulesets.

While ZBF/ZBFW is a great feature, there are still limitations with the firewall capabilities of EdgeRouter Lite. It is understandable because it is not really a firewall so expecting it to be is unfair. That said, I took the DMZ interface out of the router and move it to a virtualized pfSense. Geo-based IP filtering is back, yay! I actually mentioned in my SSH Brute Force Attack blog post that I had it when I was using Palo Alto Networks PA-200. The Geo-based IP filtering significantly reduced the brute force attacks to my box.

VPN capability

Another capability that I like is the VPN capability. While I had been running L2TP over IPsec using my Synology DS1812+, it is nice to finally move the functionality to the edge. I am no longer port forwarding anything to my NAS. While I didn’t see much traffic on these ports, it is better to be safe than sorry. The SSH brute force attack incident has been a good lesson.

Thoughts

Before I bought the router, I have done a good amount of research so I was confident that I will be happy with the purchase. I have been running it for almost three months and I am happy to report that I couldn’t be happier with the outcome of my purchase. While I am barely using all of its capabilities, it is pretty inexpensive to justify the home router upgrade. Yes, it does not have wireless capabilities like my all-in-one Netgear router/AP/switch but it is more capable router than the Netgear. I still use my Netgear router but as an AP and switch to add more ports to my TP-LINK TL-SG2008. I also have Ruckus 7363 running at home that is dedicated only for 5 GHz devices.

This router is not for people who are not willing to configure a lot of the advanced features via CLI. While Ubiquiti has been adding more features to the Web UI in each of their release, it is still missing a lot of advanced features that would be nice to have in the Web UI. For example, the Web UI still does not have L2TP over IPsec or OpenVPN configuration. Users who wish to take advantage of this feature means that they will need to hit the CLI. I do not have a lot of experience with Config Tree because I like the CLI more. I do want to point out that Web UI supports IPsec Site-to-Site and PPTP configuration.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.