This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!
Date | Title | Description |
03/13/16 | My Home Router – EdgeRouter Lite | Quick introduction to EdgeRouter Lite |
04/09/16 | Ubiquiti’s EdgeOS CLI Introduction | EdgeOS CLI Primer |
05/01/16 | How to configure EdgeRouter Lite via CLI – Part 2 | EdgeOS configuration guide for CLI junkies |
12/03/16 | Hardening EdgeRouter Lite – Part 1 | Basic management hardening |
12/04/16 | Hardening EdgeRouter Lite – Part 2 | EdgeOS with two-factor authentication |
12/05/16 | Hardening EdgeRouter Lite – Part 3 | Management ACL |
12/06/16 | Hardening EdgeRouter Lite – Part 4 | Remote Access VPN with two-factor authentication |
Introduction
In my previous blog post, I talked about the basics of the EdgeOS CLI. If you are new to the EdgeOS CLI, I recommend that you head over there to learn the basics.
This is a two-part series on how to configure EdgeRouter Lite in a home environment using the command line interface. Part one will mostly focus on what I think is a typical home environment (US only) with optional configurations. The configurations covered here should be enough to get a home user going.
Part two will cover mostly my own configuration, which is not a typical home network setup, though I am not doing anything fancy with the router; I am mostly adding functionality for my own wants and needs.
UPDATE: While there are some security related configurations covered in this series, there are still some security concerns with the configuration. That said, I created the Hardening EdgeRouter Lite series to address some of the security concerns. Please check the links above.
Logging in the first time
When you connect to the router via console or SSH, you will be prompted to log in with the factory default account, which is ubnt/ubnt. Once logged in, you will be presented with a prompt like the one below.
Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
Last login: Wed Mar 16 19:48:55 2016 from 192.168.1.200
ubnt@ubnt:~$
Managing Accounts
At a minimum, change the default password to something that is not easy to guess and is not a dictionary word, so it cannot be easily compromised. Preferably, create a new administrator account and use it going forward. Once the new admin account is set up, delete the default account.
To create a new account, issue the commands below. Do not worry about the plaintext part of the syntax. Once the configuration has been committed, EdgeOS replaces it with a salted SHA-512 crypt hash (the $6$ prefix in the output below) and blanks the plaintext entry.
set system login user andrew authentication plaintext-password passwordhere
commit
networkjutsu@rtr# show system login user andrew
authentication {
encrypted-password $6$Y/qNTwje6aKGB$Wx3zu/X410vdHLZuAWbh5Py9PMmFPMKFNA5lXC6L7sSZuHK.dliuQShrvC.1DkqISqjFDPfxJ.5yJ2P8Cq7or0
plaintext-password ""
}
[edit]
The commands below are optional. By default, a newly created account is an administrator, so level admin only makes that explicit; deleting the now-empty plaintext-password entry keeps the configuration tidy.
delete system login user andrew authentication plaintext-password
set system login user andrew level admin
networkjutsu@rtr# show system login user andrew
authentication {
encrypted-password $6$Y/qNTwje6aKGB$Wx3zu/X410vdHLZuAWbh5Py9PMmFPMKFNA5lXC6L7sSZuHK.dliuQShrvC.1DkqISqjFDPfxJ.5yJ2P8Cq7or0
}
level admin
[edit]
If you want this user to be read-only, then make the user account as an operator.
set system login user andrew level operator
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
andrew@rtr:~$ configure
Invalid command
andrew@rtr:~$ show configuration
Must be an admin user to run this command.
Delete the default user account, but only after confirming in a separate session that the new admin account can log in and enter configure mode. You may also want to delete its /home directory, since EdgeOS seems to keep it for whatever reason.
delete system login user ubnt
commit
networkjutsu@rtr:~$ ls /home
networkjutsu ubnt
networkjutsu@rtr:~$ sudo rm -r /home/ubnt
networkjutsu@rtr:~$ ls /home
networkjutsu
networkjutsu@rtr:~$
System Related Configuration
This section covers everything system related, like DNS, NTP and the time zone. The configuration statements below show how to set the router's domain name, host name, DNS server, time zone and NTP servers. The NTP statements are the defaults.
set system domain-name networkjutsu.local
set system host-name rtr
set system time-zone America/Los_Angeles
set system name-server 192.168.1.10
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
For routers that have the hardware acceleration feature, it is a good idea to turn it on. Hardware offload lets the EdgeRouter reach 1 Mpps with throughput close to 1 Gbps, as claimed by Ubiquiti and confirmed by third-party testing. With offload turned off, performance will suffer in certain scenarios. That said, if you experience odd network issues, turning it off is a reasonable troubleshooting step.
The traffic analysis configuration is optional. Traffic analysis uses deep packet inspection (DPI), which lets EdgeOS identify the applications traversing the router and feed that into the traffic analysis view, so you can see which IP addresses use the most bandwidth and for which application. Not all applications will be categorized properly.
set system offload ipv4 forwarding enable
set system traffic-analysis dpi enable
set system traffic-analysis export enable
Best practice is to configure a banner warning users, authorized or not, that activity may be logged and that accessing or modifying the system without authorization can have legal consequences.
set system login banner pre-login "********************************************************************\n* *\n* * * * NETWORKJUTSU * * * *\n* * * * WARNING NOTICE: * * * *\n* This system is restricted solely to NetworkJutsu authorized *\n* users for legitimate business purposes only. The actual or *\n* attempted unauthorized access, use, or modification of this *\n* system is strictly prohibited by NetworkJutsu. Unauthorized *\n* users are subject to disciplinary proceedings and/or *\n* criminal and civil penalties under state, federal, or other *\n* domestic and foreign laws. The use of this system may be *\n* monitored and recorded for administrative and security reasons. *\n* Anyone accessing this system expressly consents to such *\n* monitoring and is advised that if monitoring reveals possible *\n* evidence of criminal activity, NetworkJutsu may provide the *\n* evidence of such activity to law enforcement officials. All *\n* users must comply with NetworkJutsu instructions regarding the *\n* protection of NetworkJutsu information assets. *\n* *\n********************************************************************\n"
Configure WAN
I subscribe to Comcast/Xfinity's Residential High Speed Cable Internet service, so I get a dynamic IP address and my WAN interface is set to DHCP.
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
Configure LAN
I use all three interfaces at home and each one is in a separate subnet. Some people bridge the last interface so it acts as another switch port. Personally, I would not do this: bridging is done in software rather than by the hardware offload, so it can make the router perform worse in certain situations. LAN1 sits in 192.168.1.0/24, the subnet the DHCP scope and the port-forward rule below refer to.
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 mtu 9000
The MTU setting is optional. I like to set mine for jumbo frames, so it is 9000 bytes; the default is 1500 bytes. If you do this, every host and switch on that segment must be configured for the same MTU, otherwise you get fragmentation or silently dropped large packets.
Configure PAT
I do not have business class Internet service, so I only have one public IP address. This is the majority of setups in the US for non-business Internet service, and I would assume in some parts of the world as well. That said, we need to configure PAT (Port Address Translation), which EdgeOS calls masquerade.
set service nat rule 5000 description PAT
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade
Configure Port Forwarding
The port-forward command seems to be an EdgeOS-only implementation; a quick search of the Vyatta 6.3 documentation did not turn it up. This is probably not a very common setup in a home environment, so treat these commands as optional or configure them in case you need them in the future.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward wan-interface eth0
The port forwarding rule below allows Internet users to connect to a Linux computer running an OpenSSH server. Anything exposed this way gets scanned and brute-forced constantly, so at least switch that host to key-based authentication and disable password logins before opening the port.
set port-forward rule 1 description "Linux Computer"
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 forward-to port 22
set port-forward rule 1 original-port 22
set port-forward rule 1 protocol tcp
Configure Services
There are a few services you may need so that everything works smoothly. First on the list is the DHCP service.
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.10
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name networkjutsu.local
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
Next is the DNS forwarding service. These configuration statements direct the router to forward DNS requests to the name servers configured on the system. I believe the default DNS cache is set to 128 entries. Only list LAN interfaces under listen-on; listening on eth0 would turn the router into an open resolver reachable from the Internet.
set service dns forwarding cache-size 128
set service dns forwarding listen-on eth2
set service dns forwarding listen-on eth1
SSH is enabled by default and uses its default protocol and port (tcp/22). I am, however, unsure whether the protocol version was set to version 2, so to be on the safe side, issue the command to pin it to version 2. Protocol version 1 has well-known security flaws and should not be used.
set service ssh port 22
set service ssh protocol-version v2
If you use UPnP at home then use the following commands. Personally, I would disable this: UPnP lets any device on the LAN open inbound ports through the router without any authentication.
set service upnp listen-on eth1 outbound-interface eth0
set service upnp listen-on eth2 outbound-interface eth0
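As an added check for the Managing Accounts and Configure Services sections (this is example code for this post, not something from the original article or from EdgeOS), the script below audits a `show configuration commands` dump. EdgeOS prints the running configuration as flat `set ...` lines, so each check is a path lookup: no default ubnt account, no uncommitted plaintext-password, SSH pinned to v2, the DNS forwarder not listening on the WAN side, no UPnP, and a drop-by-default ruleset attached to the WAN interface (the attachment shown in the firewall section that follows). It assumes the WAN interface is the one addressed by DHCP, and SAMPLE_CONFIG is constructed for the example.

```python
"""Audit a `show configuration commands` dump for the hardening points above.

Added example for this post, not code from the original article or from
EdgeOS. The WAN interface is assumed to be the one with `address dhcp`,
and SAMPLE_CONFIG is constructed for the example.
"""
import shlex

# Constructed sample: the ubnt account is still present, SSH is not pinned
# to v2, a plaintext password has not been committed yet, UPnP is on and
# the DNS forwarder also listens on eth0.
SAMPLE_CONFIG = """\
set firewall name WAN-IN default-action drop
set firewall name WAN-LOCAL default-action drop
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth0
set service ssh port 22
set service upnp listen-on eth1 outbound-interface eth0
set system login user andrew authentication encrypted-password '$6$abc$def'
set system login user andrew authentication plaintext-password ''
set system login user andrew level admin
set system login user bob authentication plaintext-password 'hunter2'
set system login user ubnt authentication encrypted-password '$1$abc$def'
set system login user ubnt level admin
"""


def parse_commands(text):
    """Split each `set ...` line into tokens, honouring quoted values."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])  # drop the leading "set"
    return cmds


def values(cmds, *prefix):
    """Every value that follows the given path, e.g. values(cmds, 'service', 'ssh', 'port')."""
    n = len(prefix)
    return [c[n] for c in cmds if len(c) > n and tuple(c[:n]) == prefix]


def wan_interfaces(cmds):
    """Assumption for this audit: interfaces addressed by DHCP are the WAN side."""
    return {c[2] for c in cmds
            if c[:2] == ["interfaces", "ethernet"] and c[3:5] == ["address", "dhcp"]}


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cmds = parse_commands(text)
    findings = []
    if "ubnt" in values(cmds, "system", "login", "user"):
        findings.append("default account 'ubnt' still exists")
    for c in cmds:
        if c[:3] == ["system", "login", "user"] and "plaintext-password" in c:
            after = c[c.index("plaintext-password") + 1:]
            if after and after[0]:  # the empty string left behind by commit is harmless
                findings.append("user %s still has a plaintext-password set" % c[3])
    if "v2" not in values(cmds, "service", "ssh", "protocol-version"):
        findings.append("ssh protocol-version is not pinned to v2")
    wans = wan_interfaces(cmds)
    for iface in values(cmds, "service", "dns", "forwarding", "listen-on"):
        if iface in wans:
            findings.append("dns forwarding listens on WAN interface %s (open resolver)" % iface)
    if any(c[:2] == ["service", "upnp"] for c in cmds):
        findings.append("upnp is enabled")
    for iface in sorted(wans):
        for direction in ("in", "local"):
            names = values(cmds, "interfaces", "ethernet", iface, "firewall", direction, "name")
            if not names:
                findings.append("no firewall ruleset on %s %s" % (iface, direction))
            for name in names:
                if "drop" not in values(cmds, "firewall", "name", name, "default-action"):
                    findings.append("ruleset %s default-action is not drop" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the router, `show configuration commands` in operational mode produces the input format; a dump that follows every step in this post yields no findings, while the constructed sample above produces five.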
Configure Basic Firewall
The firewall configuration can be pretty simple. With the set port-forward auto-firewall enable command, Ubiquiti made it even simpler, since EdgeOS automatically adds the matching accept rules for any port forwarding rule the user creates.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN-IN default-action drop
set firewall name WAN-IN description "From Internet traffic to LAN"
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Deny Invalid"
set firewall name WAN-IN rule 1 log enable
set firewall name WAN-IN rule 1 state invalid enable
set firewall name WAN-IN rule 3 action accept
set firewall name WAN-IN rule 3 description "Allow established/related state"
set firewall name WAN-IN rule 3 log disable
set firewall name WAN-IN rule 3 state established enable
set firewall name WAN-IN rule 3 state related enable
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL description "From Internet traffic to the router"
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 1 action drop
set firewall name WAN-LOCAL rule 1 description "Drop invalid state"
set firewall name WAN-LOCAL rule 1 log disable
set firewall name WAN-LOCAL rule 1 state invalid enable
set firewall name WAN-LOCAL rule 3 action accept
set firewall name WAN-LOCAL rule 3 description "Allow Established"
set firewall name WAN-LOCAL rule 3 log disable
set firewall name WAN-LOCAL rule 3 state established enable
set firewall name WAN-LOCAL rule 3 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL
set firewall receive-redirects disable
set firewall send-redirects disable
set firewall source-validation disable
set firewall syn-cookies enable
While the configuration above is good enough, I recommend adding the following rules as well. Packets with these source addresses should never arrive from the Internet, so why not block them? One caveat: rule 2 sits before the established/related accept in rule 3, so replies whose source is in the group are dropped too, for example from a cable modem's management page at 192.168.100.1, or from an upstream that hands out 100.64.0.0/10 carrier-grade NAT addresses. If you need those to work, give the BOGON rule a number higher than 3 or leave that range out of the group.
set firewall group network-group BOGON network 0.0.0.0/8
set firewall group network-group BOGON network 10.0.0.0/8
set firewall group network-group BOGON network 100.64.0.0/10
set firewall group network-group BOGON network 127.0.0.0/8
set firewall group network-group BOGON network 169.254.0.0/16
set firewall group network-group BOGON network 172.16.0.0/12
set firewall group network-group BOGON network 192.0.0.0/24
set firewall group network-group BOGON network 192.0.2.0/24
set firewall group network-group BOGON network 192.168.0.0/16
set firewall group network-group BOGON network 198.18.0.0/15
set firewall group network-group BOGON network 198.51.100.0/24
set firewall group network-group BOGON network 203.0.113.0/24
set firewall group network-group BOGON network 224.0.0.0/4
set firewall group network-group BOGON network 240.0.0.0/4
set firewall name WAN-IN rule 2 action drop
set firewall name WAN-IN rule 2 description "Drop BOGON source"
set firewall name WAN-IN rule 2 source group network-group BOGON
set firewall name WAN-LOCAL rule 2 action drop
set firewall name WAN-LOCAL rule 2 description "Drop BOGON source"
set firewall name WAN-LOCAL rule 2 source group network-group BOGON
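To make the rule-ordering point concrete, here is an added example (example code for this post, not from the original article or from EdgeOS) that walks the WAN-IN ruleset above against a few sample packets. It models only the semantics the ruleset relies on: rules are tried in ascending number order, the first match decides, and the ruleset's default-action applies when nothing matches. The packets are constructed, and 11.22.33.44 stands in for an arbitrary public address.

```python
"""Walk the WAN-IN ruleset in rule order against a few sample packets.

Added example for this post, not code from the original article or from
EdgeOS. Rules are tried in ascending number order, the first match
decides, and default-action applies otherwise. Packets are constructed;
11.22.33.44 stands in for an arbitrary public source address.
"""
import ipaddress

# The BOGON network-group from the post (198.18.0.0/15 is the RFC 2544
# benchmarking block; 192.18.0.0/15 is ordinary public address space).
BOGON = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def in_group(addr, group):
    """True when addr falls inside any network of the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def wan_in_rules(bogon_rule_number=2):
    """WAN-IN as configured above; pass 4 to move the BOGON drop after rule 3."""
    rules = [
        (1, "Deny Invalid", "drop", lambda p: p["state"] == "invalid"),
        (3, "Allow established/related", "accept",
         lambda p: p["state"] in ("established", "related")),
        (bogon_rule_number, "Drop BOGON source", "drop",
         lambda p: in_group(p["src"], BOGON)),
    ]
    return sorted(rules, key=lambda r: r[0])


def evaluate(packet, rules, default_action="drop"):
    """Return (action, rule_number); rule_number is None when the default applies."""
    for number, _description, action, matches in rules:
        if matches(packet):
            return action, number
    return default_action, None


if __name__ == "__main__":
    samples = [
        {"src": "11.22.33.44", "state": "new"},            # unsolicited: default drop
        {"src": "11.22.33.44", "state": "established"},    # reply to LAN traffic: rule 3
        {"src": "10.9.8.7", "state": "new"},               # spoofed private source: BOGON
        {"src": "192.168.100.1", "state": "established"},  # cable modem management page
    ]
    for packet in samples:
        as_posted = evaluate(packet, wan_in_rules(2))
        reordered = evaluate(packet, wan_in_rules(4))
        print("%-16s %-12s as rule 2: %s  as rule 4: %s"
              % (packet["src"], packet["state"], as_posted, reordered))
```

With the BOGON drop as rule 2, the established reply from 192.168.100.1 is dropped before rule 3 ever sees it; renumbered to 4 it is accepted, while a spoofed private source with no conntrack entry is still dropped. On the router itself, show firewall name WAN-IN statistics shows the per-rule hit counters if you want to confirm which rule is catching a given flow.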
Once everything is configured, do not forget to commit and save the changes by issuing the commit;save command. A commit only updates the running configuration; without save, the changes are lost at the next reboot.
Final Words
The configuration listed here should be enough for the majority of home users. If you are an advanced user and/or IT professional, you may want to read part two. Though, not every advanced feature is covered, only the ones I personally use at the time of writing.
Disclosure
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.