How to configure EdgeRouter Lite via CLI – Part 2


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date       Title                                              Description
03/13/16   My Home Router – EdgeRouter Lite                    Quick introduction to EdgeRouter Lite
04/09/16   Ubiquiti’s EdgeOS CLI Introduction                  EdgeOS CLI primer
05/01/16   How to configure EdgeRouter Lite via CLI – Part 1   EdgeOS configuration guide for CLI junkies
12/03/16   Hardening EdgeRouter Lite – Part 1                  Basic management hardening
12/04/16   Hardening EdgeRouter Lite – Part 2                  EdgeOS with two-factor authentication
12/05/16   Hardening EdgeRouter Lite – Part 3                  Management ACL
12/06/16   Hardening EdgeRouter Lite – Part 4                  Remote Access VPN with two-factor authentication

Introduction

This is part two of the How to configure EdgeRouter Lite via CLI series. If you haven’t read part one, you might want to read that first. In part one, I covered what I think are the essential configurations to get a user going in a typical home environment. In this post, I will talk about the features that I personally use at home at the time of writing. I did include one feature (NetFlow) that I turned on for a few days and then turned off because of issues I ran into while it was on.

UPDATE: While this series covers some security-related configuration, the configuration shown here still has security gaps (management access, management ACLs and the remote-access VPN in particular). I created the Hardening EdgeRouter Lite series to address those concerns; see the links in the table above.

Configure IPv6

I would say that IPv6 in residential networks is relatively new, at least in the US. As far as I know (I could be wrong), IPv6 in US residential networks has only been around for two to three years. I did not know that my ISP (Comcast/Xfinity) had been IPv6 ready, fully deployed, for about two years; I found that out by accident while troubleshooting a slow download connection. Once I found out, I started researching how to configure it on my router.

My ISP uses DHCPv6 prefix delegation (DHCPv6-PD), which lets the router request an IPv6 prefix from the ISP and split it across the LAN interfaces automatically. I found two EdgeOS configurations that worked for me, but I will only show the one I think is better of the two.

Pay attention to the prefix-length you ask for. On residential accounts, Comcast/Xfinity delegates at most a /60, which is 16 /64 prefixes; business-class accounts can request a /56, which is 256 /64 prefixes. In the configuration below, eth0 is the WAN interface that requests the prefix, and the prefix-id selects which of the delegated /64s each LAN interface gets, so with a /60 the prefix-id must be between :0 and :f and each interface needs its own. The host-address is the router’s address inside that /64, and service slaac advertises the /64 to the hosts on that interface so they can autoconfigure.

set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 prefix-id :2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 prefix-id :3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 prefix-id :4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id :5
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac

In addition to the configuration above, you may want to enable the IPv6 forwarding offload feature so that forwarded IPv6 traffic does not all land on the CPU.

set system offload ipv6 forwarding enable
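To make the prefix-id mechanics concrete, here is an added example (my own script, not code from the original post or from EdgeOS) that takes a delegated prefix plus the prefix-id and host-address pairs from the configuration above and computes the /64 and router address each interface ends up with, refusing a prefix-id that does not fit inside the delegation or is used twice. The sample prefix 2001:db8:1234:ab0::/60 is a documentation prefix, not a real delegation.

```python
"""Derive the per-interface /64 prefixes that dhcpv6-pd selects.

Added example, not code from the original post or from EdgeOS: given the
prefix the ISP delegates and the prefix-id / host-address pairs from the
configuration above, work out the router address each LAN interface gets,
and reject a prefix-id that does not fit inside the delegated prefix.
"""
import ipaddress

# interface -> (prefix-id, host-address), copied from the configuration above.
PD_INTERFACES = {
    "eth1":     (0x1, "::1"),
    "eth1.2":   (0x2, "::1"),
    "eth1.99":  (0x3, "::1"),
    "eth1.100": (0x4, "::1"),
    "eth2":     (0x5, "::1"),
}


def subnet_for(delegated, prefix_id, host="::1"):
    """Return the /64 that prefix_id selects inside `delegated`, with `host` filled in.

    prefix_id occupies the bits between the delegated prefix length and /64:
    a /60 leaves 4 bits (ids 0x0..0xf), a /56 leaves 8 bits (0x00..0xff).
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is longer than a /64; nothing to split")
    id_bits = 64 - net.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix-id {prefix_id:#x} does not fit in {delegated} "
            f"(largest usable id is {(1 << id_bits) - 1:#x})")
    host_part = int(ipaddress.IPv6Address(host))
    if host_part >> 64:
        raise ValueError(f"host-address {host} must fit in the low 64 bits")
    # Bits 64..127 of the address select the /64; shift the id into its slot.
    addr = ipaddress.IPv6Address(int(net.network_address) | (prefix_id << 64) | host_part)
    return ipaddress.IPv6Interface(f"{addr}/64")


def plan(delegated, interfaces=PD_INTERFACES):
    """Map every interface to the address it will announce; also catches duplicate ids."""
    used = {}
    result = {}
    for ifname, (pid, host) in interfaces.items():
        if pid in used:
            raise ValueError(f"prefix-id {pid:#x} used by both {used[pid]} and {ifname}")
        used[pid] = ifname
        result[ifname] = str(subnet_for(delegated, pid, host))
    return result


if __name__ == "__main__":
    # Constructed sample prefix (documentation range), not a real delegation.
    for ifname, address in plan("2001:db8:1234:ab0::/60").items():
        print(f"{ifname:10} {address}")
```

Compare the output with the show interfaces listing further down: the LAN /64s there end in 1 through 5, which is exactly the prefix-id written into the last nibble of the delegated /60.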

To verify that you received IPv6 addresses, run show interfaces. Below is my sanitized output, which shows both IPv4 and IPv6 addresses. The WAN interface gets a single /128 from DHCPv6, and each LAN interface gets a /64 out of the delegated /60 whose last nibble (1 through 5) matches its prefix-id above.

user@ubnt# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         24.xxx.xxx.xxx/23                  u/u  WAN
             2001:xxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx/128
eth1         192.168.0.1/24                    u/u  LAN0
             2601:xxx:xxxx:xxx1::1/64
eth1.2       192.168.1.1/24                    u/u  LAN1
             2601:xxx:xxxx:xxx2::1/64
eth1.99      192.168.99.1/24                   u/u  MGMT
             2601:xxx:xxxx:xxx3::1/64
eth1.100     192.168.100.1/24                  u/u  SERVER
             2601:xxx:xxxx:xxx4::1/64
eth2         192.168.2.1/24                    u/u  LAN2
             2601:xxx:xxxx:xxx5::1/64
lo           127.0.0.1/8                       u/u
             ::1/128

If you do not get an IPv6 address, use the following operational-mode commands to force a DHCPv6 release and renew. Be aware that deleting the DUID gives the router a new DHCPv6 client identity, so the ISP may delegate a different prefix than before; skip that step if you want to keep your current prefix.

release dhcpv6-pd interface eth0
delete dhcpv6-pd duid
renew dhcpv6-pd interface eth0

A better check is to verify that IPv6 actually works end to end, first from the router itself and then from a host on the LAN.

user@ubnt# ping6 google.com
PING google.com(nuq04s29-in-x0e.1e100.net) 56 data bytes
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=1 ttl=56 time=10.9 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=2 ttl=56 time=10.7 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=3 ttl=56 time=10.4 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=4 ttl=56 time=11.5 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 10.480/10.934/11.528/0.355 ms

Mac-mini:~ Andrew$ ping6 netflix.com
PING6(56=40+8+8 bytes) 2601:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx --> 2620:108:700f::36f5:f31c
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=0 hlim=49 time=30.402 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=1 hlim=49 time=29.224 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=2 hlim=49 time=29.088 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=3 hlim=49 time=29.029 ms
^C
--- netflix.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 29.029/29.436/30.402/0.562 ms

Configure sub-interfaces

As you can see above, I have a few sub-interfaces (802.1Q VLANs) configured. There used to be a DMZ configured, but I moved it to a pfSense virtual machine, which I talked a little about here. Note that the MTU of 9000 on the VLAN interfaces requires the parent interface eth1 to carry an MTU of at least 9000 and every switch and host on those VLANs to handle jumbo frames; otherwise leave the MTU at its default.

set interfaces ethernet eth1 vif 2 address 192.168.1.1/24
set interfaces ethernet eth1 vif 2 description "LAN1"
set interfaces ethernet eth1 vif 2 mtu 9000
set interfaces ethernet eth1 vif 99 address 192.168.99.1/24
set interfaces ethernet eth1 vif 99 description "MGMT"
set interfaces ethernet eth1 vif 99 mtu 9000
set interfaces ethernet eth1 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 100 description "SERVER"
set interfaces ethernet eth1 vif 100 mtu 9000

The VLAN offload feature is supported on EdgeRouter Lite, so you may want to turn that on as well.

set system offload ipv4 vlan enable

Configure Firewall

In this section, I am still sticking with the ACL-style firewall configuration instead of the zone-based firewall (ZBF/ZBFW). In this example, I am blocking a couple of /8 networks from which hosts repeatedly brute-forced SSH on my Linux computer. I also disabled the port-forward auto-firewall feature, which means the port forward to the Linux computer needs its own accept rule in WAN-IN (rule 3 below). Two things to keep in mind: rule 3 accepts TCP/22 toward any LAN destination, so adding a destination address for the Linux computer would tighten it, and because the established/related rule is last, every packet of every flow is checked against the rules above it first; placing that rule first is the usual practice.

set port-forward auto-firewall disable
set firewall group network-group SSH-ATTACKERS description "Known Brute Force SSH Attackers"
set firewall group network-group SSH-ATTACKERS network 103.0.0.0/8
set firewall group network-group SSH-ATTACKERS network 104.0.0.0/8
set firewall name WAN-IN default-action drop
set firewall name WAN-IN description "WAN IPv4 inbound traffic to LAN"
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Deny Invalid"
set firewall name WAN-IN rule 1 log enable
set firewall name WAN-IN rule 1 state invalid enable
set firewall name WAN-IN rule 2 action drop
set firewall name WAN-IN rule 2 description "Deny SSH Attackers"
set firewall name WAN-IN rule 2 destination port 22
set firewall name WAN-IN rule 2 log enable
set firewall name WAN-IN rule 2 protocol tcp
set firewall name WAN-IN rule 2 source group network-group SSH-ATTACKERS
set firewall name WAN-IN rule 3 action accept
set firewall name WAN-IN rule 3 description "Allow SSH to Linux Computer"
set firewall name WAN-IN rule 3 destination port 22
set firewall name WAN-IN rule 3 log enable
set firewall name WAN-IN rule 3 protocol tcp
set firewall name WAN-IN rule 4 action accept
set firewall name WAN-IN rule 4 description "Allow established/related state"
set firewall name WAN-IN rule 4 log disable
set firewall name WAN-IN rule 4 state established enable
set firewall name WAN-IN rule 4 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN

Alternatively, if you do not want to maintain the list of networks by hand, you can use the recent match instead. It tracks the source addresses of recent new connections and drops a source once it has been seen too many times within a time window.

In this example, the rule drops new SSH connections from a source that has already been seen three times within one week (604800 seconds). The rule below reuses number 1, so it is meant as part of a fresh rule set; if you add it to the WAN-IN above instead, pick an unused number that still sorts before the rule that accepts SSH, because set merges attributes into an existing rule rather than replacing it, and keep an accept rule for SSH or nothing reaches the host. I actually have Fail2Ban installed on my Linux box, which handles anything that gets through; I covered that here, and it is a better solution in my opinion. However, I believe the best way to prevent SSH brute force is SSH key authentication with password authentication disabled.

set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Prevent SSH brute force attack"
set firewall name WAN-IN rule 1 protocol tcp
set firewall name WAN-IN rule 1 destination port 22
set firewall name WAN-IN rule 1 state new enable
set firewall name WAN-IN rule 1 recent count 3
set firewall name WAN-IN rule 1 recent time 604800
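The following is an added example (my own code, not from the original post and not EdgeOS code) that models the WAN-IN rule set above the way EdgeOS evaluates it, first match in rule-number order, including the recent-based variant. It lets you trace which rule an SSH packet from 103.0.0.0/8 hits versus one from an unlisted source, and shows the fourth new connection inside the window being dropped and the counter expiring afterwards. Addresses and timestamps are constructed, and the recent match is modelled as "drop once the source has already been seen count times within time seconds", which is an assumption about the threshold; confirm it on your own router before relying on it.

```python
"""Model the WAN-IN rule set above as a first-match evaluation.

Added example, not code from the original post or from EdgeOS. The recent
match is modelled as "matches once the source has already been seen `count`
times in the last `time` seconds"; that threshold is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SSH_ATTACKERS = [ipaddress.ip_network(n) for n in ("103.0.0.0/8", "104.0.0.0/8")]


@dataclass
class Packet:
    src: str
    dport: int
    proto: str = "tcp"
    state: str = "new"     # conntrack state: new | established | related | invalid
    t: float = 0.0         # arrival time in seconds, only used by the recent match


@dataclass
class Rule:
    num: int
    action: str
    desc: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    src_group: Optional[list] = None
    recent_count: Optional[int] = None
    recent_time: Optional[int] = None


class RecentTable:
    """Per-source timestamps, like the kernel's xt_recent list."""

    def __init__(self):
        self.seen = {}

    def hits_then_record(self, src, now, window):
        stamps = [s for s in self.seen.get(src, []) if now - s <= window]
        self.seen[src] = stamps + [now]
        return len(stamps)


def matches(rule, pkt, recent):
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.src_group and not any(ipaddress.ip_address(pkt.src) in n for n in rule.src_group):
        return False
    # The recent match is evaluated last, so only packets that passed every
    # other criterion of the rule are recorded in the table.
    if rule.recent_count is not None:
        if recent.hits_then_record(pkt.src, pkt.t, rule.recent_time) < rule.recent_count:
            return False
    return True


def evaluate(rules, pkt, recent, default_action="drop"):
    """First rule (in number order) whose matches all succeed decides; else default-action."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt, recent):
            return rule.action, rule.num
    return default_action, None


WAN_IN = [
    Rule(1, "drop", "Deny Invalid", states=frozenset({"invalid"})),
    Rule(2, "drop", "Deny SSH Attackers", proto="tcp", dport=22, src_group=SSH_ATTACKERS),
    Rule(3, "accept", "Allow SSH to Linux Computer", proto="tcp", dport=22),
    Rule(4, "accept", "Allow established/related", states=frozenset({"established", "related"})),
]

# The recent-based variant: the drop must sort before the SSH accept rule,
# and an accept rule is still needed or nothing reaches the Linux host.
WAN_IN_RECENT = [
    Rule(1, "drop", "Prevent SSH brute force attack", proto="tcp", dport=22,
         states=frozenset({"new"}), recent_count=3, recent_time=604800),
    Rule(3, "accept", "Allow SSH to Linux Computer", proto="tcp", dport=22),
    Rule(4, "accept", "Allow established/related", states=frozenset({"established", "related"})),
]


def ssh_attempts(rules, src, times):
    """Actions taken for a series of new SSH connections from one source at the given times."""
    recent = RecentTable()
    return [evaluate(rules, Packet(src, 22, t=t), recent)[0] for t in times]
```

evaluate(WAN_IN, Packet("103.10.20.30", 22), RecentTable()) returns ("drop", 2), the same packet from 198.51.100.7 returns ("accept", 3), and ssh_attempts(WAN_IN_RECENT, "198.51.100.7", [0, 1, 2, 3, 700000]) returns three accepts, a drop, and an accept once the week-long window has passed.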

Since I configured IPv6, I also need a firewall for it: there is no NAT for IPv6, so every LAN host has a globally routable address and is reachable from the Internet unless the WAN6-IN rule set drops the traffic. Since I do not have any external-facing servers using IPv6, the rule set is basic: WAN6-IN only lets established/related traffic back in, so unsolicited ICMPv6 (pings included) to LAN hosts is dropped too, while WAN6-LOCAL accepts DHCPv6 replies and all ICMPv6 to the router itself, which Neighbor Discovery and Router Advertisements need. I didn’t use the BOGON filter in this case because it is a very long list that could slow down the router.

set firewall ipv6-name WAN6-IN default-action drop
set firewall ipv6-name WAN6-IN description "WAN IPv6 inbound traffic to LAN"
set firewall ipv6-name WAN6-IN enable-default-log
set firewall ipv6-name WAN6-IN rule 1 action accept
set firewall ipv6-name WAN6-IN rule 1 description "Allow established/related state"
set firewall ipv6-name WAN6-IN rule 1 state established enable
set firewall ipv6-name WAN6-IN rule 1 state related enable
set firewall ipv6-name WAN6-IN rule 2 action drop
set firewall ipv6-name WAN6-IN rule 2 description "Deny invalid state"
set firewall ipv6-name WAN6-IN rule 2 state invalid enable
set firewall ipv6-name WAN6-LOCAL default-action drop
set firewall ipv6-name WAN6-LOCAL description "WAN IPv6 inbound traffic to the router"
set firewall ipv6-name WAN6-LOCAL enable-default-log
set firewall ipv6-name WAN6-LOCAL rule 1 action accept
set firewall ipv6-name WAN6-LOCAL rule 1 description "Allow established/related state"
set firewall ipv6-name WAN6-LOCAL rule 1 state established enable
set firewall ipv6-name WAN6-LOCAL rule 1 state related enable
set firewall ipv6-name WAN6-LOCAL rule 2 action accept
set firewall ipv6-name WAN6-LOCAL rule 2 description "Allow DHCPv6"
set firewall ipv6-name WAN6-LOCAL rule 2 destination port 546
set firewall ipv6-name WAN6-LOCAL rule 2 protocol udp
set firewall ipv6-name WAN6-LOCAL rule 2 source port 547
set firewall ipv6-name WAN6-LOCAL rule 3 action accept
set firewall ipv6-name WAN6-LOCAL rule 3 description "Allow ICMPv6"
set firewall ipv6-name WAN6-LOCAL rule 3 protocol icmp6
set firewall ipv6-name WAN6-LOCAL rule 4 action drop
set firewall ipv6-name WAN6-LOCAL rule 4 description "Deny invalid state"
set firewall ipv6-name WAN6-LOCAL rule 4 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set interfaces ethernet eth0 firewall in ipv6-name WAN6-IN
set interfaces ethernet eth0 firewall local ipv6-name WAN6-LOCAL

Configure Remote Access VPN

In this section, I will only cover the configuration for L2TP over IPsec. OpenVPN is also available in EdgeOS, but it is not covered here because I prefer L2TP/IPsec over OpenVPN. Note that the pre-shared secret authenticates the IPsec tunnel for every client, so it is effectively a group credential; the username and password are then checked inside the tunnel. nat-traversal enable together with nat-networks allowed-network 0.0.0.0/0 lets clients connect from behind any NAT (hotel Wi-Fi, mobile carriers), and dhcp-interface eth0 tells the server to use whatever address DHCP gives the WAN interface.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username networkjutsu password your-unique-password-here
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.1.190
set vpn l2tp remote-access client-ip-pool stop 192.168.1.200
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 192.168.1.10
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret your-pre-shared-key-here
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1420

If you have a static WAN IP address, replace the dhcp-interface line with the outside address and next hop, as below.

set vpn l2tp remote-access outside-address 1.1.1.10
set vpn l2tp remote-access outside-nexthop 1.1.1.1

The firewall on the router itself (WAN-LOCAL) needs to allow the VPN traffic as well or it won’t work. The example below adds rules to the WAN-LOCAL rule set from part one. The IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) rules are required. The L2TP rule (UDP 1701) accepts L2TP from any source, whereas L2TP should only ever arrive inside the IPsec tunnel; EdgeOS firewall rules can be limited to IPsec-protected packets with the ipsec match-ipsec option, which closes that gap.

set firewall name WAN-LOCAL rule 3 action accept
set firewall name WAN-LOCAL rule 3 description "Allow NAT-T"
set firewall name WAN-LOCAL rule 3 destination port 4500
set firewall name WAN-LOCAL rule 3 log enable
set firewall name WAN-LOCAL rule 3 protocol udp
set firewall name WAN-LOCAL rule 4 action accept
set firewall name WAN-LOCAL rule 4 description "Allow ESP"
set firewall name WAN-LOCAL rule 4 log enable
set firewall name WAN-LOCAL rule 4 protocol 50
set firewall name WAN-LOCAL rule 5 action accept
set firewall name WAN-LOCAL rule 5 description "Allow L2TP"
set firewall name WAN-LOCAL rule 5 destination port 1701
set firewall name WAN-LOCAL rule 5 log enable
set firewall name WAN-LOCAL rule 5 protocol udp
set firewall name WAN-LOCAL rule 6 action accept
set firewall name WAN-LOCAL rule 6 description "Allow IKE"
set firewall name WAN-LOCAL rule 6 destination port 500
set firewall name WAN-LOCAL rule 6 log enable
set firewall name WAN-LOCAL rule 6 protocol udp
set firewall name WAN-LOCAL rule 7 action accept
set firewall name WAN-LOCAL rule 7 description "Allow Established"
set firewall name WAN-LOCAL rule 7 log disable
set firewall name WAN-LOCAL rule 7 protocol all
set firewall name WAN-LOCAL rule 7 state established enable
set firewall name WAN-LOCAL rule 7 state related enable

The IPsec offload feature is supported as well, so make sure to turn that on.

set system offload ipsec enable

Here’s a screenshot of my iPhone connected to my home network over the VPN.

[Screenshot: iPhone L2TP over IPsec]

Here’s how to view who is connected to the network through the VPN.

user@ubnt# run show vpn remote-access
Active remote access VPN sessions:

User         Time      Proto Iface  Remote IP       TX pkt/byte   RX pkt/byte
----------   --------- ----- -----  --------------- ------ ------ ------ ------
networkjutsu 00h04m11s L2TP  l2tp0  192.168.1.190       8   1.5K      9    320

Total sessions: 1

Configure SNMP

If you would like to configure SNMPv2c to monitor your EdgeRouter, use the following configuration. If you are interested in free SNMP monitoring software, check out PRTG, Spiceworks, Nagios, Cacti, etc. I tried PRTG and it was relatively easy to configure; that was the only free SNMP monitoring software I tried.

set service snmp community community-name-here authorization ro
set service snmp community community-name-here client 192.168.100.50
set service snmp contact contact-name-here
set service snmp description "My Router"

The client line acts as an ACL, so only the listed IP addresses can query the EdgeRouter via SNMP, and authorization ro keeps the community read-only. Keep in mind that SNMPv2c sends the community string in the clear with every request, so use a non-default string, keep the poller on an internal VLAN (here the SERVER VLAN), and never expose the service on the WAN.

Configure NetFlow

I configured NetFlow and ran it for about two to three days. Then I noticed that every time I was connected to my home network via VPN, the RDP session kept pausing every few minutes. My bandwidth monitor also showed that I was only getting between 60 and 80 Mbps download out of the 150 Mbps that I pay for. At first, I thought my ISP was throttling me. But after several minutes of troubleshooting, I found out that NetFlow was the culprit of both the slow download speeds and the RDP pauses. Having said that, I do not recommend turning NetFlow on unless Ubiquiti finds a way to use the offload feature so the CPU wouldn’t spike to 100%; your mileage may vary. I included it for completeness, as part of the configuration that I have used and/or am using on my EdgeRouter Lite so far.

set system flow-accounting interface eth0
set system flow-accounting netflow engine-id 0
set system flow-accounting netflow server 192.168.100.50 port 2055
set system flow-accounting netflow version 9

Note: EdgeOS supports NetFlow versions 1, 5 (the default), 9 and 10 (IPFIX).
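What the collector at 192.168.100.50:2055 receives with the configuration above is NetFlow v9, which is template-based: a Data FlowSet can only be decoded once the Template FlowSet it refers to has arrived, which is why a collector started after the exporter sees nothing until the next template refresh. The following added example (my own code, not from the original post or from Ubiquiti) builds a v9 export packet from two constructed flows, decodes it the way a collector must, and flags flows to TCP/22 from the SSH-ATTACKERS networks of the firewall section. The template’s field set is an assumption; the packet layout follows RFC 3954.

```python
"""Decode NetFlow v9 exports the way a collector must: templates first.

Added example, not code from the original post or from Ubiquiti. The export
packet is constructed here, not captured from an EdgeRouter, and the field
set in the template is an assumption; the layout follows RFC 3954.
"""
import ipaddress
import socket
import struct

# RFC 3954 field types used by this example's template (type -> name).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
TEMPLATE_ID = 256  # data template ids start at 256; 0 and 1 are reserved
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def build_export(flows, sys_uptime=1000, unix_secs=1480000000, seq=1, source_id=0):
    """Build one v9 packet: 20-byte header, a Template FlowSet, then one Data FlowSet."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in TEMPLATE_FIELDS)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    records = b""
    for f in flows:  # field order must follow TEMPLATE_FIELDS
        records += socket.inet_aton(f["src_addr"]) + socket.inet_aton(f["dst_addr"])
        records += struct.pack("!HHBII", f["src_port"], f["dst_port"],
                               f["protocol"], f["in_bytes"], f["in_pkts"])
    pad = (-len(records)) % 4  # FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(records) + pad) + records + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(flows), sys_uptime, unix_secs, seq, source_id)
    return header + template_fs + data_fs


def parse_export(datagram, templates):
    """Decode one packet. `templates` persists across packets; templates arrive rarely."""
    version = struct.unpack_from("!H", datagram, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    flows, off = [], 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("bad FlowSet length")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:
            _learn_templates(body, templates)
        elif fs_id in templates:
            flows.extend(_decode_records(body, templates[fs_id]))
        # fs_id 1 (options template) and data for unknown templates are skipped;
        # a real collector would buffer such data until the template shows up.
        off += fs_len
    return flows


def _learn_templates(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if nfields == 0:  # trailing padding
            break
        off += 4
        templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields


def _decode_records(body, fields):
    rec_len = sum(flen for _, flen in fields)
    out, off = [], 0
    while off + rec_len <= len(body):  # stops at the padding
        rec = {}
        for ftype, flen in fields:
            raw = body[off:off + flen]
            off += flen
            name = FIELD_NAMES.get(ftype, f"field_{ftype}")
            rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
        out.append(rec)
    return out


def ssh_flows_from(flows, networks):
    """Flows that are TCP/22 from the given networks (e.g. the SSH-ATTACKERS list)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [f for f in flows if f["protocol"] == 6 and f["dst_port"] == 22
            and any(ipaddress.ip_address(f["src_addr"]) in n for n in nets)]


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    {"src_addr": "103.10.20.30", "dst_addr": "192.168.100.50", "src_port": 51234,
     "dst_port": 22, "protocol": 6, "in_bytes": 1800, "in_pkts": 12},
    {"src_addr": "198.51.100.7", "dst_addr": "192.168.1.20", "src_port": 443,
     "dst_port": 52010, "protocol": 6, "in_bytes": 95000, "in_pkts": 80},
]


def demo():
    templates = {}
    flows = parse_export(build_export(SAMPLE_FLOWS), templates)
    return flows, ssh_flows_from(flows, ["103.0.0.0/8", "104.0.0.0/8"])
```

demo() decodes both flows and returns only the 103.10.20.30 flow as an SSH hit; feeding parse_export the same packet with its Template FlowSet removed yields no flows at all, which is the template-first behaviour to plan for when a collector restarts.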

Update: The timeout configuration below may help with the NetFlow load. I have not tested it yet, though.

set system flow-accounting netflow timeout max-active-life 604800
set system flow-accounting netflow timeout flow-generic 3600
set system flow-accounting netflow timeout tcp-fin 300
set system flow-accounting netflow timeout tcp-generic 3600
set system flow-accounting netflow timeout tcp-rst 120
set system flow-accounting netflow timeout icmp 300
set system flow-accounting netflow timeout udp 300

Below are two PRTG screenshots of the statistics collected before and after turning off NetFlow on my EdgeRouter Lite.

[Screenshot: NetFlow CPU spikes – CPU usage]

[Screenshot: NetFlow slow download – Download speed]

Configure System Packages

As mentioned in my “Ubiquiti’s EdgeOS CLI Introduction” blog post, EdgeOS is a fork and port of Vyatta Core. Since Vyatta Core is built on Debian, one can also point EdgeOS at Debian package repositories. The repository in the example below is the US mirror; if you need a different mirror, see the Debian mirror list. Use the distribution that matches your EdgeOS release (wheezy at the time of writing; Debian 7 “wheezy” has since reached end of life and no longer receives security updates). The mirrors are reached over plain http, so what protects you is apt verifying the signed Release files; do not disable that check.

Note: Do not use apt-get upgrade or apt-get dist-upgrade. Some of the packages are customized by Ubiquiti, and a blanket upgrade would replace them and could break the router.

set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url 'http://http.us.debian.org/debian'
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url 'http://security.debian.org'

I actually haven’t installed any packages yet, but I’ve used it to update the package lists. Be aware that if you choose to enable IPv6, it seems to break apt-get: it prefers IPv6 and then does not reach the repository servers, for whatever reason. The fix is to force apt-get to use IPv4.

user@ubnt:~$ echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4
Acquire::ForceIPv4 "true";

user@ubnt:~$ sudo apt-get update
Get:1 http://security.debian.org wheezy/updates Release.gpg [1554 B]
Get:2 http://security.debian.org wheezy/updates Release [102 kB]
Hit http://http.us.debian.org wheezy Release.gpg
Hit http://http.us.debian.org wheezy Release
Get:3 http://security.debian.org wheezy/updates/main mips Packages [333 kB]
Hit http://http.us.debian.org wheezy/main mips Packages
Get:4 http://security.debian.org wheezy/updates/main Translation-en [202 kB]
Hit http://http.us.debian.org wheezy/contrib mips Packages
Hit http://http.us.debian.org wheezy/non-free mips Packages
Hit http://http.us.debian.org wheezy/contrib Translation-en
Hit http://http.us.debian.org wheezy/main Translation-en
Hit http://http.us.debian.org wheezy/non-free Translation-en
Fetched 638 kB in 18s (34.0 kB/s)
Reading package lists... Done

Once everything is configured, do not forget to commit and save the changes by issuing commit followed by save.

Final Words

I really like EdgeRouter Lite for my home environment, even though there are things that still need improvement. It does what I need it to do as a router and it is way more advanced than the SOHO routers I’ve used in the past. Yes, it lacks wireless, so one will need an access point (AP) for wireless connectivity. If you have an existing SOHO router, check whether it has an AP-only mode. My Netgear WNDR3800 allows me to configure it in AP mode rather than using it as a router. It also lets me keep using its switch ports, which means I can connect more devices to my network.

References

Convince apt-get *not* to use IPv6 method
Version 1.6.0 IPv6 Comcast
EdgeMAX – Set up L2TP over IPsec VPN server



About Andrew Roderos

As an IT professional, I have a strong passion for technology and a desire to learn more about it. Technologies that I am mostly interested in are computer networking, network security, virtualization, and programming. Outside of the information technology world, I enjoy traveling, reading science fiction books and manga, watching movies, and photography.