My Home Router – EdgeRouter Lite


This blog post is the very first part of a series on EdgeRouter Lite. You may want to check them all out!

Date       Title                                                Description
04/09/16   Ubiquiti’s EdgeOS CLI Introduction                   EdgeOS CLI Primer
05/01/16   How to configure EdgeRouter Lite via CLI – Part 1    EdgeOS configuration guide for CLI junkies
05/01/16   How to configure EdgeRouter Lite via CLI – Part 2    EdgeOS configuration guide for CLI junkies
12/03/16   Hardening EdgeRouter Lite – Part 1                   Basic management hardening
12/04/16   Hardening EdgeRouter Lite – Part 2                   EdgeOS with two-factor authentication
12/05/16   Hardening EdgeRouter Lite – Part 3                   Management ACL
12/06/16   Hardening EdgeRouter Lite – Part 4                   Remote Access VPN with two-factor authentication

Introduction

TL;DR: Looking for a home router with some SMB/Enterprise features and not afraid of using CLI? Buy the EdgeRouter Lite.

A few months ago, I bought the EdgeRouter Lite. Before buying the router, I had been running a Palo Alto Networks PA-200 for a few months to play with it, but I was not happy with the throughput I was getting when everything was turned on (App-ID, Threat Prevention, PAN-DB URL filtering, etc.). My 150 Mbps download went down to around 50 Mbps. To be fair, Palo Alto Networks does list this accurately in their hardware spec sheet. While I could’ve turned everything off and stuck with the PA-200, I wanted to move it to the side and just make it a home lab device. To fully play with the PA-200 and other stuff on my plate, I wanted to redesign my home network; hence the purchase of the EdgeRouter Lite and a TP-LINK TL-SG2008.

Specifications

For $99 (MSRP), the router provides a lot of features that I will never use at home. The official spec sheet is located here, but for your convenience, I’ve listed some of its specs below. There is a lower-end Ubiquiti router for $49, the EdgeRouter X. This is perfect for those looking for a low-budget router with some SMB/enterprise features. It offers the same software capabilities, but the biggest difference is under the hood. The EdgeRouter X only has 256 MB RAM, 256 MB code storage, and a different processor, which could affect performance because it does not have the same hardware-accelerated features as the EdgeRouter Lite. While its processor does have some hardware-accelerated features (e.g. HW NAT), I believe they are still not supported by EdgeOS at the time of writing (hardware acceleration on the EdgeRouter X has been supported since v1.8.5). The things that are hardware accelerated in the EdgeRouter Lite are found here.

Hardware:

Max Power Consumption: 7W
Interfaces: (1) RJ45 Serial Port and (3) 10/100/1000 Ethernet Ports
Layer 3 Forwarding Performance: 1 Mpps
Processor: Dual-core 500 MHz, MIPS64 with Hardware Acceleration for packet processing (Cavium Octeon CN5020)
Flash storage: 2 GB
RAM: 512 MB DDR2 RAM

Software:

Interface/Encapsulation: Ethernet, 802.1Q (VLAN), PPPoE, GRE, IP in IP, 802.3ad (LACP), and Bridging
Addressing: Static IPv4/IPv6 Addressing, DHCP/DHCPv6
Routing: Static routes, OSPFv2/OSPFv3, RIP/RIPng, BGP (with IPv6 support)
Security: ACL-Based Firewall, Zone-Based Firewall (ZBF)
VPN: IPSec Site-to-Site and Remote Access, OpenVPN Site-to-Site and Remote Access, PPTP Remote Access, L2TP Remote Access, and PPTP Client
Services: DHCP/DHCPv6 Server, DHCP/DHCPv6 Relay, Dynamic DNS, DNS Forwarding, VRRP, RADIUS Client, Web Caching, and PPPoE Server
QoS: FIFO, Stochastic Fairness Queueing, Random Early Detection (RED), Token Bucket Filter, Deficit Round Robin, Hierarchical Token Bucket, and Ingress Policing
Management: Web UI, CLI (Console, SSH, Telnet), SNMP, NetFlow, LLDP, NTP, UBNT Discovery Protocol, Logging

New to v1.8: MPLS, VPLS, and more!

Why did I buy EdgeRouter Lite?

Some of the reasons why I bought the EdgeRouter Lite are the following:

IEEE 802.1Q

The main reason I bought the EdgeRouter Lite was the 802.1Q (VLAN) capability. I needed to separate my devices into different VLANs, especially the VMs in my ESXi home lab. One of the things that pushed me to have VLAN capability is the F5 BIG-IP LTM home lab. I really wanted to set it up properly and mimic a setup similar to one found in an enterprise. The current topology is very simple right now, though. That topology will change in the future once I am comfortable with the F5 BIG-IP LTM.

While I do have old Cisco routers capable of VLANs, they are not gigabit capable, consume a lot of power, and are loud. The ERLite-3 is very small, consumes little power, and is fanless. Yes, I could have run a virtual router or firewall on my VMware ESXi host since it is on 24/7/365, but I did not want to do that. I did, however, play with pfSense on a VM for a very short amount of time years ago.

Firewall capability

Advanced firewall capability is a nice addition to my home network. I have some services open for me, friends, and family to connect from the Internet to my home servers, so being able to create different zones and apply rules is really a great addition. Now I can create a DMZ for services that are open to the whole world and have rules that allow or deny traffic to and/or from the DMZ. I decided not to take advantage of the Zone-Based Firewall feature in EdgeOS and stayed with the ACL-style configuration, mostly because I read that ZBF/ZBFW slows down the boot time of the router. While my router shouldn’t reboot that often, I know for sure that people in the house would complain if it took a long time for them to get back on the Internet after a reboot. I also did not want to write a whole lot of rules. I had seven interfaces on the router, so if my calculation is correct, that would mean I need 56 zone rulesets.
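As an added example (not configuration from the original post), here is what the ACL-style approach described above looks like in the EdgeOS CLI: one named ruleset per interface and direction, with a default drop, stateful return traffic allowed first, and only the published service reachable from the Internet. Interface names (eth0 as WAN, eth2 as DMZ), the LAN prefix 192.168.1.0/24, the DMZ host 192.168.100.10 and the TCP/443 service are all assumed values chosen for illustration.

```edgeos
configure

# Constructed example: LAN prefixes the DMZ must never initiate traffic to
set firewall group network-group LAN_NETS description 'Internal LAN networks'
set firewall group network-group LAN_NETS network 192.168.1.0/24

# Internet -> router (forwarded traffic entering on the WAN interface)
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'Internet to DMZ/LAN'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow replies to sessions we opened'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop packets with no valid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'Published HTTPS server in the DMZ (assumed host)'
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.100.10
set firewall name WAN_IN rule 30 destination port 443

# DMZ -> anywhere: a compromised DMZ host may reach the Internet but not the LAN
set firewall name DMZ_IN default-action drop
set firewall name DMZ_IN description 'DMZ to LAN/Internet'
set firewall name DMZ_IN rule 10 action accept
set firewall name DMZ_IN rule 10 state established enable
set firewall name DMZ_IN rule 10 state related enable
set firewall name DMZ_IN rule 20 action drop
set firewall name DMZ_IN rule 20 state invalid enable
set firewall name DMZ_IN rule 30 action drop
set firewall name DMZ_IN rule 30 description 'No DMZ-initiated traffic into the LAN'
set firewall name DMZ_IN rule 30 destination group network-group LAN_NETS
set firewall name DMZ_IN rule 30 log enable
set firewall name DMZ_IN rule 40 action accept
set firewall name DMZ_IN rule 40 description 'Everything else from the DMZ (Internet) is allowed'

# Attach each ruleset to the interface/direction it protects (assumed interfaces)
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth2 description 'DMZ'
set interfaces ethernet eth2 firewall in name DMZ_IN

commit
save
exit
```

Rule order matters: the established/related accept comes first so return traffic is cheap to match, the drop toward LAN_NETS is evaluated before the catch-all accept, and logging is enabled only on the DMZ-to-LAN drop so the log shows exactly the traffic the DMZ design is meant to prevent. This covers only the `in` direction; traffic destined to the router itself uses a separate `local` ruleset, and each additional interface needs its own named ruleset rather than a zone pair, which is the trade-off the post describes.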

While ZBF/ZBFW is a great feature, there are still limitations in the firewall capabilities of the EdgeRouter Lite. That is understandable because it is not really a firewall, so expecting it to be one is unfair. That said, I took the DMZ interface off the router and moved it to a virtualized pfSense. Geo-based IP filtering is back, yay! I actually mentioned in my SSH Brute Force Attack blog post that I had it when I was using the Palo Alto Networks PA-200. The Geo-based IP filtering significantly reduced the brute force attacks on my box.

VPN capability

Another capability that I like is the VPN. While I had been running L2TP over IPsec on my Synology DS1812+, it is nice to finally move that functionality to the edge. I am no longer port forwarding anything to my NAS. While I didn’t see much traffic on those ports, it is better to be safe than sorry. The SSH brute force attack incident was a good lesson.

Thoughts

Before I bought the router, I had done a good amount of research, so I was confident that I would be happy with the purchase. I have been running it for almost three months and I am happy to report that I couldn’t be happier with the outcome. While I am barely using all of its capabilities, it is inexpensive enough to justify the home router upgrade. Yes, it does not have wireless capabilities like my all-in-one Netgear router/AP/switch, but it is a more capable router than the Netgear. I still use the Netgear, but only as an AP and a switch to add more ports to my TP-LINK TL-SG2008. I also have a Ruckus 7363 running at home that is dedicated to 5 GHz devices.

This router is not for people who are unwilling to configure many of the advanced features via the CLI. While Ubiquiti has been adding more features to the Web UI in each release, it is still missing a lot of advanced features that would be nice to have there. For example, the Web UI still does not have L2TP over IPsec or OpenVPN configuration. Users who wish to take advantage of these features will need to use the CLI. I do not have a lot of experience with the Config Tree because I like the CLI more. I do want to point out that the Web UI supports IPsec Site-to-Site and PPTP configuration.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.


About Andrew Roderos

Andrew Roderos is an IT professional who specializes in networking, a CCIE hopeful, and forever a student of technology. Technologies that he is mostly interested in are routing and switching, virtualization, data center, and a little bit of network security. Outside of the information technology world, he enjoys reading science fiction books, manga, and photography.

  • Alex

    Did you ever have the chance to look at the EdgeRouter-X / ER-X? It is cheaper than the Lite, has more Interfaces, but apparently does not support offloading in the extent the Lite does. The ER-X even comes in an SFP variant ER-X-SFP which is still cheaper than the Lite. I’m considering buying the ER-X just to play with it :).

    • Never tried the EdgeRouter X. It should have the same software capabilities so the user experience will be similar. You should definitely give it a try and see if it fits your needs. I just like the performance that I get with the ERL for $50 more so I went with it. Good luck with your purchase! Report back your experience with the ERX if you can so other readers can decide what to get. 🙂

    • Jamie Maunder

      The ER-X now supports hardware offloading (for much better speeds). Can’t use QoS or DPI with the hardware offloading enabled though. I love love love the ER-X, just sucks it can’t light up any of the UniFi circles 🙂 https://uploads.disquscdn.com/images/037157e45bfa896b951809bbae6835713df4222751b0d542820047cb1694a12a.jpg