This blog post is the very first part of a series on EdgeRouter Lite. You may want to check them all out!
Ubiquiti’s EdgeOS CLI Introduction: EdgeOS CLI Primer
How to configure EdgeRouter Lite via CLI – Part 1: EdgeOS configuration guide for CLI junkies
How to configure EdgeRouter Lite via CLI – Part 2: EdgeOS configuration guide for CLI junkies
Hardening EdgeRouter Lite – Part 1: Basic management hardening
Hardening EdgeRouter Lite – Part 2: EdgeOS with two-factor authentication
Hardening EdgeRouter Lite – Part 3
Hardening EdgeRouter Lite – Part 4: Remote Access VPN with two-factor authentication
TL;DR: Looking for a home router with some SMB/Enterprise features and not afraid of using CLI? Buy the EdgeRouter Lite.
A few months ago, I bought the EdgeRouter Lite. Before buying the router, I was running a Palo Alto Networks PA-200 for a few months to play with it, but I was not happy with the throughput I was getting when everything was turned on (App-ID, Threat Prevention, PAN-DB URL filtering, etc.). My 150 Mbps download went down to around 50 Mbps. To be fair, Palo Alto Networks does list this accurately in their hardware spec sheet. While I could’ve turned everything off and stuck with the PA-200, I wanted to move it to the side and just make it a home lab device. To fully play with the PA-200 and other stuff on my plate, I wanted to redesign my home network; hence the purchase of the EdgeRouter Lite and TP-LINK TL-SG2008.
For $99 (MSRP), the router provides a lot of features that I will never use at home. The official spec sheet is located here, but for your convenience I’ve listed some of its specs below. There is a lower-end Ubiquiti router for $49, the EdgeRouter X. This is perfect for those looking for a low-budget router with some SMB/enterprise features. It offers the same software capabilities, but the biggest difference is under the hood. The EdgeRouter X only has 256 MB RAM and 256 MB code storage, and its processor is different, which could affect performance because it does not have the same hardware-accelerated features as the EdgeRouter Lite. While the processor does have some hardware-accelerated features (e.g. HW NAT), I believe it is still not supported by EdgeOS at this time of writing (hardware acceleration on EdgeRouter X has been supported since v1.8.5). The things that are hardware accelerated in the EdgeRouter Lite are found here.
Max Power Consumption: 7W
Interfaces: (1) RJ45 Serial Port and (3) 10/100/1000 Ethernet Ports
Layer 3 Forwarding Performance: 1 Mpps
Processor: Dual-core 500 MHz, MIPS64 with Hardware Acceleration for packet processing (Cavium Octeon CN5020)
Flash storage: 2 GB
RAM: 512 MB DDR2 RAM
Interface/Encapsulation: Ethernet, 802.1Q (VLAN), PPPoE, GRE, IP in IP, 802.3ad (LACP), and Bridging
Addressing: Static IPv4/IPv6 Addressing, DHCP/DHCPv6
Routing: Static routes, OSPFv2/OSPFv3, RIP/RIPng, BGP (with IPv6 support)
Security: ACL-Based Firewall, Zone-Based Firewall (ZBF)
VPN: IPSec Site-to-Site and Remote Access, OpenVPN Site-to-Site and Remote Access, PPTP Remote Access, L2TP Remote Access, and PPTP Client
Services: DHCP/DHCPv6 Server, DHCP/DHCPv6 Relay, Dynamic DNS, DNS Forwarding, VRRP, RADIUS Client, Web Caching, and PPPoE Server
QoS: FIFO, Stochastic Fairness Queueing, Random Early Detection (RED), Token Bucket Filter, Deficit Round Robin, Hierarchical Token Bucket, and Ingress Policing
Management: Web UI, CLI (Console, SSH, Telnet), SNMP, NetFlow, LLDP, NTP, UBNT Discovery Protocol, Logging
New to v1.8: MPLS, VPLS, and more!
Why did I buy EdgeRouter Lite?
Some of the reasons why I bought the EdgeRouter Lite are the following:
The main reason why I bought the EdgeRouter Lite was the 802.1Q (VLAN) capability. I needed to separate my devices into different VLANs, especially the VMs in my ESXi home lab. One of the things that pushed me to have VLAN capability is the F5 BIG-IP LTM home lab. I really wanted to set it up properly and mimic a similar setup found in an enterprise, though the current topology is very simple right now. That topology will change in the future once I am comfortable with F5 BIG-IP LTM.
While I do have old Cisco routers capable of VLANs, they are not gigabit capable, consume a lot of power, and are loud. The ERLite-3 is very small, consumes little power, and is fanless. Yes, I could have run a virtual router or firewall on my VMware ESXi since it is on 24/7/365, but I did not want to do that. I did, however, play with pfSense on a VM for a very short amount of time years ago.
Advanced firewall capability is a nice addition to my home network. I have some services open for me, friends, and family to connect from the Internet to my home servers so being able to create different zones and apply rules is really a great addition.
Now, I can create a DMZ for services that are open to the whole world and have rules that allow or deny traffic to and/or from the DMZ. I decided not to take advantage of the Zone-Based Firewall feature in EdgeOS and stayed with the ACL-style configuration, mostly because I read that ZBF/ZBFW does slow the boot-up times of the router. While my router shouldn’t reboot that often, I know for sure that people in the house would complain if it takes a long time for them to connect to the Internet after the router reboots. I also did not want to write a whole lot of rules. I had seven interfaces on the router, so if my calculation is correct, that would mean I need 56 zone rulesets.
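The ACL-style approach described above boils down to one named ruleset per interface and direction, rather than one per zone pair. The following EdgeOS configuration is an added example and not the author’s actual config: the interface names (eth0 for WAN, eth1 for LAN, eth2 for DMZ), the 192.168.1.0/24 LAN and 192.168.100.0/24 DMZ networks, and the web server at 192.168.100.10 are all assumptions chosen for illustration.

```edgeos
configure

# Ruleset for traffic arriving on the WAN interface and transiting the router.
# Default-drop, then allow return traffic, drop broken state, and open only
# HTTPS to the single DMZ host (assumed address 192.168.100.10).
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to LAN/DMZ'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'HTTPS to DMZ web server'
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.100.10
set firewall name WAN_IN rule 30 destination port 443

# Ruleset for traffic from the WAN destined to the router itself.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# Ruleset for traffic leaving the DMZ: a compromised DMZ host must not be able
# to reach the LAN (assumed 192.168.1.0/24), but may still reach the Internet.
set firewall name DMZ_IN default-action accept
set firewall name DMZ_IN description 'DMZ to LAN/WAN'
set firewall name DMZ_IN rule 10 action accept
set firewall name DMZ_IN rule 10 description 'Allow established/related'
set firewall name DMZ_IN rule 10 state established enable
set firewall name DMZ_IN rule 10 state related enable
set firewall name DMZ_IN rule 20 action drop
set firewall name DMZ_IN rule 20 description 'Block DMZ to LAN'
set firewall name DMZ_IN rule 20 destination address 192.168.1.0/24
set firewall name DMZ_IN rule 20 log enable

# Bind each ruleset to its interface (assumed eth0 = WAN, eth2 = DMZ).
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth2 firewall in name DMZ_IN

commit
save
exit

# Verify that rule 20 on DMZ_IN actually matches: after a test connection
# from the DMZ towards the LAN, its packet counter should increase.
show firewall name DMZ_IN statistics
```

Three rulesets cover the three interfaces that matter here, which is the trade-off the paragraph describes: fewer rulesets than a full zone matrix, at the cost of having to remember which interface and direction each one is bound to. Leaving `log enable` on the DMZ-to-LAN drop rule gives a simple indicator in `show log` that something inside the DMZ is trying to move laterally.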
While ZBF/ZBFW is a great feature, there are still limitations with the firewall capabilities of the EdgeRouter Lite. It is understandable because it is not really a firewall, so expecting it to be one is unfair. That said, I took the DMZ interface out of the router and moved it to a virtualized pfSense. Geo-based IP filtering is back, yay! I actually mentioned in my SSH Brute Force Attack blog post that I had it when I was using the Palo Alto Networks PA-200. The Geo-based IP filtering significantly reduced the brute force attacks against my box.
Another capability that I like is the VPN capability. While I had been running L2TP over IPsec using my Synology DS1812+, it is nice to finally move the functionality to the edge. I am no longer port forwarding anything to my NAS. While I didn’t see much traffic on these ports, it is better to be safe than sorry. The SSH brute force attack incident has been a good lesson.
Before I bought the router, I had done a good amount of research, so I was confident that I would be happy with the purchase. I have been running it for almost three months and I am happy to report that I couldn’t be happier with the outcome of my purchase. While I am barely using all of its capabilities, it is inexpensive enough to justify the home router upgrade. Yes, it does not have wireless capabilities like my all-in-one Netgear router/AP/switch, but it is a more capable router than the Netgear. I still use my Netgear router, but as an AP and switch to add more ports to my TP-LINK TL-SG2008. I also have a Ruckus 7363 running at home that is dedicated only to 5 GHz devices.
This router is not for people who are not willing to configure a lot of the advanced features via CLI. While Ubiquiti has been adding more features to the Web UI in each of their releases, it is still missing a lot of advanced features that would be nice to have in the Web UI. For example, the Web UI still does not have L2TP over IPsec or OpenVPN configuration. Users who wish to take advantage of these features will need to hit the CLI. I do not have a lot of experience with the Config Tree because I like the CLI more. I do want to point out that the Web UI supports IPsec Site-to-Site and PPTP configuration.