NetworkJutsu

Networking & Security Services | San Francisco Bay Area


EdgeRouter

Hardening EdgeRouter Lite – Part 4

12/06/2016 By Andrew Roderos


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date      Title                                              Description
03/13/16  My Home Router – EdgeRouter Lite                   Quick introduction to EdgeRouter Lite
04/09/16  Ubiquiti’s EdgeOS CLI Introduction                 EdgeOS CLI Primer
05/01/16  How to configure EdgeRouter Lite via CLI – Part 1  EdgeOS configuration guide for CLI junkies
05/01/16  How to configure EdgeRouter Lite via CLI – Part 2  EdgeOS configuration guide for CLI junkies
12/03/16  Hardening EdgeRouter Lite – Part 1                 Basic management hardening
12/04/16  Hardening EdgeRouter Lite – Part 2                 EdgeOS with two-factor authentication
12/05/16  Hardening EdgeRouter Lite – Part 3                 Management ACL

Introduction

In my How to configure EdgeRouter Lite via CLI – Part 2 post, there is an L2TP via IPsec section. The commands shown in that post work great. However, there are security concerns with that configuration: the remote-access VPN uses a pre-shared secret for machine authentication, and user authentication has no two-factor authentication (2FA). In this post, I will demonstrate how to harden remote-access VPN connectivity on the EdgeRouter Lite.

User Authentication with 2FA

As mentioned in my how-to guide, I prefer L2TP over IPsec, so this post will only cover that. The configuration demonstrated here requires a RADIUS server, such as FreeRADIUS; check my blog post about it if you want to build your own. If you chose the local Google Authenticator route, there might be a way to tie that into user authentication, but that is out of the scope of this post.

EdgeOS has two L2TP user-authentication modes: local and RADIUS. My how-to guide used a local account, which is separate from the device-management accounts. As previously discussed, a username and password alone are no longer considered secure today, so we are going to add another factor of authentication to the account.

EdgeOS Commands

The first command is to change user authentication mode to RADIUS.

set vpn l2tp remote-access authentication mode radius

The second command is to point the device to the RADIUS server and enter the key you want to use.

set vpn l2tp remote-access authentication radius-server 192.168.250.250 key supersecretkey

The last command changes the default protocol from MS-CHAPv2 to PAP. Unfortunately, Google Authenticator will only work with PAP, as far as I know: with MS-CHAPv2 the RADIUS server never receives the password itself, so it cannot split the TOTP digits off the end of it.

set vpn l2tp remote-access authentication require pap

Don’t forget to commit and save the configuration. Issue the commit;save command.

FreeRADIUS Configuration

In my FreeRADIUS blog post, only a few lines needed to be changed or added in the config files; aside from those modifications, the files were left in their default state. That’s okay for the most part. However, VPN authentication then takes a bit longer than with the local account. In this section, we’re going to make some optimizations to speed up authentication.

Related: How to implement Duo Security MFA

I am a FreeRADIUS newbie, so I do not know what all of these lines mean, but I commented them out to speed up the process of authentication. I just looked at the debug output of the sudo freeradius -X command and tried to interpret what it was saying. The lines that included noop, I figured, are not needed for my environment, so I commented them out. Every time I made a change, I tested my VPN to make sure I was still able to log in. If you are currently using or going to use this FreeRADIUS instance for other purposes, then be careful about what you comment out because it may break something. Remember, I only use this for remote access VPN and device authentication.

Edit the /etc/freeradius/sites-enabled/default file.

$ sudo vi /etc/freeradius/sites-enabled/default

Find the following and comment them out.

authorize {
#      chap
#      mschap
#      suffix
#      eap {
#              ok = return
#      }
#      expiration
#      logintime
#      pap
authenticate {
#      Auth-Type PAP {
#              pap
#      }
#      Auth-Type CHAP {
#              chap
#      }
#      Auth-Type MS-CHAP {
#              mschap
#      }
#      digest
#      eap
preacct {
#      suffix
#      files
accounting {
#      exec
post-auth {
#      exec

The next step is to edit the clients.conf file. From what I can tell, this works like an ACL: if you do not add the router’s source IP address, FreeRADIUS will ignore the traffic from the router. Once you open the file in VI or your favorite text editor, look for the client localhost { line and insert the lines listed below in front of it.

$ sudo vi /etc/freeradius/clients.conf
client rtr {
        ipaddr = 192.168.1.1
        secret = secretkey
}
client localhost {

Since we made changes to the files, we need to restart the service for it to take effect.

$ sudo service freeradius restart

Verification

Now, go ahead and test your VPN connectivity to see if it works. If everything works, then you can now delete the local account from the configuration. Remember, the format for the password is password+TOTP.

delete vpn l2tp remote-access authentication local-users username unique-username-here password your-unique-password-here

Troubleshooting

When you are troubleshooting FreeRADIUS, it is very helpful to use the freeradius -X command. This helped me figure out some issues that I encountered when setting this up. The command may be different on other Linux distros, though; check the documentation for the right one. From what I can tell, all Debian-based Linux distros use this command.

Before you can issue the debug command, you need to stop the FreeRADIUS service first, or you will get the error shown below.

$ sudo freeradius -X
<-- Output omitted for brevity -->
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[273]: Error binding to port for 0.0.0.0 port 1812
$ sudo service freeradius stop
$ sudo freeradius -X
<-- Output omitted for brevity -->
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

Once you’re done with troubleshooting, make sure to start the service back up with sudo service freeradius start command.

Final Words

The problem with local authentication is that we need to enter user account details within EdgeOS, which means anyone with admin-level access on EdgeOS can view the users’ passwords. Changing the remote access VPN authentication from local to RADIUS is the more secure option. On top of that, we can add another factor of authentication.

For the most part, this is secure enough. In fact, I’ve seen a lot of organizations that use a similar setup. However, some organizations or people want to implement the most secure method possible for their remote access VPN. For that, they need to implement certificate-based machine authentication. Heck, they may even combine both 2FA and certificate-based machine authentication for maximum security.

If I ever get the L2TP over IPsec working using certificates, then I will cover it in my next blog post. I know it’s possible, but my client is stuck in IKE Phase 1. The problem is most likely my certificates.

Are you ready to improve your network security?

Let us answer more questions by contacting us. We’re here to listen and provide solutions that are right for you.

ENGAGE US

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.


Hardening EdgeRouter Lite – Part 3

12/05/2016 By Andrew Roderos 1 Comment


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date      Title                                              Description
03/13/16  My Home Router – EdgeRouter Lite                   Quick introduction to EdgeRouter Lite
04/09/16  Ubiquiti’s EdgeOS CLI Introduction                 EdgeOS CLI Primer
05/01/16  How to configure EdgeRouter Lite via CLI – Part 1  EdgeOS configuration guide for CLI junkies
05/01/16  How to configure EdgeRouter Lite via CLI – Part 2  EdgeOS configuration guide for CLI junkies
12/03/16  Hardening EdgeRouter Lite – Part 1                 Basic management hardening
12/04/16  Hardening EdgeRouter Lite – Part 2                 EdgeOS with two-factor authentication
12/06/16  Hardening EdgeRouter Lite – Part 4                 Remote Access VPN with two-factor authentication

Introduction

I focused on authentication methods in the first two posts of this EdgeRouter Lite series. In today’s post, I will focus on restricting access to the management plane. To accomplish this, we need to create a firewall policy on the router and apply it to the LAN interfaces and sub-interfaces. This post will show what you need for that firewall policy.

Management ACL

Besides restricting management services to listen on a single address, it is also good practice to restrict which addresses or networks are allowed to reach them. The EdgeOS firewall lets users create address groups and network groups, which allow more than one address to be included in a firewall policy. Without further ado, below is an example of a firewall policy that one can apply to the EdgeRouter Lite.

Firewall group

We need to gather the source IP addresses or network prefixes that will be allowed to connect to the EdgeRouter Lite. It is good practice for these hosts to be among the most secure computers on the network. We do not want the bad guys taking control of our router since all traffic traverses it. For example, my Linux hosts have 2FA enabled for both SSH and console access.

The address-group allows users to add multiple IP addresses.

set firewall group address-group SSH-TRUSTED address 192.168.254.100
set firewall group address-group SSH-TRUSTED address 192.168.254.101

The network-group allows users to add network prefixes.

set firewall group network-group GUI-TRUSTED network 192.168.253.0/24
set firewall group network-group GUI-TRUSTED network 192.168.254.0/24

Firewall policy

Once we’ve created the firewall group, we are now ready to create the firewall rules.

The first three lines are what a lot of people call the catch-all rule. Any traffic not matched by a rule in our firewall policy falls under it.

set firewall name LAN-LOCAL default-action drop
set firewall name LAN-LOCAL description 'LAN IPv4 inbound traffic to the router'
set firewall name LAN-LOCAL enable-default-log

The next firewall rule is unnecessary, but I like to add it at the beginning. In my environment this rule has one of the lowest numbers, but it is safe to move it to the end of the firewall policy if you feel so inclined. Alternatively, do not add this rule at all, since the catch-all rule will drop this traffic anyway.

set firewall name LAN-LOCAL rule 10 action drop
set firewall name LAN-LOCAL rule 10 description 'Drop invalid state'
set firewall name LAN-LOCAL rule 10 log disable
set firewall name LAN-LOCAL rule 10 state invalid enable

I will leave the next rule at your discretion. Some people like to allow ICMP for troubleshooting purposes and some people do not.

set firewall name LAN-LOCAL rule 20 action accept
set firewall name LAN-LOCAL rule 20 description 'Allow ICMP'
set firewall name LAN-LOCAL rule 20 log disable
set firewall name LAN-LOCAL rule 20 protocol icmp

The next rule depends on whether you run SNMP. I run the free PRTG Network Monitor in my environment, so I have to add it.

set firewall name LAN-LOCAL rule 30 action accept
set firewall name LAN-LOCAL rule 30 description 'Allow SNMP'
set firewall name LAN-LOCAL rule 30 destination port 161
set firewall name LAN-LOCAL rule 30 log disable
set firewall name LAN-LOCAL rule 30 protocol udp
set firewall name LAN-LOCAL rule 30 source address 192.168.200.200

The next rules are the ones that restrict which source IP addresses or network prefixes can connect to the EdgeRouter Lite. If you have disabled GUI access, there is no point in adding the HTTP and HTTPS rules.

set firewall name LAN-LOCAL rule 40 action accept
set firewall name LAN-LOCAL rule 40 description 'Allow SSH'
set firewall name LAN-LOCAL rule 40 destination port 22
set firewall name LAN-LOCAL rule 40 log disable
set firewall name LAN-LOCAL rule 40 protocol tcp
set firewall name LAN-LOCAL rule 40 source group address-group SSH-TRUSTED
set firewall name LAN-LOCAL rule 50 action accept
set firewall name LAN-LOCAL rule 50 description 'Allow HTTPS'
set firewall name LAN-LOCAL rule 50 destination port 443
set firewall name LAN-LOCAL rule 50 log disable
set firewall name LAN-LOCAL rule 50 protocol tcp
set firewall name LAN-LOCAL rule 50 source group network-group GUI-TRUSTED
set firewall name LAN-LOCAL rule 60 action accept
set firewall name LAN-LOCAL rule 60 description 'Allow HTTP'
set firewall name LAN-LOCAL rule 60 destination port 80
set firewall name LAN-LOCAL rule 60 log disable
set firewall name LAN-LOCAL rule 60 protocol tcp
set firewall name LAN-LOCAL rule 60 source group network-group GUI-TRUSTED

The last rule allows any traffic that is in established or related state. Check this site to understand the states.

set firewall name LAN-LOCAL rule 70 action accept
set firewall name LAN-LOCAL rule 70 description 'Allow Established'
set firewall name LAN-LOCAL rule 70 log disable
set firewall name LAN-LOCAL rule 70 protocol all
set firewall name LAN-LOCAL rule 70 state established enable
set firewall name LAN-LOCAL rule 70 state related enable

Apply the firewall policy

Now, we need to apply the firewall policy to all your LAN interfaces, including sub-interfaces.

set interfaces ethernet eth1 firewall local name LAN-LOCAL
set interfaces ethernet eth2 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 10 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 50 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 100 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 200 firewall local name LAN-LOCAL

Save config

Now, we need to save the configuration by issuing the commit;save command.
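Before committing, it helps to check the policy offline against the traffic you expect. The following Python is an added example (not from the post or from EdgeOS) that parses the set lines of the LAN-LOCAL policy above into ordered rules and evaluates sample packets the way the router does: lowest rule number first, first match wins, otherwise default-action. The embedded copy omits the description and log lines because they do not affect matching, and a source group that was never defined is treated as matching nothing so the rule fails closed.

```python
import ipaddress
import shlex

# Constructed input: the LAN-LOCAL policy from the post, with its
# description and log lines omitted because they do not affect
# matching. Groups first, then the policy, as the post lists them.
POLICY_TEXT = """
set firewall group address-group SSH-TRUSTED address 192.168.254.100
set firewall group address-group SSH-TRUSTED address 192.168.254.101
set firewall group network-group GUI-TRUSTED network 192.168.253.0/24
set firewall group network-group GUI-TRUSTED network 192.168.254.0/24
set firewall name LAN-LOCAL default-action drop
set firewall name LAN-LOCAL rule 10 action drop
set firewall name LAN-LOCAL rule 10 state invalid enable
set firewall name LAN-LOCAL rule 20 action accept
set firewall name LAN-LOCAL rule 20 protocol icmp
set firewall name LAN-LOCAL rule 30 action accept
set firewall name LAN-LOCAL rule 30 destination port 161
set firewall name LAN-LOCAL rule 30 protocol udp
set firewall name LAN-LOCAL rule 30 source address 192.168.200.200
set firewall name LAN-LOCAL rule 40 action accept
set firewall name LAN-LOCAL rule 40 destination port 22
set firewall name LAN-LOCAL rule 40 protocol tcp
set firewall name LAN-LOCAL rule 40 source group address-group SSH-TRUSTED
set firewall name LAN-LOCAL rule 50 action accept
set firewall name LAN-LOCAL rule 50 destination port 443
set firewall name LAN-LOCAL rule 50 protocol tcp
set firewall name LAN-LOCAL rule 50 source group network-group GUI-TRUSTED
set firewall name LAN-LOCAL rule 60 action accept
set firewall name LAN-LOCAL rule 60 destination port 80
set firewall name LAN-LOCAL rule 60 protocol tcp
set firewall name LAN-LOCAL rule 60 source group network-group GUI-TRUSTED
set firewall name LAN-LOCAL rule 70 action accept
set firewall name LAN-LOCAL rule 70 protocol all
set firewall name LAN-LOCAL rule 70 state established enable
set firewall name LAN-LOCAL rule 70 state related enable
"""


def parse_policy(text):
    """Parse 'set firewall ...' lines into (groups, default_action, rules)."""
    groups, default_action, rules = {}, "accept", {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "firewall"]:
            continue
        if tok[2] == "group":
            # set firewall group {address-group|network-group} NAME {address|network} VALUE
            groups.setdefault(tok[4], []).append(ipaddress.ip_network(tok[6], strict=False))
        elif tok[2] == "name" and tok[4] == "default-action":
            default_action = tok[5]
        elif tok[2] == "name" and tok[4] == "rule":
            rule = rules.setdefault(int(tok[5]), {"action": "drop", "states": set()})
            key = tok[6]
            if key == "action":
                rule["action"] = tok[7]
            elif key == "protocol":
                rule["protocol"] = tok[7]
            elif key == "destination" and tok[7] == "port":
                rule["dport"] = int(tok[8])
            elif key == "source" and tok[7] == "address":
                rule["src"] = [ipaddress.ip_network(tok[8], strict=False)]
            elif key == "source" and tok[7] == "group":
                rule["src_group"] = tok[9]
            elif key == "state" and tok[8] == "enable":
                rule["states"].add(tok[7])
            # description and log lines carry no matching semantics and are skipped
    return groups, default_action, rules


def evaluate(policy, src, proto, dport=None, state="new"):
    """Return (action, rule_number) for the first matching rule, or (default, None)."""
    groups, default_action, rules = policy
    src_ip = ipaddress.ip_address(src)
    for number in sorted(rules):
        rule = rules[number]
        if rule.get("protocol", "all") not in ("all", proto):
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        if "src" in rule or "src_group" in rule:
            # an undefined group yields an empty list, so the rule matches nothing
            nets = rule.get("src") or groups.get(rule["src_group"], [])
            if not any(src_ip in net for net in nets):
                continue
        if rule["states"] and state not in rule["states"]:
            continue
        return rule["action"], number
    return default_action, None


LAN_LOCAL = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for pkt in [("192.168.254.100", "tcp", 22), ("192.168.253.50", "tcp", 22)]:
        print(pkt, "->", evaluate(LAN_LOCAL, *pkt))
```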

Verification

Try connecting to the EdgeRouter Lite without logging out of your current SSH or HTTPS session. That way you keep access to the router in case there is a mistake in the ACL. If you have a Network Management System (NMS), make sure that SNMP is still working as well.

Final Words

Any traffic destined to the EdgeRouter Lite must be restricted. We already did this on the WAN side; the LAN side needs to be secured as well. The allowed list must be kept as short as possible: only systems that must have router access should be on it, and those computers should have strong security controls to keep them from being compromised.

In the next blog post, I am going to talk about securing the remote access VPN. It will address the security concerns in my how-to configure EdgeRouter Lite guide.


Hardening EdgeRouter Lite – Part 2

12/04/2016 By Andrew Roderos


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date      Title                                              Description
03/13/16  My Home Router – EdgeRouter Lite                   Quick introduction to EdgeRouter Lite
04/09/16  Ubiquiti’s EdgeOS CLI Introduction                 EdgeOS CLI Primer
05/01/16  How to configure EdgeRouter Lite via CLI – Part 1  EdgeOS configuration guide for CLI junkies
05/01/16  How to configure EdgeRouter Lite via CLI – Part 2  EdgeOS configuration guide for CLI junkies
12/03/16  Hardening EdgeRouter Lite – Part 1                 Basic management hardening
12/05/16  Hardening EdgeRouter Lite – Part 3                 Management ACL
12/06/16  Hardening EdgeRouter Lite – Part 4                 Remote Access VPN with two-factor authentication

Introduction

In the first part of this EdgeRouter Lite series, I made changes to improve the security of the management plane. In this post, I am going to offer an alternative for people who do not like, or do not want to use, public-key authentication. This means we stick with password-based authentication but add another factor of authentication.

Authentication

The use of two-factor authentication (2FA) or multi-factor authentication (MFA) has gained popularity in the past several years. This is because password-based authentication is no longer considered secure today. In fact, there are many organizations today that are deploying or have recently deployed 2FA or MFA to their systems.

What makes 2FA or MFA more secure than the usual username and password combination? One common behavior of users is to use the same password across all their accounts. This behavior is a bad thing because it only takes one system to get compromised for malicious users to gain access to other accounts. With 2FA or MFA, even if the user used the same password, the malicious user won’t be able to gain access to other accounts without the other factor of authentication.

The three common factors of authentication are something you know (e.g. a password), something you have (e.g. a smartphone), and something you are (e.g. biometrics). In this post, we’re going to combine the something-you-know and something-you-have factors in a way that works with the EdgeRouter family. All the methods discussed here have limitations, though. Hopefully, Ubiquiti will make changes in future firmware releases that remove these limitations.

SSH Authentication

If, for whatever reason, you chose not to use public-key authentication, there are other ways to secure password-based authentication. Both of them have limitations, though, so pick the one you feel comfortable with.

Method 1

This method is good for people who are not running RADIUS with 2FA and have no plans to for the foreseeable future. One disadvantage of this method is that it only works for SSH authentication; managing the router via the Web UI still uses the local account without the time-based one-time password (TOTP). This is not a problem for CLI junkies, though.

Another disadvantage is that it will not survive a firmware upgrade, so you will have to redo part of the work to get the functionality back. You might be able to restore the packages by creating a script using this method, though. The ~/.google_authenticator file(s) will need to be backed up as well.

Steps

The first step is to switch to root.

sudo su

The second step is optional. With this package installed, a QR code is displayed when you generate the Google Authenticator (GA) secret key, like the one here. This is convenient for users since scanning a QR code is faster than typing. If you do not install the package, you just enter the secret key in your GA app manually.

sudo apt-get install libqrencode3

The third step is to download the Google Authenticator package.

wget http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20160607-2_mips.deb

The fourth step is to install the package.

dpkg -i libpam-google-authenticator_20160607-2_mips.deb

The fifth step is to drop root privileges.

exit

The next step is to generate the secret key. Please follow this guide on how to do that. Go directly to the Generating Google Authenticator Secret Key section.

The last step is to edit PAM for SSH. We need to instruct the SSH PAM configuration to use the Google Authenticator PAM module when a user logs in. Use the same guide as above and scroll down to the Configuring SSH PAM section.

Method 2

The previous section demonstrated the unofficial way of enabling 2FA. I say unofficial because users are required to redo the work after a firmware upgrade. While unofficial, it is still an effective way of adding another factor of authentication, and thus of increasing security. In this section, I am going to show you how to set up the EdgeRouter family to use RADIUS with 2FA.

The advantage of this method is that we stay within the EdgeOS environment, so there is no work to redo after a firmware upgrade. Another advantage is that it can be used for the Web UI as well.

The disadvantage of this method is that the local account may still be used, meaning users may bypass 2FA altogether. Hopefully, Ubiquiti has plans to add a command that disables local account usage while RADIUS is up and running. For now, I suggest using a secure password for the local account, storing it in a password manager app, and using it only in an emergency, such as when RADIUS is down. You might also want to change the local account password periodically.

EdgeOS requires an existing local account that matches the username on your RADIUS server; without the local user account, it will never work. As far as I can tell, this annoying feature has been in EdgeOS for several years now, and Ubiquiti developers still have no plans to change it anytime soon, which is unfortunate.

If you do not have a RADIUS server and would like one, visit my blog post where I talked about FreeRADIUS with 2FA. Since I already have two FreeRADIUS servers, it was a no-brainer for me to point the EdgeRouter Lite to them. Without further delay, below are the commands to point the router to the RADIUS servers.

set system login radius-server 192.168.200.100 port 1812
set system login radius-server 192.168.200.100 secret supersecretkeyhere
set system login radius-server 192.168.200.200 port 1812
set system login radius-server 192.168.200.200 secret supersecretkeyhere

The last step is to commit and save the configuration. Issue the commit;save command.

Verification

Try to connect to the router using SSH without logging out of your current session. This is to make sure that you still have access to the router in case something goes wrong. Remember, the password format is password + TOTP.

Final Words

The methods discussed here are not perfect, but they improve the security of the network infrastructure. Remember that we are dealing with relatively inexpensive gear with enterprise features, so expect some compromises.

My recommendation is to use the public-key authentication method. If you are concerned about the machines that hold the SSH keys getting compromised, then I suggest using a management ACL, which restricts the IP addresses allowed to access the router. The next blog post will talk about how to create a management ACL.


Hardening EdgeRouter Lite – Part 1

12/03/2016 By Andrew Roderos 6 Comments


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date      Title                                              Description
03/13/16  My Home Router – EdgeRouter Lite                   Quick introduction to EdgeRouter Lite
04/09/16  Ubiquiti’s EdgeOS CLI Introduction                 EdgeOS CLI Primer
05/01/16  How to configure EdgeRouter Lite via CLI – Part 1  EdgeOS configuration guide for CLI junkies
05/01/16  How to configure EdgeRouter Lite via CLI – Part 2  EdgeOS configuration guide for CLI junkies
12/04/16  Hardening EdgeRouter Lite – Part 2                 EdgeOS with two-factor authentication
12/05/16  Hardening EdgeRouter Lite – Part 3                 Management ACL
12/06/16  Hardening EdgeRouter Lite – Part 4                 Remote Access VPN with two-factor authentication

Introduction

It has been a while since I talked about my EdgeRouter Lite. Since then, my configuration has changed. I will be discussing some of the configuration changes in this series of blog posts.

As the title implies, I will cover the process of hardening EdgeRouter Lite to address the security concerns one might have with my two-part blog post. This, by no means, is complete or the most secure configuration so feel free to drop me a line with your suggestions.

Note: This post is based on firmware version 1.9.

Web UI

The HTTPS service listens, by default, on all addresses assigned to the router’s interfaces. We can improve security by restricting web management traffic to a single address.

set service gui listen-address 192.168.200.1

Alternatively, I could disable the service if I have no use for it.

delete service gui

One of the things I noticed in EdgeOS is that the GUI listens on both port 80 and port 443, but users who hit the router via HTTP are redirected to HTTPS. The show service gui command won’t list port 80, but it shows up when you issue show configuration commands | match "service gui". This behavior is OK in my opinion since it switches to secure HTTP, though some people will find it unacceptable. If you are one of them, the delete service gui http-port 80 command disables it. Alternatively, you can use the firewall to block it. I will cover the firewall configuration in future blog posts.

SSH Service

In my how-to configure EdgeRouter Lite part one guide, the SSH service section has two config lines. While it touches a bit on security, I didn’t really cover securing the service further. By default, the router’s SSH server listens on any address assigned to an interface, just like the Web UI. In this section, we will instruct EdgeOS to listen only on a specific IP address.

set service ssh listen-address 192.168.200.1

Public-Key Authentication

One of the mitigation techniques for SSH brute-force attacks is SSH key authentication. To set it up, we need to generate SSH keys on the client(s), load the public key on the EdgeRouter, and disable password authentication.

Generating SSH keys

In this post, the host I used to generate keys runs Ubuntu Server 16.04.1. The command should be the same on macOS and other Linux distros. If you’re a Windows user, please research how to generate keys using PuTTY Generator.

username@ubuntu01:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa): <just hit enter>
Enter passphrase (empty for no passphrase): <enter passphrase here>
Enter same passphrase again: <enter passphrase here>
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:a-bunch-of-characters-are-displayed-here username@ubuntu01
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|     random      |
|   characters    |
|      are        |
|    displayed    |
|      here       |
|                 |
|                 |
+----[SHA256]-----+

Copying SSH key

There are two methods that I know of for copying the public key we generated to the EdgeRouter, and I will cover both.

Method 1

This method is the easiest out of the two. This method will only work if password authentication is still enabled. If not, then you will have to use the second method.

username@ubuntu01:~$ ssh-copy-id username@ubnt.domain.local
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
username@ubnt.domain.local's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'username@ubnt.domain.local'" and check to make sure that only the key(s) you wanted were added.

The public key is now copied and we are ready to load it. Skip the Method 2 section and go to the next one.

Method 2

This method is a bit more involved than the first one. Its second part also applies to Windows users: it’s just a matter of copying the public key to the clipboard and saving it to a file on the EdgeRouter. This is the method you’ll use going forward once you disable password authentication and need to add more public keys. Alternatively, you can enable password authentication temporarily and use the first method to add more public keys. Don’t forget to disable password authentication again afterwards.

The first step is to view the public key from the host.

username@ubuntu01:~$ more ~/.ssh/id_rsa.pub
ssh-rsa a-bunch-of-characters-are-displayed-here-and-is-very-long username@ubuntu01

The next step is to copy everything. Note: It may show up as multiple lines on your screen. Make sure to paste it as a single line to a file in EdgeRouter.

sudo vi ~/.ssh/authorized_keys
ssh-rsa a-bunch-of-characters-are-displayed-here-and-is-very-long username@ubuntu01

If you are not familiar with the VI/VIM editor, then use this instead.

bash
echo ssh-rsa a-bunch-of-characters-are-displayed-here-and-is-very-long username@ubuntu01 >> ~/.ssh/authorized_keys
exit

Loading SSH key

The next step is to load the public key into the configuration. The command covered here instructs the router to load the public key from the Linux environment into EdgeOS. This ensures that the keys survive a reboot and/or firmware upgrade, since the configuration is saved in the /config directory.

loadkey username ~/.ssh/authorized_keys

We’ll delete the authorized_keys file since it is no longer needed.

sudo rm ~/.ssh/authorized_keys

Disable Password Authentication

The last step in enabling public-key authentication is to disable password authentication. Right now, users are still able to log into the EdgeRouter using a password. To disable this behavior, we’ll configure the SSH daemon to allow only public-key authentication.

set service ssh disable-password-authentication

For this to take effect, we’ll need to commit the changes and save the config to the config.boot file. The command below will cause the SSH daemon (sshd) to restart.

commit; save

Verification

Now, we’re ready to test our EdgeRouter configuration.

Host with public key

Here’s my Ubuntu host with public key connecting to EdgeRouter Lite.

username@ubuntu01:~$ ssh username@ubnt.domain.local
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
Enter passphrase for key '/home/username/.ssh/id_rsa': <enter passphrase>
Linux ubnt 3.10.20-UBNT #1 SMP Fri Jul 29 16:51:50 PDT 2016 mips64
Welcome to EdgeOS
Last login: Fri Nov 25 10:09:27 2016 from 192.168.254.100

Depending on your host’s OS, the behavior may differ. My host asks for the private key passphrase every time I connect to the EdgeRouter Lite. The passphrase requirement can serve as an additional layer of security, provided the user picks a unique and strong passphrase. To change this behavior, I added the identity to a key manager so I don’t have to type the passphrase every single time. Whether you want to do the same is up to you.

Installing key manager

Install the keychain package as the key manager.

username@ubuntu01:~$ sudo apt-get install keychain -y

Edit the .bashrc file and add the following.

username@ubuntu01:~$ vi .bashrc
keychain id_rsa id_dsa
. ~/.keychain/`uname -n`-sh

If you are not familiar with VI/VIM, follow the commands below.

username@ubuntu01:~$ sed -i '$ a keychain id_rsa id_dsa' .bashrc
username@ubuntu01:~$ sed -i '$ a . ~/.keychain/`uname -n`-sh' .bashrc

For the change to take effect, enter the command below.

username@ubuntu01:~$ . .bashrc
 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 2888
 * Warning: can't find id_dsa; skipping
 * Adding 1 ssh key(s): /home/username/.ssh/id_rsa
Enter passphrase for /home/username/.ssh/id_rsa: <enter passphrase>
 * ssh-add: Identities added: /home/username/.ssh/id_rsa

Now, my host no longer asks for the passphrase every time I connect to my EdgeRouter. This does not survive a reboot, though: the host will prompt for the passphrase again after it restarts. Still, this is better than entering the passphrase every time!

username@ubuntu01:~$ ssh username@ubnt.domain.local
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
Linux ubnt 3.10.20-UBNT #1 SMP Fri Jul 29 16:51:50 PDT 2016 mips64
Welcome to EdgeOS
Last login: Fri Nov 25 12:35:33 2016 from 192.168.254.100

Host with no public key

Clients that do not have public keys saved in the EdgeRouter will no longer be able to connect.

username@ubuntu02:~$ ssh username@ubnt.domain.local
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
Permission denied (publickey).

Final Words

This post addresses some of the security concerns with my two-part blog post on how to configure EdgeRouter Lite. While there were a few security bits here and there in that series, this post increases security by hardening the management plane. There are more things we can do to enhance management security, and they will be covered in the future. The next post will give users an alternative to SSH public-key authentication.

References

Ubuntu Community QuickTips
Ubiquiti Community – SSH authorized_keys

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

How to configure EdgeRouter Lite via CLI – Part 2

05/01/2016 By Andrew Roderos


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date      Title                                               Description
03/13/16  My Home Router – EdgeRouter Lite                    Quick introduction to EdgeRouter Lite
04/09/16  Ubiquiti’s EdgeOS CLI Introduction                  EdgeOS CLI Primer
05/01/16  How to configure EdgeRouter Lite via CLI – Part 1   EdgeOS configuration guide for CLI junkies
12/03/16  Hardening EdgeRouter Lite – Part 1                  Basic management hardening
12/04/16  Hardening EdgeRouter Lite – Part 2                  EdgeOS with two-factor authentication
12/05/16  Hardening EdgeRouter Lite – Part 3                  Management ACL
12/06/16  Hardening EdgeRouter Lite – Part 4                  Remote Access VPN with two-factor authentication

Introduction

This is part two of the How to configure EdgeRouter Lite via CLI blog post. If you haven’t read part one, you might want to read that first. In part one, I covered what I think are the essential configurations to get a user going in a typical home environment. In this post, I will talk about features that I personally use at home at the time of writing. I did include one feature that I turned on for a few days and then turned off because of issues I encountered while it was on.

UPDATE: While there are some security-related configurations covered in this series, there are still security concerns with the configuration. That said, I created the Hardening EdgeRouter Lite series to address some of them. Please check the links above.

Configure IPv6

I would say that IPv6 in residential networks is relatively new, at least in the US. As far as I know (I could be wrong), IPv6 in US residential networks has only been around for two to three years. I actually did not know that my ISP (Comcast/Xfinity) had been IPv6 ready (fully deployed) for about two years. In fact, I found that out by accident while troubleshooting my slow download speed. Once I found out, I started researching how to configure it on my router.

My ISP uses prefix delegation, which provides a mechanism for automated delegation of IPv6 prefixes using DHCP. There are two EdgeOS configurations I found that worked for me, but I will only show the one that I think is the best out of the two that I tried.

Pay attention to the prefix-length that you’re asking for. In residential networks, Comcast/Xfinity allows the user to ask for at most a /60, that is, 16 x /64 prefixes. Business-class accounts can ask for a /56, or 256 x /64 prefixes.

set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 prefix-id :2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 prefix-id :3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.99 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 prefix-id :4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.100 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id :5
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac

In addition to the above configurations, you may want to configure the IPv6 forwarding offload feature as well.

set system offload ipv6 forwarding enable

Note

You will also need to issue the WAN6-LOCAL rules in the firewall section below.

To verify that you received IPv6 addresses, issue the command shown below. The sanitized output shows both IPv4 and IPv6 addresses.

networkjutsu@rtr# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         24.xxx.xxx.xxx/23                  u/u  WAN
             2001:xxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx/128
eth1         192.168.0.1/24                    u/u  LAN0
             2601:xxx:xxxx:xxx1::1/64
eth1.2       192.168.1.1/24                    u/u  LAN1
             2601:xxx:xxxx:xxx2::1/64
eth1.99      192.168.99.1/24                   u/u  MGMT
             2601:xxx:xxxx:xxx3::1/64
eth1.100     192.168.100.1/24                  u/u  SERVER
             2601:xxx:xxxx:xxx4::1/64
eth2         192.168.2.1/24                    u/u  LAN2
             2601:xxx:xxxx:xxx5::1/64
lo           127.0.0.1/8                       u/u
             ::1/128
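The output above lines up with the prefix-id values in the configuration: each LAN interface receives one /64 out of the delegated /60, selected by its prefix-id, with host-address ::1 as the router’s address. The Python below is an added example (not from the post or from Ubiquiti) that computes that mapping and refuses a prefix-id that does not fit the delegation; 2001:db8:1234:abc0::/60 is a constructed documentation-range prefix standing in for the real one, and the placement of prefix-id in the bits between the delegated length and /64 is an assumption consistent with the output shown.

```python
import ipaddress


def delegated_subnet_count(prefix_len):
    """Number of /64 LAN prefixes a delegation of this length yields (/60 -> 16, /56 -> 256)."""
    if not 1 <= prefix_len <= 64:
        raise ValueError("delegated prefix must be between /1 and /64")
    return 1 << (64 - prefix_len)


def subnet_for_prefix_id(delegated, prefix_id, host_address="::1"):
    """Return (LAN /64, router address) for one 'dhcpv6-pd pd 0 interface X' entry.

    Assumption (consistent with the show interfaces output in this post): the
    prefix-id fills the bits between the delegated length and /64, so with a /60
    the ids :0 to :f select the 16 available /64s.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    count = delegated_subnet_count(net.prefixlen)
    pid = int(prefix_id.lstrip(":"), 16)
    if not 0 <= pid < count:
        raise ValueError(f"prefix-id {prefix_id} does not fit: a /{net.prefixlen} "
                         f"only has {count} x /64 (ids :0 to :{count - 1:x})")
    subnet = ipaddress.IPv6Network((int(net.network_address) | (pid << 64), 64))
    host_bits = int(ipaddress.IPv6Address(host_address))
    if host_bits >> 64:
        raise ValueError("host-address must only set the low 64 bits (e.g. ::1)")
    return subnet, ipaddress.IPv6Address(int(subnet.network_address) | host_bits)


def lan_plan(delegated, interfaces):
    """Map {interface: prefix-id} (as configured) to the address each interface will carry."""
    plan = {}
    for ifname, pid in interfaces.items():
        subnet, host = subnet_for_prefix_id(delegated, pid)
        plan[ifname] = f"{host}/{subnet.prefixlen}"
    return plan


# The post's interface layout. 2001:db8::/32 is the documentation range, used here
# as a constructed stand-in for the real delegated prefix.
POST_INTERFACES = {"eth1": ":1", "eth1.2": ":2", "eth1.99": ":3", "eth1.100": ":4", "eth2": ":5"}

if __name__ == "__main__":
    for ifname, addr in lan_plan("2001:db8:1234:abc0::/60", POST_INTERFACES).items():
        print(f"{ifname:10} {addr}")
```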

If you do not get an IPv6 address, use the following commands to force a DHCPv6 renew.

release dhcpv6-pd interface eth0
delete dhcpv6-pd duid
renew dhcpv6-pd interface eth0

Here’s a better way to verify that the configuration actually worked.

networkjutsu@rtr# ping6 google.com
PING google.com(nuq04s29-in-x0e.1e100.net) 56 data bytes
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=1 ttl=56 time=10.9 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=2 ttl=56 time=10.7 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=3 ttl=56 time=10.4 ms
64 bytes from nuq04s29-in-x0e.1e100.net: icmp_seq=4 ttl=56 time=11.5 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 10.480/10.934/11.528/0.355 ms
Mac-mini:~ Andrew$ ping6 netflix.com
PING6(56=40+8+8 bytes) 2601:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx --> 2620:108:700f::36f5:f31c
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=0 hlim=49 time=30.402 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=1 hlim=49 time=29.224 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=2 hlim=49 time=29.088 ms
16 bytes from 2620:108:700f::36f5:f31c, icmp_seq=3 hlim=49 time=29.029 ms
^C
--- netflix.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 29.029/29.436/30.402/0.562 ms

Configure sub-interfaces

As you can see above, I have a few sub-interfaces configured. There used to be a DMZ as well, but I moved it to a pfSense virtual machine. I actually talked a little about it here.

set interfaces ethernet eth1 vif 2 address 192.168.1.1/24
set interfaces ethernet eth1 vif 2 description "LAN1"
set interfaces ethernet eth1 vif 2 mtu 9000
set interfaces ethernet eth1 vif 99 address 192.168.99.1/24
set interfaces ethernet eth1 vif 99 description "MGMT"
set interfaces ethernet eth1 vif 99 mtu 9000
set interfaces ethernet eth1 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 100 description "SERVER"
set interfaces ethernet eth1 vif 100 mtu 9000

The VLAN offload feature is supported on the EdgeRouter Lite, so you may want to turn it on.

set system offload ipv4 vlan enable

Configure Firewall

In this section, I am still sticking with the ACL-style firewall configuration instead of the zone-based firewall (ZBF/ZBFW) configuration. In this example, I am blocking a couple of /8 networks from which my Linux computer was repeatedly brute-forced. I also disabled the auto-firewall feature.

set port-forward auto-firewall disable
set firewall group network-group SSH-ATTACKERS description "Known Brute Force SSH Attackers"
set firewall group network-group SSH-ATTACKERS network 103.0.0.0/8
set firewall group network-group SSH-ATTACKERS network 104.0.0.0/8
set firewall name WAN-IN default-action drop
set firewall name WAN-IN description "WAN IPv4 inbound traffic to LAN"
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Deny Invalid"
set firewall name WAN-IN rule 1 log enable
set firewall name WAN-IN rule 1 state invalid enable
set firewall name WAN-IN rule 2 action drop
set firewall name WAN-IN rule 2 description "Deny SSH Attackers"
set firewall name WAN-IN rule 2 destination port 22
set firewall name WAN-IN rule 2 log enable
set firewall name WAN-IN rule 2 protocol tcp
set firewall name WAN-IN rule 2 source group network-group SSH-ATTACKERS
set firewall name WAN-IN rule 3 action accept
set firewall name WAN-IN rule 3 description "Allow SSH to Linux Computer"
set firewall name WAN-IN rule 3 destination port 22
set firewall name WAN-IN rule 3 log enable
set firewall name WAN-IN rule 3 protocol tcp
set firewall name WAN-IN rule 4 action accept
set firewall name WAN-IN rule 4 description "Allow established/related state"
set firewall name WAN-IN rule 4 log disable
set firewall name WAN-IN rule 4 state established enable
set firewall name WAN-IN rule 4 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN

Alternatively, if you do not want to add networks to the list manually, you can configure a different rule set. It matches recently seen sources, so a host that keeps attempting to connect is blocked for a certain amount of time, which helps against brute-force attacks.

In this example, it limits SSH connection attempts from the same source to three attempts within one week. I actually have Fail2Ban installed on my Linux box, which handles anything that gets through; that was covered here. That’s a better solution in my opinion. However, I believe the best way to prevent SSH brute-force attacks is to use SSH key authentication and disable password authentication.

set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Prevent SSH brute force attack"
set firewall name WAN-IN rule 1 protocol tcp
set firewall name WAN-IN rule 1 destination port 22
set firewall name WAN-IN rule 1 state new enable
set firewall name WAN-IN rule 1 recent count 3
set firewall name WAN-IN rule 1 recent time 604800
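To see how the recent count/time pair behaves, the Python below is an added example (not from the post) that replays firewall log lines against the rule’s policy: the fourth new SSH connection from one source within 604800 seconds is dropped, and a source that comes back after the week has passed is admitted again. The log lines are constructed; the `[WAN-IN-3-A]` prefix is assumed to be the label EdgeOS puts on packets logged by rule 3, and SRC=/PROTO=/DPT= plus the flag words are standard netfilter log fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog sample (not from the post). [WAN-IN-3-A] is the label assumed for the
# "Allow SSH" rule with log enabled; SRC=/PROTO=/DPT= and the flag words are netfilter LOG fields.
SAMPLE_LOG = """\
Nov 25 10:01:05 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN URGP=0
Nov 25 10:01:09 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 SYN URGP=0
Nov 25 10:01:14 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51002 DPT=22 WINDOW=29200 SYN URGP=0
Nov 25 10:01:20 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51003 DPT=22 WINDOW=29200 SYN URGP=0
Nov 25 10:02:00 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 SYN URGP=0
Nov 25 10:02:01 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.50 LEN=52 PROTO=TCP SPT=40000 DPT=22 WINDOW=229 ACK URGP=0
Nov 25 10:02:30 ubnt kernel: [WAN-IN-default-D]IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.99 LEN=52 PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 SYN URGP=0
Dec  3 10:01:21 ubnt kernel: [WAN-IN-3-A]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51004 DPT=22 WINDOW=29200 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]+\]"
    r".*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)


def new_connections(log_text, port, year=2016):
    """Yield (datetime, source, raw timestamp) for each connection-opening TCP packet to port.

    Only SYN-without-ACK packets count, mirroring 'state new' in the rule. Syslog
    lines carry no year, so one is supplied (the post is from 2016).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dpt"] != str(port):
            continue
        flags = set(line.split())
        if "SYN" not in flags or "ACK" in flags:
            continue
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"], m["ts"]


def simulate_recent_rule(log_text, count=3, window_seconds=604800, port=22):
    """Replay the log against 'recent count 3' / 'recent time 604800'.

    Like xt_recent, every hit is recorded and a packet is dropped when its source
    already has `count` hits inside the window, so a source's own rejected attempts
    keep extending its block. Returns {source: [raw timestamps the rule would drop]}.
    """
    hits = defaultdict(deque)
    dropped = defaultdict(list)
    for ts, src, raw in new_connections(log_text, port):
        window = hits[src]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # hits older than the window no longer count
        if len(window) >= count:
            dropped[src].append(raw)
        window.append(ts)
    return dict(dropped)


if __name__ == "__main__":
    # Constructed data: the fourth SYN from 203.0.113.7 is dropped, the one eight days later is not.
    print(simulate_recent_rule(SAMPLE_LOG))  # -> {'203.0.113.7': ['Nov 25 10:01:20']}
```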

Since I configured IPv6, I also need to make sure the IPv6 firewall is turned on. Because I do not have any external-facing servers using IPv6, a basic rule set is enough. I didn’t use a bogon filter in this case because it is a very long list and could slow down the router.

set firewall ipv6-name WAN6-IN default-action drop
set firewall ipv6-name WAN6-IN description "WAN IPv6 inbound traffic to LAN"
set firewall ipv6-name WAN6-IN enable-default-log
set firewall ipv6-name WAN6-IN rule 1 action accept
set firewall ipv6-name WAN6-IN rule 1 description "Allow established/related state"
set firewall ipv6-name WAN6-IN rule 1 state established enable
set firewall ipv6-name WAN6-IN rule 1 state related enable
set firewall ipv6-name WAN6-IN rule 2 action drop
set firewall ipv6-name WAN6-IN rule 2 description "Deny invalid state"
set firewall ipv6-name WAN6-IN rule 2 state invalid enable
set firewall ipv6-name WAN6-LOCAL default-action drop
set firewall ipv6-name WAN6-LOCAL description "WAN IPv6 inbound traffic to the router"
set firewall ipv6-name WAN6-LOCAL enable-default-log
set firewall ipv6-name WAN6-LOCAL rule 1 action accept
set firewall ipv6-name WAN6-LOCAL rule 1 description "Allow established/related state"
set firewall ipv6-name WAN6-LOCAL rule 1 state established enable
set firewall ipv6-name WAN6-LOCAL rule 1 state related enable
set firewall ipv6-name WAN6-LOCAL rule 2 action accept
set firewall ipv6-name WAN6-LOCAL rule 2 description "Allow DHCPv6"
set firewall ipv6-name WAN6-LOCAL rule 2 destination port 546
set firewall ipv6-name WAN6-LOCAL rule 2 protocol udp
set firewall ipv6-name WAN6-LOCAL rule 2 source port 547
set firewall ipv6-name WAN6-LOCAL rule 3 action accept
set firewall ipv6-name WAN6-LOCAL rule 3 description "Allow ICMPv6"
set firewall ipv6-name WAN6-LOCAL rule 3 protocol icmp6
set firewall ipv6-name WAN6-LOCAL rule 4 action drop
set firewall ipv6-name WAN6-LOCAL rule 4 description "Deny invalid state"
set firewall ipv6-name WAN6-LOCAL rule 4 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set interfaces ethernet eth0 firewall in ipv6-name WAN6-IN
set interfaces ethernet eth0 firewall local ipv6-name WAN6-LOCAL

Configure Remote Access VPN

In this section, I will only cover the configuration for L2TP over IPsec. The OpenVPN feature is also available in EdgeOS, but it’s not covered here because I prefer L2TP/IPsec to OpenVPN.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username networkjutsu password your-unique-password-here
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.1.190
set vpn l2tp remote-access client-ip-pool stop 192.168.1.200
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 192.168.1.10
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret your-pre-shared-key-here
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1420

If you have a static WAN IP address, the configuration will look something like the one below.

set vpn l2tp remote-access outside-address 1.1.1.10
set vpn l2tp remote-access outside-nexthop 1.1.1.1

The firewall needs to be configured as well or the VPN won’t work. The example below modifies the existing firewall configuration from part one.

set firewall name WAN-LOCAL rule 3 action accept
set firewall name WAN-LOCAL rule 3 description "Allow NAT-T"
set firewall name WAN-LOCAL rule 3 destination port 4500
set firewall name WAN-LOCAL rule 3 log enable
set firewall name WAN-LOCAL rule 3 protocol udp
set firewall name WAN-LOCAL rule 4 action accept
set firewall name WAN-LOCAL rule 4 description "Allow ESP"
set firewall name WAN-LOCAL rule 4 log enable
set firewall name WAN-LOCAL rule 4 protocol 50
set firewall name WAN-LOCAL rule 5 action accept
set firewall name WAN-LOCAL rule 5 description "Allow L2TP"
set firewall name WAN-LOCAL rule 5 destination port 1701
set firewall name WAN-LOCAL rule 5 log enable
set firewall name WAN-LOCAL rule 5 protocol udp
set firewall name WAN-LOCAL rule 6 action accept
set firewall name WAN-LOCAL rule 6 description "Allow IKE"
set firewall name WAN-LOCAL rule 6 destination port 500
set firewall name WAN-LOCAL rule 6 log enable
set firewall name WAN-LOCAL rule 6 protocol udp
set firewall name WAN-LOCAL rule 7 action accept
set firewall name WAN-LOCAL rule 7 description "Allow Established"
set firewall name WAN-LOCAL rule 7 log disable
set firewall name WAN-LOCAL rule 7 protocol all
set firewall name WAN-LOCAL rule 7 state established enable
set firewall name WAN-LOCAL rule 7 state related enable

The IPsec offload feature is supported as well so make sure to turn that on.

set system offload ipsec enable

Here’s a screenshot of my iPhone connected to my home’s network using VPN.

iPhone L2TP over IPsec

Here’s how to view who is connected to the network using VPN.

networkjutsu@rtr# run show vpn remote-access
Active remote access VPN sessions:
User         Time      Proto Iface  Remote IP       TX pkt/byte   RX pkt/byte
----------   --------- ----- -----  --------------- ------ ------ ------ ------
networkjutsu 00h04m11s L2TP  l2tp0  192.168.1.190       8   1.5K      9    320
Total sessions: 1

Configure SNMP

If you would like to configure SNMPv2 to monitor your EdgeRouter, use the following configuration. If you are interested in free SNMP monitoring software, check out PRTG, Spiceworks, Nagios, Cacti, etc. I tried PRTG and it was relatively easy to configure; it was the only free SNMP monitoring software that I tried.

set service snmp community community-name-here authorization ro
set service snmp community community-name-here client 192.168.100.50
set service snmp contact contact-name-here
set service snmp description "My Router"

The client line shown above acts as an ACL so that only certain IPs are able to contact the EdgeRouter via SNMP.

Configure NetFlow

I configured NetFlow and ran it for about two to three days. Then I noticed that every time I was connected to my home network via VPN, the RDP session kept pausing every X minutes. My bandwidth monitor also showed that I was only getting between 60 and 80 Mbps download out of the 150 Mbps that I pay for. At first, I thought my ISP was throttling me. After several minutes of troubleshooting, I found that NetFlow was the culprit of both the slow download speeds and the RDP issue. Having said that, I do not recommend turning NetFlow on unless Ubiquiti finds a way to use the offload feature so the CPU doesn’t spike to 100% (YMMV, your mileage may vary). I included it for the sake of completeness, as part of the configurations I’ve used and/or am using on my EdgeRouter Lite so far.

set system flow-accounting interface eth0
set system flow-accounting netflow engine-id 0
set system flow-accounting netflow server 192.168.100.50 port 2055
set system flow-accounting netflow version 9
!EdgeRouter supports NetFlow version 1, 5 (default), 9, and 10.

Update: The configuration below may help with NetFlow. I have not tested it yet, though.

set system flow-accounting netflow timeout max-active-life 604800
set system flow-accounting netflow timeout flow-generic 3600
set system flow-accounting netflow timeout tcp-fin 300
set system flow-accounting netflow timeout tcp-generic 3600
set system flow-accounting netflow timeout tcp-rst 120
set system flow-accounting netflow timeout icmp 300
set system flow-accounting netflow timeout udp 300

Below are two screenshots of the PRTG stats collected before and after turning off NetFlow on my EdgeRouter Lite.

[Screenshot: CPU usage – NetFlow CPU spikes]
[Screenshot: Download speed – NetFlow slow download]

Configure System Packages

As mentioned in my “Ubiquiti’s EdgeOS CLI Introduction” blog post, EdgeOS is a fork and port of Vyatta Core. Since Vyatta Core is built on Debian, one can also configure EdgeOS to download Debian packages. The repo in the example below is the US repository; if you need a different repo, visit this site.

Note: Do not use apt-get upgrade and/or apt-get dist-upgrade because some of the packages are customized by Ubiquiti and could potentially break something.

set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url 'http://http.us.debian.org/debian'
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url 'http://security.debian.org'

I actually haven’t installed any packages yet, but I’ve used it to update the system. Be aware that if you chose to enable IPv6, it seems to break apt-get: it prefers IPv6 and, for whatever reason, does not reach the repo servers. Having said that, force apt-get to use IPv4.

networkjutsu@rtr:~$ sudo echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4
Acquire::ForceIPv4 "true";
networkjutsu@rtr:~$ sudo apt-get update
Get:1 http://security.debian.org wheezy/updates Release.gpg [1554 B]
Get:2 http://security.debian.org wheezy/updates Release [102 kB]
Hit http://http.us.debian.org wheezy Release.gpg
Hit http://http.us.debian.org wheezy Release
Get:3 http://security.debian.org wheezy/updates/main mips Packages [333 kB]
Hit http://http.us.debian.org wheezy/main mips Packages
Get:4 http://security.debian.org wheezy/updates/main Translation-en [202 kB]
Hit http://http.us.debian.org wheezy/contrib mips Packages
Hit http://http.us.debian.org wheezy/non-free mips Packages
Hit http://http.us.debian.org wheezy/contrib Translation-en
Hit http://http.us.debian.org wheezy/main Translation-en
Hit http://http.us.debian.org wheezy/non-free Translation-en
Fetched 638 kB in 18s (34.0 kB/s)
Reading package lists... Done

Once everything is configured, do not forget to commit and save the changes by issuing the commit;save command.

Final Words

I really like the EdgeRouter Lite for my home environment even though there are things that still need improvement. It does what I need it to do as a router, and it is far more advanced than the SOHO routers I’ve used in the past. Yes, it lacks wireless, so one will need an access point (AP) for wireless connectivity. If you have an existing SOHO router, check whether it has an AP-only mode. My Netgear WNDR3800 lets me configure it as an AP rather than a router. It also lets me keep using the switch ports, which means I can connect more devices to my router.

References

Convince apt-get *not* to use IPv6 method
Version 1.6.0 IPv6 Comcast
EdgeMAX – Set up L2TP over IPsec VPN server

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

  • Share on Twitter Share on Twitter
  • Share on Facebook Share on Facebook
  • Share on LinkedIn Share on LinkedIn
  • Share on Reddit Share on Reddit
  • Share via Email Share via Email
  • Go to page 1
  • Go to page 2
  • Go to Next Page »

Footer

WORK WITH US

Schedule a free consultation now!

LET’S TALK

Copyright © 2011–2023 · NetworkJutsu · All Rights Reserved · Privacy Policy · Terms of Use