
NetworkJutsu

Networking & Security Services | San Francisco Bay Area


EdgeRouter

How to configure EdgeRouter Lite via CLI – Part 1

05/01/2016 By Andrew Roderos 5 Comments


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date     | Title                                             | Description
03/13/16 | My Home Router – EdgeRouter Lite                  | Quick introduction to EdgeRouter Lite
04/09/16 | Ubiquiti’s EdgeOS CLI Introduction                | EdgeOS CLI Primer
05/01/16 | How to configure EdgeRouter Lite via CLI – Part 2 | EdgeOS configuration guide for CLI junkies
12/03/16 | Hardening EdgeRouter Lite – Part 1                | Basic management hardening
12/04/16 | Hardening EdgeRouter Lite – Part 2                | EdgeOS with two-factor authentication
12/05/16 | Hardening EdgeRouter Lite – Part 3                | Management ACL
12/06/16 | Hardening EdgeRouter Lite – Part 4                | Remote Access VPN with two-factor authentication

Introduction

In my previous blog post, I talked about the basics of the EdgeOS CLI. If you are new to the EdgeOS CLI, I recommend that you head over there first to learn the basics.

This is a two-part series on how to configure EdgeRouter Lite in a home environment using the command line interface. Part one will mostly focus on what I think is a typical home environment (US only) with optional configurations. The configurations covered here should be enough to get a home user going.

Part two will mostly cover my own configuration, which I think is not a typical home network setup. I am not doing anything fancy with the router, though; mostly I am adding functionality for my own wants and needs.

UPDATE: While this series covers some security-related configuration, the resulting configuration still has security concerns. To address them, I created the Hardening EdgeRouter Lite series; please check the links above.

Logging in the first time

When you connect to the router via console or SSH, you will be prompted to log in with the factory default account, which is ubnt/ubnt. Once logged in, you will be presented with a prompt like the one below.

Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
Last login: Wed Mar 16 19:48:55 2016 from 192.168.1.200
ubnt@ubnt:~$

Managing Accounts

At a minimum, change the default password to something that is hard to guess and is not a dictionary word, so it cannot be trivially brute-forced. Every EdgeRouter ships with the same ubnt/ubnt credentials, so a router reachable on the network with that account untouched is effectively unauthenticated. Preferably, create a new administrator account and use it going forward; once you have confirmed the new admin account works, delete the default account.

To create a new account, issue the commands below. Do not worry about the plaintext-password part of the syntax: once the configuration is committed, EdgeOS stores only a salted hash in the encrypted-password field (the $6$ prefix in the output below denotes SHA-512 crypt) and leaves an empty plaintext-password placeholder behind.

set system login user andrew authentication plaintext-password passwordhere
commit
networkjutsu@rtr# show system login user andrew
 authentication {
 encrypted-password $6$Y/qNTwje6aKGB$Wx3zu/X410vdHLZuAWbh5Py9PMmFPMKFNA5lXC6L7sSZuHK.dliuQShrvC.1DkqISqjFDPfxJ.5yJ2P8Cq7or0
 plaintext-password ""
 }
[edit]

The commands below are optional. A newly created account is an administrator by default; the first command removes the empty plaintext-password placeholder and the second makes the admin level explicit.

delete system login user andrew authentication plaintext-password
set system login user andrew level admin
networkjutsu@rtr# show system login user andrew
 authentication {
 encrypted-password $6$Y/qNTwje6aKGB$Wx3zu/X410vdHLZuAWbh5Py9PMmFPMKFNA5lXC6L7sSZuHK.dliuQShrvC.1DkqISqjFDPfxJ.5yJ2P8Cq7or0
 }
 level admin
[edit]

If you want this user to be read-only, set its level to operator. An operator can run operational-mode commands but cannot enter configuration mode or view the configuration, as the session below shows.

set system login user andrew level operator
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
andrew@rtr:~$ configure
Invalid command
andrew@rtr:~$ show configuration
Must be an admin user to run this command.

Delete the default user account. You may want to delete its /home directory as well, since EdgeOS leaves it behind when the user is removed.

delete system login user ubnt
commit
networkjutsu@rtr:~$ ls /home
networkjutsu  ubnt
networkjutsu@rtr:~$ sudo rm -r /home/ubnt
networkjutsu@rtr:~$ ls /home
networkjutsu
networkjutsu@rtr:~$

System Related Configuration

This section covers everything system related, like DNS, NTP, time zone, etc. The configuration statements below show how to configure the router's domain name, the desired host name, the DNS server, the time zone, and the NTP servers. The NTP servers listed are the defaults, shown here for completeness.

set system domain-name networkjutsu.local
set system host-name rtr
set system time-zone America/Los_Angeles
set system name-server 192.168.1.10
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org

For routers that have the hardware acceleration feature, it is a good idea to turn it on. With offload enabled, the EdgeRouter Lite forwards about 1 Mpps, which is close to 1 Gbps of throughput; that is Ubiquiti's claim and it has been confirmed by third-party testing. With hardware offload turned off, performance suffers in certain scenarios. If you run into odd network issues, however, turning it off is a reasonable troubleshooting step.

The traffic analysis configuration is optional. It uses deep packet inspection (DPI) to classify the applications traversing the router and feeds that into the traffic analysis view, so you can see which IP addresses use the most bandwidth and for which applications. Not every application is categorized correctly, and DPI adds processing load on a small router, so leave it disabled if you do not need the visibility.

set system offload ipv4 forwarding enable
set system traffic-analysis dpi enable
set system traffic-analysis export enable
[Image: EdgeOS Traffic Analysis]

Best practice is to configure a banner warning all users, authorized or not, that activity may be logged and that accessing or modifying the system without authorization has consequences. A pre-login banner is shown before authentication, so it is also what an attacker probing the router sees.

set system login banner pre-login "********************************************************************\n*                                                                  *\n* * * *                    NETWORKJUTSU                      * * * *\n* * * *                   WARNING NOTICE:                    * * * *\n*   This system is restricted solely to NetworkJutsu authorized    *\n*   users for legitimate business purposes only. The actual or     *\n*   attempted unauthorized access, use, or modification of this    *\n*   system is strictly prohibited by NetworkJutsu. Unauthorized    *\n*   users are subject to disciplinary proceedings and/or           *\n*   criminal and civil penalties under state, federal, or other    *\n*   domestic and foreign laws. The use of this system may be       *\n*   monitored and recorded for administrative and security reasons *\n*   Anyone accessing this system expressly consents to such        *\n*   monitoring and is advised that if monitoring reveals possible  *\n*   evidence of criminal activity, NetworkJutsu may provide the    *\n*   evidence of such activity to law enforcement officials. All    *\n*   users must comply with NetworkJutsu instructions regarding the *\n*   protection of NetworkJutsu information assets.                 *\n*                                                                  *\n********************************************************************\n"
[Image: EdgeRouter Lite Banner]

Configure WAN

I subscribe to Comcast/Xfinity’s residential High Speed Cable Internet service, which gives me a dynamic IP address, so my WAN interface is set to DHCP.

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet

Configure LAN

I use all three interfaces at home, each in its own subnet. Some people configure the last interface in bridge mode so it acts as another switch port. Personally, I would not do this: bridging is handled in software rather than by the hardware offload, and it can make the router perform worse in certain situations.

set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 mtu 9000

The MTU setting is optional. I like jumbo frames, so mine is set to 9000 bytes; the default is 1500. If you do this, every host and switch on that segment must be configured for the same MTU, and traffic heading to the 1500-byte WAN path still depends on path MTU discovery working, so a mismatched MTU is a classic cause of connections that stall on large transfers.

Configure PAT

I do not have business-class Internet service, so I only have one public IP address. This is the majority of setups in the US with non-business Internet service, and I would assume in some other parts of the world as well. That means we need to configure PAT (Port Address Translation), which EdgeOS calls masquerade.

set service nat rule 5000 description PAT
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade

Configure Port Forwarding

The port-forward command set appears to be specific to EdgeOS; a quick search of the Vyatta 6.3 documentation did not turn it up. Port forwarding is probably not common in a home environment, so treat these commands as optional, or configure them now in case you need them later.

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward wan-interface eth0

The port forwarding rule below allows Internet users to connect to a Linux computer running an OpenSSH server. Anything forwarded this way is exposed to the entire Internet, so the target host needs to be hardened on its own (key-based authentication only, no root login); the hardening series covers a safer alternative, remote access over a VPN.

set port-forward rule 1 description "Linux Computer"
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 forward-to port 22
set port-forward rule 1 original-port 22
set port-forward rule 1 protocol tcp

Configure Services

There are a few services you may need so that everything works smoothly. First on the list is the DHCP service. The subnet you declare must be one the router itself has an address in: as configured above, eth1 is 192.168.0.1/24, so either change that interface address to 192.168.1.1/24 or change the DHCP subnet to 192.168.0.0/24 to match. Otherwise dhcpd has no interface to serve the subnet on and clients get no leases.

set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.10
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name networkjutsu.local
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
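Addressing mistakes like the one discussed above (a DHCP subnet, default router or port-forward target that does not belong to any LAN interface) are easy to make when a configuration is pasted together from a template. The following script is an added example and is not part of the original post or of EdgeOS. It tokenizes set-format configuration lines (the output of show configuration commands) and checks the interface, DHCP and port-forward lines against each other. The embedded SAMPLE_CONFIG is constructed from the LAN, port-forward and DHCP sections of this guide, so running it reproduces the mismatch.

```python
import ipaddress
import shlex

# Constructed input: the interface, DHCP and port-forward lines from this
# guide, in 'show configuration commands' (set) format.
SAMPLE_CONFIG = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set port-forward rule 1 description "Linux Computer"
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 forward-to port 22
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.10
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
"""


def parse_set_lines(text):
    """Tokenize every 'set ...' line (quoted values stay one token) and drop 'set'."""
    return [shlex.split(line)[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def static_interfaces(cmds):
    """Map interface name -> statically configured IPv4 interface objects.

    DHCP-addressed interfaces (the WAN in this guide) are skipped.
    """
    ifaces = {}
    for t in cmds:
        if (len(t) >= 5 and t[:2] == ["interfaces", "ethernet"]
                and t[3] == "address" and t[4] != "dhcp"):
            ifaces.setdefault(t[2], []).append(ipaddress.ip_interface(t[4]))
    return ifaces


def lint(text):
    """Return a list of findings; an empty list means the addressing is consistent."""
    cmds = parse_set_lines(text)
    ifaces = static_interfaces(cmds)
    local_ips = {i.ip for ifs in ifaces.values() for i in ifs}
    local_nets = {i.network for ifs in ifaces.values() for i in ifs}
    findings, reported = [], set()

    def on_lan(addr):
        return any(addr in net for net in local_nets)

    for t in cmds:
        if t[:2] == ["service", "dhcp-server"] and "subnet" in t:
            i = t.index("subnet")
            subnet = ipaddress.ip_network(t[i + 1])
            if subnet not in local_nets and subnet not in reported:
                reported.add(subnet)
                findings.append(f"DHCP subnet {subnet} is not configured on any "
                                f"interface, so dhcpd has nothing to serve it on")
            if t[i + 2:i + 3] == ["default-router"]:
                gw = ipaddress.ip_address(t[i + 3])
                if gw not in local_ips:
                    findings.append(f"DHCP default-router {gw} is not an address "
                                    f"of this router")
        elif t[:2] == ["port-forward", "rule"] and t[3:5] == ["forward-to", "address"]:
            target = ipaddress.ip_address(t[5])
            if not on_lan(target):
                findings.append(f"port-forward rule {t[2]} targets {target}, "
                                f"which is not on any LAN subnet")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no addressing problems found"]:
        print(finding)
```

Against the sample it reports three findings (the DHCP subnet, its default router and the port-forward target are all in 192.168.1.0/24 while eth1 is 192.168.0.1/24); change the eth1 address to 192.168.1.1/24 and the list is empty. Paste the output of show configuration commands from your own router in place of SAMPLE_CONFIG to check a real configuration.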

Next is the DNS forwarding service. These configuration statements tell the router to forward DNS requests from the LAN interfaces to the name servers configured on the router. I believe the default DNS cache is 128 entries.

set service dns forwarding cache-size 128
set service dns forwarding listen-on eth2
set service dns forwarding listen-on eth1

SSH is enabled by default on its default port (tcp/22). I am, however, unsure whether the protocol version defaults to version 2. To be on the safe side, issue the command below to pin it to version 2. Protocol version 1 has well-known cryptographic weaknesses and should not be used.

set service ssh port 22
set service ssh protocol-version v2

If you use UPnP at home, the following commands enable it. Personally, I would leave it disabled: UPnP lets any device on the LAN open inbound ports through the firewall without authentication, so a single compromised device can expose itself or other hosts to the Internet.

set service upnp listen-on eth1 outbound-interface eth0
set service upnp listen-on eth2 outbound-interface eth0

Configure Basic Firewall

The firewall configuration can be pretty simple. With the set port-forward auto-firewall enable command, Ubiquiti made it even simpler, since EdgeOS automatically adds the matching accept rules whenever a port-forward rule is created. Keep in mind that this also means every port forward is an automatic hole in the policy below.

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN-IN default-action drop
set firewall name WAN-IN description "From Internet traffic to LAN"
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action drop
set firewall name WAN-IN rule 1 description "Deny Invalid"
set firewall name WAN-IN rule 1 log enable
set firewall name WAN-IN rule 1 state invalid enable
set firewall name WAN-IN rule 3 action accept
set firewall name WAN-IN rule 3 description "Allow established/related state"
set firewall name WAN-IN rule 3 log disable
set firewall name WAN-IN rule 3 state established enable
set firewall name WAN-IN rule 3 state related enable
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL description "From Internet traffic to the router"
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 1 action drop
set firewall name WAN-LOCAL rule 1 description "Drop invalid state"
set firewall name WAN-LOCAL rule 1 log disable
set firewall name WAN-LOCAL rule 1 state invalid enable
set firewall name WAN-LOCAL rule 3 action accept
set firewall name WAN-LOCAL rule 3 description "Allow Established"
set firewall name WAN-LOCAL rule 3 log disable
set firewall name WAN-LOCAL rule 3 state established enable
set firewall name WAN-LOCAL rule 3 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL
set firewall receive-redirects disable
set firewall send-redirects disable
set firewall source-validation disable
set firewall syn-cookies enable

The configuration above is good enough on its own, but I recommend adding the following rules as well. These source addresses should never arrive from the Internet, so why not block them? One caveat: if your ISP assigns you a carrier-grade NAT address, 100.64.0.0/10 is then the address space of your own WAN segment and you may need to leave it out of the group.

set firewall group network-group BOGON network 0.0.0.0/8
set firewall group network-group BOGON network 10.0.0.0/8
set firewall group network-group BOGON network 100.64.0.0/10
set firewall group network-group BOGON network 127.0.0.0/8
set firewall group network-group BOGON network 169.254.0.0/16
set firewall group network-group BOGON network 172.16.0.0/12
set firewall group network-group BOGON network 192.0.0.0/24
set firewall group network-group BOGON network 192.0.2.0/24
set firewall group network-group BOGON network 192.168.0.0/16
set firewall group network-group BOGON network 198.18.0.0/15
set firewall group network-group BOGON network 198.51.100.0/24
set firewall group network-group BOGON network 203.0.113.0/24
set firewall group network-group BOGON network 224.0.0.0/4
set firewall group network-group BOGON network 240.0.0.0/4
set firewall name WAN-IN rule 2 action drop
set firewall name WAN-IN rule 2 description "Drop BOGON source"
set firewall name WAN-IN rule 2 source group network-group BOGON
set firewall name WAN-LOCAL rule 2 action drop
set firewall name WAN-LOCAL rule 2 description "Drop BOGON source"
set firewall name WAN-LOCAL rule 2 source group network-group BOGON
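Rule numbers decide the order in which EdgeOS evaluates a firewall rule set, and the order above (invalid, then BOGON, then established/related, then the default drop) is a deliberate choice: the BOGON check runs on every packet, even one that conntrack considers part of an existing flow. The script below is an added example, not code from the original post or from EdgeOS. It models WAN-IN with the BOGON group from this guide (using 198.18.0.0/15, the RFC 2544 benchmarking range), runs a handful of constructed packets through it, and then shows what changes if the BOGON rule is renumbered to sit after the established/related accept. WAN-LOCAL has the same shape and the same result. The packet states are the conntrack states the firewall would see; 8.8.8.8 stands in for an arbitrary public address.

```python
import ipaddress

# The BOGON network-group from this guide. 198.18.0.0/15 is the RFC 2544
# benchmarking range.
BOGON = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src):
    """True when the source address falls inside any BOGON prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON)


def rule(number, action, predicate, description):
    return {"number": number, "action": action,
            "match": predicate, "description": description}


# WAN-IN as configured in this guide. EdgeOS walks the rules in ascending
# number order, the first match wins, and default-action drop applies when
# nothing matches.
WAN_IN = [
    rule(1, "drop", lambda p: p["state"] == "invalid", "Deny Invalid"),
    rule(2, "drop", lambda p: is_bogon(p["src"]), "Drop BOGON source"),
    rule(3, "accept", lambda p: p["state"] in ("established", "related"),
         "Allow established/related state"),
]


def evaluate(ruleset, packet, default_action="drop"):
    """Return (matching rule number or None, action) for one packet."""
    for r in sorted(ruleset, key=lambda r: r["number"]):
        if r["match"](packet):
            return r["number"], r["action"]
    return None, default_action


def renumber(ruleset, old, new):
    """Copy of the ruleset with one rule moved to a different number."""
    return [dict(r, number=new if r["number"] == old else r["number"])
            for r in ruleset]


# Constructed packets as they would arrive on eth0: source address plus the
# conntrack state the firewall sees. 8.8.8.8 stands in for any public host.
SAMPLES = {
    "new_from_internet": {"src": "8.8.8.8", "state": "new"},
    "established_from_internet": {"src": "8.8.8.8", "state": "established"},
    "invalid_from_internet": {"src": "8.8.8.8", "state": "invalid"},
    "new_from_rfc1918": {"src": "10.1.2.3", "state": "new"},
    "established_from_rfc1918": {"src": "192.168.5.5", "state": "established"},
}


def summarize(ruleset, samples=SAMPLES):
    """Map each sample name to the (rule, action) the ruleset produces."""
    return {name: evaluate(ruleset, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (num, action) in summarize(WAN_IN).items():
        print(f"{name:28} rule {num!s:>4}  {action}")
    # Move the BOGON rule after the established/related accept: a packet from
    # 192.168.5.5 that matches a conntrack entry is now accepted.
    print("BOGON rule renumbered to 4:",
          summarize(renumber(WAN_IN, 2, 4))["established_from_rfc1918"])
```

With the guide's numbering, a new connection from the Internet hits the default drop, an established one is accepted by rule 3, and anything from a BOGON source is dropped by rule 2 regardless of state. Many EdgeOS examples put the established/related accept first for speed; that is a legitimate trade-off, but as the renumbered run shows, it means any packet that matches a conntrack entry skips the BOGON check entirely.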

Once everything is configured, do not forget to commit and save the changes by issuing the commit;save command.

Final Words

The configuration listed here should be enough for the majority of home users. If you are an advanced user and/or an IT professional, you may want to read part two. Not every advanced feature is covered there, only the ones I personally use at the time of writing.


Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Ubiquiti’s EdgeOS CLI Introduction

04/09/2016 By Andrew Roderos Leave a Comment


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date     | Title                                             | Description
03/13/16 | My Home Router – EdgeRouter Lite                  | Quick introduction to EdgeRouter Lite
05/01/16 | How to configure EdgeRouter Lite via CLI – Part 1 | EdgeOS configuration guide for CLI junkies
05/01/16 | How to configure EdgeRouter Lite via CLI – Part 2 | EdgeOS configuration guide for CLI junkies
12/03/16 | Hardening EdgeRouter Lite – Part 1                | Basic management hardening
12/04/16 | Hardening EdgeRouter Lite – Part 2                | EdgeOS with two-factor authentication
12/05/16 | Hardening EdgeRouter Lite – Part 3                | Management ACL
12/06/16 | Hardening EdgeRouter Lite – Part 4                | Remote Access VPN with two-factor authentication

Introduction

I talked about the EdgeRouter Lite in my previous blog post, but I did not cover the Web UI or the CLI at all. In this post, I will share the basic use of the EdgeOS command line interface (CLI).

The Network Operating System (NOS) Ubiquiti uses on the EdgeRouter series is called EdgeOS, a fork and port of Vyatta Core 6.3. In fact, one of the EdgeOS developers came from Vyatta and worked closely with the main developer of VyOS, which is another fork of Vyatta Core.

I’ve never touched Vyatta, so I am still new to EdgeOS. I am, however, familiar with Junos OS, and EdgeOS has a similar look and feel: the set and show commands work much as they do in Junos OS. Users who only know IOS/NX-OS may feel a little lost at first, but ? is as helpful here as it is in Cisco.

Accessing CLI

There are three ways to access the CLI on the EdgeRouter series. The first is the console port. It is set up differently from a lot of the networking devices I have used, so do not expect a saved console profile for Cisco gear to work on an EdgeRouter. The key difference is the baud rate, which is 115200.

The second way of accessing the CLI is by using the Web UI, as shown below. Personally, I do not like accessing it via the Web UI because I cannot copy and paste configurations and I have to log in twice just to access the CLI.

[Image: EdgeOS CLI access via Web UI]

The third way of accessing the CLI is by using SSH – enabled by default. This is the most common and preferred way of accessing networking devices.

Note: My Mac mini has an alias called rtr that I use to connect to my router, which makes it easier to type than ssh networkjutsu@rtr command.

Mac-mini:~ Andrew$ rtr
********************************************************************
*                                                                  *
* * * *                    NETWORKJUTSU                      * * * *
* * * *                   WARNING NOTICE:                    * * * *
*   This system is restricted solely to NetworkJutsu authorized    *
*   users for legitimate business purposes only. The actual or     *
*   attempted unauthorized access, use, or modification of this    *
*   system is strictly prohibited by NetworkJutsu. Unauthorized    *
*   users are subject to disciplinary proceedings and/or           *
*   criminal and civil penalties under state, federal, or other    *
*   domestic and foreign laws. The use of this system may be       *
*   monitored and recorded for administrative and security reasons *
*   Anyone accessing this system expressly consents to such        *
*   monitoring and is advised that if monitoring reveals possible  *
*   evidence of criminal activity, NetworkJutsu may provide the    *
*   evidence of such activity to law enforcement officials. All    *
*   users must comply with NetworkJutsu instructions regarding the *
*   protection of NetworkJutsu information assets.                 *
*                                                                  *
********************************************************************
networkjutsu@rtr.networkjutsu.local's password:
Linux rtr 3.10.20-UBNT #1 SMP Fri Jan 29 20:11:31 PST 2016 mips64
Welcome to EdgeOS
Last login: Sat Apr  9 13:50:05 2016 from 192.168.1.200
networkjutsu@rtr:~$

Command Modes

When a user first logs in to the router, he/she is in operational mode. The dollar sign prompt is an indicator that the user is in operational mode. For the people who are only familiar with Cisco IOS, the operational mode is essentially the User EXEC mode. It provides access to operational commands for showing and clearing information, enabling or disabling debug commands, configuring terminal settings, loading and saving configuration, and restarting the router. The example below shows the commands available in operational mode.

networkjutsu@rtr:~$ ?
Possible completions:
  add           Add an object to a service
  clear         Clear system information
  configure     Enter configure mode
  connect       Establish a connection
  copy          Copy data
  debug         Enable debugging of specified routing protocol
  delete        Delete a file
  disconnect    Take down a connection
  generate      Generate an object
  initial-setup Enter initial configuration dialog
  no            Disable or reset operational variable
  ping          Send Internet Control Message Protocol (ICMP) echo request
  ping6         Send IPv6 Internet Control Message Protocol (ICMP) echo request
  reboot        Reboot the system
  release       Release specified variable
  rename        Re-name something.
  renew         Renew specified variable
  reset         Reset a service
  restart       Restart a service
  set           Set system or shell options
  show          Show system information
  shutdown      Shutdown the system
  telnet        Telnet to <hostname|IPv4 address>
  terminal      Control terminal behaviors
  traceroute    Track network path to <hostname|IPv4 address>
  traceroute6   Track network path to <hostname|IPv6 address>
  update        Run an update command

To enter configuration mode, enter the configure command. To return to operational mode, enter the exit command.

networkjutsu@rtr:~$ configure
[edit]
networkjutsu@rtr# exit
exit
networkjutsu@rtr:~$

For users who are familiar with Junos OS, I would assume that they noticed the [edit] prompt section. That prompt indicates where the user is at in the hierarchical configuration tree. The example below shows the commands available in the configuration mode.

networkjutsu@rtr# ?
Possible completions:
  confirm       Confirm prior commit-confirm
  comment       Add comment to this configuration element
  commit        Commit the current set of changes
  commit-confirm
                Commit the current set of changes with 'confirm' required
  compare       Compare configuration revisions
  copy          Copy a configuration element
  delete        Delete a configuration element
  discard       Discard uncommitted changes
  edit          Edit a sub-element
  exit          Exit from this configuration level
  load          Load configuration from a file and replace running configuration
  loadkey       Load user SSH key from a file
  merge         Load configuration from a file and merge running configuration
  rename        Rename a configuration element
  rollback      Rollback to a prior config revision (requires reboot)
  run           Run an operational-mode command
  save          Save configuration to a file
  set           Set the value of a parameter or create a new element
  show          Show the configuration (default values may be suppressed)

Command Completion

Most, if not all, NOSes provide command completion to save keystrokes. In Cisco IOS/NX-OS, typing the first few characters of a command is enough as long as the abbreviation does not match any other command. EdgeOS does not accept abbreviations: because the CLI sits on top of bash, an abbreviated sh is handed to the sh shell binary instead of being expanded to show, and an incomplete keyword such as config only lists the possible completions. I find this very annoying because I am so used to typing the first few characters of a command without hitting the Tab key in Cisco IOS/NX-OS.

networkjutsu@rtr:~$ sh conf
sh: conf: No such file or directory
networkjutsu@rtr:~$ show config
Possible completions:
 configuration Show running configuration

Viewing Configuration

The configuration can be displayed in both operational and configuration mode; the difference between the two is the available options. In operational mode, viewing just one section of the configuration tree is not as easy as in configuration mode, because the user has to know the exact path. In configuration mode, the Tab and ? keys guide the user to the command they are looking for.

What is nice about viewing the configuration in operational mode is the option to see it in set format rather than as a tree. The show command in configuration mode does not offer this, although the same output is reachable there with run show configuration commands. In Junos OS the equivalent is show | display set. Set format makes it easy to save a text file for template purposes.

networkjutsu@rtr:~# run show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGON {
            network 0.0.0.0/8
<-- Output omitted for brevity -->
networkjutsu@rtr:~# run show configuration commands | match "firewall group network-group BOGON"
set firewall group network-group BOGON network 0.0.0.0/8
<-- Output omitted for brevity -->

Notice that the commands were run in configuration mode but prefixed with run, which lets the user issue operational-mode commands without leaving configuration mode. This is the same as the do command in Cisco IOS.

The example below shows how to display the whole configuration, and a single section of it, in configuration mode.

networkjutsu@rtr# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         network-group BOGON {
             network 0.0.0.0/8
<-- Output omitted for brevity -->
networkjutsu@rtr# show firewall group network-group BOGON
 network 0.0.0.0/8
<-- Output omitted for brevity -->

Adding or Modifying Configuration

Adding and/or modifying configuration changes to the router is done by issuing the set command in configuration mode. Though, I also noticed that there are a couple of configurable items in operational mode as well.

networkjutsu@rtr:~$ set
Possible completions:
  <OPTION>      Bash builtin set command
  date          Set date and time
  system        Set system operational parameters

If the user wants to view the configuration changes made so far, there are two ways: the show command and the compare command. Personally, I use compare, especially after many changes, because show requires either displaying the whole configuration or knowing the specific subtree to look at.

networkjutsu@rtr# set system host-name EdgeRouterLite
[edit]
networkjutsu@rtr# show system host-name
>host-name EdgeRouterLite
[edit]
networkjutsu@rtr# compare
[edit service]
+lldp {
+}
[edit system]
>host-name EdgeRouterLite
[edit]

As one may have noticed, the plus sign (+) next to the lldp means that this statement has been added to the configuration, but the configuration change hasn’t been committed yet. The right angle bracket (>) means that a running configuration statement was modified. In this case, the host name was changed from rtr to EdgeRouterLite.

Deleting Configuration

In Cisco IOS and NX-OS, the no command is how to negate the configuration statement(s). In EdgeOS, the delete command is used to negate the configuration statement(s).

networkjutsu@rtr# delete interfaces ethernet eth1 address 192.168.0.1/24
[edit]
networkjutsu@rtr# compare
[edit interfaces ethernet eth1]
-address 192.168.0.1/24
[edit]

The minus sign (-) next to the address means that the statement has been deleted from the configuration, but the configuration change hasn’t been committed yet.

Discarding Configuration

Let’s say the user made a mistake and needs to back out of the changes quickly; for example, the user made changes on the wrong router and realized it immediately. Undoing each change with the delete command could take a few minutes, but EdgeOS provides a way to discard all uncommitted changes at once.

networkjutsu@rtr# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
networkjutsu@rtr# exit discard
exit
networkjutsu@rtr:~$

Another way of discarding changes without exiting is by using the discard command.

networkjutsu@rtr# compare
[edit system]
>host-name Router
[edit]
networkjutsu@rtr# discard
Changes have been discarded
[edit]

Committing Configuration Changes

One of the differences between Junos OS and Cisco IOS/NX-OS is that changes made on the latter take effect immediately. In Junos OS, and in any NOS that follows the same model, EdgeOS included, configuration changes do not take effect until the user issues the commit command.

networkjutsu@rtr# commit
[ service lldp ]
Starting lldpd...
[edit]

Saving Configuration

To keep the configuration changes across a reboot, use the save command. By default, the configuration is saved to /config/config.boot. A commit alone changes only the running configuration and is lost at the next reboot. The example below shows how to commit and save in one line.

networkjutsu@rtr# delete service lldp
[edit]
networkjutsu@rtr# commit;save
[ service lldp ]
Stopping lldpd...
Saving configuration to '/config/config.boot'...
Done
[edit]

Thoughts

It is understandable that a user would feel intimidated configuring a device on CLI if he/she is unfamiliar with the command syntax. While EdgeOS’ Web UI has come a long way, a lot of the features are still only configurable under CLI so one should get comfortable using it. I am sure that Ubiquiti has plans to keep adding features that are configurable using the Web UI but it is probably safe to assume that it won’t be for quite some time.



My Home Router – EdgeRouter Lite

03/13/2016 By Andrew Roderos 3 Comments


This blog post is the very first part of a series on EdgeRouter Lite. You may want to check them all out!

Date     | Title                                             | Description
04/09/16 | Ubiquiti’s EdgeOS CLI Introduction                | EdgeOS CLI Primer
05/01/16 | How to configure EdgeRouter Lite via CLI – Part 1 | EdgeOS configuration guide for CLI junkies
05/01/16 | How to configure EdgeRouter Lite via CLI – Part 2 | EdgeOS configuration guide for CLI junkies
12/03/16 | Hardening EdgeRouter Lite – Part 1                | Basic management hardening
12/04/16 | Hardening EdgeRouter Lite – Part 2                | EdgeOS with two-factor authentication
12/05/16 | Hardening EdgeRouter Lite – Part 3                | Management ACL
12/06/16 | Hardening EdgeRouter Lite – Part 4                | Remote Access VPN with two-factor authentication

Introduction

TL;DR: Looking for a home router with some SMB/Enterprise features and not afraid of using CLI? Buy the EdgeRouter Lite.

A few months ago, I bought the EdgeRouter Lite. Before buying the router, I was running a Palo Alto Networks PA-200 for a few months to play with it, but I was not happy with the throughput I was getting when everything was turned on (App-ID, Threat Prevention, PAN-DB URL filtering, etc.). My 150 Mbps download went down to around 50 Mbps. To be fair, Palo Alto Networks does list it accurately in their hardware spec sheet. While I could’ve turned everything off and stuck with the PA-200, I wanted to move it to the side and just make it a home lab device. To fully play with the PA-200 and other stuff on my plate, I wanted to redesign my home network; hence the purchase of the EdgeRouter Lite and TP-LINK TL-SG2008.

Specifications

For $99 (MSRP), the router provides a lot of features that I will never use at home. The official spec sheet is located here, but for your convenience, I’ve listed some of its specs below. There is a lower-end Ubiquiti router for $49, the EdgeRouter X. It is perfect for those looking for a low-budget router with some SMB/enterprise features. It offers the same software capabilities, but the biggest difference is under the hood. The EdgeRouter X only has 256 MB RAM and 256 MB code storage, and the processor is different, which could affect performance because it does not have the same hardware-accelerated features as the EdgeRouter Lite. While the processor does have some hardware-accelerated features (e.g. HW NAT), I believe it is still not supported by EdgeOS at this time of writing (hardware acceleration on EdgeRouter X has been supported since v1.8.5). The things that are hardware accelerated in the EdgeRouter Lite are found here.

Hardware:

Max Power Consumption: 7W
Interfaces: (1) RJ45 Serial Port and (3) 10/100/1000 Ethernet Ports
Layer 3 Forwarding Performance: 1 Mpps
Processor: Dual-core 500 MHz, MIPS64 with Hardware Acceleration for packet processing (Cavium Octeon CN5020)
Flash storage: 2 GB
RAM: 512 MB DDR2 RAM

Software:

Interface/Encapsulation: Ethernet, 802.1Q (VLAN), PPPoE, GRE, IP in IP, 802.3ad (LACP), and Bridging
Addressing: Static IPv4/IPv6 Addressing, DHCP/DHCPv6
Routing: Static routes, OSPFv2/OSPFv3, RIP/RIPng, BGP (with IPv6 support)
Security: ACL-Based Firewall, Zone-Based Firewall (ZBF)
VPN: IPSec Site-to-Site and Remote Access, OpenVPN Site-to-Site and Remote Access, PPTP Remote Access, L2TP Remote Access, and PPTP Client
Services: DHCP/DHCPv6 Server, DHCP/DHCPv6 Relay, Dynamic DNS, DNS Forwarding, VRRP, RADIUS Client, Web Caching, and PPPoE Server
QoS: FIFO, Stochastic Fairness Queueing, Random Early Detection (RED), Token Bucket Filter, Deficit Round Robin, Hierarchical Token Bucket, and Ingress Policing
Management: Web UI, CLI (Console, SSH, Telnet), SNMP, NetFlow, LLDP, NTP, UBNT Discovery Protocol, Logging

New to v1.8: MPLS, VPLS, and more!

Why did I buy EdgeRouter Lite?

Some of the reasons why I bought the EdgeRouter Lite are the following:

IEEE 802.1Q

The main reason why I bought the EdgeRouter Lite was the 802.1Q (VLAN) capability. I needed to separate my devices into different VLANs, especially the VMs in my ESXi home lab. One of the things that pushed me to have VLAN capability is the F5 BIG-IP LTM home lab. I really wanted to set it up properly and mimic a setup similar to what is found in an enterprise. Though, the current topology is very simple right now. That topology will change in the future once I am comfortable with F5 BIG-IP LTM.

While I do have old Cisco routers capable of VLANs, they are not gigabit capable, consume a lot of power, and are loud. The ERLite-3 is very small, consumes little power, and is fanless. Yes, I could have run a virtual router or firewall on my VMware ESXi host since it is on 24/7/365, but I did not want to do that. I did, however, play with pfSense on a VM for a very short amount of time years ago.

Firewall capability

Advanced firewall capability is a nice addition to my home network. I have some services open for me, friends, and family to connect from the Internet to my home servers, so being able to create different zones and apply rules is really a great addition. Now, I can create a DMZ for services that are open to the whole world and have rules that allow or deny traffic to and/or from the DMZ. I decided not to take advantage of the Zone-Based Firewall feature in EdgeOS and stayed with the ACL-style configuration, mostly because I read that the ZBF/ZBFW does slow the boot-up time of the router. While my router shouldn’t reboot that often, I know for sure that people in the house would complain if it takes a long time for them to connect to the Internet after the router reboots. I also did not want to write a whole lot of rules. I had seven interfaces on the router, so if my calculation is correct, that would mean I need 56 zone rulesets.

While ZBF/ZBFW is a great feature, there are still limitations with the firewall capabilities of the EdgeRouter Lite. It is understandable because it is not really a firewall, so expecting it to be one is unfair. That said, I took the DMZ interface out of the router and moved it to a virtualized pfSense. Geo-based IP filtering is back, yay! I actually mentioned in my SSH Brute Force Attack blog post that I had it when I was using the Palo Alto Networks PA-200. The geo-based IP filtering significantly reduced the brute force attacks against my box.

VPN capability

Another capability that I like is the VPN capability. While I had been running L2TP over IPsec using my Synology DS1812+, it is nice to finally move the functionality to the edge. I am no longer port forwarding anything to my NAS. While I didn’t see much traffic on these ports, it is better to be safe than sorry. The SSH brute force attack incident has been a good lesson.

Thoughts

Before I bought the router, I had done a good amount of research, so I was confident that I would be happy with the purchase. I have been running it for almost three months and I am happy to report that I couldn’t be happier with the outcome of my purchase. While I am barely using all of its capabilities, it is inexpensive enough to justify the home router upgrade. Yes, it does not have wireless capabilities like my all-in-one Netgear router/AP/switch, but it is a more capable router than the Netgear. I still use my Netgear router, but as an AP and switch to add more ports to my TP-LINK TL-SG2008. I also have a Ruckus 7363 running at home that is dedicated only to 5 GHz devices.

This router is not for people who are not willing to configure a lot of the advanced features via the CLI. While Ubiquiti has been adding more features to the Web UI in each of their releases, it is still missing a lot of advanced features that would be nice to have in the Web UI. For example, the Web UI still does not have L2TP over IPsec or OpenVPN configuration. Users who wish to take advantage of these features will need to hit the CLI. I do not have a lot of experience with Config Tree because I like the CLI more. I do want to point out that the Web UI supports IPsec Site-to-Site and PPTP configuration.

