Last active
January 11, 2020 01:11
-
-
Save AjkayAlan/75c90615070cb3b59e933faf17b7124f to your computer and use it in GitHub Desktop.
Setup for my basic settings with a Ubiquiti ERL 3 (EdgeRouter Lite 3)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Plug in ethernet to eth0, connect to laptop, and set static IP to 192.168.1.10, subnet mask 255.255.255.0 | |
| # TODO: Script this so I dont need to touch the gui | |
| # Navigate to 192.168.1.1, login using ubnt for username and password | |
| # Run basic setup wizard, and set the following settings: | |
| ### Internet Port: eth0 | |
| ### DHCP | |
| ### Enable the default firewall | |
| ### Enable DHCPv6 Prefix Delegation, /56, default firewall | |
| ### LAN port: eth1, enable dhcp | |
| ### Set password to whatever you want | |
| ### Apply settings, and click the restart box | |
| # While restarting, flip existing eth0 cable to eth1, and plug modem to eth0. After it's available, run the following: | |
| ssh ubnt@192.168.1.1 | |
| configure | |
| # Option 1 - Ignore ISP DNS and use Cloudflare DNS instead | |
| delete system name-server | |
| set system name-server 127.0.0.1 | |
| set interfaces ethernet eth0 dhcp-options name-server no-update | |
| set interfaces ethernet eth0 dhcpv6-pd no-dns | |
| set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 no-dns | |
| set service dns forwarding name-server 1.1.1.1 | |
| set service dns forwarding name-server 1.0.0.1 | |
| set service dns forwarding name-server 2606:4700:4700::1111 | |
| set service dns forwarding name-server 2606:4700:4700::1001 | |
| # Option 2 - Use Pi-Hole (assuming its on .5) | |
| delete system name-server | |
| set system name-server 127.0.0.1 | |
| set interfaces ethernet eth0 dhcp-options name-server no-update | |
| set interfaces ethernet eth0 dhcpv6-pd no-dns | |
| set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 no-dns | |
| set service dns forwarding name-server 192.168.1.5 | |
| set service dns forwarding name-server 2604:2d80:4a90:8e01:6725:3263:ee41:ddff | |
| ## 2A - Redirect all DNS traffic over port 53 to PiHole | |
| ## Purpose: Capture DNS requests that are hardcoded (i.e. chromecast) and redirect | |
| set service nat rule 5911 description "Translate DNS to Internal" | |
| set service nat rule 5911 log disable | |
| set service nat rule 5911 outbound-interface eth1 | |
| set service nat rule 5911 protocol tcp_udp | |
| set service nat rule 5911 type masquerade | |
| set service nat rule 5911 destination address 192.168.1.5 | |
| set service nat rule 5911 destination port 53 | |
| set service nat rule 5911 source address 192.168.1.5-192.168.1.254 | |
| set service nat rule 1 description "Captive DNS" | |
| set service nat rule 1 inbound-interface eth1 | |
| set service nat rule 1 log disable | |
| set service nat rule 1 protocol tcp_udp | |
| set service nat rule 1 type destination | |
| set service nat rule 1 destination address !192.168.1.5 | |
| set service nat rule 1 destination port 53 | |
| set service nat rule 1 source address !192.168.1.5 | |
| set service nat rule 1 inside-address address 192.168.1.5 | |
| set service nat rule 1 inside-address port 53 | |
| ## 2B (if using DNS over HTTPS) - Block All DNS Attempts Going Out Of WAN Over Port 53 | |
| ## Purpose: Forces DNS requests that are hardcoded (i.e. chromecast) fallback | |
| set firewall name WAN_OUT default-action accept | |
| set interfaces ethernet eth0 firewall out name WAN_OUT | |
| set firewall name WAN_OUT rule 1 action reject | |
| set firewall name WAN_OUT rule 1 description 'Reject Port 53' | |
| set firewall name WAN_OUT rule 1 protocol tcp_udp | |
| set firewall name WAN_OUT rule 1 destination port 53 | |
| # Enable offloading | |
| set system offload ipv4 forwarding enable | |
| set system offload ipv4 gre enable | |
| set system offload ipv4 vlan enable | |
| set system offload ipv6 forwarding enable | |
| set system offload ipv6 vlan enable | |
| set system offload ipsec enable | |
| # Enable UPnP | |
| set service upnp2 listen-on eth1 | |
| set service upnp2 wan eth0 | |
| set service upnp2 nat-pmp enable | |
| set service upnp2 secure-mode enable | |
| # Commit and save settings, and exit configuration mode | |
| commit ; save | |
| exit | |
| ## Other useful things | |
| renew dhcpv6-pd interface eth0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment