@dougg0k
Last active April 25, 2024 15:18
Edgerouter / EdgeOS / DoH / Security Settings / NextDNS / Cloudflare

Notes

  • A firmware update appears to wipe whatever was done to get NextDNS onto the router, so after each update confirm the setup is still in place and redo the steps that were lost.
  • Make sure NTP is enabled and configured: an unsynced clock breaks DNSSEC signature validation and the TLS certificate checks DoH depends on.
  • You can do this through the UI's CLI or over SSH, if you have enabled SSH and set a port.
  • Any setting can be undone with delete, e.g., delete firewall all-ping.
  • These steps were confirmed to be working after a complete hardware reset.

Steps

After logging in over SSH, enter configuration mode by typing configure

Use the commands below

# GUI / System
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers disable
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
set service unms disable
set system host-name ubnt
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system time-zone UTC

# Optionally disable analytics and crash report
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false

# Disable IPV6 if you are not going to use.
set system ipv6 disable

# Firewall
set firewall all-ping disable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
# disable is the EdgeOS default; strict turns on reverse-path filtering (drops packets whose source is not routable back out the same interface) and is the safer choice on a single-WAN router. loose is the middle ground if you have asymmetric routing.
set firewall source-validation disable
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
# Explicit drop of inbound ICMP (already covered by default-action drop, kept as a visible rule)
set firewall name WAN_IN rule 30 description "Drop ICMP"
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 protocol icmp
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 10 state new disable
set firewall name WAN_LOCAL rule 10 state invalid disable
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 description "Drop ICMP"
set firewall name WAN_LOCAL rule 30 action drop
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol icmp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Only if you have IPv6 enabled. A ruleset does nothing until it is attached to the interface.
# Before attaching, add accept rules for established/related and for icmpv6 (at least to WANv6_LOCAL); with default-action drop and no accept rules, Neighbor Discovery and RA replies are dropped and IPv6 on the WAN stops working.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL

# If you want to see what traffic is going through
set system traffic-analysis dpi enable
set system traffic-analysis export enable

# Remove unsafe service
delete service telnet

# Enable hardware offload. On the EdgeRouter X, traffic-analysis DPI (above) and hwnat offload are mutually exclusive: enabling DPI turns hwnat off, so pick one.
set system offload hwnat enable
set system offload ipsec enable

# Disable SIP ALG
set system conntrack modules sip disable

# Optionally set MTU and MSS clamp. MSS is MTU minus 40 bytes (20-byte IPv4 header + 20-byte TCP header); a stock PPPoE link usually supports MTU 1492 / MSS 1452, 1400 / 1360 is just a conservative choice.
set interfaces ethernet eth0 pppoe 0 mtu 1400
set firewall options mss-clamp mss 1360
set firewall options mss-clamp interface-type all

If you are going to use the NextDNS CLI, install it before pointing name-server at 127.0.0.1; once the router resolves only through itself, nothing resolves until the local resolver is running.

# DNS
delete system name-server
set system name-server 127.0.0.1
# Stop the ISP's DHCP-supplied resolvers from being written into the router's resolv.conf
set interfaces ethernet eth0 dhcp-options name-server no-update
set service dhcp-server use-dnsmasq enable
set service dhcp-server static-arp disable
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.200
delete service dns forwarding system
set service dns forwarding cache-size 1000
# eth0 is the WAN interface in this guide. dnsmasq has to listen on the LAN side that clients use (switch0 on an EdgeRouter X, see the optional lines below); listening on the WAN only stays safe while WAN_LOCAL keeps dropping port 53.
set service dns forwarding listen-on eth0
# Forward everything to the NextDNS CLI listening on 127.0.0.1:53053 (must match "listen" in nextdns.conf)
set service dns forwarding options server=127.0.0.1#53053
# strict-order (try upstreams in order) and all-servers (query all upstreams at once) contradict each other; with a single upstream neither matters, with several keep only one.
set service dns forwarding options strict-order
set service dns forwarding options no-resolv
set service dns forwarding options stop-dns-rebind
set service dns forwarding options no-negcache
set service dns forwarding options no-hosts
set service dns forwarding options all-servers
set service dns forwarding options bogus-priv
set service dns forwarding options domain-needed
set service dns forwarding options dhcp-authoritative
# Only meaningful with IPv6 enabled (stateless router advertisements from dnsmasq)
set service dns forwarding options 'dhcp-range=::,ra-stateless,ra-names'
set service dns forwarding options dnssec
# Root trust anchor: key tag 20326 is the current root KSK (KSK-2017). The old KSK-2010 (tag 19036) was revoked in 2019 and is no longer needed as an anchor.
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
# dnssec-no-timecheck skips signature inception/expiry checks so resolution works before NTP has set the clock. dnsmasq only turns time checks back on when it receives SIGINT, so left in the config it means expired signatures are accepted. Remove it once NTP is confirmed working.
set service dns forwarding options dnssec-no-timecheck

# Do NOT use this option: it makes dnsmasq forward to the resolvers learned via DHCP on eth0, i.e. your ISP's DNS. Delete it if set.
delete service dns forwarding dhcp eth0

# Only if you are not going to use NextDNS: forward to Cloudflare (or any other resolver) here instead.
# Note that this is plain DNS on port 53, not DoH. For encrypted DNS to Cloudflare run a local DoH/DNSCrypt client (e.g. dnscrypt-proxy, see Additional notes) and point "options server=" at it.
# If you use this, do not set the "options server=" command.
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1

# Optional: also answer on the LAN switch ports, and never on eth1
set service dns forwarding listen-on switch0
set service dns forwarding options except-interface=eth1

If dnsmasq fails to start, one of the options above is probably invalid for your version; check the generated /etc/dnsmasq.conf and the log (show log | match dnsmasq).

  • When you are done, type commit, then save.
  • Exit with exit, or as a single line: commit;save;exit.
  • (Optional) After exiting, run the commands below or reboot the router, but only once your DNS of choice is installed and running; until then the router has no working upstream.
    • sudo systemctl restart dnsmasq
    • release dhcp interface eth0
    • renew dhcp interface eth0

Whichever you chose (the NextDNS CLI with the options server= line, or the name-server line), once everything else is set correctly a LAN client should receive an IP address, the router as its gateway and the router IP as its DNS server. If the DHCP server was already active this happens without touching the clients, even if you change the setting again later; a commit;save is enough.


If you are using NextDNS CLI

nextdns.conf

By default the config file should be at /config/nextdns/nextdns.conf

Put your NextDNS profile ID into profile. The listen port (53053) must match the "options server=" line in the dnsmasq configuration above.

profile YOUR_NEXTDNS_ID
auto-activate false
control /var/run/nextdns.sock
max-ttl 0s
report-client-info false
max-inflight-requests 256
discovery-dns
mdns disabled
setup-router false
listen 127.0.0.1:53053
cache-size 0
cache-max-age 0s
detect-captive-portals false
bogus-priv true
log-queries false
use-hosts false
timeout 5s
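Because a firmware update can silently revert parts of the Steps section, the check afterwards is better done as a script than by eye. The following is an added example, not code from this gist, Ubiquiti or NextDNS: it audits a dump of show configuration commands together with nextdns.conf for the items above (telnet removed, old GUI ciphers off, SSH v2, both WAN rulesets present and attached, no dns forwarding dhcp, exactly one upstream, name-server 127.0.0.1, dnssec-no-timecheck gone, and the dnsmasq server= port equal to the NextDNS listen port). It assumes eth0 is the WAN, the NextDNS CLI listens on 127.0.0.1, and the nextdns.conf path shown above; the configuration dump and nextdns.conf it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not the gist's, Ubiquiti's or NextDNS's code): audit a dump
# of `show configuration commands` plus nextdns.conf against the settings in
# the Steps section. Assumptions: eth0 is the WAN, dnsmasq forwards to the
# NextDNS CLI on 127.0.0.1, nextdns.conf lives at the default path above.

# Constructed sample: a dump after a hypothetical update reverted the DNS part.
SAMPLE_CONFIG='set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action drop
set interfaces ethernet eth0 firewall in name WAN_IN
set service dns forwarding dhcp eth0
set service dns forwarding name-server 1.1.1.1
set service dns forwarding options server=127.0.0.1#53053
set service dns forwarding options dnssec-no-timecheck
set service gui older-ciphers enable
set service ssh protocol-version v2
set service telnet port 23
set system name-server 127.0.0.1'

# Constructed sample nextdns.conf whose listen port does not match dnsmasq.
SAMPLE_NEXTDNS='profile abc123
setup-router false
listen 127.0.0.1:5353'

# has_line CONFIG REGEX: true if any line of CONFIG matches REGEX (grep -E).
# EdgeOS may quote option values, so option patterns allow a leading quote.
has_line() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit CONFIG NEXTDNS_CONF: print one "FAIL: ..." line per problem found,
# then "findings: N" as the last line. Always exits 0 so it can be piped.
audit() {
    cfg=$1; ndc=$2; n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }

    # Management plane
    has_line "$cfg" '^set service telnet' && fail "telnet enabled; run: delete service telnet"
    has_line "$cfg" '^set service gui older-ciphers disable' || fail "gui older-ciphers not disabled"
    has_line "$cfg" '^set service ssh protocol-version v2' || fail "ssh protocol-version v2 not set"

    # WAN firewall: both rulesets default to drop and are attached to eth0
    for rs in WAN_IN WAN_LOCAL; do
        has_line "$cfg" "^set firewall name $rs default-action drop" || fail "$rs has no default-action drop"
    done
    has_line "$cfg" '^set interfaces ethernet eth0 firewall in name WAN_IN' || fail "WAN_IN not attached to eth0 (in)"
    has_line "$cfg" '^set interfaces ethernet eth0 firewall local name WAN_LOCAL' || fail "WAN_LOCAL not attached to eth0 (local)"

    # DNS path: no ISP fallback, loopback resolver, one upstream, time checks on
    has_line "$cfg" '^set service dns forwarding dhcp ' && fail "'dns forwarding dhcp' set: upstream falls back to ISP DNS"
    has_line "$cfg" '^set system name-server 127\.0\.0\.1$' || fail "system name-server is not 127.0.0.1"
    if has_line "$cfg" '^set service dns forwarding name-server ' && has_line "$cfg" "^set service dns forwarding options '?server="; then
        fail "both 'name-server' and 'options server=' set; keep one upstream"
    fi
    has_line "$cfg" "^set service dns forwarding options '?dnssec-no-timecheck" && fail "dnssec-no-timecheck still set: signature expiry is not checked"

    # The dnsmasq server= port must match the NextDNS CLI listen port
    dport=$(printf '%s\n' "$cfg" | sed -n "s/^set service dns forwarding options '\{0,1\}server=127\.0\.0\.1#\([0-9]*\)'\{0,1\}\$/\1/p")
    lport=$(printf '%s\n' "$ndc" | sed -n 's/^listen 127\.0\.0\.1:\([0-9]*\)$/\1/p')
    if [ -n "$dport" ] && [ "$dport" != "$lport" ]; then
        fail "dnsmasq forwards to port $dport but nextdns listens on port ${lport:-<none>}"
    fi

    echo "findings: $n"
}

# finding_count CONFIG NEXTDNS_CONF: only the number of findings.
finding_count() { audit "$1" "$2" | sed -n 's/^findings: //p'; }

# On the router (from a plain shell the operational command needs the wrapper):
# audit "$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands)" "$(cat /config/nextdns/nextdns.conf)"
```

Run against the constructed sample it reports seven findings; against the configuration from the Steps section with a matching nextdns.conf it reports none. A non-zero count right after a firmware update tells you exactly which lines to set again.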

DoH Check

If you chose NextDNS, check at https://test.nextdns.io/ that the status is ok and the protocol is "DOH".

If you chose Cloudflare DNS, check at https://www.cloudflare.com/ssl/encrypted-sni/ by pressing the check button. The "Secure DNS" item only passes when the router reaches Cloudflare over DoH or DoT; the plain name-server 1.1.1.1 forwarding above will not pass it.


Reset

Before resetting: if a configuration change locks you out of the router, first try the same procedure described below without a reset. Give your machine a static IP with the router IP as gateway; that is usually enough to get back in.

If you do have to reset the router, the client may afterwards sit at "Connecting" or "Identifying"; plug the cable into the ETH0 port and set the IP manually.

Your machine's IP can be anything like 192.168.1.10, netmask 255.255.255.0, and the gateway is the router IP, 192.168.1.1.

Then open the router IP in the browser, do the basic configuration, and it will ask to restart.

You can then move the cable back to the ETH1 port, set the IP back to automatic, and open the UI in the browser again.

From Reset Guide Steps

  1. Press and hold the reset button.
  2. The port LEDs will light up in sequence, starting from port 1 and ending at the last port.
  3. Continue holding the reset button for approximately 10 seconds until the LED on port 1 lights up again.
  4. Release the reset button.
  5. The EdgeRouter will reboot, wait for the reboot to complete.

Additional notes

  • If you decide to use dnscrypt-proxy on an EdgeRouter X, choose the mipsle build; the ER-X is a little-endian MIPS device.
  • If you follow the steps from the DNSCrypt tutorial (which work), then in the toml config file, for NextDNS you only need the settings they require plus require_dnssec set to true. Do not forget the listen port change, otherwise it conflicts with dnsmasq and does not work.
  • Check the service with sudo systemctl status dnscrypt-proxy, or use restart instead of status to restart it.
  • If the service does not pick up the config, change the toml config file path in /etc/systemd/system/dnscrypt-proxy.service.
