Devices:
Inspired by:
- Ubiquiti EdgeRouter Lite Setup
- EDGEROUTER SECURITY
- EdgeMAX - VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology
All the commands should be performed in the EdgeOS configure mode (enter it with `configure`); operational-mode commands such as `renew` or `ping` are run from there with the `run` prefix.
I don't say when you should save your work, but don't forget to do it when you think it's needed: `commit` applies the candidate configuration to the running router, `save` writes it to the boot configuration, and a reboot without `save` loses the committed changes.
Third octets follow Major System numbering (except for Management).
Network overview:
eth0: WAN - DHCP
eth1: Management (+VLAN) - 192.168.1.xxx
eth1.2: WiFi Home - 192.168.3.xxx
eth1.3: WiFi Guest - 192.168.71.xxx
eth2: Work - 192.168.47.xxx
eth3: Disconnected - 192.168.111.xxx
eth4: …
Note: the commands further down do not follow this overview exactly — they use 192.168.10.0/24 for Work, 192.168.22.0/24 and 192.168.23.0/24 for Home and Guest (as VLANs 2 and 3 on eth2 rather than eth1) and 192.168.30.0/24 for Disconnected. Decide on one layout and adjust interface names and addresses before pasting.
VLAN should be on the eth1 interface if you want to be able to activate VLAN offload. See: https://community.ubnt.com/t5/EdgeMAX/VLAN-offload/td-p/1676369
First reset the router to factory defaults (see: https://help.ubnt.com/hc/en-us/articles/205202620-EdgeMAX-Reset-router-to-factory-defaults). Then connect your computer to eth0 with an Ethernet cable and give it a static address in the router's factory-default 192.168.1.0/24 subnet (the router answers on 192.168.1.1):
# The leading "#" is the root prompt: run these as root (or via sudo) on your
# computer, not on the router. enp0s25 is this host's NIC name — check
# `ip link` and substitute yours.
# ip link set enp0s25 up
# ip addr add 192.168.1.2/24 broadcast 192.168.1.255 dev enp0s25
If your computer reaches the internet through another interface, keep that one as the default route (replace 192.168.42.1 with that network's gateway):
# ip route add default via 192.168.42.1
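# --- Create your own admin account before touching SSH ----------------------
# EdgeOS hashes plaintext-password on commit (the saved config holds
# encrypted-password), but the cleartext still goes through the CLI command
# history of this session, so use a fresh session and rotate it if it leaks.
configure
set system login user <mynewusername> authentication plaintext-password <mynewlongpassword>
# Fixed: `key` takes the base64 body of the public key (the text between
# "ssh-rsa" and the comment), not a file path. To import straight from a
# file use the operational-mode `loadkey <mynewusername> <path/to/key.pub>`
# instead of the two public-keys lines.
set system login user <mynewusername> authentication public-keys <key-name> type ssh-rsa
set system login user <mynewusername> authentication public-keys <key-name> key <base64-key-body>
set system login user <mynewusername> level admin
commit
save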
Test your SSH public-key login now, in a second session, before going on: the next two commands disable password authentication and delete the default `ubnt` account, so a key that does not work would lock you out of the router.
# --- SSH: key-only logins, and drop the factory account ---------------------
# Only run these once a key-based login has been verified in a separate
# session: together they remove every password path onto the box.
edit service ssh
set disable-password-authentication
top
delete system login user ubnt

# --- DNS forwarder --------------------------------------------------------
# The router answers LAN queries itself and forwards to OpenDNS over plain
# port-53 DNS. The WAN DHCP client configured later also does
# `name-server update`, so once everything is committed check which
# upstreams are really in use with `run show dns forwarding nameservers`.
edit service dns forwarding
set cache-size 400
set name-server 208.67.222.222
set name-server 208.67.220.220
top

# --- System basics ----------------------------------------------------------
edit system
set host-name edgerouter
set time-zone Europe/Paris
# The router itself resolves through its own forwarder.
set name-server 127.0.0.1
# Swap the vendor NTP pool for the public pool.
set ntp server 0.pool.ntp.org
set ntp server 1.pool.ntp.org
set ntp server 2.pool.ntp.org
set ntp server 3.pool.ntp.org
delete ntp server 0.ubnt.pool.ntp.org
delete ntp server 1.ubnt.pool.ntp.org
delete ntp server 2.ubnt.pool.ntp.org
delete ntp server 3.ubnt.pool.ntp.org
# Hardware offload for routed IPv4 (see the VLAN-offload note near the top
# of this page about which port the VLANs must live on).
set offload ipv4 forwarding enable
set offload ipv4 gre enable
set offload ipv4 pppoe enable
set offload ipv4 vlan enable
# Keep deep packet inspection and its data export off.
set traffic-analysis dpi disable
set traffic-analysis export disable
top

# Turn the DHCP server on; the pools are defined per interface further down.
set service dhcp-server disabled false
# --- Firewall and the Management interface (eth1) -----------------------------
# NO_IN is an empty ruleset that drops (and logs) everything; it is meant to
# be attached as the `in` policy of any port that should forward nothing.
set firewall name NO_IN default-action drop
set firewall name NO_IN enable-default-log

# eth1 becomes the Management network. If commit complains that
# 192.168.1.0/24 overlaps with the factory-default address on eth0, delete the
# eth0 address first (the WAN section further down does this anyway).
set interfaces ethernet eth1 description "Management"
set interfaces ethernet eth1 address 192.168.1.1/24

# DHCP pool for Management; the router is both gateway and resolver.
set service dhcp-server shared-network-name management authoritative disable
set service dhcp-server shared-network-name management subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.100
set service dhcp-server shared-network-name management subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name management subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name management subnet 192.168.1.0/24 lease 86400

# Bind the resolver, SSH and the web UI to the Management address only, so
# none of them answer on the WAN or on the other LANs. The UI still listens on
# plain HTTP port 80 (EdgeOS normally redirects it to HTTPS); if you never use
# the UI, `delete service gui` removes that surface entirely.
set service dns forwarding listen-on eth1
set service ssh listen-address 192.168.1.1
set service gui listen-address 192.168.1.1
set service gui http-port 80
set service gui https-port 443
commit
save
Disconnect from eth0 and reconnect to eth1: from this commit on, SSH and the web UI only answer on 192.168.1.1 on the Management interface.
# --- Kernel-level firewall knobs ---------------------------------------------
edit firewall
# Answer ICMP echo; the WAN_LOCAL ruleset still decides who may reach the router.
set all-ping enable
set broadcast-ping disable
# Ignore source-routed packets and incoming ICMP redirects on both families.
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set receive-redirects disable
# Log packets with impossible source addresses (martians).
set log-martians enable
# NOTE(review): kept as in the original. Sending ICMP redirects is only useful
# when another router shares one of these segments; `set send-redirects
# disable` is the usual hardening choice otherwise.
set send-redirects enable
# NOTE(review): kept as in the original. `disable` turns reverse-path
# filtering off, so the BOGON source rule is the only anti-spoofing check on
# the WAN; with a single WAN and no asymmetric routes, `strict` (or `loose`)
# is worth trying.
set source-validation disable
set syn-cookies enable
top
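# --- Address groups --------------------------------------------------------
# LAN: all RFC 1918 space; used by the "drop to LAN" rules that keep the
# internal networks apart from each other.
edit firewall group network-group LAN
set description "LAN Networks"
set network 192.168.0.0/16
set network 172.16.0.0/12
set network 10.0.0.0/8
top
# BOGON: ranges that must never appear as a source address on the WAN
# (RFC 6890 special-purpose blocks, private space, multicast, class E).
# The list is static; it needs no maintenance unless the RFC changes.
edit firewall group network-group BOGON
set description "Never a valid source on the WAN"
set network 0.0.0.0/8
set network 10.0.0.0/8
set network 100.64.0.0/10
set network 127.0.0.0/8
set network 169.254.0.0/16
set network 172.16.0.0/12
set network 192.0.0.0/24
set network 192.0.2.0/24
set network 192.168.0.0/16
# Fixed: the original listed 192.18.0.0/15, which is ordinary public address
# space and would have silently dropped legitimate traffic from it. The
# RFC 2544 benchmarking range is 198.18.0.0/15.
set network 198.18.0.0/15
set network 198.51.100.0/24
set network 203.0.113.0/24
set network 224.0.0.0/4
set network 240.0.0.0/4
top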
# --- WAN_IN: traffic arriving on the WAN that the router would forward ------
# Default drop + log; only replies to connections started from inside get in.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN enable-default-log

# Rule 10: replies and related flows (ICMP errors, FTP data, ...) of
# connections opened from the LANs.
set firewall name WAN_IN rule 10 description "Allow established connections"
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state related enable

# Rule 20: packets conntrack cannot place in any connection.
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 state established disable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 20 state new disable
set firewall name WAN_IN rule 20 state related disable

# Rule 30: spoofed sources. Because rule 10 runs first, a bogon source can
# still match an already-open conntrack entry; the default action drops
# everything else, so this rule mainly drops spoofed traffic without
# cluttering the log. Set `log enable` here if you want to see it.
set firewall name WAN_IN rule 30 description "Drop BOGON source"
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 source group network-group BOGON
# --- WAN_LOCAL: traffic from the WAN addressed to the router itself ---------
# Nothing new from the internet reaches the box: no SSH, no GUI, no ping.
# NOTE(review): no rule admits DHCP replies from the ISP; the lease is
# obtained in the WAN section further down. If the WAN lease ever fails to
# renew, add an accept for udp source port 67 / destination port 68 here.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL enable-default-log

set firewall name WAN_LOCAL rule 10 description "Allow established connections"
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 protocol all
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 protocol all
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 state invalid enable
# --- WAN: eth0, VLAN 832, address by DHCP ------------------------------------
# Clear whatever address eth0 still carries (the factory default) so the only
# WAN address lives on the VLAN sub-interface.
delete interfaces ethernet eth0 address
set interfaces ethernet eth0 description "WAN"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto

# The VLAN sub-interface is where the WAN firewalls attach; untagged eth0 has
# no address and no policy, which is fine as long as nothing talks untagged.
set interfaces ethernet eth0 vif 832 description FTTH
set interfaces ethernet eth0 vif 832 address dhcp
set interfaces ethernet eth0 vif 832 egress-qos "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0"
set interfaces ethernet eth0 vif 832 firewall in name WAN_IN
set interfaces ethernet eth0 vif 832 firewall local name WAN_LOCAL

# ISP-specific DHCP client options (a Livebox CPE emulation; other ISPs need
# none of them). Treat the rfc3118-auth value as a secret: fill in the XX
# bytes from your own box and strip the line before sharing any
# `show configuration` output.
set interfaces ethernet eth0 vif 832 dhcp-options client-option "send vendor-class-identifier "sagem";"
set interfaces ethernet eth0 vif 832 dhcp-options client-option "send user-class "\053FSVDSL_livebox.Internet.softathome.Livebox4";"
set interfaces ethernet eth0 vif 832 dhcp-options client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX;"
set interfaces ethernet eth0 vif 832 dhcp-options client-option "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, rfc3118-auth;"
# Let the lease install the default route (distance 210) and the resolver list.
set interfaces ethernet eth0 vif 832 dhcp-options default-route update
set interfaces ethernet eth0 vif 832 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 832 dhcp-options name-server update
commit
save
Don't forget to commit
and save
before continuing.
# --- Source NAT: masquerade everything leaving on the WAN VLAN ----------------
# Rule 5000 rewrites the source of all forwarded traffic to the eth0.832
# address. There is no source restriction, so every LAN (Guest included) is
# NATed.
set service nat rule 5000 description "Masquerade for WAN"
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0.832
set service nat rule 5000 protocol all
set service nat rule 5000 log disable
You can now connect the WAN cable to eth0. If no public IP address shows up on eth0.832 (check with `ip addr show`, or `run show interfaces` from configure mode), run:
# Forces a fresh DHCP exchange on the WAN VLAN; `run` executes the
# operational-mode command without leaving configure mode.
configure
run renew dhcp interface eth0.832
Now test connectivity by pinging, for example, Google's public DNS server:
ping 8.8.8.8
If it's working, you can now lock down the LAN side. Double-check the interface names in the next section against the overview above (Work on eth2, Management on eth1) before pasting: attaching a default-drop `local` policy to the Management interface would cut off SSH and the web UI, which only answer on 192.168.1.1.
set interfaces ethernet eth2 firewall in name NO_IN
# --- WORK_IN: forwarding policy for the Work network ---------------------------
# Default accept (the internet is reachable); rule 10 drops anything headed for
# the RFC 1918 LAN group, i.e. every other internal network.
# NOTE(review): rule 10 has no `state` match, so it also drops the replies of
# connections that other LANs open towards Work hosts (COMPARTMENTALIZE_IN
# below matches `state new` only and therefore lets replies through). Keep it
# this way only if Work is meant to be unreachable from everywhere.
set firewall name WORK_IN default-action accept
set firewall name WORK_IN enable-default-log
set firewall name WORK_IN rule 10 description "Drop LAN network group"
set firewall name WORK_IN rule 10 action drop
set firewall name WORK_IN rule 10 protocol all
set firewall name WORK_IN rule 10 log disable
set firewall name WORK_IN rule 10 destination group network-group LAN
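# --- DHCP_DNS_LOCAL: what a LAN may ask of the router itself --------------------
# Default drop: hosts behind it get DHCP and DNS from the router and nothing
# else (no SSH, no GUI, and not even ping, from these networks).
edit firewall name DHCP_DNS_LOCAL
set default-action drop
set enable-default-log
top
edit firewall name DHCP_DNS_LOCAL rule 10
set description "Accept DHCP"
set action accept
set protocol udp
set destination port 67
top
# Fixed: DNS was udp-only. Resolvers retry over TCP when a UDP answer comes
# back truncated (large records, DNSSEC), and the forwarder serves TCP 53 as
# well, so allow both transports.
edit firewall name DHCP_DNS_LOCAL rule 20
set description "Allow DNS"
set action accept
set protocol tcp_udp
set destination port 53
top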
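# --- Work interface ------------------------------------------------------------
# Fixed: the original configured this on eth1. eth1 is already the Management
# interface (192.168.1.1/24, with SSH and the GUI bound to that address), and
# attaching DHCP_DNS_LOCAL — default drop, DHCP and DNS only — as its `local`
# policy would have cut off SSH and the GUI from the Management network. The
# overview at the top places Work on eth2, so the Work address, policies and
# resolver binding go there. This `firewall in` replaces whatever `in` policy
# eth2 carried before. An untagged Work network can share the port with the
# tagged Home/Guest VLANs defined later; move those to eth1 if you follow the
# overview literally.
edit interfaces ethernet eth2
set description "Work"
set address 192.168.10.1/24
set firewall in name WORK_IN
set firewall local name DHCP_DNS_LOCAL
top
edit service dhcp-server shared-network-name work
set authoritative disable
set subnet 192.168.10.0/24 start 192.168.10.10 stop 192.168.10.100
set subnet 192.168.10.0/24 default-router 192.168.10.1
set subnet 192.168.10.0/24 dns-server 192.168.10.1
set subnet 192.168.10.0/24 lease 86400
top
# The forwarder must also listen on the Work interface, or the DNS accept in
# DHCP_DNS_LOCAL has nothing behind it.
set service dns forwarding listen-on eth2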
See EdgeMAX - Add access control list (ACL) to understand the two attachment points used below: `local` rulesets filter traffic addressed to the router itself (DHCP, DNS, SSH, GUI), while `in` rulesets filter traffic entering an interface that the router would forward elsewhere.
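# --- DHCP_DNS_MDNS_LOCAL: DHCP_DNS_LOCAL plus multicast DNS ----------------------
# Same default-drop policy towards the router, with udp 5353 added so the mDNS
# repeater configured at the end of this page can hear the VLAN.
edit firewall name DHCP_DNS_MDNS_LOCAL
set default-action drop
set enable-default-log
top
edit firewall name DHCP_DNS_MDNS_LOCAL rule 10
set description "Accept DHCP"
set action accept
set protocol udp
set destination port 67
top
# Fixed: DNS was udp-only. Resolvers retry over TCP on truncated answers and
# the forwarder serves TCP 53 as well, so allow both transports.
edit firewall name DHCP_DNS_MDNS_LOCAL rule 20
set description "Allow DNS"
set action accept
set protocol tcp_udp
set destination port 53
top
edit firewall name DHCP_DNS_MDNS_LOCAL rule 30
set description "Accept mDNS"
set action accept
set destination port 5353
set protocol udp
top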
# --- COMPARTMENTALIZE_IN: internet yes, other LANs no ---------------------------
# Default accept; rule 10 refuses to *start* connections towards any RFC 1918
# destination (state new only), so replies to connections opened from other
# LANs into this network still flow back.
set firewall name COMPARTMENTALIZE_IN default-action accept
set firewall name COMPARTMENTALIZE_IN enable-default-log
set firewall name COMPARTMENTALIZE_IN rule 10 description "Drop LAN network group"
set firewall name COMPARTMENTALIZE_IN rule 10 action drop
set firewall name COMPARTMENTALIZE_IN rule 10 protocol all
set firewall name COMPARTMENTALIZE_IN rule 10 log disable
set firewall name COMPARTMENTALIZE_IN rule 10 destination group network-group LAN
set firewall name COMPARTMENTALIZE_IN rule 10 state new enable
# --- RESTRICTED_IN: no outbound at all ---------------------------------------
# Default drop; hosts behind it cannot open anything (not even to the WAN),
# but may answer connections that other networks open towards them.
set firewall name RESTRICTED_IN default-action drop
set firewall name RESTRICTED_IN enable-default-log
set firewall name RESTRICTED_IN rule 10 description "Allow established connections"
set firewall name RESTRICTED_IN rule 10 action accept
set firewall name RESTRICTED_IN rule 10 state established enable
set firewall name RESTRICTED_IN rule 10 state related enable
# --- Home: VLAN 2 on eth2 -------------------------------------------------------
# NOTE(review): the overview at the top puts the Home/Guest VLANs on eth1
# (which is also where the VLAN-offload note says they must be); here they sit
# on eth2. No `firewall in` is attached, so Home may reach every other LAN,
# Management included. The `local` policy still limits what Home may ask of
# the router itself (DHCP, DNS, mDNS).
set interfaces ethernet eth2 vif 2 description "Home"
set interfaces ethernet eth2 vif 2 address 192.168.22.1/24
set interfaces ethernet eth2 vif 2 firewall local name DHCP_DNS_MDNS_LOCAL
set service dhcp-server shared-network-name home authoritative disable
set service dhcp-server shared-network-name home subnet 192.168.22.0/24 start 192.168.22.10 stop 192.168.22.100
set service dhcp-server shared-network-name home subnet 192.168.22.0/24 default-router 192.168.22.1
set service dhcp-server shared-network-name home subnet 192.168.22.0/24 dns-server 192.168.22.1
set service dhcp-server shared-network-name home subnet 192.168.22.0/24 lease 86400
set service dns forwarding listen-on eth2.2
# --- Guest: VLAN 3 on eth2 ------------------------------------------------------
# COMPARTMENTALIZE_IN lets guests out to the internet but not into any other
# LAN. Guest clients are handed OpenDNS directly rather than the router, so
# their lookups bypass the local forwarder (and its cache) and go straight out
# over the WAN; the listen-on line and the DNS accept in the local policy only
# matter for a guest that points at 192.168.23.1 by hand.
set interfaces ethernet eth2 vif 3 description "Guest"
set interfaces ethernet eth2 vif 3 address 192.168.23.1/24
set interfaces ethernet eth2 vif 3 firewall in name COMPARTMENTALIZE_IN
set interfaces ethernet eth2 vif 3 firewall local name DHCP_DNS_MDNS_LOCAL
set service dhcp-server shared-network-name guest authoritative disable
set service dhcp-server shared-network-name guest subnet 192.168.23.0/24 start 192.168.23.10 stop 192.168.23.100
set service dhcp-server shared-network-name guest subnet 192.168.23.0/24 default-router 192.168.23.1
set service dhcp-server shared-network-name guest subnet 192.168.23.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name guest subnet 192.168.23.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name guest subnet 192.168.23.0/24 lease 86400
set service dns forwarding listen-on eth2.3
# --- Disconnected: eth3, no forwarding at all -----------------------------------
# RESTRICTED_IN drops every new forwarded connection, so this segment has no
# internet and cannot reach the other LANs; it can only answer connections
# opened towards it.
# NOTE(review): the pool hands out 192.168.30.1 as resolver and the local
# policy admits port 53, but there is no `set service dns forwarding listen-on
# eth3`, so those queries go unanswered. Presumably fine for an isolated
# segment; add the listen-on line if names should resolve here.
set interfaces ethernet eth3 description "Disconnected"
set interfaces ethernet eth3 address 192.168.30.1/24
set interfaces ethernet eth3 firewall in name RESTRICTED_IN
set interfaces ethernet eth3 firewall local name DHCP_DNS_LOCAL
set service dhcp-server shared-network-name disconnected authoritative disable
set service dhcp-server shared-network-name disconnected subnet 192.168.30.0/24 start 192.168.30.10 stop 192.168.30.100
set service dhcp-server shared-network-name disconnected subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name disconnected subnet 192.168.30.0/24 dns-server 192.168.30.1
set service dhcp-server shared-network-name disconnected subnet 192.168.30.0/24 lease 86400
See: http://www.cron.dk/edgerouter-and-chromecast/ — the mDNS repeater and broadcast relay below follow that article.
# --- Chromecast / mDNS across Home and Guest ------------------------------------
# The mDNS repeater reflects multicast DNS (udp 5353, admitted by
# DHCP_DNS_MDNS_LOCAL) between the two VLANs in both directions, so devices on
# each side discover the other. Discovery is not access: Guest still cannot
# open connections into Home (COMPARTMENTALIZE_IN drops new connections
# towards the LAN group), whereas Home has no `in` policy and can reach Guest.
# The broadcast relay forwards UDP broadcasts on port 10102 (value taken from
# the linked article) between the same two VLANs.
set service mdns repeater interface eth2.2
set service mdns repeater interface eth2.3
set service bcast-relay id 1 description "Chromecast relay"
set service bcast-relay id 1 interface eth2.2
set service bcast-relay id 1 interface eth2.3
set service bcast-relay id 1 port 10102
To reach a Synology NAS from a different VLAN, set the default gateway (the router's address on the NAS's VLAN) in the NAS's IP configuration; without it the NAS cannot answer hosts outside its own subnet.