@psilore
Last active November 23, 2023 02:42
EdgeRouter 4 initial setup

EdgeOS, the EdgeRouter firmware, is a fork of Vyatta, so the VyOS docs are a useful reference for the CLI syntax used below.

Connect to console

Find serial interface

Note! If you can't find a USB-to-serial interface, plug the adapter in and look for the device it registers with dmesg.

ls -ltr /dev/*usb*

Connect to console

screen /dev/tty.usbserial-AI038TPF 115200

The device name depends on your adapter and OS (the name above is from macOS; on Linux it is usually /dev/ttyUSB0).

Update system image

Show version

$ show version

System images

ER-X - https://dl.ui.com/firmwares/edgemax/v2.0.9-hotfix.5/ER-e50.v2.0.9-hotfix.5.5554172.tar
ER-4 - https://dl.ui.com/firmwares/edgemax/v2.0.9-hotfix.5/ER-e300.v2.0.9-hotfix.5.5554172.tar

Add image directly from Ubiquiti (HTTPS)

$ add system image https://dl.ui.com/.../firmware.tar

OR

Manually download and copy to router. The filename below is the ER-X (e50) image; an ER-4 needs the ER-e300 image from the list above. Compare the download's SHA256 with the checksum published on the Ubiquiti download page before copying it to the router.

$ scp ~/Downloads/ER-e50.v2.0.9-hotfix.5.5554172.tar ubnt@<ip-of-edgerouter>:/tmp

Add image

$ add system image /tmp/ER-e50.v2.0.9-hotfix.5.5554172.tar
Checking upgrade image...Done
Preparing to upgrade...Done
Clearing directory /var/cache/apt (1.1M)...Done
Copying upgrade image...Done
Removing old image...Done
Checking upgrade image...Done
Copying config data...Done
Finishing upgrade...Done
Upgrade completed

Verify system image

$ show system image

Restart the router

$ reboot

Setup user

Login to router and add a new user. The password is stored hashed on commit, but the plaintext-password command itself can end up in shell history; to avoid that, hash it offline (for example with openssl passwd -6) and use authentication encrypted-password instead. level admin gives the account sudo on the underlying Debian system.

$ ssh ubnt@<ip-of-edgerouter>
configure
set system login user <user> authentication plaintext-password <secret>
set system login user <user> level admin
commit
save
exit
logout

Remove default user

Log in as the new user, not as ubnt, so you have proven the new account works before deleting the old one:

$ ssh <user>@<ip-of-edgerouter>
configure
delete system login user ubnt
commit
save
exit
logout

Add a public ssh key to EdgeRouter

$ scp ~/.ssh/id_rsa.pub <user>@<ip-of-edgerouter>:/tmp
$ ssh <user>@<ip-of-edgerouter>
configure
loadkey <user> /tmp/id_rsa.pub
commit
save
exit
# loadkey can leave files in the home directory owned by root, and sshd refuses
# an authorized_keys file it cannot verify as owned by the user; restore ownership
sudo chown -R <user> /home/<user>
logout

Sanity check

Confirm that the key, not the password, is what gets you in:

$ ssh -o PasswordAuthentication=no <user>@<ip-of-edgerouter>
exit

Disable plain text password authentication

Once you can log in with your key, the next hardening step is to turn off password authentication on SSH altogether, so a leaked or guessable password no longer gets anyone a shell.
NOTE! Make sure you can log in with your public key before disabling password authentication, or you will lock yourself out (the serial console still works).

$ ssh <user>@<ip-of-edgerouter>
configure
set service ssh disable-password-authentication
commit  
save  
exit
logout

Setup Edgerouter 4

System setup

$ ssh <user>@<ip-of-edgerouter>
configure
set system domain-name example.local
set system host-name example
set system time-zone Europe/Stockholm
set system name-server <ip-of-edgerouter> # or the Pi-hole address if you run one; pointing at the router itself only works once DNS forwarding is enabled (see LAN below)
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
commit
save
exit
logout

Bind the GUI and SSH to the LAN address only

listen-address limits the service to the given address instead of every interface, so it is not reachable on the WAN even if a firewall rule is wrong. The address must be one configured on the router (the LAN address), otherwise the service cannot bind to it. The WAN_LOCAL firewall further down is still the primary control; this is defence in depth.

$ ssh <user>@<ip-of-edgerouter>
configure
set service gui listen-address <ip-of-edgerouter>
set service ssh listen-address <ip-of-edgerouter>
commit
save
exit
logout

Enable offloading (ER-X, MediaTek based)

$ ssh <user>@<ip-of-edgerouter>
configure
set system offload hwnat enable
commit
save
exit
logout

Enable offloading (ER-4, Cavium based)

Offloading does not bypass the firewall: the first packet of each flow still passes through the kernel and the firewall rules, and only subsequent packets of an accepted flow are forwarded in hardware.

$ ssh <user>@<ip-of-edgerouter>
configure
set system offload ipv4 forwarding enable
commit
save
exit
logout

Add UISP key

The connection string is a credential; treat it like a password. Example format:

wss://<domain>:<port>+<id>+allowSelfSignedCertificate

Drop the allowSelfSignedCertificate suffix if your UISP server has a certificate the router can validate. With it, the router does not verify the server certificate, so the management session can be intercepted by anyone who can get between the router and the server.

$ ssh <user>@<ip-of-edgerouter>
configure
delete service unms disable 
set service unms connection generic UNMS <uisp-key> 
commit 
save 

Let's Encrypt certificate

Using ubnt-letsencrypt by Jesse Miller. Piping a remote script straight into sudo bash runs whatever is served at that URL as root, so fetch install.sh, read it, and then run it. Let's Encrypt has to reach the router to validate the name, so check the project README for the firewall rule the renewal script needs. Replace router.your.house and 10.0.1.1 with your own hostname and LAN address; the certificate and key live under /config/ssl, which survives firmware upgrades.

$ ssh <user>@<ip-of-edgerouter>
curl -O https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh
less install.sh   # read it before running it as root
sudo bash install.sh
configure
set system static-host-mapping host-name router.your.house inet 10.0.1.1
set service gui cert-file /config/ssl/server.pem
set service gui ca-file /config/ssl/ca.pem
set system task-scheduler task renew.acme executable path /config/scripts/renew.acme.sh
set system task-scheduler task renew.acme interval 1d
set system task-scheduler task renew.acme executable arguments '-d router.your.house'
sudo /config/scripts/renew.acme.sh -d router.your.house
commit
save
exit

Add a locally trusted CA certificate (mkcert)

Using mkcert by Filippo Valsorda to create a local CA and a certificate for the router. The mkcert root key (rootCA-key.pem in the directory shown by mkcert -CAROOT) can sign certificates that every machine you installed the root on will trust, so keep it off shared machines and out of backups you do not control.
Alternatively, go the Let's Encrypt route; there are several tools to choose from, e.g. ubnt-letsencrypt by Jesse Miller (see above).

$ ssh <user>@<ip-of-edgerouter>
configure
set system static-host-mapping host-name <hostname> inet <ip-of-edgerouter>
commit
save
exit

Create certificate

$ mkcert <ip-of-edgerouter> <hostname>
cat <ip-of-edgerouter>+1-key.pem <ip-of-edgerouter>+1.pem > server.pem

Backup existing certificate file

$ ssh <user>@<ip-of-edgerouter>
sudo cp /etc/lighttpd/server.pem /etc/lighttpd/.server-OLD.pem
exit

Copy new certificate file to user home dir of your router. server.pem contains the private key, so delete this copy once it is installed.

scp /path/to/server.pem <user>@<ip-of-edgerouter>:/home/<user>/server.pem

Copy new certificate file from user home dir and enable the certificate. /etc/lighttpd is not preserved across a firmware upgrade; for a persistent setup keep the file under /config (for example /config/ssl/server.pem) and point the GUI at it with set service gui cert-file, as the Let's Encrypt section does, which also removes the need for the manual restart below.

$ ssh <user>@<ip-of-edgerouter>
sudo cp /home/<user>/server.pem /etc/lighttpd/server.pem
# Stop the webserver by PID
sudo kill -SIGINT $(cat /var/run/lighttpd.pid)
# Start webserver with the same config it normally runs with
sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
exit

Check your connection with curl
One quick check is to request the plain HTTP URL: a redirect to the HTTPS port (443) shows that lighttpd came back up with the new server.pem. To check the certificate itself rather than just the redirect, request the https URL for <hostname> with curl --cacert pointing at the mkcert root (rootCA.pem under mkcert -CAROOT); curl fails if the chain or the name does not match.

$ curl -I http://<ip-of-edgerouter>
HTTP/1.1 301 Moved Permanently
Location: https://<ip-of-edgerouter>:443/
Date: Sun, 11 Jan 2015 07:46:13 GMT
Server: Server

Firewall

WAN_IN filters traffic forwarded through the router (towards the LAN); WAN_LOCAL filters traffic addressed to the router itself, which is where SSH and the GUI live. Apply the first as "in" and the second as "local" on the WAN interface; the WAN section further down repeats these bindings and must agree with them. In the ruleset below, rules 10 and 30 repeat what rules 1 and 2 already do (keep one pair); rule 20 only matters once you add port forwards, since nothing else is accepted towards the LAN; rule 40 is already covered by the default drop and only documents intent; and Trusted_IPs holds a placeholder address to replace with your own. enable-default-log logs every packet the default action drops, which is useful while testing and noisy on a busy link.

$ ssh <user>@<ip-of-edgerouter>
configure
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 description "Allow established connections"
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_IN rule 2 action drop
set firewall name WAN_IN rule 2 log enable
set firewall name WAN_IN rule 2 description "Drop invalid state"
set firewall name WAN_IN rule 2 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 description "Allow established connections"
set firewall name WAN_LOCAL rule 1 state established enable
set firewall name WAN_LOCAL rule 1 state related enable
set firewall name WAN_LOCAL rule 2 action drop
set firewall name WAN_LOCAL rule 2 log enable
set firewall name WAN_LOCAL rule 2 description "Drop invalid state"
set firewall name WAN_LOCAL rule 2 state invalid enable
set firewall group address-group Trusted_IPs address 1.2.3.4
set firewall group address-group Trusted_IPs description "External Trusted IPs"
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow Established / Related Traffic"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description "Allow Trusted IPs"
set firewall name WAN_IN rule 20 source group address-group Trusted_IPs
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 description "Drop Invalid State"
set firewall name WAN_IN rule 30 log enable
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 state established disable
set firewall name WAN_IN rule 30 state invalid enable
set firewall name WAN_IN rule 30 state new disable
set firewall name WAN_IN rule 30 state related disable
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 description "Drop ICMP"
set firewall name WAN_IN rule 40 icmp type 8
set firewall name WAN_IN rule 40 protocol icmp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit
save
exit

Firewall ipv6

IPv6 has no NAT to hide behind, so WANv6_IN is what keeps the internet out of the LAN; give it an explicit default-action drop like its IPv4 counterpart. Keep ICMPv6 accepted: neighbour discovery, router advertisements and path MTU discovery depend on it, and blocking it breaks IPv6 rather than hardening it. Trusted_IPv6s holds a documentation-prefix placeholder to replace with your own.

$ ssh <user>@<ip-of-edgerouter>
configure
set firewall group ipv6-address-group Trusted_IPv6s description "External Trusted IPv6s"
set firewall group ipv6-address-group Trusted_IPv6s ipv6-address 2001:db8::1/64
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "IPv6WAN to internal"
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow Established / Related Traffic"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 10 log disable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description "Allow ICMPv6"
set firewall ipv6-name WANv6_IN rule 30 log disable
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "IPv6 packets from internet to router"
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established and related packets"
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid packets"
set firewall ipv6-name WANv6_LOCAL rule 20 log enable
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow ICMPv6 packets"
set firewall ipv6-name WANv6_LOCAL rule 30 log enable
set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "Allow dhcpv6"
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-name WANv6_LOCAL rule 50 action accept
set firewall ipv6-name WANv6_LOCAL rule 50 description "Allow SSH and web traffic from trusted sources"
set firewall ipv6-name WANv6_LOCAL rule 50 destination port 80,443,22
set firewall ipv6-name WANv6_LOCAL rule 50 source group ipv6-address-group Trusted_IPv6s
set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
commit
save
exit
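Applying a ruleset like this by hand makes it easy to bind the wrong chain, forget a default action or repeat a rule, and the CLI accepts all of that silently. As an added example, not from the gist or from Ubiquiti, the Python script below lints `set firewall ...` and `set interfaces ... firewall ...` lines (the format of `show configuration commands` output) and reports rulesets that are defined but never applied, one ruleset applied to both in and local of the same interface, duplicate rules, a missing explicit default-action, accept rules with no match criteria, and references to undefined groups. The embedded sample config is constructed for the example: a deliberately flawed subset of the rules above, not the full config.

```python
"""Lint EdgeOS/VyOS-style firewall configuration lines.

Added example for this gist (not Ubiquiti's or the gist's own tooling).
"""
import shlex
import sys
from collections import defaultdict

# Constructed sample: a deliberately flawed subset of the WAN rules, NOT the
# full configuration from the gist.
SAMPLE_CONFIG = """\
set firewall group address-group Trusted_IPs address 1.2.3.4
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 description "Allow established connections"
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_IN rule 2 action drop
set firewall name WAN_IN rule 2 state invalid enable
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow Established / Related Traffic"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 source group address-group Trusted_IPs
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 state established enable
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_IN
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
"""

# Keys whose presence makes a rule selective rather than match-everything.
MATCH_KEYS = {"state", "source", "destination", "protocol", "icmp", "icmpv6", "tcp"}


def parse(text):
    """Return (rulesets, bindings, groups) parsed from `set ...` lines."""
    rulesets = {}   # name -> {"family", "default_action", "rules": {num: {key: value}}}
    bindings = []   # (interface, direction, "name" | "ipv6-name", ruleset)
    groups = set()
    for raw in text.splitlines():
        tok = shlex.split(raw)          # keeps quoted descriptions as one token
        if len(tok) < 5 or tok[0] != "set":
            continue
        if tok[1] == "firewall" and tok[2] in ("name", "ipv6-name"):
            rs = rulesets.setdefault(tok[3], {
                "family": "ipv4" if tok[2] == "name" else "ipv6",
                "default_action": None,
                "rules": defaultdict(dict),
            })
            rest = tok[4:]
            if rest[0] == "default-action" and len(rest) == 2:
                rs["default_action"] = rest[1]
            elif rest[0] == "rule" and len(rest) >= 4:
                # "rule 1 state established enable" -> key "state established", value "enable"
                rs["rules"][int(rest[1])][" ".join(rest[2:-1])] = rest[-1]
        elif tok[1] == "firewall" and tok[2] == "group":
            groups.add(tok[4])
        elif tok[1] == "interfaces" and len(tok) >= 8 and tok[4] == "firewall":
            bindings.append((tok[3], tok[5], tok[6], tok[7]))
    return rulesets, bindings, groups


def lint(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    rulesets, bindings, groups = parse(text)
    findings = []
    bound = set()
    per_iface = defaultdict(dict)   # (iface, kind) -> {direction: ruleset}
    for iface, direction, kind, name in bindings:
        bound.add(name)
        per_iface[(iface, kind)][direction] = name
        if name not in rulesets:
            findings.append(("error", f"{iface} {direction}: {name} is applied but never defined"))
        elif rulesets[name]["family"] != ("ipv6" if kind == "ipv6-name" else "ipv4"):
            findings.append(("error", f"{iface} {direction}: {name} applied as {kind} but defined as {rulesets[name]['family']}"))
    for (iface, _kind), dirs in per_iface.items():
        if dirs.get("in") and dirs.get("in") == dirs.get("local"):
            findings.append(("warn", f"{iface}: {dirs['in']} is applied to both 'in' and 'local'; forwarded and router-bound traffic need separate policy"))
    for name, rs in rulesets.items():
        if name not in bound:
            findings.append(("warn", f"{name}: defined but not applied to any interface"))
        if rs["default_action"] is None:
            findings.append(("warn", f"{name}: no explicit default-action; set it to drop instead of relying on the implicit default"))
        seen = {}
        for num, rule in sorted(rs["rules"].items()):
            if "action" not in rule:
                findings.append(("error", f"{name} rule {num}: has no action"))
                continue
            # Two rules are duplicates when everything but the description matches.
            sig = tuple(sorted((k, v) for k, v in rule.items() if k != "description"))
            if sig in seen:
                findings.append(("warn", f"{name} rule {num}: duplicates rule {seen[sig]}"))
            seen.setdefault(sig, num)
            selective = [k for k, v in rule.items() if k.split()[0] in MATCH_KEYS and v != "disable"]
            if rule["action"] == "accept" and not selective:
                findings.append(("error", f"{name} rule {num}: accept with no match criteria (accept-all)"))
            for key, val in rule.items():
                if key.endswith(("group address-group", "group ipv6-address-group")) and val not in groups:
                    findings.append(("error", f"{name} rule {num}: references undefined group {val}"))
    return findings


if __name__ == "__main__":
    # Pipe `show configuration commands | grep firewall` output in, or run without input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    for severity, message in lint(text):
        print(f"[{severity}] {message}")
```

On the constructed sample it reports WAN_IN rule 10 as a duplicate of rule 1, WAN_LOCAL as defined but unused, WAN_IN bound to both in and local on eth0, and WANv6_IN without an explicit default-action. Run it against the router's real output after each commit; a clean run is cheap evidence that the chains are wired the way the notes above describe.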

WAN

$ ssh <user>@<ip-of-edgerouter>
configure
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set service nat rule 5010 description "Masquerade for WAN"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
commit
save
exit

LAN

listen-on eth3 makes the DNS forwarder answer only on the LAN interface, so the router is not an open resolver towards the WAN. Upstream resolution uses the nameservers the router itself knows (from the WAN DHCP lease or system name-server); if clients cannot resolve, set one explicitly with set service dns forwarding name-server <ip>.

$ ssh <user>@<ip-of-edgerouter>
configure
set interfaces ethernet eth3 description LAN
set interfaces ethernet eth3 address 192.168.1.1/24
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.150 stop 192.168.1.254
set service dns forwarding listen-on eth3
commit
save
exit