EdgeRouter runs a fork of Vyatta, so the VyOS docs are a useful reference.
Note! If you cannot find a USB-to-serial interface, use dmesg to find the device node it was attached as.
# On the host, list the USB serial device nodes to find the console adapter
ls -ltr /dev/*usb*
# Attach to the console at 115200 baud; the tty name below is an example, use the node found above
screen /dev/tty.usbserial-AI038TPF 115200
# On the router console: show the firmware version currently running
$ show version
ER-X - https://dl.ui.com/firmwares/edgemax/v2.0.9-hotfix.5/ER-e50.v2.0.9-hotfix.5.5554172.tar
ER-4 - https://dl.ui.com/firmwares/edgemax/v2.0.9-hotfix.5/ER-e300.v2.0.9-hotfix.5.5554172.tar
# Install the firmware image straight from its download URL (replace the elided path with the real image URL)
$ add system image https://dl.ui.com/.../firmware.tar
OR
# Alternatively, copy a locally downloaded image to the router's /tmp and install it from there.
# If Ubiquiti publishes a checksum for the image, compare it against the download before installing.
$ scp ~/Downloads/ER-e50.v2.0.9-hotfix.5.5554172.tar <ip-of-edgerouter>:/tmp
# The ER-X (e50) file is shown; use the file matching your model
$ add system image /tmp/ER-e50.v2.0.9-hotfix.5.5554172.tar
Checking upgrade image...Done
Preparing to upgrade...Done
Clearing directory /var/cache/apt (1.1M)...Done
Copying upgrade image...Done
Removing old image...Done
Checking upgrade image...Done
Copying config data...Done
Finishing upgrade...Done
Upgrade completed
# Confirm the new image is listed before rebooting into it
$ show system image
$ reboot
# First login uses the factory default account; create your own admin user right away
$ ssh ubnt@<ip-of-edgerouter>
configure
# The secret is typed in plaintext here and may end up in this session's command history;
# it is presumably stored hashed in the saved config — verify with `show configuration` after commit
set system login user <user> authentication plaintext-password <secret>
set system login user <user> level admin
commit
save
exit
logout
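# Remove the factory default account. Log in as the new admin user rather than as
# ubnt, so the account being deleted is not the one running the session doing the delete.
$ ssh <user>@<ip-of-edgerouter>
configure
delete system login user ubnt
commit
save
exit
logout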
# Copy the public key (never the private key) to the router, then register it for <user>
$ scp ~/.ssh/id_rsa.pub <ip-of-edgerouter>:/tmp
$ ssh <user>@<ip-of-edgerouter>
configure
# loadkey installs /tmp/id_rsa.pub as an SSH key for <user>
loadkey <user> /tmp/id_rsa.pub
commit
save
exit
# Fix ownership of the home directory — presumably so sshd accepts the key files written by loadkey; confirm if key login fails
sudo chown -R <user> /home/<user>
logout
# Verify that key-based login works before relying on it in the next steps
$ ssh <user>@<ip-of-edgerouter>
exit
Once you can log in to the EdgeRouter with your key, a hardening step is to remove the option of logging in with a password.
NOTE! Make sure you can log in with your public key before disabling password authentication; otherwise this commit locks you out of SSH.
# Turn off SSH password authentication. Do this only after key login has been verified,
# since a failed key setup leaves no other way in over SSH after this commit.
$ ssh <user>@<ip-of-edgerouter>
configure
set service ssh disable-password-authentication
commit
save
exit
logout
# Basic system identity, resolver, time zone and NTP
$ ssh <user>@<ip-of-edgerouter>
configure
set system domain-name example.local
set system host-name example
set system time-zone Europe/Stockholm
set system name-server <ip-of-edgerouter> # Or leave blank, if running pi-hole specify pi-hole ip
# Accurate time matters for log timestamps and for certificate validity checks
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
commit
save
exit
logout
# Bind the web GUI and SSH to one address so the management plane is not listening on every interface;
# <ip-of-edgerouter> should be the LAN-side address, not a WAN address
$ ssh <user>@<ip-of-edgerouter>
configure
set service gui listen-address <ip-of-edgerouter>
set service ssh listen-address <ip-of-edgerouter>
commit
save
exit
logout
# Enable hardware NAT offload (which models expose this option is not stated here; `show ubnt offload` reports the current state).
# Unlike the other sessions, this one does not `exit` configure mode before logout.
$ ssh <user>@<ip-of-edgerouter>
configure
set system offload hwnat enable
commit
save
logout
# Enable IPv4 forwarding offload (this session has no exit/logout; finish it like the others)
$ ssh <user>@<ip-of-edgerouter>
configure
set system offload ipv4 forwarding enable
commit
save
Example <uisp-key> format: wss://<domain>:<port>+<id>+allowSelfSignedCertificate
# Enable the UNMS/UISP agent and register it with the controller key.
# <uisp-key> is a credential: keep it out of shared notes and command history.
$ ssh <user>@<ip-of-edgerouter>
configure
delete service unms disable
set service unms connection generic UNMS <uisp-key>
commit
save
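# Let's Encrypt via the ubnt-letsencrypt installer. Fetch the installer to a file and read it
# before handing it to root, rather than piping the download straight into `sudo bash`.
# (/tmp/ubnt-letsencrypt-install.sh is just a scratch path; any writable location works.)
curl -fsSL -o /tmp/ubnt-letsencrypt-install.sh https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh
less /tmp/ubnt-letsencrypt-install.sh
sudo bash /tmp/ubnt-letsencrypt-install.sh
configure
# Example values: replace router.your.house / 10.0.1.1 with the router's real name and LAN address
set system static-host-mapping host-name router.your.house inet 10.0.1.1
# Point the GUI at the certificate and CA files under /config/ssl (presumably maintained by the renew script)
set service gui cert-file /config/ssl/server.pem
set service gui ca-file /config/ssl/ca.pem
# Daily renewal task running the installer's script for the same name
set system task-scheduler task renew.acme executable path /config/scripts/renew.acme.sh
set system task-scheduler task renew.acme interval 1d
set system task-scheduler task renew.acme executable arguments '-d router.your.house'
# Initial issuance before the first scheduled run
sudo /config/scripts/renew.acme.sh -d router.your.house
commit
save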
Using mkcert by Filippo Valsorda to create a certificate signed by a local CA.
Alternatively, go the Let's Encrypt route; there are several scripts to choose from, e.g. ubnt-letsencrypt by Jesse Miller.
# Map the hostname the certificate will carry to the router's address, so the name resolves locally
$ ssh <user>@<ip-of-edgerouter>
configure
set system static-host-mapping host-name <hostname> inet <ip-of-edgerouter>
commit
save
exit
Create certificate
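# Issue a certificate for the router's IP and hostname from the local mkcert CA (run on the host)
$ mkcert <ip-of-edgerouter> <hostname>
# Combine key and certificate into the single PEM that /etc/lighttpd/server.pem holds.
# The result contains the private key, so keep it readable by the owner only.
cat <ip-of-edgerouter>+1-key.pem <ip-of-edgerouter>+1.pem > server.pem
chmod 600 server.pem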
Backup existing certificate file
# Keep a copy of the current certificate so the change can be rolled back
$ ssh <user>@<ip-of-edgerouter>
sudo cp /etc/lighttpd/server.pem /etc/lighttpd/.server-OLD.pem
exit
Copy new certificate file to user home dir of your router
# Stage the new PEM (key + certificate) in the user's home directory on the router
scp /path/to/server.pem <user>@<ip-of-edgerouter>:/home/<user>/server.pem
Copy new certificate file from user home dir and enable the certificate
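# Install the staged PEM and restart the web server so it picks up the new certificate
$ ssh <user>@<ip-of-edgerouter>
sudo cp /home/<user>/server.pem /etc/lighttpd/server.pem
# The staging copy contains the private key; remove it once installed
rm -- /home/<user>/server.pem
# Stop the running webserver by PID (quoted so an empty or malformed pidfile does not word-split)
sudo kill -SIGINT "$(cat /var/run/lighttpd.pid)"
# Start webserver
sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
exit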
Check your connection with curl
If done correctly, one way of checking is to use curl. A redirect to the HTTPS port (443) shows the web server is up and redirecting to TLS; to confirm the new certificate is actually being served, also check the HTTPS endpoint itself.
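# Request only the headers over plain HTTP; the scheme needs two slashes (http://)
$ curl -I http://<ip-of-edgerouter>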
HTTP/1.1 301 Moved Permanently
Location: https://<ip-of-edgerouter>:443/
Date: Sun, 11 Jan 2015 07:46:13 GMT
Server: Server
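# Kernel-level firewall settings plus the IPv4 WAN rulesets
$ ssh <user>@<ip-of-edgerouter>
configure
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
# Reverse-path filtering is left off here; on a single-uplink WAN, enabling it is worth considering (review note)
set firewall source-validation disable
set firewall syn-cookies enable
# WAN_IN: traffic from the internet that is forwarded through the router
set firewall name WAN_IN default-action drop
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 description "Allow established connections"
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_IN rule 2 action drop
set firewall name WAN_IN rule 2 log enable
set firewall name WAN_IN rule 2 description "Drop invalid state"
set firewall name WAN_IN rule 2 state invalid enable
# WAN_LOCAL: traffic from the internet addressed to the router itself
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 description "Allow established connections"
set firewall name WAN_LOCAL rule 1 state established enable
set firewall name WAN_LOCAL rule 1 state related enable
set firewall name WAN_LOCAL rule 2 action drop
set firewall name WAN_LOCAL rule 2 log enable
set firewall name WAN_LOCAL rule 2 description "Drop invalid state"
set firewall name WAN_LOCAL rule 2 state invalid enable
# 1.2.3.4 is an example; put the real external addresses that may reach the LAN here
set firewall group address-group Trusted_IPs address 1.2.3.4
set firewall group address-group Trusted_IPs description "External Trusted IPs"
# Rules 10 and 30 repeat what rules 1 and 2 already cover (established/related, invalid);
# they are kept as written, and rule order decides which one matches first
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow Established / Related Traffic"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description "Allow Trusted IPs"
set firewall name WAN_IN rule 20 source group address-group Trusted_IPs
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 description "Drop Invalid State"
set firewall name WAN_IN rule 30 log enable
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 state established disable
set firewall name WAN_IN rule 30 state invalid enable
set firewall name WAN_IN rule 30 state new disable
set firewall name WAN_IN rule 30 state related disable
# Drop forwarded ICMP echo requests (type 8) from the WAN
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 description "Drop ICMP"
set firewall name WAN_IN rule 40 icmp type 8
set firewall name WAN_IN rule 40 protocol icmp
set interfaces ethernet eth0 firewall in name WAN_IN
# The local hook gets WAN_LOCAL, not WAN_IN; otherwise the WAN_LOCAL ruleset defined above is never applied
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit
save
exit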
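# IPv6 WAN rulesets (this run has no ssh/configure preamble of its own; it continues in configure mode)
set firewall group ipv6-address-group Trusted_IPv6s description "External Trusted IPv6s"
# 2001:db8::/32 is the IPv6 documentation prefix; substitute the real trusted prefix
set firewall group ipv6-address-group Trusted_IPv6s ipv6-address 2001:db8::1/64
# WANv6_IN: IPv6 traffic from the internet forwarded to the LAN.
# Explicit default-action so it matches WANv6_LOCAL below rather than relying on the implicit default.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "IPv6WAN to internal"
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow Established / Related Traffic"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 10 log disable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
# ICMPv6 is required for neighbor discovery and path MTU discovery, so it is allowed through
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description "Allow ICMPv6"
set firewall ipv6-name WANv6_IN rule 30 log disable
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
# WANv6_LOCAL: IPv6 traffic addressed to the router itself
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "IPv6 packets from internet to router"
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established and related packets"
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid packets"
set firewall ipv6-name WANv6_LOCAL rule 20 log enable
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow ICMPv6 packets"
set firewall ipv6-name WANv6_LOCAL rule 30 log enable
set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6
# DHCPv6 client replies: server port 547 to client port 546
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "Allow dhcpv6"
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
# Management ports from trusted IPv6 sources only. The GUI and SSH were bound to an IPv4
# listen-address earlier, so this rule only has an effect if those services also listen on IPv6.
set firewall ipv6-name WANv6_LOCAL rule 50 action accept
set firewall ipv6-name WANv6_LOCAL rule 50 description "Allow SSH and web traffic from trusted sources"
set firewall ipv6-name WANv6_LOCAL rule 50 destination port 80,443,22
set firewall ipv6-name WANv6_LOCAL rule 50 source group ipv6-address-group Trusted_IPv6s
set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
commit
save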
# WAN interface: DHCP-assigned address, both IPv4 rulesets attached, and source NAT for outbound LAN traffic
$ ssh <user>@<ip-of-edgerouter>
configure
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
# Masquerade behind whatever address eth0 currently holds
set service nat rule 5010 description "Masquerade for WAN"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
commit
save
exit
# LAN interface with a DHCP pool and the router's own DNS forwarder listening only on the LAN
$ ssh <user>@<ip-of-edgerouter>
configure
set interfaces ethernet eth3 description LAN
set interfaces ethernet eth3 address 192.168.1.1/24
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
# Clients are pointed at the router for DNS, which is served by the forwarder enabled below
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
# Lease time in seconds (86400 = one day)
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.150 stop 192.168.1.254
# Listening on eth3 only keeps the resolver off the WAN interface
set service dns forwarding listen-on eth3
commit
save
exit