Ubiquiti EdgeRouter Lite SOHO Network Configuration

This project explains my Ubiquiti EdgeRouter Lite SOHO network configuration, starting from a factory-new router and adding firewall rules and VLANs.

As described in the project introduction, I created my SOHO network design diagram before taking the EdgeRouter Lite (ER3) out of the box:

Ubiquiti EdgeRouter Lite Network Diagram

Ubiquiti EdgeRouter Lite SOHO Network Configuration

Factory New Startup Config: WAN+2LAN Wizard

The EdgeRouter Lite (ER3) was initially configured using the WAN+2LAN Wizard (see Chapter 12 in the EdgeOS User Guide). My Windows 10 desktop computer was manually configured with a 192.168.1.100 static IP address and connected to port eth0 per the Quick Start Guide. I opened a web browser, entered the ER3 URL https://192.168.1.1/ and logged in with the default ubnt/ubnt user name and password. The WAN+2LAN Wizard is very simple: it configures eth0 as the WAN/Internet port and eth1 and eth2 as two LAN ports. After running the wizard I began customizing the configuration using the ER3 web GUI, but mostly via the Command Line Interface (CLI). I prefer the CLI for configuring firewall rules because I think the GUI firewall editor is confusing.

Per the above diagram my ER3 interfaces (Ethernet ports) are:

  • eth0 – Internet WAN to the cable modem. My ISP assigns the WAN address by DHCP.
  • eth1 – LAN to the EdgeSwitch 24, subnet 10.10.0.0/24 (router address 10.10.0.1), with the VLANs carried as tagged sub-interfaces.
  • eth2 – "Local 2" to the Netgear WiFi router I was using before buying the ER3, left at the wizard default of 192.168.2.0/24 (router address 192.168.2.1).

The interface Description and IP address are changed by selecting Dashboard > Actions > Config for each interface (eth0 and eth1):

EdgeRouter Lite Interface Configuration for eth0

Because I changed the eth1 interface IP address, my desktop computer was disconnected when the changes were saved. I changed my Windows 10 PC IP address back to DHCP and connected eth0 to the cable modem. The cable modem has to be rebooted so it detects the EdgeRouter's MAC address and allocates a new DHCP WAN IP address.

The EdgeRouter port eth1 is connected to the EdgeSwitch port eth0. The desktop PC is connected to the EdgeSwitch port eth2 which gives me access to the EdgeRouter to continue customizing router and switch configuration.

Ubiquiti EdgeSwitch VLAN Configuration

The EdgeSwitch VLAN configuration was straightforward, following the excellent EdgeMAX – VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology tutorial. Everything was configured using the EdgeSwitch GUI. The network diagram (see above) was indispensable for mapping everything out and configuring the EdgeSwitch. Note: the following screen grab shows the VLAN Wizard, which I didn't use; it is shown here because it's a compact display of the VLAN port settings:

Ubiquiti Edgeswitch VLAN Port Configuration

Migrating from a WiFi Router to an EdgeRouter Lite and UniFi Access Point

My old network consisted of a cable modem, a Netgear WNDR 4500 WiFi router and a Netgear 24 port switch in a "flat network" configuration, meaning no VLANs. I set up the EdgeRouter, EdgeSwitch and UniFi AP-AC access point in parallel with the old network because it would take time to tune the new network and migrate all the network clients.

My wife's and kids' smartphones, tablets, laptops and Roku players only use WiFi, and I didn't want to disrupt their Internet access while configuring the new network. I therefore plugged the Netgear WiFi router's WAN/Internet port into the EdgeRouter Lite eth2 LAN port and it just "worked"! (Recall eth2 "Local 2" was configured via the WAN+2LAN Wizard.) I hadn't configured port forwarding on the Netgear router (it would have been blocked by the EdgeRouter firewall anyway), so remote access wasn't a concern. The old Netgear WiFi router is shown at the top right of the following diagram:

Ubiquiti EdgeRouter Lite SOHO Network Migration with Consumer-grade WiFi Router

A picture of my messy wall rack with the old and new network gear during the EdgeRouter migration. The Netgear WiFi router is mostly hidden behind the rack on the bottom shelf. I’ve yet to mount the UniFi Access Point to the hallway ceiling:

Home Network Migration from WiFi Router to EdgeRouter Lite

And the wall rack after the network migration is complete:

EdgeRouter Lite Home Network Wall Rack

EdgeRouter Lite Configuration

Some key points about my setup are:

  • The EdgeRouter is the DNS, DHCP, NTP and OpenVPN server.
  • VLANs are configured to partition the network by functional area: Video (security cameras), VoIP, IoT, Home and Guest Wifi, etc.
    • VLANs also make it easier to configure highly specific firewall rules.
  • All unsolicited (state = new) connections from the Internet are dropped by default.
    • Only OpenVPN connections are allowed in from the Internet.
  • Guest WiFi is isolated from the LAN and can only reach the Internet.
  • Security cameras on the Video VLAN are isolated: they cannot make new connections to the Internet, nor to the VLANs listed in the VIDEO_VLAN_BLOCK_NETS group.
    This prevents a rogue or malware-infected camera from autonomously sending traffic to the Internet, possibly leaking private information or participating in a DDoS attack.
  • Firewall rules block BOGONS and various scanners including Shodan.io and ShadowServer.org.
    Blocking scanners is a whack-a-mole job; I update the block lists by monitoring the log (/var/log/messages).
  • UPnP is not enabled due to security vulnerabilities.
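
The whack-a-mole block-list maintenance above can be partly scripted. One point to check first: in the configuration that follows, log enable is set only on the rules that match addresses already in the Shodan, Blocklist and BOGONS groups, so /var/log/messages shows hits from sources that are already blocked. To see new scanners, the ruleset's default drop has to be logged as well (set firewall name WAN_LOCAL enable-default-log, and likewise for WAN_IN). The following Python script is an added example, not code from the original page. It parses EdgeOS firewall log lines (constructed here; the [RULESET-RULE-ACTION] tag format is assumed and should be checked against your own log), counts default-drop hits per source, ignores sources that are already in the address-group, and prints the set commands for repeat offenders:

```python
"""Mine EdgeOS firewall logs for new scanners and emit block-list commands.

Added example, not code from the original page.  Assumptions: EdgeOS tags
each logged packet "[RULESET-RULE-ACTION]" (RULE is a number or "default",
ACTION is A, D or R) followed by netfilter's KEY=VALUE fields, and the
ruleset's default drop is being logged (enable-default-log).  Check the tag
format against your own /var/log/messages before trusting the output.
"""
import re
from collections import Counter, defaultdict

# Log tag plus the SRC= field; DPT= is read separately because ICMP has none.
LOG_RE = re.compile(
    r"\[(?P<ruleset>[A-Za-z0-9_-]+?)-(?P<rule>\d+|default)-(?P<action>[ADR])\]"
    r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
DPT_RE = re.compile(r"\bDPT=(\d+)")

# Constructed sample lines, not real traffic.  Sources are documentation
# addresses except 71.6.165.200, which is already in the page's Shodan group.
MAC = "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00"
SAMPLE_LOG = f"""\
Oct 12 03:14:07 MyER3 kernel: [WAN_LOCAL-50-D]IN=eth0 OUT= MAC={MAC} SRC=71.6.165.200 DST=192.0.2.10 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 SYN
Oct 12 03:14:09 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC={MAC} SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=2 PROTO=TCP SPT=51000 DPT=23 SYN
Oct 12 03:14:11 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC={MAC} SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=3 PROTO=TCP SPT=51001 DPT=2323 SYN
Oct 12 03:14:12 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC={MAC} SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=4 PROTO=TCP SPT=51002 DPT=8080 SYN
Oct 12 03:15:40 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC={MAC} SRC=198.51.100.5 DST=192.0.2.10 LEN=84 TTL=60 ID=5 PROTO=ICMP TYPE=8 CODE=0
Oct 12 03:16:02 MyER3 dhcpd: DHCPACK on 10.10.4.51 to 00:11:22:33:44:55 via eth1.40
"""


def parse_drops(log_text):
    """Yield (ruleset, rule, src, dpt) for every logged drop; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action") != "D":
            continue
        dpt = DPT_RE.search(line)
        yield m.group("ruleset"), m.group("rule"), m.group("src"), (int(dpt.group(1)) if dpt else None)


def new_scanner_candidates(log_text, already_blocked, min_hits=3):
    """Map source -> (hit count, sorted destination ports) for sources that
    reached the default drop at least min_hits times.  Hits on numbered rules
    are ignored: those sources are already in a block group."""
    hits, ports = Counter(), defaultdict(set)
    for _ruleset, rule, src, dpt in parse_drops(log_text):
        if rule != "default" or src in already_blocked:
            continue
        hits[src] += 1
        if dpt is not None:
            ports[src].add(dpt)
    return {src: (n, sorted(ports[src])) for src, n in hits.items() if n >= min_hits}


def set_commands(candidates, group="Shodan"):
    """EdgeOS configure-mode commands that add each candidate to the address-group."""
    return [f"set firewall group address-group {group} address {src}" for src in sorted(candidates)]


if __name__ == "__main__":
    found = new_scanner_candidates(SAMPLE_LOG, already_blocked={"71.6.165.200"})
    for src, (n, dpts) in sorted(found.items()):
        print(f"# {src}: {n} default drops, ports {dpts}")
    print("\n".join(set_commands(found)))
```

To use it on the router, replace SAMPLE_LOG with the contents of /var/log/messages (grep for kernel first to keep it small) and pass the addresses already in the group as already_blocked; then paste the printed set commands into configure mode and finish with commit and save. Sources that hit a numbered drop rule are skipped because they are already listed, and min_hits keeps single stray probes out of the list.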

My sanitized EdgeRouter Lite configuration (passwords and sensitive data replaced with generic values), as output by the ubnt@ubnt:~$ show configuration command, is:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Shodan {
            description "Shodan and other scanners"
            address 208.180.20.97
            address 198.20.69.74
            address 198.20.69.98
            address 198.20.70.114
            address 198.20.99.130
            address 93.120.27.62
            address 66.240.236.119
            address 71.6.135.131
            address 66.240.192.138
            address 71.6.167.142
            address 82.221.105.6
            address 82.221.105.7
            address 71.6.165.200
            address 188.138.9.50
            address 85.25.103.50
            address 85.25.43.94
            address 71.6.146.185
            address 71.6.158.166
            address 198.20.87.98
            address 66.240.219.146
            address 209.126.110.38
            address 104.236.198.48
            address 184.105.247.196
            address 141.212.122.112
            address 125.237.220.106
            address 192.81.128.37
            address 74.82.47.2
            address 216.218.206.66
            address 37.187.114.171
            address 184.105.139.67
            address 54.81.158.232
            address 141.212.122.144
            address 141.212.122.128
            address 54.206.70.29
        }
        network-group BOGONS {
            description BOGONS
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        network-group Blocklist {
            description "Block scanners by CIDR"
            network 74.82.47.0/24
            network 184.105.139.0/24
            network 184.105.247.0/24
            network 216.218.206.0/24
            network 185.35.62.0/24
            network 185.35.63.0/24
        }
        network-group LAN_NETWORKS {
            description "RFC1918 LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        network-group VIDEO_VLAN {
            description "Video Camera VLAN subnet"
            network 10.10.1.0/24
        }
        network-group VIDEO_VLAN_BLOCK_NETS {
            description "Drop Video Camera traffic to other VLANs"
            network 10.10.2.0/24
            network 10.10.4.0/24
            network 10.10.5.0/24
            network 10.10.6.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_PROTECT_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop LAN_NETWORKS"
            destination {
                group {
                    network-group LAN_NETWORKS
                }
            }
            protocol all
        }
    }
    name GUEST_PROTECT_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
    }
    name VIDEO_VLAN_IN {
        default-action accept
        rule 20 {
            action drop
            destination {
                group {
                    network-group VIDEO_VLAN_BLOCK_NETS
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action drop
            description "Drop BOGONS"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 40 {
            action drop
            description "Blocklisted CIDRs"
            log enable
            protocol all
            source {
                group {
                    network-group Blocklist
                }
            }
        }
        rule 50 {
            action drop
            description "Drop Shodan scanners"
            log enable
            protocol all
            source {
                group {
                    address-group Shodan
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action drop
            description "Drop Shodan scanners"
            log enable
            protocol all
            source {
                group {
                    address-group Shodan
                }
            }
        }
        rule 40 {
            action drop
            description "Drop BOGONS"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 50 {
            action drop
            description "Blocklisted CIDRs"
            log enable
            protocol all
            source {
                group {
                    network-group Blocklist
                }
            }
        }
        rule 60 {
            action accept
            description OpenVPN
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
    }
    name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Accept Established/Related security camera to WAN"
            log disable
            protocol all
            source {
                group {
                    network-group VIDEO_VLAN
                }
            }
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Block security camera initiated connections to WAN"
            log enable
            protocol all
            source {
                group {
                    network-group VIDEO_VLAN
                }
            }
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.0.1/24
        description LAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server update
        }
        duplex auto
        speed auto
        vif 10 {
            address 10.10.1.1/24
            description "Video - Security Cameras"
            firewall {
                in {
                    name VIDEO_VLAN_IN
                }
            }
            mtu 1500
        }
        vif 20 {
            address 10.10.2.1/24
            description "VoIP - Vonage ATA"
            mtu 1500
        }
        vif 30 {
            address 10.10.3.1/24
            description "WLAN Private"
            mtu 1500
        }
        vif 40 {
            address 10.10.4.1/24
            description "WLAN Guest"
            firewall {
                in {
                    name GUEST_PROTECT_IN
                }
                local {
                    name GUEST_PROTECT_LOCAL
                }
            }
            mtu 1500
        }
        vif 50 {
            address 10.10.5.1/24
            description "IoT - Home Automation Controller"
            mtu 1500
        }
        vif 60 {
            address 10.10.6.1/24
            description "Gaming & General Use"
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        description "OpenVPN server"
        hash sha256
        local-port 443
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--tls-auth /config/auth/ta.key 0"
        openvpn-option "--verb 5"
        openvpn-option --tls-server
        openvpn-option "--cipher AES-256-CBC"
        openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
        openvpn-option --float
        protocol tcp-passive
        server {
            name-server 10.10.0.1
            push-route 10.10.0.0/24
            push-route 10.10.1.0/24
            push-route 10.10.5.0/24
            subnet 10.99.99.0/24
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/server.pem
            dh-file /config/auth/dh2048.pem
            key-file /config/auth/server.key
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.10.0.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.0.38 {
                    stop 10.10.0.243
                }
                static-mapping MyAPAC_UniFi_AP-AC {
                    ip-address 10.10.0.3
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        shared-network-name VLAN10_Video {
            authoritative disable
            subnet 10.10.1.0/24 {
                default-router 10.10.1.1
                dns-server 10.10.1.1
                lease 86400
                start 10.10.1.50 {
                    stop 10.10.1.60
                }
            }
        }
        shared-network-name VLAN20_VoIP {
            authoritative disable
            subnet 10.10.2.0/24 {
                default-router 10.10.2.1
                dns-server 10.10.2.1
                lease 86400
                start 10.10.2.50 {
                    stop 10.10.2.100
                }
                static-mapping Vonage_ATA {
                    ip-address 10.10.2.2
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name VLAN30_WLAN_Private {
            authoritative disable
            subnet 10.10.3.0/24 {
                default-router 10.10.3.1
                dns-server 10.10.3.1
                lease 86400
                start 10.10.3.50 {
                    stop 10.10.3.100
                }
                static-mapping EPSON_PRINTER_HOST_NAME {
                    ip-address 10.10.3.2
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name VLAN40_WLAN_Guest {
            authoritative disable
            subnet 10.10.4.0/24 {
                default-router 10.10.4.1
                dns-server 10.10.4.1
                lease 86400
                start 10.10.4.50 {
                    stop 10.10.4.75
                }
            }
        }
        shared-network-name VLAN50_IoT {
            authoritative disable
            subnet 10.10.5.0/24 {
                default-router 10.10.5.1
                dns-server 10.10.5.1
                lease 86400
                start 10.10.5.1 {
                    stop 10.10.5.10
                }
            }
        }
        shared-network-name VLAN60_Gaming {
            authoritative disable
            subnet 10.10.6.0/24 {
                default-router 10.10.6.1
                dns-server 10.10.6.1
                lease 86400
                start 10.10.6.50 {
                    stop 10.10.6.100
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name MyER3.dyndns.org
                    login MyLoginName
                    password *********
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on eth1.10
            listen-on eth1.20
            listen-on eth1.30
            listen-on eth1.40
            listen-on eth1.50
            listen-on eth1.60
            listen-on vtun0
        }
    }
    gui {
        http-port 80
        https-port 8443
        older-ciphers disable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name MyER3
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password
            }
            full-name Bob
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}

The above “pretty print” configuration is for human eyes only and cannot be typed into the CLI as commands (it is the same syntax as the router's own /config/config.boot, which the load command reads as a whole file). The commands you can paste into configure mode are displayed by ubnt@ubnt:~$ show configuration commands, which outputs a long list of set statements; after pasting them, finish with commit and save:

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group address-group Shodan description 'Shodan and other scanners'
set firewall group address-group Shodan address 208.180.20.97
set firewall group address-group Shodan address 198.20.69.74
...etc
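
The set-command form is also the easiest one to audit by script. The following Python example is added here and is not code from the original page. It parses a constructed excerpt of the configuration above in set form (the real show configuration commands output is much longer) and runs two checks worth making on this design. First, VIDEO_VLAN_IN has default-action accept and its only rule drops destinations in VIDEO_VLAN_BLOCK_NETS, which lists 10.10.2.0/24, 10.10.4.0/24, 10.10.5.0/24 and 10.10.6.0/24; the check lists every other locally attached subnet the cameras can still open connections to (the LAN on eth1, WLAN Private on eth1.30, Local 2 on eth2 and the OpenVPN subnet), so you can decide per subnet whether that is intended, for example if a recorder lives on the LAN. Second, it flags any DHCP pool whose start..stop range includes the subnet's own default-router address, which is the case for VLAN50_IoT above (start 10.10.5.1, default-router 10.10.5.1).

```python
"""Audit an EdgeOS configuration from its 'show configuration commands' form.

Added example, not code from the original page.  SAMPLE_SET_COMMANDS is a
constructed excerpt of the page's configuration in set form.
"""
import ipaddress
import shlex

SAMPLE_SET_COMMANDS = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 10.10.0.1/24
set interfaces ethernet eth1 vif 10 address 10.10.1.1/24
set interfaces ethernet eth1 vif 10 firewall in name VIDEO_VLAN_IN
set interfaces ethernet eth1 vif 20 address 10.10.2.1/24
set interfaces ethernet eth1 vif 30 address 10.10.3.1/24
set interfaces ethernet eth1 vif 40 address 10.10.4.1/24
set interfaces ethernet eth1 vif 50 address 10.10.5.1/24
set interfaces ethernet eth1 vif 60 address 10.10.6.1/24
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces openvpn vtun0 server subnet 10.99.99.0/24
set firewall group network-group VIDEO_VLAN_BLOCK_NETS description 'Drop Video Camera traffic to other VLANs'
set firewall group network-group VIDEO_VLAN_BLOCK_NETS network 10.10.2.0/24
set firewall group network-group VIDEO_VLAN_BLOCK_NETS network 10.10.4.0/24
set firewall group network-group VIDEO_VLAN_BLOCK_NETS network 10.10.5.0/24
set firewall group network-group VIDEO_VLAN_BLOCK_NETS network 10.10.6.0/24
set firewall name VIDEO_VLAN_IN default-action accept
set firewall name VIDEO_VLAN_IN rule 20 action drop
set firewall name VIDEO_VLAN_IN rule 20 destination group network-group VIDEO_VLAN_BLOCK_NETS
set service dhcp-server shared-network-name LAN1 subnet 10.10.0.0/24 default-router 10.10.0.1
set service dhcp-server shared-network-name LAN1 subnet 10.10.0.0/24 start 10.10.0.38 stop 10.10.0.243
set service dhcp-server shared-network-name VLAN50_IoT subnet 10.10.5.0/24 default-router 10.10.5.1
set service dhcp-server shared-network-name VLAN50_IoT subnet 10.10.5.0/24 start 10.10.5.1 stop 10.10.5.10
"""


def parse_set_commands(text):
    """Pull interface subnets, network-groups, firewall rules and DHCP pools
    out of set commands; every other line is ignored."""
    cfg = {"subnets": {}, "groups": {}, "defaults": {}, "rules": {}, "dhcp": {}}
    for line in text.splitlines():
        w = shlex.split(line)  # keeps quoted descriptions as one word
        if len(w) < 4 or w[0] != "set":
            continue
        w = w[1:]
        if w[0] == "interfaces" and w[-2] in ("address", "subnet") and "/" in w[-1]:
            cfg["subnets"][" ".join(w[1:-2])] = ipaddress.ip_network(w[-1], strict=False)
        elif w[:3] == ["firewall", "group", "network-group"] and len(w) == 6 and w[4] == "network":
            cfg["groups"].setdefault(w[3], set()).add(ipaddress.ip_network(w[5]))
        elif w[:2] == ["firewall", "name"] and len(w) == 5 and w[3] == "default-action":
            cfg["defaults"][w[2]] = w[4]
        elif w[:2] == ["firewall", "name"] and len(w) >= 7 and w[3] == "rule":
            # e.g. rules["VIDEO_VLAN_IN"]["20"]["destination group network-group"] = "VIDEO_VLAN_BLOCK_NETS"
            cfg["rules"].setdefault(w[2], {}).setdefault(w[4], {})[" ".join(w[5:-1])] = w[-1]
        elif w[:3] == ["service", "dhcp-server", "shared-network-name"] and len(w) >= 8 and w[4] == "subnet":
            pool = cfg["dhcp"].setdefault(w[3], {"subnet": w[5]})
            if w[6] == "default-router":
                pool["router"] = w[7]
            elif w[6] == "start" and len(w) == 10:
                pool["start"], pool["stop"] = w[7], w[9]
    return cfg


def isolation_gaps(cfg, ruleset, protected_net):
    """Locally attached subnets that hosts on protected_net can still open
    connections to despite the ruleset's drop rules.  With default-action
    drop there is nothing to report; with default-action accept, anything
    not inside a drop rule's destination network-group is reachable."""
    protected = ipaddress.ip_network(protected_net)
    if cfg["defaults"].get(ruleset) == "drop":
        return []
    blocked = set()
    for rule in cfg["rules"].get(ruleset, {}).values():
        if rule.get("action") == "drop":
            blocked |= cfg["groups"].get(rule.get("destination group network-group"), set())
    return sorted(
        (path, str(net))
        for path, net in cfg["subnets"].items()
        if net != protected and not any(net.subnet_of(b) for b in blocked)
    )


def dhcp_pools_containing_router(cfg):
    """DHCP pools whose start..stop range includes the subnet's own default-router."""
    bad = []
    for name, pool in cfg["dhcp"].items():
        if not all(k in pool for k in ("router", "start", "stop")):
            continue
        router, start, stop = (ipaddress.ip_address(pool[k]) for k in ("router", "start", "stop"))
        if start <= router <= stop:
            bad.append((name, pool["router"]))
    return sorted(bad)


if __name__ == "__main__":
    cfg = parse_set_commands(SAMPLE_SET_COMMANDS)
    for path, net in isolation_gaps(cfg, "VIDEO_VLAN_IN", "10.10.1.0/24"):
        print(f"cameras can still open connections to {net} ({path})")
    for name, router in dhcp_pools_containing_router(cfg):
        print(f"DHCP pool {name} hands out its own default-router {router}")
```

Feed it the full show configuration commands output to audit the real router. Closing a reported gap is one more set firewall group network-group VIDEO_VLAN_BLOCK_NETS network line per subnet (the VPN subnet only needs replies, which rule 10 of WAN_OUT and the accept default already permit). One path the audit does not see: the DNS forwarder listens on eth1.10, so cameras can still resolve names, and the router makes those upstream queries with its own address as source, which the VIDEO_VLAN rules in WAN_OUT do not match.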

EdgeRouter Lite Configuration Download Files

The configuration files can be downloaded for study and/or to configure your EdgeRouter.

This project is continued in EdgeRouter Lite SOHO Network Firewall Rules.

Thanks,

Bob

Copyright © 2016 HandymanHowTo.com   Reproduction strictly prohibited.
