Ubiquiti EdgeRouter Lite SOHO Network Configuration

Home Networking | 20 Comments

This project explains my SOHO network configuration for a factory-new Ubiquiti EdgeRouter Lite, with firewall rules and VLANs. As described in the project introduction, I drew the SOHO network design diagram before taking the EdgeRouter Lite (ER3) out of the box:

Ubiquiti EdgeRouter Lite Network Diagram


Project series index:

Ubiquiti EdgeRouter Lite SOHO Network Configuration

Factory New Startup Config: WAN+2LAN Wizard

The EdgeRouter Lite (ER3) was initially configured using the WAN+2LAN Wizard (see Chapter 12 in the EdgeOS User Guide). My Windows 10 desktop computer was manually configured with the static IP address 192.168.1.100 and connected to port eth0 per the Quick Start Guide. I opened a web browser, entered the ER3 URL https://192.168.1.1/ and logged in with the default ubnt/ubnt user name and password. The WAN+2LAN Wizard is very simple and configures eth1 as the WAN/Internet port. Make sure the default ubnt password is changed at this point (the wizard can create a new admin user, or use the Users tab in the GUI), because the router is about to be connected to the Internet and the default credentials are printed in every manual. After running the wizard I began customizing the configuration, partly in the ER3 web GUI but mostly via the Command Line Interface (CLI). I prefer the CLI for configuring firewall rules because I find the GUI firewall editor confusing.

Per the above diagram my ER3 interfaces (Ethernet ports) are:

  • eth0 – Internet WAN to the cable modem. My ISP assigns a DHCP address.
  • eth1 – LAN to the EdgeSwitch 24, subnet 10.10.0.1/24 (the DHCP pool is 10.10.0.38 to 10.10.0.243; see the configuration below).
  • eth2 – Local 2 to the NetGear WiFi router I was using before buying the ER3, with the wizard's default 192.168.2.1/24 subnet.

The interface Description and IP address scheme are changed by selecting Dashboard > Actions > Config for eth1 and eth0 respectively:

EdgeRouter Lite Interface Configuration for eth0


Because I changed the interface IP addresses, my desktop computer was disconnected when the changes were saved. I set my Windows 10 PC back to DHCP and connected eth0 to the cable modem. The cable modem had to be rebooted before it would pick up the EdgeRouter's MAC address and hand out a new DHCP WAN IP address.

The EdgeRouter port eth1 is connected to the EdgeSwitch port eth0. The desktop PC is connected to the EdgeSwitch port eth2 which gives me access to the EdgeRouter to continue customizing router and switch configuration.

Ubiquiti EdgeSwitch VLAN Configuration

The EdgeSwitch VLAN configuration was straightforward by following the excellent EdgeMAX – VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology tutorial. Everything was configured using the EdgeSwitch GUI. The network diagram (see above) was indispensable for mapping everything out and configuring the EdgeSwitch. Note: the following screen grab shows the VLAN Wizard, which I didn't use; it is shown here because it's a compact display of the VLAN port settings:

Ubiquiti Edgeswitch VLAN Port Configuration


Migrating from a WiFi Router to an EdgeRouter Lite and UniFi Access Point

My old network consisted of a cable modem, a Netgear WNDR 4500 WiFi router and a Netgear 24 port switch in a "flat network" configuration, meaning no VLANs. I set up the EdgeRouter, EdgeSwitch and UniFi AP-AC access point in parallel with the old network because it would take time to tune the new network and migrate all the network clients.

My wife's and kids' smartphones, tablets, laptops and Roku players only use WiFi and I didn't want to disrupt their Internet access while configuring the new network. I therefore plugged the Netgear WiFi router's WAN/Internet port into the EdgeRouter Lite eth2 LAN port and it just "worked"! (Recall that eth2 "Local 2" was configured by the WAN+2LAN Wizard.) The Netgear is double-NATed behind the ER3 in this arrangement, which is harmless for clients that only browse out. I hadn't configured port forwarding on the Netgear router, and the EdgeRouter's WAN_IN ruleset would have dropped inbound connections to it anyway, so remote access wasn't a concern. The old Netgear WiFi router is shown at the top right of the following diagram:

Ubiquiti EdgeRouter Lite SOHO Network Migration with Consumer-grade WiFi Router


A picture of my messy wall rack with the old and new network gear during the EdgeRouter migration. The Netgear WiFi router is mostly hidden behind the rack on the bottom shelf. I’ve yet to mount the UniFi Access Point to the hallway ceiling:

Home Network Migration from WiFi Router to EdgeRouter Lite


And the wall rack after the network migration is complete:

EdgeRouter Lite Home Network Wall Rack


EdgeRouter Lite Configuration

Some key points about my setup are:

  • The EdgeRouter is the DNS, DHCP, NTP and OpenVPN server.
  • VLANs partition the network by functional area: Video (security cameras), VoIP, IoT, Home and Guest WiFi, etc.
    • Because each functional area is its own subnet, VLANs also make it easier to write highly specific firewall rules.
  • All unsolicited (state = new) connections from the Internet are dropped by default: WAN_IN and WAN_LOCAL both have default-action drop.
    • The only exception is TCP port 443 to the router itself, for OpenVPN (WAN_LOCAL rule 60).
  • Guest WiFi is isolated from the LAN and can only reach the Internet: GUEST_PROTECT_IN drops anything addressed to the RFC 1918 LAN_NETWORKS group, and GUEST_PROTECT_LOCAL lets guests reach the router only for DNS and DHCP (UDP 53 and 67).
    • Caveat: only UDP 53 is allowed, so a DNS answer too large for UDP, which the client retries over TCP 53, fails for guests. This is rare with EDNS but worth remembering when a guest device reports odd DNS failures.
  • Security cameras on the Video VLAN cannot make new connections to the Internet (WAN_OUT rule 20) nor to the VoIP, Guest, IoT and Gaming VLANs (VIDEO_VLAN_IN rule 20).
    This prevents a rogue or malware-infected camera from autonomously sending traffic to the Internet, possibly leaking private information or participating in a DDoS attack.
    • Caveat: VIDEO_VLAN_BLOCK_NETS does not include the LAN (10.10.0.0/24), WLAN Private (10.10.3.0/24) or Local 2 (192.168.2.0/24) subnets, so a camera can still open connections to hosts there. Add those networks to the group if nothing on them needs to be reached from a camera. Note also that rule 20 has no state match, so it drops the cameras' replies as well; a host on one of the blocked VLANs cannot open a connection to a camera either.
  • Firewall rules block BOGONS and various scanners including Shodan.io and ShadowServer.org.
    Blocking scanners is a whack-a-mole job and I update the block lists by monitoring the log (/var/log/messages). Since WAN_IN and WAN_LOCAL already drop everything unsolicited, rules 30 to 50 mainly add logging so the scanner hits are visible; in WAN_LOCAL they also keep listed scanners away from the OpenVPN port before rule 60 can accept them.
  • UPnP is not enabled: it lets any device on the LAN open inbound ports on the router without authentication, which would undo the default-drop policy.

My sanitized EdgeRouter Lite configuration (passwords and sensitive data replaced with generic values), as output by the ubnt@ubnt:~$ show configuration command, is below. A few things to check before reusing it on your own router:

  • No DHCP pool may include its subnet's gateway address. The VLAN50_IoT pool, for example, must start at 10.10.5.2 or higher, not at 10.10.5.1, which is the router's own address on that VLAN.
  • eth1 still carries a dhcp-options block left over from the wizard, when eth1 was the DHCP WAN port. It does nothing with a static address and can be deleted.
  • The OpenVPN server enables --comp-lzo. Compression inside a TLS tunnel lets an attacker who can inject chosen plaintext into the tunnel recover secrets (the VORACLE attack against OpenVPN, 2018); disable it unless your clients require it. The pinned tls-cipher DHE-RSA-AES256-SHA is a SHA-1 CBC suite; if your clients support it, an AES-GCM TLS 1.2 suite such as TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 is the better choice.
  • SSH (port 22) and the web GUI (ports 80 and 8443) listen on every interface. WAN_LOCAL and GUEST_PROTECT_LOCAL keep them away from the Internet and from guests, but the Video, VoIP, IoT and Gaming VLANs have no local ruleset, so any device on them can reach the router's management services. Restricting the listen addresses to the LAN gateway (CDR Scowl's suggestion in the comments) closes that gap.
  • The ubnt account is still present. Keep it only with a strong password, or replace it with your own admin user.

The configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Shodan {
            description "Shodan and other scanners"
            address 208.180.20.97
            address 198.20.69.74
            address 198.20.69.98
            address 198.20.70.114
            address 198.20.99.130
            address 93.120.27.62
            address 66.240.236.119
            address 71.6.135.131
            address 66.240.192.138
            address 71.6.167.142
            address 82.221.105.6
            address 82.221.105.7
            address 71.6.165.200
            address 188.138.9.50
            address 85.25.103.50
            address 85.25.43.94
            address 71.6.146.185
            address 71.6.158.166
            address 198.20.87.98
            address 66.240.219.146
            address 209.126.110.38
            address 104.236.198.48
            address 184.105.247.196
            address 141.212.122.112
            address 125.237.220.106
            address 192.81.128.37
            address 74.82.47.2
            address 216.218.206.66
            address 37.187.114.171
            address 184.105.139.67
            address 54.81.158.232
            address 141.212.122.144
            address 141.212.122.128
            address 54.206.70.29
        }
        network-group BOGONS {
            description BOGONS
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        network-group Blocklist {
            description "Block scanners by CIDR"
            network 74.82.47.0/24
            network 184.105.139.0/24
            network 184.105.247.0/24
            network 216.218.206.0/24
            network 185.35.62.0/24
            network 185.35.63.0/24
        }
        network-group LAN_NETWORKS {
            description "RFC1918 LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        network-group VIDEO_VLAN {
            description "Video Camera VLAN subnet"
            network 10.10.1.0/24
        }
        network-group VIDEO_VLAN_BLOCK_NETS {
            description "Drop Video Camera traffic to other VLANs"
            network 10.10.2.0/24
            network 10.10.4.0/24
            network 10.10.5.0/24
            network 10.10.6.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_PROTECT_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop LAN_NETWORKS"
            destination {
                group {
                    network-group LAN_NETWORKS
                }
            }
            protocol all
        }
    }
    name GUEST_PROTECT_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
    }
    name VIDEO_VLAN_IN {
        default-action accept
        rule 20 {
            action drop
            destination {
                group {
                    network-group VIDEO_VLAN_BLOCK_NETS
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action drop
            description "Drop BOGONS"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 40 {
            action drop
            description "Blocklisted CIDRs"
            log enable
            protocol all
            source {
                group {
                    network-group Blocklist
                }
            }
        }
        rule 50 {
            action drop
            description "Drop Shodan scanners"
            log enable
            protocol all
            source {
                group {
                    address-group Shodan
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action drop
            description "Drop Shodan scanners"
            log enable
            protocol all
            source {
                group {
                    address-group Shodan
                }
            }
        }
        rule 40 {
            action drop
            description "Drop BOGONS"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 50 {
            action drop
            description "Blocklisted CIDRs"
            log enable
            protocol all
            source {
                group {
                    network-group Blocklist
                }
            }
        }
        rule 60 {
            action accept
            description OpenVPN
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
    }
    name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Accept Established/Related security camera to WAN"
            log disable
            protocol all
            source {
                group {
                    network-group VIDEO_VLAN
                }
            }
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Block security camera initiated connections to WAN"
            log enable
            protocol all
            source {
                group {
                    network-group VIDEO_VLAN
                }
            }
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.0.1/24
        description LAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server update
        }
        duplex auto
        speed auto
        vif 10 {
            address 10.10.1.1/24
            description "Video - Security Cameras"
            firewall {
                in {
                    name VIDEO_VLAN_IN
                }
            }
            mtu 1500
        }
        vif 20 {
            address 10.10.2.1/24
            description "VoIP - Vonage ATA"
            mtu 1500
        }
        vif 30 {
            address 10.10.3.1/24
            description "WLAN Private"
            mtu 1500
        }
        vif 40 {
            address 10.10.4.1/24
            description "WLAN Guest"
            firewall {
                in {
                    name GUEST_PROTECT_IN
                }
                local {
                    name GUEST_PROTECT_LOCAL
                }
            }
            mtu 1500
        }
        vif 50 {
            address 10.10.5.1/24
            description "IoT - Home Automation Controller"
            mtu 1500
        }
        vif 60 {
            address 10.10.6.1/24
            description "Gaming & General Use"
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        description "OpenVPN server"
        hash sha256
        local-port 443
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--tls-auth /config/auth/ta.key 0"
        openvpn-option "--verb 5"
        openvpn-option --tls-server
        openvpn-option "--cipher AES-256-CBC"
        openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
        openvpn-option --float
        protocol tcp-passive
        server {
            name-server 10.10.0.1
            push-route 10.10.0.0/24
            push-route 10.10.1.0/24
            push-route 10.10.5.0/24
            subnet 10.99.99.0/24
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/server.pem
            dh-file /config/auth/dh2048.pem
            key-file /config/auth/server.key
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.10.0.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.0.38 {
                    stop 10.10.0.243
                }
                static-mapping MyAPAC_UniFi_AP-AC {
                    ip-address 10.10.0.3
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        shared-network-name VLAN10_Video {
            authoritative disable
            subnet 10.10.1.0/24 {
                default-router 10.10.1.1
                dns-server 10.10.1.1
                lease 86400
                start 10.10.1.50 {
                    stop 10.10.1.60
                }
            }
        }
        shared-network-name VLAN20_VoIP {
            authoritative disable
            subnet 10.10.2.0/24 {
                default-router 10.10.2.1
                dns-server 10.10.2.1
                lease 86400
                start 10.10.2.50 {
                    stop 10.10.2.100
                }
                static-mapping Vonage_ATA {
                    ip-address 10.10.2.2
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name VLAN30_WLAN_Private {
            authoritative disable
            subnet 10.10.3.0/24 {
                default-router 10.10.3.1
                dns-server 10.10.3.1
                lease 86400
                start 10.10.3.50 {
                    stop 10.10.3.100
                }
                static-mapping EPSON_PRINTER_HOST_NAME {
                    ip-address 10.10.3.2
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name VLAN40_WLAN_Guest {
            authoritative disable
            subnet 10.10.4.0/24 {
                default-router 10.10.4.1
                dns-server 10.10.4.1
                lease 86400
                start 10.10.4.50 {
                    stop 10.10.4.75
                }
            }
        }
        shared-network-name VLAN50_IoT {
            authoritative disable
            subnet 10.10.5.0/24 {
                default-router 10.10.5.1
                dns-server 10.10.5.1
                lease 86400
                start 10.10.5.1 {
                    stop 10.10.5.10
                }
            }
        }
        shared-network-name VLAN60_Gaming {
            authoritative disable
            subnet 10.10.6.0/24 {
                default-router 10.10.6.1
                dns-server 10.10.6.1
                lease 86400
                start 10.10.6.50 {
                    stop 10.10.6.100
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name MyER3.dyndns.org
                    login MyLoginName
                    password *********
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on eth1.10
            listen-on eth1.20
            listen-on eth1.30
            listen-on eth1.40
            listen-on eth1.50
            listen-on eth1.60
            listen-on vtun0
        }
    }
    gui {
        http-port 80
        https-port 8443
        older-ciphers disable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name MyER3
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password
            }
            full-name Bob
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
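Two of the claims in the key points above can be checked mechanically against this dump instead of by eye. The following Python script is an added example written for this page; it is not part of the post or of EdgeOS. It parses the brace format that show configuration prints, then reports which interface subnets the camera VLAN can still initiate connections to despite VIDEO_VLAN_IN (a subnet is only blocked if the VIDEO_VLAN_BLOCK_NETS group covers it), and which DHCP pools contain their own default-router. The embedded configuration is a constructed, abridged copy of the group, the interfaces and the VLAN50_IoT pool from the dump above; the function names are mine.

```python
"""Check two isolation claims against an EdgeOS 'show configuration' dump.

Added example, not part of the post or of EdgeOS: it parses the brace format
'show configuration' prints ('name {' opens, 'key value' is a leaf, '}' closes).
"""
import ipaddress

# Constructed, abridged copy of the post's group, interfaces and IoT DHCP pool;
# a real run would read the full dump from a file instead.
SAMPLE_CONFIG = """
firewall {
    group {
        network-group VIDEO_VLAN_BLOCK_NETS {
            network 10.10.2.0/24
            network 10.10.4.0/24
            network 10.10.5.0/24
            network 10.10.6.0/24
        }
    }
}
interfaces {
    ethernet eth1 {
        address 10.10.0.1/24
        vif 10 {
            address 10.10.1.1/24
        }
        vif 30 {
            address 10.10.3.1/24
        }
        vif 50 {
            address 10.10.5.1/24
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
    }
}
service {
    dhcp-server {
        shared-network-name VLAN50_IoT {
            subnet 10.10.5.0/24 {
                default-router 10.10.5.1
                start 10.10.5.1 {
                    stop 10.10.5.10
                }
            }
        }
    }
}
"""

def parse_config(text):
    """Flatten the brace format into (path, key, value) leaf triples."""
    leaves, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line:
            key, _, value = line.partition(" ")
            leaves.append((tuple(stack), key, value.strip('"')))
    return leaves

def network_group(leaves, name):
    """Networks listed under 'network-group <name>'."""
    return [ipaddress.ip_network(v) for path, k, v in leaves
            if k == "network" and path and path[-1] == f"network-group {name}"]

def interface_subnets(leaves):
    """Map 'ethernet eth1/vif 10' style names to their configured subnets."""
    return {"/".join(path[1:]): ipaddress.ip_interface(v).network
            for path, k, v in leaves
            if k == "address" and path[:1] == ("interfaces",) and "/" in v}

def reachable_from(leaves, iface, group):
    """Other interfaces whose subnet the 'in' ruleset's block group misses."""
    subnets, blocked = interface_subnets(leaves), network_group(leaves, group)
    own = subnets[iface]
    return sorted(name for name, net in subnets.items()
                  if net != own and not any(net.subnet_of(b) for b in blocked))

def pools_including_gateway(leaves):
    """DHCP pools whose start..stop range contains the subnet's default-router."""
    routers = {path: v for path, k, v in leaves if k == "default-router"}
    bad = []
    for path, k, v in leaves:
        if k == "stop":  # path ends with ('subnet X', 'start Y')
            start = ipaddress.ip_address(path[-1].split()[1])
            gateway = ipaddress.ip_address(routers[path[:-1]])
            if start <= gateway <= ipaddress.ip_address(v):
                bad.append((path[-2], str(gateway)))
    return bad

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("cameras may still initiate to:",
          reachable_from(cfg, "ethernet eth1/vif 10", "VIDEO_VLAN_BLOCK_NETS"))
    print("pools containing their gateway:", pools_including_gateway(cfg))
```

On the sample it reports ethernet eth1 (LAN), ethernet eth1/vif 30 (WLAN Private) and ethernet eth2 (Local 2) as still reachable from the cameras, and flags the VLAN50_IoT pool because it starts at the gateway address 10.10.5.1. To run it against a real router, save the ubnt@ubnt:~$ show configuration output to a file and pass its contents to parse_config.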

The above "pretty print" output is the same format as /config/config.boot; it can be restored in configure mode with the load command, but it cannot be pasted into the CLI as commands. The executable EdgeRouter commands are displayed by ubnt@ubnt:~$ show configuration commands, which outputs a long list of set statements that can be pasted into configure and committed:

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group address-group Shodan description 'Shodan and other scanners'
set firewall group address-group Shodan address 208.180.20.97
set firewall group address-group Shodan address 198.20.69.74
...etc
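The Shodan and Blocklist groups are maintained by hand from the log lines that rules with log enable produce. As an added example for this page (my own script, not the post author's tooling or anything shipped with EdgeOS), the Python below automates the first step: it parses the [RULESET-RULE-ACTION] prefix that the kernel LOG target writes to /var/log/messages, keeps the drops seen on eth0, treats a source that probed three or more distinct destination ports as a scanner, skips sources already covered by the Shodan address-group or a Blocklist CIDR, and prints new set commands in exactly the format shown above. The log lines and the abridged group contents are constructed for the example, the sample sources use RFC 5737 documentation ranges (which the BOGONS group would drop on a real router, where the log shows routable addresses), and the three-port threshold is my own heuristic.

```python
"""Turn logged WAN drops into 'set' commands for the scanner address-group.

Added example, not the post author's tooling. It assumes the kernel LOG line
format EdgeOS writes to /var/log/messages for rules with 'log enable', with a
[RULESET-RULE-ACTION] prefix (action D = drop), and that the output is pasted
into 'configure' and committed by hand.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample. Sources use RFC 5737 documentation ranges (the post's
# BOGONS group would drop those for real); a live log shows routable addresses.
SAMPLE_LOG = """\
Dec  1 03:14:07 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=41234 DPT=23
Dec  1 03:14:09 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=41235 DPT=2323
Dec  1 03:20:11 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=41236 DPT=22
Dec  1 03:21:40 MyER3 kernel: [WAN_LOCAL-30-D]IN=eth0 OUT= SRC=71.6.135.131 DST=198.51.100.20 PROTO=TCP SPT=5000 DPT=443
Dec  1 03:21:41 MyER3 kernel: [WAN_LOCAL-30-D]IN=eth0 OUT= SRC=71.6.135.131 DST=198.51.100.20 PROTO=TCP SPT=5001 DPT=8443
Dec  1 03:21:42 MyER3 kernel: [WAN_LOCAL-30-D]IN=eth0 OUT= SRC=71.6.135.131 DST=198.51.100.20 PROTO=TCP SPT=5002 DPT=22
Dec  1 03:25:02 MyER3 kernel: [WAN_LOCAL-50-D]IN=eth0 OUT= SRC=74.82.47.5 DST=198.51.100.20 PROTO=TCP SPT=6000 DPT=80
Dec  1 03:25:03 MyER3 kernel: [WAN_LOCAL-50-D]IN=eth0 OUT= SRC=74.82.47.5 DST=198.51.100.20 PROTO=TCP SPT=6001 DPT=443
Dec  1 03:25:04 MyER3 kernel: [WAN_LOCAL-50-D]IN=eth0 OUT= SRC=74.82.47.5 DST=198.51.100.20 PROTO=UDP SPT=6002 DPT=161
Dec  1 03:30:00 MyER3 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.20 PROTO=UDP SPT=5060 DPT=5060
"""

LOG_RE = re.compile(
    r"\[(?P<ruleset>[A-Za-z0-9_]+)-(?P<rule>\w+)-(?P<action>[A-Z])\]IN=(?P<iface>\S*)"
    r".*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?")

# The post's groups, abridged to a few entries; the full lists are above.
SHODAN_ADDRESSES = {"71.6.135.131", "71.6.167.142", "82.221.105.6"}
BLOCKLIST_NETS = [ipaddress.ip_network(n) for n in
                  ("74.82.47.0/24", "184.105.139.0/24", "216.218.206.0/24")]

def parse_drops(text, wan_iface="eth0"):
    """(ruleset, src, proto, dport) for every packet dropped on the WAN interface."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "D" and m["iface"] == wan_iface:
            out.append((m["ruleset"], m["src"], m["proto"], m["dpt"] or ""))
    return out

def scanner_candidates(drops, min_ports=3):
    """Sources that probed at least min_ports distinct (proto, port) targets."""
    targets = defaultdict(set)
    for _ruleset, src, proto, dport in drops:
        targets[src].add((proto, dport))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_ports}

def already_blocked(src):
    """True if an existing group entry already covers this source."""
    addr = ipaddress.ip_address(src)
    return src in SHODAN_ADDRESSES or any(addr in net for net in BLOCKLIST_NETS)

def new_block_commands(candidates, group="Shodan"):
    """EdgeOS 'set' lines for candidates that no existing group covers."""
    return [f"set firewall group address-group {group} address {src}"
            for src in sorted(candidates, key=ipaddress.ip_address)
            if not already_blocked(src)]

if __name__ == "__main__":
    found = scanner_candidates(parse_drops(SAMPLE_LOG))
    for src, targets in found.items():
        state = "already blocked" if already_blocked(src) else "new"
        print(f"{src}: {len(targets)} ports probed, {state}")
    print("\n".join(new_block_commands(found)))
```

Paste the output into configure, then commit and save. Lines tagged with rules 30 to 50, such as [WAN_LOCAL-30-D], come from sources already in a group; already_blocked filters them out, so on the sample only 203.0.113.9 produces a set command, and the rule-30 and rule-50 hits only confirm that the lists are working. If your firmware prints a different log prefix, adjust LOG_RE.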

EdgeRouter Lite Configuration Download Files

The configuration files (the print configuration file and the CLI command file) can be downloaded for study and/or to configure your EdgeRouter.

This project is continued in EdgeRouter Lite SOHO Network Firewall Rules.

Thanks,

Bob

 

Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.

20 Comments

  1. Rashmi January 22, 2017 at 1:43 am - Reply

    This is an excellent guide, I have the same setup mostly minus the NVR. Instead of the Edgemax switch I have 2 Netgear Prosafe switches, do you know how to setup VLAN for those devices?

    Also how do I setup openVPN on edgemax Lite router, any guide would be great.

    Thanks, looking forward to more guides for Edgemax Lite.

    • Bob Jackson January 22, 2017 at 1:04 pm - Reply

      See How to Create Layer 2 VLANs on NETGEAR ProSAFE Switches at the Netgear Support site.

      There are two different OpenVPN configurations:
      1) Site-to-Site VPN for connecting EdgeRouters at two different locations or offices for routing traffic between LANs over the Internet.
      2) Client / Server VPN for remote connections from laptops, smartphones, etc. to the EdgeRouter. I configured the Client/Server VPN to remotely connect to my Edgerouter home network. This is far more secure than Port Forwarding for remote access to IP cameras and other devices.

      I’ve yet to write-up the Client/Server OpenVPN tutorial, but the basics are as follows…
      * Download and install OpenVPN.
      I downloaded the Windows 10 64-bit installer. The package includes the Easy-RSA shell scripts (i.e. Windows .bat files).
      * Follow the Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients instructions.

      The CA and keys are created on the Personal Computer (PC) instead of the Edgerouter. A PC is so much faster because it has a better CPU and does in minutes what takes nearly 1/2 hour on the Edgerouter Lite. The Root CA Key (ca.key) stays on the PC which is more secure and this file should not be kept on the EdgeRouter. See the “Key Files” table at the previous link.

      I really like the Viscosity OpenVPN client for the PC/laptop. SparkLabs (authors of Viscosity) has a nice tutorial using the EdgeMax GUI: https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-ubiquiti-edgerouter-edgeos-and-viscosity/ although I configured everything using the CLI similar to Logan Marchione’s tutorial.

      The OpenVPN learning curve is fairly steep. I studied the docs for a full day and after the initial setup I realized I’d made a mistake, tore everything down and rebuilt the setup in about an hour.

      There’s a lot of great information on the EdgeMax forums. Just take note that you’re following either the Site-to-Site or Client/Server setup.

      • Rashmi March 28, 2017 at 2:49 pm - Reply

        Should I be running a cable from 1 of my netgear switches to another? Or do you think I should separate switches?

        This is what I am thinking for VLANs:

        1. Management

        2. Video (security) – will be adding camera but contemplating whether to use insteon/foscam or use a NVR like your setup.

        3. IoT (lot of insteon devices)

        4. Home Wifi

        5. Guest Wifi

        6. Media

        I will make a diagram so you understand what I am trying to accomplish, can you send me your email address so I can post my diagram.

        Thanks

        • Bob Jackson March 28, 2017 at 7:16 pm - Reply

          > Should I be running a cable from 1 of my netgear switches to another?
          Trunking from one switch should be OK. What’s the switch model number(s)?

          My e-mail is bob[at]handymanhowto.com.

          • Rashmi March 31, 2017 at 4:47 pm - Reply

            I have Netgear Prosafe 24 port (model: GS724Tv4) and 16 port (Model: GS716Tv3) switches.

  2. Rashmi January 22, 2017 at 6:16 pm - Reply

    Thanks, I will go ahead and try openVPN installation. Is there a fee for using openVPN and what is it?

    Also I am going to make a diagram similar to yours and perhaps ask some questions regarding my setup if that is ok with you?

    Thanks again

    • Bob Jackson January 23, 2017 at 6:04 pm - Reply

      The OpenVPN download I referenced in my last reply is free as is the EdgeRouter library. The Viscosity client is optional and requires the purchase of a license.

      If you have a question about my setup I’m happy to help but it’s best to search & ask questions on the EdgeMax Support forum.

  3. CDR Scowl December 1, 2017 at 12:10 am - Reply

    Hello Bob

    Thanks again for posting this guide for the complete setup of an Edgerouter Lite.

    Here are a couple of extra settings I added to your config for my own security reasons:

    Force router administration login services to listen on specific subnets:
    set service ssh listen-address 10.10.0.1
    set service gui listen-address 10.10.0.1

    Used to ensure IPv6 is disabled:
    set system ipv6 disable
    set system ipv6 disable-forwarding
    set system ipv6 strict-dad

    BTW

    Have you made any changes to your config since you posted this setup?

  4. CDR Scowl December 1, 2017 at 12:28 am - Reply

    Sorry, I forgot this one:

    set service gui older-ciphers disable

    From Ubiquiti site: EdgeRouter software release v1.8.5 and newer support for using only newer (stronger) ciphers for HTTPS. Note that older ciphers are required for wider browser compatibility, but if that is not a concern, they can be disabled by this setting.

    • Bob Jackson December 1, 2017 at 7:31 pm - Reply

      Older ciphers are disabled. You’ll see it in the config link in the previous reply.

  5. CDr Scowl December 1, 2017 at 12:43 am - Reply

    Hi Bob

    I used these settings to enable the No-IP Dynamic DNS service to function on my router:

    Settings for No-IP Dynamic DNS Service to work (WAN is eth1):

    set service dns dynamic interface eth1 service custom-noip host-name your.domain.org
    set service dns dynamic interface eth1 service custom-noip login youruserid
    set service dns dynamic interface eth1 service custom-noip password yourpassword
    set service dns dynamic interface eth1 service custom-noip protocol noip
    set service dns dynamic interface eth1 service custom-noip server dynupdate.no-ip.com
    set system task-scheduler task dyndns_update executable arguments 'update dns dynamic interface eth1'
    set system task-scheduler task dyndns_update executable path /opt/vyatta/bin/vyatta-op-cmd-wrapper
    set system task-scheduler task dyndns_update interval 7d

    • Bob Jackson December 1, 2017 at 7:35 pm - Reply

      I use DynDNS:
      set service dns dynamic interface eth0 service dyndns host-name MyER3.dyndns.org
      set service dns dynamic interface eth0 service dyndns login
      set service dns dynamic interface eth0 service dyndns password

  6. Rashmi December 21, 2017 at 6:29 pm - Reply

    Regarding your post about not opening port forwarding except port 443, I currently have several ports open for plex (runs on freenas) which is accessed locally by my smart tv, roku, raspberry pi and also remotely via the app on my phone.

    Besides plex, I have ports open for sonarr, radarr, etc. How and what is the best way to access these applications locally?

    Thanks

    • Bob Jackson December 22, 2017 at 3:38 pm - Reply

      Not quite sure what you're wanting to do. Port Forwarding (Internet to LAN) is typically only needed for remote access to the home network, but it's not very secure.

      Instead of port forwarding, I use OpenVPN to remotely connect to my home network over port 443. A firewall rule allows port 443 traffic which is subject to immediate authentication by OpenVPN:

      set firewall name WAN_LOCAL rule 60 action accept
      set firewall name WAN_LOCAL rule 60 description OpenVPN
      set firewall name WAN_LOCAL rule 60 destination port 443
      set firewall name WAN_LOCAL rule 60 log disable
      set firewall name WAN_LOCAL rule 60 protocol tcp

      Connection attempts which lack the OpenVPN TLS authentication key are silently dropped by OpenVPN before a login attempt is possible.

      When the OpenVPN client (PC, smartphone, etc.) is successfully authenticated it behaves as if it's a local LAN client. I then access the router, security cameras, desktop PC, WiFi thermostat, Synology NAS or Plex server (if I had a Plex).

      These tutorials may help:
      * EdgeRouter Lite SOHO Network Firewall Rules
      * Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial

      Thanks,
      Bob

  7. Rashmi December 22, 2017 at 10:25 pm - Reply

    Thanks, that makes sense. Another question I have is, I am looking to purchasing a NVR (lorex 4k with 6 4k POE cameras), what is the best way to hook it up?

    Is there any benefit to hook them up to the switch as opposed to the NVR since the cameras require POE and my goal was to use CAT5e to power the camera. My current switch (Netgear Prosafe 24 port is not POE capable).

    If I do hook them up to the switch instead of NVR, how do I use the hdmi port on the nvr to view the camera if they aren’t physically attached to it?

    Also, what changes do I need to make on the Unifi AP Pro in terms of VLAN if I followed your guide, I have the newer circle AP Pro.

    Thanks

    • Bob Jackson December 23, 2017 at 6:02 pm - Reply

      If the cameras are connected to the NVR PoE ports, the cameras will be a different subnet behind the NVR. You’ll have to log into the NVR to access the cameras. Camera configuration options may be limited by whatever is supported by the NVR interface, especially if the cameras are not made by the NVR manufacturer.

      In the past, I had a Hikvision DS-7616NI-E2/8P NVR which has PoE ports and more recently a Digital Watchdog CUBE-LX which does not have PoE ports. My preference is to always connect cameras to a PoE switch for the following reasons:
      * Direct LAN access to the cameras and the NVR in the same subnet/VLAN.
      * The EdgeSwitch has forward facing RJ-45 ports. Easy to check Ethernet port status and disconnect a camera if it freezes and needs rebooting.
      * If you have more cameras than NVR ports, you’ll have to upgrade to a PoE switch to increase port capacity.

      But if you’re on a budget there’s nothing wrong with running the cameras off the NVR ports.

  8. cdr Scowl January 11, 2018 at 3:32 pm - Reply

    Hi Bob

    I’m not sure if this is the right page to post this, so please feel free to move or post an iteration of it yourself if you think it is suitable for your site.

    People may want to take an image of their router’s storage / USB stick. The internal EdgeRouter USB drive has a history of failing. Once it fails, you can’t update/ re-flash the image and the router won’t boot up. Of course, opening up your device will void your warranty, but having a bricked router isn’t good either.

    This link mentions a couple of options: https://community.ubnt.com/t5/EdgeMAX/EdgeMax-rescue-kit-now-you-can-reinstall-EdgeOS-from-scratch/td-p/514857/page/22 Here is another that is cross linked: https://community.ubnt.com/t5/EdgeMAX/mkeosfs-easily-generate-USB-image-for-EdgeRouter/td-p/1748092

    I went the route of shutting down / remove power. Disassemble the router and remove the USB storage drive. I imaged the original device which is a 4 gig stick and I restored the image to a larger 16 gig drive. (Note that not all drives will work and I used a USB 2.0 drive to ensure compatibility) I then resized the partitions. I did leave space for over-provisioning, but I am unsure if there is a facility in the system to utilize it. I set aside the stock drive in case of failure. When I finally have things set up the way I want, I will re-image again. That with a current config backup would get me back up fairly quick since I have a replacement drive (I bought two drives since they were so cheap $6).

    All this being said, the first link I posted (long thread) contains a link to a script to create a replacement drive from any valid firmware and the router wouldn’t require opening until the internal drive failed. I’d suggest waiting until your warranty expires before opening your EdgeRouter if you have any concerns.

    Regards

  9. cjlee89 March 29, 2018 at 2:48 pm - Reply

    What software did you use to make the diagram?
