Ubiquiti EdgeRouter Lite SOHO Network Design

By Bob Jackson | Featured, Home Networking | 27 Comments

This project describes the Ubiquiti EdgeRouter Lite (and EdgeRouter 4), EdgeSwitch 24 and UniFi Access Point network design for a SOHO (Small Office/Home Office) network.

Home networks are rapidly becoming more complex and taking on the characteristics of small enterprise networks. My network has almost 30 IP-connected devices ranging from PCs to smart TVs to Internet of Things (IoT) devices, which are notorious for poor security safeguards. I completely disabled remote access and held off buying a NAS over security concerns. A network upgrade was needed for better security, management and monitoring.

My home network used to be fairly simple – a cable modem, consumer-grade WiFi router and PoE switch in a “flat network” configuration. This worked well enough but lacked many advanced features and capabilities, including long-term manufacturer support, regular firmware updates to fix security vulnerabilities, a configurable firewall, traffic monitoring, logging, VLAN and OpenVPN support. After extensive research I chose the Ubiquiti EdgeRouter Lite due to its excellent performance, robust features, sub-$100 price and extensive user support.

The EdgeRouter Lite is a high-end consumer / small business class device that has a fairly steep learning curve if you’re not a “router guy” (or girl) who configures networks on a regular basis. I learned by reading the User Guide (.pdf, which is mainly a GUI walk-through) and especially the EdgeMAX forums, Knowledge Base, Layman’s firewall explanation and Vyatta Firewall Reference Guide. The Vyatta Firewall Best Practices Guide is also helpful. The EdgeRouter operating system (EdgeOS) is based on Vyatta Core 6.3, so the Vyatta firewall guides are relevant.

Ubiquiti EdgeRouter Lite Home Network Design

It’s tempting to plug in the router and begin configuring the network but that will likely result in confusion and problems. “If you fail to plan, you are planning to fail.” – Benjamin Franklin. A methodical and well documented approach is best.

Define the Network Requirements

I began by defining my network requirements. What do I want from my home network? What applications and services should it support? My requirements are:

  • Fast – ready for 1 Gigabit Internet.
    I currently have 120 Mbps download / 24 Mbps upload cable modem service but looking forward to affordable 1 Gbps Internet service.
  • Security – configurable firewall with logging to drop “bad” Internet traffic, thwart hackers and scanners, isolate Guest WiFi and manage Internet of Things (IoT) devices that I don’t fully trust.
  • Secure Remote Access – I wanted a highly secure and encrypted means of Internet remote access to my home network from my iPhone and laptop. The EdgeRouter supports OpenVPN, which is configured to listen on TCP port 443 so that it passes the port-based corporate firewall filters that block OpenVPN’s default UDP 1194. (A firewall doing deep packet inspection can still tell OpenVPN from real TLS, so treat this as a convenience, not a guarantee.)
    • A corollary is that port forwarding shall NOT be enabled. All remote access must go through the VPN tunnel, so the only service exposed to the Internet is the VPN listener.
  • VLAN Support – to isolate and segment the LAN network for performance and security. No more “flat networks” for me.
  • WiFi – The majority of home network devices are wireless. Guest and private wireless network support, fast 802.11ac, VLAN support and network management/monitoring capabilities. The UniFi Access Point fit the bill.

Network Inventory

I inventoried all of my network clients (desktops/laptops, printer, network video recorder/cameras, home automation controller, Ethernet wall jacks, etc.) and created an Excel spreadsheet itemizing the make, model number, MAC address, serial number, port number/service, firmware version (only if manual upgrades are required), user name, password and LAN IP address (dynamic or manual/static assignment). It’s the only way to keep track, because everything has to be migrated from the old network and assigned to a new VLAN, subnet and static LAN IP if not dynamically assigned. Keep the user name and password columns in a password manager rather than in the plain spreadsheet.

EdgeRouter Lite (ER3) Home Network Design

My home network diagram was inspired by the EdgeMAX – VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology tutorial. It was drawn in Microsoft Visio using the EdgeMAX stencils:

Ubiquiti EdgeRouter Lite Network Diagram

This layout is called a “router on a stick”: a single physical link between the router and the switch carries every VLAN as 802.1Q-tagged sub-interfaces, and all inter-VLAN traffic crosses the router where the firewall can see it. The network diagram defines the key information needed to configure and manage the network:

  • Physical ports and connectivity.
  • VLAN IDs and IP subnets.
  • EdgeSwitch 802.1Q VLAN connections and attached network clients.
  • Dynamic DNS (DDNS) host name.
  • WiFi SSIDs
  • Firmware versions so I know what’s installed when an upgrade is needed.
  • Login credentials – although having these in the diagram is acceptable for my personal use, good security practice is to keep credentials out of the diagram and in a password manager. The diagram is sanitized for publication. I deleted the “ubnt” factory default Admin user account, as you should too.
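Since the whole design rides on one 802.1Q trunk between the EdgeRouter and the EdgeSwitch, it helps to see what the tagging actually looks like on the wire. The following Python is an added example, not code from this article or from Ubiquiti: it builds a few constructed tagged frames (the kind a port-mirror capture of the trunk would show), parses the tag back out, and flags VIDs the trunk is not configured to carry. The set of trunk VLANs is an assumption taken from the VLAN IDs named on this page, and the MAC addresses and payloads are made up for the example.

```python
import struct

# VLAN IDs the EdgeRouter eth1 <-> EdgeSwitch trunk is expected to carry.
# Assumption for this example: the IDs the article names plus native VLAN 1.
TRUNK_VLANS = {1, 10, 50, 70, 80}
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vid, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Ethernet II frame; when vid is not None, insert an 802.1Q tag after the MACs."""
    hdr = mac(dst) + mac(src)
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)  # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def audit_trunk(frames, allowed=TRUNK_VLANS, native=1):
    """Count frames per VLAN as a mirror-port capture would show them and report
    VIDs the trunk is not configured for (a misconfigured port or VLAN hopping)."""
    counts, unexpected = {}, []
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        vid = f["vid"]
        if vid in (None, 0):  # untagged or priority-tagged (VID 0): native VLAN
            vid = native
        counts[vid] = counts.get(vid, 0) + 1
        if vid not in allowed:
            unexpected.append((i, vid, f["src"]))
    return counts, unexpected


# Constructed sample capture: a Roku on VLAN 80, the NAS on VLAN 70, an untagged
# management frame, and a frame tagged with a VLAN the trunk should not carry.
SAMPLE = [
    build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:80", 80, b"\x45" + b"\x00" * 19),
    build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:70", 70, b"\x45" + b"\x00" * 19),
    build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:01", None, b"\x45" + b"\x00" * 19),
    build_frame("00:11:22:33:44:55", "aa:bb:cc:00:09:99", 999, b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    per_vlan, bad = audit_trunk(SAMPLE)
    print(per_vlan)
    for i, vid, src in bad:
        print(f"frame {i}: VID {vid} from {src} is not a configured trunk VLAN")
```

To use it on a real capture, read the raw frames from a pcap taken on the mirror port (for example with `dpkt` or `scapy`) and pass them to `audit_trunk`; frames arriving on the trunk with an unexpected VID, or untagged frames from a host that should be tagged, point at a wrong port membership on the EdgeSwitch.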

EdgeRouter Lite Physical Network

The physical network is mounted in a 19 inch wide by 22 RU wall mount rack. Two APC Smart-UPS SMX750 Rack/Tower battery backup units are on the floor (not shown) to power the rack:

EdgeRouter Lite Home Network Wall Rack

The EdgeRouter Lite is rack mounted using the WaveGuard Universal Rackmount adapter.

My network components are:

UniFi Access Point Ceiling Mount

The UniFi Access Point is mounted on drywall ceiling in the upstairs hallway. The WiFi signal strength is excellent throughout the house including the basement:

UniFi Access Point - Drywall Ceiling Mount

I installed the metal backing plate between the attic joists where there aren’t any 120VAC electric cables that could cause interference with the Cat6 UTP (Unshielded Twisted Pair) cable. The backing plate is normally intended for use with drop ceiling acoustic tiles but I liked it better than using the included plastic drywall anchors. It was simple enough to place the plastic mounting bracket against the ceiling in the upstairs hallway, mark and drill four 1/8 inch dia holes for the M3x50 flat head screws, then install the screws and tighten the lock nuts. A 1/2 inch dia hole was drilled to feed the Cat6 cable and Ethernet plug through the ceiling. I left a generous length of cable inside the attic for a service loop:

UniFi Access Point Installation Ceiling Backing Plate

The Cat6 cable is plugged into the UniFi Access Point (AP) then the AP is snapped onto the plastic mounting bracket:

UniFi Access Point Installation - Cat6 Ethernet Cable and Ceiling Bracket

My UAP-AC is square shaped but the mounting bracket system is the same for the round models.

EdgeRouter Lite External Cooling Fan

The EdgeRouter Lite doesn’t have an internal cooling fan and can get very warm; this is normal. As an upgrade I bought a Coolerguys Quiet 120mm AC Powered Receiver/Component Cooling Fan. The fan operates on 5 volts DC from the included power supply. It’s absolutely quiet and vibration free. I set the fan on top of the EdgeRouter so it blows downward forcing air into the top vents and out the rear vents:

Ubiquiti EdgeRouter Lite External Cooling Fan

The fan does an amazing job! The EdgeRouter case now feels cool to my touch:

Ubiquiti EdgeRouter Lite: Coolerguys Quiet 120mm AC Powered Cooling Fan

Side view of the 120mm cooling fan sitting on the EdgeRouter Lite:

Ubiquiti EdgeRouter Lite Cooling Fan: Side View

Synology Network Attached Storage (NAS) Upgrade

I’ve since upgraded my network with the following changes:

  • Installed a Digital Watchdog CUBE-LX 6TB enterprise class Network Video Recorder (NVR). The CUBE-LX has a beautiful user interface and advanced capabilities. It’s expensive but worth it.
  • Added a Synology DS216+II NAS with 6TB of storage.
    The NAS is “always on” with minimal power consumption when idle and takes the file sharing/storage load off my desktop PC. It’s amazingly simple to install hard disk drives and the DiskStation Manager learning curve is short.
  • Added another rack-mount shelf for the NVR (top left) and NAS (top right):
EdgeRouter Lite SOHO Network Wall Rack Upgrade

The revised network design is:

EdgeRouter Home Network Design with Synology NAS DS Video for Roku Player WiFi

Changes to the network design are:

  • VLAN70 (NAS) for the Synology NAS on switch port 21 for fine-grained access control policies and access logging.
  • VLAN80 (IoT WiFi) to isolate Roku players and other untrusted devices. Added IOT_WIFI_PROTECT firewall rules.
  • Enabled switch port 23 on VLAN 1 as an alternate management port and as the port-mirroring destination.
    I learned this the hard way: I enabled port mirroring on switch port 2, the port connected to my Admin PC, to run a Wireshark packet capture and promptly locked myself out of the switch admin interface, because a mirror destination port only receives copied traffic and no longer forwards the PC’s own frames. Fortunately I hadn’t saved the change to the boot config, so rebooting the EdgeSwitch cleared the setting. Use a dedicated port for the capture machine, as I now do with port 23.
  • Adjusted firewall rules to allow LAN-to-WAN Internet access for the Digital Watchdog NVR for Ubuntu security patches, e-mail notifications, NTP synchronization, DW Spectrum software updates and online camera license key validation. Unsolicited Internet WAN-to-LAN requests are still blocked.
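The decisions above, and the remote-access requirements stated earlier (no port forwarding, OpenVPN on TCP 443), reduce to a handful of EdgeOS rule-set properties: which interface and direction a rule-set is attached to, first-match evaluation in rule-number order, the default-action that applies when nothing matches, and the state flags that separate a reply from a new connection. The following Python is an added example, not code from this article or from Ubiquiti. It parses a constructed `show configuration commands` excerpt into a tree, evaluates a few representative flows against IOT_WIFI_PROTECT_IN and WAN_IN the way the router would, and audits the requirements (no port-forward, OpenVPN listening on TCP 443, WAN_IN dropping by default). Only the rule-set and group names and the NAS (10.10.7.2) and Roku (10.10.8.101) addresses come from the page; the rule bodies, the LAN_NETWORKS range, the thermostat and Internet addresses and the DSM port 5000 are assumptions made for the example.

```python
import ipaddress
import shlex
# Constructed excerpt in the form EdgeOS 'show configuration commands' prints. Rule-set
# and group names, the NAS (10.10.7.2) and Roku (10.10.8.101) addresses follow the
# article; rule bodies, the LAN_NETWORKS range and DSM port 5000 are example assumptions.
CONFIG = """
set firewall group address-group Roku address 10.10.8.101
set firewall group network-group LAN_NETWORKS network 10.10.0.0/16
set firewall name IOT_WIFI_PROTECT_IN default-action accept
set firewall name IOT_WIFI_PROTECT_IN rule 10 action accept
set firewall name IOT_WIFI_PROTECT_IN rule 10 state established enable
set firewall name IOT_WIFI_PROTECT_IN rule 10 state related enable
set firewall name IOT_WIFI_PROTECT_IN rule 20 action accept
set firewall name IOT_WIFI_PROTECT_IN rule 20 source group address-group Roku
set firewall name IOT_WIFI_PROTECT_IN rule 20 destination address 10.10.7.2
set firewall name IOT_WIFI_PROTECT_IN rule 20 protocol tcp
set firewall name IOT_WIFI_PROTECT_IN rule 20 destination port 5000
set firewall name IOT_WIFI_PROTECT_IN rule 30 action drop
set firewall name IOT_WIFI_PROTECT_IN rule 30 destination group network-group LAN_NETWORKS
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set interfaces openvpn vtun0 protocol tcp-passive
set interfaces openvpn vtun0 local-port 443
"""

def parse_config(text):
    """Nest 'set a b c' lines into a dict; the last word becomes a leaf key."""
    tree = {}
    for line in text.strip().splitlines():
        words = shlex.split(line)
        if words[:1] != ["set"]:
            continue
        node = tree
        for word in words[1:-1]:
            node = node.setdefault(word, {})
        node[words[-1]] = {}
    return tree

def leaf(node, *path):
    """Single value stored under path (its one child key), or None."""
    for key in path:
        node = node.get(key) if node else None
    return next(iter(node), None) if node else None

def rule_matches(tree, rule, pkt):
    """One rule against one flow; unset rule fields match anything, as on EdgeOS."""
    groups = tree["firewall"].get("group", {})
    for side in ("source", "destination"):
        spec = rule.get(side, {})
        nets = [leaf(spec, "address")] if "address" in spec else []
        for gtype, key in (("address-group", "address"), ("network-group", "network")):
            if leaf(spec, "group", gtype):
                nets += list(groups[gtype][leaf(spec, "group", gtype)][key])
        ip = ipaddress.ip_address(pkt[side])
        if nets and not any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
            return False
    port = leaf(rule.get("destination", {}), "port")
    if port and str(pkt["dport"]) != port:
        return False
    proto = leaf(rule, "protocol")  # 'tcp', 'udp', 'tcp_udp', 'all' or unset
    if proto and proto != "all" and pkt["proto"] not in proto.split("_"):
        return False
    states = [s for s in rule.get("state", {}) if leaf(rule["state"], s) == "enable"]
    return not states or pkt["state"] in states

def evaluate(tree, ruleset, pkt):
    """First match in rule-number order wins; otherwise the default-action."""
    rs = tree["firewall"]["name"][ruleset]
    for num in sorted(rs.get("rule", {}), key=int):
        rule = rs["rule"][num]
        if "disable" not in rule and rule_matches(tree, rule, pkt):
            return leaf(rule, "action"), num
    return leaf(rs, "default-action"), "default"

def audit(tree):
    """The page's hard requirements: no port-forward, VPN on TCP 443, WAN_IN drops by default."""
    findings = []
    if "port-forward" in tree:
        findings.append("port-forward configured: remote access must go through the VPN only")
    for name, vpn in tree.get("interfaces", {}).get("openvpn", {}).items():
        if (leaf(vpn, "protocol"), leaf(vpn, "local-port")) != ("tcp-passive", "443"):
            findings.append(f"{name}: OpenVPN server is not listening on TCP 443")
    if leaf(tree["firewall"]["name"].get("WAN_IN", {}), "default-action") != "drop":
        findings.append("WAN_IN default-action is not drop")
    return findings

def check_flows(tree):
    """Representative flows (constructed addresses) -> (action, matching rule)."""
    flows = {
        "roku -> nas video": ("IOT_WIFI_PROTECT_IN", "10.10.8.101", "10.10.7.2", 5000, "new"),
        "roku -> admin pc": ("IOT_WIFI_PROTECT_IN", "10.10.8.101", "10.10.1.10", 445, "new"),
        "thermostat -> internet": ("IOT_WIFI_PROTECT_IN", "10.10.8.60", "203.0.113.5", 443, "new"),
        "internet -> nas, unsolicited": ("WAN_IN", "198.51.100.7", "10.10.7.2", 5000, "new"),
        "internet -> nas, reply": ("WAN_IN", "198.51.100.7", "10.10.7.2", 5000, "established"),
    }
    return {k: evaluate(tree, rs, dict(source=s, destination=d, proto="tcp", dport=p, state=st))
            for k, (rs, s, d, p, st) in flows.items()}
```

Feed it the real output of `show configuration commands` to check a rule change before `commit`. The matcher covers addresses, address and network groups, protocol, destination port and connection state, which is enough for the rules on this page; it does not model address ranges inside groups, port groups, or the `firewall out` direction, so extend `rule_matches` before trusting it on a larger policy.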

EdgeRouter 4 Upgrade

The EdgeRouter 4 (ER4) has double the CPU cores, CPU clock and memory of the EdgeRouter Lite (ERLite-3, which I’ll call the ER3) and better packets-per-second (PPS) performance. The ER4 is affordable at roughly twice the cost of an ER3. The main reason I upgraded is faster OpenVPN performance: OpenVPN is a heavy and largely single-threaded CPU load, so the ER4’s higher per-core clock is what helps, not just the extra cores. My ER4 network diagram:

EdgeRouter 4 Small Office Home Office (SOHO) Network Design

The most significant change is that I’ve isolated the insecure WiFi thermostats on VLAN 80 (IoT WiFi), which maps to a dedicated wireless network (SSID) on the Ubiquiti Access Point. My configuration files for the above network are:

The EdgeSwitch VLAN Wizard summary screen illustrates the VLAN definitions and port memberships:

Ubiquiti EdgeSwitch VLAN Summary Screen

EdgeRouter 4 Rack Mount Kit

I bought an EdgeRouter 4 Rack Mount Kit for my 19 inch wall rack:

Ubiquiti EdgeRouter 4 Rack Mount Kit

The rack mount kit has a sliding ear that adjusts to fit the router. Screws for the ears and rack (not shown) are included:

Ubiquiti EdgeRouter 4 - Adjustable Rack Mount Bracket

The EdgeRouter 4 mounted in the wall rack:

EdgeRouter 4 Network Wall Rack

The EdgeRouter 4 runs cool – just slightly warm to the touch – so I didn’t bother with the cooling fan used with the ER3.

This project is continued in Ubiquiti EdgeRouter Lite SOHO Network Configuration.

Best,

Bob Jackson

Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.

27 Comments

  1. Ryan November 28, 2016 at 10:45 am

    Hi,

    Not sure how to contact you. I’ve tried your config but I’m having an issue; if you can read this please respond.

    thanks,
    Ryan P

    • Bob Jackson November 28, 2016 at 12:30 pm

      Hi – briefly explain your setup and issue. If you have questions about my setup, please ask.

  2. Paul May 8, 2017 at 9:08 pm

    Hi Bob,
    Thanks for the write-up. I am thinking of installing an EdgeRouter lite.
    One thing, while the fan will force air through the EdgeRouter as positioned, it is fighting against the natural flow of air. If you can put it under the EdgeRouter, that will improve the efficiency of the cooling by letting the warmer air rise as it naturally wants to do.

    • Bob Jackson May 9, 2017 at 2:37 pm

      Hi,
      The external fan will not fit underneath the EdgeRouter Lite rackmount adapter. A fan blowing down on the router more effectively circulates air over the chips and CPU heat sink. If the fan were under the router the air flow would mostly be blocked by the bottom of the circuit board which is fairly sparse with few heat generating components. The natural convective air flow is negligible compared to the force of the fan.

      Thanks,
      Bob

  3. Scott July 16, 2017 at 11:03 pm

    Hi Bob-
    Could have sworn I read/saw somewhere in one of these tutorials or a reply from you, that you had sent the Visio version of the diagram to someone else or made it available somewhere online… Or was that just my wishful thinking? If you have already, or are willing to share it, could you please publish the link or could we arrange some other method of where I could? I know they can get pretty large… My reason for asking is because I REALLY like what you’ve done here, but due to the logistics of where things are located at my place or where they are on my current network, I need to make a few minor modifications. Like you mentioned, having the diagram in place before you start makes things MUCH SIMPLER rather than trying to manage it in your head… I do have a copy of Visio Pro available from work and also a copy of Omnigraffle Pro (for my personal Mac OS &/or iOS devices).

    Thanks again for posting these “HowTos”, they are AWESOME!

    Scott

    • Bob Jackson July 17, 2017 at 8:20 am

      Thanks for the compliments! It’s straightforward to make your own Visio network diagram using the EdgeMAX stencils. Some shapes I created from scratch (servers, laptop, smartphone, tablet, etc.) for a more consistent look.

      • Ahmed September 15, 2017 at 9:00 am

        Bob,
        I came across your page and really love your work. As it is possible to make a new diagram, your diagram is by far the best I have seen, very clean and detailed. If you don’t mind I still prefer to pivot off of yours and tweak it for my needs than starting all over.

        Thank you,
        Ahmed

  4. John August 19, 2017 at 8:10 pm

    Bob; thanks for posting your setup! I’m doing pretty much the same thing and your series will help me significantly. One question: I want to move off of VLAN 1 for management and move it to VLAN 10. Is this possible? Basically following the goals of http://wahlnetwork.com/2014/09/30/building-new-network-design-lab/

    Hardware:
    1 x ERLite-3
    1 x ES-24-Lite
    1 x TS-8-Pro (POE for cameras & AP)
    1 x UAP-AC-PRO
    6 x UVC-G3s

    Goals:
    1. Migrate from a 10.10.10.0/24 network to a series of 172.7.x.0/24 networks
    2. Create a series of unique VLANs for Home (20), Wireless (30), NFS (40), and Network Cameras (50)
    3. Change the Management VLAN from 1 to 10
    4. Setup interVLAN-routing

    • Bob Jackson August 20, 2017 at 11:01 am

      There’s nothing magic about the default VLAN 1 ID. If you prefer VLAN 10 for management change it on the router and the switch. Create VLAN 10 first with the same configuration/membership as VLAN 1 and once it’s working you can disable VLAN 1.

      The 10.10. to 172.7. subnet migration requires planning and LAN device inventory. I migrated from a WiFi router & NetGear switch on a 192.168. subnet to the 10.10. network on the EdgeRouter & EdgeSwitch as explained in Ubiquiti EdgeRouter Lite SOHO Network Configuration. It helps to create a table listing all your network devices, including the make/model, MAC Address, static or dynamic IP address assignment, current static IP address (if applicable), future static IP address (if applicable) and device login credentials.

      If all your LAN clients on the 10.10. subnet are pulling DHCP dynamic IP addresses then moving those to 172.7. is just a client reboot. Devices with DHCP static leases (a.k.a. static IP addresses) such as my IP cameras needed care, because once I changed the camera IP to the new subnet it immediately dropped off the old network. If I did everything right the camera came up on the EdgeRouter/EdgeSwitch network when I moved the Ethernet cable from the NetGear switch (old network) to the EdgeSwitch (new network).

      > 4. Setup interVLAN-routing
      The EdgeRouter will route between VLANs by default. If you want to isolate the Guest network or otherwise limit routing between VLANs then you have to configure firewall rules.

      • John August 23, 2017 at 2:57 pm

        Thanks for the reply Bob!

  5. Mark September 7, 2017 at 5:35 pm

    Hi,
    This site is great. Thanks for sharing. You didn’t mention the Hikvision NVR in your setup. On the network diagram are IP cameras and NVR connected to the switch. Could cameras be connected to the NVR and the NVR to the switch? I have a network switch which doesn’t support PoE.
    Thanks

    • Bob Jackson September 7, 2017 at 7:26 pm

      You could connect the IP cameras to the Hikvision NVR on-board PoE ports, but I preferred connecting the cameras to the EdgeSwitch to minimize NVR dependencies and simplify administration. My recommendation is to upgrade to a PoE switch if possible. I’ve since replaced the Hikvision NVR with a Digital Watchdog BlackJack CUBE-LX.

      • Mark September 8, 2017 at 9:19 am

        Thank you for your reply. We only moved into the new house recently. There are on average 2-3 CAT6 cables running from every room into the utility room. Also have two CAT6 cables going up to the attic to be able to fit a ceiling access point in the landing.
        Your setup is high quality, which I can’t afford at the moment. I’m thinking of getting a PoE switch (was looking at TP-Link or Netgear) that would support Hikvision IP cameras. In order to save I would get some cheap NVR connected to the switch via ethernet cable (would this work?).
        In future I would be adding a home automation controller and NAS server.
        Thanks again for your time.

  6. Ken Perkins September 10, 2017 at 10:48 am

    Bob,

    Great guides. A couple of questions: Are you taking advantage of multiple vlans on the Syno? How is access done on the syno? through the ERL or over Layer 2? Why didn’t you consider a larger Syno and use it for video as well as NAS? Even if you don’t want to use the Syno surveillance app you could run your own in a docker container.

    I’m basically doing the exact same thing as you and I’m having some trouble designing my VLANs around figuring out if wired/wireless ports need to share a VLAN for things like Apple Airplay to work. The only solution is clearly testing. :) Thanks again.

    • Bob Jackson September 10, 2017 at 1:16 pm

      The Synology NAS has its own VLAN 70 for isolation. Access is restricted via ER3 firewall rules and user account management on the Synology DiskStation Manager (DSM). Recall that remote access to my home network and the NAS is only allowed via OpenVPN. However, I did create a firewall pinhole to allow DSM LAN-to-Internet access for software updates, but the DSM must initiate the Internet connection as all “new” WAN-to-LAN requests are dropped.

      I chose the 6TB Synology because it’s sufficient storage for my current needs and I had two WD Red 3TB NAS hard drives on hand. I store BluRay videos (.mp4) in a NAS video folder and installed the Video Station app. The DS Video app works well on Roku and iPad.

      > Even if you don’t want to use the Syno surveillance app you could run
      > your own in a docker container
      Maybe but I already have a Digital Watchdog Blackjack CUBE-LX NVR which is really nice.

      > I’m having some trouble designing my VLANs around figuring out if
      > wired/wireless ports need to share a VLAN for things like Apple Airplay to work
      I reconfigured my network and firewall rules to isolate the Roku 3 player and enable the Roku DS Video app. Call me paranoid, but the Roku has a Linux-based O/S and I didn’t like the possibility it could explore the LAN. DS Video won’t work on the UniFi AP Guest WiFi due to built-in policy restrictions, so I created a new “IoT WiFi” SSID and put it on VLAN 80. The IoT WiFi firewall rules only allow “Guest”-like Internet and Synology NAS video folder access. The Roku user account on DSM is read-only to the video folder as well.

      You could probably do something similar for Apple Airplay.

      The revised network diagram with VLAN 80 IoT WiFi: Edgerouter Home Network Design with Synology NAS DS Video for Roku Player WiFi

      And EdgeRouter configuration commands (.txt file).

      The Roku firewall configuration elements are:
      set firewall group address-group Roku address 10.10.8.101
      set firewall group address-group Roku description 'Roku streaming media players'
      # add more streaming player LAN IPs here as needed for smart TVs, Chromecast, Roku, etc.

      The Roku LAN isolation rules are (see the config commands link above for details):
      * IOT_WIFI_PROTECT_IN
      * IOT_WIFI_PROTECT_LOCAL

      WAN_OUT firewall pinhole for NAS software updates:
      set firewall name WAN_OUT rule 40 action accept
      set firewall name WAN_OUT rule 40 description 'Accept Synology NAS connections to WAN'
      set firewall name WAN_OUT rule 40 log enable
      set firewall name WAN_OUT rule 40 protocol all
      set firewall name WAN_OUT rule 40 source address 10.10.7.2
      set firewall name WAN_OUT rule 40 state new enable

      VLAN 80:
      set interfaces ethernet eth1 vif 80 description 'IoT WiFi'
      set interfaces ethernet eth1 vif 80 firewall in name IOT_WIFI_PROTECT_IN
      set interfaces ethernet eth1 vif 80 firewall local name IOT_WIFI_PROTECT_LOCAL
      set interfaces ethernet eth1 vif 80 mtu 1500

      DHCP – Roku is assigned a static LAN IP address:
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI authoritative disable
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI subnet 10.10.8.0/24 default-router 10.10.8.1
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI subnet 10.10.8.0/24 dns-server 10.10.8.1
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI subnet 10.10.8.0/24 lease 86400
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI subnet 10.10.8.0/24 start 10.10.8.50 stop 10.10.8.100
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI subnet 10.10.8.0/24 static-mapping Roku3_Living_Room ip-address 10.10.8.101
      set service dhcp-server shared-network-name VLAN80_IOT_WIFI subnet 10.10.8.0/24 static-mapping Roku3_Living_Room mac-address 'xx:xx:xx:xx:xx:xx'

      DNS – required for Roku Internet access to Netflix, Amazon, more apps, firmware updates, etc.:
      set service dns forwarding listen-on eth1.80

      and of course configure the new VLAN 80 on the EdgeSwitch and Unifi Access Point.

      Thanks,
      Bob

  7. Ken Perkins September 11, 2017 at 4:44 pm

    Bob,

    Doing a bit more research in your above linked most recent commands and I have a couple of questions:

    I see two lines that appear confusing at a glance:

    > set firewall name WAN_OUT default-action accept
    > set firewall name GUEST_PROTECT_IN default-action accept

    If I understand both of these rules *allow* by default connections from LAN->WAN and LAN->WLAN_PRIVATE. Is that a mistake? I wouldn’t think you’d need the explicit rule for the Syno (set firewall name WAN_OUT rule 40 action accept) when the default is to accept.

    Sorry if this seems mundane but I’ve been using an ERL for about a year and found that surprising.

    • Bob Jackson September 11, 2017 at 5:42 pm

      Hi,
      The GUEST_PROTECT_IN default action-accept rule is straight from the UBNT Support article EdgeRouter – How to Protect a Guest Network on EdgeRouter. The default rule is triggered only if my rule 10 ‘Accept Established/Related’ and rule 20 ‘Drop LAN_NETWORKS’ aren’t matched. If the default was set to “drop” then Guest WiFi clients would be blocked from the Internet.

      > set firewall name WAN_OUT default-action accept
      > I wouldn’t think you’d need the explicit rule for the Syno
      > (set firewall name WAN_OUT rule 40 action accept) when the default
      > is to accept.
      My WAN_OUT rule 40 has a key distinction as it allows “new” connections to the Internet.

      set firewall name WAN_OUT default-action accept
      ... other rules ...
      set firewall name WAN_OUT rule 40 action accept
      set firewall name WAN_OUT rule 40 description 'Accept Synology NAS connections to WAN'
      set firewall name WAN_OUT rule 40 log enable
      set firewall name WAN_OUT rule 40 protocol all
      set firewall name WAN_OUT rule 40 source address 10.10.7.2
      set firewall name WAN_OUT rule 40 state new enable

      Without the explicit “new enable” state the EdgeRouter blocks Synology initiated connections to the Internet. I originally thought as you the “default-accept rule” would allow it and was puzzled when it didn’t work. Added the “state new enable” and success!

      Thanks,
      Bob

  8. Rashmi November 7, 2017 at 4:44 pm

    Hi,

    Just wanted your help to figure something out. Is it possible for some VLANs to access the NAS VLAN or will all of them have access to NAS VLAN?

    In your updated diagram of NAS and Watchdog, If I have (24 port) switch that goes from port 23 to another switch (16 port) port 1, how do I go about trunking management, Gaming and NAS VLAN so other devices on 2nd switch have access to NAS VLAN too?

    Does that make sense?

  9. Ahmad December 10, 2017 at 4:40 am

    Hi,
    out of scope question, which software did you use to draw the diagram?
    thanks

  10. kurt augustin January 25, 2018 at 8:35 am

    Good Day,

    How did you draw the links ( connectors) in your diagram? I am designing my diagram and these connections are ideal. Thank you

    • Bob Jackson January 25, 2018 at 10:12 pm

      I used Microsoft Visio to make the diagram. The network connections are illustrated in this image.

      For example, the Port 24 connection is composed of:
      1. A rectangle with rounded corners having a text label “Port 24”.
      2. 4-1/2 point weight straight line.
      3.a. To make the rounded elbow, draw a horizontal line then a connected vertical line so it’s a single item.
      3.b. Right click the 90 degree elbow, select Format –> Line from the pop-up menu.
      3.c. Change the weight to 4-1/2 points and Round Corner @ 0.3125 inches.
      3.d. Copy & paste, then rotate the rounded elbow as needed for different network connections.

  11. Nate August 3, 2018 at 12:27 am

    Hi Bob,

    Thanks for the great series! I’m going through your articles (and all of the comments) as I am setting up my EdgeRouter and UniFi NanoHD.

    Is there a particular reason you gave the Wired IoT VLAN (50) and the Wireless IoT VLAN (80) separate VLAN IDs? Essentially, devices on those networks are treated the same, correct?

    Just curious!

    • Bob Jackson August 7, 2018 at 7:02 pm

      I could’ve combined both wired and wireless IoT devices on the same VLAN. My strategy is to create VLANs per functional group, e.g. VLAN 10 – IP video security cameras, VLAN 70 – NAS, etc. with the necessary firewall rules.

      At the moment I don’t have much in the way of wired IoT devices (other than cameras) but if/when I do deploy a bunch of new devices (smart faucets and showers?), I’ll probably segment them in a new VLAN. For now, Wired IoT VLAN 50 is a catchall.

  12. Michael Gerber August 20, 2018 at 5:58 am

    Hi Bob,

    Firstly, thanks for the great article! I’m using your approach as the basis for our future setups.

    I am, however, interested to know what your approach and opinion is on the ACL vs Zone Based Firewalls as discussed in this article:
    http://www.forshee.me/2016/03/02/ubiquiti-edgerouter-lite-setup-part-2-firewall-setup.html