[[[TOC]]]
This tutorial will walk you through setting up a Ubiquiti EdgeRouter Lite for use in a SOHO environment using CLI commands. Below is a physical architecture diagram of the network we will be creating:
[[image:erl_soho.png|medium|link=source]]
# Log in to the ERL via SSH, then enter configure mode
{{{
configure
}}}
——
=Interfaces=
In this section, we will set up our network interfaces per the above physical network diagram. Note that the WAN IP is assigned via DHCP in this configuration.
# eth0 (LAN)
{{{
edit interfaces ethernet eth0
set description "LAN"
set address 192.168.69.254/24
set duplex auto
set speed auto
top
}}}
# eth1 (WLAN)
{{{
edit interfaces ethernet eth1
set description "WLAN"
set address 192.168.68.254/24
set duplex auto
set speed auto
top
}}}
# eth2 (WAN – DHCP)
{{{
edit interfaces ethernet eth2
set description "WAN"
set address dhcp
set duplex auto
set speed auto
top
}}}
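Every snippet in this tutorial is relative to a working position in the configuration tree: `edit` descends into a node, `top` returns to the root, and each `set` in between is resolved against that position, much like `cd` in a shell. The following helper is an added example (not code from the tutorial or from Ubiquiti) that resolves those snippets into the absolute `set` commands the CLI would show, nests them into a tree, and refuses typographic quotes (“ ”), which the CLI would store as part of the value rather than strip. The `SAMPLE` snippet is constructed from the eth0 and user-creation steps.

```python
"""Expand relative EdgeOS CLI snippets into absolute `set` commands.

Added example, not part of the tutorial. Handles `edit`, `top`, `set`,
`delete` and ignores mode/transaction words (`configure`, `commit`, ...).
"""
import shlex

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # left/right double and single quotes


def find_typographic_quotes(script: str) -> list[int]:
    """Return the 1-based line numbers that contain a non-ASCII quote character."""
    return [n for n, line in enumerate(script.splitlines(), start=1)
            if any(ch in TYPOGRAPHIC_QUOTES for ch in line)]


def expand_cli(script: str) -> list[str]:
    """Resolve `edit`/`top` and return the absolute `set`/`delete` commands."""
    bad = find_typographic_quotes(script)
    if bad:
        raise ValueError(f"typographic quotes on line(s) {bad}; use ASCII \" or '")
    path: list[str] = []        # current working position in the config tree
    commands: list[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)   # keeps "New User" together as one token
        verb, args = words[0], words[1:]
        if verb == "edit":
            path.extend(args)
        elif verb == "top":
            path.clear()
        elif verb in ("set", "delete"):
            commands.append(shlex.join([verb, *path, *args]))
        elif verb in ("configure", "commit", "save", "exit"):
            continue                # these carry no path component
        else:
            raise ValueError(f"unsupported command: {line!r}")
    return commands


def to_tree(commands: list[str]) -> dict:
    """Nest absolute `set` commands as a dict; the last token is the leaf value.

    Multi-valued leaves (e.g. `listen-on eth0` / `listen-on eth1`) collect
    under the `_values` list of their node.
    """
    tree: dict = {}
    for cmd in commands:
        words = shlex.split(cmd)
        if words[0] != "set":
            continue
        *nodes, value = words[1:]
        node = tree
        for key in nodes:
            node = node.setdefault(key, {})
        node.setdefault("_values", []).append(value)
    return tree


# Constructed sample: the eth0 snippet and part of the user-creation snippet.
SAMPLE = """
edit interfaces ethernet eth0
set description "LAN"
set address 192.168.69.254/24
top
edit system login user new_user
set full-name "New User"
set level admin
top
commit
"""

if __name__ == "__main__":
    for cmd in expand_cli(SAMPLE):
        print(cmd)
```

Values with spaces come back single-quoted (`full-name 'New User'`), which the EdgeOS CLI accepts just as it accepts double quotes; what it does not accept are the curly quotes that word processors and some wiki renderers substitute, hence the check up front.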
——
=User Management=
This step creates a new user to replace the default `ubnt` user.
# Create new user – //Note: the plain text password will be encrypted upon commit//
{{{
edit system login user new_user
set authentication plaintext-password "new_pass"
set full-name "New User"
set level admin
top
commit
}}}
# Logout, then log back in as the new user
# Delete the default `ubnt` user
{{{
delete system login user ubnt
}}}
——
=DHCP Server=
Now we will create DHCP servers for the LAN and WLAN subnets. We need to create one server per subnet.
# Global DHCP options
{{{
edit service dhcp-server
set disabled false
set dynamic-dns-update enable true
top
}}}
# LAN Subnet
{{{
edit service dhcp-server shared-network-name LAN_DHCP
set authoritative disable
edit subnet 192.168.69.0/24
set default-router 192.168.69.254
set dns-server 192.168.69.254
set domain-name dlasley.net
set lease 86400
set start 192.168.69.100 stop 192.168.69.200
top
}}}
# WLAN Subnet
{{{
edit service dhcp-server shared-network-name WLAN_DHCP
set authoritative disable
edit subnet 192.168.68.0/24
set default-router 192.168.68.254
set dns-server 192.168.68.254
set domain-name dlasley.net
set lease 86400
set start 192.168.68.100 stop 192.168.68.200
top
}}}
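A scope that commits cleanly can still misbehave: a pool that spills outside its subnet, a pool that hands out the router's own address, or two scopes whose subnets overlap. The script below is an added example (not code from the tutorial) that checks the LAN_DHCP and WLAN_DHCP values above with Python's `ipaddress` module before they go into the router. `dns-server` is only parsed, not range-checked, since a DNS server may legitimately live outside the subnet; here the tutorial points it at the router itself.

```python
"""Sanity-check EdgeOS dhcp-server scopes before committing them.

Added example, not the tutorial's code. Each scope is a dict mirroring the
`set` lines of one shared-network-name.
"""
import ipaddress

# Values taken from the tutorial's two scopes.
SCOPES = {
    "LAN_DHCP": {"subnet": "192.168.69.0/24", "default-router": "192.168.69.254",
                 "dns-server": "192.168.69.254", "start": "192.168.69.100",
                 "stop": "192.168.69.200", "lease": 86400},
    "WLAN_DHCP": {"subnet": "192.168.68.0/24", "default-router": "192.168.68.254",
                  "dns-server": "192.168.68.254", "start": "192.168.68.100",
                  "stop": "192.168.68.200", "lease": 86400},
}


def check_scope(name: str, s: dict) -> list[str]:
    """Return the problems found in one scope (an empty list means it is fine)."""
    problems = []
    try:
        net = ipaddress.ip_network(s["subnet"], strict=True)  # host bits must be zero
    except ValueError as exc:
        return [f"{name}: bad subnet {s['subnet']}: {exc}"]
    ipaddress.ip_address(s["dns-server"])           # must parse; may be external
    router = ipaddress.ip_address(s["default-router"])
    start = ipaddress.ip_address(s["start"])
    stop = ipaddress.ip_address(s["stop"])
    for label, addr in (("default-router", router), ("start", start), ("stop", stop)):
        if addr not in net:
            problems.append(f"{name}: {label} {addr} is outside {net}")
    if start > stop:
        problems.append(f"{name}: start {start} is after stop {stop}")
    elif start <= router <= stop:
        problems.append(f"{name}: pool {start}-{stop} includes the router {router}")
    if {net.network_address, net.broadcast_address} & {start, stop}:
        problems.append(f"{name}: pool touches the network or broadcast address")
    if s["lease"] <= 0:
        problems.append(f"{name}: lease must be a positive number of seconds")
    return problems


def check_all(scopes: dict) -> list[str]:
    """Check every scope, then check that no two subnets overlap."""
    problems = []
    nets = {}
    for name, s in scopes.items():
        problems += check_scope(name, s)
        try:
            nets[name] = ipaddress.ip_network(s["subnet"], strict=False)
        except ValueError:
            pass                                   # already reported above
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for p in check_all(SCOPES) or ["all scopes look sane"]:
        print(p)
```

Run it on the tutorial's values and it reports nothing; shift the LAN pool to `.250-.255` and it flags both the router inside the pool and the broadcast address at the end of it.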
=Forward DNS Requests=
In the DHCP servers that we just set up, we defined the router address as the primary DNS server. We now need to enable DNS forwarding on both the LAN and WLAN interfaces in order to support this setting.
# Enable DNS forwarding
{{{
edit service dns forwarding
set cache-size 1000
set listen-on eth0
set listen-on eth1
top
}}}
——
=Dynamic DNS Updater=
This process will allow your ERL to automatically update a supported Dynamic DNS service upon WAN DHCP renewal, and is completely optional.
# Create an account with a supported service provider. As of now, they are:
- [[http://dnspark.com/|DNS Park]]
- [[http://www.dslreports.com/|DSL Reports]]
- [[http://dyn.com|DynDNS]]
- [[http://web.easydns.com/|Easy DNS]]
- [[http://www.namecheap.com/|Name Cheap]]
- [[http://www.sitelutions.com/|SiteLutions]]
- [[http://www.zoneedit.com/|ZoneEdit]]
# Set the service provider, login, and password. Change the service from `dyndns` to your service provider, and the username/password to match your credentials.
{{{
edit service dns dynamic interface eth2 service dyndns
set login $USERNAME
set password $PASSWORD
}}}
# Set the hostname to update, substituting your domain for mine. You can repeat this step for multiple host names.
{{{
set host-name $DOMAIN_NAME
}}}
# Move back to the top of the config
{{{
top
}}}
——
=WAN Masquerading=
Now we will need to set up WAN masquerading (to allow local machines access to the internet). If you also need to add port forwarding rules (to allow inbound traffic), check out [[nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip|this tutorial]].
# Configure NAT rule for WAN Masquerading
{{{
edit service nat rule 5000
set description WAN_MASQ
set log disable
set outbound-interface eth2
set protocol all
set type masquerade
top
}}}
——
=SNMP=
# Now we will configure SNMP settings. `public` is the conventional read-only community string, and SNMP v1/v2c sends it in clear text, so anything that can reach UDP port 161 on the router can read its tables; the WAN_LOCAL ruleset in the firewall section below, which drops new inbound connections to the router, is what keeps this off the WAN.
{{{
edit service snmp
set community public authorization ro
set contact "David Lasley"
set location "Server Room"
top
}}}
——
=Basic Firewall=
We will now configure a basic firewall that is not recommended in a production environment. It allows any outbound traffic from the LAN, WLAN, or the router itself, and drops all unsolicited inbound WAN traffic, accepting only packets that belong to an established or related connection. Nothing is filtered between the LAN and WLAN.
# Set global firewall rules
{{{
edit firewall
set all-ping enable
set broadcast-ping disable
set conntrack-expect-table-size 4096
set conntrack-hash-size 4096
set conntrack-table-size 32768
set conntrack-tcp-loose enable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
set source-validation disable
set syn-cookies enable
top
}}}
# Create the ruleset for WAN->(W)LAN. It accepts established/related packets, drops invalid ones, and drops everything else via the default action.
{{{
edit firewall name WAN_IN
set description "Inbound WAN to (W)LAN"
set default-action drop
set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable
set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable
top
}}}
# Create the ruleset for WAN->Local (router). It accepts established/related packets, drops invalid ones, and drops everything else via the default action. //Note that this is basically identical to the last ruleset, except it will be applied to traffic destined for the router//
{{{
edit firewall name WAN_LOCAL
set description "Inbound WAN to Local Router"
set default-action drop
set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable
set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable
top
}}}
# Add firewall rules to WAN interface
{{{
edit interfaces ethernet eth2 firewall
set in name WAN_IN
set local name WAN_LOCAL
top
}}}
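To see what the two rulesets actually do once attached to eth2, here is an added example (not the tutorial's or Ubiquiti's code) that models EdgeOS rule evaluation: rules are tried in ascending number, the first rule whose state match covers the packet's conntrack state decides, and the ruleset's `default-action` applies when none matches. `in` covers traffic forwarded through the router and `local` covers traffic addressed to the router itself; eth0 and eth1 carry no rulesets, exactly as in the configuration above, so the model shows LAN/WLAN traffic passing unfiltered.

```python
"""Trace how the WAN_IN and WAN_LOCAL rulesets classify inbound packets.

Added example, not part of the tutorial. The rulesets mirror the
`set firewall name ...` lines and the per-interface attachment mirrors the
`set interfaces ethernet eth2 firewall ...` step.
"""
from dataclasses import dataclass

STATES = ("new", "established", "related", "invalid")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # accept | drop | reject
    states: frozenset           # conntrack states the rule matches; empty = any
    description: str = ""


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: tuple

    def evaluate(self, state: str) -> tuple[str, str]:
        """Return (action, decided-by) for a packet in the given conntrack state."""
        if state not in STATES:
            raise ValueError(f"unknown conntrack state {state!r}")
        for rule in sorted(self.rules, key=lambda r: r.number):
            if not rule.states or state in rule.states:
                return rule.action, f"rule {rule.number} ({rule.description})"
        return self.default_action, "default-action"


def stateful_drop_ruleset(name: str) -> Ruleset:
    """Pattern both WAN rulesets share: accept established/related, drop invalid, drop the rest."""
    return Ruleset(name, "drop", (
        Rule(5000, "accept", frozenset({"established", "related"}), "Allow Established/Related"),
        Rule(5001, "drop", frozenset({"invalid"}), "Drop Invalid"),
    ))


WAN_IN = stateful_drop_ruleset("WAN_IN")          # forwarded through the router
WAN_LOCAL = stateful_drop_ruleset("WAN_LOCAL")    # addressed to the router itself

# Per-interface attachment as in the tutorial: only eth2 carries rulesets, so
# traffic entering from the LAN (eth0) or WLAN (eth1) is never filtered.
INTERFACE_FIREWALL = {
    "eth2": {"in": WAN_IN, "local": WAN_LOCAL},
    "eth0": {},
    "eth1": {},
}


def classify(ingress: str, direction: str, state: str) -> tuple[str, str]:
    """Decide a packet entering on `ingress`, heading `in` (forwarded) or `local` (to the router)."""
    ruleset = INTERFACE_FIREWALL[ingress].get(direction)
    if ruleset is None:
        return "accept", f"no {direction} ruleset on {ingress}"
    return ruleset.evaluate(state)


if __name__ == "__main__":
    for ingress, direction in (("eth2", "in"), ("eth2", "local"), ("eth0", "in"), ("eth0", "local")):
        for state in STATES:
            action, why = classify(ingress, direction, state)
            print(f"{ingress:5} {direction:6} {state:12} -> {action:7} {why}")
```

The trace makes two things visible that the `set` lines alone do not: a `new` packet from the WAN never matches rule 5000 or 5001 and falls through to `default-action drop`, so the explicit "Drop Invalid" rule is redundant with the default and mainly serves as a place to enable logging for invalid packets; and because eth0 and eth1 have no rulesets, a host on the WLAN can reach anything on the LAN, which is one reason the text calls this setup unsuitable for production.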
——
=Define System Settings=
Now we will set the system settings such as hostname, nameserver, time zones, etc.
# Hostname & domain name
{{{
set system host-name erl-001
set system domain-name dlasley.net
}}}
# Nameservers
{{{
set system name-server 8.8.8.8
set system name-server 8.8.4.4
}}}
# Timezone – //Timezones can be listed by traversing the directories in `/usr/share/zoneinfo/`//
{{{
set system time-zone America/Los_Angeles
}}}
# Add Debian repositories (optional). Make sure to perform an `apt-get update` if you do this.
{{{
edit system package
set repository wheezy components 'main contrib non-free'
set repository wheezy distribution wheezy
set repository wheezy url http://http.us.debian.org/debian
set repository wheezy-security components main
set repository wheezy-security distribution wheezy/updates
set repository wheezy-security url http://security.debian.org
top
}}}
//Note: versions prior to firmware 1.7 were based on Debian `squeeze` instead of `wheezy`.//
——
=Final Config=
[[file:erl_base_soho_config.boot|erl_base_soho_config.boot]] is the final configuration that this tutorial generates. I have left the default ubnt/ubnt user in this configuration. You can upload this file to `/config/config.boot` using SCP, or follow the directions [[http://wiki.ubnt.com/System_-_Configuration_Management_%26_Device_Maintenance|here]] to upload via the WebUI.