Established Member
Posts: 1,200
Registered: ‎06-14-2012
Kudos: 988
Solutions: 80
Contributions: 9

Basic SOHO/Home Config

[ Edited ]

[Edit by UBNT-stig] Note: the example configurations in this thread are still valid, however starting in v1.3.0 there is a basic setup wizard that will give you a similar configuration with less hassle.

 

Setup is for a simple home or SOHO type environment.

Eth0 is labeled for the wired network and eth1 is labeled for the wireless network. It doesn't really matter which.

These two networks are segmented, but there are no controls between them.

Eth2 is the WAN interface and is configured for DHCP.

Both LAN segments provide DHCP, DNS, UPnP and NTP. Recursive DNS is provided by OpenDNS.

The GUI and SSH are accessible only from eth0 and eth1.

A raw config.boot is attached as well.

Disclaimer: I don't run an ACL-based firewall, so I may have missed something in the policy.

set 'firewall' 'all-ping' 'enable'
set 'firewall' 'broadcast-ping' 'disable'
set 'firewall' 'conntrack-expect-table-size' '4096'
set 'firewall' 'conntrack-hash-size' '4096'
set 'firewall' 'conntrack-table-size' '32768'
set 'firewall' 'conntrack-tcp-loose' 'enable'
set 'firewall' 'ipv6-receive-redirects' 'disable'
set 'firewall' 'ipv6-src-route' 'disable'
set 'firewall' 'ip-src-route' 'disable'
set 'firewall' 'log-martians' 'enable'
set 'firewall' 'name' 'eth0_in' 'default-action' 'accept'
set 'firewall' 'name' 'eth0_in' 'description' 'Wired network to other networks.'
set 'firewall' 'name' 'eth0_local' 'default-action' 'accept'
set 'firewall' 'name' 'eth0_local' 'description' 'Wired network to router.'
set 'firewall' 'name' 'eth1_in' 'default-action' 'accept'
set 'firewall' 'name' 'eth1_in' 'description' 'Wireless network to other networks'
set 'firewall' 'name' 'eth1_local' 'default-action' 'accept'
set 'firewall' 'name' 'eth1_local' 'description' 'Wireless network to router.'
set 'firewall' 'name' 'eth2_in' 'default-action' 'drop'
set 'firewall' 'name' 'eth2_in' 'enable-default-log'
set 'firewall' 'name' 'eth2_in' 'description' 'Internet to internal networks'
set 'firewall' 'name' 'eth2_in' 'rule' '1' 'action' 'accept'
set 'firewall' 'name' 'eth2_in' 'rule' '1' 'state' 'established' 'enable'
set 'firewall' 'name' 'eth2_in' 'rule' '1' 'state' 'related' 'enable'
set 'firewall' 'name' 'eth2_in' 'rule' '2' 'action' 'drop'
set 'firewall' 'name' 'eth2_in' 'rule' '2' 'log' 'enable'
set 'firewall' 'name' 'eth2_in' 'rule' '2' 'state' 'invalid' 'enable'
set 'firewall' 'name' 'eth2_local' 'default-action' 'drop'
set 'firewall' 'name' 'eth2_local' 'enable-default-log'
set 'firewall' 'name' 'eth2_local' 'description' 'Internet to router'
set 'firewall' 'name' 'eth2_local' 'rule' '1' 'action' 'accept'
set 'firewall' 'name' 'eth2_local' 'rule' '1' 'state' 'established' 'enable'
set 'firewall' 'name' 'eth2_local' 'rule' '1' 'state' 'related' 'enable'
set 'firewall' 'name' 'eth2_local' 'rule' '2' 'action' 'drop'
set 'firewall' 'name' 'eth2_local' 'rule' '2' 'log' 'enable'
set 'firewall' 'name' 'eth2_local' 'rule' '2' 'state' 'invalid' 'enable'
set 'firewall' 'name' 'eth2_local' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'eth2_local' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'eth2_local' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'eth2_local' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'eth2_local' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'eth2_local' 'rule' '5' 'protocol' 'icmp'
set 'firewall' 'receive-redirects' 'disable'
set 'firewall' 'send-redirects' 'enable'
set 'firewall' 'source-validation' 'disable'
set 'firewall' 'syn-cookies' 'enable'
set 'interfaces' 'ethernet' 'eth0' 'address' '192.168.1.1/24'
set 'interfaces' 'ethernet' 'eth0' 'firewall' 'in' 'name' 'eth0_in'
set 'interfaces' 'ethernet' 'eth0' 'firewall' 'local' 'name' 'eth0_local'
set 'interfaces' 'ethernet' 'eth1' 'address' '192.168.2.1/24'
set 'interfaces' 'ethernet' 'eth1' 'firewall' 'in' 'name' 'eth1_in'
set 'interfaces' 'ethernet' 'eth1' 'firewall' 'local' 'name' 'eth1_local'
set 'interfaces' 'ethernet' 'eth2' 'address' 'dhcp'
set 'interfaces' 'ethernet' 'eth2' 'firewall' 'in' 'name' 'eth2_in'
set 'interfaces' 'ethernet' 'eth2' 'firewall' 'local' 'name' 'eth2_local'
set 'interfaces' 'loopback' 'lo'
set 'service' 'dhcp-server' 'disabled' 'false'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'authoritative' 'enable'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'description' 'Wired Network - Eth1'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'subnet' '192.168.1.0/24' 'default-router' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'subnet' '192.168.1.0/24' 'dns-server' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'subnet' '192.168.1.0/24' 'lease' '86400'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'subnet' '192.168.1.0/24' 'ntp-server' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'subnet' '192.168.1.0/24' 'start' '192.168.1.10' 'stop' '192.168.1.100'
set 'service' 'dhcp-server' 'shared-network-name' 'wired-eth0' 'subnet' '192.168.1.0/24' 'time-server' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'authoritative' 'enable'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'description' 'Wireless Network - Eth2'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'subnet' '192.168.2.0/24' 'default-router' '192.168.2.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'subnet' '192.168.2.0/24' 'dns-server' '192.168.2.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'subnet' '192.168.2.0/24' 'lease' '86400'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'subnet' '192.168.2.0/24' 'ntp-server' '192.168.2.1'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'subnet' '192.168.2.0/24' 'start' '192.168.2.10' 'stop' '192.168.2.100'
set 'service' 'dhcp-server' 'shared-network-name' 'wireless-eth1' 'subnet' '192.168.2.0/24' 'time-server' '192.168.2.1'
set 'service' 'dns' 'forwarding' 'cache-size' '150'
set 'service' 'dns' 'forwarding' 'listen-on' 'eth0'
set 'service' 'dns' 'forwarding' 'listen-on' 'eth1'
set 'service' 'dns' 'forwarding' 'system'
set 'service' 'gui' 'https-port' '443'
set 'service' 'gui' 'listen-address' '192.168.1.1'
set 'service' 'gui' 'listen-address' '192.168.2.1'
set 'service' 'nat' 'rule' '5010' 'outbound-interface' 'eth2'
set 'service' 'nat' 'rule' '5010' 'type' 'masquerade'
set 'service' 'ssh' 'listen-address' '192.168.1.1'
set 'service' 'ssh' 'listen-address' '192.168.2.1'
set 'service' 'ssh' 'port' '22'
set 'service' 'ssh' 'protocol-version' 'v2'
set 'service' 'upnp' 'listen-on' 'eth0' 'outbound-interface' 'eth2'
set 'service' 'upnp' 'listen-on' 'eth1' 'outbound-interface' 'eth2'
set 'system' 'host-name' 'ubnt'
set 'system' 'ipv6' 'disable'
set 'system' 'login' 'user' 'ubnt' 'authentication' 'encrypted-password' '$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.'
set 'system' 'login' 'user' 'ubnt' 'level' 'admin'
set 'system' 'name-server' '208.67.222.222'
set 'system' 'name-server' '208.67.220.220'
set 'system' 'ntp' 'server' '0.ubnt.pool.ntp.org'
set 'system' 'ntp' 'server' '1.ubnt.pool.ntp.org'
set 'system' 'ntp' 'server' '2.ubnt.pool.ntp.org'
set 'system' 'ntp' 'server' '3.ubnt.pool.ntp.org'
set 'system' 'syslog' 'global' 'facility' 'all' 'level' 'notice'
set 'system' 'syslog' 'global' 'facility' 'protocols' 'level' 'debug'
set 'system' 'time-zone' 'UTC'
Established Member
Posts: 1,200
Registered: ‎06-14-2012
Kudos: 988
Solutions: 80
Contributions: 9

Re: Basic SOHO/Home Config

[ Edited ]

Because esseph is needy...

Here is a version with eth0 and eth1 bridged. Everything else is the same but adjusted for the bridge instead.

Disclaimer: I don't run an ACL-based firewall, so I may have missed something in the policy.

set 'firewall' 'all-ping' 'enable'
set 'firewall' 'broadcast-ping' 'disable'
set 'firewall' 'conntrack-expect-table-size' '4096'
set 'firewall' 'conntrack-hash-size' '4096'
set 'firewall' 'conntrack-table-size' '32768'
set 'firewall' 'conntrack-tcp-loose' 'enable'
set 'firewall' 'ipv6-receive-redirects' 'disable'
set 'firewall' 'ipv6-src-route' 'disable'
set 'firewall' 'ip-src-route' 'disable'
set 'firewall' 'log-martians' 'enable'
set 'firewall' 'name' 'LAN_IN' 'default-action' 'accept'
set 'firewall' 'name' 'LAN_IN' 'description' 'Internal network to Internet'
set 'firewall' 'name' 'LAN_LOCAL' 'default-action' 'accept'
set 'firewall' 'name' 'LAN_LOCAL' 'description' 'Internal network to router'
set 'firewall' 'name' 'WAN_IN' 'default-action' 'drop'
set 'firewall' 'name' 'WAN_IN' 'description' 'Internet to internal networks'
set 'firewall' 'name' 'WAN_IN' 'rule' '1' 'action' 'accept'
set 'firewall' 'name' 'WAN_IN' 'rule' '1' 'state' 'established' 'enable'
set 'firewall' 'name' 'WAN_IN' 'rule' '1' 'state' 'related' 'enable'
set 'firewall' 'name' 'WAN_IN' 'rule' '2' 'action' 'drop'
set 'firewall' 'name' 'WAN_IN' 'rule' '2' 'log' 'enable'
set 'firewall' 'name' 'WAN_IN' 'rule' '2' 'state' 'invalid' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'default-action' 'drop'
set 'firewall' 'name' 'WAN_LOCAL' 'description' 'Internet to router'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '1' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '1' 'state' 'established' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '1' 'state' 'related' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '2' 'action' 'drop'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '2' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '2' 'state' 'invalid' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'
set 'firewall' 'receive-redirects' 'disable'
set 'firewall' 'send-redirects' 'enable'
set 'firewall' 'source-validation' 'disable'
set 'firewall' 'syn-cookies' 'enable'
set 'interfaces' 'bridge' 'br0' 'address' '192.168.1.1/24'
set 'interfaces' 'bridge' 'br0' 'aging' '300'
set 'interfaces' 'bridge' 'br0' 'description' 'LAN'
set 'interfaces' 'bridge' 'br0' 'firewall' 'in' 'name' 'LAN_IN'
set 'interfaces' 'bridge' 'br0' 'firewall' 'local' 'name' 'LAN_LOCAL'
set 'interfaces' 'bridge' 'br0' 'hello-time' '2'
set 'interfaces' 'bridge' 'br0' 'max-age' '20'
set 'interfaces' 'bridge' 'br0' 'priority' '0'
set 'interfaces' 'bridge' 'br0' 'stp' 'false'
set 'interfaces' 'ethernet' 'eth0' 'bridge-group' 'bridge' 'br0'
set 'interfaces' 'ethernet' 'eth1' 'bridge-group' 'bridge' 'br0'
set 'interfaces' 'ethernet' 'eth2' 'address' 'dhcp'
set 'interfaces' 'ethernet' 'eth2' 'description' 'WAN'
set 'interfaces' 'ethernet' 'eth2' 'firewall' 'in' 'name' 'WAN_IN'
set 'interfaces' 'ethernet' 'eth2' 'firewall' 'local' 'name' 'WAN_LOCAL'
set 'interfaces' 'loopback' 'lo'
set 'service' 'dhcp-server' 'disabled' 'false'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'authoritative' 'enable'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'description' 'LAN Network - br0'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'subnet' '192.168.1.0/24' 'default-router' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'subnet' '192.168.1.0/24' 'dns-server' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'subnet' '192.168.1.0/24' 'lease' '86400'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'subnet' '192.168.1.0/24' 'ntp-server' '192.168.1.1'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'subnet' '192.168.1.0/24' 'start' '192.168.1.10' 'stop' '192.168.1.100'
set 'service' 'dhcp-server' 'shared-network-name' 'LAN-br0' 'subnet' '192.168.1.0/24' 'time-server' '192.168.1.1'
set 'service' 'dns' 'forwarding' 'cache-size' '150'
set 'service' 'dns' 'forwarding' 'listen-on' 'br0'
set 'service' 'dns' 'forwarding' 'system'
set 'service' 'gui' 'https-port' '443'
set 'service' 'gui' 'listen-address' '192.168.1.1'
set 'service' 'nat' 'rule' '5010' 'outbound-interface' 'eth2'
set 'service' 'nat' 'rule' '5010' 'type' 'masquerade'
set 'service' 'ssh' 'listen-address' '192.168.1.1'
set 'service' 'ssh' 'port' '22'
set 'service' 'ssh' 'protocol-version' 'v2'
set 'service' 'upnp' 'listen-on' 'br0' 'outbound-interface' 'eth2'
set 'system' 'host-name' 'ubnt'
set 'system' 'ipv6' 'disable'
set 'system' 'login' 'user' 'ubnt' 'authentication' 'encrypted-password' '$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.'
set 'system' 'login' 'user' 'ubnt' 'level' 'admin'
set 'system' 'name-server' '208.67.222.222'
set 'system' 'name-server' '208.67.220.220'
set 'system' 'ntp' 'server' '0.ubnt.pool.ntp.org'
set 'system' 'ntp' 'server' '1.ubnt.pool.ntp.org'
set 'system' 'ntp' 'server' '2.ubnt.pool.ntp.org'
set 'system' 'ntp' 'server' '3.ubnt.pool.ntp.org'
set 'system' 'syslog' 'global' 'facility' 'all' 'level' 'notice'
set 'system' 'syslog' 'global' 'facility' 'protocols' 'level' 'debug'
set 'system' 'time-zone' 'UTC'
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

[ Edited ]

One of the nice things with these example configurations from mrjester is that it keeps the pre-configured address of 192.168.1.1 on eth0 and instead uses eth2 as the WAN interface. That eliminates some of the start-up hassle of changing addresses/cables/ports.

To make this even easier to use from the GUI I've taken mrjester's config.boot file and stored it in a format the GUI can consume. So, to load this sample configuration:

1) Download Basic SOHO config to your laptop.

EDIT:
    Basic SOHO config with PPPoE client (for 3 port ER-Lite)
    Basic SOHO config with PPTP remote-access server (for 3 port ER-Lite)
    Basic SOHO config for 5 port ER-POE (for 5 port ER-POE)
    Basic SOHO config for 5 port ER-PoE bridge eth0 & switch0 (for 5 port ER-PoE)

2) Plug the laptop into the router's port 0 and change the IP address on the laptop to something in the same subnet as 192.168.1.0/24.

[Screenshot: static_ip.png]


3) verify that you can ping the router

stig-mac$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.648 ms
^C
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.648/0.648/0.648/0.000 ms

4) point your browser at 192.168.1.1, log in, click the System tab in the bottom bar and click Restore Config.

[Screenshot: restore_config (1).png]


5) Select the file you downloaded in step #1 and then you'll be prompted to reboot:

[Screenshot: restore_config2.png]


Once you've rebooted, you should of course change the default password or, even better, create your own user and delete the ubnt account.

EdgeMAX Router Software Development
New Member
Posts: 5
Registered: ‎01-30-2013
Kudos: 3

Re: Basic SOHO/Home Config

Thanks for that, I've been running pfsense in a filtered bridge config so it would be nice to be able to drop the ERL in as a replacement without needing to change things.
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

[ Edited ]

I took the sample config from post #3 and modified it for a PPPoE connection. Use the same steps as in post #3, but upload this config instead: Basic SOHO config using pppoe
Once you've rebooted it, you'll need to log in to the CLI to change the PPPoE username and password:

ubnt@ubnt:~$ configure 
ubnt@ubnt# show interfaces ethernet eth2 pppoe 0
default-route auto
firewall {
in {
name pppoe-in
}
local {
name pppoe-local
}
out {
modify pppoe-out
}
}
mtu 1492
name-server auto
password secret
user-id joe

ubnt@ubnt# set interfaces ethernet eth2 pppoe 0 user-id <your userid>
ubnt@ubnt# set interfaces ethernet eth2 pppoe 0 password <your password>
ubnt@ubnt# commit
ubnt@ubnt# save; exit
Saving configuration to '/config/config.boot'...
Done
exit
ubnt@ubnt:~$
EdgeMAX Router Software Development
Member
Posts: 148
Registered: ‎04-28-2011
Kudos: 5
Solutions: 1

Re: Basic SOHO/Home Config

Hey stig, thanks for that PPPoE one, works here in Aus!!

Only issue, and I guess it's just some config changes, but I need to change the eth0 subnet and DHCP server to 192.168.100.254/24.

I add the IP to eth0 in the GUI, disable the 1.1 DHCP server and add my own reflecting the 100.0/24 subnet.

Once I do this, the router kicks me out, even if I statically set my IP to 192.168.100.1.
I cannot access it again, or the internet.


Can you assist?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

Hey stig, thanks for that PPPoE one, works here in Aus!!

Only issue, and I guess it's just some config changes, but I need to change the eth0 subnet and DHCP server to 192.168.100.254/24.

I add the IP to eth0 in the GUI, disable the 1.1 DHCP server and add my own reflecting the 100.0/24 subnet.

Once I do this, the router kicks me out, even if I statically set my IP to 192.168.100.1.
I cannot access it again, or the internet.


Can you assist?
Without seeing the config we'd only be guessing.
EdgeMAX Router Software Development
Member
Posts: 148
Registered: ‎04-28-2011
Kudos: 5
Solutions: 1

Re: Basic SOHO/Home Config

Hi, it's your PPPoE config as above; however, here is a snippet.

I need my LAN IP to be 192.168.100.254 and a DHCP server activated on that,

replacing 192.168.1.1.


ubnt@RTR1:~$ show configuration
firewall {
all-ping enable
broadcast-ping disable
conntrack-expect-table-size 4096
conntrack-hash-size 4096
conntrack-table-size 32768
conntrack-tcp-loose enable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify pppoe-out {
default-action accept
description "TCP clamping"
rule 1 {
action modify
modify {
tcp-mss 1452
}
protocol tcp
tcp {
flags SYN
}
}
}
name eth0-in {
default-action accept
description "Wired network to other networks."
}
name eth0-local {
default-action accept
description "Wired network to router."
}
name eth1-in {
default-action accept
description "Wireless network to other networks"
}
name eth1-local {
default-action accept
description "Wireless network to router."
}
name pppoe-in {
default-action drop
description "Internet to internal networks"
rule 1 {
action accept
description "Allow established/related"
log disable
state {
established enable
related enable
}
}
rule 2 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
}
name pppoe-local {
default-action drop
description "Internet to router"
rule 1 {
action accept
description "Allow established/related"
log disable
state {
established enable
related enable
}
}
rule 2 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
rule 5 {
action accept
description "ICMP 50/m"
limit {
burst 1
rate 50/minute
}
log enable
protocol icmp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.1.1/24
description LAN
firewall {
in {
name eth0-in
}
local {
name eth0-local
}
}
}
ethernet eth1 {
address 192.168.2.1/24
description WLAN
firewall {
in {
name eth1-in
}
local {
name eth1-local
}
}
}
ethernet eth2 {
description PPPOE
pppoe 0 {
default-route auto
firewall {
in {
name pppoe-in
}
local {
name pppoe-local
}
out {
modify pppoe-out
}
}
mtu 1492
name-server auto
password ****************
user-id *********
}
}
loopback lo {
}
}
service {
dhcp-server {
disabled false
shared-network-name wired-eth0 {
authoritative disable
description "Wired Network - Eth1"
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
ntp-server 192.168.1.1
start 192.168.1.10 {
stop 192.168.1.100
}
time-server 192.168.1.1
}
}
shared-network-name wireless-eth1 {
authoritative disable
description "Wireless Network - Eth2"
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
ntp-server 192.168.2.1
start 192.168.2.10 {
stop 192.168.2.100
}
time-server 192.168.2.1
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth0
listen-on eth1
system
}
}
gui {
https-port 443
listen-address 192.168.1.1
listen-address 192.168.2.1
}
nat {
rule 5010 {
log disable
outbound-interface pppoe0
protocol all
type masquerade
}
}
snmp {
community snmp {
}
}
ssh {
listen-address 192.168.1.1
listen-address 192.168.2.1
port 22
protocol-version v2
}
upnp {
listen-on eth0 {
outbound-interface pppoe0
}
listen-on eth1 {
outbound-interface pppoe0
}
}
}
system {
host-name RTR1
ipv6 {
disable
}
login {
user ubnt {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 61.9.194.49
name-server 61.9.195.193
ntp {
server 0.au.pool.ntp.org {
}
server 1.au.pool.ntp.org {
}
server 2.au.pool.ntp.org {
}
server 3.au.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
ubnt@RTR1:~$
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

Hi, it's your PPPoE config as above; however, here is a snippet.

I need my LAN IP to be 192.168.100.254 and a DHCP server activated on that,

replacing 192.168.1.1.
Since you're getting rid of the address on eth0, I suggest plugging your laptop into eth1. You'll get an address in the 192.168.2.0/24 subnet. Then:

1) point your browser at 192.168.2.1
2) delete dhcp server for 192.168.1.0/24
3) delete address on eth0 and replace with 192.168.100.254/24
4) add dhcp server for new subnet
EdgeMAX Router Software Development
Member
Posts: 148
Registered: ‎04-28-2011
Kudos: 5
Solutions: 1

Re: Basic SOHO/Home Config

Thanks, done that and the internet works, and DHCP on the new range.

I cannot access the router via web GUI or SSH on that interface, though. Is there something blocking me?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

Thanks, done that and the internet works, and DHCP on the new range.
I cannot access the router via web GUI or SSH on that interface, though. Is there something blocking me?


configure
delete service gui listen-address 192.168.1.1
set service gui listen-address <new LAN address>
commit
save
exit

Same thing for "service ssh".
EdgeMAX Router Software Development
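Two points in this thread can be checked mechanically: that the GUI and SSH are reachable only from eth0/eth1 in mrjester's config (post #1, which binds them with listen-address and puts default-drop rulesets on eth2), and that those listen-address values must follow the LAN address when it changes (the exchange just above). The Python below is an added example, not code from the thread or from Ubiquiti: it parses a set-style dump such as the one in post #1 into key paths and audits the WAN rulesets and the listen-address/listen-on bindings. The parser, the wording of the checks and the SAMPLE excerpt are my own constructions.

```python
"""Audit a set-style EdgeOS config dump for the management-exposure points
made in the thread: the WAN rulesets default to drop, and GUI, SSH, UPnP and
DNS forwarding are reachable only from the LAN side. Added example; the parser,
check names and the constructed SAMPLE excerpt are mine, not the thread's."""
import shlex

# Constructed excerpt in the same set-command form as the posted config.
SAMPLE = """\
set 'firewall' 'name' 'eth0_in' 'default-action' 'accept'
set 'firewall' 'name' 'eth2_in' 'default-action' 'drop'
set 'firewall' 'name' 'eth2_local' 'default-action' 'drop'
set 'interfaces' 'ethernet' 'eth0' 'address' '192.168.1.1/24'
set 'interfaces' 'ethernet' 'eth1' 'address' '192.168.2.1/24'
set 'interfaces' 'ethernet' 'eth2' 'address' 'dhcp'
set 'interfaces' 'ethernet' 'eth2' 'firewall' 'in' 'name' 'eth2_in'
set 'interfaces' 'ethernet' 'eth2' 'firewall' 'local' 'name' 'eth2_local'
set 'service' 'gui' 'listen-address' '192.168.1.1'
set 'service' 'gui' 'listen-address' '192.168.2.1'
set 'service' 'ssh' 'listen-address' '192.168.1.1'
set 'service' 'upnp' 'listen-on' 'eth0' 'outbound-interface' 'eth2'
set 'service' 'dns' 'forwarding' 'listen-on' 'eth0'
"""


def parse_set_lines(text):
    """Return one token path per 'set ...' line, with the quoting removed."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quote inside a description string
            tokens = line.split()
        paths.append(tokens[1:])
    return paths


def values(paths, *prefix):
    """Every value that directly follows the given key path, in config order."""
    n = len(prefix)
    return [p[n] for p in paths if len(p) > n and tuple(p[:n]) == prefix]


def lan_addresses(paths, wan):
    """Addresses on non-WAN ethernet/bridge interfaces, without the prefix length."""
    addrs = set()
    for p in paths:
        if (len(p) == 5 and p[0] == "interfaces" and p[1] in ("ethernet", "bridge")
                and p[3] == "address" and p[2] != wan and p[4] != "dhcp"):
            addrs.add(p[4].split("/")[0])
    return addrs


def audit(text, wan="eth2"):
    """Return a list of findings; an empty list means every check passed."""
    paths = parse_set_lines(text)
    findings = []
    lan = lan_addresses(paths, wan)

    # 1. The WAN interface needs an 'in' and a 'local' ruleset whose default-action is drop.
    for direction in ("in", "local"):
        names = values(paths, "interfaces", "ethernet", wan, "firewall", direction, "name")
        if not names:
            findings.append(f"{wan} has no '{direction}' firewall ruleset")
        for name in names:
            action = values(paths, "firewall", "name", name, "default-action")
            if action != ["drop"]:
                findings.append(f"ruleset {name} ({wan} {direction}) default-action is "
                                f"{action[0] if action else 'unset'}, expected drop")

    # 2. Management services must be bound to LAN addresses; with no listen-address
    #    at all the daemon answers on every interface, the WAN included.
    for svc in ("gui", "ssh"):
        listen = values(paths, "service", svc, "listen-address")
        if not listen:
            findings.append(f"service {svc} has no listen-address, so it also answers on {wan}")
        for addr in listen:
            if addr not in lan:
                findings.append(f"service {svc} listens on {addr}, which is not a configured LAN address")

    # 3. UPnP and the DNS forwarder are interface-bound; neither may name the WAN.
    for svc, key in (("upnp", ("service", "upnp", "listen-on")),
                     ("dns forwarding", ("service", "dns", "forwarding", "listen-on"))):
        for iface in values(paths, *key):
            if iface == wan:
                findings.append(f"{svc} listens on the WAN interface {wan}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it against the output of `show configuration commands` after any address change: moving eth0 to 192.168.100.254/24 without touching the gui and ssh listen-address lines produces a "listens on 192.168.1.1, which is not a configured LAN address" finding for each service, which is exactly the lock-out described above.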
Member
Posts: 148
Registered: ‎04-28-2011
Kudos: 5
Solutions: 1

Re: Basic SOHO/Home Config

Great thanks

Can you have a quick look at my config and check all is secure and my router is ready to go!

also, is UPNP enabled in this one?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

[ Edited ]

Here's another example configuration which starts with mrjester's config in post #1, then adds config for a PPTP remote VPN and opens the appropriate firewall rules for it. Follow the steps in post #3 with the config below:

 

Basic SOHO config with PPTP server

The additional firewall rules are for the WAN local interface (eth2) and allow tcp destination port 1723 (PPTP) and protocol GRE.

[Screenshot: pptp_fw.png]



The PPTP remote-access VPN config looks like:

ubnt@ubnt# show vpn
pptp {
remote-access {
authentication {
local-users {
username joe {
password secret
}
}
mode local
}
client-ip-pool {
start 10.15.0.1
stop 10.15.0.254
}
dhcp-interface eth2
dns-servers {
server-1 8.8.8.8
}
mtu 1492
}
}



Note: currently the GUI only supports PPTP with a static outside address, but these example configurations have been using a DHCP client to get a dynamic address. Therefore this part of the config had to be done via the CLI. Instead of configuring "outside-address" we have configured the "dhcp-interface".

The "client-ip-pool" I used in this example is from 10.15.0.0/24. This was picked arbitrarily and you could use any private address range (rfc1918 private internets).

Before using this example you'll want to delete the test "local-user" and either define your own "local-users" or configure it to use RADIUS authentication.

ubnt@ubnt:~$ configure 

ubnt@ubnt# edit vpn pptp remote-access authentication

ubnt@ubnt# delete local-users username joe

ubnt@ubnt# set local-users username <your username> password <your password>

ubnt@ubnt# top

ubnt@ubnt# commit

ubnt@ubnt# save

ubnt@ubnt# exit
exit



Or to use radius:

ubnt@ubnt:~$ configure 

ubnt@ubnt# edit vpn pptp remote-access authentication

ubnt@ubnt# delete local-users

ubnt@ubnt# set mode radius

ubnt@ubnt# set radius-server <server address> key <shared secret>

ubnt@ubnt# commit

ubnt@ubnt# save
Saving configuration to '/config/config.boot'...
Done

ubnt@ubnt# exit
exit



If you want to access the VPN from inside your network, you may need to add a NAT masquerade rule for the PPTP client-ip-pool. In this example I added the following:

[Screenshot: pptp_nat.png]

EdgeMAX Router Software Development
New Member
Posts: 31
Registered: ‎08-06-2010
Kudos: 12
Solutions: 1

Re: Basic SOHO/Home Config

The link (for the "Basic SOHO config restore file") in UBNT-stig's post #3 is not working.
UBNT-stig, can you look into that and correct the link? Thanks.
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

The link (for the "Basic SOHO config restore file") in UBNT-stig's post #3 is not working.
UBNT-stig, can you look into that and correct the link? Thanks.
Sorry about that - try now.
EdgeMAX Router Software Development
New Member
Posts: 31
Registered: ‎08-06-2010
Kudos: 12
Solutions: 1

Re: Basic SOHO/Home Config

Nice, it's working now - THANKS!!!!!
New Member
Posts: 5
Registered: ‎05-05-2008

Re: Basic SOHO/Home Config

Could someone help me create a default DROP on the LAN out, with the exception of known ports like 80, 443, 25, 110, etc.?
I've tried without luck...
Thanks
Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 346
Solutions: 288

Re: Basic SOHO/Home Config

Could someone help me create a default DROP on the LAN out, with the exception of known ports like 80, 443, 25, 110, etc.?

I've tried without luck...

Thanks


Could you post your firewall configuration?
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

Could someone help me create a default DROP on the LAN out, with the exception of known ports like 80, 443, 25, 110, etc.?

I've tried without luck...

Thanks

Assuming you're using the example config where eth2 is the WAN port, something like this may work:
configure 
set firewall group port-group OK_PORTS port 53
set firewall group port-group OK_PORTS port 80
set firewall group port-group OK_PORTS port 443
set firewall group port-group OK_PORTS port 25
set firewall group port-group OK_PORTS port 110
set firewall group port-group OK_PORTS port 123
commit

set firewall name WAN_OUT default-action drop
set firewall name WAN_OUT rule 10 destination group port-group OK_PORTS
set firewall name WAN_OUT rule 10 action accept
commit

set interfaces ethernet eth2 firewall out name WAN_OUT
commit
save
exit


This could've been done from the GUI also, but it's too early on a Monday morning to be making screen shots. ;-)
EdgeMAX Router Software Development
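To see concretely what the egress filter above admits and drops, here is a small model of EdgeOS ruleset evaluation: rules are tried in number order, the first match decides, and the ruleset's default-action applies otherwise. This is an added example of my own, not stig's or Ubiquiti's code; the rule and packet dictionaries are a constructed representation of the posted WAN_OUT ruleset. WAN_OUT_STATEFUL is my own variant that puts an established/related accept ahead of the port-group rule: the posted ruleset lacks one, which matters as soon as the router forwards an inbound connection (the UPnP service in these example configs opens such ports on demand), because the reply packets leave eth2 toward the client's ephemeral destination port and would otherwise hit the default drop.

```python
"""Model EdgeOS-style ruleset evaluation (first matching rule wins, else the
default-action) for the WAN_OUT egress filter posted above. Added example, not
the thread's own code; rules, packets and the port-group set are constructed."""

# The port-group from the post; 53 and 123 are there so DNS and NTP keep working.
PORT_GROUPS = {"OK_PORTS": {53, 80, 443, 25, 110, 123}}


def rule(number, action, *, protocol=None, dst_port_group=None, states=None):
    """One numbered firewall rule; unset match fields match anything."""
    return {"number": number, "action": action, "protocol": protocol,
            "dst_port_group": dst_port_group, "states": set(states or [])}


def matches(r, pkt):
    """True when every match field set on the rule agrees with the packet."""
    if r["protocol"] and r["protocol"] != pkt["protocol"]:
        return False
    if r["dst_port_group"] and pkt.get("dport") not in PORT_GROUPS[r["dst_port_group"]]:
        return False
    if r["states"] and pkt["state"] not in r["states"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """Return (action, rule number) for the first matching rule, or the default."""
    for r in sorted(ruleset["rules"], key=lambda r: r["number"]):
        if matches(r, pkt):
            return r["action"], r["number"]
    return ruleset["default_action"], None


# Exactly the ruleset from the post: default drop, accept only OK_PORTS destinations.
WAN_OUT = {"default_action": "drop",
           "rules": [rule(10, "accept", dst_port_group="OK_PORTS")]}

# My variant: let replies of already-tracked connections out before the port check,
# so forwarded inbound sessions (e.g. UPnP-opened ports) are not cut off.
WAN_OUT_STATEFUL = {"default_action": "drop",
                    "rules": [rule(5, "accept", states=["established", "related"]),
                              rule(10, "accept", dst_port_group="OK_PORTS")]}

# Constructed packets as seen on eth2 in the 'out' direction.
PACKETS = {
    "https":           {"protocol": "tcp", "dport": 443,   "state": "new"},
    "alt-http":        {"protocol": "tcp", "dport": 8080,  "state": "new"},
    "dns-udp":         {"protocol": "udp", "dport": 53,    "state": "new"},
    "forwarded-reply": {"protocol": "tcp", "dport": 51234, "state": "established"},
}


def compare():
    """Map packet name -> (verdict under WAN_OUT, verdict under WAN_OUT_STATEFUL)."""
    return {name: (evaluate(WAN_OUT, p)[0], evaluate(WAN_OUT_STATEFUL, p)[0])
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (plain, stateful) in compare().items():
        print(f"{name:16} WAN_OUT={plain:6} WAN_OUT_STATEFUL={stateful}")
```

The only packet the two rulesets disagree on is the forwarded reply to port 51234: outbound browsing and DNS behave the same either way, so the extra rule costs nothing for the case the poster asked about while keeping any UPnP- or port-forward-initiated session alive.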
New Member
Posts: 5
Registered: ‎05-05-2008

Re: Basic SOHO/Home Config

Thanks a lot... I will try!!