New Member
Posts: 13
Registered: ‎03-02-2013
Kudos: 2

Re: Basic SOHO/Home Config

Thanks for these example configs. I thought I'd fire this up and have it running in 10 minutes flat over my lunch break last night. Boy, was I wrong. My first configs were awful and network performance reflected that.

Blazing fast now
Thanks again
New Member
Posts: 8
Registered: ‎09-22-2012
Kudos: 1

Re: Basic SOHO/Home Config

I am using the EdgeMax Lite and an RP 750GL for the hotspot at my ISP. I have 88 clients, and at peak time (at night) there are between 60 and 75 clients online, with a latency of 10ms. I am satisfied with it; it could be better if it were multi-WAN, that's all. Apart from that the equipment is a 10 out of 10, and I only use the basics with it.
Member
Posts: 191
Registered: ‎04-02-2013
Kudos: 132
Solutions: 2

Re: Basic SOHO/Home Config

I found that I wanted the Bridged config and had to create the .tar.gz file manually.  Here that file is if anyone needs it!

Attachment
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

[ Edited ]

bradynapier wrote:

I found that I wanted the Bridged config and had to create the .tar.gz file manually.  Here that file is if anyone needs it!


Thanks.  

 

BTW, the latest version v1.1 supports loading just a raw config.boot file without requiring the tar.gz of the whole config directory. See EdgeMAX v1.1 Release Notes

EdgeMAX Router Software Development
New Member
Posts: 22
Registered: ‎08-29-2011
Kudos: 5

Re: Basic SOHO/Home Config

[ Edited ]

I can get to the web GUI and SSH locally, but how do I enable the web GUI and SSH on the WAN port?

 

I believe I have the ports open on my firewall because I can see the rules being hit, but I cannot access the EdgeMax web GUI or SSH remotely.

Established Member
Posts: 1,200
Registered: ‎06-14-2012
Kudos: 988
Solutions: 80
Contributions: 9

Re: Basic SOHO/Home Config

Add the WAN interface addresses to the ssh and gui listen address statements.

 

set service ssh listen-address <wanaddress>
set service gui listen-address <wanaddress>

If your WAN address is dynamic, then you will need to remove the listen-address statements altogether.

 

delete service ssh listen-address
delete service gui listen-address

 

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

[ Edited ]

hermster wrote:

I can get to the web GUI and SSH locally, but how do I enable the web GUI and SSH on the WAN port?

 

I believe I have the ports open on my firewall because I can see the rules being hit, but I cannot access the EdgeMax web GUI or SSH remotely.


There are 2 things you'd need to change to access either GUI or SSH from the outside.

1) On the WAN_LOCAL firewall, allow TCP destination port 443 for the GUI and/or TCP port 22 for SSH.

2) The example config has both the GUI and SSH listening only on the LAN address, so you'd either need to add the WAN address or disable the listen-address option altogether.

 

Note: allowing GUI or SSH access from the WAN does open you up to potential threats, so you'd better have a strong password. You WILL see attempted connections when those ports are open, so I would add logging to the firewall rule that allows that access. If you know the source address(es) from the outside that you'll be using, then you can make it more secure by changing the firewall rule to only accept from those specific address(es). Another thing you can do is change the default port that SSH and/or the GUI run on.

EdgeMAX Router Software Development
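As an added example (not from this thread or from Ubiquiti), the following Python script parses a config.boot excerpt in the same brace format the configs posted here use and lists every WAN_LOCAL rule that accepts unsolicited traffic to the router, reporting whether each one is restricted to a source address and whether it is logged, the two hardening steps described above. The sample ruleset and the 203.0.113.10 address are constructed for the example; the audit skips accept rules that only match established/related state, since those are the stateful return path rather than an open port.

```python
def parse_config(text):
    """Brace-delimited config.boot -> nested dicts; repeated leaves -> lists."""
    root = node = {}
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("/*"):   # blanks and trailing version comments
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):                # 'rule 3 {' opens a child block
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        else:                                   # 'port 1723' or a bare flag like 'system'
            key, _, value = line.partition(" ")
            node.setdefault(key, []).append(value.strip().strip('"'))
    return root

def audit_wan_local(cfg, ruleset="WAN_LOCAL"):
    """(rule, proto, port, source_restricted, logged) for accept rules that open the router."""
    fw = cfg.get("firewall", {}).get("name " + ruleset, {})
    findings = []
    for key, rule in fw.items():
        if not key.startswith("rule ") or rule.get("action") != ["accept"]:
            continue
        state = rule.get("state", {})
        if state and "new" not in state:
            continue                            # established/related only: return path
        dest = rule.get("destination", {})
        port = dest.get("port", dest.get("group", {}).get("port-group", ["any"]))[0]
        findings.append((int(key.split()[1]), rule.get("protocol", ["all"])[0],
                         port, "source" in rule, rule.get("log") == ["enable"]))
    return findings

# Constructed WAN_LOCAL excerpt: rule 3 opens PPTP to the whole Internet unlogged; rule 7 is the hardened form.
SAMPLE = """firewall {
    name WAN_LOCAL {
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 3 {
            action accept
            destination {
                port 1723
            }
            protocol tcp
        }
        rule 7 {
            action accept
            log enable
            protocol tcp
            source {
                address 203.0.113.10
            }
        }
    }
}"""
```

Running `audit_wan_local(parse_config(SAMPLE))` reports rule 3 as unrestricted and unlogged and rule 7 as source-restricted and logged; point it at a full config.boot to review the rules the router really has.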
New Member
Posts: 22
Registered: ‎08-29-2011
Kudos: 5

Re: Basic SOHO/Home Config

Great, that worked. Is listen-port the command to change the port number? Did someone make this SOHO config with eth0 and eth1 bridged and with VPN?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config

[ Edited ]

hermster wrote:

Did someone make this SOHO config with eth0 and eth1 bridged and with VPN?


In post 13 of this thread I added a PPTP remote-access VPN. Is that what you're looking for, or some other flavor of VPN?

EdgeMAX Router Software Development
New Member
Posts: 22
Registered: ‎08-29-2011
Kudos: 5

Re: Basic SOHO/Home Config

I want the VPN with ports 0 and 1 bridged along with DynDNS, which I think I can figure out.

New Member
Posts: 12
Registered: ‎04-11-2013
Kudos: 58

Re: Basic SOHO/Home Config

Hi - I recently purchased the EdgeMax Lite. I would like to understand if the configuration provided in this post, which I think is the same as the one provided (ubnt_erl_2lan_w_dhcp.tar.gz) here:

http://www.smallnetbuilder.com/lanwan/lanwan-howto/32014-how-to-configure-your-ubiquiti-edgerouter-l...

 
is at least as secure as a properly configured consumer router offered by Netgear or Linksys etc. I am new to router/network scripting, but I am not new to Linux/Unix OSes or writing scripts.
 
I uploaded the above configuration, which establishes two separate networks (eth1 & eth2) and the uplink/WAN on eth0. Prior to installing the EdgeMax, I had a similar setup utilizing a switch uplinked to the WAN and downlinked to two routers. I still have one router in place between the EdgeMax and my network because I am unsure how secure this basic configuration is compared to my previous setup utilizing a consumer Netgear router.
 
Is it safe to remove the Netgear router in between the EdgeMax and my network?
 
I plan to learn the scripting side at some point in the future, but I would prefer to use the GUI for now, as I am also afraid a scripting mistake could cause a security issue.
 
Thank you in advance for any insight/help.
Aaron
Emerging Member
Posts: 45
Registered: ‎04-10-2013
Kudos: 14
Solutions: 1

Re: Basic SOHO/Home Config


one1otter wrote:

Hi - I recently purchased the EdgeMax Lite. I would like to understand if the configuration provided in this post, which I think is the same as the one provided (ubnt_erl_2lan_w_dhcp.tar.gz) here:

http://www.smallnetbuilder.com/lanwan/lanwan-howto/32014-how-to-configure-your-ubiquiti-edgerouter-l...

 
is at least as secure as a properly configured consumer router offered by Netgear or Linksys etc.


I'm far from an expert on firewalls in routers, but I believe consumer-level routers almost universally have preconfigured SPI (Stateful Packet Inspection) firewalls.  Other firewall features are just additions - like blocking certain domains, time-controlled blocking for parental controls, etc., but the basic core firewall is SPI.

 

Take a look at the firewall tab in the ERL GUI and you'll see it recognizes "states" (established, invalid, new, related) - that's what an SPI firewall is.  It recognizes the state of each packet and acts on it.  So it is an SPI firewall, by definition.

 

It should be quite secure; it's set to drop all incoming packets not requested by an internal network client, and that's that. Pretty basic, but if every unsolicited external packet is dropped it should be at least as secure as a consumer-level router. Other consumer firewall features (port forwarding, etc.) only serve to open up this rather absolute lockdown, actually making it a little less secure.

Technicolor DCM476 - Ubiquiti EdgeRouter Lite - NETGEAR GS108T switch - ASUS RT-N66U (as AP)
New Member
Posts: 22
Registered: ‎08-29-2011
Kudos: 5

Re: Basic SOHO/Home Config

[ Edited ]

Can someone post a config with the VPN from post 13 and ports 1 and 2 bridged? I cannot seem to get it to work correctly.

New Member
Posts: 22
Registered: ‎08-29-2011
Kudos: 5

Re: Basic SOHO/Home Config

So my VPN client connects ok and I get an IP address but I can access any addresses on the 192 subnet.. I've attached my config

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        port-group OK_PORTS {
            description "Router Local Ports"
            port 822
            port 8443
            port 5900
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Internal network to Internet"
    }
    name LAN_LOCAL {
        default-action accept
        description "Internal network to router"
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Allow PPTP"
            destination {
                port 1723
            }
            log enable
            protocol tcp
        }
        rule 4 {
            action accept
            description "Allow GRE for PPTP VPN"
            log disable
            protocol gre
        }
        rule 5 {
            action accept
            description "ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
        rule 6 {
            action accept
            description "Ports forward to router"
            destination {
                group {
                    port-group OK_PORTS
                }
            }
            log enable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 192.168.1.99/24
        aging 300
        description LAN
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        hello-time 2
        max-age 20
        priority 0
        stp false
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
        duplex auto
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN-br0 {
            authoritative disable
            description "LAN Network - br0"
            subnet 192.168.1.0/24 {
                default-router 192.168.1.99
                dns-server 192.168.1.99
                lease 86400
                ntp-server 192.168.1.99
                start 192.168.1.100 {
                    stop 192.168.1.200
                }
                static-mapping paulsimac {
                    ip-address 192.168.1.200
                    mac-address c8:2a:14:1d:f6:95
                }
                time-server 192.168.1.99
            }
        }
    }
    dns {
        dynamic {
            interface eth2 {
                service dyndns {
                    host-name XXX.homeip.net
                    login XXXX
                    password XXX
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on br0
            listen-on eth2
            system
        }
    }
    gui {
        https-port 8443
    }
    nat {
        rule 1 {
            description VNC_iMAC
            destination {
                address 192.168.1.200
                port 5900
            }
            inbound-interface br0
            inside-address {
                port 5900
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5010 {
            description "masquerade from br0 LAN"
            log disable
            outbound-interface eth2
            protocol all
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
        rule 5020 {
            description "masquerade PPTP subnet"
            log disable
            outbound-interface eth2
            protocol all
            source {
                address 10.15.0.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 822
        protocol-version v2
    }
    upnp {
        listen-on br0 {
            outbound-interface eth2
        }
    }
}
system {
    host-name ubnt
    ipv6 {
        disable
    }
    login {
        user admin {
            authentication {
                encrypted-password $6$YphN9MssZgybYyq$MMNmji1atQknV06QqQB7Sh6l.GvS.Hy6u6LwcS7/SW1ysoKoU27owCQo/n/klYgnsGVMqMcRJsaHQixYHwQ760
                plaintext-password ""
            }
            full-name "Hermarys Admin"
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username admin {
                        password XXXXX
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.15.0.1
                stop 10.15.0.254
            }
            dhcp-interface eth2
            dns-servers {
                server-1 8.8.8.8
            }
            mtu 1492
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.1.0.4543695.130312.1019 */

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config


hermster wrote:

So my VPN client connects ok and I get an IP address but I can access any addresses on the 192 subnet.. I've attached my config


Did you set up your client to use the VPN as the default gateway (for example on Windows there is a checkbox for this) or set up static routes on the client?

New Member
Posts: 22
Registered: ‎08-29-2011
Kudos: 5

Re: Basic SOHO/Home Config


UBNT-ancheng wrote:

hermster wrote:

So my VPN client connects ok and I get an IP address but I can access any addresses on the 192 subnet.. I've attached my config


Did you set up your client to use the VPN as the default gateway (for example on Windows there is a checkbox for this) or set up static routes on the client?


Where is this option on OSX?

Member
Posts: 199
Registered: ‎04-14-2013
Kudos: 78
Solutions: 5

Re: Basic SOHO/Home Config

@ UBNT-stig & mblackmore

 

Your posts here and here show a tcp-clamping modify rule with default-action configured.

 

The default-action in the modify rule, how is this done? In 1.1.0 the CLI doesn't seem to support this setting. 

 

modify pppoe-out {
    default-action accept
    description "TCP clamping"
    rule 1 {
        action modify
        modify {
            tcp-mss 1452
        }
        protocol tcp
        tcp {
            flags SYN
        }
    }
}

 

The CLI only allows setting default-action under name, not under modify.

 

ubnt@ubnt# set firewall name test 
default-action      description         enable-default-log  rule                
[edit]
ubnt@ubnt# set firewall modify test 
description         enable-default-log  rule                
[edit]
ubnt@ubnt# set firewall modify test default-action accept
The specified configuration node is not valid
Set failed
[edit]
ubnt@ubnt# 

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

That was probably done with the previous version (v1.0.2). In v1.1.0 the setting was removed and the behavior defaults to "accept" so it's no longer necessary to set the default action. We should update those configs of course. Thanks for reporting this.

Member
Posts: 199
Registered: ‎04-14-2013
Kudos: 78
Solutions: 5

Re: Basic SOHO/Home Config

[ Edited ]

I understand the reasoning, but the default is set to DROP. It requires a manual ACCEPT rule.

 

ubnt@ubnt# show firewall modify
 modify pppoe0-out {
     rule 1 {
         action modify
         modify {
             tcp-mss 1452
         }
         protocol tcp
         tcp {
             flags SYN
         }
     }
     rule 1000 {
         action accept
     }
 }
[edit]
ubnt@ubnt# exit
exit
ubnt@ubnt:~$ show firewall modify
--------------------------------------------------------------------------------
IPv4 Modify Firewall "pppoe0-out":

 Active on (pppoe0,OUT)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
1     modify   tcp       416      25968                                   
  condition - tcp tcp-flags SYN TCPMSS set 1452                                 

1000  accept   all       4020885  255456413                               

10000 drop     all       0        0                                       

ubnt@ubnt:~$ 

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

Ah, that looks like a problem with the "show" command. When I looked at the iptables directly it does show a "RETURN" action, which is "accept". Can you confirm this with the iptables command "sudo iptables -t mangle -L pppoe0-out -vn"? If that is the case, of course we'll need to fix the show command (it probably has a hard-coded action somewhere). Thanks for catching this.
