Edgerouter Lite Configuration

  • curdoorswildgiloud
  • Aug 15, 2023
  • 6 min read


Consult the EdgeRouter Lite User Guide for information on accessing the EdgeOS configuration interface for the first time. Basically, the steps are: connect a machine to the eth0 port on the ERL, manually configure your machine to have an address in the 192.168.1.x subnet, then point your web browser at 192.168.1.1. This will bring up the configuration interface in your browser.







To make changes to the configuration you must enter configuration mode by entering the configure command. Configuration mode has show and set commands for displaying and modifying configuration variables, respectively, along with an assortment of other commands.


The configuration itself is hierarchical, with sections that may contain settings or subsections. For example, there is an interfaces section which holds the configurations for network interfaces and a firewall section which contains the firewall rules.


Changes made while in configuration mode are staged until they are committed with the commit command, at which point they go into effect, or they can be discarded using the discard command. To save the changes to the default configuration use the save command, and the exit command will return to operational mode. The default configuration is stored in a plain text file at /config/config.boot.


The SOHO Edgemax Example in the Edgemax Wiki is a good resource in that it tells you what the configuration changes are. But when I tried to follow it, I screeched to an early halt because the first thing it has you do is change your LAN connection from the default port 0 (eth0) to port 1 (eth1). If you are not careful how you do this, you end up disconnected from the router admin and need to reset to start all over again.


This post in the Ubiquiti Forums also has some basic SOHO configurations with PPPoE client and PPTP remote-access server for the three port EdgeRouter Lite and a basic SOHO configuration for the newer five port EdgeRouter-POE.


5) Respond to the prompt to reboot the router to apply the configuration. When the reboot starts, move your computer from port 0 to port 1. This is because both configurations change the LAN connection from port 0 to port 1. Connect your modem or internet connection device to port 0. Wait about a minute for the router to reboot.


The config.boot file is the only thing you need to edit if you want to modify a configuration offline. But you must then tar and gzip the entire config folder contents before you can use the Restore Config button. If you try to just restore the config.boot file using that button, you will get an error. I used 7-zip to tar, then gzip the tar file before upload.


This is a two-part series on how to configure EdgeRouter Lite in a home environment using the command line interface. Part one will mostly focus on what I think is a typical home environment (US only) with optional configurations. The configurations covered here should be enough to get a home user going.


Part two will talk about mostly my configuration, which I think is not a typical home network setup. Though, I am not doing a lot of fancy stuff with my router. Mostly, just adding functionality for my wants and/or needs.


UPDATE: While there are some security related configurations covered in this series, there are still some security concerns with the configuration. That said, I created the Hardening EdgeRouter Lite series to address some of the security concerns. Please check the links above.


To create a new account, issue the commands below. Do not worry about the plaintext part of the syntax. Once the configuration has been committed, the router automatically replaces it with an encrypted password.


This section talks about everything system related, like DNS, NTP, time zone, etc. The configuration statements below show how to configure the domain name of the router, desired host name, DNS server, time zone, and NTP servers. The NTP statements below are set by default.


The traffic analysis configuration is optional. Traffic analysis uses deep packet inspection (DPI) which allows EdgeOS to know what applications are traversing the router and integrate it with the traffic analysis feature so users can see which IP addresses are using the most bandwidth and what application. Not all applications will be categorized properly.


Next is the DNS forwarding service. These configuration statements direct the system to forward DNS requests to name servers configured on the router. I believe the default DNS cache is set to 128 entries.


The firewall configuration can be pretty simple. With the set port-forward auto-firewall enable command, Ubiquiti made it even simpler for users, since it will automatically add firewall rules if the user creates port forwarding rule(s).


Committed changes are not persistent across reboots. Use the save command to write the changes to the plain-text configuration file, which is available at /config/config.boot. Note: entering ? reveals that save can also save the configuration to an SCP, FTP, or TFTP location.
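Because config.boot is plain text with the hierarchy described above, it can be checked offline before it is packed up for Restore Config. The following is an added example, not code from the original article or from Ubiquiti: it flattens the sections into setting paths and flags two things this page mentions, a plaintext-password value that has not been replaced by its encrypted form and an enabled port-forward auto-firewall. It assumes the usual brace-delimited section layout; the sample text, the user name admin2, and the function names flatten and audit are constructed for illustration.

```python
# Constructed sample in config.boot's brace-delimited layout (not from a real router).
SAMPLE = """\
port-forward {
    auto-firewall enable
    wan-interface eth0
}
system {
    login {
        user admin2 {
            authentication {
                plaintext-password "changeme"
            }
            level admin
        }
    }
}
/* trailing comment lines are ignored */
"""

def flatten(text):
    """Return [(path_words, value)] for every leaf setting in the hierarchy."""
    path, leaves = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):                 # section header, e.g. "user admin2 {"
            path.append(line[:-1].split())
        elif line == "}":
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        else:                                   # leaf: "key value" or a bare "key"
            key, _, value = line.partition(" ")
            prefix = [word for node in path for word in node]
            leaves.append((prefix + [key], value.strip().strip('"')))
    if path:
        raise ValueError("unclosed section: " + " ".join(path[-1]))
    return leaves

def audit(text):
    """List settings discussed on this page that deserve review before restore."""
    findings = []
    for path, value in flatten(text):
        if path[-1] == "plaintext-password" and value:
            findings.append("cleartext password in file: " + " ".join(path[:-1]))
        if path == ["port-forward", "auto-firewall"] and value == "enable":
            findings.append("auto-firewall on: review each port-forward rule")
    return findings
```

Calling audit() on the text of an edited config.boot returns an empty list when neither condition is present, and flatten() raises ValueError if an offline edit left the braces unbalanced.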


This article was originally intended for my audience at The Greater Boston Network Users Group at their July 11th meetup. Until I'm able to do a complete configuration walk through, this spot in a recent "Network Enthusiast" EdgeRouter video I created gives you a good look at how DNS is supposed to work in Windows + Linux and/or VMware vSphere home lab environments, only using this little metal box router. Look mom, no Microsoft AD/DNS/DHCP required!


I personally haven't gone through the admittedly better, but more-complex OpenVPN configuration process. But for those who have, they may have spotted that there were some OpenVPN vulnerabilities recently discovered by Guido Vranken's fuzzing techniques, see:


This is what happens if you take every line of instruction way too literally, just me testing it verbatim, ready to reset to known-good easily at any point I scrogg things. I have some more tweaking of their instructions to do, to get this right. I do wish there was a GUI for this migration from ISC DHCPD to dnsmasq.


Here I demonstrate that I have a working configuration, where DNS lookups by IP, by FQDN, and by shortname all function perfectly. We'll repeat this after the upgrade to make sure everything is still working as it should.


If having trouble, first ping the local IP of the device, then ping the hostname, then ping the hostname with the domain-name. This should help you narrow down where your DNS configuration issue might be.


This will back out of all changes made in the steps above, safely and easily, without having to resort to restoring from a backup of your configuration file, a last-resort process found under: System / Configuration Management & Device Maintenance / Restore Config / Upload config file: / Upload a file (button)


Enhancements and bug fixes

  • [UNMS] Fix bug when configuration was randomly reset to default values after upgrade if UNMS service was configured. Discussed here
  • [SSH] Fix security vulnerability via SSH when operator user was able to read/write configuration and gain full admin privileges
  • [OpenVPN] Backport patch for multiple OpenVPN vulnerabilities (CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521). Discussed here.

Updated software components

  • n/a


Once I got to the commit command listed above, the resolution of the problem was seen immediately. I was able to reconnect my VPN right away, no need to reboot my ER3-Lite. Tried it out for a day, still working great. So I then typed save to preserve this new configuration across reboots, and finally exited my SSH session. Done! Everything about my ER3-Lite is configured exactly the way I always wanted it to work, I can now move on to so many other projects.


To set up the router for a standard Small Office, Home Office configuration, you can follow the SOHO example on the Ubiquiti Wiki or just download the configuration and upload it to the router. Version 1.3.0 also includes a Wizards tab which only has a single wizard so far, but it allows you to create a SOHO configuration pretty easily. You have your LAN connected to eth0, your WAN (from the DSL or cable modem) connected to eth1, and a second, separate LAN connected to eth2.


After I went through the wizard, I switched my computer back to DHCP instead of the static configuration. It pulled all of the information it needed, and I was again able to browse the web. I went around and reset some devices so they would pull a new IP and was able to connect to them right away. I explored the EdgeOS user interface to find where to create static reservations and other settings.


Try this in the CLI:

    configure
    set interfaces ethernet eth0
    commit
    save
    exit

That should make the port active again in the GUI. If that does not resolve the issue, please email support@ubnt.com with the configuration attached.


I have a Ubiquiti EdgeRouter Lite that I use as a staging platform for systems in production. Because I have had to reconfigure the VPN so many times on this device, I created a simple Python tool to run through the entire process for me. Instructions for installing/using the script are detailed below; if you would like to read a tutorial on how to do everything manually, check out [[configure-openvpn-with-x-509-ubiquiti-edgerouter-lite]]


 
 
 
