====== Setup EdgeRouter X ======
This will guide you through the setup of the [[EdgeRouter X]].
===== Connect =====
* Plug in using PoE injection or a 12 V 0.5 A power adapter
* Connect the computer to ETH0
* Set up the computer with a static 192.168.1.XXX address
* Connect to the EdgeRouter at 192.168.1.1 (note: I don't actually use this IP block)
* You will probably need to accept any browser security exceptions to connect
* Log in with username "ubnt" and password "ubnt"
===== Initial Setup =====
* Run Wizards
* Choose WAN+2LAN2: this makes eth0 the internet (WAN) port, and with "Only use one LAN" checked the other four ports form a single LAN
* DHCP
* Enable the default firewall
* Only use one LAN
* Apply, Apply Changes, Reboot
* The computer must now be plugged into port 1, 2, 3, or 4
* The internet connection must now be plugged into port 0
* Navigate back to 192.168.1.1
* Log in with username "ubnt" and password "ubnt"
===== Setting up with CenturyLink Quantum Fiber =====
* This service provider requires the router's WAN traffic to the ONT to be tagged with VLAN 201
* From the Dashboard click Add Interface --> Add VLAN
* VLAN ID: 201
* Interface: eth0
* Description: Internet
* MTU: 1500
* Address: Use DHCP
===== Update firmware from EdgeRouter site =====
* Download latest firmware
* Go to "System"
* Click the "Upload a file" button in the "Upgrade System Image" section
* Select file
* Reboot
===== Firewall/NAT =====
==== Port Forwarding ====
* WAN interface: eth0 (or eth0.201 if applicable)
* Hairpin NAT: enabled
* LAN interface: switch0
* Port Forwarding rules if Unraid / Nginx (a blank forward-to port means the original port):

^ Original Port ^ Protocol ^ Forward-to Address ^ Forward-to Port ^ Description ^
| 80 | Both | 192.168.1.X | 180 | HTTP tomcat |
| 443 | Both | 192.168.1.X | 1443 | HTTPS tomcat |
| 22 | Both | 192.168.1.X | | SSH brimble |

* Port Forwarding rules if standalone:

^ Original Port ^ Protocol ^ Forward-to Address ^ Forward-to Port ^ Description ^
| 80 | Both | 192.168.1.X | | HTTP tomcat |
| 443 | Both | 192.168.1.X | | HTTPS |
| 22 | Both | 192.168.1.X | | SSH brimble |
| 32400 | Both | 192.168.1.X | | Plex |
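The tables above map one-to-one onto EdgeOS `set port-forward` commands, and the GUI will happily accept two rules that claim the same original port even though only the first ever fires. The script below is an added example (not code from this wiki or from Ubiquiti): it validates a rule table like the ones above (port ranges, known protocol, forward-to host inside the LAN, no duplicate original port/protocol) and then emits the configure-mode commands. The EdgeOS command syntax is the standard `port-forward` tree; the host addresses in `UNRAID_RULES` are constructed values standing in for the page's `192.168.1.X`.

```python
"""Validate a port-forwarding table and emit EdgeOS `set port-forward` commands.
Added example, not code from the wiki or from Ubiquiti; the rule table below
fills the page's 192.168.1.X placeholders with constructed hosts."""

import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# EdgeOS spelling of the GUI protocol choices
PROTOCOLS = {"tcp": "tcp", "udp": "udp", "both": "tcp_udp"}

# (original port, protocol, forward-to address, forward-to port or None, description)
# Constructed sample: the "Unraid / Nginx" table with 192.168.1.X filled in.
UNRAID_RULES = [
    (80, "both", "192.168.1.10", 180, "HTTP tomcat"),
    (443, "both", "192.168.1.10", 1443, "HTTPS tomcat"),
    (22, "both", "192.168.1.11", None, "SSH brimble"),
]


def validate_rules(rules):
    """Return a list of problems with the rule table (empty list = consistent).

    Checks: ports in range, known protocol, forward-to host inside the LAN, and
    no two rules claiming the same original port for the same protocol ("both"
    is expanded to tcp and udp so it conflicts with either)."""
    problems = []
    claimed = {}
    for orig, proto, addr, fwd, desc in rules:
        for label, port in (("original", orig), ("forward-to", fwd)):
            if port is not None and not 1 <= port <= 65535:
                problems.append(f"{desc}: {label} port {port} out of range")
        if proto not in PROTOCOLS:
            problems.append(f"{desc}: unknown protocol {proto!r}")
            continue
        try:
            if ipaddress.ip_address(addr) not in LAN_NET:
                problems.append(f"{desc}: {addr} is not inside {LAN_NET}")
        except ValueError:
            problems.append(f"{desc}: {addr!r} is not an IP address")
        for single in (("tcp", "udp") if proto == "both" else (proto,)):
            key = (orig, single)
            if key in claimed:
                problems.append(f"{desc}: {single}/{orig} already used by {claimed[key]}")
            claimed.setdefault(key, desc)
    return problems


def port_forward_commands(rules, wan="eth0", lan="switch0", hairpin=True):
    """Emit the EdgeOS configure-mode commands for a validated rule table."""
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        f"set port-forward wan-interface {wan}",
        f"set port-forward lan-interface {lan}",
        f"set port-forward hairpin-nat {'enable' if hairpin else 'disable'}",
        "set port-forward auto-firewall enable",  # EdgeOS adds the matching WAN_IN accepts
    ]
    for n, (orig, proto, addr, fwd, desc) in enumerate(rules, start=1):
        p = f"set port-forward rule {n}"
        cmds += [
            f"{p} description '{desc}'",
            f"{p} original-port {orig}",
            f"{p} protocol {PROTOCOLS[proto]}",
            f"{p} forward-to address {addr}",
            f"{p} forward-to port {orig if fwd is None else fwd}",  # blank in the GUI = same port
        ]
    return cmds


if __name__ == "__main__":
    print("\n".join(port_forward_commands(UNRAID_RULES, wan="eth0.201")))
```

Pass `wan="eth0.201"` when the Quantum Fiber VLAN interface is the WAN, as the "WAN interface" bullet above notes; the commands print ready to paste into `configure` mode, followed by `commit ; save`.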
==== Firewall Policies ====
* Setup VPN:
  * Log in to the command line using the CLI button or SSH
  * Enter configuration mode: <code>configure</code>
  * Add firewall rules for the L2TP traffic (IKE, ESP, NAT-T, and L2TP only when it arrives inside IPsec): <code>
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
</code>
  * Configure the server authentication settings (the pre-shared secret, username and password values are omitted here and must be supplied after those keywords): <code>
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username password
</code>
  * Define the IP address pool: <code>
set vpn l2tp remote-access client-ip-pool start 192.168.100.90
set vpn l2tp remote-access client-ip-pool stop 192.168.100.99
</code>
  * Define the DNS server(s) used by the VPN (currently 8.8.8.8 and 8.8.4.4): <code>
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
</code>
  * Define the WAN interface that will receive L2TP requests (this form is for a WAN address assigned by DHCP; see the link for the other cases): <code>set vpn l2tp remote-access dhcp-interface eth0</code>
  * Define the IPsec interface: <code>set vpn ipsec ipsec-interfaces interface eth0</code>
  * Commit the changes and save: <code>commit ; save</code>
  * Link: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server
* Parental Controls
  * Add Ruleset
    * Add New Rule
      * Enter Description (Xbox)
      * Action: Drop
      * Protocol: All protocols
      * State: All checked
      * IPsec: Don't match on IPsec packets
      * P2P: None
      * Enter the MAC Address of the device in Source
      * Set Start Time and Stop Time (UTC)
    * Configuration
      * Description: Parental Controls
      * Default Action: Accept
    * Interfaces
      * Interface: switch0
      * Direction: in
  * Repeat for each device you would like to limit
    * Xbox
    * VizioTV
    * AppleTVLR
    * J3DS
    * M3DS
    * WiiU
    * NintendoSwitch
* NAT
  * default
* Firewall/NAT groups
  * default
* Guest network setup: Turn on Guest Hotspot in UniFi, create a new wifi network and select "guest" as the type.
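Two of the rule sets above are easy to get subtly wrong: the WAN_LOCAL rules for the VPN server must accept udp/1701 only with `ipsec match-ipsec` (otherwise unencrypted L2TP from the internet reaches the router itself), and the Parental Controls set needs one correctly formed MAC and time window per device. The script below is an added example (not code from this wiki or from Ubiquiti) that serves both sections: it parses the page's `set firewall name ...` commands into a rule table, audits the L2TP rules for those properties, and generates the Parental Controls rule set from a device list. The parser only understands the `set firewall name <set> rule <n> <key...> <value>` form used on this page; the device MACs and the time window in the usage are constructed placeholders.

```python
"""Audit WAN_LOCAL rules for the L2TP/IPsec server and generate the Parental
Controls rule set. Added example, not code from the wiki or from Ubiquiti."""

import re

# The page's WAN_LOCAL commands for the L2TP/IPsec server (rules 30, 40, 50, 60).
WAN_LOCAL_COMMANDS = """
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
""".strip().splitlines()


def parse_firewall_sets(lines):
    """Build {set_name: {rule_no: {key: value}}} from `set firewall name ...` lines.
    Multi-word keys such as `destination port` are joined with a space."""
    sets = {}
    for line in lines:
        tok = line.split()
        if tok[:3] != ["set", "firewall", "name"] or len(tok) < 8 or tok[4] != "rule":
            continue  # not a per-rule firewall line; ignored by this parser
        rule = sets.setdefault(tok[3], {}).setdefault(tok[5], {})
        rule[" ".join(tok[6:-1])] = tok[-1]
    return sets


def audit_l2tp_wan_local(rules):
    """Findings for an L2TP/IPsec server's WAN_LOCAL rules (empty list = OK):
    IKE udp/500, NAT-T udp/4500 and ESP accepted; udp/1701 accepted only
    together with `ipsec match-ipsec`."""
    accepted = [r for r in rules.values() if r.get("action") == "accept"]

    def has(**want):  # keyword names use "_" where the EdgeOS key has a space
        return any(all(r.get(k.replace("_", " ")) == v for k, v in want.items())
                   for r in accepted)

    findings = []
    if not has(protocol="udp", destination_port="500"):
        findings.append("no accept rule for IKE (udp/500)")
    if not has(protocol="udp", destination_port="4500"):
        findings.append("no accept rule for NAT-T (udp/4500)")
    if not has(protocol="esp"):
        findings.append("no accept rule for ESP")
    if not has(destination_port="1701", ipsec="match-ipsec"):
        findings.append("no accept rule for L2TP (udp/1701) inside IPsec")
    for n, r in rules.items():
        if (r.get("action") == "accept" and r.get("destination port") == "1701"
                and r.get("ipsec") != "match-ipsec"):
            findings.append(f"rule {n} accepts udp/1701 outside IPsec")
    return findings


MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d$")


def parental_control_commands(devices, start, stop, name="Parental_Controls", lan="switch0"):
    """One drop rule per (description, MAC), active between start and stop
    (hh:mm:ss, UTC), with the set attached inbound on the LAN switch."""
    for label, t in (("start", start), ("stop", stop)):
        if not TIME_RE.match(t):
            raise ValueError(f"{label} time {t!r} must be hh:mm:ss")
    cmds = [f"set firewall name {name} default-action accept",
            f"set firewall name {name} description 'Parental Controls'"]
    for i, (desc, mac) in enumerate(devices, start=1):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{desc}: {mac!r} is not a MAC address")
        p = f"set firewall name {name} rule {i * 10}"
        cmds += [f"{p} action drop", f"{p} description {desc}", f"{p} protocol all",
                 f"{p} source mac-address {mac}",
                 f"{p} time starttime {start}", f"{p} time stoptime {stop}", f"{p} time utc"]
    cmds.append(f"set interfaces switch {lan} firewall in name {name}")
    return cmds
```

Usage: `audit_l2tp_wan_local(parse_firewall_sets(WAN_LOCAL_COMMANDS)["WAN_LOCAL"])` returns an empty list for the rules as written on this page, and `parental_control_commands([("Xbox", "00:00:5e:00:53:01")], "21:00:00", "06:00:00")` (constructed MAC from the IANA documentation range) prints the commands for one device. The `time utc` node is the CLI counterpart of the "(UTC)" note in the GUI steps.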
==== Services ====
* DHCP Server
  * Static MAC/IP Mapping
    * brimNAS 192.168.1.4
    * BrimblecomAP 192.168.1.5
    * BrimDownstairsAP 192.168.1.6
    * hoobs 192.168.1.7
  * Details
    * Range Start 192.168.1.100
    * Range Stop 192.168.1.255 (192.168.1.255 is the broadcast address of a /24, so 192.168.1.254 is the last address that can actually be handed out)
    * Router 192.168.1.1
    * DNS
      * 192.168.1.1 to use the ISP's servers
      * 192.168.1.2 if using Pi-hole
      * 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
* DNS
  * Cache Size 150
  * Interface switch0
* Dynamic DNS (new)
  * Interface: eth0.201
  * Service: easydns
  * Hostname: brimble.com
  * Login: mdbrim
  * Password: "easydns token"
  * Protocol: easydns
  * Server: BLANK!
* Dynamic DNS (old)
  * Interface: eth0
  * Service: noip
  * Hostname: brimble.com
  * Login: mdbrim
  * Password: "noip password"
  * Protocol: noip
  * Note: if more are needed (shouldn't be) use Custom for the service and call them noip2, noip3, etc.
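The DHCP Server settings above have a few interacting values (dynamic range, router, static mappings) that the GUI does not cross-check for you. The script below is an added example (not code from this wiki or from Ubiquiti) that checks the scope for the usual mistakes (range end on the broadcast address, router or static host inside the dynamic pool, addresses outside the subnet) and then emits the EdgeOS `service dhcp-server` commands for the scope and the static mappings. The static-mapping IPs are the page's; the MAC addresses are constructed placeholders from the IANA documentation range (00:00:5E:00:53:xx), and the shared-network name `LAN` is an assumption.

```python
"""Check a DHCP scope and emit EdgeOS `service dhcp-server` commands.
Added example, not code from the wiki or from Ubiquiti. Static-mapping IPs
are the page's; the MACs are constructed placeholders."""

import ipaddress

SUBNET = "192.168.1.0/24"
# name -> (ip-address, mac-address); MACs are constructed documentation addresses
STATIC_MAPPINGS = {
    "brimNAS": ("192.168.1.4", "00:00:5e:00:53:04"),
    "BrimblecomAP": ("192.168.1.5", "00:00:5e:00:53:05"),
    "BrimDownstairsAP": ("192.168.1.6", "00:00:5e:00:53:06"),
    "hoobs": ("192.168.1.7", "00:00:5e:00:53:07"),
}


def check_dhcp(subnet, start, stop, router, static):
    """Return a list of problems (empty list = consistent).

    Catches a range end on the broadcast address, a router or static host
    inside the dynamic pool (a source of duplicate leases), and any address
    outside the subnet."""
    net = ipaddress.ip_network(subnet)
    lo, hi, gw = (ipaddress.ip_address(a) for a in (start, stop, router))
    problems = []
    for label, ip in (("range start", lo), ("range stop", hi), ("router", gw)):
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
        elif ip == net.broadcast_address:
            problems.append(f"{label} {ip} is the broadcast address; "
                            f"last usable is {net.broadcast_address - 1}")
        elif ip == net.network_address:
            problems.append(f"{label} {ip} is the network address")
    if lo > hi:
        problems.append("range start is after range stop")
    if lo <= gw <= hi:
        problems.append(f"router {gw} lies inside the dynamic range")
    for name, (ip, _mac) in static.items():
        a = ipaddress.ip_address(ip)
        if a not in net:
            problems.append(f"static mapping {name} {ip} is outside {net}")
        elif lo <= a <= hi:
            problems.append(f"static mapping {name} {ip} lies inside the dynamic range")
    return problems


def dhcp_commands(subnet, start, stop, router, dns_servers, static, name="LAN"):
    """EdgeOS configure-mode commands for the scope and its static mappings;
    refuses to emit anything if check_dhcp() reports a problem."""
    problems = check_dhcp(subnet, start, stop, router, static)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set service dhcp-server shared-network-name {name} subnet {subnet}"
    cmds = [f"{base} start {start} stop {stop}", f"{base} default-router {router}"]
    cmds += [f"{base} dns-server {d}" for d in dns_servers]
    for host, (ip, mac) in static.items():
        cmds += [f"{base} static-mapping {host} ip-address {ip}",
                 f"{base} static-mapping {host} mac-address {mac}"]
    return cmds


if __name__ == "__main__":
    for p in check_dhcp(SUBNET, "192.168.1.100", "192.168.1.255", "192.168.1.1", STATIC_MAPPINGS):
        print("problem:", p)
    print("\n".join(dhcp_commands(SUBNET, "192.168.1.100", "192.168.1.254",
                                  "192.168.1.1", ["192.168.1.1"], STATIC_MAPPINGS)))
```

Run as-is it first reports the broadcast-address problem for a range stop of 192.168.1.255, then prints the commands for a scope ending at .254 with the four static mappings; swap `["192.168.1.1"]` for `["192.168.1.2"]` or `["8.8.8.8", "8.8.4.4"]` to match the DNS choices listed above.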
===== Other Settings =====
==== Hardware offload ====
* Log in to the command line using the CLI button or SSH
* Enter configuration mode: <code>configure</code>
* Enable hwnat offload: <code>set system offload hwnat enable</code>
* Commit and save: <code>commit ; save</code>
* Link: https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading
==== User setup ====
* Use "Users" button to change username / password
==== PoE Passthrough ====
* Use "Actions/PoE" button on eth4 line on "Dashboard"
* PoE: Passthrough
* Save