This will guide you through the setup of the EdgeRouter X.

• Plug in using PoE injection or 12V 0.5Amp Power adapter
• Connect computer to ETH0
• Setup computer with 192.168.1.XXX address
• Connect to EdgeRouter at 192.168.1.1 (note: I don't actually use this IP block)
• Probably need to accept any exceptions / agree to connect
• Login with “ubnt” “ubnt”

• Run Wizards
• Choose WAN+2LAN2: This will make eth0 internet port and with “only use one LAN” checked will make the other 4 ports a network
  • DHCP
  • Enable the default firewall
  • Only use one LAN
• Apply, Apply Changes, Reboot
• Must now plug computer into port 1, 2, 3, or 4
• Must now plug internet connection into port 0
• Navigate back to 192.168.1.1
• Login with “ubnt” “ubnt”

• This service provider requires traffic from the ONT to go to a router set to VLAN 201
• From Dashboard click Add Interface –> Add VLAN
  • VLAN ID: 201
  • Interface: eth0
  • Description: Internet
  • MTU: 1500
  • Address: Use DHCP

• Download latest firmware
• Go to “System”
• Upload a file button in the “Upgrade System Image”
• Select file
• Reboot

• WAN interface: eth0 (or eth0.201 if applicable)
• Hairpin NAT: enabled
• LAN interface: switch0
• Port Forwarding rules if unraid/ Nginx:

  80      Both  192.168.1.X  180   HTTP tomcat
  443     Both  192.168.1.X  1443  HTTPS tomcat
  22      Both  192.168.1.X        SSH brimble

• Port Forwarding rules if standalone:

  80      Both  192.168.1.X  HTTP tomcat
  443     Both  192.168.1.X  HTTPS
  22      Both  192.168.1.X  SSH brimble
  32400   Both  192.168.1.X  Plex

• Setup VPN:
  • login to command line using CLI button or SSH
  • Enter configuration mode

    configure

  • Add firewall rules for the L2TP traffic

    set firewall name WAN_LOCAL rule 30 action accept
    set firewall name WAN_LOCAL rule 30 description ike
    set firewall name WAN_LOCAL rule 30 destination port 500
    set firewall name WAN_LOCAL rule 30 log disable
    set firewall name WAN_LOCAL rule 30 protocol udp
    
    set firewall name WAN_LOCAL rule 40 action accept
    set firewall name WAN_LOCAL rule 40 description esp
    set firewall name WAN_LOCAL rule 40 log disable
    set firewall name WAN_LOCAL rule 40 protocol esp
    
    set firewall name WAN_LOCAL rule 50 action accept
    set firewall name WAN_LOCAL rule 50 description nat-t
    set firewall name WAN_LOCAL rule 50 destination port 4500
    set firewall name WAN_LOCAL rule 50 log disable
    set firewall name WAN_LOCAL rule 50 protocol udp
    
    set firewall name WAN_LOCAL rule 60 action accept
    set firewall name WAN_LOCAL rule 60 description l2tp
    set firewall name WAN_LOCAL rule 60 destination port 1701
    set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
    set firewall name WAN_LOCAL rule 60 log disable
    set firewall name WAN_LOCAL rule 60 protocol udp

  • Configure the server authentication settings

    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
    
    set vpn l2tp remote-access authentication mode local
    set vpn l2tp remote-access authentication local-users username <username> password <secret>

  • Define the IP address pool

    set vpn l2tp remote-access client-ip-pool start 192.168.100.90
    set vpn l2tp remote-access client-ip-pool stop 192.168.100.99

  • Define DNS server(s) used by VPN

    set vpn l2tp remote-access dns-servers server-1 <address> (currently 8.8.8.8)
    set vpn l2tp remote-access dns-servers server-2 <address> (currently 8.8.4.4)

  • Define WAN interface which will receive L2TP requests (this one is for DHCP, see link for others)

    set vpn l2tp remote-access dhcp-interface eth0

  • Define IPsec interface

    set vpn ipsec ipsec-interfaces interface eth0

  • Commit changes and save

    commit ; save

  • Link: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

• Parental Controls
  • Add Ruleset
  • Add New Rule
    • Enter Description (Xbox)
    • Action: Drop
    • Protocol: All protocols
    • State: All checked
    • IPsec: Don't match on IPsec packets
    • P2P: None
    • Enter MAC Address of item in Source
    • Set Start Time and Stop Time (UTC)
  • Configuration
    • Description: Parental Controls
    • Default Action: Accept
  • Interfaces
    • Interface: switch0
    • Direction: in
  • Repeat for each device you would like to limit
    • Xbox
    • VizioTV
    • AppleTVLR
    • J3DS
    • M3DS
    • WiiU
    • NintendoSwitch
• NAT
  • default
• Firewall/NAT groups
  • default

• Guest network setup: Turn on Guest Hotspot in unifi, create new wifi network and select “guest” as type.

• DHCP Server
  • Static MAC/IP Mapping

    brimNAS          192.168.1.4
    BrimblecomAP     192.168.1.5
    BrimDownstairsAP 192.168.1.6
    hoobs            192.168.1.7

  • Details
    • Range Start 192.168.1.100
    • Range Stop 192.168.1.255
    • Router 192.168.1.1
    • DNS
      • 192.168.1.1 to use ISPs
      • 192.168.1.2 if using PiHole
      • 8.8.8.8 / 8.8.4.4 (or others) if hardcoding

• DNS
  • Cache Size 150
  • Interface switch0
  • Dynamic DNS (new)
    • Interface: eth0.201
    • Service: easydns
    • Hostname: brimble.com
    • Login: mdbrim
    • Password: “easydns token”
    • Protocol: easydns
    • Server: BLANK!
  • Dynamic DNS (old)
    • Interface: eth0
    • Service: noip
    • Hostname: brimble.com
    • Login: mdbrim
    • Password: “noip password”
    • Protocol: noip
    • Note: if more are needed (shouldn't be) do Custom for service and call them noip2, noip3, etc

• login to command line using CLI button or SSH
• Enter configuration mode

  configure

• enable hwnat offload

  set system offload hwnat enable

• commit and save

  commit ; save

• Link: https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading

• Use “Users” button to change username / password

• Use “Actions/PoE” button on eth4 line on “Dashboard”
  • PoE: Passthrough
  • Save