equipment:edgerouterx
This is an old revision of the document!
Table of Contents
Setup EdgeRouter X
This will guide you through the setup of the EdgeRouter X.
Connect
- Plug in using PoE injection or 12V 0.5Amp Power adapter
- Connect computer to ETH0
- Setup computer with 192.168.1.XXX address
- Connect to EdgeRouter at 192.168.1.1 (note: I don't actually use this IP block)
- Probably need to accept any exceptions / agree to connect
- Login with “ubnt” “ubnt”
Initial Setup
- Run Wizards
- Choose WAN+2LAN2: This will make eth0 internet port and with “only use one LAN” checked will make the other 4 ports a network
- DHCP
- Enable the default firewall
- Only use one LAN
- Apply, Apply Changes, Reboot
- Must now plug computer into port 1, 2, 3, or 4
- Must now plug internet connection into port 0
- Navigate back to 192.168.1.1
- Login with “ubnt” “ubnt”
Setting up with CenturyLink Quantum Fiber
- This service provider requires traffic from the ONT to go to a router set to VLAN 201
- From Dashboard click Add Interface –> Add VLAN
- VLAN ID: 201
- Interface: eth0
- Description: Internet
- MTU: 1500
- Address: Use DHCP
Update firmware from EdgeRouter site
- Download latest firmware
- Go to “System”
- Upload a file button in the “Upgrade System Image”
- Select file
- Reboot
Firewall/NAT
Port Forwarding
- WAN interface: eth0 (or eth0.201 if needed)
- Hairpin NAT: enabled
- LAN interface: switch0
- Port Forwarding rules if unraid/ Nginx:
80 Both 192.168.1.X 180 HTTP tomcat 443 Both 192.168.1.X 1443 HTTPS tomcat 22 Both 192.168.1.X SSH brimble
- Port Forwarding rules if standalone:
80 Both 192.168.1.X HTTP tomcat 443 Both 192.168.1.X HTTPS 22 Both 192.168.1.X SSH brimble 32400 Both 192.168.1.X Plex
Firewall Polices
- Setup VPN:
- login to command line using CLI button or SSH
- Enter configuration mode
configure
- Add firewall rules for the L2TP traffic
set firewall name WAN_LOCAL rule 30 action accept set firewall name WAN_LOCAL rule 30 description ike set firewall name WAN_LOCAL rule 30 destination port 500 set firewall name WAN_LOCAL rule 30 log disable set firewall name WAN_LOCAL rule 30 protocol udp set firewall name WAN_LOCAL rule 40 action accept set firewall name WAN_LOCAL rule 40 description esp set firewall name WAN_LOCAL rule 40 log disable set firewall name WAN_LOCAL rule 40 protocol esp set firewall name WAN_LOCAL rule 50 action accept set firewall name WAN_LOCAL rule 50 description nat-t set firewall name WAN_LOCAL rule 50 destination port 4500 set firewall name WAN_LOCAL rule 50 log disable set firewall name WAN_LOCAL rule 50 protocol udp set firewall name WAN_LOCAL rule 60 action accept set firewall name WAN_LOCAL rule 60 description l2tp set firewall name WAN_LOCAL rule 60 destination port 1701 set firewall name WAN_LOCAL rule 60 ipsec match-ipsec set firewall name WAN_LOCAL rule 60 log disable set firewall name WAN_LOCAL rule 60 protocol udp
- Configure the server authentication settings
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username <username> password <secret>
- Define the IP address pool
set vpn l2tp remote-access client-ip-pool start 192.168.100.90 set vpn l2tp remote-access client-ip-pool stop 192.168.100.99
- Define DNS server(s) used by VPN
set vpn l2tp remote-access dns-servers server-1 <address> (currently 8.8.8.8) set vpn l2tp remote-access dns-servers server-2 <address> (currently 8.8.4.4)
- Define WAN interface which will receive L2TP requests (this one is for DHCP, see link for others)
set vpn l2tp remote-access dhcp-interface eth0
- Define IPsec interface
set vpn ipsec ipsec-interfaces interface eth0
- Commit changes and save
commit ; save
- Parental Controls
- Add Ruleset
- Add New Rule
- Enter Description (Xbox)
- Action: Drop
- Protocol: All protocols
- State: All checked
- IPsec: Don't match on IPsec packets
- P2P: None
- Enter MAC Address of item in Source
- Set Start Time and Stop Time (UTC)
- Configuration
- Description: Parental Controls
- Default Action: Accept
- Interfaces
- Interface: switch0
- Direction: in
- Repeat for each device you would like to limit
- Xbox
- VizioTV
- AppleTVLR
- J3DS
- M3DS
- WiiU
- NintendoSwitch
- NAT
- default
- Firewall/NAT groups
- default
- Guest network setup: Guest network
Services
- DHCP Server
- Static MAC/IP Mapping
RaspberryPi 192.168.1.2 brimNAS 192.168.1.3 BrimblecomAP 192.168.1.4 brimble 192.168.1.5 brimblebu 192.168.1.6 Onkyo 192.168.1.9 Vonage 192.168.1.10 MichaelsMBP 192.168.1.11 MeredithsMacEth 192.168.1.12 MeredithsMacWifi 192.168.1.13 Kids-PC 192.168.1.14
- Details
- Range Start 192.168.1.100
- Range Stop 192.168.1.255
- Router 192.168.1.1
- DNS
- 192.168.1.1 to use ISPs
- 192.168.1.2 if using PiHole
- 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
- DNS
- Cache Size 150
- Interface switch0
- Dynamic DNS
- Interface: eth0
- Service: noip
- Hostname: brimble.com
- Login: mdbrim
- Password: “noip password”
- Protocol: noip
- Note: if more are needed (shouldn't be) do Custom for service and call them noip2, noip3, etc
Other Settings
Hardware offload
- login to command line using CLI button or SSH
- Enter configuration mode
configure
- enable hwnat offload
set system offload hwnat enable
- commit and save
commit ; save
User setup
- Use “Users” button to change username / password
PoE Passthrough
- Use “Actions/PoE” button on eth4 line on “Dashboard”
- PoE: Passthrough
- Save
equipment/edgerouterx.1679961592.txt.gz · Last modified: by dirk
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
