```
├── DrayTek Vigor130.md
├── IPv6-Firewall.md
├── L2TP-Setup.md
├── OpenVPN-client.md
├── OpenVPN-server.md
├── PPPoE.md
├── README.md
├── aws-site-to-site-connection.md
├── basicSetup.md
├── cli.md
├── dns.md
├── dual-wan.md
├── dynamic-dns.md
├── example-dhcp.md
├── example-nat.md
├── example-snmp.md
├── example-syslog.md
├── port-forwarding.md
└── squidguard.md
```

/DrayTek Vigor130.md:
--------------------------------------------------------------------------------
# DrayTek Vigor 130
Although the DrayTek Vigor 130 has nothing to do with Ubiquiti or EdgeRouter, it is still a great modem that works perfectly together with an EdgeRouter.
For this reason, here is some information about the device.

## Default IP
By default the device has the IP `192.168.1.1`, so you have to configure your computer to use an IP address from the `192.168.1.1/24` range.

Just connect the device to your computer and open [192.168.1.1](http://192.168.1.1)

## Default Credentials
Username: *admin*

Password: *admin*

## After connection to a computer
- Update the firmware. Download the latest firmware [here](https://www.draytek.com/support/latest-firmwares/)
- Unzip the zip file and use xxx.all for just a firmware update or xxx.rst for a firmware update plus a reset to defaults.
- As written [here](http://www.draytek.com/download_de/Vigor130/), the xxx.rst is preferred.
- Change the default credentials. Use a good password. (System Maintenance -> Administrator Password)

--------------------------------------------------------------------------------
/IPv6-Firewall.md:
--------------------------------------------------------------------------------
# Configure IPv6 Firewall
Unfortunately there is no option to configure the IPv6 firewall via the GUI.

## Basic Firewall Options
This basic firewall allows users to ping an IPv6 device from the internet.
All other traffic to the device is blocked (default-action drop).

```
set firewall ipv6-name ipv6-fw default-action drop
set firewall ipv6-name ipv6-fw description 'IPv6 firewall'
set firewall ipv6-name ipv6-fw rule 1 action accept
set firewall ipv6-name ipv6-fw rule 1 log disable
set firewall ipv6-name ipv6-fw rule 1 protocol icmpv6
set firewall ipv6-name ipv6-fw rule 1 description 'allow ICMPv6 traffic'
set firewall ipv6-name ipv6-fw rule 10 action accept
set firewall ipv6-name ipv6-fw rule 10 state established enable
set firewall ipv6-name ipv6-fw rule 10 state related enable
```

## Allow one host to be publicly accessible
```
set firewall ipv6-name ipv6-fw rule 4 action accept
set firewall ipv6-name ipv6-fw rule 4 description 'allow access to host x'
set firewall ipv6-name ipv6-fw rule 4 destination address '2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
```

--------------------------------------------------------------------------------
/L2TP-Setup.md:
--------------------------------------------------------------------------------
# L2TP Setup

If you have problems with the connection, please restart the l2tp service:

```bash
sudo su
/etc/init.d/xl2tpd status # should not be started
/etc/init.d/xl2tpd restart # restart the service
```

## setup firewall
```
set firewall name WAN_LOCAL rule 80 action accept
set firewall name WAN_LOCAL rule 80 description 'Allow l2tp vpn'
set firewall name WAN_LOCAL rule 80 destination port 500
set firewall name WAN_LOCAL rule 80 log disable
set firewall name WAN_LOCAL rule 80 protocol udp
set firewall name WAN_LOCAL rule 90 action accept
set firewall name WAN_LOCAL rule 90 description 'Allow l2tp vpn'
set firewall name WAN_LOCAL rule 90 destination port 4500
set firewall name WAN_LOCAL rule 90 log disable
set firewall name WAN_LOCAL rule 90 protocol udp
set firewall name WAN_LOCAL rule 100 action accept
set firewall name WAN_LOCAL rule 100 description 'Allow l2tp vpn'
set firewall name WAN_LOCAL rule 100 destination port 1701
set firewall name WAN_LOCAL rule 100 ipsec match-ipsec
set firewall name WAN_LOCAL rule 100 log disable
set firewall name WAN_LOCAL rule 100 protocol udp
set firewall name WAN_LOCAL rule 110 action accept
set firewall name WAN_LOCAL rule 110 description 'Allow l2tp vpn'
set firewall name WAN_LOCAL rule 110 log disable
set firewall name WAN_LOCAL rule 110 protocol esp
```

## setup ipsec
```bash
set vpn ipsec auto-firewall-nat-exclude disable
# also works if you don't specify the ipsec-interface (this is the wan interface)
# set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
```

## create user accounts
```bash
set vpn l2tp remote-access authentication local-users username john password supersecret
```

## setup ip range for remote users
```bash
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 172.19.1.20
set vpn l2tp remote-access client-ip-pool stop 172.19.1.70
```

## setup PSK for remote users
```bash
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret supersecretpreshareskey
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
```

## set public IP
```bash
set vpn l2tp remote-access outside-address
# if you don't have a static IP address you can use 0.0.0.0 instead
```

## set DNS Server for clients
```
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
```

## don't forget to set NAT if you haven't already
```bash
set service nat rule 5003 description NAT-L2TP
set service nat rule 5003 log disable
# set correct outbound interface
set service nat rule 5003 outbound-interface eth0
set service nat rule 5003 protocol all
# set correct source address range
set service nat rule 5003 source address 172.19.1.0/24
set service nat rule 5003 type masquerade
```

## troubleshooting
If you have problems setting up L2TP, take a look at the following log files:
- /var/log/messages
- /var/log/charon.log
- note that the usernames aren't logged.

If you want to see who is currently connected, just type: "show interfaces"

--------------------------------------------------------------------------------
/OpenVPN-client.md:
--------------------------------------------------------------------------------
# OpenVPN config (Client)
This tutorial describes how to configure the EdgeRouter as an OpenVPN client.

Useful links:
- [Youtube: EdgeRouter OpenVPN to Private Internet Access!](https://www.youtube.com/watch?v=B9dXiKhDVl0)
- [Youtube: Dedicated Private Internet VLAN and Wireless Network](https://www.youtube.com/watch?v=_TBj5MYmgQc)

## Basic setup
First you need to ssh into your EdgeRouter. Then create a directory where you store your OpenVPN files.

```
sudo su
mkdir -p /config/auth/example
```

In this example I have the following files:
- ca.crt (Root CA)
- client.key (User private key)
- client.crt (User certificate)
- openvpn-static-key-v1.key (for tls-auth)
- example.ovpn (OpenVPN client configuration (see below))

Make sure that `key.pem` has `chmod 600`

## Example of the OpenVPN config-file
This file could differ depending on your openvpn server setup.
```
client
dev tun
proto udp
remote vpn.example.com
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
auth SHA512
cipher AES-256-GCM

# files
ca /config/auth/example/ca.crt
cert /config/auth/example/client.crt
key /config/auth/example/key.pem
tls-auth /config/auth/example/openvpn-static-key-v1.key 1

```

## Setup the interface
If you already configured your EdgeRouter as an OpenVPN server, then you need to change the network interface from `vtun0` to something else (e.g. `vtun1`).

```
configure
set interfaces openvpn vtun0 description 'example vpn'
set interfaces openvpn vtun0 config-file /config/auth/example/example.ovpn
commit
save
```



## Setup an extra VLAN for clients
```
# create a new vlan (VLAN 10)
set interfaces switch switch0 vif 10 address 192.168.40.1/24
set interfaces switch switch0 vif 10 description 'example VLAN'
set interfaces switch switch0 vif 10 mtu 1500
```

## Setup a DHCP server
```
set service dhcp-server shared-network-name EXAMPLE-LAN authoritative disable
set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 default-router 192.168.40.1
set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 dns-server 1.1.1.1
set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 domain-name example.com
set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 lease 86400
set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 start 192.168.40.10 stop 192.168.40.100
```

## Setup NAT & routing
```
# setup NAT
set service nat rule 5020 description NAT-EXAMPLE-VPN
set service nat rule 5020 log disable
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 source address 192.168.40.0/24
set service nat rule 5020 type masquerade

# setup routing
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

set firewall modify VPN_EXAMPLE_ROUTE rule 10 description 'Subnet to VPN'
set firewall modify VPN_EXAMPLE_ROUTE rule 10 source address 192.168.40.0/24
set firewall modify VPN_EXAMPLE_ROUTE rule 10 modify table 1

# apply the firewall route to VLAN 10
set interfaces switch switch0 vif 10 firewall in modify VPN_EXAMPLE_ROUTE
```

--------------------------------------------------------------------------------
/OpenVPN-server.md:
--------------------------------------------------------------------------------
# OpenVPN config (Server)
This tutorial describes how to set up an OpenVPN server on an EdgeRouter.

## Create certificates
Here is a list of the files that you need. You can use the software XCA to create them.
- ca.crt (Root CA)
- server.crt (Server Certificate)
  - To prevent MITM attacks make sure you set
    - X509v3 Key Usage: Digital Signature, Key Encipherment
    - X509v3 Extended Key Usage: TLS Web Server Authentication
- server.key (Key File for the Server Certificate)
- dh.pem (Diffie–Hellman key exchange parameters; 2048 bit is good)
- revocation-list.crl (Optional; Certificate Revocation List)

After you create the files, copy all of them into `/config/auth/`

For your client config: Make sure `remote-cert-tls server` is set.
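As an added example (this is not code from the repo), here is a small Python linter for the client-side `.ovpn` file shown in OpenVPN-client.md. It checks the directives the two OpenVPN pages rely on: `remote-cert-tls server` (the client-side half of the MITM protection above), a `tls-auth`/`tls-crypt` key with a consistent key direction, `auth-nocache` whenever `auth-user-pass` is used, and a cipher that is not one of OpenVPN's deprecated 64-bit-block ciphers. Both sample configs are constructed: `SAMPLE_OVPN` is the page's example, `WEAK_OVPN` is the same file with the server check removed and a legacy cipher, to show what the linter reports.

```python
"""Lint an OpenVPN client config for the hardening directives this repo's
OpenVPN pages rely on. Added example, not part of the repo; the directive
names are OpenVPN's own, the sample configs below are constructed."""
from typing import Dict, List

# Constructed sample: the client config shown in OpenVPN-client.md.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
auth SHA512
cipher AES-256-GCM

# files
ca /config/auth/example/ca.crt
cert /config/auth/example/client.crt
key /config/auth/example/key.pem
tls-auth /config/auth/example/openvpn-static-key-v1.key 1
"""

# Constructed weakened variant: server-certificate check dropped, legacy cipher.
WEAK_OVPN = SAMPLE_OVPN.replace("remote-cert-tls server\n", "").replace(
    "cipher AES-256-GCM", "cipher BF-CBC"
)

# Ciphers OpenVPN itself deprecated (64-bit block size) plus "none".
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with.
    Lines starting with '#' or ';' are comments. Inline <ca>...</ca> blocks
    are not handled because the page keeps keys and certificates in files."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_ovpn(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    d = parse_ovpn(text)
    findings: List[str] = []
    # Without this the client accepts any certificate the CA signed, including
    # another client's, as the server: the MITM case the server page warns about.
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("remote-cert-tls server missing: server certificate EKU is not verified")
    tls_auth = d.get("tls-auth", [])
    if not tls_auth and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: control channel is not HMAC-protected")
    else:
        # The key direction may be given inline (tls-auth FILE 1) or via key-direction;
        # the two must agree, and both must be the opposite of the server's.
        directions = {a[1] for a in tls_auth if len(a) > 1}
        directions |= {a[0] for a in d.get("key-direction", []) if a}
        if len(directions) > 1:
            findings.append(f"conflicting key directions: {sorted(directions)}")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-user-pass without auth-nocache: credentials stay cached in memory")
    # 'cipher' is the page's (OpenVPN 2.4 era) directive; 2.5+ negotiates via data-ciphers.
    ciphers = [a[0].upper() for a in d.get("cipher", []) if a]
    if not ciphers and "data-ciphers" not in d:
        findings.append("no cipher configured: the server default applies")
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"weak cipher {c}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_OVPN), ("weakened", WEAK_OVPN)):
        print(label, "->", lint_ovpn(cfg) or "OK")
```

Run it with `python3 lint_ovpn.py`; the page's own config passes, the weakened copy reports the missing `remote-cert-tls server` and the `BF-CBC` cipher. Feed it a real file with `lint_ovpn(open(path).read())`.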

## Basic OpenVPN configuration
```
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server name-server 1.1.1.1 # change to your preferred one
set interfaces openvpn vtun0 server domain-name example.com # change to your preferred one
# set your network
set interfaces openvpn vtun0 server push-route 192.168.178.0/24
# set the range for the openvpn clients. Clients will receive an IP address from this subnet
set interfaces openvpn vtun0 server subnet 192.168.177.0/24
```

## Certificate setup
As described above. Make sure your private key has `chmod 600`.

```
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
# optional: set revocation list
set interfaces openvpn vtun0 tls crl-file /config/auth/revocation-list.crl
```

## Configure logging
```
set interfaces openvpn vtun0 openvpn-option "--log /var/log/openvpn.log"
set interfaces openvpn vtun0 openvpn-option "--status /var/log/openvpn-status.log"
set interfaces openvpn vtun0 openvpn-option "--verb 7"
```

## Firewall configuration
Don't forget to set NAT for the openvpn clients

```
set firewall name XXX rule XX action accept
set firewall name XXX rule XX description 'Allow OpenVPN'
set firewall name XXX rule XX destination port 1194
set firewall name XXX rule XX log disable
set firewall name XXX rule XX protocol udp
```

--------------------------------------------------------------------------------
/PPPoE.md:
--------------------------------------------------------------------------------
# Point-to-Point Protocol over Ethernet

This article explains how to configure your EdgeRouter as a PPPoE client.

## Example PPPoE configuration
Plug the 'internet' into port eth0. This was tested with PPPoE credentials from the ISP "Deutsche Telekom".

```
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 ip
set interfaces ethernet eth0 pppoe 0 default-route auto
# configure your firewall on pppoe0 and not on eth0
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 pppoe 0 mtu 1492 # this is important
set interfaces ethernet eth0 pppoe 0 name-server none # set your own dns server. Don't use the one from your ISP
set interfaces ethernet eth0 pppoe 0 password 00000000
set interfaces ethernet eth0 pppoe 0 user-id 0000000000001111111111110001@t-online.de
set interfaces ethernet eth0 speed auto
```

## Using a DrayTek Vigor 130 as a "pure" modem
- https://www.draytek.de/einrichtung-internet-mit-t-online.html
- https://www.youtube.com/watch?v=6Whbg_KnumM
- make sure you run the latest firmware on the DrayTek Vigor 130!

## NAT configuration
If you are using NAT and PPPoE, then you have to configure NAT on the **pppoe** interface (pppoe0 in this example), not on eth0.

```
set service nat rule 5010 description 'Masquerade for WAN'
set service nat rule 5010 log disable
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 protocol all
set service nat rule 5010 source address 10.10.0.0/16
set service nat rule 5010 type masquerade
```

## Configure TCP MSS clamping
If you don't set the correct TCP mss-clamp value, some sites will not load correctly.

```
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1412
```

## Troubleshoot
Here are some useful commands that could help you troubleshoot your PPPoE connection

```
show pppoe-client
show interfaces pppoe pppoe0 log
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# EdgeRouter-Stuff
Some information about Ubiquiti's EdgeOS

If you have comments / find errors / have suggestions, feel free to contact me / create a merge request. Thanks.

--------------------------------------------------------------------------------
/aws-site-to-site-connection.md:
--------------------------------------------------------------------------------
# AWS Site-to-Site VPN
AWS has the option to create a Site-to-Site VPN tunnel from your AWS VPC to your home/office network. This tutorial shows you how to configure your EdgeRouter to create a tunnel.

Although there is the option to use BGP for routing, we will just configure a static route.

## Prerequisite
You need to have a static IPv4 address.

## AWS Site
Log in to your AWS Console and click on VPC -> Virtual Private Network (VPN) -> Customer Gateways -> and create a new Customer Gateway.

Next, Virtual Private Gateway: Create a new Virtual Private Gateway for your VPC

After that click on Site-to-Site VPN Connections and create a new Site-to-Site connection. AWS will create two servers with two different IP addresses. It is recommended that you configure both tunnels.

Download the configuration file by clicking on *Download Configuration* and just select *Generic* as the Vendor.


## Configure your Router
First you need to configure the virtual interface.
Change the IP address according to the configuration file that you downloaded in the previous step.

```
set interfaces vti vti0 address 169.254.41.130/30 # Inside IP Addresses -> Customer Gateway
set interfaces vti vti0 description 'AWS VPC FRA' # just a name.
set interfaces vti vti0 mtu 1436 # specified in the configuration file
```

Next set a static route. Change the subnet according to your AWS VPC network.
```
set protocols static interface-route 10.20.0.0/16 next-hop-interface vti0
```

Now you can configure ipsec.
```
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group AWS compression disable
set vpn ipsec esp-group AWS lifetime 3600
set vpn ipsec esp-group AWS mode tunnel
set vpn ipsec esp-group AWS pfs enable
set vpn ipsec esp-group AWS proposal 1 encryption aes128
set vpn ipsec esp-group AWS proposal 1 hash sha1
set vpn ipsec ike-group AWS dead-peer-detection action restart
set vpn ipsec ike-group AWS dead-peer-detection interval 15
set vpn ipsec ike-group AWS dead-peer-detection timeout 30
set vpn ipsec ike-group AWS ikev2-reauth no
set vpn ipsec ike-group AWS key-exchange ikev1
set vpn ipsec ike-group AWS lifetime 28800
set vpn ipsec ike-group AWS proposal 1 dh-group 2
set vpn ipsec ike-group AWS proposal 1 encryption aes128
set vpn ipsec ike-group AWS proposal 1 hash sha1
# change to your WAN Interface
set vpn ipsec ipsec-interfaces interface eth6
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
```

You also need to configure the site-to-site connection

```
# replace with your AWS VPN Server IP. You can find the public IP in the AWS config file.
set vpn ipsec site-to-site peer authentication mode pre-shared-secret
# set your AWS PSK here
set vpn ipsec site-to-site peer authentication pre-shared-secret
set vpn ipsec site-to-site peer connection-type initiate
set vpn ipsec site-to-site peer description 'VPC tunnel 1'
set vpn ipsec site-to-site peer ike-group AWS
set vpn ipsec site-to-site peer ikev2-reauth inherit
# set your local WAN address
set vpn ipsec site-to-site peer local-address
set vpn ipsec site-to-site peer vti bind vti0
set vpn ipsec site-to-site peer vti esp-group AWS
```

Configure your firewall so that NAT is disabled for AWS traffic

```
set service nat rule 5011 description no-nat-aws
set service nat rule 5011 exclude
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface vti0
# replace with your aws subnet
set service nat rule 5011 source address 10.20.0.0/16
set service nat rule 5011 type masquerade
```

--------------------------------------------------------------------------------
/basicSetup.md:
--------------------------------------------------------------------------------
# Basic EdgeOS Setup

## Out of the Box
- Plug an ethernet cable into eth0
- Configure your PC/Notebook ethernet card to use the IP address 192.168.1.5/24. Set no default gateway
- Open a web browser and go to https://192.168.1.1
- Log in with the default credentials: ubnt/ubnt
- Update your firmware: Click on System (on the bottom left) and scroll down to *Upgrade System Image*
- Download the latest image from Ubiquiti's website and upload the image to the router

### Firmware Upgrade via CLI
Go to the [Ubiquiti Firmware Website](https://www.ubnt.com/download/edgemax) and copy the URL

```
add system image https://dl.ubnt.com/firmwares/edgemax/v1.9.7/ER-e200.v1.9.7.5001803.tar
show system image
reboot
```

Info: If you restart the device, all PoE devices also restart

## After Firmware Update
- Change the default username / password: Log back in and click on Users. Create a new user (be careful with upper and lowercase). Log out and log back in with the newly created user
- Set a default gateway and default DNS server: click on System and fill in the blanks :D

## Serial Console
If you have an adapter, your device will probably be `/dev/ttyUSB0`. Download putty and use this device. Set the bitrate to *115200*

For more information see: [How to Connect to Serial Console](https://help.ubnt.com/hc/en-us/articles/205202630-EdgeRouter-How-to-Connect-to-Serial-Console)

--------------------------------------------------------------------------------
/cli.md:
--------------------------------------------------------------------------------
# Command Line Interface
This page should give you a basic overview of the CLI of your EdgeRouter.

In the background the device runs VyOS. That means you can use the standard VyOS commands.

VyOS is based on Debian.
If you type `sudo su` you get a `/bin/bash`

## Basic Stuff
`configure` -> go into the configuration mode (you can compare that to *conf t* on Cisco devices)
`commit` -> commits the changes
`save` -> saves the changes

Always run `commit` and `save` if you want to save your configuration.

*exit* brings you back into "normal mode"

## Show the running config
`show configuration` gives you a "human readable" version of the configuration. `show configuration commands` displays a configuration that you can use for later purposes, e.g. copy and paste it to a new device to make a 1-to-1 backup.

`show ip route` is similar to *Cisco IOS*: it gives you a list of all routes.

### Basic Configuration - System
Command | Function
--- | ---
`configure` | go into configuration mode
`set system host-name foobar` | set your router hostname to *foobar*
`set system name-server 8.8.8.8` | set the default DNS server
`set system gateway-address 123.123.123` | set the default gateway
`set system ntp server 0.ubnt.pool.ntp.org` | set the NTP server (active per default). You can specify multiple NTP servers
`set system time-zone Europe/Berlin` | set your timezone (use tab if you are in a different timezone)
`set system login banner pre-login "This is a test \nAnd this is a new line\n"` | set a banner (similar to banner in the Cisco world)

The `delete` command can delete a configuration (similar to e.g. `no shutdown` in the Cisco world). E.g.: `delete system domain-name`

### Basic Configuration - Service
Command | Function
--- | ---
`show dhcp leases` | show IP address, MAC address, pool and client name


### Create a new System User
Replace ** with your username and ** with your **strong** password. The password is stored encrypted, so this is the only time you see the password in plain text.
43 | 44 | ``` 45 | set system login user authentication plaintext-password 46 | set system login user level admin 47 | # optional: set full name 48 | set system login user full-name 'Firstname Lastname' 49 | 50 | ``` 51 | Now test if you can login with the new user and then delete the default user *ubnt*. This only works if the user isn't logged in (either via ssh or GUI). 52 | ``` 53 | delete system login user ubnt 54 | ``` 55 | 56 | ### Configuration Switch 57 | The Router can also act as a switch. Here is an example: 58 | ``` 59 | set interfaces switch switch0 address 172.22.1.1/24 60 | set interfaces switch switch0 mtu 1500 61 | set interfaces switch switch0 switch-port interface eth2 62 | set interfaces switch switch0 switch-port interface eth3 63 | set interfaces switch switch0 switch-port interface eth4 64 | set interfaces switch switch0 switch-port vlan-aware disable 65 | ``` 66 | 67 | ### Configuration DHCP Server 68 | ``` 69 | set service dhcp-server shared-network-name CLIENT-LAN authoritative disable 70 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 default-router 172.22.1.1 71 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 dns-server 8.8.8.8 72 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 lease 86400 73 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 start 172.22.1.10 stop 172.22.1.100 74 | ``` 75 | 76 | #### Configure static IP for device 77 | ``` 78 | set service dhcp-server shared-network-name MGMT-VLAN subnet 10.10.99.0/24 static-mapping cgn-monitor ip-address 10.10.99.11 79 | set service dhcp-server shared-network-name MGMT-VLAN subnet 10.10.99.0/24 static-mapping cgn-monitor mac-address '52:54:xx:xx:xx:xx' 80 | ``` 81 | -------------------------------------------------------------------------------- /dns.md: -------------------------------------------------------------------------------- 1 | # DNS 2 | The Edge Router can 
function as a little DNS Server. But keep in mind that this is only a basic DNS Server. You can only configure A Records. 3 | 4 | ## enable DNS 5 | Which Interface should be allowed to query the DNS Server ? 6 | 7 | ```bash 8 | set service dns forwarding listen-on eth2.10 9 | set service dns forwarding listen-on eth2.20 10 | set service dns forwarding listen-on eth2.30 11 | set service dns forwarding listen-on eth2 12 | ``` 13 | 14 | ## add an entry 15 | You just need the IP Address and the hostname. You have to give the "static-host-mapping" a name. In this case it's `cgn-qemu-01` but this has nothing to do with the DNS name. 16 | Just make sure that this is unique. 17 | 18 | ```bash 19 | set system static-host-mapping host-name cgn-qemu-01 alias cgn-qemu-01.example.com 20 | set system static-host-mapping host-name cgn-qemu-01 inet 10.10.99.130 21 | ``` 22 | 23 | You can also have more then one Hostname pointing to one IP Address 24 | 25 | ```bash 26 | set system static-host-mapping host-name cgn-vm-win10 alias cgn-vm-win10.example.com 27 | set system static-host-mapping host-name cgn-vm-win10 alias cgn-win-mgmt.example.com 28 | set system static-host-mapping host-name cgn-vm-win10 alias prtg.example.com 29 | set system static-host-mapping host-name cgn-vm-win10 inet 10.10.99.111 30 | 31 | ``` 32 | -------------------------------------------------------------------------------- /dual-wan.md: -------------------------------------------------------------------------------- 1 | # set nat for both interfaces 2 | 3 | ``` 4 | set load-balance group LB-GROUP interface eth3 failover-only 5 | set load-balance group LB-GROUP interface eth3 route-test initial-delay 60 6 | set load-balance group LB-GROUP interface eth3 route-test interval 10 7 | set load-balance group LB-GROUP interface eth3 route-test type ping target 8.8.8.8 8 | 9 | set load-balance group LB-GROUP interface pppoe0 route-test initial-delay 60 10 | set load-balance group LB-GROUP interface pppoe0 route-test 
interval 10 11 | set load-balance group LB-GROUP interface pppoe0 route-test type ping target 8.8.8.8 12 | 13 | set load-balance group LB-GROUP lb-local enable 14 | set load-balance group LB-GROUP lb-local-metric-change disable 15 | ``` -------------------------------------------------------------------------------- /dynamic-dns.md: -------------------------------------------------------------------------------- 1 | # Configure Dynamic DNS 2 | This tutorial explains how to configure dynamic dns. This can be usefull if your ISP only gives you a dynamic IP address (and not a static one) but you still want to access your edgerouter (e.g. connect via VPN). 3 | Prerequisite for this tutoiral is a valid domain that you own (e.g. example.com) and an free account at [cloudflare](https://www.cloudflare.com/). 4 | 5 | Note you have to create an *A Record* in your cloudflare dashboard beforehand. E. g. `router.example.com A 1.2.3.4`. 6 | 7 | Please replace 8 | - router.example.com -> with your subdomain 9 | - info@example.com -> with your cloudflare e-mail address 10 | - your-cloudflare-api-key -> with you cloudflare global API Key. 
For help look [here](https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys) (note this is not your cloudflare login password) 11 | - example.com -> with your domain 12 | 13 | ``` 14 | configure 15 | set service dns dynamic interface pppoe0 service custom-cloudflare host-name router.example.com 16 | set service dns dynamic interface pppoe0 service custom-cloudflare login info@example.com 17 | set service dns dynamic interface pppoe0 service custom-cloudflare password 18 | set service dns dynamic interface pppoe0 service custom-cloudflare protocol cloudflare 19 | set service dns dynamic interface pppoe0 service custom-cloudflare options zone=example.com 20 | commit 21 | save 22 | 23 | ``` 24 | 25 | ## Verify the configuration 26 | With `show dns dynamic status` you can list the status of the dynamic dns confguration. 27 | When you `ping router.example.com` the IP address of your router should appear. 28 | 29 | 30 | Source: https://help.ui.com/hc/en-us/articles/204976324-EdgeRouter-Custom-Dynamic-DNS 31 | -------------------------------------------------------------------------------- /example-dhcp.md: -------------------------------------------------------------------------------- 1 | # Example DHCP configuration 2 | 3 | ``` 4 | set service dhcp-server shared-network-name CLIENT-LAN authoritative disable 5 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 default-router 172.22.1.1 6 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 dns-server 172.21.7.147 7 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 lease 86400 8 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 domain-name example.com 9 | set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 start 172.22.1.10 stop 172.22.1.100 10 | ``` 11 | -------------------------------------------------------------------------------- /example-nat.md: 
-------------------------------------------------------------------------------- 1 | 2 | ## Configuration EdgeOS 3 | ``` 4 | configure 5 | set service nat rule 5000 description NAT-TO-WAN 6 | set service nat rule 5000 log disable 7 | set service nat rule 5000 outbound-interface eth0 8 | set service nat rule 5000 protocol all 9 | set service nat rule 5000 source address 172.22.1.0/24 10 | set service nat rule 5000 type masquerade 11 | commit && save && exit 12 | ``` 13 | 14 | 15 | ## Configuration VyOS 16 | ``` 17 | configure 18 | set nat source rule 100 description 'NAT-TO-ETH0' 19 | set nat source rule 100 outbound-interface 'eth0' 20 | set nat source rule 100 source address '192.168.99.0/24' 21 | set nat source rule 100 translation address 'masquerade' 22 | commit && save && exit 23 | ``` 24 | -------------------------------------------------------------------------------- /example-snmp.md: -------------------------------------------------------------------------------- 1 | # Setup Simple Network Management Protocol 2 | 3 | ## Setup SNMP v2 4 | 5 | ``` 6 | configure 7 | 8 | set service snmp description 'manage via PRTG' 9 | set service snmp community superSecretPassword authorization ro 10 | set service snmp contact 'John Bauer' 11 | set service snmp location Cologne 12 | 13 | commit 14 | save 15 | 16 | ``` 17 | 18 | ## Setup SNMP v3 19 | this is also possible 20 | 21 | -------------------------------------------------------------------------------- /example-syslog.md: -------------------------------------------------------------------------------- 1 | # Configure Device to log to a log-Server 2 | 3 | Our Syslog Server has the ip of: `10.10.99.111` 4 | 5 | We are logging everything ! (`level debug`) but you can set another level of log e.g. 
`level err`

```
configure
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system syslog host 10.10.99.111 facility all level debug

commit
save
exit
```
--------------------------------------------------------------------------------
/port-forwarding.md:
--------------------------------------------------------------------------------
# Port Forwarding / Destination NAT

## Helpful links
- https://help.ubnt.com/hc/en-us/articles/205231700-EdgeRouter-Destination-NAT
- https://help.ubnt.com/hc/en-us/articles/217367937-EdgeRouter-Port-Forwarding
- https://www.youtube.com/watch?v=7QSRNwFo6os

## intro
Port forwarding and destination NAT are the same thing.
In this simple tutorial we configure D-NAT manually, meaning that we set the firewall rules and the D-NAT rule by hand and do **not** use Auto-Firewall or *port-forwarding* (which is the easy way).

The advantage of configuring D-NAT manually is that you have more control over who can access the port from the WAN.

We assume that you have a public (static) IP on eth0 (here we use 1.2.3.4 as the WAN address) and a device on your LAN with a private IP (e.g. 172.22.1.10). This tutorial shows how to *port forward* port 8443 of the device with the IP 172.22.1.10 to port 8443 on the WAN IP 1.2.3.4.
You could also configure another port on your WAN interface.
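As an added check (not part of these notes and not an EdgeOS tool), the Python script below parses `set` commands of the kind used in this tutorial and reports WAN_IN accept rules that are wider than a port forward needs, or D-NAT rules that no WAN_IN accept rule lets through. The sample config and its rule numbers are constructed for the example.

```python
import re

# Constructed sample (not a router dump): this tutorial's D-NAT rule plus the WAN_IN rule that opens only tcp/8443.
SAMPLE = """
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Allow 8443'
set firewall name WAN_IN rule 20 destination port 8443
set firewall name WAN_IN rule 20 protocol tcp
set service nat rule 1 destination address 1.2.3.4  # this is your WAN IP
set service nat rule 1 destination port 8443
set service nat rule 1 inside-address address 172.22.1.10
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
"""

def parse_set_lines(text):
    """Nest 'set a b ... key value' lines into dicts; handles 'quoted' values and # comments."""
    tree = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("set "):
            continue
        tokens = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line[4:])]
        node = tree
        for key in tokens[:-2]:
            node = node.setdefault(key, {})
        node[tokens[-2]] = tokens[-1]
    return tree

def check_port_forwarding(text, wan_fw="WAN_IN"):
    """Return findings as strings; [] means no wide-open accept rule and every D-NAT is reachable."""
    tree = parse_set_lines(text)
    fw = tree.get("firewall", {}).get("name", {}).get(wan_fw, {}).get("rule", {})
    nat = tree.get("service", {}).get("nat", {}).get("rule", {})
    accepts = {n: r for n, r in fw.items() if r.get("action") == "accept"}
    findings = []
    for num, rule in accepts.items():
        # no 'protocol' means all protocols, no 'source' means any host on the internet
        if rule.get("protocol", "all") == "all" and "source" not in rule:
            findings.append(f"{wan_fw} rule {num}: accepts everything from any source")
    for num, rule in nat.items():
        if rule.get("type") != "destination":
            continue
        port, proto = rule.get("destination", {}).get("port"), rule.get("protocol", "all")
        hit = any(r.get("protocol", "all") in (proto, "all")
                  and r.get("destination", {}).get("port") in (port, None)
                  for r in accepts.values())
        if not hit:
            findings.append(f"nat rule {num}: forwards {proto}/{port} but no {wan_fw} accept rule matches")
    return findings
```

Feed it the output of `show configuration commands` from configure mode to check a real router; for the sample above `check_port_forwarding(SAMPLE)` returns an empty list.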

### set firewall: everyone can access port 8443 from WAN
```
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Allow 8443'
set firewall name WAN_IN rule 20 destination port 8443
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 protocol tcp
```

### set firewall: only the host with the IP 2.3.4.5 can access all available ports
```
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Allow user with specific IP on WAN_IN'
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 source address 2.3.4.5
```

### configure D-NAT

```
set service nat rule 1 description 'some description'
set service nat rule 1 destination address 1.2.3.4 # this is your WAN IP
set service nat rule 1 destination port 8443
set service nat rule 1 inbound-interface eth0 # the WAN interface
set service nat rule 1 inside-address address 172.22.1.10 # the internal device on your LAN
set service nat rule 1 inside-address port 8443 # the port on the internal device that you want to forward
set service nat rule 1 log enable # log every request
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
```
--------------------------------------------------------------------------------
/squidguard.md:
--------------------------------------------------------------------------------
# squidguard proxy
You can use your EdgeRouter as a proxy server to block certain categories, e.g. ads or malware.

## prerequisite
SSH into your EdgeRouter and download the available categories. Depending on your device this could take a few minutes (it took about 100 minutes on my device).

```
update webproxy blacklists
```

## example config
```
set service webproxy cache-size 0
set service webproxy default-port 3128
set service webproxy listen-address 172.22.3.1
set service webproxy mem-cache-size 5
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category porn
set service webproxy url-filtering squidguard default-action allow
set service webproxy url-filtering squidguard redirect-url 'https://brainoftimo.com/not-for-you'
```

## possible categories to block
- ads
- adult
- aggressive
- agressif
- arjel
- associations_religieuses
- astrology
- audio-video
- bank
- bitcoin
- blog
- celebrity
- chat
- child
- cleaning
- cooking
- cryptojacking
- dangerous_material
- dating
- ddos
- dialer
- download
- drogue
- drugs
- educational_games
- filehosting
- financial
- forums
- gambling
- games
- hacking
- jobsearch
- lingerie
- liste_blanche
- liste_bu
- local-ok-default
- local-ok-url-default
- mail
- malware
- manga
- marketingware
- mixed_adult
- mobile-phone
- phishing
- porn
- press
- proxy
- publicite
- radio
- reaffected
- redirector
- remote-control
- sect
- sexual_education
- shopping
- shortener
- social_networks
- special
- sports
- strict_redirector
- strong_redirector
- translation
- tricheur
- update
- violence
- warez
- webmail
--------------------------------------------------------------------------------