Router:Ubiquiti EdgeRouter Lite


The Ubiquiti EdgeRouter Lite can be used as a router (with a suitable modem) with A&A's services.

This configuration was tested with a UBNT EdgeRouter Lite running v1.9.1 firmware, and a BT ECI FTTC modem. Newer EdgeOS releases carry security fixes, so keep the router's firmware current and re-check these commands against the release notes if you are on a later version.

You'll need

  • an ADSL or FTTC modem, or a fibre ONT (for FTTP). A&A's supplied modems & routers can be configured into a bridge mode for this.

Assumptions

  • eth0 is plugged directly into the modem or ONT
  • eth1 will be used for your LAN
  • You're using a Home::1 or similar service with one IPv4 address for WAN.
  • Your internal LAN IPv4 range is 192.168.0.0/24, of which you'll use 100 -> 149 for DHCP.
  • A&A have allocated you 2001:8b0:db8::/48 and your internal LAN IPv6 range is 2001:8b0:db8:1234::/64. You'll need to change these values in the configuration to match your actual setup.
  • You have some familiarity with the EdgeRouter Lite and EdgeOS.

Configuration

Don't just blindly copy & paste this whole configuration!

Pay attention to the comments (lines starting with #) - they give a basic overview of what each section does.

You'll need to change the IPv6 addresses in this configuration to match the ones shown for you on the control pages, and add your username and password. Once the password is in the configuration, treat any saved copy or backup of it (and any `show configuration` output you paste when asking for help) as containing a secret.

Depending on the modem you are using, you may also need to make the changes listed in the comments for a lower MTU.

# Network interface configuration
# eth0 - the WAN interface
# 1508 is a "baby jumbo" frame: the extra 8 bytes cover the PPPoE/PPP header so the PPP link
# itself (pppoe 0 below, MTU 1500) can carry a full 1500-byte payload.
# You'll need to reduce the MTU to 1500 if you don't have a modem that allows you to use baby jumbos
set interfaces ethernet eth0 description 'Ethernet interface for PPPoE'
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 mtu 1508
set interfaces ethernet eth0 speed auto

# eth1 - the LAN interface
# The router is .1 on the IPv4 range and ::1 on the IPv6 /64. The DHCP, DNS, GUI and SSH
# sections below all refer back to these two addresses, so change them together.
set interfaces ethernet eth1 description 'Local LAN interface'
set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 address '2001:8b0:db8:1234::1/64'
set interfaces ethernet eth1 duplex auto
# Number of duplicate-address-detection probes sent before the IPv6 address is used
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth1 speed auto

# IPv6 SLAAC configuration - this will hand out IP addresses to your local LAN
# managed-flag and other-config-flag are both false, so clients build their own addresses from
# the advertised prefix (SLAAC) and are not pointed at DHCPv6 - there is no DHCPv6 server in
# this configuration.
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
# link-mtu 0 - presumably "don't advertise an MTU option", leaving clients on their interface MTU
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0
set interfaces ethernet eth1 ipv6 router-advert managed-flag false
# Send an unsolicited advertisement at least every 600 seconds
set interfaces ethernet eth1 ipv6 router-advert max-interval 600
# The router's own LAN address is advertised as the DNS server (RDNSS option). Clients that
# don't understand RDNSS won't learn an IPv6 resolver from this and will use the IPv4 one
# handed out by DHCP below.
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:8b0:db8:1234::1'
set interfaces ethernet eth1 ipv6 router-advert other-config-flag false
# Clients auto-configure from this prefix (autonomous) and treat it as directly reachable (on-link)
set interfaces ethernet eth1 ipv6 router-advert prefix '2001:8b0:db8:1234::/64' autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix '2001:8b0:db8:1234::/64' on-link-flag true
# 2592000 seconds = 30 days
set interfaces ethernet eth1 ipv6 router-advert prefix '2001:8b0:db8:1234::/64' valid-lifetime 2592000
# 0 means "unspecified by this router" - clients keep their own defaults for these timers
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth1 ipv6 router-advert send-advert true

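# eth2 is unused!
# Nothing in this configuration attaches a firewall rule set to eth2 (only eth1 and pppoe0 get
# one below), so anything plugged into it would reach the router unfiltered. Keep the port
# administratively down until it is actually in use; delete the 'disable' line (and give the
# interface firewall rules) when you put it into service.
set interfaces ethernet eth2 description 'Unused - administratively down'
set interfaces ethernet eth2 disable
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto

set interfaces loopback lo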

# PPPoE configuration - this is your connection to A&A
# You'll need to reduce the MTU to 1492 if you don't have a modem that allows you to use baby jumbos
# You'll also need to add your connection username & password on the user-id and password lines
# NOTE: the password on the line below becomes part of the saved configuration, so anyone who
# can read the config (GUI, 'show configuration' over SSH, a config backup) can read it.
# Strip it before sharing a copy of your configuration.
# default-route force: the PPP link's default route is installed even if another one exists
set interfaces ethernet eth0 pppoe 0 default-route force
set interfaces ethernet eth0 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 pppoe 0 ipv6 enable
# 1500 here relies on the 1508 MTU on eth0 (baby jumbos); otherwise 1492
set interfaces ethernet eth0 pppoe 0 mtu 1500
# Accept the DNS servers the PPP peer offers (presumably these become the DNS forwarder's upstream)
set interfaces ethernet eth0 pppoe 0 name-server auto
set interfaces ethernet eth0 pppoe 0 password 'your password here'
set interfaces ethernet eth0 pppoe 0 user-id 'your username here'

# Add a default route for IPv6 traffic (this lets you access the internet over IPv6!)
# The PPP link is a point-to-point interface, so the route is by interface rather than by next-hop address
set protocols static interface-route6 '::/0' next-hop-interface pppoe0

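# A few basic firewall settings
# These are host-level protections that apply regardless of the rule sets defined below.
set firewall all-ping enable
set firewall broadcast-ping disable
# Don't accept ICMP redirects or source-routed packets from anyone
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
# Log packets with impossible source addresses - useful evidence if spoofed traffic does arrive
set firewall log-martians enable
set firewall receive-redirects disable
# The router may still *send* ICMP redirects; set to disable if you don't want that
set firewall send-redirects enable
# Reverse-path filtering: drop packets whose source address doesn't belong on the interface they
# arrived from (e.g. a 192.168.0.x source arriving over pppoe0, or a spoofed source leaving the LAN).
# 'strict' is appropriate for this single-WAN, single-LAN layout; change to 'loose' (or back to
# 'disable') if you later add a second uplink or anything else that makes routing asymmetric.
set firewall source-validation strict
set firewall syn-cookies enable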

# Add some firewall groups that'll be useful for creating firewall rules
# These must match the eth1 addresses above; the local-v4/local-v6 rule sets below use them
# to decide what counts as "the LAN". Note LAN-v6 covers only the global /64, not link-local
# (fe80::/10) sources.
set firewall group ipv6-network-group LAN-v6 ipv6-network '2001:8b0:db8:1234::/64'
set firewall group network-group LAN-v4 network 192.168.0.0/24

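# internet_in-v6 is for traffic from the internet to the local LAN
# There is no NAT for IPv6 (see the NAT section), so every LAN host's global address is directly
# reachable from the internet; this rule set is what stops unsolicited inbound connections.
set firewall ipv6-name internet_in-v6 default-action reject

# ICMPv6 is protocol 58 ('ipv6-icmp'). 'icmp' is IPv4 ICMP (protocol 1) and never matches IPv6
# traffic, so with 'protocol icmp' this rule matched nothing and inbound ICMPv6 fell through to
# the reject default. Use ipv6-icmp here, as the local-v6 rule set already does.
# This accepts every ICMPv6 type; if you want to be stricter, RFC 4890 lists which types a
# firewall should pass. Do not block Packet Too Big (type 2) or IPv6 path MTU discovery breaks.
set firewall ipv6-name internet_in-v6 rule 1 description 'Allow incoming ICMP'
set firewall ipv6-name internet_in-v6 rule 1 action accept
set firewall ipv6-name internet_in-v6 rule 1 protocol ipv6-icmp

set firewall ipv6-name internet_in-v6 rule 9999 description 'Allow return traffic for established and related connections'
set firewall ipv6-name internet_in-v6 rule 9999 action accept
set firewall ipv6-name internet_in-v6 rule 9999 state established enable
set firewall ipv6-name internet_in-v6 rule 9999 state related enable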

# local-v6 is for traffic from all sources to the router itself
set firewall ipv6-name local-v6 default-action reject

# ICMPv6 from anywhere (including the WAN side) is accepted: Neighbour Discovery and router
# advertisements are ICMPv6, and IPv6 does not work without them.
set firewall ipv6-name local-v6 rule 1 description 'Allow incoming ICMP'
set firewall ipv6-name local-v6 rule 1 action accept
set firewall ipv6-name local-v6 rule 1 protocol ipv6-icmp

# Anything from the LAN's global /64 may talk to the router (DNS, SSH, GUI). Note this is
# matched on source address, so link-local sources on eth1 are not covered by this rule.
set firewall ipv6-name local-v6 rule 2 description 'Allow connections from the LAN'
set firewall ipv6-name local-v6 rule 2 action accept
set firewall ipv6-name local-v6 rule 2 source group ipv6-network-group LAN-v6

set firewall ipv6-name local-v6 rule 9999 description 'Allow return traffic for established and related connections'
set firewall ipv6-name local-v6 rule 9999 action accept
set firewall ipv6-name local-v6 rule 9999 state established enable
set firewall ipv6-name local-v6 rule 9999 state related enable

# internet_in-v4 is for traffic from the internet to the local LAN
# 'reject' answers unwanted packets with an error, which tells a scanner the address is live;
# 'drop' is quieter. Either is fine security-wise - choose according to taste.
set firewall name internet_in-v4 default-action reject

# All ICMP types are accepted (all-ping is enabled above, so echo requests reach LAN hosts too)
set firewall name internet_in-v4 rule 1 description 'Allow incoming ICMP'
set firewall name internet_in-v4 rule 1 action accept
set firewall name internet_in-v4 rule 1 protocol icmp

# With NAT in place this is effectively the only way inbound traffic reaches the LAN: as the
# reply to something a LAN host started.
set firewall name internet_in-v4 rule 9999 description 'Allow return traffic for established and related connections'
set firewall name internet_in-v4 rule 9999 action accept
set firewall name internet_in-v4 rule 9999 state established enable
set firewall name internet_in-v4 rule 9999 state related enable

# local-v4 is for traffic from all sources to the router itself
set firewall name local-v4 default-action reject

# ICMP to the router from anywhere (ping, fragmentation-needed, etc.)
set firewall name local-v4 rule 1 description 'Allow incoming ICMP'
set firewall name local-v4 rule 1 action accept
set firewall name local-v4 rule 1 protocol icmp

# Anything sourced from 192.168.0.0/24 may talk to the router's services (DNS, SSH, GUI).
# This is matched on source address, so it is complemented by the GUI/SSH listen-address
# settings below, which stop those services listening on the WAN side at all.
set firewall name local-v4 rule 2 description 'Allow connections from the LAN'
set firewall name local-v4 rule 2 action accept
set firewall name local-v4 rule 2 source group network-group LAN-v4

set firewall name local-v4 rule 9999 description 'Allow return traffic for established and related connections'
set firewall name local-v4 rule 9999 action accept
set firewall name local-v4 rule 9999 state established enable
set firewall name local-v4 rule 9999 state related enable

# Optionally clamp the TCP MSS size to cope with smaller MTUs
# These lines are commented out by default, but you'll need to use them if your modem doesn't support baby jumbos
# 1452 = 1492 (PPPoE MTU) - 40 bytes of IPv4+TCP headers. This is the IPv4 clamp; IPv6 has 20 bytes
# more header (so 1432 on a 1492 link) - check 'set firewall options ?' on your firmware for an
# IPv6 equivalent if you need it.
# set firewall options mss-clamp interface-type pppoe
# set firewall options mss-clamp mss 1452

# Assign firewall rule sets to network interfaces
# 'local' = traffic addressed to the router itself; 'in' = traffic forwarded through it.
# eth1 only gets 'local' rule sets, so traffic from the LAN out to the internet is not filtered.
# eth2 gets nothing, which is why it is left unused.
set interfaces ethernet eth1 firewall local ipv6-name local-v6
set interfaces ethernet eth1 firewall local name local-v4
# On the WAN side both forwarded and router-bound traffic is filtered
set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name internet_in-v6
set interfaces ethernet eth0 pppoe 0 firewall in name internet_in-v4
set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name local-v6
set interfaces ethernet eth0 pppoe 0 firewall local name local-v4

# Enable internal DHCP
set service dhcp-server disabled false
# Don't write leases into the router's hosts file
set service dhcp-server hostfile-update disable
# authoritative: this server claims to be the only one on the subnet and will refuse leases it doesn't know about
set service dhcp-server shared-network-name LAN authoritative enable
# Clients are pointed at the router for both routing and DNS (the forwarder configured below)
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router 192.168.0.1
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server 192.168.0.1
# 86400 seconds = 1 day
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease 86400
# Pool is .100 - .149 (50 addresses); the rest of the /24 is left for static assignments
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.100 stop 192.168.0.149
# Use the standalone DHCP server rather than dnsmasq's built-in one
set service dhcp-server use-dnsmasq disable

# Enable internal DNS
# The forwarder caches up to 150 entries and listens on eth1 only - so the router is not an
# open resolver on the WAN side. Keep it that way: don't add pppoe0 here.
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1

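# Limit the web GUI to listening on your LAN only
# The GUI binds to the IPv4 LAN address only, so it is not reachable from the WAN (or over IPv6).
set service gui http-port 80
set service gui https-port 443
set service gui listen-address 192.168.0.1
# Don't offer legacy/weak TLS cipher suites on the admin interface. Only set this to 'enable'
# if a browser you must use cannot connect to the GUI at all without them.
set service gui older-ciphers disable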

# Limit the SSH server to listening on your LAN only
# Both LAN addresses are listed so SSH works over IPv6 too. Binding only to these means nothing
# listens on pppoe0 at all; the local-v4/local-v6 rule sets are the second line of defence.
# Once you have loaded an SSH public key for your user, consider
# 'set service ssh disable-password-authentication' as well.
set service ssh listen-address 192.168.0.1
set service ssh listen-address '2001:8b0:db8:1234::1'

# Handle NAT for the internet connection
# Only IPv4 from 192.168.0.0/24 is masqueraded behind the PPP address. There is no IPv6 NAT:
# LAN hosts use their global addresses directly, and the internet_in-v6 rule set is what
# protects them.
set service nat rule 5999 outbound-interface pppoe0
set service nat rule 5999 source address 192.168.0.0/24
set service nat rule 5999 type masquerade

# These offload settings are the best compromise from my personal experience
# as PPPoE download speeds are generally low enough on A&A connections to not need hardware acceleration
# If you don't use VLANs internally, you might enable ipv6 pppoe offload and disable ipv6 vlan offload for better IPv6 download performance
# as you can only have one of those two enabled at once
# NOTE: offloaded traffic bypasses some of the software path; if you later add logging or
# traffic-control rules that seem not to see everything, these settings are the first thing to check.
set system offload hwnat disable
# Nothing in this configuration sets up IPsec, so this is harmless here
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe disable
set system offload ipv6 vlan enable

# Set up QoS to keep your internet connection usable when doing lots of traffic
# You'll need to adjust the upload rate based on your connection's upload sync rate
# Only the upload direction is shaped here; set it a little below the real sync rate so the
# queue sits in the router rather than in the modem. Download is left unshaped.
set traffic-control smart-queue wan-qos upload rate 20mbit
set traffic-control smart-queue wan-qos wan-interface pppoe0