Setting up EdgeMAX (Ubiquiti Edgerouter X)

[Theo]

Hellooo,

I recently got an Edgerouter X, set it up for the most basic of things ( QoS, actually having internet access) however since im a network noob I was wondering if people who had more knowledge on this had anything to suggest .

Do I need to add any firewall rules except the ones it already has? 

Thank you!

[Guest]

Post your config and we can let you know..

[Blake]

4 hours ago, Theo said:

Hellooo,

I recently got an Edgerouter X, set it up for the most basic of things ( QoS, actually having internet access) however since im a network noob I was wondering if people who had more knowledge on this had anything to suggest .

Do I need to add any firewall rules except the ones it already has? 

Thank you!

post config, or if your lazy, just use the GUI, make sure you update the firmware first (1.8a is the latest?, but that's alpha, so go 1.7), gives you access to the wizard to do it for you.

 

But in all seriousness, it's pretty basic config work, just run the wizard then export the config/boot file and use that as a template/starting point. when you have your config setup, upload the new config, do a re-boot and your good. Give it 30mins or so and you'll understand the syntax and what not. Don't focus so much on the commands as they change between vendors (Cisco and HP's CLI/config files are very similar).

[Theo]

11 hours ago, Windspeed36 said:

Post your config and we can let you know..

My bad, here it is

8 hours ago, Blake said:

post config, or if your lazy, just use the GUI, make sure you update the firmware first (1.8a is the latest?, but that's alpha, so go 1.7), gives you access to the wizard to do it for you.

 

But in all seriousness, it's pretty basic config work, just run the wizard then export the config/boot file and use that as a template/starting point. when you have your config setup, upload the new config, do a re-boot and your good. Give it 30mins or so and you'll understand the syntax and what not. Don't focus so much on the commands as they change between vendors (Cisco and HP's CLI/config files are very similar).

Yeah i got to 1.7, since im quite new to networking I just wanted to ask if theres any firewall rules that i should add. Its in a home environment so I dont need advanced stuff yet, and when I do ill go learn it.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.254
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-control {
    smart-queue low {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 200mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 12mbit
        }
        wan-interface eth0
    }
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.0.4783374.150622.1533 */

[Blake]

12 hours ago, Theo said:

My bad, here it is

Yeah i got to 1.7, since im quite new to networking I just wanted to ask if theres any firewall rules that i should add. Its in a home environment so I dont need advanced stuff yet, and when I do ill go learn it.
 

Hidden Content

 

I only gave it a quick glance, but it looks fine for home usage.

Go read up on http://vyos.net/wiki/Zone-policy_example and http://vyos.net/wiki/Firewall_groups for more details

 

Also I don't 'think' the X supports offloading, but you might want to double check that as it will increase throughput.

[Guest]

52 minutes ago, Blake said:

I only gave it a quick glance, but it looks fine for home usage.

Go read up on http://vyos.net/wiki/Zone-policy_example and http://vyos.net/wiki/Firewall_groups for more details

 

Also I don't 'think' the X supports offloading, but you might want to double check that as it will increase throughput.

Nah as far as I am aware because of the hardware limitations, they don't support offloading. It is afterall, a switch running a virtual router.

[Theo]

8 hours ago, Blake said:

I only gave it a quick glance, but it looks fine for home usage.

Go read up on http://vyos.net/wiki/Zone-policy_example and http://vyos.net/wiki/Firewall_groups for more details

 

Also I don't 'think' the X supports offloading, but you might want to double check that as it will increase throughput.

Alright thanks, ill check out those links too

7 hours ago, Windspeed36 said:

Nah as far as I am aware because of the hardware limitations, they don't support offloading. It is afterall, a switch running a virtual router.

I saw you mention this on another post too, however in theory it should be "better" than most of the wireless routers that are around 200-250 euros ( from what i have read so far)

[Trikein]

I notice you have traffic-control enabled. Was this on purpose or by default?

 

Also, might want to run a firewall scanner just to look for any obvious holes. Here is one I bumped into on google, but there are lots of options. Free with account creation.

[Theo]

5 hours ago, Trikein said:

I notice you have traffic-control enabled. Was this on purpose or by default?

 

Also, might want to run a firewall scanner just to look for any obvious holes. Here is one I bumped into on google, but there are lots of options. Free with account creation.

That was default, ill probably turn it off.

Thanks for the link, will check it out