Ubiquiti EdgeRouter X: Initial Setup & Config - cfloquetprojects/homelab GitHub Wiki

EdgeRouter X PreFlight:

  • The EdgeRouter X is made by Ubiquiti Networks and has five Gigabit Ethernet ports (eth0 to eth4); eth0 can be powered by passive PoE and eth4 can pass PoE through to a downstream device.
  • Before the first configuration we should factory reset the device, which can be done in several ways described in Ubiquiti's documentation. A reset also guarantees we start from the known default address and credentials used below.
  • I also downloaded the latest firmware for the model I was working with, which is available for free from Ubiquiti's download site; running current firmware matters more on an internet-facing router than on anything else in the lab.

Initial Console Connection & Networking:

  • Make sure the router has been reset as described in the docs linked above, and that the device you will manage it from is connected to the router's eth0 port.
  • Give the managing device a static IP of 192.168.1.2/24; the router's factory-default address on eth0 is 192.168.1.1, which is the address we connect to.
  • Using your preferred SSH client (I used PuTTY), SSH to 192.168.1.1 and log in with the factory default username and password of ubnt/ubnt. These credentials are public knowledge, so one of the first things we do below is create our own admin account to replace them:
  • Enter configuration mode with configure, then set the hostname and create a named admin user. The plaintext-password is hashed when the configuration is committed, so it is not stored as typed in config.boot:
configure
set system host-name edge01
set system login user cfloquet authentication plaintext-password "your_pw_here"
set system login user cfloquet level admin
  • After the commit further down, confirm in a second session that you can log in as the new user, then delete the default ubnt user so the factory credentials stop working.
  • With the basics in place, label the interfaces with descriptions for later use and give eth1 a static LAN address so that we can reconnect through it once eth0 becomes the WAN port. The delete line only applies if eth1 currently holds a DHCP address; if the factory configuration left eth1 as a member of switch0, remove it from the switch before assigning it an address:
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 description LAN
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 address 10.0.1.1/24
  • While still in configuration mode, take care of the WAN side. With eth0 on DHCP the default route comes from the lease, so the gateway-address line is only needed when you configure a static public address on eth0 (in which case leave the dhcp line out). The name-server line sets the upstream resolver used by the router's own DNS forwarder:
set interfaces ethernet eth0 address dhcp
# Only for a static WAN address on eth0; with DHCP the gateway comes from the lease
#set system gateway-address 192.168.1.1
set system name-server 8.8.8.8
  • We need a source NAT rule so that traffic leaving eth0 from the LAN carries the router's WAN address. In EdgeOS, rule numbers 5000 and above are source NAT; numbers below 5000 are destination NAT. The last line is not NAT at all: it makes the router's DNS forwarder listen on eth1 so LAN hosts can use 10.0.1.1 as their resolver:
set service nat rule 5010 description "NAT from LAN to WAN"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 10.0.1.0/24
set service nat rule 5010 type masquerade
set service dns forwarding listen-on eth1
  • All that remains within the SSH session is commit, then save, then exit. The changes take effect at commit; a reboot is not required, though it is a useful test that the saved configuration comes back as intended.
  • To check the interface work, use show interfaces from operational mode (or run show interfaces while still in configure mode).
  • Move the cable from your computer out of eth0 and into eth1, and plug the ISP or other upstream cable into eth0 to provide internet access.
  • Change your workstation's static IP from 192.168.1.2/24 to an address in the LAN you defined, for example 10.0.1.2/24, and reconnect to the router at 10.0.1.1.

Setting Up Segmented Networks:

  • We will split the home lab into three separate networks, DMZ, MGMT, and LAN, each on its own interface and, further down, its own firewall zone.
  • First, the addresses and subnets for the two new interfaces (eth1/LAN was configured above); a /29 gives the DMZ six usable hosts and a /28 gives MGMT fourteen:
configure
set interfaces ethernet eth2 description DMZ
set interfaces ethernet eth2 address 10.0.2.1/29
set service dns forwarding listen-on eth2
set interfaces ethernet eth3 description MGMT
set interfaces ethernet eth3 address 10.0.3.1/28
set service dns forwarding listen-on eth3
  • Next, source NAT for the new DMZ and MGMT networks towards the WAN (the dns forwarding listen-on lines for eth2 and eth3 were already set above and are not repeated):
### Below is for DMZ
set service nat rule 5020 description "NAT from DMZ to WAN"
set service nat rule 5020 outbound-interface eth0
set service nat rule 5020 source address 10.0.2.0/29
set service nat rule 5020 type masquerade
### Below is for MGMT
set service nat rule 5030 description "NAT from MGMT to WAN"
set service nat rule 5030 outbound-interface eth0
set service nat rule 5030 source address 10.0.3.0/28
set service nat rule 5030 type masquerade
  • Now we define the zones, assign each interface to exactly one zone, and attach a named firewall ruleset to each direction of traffic we want to permit. With zone policies, any zone pair that has no ruleset attached is dropped; that implicit deny is what does the real work here. It also means the commented-out rulesets below are placeholders: until they are written and attached, DMZ and MGMT can reach nothing, including the WAN, despite the NAT rules above.
  • The router itself is not part of any zone unless a local-zone is defined, so the SSH session on eth1 and the DNS forwarder on eth1, eth2 and eth3 keep working while this policy is committed.
set firewall name WAN-to-LAN default-action drop
#set firewall name WAN-to-DMZ default-action drop
#set firewall name WAN-to-MGMT default-action drop
set firewall name LAN-to-WAN default-action accept
#set firewall name DMZ-to-WAN default-action drop
#set firewall name MGMT-to-WAN default-action accept
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
set firewall name WAN-to-LAN rule 1 state related enable
set firewall name WAN-to-LAN rule 1 description "Allow established/related connections"
set zone-policy zone WAN interface eth0
set zone-policy zone LAN interface eth1
set zone-policy zone DMZ interface eth2
set zone-policy zone MGMT interface eth3
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
commit
save
  • The from direction reads as traffic entering the named zone: zone LAN from WAN is filtered by WAN-to-LAN. Interfaces are assigned before the commit because a zone with no interface (and no local-zone) is rejected at commit time. Rule 1 accepts related as well as established traffic so that ICMP errors and helper-tracked protocols belonging to LAN-initiated connections are not dropped. commit and save are two separate commands: commit applies the candidate configuration, save writes it to config.boot so it survives a reboot.
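  • The full zone matrix that the placeholders above leave open, written out as an added example. This is not the wiki's own configuration: the ruleset names RETURN-ONLY, ALLOW-ALL, DMZ-to-WAN and TO-DMZ-HTTPS, the DMZ web host 10.0.2.2 and the policy choices (MGMT may initiate anywhere, nothing initiates into MGMT, the DMZ may only fetch updates and serve one published port) are this example's assumptions. It reuses the interfaces, subnets and NAT numbering conventions defined earlier on this page, and relies on the same implicit deny for any zone pair without a ruleset:

```vyos
configure

### Reusable rulesets (the names are this example's, not the wiki's)
# Return traffic only: nothing the peer zone initiates gets through
set firewall name RETURN-ONLY default-action drop
set firewall name RETURN-ONLY enable-default-log
set firewall name RETURN-ONLY rule 10 description "Allow established/related"
set firewall name RETURN-ONLY rule 10 action accept
set firewall name RETURN-ONLY rule 10 state established enable
set firewall name RETURN-ONLY rule 10 state related enable
set firewall name RETURN-ONLY rule 20 description "Drop invalid"
set firewall name RETURN-ONLY rule 20 action drop
set firewall name RETURN-ONLY rule 20 state invalid enable

# Unrestricted: only where the source zone is fully trusted
set firewall name ALLOW-ALL default-action accept

# DMZ egress: return traffic plus HTTP/HTTPS for updates. DNS is answered by
# the router's forwarder on eth2, and traffic to the router itself is not
# filtered by zone policies while no local-zone is defined.
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 10 action accept
set firewall name DMZ-to-WAN rule 10 state established enable
set firewall name DMZ-to-WAN rule 10 state related enable
set firewall name DMZ-to-WAN rule 20 description "Updates over HTTP/HTTPS"
set firewall name DMZ-to-WAN rule 20 action accept
set firewall name DMZ-to-WAN rule 20 protocol tcp
set firewall name DMZ-to-WAN rule 20 destination port 80,443

# Into the DMZ from WAN or LAN: return traffic plus one published service.
# 10.0.2.2 is a hypothetical web host inside 10.0.2.0/29 (assumption).
set firewall name TO-DMZ-HTTPS default-action drop
set firewall name TO-DMZ-HTTPS enable-default-log
set firewall name TO-DMZ-HTTPS rule 10 action accept
set firewall name TO-DMZ-HTTPS rule 10 state established enable
set firewall name TO-DMZ-HTTPS rule 10 state related enable
set firewall name TO-DMZ-HTTPS rule 20 description "Published HTTPS service"
set firewall name TO-DMZ-HTTPS rule 20 action accept
set firewall name TO-DMZ-HTTPS rule 20 protocol tcp
set firewall name TO-DMZ-HTTPS rule 20 destination address 10.0.2.2
set firewall name TO-DMZ-HTTPS rule 20 destination port 443

# Destination NAT so the service is reachable on the WAN address;
# destination NAT rules are numbered below 5000, source NAT 5000 and up
set service nat rule 10 description "Forward HTTPS to the DMZ web host"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination port 443
set service nat rule 10 inside-address address 10.0.2.2
set service nat rule 10 inside-address port 443

### Zones: each interface belongs to exactly one zone, default is drop
set zone-policy zone WAN default-action drop
set zone-policy zone WAN interface eth0
set zone-policy zone LAN default-action drop
set zone-policy zone LAN interface eth1
set zone-policy zone DMZ default-action drop
set zone-policy zone DMZ interface eth2
set zone-policy zone MGMT default-action drop
set zone-policy zone MGMT interface eth3

### Zone matrix: "zone X from Y" filters traffic entering X that came from Y
# Into WAN: LAN and MGMT browse freely, DMZ only as allowed above
set zone-policy zone WAN from LAN firewall name ALLOW-ALL
set zone-policy zone WAN from MGMT firewall name ALLOW-ALL
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
# Into LAN: only MGMT may initiate connections
set zone-policy zone LAN from WAN firewall name RETURN-ONLY
set zone-policy zone LAN from MGMT firewall name ALLOW-ALL
set zone-policy zone LAN from DMZ firewall name RETURN-ONLY
# Into DMZ: the published service from WAN and LAN, everything from MGMT
set zone-policy zone DMZ from WAN firewall name TO-DMZ-HTTPS
set zone-policy zone DMZ from LAN firewall name TO-DMZ-HTTPS
set zone-policy zone DMZ from MGMT firewall name ALLOW-ALL
# Into MGMT: replies only; no other zone may initiate towards management
set zone-policy zone MGMT from WAN firewall name RETURN-ONLY
set zone-policy zone MGMT from LAN firewall name RETURN-ONLY
set zone-policy zone MGMT from DMZ firewall name RETURN-ONLY

commit
save
exit
```

  • The block can be pasted into configure mode over the eth1 session; because nothing here defines a local-zone, the session to the router itself is not affected by the commit. If you later add a local-zone, attach a ruleset that allows SSH from MGMT before committing, and use commit-confirm so a mistake rolls back on its own. Review the result with show configuration commands | match zone-policy, and watch the enable-default-log drops in show log to see which zone pair a blocked connection hit.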