Devices:
Inspired by:
- Ubiquiti EdgeRouter Lite Setup
- EDGEROUTER SECURITY
- EdgeMAX - VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology
All commands should be run in configure mode.
I don't always say when you should save your work (`commit`, then `save`), so don't forget to do it whenever you think it's needed.
Subnets are numbered using the Major System mnemonic (except for Management).
Network overview:
eth0: WAN - DHCP
eth1: Management (+VLAN) - 192.168.1.xxx
eth1.2: WiFi Home - 192.168.3.xxx
eth1.3: WiFi Guest - 192.168.71.xxx
eth2: Work - 192.168.47.xxx
eth3: Disconnected - 192.168.111.xxx
eth4: …
VLANs should be on the eth1 interface if you want to be able to enable VLAN offload. See: https://community.ubnt.com/t5/EdgeMAX/VLAN-offload/td-p/1676369
(See: https://help.ubnt.com/hc/en-us/articles/205202620-EdgeMAX-Reset-router-to-factory-defaults)
Then connect to eth0 with an Ethernet cable and set a static IP:
# ip link set enp0s25 up
# ip addr add 192.168.1.2/24 broadcast 192.168.1.255 dev enp0s25
If you have Internet access through another interface, set it as the default route:
# ip route add default via 192.168.42.1
configure
set system login user <mynewusername> authentication plaintext-password <mynewlongpassword>
set system login user <mynewusername> authentication public-keys <key-name> type ssh-rsa
set system login user <mynewusername> authentication public-keys <key-name> key <key_file>
set system login user <mynewusername> level admin
commit
save
Test your SSH public-key login from a second session before continuing: the next step disables password authentication and deletes the default `ubnt` user, so a broken key would lock you out.
set service ssh disable-password-authentication
delete system login user ubnt
set service dns forwarding cache-size 400
set service dns forwarding name-server 208.67.222.222
set service dns forwarding name-server 208.67.220.220
set system host-name edgerouter
set system time-zone Europe/Paris
set system name-server 127.0.0.1
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system ntp server 3.pool.ntp.org
delete system ntp server 0.ubnt.pool.ntp.org
delete system ntp server 1.ubnt.pool.ntp.org
delete system ntp server 2.ubnt.pool.ntp.org
delete system ntp server 3.ubnt.pool.ntp.org
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system traffic-analysis dpi disable
set system traffic-analysis export disable
set service dhcp-server disabled false
# Configure Firewall and eth1
edit firewall name NO_IN
set default-action drop
set enable-default-log
top
edit interfaces ethernet eth1
set description "Management"
set address 192.168.1.1/24
top
edit service dhcp-server shared-network-name management
set authoritative disable
set subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.100
set subnet 192.168.1.0/24 default-router 192.168.1.1
set subnet 192.168.1.0/24 dns-server 192.168.1.1
set subnet 192.168.1.0/24 lease 86400
top
set service dns forwarding listen-on eth1
set service ssh listen-address 192.168.1.1
set service gui listen-address 192.168.1.1
set service gui http-port 80
set service gui https-port 443
commit
save
Disconnect from eth0 and reconnect to eth1.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
edit firewall group network-group LAN
set description "LAN Networks"
set network 192.168.0.0/16
set network 172.16.0.0/12
set network 10.0.0.0/8
top
edit firewall group network-group BOGON
set network 0.0.0.0/8
set network 10.0.0.0/8
set network 100.64.0.0/10
set network 127.0.0.0/8
set network 169.254.0.0/16
set network 172.16.0.0/12
set network 192.0.0.0/24
set network 192.0.2.0/24
set network 192.168.0.0/16
set network 192.18.0.0/15
set network 198.51.100.0/24
set network 203.0.113.0/24
set network 224.0.0.0/4
set network 240.0.0.0/4
top
edit firewall name WAN_IN
set default-action drop
set enable-default-log
top
edit firewall name WAN_IN rule 10
set description "Allow established connections"
set action accept
set protocol all
set log disable
set state established enable
set state invalid disable
set state new disable
set state related enable
top
edit firewall name WAN_IN rule 20
set description "Drop invalid state"
set action drop
set protocol all
set log disable
set state established disable
set state invalid enable
set state new disable
set state related disable
top
edit firewall name WAN_IN rule 30
set description "Drop BOGON source"
set action drop
set protocol all
set log disable
set source group network-group BOGON
top
edit firewall name WAN_LOCAL
set default-action drop
set enable-default-log
top
edit firewall name WAN_LOCAL rule 10
set description "Allow established connections"
set action accept
set protocol all
set log disable
set state established enable
set state related enable
top
edit firewall name WAN_LOCAL rule 20
set description "Drop invalid state"
set action drop
set protocol all
set log disable
set state invalid enable
top
delete interfaces ethernet eth0 address # remove previous configurations
edit interfaces ethernet eth0
set description "WAN"
set duplex auto
set speed auto
top
edit interfaces ethernet eth0 vif 832
set address dhcp
set description FTTH
set egress-qos "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0"
set firewall in name WAN_IN
set firewall local name WAN_LOCAL
top
edit interfaces ethernet eth0 vif 832 dhcp-options
set client-option "send vendor-class-identifier "sagem";"
set client-option "send user-class "\053FSVDSL_livebox.Internet.softathome.Livebox4";"
set client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX;"
set client-option "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, rfc3118-auth;"
set default-route update
set default-route-distance 210
set name-server update
top
commit
save
Don't forget to commit and save before continuing.
edit service nat
set rule 5000 description "Masquerade for WAN"
set rule 5000 log disable
set rule 5000 outbound-interface eth0.832
set rule 5000 protocol all
set rule 5000 type masquerade
top
You can now connect the WAN cable to eth0.
If your public IP address does not appear on the eth0.832 interface (check with `ip addr show`), run:
configure
run renew dhcp interface eth0.832
Now try to ping Google's DNS server, for example:
ping 8.8.8.8
If it works, you can now harden the Management network:
set interfaces ethernet eth2 firewall in name NO_IN
edit firewall name WORK_IN
set default-action accept
set enable-default-log
top
edit firewall name WORK_IN rule 10
set description "Drop LAN network group"
set action drop
set protocol all
set log disable
set destination group network-group LAN
top
edit firewall name DHCP_DNS_LOCAL
set default-action drop
set enable-default-log
top
edit firewall name DHCP_DNS_LOCAL rule 10
set description "Accept DHCP"
set action accept
set protocol udp
set destination port 67
top
edit firewall name DHCP_DNS_LOCAL rule 20
set description "Allow DNS"
set action accept
set protocol udp
set destination port 53
top
edit interfaces ethernet eth1
set description "Work"
set address 192.168.10.1/24
set firewall in name WORK_IN
set firewall local name DHCP_DNS_LOCAL
top
edit service dhcp-server shared-network-name work
set authoritative disable
set subnet 192.168.10.0/24 start 192.168.10.10 stop 192.168.10.100
set subnet 192.168.10.0/24 default-router 192.168.10.1
set subnet 192.168.10.0/24 dns-server 192.168.10.1
set subnet 192.168.10.0/24 lease 86400
top
set service dns forwarding listen-on eth1
See EdgeMAX - Add access control list (ACL) to understand LOCAL and IN rules.
edit firewall name DHCP_DNS_MDNS_LOCAL
set default-action drop
set enable-default-log
top
edit firewall name DHCP_DNS_MDNS_LOCAL rule 10
set description "Accept DHCP"
set action accept
set protocol udp
set destination port 67
top
edit firewall name DHCP_DNS_MDNS_LOCAL rule 20
set description "Allow DNS"
set action accept
set protocol udp
set destination port 53
top
edit firewall name DHCP_DNS_MDNS_LOCAL rule 30
set description "Accept mDNS"
set action accept
set destination port 5353
set protocol udp
top
edit firewall name COMPARTMENTALIZE_IN
set default-action accept
set enable-default-log
top
edit firewall name COMPARTMENTALIZE_IN rule 10
set description "Drop LAN network group"
set action drop
set protocol all
set log disable
set destination group network-group LAN
set state new enable
top
edit firewall name RESTRICTED_IN
set default-action drop
set enable-default-log
top
edit firewall name RESTRICTED_IN rule 10
set description "Allow established connections"
set action accept
set state established enable
set state related enable
top
edit interfaces ethernet eth2 vif 2
set description "Home"
set address 192.168.22.1/24
set firewall local name DHCP_DNS_MDNS_LOCAL
top
edit service dhcp-server shared-network-name home
set authoritative disable
set subnet 192.168.22.0/24 start 192.168.22.10 stop 192.168.22.100
set subnet 192.168.22.0/24 default-router 192.168.22.1
set subnet 192.168.22.0/24 dns-server 192.168.22.1
set subnet 192.168.22.0/24 lease 86400
top
set service dns forwarding listen-on eth2.2
edit interfaces ethernet eth2 vif 3
set description "Guest"
set address 192.168.23.1/24
set firewall in name COMPARTMENTALIZE_IN
set firewall local name DHCP_DNS_MDNS_LOCAL
top
edit service dhcp-server shared-network-name guest
set authoritative disable
set subnet 192.168.23.0/24 start 192.168.23.10 stop 192.168.23.100
set subnet 192.168.23.0/24 default-router 192.168.23.1
set subnet 192.168.23.0/24 dns-server 208.67.222.222
set subnet 192.168.23.0/24 dns-server 208.67.220.220
set subnet 192.168.23.0/24 lease 86400
top
set service dns forwarding listen-on eth2.3
edit interfaces ethernet eth3
set description "Disconnected"
set address 192.168.30.1/24
set firewall in name RESTRICTED_IN
set firewall local name DHCP_DNS_LOCAL
top
edit service dhcp-server shared-network-name disconnected
set authoritative disable
set subnet 192.168.30.0/24 start 192.168.30.10 stop 192.168.30.100
set subnet 192.168.30.0/24 dns-server 192.168.30.1
set subnet 192.168.30.0/24 default-router 192.168.30.1
set subnet 192.168.30.0/24 lease 86400
top
See: http://www.cron.dk/edgerouter-and-chromecast/
See the link below.
set service mdns repeater interface eth2.2
set service mdns repeater interface eth2.3
edit service bcast-relay id 1
set description "Chromecast relay"
set interface eth2.2
set interface eth2.3
set port 10102
top
To be able to reach a Synology NAS from a different VLAN, set the default gateway in its IP configuration.