Posted by virantha on Fri 22 August 2014

Setting up the Edgemax EdgeRouter Lite (ERLite-3) in a Home Environment

This is just my cheat sheet on setting up the EdgeRouter ERLite-3 in a home environment. I recently migrated to this after a long search for a low-power firewall and router solution. Prior to getting this beauty, I'd migrated my stand-alone PC running IPCop/Smoothwall to a Xen virtual machine firewall, which unfortunately had some usability issues.

1   Command-line interface

Although the GUI is fairly responsive, a lot of the features are only exposed through the underlying command line. The Ubiquiti EdgeOS products run a fork of the open-source Vyatta router OS, so Vyatta documentation and forum answers usually apply, and you can generally find what you're looking for with a quick web search.

You can access the CLI either through the GUI (which seems to have issues on Safari) or directly over ssh. The GUI terminal also times out on long-running jobs, so use ssh for those.

Once you're logged in, you are in operational mode. To switch to configuration mode, type:

configure

Once you are done making configuration changes with 'set' commands, commit applies them to the running system. If everything still works, save writes the running configuration to /config/config.boot; without it, the changes are lost at the next reboot.

commit
save
exit

2   Setting up DynDNS

If you use No-IP.com you have to rely on the built-in dyndns service type but point it at No-IP's update server, as detailed in this post. Note that the password is stored in cleartext in the configuration (and therefore in /config/config.boot), so use a dedicated DDNS credential rather than your main account password if the provider offers one.

set service dns dynamic interface eth1 service dyndns server dynupdate.no-ip.com
set service dns dynamic interface eth1 service dyndns host-name <host>
set service dns dynamic interface eth1 service dyndns login <username>
set service dns dynamic interface eth1 service dyndns password <password>

To force update the dynamic interface:

update dns dynamic interface eth1

To get the status (from operational mode):

show dns dynamic status

To schedule this using the built-in task scheduler (1.5.0 firmware)

set system task-scheduler task dyndns_update executable path /opt/vyatta/bin/vyatta-op-cmd-wrapper
set system task-scheduler task dyndns_update executable arguments "update dns dynamic interface eth1"
set system task-scheduler task dyndns_update interval 7d

3   Setting up web filtering using SquidGuard

First, get the blacklists

update webproxy blacklists

Building the adult database takes a long time, so do it in an ssh session rather than the web CLI, which will time out. Keep in mind that the proxy is transparent by default: it intercepts port 80 traffic from the LAN, so HTTPS sites (and anything not on port 80) bypass the filter entirely.

set service webproxy listen-address 192.168.9.1
set service webproxy url-filtering squidguard allow-ipaddr-url
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category malware
set service webproxy url-filtering squidguard block-category phishing
set service webproxy url-filtering squidguard auto-update update-hour 15
set service webproxy url-filtering squidguard redirect-url "http://192.168.9.1/cgi-bin/squidGuard-simple.cgi?targetclass=%t&url=%u"

I'm not convinced I'll stick with the ad blocks, as the redirects cause my browsing sessions to sometimes fail.

4   QOS for VOIP calls

Taken directly from this page

Assumes your LAN is on eth0, Internet is eth1, and a 30/6 Mbps connection. Two caveats before copying it: the classes trust the DSCP value the sender put on the packet, so on the downstream side any host on the Internet can mark its traffic 46 and get the RTP class's guaranteed share; and a shaper only controls latency if it is the bottleneck, so set each policy's bandwidth a little below what the link actually delivers, not the advertised rate.

# Set-up the details of the DownStream Policy
set traffic-policy shaper DownStream description "DownStream QoS policy"
set traffic-policy shaper DownStream bandwidth 30000kbit
set traffic-policy shaper DownStream class 10 description "RTP"
set traffic-policy shaper DownStream class 10 bandwidth 25%
set traffic-policy shaper DownStream class 10 ceiling 100%
set traffic-policy shaper DownStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper DownStream class 20 description "SIP"
set traffic-policy shaper DownStream class 20 bandwidth 5%
set traffic-policy shaper DownStream class 20 ceiling 100%
set traffic-policy shaper DownStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper DownStream default bandwidth 70%
set traffic-policy shaper DownStream default ceiling 100%
#  Set-up the details of the UpStream Policy
set traffic-policy shaper UpStream description "UpStream QoS policy"
set traffic-policy shaper UpStream bandwidth 6000kbit
set traffic-policy shaper UpStream class 10 description "RTP"
set traffic-policy shaper UpStream class 10 bandwidth 50%
set traffic-policy shaper UpStream class 10 ceiling 100%
set traffic-policy shaper UpStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper UpStream class 20 description "SIP"
set traffic-policy shaper UpStream class 20 bandwidth 10%
set traffic-policy shaper UpStream class 20 ceiling 100%
set traffic-policy shaper UpStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper UpStream default bandwidth 40%
set traffic-policy shaper UpStream default ceiling 100%
# Apply the policies to the interfaces
set interfaces ethernet eth0 traffic-policy out DownStream
set interfaces ethernet eth1 traffic-policy out UpStream
# Commit, Save, and Exit

5   Installing Pound Reverse Proxy

First, follow the instructions here to add Debian package repositories with apt. EdgeOS 1.x is built on Debian squeeze (mips), so the distribution field must be squeeze; the repository name in front of it is only a local label. Two things to keep in mind: anything installed this way lives outside the firmware image and has to be reinstalled after a firmware upgrade, and every extra daemon widens the attack surface of the box that is also your firewall. Squeeze has since been retired to archive.debian.org and no longer receives security updates, so the mirror URLs below will need adjusting.

configure
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution squeeze
set system package repository squeeze url http://http.us.debian.org/debian

set system package repository squeeze-security components main
set system package repository squeeze-security distribution squeeze/updates
set system package repository squeeze-security url http://security.debian.org
commit
save
exit
sudo apt-get update

Then, install Pound:

sudo apt-get install pound

Pound binds port 80 by default, which (along with 443) is already taken by the lighttpd instance serving the EdgeOS GUI, so set ListenHTTP to another port and follow the rest of the instructions here. Nothing reaches that port from the Internet until you add a WAN_LOCAL rule accepting it.
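As an added example (mine, not from the original post or the Pound project), here is a script that writes the kind of Pound configuration those instructions lead to: listen on 8080, forward one public hostname to a web server on the LAN, enable the Debian init script and syntax-check the file before starting. The hostname app.example.com, the backend 192.168.9.50:80 and the Debian paths /etc/pound/pound.cfg and /etc/default/pound are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Pound project: generate a
# minimal Pound configuration on the router, listening on 8080 because the
# EdgeOS GUI already owns 80 and 443, and forward one public hostname to a
# web server on the LAN. Usage (as root on the router):
#   ./pound-setup.sh <public-hostname> <backend-ip> <backend-port>
# Assumptions: Debian's paths /etc/pound/pound.cfg and /etc/default/pound;
# the hostname and backend values are placeholders.
set -eu

# write_pound_cfg PATH HOSTNAME BACKEND_IP BACKEND_PORT
write_pound_cfg() {
  path="$1"; host="$2"; backend="$3"; bport="$4"
  # Pound matches headers with a regex; escape the dots so the name is literal
  host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
  cat > "$path" <<EOF
User        "www-data"
Group       "www-data"
LogLevel    1
Alive       30
Client      10

ListenHTTP
    Address 0.0.0.0
    Port    8080
    # 0 = allow only GET/POST/HEAD; raise it if the backend needs PUT/DELETE
    xHTTP   0

    # Only requests for this hostname are forwarded; anything else gets a 503
    Service
        HeadRequire "Host: ${host_re}.*"
        BackEnd
            Address ${backend}
            Port    ${bport}
        End
    End
End
EOF
}

# install_pound HOSTNAME BACKEND_IP BACKEND_PORT: write, enable, check, start
install_pound() {
  write_pound_cfg /etc/pound/pound.cfg "$1" "$2" "$3"
  # Debian ships pound disabled in /etc/default/pound; turn it on
  sed -i 's/^startup=0/startup=1/' /etc/default/pound
  # parse the file before (re)starting so a typo cannot take the proxy down
  pound -c -f /etc/pound/pound.cfg
  /etc/init.d/pound restart
}

if [ $# -eq 3 ]; then
  install_pound "$1" "$2" "$3"
fi
```

Run it as `sudo ./pound-setup.sh app.example.com 192.168.9.50 80` on the router, then add a WAN_LOCAL rule accepting TCP 8080 from the Internet. If the service should not be plain HTTP on the Internet, replace ListenHTTP with a ListenHTTPS block carrying a Cert directive so TLS terminates on the router.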

6   Setting up VPN (for example, your iOS device)

Follow the procedure here. This is the relevant configuration after running all the commands:

admin@ubnt# show vpn ipsec
 auto-firewall-nat-exclude disable
 ipsec-interfaces {
     interface eth1
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable

admin@ubnt# show vpn l2tp
 remote-access {
     authentication {
         local-users {
             username virantha {
                 password **************
             }
         }
         mode local
     }
     client-ip-pool {
         start 192.168.101.2
         stop 192.168.101.100
     }
     dhcp-interface eth1
     dns-servers {
         server-1 192.168.9.1
     }
     ipsec-settings {
         authentication {
             mode pre-shared-secret
             pre-shared-secret **************
         }
         ike-lifetime 3600
     }
     mtu 1492
 }

admin@ubnt# show firewall name WAN_LOCAL
 name WAN_LOCAL {
     default-action drop
     description "WAN to router"
     rule 1 {
         action accept
         description "Allow L2tp"
         destination {
             port 500,1701,4500
         }
         log disable
         protocol udp
     }
     rule 2 {
         action accept
         description ESP
         log disable
         protocol esp
     }
    .
    .
    .
 }

The user passwords and the pre-shared secret are stored unencrypted, so if you forget them you can read them back from configuration mode (which also means anyone with CLI access to the router can):

configure
show vpn l2tp
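The configure/set/commit/save workflow from section 1 can also be driven from a script over ssh, which is handy for long-running or repeatable changes. This added example (mine, not from the original post) rebuilds the L2TP/IPsec and WAN_LOCAL configuration shown above through EdgeOS's /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper. The username, password and pre-shared secret are placeholders passed on the command line, the addresses are taken from the show output above, and attaching WAN_LOCAL to eth1 as its local rule set is an assumption, since the post shows the rule set but not where it is applied.

```shell
#!/bin/sh
# Added example, not from the original post: apply the L2TP/IPsec remote-access
# and WAN_LOCAL configuration shown above through EdgeOS's configuration
# wrapper, so it can be pushed over ssh or re-run after a factory reset.
#   usage:  ./l2tp-setup.sh <username> <password> <pre-shared-secret>
#   DRY_RUN=1 prints the configuration commands instead of applying them.
# Assumptions: WAN is eth1, the LAN side of the router is 192.168.9.1, and the
# WAN_LOCAL rule set is attached to eth1 as its "local" firewall (the post
# shows the rule set but not where it is applied).
set -eu

WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
DRY_RUN="${DRY_RUN:-0}"

# cfg <command...>: run one command inside the configuration session
cfg() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$WRAPPER" "$@"
  fi
}

# l2tp_config USER PASSWORD PSK: full begin/set.../commit/save/end sequence
l2tp_config() {
  user="$1"; pass="$2"; psk="$3"
  cfg begin
  # IPsec: terminate on the WAN interface, allow clients behind NAT (NAT-T)
  cfg set vpn ipsec ipsec-interfaces interface eth1
  cfg set vpn ipsec nat-traversal enable
  cfg set vpn ipsec nat-networks allowed-network 0.0.0.0/0
  cfg set vpn ipsec auto-firewall-nat-exclude disable
  # L2TP: address pool for clients, router as their DNS, local user database
  cfg set vpn l2tp remote-access dhcp-interface eth1
  cfg set vpn l2tp remote-access client-ip-pool start 192.168.101.2
  cfg set vpn l2tp remote-access client-ip-pool stop 192.168.101.100
  cfg set vpn l2tp remote-access dns-servers server-1 192.168.9.1
  cfg set vpn l2tp remote-access mtu 1492
  cfg set vpn l2tp remote-access authentication mode local
  cfg set vpn l2tp remote-access authentication local-users username "$user" password "$pass"
  cfg set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
  cfg set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "$psk"
  cfg set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
  # Firewall: drop everything aimed at the router from the WAN except
  # IKE (500), L2TP (1701) and NAT-T (4500) over UDP, plus ESP
  cfg set firewall name WAN_LOCAL default-action drop
  cfg set firewall name WAN_LOCAL description "WAN to router"
  cfg set firewall name WAN_LOCAL rule 1 action accept
  cfg set firewall name WAN_LOCAL rule 1 description "Allow L2TP"
  cfg set firewall name WAN_LOCAL rule 1 protocol udp
  cfg set firewall name WAN_LOCAL rule 1 destination port 500,1701,4500
  cfg set firewall name WAN_LOCAL rule 2 action accept
  cfg set firewall name WAN_LOCAL rule 2 description ESP
  cfg set firewall name WAN_LOCAL rule 2 protocol esp
  cfg set interfaces ethernet eth1 firewall local name WAN_LOCAL
  cfg commit
  cfg save
  cfg end
}

if [ $# -eq 3 ]; then
  l2tp_config "$1" "$2" "$3"
fi
```

Run it as the router's admin user (the one you ssh in as), and try `DRY_RUN=1` first to see exactly what will be committed. Both the user password and the pre-shared secret end up in cleartext in /config/config.boot, which is why the `show vpn l2tp` trick above works; treat that file and any backups of it as secrets, and don't leave the script with real credentials lying around in your shell history.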

© Virantha Ekanayake. Built using Pelican. Modified svbhack theme, based on theme by Carey Metcalfe