Nice work.
I have actually been thinking about moving the existing patch panel, and putting in a bigger rack setup so I can do something similar.
The photo gives me some ideas.
I ended up going with a CloudKey, USG, and a PoE switch.
I haven't added the wireless yet, but process was seamless getting everything running and updating the various firmwares.
I see they've dropped a 5.5.x version of the controller so will look at updating to that before I configure too much more.
michaelmurfy:
You can do this via timed Firewall rules: https://community.ubnt.com/t5/EdgeMAX/Time-control-parental-controll/td-p/1035259
I've never tried this nor have any need to however.
So, without abusing your generosity... I'm looking for help on how to apply a policy-based vpn service to the router.
I'm quickly learning that this incredibly powerful router is somewhat limited in its configurability if one purely relies on the GUI, which then means it is severely limited by me and my inability to work out how to use the CLI.
I have an AppleTV (Gen 4) which has a static IP. I want all of its traffic to route through to a VPN service. I currently use expressVPN, which has a username/password/shared plus server configuration when applied through a manual setup.
Whilst some of this information can be entered through the GUI, there's nowhere to add the logon type details, and then I end up lost. I've tried locating some EdgeMax wizards to download in the hope that would simplify things for me, but I failed at that too.
Any ideas of how to make this idiot proof for me?
ArdRigh:
I ended up going with a CloudKey, USG, and a PoE switch.
I haven't added the wireless yet, but process was seamless getting everything running and updating the various firmwares.
I see they've dropped a 5.5.x version of the controller so will look at updating to that before I configure too much more.
How are you finding it?
dmartora:
So, without abusing your generosity... I'm looking for help on how to apply a policy-based vpn service to the router.
I'm quickly learning that this incredibly powerful router is somewhat limited in its configurability if one purely relies on the GUI, which then means it is severely limited by me and my inability to work out how to use the CLI.
I have an AppleTV (Gen 4) which has a static IP. I want all of its traffic to route through to a VPN service. I currently use expressVPN, which has a username/password/shared plus server configuration when applied through a manual setup.
Whilst some of this information can be entered through the GUI, there's nowhere to add the logon type details, and then I end up lost. I've tried locating some EdgeMax wizards to download in the hope that would simplify things for me, but I failed at that too.
Any ideas of how to make this idiot proof for me?
I wish I could help here but I really can't. The only thing I've done is a site-to-site VPN from my router to another router that I manage via OpenVPN. The only thing I can really recommend here is to ask on the Ubiquiti forums as the guys there are very helpful and there is bound to be somebody who has done what you're wanting there.
Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
michaelmurfy:
I wish I could help here but I really can't. The only thing I've done is a site-to-site VPN from my router to another router that I manage via OpenVPN. The only thing I can really recommend here is to ask on the Ubiquiti forums as the guys there are very helpful and there is bound to be somebody who has done what you're wanting there.
Thanks for your guidance, I've tried the forums, I'm really coming up against a brick wall. If anyone has any insights I would appreciate it.
It's taking me ages just to understand bits but I am still trying though, and I have managed to get the router set up and working. I just want to take the next step in configuring it and now I'm lost in a world I clearly don't (yet) understand.
I have an expressVPN account subscription, which allows OpenVPN configuration. I have downloaded the OpenVPN configuration file (single file *.ovpn - let's call it: doessomething.ovpn). No idea what to do with it really.
What I am trying to do is have all the traffic from a particular device (and only that device) on my internal network (let's call that device 192.168.10.223) routed through to use the VPN. All other traffic can merrily fall out of the router through whatever my ISP decides.
The router is set up fine (I think). It does its job well. The router is set up as shown in this pic:
Any advice from anyone would be (really, really... really) appreciated. If I need to remove it from this thread and create another, let me know.
Thanks in advance
I don't think you can do OpenVPN in an Edgerouter from the GUI - you have to use the CLI. Depending on what is in the .ovpn file, it may be as simple as storing the file somewhere under your /config directory (I have mine in /config/auth/openvpn) and then adding some CLI commands to set up a tunnel interface with that file, something like this:
set interfaces openvpn vtun0 config-file /config/auth/openvpn/dosomething.ovpn
set interfaces openvpn vtun0 enable
You would then need to set up routing so that the traffic to and from the IP address of the device you want to have using the OpenVPN connection is routed via the vtun0 tunnel - that may be able to be done from the GUI once you have created the vtun0 interface in the CLI.
I am switching over to Bigpipe UFB with a static IP, and this presents me a chance to do some hardware upgrade as well. Been using a Fritz 7490 and now planning to get an ERL-3 and repurpose the Fritz as an AP. I currently run a Synology NAS, accessible via VPN and using DynDNS. My question is, do I plug the NAS onto the ERL or onto the ERL-3? Which option is 'easier' to configure (port forwards, f/w rules, etc.) and achieved on the ERL?
Thanks!
michaelmurfy:
ArdRigh:
I ended up going with a CloudKey, USG, and a PoE switch.
I haven't added the wireless yet, but process was seamless getting everything running and updating the various firmwares.
I see they've dropped a 5.5.x version of the controller so will look at updating to that before I configure too much more.
How are you finding it?
So far it has been good. Applied a couple of CloudKey updates that have been released.
I changed my configuration a couple of times, so the network devices aren't on the default range, which caused some dramas adopting the USG. A couple of commands via SSH got around that.
So now I have 3 VLANs; an untagged management range, a tagged DMZ range for port forwarding devices, and a tagged general range. With WiFi tagged on the general range.
Using VLAN tagging and DHCP from the USG has been interesting. I had to set switch ports to specific VLANs so DHCP worked, otherwise hosts wouldn't get addresses. I'm not sure if there's a better way to get that working?
The web interface is pretty slick and the Ubiquiti forums and community site have been helpful. I am considering whether to try the Beta channel 5.6.x releases for some of the feature updates.
I've added a second wifi network on a vlan to start moving devices off the general lan again like I had before I got all the unifi stuff.
Finding that the vlans are not making it through all the switches to all the APs, and since there is no IP on the vlan interface of the AP, it's hard to go plugging in at various places and seeing what responds and what doesn't. Also DHCP seems to not be getting through all the switches on the vlans since the phone which is statically configured will work fine in the shed on the speaker network, but the speakers when out there will connect but not get an IP so just sit there flashing their light. Bring the speaker into the house near an AP plugged into the main switch and they connect up and work just fine.
I'm at the CBF troubleshooting it stage with the unifi stuff and have just moved the SSID back to the untagged lan and things are working, but the LG crap speakers seem to freak out with something else on the network most of the time and crash. When on their own vlan with just them and the phone, they worked great for days.
I really don't like the VLAN implementation on the Unifi switches. They have just made it too simple, which actually makes it hard to achieve what you want when you have had years of terms like edge, trunk, tagged, untagged etc. It gets kind of annoying when you have to go configure a "network" and then set that on the ports you want. And then I haven't managed to make it do what I would call a normal "edge" port - i.e. the VLAN might be tagged on the trunk port, so you set an edge port with the VLAN so egress packets get untagged as they leave the edge port. But no, doesn't work like that.
The UBNT EdgeSwitch is how I like it. Or just ol' faithful Allied Telesis if the customer is willing to pay.
My old tenda switches were simple how I liked it, add vlan numbers and then a crapload of checkboxes to choose what went where. The dropdown list and edit thing on the unifi is confusing as to what it will actually achieve. I also think the dhcp guard is on even though I didn't choose it since it breaks DHCP. Motivation to play exhausted with other things needing to be done.
Thanks for the tutorial! Got it all working but just a quick question. My firewall configuration was set to pppoe/in and pppoe/local rather than eth0.10 like in your screenshot - is this an issue or can I leave it as is?
Swemoph:
Thanks for the tutorial! Got it all working but just a quick question. My firewall configuration was set to pppoe/in and pppoe/local rather than eth0.10 like in your screenshot - is this an issue or can I leave it as is?
Yep pppoe0 is what you want to have it set to if you're using an ISP with PPPoE. I have it set as eth0.10 since that is what my ISP provides me.
fe31nz:
I don't think you can do OpenVPN in an Edgerouter from the GUI - you have to use the CLI. Depending on what is in the .ovpn file, it may be as simple as storing the file somewhere under your /config directory (I have mine in /config/auth/openvpn) and then adding some CLI commands to set up a tunnel interface with that file, something like this:
set interfaces openvpn vtun0 config-file /config/auth/openvpn/dosomething.ovpn
set interfaces openvpn vtun0 enable
You would then need to set up routing so that the traffic to and from the IP address of the device you want to have using the OpenVPN connection is routed via the vtun0 tunnel - that may be able to be done from the GUI once you have created the vtun0 interface in the CLI.
This must be really painful to read for most of you. So, what you mentioned does make more sense to me, but... it's all taking some (significant) time to click with me.
In reality, I am prepared to pay for support now and would kill for some step by step instructions to make it simpler for me and was wondering if anyone knew of any out there, or might even provide some (paid) support, I am certainly not looking to take advantage of goodwill. If I asked a builder mate to do a job... he'd likely charge me something, so I don't see the difference.
The challenge I have is that whilst everywhere I have asked for help have been helpful and tried to guide me, they all assume that I'm not the idiot that I obviously am. Believe it or not, I have searched the net quite extensively but I'm either not getting something glaringly obvious (quite likely) or there's some secret black-art to doing this for which I haven't learned the appropriate handshake.
As mentioned:
At a basic level, I'd simply like to know what to do with the *.ovpn file, whether I need (to create) any other files, the easiest way to get the file(s) on my router, and how to configure the vpn service using the command line (accepting the router gui isn't capable). In reading that, it still seems like I'm asking a lot.
Once that bit is done, I'll then worry about the policy based usage.
Again, any help at all from anyone would be appreciated. Feel free to patronise, I clearly need small words and limited syllables.
Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.
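The steps fe31nz sketched (profile under /config, a vtun0 interface, then routing for the one host) and the questions asked just above (what to do with the .ovpn, whether any other files are needed, which CLI commands to use), pulled together as one added shell example. It is not code from anyone in this thread or from Ubiquiti. It assumes the profile is kept under /config/auth/openvpn/ as fe31nz suggested, that the LAN hangs off eth1, and that routing table 1 is unused; the sample profile is constructed for the demonstration, not a provider file. The script checks the profile for the two things that most often stop a desktop .ovpn working on a router (a bare auth-user-pass, which expects a terminal prompt, and certificate or key files referenced by relative name), writes a corrected copy, and prints the EdgeOS set commands that bring up vtun0 and send only 192.168.10.223 through it.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubiquiti): prepare a desktop
# OpenVPN profile for an EdgeRouter and print the EdgeOS commands that send
# one LAN host, and only that host, through the tunnel.
# Assumptions: the profile lives under /config/auth/openvpn/ (as suggested in
# the thread), the LAN interface is eth1 and routing table 1 is unused.

OVPN_DIR=/config/auth/openvpn
CRED_FILE="$OVPN_DIR/auth.txt"   # two lines: username, then password; chmod 600

# Constructed sample profile standing in for the provider's download.
SAMPLE_OVPN=$(mktemp)
FIXED_OVPN=$(mktemp)
trap 'rm -f "$SAMPLE_OVPN" "$FIXED_OVPN"' EXIT
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1195
auth-user-pass
ca ca.crt
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF

# A bare "auth-user-pass" tells OpenVPN to prompt on a terminal; a router has
# none, so the tunnel never comes up. The directive must name a credentials file.
needs_cred_file() {
    grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]*$' "$1"
}

# Directives that point at other files by a relative name resolve against
# whatever directory the daemon starts in, not the profile's. List them so
# they can be rewritten to absolute paths (or the files embedded inline).
relative_refs() {
    awk '$1 ~ /^(ca|cert|key|tls-auth|tls-crypt)$/ && $2 !~ /^\// { print $1 }' "$1"
}

# Write a corrected copy of the profile: credentials file named, relative
# file references made absolute under $OVPN_DIR. Everything else is kept.
fix_profile() {   # fix_profile <in.ovpn> <out.ovpn>
    sed -E \
        -e "s#^[[:space:]]*auth-user-pass[[:space:]]*\$#auth-user-pass $CRED_FILE#" \
        -e "s#^(ca|cert|key|tls-auth|tls-crypt)[[:space:]]+([^/[:space:]][^[:space:]]*)#\1 $OVPN_DIR/\2#" \
        "$1" > "$2"
}

# EdgeOS configure-mode commands: bring up vtun0 from the profile, give routing
# table <table> a default route through it, mark traffic from <host-ip> to use
# that table, and NAT it out of the tunnel. Paste inside `configure`, then
# `commit` and `save`.
edgeos_commands() {   # edgeos_commands <host-ip> <lan-if> <table>
    cat <<EOF
set interfaces openvpn vtun0 config-file $OVPN_DIR/client.ovpn
set protocols static table $3 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify VPN_ONLY rule 10 description 'send $1 via the VPN'
set firewall modify VPN_ONLY rule 10 source address $1/32
set firewall modify VPN_ONLY rule 10 modify table $3
set interfaces ethernet $2 firewall in modify VPN_ONLY
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 type masquerade
EOF
}

# Demonstration run on the constructed profile.
if needs_cred_file "$SAMPLE_OVPN"; then
    echo "profile expects an interactive password prompt; pointing it at $CRED_FILE"
fi
echo "relative file references: $(relative_refs "$SAMPLE_OVPN" | tr '\n' ' ')"
fix_profile "$SAMPLE_OVPN" "$FIXED_OVPN"
echo "--- corrected profile (copy to $OVPN_DIR/client.ovpn) ---"
cat "$FIXED_OVPN"
echo "--- EdgeOS commands ---"
edgeos_commands 192.168.10.223 eth1 1
```

Copy the corrected profile, the ca.crt and ta.key it references, and the two-line auth.txt to the router with scp into /config/auth/openvpn/ (that directory survives firmware upgrades), then run the printed commands in a configure session. Only the host named in the modify rule is steered into table 1; everything else keeps using the main routing table and leaves via the ISP as before, which is the policy-based behaviour asked for.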