Ubiquiti Edgerouter Tutorial

End of an era.
I will be no-longer updating this thread as I don't personally run an Edgerouter anymore. The below is still relevant considering Ubiquiti have largely stopped updating the Edgerouter line but I can no-longer provide any help.

If you're considering buying an Edgerouter new then I would consider other options (for example, Mikrotik) instead due to the fact Ubiquiti seem to have abandoned the EdgeOS line of products and have not issued software updates for quite some time.

----

I've lost count on how many times I've been asked to write a tutorial however because my current router has a rather complex configuration on it I could never get a chance to do it. Truth is, the Edgerouter has to be one of the most rock solid routers I've ever used and in the 2 years I've had it, it's never needed a complete reconfigure. Apologies for it taking a while to come up with a guide (I've had Earthquakes, flooding as well as work and family commitments to adhere to). I initially created this guide with the Edgerouter PoE however have updated it to reflect both the Edgerouter 4 and later firmware.

Also I better say it, a huge thanks to Go Wireless for providing me an Edgerouter 4 to replace my ageing Edgerouter Lite!

Configuration Guide Parameters:

This configuration will assume you're on a UFB / Vodafone FibreX connection - for VDSL / ADSL connections it is advisable to get a Draytek DV130 to put in bridge mode. I won't be writing a guide for this as I simply don't have any way to test anymore.

Getting Started:

Once you get your new EdgeRouter before you plug it in use your existing internet connection and navigate to the Ubiquiti Firmware site to grab the latest version of the firmware for your router model.

1) Connect your Edgerouter to your PC / Switch via "eth0" - leave your ONT out of it for now. The Edgerouter will take up-to 5mins to initially boot.
2) Set an IP on your computer in the 192.168.1.0/24 range:

2) Navigate to https://192.168.1.1 in your web browser (Chrome or Firefox) - since the Edgerouter uses a self-signed certificate you can ignore the certificate warning.
3) Login with username + password ubnt. We'll be changing this.
3) When it asks you to do the "Basic Setup" wizard we'll be clicking "No" just at the moment. It just brings you into the Wizards screen.
4) If you're needing to update your firmware click "System" and scroll down to "Upload system image" - upload the file you've prepared earlier. When the router is done uploading it'll ask nicely if it can reboot to apply the firmware.

Bring in the Wizard!

Now you've got your Edgerouter on its latest firmware and you're back in the web interface you can now wrangle the Wizards within. Back when I first set up my Edgerouter we never had these so honestly, this generation should be grateful.

1) Click on Wizards up near the top - it'll bring you to this screen:

2) We'll be running the WAN+2LAN2 wizard. My configuration is for UFB / DHCP over VLAN 10 (same as Orcon and Vodafone FibreX) however I'll also show you how to do PPPoE. This wizard is really straightforward. For the Edgerouter PoE and the newer Edgerouters there are some additional options relating to ports 2,3,4 of which Edgerouter Lite users can disregard.

For UFB over IPoE (including Vodafone Fibre X):

Internet Connection Type: DHCP
VLAN: Yes, your internet connection is on a VLAN - tick this box and your VLAN ID is 10.
Enable the default firewall.
Do not tick Bridging - this will severely hinder the performance of the Edgerouter.

For UFB / VDSL / ADSL PPPoE:

Internet Connection Type: PPPoE (enter your ISP provided account name + password. BigPipe / Skinny / Spark has to be anything but blank for both, for 2degrees this is usually your 2degrees login name you use to login via the website @snap.net.nz along with the password you also use to login)
VLAN: If you're on BigPipe, Skinny, bridging with a Draytek or on an ISP that doesn't offer VLAN then keep this unticked, otherwise change this to VLAN 10.
Enable the default firewall.
Do not tick Bridging - this will severely hinder the performance of the Edgerouter.

Edgerouter PoE users:

Configure your LAN Ports eth2 to eth4 - we'll be using 192.168.2.1/24 for this guide with eth1 as our primary LAN. These interfaces are switched in hardware and so you can use these for your main network.

Once completed your configuration should look something like this:

Hit Apply - a prompt will come up asking if you're sure.

The router will ask to reboot to apply its configuration - like a good router you need to confirm 3x before it'll actually reboot.

Getting Internet:

Now, you'll want to connect your ONT, that Vodafone "CNT" (Cable Network Terminal - now we can see why they didn't call it that) or your Draytek to the router:

eth0: ONT, CNT or Modem.
eth1: Your switch.
eth2-eth4: Unused (unless if you're using the Edgerouter PoE you'll want to connect your AP to this).

Additional things:

You'll note that doing a Speedtest you may get really really poor speeds like this:

You can see this in the console if you type "show ubnt offload".

The reason is the wizards don't enable offloading by default. Open up the Console (top right), log in with the same user you use for the WebUI and type these directly into the terminal:

configure
set system offload ipv4 vlan enable
set system offload ipv4 pppoe enable
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
commit
save
exit

Note - If you're on Orcon or another provider doing IPoE instead of PPPoE you should instead use vlan offloading on IPv6 to prevent performance issues.

For the Edgerouter X:

configure
set system offload hwnat enable
set system offload ipsec enable
commit
save

Here is a Speedtest taken directly after those commands (no reboot required):

I've found on the Edgerouter 4 and later versions of the firmware that offloading is enabled by default however not enabled for VLAN.

Port Forwarding + Hairpin NAT:

Something you'll also want to do is select your WAN interface under the Port Forwarding screen for Hairpin NAT. Select this beside "WAN Interface" and add your LAN interfaces under here. From this screen, it is straight forward to enable Port Forwarding. Hit Apply once you're done.

UPnP:

This is useful for gaming, torrent downloads or anything else requiring port forwards. I don't recommend enabling it if you don't need it else you may become part of a massive DDOS attack.

If however you want to it is best to go via the console and use the following example (where your WAN is PPPoE):

configure
edit service upnp2
set listen-on eth1
set nat-pmp enable
set secure-mode enable
set wan pppoe0
commit
save

Replace listen-on with your LAN interface and wan with your outside interface (pppoe0, eth0).

Firewall (Vitally important!):

It is always worth going into Firewall/NAT and looking at your Firewall Policies to ensure you've got the correct interfaces enabled. Check these:

Further information here: https://www.geekzone.co.nz/forums.asp?forumid=66&topicid=205740&page_no=52#2574525

IPv6:

Note: The below is for 2degrees (prefix-length /56). Adapt as required for your ISP but should work with Voyager also. You can configure this in the wizard (totally untested) however the instructions below are for if you're needing to manually configure it if you missed configuring it in the wizard or need a reference.

PPPoE Configuration:

Clean up your old configuration first - note, all configuration needs to be done under the "configure" command for it to work. When cleaning up rules, if you've never used IPv6 before it is quite common for this to error - don't worry about it, just move on to the next step depending on your ISP configuration:

configure
delete interface eth0 pppoe 0 dhcpv6-pd
delete interface eth0 pppoe 0 vif 10 dhcpv6-pd
delete interface eth0 pppoe 0 ipv6
delete interface eth1 ipv6
commit
save

Then set dhcpv6-pd up on your WAN interface (eth0 pppoe 0)
NOTE: Please pay attention to the below - don't blindly copy and paste it. If you're on a VLAN you'll need to edit the commands with "vif 10" like so: "interfaces ethernet eth0 vif 10..."

set interfaces ethernet eth0 vif 10 pppoe 0 ipv6 enable
edit interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0
set prefix-length /56
set interface eth1 host-address ::1
set interface eth1 prefix-id :0
set interface eth1 service slaac
top
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only
commit
save

Regarding prefix-only - set this if you're on 2degrees and Voyager to avoid 100% CPU use and excessive logging on your Edgerouter. Untested on other ISP's.

If you're wanting eth2 or any internal VLAN's set up for IPv6 then basically repeat with "eth2 prefix-id :2" and so-on. If you've got your own internal DNS you're wanting to use you'll need to run "set no-dns" above also.

Set a default route:

set protocols static interface-route6 ::/0 next-hop-interface pppoe0
commit
save

If you're on Voyager:

Since Voyager don't support full a full 1500byte MTU on PPPoE (VDSL + UFB) it is important to enable MSS Clamping on both the IPv4 and IPv6 protocols to prevent problems. The following works well from my testing:

set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1452
set firewall options mss-clamp6 interface-type pppoe
set firewall options mss-clamp6 mss 1432
commit
save

IPoE (Orcon, Trustpower & Vodafone):

This is a little easier... We're assuming eth0 is your WAN interface with VLAN 10:

edit interfaces ethernet eth0 vif 10 dhcpv6-pd pd 0
set prefix-length /56
set interface eth1 host-address ::1
set interface eth1 prefix-id :0
set interface eth1 service slaac
top
commit
save

ISP's issuing a /32 over DHCP (IPoE) (thanks to @3l3m3nt):

There is a longstanding bug with EdgeOS. With some IPoE providers they may issue a /32 IPv4 address over DHCP (subnet 255.255.255.255). This causes the default route to drop.

The bug is caused by the file /etc/dhcp3/dhclient-exit-hooks.d/vyatta-dhclient-p2p where in line 16 it reads:

if [ "$old_ip_address" != "new_ip_address" ]

while it should read:

if [ "$old_ip_address" != "$new_ip_address" ]

(the second $ is missing). This can simply be fixed by running:

sudo sed -i 's/"new_ip_address"/"$new_ip_address"/g' /etc/dhcp3/dhclient-exit-hooks.d/vyatta-dhclient-p2p

This has been mentioned to Ubiquiti multiple times over the years with no firmware fix.

Firewall Rules (applies to all IPv6 configurations):

For Firewalling since I don't want to make a massive post the firewall configuration I use is available on https://www.geekzone.co.nz/downloads/er_v6.txt - Don't just copy and paste this, ensure it is going to work for you before using it. I personally use a little bit of a different configuration since I have different needs however this configuration will just enable a basic firewall that drops all incoming except related and allows ICMPv6 (ping). Despite later Edgerouter configuration getting a bit better with IPv6 it is still recommended to reboot it after making any IPv6 related changes.

Changing IP / Moving to a Static IP:

This has become a little bit of a thing lately since some providers are doing CG-NAT. If your ISP changes you either to a Static IP address or from CG-NAT to Dynamic you don't normally need to do anything. If in doubt, reboot your router.

-----
If you've got any questions then feel free to fire away below. My record during this tutorial of the Chrome Dinosaur game is 8296.

Last edited: 20/10/2023

michaelmurfy

mentalinc

MyHeritage

t0ny

antoniosk

michaelmurfy

tieke

Earbanean

michaelmurfy

Earbanean

mentalinc

nicmair

nicmair

michaelmurfy

eclipse

michaelmurfy

mentalinc