If you are like me, you don't call an all-in-one spaceship a router. I like things to do what they are supposed to do, so in my home network I have a separate device for every task. When it comes to home routers, I think the Ubiquiti EdgeRouter X is pretty unbeatable in the price vs. features category. I won't sing odes about how nice the interface or how great the command line is. All I will say is that this little piece of hardware is probably one of the most reliable devices I've ever had. Too bad they discontinued it.
Nevertheless, I did find an EdgeRouter X SFP, which is basically the same. It's always nice to have a backup, in case my trusty old one decides to go sleep with the fishes. I used the wizard to set up the basic operating mode, then since it runs Linux (vyatta on 1.x), I went for the command line 🤪 The official documentation on Ubiquiti's site is great, but I gathered all I needed in one place. I hope you'll also find it useful. Here we go!
Update the EdgeRouter firmware
Check if there is enough space in the /tmp directory (as of now 80-90 MB should be enough)
show system storage
Download the firmware to /tmp
curl https://dl.ui.com/firmwares/edgemax/v1.10.11/ER-e50.v1.10.11.5274269.tar > /tmp/ER-e50.v1.10.11.5274269.tar
Checksum the file, just to be sure
sha256sum /tmp/ER-e50.v1.10.11.5274269.tar
Check to see if enough space on / (root) for the new firmware
show system storage
Check if you have a backup image (older version)
show system image (storage)
If there is not enough space, you can delete the backup image (the one without default boot)
delete system image
Install the new firmware
add system image /tmp/ER-e50.v1.10.11.5274269.tar
Check if the new image is selected for the default boot image
show system image
If something goes wrong during the upgrade, you can swap between boot images
set system image default-boot
Reboot the router
reboot
Check if the upgrade was successful
show version
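The post checksums the downloaded image "just to be sure" but never compares the result with anything. As an added example (not part of the original post and not Ubiquiti's tooling), the POSIX shell preflight below folds the space check, the download and the checksum comparison into one step and refuses to hand a mismatching image to add system image. It assumes the shell where you stage the file has df, curl and sha256sum (or shasum); EXPECTED_SHA256 is a placeholder for the value published next to the firmware, MIN_FREE_KB is the post's rough 90 MB figure, and all function names are my own.

```shell
#!/bin/sh
# Added preflight helper, not from the original post. Assumes a POSIX shell
# with df, curl and sha256sum (or shasum). EXPECTED_SHA256 is a placeholder:
# fill it from the checksum Ubiquiti publishes with the firmware.
FIRMWARE_URL="https://dl.ui.com/firmwares/edgemax/v1.10.11/ER-e50.v1.10.11.5274269.tar"
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256"
MIN_FREE_KB=92160   # 90 MiB, the rough figure the post quotes for /tmp

# Free kilobytes on the filesystem holding $1 (POSIX df -P, fourth column)
free_kb() {
    df -kP "$1" | awk 'NR==2 {print $4}'
}

# Hex SHA-256 of file $1, using whichever tool the host provides
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the SHA-256 of $1 equals $2 (case-insensitive), 1 otherwise
verify_checksum() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Check space, download, verify, and only then point at the install command.
# A mismatching image is removed so it cannot be installed by accident later.
preflight_upgrade() {
    dest="/tmp/$(basename "$FIRMWARE_URL")"
    if [ "$(free_kb /tmp)" -lt "$MIN_FREE_KB" ]; then
        echo "not enough free space in /tmp for the image" >&2
        return 1
    fi
    curl -fsSL "$FIRMWARE_URL" -o "$dest" || return 1
    if ! verify_checksum "$dest" "$EXPECTED_SHA256"; then
        echo "checksum mismatch, refusing to install $dest" >&2
        rm -f "$dest"
        return 1
    fi
    echo "image verified; now run: add system image $dest"
}

# Usage: sh preflight.sh run   (functions only are defined otherwise)
case "${1:-}" in
    run) preflight_upgrade ;;
esac
```

The download is deliberately separate from the install: add system image from an https:// URL (mentioned further down) saves a step, but it gives you no chance to compare the hash before the image is written to flash.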
Note - Other ways to get the latest firmware:
Download the image directly from the Ubiquiti website using HTTPS.
add system image https://dl.ui.com/.../firmware.tar
Download the image from a remote server using TFTP, FTP or SCP.
add system image tftp://ip-address/firmware.tar
add system image scp://ip-address/firmware.tar
add system image ftp://ip-address/firmware.tar
Copy the firmware from another machine to the router.
scp ~/Desktop/<filename> username@<ip-address>:/home/ubnt/<filename>
Upgrading the Edgerouter bootloader
After rebooting the router for the firmware upgrade, you may see an MOTD like the one below:
Boot image can be upgraded to version [ e50_002_4c817 ].
Run "add system boot-image" to upgrade boot image.
This is because, on most EdgeRouter models, the bootloader version is not updated automatically with a firmware upgrade and must be updated manually. The EdgeRouter bootloader controls functions such as the LED boot behavior, configuration/driver loading and much more.
To upgrade the bootloader, run
add system boot-image
Reboot the router again
reboot
Check if the upgrade was successful, or whether another boot-image update is available
show system boot-image
Configure the default firewall
Enter configuration mode.
configure
Configure the WAN_IN firewall policy (already created by wizard).
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal LAN'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
Configure the WAN_LOCAL firewall policy (already created by wizard).
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
Configure the WAN_OUT firewall policy
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT description 'Internal LAN to WAN'
set firewall name WAN_OUT rule 20 action reject
set firewall name WAN_OUT rule 20 description 'Reject invalid state'
set firewall name WAN_OUT rule 20 state invalid enable
Attach the firewall policies to the WAN interface in the in, local and out directions.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall out name WAN_OUT
or, for PPPoE (in a PPPoE scenario eth0 only carries PPP-encapsulated packets; these never reach the routing engine, so an iptables rule on eth0 would be futile). In this example the PPPoE interface is on eth0:
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 pppoe 0 firewall out name WAN_OUT
Note: EdgeRouter firewall policies only become active when they are attached to an interface + direction.
Commit the changes and save the configuration
commit ; save
Other useful commands
Create new user and delete the default
set system login user <username> authentication plaintext-password <password>
set system login user <username> level admin
delete system login user ubnt
sudo rm -r /home/ubnt
Set the router hostname
set system host-name YourNewHostname
Set timezone
set system time-zone Europe/Athens
Change default HTTPS GUI port
set service gui https-port 60443
Change default SSH port
set service ssh port 60022
Set pre-login SSH banner
set system login banner pre-login "\n\t-~===__._Welcome_to_MyRouter_.__===~-\n\n\tThis system is restricted to authorized users only.\n\tYour data and all activities on this system are logged.\n\tUnauthorized access will be fully investigated and reported\n\tto the appropriate law enforcement agencies.\n\n"
Delete pre-login banner, go back to default
delete system login banner ; set system login banner
Set post-login SSH banner
set system login banner post-login "\nMessage of the day\n"
Delete post-login banner, go back to default
delete system login banner post-login "\nMessage of the day\n"
Set system DNS servers
set system name-server <ip-address1>
set system name-server <ip-address2>
Check DNS servers used by the router and statistics
show dns forwarding nameservers
show dns forwarding statistics
Set router to only use the system DNS servers (without those from ISP)
set service dns forwarding system
Set subnet domain-name
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name mylan.local
Disable IPv6
set system ipv6 disable
Reconnect PPPoE
disconnect interface pppoe0
connect interface pppoe0
The wizard sets this for PPPoE. The commands below 'fix' connectivity to remote sites where ICMP is blocked and PMTU discovery is broken:
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1452
See system logs
dmesg
or
cat /var/log/messages
Bandwidth test with iperf (though not relevant when run from the EdgeRouter)
iperf3 -c public.iperf.server -p <port>
(add -R for reverse)
Show the configuration (and also export it)
show configuration
or append | tee config.txt to also save a copy in your home folder
Check hardware offloading status
show-ubnt-offload
Enable hardware offload (replace enable with disable to turn it off)
set system offload hwnat enable
set system offload ipsec enable
- WARNING: IPsec offload on the ER-X platform causes problems with L2TP remote-access VPN and IPv6 site-to-site IPsec VPN. Do not enable IPsec offload if you use either of these. IPv4 site-to-site IPsec VPN and PPTP VPN work correctly with IPsec offload. Only the ER-X/ER-X-SFP/EP-R6 models are affected; this issue is to be fixed in a future release.
Links you may need
Configure L2TP IPsec VPN Server
Official guide for EdgeRouter TFTP recovery
EdgeRouter - Device LED Statuses
That is all for this note. And one more thing...
If you cannot do great things, do small things in a great way.