Configuring EdgeRouters
Update 2026: Firmware 3.0.1 has been released, with a new UI and WireGuard support. Wow. For a 10+ year old router... Installation is the same.
If you are like me, you don't call an all-in-one spaceship a router. I like things to do what they are supposed to do, so in my home network I have a separate device for every task. When it comes to home routers, I think the Ubiquiti EdgeRouter X is pretty unbeatable in the price vs. features category. I won't sing odes about how nice the interface or how great the command line is. All I will say is that this little piece of hardware is probably one of the most reliable devices I've ever had. Too bad they discontinued it.
Nevertheless, I did find an EdgeRouter X SFP, which is basically the same. It's always nice to have a backup, in case my trusty old one decides to go sleep with the fishes. I used the wizard to set up the basic operating mode, then since it runs Linux (Vyatta on 1.x), I went for the command line 🤪 The official documentation on Ubiquiti's site is great, but I gathered all I needed in one place. I hope you'll also find it useful. Here we go!
Update the EdgeRouter firmware
Check if there is enough space in the /tmp directory (as of now 80-90 MB should be enough)
show system storage
# check /tmp space
Download the firmware to /tmp
curl https://dl.ui.com/firmwares/edgemax/v1.10.11/ER-e50.v1.10.11.5274269.tar > /tmp/ER-e50.v1.10.11.5274269.tar
Checksum the file, just to be sure
sha256sum /tmp/ER-e50.v1.10.11.5274269.tar
Check to see if there is enough space on / (root) for the new firmware
show system storage
Check if you have a backup image (older version)
show system image storage
If there is not enough space, you can delete the backup image (the one without default boot)
delete system image
Install the new firmware
add system image /tmp/ER-e50.v1.10.11.5274269.tar
Check if the new image is selected as the default boot image
show system image
If something goes wrong during the upgrade, you can swap between boot images
set system image default-boot
Now you should wait 3-5 minutes. Trust me on this. Then, reboot the router
reboot
Check if the upgrade was successful
show version
Note - Other ways to get the latest firmware:
# Download the image directly from the Ubiquiti website using HTTPS
add system image https://dl.ui.com/.../firmware.tar
# Downloading the image from a remote server using TFTP, FTP or SCP
add system image tftp://ip-address/firmware.tar
add system image scp://ip-address/firmware.tar
add system image ftp://ip-address/firmware.tar
# Copying the firmware from another machine to the router
scp -P <ssh port> ~/Downloads/ER-e50.v3.0.1.5862409.tar user@<router-ip>:/tmp
Upgrading the EdgeRouter bootloader
After rebooting the router for the firmware upgrade, you may encounter a similar MOTD like the one below:
Boot image can be upgraded to version [ e50_002_4c817 ].
Run "add system boot-image" to upgrade boot image.
This is because, on most EdgeRouter models, the bootloader version is not updated automatically with a firmware upgrade and must be updated manually. The EdgeRouter bootloader controls functions such as the LED boot behavior, configuration/driver loading and much more.
To upgrade the bootloader version run
add system boot-image
Reboot the router again
reboot
Check if the upgrade was successful or whether a boot-image update is still available
show system boot-image
Configure the default firewall
Enter configuration mode.
configure
Configure the WAN_IN firewall policy (already created by the wizard).
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal LAN'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
Configure the WAN_LOCAL firewall policy (already created by the wizard).
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
Configure the WAN_OUT firewall policy
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT description 'Internal LAN to WAN'
set firewall name WAN_OUT rule 20 action reject
set firewall name WAN_OUT rule 20 description 'Reject invalid state'
set firewall name WAN_OUT rule 20 state invalid enable
Attach the firewall policies to the WAN interface in the inbound and local direction.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall out name WAN_OUT
or, for PPPoE, attach them to the PPPoE interface instead (in a PPPoE scenario eth0 only carries PPP-encapsulated packets; these never reach the routing engine, so an iptables rule on eth0 would be futile). In this example the PPPoE session runs on eth0:
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 pppoe 0 firewall out name WAN_OUT
Note: EdgeRouter firewall policies only become active when they are attached to an interface + direction.
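As an added example (not code from the original post or from Ubiquiti), the Python script below lints a list of EdgeOS firewall set commands offline before they are committed. It reports exactly the mistakes the note above is about, a policy that is defined but never attached to an interface and direction, plus an inbound WAN policy (in or local) whose default-action is not drop or which lacks the established/related accept rule or the invalid-state drop rule. It understands both the plain eth0 and the pppoe attachment forms shown above. Python on a workstation is assumed; the two sample command lists are constructed from the policies in this section and are not a real router export.

```python
"""Lint EdgeOS firewall 'set' commands before committing them (added example).

Reads the same 'set firewall name ...' and 'set interfaces ... firewall ...'
lines used in the post and reports policies that are defined but unattached
(present in the config, filtering nothing), inbound WAN policies whose
default-action is not drop, and inbound policies missing the
established/related accept rule or the invalid-state drop rule.
Runs on a workstation; it never talks to the router.
"""
import re
from collections import defaultdict

FW_LINE = re.compile(r"^set firewall name (\S+) (.+)$")
RULE = re.compile(r"^rule (\d+) (\S+)(?: (.*))?$")
ATTACH = re.compile(
    r"^set interfaces ethernet (\S+)(?: pppoe (\d+))? firewall (in|local|out) name (\S+)$"
)


def parse(commands):
    """Return (policies, attachments) parsed from a list of set-command strings."""
    policies = {}                    # name -> {"default": str|None, "rules": {num: {...}}}
    attachments = defaultdict(list)  # name -> [(interface, direction), ...]
    for raw in commands:
        line = raw.strip()
        m = FW_LINE.match(line)
        if m:
            name, rest = m.groups()
            pol = policies.setdefault(name, {"default": None, "rules": {}})
            if rest.startswith("default-action "):
                pol["default"] = rest.split(" ", 1)[1]
                continue
            r = RULE.match(rest)
            if r:
                num, key, val = r.groups()
                rule = pol["rules"].setdefault(int(num), {"state": {}})
                if key == "state":
                    # "state established enable" -> rule["state"]["established"] = "enable"
                    state, flag = val.split(" ", 1)
                    rule["state"][state] = flag
                else:
                    rule[key] = val
            continue
        m = ATTACH.match(line)
        if m:
            iface, pppoe, direction, name = m.groups()
            if pppoe is not None:
                iface = f"{iface} pppoe {pppoe}"   # e.g. "eth0 pppoe 0"
            attachments[name].append((iface, direction))
    return policies, attachments


def lint(commands):
    """Return human-readable findings; an empty list means every check passed."""
    policies, attachments = parse(commands)
    findings = []
    for name, pol in policies.items():
        uses = attachments.get(name, [])
        if not uses:
            findings.append(f"{name}: defined but not attached to any interface/direction, so it is inactive")
            continue
        if not any(d in ("in", "local") for _, d in uses):
            continue  # outbound-only policy: the post deliberately uses default-action accept there
        rules = pol["rules"].values()
        if pol["default"] != "drop":
            findings.append(f"{name}: default-action is {pol['default']!r}, expected 'drop' on an inbound WAN policy")
        if not any(r.get("action") == "accept" and r["state"].get("established") == "enable"
                   and r["state"].get("related") == "enable" for r in rules):
            findings.append(f"{name}: no accept rule for established/related traffic")
        if not any(r.get("action") in ("drop", "reject") and r["state"].get("invalid") == "enable"
                   for r in rules):
            findings.append(f"{name}: no drop/reject rule for invalid-state traffic")
    for name in attachments:
        if name not in policies:
            findings.append(f"{name}: attached to an interface but never defined")
    return findings


def inbound_policy(name, default="drop"):
    """Constructed sample in the shape of the post's WAN_IN / WAN_LOCAL policies."""
    return [
        f"set firewall name {name} default-action {default}",
        f"set firewall name {name} rule 10 action accept",
        f"set firewall name {name} rule 10 description 'Allow established/related'",
        f"set firewall name {name} rule 10 state established enable",
        f"set firewall name {name} rule 10 state related enable",
        f"set firewall name {name} rule 20 action drop",
        f"set firewall name {name} rule 20 state invalid enable",
    ]


# Constructed sample: the post's three policies, attached to eth0 (passes every check).
GOOD = inbound_policy("WAN_IN") + inbound_policy("WAN_LOCAL") + [
    "set firewall name WAN_OUT default-action accept",
    "set firewall name WAN_OUT rule 20 action reject",
    "set firewall name WAN_OUT rule 20 state invalid enable",
    "set interfaces ethernet eth0 firewall in name WAN_IN",
    "set interfaces ethernet eth0 firewall local name WAN_LOCAL",
    "set interfaces ethernet eth0 firewall out name WAN_OUT",
]

# Constructed sample with two mistakes: WAN_LOCAL left at default-action accept
# (the router itself stays reachable from the WAN) and a GUEST_IN policy never attached.
WEAK = (inbound_policy("WAN_IN") + inbound_policy("WAN_LOCAL", default="accept")
        + GOOD[14:] + ["set firewall name GUEST_IN default-action drop"])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("weak", WEAK)):
        print(label, lint(cfg) or "OK")
```

Feed it the output of show configuration commands (or a file of set lines) and fix anything it reports before committing; an empty result only means these structural checks passed, not that the rule set is right for your network.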
Commit the changes and save the configuration
commit ; save
Other useful commands
Create new user and delete the default
set system login user <username> authentication plaintext-password <password>
set system login user <username> level admin
delete system login user ubnt
sudo rm -r /home/ubnt
Set the router hostname
set system host-name YourNewHostname
Set the timezone
set system time-zone Europe/Athens
Change the default HTTPS GUI port
set service gui https-port 60443
Change the default SSH port
set service ssh port 60022
Set a pre-login SSH banner
set system login banner pre-login "\n\t-~===__._Welcome_to_MyRouter_.__===~-\n\n\tThis system is restricted to authorized users only.\n\tYour data and all activities on this system are logged.\n\tUnauthorized access will be fully investigated and reported\n\tto the appropriate law enforcement agencies.\n\n"
Delete the pre-login banner and go back to the default
delete system login banner ; set system login banner
Set a post-login SSH banner
set system login banner post-login "\nMessage of the day\n"
Delete the post-login banner and go back to the default
delete system login banner post-login "\nMessage of the day\n"
Set the system DNS servers
set system name-server <ip-address1>
set system name-server <ip-address2>
Check the DNS servers used by the router and the forwarding statistics
show dns forwarding nameservers
show dns forwarding statistics
Set the router to only use the system DNS servers (without those from the ISP)
set service dns forwarding system
Set the subnet domain-name
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name mylan.local
Disable IPv6
set system ipv6 disable
Reconnect PPPoE
disconnect interface pppoe0
connect interface pppoe0
The following is set by the wizard for PPPoE. These commands will 'fix' connectivity to remote sites where ICMP is blocked and PMTU discovery is broken:
# if you don't know your connection type for sure - sets it on all interfaces
set firewall options mss-clamp interface-type all
# for PPPoE use
set firewall options mss-clamp interface-type pppoe
# set the MSS
set firewall options mss-clamp mss 1452
See the system logs
dmesg
# or
cat /var/log/messages
Bandwidth test with iperf (though not relevant when run from the EdgeRouter)
iperf3 -c public.iperf.server -p <port>
# add -R for reverse
Show the configuration (and also export it)
show configuration
# or add "| tee config.txt" to also export it to your home folder
Check the hardware offloading status
show ubnt offload
Enable (or disable) hardware offload
set system offload hwnat enable # or disable
set system offload ipsec enable # or disable
WARNING: IPsec offload on the ER-X platform causes problems for L2TP remote-access VPN and IPv6 site-to-site IPsec VPN. You should not enable IPsec offload if you are using either of those. IPv4 site-to-site IPsec VPN works correctly with IPsec offload, and so does PPTP VPN. Only the ER-X/ER-X-SFP/EP-R6 models are affected by this issue, which is to be fixed in a future release.
Links you may need
Configure L2TP IPsec VPN Server
Official guide for EdgeRouter TFTP recovery
EdgeRouter - Device LED Statuses
That is all for this note. And one more thing...
If you cannot do great things, do small things in a great way.