Edgerouter Security, Part2

Resetting and connecting to the edgerouter.

  1. Factory reset the Edgerouter (press and hold the reset button while applying power; keep it pressed for 10 sec).
  2. Set IP on your PC to
  3. Connect to via SSH with username “ubnt” and password “ubnt”

Create a new login user

The first security step is to create your own new user.

set system login user mynewusername authentication plaintext-password mynewlongpassword

Log out and back in with your new user. Now you can delete the original “ubnt” user.

delete system login user ubnt

Basic interface setup and internet connection

First, a few important general system settings.

set system host-name myedge
set system domain-name mydomain.com
set system name-server
set system time-zone Europe/Copenhagen

Now we remove the original IP address from ETH0 and set a static IP to on ETH2. We also set up a DHCP server for that LAN.

delete interfaces ethernet eth0 address
set interfaces ethernet eth2 address
set service dhcp-server shared-network-name vlan10 subnet default-router
set service dhcp-server shared-network-name vlan10 subnet dns-server
set service dhcp-server shared-network-name vlan10 subnet start stop
set service dns forwarding listen-on eth2

Now we lose our connection to the Edgerouter.

  1. Set PC’s interface back to DHCP
  2. Move PC’s ethernet cable to ETH2
  3. Connect your ISP’s ethernet cable to ETH0
  4. Connect to which is the router’s new management IP.

Now we can set up the ISP. I put my ISP’s router into bridge mode because I want to do all the setup myself in the Edgerouter. My ISP provides my outside IP via DHCP.

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN_Internet

We also need to set up outbound NAT in order to translate all internal traffic going out through ETH0 to the ISP.

set service nat rule 5000 description "Outbound NAT"
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade

It is now a good time to check that we actually got an IP from the ISP.

show dhcp client leases

Now the PC should have connection to the internet.

Tighten down management

Right now the Edgerouter can be managed from anywhere. This should only be allowed from the internal networks. I decided never to use the web GUI, so there is no need to expose it.

set service ssh listen-address
delete service gui
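A small audit script, added here as an example (not from the original post), that checks a `show configuration commands` dump for the management-hardening steps above: the ubnt user gone, SSH bound only to internal addresses, the GUI either deleted or bound to the LAN only (the alternative raised in the comments), and outbound masquerade NAT on eth0. The config text and addresses are constructed sample input, not values from the post.

```python
"""Audit an EdgeOS 'show configuration commands' dump for the hardening steps in
this post. Added example; the config text is constructed sample input."""
import re

# Constructed sample: 'ubnt' user and GUI removed, SSH bound to the LAN address.
# Addresses are private-range placeholders, not values from the post.
SAMPLE_CONFIG = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN_Internet
set interfaces ethernet eth2 address 192.168.10.1/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set service ssh listen-address 192.168.10.1
set system login user myuser authentication encrypted-password '<hash>'
"""

def parse_set_commands(text):
    """Split every 'set ...' line into its path tokens (dropping 'set')."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]

def has_path(paths, *prefix):
    return any(p[:len(prefix)] == list(prefix) for p in paths)

def values_under(paths, *prefix):
    """Tokens directly following the prefix, e.g. every listen-address."""
    n = len(prefix)
    return [p[n] for p in paths if p[:n] == list(prefix) and len(p) > n]

def is_private(ip):
    return bool(re.match(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", ip))

def audit(config_text):
    """Map each hardening check from the post to True (pass) or False."""
    paths = parse_set_commands(config_text)
    ssh_addrs = values_under(paths, "service", "ssh", "listen-address")
    gui_addrs = values_under(paths, "service", "gui", "listen-address")
    return {
        # default 'ubnt' account deleted
        "ubnt_user_removed": not has_path(paths, "system", "login", "user", "ubnt"),
        # SSH bound to internal address(es) only; unset or 0.0.0.0 means reachable anywhere
        "ssh_bound_to_lan": bool(ssh_addrs) and all(map(is_private, ssh_addrs)),
        # GUI deleted (the post) or bound to the LAN only (the commenter's alternative)
        "gui_internal_only": not has_path(paths, "service", "gui")
        or (bool(gui_addrs) and all(map(is_private, gui_addrs))),
        # outbound masquerade NAT on the WAN interface eth0
        "wan_masquerade": any(
            has_path(paths, "service", "nat", "rule", r, "type", "masquerade")
            and has_path(paths, "service", "nat", "rule", r, "outbound-interface", "eth0")
            for r in set(values_under(paths, "service", "nat", "rule"))),
    }
```

Run it against the real dump with `show configuration commands` copied from the router; any False entry is a step from this section that is still missing.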

Upgrading the firmware

Now that I have a working config with an internet connection, I went to Ubiquiti’s website to find the link for the most recent firmware.

add system image http://dl.ubnt.com/firmwares/edgemax/v1.9.0/ER-e100.v1.9.0.4901118.tar

Now we should be on the newest firmware level.

What do we have?

Now we have a functional router for connecting to the internet. Its management interface can’t be reached from the outside world. It has our own (hopefully not guessable) username and password. In part 2 I will tighten it down even more.

2 thoughts to “Edgerouter Security, Part2”

  1. For an unskilled user, not familiar with the CLI, I wouldn’t delete the GUI interface…

    So instead of:
    set service ssh listen-address
    delete service gui

    I would do:
    set service ssh listen-address
    set service gui listen-address

    1. You have a good point here. The reason I decided to get rid of the GUI is that all the setup with Google Authenticator can be bypassed by starting a console session from the web GUI! I would like to know if there is a way of disabling this.
