Edgerouter Security, Part2

Resetting and connecting to the edgerouter.

  1. Factory reset edgerouter (press and hold resetbutton while applying power. Keep pressed for 10 sec.
  2. Set IP on your PC to 192.168.1.2/24
  3. Connect to 192.168.1.1 via SSH with username “ubnt” and password “ubnt”

Create a new login user

The first security step is to create your own new user

configure
set system login user mynewusername authentication plaintext-password mynewlongpassword
commit

Log out and back in with your new user. Now you can delete the original “ubnt” user

configure
delete system login user ubnt
commit

Basic interface setup and internet connection

First a little important general system settings

set system host-name myedge
set system domain-name mydomain.com
set system name-server 8.8.8.8
set system time-zone Europe/Copenhagen

Now we remove the original IP address from ETH0 and set a static IP to 192.168.10.1 on ETH2. We also set up a DHCP server for that LAN.

delete interfaces ethernet eth0 address
set interfaces ethernet eth2 address 192.168.10.1/24
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.1/24 default-router 192.168.10.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.1/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.1/24 start 192.168.10.10 stop 192.168.10.100
set service dns forwarding listen-on eth2
commit

Now we loose our connection to the Edgerouter.

  1. Set PC’s interface back to DHCP
  2. Move PC’s ethernet cable to ETH2
  3. Connect your ISP’s ethernet cable to ETH0
  4. Connect to 192.168.10.1 which is the routers new management IP.

Now we can set up the ISP. I put my ISP’s router into bridge mode because I want to do all the setup myself in the Edgerouter. My ISP provider provides my outside IP via DHCP.

configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN_Internet

We also need to setup outbound NAT in order to translate all internal traffic through ETH0 to the ISP

set service nat rule 5000 description "Outbound NAT"
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade
commit
exit

It is now a good time to check that we actually got an IP from the ISP

show dhcp client leases

Now the PC should have connection to the internet.

Tighten down management

Right now the Edgerouter can be managed from everywhere. This should only be allowed from internal networks. I decided never to use the web gui, so there is no need to expose it.

configure
set service ssh listen-address 192.168.10.1
delete service gui
commit
save
exit

Upgrading the firmware

Now that I have a working config with an internet connection, I went to ubiqiti’s website to find the link for the most recent firmware.

add system image http://dl.ubnt.com/firmwares/edgemax/v1.9.0/ER-e100.v1.9.0.4901118.tar
reboot

Now we should be on the newest firmware level.

What do we have?

Now we have a functional router for connecting to the internet. It’s management interface can’t be reached from the outside world. It has our own (hopefully not guessable) username and password. In part 2 i will tighten it down even more.

2 thoughts to “Edgerouter Security, Part2”

  1. For unskilled user, not familiar with CLI, I wouldn’t delete the GUI interface….

    So instead of:
    set service ssh listen-address 192.168.10.1
    delete service gui

    I would do:
    set service ssh listen-address 192.168.10.1
    set service gui listen-address 192.168.10.1

    1. You have a good point here. The reason I decided to get rid of the GUI, is that all the setup with google authenticator can be bypassed by starting a console session from the web GUI! I would like to know if there is a way of disabling this.

Leave a Reply

Your email address will not be published. Required fields are marked *