Resetting and connecting to the edgerouter.
- Factory reset the Edgerouter (press and hold the reset button while applying power; keep it pressed for 10 sec).
- Set IP on your PC to 192.168.1.2/24
- Connect to 192.168.1.1 via SSH with username “ubnt” and password “ubnt”
Create a new login user
The first security step is to create your own new user
configure
set system login user mynewusername authentication plaintext-password mynewlongpassword
commit
Log out and back in with your new user. Now you can delete the original “ubnt” user
configure
delete system login user ubnt
commit
Basic interface setup and internet connection
First, a few important general system settings
set system host-name myedge
set system domain-name mydomain.com
set system name-server 8.8.8.8
set system time-zone Europe/Copenhagen
Now we remove the original IP address from ETH0 and set a static IP to 192.168.10.1 on ETH2. We also set up a DHCP server for that LAN.
delete interfaces ethernet eth0 address
set interfaces ethernet eth2 address 192.168.10.1/24
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.0/24 start 192.168.10.10 stop 192.168.10.100
set service dns forwarding listen-on eth2
commit
Now we lose our connection to the Edgerouter.
- Set PC’s interface back to DHCP
- Move PC’s ethernet cable to ETH2
- Connect your ISP’s ethernet cable to ETH0
- Connect to 192.168.10.1, which is the router’s new management IP.
Now we can set up the ISP connection. I put my ISP’s router into bridge mode because I want to do all the setup myself in the Edgerouter. My ISP provides my outside IP via DHCP.
configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN_Internet
We also need to set up outbound NAT in order to translate all internal traffic through ETH0 to the ISP
set service nat rule 5000 description "Outbound NAT"
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade
commit
exit
It is now a good time to check that we actually got an IP from the ISP
show dhcp client leases
Now the PC should have connection to the internet.
Tighten down management
Right now the Edgerouter can be managed from everywhere. This should only be allowed from internal networks. I decided never to use the web GUI, so there is no need to expose it.
configure
set service ssh listen-address 192.168.10.1
delete service gui
commit
save
exit
Upgrading the firmware
Now that I have a working config with an internet connection, I went to Ubiquiti’s website to find the link for the most recent firmware.
add system image http://dl.ubnt.com/firmwares/edgemax/v1.9.0/ER-e100.v1.9.0.4901118.tar
reboot
Now we should be on the newest firmware level.
What do we have?
Now we have a functional router for connecting to the internet. Its management interface can’t be reached from the outside world. It has our own (hopefully not guessable) username and password. In part 2 I will tighten it down even more.
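To confirm the state summarized above, the following added example (not part of the original post) audits the text produced by `show configuration commands` for the hardening steps in this guide: the "ubnt" user is gone, and SSH and the GUI are each either deleted or bound to a LAN address only. The `LAN_PREFIX` value, the function name and both sample configurations are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `show configuration commands` output for the
# management hardening steps in this guide.
LAN_PREFIX="192.168.10."   # assumption: the LAN subnet used in this guide

# audit_mgmt CONFIG_TEXT -> prints one FAIL line per finding, returns 1 if any
audit_mgmt() {
    cfg=$(printf '%s\n' "$1" | tr -d "'")   # tolerate quoted values
    findings=0
    # The factory "ubnt" account must have been deleted.
    if printf '%s\n' "$cfg" | grep -q '^set system login user ubnt '; then
        echo "FAIL: default user ubnt still exists"
        findings=$((findings + 1))
    fi
    # A configured SSH or GUI service must be bound to LAN addresses only.
    # A deleted service (no "set service gui" lines at all) passes.
    for svc in ssh gui; do
        printf '%s\n' "$cfg" | grep -Eq "^set service $svc( |\$)" || continue
        addrs=$(printf '%s\n' "$cfg" | sed -n "s/^set service $svc listen-address //p")
        if [ -z "$addrs" ]; then
            echo "FAIL: $svc has no listen-address"
            findings=$((findings + 1))
            continue
        fi
        for a in $addrs; do
            case $a in
                "$LAN_PREFIX"*) ;;
                *) echo "FAIL: $svc listens on non-LAN address $a"
                   findings=$((findings + 1)) ;;
            esac
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample inputs (not captured from a real device).
FACTORY_CFG="set service gui https-port 443
set service ssh port 22
set system login user ubnt level admin"

HARDENED_CFG="set service ssh listen-address 192.168.10.1
set service ssh port 22
set system login user mynewusername level admin"

audit_mgmt "$FACTORY_CFG" || echo "factory config: hardening incomplete"
audit_mgmt "$HARDENED_CFG" && echo "hardened config: OK"
```

Paste the router's own `show configuration commands` output into a variable and pass it to `audit_mgmt` in place of the samples.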
For an unskilled user, not familiar with the CLI, I wouldn’t delete the GUI interface…
So instead of:
set service ssh listen-address 192.168.10.1
delete service gui
I would do:
set service ssh listen-address 192.168.10.1
set service gui listen-address 192.168.10.1
You have a good point here. The reason I decided to get rid of the GUI is that all the setup with Google Authenticator can be bypassed by starting a console session from the web GUI! I would like to know if there is a way of disabling this.