EdgeRouter Lite FTW
I've recently installed an EdgeRouter Lite 3 (ERL-3) in my home network to handle my internet connection and provide service to my local networks.
I've set up my ERL-3 in a fairly basic manner at this moment; however, it's serving its purpose and doing so in an absolutely fantastic manner.
This basic blog post simply covers the configuration I'm running at this moment. I've broken the configuration into top-level sections for clarity; however, these sections are really one large config file, as found in /config/config.boot.
Firewall Configuration
The firewall configuration is fairly basic at this moment, though it's worth noting that I am setting an MSS clamp of 1460. This ensures that TCP actually honours the 1500-byte MTU my ISP requires: 1460 is 1500 minus the 20-byte IPv4 header and the 20-byte TCP header. This may not be something you need, but it is something you should pay attention to.
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1460
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
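As an added example (my own code, not from the post or from Ubiquiti), here is a small Python parser for the config.boot brace format shown above, with an audit that checks every firewall ruleset for what this configuration relies on: a drop default, logging of those drops, and the established/related accept and invalid drop rules. The constructed sample mirrors WAN_LOCAL, which unlike WAN_IN has no enable-default-log, so the audit reports that its drops go unlogged.

```python
def parse(text):
    """EdgeOS brace config -> nested dicts; leaf values stay lists so repeated keys survive."""
    cur, stack = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):  # "rule 10 {" opens a node keyed "rule 10"
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:  # leaf: "key value", a bare "key", or 'key "quoted value"'
            key, _, val = line.partition(" ")
            cur.setdefault(key, []).append(val.strip().strip('"'))
    return cur  # back at the root once every brace has closed


def audit(cfg):  # per ruleset: drop by default, log the drops, keep the two stateful rules
    out = []
    sets = [(n, r) for n, r in cfg.get("firewall", {}).items() if n.startswith(("name ", "ipv6-name "))]
    for name, rs in sets:
        rules = [v for k, v in rs.items() if k.startswith("rule ")]
        def has(action, state):  # any rule with this action on this conntrack state?
            return any(r.get("action") == [action] and r.get("state", {}).get(state) == ["enable"] for r in rules)
        out += [f"{name}: {msg}" for ok, msg in [
            (rs.get("default-action") == ["drop"], "default-action is not drop"),
            ("enable-default-log" in rs, "enable-default-log missing, drops are silent"),
            (has("accept", "established"), "no accept rule for established/related"),
            (has("drop", "invalid"), "no drop rule for invalid state"),
        ] if not ok]
    return out


# Constructed sample mirroring the post's WAN_LOCAL ruleset: drops by default but never logs.
SAMPLE = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
}
"""
```

Feed it the whole config.boot (`audit(parse(open("/config/config.boot").read()))`) and every ruleset, IPv4 and IPv6, is checked in one pass.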
Interface Configuration
On eth0, which is my WAN, I have DHCP set for both IPv6 and IPv4. This is connected to my modem, which is in bridge mode, passing the public IP address to my ERL-3. My ISP provides a /56 and I have prefix delegation set up for my local LAN. My primary link for the local LAN is eth1, which is a "172.16.24.0/24" CIDR. I do have eth2 set up on a CIDR of "192.168.1.0/24"; however, I'm not using it.
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 1 {
                interface eth1 {
                    host-address ::1
                    prefix-id 1
                    service slaac
                }
                prefix-length /56
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.24.2/22
        description eth1
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.1.2/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
Service Configuration
My DHCP server is using the default DHCP server. I wanted to use dnsmasq; however, I've not gotten it to work as of yet. As for DNS, I've set up 4 resolvers, alternating between OpenDNS and Google DNS, with a preference for IPv6 and OpenDNS as it's the first resolver listed.
service {
    dhcp-server {
        disabled false
        dynamic-dns-update {
            enable true
        }
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 172.16.24.0/22 {
                default-router 172.16.24.2
                dns-server 172.16.24.2
                domain-name rk-home
                lease 86400
                start 172.16.24.100 {
                    stop 172.16.27.255
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 750
            listen-on eth1
            listen-on eth2
            name-server 2620:0:ccc::2
            name-server 208.67.222.222
            name-server 2001:4860:4860::8888
            name-server 8.8.8.8
            options localise-queries
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
System configuration
As for the system configuration, I've left most of it fairly stock for now. I basically set the domain-name and host-name and enabled basic traffic analysis.
system {
    domain-name rk-home
    host-name edge1
    login {
        user ubnt {
            authentication {
                encrypted-password $CHANGE_THIS_TO_A_HASHED_PASSWORD
            }
            level admin
        }
    }
    name-server 127.0.0.1
    name-server ::1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    static-host-mapping {
        host-name edge1 {
            inet 172.16.24.2
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export enable
    }
}
This device, along with the configuration above, is sitting in front of my AFI-R HD.
In future posts, I intend to dive further into the ERL-3 config, tweaking and tuning it to achieve the best possible performance. I also intend to develop some simple automation to reshape my network devices without setting everything up by hand.