EdgeRouter Lite configuration
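# Based on the EdgeOS wizard output plus these write-ups:
# https://blog.dlasley.net/2013/06/initial-configuration-ubiquiti-edgerouter-lite/
# http://lg.io/2015/01/11/the-ubiquiti-edgerouter-configuring-this-extremely-lowcost-enterprisegrade-router-for-home-use.html
#
# Simple stateful firewall for the WAN side:
#   WAN_IN    - traffic from the Internet that is routed on to the LANs
#   WAN_LOCAL - traffic from the Internet addressed to the router itself
# Both rulesets default to drop and only admit packets belonging to connections
# that were started from inside. They are IPv4 only ("firewall name"): if IPv6
# is ever enabled on eth0, matching "firewall ipv6-name" rulesets must be
# attached as "ipv6-in" / "ipv6-local" on eth0, otherwise IPv6 traffic is not
# filtered at all.
#
# Global (kernel-level) settings, applied to every interface.
edit firewall
set all-ping enable
set broadcast-ping disable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
# Hardening that the wizard output does not set. "source-validation strict"
# drops packets whose source address is not routable back out the interface
# they arrived on (anti-spoofing); fine for a single-WAN home router, but turn
# it off if you ever introduce asymmetric routing.
set receive-redirects disable
set send-redirects disable
set source-validation strict
set syn-cookies enable
show
top
# Ruleset for Internet -> LAN traffic.
edit firewall name WAN_IN
set default-action drop
set description "Inbound WAN to (W)LAN"
# Rule 10: accept packets that belong to (or relate to) a connection the LAN
# side initiated; "new" is deliberately left disabled.
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 log disable
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 10 state invalid disable
set rule 10 state new disable
show
# Rule 20: explicitly drop packets conntrack cannot classify. The default
# action would drop them anyway; keeping a separate rule lets you enable
# logging for just these ("set rule 20 log enable") when debugging.
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 log disable
set rule 20 protocol all
set rule 20 state established disable
set rule 20 state new disable
set rule 20 state invalid enable
set rule 20 state related disable
show
top
# Ruleset for Internet -> router traffic. Nothing new is accepted, so SSH,
# the web GUI and the DNS forwarder are not reachable on eth0; management is
# LAN-only as long as this ruleset stays as it is.
edit firewall name WAN_LOCAL
set default-action drop
set description "Inbound WAN to local router"
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 log disable
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state invalid disable
set rule 10 state new disable
set rule 10 state related enable
show
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 log disable
set rule 20 protocol all
set rule 20 state established disable
set rule 20 state invalid enable
set rule 20 state new disable
set rule 20 state related disable
show
top
# Save the firewall definitions before attaching them.
commit
save
# Attach the rulesets to the WAN interface (eth0). "in" filters forwarded
# traffic entering on eth0; "local" filters traffic destined to the router.
# Until this is committed the rulesets exist but filter nothing.
edit interfaces ethernet eth0 firewall
set in name WAN_IN
set local name WAN_LOCAL
show
top
commit
save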
# Interface addressing: eth0 is the WAN (address from the ISP via DHCP);
# eth1 and eth2 are two separate LAN segments with static gateway addresses.
# Written in flat "set interfaces ..." form instead of edit/top sections.
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
# First LAN segment, 10.0.1.0/24, router at .1
set interfaces ethernet eth1 address 10.0.1.1/24
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
# Second LAN segment, 10.0.2.0/24, router at .1
set interfaces ethernet eth2 address 10.0.2.1/24
set interfaces ethernet eth2 description "Local 2"
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
commit
save
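# Traffic-policy (shaper) for downloads, sized for a 1 mbit link. Set
# "bandwidth" a little below the real link rate so the router, not the ISP's
# queue, is the bottleneck.
#
# Caveat: the class-10 matches key on destination port 22 / 53, DSCP
# "lowdelay" and protocol ICMP. None of those are authenticated, so any remote
# host can craft traffic that lands in the highest-priority class; this is an
# acceptable trade-off for a home link, but the priority classes cannot be
# relied on to keep hostile traffic out of the fast lane. Also note that the
# several criteria under one match name (e.g. "match ssh") must all be met
# for that match to fire; different match names are alternatives.
edit traffic-policy shaper downstream
set bandwidth 1mbit
set description "Home download shaper for 1mbit"
set default bandwidth 25%
set default burst 1k
set default ceiling 100%
set default priority 5
set default queue-type fair-queue
set class 10 description "Highest priority for DNS, SSH and ICMP"
set class 10 bandwidth 10%
set class 10 burst 1k
set class 10 ceiling 100%
set class 10 priority 7
set class 10 queue-type fair-queue
set class 10 queue-limit 10
set class 10 match ssh ip destination port 22
set class 10 match ssh ip dscp lowdelay
set class 10 match ssh ip protocol tcp
set class 10 match dns ip destination port 53
set class 10 match icmp ip protocol icmp
set class 20 description "Highest upload bandwith for gaming"
set class 20 bandwidth 60%
set class 20 burst 1k
set class 20 ceiling 100%
set class 20 priority 6
set class 20 queue-type fair-queue
# Console gets a fixed address (see the DHCP static mappings) so it can be
# matched by IP.
set class 20 match playstation ip destination address 10.0.1.5/32
set class 30 description "Trash bandwidth and priority for torrents"
set class 30 bandwidth 5%
set class 30 burst 1k
set class 30 ceiling 100%
set class 30 priority 1
set class 30 queue-type fair-queue
set class 30 match transmission ip destination port 51413
top
commit
# Attach the download policy to the LAN-side interface: traffic leaving eth1
# towards the LAN is the download direction. Only eth1 is shaped; eth2
# (10.0.2.0/24) gets no download shaping unless a policy is attached there too.
set interfaces ethernet eth1 traffic-policy out downstream
# Traffic policy for uploads, sized for a 256 kbit link. Same caveats as above;
# here the matches are on source port / source address because this is the
# reply direction.
edit traffic-policy shaper upstream
set bandwidth 256kbit
set description "Home upload shaper for 256kbit"
set default bandwidth 20%
set default ceiling 100%
set default priority 5
set default queue-type fair-queue
set class 10 description "Highest priority for DNS, SSH and ICMP"
set class 10 bandwidth 10%
set class 10 burst 1k
set class 10 ceiling 100%
set class 10 priority 7
set class 10 queue-type fair-queue
set class 10 match ssh ip source port 22
set class 10 match ssh ip dscp lowdelay
set class 10 match ssh ip protocol tcp
set class 10 match dns ip source port 53
set class 10 match icmp ip protocol icmp
set class 20 description "Highest upload bandwith for gaming"
set class 20 bandwidth 65%
set class 20 burst 1k
set class 20 ceiling 100%
set class 20 priority 6
set class 20 queue-type fair-queue
set class 20 match playstation ip source address 10.0.1.5/32
set class 30 description "Trash bandwidth and priority for torrents"
set class 30 bandwidth 5%
set class 30 burst 1k
set class 30 ceiling 80%
set class 30 priority 1
set class 30 queue-type fair-queue
set class 30 match transmission ip source port 51413
top
commit
# Attach the upload policy to the WAN interface: traffic leaving eth0 is the
# upload direction. This attachment needs its own commit (and save, so it
# survives a reboot) — without it the upstream shaper is defined but inactive.
set interfaces ethernet eth0 traffic-policy out upstream
commit
save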
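# DHCP for the two LAN segments, 10.0.1.0/24 (eth1) and 10.0.2.0/24 (eth2).
edit service dhcp-server
set disabled false
# Record lease hostnames in the router's hosts file so the DNS forwarder below
# can resolve LAN clients by name.
set hostfile-update enable
show
top
# Shared network "LAN": subnet 10.0.1.0/24, dynamic pool .40 - .139, 24 h leases.
edit service dhcp-server
set shared-network-name LAN subnet 10.0.1.0/24 start 10.0.1.40 stop 10.0.1.139
set shared-network-name LAN subnet 10.0.1.0/24 default-router 10.0.1.1
# Clients are pointed at Google DNS directly, so they bypass the router's
# caching forwarder configured further down; hand out 10.0.1.1 instead if
# you want caching and local-hostname resolution.
set shared-network-name LAN subnet 10.0.1.0/24 dns-server 8.8.8.8
set shared-network-name LAN subnet 10.0.1.0/24 dns-server 8.8.4.4
set shared-network-name LAN subnet 10.0.1.0/24 lease 86400
# Reservations: one ip-address / mac-address pair per <identifier-name>.
# Use addresses outside the .40 - .139 pool (e.g. 10.0.1.5 for the console
# referenced by the traffic-policy).
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> ip-address <custom-ip>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> mac-address <mac-address>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> ip-address <custom-ip>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> mac-address <mac-address>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> ip-address <custom-ip>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> mac-address <mac-address>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> ip-address <custom-ip>
set shared-network-name LAN subnet 10.0.1.0/24 static-mapping <identifier-name> mac-address <mac-address>
show
top
# Shared network "LAN2": subnet 10.0.2.0/24, dynamic pool .40 - .139, 6 h leases.
# NOTE: every line for this subnet must use the same shared-network-name
# (LAN2). Putting the pool under "LAN" and the options under "LAN2" splits the
# subnet across two shared networks, which is likely to fail on commit or
# leave LAN2 without a usable pool.
edit service dhcp-server
set shared-network-name LAN2 subnet 10.0.2.0/24 start 10.0.2.40 stop 10.0.2.139
set shared-network-name LAN2 subnet 10.0.2.0/24 default-router 10.0.2.1
set shared-network-name LAN2 subnet 10.0.2.0/24 dns-server 8.8.8.8
set shared-network-name LAN2 subnet 10.0.2.0/24 dns-server 8.8.4.4
set shared-network-name LAN2 subnet 10.0.2.0/24 lease 21600
show
top
# Save the DHCP configuration for the two subnets
commit
save
# DNS caching forwarder. Listening only on the LAN interfaces keeps it from
# acting as an open resolver on eth0 (WAN_LOCAL would drop such queries too,
# but defence in depth is cheap here).
edit service dns
set forwarding cache-size 1000
set forwarding listen-on eth1
set forwarding listen-on eth2
show
top
# Web GUI on the standard HTTPS port. No listen-address restriction is set
# here, so the GUI is kept off the Internet only by WAN_LOCAL's default drop —
# re-check this if WAN_LOCAL is ever relaxed.
edit service gui
set https-port 443
show
top
# Source NAT: masquerade everything leaving eth0 behind its WAN address.
edit service nat
set rule 5010 outbound-interface eth0
set rule 5010 type masquerade
show
top
# SSH on port 22, protocol 2 only. Same reachability note as for the GUI.
edit service ssh
set port 22
set protocol-version v2
show
top
# UPnP for BitTorrent and the like. WARNING: this lets any device on eth1 ask
# the router to open inbound port forwards from eth0, bypassing WAN_IN with no
# authentication — a compromised or careless LAN host can expose services to
# the Internet. Leave this section out unless you actually need it. It is
# offered on eth1 only; eth2 clients cannot use it.
edit service upnp2
set listen-on eth1
set wan eth0
show
top
# Save DNS, GUI, SSH and UPNP2 configuration
commit
save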
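# Basic system identity and the resolvers the router itself uses.
set system host-name <name>
set system time-zone America/Caracas
set system name-server 8.8.8.8
set system name-server 8.8.4.4
# Create the admin user. The password is typed in the clear on the command
# line; EdgeOS stores it hashed after commit, but the plaintext stays in this
# session's CLI history — enter it interactively or clear the history, and
# never paste a real password into a gist.
set system login user <username>
edit system login user <username>
set authentication plaintext-password <password>
set full-name "Full Name"
set level admin
top
commit
save
# Copy your public key to the router. Run this from your workstation, not on
# the router; 10.0.1.1 is the eth1 address configured earlier (use whichever
# LAN address you reach the router on). The host part of this line was mangled
# by the page it was copied from.
scp ~/.ssh/id_rsa.pub <username>@10.0.1.1:~/id_rsa.pub
# Log in again as the newly created user (we are about to delete the default
# one) and enter configuration mode ("configure"); loadkey only works there.
# Re-run loadkey whenever you rotate the key.
loadkey <username> ~/id_rsa.pub
# Before committing the next two lines, open a SECOND ssh session and confirm
# that key-based login as <username> works. If it does not, this commit locks
# you out of SSH, leaving only the serial console or the web GUI to recover.
set service ssh disable-password-authentication
delete system login user ubnt
commit
save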
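# Back up the running config before upgrading. "cat" only prints it to the
# terminal — copy the output somewhere safe (or scp /config/config.boot off the
# router) and keep it private: it contains the password hash and any secrets
# you add later.
cat /config/config.boot
# Option 1: let the router fetch the image. Use https, and compare the file
# against the checksum the vendor publishes for that release before adding it;
# a plain http fetch gives no integrity guarantee on its own. v1.9.0 is an old
# release — use the vendor's current one. If this firmware's fetcher cannot do
# https, fall back to option 2.
add system image https://dl.ubnt.com/firmwares/edgemax/v1.9.0/ER-e100.v1.9.0.4901118.tar
# Option 2: download the image on a workstation, verify the checksum there,
# and scp it to the router (the host part of this line was mangled by the page
# it was copied from; 10.0.1.1 is the eth1 address configured earlier).
scp ER-e100.v1.9.0.4901118.tar <username>@10.0.1.1:
# Then add it to the system
add system image ER-e100.v1.9.0.4901118.tar
# Check the version before and after the reboot; the new image only becomes
# active after rebooting.
show version
# Last but not least, reboot
reboot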