This usher assumes that :
- You have a residential, rather than a commercial, internet connection, and thus that you do not have a fixed IP address on the WAN side (if you do not know what this means, you do!)
- You will be plugging your modem into the Edgerouter via ethernet, rather than via an SFP optical cable (again, if you don’t know what this means, you will!)
- You will be using the Edgerouter with a switch
You will need
Before you begin, make certain that you have the follow :
- A computer with an ethernet port (or, if your computer doesn’t have one, as is the case with all modern Apple Macintosh models, an adapter)
- An ethernet cable
- A pen
Before you start
If you have a combination modem/router from your ISP ( internet service provider ), you will need to put it into “ bridge mode ” before you start. basically, this will turn your combination modem/router into barely a modem, and prevent the problems that arise from your having two routers on the lapp network. The instructions that came with your particular modem/router model should explain how to do this.
warn If you have AT & T Fiber, this is not possible without a fortune more employment ,. This is because the modem/router that AT & T provides is needed to authenticate with the network, and therefore it can not by bypassed .
Make your initial connection to the Edgerouter
Use an ethernet cable to connect your computer to the Edgerouter ’ s
eth0 larboard .
following, you ’ ll need to bring up the in-built, browser-based GUI. Out of the box, the default IP address of the Edgerouter is
192.168.1.1. Because there is no DHCP server, you ’ ll necessitate to manually edit your computer ’ sulfur TCP/IP settings so you can connect. You should use :
IPv4 Address :
Subnet Mask :
Apply these settings. then open your darling network browser and navigate to
https://192.168.1.1. Ignore any warnings about SSL certificates .
Run the setup wizard
The beginning thing you ’ ll see is a login screen. The default username is
ubnt, and the default password is
ubnt. Log in .
once logged in, agree to start with the default option charming .
In the Internet port (eth0 or eth3/SFP ) section, set “ Port ” to
eth0, “ Internet connection type ” to
DHCP, and make certain that “ VLAN, ” “ IPv4 Firewall, ” “ IPv6 Firewall, ” and “ DHCPv6 PD ” are unbridled .
Do not check “ Bridge LAN interfaces into a single network ” in the “ Bridging ” area .
In the LAN port (eth1) section, enroll
10.0.1.1 before the
255.255.255.0 after it .
Ignore the (Optional) Secondary LAN ports (eth2) section .
ultimately, in the User setup area, select “ Create raw admin exploiter ” and set up a new exploiter with a new password. Make certain you write down the details .
warn When you set up a new exploiter, the Edgerouter will delete the default one. thus cook sure you write down the details correctly .
Move your ethernet cable from eth0 to eth1
After you ’ ve click
Apply, you need to physically move the ethernet cable that is connected from your computer from the Edgerouter ’ s
eth0 port to the Edgerouter ’ s
eth1 larboard .
next, you ’ ll need to set your computer to accept an IP address via DHCP, rather than manually .
After about a minute, the Edgerouter should come back up, and your computer should be assigned an IP address. immediately you can navigate to the GUI at
Setting up your modem
The next step is to set up your internet association. To do this, run an ethernet cable from your modem to the Edgerouter ’ s
eth0 interface. In most cases you ’ ll need to restart the modem having done this. In some cases, you may need to restart the Edgerouter, besides .
Test your internet connection
once your modem comes second up, your Edgerouter should show an IP address in the
eth0 field :
SSH into the Edgerouter
The rest of the setup march outlined in this steer will be performed via the command line. Some of the things we are about to do can be done via the GUI, but when you are doing a lot of shape at once, the command line is much more effective. furthermore, it ’ randomness effective to know how to control the router should you lose entree to the GUI .
To gain SSH access to the Edgerouter, we will need :
- The IP address of the Edgerouter. This was the address you set using the wizard. In the example above, this is is
- The username you set using the wizard (e.g.
- The password you set using the wizard
Using the above variables, to SSH in to the Edgerouter, you ’ five hundred type :
At the password prompt, you ’ five hundred type your password, and then crusade
NOTE In most circumstances, you will not see your password appear on the screen as you type. This is a security standard. Simply type as usual, and then press
If successful, you will see an output that looks something like this :
Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you acknowledge that you have read and understood the Ubiquiti License Agreement ( available in the Web UI at, by default, hypertext transfer protocol : //192.168.1.1 ) and agree to be bound by its terms .
linux 10.0.1.1 4.9.79-UBNT # 1 SMP Tue Mar 12 16:18:59 coordinated universal time 2019 mips64
Welcome to EdgeOS
last login : Tue May 7 10:12:59 2019 from 10.0.1.x
charles @ 10.0.1.1 : ~ $
Enter configuration mode
To make changes, you need to enter shape mode. To do this, you simply type :
You should see the come :
[ edit ]
charles @ 10.0.1.1 #
You are now able to edit the Edgerouter ’ randomness shape .
Set a hostname and disable unused ethernet ports
first, we will give the Edgerouter a name on the network — in this exercise,
router.your.house. Type the follow, followed by the hostname you want the Edgerouter to adopt :
set system static-host-mapping host-name router.your.house
future, we will label our active WAN interface (
eth0 ) and our active LAN port (
eth1 ), and disable the Edgerouter ’ s two unused ethernet ports — in this shell,
set interfaces ethernet eth0 description Internet set interfaces ethernet eth1 description LAN set interfaces ethernet eth2 description - set interfaces ethernet eth2 disable set interfaces ethernet eth3 description - set interfaces ethernet eth3 disable
To save these changes, prevail :
and then :
commit command saves the changes to the Edgerouter ; the
save command makes certain that those changes will persist after a boot. To get out of the configure modality wholly, you just type
exit, but we won ’ thymine do that so far .
adjacent, we will enable Universal Plug and Play. UPnP is a set of protocols that allows certain devices on your network to discover each early without the necessitate for manual settings. It can be specially utilitarian if you have a games console such as an XBox or Playstation 4 :
set service upnp listen-on eth1 outbound-interface eth0 commit save
Set a manual DNS server (optional)
If you intend to use the DNS servers provided by your ISP, or you don ’ triiodothyronine know what a DNS server is, you can ignore this gradation. Because you set up your “ Internet connection type ” to DHCP, the Edgerouter will mechanically inherit DNS servers from your ISP .
If, by contrast, you want to set a manual DNS waiter — for model, a Pi-Hole — you ’ ll lack to do that now. To do this, run ( this assumes that your DNS server is at
10.0.1.10 ) :
Read more: Medical Website Hosting | RemedyConnect
set service dns forwarding name-server 10.0.1.10 commit save
Set up your DHCP reservations (optional)
The Edgerouter will mechanically allocate every associate device an IP cover within the DHCP range. This IP address may change every 24 hours. For most devices, this is fine. For resources such as servers, however, it makes more sense to force the Edgerouter to pass out the lapp IP address every time so that you always know where to reach it. This is besides known as a “ setting a static IP. ”
To set a static IP, you need to know :
- The name and subnet of the DHCP server, which you can find in the GUI under
Services → DHCP Server
- The MAC (Media Access Control) address of the device to which you want to assign a static IP address
- The IP address you want to allocate to the device
Assuming that the DHCP server is called LAN1, that its subnet is 10.0.1.0/24, that the device you ’ re giving a static IP address is a server that you want to label “ Server, ” that the server ’ s MAC address is associate in arts : bb : two hundred : doctor of divinity : electrical engineering : ff, and that you want the Edgerouter to give it the home IP address 10.0.1.200, you ’ five hundred footrace :
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 static-mapping Server ip-address 10.0.1.200 set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 static-mapping Server mac-address aa:bb:cc:dd:ee:ff
You can set as many of these as you want. When done, run :
Set up an IPv4 firewall
following, we ’ ll set up a basic IPv4 firewall, and specify access to the router ’ randomness GUI and SSH interfaces—and to any net address translation ( NAT ) —to machines that have been explicitly added to a tilt of sure external information science :
set firewall group address-group Trusted_IPs address 188.8.131.52 set firewall group address-group Trusted_IPs description "External Trusted IPs" set firewall name WAN_IN rule 10 action accept set firewall name WAN_IN rule 10 description "Allow Established / Related Traffic" set firewall name WAN_IN rule 10 state established enable set firewall name WAN_IN rule 10 state related enable set firewall name WAN_IN rule 20 action accept set firewall name WAN_IN rule 20 description "Allow Trusted IPs" set firewall name WAN_IN rule 20 source group address-group Trusted_IPs set firewall name WAN_IN rule 30 action drop set firewall name WAN_IN rule 30 description "Drop Invalid State" set firewall name WAN_IN rule 30 log enable set firewall name WAN_IN rule 30 protocol all set firewall name WAN_IN rule 30 state established disable set firewall name WAN_IN rule 30 state invalid enable set firewall name WAN_IN rule 30 state new disable set firewall name WAN_IN rule 30 state related disable set firewall name WAN_IN rule 40 action drop set firewall name WAN_IN rule 40 description "Drop ICMP" set firewall name WAN_IN rule 40 icmp type 8 set firewall name WAN_IN rule 40 protocol icmp set interfaces ethernet eth0 firewall in name WAN_IN set interfaces ethernet eth0 firewall local name WAN_IN commit save
With the above lines, we are :
- creating a group of trusted IPv4 addresses named “External Trusted IPs”;
- adding IP address
184.108.40.206to that group;
- setting up a rule (10) that allows through the firewall any traffic that is part of, or related to, an already established connection;
- setting up a rule (20) that allows traffic from the “External Trusted IPs” group;
- setting up a rule (30) that blocks any packets that cannot be identified;
- setting up a rule (40) that drops ICMP traffic by default;
- applying these rules to both the router itself (“local”) and to the traffic that passes through the router (“in”)
naturally, if you want to add more IPv4 addresses ( e.g.
987.654.3.21 to your trusted group, in this exemplify called
Trusted_IPs ), you ’ d just run multiple lines of this sort :
set firewall group address-group Trusted_IPs address 987.654.3.21
Port forwarding and NAT (optional)
adjacent, we need to make some exceptions to the above rules, so that certain types of IPv4 traffic can reach devices behind the router. There are two ways of “ poking a fix ” in the firewall : “ port forwarding ” and “ NAT. ” For the purposes of this lead, we will use port forwarding to allow certain types of traffic that originates from anywhere, and NAT to allow certain types of traffic that originates only from the IP addresses we placed on the Trusted IPs list .
Port forwarding (optional)
As explained above, we will use larboard forwarding to enable outside dealings to access certain resources on our network, regardless of where it originates. This can be utilitarian if, for example, you have a Plex Media Server on your network, and you want to be able to watch movies from it from anywhere in the world .
The inaugural gradation is to enable the auto-firewall and hairpin-nat, and to tie the port forwarding process to our WAN (
eth0 ) and LAN (
eth1 ) ports :
set port-forward auto-firewall enable set port-forward hairpin-nat enable set port-forward lan-interface eth1 set port-forward wan-interface eth0
future, we need to set some rules. We need to know :
- Which port the outside traffic is coming in on (for Plex, for example, this is
- Whether the traffic is TCP, UDP, or both (Plex is TCP only)
- The internal IP address of the device we want to forward that traffic to (let’s assume we have a server running Plex at
- The port the internal device is listening on (this can be different, but in our Plex example, it is not by default, so we’d stick with
Given the variables above, to set a port-forwarding rule, we ’ vitamin d run :
set port-forward rule 1 description "Plex on Server" set port-forward rule 1 original-port 32400 set port-forward rule 1 protocol tcp set port-forward rule 1 forward-to address 10.0.1.2000 set port-forward rule 1 forward-to port 32400
We can set as many rules as we like using this rubric. obviously, each rule will need a different number .
When you ’ ve finished setting your rules, race :
Set up NAT (optional)
We ’ ll use NAT rules in pretty a lot the lapp way as above, except in this case we ’ ra going to limit access to the
Trusted_IPs list we established early. This can be utilitarian if, for exemplar, you have a server that you want to be able to access remotely via SSH, but which you don ’ t want fair anyone to be able to try to access .
here ’ s a sample rule :
set service nat rule 1 description "SSH for Server" set service nat rule 1 inbound-interface eth0 set service nat rule 1 log disable set service nat rule 1 protocol tcp set service nat rule 1 type destination set service nat rule 1 destination port 22 set service nat rule 1 inside-address address 10.0.1.200 set service nat rule 1 inside-address port 22 set service nat rule 1 source group address-group Trusted_IPs
The above rule tells the Edgerouter to examine any TCP traffic on port 22 that arrives on the WAN port (
eth0 ) and either :
- drop it if it did not originate from an IP address on the
- send it to port 22 on the server inside the network at
We can set as many rules as we like using this gloss. Again, each convention will obviously need a different phone number .
When you ’ ve finished setting your rules, run :
Set up IPv6 (optional)
Some ISPs offer IPv6 back. If you don ’ thymine know what this is, we ’ vitamin d recommend leaving it alone. If you do, running these lines should set you up :
set interfaces ethernet eth0 dhcpv6-pd pd 0 set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 60 set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1 set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1 set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 set interfaces ethernet eth1 ipv6 router-advert managed-flag true commit save
To confirm that this has worked, we need to exit the shape manner. To do this, we merely type :
now we can check to see if both
eth1 are running IPv6 correctly. To do this, we ’ ll ladder :
You should see an IPv6 cover under
eth0 and an IPv6 prefix under
Codes : S – State, L – Link, u – Up, D – Down, A – Admin Down
Interface IP Address S/L Description
——— ———- — ———–
eth0 220.127.116.11/21 u/u Internet
2001:558:6043:1e : e112 : d0a9:282a:197e/128
eth1 10.0.1.1/24 u/u LAN
2001 : db8 : :1/64
eth2 – A/D –
eth3 – A/D –
lo 127.0.0.1/8 u/u
Set up an IPv6 firewall (optional)
Because you have exited shape mode in club to test your IPv6 shape, you ’ ll motivation to get back in before you make the respite of your changes. To do this, type :
The first dance step is to set up a basic IPv6 firewall, as we did for IPv4 :
set firewall group ipv6-address-group Trusted_IPv6s description "External Trusted IPv6s" set firewall group ipv6-address-group Trusted_IPv6s ipv6-address 2001:db8::1/64 set firewall ipv6-name WANv6_IN description "IPv6WAN to internal" set firewall ipv6-name WANv6_IN rule 10 action accept set firewall ipv6-name WANv6_IN rule 10 description "Allow Established / Related Traffic" set firewall ipv6-name WANv6_IN rule 10 state established enable set firewall ipv6-name WANv6_IN rule 10 state related enable set firewall ipv6-name WANv6_IN rule 10 log disable set firewall ipv6-name WANv6_IN rule 20 action drop set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state" set firewall ipv6-name WANv6_IN rule 20 state invalid enable set firewall ipv6-name WANv6_IN rule 30 action accept set firewall ipv6-name WANv6_IN rule 30 description "Allow ICMPv6" set firewall ipv6-name WANv6_IN rule 30 log disable set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6 set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN set firewall ipv6-name WANv6_LOCAL default-action drop set firewall ipv6-name WANv6_LOCAL description "IPv6 packets from internet to router" set firewall ipv6-name WANv6_LOCAL rule 10 action accept set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established and related packets" set firewall ipv6-name WANv6_LOCAL rule 10 state established enable set firewall ipv6-name WANv6_LOCAL rule 10 state related enable set firewall ipv6-name WANv6_LOCAL rule 20 action drop set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid packets" set firewall ipv6-name WANv6_LOCAL rule 20 log enable set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable set firewall ipv6-name WANv6_LOCAL rule 30 action accept set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow ICMPv6 packets" set firewall ipv6-name WANv6_LOCAL rule 30 log enable set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6 set firewall ipv6-name WANv6_LOCAL rule 40 action accept set firewall ipv6-name WANv6_LOCAL rule 40 description "Allow dhcpv6" set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546 set firewall ipv6-name WANv6_LOCAL rule 40 source port 547 set firewall ipv6-name WANv6_LOCAL rule 50 action accept set firewall ipv6-name WANv6_LOCAL rule 50 description "Allow SSH and web traffic from trusted sources" set firewall ipv6-name WANv6_LOCAL rule 50 destination port 80,443,22 set firewall ipv6-name WANv6_LOCAL rule 50 source group ipv6-address-group Trusted_IPv6s set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL commit save
The above firewall does the same as our IPv4 firewall, with three differences :
- Because we are dealing with IPv6 and not IPv4, we do not limit WAN_IN traffic by IP address or group;
- Because of this, we need
WANv6_LOCAL rule 50to limit IPv6 traffic to the router itself (we want to open ports 80, 443, and 22, so that we can access the router’s via SSH and via the GUI using IPv6);
WANv6_LOCAL rule 40allows dhcpv6 traffic through to the router itself. This allows your ISP to give your router its IPv6 information even though its IP addresses are not listed in your
External Trusted IPv6sgroup
If you have a standard setup, you won ’ t need to change any of this .
last, we ’ ll set up external entree to the devices behind the router. Because IPv6 does not use Network Address Translation, there are no NAT rules or port forward rules hera. rather, we need to set up a rule for every individual device. In the below example, we ’ re allowing IPv6 dealings to access TCP port 32400 on a server running Plex, the IP address of which is
set firewall ipv6-name WANv6_IN rule 40 description "Plex for server" set firewall ipv6-name WANv6_IN rule 40 log disable set firewall ipv6-name WANv6_IN rule 40 protocol tcp set firewall ipv6-name WANv6_IN rule 40 destination address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 set firewall ipv6-name WANv6_IN rule 40 destination port 32400
You can add as many of these are you need. If you need to open multiple ports, equitable add them in sequence, like this :
set firewall ipv6-name WANv6_IN rule 40 destination port 32400,22,80,3306
You can besides limit access by source IP, as in
LOCAL rule 50 above .
Set up dynamic DNS (optional)
Most residential ISPs do not give you a repair IP address, which can cause problems if you ’ re using DNS to access your router ( e.g., if you ’ ve pointed
router.your.house at the your router ’ randomness IP savoir-faire ). You can get around this by using a “ active DNS ” service. For this guide, we will use no-ip .
To make this work, you first need to get a detached dynamic DNS address from no-ip here, and then to tell your router to mechanically update no-ip when its IP address changes .
Assuming that the DNS address you got is
yourhome.ddns.net, your drug user account is
youraccount, and your password is
yourpassword, you ’ d run the following :
set service dns dynamic interface eth0 web dyndns set service dns dynamic interface eth0 service custom-noip host-name yourhome.ddns.net set service dns dynamic interface eth0 service custom-noip login youraccount set service dns dynamic interface eth0 service custom-noip password yourpassword set service dns dynamic interface eth0 service custom-noip protocol noip set service dns dynamic interface eth0 service custom-noip server dynupdate.no-ip.com
If you want to keep using your custom-make DNS address, you ’ d just set the following in your own DNS records :
router.your.house CNAME yourhome.ddns.net
That way, if your router ’ randomness address changes, it doesn ’ triiodothyronine topic. You ’ ll constantly be able to entree it from your customize domain name .
Add your router to UNMS (optional)
If you are running UNMS, you can add your Edgerouter to your setup by running the comply and including your UNMS key. You can find your winder inside UNMS by going to
Devices and clicking on
Add Ubiquiti Device, and then
Copy UNMS key and paste into device configuration :
delete service unms disable set service unms connection [UNMS key] commit save
Set up an SSL certificate (optional)
last, we will add an SSL certificate that corresponds to the hostname you barely set — in our exercise,
router.your.house. This will allow you to securely access the network interface ( GUI ) of your router both inside and outside your network .
If you do not own a knowledge domain name that you can point at your router — or if this is not authoritative to you, you can skip this step. If you do own a sphere name for this determination, set up an adenine record that points at the WAN IP address of the Edgerouter.
once that has been done — and the record has propagated, run the trace commands ( replacing
router.your.house with your own address, obviously ). Thanks to Github user j-c-m for this script :
curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh | sudo bash configure set system static-host-mapping host-name router.your.house inet 10.0.1.1 set service gui cert-file /config/ssl/server.pem set service gui ca-file /config/ssl/ca.pem set system task-scheduler task renew.acme executable path /config/scripts/renew.acme.sh set system task-scheduler task renew.acme interval 1d set system task-scheduler task renew.acme executable arguments '-d router.your.house' sudo /config/scripts/renew.acme.sh -d router.your.house commit save
nowadays, try to visit
https://router.your.house in your browser. It should load over hypertext transfer protocol without any errors. If, having run the script, you find that the GUI will not load, run :
delete service gui commit set service gui commit save