
Clear DNS Forwarding Cache via SSH Call

ssh user@ 'sudo /opt/vyatta/bin/sudo-users/ --clear-cache'

SSH via RSA keys

SSH to the EdgeRouter and copy the public key to the /tmp folder.

Then, in configuration mode, run:

loadkey [your user] /tmp/

Check that the keys work by opening a new session, then disable password authentication:

set service ssh disable-password-authentication
commit ; save

To re-enable password authentication if needed:

delete service ssh disable-password-authentication

Hardening EdgeRouter

This changes the GUI to port 8443, disables old ciphers, and makes the GUI and SSH listen only on the internal network. It assumes your EdgeRouter's LAN IP; if yours differs, change the listen-address values accordingly. SSH to the EdgeRouter:

set service gui listen-address
set service gui https-port 8443
set service gui older-ciphers disable
set service ssh listen-address
set service ssh protocol-version v2
set service ubnt-discover disable
commit ; save

Hardware Offloading

For devices ER-X / ER-X-SFP / EP-R6, enable hwnat and ipsec offload:

set system offload hwnat enable
set system offload ipsec enable
commit ; save

To disable hwnat and ipsec offload:

set system offload hwnat disable
set system offload ipsec disable
commit ; save

For devices ER-4 / ER-6P / ERLite-3 / ERPoE-5 / ER-8 / ERPro-8 / EP-R8 / ER-8-XG, enable IPv4/IPv6 and ipsec offload:

set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable

set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
set system offload ipv6 vlan enable

set system offload ipsec enable
commit ; save

To disable IPv4/IPv6 and ipsec offload:

set system offload ipv4 forwarding disable
set system offload ipv4 gre disable
set system offload ipv4 pppoe disable
set system offload ipv4 vlan disable

set system offload ipv6 forwarding disable
set system offload ipv6 pppoe disable
set system offload ipv6 vlan disable

set system offload ipsec disable
commit ; save

Disable automatic DHCP host-file updates:

set service dhcp-server hostfile-update disable
commit ; save

Update the hosts file manually:

set system static-host-mapping host-name inet
commit ; save

Show DNS Forwarding

show service dns forwarding

Show Hosts Config

cat /etc/hosts

Guest WiFi With Ubiquiti EdgeRouter and Unifi Access Points

EdgeRouter Configuration

From the Dashboard, click Add Interface and select VLAN. Set the VLAN ID as you like; this example uses ID 1003 and attaches it to the physical interface of your LAN. Give it an IP address in a private IP block, but make sure you end it in /24 to specify the proper subnet (I originally did /32 as I thought it was supposed to be the exact IP address).

Click on the Services tab. Click Add DHCP Server and set it up similarly to the image below.

Click on the DNS tab under Services. Click Add Listen interface and select the VLAN interface. Make sure you hit Save.

At this point you should be able to connect to your guest network and reach the Internet. However, you will also be able to access the EdgeRouter as well as other devices on your LAN. The next thing to do is secure the VLAN.

1. Click on Firewall/NAT and then click Add Ruleset. This is for packets coming into the router destined for somewhere else (not the router). Set the default policy to Accept. Click Save.
2. From the Actions menu next to the ruleset, click Interfaces. Select your VLAN interface and the "in" direction.
3. Click Rules and then Add New Rule. Click on Basic and name it LAN. Select Drop as the action. Click Destination and enter your LAN IP range, then click Save. This will drop all packets from the VLAN destined for your LAN. Save.
4. Repeat 1 and 2 above (name it GUEST_LOCAL). From Interfaces, select the VLAN interface and the "local" direction. This time, set the default policy to Drop. Add a new rule and set it to Accept on UDP port 53. Save.

Let's proceed to set up the Unifi AP.
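The same guest VLAN setup expressed as EdgeOS CLI commands, added here as an example (not taken from the original post). The VLAN ID 1003 is the one used above; the parent interface eth1, the guest subnet 192.168.3.0/24 and the LAN range 192.168.1.0/24 are assumed placeholders to replace with your own.

```edgeos
configure

# Guest VLAN on the LAN port (eth1 assumed), gateway address with a /24 mask
set interfaces ethernet eth1 vif 1003 description "Guest VLAN"
set interfaces ethernet eth1 vif 1003 address 192.168.3.1/24

# DHCP for guests, pointing them at the router for DNS
set service dhcp-server shared-network-name GUEST subnet 192.168.3.0/24 start 192.168.3.100 stop 192.168.3.200
set service dhcp-server shared-network-name GUEST subnet 192.168.3.0/24 default-router 192.168.3.1
set service dhcp-server shared-network-name GUEST subnet 192.168.3.0/24 dns-server 192.168.3.1

# DNS forwarder listens on the guest VLAN (the "Add Listen interface" step)
set service dns forwarding listen-on eth1.1003

# Ruleset 1: traffic through the router; allow everything except the LAN range
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description "Guest to Internet only"
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description "Drop guest to LAN"
set firewall name GUEST_IN rule 10 destination address 192.168.1.0/24

# Ruleset 2: traffic to the router itself; drop everything except DNS
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description "Guest to router: DNS only"
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description "Guest DNS"
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 53

# Bind both rulesets to the VLAN interface in the "in" and "local" directions
set interfaces ethernet eth1 vif 1003 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 1003 firewall local name GUEST_LOCAL

commit ; save
```

After committing, check the live counters with "show firewall name GUEST_LOCAL statistics": a guest pinging the router should raise the default-action drop count while DNS lookups still resolve.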

Unifi Configuration

If you want to limit your guest users' bandwidth, head over to User Groups and create a new user group called Guest. Enter bandwidth limits that are suitable for your Internet speed. I used 6000 down and 2500 up. Now go to the Wireless Networks section and create a new network called "Guest" or whatever you want to call it. Make sure it is enabled, give it a WiFi security key, check the "Guest policy" option, enter the VLAN ID you used previously and choose the Guest user group. Save! Test your new guest WiFi by connecting to it and browsing to a website.

EdgeRouter OpenVPN Configuration 443/TCP

This guide is based on the original guide from UBNT support, with modifications to the VPN port and protocol. For the purpose of this article, it is assumed that the route and interface configurations are already in place and that reachability has been tested. SSH to the EdgeRouter and make sure that the date/time is set correctly:

show date
Thu Dec  28  14:35:42 UTC  2017

Log in as the root user.

sudo su

Generate a Diffie-Hellman (DH) parameter file and put it in the /config/auth directory. This will take some time:

openssl dhparam -out /config/auth/dh.pem -2 4096

Change the current directory.

cd /usr/lib/ssl/misc

Generate a root certificate (use your desired passphrase when prompted).

 ./ -newca

Example prompts:

  • PEM Passphrase:
  • Country Name: US
  • State or Province Name: New York
  • Locality Name: New York
  • Organization Name: Ubiquiti
  • Organizational Unit Name: Support
  • Common Name: root
  • Email Address:

NOTE: The Common Name needs to be unique across all certificates. Copy the newly created certificate + key to the /config/auth directory:

cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

Generate the server certificate request.

./ -newreq

Example prompts:

  • Country Name: US
  • State or Province Name: New York
  • Locality Name: New York
  • Organization Name: Ubiquiti
  • Organizational Unit Name: Support
  • Common Name: server
  • Email Address:

Sign the server certificate. If you want to change the certificate expiry in days, first run export default_days="3650" with the number of days you desire:

./ -sign

Move and rename the server certificate + key to the /config/auth directory.

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

Generate, sign and move the client1 certificates.

./ -newreq

Common Name: client1

./ -sign
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

( Optional ) Repeat the process for client2.

./ -newreq

Common Name: client2

./ -sign
mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key

Verify the contents of the /config/auth directory.

ls -l /config/auth

You should have these files:

  • cacert.pem
  • cakey.pem
  • client1.key
  • client1.pem
  • client2.key
  • client2.pem
  • dh.pem
  • server.key
  • server.pem

Remove the passphrase from the client + server keys. This allows the clients to connect using only the supplied certificate.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key

Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key
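The certificate steps above done non-interactively with plain openssl calls, added here as an example; it is not the page's or UBNT's CA script. It assumes openssl on PATH and writes to a directory you pass in (try a scratch directory first, then copy the files to /config/auth). It also adds the check a practitioner wants before binding the files to vtun0: every listed file exists, each certificate verifies against cacert.pem, and no key is still passphrase-protected.

```shell
#!/bin/sh
# Added example, not the page's CA script: builds the same file set with plain openssl.
# Assumes: openssl on PATH; $1 is an output directory; $2 is an optional validity in days.
set -eu

SUBJ_BASE="/C=US/ST=New York/L=New York/O=Ubiquiti/OU=Support"

make_vpn_pki() {
    out="$1"; days="${2:-3650}"
    mkdir -p "$out"
    # CA certificate + key. -nodes leaves the key unencrypted so the run is
    # non-interactive; the CN "root" must differ from every other CN below.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "$SUBJ_BASE/CN=root" \
        -keyout "$out/cakey.pem" -out "$out/cacert.pem" 2>/dev/null
    # Server and client certificates, each with its own unique CN, signed by the CA.
    for name in server client1 client2; do
        openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=$name" \
            -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null
        openssl x509 -req -days "$days" -in "$out/$name.csr" \
            -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" -CAcreateserial \
            -out "$out/$name.pem" 2>/dev/null
        rm -f "$out/$name.csr"
    done
    # DH parameters; 1024 bits only to keep this demo quick, the page uses 4096.
    openssl dhparam -out "$out/dh.pem" 1024 2>/dev/null
    chmod 600 "$out"/*.key
}

# Returns 0 when all nine files the page lists exist, every certificate chains to
# cacert.pem, and no private key is passphrase-protected (an encrypted key would
# stall the OpenVPN daemon at start-up, since nothing can type the passphrase).
check_vpn_pki() {
    out="$1"
    for f in cacert.pem cakey.pem dh.pem server.pem server.key \
             client1.pem client1.key client2.pem client2.key; do
        [ -s "$out/$f" ] || { echo "missing $f" >&2; return 1; }
    done
    for name in server client1 client2; do
        openssl verify -CAfile "$out/cacert.pem" "$out/$name.pem" >/dev/null 2>&1 \
            || { echo "$name.pem does not verify against the CA" >&2; return 1; }
        if grep -q ENCRYPTED "$out/$name.key"; then
            echo "$name.key still has a passphrase" >&2; return 1
        fi
    done
    return 0
}
```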

Return to operational mode.

Enter configuration mode.

If the EdgeRouter's GUI is on port 443, you must change it:

set service gui https-port 8443
commit ; save

Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description OpenVPN
set firewall name WAN_LOCAL rule 30 destination port 443
set firewall name WAN_LOCAL rule 30 protocol tcp

Configure the OpenVPN virtual tunnel interface. push-route is the network routed to VPN clients, and name-server is the default gateway of that route.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet
set interfaces openvpn vtun0 server push-route
set interfaces openvpn vtun0 server name-server
set interfaces openvpn vtun0 openvpn-option --duplicate-cn
set interfaces openvpn vtun0 local-port 443
edit interfaces openvpn vtun0
set openvpn-option "--push redirect-gateway"
set protocol tcp-passive
commit ; save

Link the server certificate/key and the DH parameters to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
commit ; save

Add DNS forwarding on the new vtun0 interface so that VPN clients get DNS answers.

Example client.ovpn Config

dev tun
# the server above listens with tcp-passive on 443, so the client must use TCP
proto tcp
remote  443
resolv-retry infinite
verb 3
ca cacert.pem
cert client1.pem
key client1.key

EdgeRouter: Free Up Space by Cleaning Old Firmware

SSH to the EdgeRouter:

delete system image

SpeedTest CLI on EdgeRouter

SSH to the EdgeRouter. Installation:

curl -Lo speedtest-cli
chmod +x speedtest-cli

Run from the same directory:

./speedtest-cli --no-pre-allocate

Based on http://

Enable NetFlow on EdgeRouter to UNMS

The most suitable place to enable NetFlow is your default gateway router. UNMS supports NetFlow versions 5 and 9. UNMS only records flow data for the IP ranges defined for it. Whenever UNMS receives any data from a router, the status of NetFlow changes to Active. To list the interfaces and pick the right one:

show interfaces

Example configuration for EdgeRouter:

set system flow-accounting interface pppoe0
set system flow-accounting ingress-capture post-dnat
set system flow-accounting disable-memory-table
set system flow-accounting netflow server port 2055
set system flow-accounting netflow version 9
set system flow-accounting netflow engine-id 0
set system flow-accounting netflow enable-egress engine-id 1
set system flow-accounting netflow timeout expiry-interval 60
set system flow-accounting netflow timeout flow-generic 60
set system flow-accounting netflow timeout icmp 60
set system flow-accounting netflow timeout max-active-life 60
set system flow-accounting netflow timeout tcp-fin 10
set system flow-accounting netflow timeout tcp-generic 60
set system flow-accounting netflow timeout tcp-rst 10
set system flow-accounting netflow timeout udp 60
commit ; save
