modified on 23 September 2013 at 19:56 ••• 146,852 views

SOHO Edgemax Example

From Ubiquiti Wiki

Jump to: navigation, search

This article is an example of how a small office might configure their EdgeRouter to connect the office with the Internet.

Note: if you're not interested in learning how to do it and just want an example configuration, this forum thread mrjester's Basic SOHO/HOME Config

There are three networks:

  1. WAN - dhcp client (getting public address from ISP)
  2. LAN -
  3. WLAN -


Physical Network Diagram

caption Network Diagram

Setup Interfaces

From the dashboard tab we can configure the IP address on the interfaces and give optional descriptions.

caption Setup the Interfaces

Note: this example is using DHCP client to request a addresss. If you have static IP addresses see adding static IP, gateway, name server

Create New User

One of the first things you'll want to do is get rid of the default 'ubnt' user (or at least change it to a strong password). In these next 3 screenshots we'll first create a new user.

caption New user

We can't delete a user that is still logged in, so we'll logout and back in as our new users.

caption New user

Now we can delete the default user account.

caption Delete default user

Setup DHCP servers

We'll create 2 dhcp servers 1) for the LAN subnet and 2) for the wireless LAN subnet.

caption DHCP Server

Configure DNS forwarding

In the previous DHCP server page we defined the dns server as the router's address, so we'll enable DNS forwarding to listen for DNS requests on both the LAN (eth0) and the WLAN (eth1).

caption DNS forwarding

Configure NAT

We're using private address on our LAN and WLAN, so we'll need a NAT Masquerade rule for outbound interface eth0.

caption NAT masquerade

Stateful Firewall

The following example firewall is just very basic (and not necessarily recommended). Basically this allow any traffic from LAN, WLAN or the router to be initiated out to Internet, but drop all traffic initiated from Internet.

Before we jump into the example we should first discuss the EdgeOS firewall terminology for IN, OUT, and LOCAL. Applying a firewall ruleset to the IN firewall of an interface affect traffic inbound on that interface but only the traffic forwarded through the router. OUT is traffic that has been forwarded through the router and about to leave exit out the interface. LOCAL is traffic destined for the router (for example if you wanted to use the web UI on the router you'd need to allow port 443 on LOCAL. In terms of using IN or OUT rules, some will say that IN is better because if you're going to drop a packet it's better to do it on input rather than go through the full packet processing path only to drop it before it leaves the router.

First we'll use the 'Add Ruleset' to create the WAN_IN and WAN_LOCAL Rulesets

caption Create Firewall Rulesets

Select to 'Edit Ruleset' on WAN_IN

caption Edit Firewall Ruleset

Click 'Add a New Rule'

caption Add Firewall rule to Ruleset

The first rule will 'accept' any packet that has state established or related

caption Allow Established

Select those state on the 'Advanced' tab

caption Advanced Firewall Rule tab

For the 2nd rule we'll drop packets that have state invalid set

caption Rule 2

Now apply this firewall ruleset to an interface/direction.

caption Firewall

Now we'll basically add the same 2 rules to WAN_LOCAL and then apply it to eth0/local.

caption Firewall

System Settings

Lastly we'll use the 'system' tab from the bottom of the page to configure our hostname, nameserver, domain name, time-zone and various other system settings. Notice that if you're ISP assigned you a static public address instead of using DHCP, then you would configure your gateway here.

caption System settings

The resulting config from this example can be seen at SOHO_Edgemax_Example_Config_Boot.