SOHO Edgemax Example
From Ubiquiti Wiki
This article is an example of how a small office might configure their EdgeRouter to connect the office with the Internet.
Note: if you're not interested in learning how to do it and just want an example configuration, see this forum thread: mrjester's Basic SOHO/HOME Config.
There are three networks:
- WAN - dhcp client (getting public address from ISP)
- LAN - 172.16.0.1/24
- WLAN - 172.16.1.1/24
Physical Network Diagram
From the dashboard tab we can configure the IP address on the interfaces and give optional descriptions.
Note: this example uses a DHCP client to request an address from the ISP. If you have a static IP address, see adding static IP, gateway, name server.
Create New User
One of the first things you'll want to do is get rid of the default 'ubnt' user (whose default password is also 'ubnt'), or at least give it a strong password. In the next 3 screenshots we'll first create a new user; give it the 'admin' level, since an operator-level account cannot change the configuration or delete the default account.
We can't delete a user that is still logged in, so we'll log out and back in as our new user.
Now we can delete the default 'ubnt' account.
Setup DHCP servers
We'll create 2 DHCP servers: 1) for the LAN subnet (172.16.0.0/24) and 2) for the wireless LAN subnet (172.16.1.0/24). Each hands out the router's address on that subnet as the default router and as the DNS server.
Configure DNS forwarding
In the previous DHCP server page we defined the DNS server as the router's address, so we'll enable DNS forwarding and set it to listen on the LAN and WLAN interfaces only. Do not add the WAN interface to the listen-on list: a forwarder that answers queries from the Internet is an open resolver that can be abused for DNS amplification.
We're using private addresses on our LAN and WLAN, so we'll need a NAT masquerade rule for outbound interface eth0 (the WAN interface), which rewrites the source address of outbound packets to whatever public address the DHCP client was given.
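The same interface, DHCP server, DNS forwarding and NAT setup entered from the CLI (connect with SSH and type `configure`). This is an added example, not a copy of the configuration linked at the end of the article. It assumes eth0 is the WAN, eth1 the wired LAN and eth2 the WLAN; the DHCP pool boundaries, lease time, cache size and the NAT rule number are illustrative choices, not values from the page.

```edgeos
configure

# Interfaces. Assumed layout: eth0 = WAN (DHCP client), eth1 = LAN, eth2 = WLAN.
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth1 address 172.16.0.1/24
set interfaces ethernet eth2 description WLAN
set interfaces ethernet eth2 address 172.16.1.1/24

# DHCP server: one shared-network per subnet. The router advertises itself
# as default router and DNS server; .100-.199 is an assumed dynamic pool.
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN subnet 172.16.0.0/24 start 172.16.0.100 stop 172.16.0.199
set service dhcp-server shared-network-name LAN subnet 172.16.0.0/24 default-router 172.16.0.1
set service dhcp-server shared-network-name LAN subnet 172.16.0.0/24 dns-server 172.16.0.1
set service dhcp-server shared-network-name LAN subnet 172.16.0.0/24 lease 86400
set service dhcp-server shared-network-name WLAN subnet 172.16.1.0/24 start 172.16.1.100 stop 172.16.1.199
set service dhcp-server shared-network-name WLAN subnet 172.16.1.0/24 default-router 172.16.1.1
set service dhcp-server shared-network-name WLAN subnet 172.16.1.0/24 dns-server 172.16.1.1
set service dhcp-server shared-network-name WLAN subnet 172.16.1.0/24 lease 86400

# DNS forwarding: listen on the inside interfaces only. Adding eth0 here
# would turn the router into an open resolver on the Internet.
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding cache-size 150

# Source NAT: masquerade everything that leaves via the WAN interface.
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 protocol all

commit
save
exit
```

`commit` activates the change and `save` writes it to config.boot so it survives a reboot; a commit without a save is lost on reload. After committing, `show dhcp leases` and `show nat statistics` from operational mode confirm that clients are getting addresses and that outbound traffic is hitting the masquerade rule. The forwarder resolves against the name servers the router itself uses, which come from the ISP's DHCP lease or from the name servers set on the System tab.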
The following example firewall is very basic (and not necessarily recommended as-is). It allows any traffic from the LAN, the WLAN or the router itself to be initiated out to the Internet, but drops all traffic initiated from the Internet, both traffic that would be forwarded to the inside networks and traffic aimed at the router itself.
Before we jump into the example we should first discuss the EdgeOS firewall terminology for IN, OUT and LOCAL, which describe where a ruleset is applied relative to an interface:
- IN: traffic arriving on that interface that is forwarded through the router to another interface. It does not cover traffic addressed to the router itself.
- OUT: traffic that has been forwarded through the router and is about to leave via that interface.
- LOCAL: traffic arriving on that interface that is destined for the router itself (for example, to use the web UI from that side of the router you would need to allow TCP port 443 on LOCAL; the same applies to SSH on port 22 and to DNS queries reaching the forwarder).
Rulesets are evaluated top down, the first matching rule wins, and the ruleset's default action applies to anything no rule matched, so a ruleset meant to block the Internet must have a default action of drop. In terms of using IN or OUT rules, IN is generally better: if you're going to drop a packet it's better to do it as it enters, rather than route it through the full packet processing path only to drop it before it leaves the router, and an IN ruleset also tells you which interface the packet came from.
First we'll use 'Add Ruleset' to create the WAN_IN and WAN_LOCAL rulesets, each with a default action of drop.
Select 'Edit Ruleset' on WAN_IN.
Click 'Add a New Rule'.
The first rule will 'accept' any packet whose connection state is established or related, i.e. replies to connections that were initiated from the inside.
Select those states on the 'Advanced' tab.
For the 2nd rule we'll drop packets that have the invalid state set (packets the connection tracker cannot associate with any known connection).
Now apply this firewall ruleset to an interface/direction: eth0 (the WAN interface) / in.
Now we'll add the same 2 rules to WAN_LOCAL and then apply it to eth0/local.
Lastly we'll use the 'System' tab at the bottom of the page to configure our hostname, name server, domain name, time zone and various other system settings. Note that if your ISP assigned you a static public address instead of using DHCP, you would configure your default gateway here.
The resulting config from this example can be seen at SOHO_Edgemax_Example_Config_Boot.