Setting up a gateway on Ubiquiti EdgeRouter
Latest revision as of 15:17, 28 September 2025
Updated 26/09/2025 - KC6GNJ
Updated 16/05/2020 - M0MUX
The Definitive Document on "Setting up a gateway on Ubiquiti EdgeRouter" (Draft)
EdgeRouter is a low-cost, "prosumer"-grade router made by Ubiquiti.
All routers in the product family, such as EdgeRouter X, EdgeRouter Lite, and EdgeRouter PoE, run the EdgeOS router operating system. EdgeOS is Ubiquiti's OEM fork of Vyatta (later acquired by Brocade). VyOS is a separate open-source fork of the same code base that has continued to develop since, so the commands below will probably not work unchanged on a current VyOS release.
EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet because EdgeOS has built-in support for the IPIP tunneling protocol. This guide was created based on the experiences of various individuals setting up a gateway to AMPRNet using the EdgeRouter PoE5 and ER-6P models. Other models should work with minimal adjustment, if any, since they all run the same OS. The main difference between models is that some have a switch interface that can be hardware offloaded for better performance; on a model without a switch interface you can use the Linux kernel-based "bridge" interface instead.
This guide covers only a single tunnel to the master AMPRNet gateway at UCSD. It does not cover setting up tunnels to other gateways.
Assumptions / Prereqs
• You have already registered with AMPRNet and got your 44Net allocation at https://portal.ampr.org.
• You should be seeing your allocation in the encap.txt file before you go further. It can be reviewed at http://44.0.0.1//encap.txt
• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org
• Your EdgeRouter is upgraded to the latest EdgeOS (currently version v3.0.0), although these instructions should work with 2.0.9
• You have backed up your router's current configuration, just in case (see below).
• You have a standard working NAT setup:
       •    Interface eth0 is your connection to your ISP (WAN)
       •    Interface eth1 is your home LAN, where your computers are connected behind NAT
       •    Interface eth2 will be the port that will provide your 44Net allocation
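As an added example (not part of this guide or of any AMPRNet tooling), the following Python script performs the encap.txt check from the prerequisites offline. It assumes the one-line-per-gateway format `route addprivate <subnet> encap <gateway-ip>` that encap.txt uses; the three sample lines embedded in it are constructed for the example, and the gateway address shown for the guide's allocation is the local-ip from the example config at the end of this page. To run it against the real file, fetch http://44.0.0.1//encap.txt and pass its text to check_allocation together with your allocation and the public address of eth0.

```python
import ipaddress

# Constructed sample in encap.txt format; these lines are made up for the example.
SAMPLE_ENCAP = """\
route addprivate 44.131.252.0/26 encap 198.51.100.7
route addprivate 44.131.252.64/28 encap 80.235.222.210
route addprivate 44.131.252.80/28 encap 203.0.113.9
"""


def parse_encap(text):
    """Return [(subnet, gateway)] from encap.txt-formatted text.

    Lines that do not have the expected five-field shape are skipped, so
    comments or blank lines in the real file do not break the check.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) == 5 and fields[:2] == ["route", "addprivate"]
                and fields[3] == "encap"):
            entries.append((ipaddress.ip_network(fields[2]),
                            ipaddress.ip_address(fields[4])))
    return entries


def check_allocation(text, allocation, public_ip):
    """Classify one allocation against encap.txt contents.

    Returns 'ok' when the allocation is listed with public_ip as its gateway,
    'gateway-mismatch:<ip>' when it is listed but points at another address
    (typical after an ISP address change), 'covered-by:<subnet>' when only a
    larger block containing it is listed (the parent is routed to someone
    else's gateway), and 'missing' otherwise.
    """
    alloc = ipaddress.ip_network(allocation)
    public = ipaddress.ip_address(public_ip)
    covering = None
    for subnet, gateway in parse_encap(text):
        if subnet == alloc:
            return "ok" if gateway == public else f"gateway-mismatch:{gateway}"
        if alloc.subnet_of(subnet):
            covering = subnet
    if covering is not None:
        return f"covered-by:{covering}"
    return "missing"


if __name__ == "__main__":
    # Stand-alone demo with the constructed sample; real use fetches encap.txt first.
    for alloc, pub in [("44.131.252.64/28", "80.235.222.210"),
                       ("44.131.252.64/28", "192.0.2.1"),
                       ("44.131.252.0/28", "192.0.2.1"),
                       ("44.131.252.96/28", "192.0.2.1")]:
        print(alloc, pub, "->", check_allocation(SAMPLE_ENCAP, alloc, pub))
```

A "gateway-mismatch" result means the UCSD gateway will encapsulate traffic for your subnet towards an address that is not your router; nothing you configure on the EdgeRouter can fix that, the portal entry has to be corrected first.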
The objective
Interface eth2 will be used as our AMPRNet LAN. Computers and other devices on it use addresses from your 44Net allocation and reach the rest of AMPRNet and the Internet through an IPIP tunnel from the EdgeRouter to the UCSD AMPRNet gateway, carried over your existing Internet connection. Their traffic is routed, not masqueraded.
Warning!!
The authors do not assume responsibility if you bork/brick/wedge your router. Please ensure that you back up your EdgeRouter configuration before making any changes. Also, ensure you know how to restore your configuration and how to reset your router to factory defaults if everything else fails.
Initial setup
Open the CLI using the GUI button, or connect with an ssh client such as ssh itself (Unix/Linux/Mac/newer releases of Windows) or PuTTY (Windows) to the LAN IP address of the router. On a freshly factory-reset router, plug your laptop into eth0, give your computer a static address in 192.168.1.x, and ssh to 192.168.1.1 with the user 'ubnt' and the password 'ubnt'. Change that default password before the router is connected to the Internet. If you have an existing LAN with a DHCP server, plug the LAN into port eth1 on the EdgeRouter instead. It will pick up an IP address in your LAN's prefix; look the address up in your current router's DHCP leases.
Most EdgeRouters have a "console" serial port. A Cisco-compatible USB to RJ-45 console cable costs about $10 from Amazon and elsewhere. Using the console port is highly recommended: if you lock yourself out of the network side of the EdgeRouter, you can still fix your "mistake" through the console.
You need to establish a gateway address for your 44 network; the clients on eth2 will use it as their default gateway.
We are going to use the 44Net allocation 44.131.252.64/28 throughout this guide; substitute your own.
The gateway will be the first usable IP in the block: 44.131.252.65 (.64 is the network address and .79 the broadcast address, so hosts can use .66 through .78).
Enter configuration mode and assign the address to eth2:
      configure
      # Set the AMPRNet network assignment you have received on eth2 (the gateway address we just decided on)
      set interfaces ethernet eth2 address 44.131.252.65/28
      # Now commit the changes
      commit
Setting up the tunnel
[ From here down needs serious re-work - Tim KC6GNJ]
The tunnel is named tun44 here rather than tun0 so that it does not collide with a tunnel interface you may already have. Whatever name you choose, use the same name in the routing policy and firewall steps below.
In configuration mode enter the following commands:
      set interfaces tunnel tun44 local-ip <the public IP assigned to you by your ISP>
      set interfaces tunnel tun44 remote-ip 169.228.34.84
      set interfaces tunnel tun44 encapsulation ipip
      set interfaces tunnel tun44 description "Tunnel to AMPRNet gateway"
      # Now commit the changes
      commit ; save
The local-ip must be the public address on eth0 that you registered as your gateway in the AMPRNet portal; it is the address shown after "encap" on your line in encap.txt. If your ISP changes that address, the tunnel stops working until you update both the portal entry and this setting. IPIP (IP protocol 4) carries no port numbers, so it generally cannot be forwarded through carrier-grade NAT; you need a real public address on eth0.
To verify your input so far, enter the following command
show interfaces tunnel tun44
The output should look like this
      description "Tunnel to AMPRNet gateway"
      encapsulation ipip
      local-ip <your assigned ISP address>
      remote-ip 169.228.34.84
Setting up source address routing policy
Most likely your home LAN is set up to route to any Internet destination via the interface connected to the ISP, and all your private addresses are masqueraded (NATed) before reaching the outside world. Entering the following command in operational mode prints the routing table:
      ubnt@ubnt:~$ show ip route
You should get something similar to this routing table
      Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
      O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      > - selected route, * - FIB route, p - stale info
      IP Route Table for VRF "default"
      S    *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth0
      C    *> <your ISP network> is directly connected, eth0
      C    *> 127.0.0.0/8 is directly connected, lo
0.0.0.0/0 is the default route: it matches every destination that no more specific route covers.
We want to make sure the following happen:
• Normal routing for your home computers LAN is maintained.
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define a source-address routing policy that makes sure only AMPRNet hosts are routed into the tunnel. It has three parts: a second routing table whose only route is a default route via the tunnel, a "modify" firewall ruleset that marks packets with a 44Net source address for that table, and the attachment of that ruleset to eth2 in the inbound direction. The tunnel name must match the one created above (tun44), and the source address must be your own allocation, the same one you put on eth2. In configuration mode:
      set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun44
      set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
      set firewall modify SOURCE_ROUTE rule 10 source address <your AMPRNet allocation, in our example 44.131.252.64/28>
      set firewall modify SOURCE_ROUTE rule 10 modify table 1
      set interfaces ethernet eth2 firewall in modify SOURCE_ROUTE
Now commit the changes
      commit ; save ; exit
Two consequences of this design are worth knowing. Packets arriving on eth2 with a source address outside your allocation do not match rule 10, so they follow the main routing table and leave via the ISP just like your home LAN traffic; if eth2 should carry nothing but 44Net traffic, add a firewall rule on eth2 that drops other sources. And because table 1 contains only a default route, traffic from a 44Net host to your home LAN is also sent into the tunnel; if those networks need to talk to each other, add the home LAN route to table 1 as well, or exclude that destination in rule 10.
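The following Python model, added here as an illustration rather than taken from the guide or from EdgeOS, simulates the forwarding decision the configuration above produces for a handful of packets. It assumes a home LAN of 192.168.1.0/24 on eth1, an ISP prefix of 203.0.113.0/24 with 203.0.113.10 on eth0, and wizard-style NAT that masquerades everything leaving eth0; none of these is stated in the guide. Routing tables are plain lists searched by longest prefix match, and the policy rule is applied exactly as the modify ruleset is attached: only on eth2, only for 44Net sources.

```python
import ipaddress

# From the guide: the 44Net allocation on eth2 and the router's gateway address.
AMPR_NET = ipaddress.ip_network("44.131.252.64/28")
GATEWAY = ipaddress.ip_address("44.131.252.65")
# Assumed for the example (not stated in the guide): home LAN on eth1 and the
# ISP-facing prefix on eth0, taken from RFC 1918 and documentation ranges.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
ISP_NET = ipaddress.ip_network("203.0.113.0/24")
LOCAL_ADDRS = {GATEWAY, ipaddress.ip_address("192.168.1.1"),
               ipaddress.ip_address("203.0.113.10")}

DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# Main routing table as "show ip route" would list it: connected routes plus the ISP default.
MAIN_TABLE = [(DEFAULT, "eth0"), (ISP_NET, "eth0"), (HOME_LAN, "eth1"), (AMPR_NET, "eth2")]
# protocols static table 1: a single interface-route 0.0.0.0/0 via the tunnel.
TABLE_1 = [(DEFAULT, "tun44")]


def lookup(table, dst):
    """Longest-prefix match; returns the egress interface or None."""
    candidates = [(prefix, iface) for prefix, iface in table if dst in prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def route(in_iface, src, dst):
    """Decide how the router forwards one packet under the guide's configuration.

    Returns (egress, masqueraded); egress is 'local' for packets addressed to
    the router itself, which the kernel's local table handles before any policy.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LOCAL_ADDRS:
        return "local", False
    # firewall modify SOURCE_ROUTE is attached to eth2 "in" and matches only
    # 44Net sources; only those packets are marked for table 1.
    policy_hit = in_iface == "eth2" and src in AMPR_NET
    egress = lookup(TABLE_1 if policy_hit else MAIN_TABLE, dst)
    # Assumed wizard-style NAT: masquerade whatever leaves through eth0.
    return egress, egress == "eth0"


if __name__ == "__main__":
    cases = [("eth2", "44.131.252.66", "8.8.8.8"),       # 44Net host to the Internet
             ("eth1", "192.168.1.10", "8.8.8.8"),        # home LAN host to the Internet
             ("eth2", "10.9.9.9", "8.8.8.8"),            # foreign/spoofed source on eth2
             ("eth1", "44.131.252.66", "8.8.8.8"),       # 44Net host plugged into the wrong port
             ("eth2", "44.131.252.66", "192.168.1.10"),  # 44Net host to the home LAN
             ("eth2", "44.131.252.66", "44.131.252.65")]  # 44Net host to its gateway
    for case in cases:
        print(case, "->", route(*case))
```

The third and fourth cases are the ones to notice: a non-44Net source on eth2 and a 44Net source on eth1 both escape through the ISP masqueraded, because the policy is keyed on interface and source together. The fifth case shows why table 1 needs more than a default route if the two LANs are meant to reach each other.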
Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth2 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.
The last test is to use a site like whatismyip.com to see the address we are coming from. If it shows the address of the above-mentioned host rather than your ISP address, we have successfully set up the AMPRNet gateway.
Finishing touches
If you have reached this far and everything is working correctly, it is time to save our configuration. In configuration mode enter the following:
      ubnt@ubnt# save
Since we now have an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to the tunnel interface. Without this, anything on AMPRNet or the Internet can reach your 44Net hosts and the router itself through the tunnel unfiltered. This can easily be done in the EdgeRouter GUI.
      • Select the Firewall/NAT tab
      • Select the Firewall Policies tab
There should be two rulesets
      o WAN_IN
      o WAN_LOCAL
For each ruleset, press the Actions button on the right and select the Interfaces option.
      • Press the + Add Interface button.
      • Select your tunnel interface (tun44 in this guide) as the interface. Select in as the direction for WAN_IN (traffic forwarded through the tunnel to your 44Net hosts) and local for WAN_LOCAL (traffic addressed to the router itself).
      • Finish by pressing the Save Ruleset button.
One more check. The encapsulated packets from UCSD arrive on eth0 addressed to the router itself, so the WAN_LOCAL ruleset on eth0 sees them as IP protocol 4 (IP-in-IP, "ipencap" in /etc/protocols) from 169.228.34.84. A default-drop WAN_LOCAL discards them unless recent outbound tunnel traffic has created a matching connection-tracking entry, which shows up as inbound pings from the Internet failing while outbound traffic works. Add a rule to WAN_LOCAL that accepts protocol 4 from source address 169.228.34.84 only; do not open protocol 4 from any source.
Example Config
This is from my working ER4.
Note that this configuration uses eth3, tun0 and routing table 5 where the procedure above uses eth2, tun44 and table 1; the structure is the same. It also applies a dedicated 44Net_IN ruleset on the tunnel's in direction (established/related and ICMP accepted, invalid state and everything else dropped) instead of reusing WAN_IN.
 firewall modify SOURCE_ROUTE {
        rule 10 {
            action modify
            description "traffic to ampr"
            modify {
                table 5
            }
            source {
                address 44.131.252.64/28
            }
        }
    }
 firewall name 44Net_IN {
        default-action drop
        description "44Net in"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description ICMP
            log disable
            protocol icmp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
  interfaces ethernet eth3 {
        address 44.131.252.65/28
        description 44.131.252.65/28
        duplex auto
        firewall {
            in {
                modify SOURCE_ROUTE
            }
            local {
            }
            out {
            }
        }
        ip {
        }
        speed auto
    }
  interfaces tunnel tun0 {
        description "Tunnel to AMPRNet"
        encapsulation ipip
        firewall {
            in {
                name 44Net_IN
            }
        }
        ip {
        }
        local-ip 80.235.222.210
        multicast disable
        remote-ip 169.228.34.84
        ttl 255
    }
  protocols static {
        table 5 {
            interface-route 0.0.0.0/0 {
                next-hop-interface tun0 {
                }
            }
        }
       }
