Ubiquiti EdgeRouter-X


“Infrastructures are essential to everyday life, but they are always the supporting player, never the goal. It is only when there is trouble that the infrastructure is noticed …” -Donald Norman, The Invisible Computer

Ubiquiti ER-X

There was nothing wrong with my almost 5-year-old Buffalo router, but after hearing Steve Gibson talk about the $50 Ubiquiti EdgeRouter-X on episode #569 of the Security Now! podcast, I knew it was time to replace the Buffalo.

Unlike most consumer/home routers, the ER-X has no built-in wireless. It’s a router, not an access point. This wasn’t a problem for me since I hadn’t been using the Buffalo for wireless since I had put in the Ubiquiti UniFi AP two years ago (and now my AP and new router are from the same manufacturer). Also unlike your average consumer router, the ER-X has five logical interfaces behind its five physical ports (eth0 – eth4). This means you can configure the individual ports however you want: each port can be its own separate subnet, you can group ports into a switch, bridge ports, etc. I’m using the traditional setup of 1 WAN port (eth0) plus 4 switched ports (eth1 – eth4). The ER-X can be powered with the included AC brick, or via (non-standard, not 802.3af) 24V passive PoE input on eth0 (which can then do PoE passthrough to eth4 to power, say, a UniFi AP). For now I’m using the AC adapter and not PoE.

For the past 9 years I’ve run DD-WRT on my home routers but now, with the ER-X, I’m learning Ubiquiti’s EdgeOS. It’s got a pretty slick interface, although not all of the router’s features are available to configure through the GUI (like setting up a PPTP VPN connection), so some command line interface (CLI) interaction is required. SSH’ing into the router and using the shell to set the more advanced options should be familiar to anyone with Linux experience (once you learn a few Ubiquiti-specific configuration commands).

The driving factor behind switching routers was attempting to re-organize my home network with three separate, isolated segments:

I’m still finalizing the configuration, but so far I’ve set up the three wireless SSIDs on the UniFi AP and tagged two of them (guest and IoT) with VLANs. On the ER-X, I created the two VLANs (on the switch), tagged them on eth4 (the port connected to the AP), set up DHCP servers for the three segments on 192.168.1.0, 192.168.5.0, and 192.168.10.0 and confirmed that the wireless devices on a VLAN get an IP address on the corresponding subnet.

I’ve been having some problems with the firewall setup, so I still have some items to get working:

  • allow pings from VLAN1 to VLAN10 (for Nagios monitoring)
    • update: I wasn’t able to get this working so I put the (previously unused) wireless adapter in my server on the VLAN10 network so it had access to ping devices on that network
  • guest devices on VLAN5 can’t find the UniFi controller on VLAN1 so they don’t load the captive guest portal
    • update: I gave up trying to get this to work. I tried all sorts of firewall rules and other suggestions from people on the EdgeMAX forums but just could not get unauthorized guest devices on VLAN5 to see the UniFi controller
  • learn how to write firewall rules for true subnet separation (except for the Nagios requirement above)
    • update: I got these working using this information as a baseline (along with help from EdgeMAX forum members). Basically I wrote two pairs of rules (one IN and one LOCAL for the guest and IoT VLANs) that prevent them from talking to the primary LAN and each other.
  • separate a wired device on eth2 to be part of VLAN10
    • update: after re-doing some setup from scratch, I got this working on eth1 by setting the PVID to 10 for that port in switch0
  • NAT hairpin/loopback for the VLANs
    • update: despite having switch0.5 added as a LAN interface on the Port Forwarding tab, enabling the “Hairpin NAT” checkbox, and suggestions from the EdgeMAX forum members (like DNAT rules), I cannot get devices on the guest VLAN5 to access local services (like access to this blog).
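
As an added example (not configuration from the post or from Ubiquiti), here is what the VLAN and isolation setup described above looks like in the EdgeOS CLI, using the post’s interfaces (switch0, eth1, eth4) and subnets. The ruleset and group names are my choices, and where the post describes two IN/LOCAL pairs, this version attaches one shared pair to both isolated VLANs; that reuse is an assumption, not the author’s layout.

```edgeos
configure

# VLAN 5 (guest) and VLAN 10 (IoT) as sub-interfaces of switch0,
# tagged on eth4 (the port to the AP); eth1 is placed untagged in VLAN 10.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 5 address 192.168.5.1/24
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 switch-port interface eth4 vlan vid 5
set interfaces switch switch0 switch-port interface eth4 vlan vid 10
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10

# One group holding all three home subnets the isolated VLANs may not reach.
set firewall group network-group HOME_NETS network 192.168.1.0/24
set firewall group network-group HOME_NETS network 192.168.5.0/24
set firewall group network-group HOME_NETS network 192.168.10.0/24

# ISOLATED_IN: packets arriving from the VLAN that are routed elsewhere.
# Internet traffic is allowed; anything aimed at another home subnet is
# dropped. Replies to a ping started from the primary LAN (the Nagios case)
# still pass because they match rule 10 (established/related).
set firewall name ISOLATED_IN default-action accept
set firewall name ISOLATED_IN rule 10 action accept
set firewall name ISOLATED_IN rule 10 state established enable
set firewall name ISOLATED_IN rule 10 state related enable
set firewall name ISOLATED_IN rule 20 action drop
set firewall name ISOLATED_IN rule 20 destination group network-group HOME_NETS

# ISOLATED_LOCAL: packets aimed at the router itself. Only DHCP and DNS
# are needed; SSH and the web GUI stay unreachable from these VLANs.
set firewall name ISOLATED_LOCAL default-action drop
set firewall name ISOLATED_LOCAL rule 10 action accept
set firewall name ISOLATED_LOCAL rule 10 state established enable
set firewall name ISOLATED_LOCAL rule 10 state related enable
set firewall name ISOLATED_LOCAL rule 20 action accept
set firewall name ISOLATED_LOCAL rule 20 protocol tcp_udp
set firewall name ISOLATED_LOCAL rule 20 destination port 53,67

# Attach the same pair to both VLAN interfaces.
set interfaces switch switch0 vif 5 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 5 firewall local name ISOLATED_LOCAL
set interfaces switch switch0 vif 10 firewall in name ISOLATED_IN
set interfaces switch switch0 vif 10 firewall local name ISOLATED_LOCAL

commit
save
exit
```

After committing, `show firewall name ISOLATED_IN statistics` shows per-rule packet counters, which is the quickest way to confirm that cross-VLAN attempts are landing on rule 20 rather than the default action.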

The ER-X is a pretty advanced device for $50 and I’m looking forward to learning more about advanced networking topics as I tweak it. Just so long as my family can deal with the home network going down a lot as I make mistakes. 🙂
