Oddly, it’s quite hard to find Ubiquiti hardware in the UK, but I’ve previously sourced equipment from an eBay distributor (http://stores.ebay.co.uk/ubntshop/) and they were able to provide the best price for the ERL.
I fired the first EdgeRouter up and started getting to know the webUI. It didn’t take long, but it seemed very basic. Even for my relatively simple requirements I’d need to get to know the CLI. The official Ubiquiti Edgemax support forum (https://community.ubnt.com/t5/EdgeMAX/bd-p/EdgeMAX) was a great place to start.
An important thing to note is that the Edgemax operating system is based on Vyatta, so if you struggle to find an Edgemax specific solution to a problem you may be able to find a Vyatta solution which will work on your Ubiquiti hardware.
IP Addresses
One of the first decisions was an IP addressing scheme. I decided to use 192.168.x.y;
- where x represents the site (in increments of 10 to allow for future splitting) and
- y will be the same at every site for the router & file server
The DHCP range will be from .1 to .199
Firmware Upgrade
I should have done this a little earlier, but when configuring the system parameters I was reminded to check for a firmware upgrade and found the shipped unit was running a pretty outdated v1.1 (the current at the time of posting is v1.5). So I went ahead and upgraded.
Default Configuration (WAN + 2LAN)
The new firmware has a great wizard to get you started. I chose the WAN + 2LAN setup and was immediately up and running with the router providing internet connectivity to the LAN. However, at this point in time double NAT is occurring as the internet connection is provided by a BT HomeHub3 (which doesn’t support bridge mode).
ADSL Modem
To avoid the double NAT scenario it was necessary to purchase an ADSL modem. There don’t appear to be many to choose from; I opted for the Draytek Vigor 120. Absolutely no configuration of the modem was required, I simply plugged it in and set the ERL WAN connection to use PPPoE with login credentials;
username: bthomehub@btbroadband.com password: BT
…and voila!
VPN
Initially during testing I placed both Edgerouters side by side, set static IP addresses (8.10.0.1 and 8.20.0.1) and connected them with an ethernet cable. Unfortunately, I was unable to get an IPSec tunnel established using the WebUI, but after looking at some sample configs on the forum I was able to get it working using the CLI.
I had to then modify 3 elements to get it working on-site;
- the peer to use the dynamic hostname
- the local-ip to use 0.0.0.0
- the interface to use pppoe0
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface pppoe0
        }
        nat-traversal enable
        site-to-site {
            peer dynamic-hostname.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret secret
                }
                connection-type initiate
                default-esp-group FOO0
                ike-group FOO0
                local-ip 0.0.0.0
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        subnet 192.168.20.0/24
                    }
                    remote {
                        subnet 192.168.10.0/24
                    }
                }
            }
        }
    }
}
This was working well, but if either internet connection dropped or a router got rebooted the VPN wouldn’t automatically come back up. Supposedly dead-peer-detection should take care of this, but it doesn’t appear to be working. I decided to create a simple workaround using a cron script;
#!/bin/bash
# EdgeOS wrapper that lets a script run operational-mode commands
run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
# If no security association reports "up", restart the VPN
$run show vpn ipsec sa | grep -q "up"
if [ $? -ne 0 ]
then
    $run restart vpn
fi
The following command creates a cron job to run the script every 5 minutes;
set system task-scheduler task vpn_monitor executable path /config/scripts/vpn_monitor.sh
set system task-scheduler task vpn_monitor interval 5m
By placing the script in /config/scripts you ensure it remains after a firmware upgrade and is included in configuration backups.
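A more defensive version of the monitor, added here as an example rather than taken from the post: it checks the state of the one tunnel the post configures instead of any "up" in the output, skips the restart while pppoe0 has no address (a restart cannot help then), and logs each decision with logger so restarts show up in the syslog. It assumes the EdgeOS paths from the post; the peer name is the post's placeholder and the sample output is constructed.

```shell
#!/bin/bash
# Added example, not the original post's script: a drop-in replacement for
# /config/scripts/vpn_monitor.sh that checks one specific tunnel, skips the
# restart while the WAN (pppoe0) has no address, and logs what it does to syslog.
# Assumes EdgeOS paths from the post; PEER is the post's placeholder hostname.
RUN=/opt/vyatta/bin/vyatta-op-cmd-wrapper
PEER=dynamic-hostname.com
TUNNEL=1
WAN_IF=pppoe0

# tunnel_up N: reads "show vpn ipsec sa" output on stdin and succeeds only if
# the row for tunnel N has State "up". A bare grep "up" would be satisfied by
# any other tunnel that happens to be up.
tunnel_up() {
    awk -v t="$1" '$1 == t && $2 == "up" { found = 1 } END { exit found ? 0 : 1 }'
}

# wan_up IF: succeeds if the interface currently holds an IPv4 address, which
# for pppoe0 means the PPPoE session is established.
wan_up() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q ' inet '
}

# Constructed sample of "show vpn ipsec sa" output (not captured from a real
# router): tunnel 1 is down while tunnel 2 is up, the case a plain grep misses.
SAMPLE_SA='Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.10                            0.0.0.0

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       down   n/a            n/a      n/a     no     0       3600    all
    2       up     0.0/0.0        aes128   sha1    no     42      3600    all'

# Only act on a real router; off the router the wrapper is absent and the
# functions above can be exercised against SAMPLE_SA instead.
if [ -x "$RUN" ]; then
    if ! wan_up "$WAN_IF"; then
        logger -t vpn_monitor "$WAN_IF has no address, not restarting vpn"
    elif "$RUN" show vpn ipsec sa | tunnel_up "$TUNNEL"; then
        : # tunnel is up, nothing to do
    else
        logger -t vpn_monitor "tunnel $TUNNEL to $PEER is down, restarting vpn"
        "$RUN" restart vpn
    fi
fi
```

Install it the same way as the post's script (copy to /config/scripts, chmod +x, then the two task-scheduler commands above); the logger lines are what to look for in the syslog when checking whether the task is actually firing.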
Static-Host-Mapping
We want to block a few websites (namely facebook) and rather than overcomplicating things with url-filtering / squidguard, we’ve simply set a few static host mappings;
set static-host-mapping host-name facebook.com inet 127.0.0.1
We also set a static host map for the file server at the other site (as the DNS server on the local router doesn’t have any knowledge of hostnames/IP addresses serviced by the other site). Maybe at a later date I will try and find out if I can forward DNS requests to the other site before going out to the internet.
Backup
Every time I make a configuration change I download a config backup.
On one occasion the backup failed to download and the WebUI became unresponsive (rebooting the router fixed things, but the backup still wouldn’t download). I later discovered this was due to the size of the /config folder after installing squidguard and downloading the category database. As I wasn’t going to be using this initially I simply removed it.
MS Distribution (UK) http://www.msdist.co.uk/ are pretty good for most Ubiquiti hardware in the UK, and recently did a next-day delivery for me while I was back in the UK on one of the new UVC Cameras. Not sure how they compare on price, but service is great.
ERL £80 inc P&P from ubntshop on eBay. £100 plus P&P from msdist (looks like you need to register before they will even tell you how much delivery is).
UVC Dome £100 inc P&P from ubntshop on eBay. £130 plus P&P from msdist.
That’s more than 30% more expensive!
Hello, I tried to use your script but it seems that vyatta does not validate the file although I created the file.
This is what it says:
File /config/scripts/vpn.sh does not exist or is not executable
Value validation failed
Set failed
Thanks for your help
Have you tried running the script? It was quite a while ago I set it all up, but I may have had to chmod +x to make it executable?
Hi, this solution seems to be simple, but it’s not working for me. I’ve made the script (via notepad, saved with .sh). Copied it to config/scripts/. Made it executable (chmod +x) and set up the scheduler (5m and for test also 2m – none of these variants works). I can’t see any logs for IPsec restart (even none with error), but I see these logs if I execute “restart vpn” manually. Unfortunately I’ve to test it without the pppoe up because I’ve to bring the router functional to the customer premises (access to DSL line). The topology is almost the same, ERL with pppoe + modem in bridge mode. One IPsec point-to-point + L2TP over IPsec. Any ideas? Thanks a lot.