Ubiquiti Edgemax Dual WAN With Failover Initial Setup

Preface

A while ago, i decided to convert my home network to more “professional” gear. My existing setup had been performing great for years, but as line speeds continue to increase, and the number of connected devices seem to skyrocket, the network had gotten more and more sluggish, and the recent router hijacks just made me even more determined to get something that i have greater control over.

Years ago i ran my own router on a Soekris net4801 running pfSense, but line speeds eventually got faster than what the Soekris could keep up with, and i ended up on consumer hardware. I did run with my Time Capsule as my main router for 6 months or so, and while they perform great, i really don’t like the idea of my router containing all my backups, especially when i have no way of telling what goes on with that device. I ended up on a Cisco rv042g instead,

My regular internet line is a 50/50 Mbit fiber, and because my employer requires me to connect through a dedicated ADSL line, i have one of those as well. Searching for Dual-WAN routers narrowed the field. The Cisco had been great, but it bugged me that i could only set it to failover or load-balance. What i want is failover with some traffic going to the backup link. That narrowed the field quite a bit.

I ended up with two options, a “do it yourself” box with pfSense, or the new kid on the block, the EdgeRouter Lite which claims it can do 1 million pps and costs less than $100.

After reading raving reviews of the EdgeRouter, and realizing that the board i was going to run pfSense on was only capable of routing 85mb/sec and cost $235, i figured i’d give it a spin.

This is not your average consumer router though. The EdgeRouter runs Vyatta which is based of Debian Linux, but with a really powerful command line syntax for setting things up.

I searched the web for something similar to my setup, but couldn’t find anything readily available, so here is my attempt at documenting the setup process for myself, in the hope that others will find it useful.

I used this guide as inspiration for the basic setup.

Setting it up

In the following i will be setting up the EdgeRouter Lite for running a dual WAN / single LAN with WAN failover.

  • eth0 is LAN
  • eth1 is WAN1
  • eth2 is WAN2 (failover)

login to the EdgeRouter (ERL) and enter configure mode

configure

Interfaces

Here we will setup the network Interfaces

eth0 => LAN

edit interfaces ethernet eth0
set description "LAN"
set address 192.168.1.1/24
top

eth1 => WAN1

edit interfaces ethernet eth1
set description "WAN1"
set address dhcp
top

eth2 => WAN2

edit interfaces ethernet eth2
set description "WAN2"
set address dhcp
top

Users

The ERL ships with a default user of ubnt/ubnt, which we will replace with our own user.

Create a new user, the plaintext password will be encrypted on commit!

edit system login user new_user
set full-name "username"
set authentication plaintext-password "password"
set level admin
top
commit

Now logout of the router, and login as your newly created user.

Delete the default ubnt user

delete system login user ubnt

DNS Forwarding

In the next section we’re going to setup a DHCP server, and we’ll need to setup DNS servers for that. The following sets up a standard DNS forwarding service. There’s a bug (not acknowledged by Ubiquiti) that causes the router to write the WAN DNS servers to /etc/resolv.conf - even if you setup system dns servers. So if you use OpenDNS or similar, make sure you check resolv.conf.

edit service dns forwarding
set cache-size 1000
set listen-on eth0
top

DHCP Server

edit service dhcp-server
set disabled false
set dynamic-dns-update enable true
top

edit service dhcp-server shared-network-name LAN
set authoritative disable
edit subnet 192.168.1.0/24
set default-router 192.168.1.1
set dns-server 192.168.69.1
set domain-name somewhere.dk
set lease 86400
set start 192.168.1.50 stop 192.168.69.250
top

WAN Masquerading

Next we setup masquerading, which means your inside IP’s masquerade as the public IP of the router. We need a masquerade rule for each WAN interface, other than the interface name they’re identical.

edit service nat rule 5000
set description WAN_MASQ
set log disable
set outbound-interface eth1
set protocol all
set type masquerade
top

edit service nat rule 5001
set description WAN_MASQ
set log disable
set outbound-interface eth2
set protocol all
set type masquerade
top

Basic Firewall

First we setup some basic settings like ip forwarding, connection tracking etc.

edit firewall
set all-ping enable
set broadcast-ping disable
set conntrack-expect-table-size 4096
set conntrack-hash-size 4096
set conntrack-table-size 32768
set conntrack-tcp-loose enable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
set source-validation disable
set syn-cookies enable
top

Next we’ll create a basic firewall for WAN input.

edit firewall name WAN_IN
set description "Inbound WAN to (W)LAN"
set default-action drop

set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable

set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable

top

Local Firewall

The local firewall is a firewall that is there to protect the router itself. It filters traffic destined directly for the router. It is similar to the firewall above, but implemented separately so that when we poke holes in the WAN_IN firewall, we don’t open up the router at the same time.

edit firewall name WAN_LOCAL
set description "Inbound WAN to Local Router"
set default-action drop

set rule 5000 action accept
set rule 5000 description "Allow Established/Related"
set rule 5000 log disable
set rule 5000 protocol all
set rule 5000 state established enable
set rule 5000 state invalid disable
set rule 5000 state new disable
set rule 5000 state related enable

set rule 5001 action drop
set rule 5001 description "Drop Invalid"
set rule 5001 log disable
set rule 5001 protocol all
set rule 5001 state established disable
set rule 5001 state invalid enable
set rule 5001 state new disable
set rule 5001 state related disable

top    

Add firewall rules to interfaces

Next we apply the firewall rules to the WAN interfaces.

edit interfaces ethernet eth1 firewall
set in name WAN_IN
set local name WAN_LOCAL
top

edit interfaces ethernet eth2 firewall
set in name WAN_IN
set local name WAN_LOCAL
top

Basic system settings

set system host-name EdgeRouterLite 
set system domain-name somewhere.dk

set system name-server 8.8.8.8
set system name-server 8.8.4.4

set system time-zone Europe/Copenhagen

Load Balancing

Load balancing on EdgeOS requires multiple things to be setup. First we configure the actual load-balancer with the interfaces to be balanced, along with a route-test to determine if the link is alive.

Add eth1 to the load balancer.

edit load-balance group lb-default interface eth1 route-test
set initial-delay 60
set interval 100
set type ping target ping.ubnt.com
top

Add eth2 to the load balancer.

edit load-balance group lb-default interface eth2
set failover-only
edit route-test
set initial-delay 60
set interval 100
set type ping target ping.ubnt.com
top

Next we create firewall rules for modifying the routing table for failover.

There’s a bug with Hairpin NAT and load balancing, so this is a little hack that forces inbound traffic to use the main routing table discussed here

edit firewall modify lb rule 1
set action modify
set destination group address-group ADDRv4_eth0
set modify table main
up

then to setting up the actual modification

edit rule 10
set action modify
set modify lb-group lb-default
top

Apply firewall rules to our LAN interface so that all outbound traffic is routed according to the rules we just setup.

edit interface ethernet eth0 firewall in
set modify lb
top

Hairpin NAT

Hairpin NAT allows you to reach your public IP’s from the inside network. Basically it converts your inside address to the external address, and then back to the internal address. The 1.4.x software has a new configuration option for automatically setting up firewall, nat and hairpin nat, but unfortunately it doesn’t work with multiple WANs (or LANs), so for now we’re stuck with the “old way”.

edit service nat rule 5002
set description "Hairpin_MASQ"
set destination address 192.168.1.0/24
set log disable
set outbound interface eth0
set protocol all
set source address 192.168.1.0/24
set type masquerade
top

Apply changes and save

commit
save

You now how a basic dual wan router working. I didn’t setup load balancing since one of my links is significantly slower than the other, which means the load balancing is actually a degradation of service in my case.

Wrapping up

I’ve been running with this router now for a few weeks, and i must say i’m very pleased.

This is my (primary) WAN throughput with my old Cisco RV042g

Cisco RV042g throughput

And here’s one of my current throughput on the same line with the EdgeRouter.

EdgeRouter Lite Throughput


See also