Ubiquiti Router Configuration Notes

Ubiquiti EdgeRouters provide a decent router platform for an advanced home or small business network. This post outlines some of my configuration notes for dnsmasq, L2TP VPN, RADIUS authentication, and dual WAN.

After getting gigabit fiber to my home, I decided it was time to upgrade my home router from the junk router offerings typically available. I have so far been impressed with the Ubiquiti EdgeRouter Pro. I have also installed the Ubiquiti EdgeRouter Lite for others and was happy with its setup and performance for typical use.

The EdgeRouter devices offer dual WAN load-balancing or failover options, as well as VPN capabilities. I decided to document some typical configuration settings that may be useful for later reference. Without the personnel and infrastructure to maintain a certificate authority and per-user certificates, as OpenVPN requires, I found L2TP to be a decent choice for home users or small businesses: it is still moderately secure while needing only a pre-shared key common to everyone plus an individual password per user. RADIUS authentication could, depending on the setup, become a point for denial-of-service attacks that lock users out.

An important thing to note when planning how these EdgeRouters fit into your network is that they are not switches. Configuring bridging, or otherwise using the device as a switch, carries a significant performance penalty because traffic then falls back to software-based routing instead of hardware-accelerated routing.

The setup notes below assume you ran the setup wizard previously, as that produces much of the configuration needed (for example, for dual WAN/failover). Without it, or with a manually configured or modified setup, details such as the names of firewall rulesets and load-balancing groups may differ.

Configure Dnsmasq

* Note that at the time of this blog entry, Google has announced several security issues with Dnsmasq. EdgeRouters should be updated to at least firmware v1.9.7+hotfix.4 (which should be available the week of October 9, 2017), or the system should be patched manually. Details are available on the Ubiquiti community forums regarding the dnsmasq vulnerabilities.

Setting up DNS forwarding with Dnsmasq lets the router resolve local host names from its own DHCP leases without managing static entries by hand. This assumes eth1 and eth2 are LAN networks (primary and guest LAN, for example) on which to serve DNS. Replace the 192.168.1.0/24 address space, the listening ports (interfaces), the DNS servers and the domain name with your own values. See the Ubiquiti community forums on using dnsmasq for more information.

configure
delete service dns forwarding
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding cache-size 400
set service dns forwarding options "listen-address=192.168.1.1"
delete system name-server
set system name-server 127.0.0.1
##uncomment lines below if desired or if using static WAN in order to use your own static DNS servers
#set service dns forwarding name-server 8.8.8.8
#set service dns forwarding name-server 8.8.4.4
set system domain-name internal.example.com
set service dhcp-server use-dnsmasq enable
commit
save

Configure L2TP VPN

This assumes eth0 and eth1 are load-balanced/failover WAN ports. Adjust the ports, address space and authentication secret as necessary. Optionally, set a proper MTU value for your WAN network.

In my limited testing so far, I was unable to get this working in a failover WAN configuration so I only used my primary WAN eth0. It seemed like half of my traffic was dropping and I was unable to reliably establish connections.

Per the Ubiquiti forums, there is an issue when establishing multiple connections from the same network. If I recall correctly, an OpenSwan update corrected this issue. A future update to the Ubiquiti firmware should resolve it once they upgrade to that OpenSwan release.

configure
delete vpn
set vpn ipsec ipsec-interfaces interface eth0
 
##SINGLE DHCP WAN
set vpn l2tp remote-access dhcp-interface eth0
 
##SINGLE STATIC WAN (Replace with Static WAN IP)
set vpn l2tp remote-access outside-address X.X.X.X
 
##LOADBALANCED/FAILOVER DHCP WAN
#set vpn l2tp remote-access dhcp-interface eth1
 
##LOADBALANCED/FAILOVER STATIC WAN
#set vpn ipsec ipsec-interfaces interface eth1
 
##LOADBALANCED GATEWAY
#set vpn l2tp remote-access outside-address 0.0.0.0
set vpn l2tp remote-access client-ip-pool start 192.168.1.200
set vpn l2tp remote-access client-ip-pool stop 192.168.1.249
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret YOURPRESHAREDSECRETGOESHERE
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
#set vpn l2tp remote-access mtu 1472
set vpn l2tp remote-access authentication require mschap-v2
commit
save

Add L2TP VPN Authentication

Decide whether to use Local or RADIUS authentication.

Local Authentication

configure
set vpn l2tp remote-access authentication mode local
 
##For every new user, run below
#set vpn l2tp remote-access authentication local-users username NEWUSER password NEWPASSWORD
 
##Delete a user
#delete vpn l2tp remote-access authentication local-users username OLDUSER
##Show users
#show vpn l2tp remote-access authentication local-users|more
 
commit
save

RADIUS Authentication

configure
##Replace with the IP and key of your RADIUS server
set vpn l2tp remote-access authentication radius-server 192.168.1.X key YOURRADIUSKEY
set vpn l2tp remote-access authentication mode radius
commit
save

Firewall Rules

You will need to add firewall rules for the VPN. Check the rule numbers already present in WAN_LOCAL first, and make sure the numbers used below (30 through 60) do not collide with existing rules, since setting an existing rule number modifies that rule rather than adding a new one.

configure
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "Allow IKE"
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
 
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description "Allow L2TP"
set firewall name WAN_LOCAL rule 40 destination port 1701
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol udp
 
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description "Allow ESP"
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol esp
 
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description "Allow NAT-T"
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
 
commit
save

Additional Notes

  • I could not get my Windows 10 client to connect from one network. The issue appeared to be that I was behind a double NAT. I had to add a registry value to loosen the security around this (a value of 2 lets the Windows IPsec client establish security associations when both it and the server are behind NAT), as follows:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\
    AssumeUDPEncapsulationContextOnSendRule = 2
  • I had an issue where I had three LAN networks (DMZ/Main/Guest) with dual WAN load-balancing/failover, and VPN traffic wouldn't work from the last LAN I had set up (eth4). Since I added the third LAN network by hand instead of through the setup wizard, it never added the interface to the firewall load-balancing group. If you set up a new port manually, ensure you add it to the load-balancing group as necessary, similar to the following.
    configure
    set interfaces ethernet eth4 firewall in modify balance
    commit
    save
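Three of the pitfalls in these notes can be checked against a saved configuration before committing: new WAN_LOCAL rule numbers merging into existing rules, the dnsmasq forwarder listening on a WAN port instead of only the LANs, and a hand-added LAN interface that never joined the load-balancing group. The Python script below is an added example, not code from the original post or from Ubiquiti. It parses the brace-style format of /config/config.boot (the same format `show configuration` prints) and runs those three checks over a constructed sample config. It assumes the WAN ports are exactly the members of the load-balance group, as the wizard's dual-WAN setup produces, and that the LAN interfaces are the remaining Ethernet interfaces that carry an address.

```python
import shlex

# Constructed EdgeOS config excerpt (config.boot format): WAN_LOCAL with a
# hand-added rule 30, WAN ports eth0/eth1 in a load-balance group, Main LAN
# eth2 with `modify balance`, hand-added Guest LAN eth4 without it, and a DNS
# forwarder that wrongly also listens on WAN port eth0.
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        rule 10 {
            action accept
        }
        rule 30 {
            action accept
            description "Allow SSH from management host"
        }
    }
}
interfaces {
    ethernet eth2 {
        address 192.168.1.1/24
        firewall {
            in {
                modify balance
            }
        }
    }
    ethernet eth4 {
        address 192.168.4.1/24
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
    }
}
service {
    dns {
        forwarding {
            listen-on eth0
            listen-on eth2
        }
    }
}
"""

def parse_edgeos(text):
    """'a {' -> cfg['a'] = {}; 'a b {' -> cfg['a']['b'] = {}; 'a b' -> cfg['a'] = ['b', ...]."""
    root = {}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            tokens = shlex.split(line[:-1])
            node = stack[-1].setdefault(tokens[0], {})
            if len(tokens) > 1:  # tag node such as `rule 10` or `ethernet eth2`
                node = node.setdefault(tokens[1], {})
            stack.append(node)
        else:  # leaf; repeated leaves (listen-on, name-server) accumulate
            tokens = shlex.split(line)
            stack[-1].setdefault(tokens[0], []).append(tokens[1] if len(tokens) > 1 else None)
    return root

def _get(cfg, *path):
    """Walk nested keys, returning {} where a step is missing."""
    for key in path:
        cfg = cfg.get(key, {}) if isinstance(cfg, dict) else {}
    return cfg

def used_rule_numbers(cfg, ruleset):
    return sorted(int(n) for n in _get(cfg, "firewall", "name", ruleset, "rule"))

def rule_collisions(cfg, ruleset, proposed):
    """Proposed numbers that `set firewall name ... rule N` would merge into an existing rule."""
    return sorted(set(proposed) & set(used_rule_numbers(cfg, ruleset)))

def wan_interfaces(cfg):
    """Assumption: the WAN ports are the members of the load-balance group(s)."""
    groups = _get(cfg, "load-balance", "group")
    return sorted({i for g in groups.values() for i in _get(g, "interface")})

def dns_listening_on_wan(cfg):
    """Forwarder listen-on interfaces that are WAN ports (open-resolver exposure)."""
    listen = _get(cfg, "service", "dns", "forwarding", "listen-on")
    return sorted(set(listen) & set(wan_interfaces(cfg)))

def lans_missing_balance(cfg):
    """Addressed non-WAN interfaces that lack `firewall in modify balance`."""
    wan = set(wan_interfaces(cfg))
    return sorted(name for name, node in _get(cfg, "interfaces", "ethernet").items()
                  if name not in wan and "address" in node
                  and _get(node, "firewall", "in").get("modify") != ["balance"])

if __name__ == "__main__":
    cfg = parse_edgeos(SAMPLE_CONFIG)  # on the router: open("/config/config.boot").read()
    print("rule collisions:", rule_collisions(cfg, "WAN_LOCAL", [30, 40, 50, 60]))
    print("DNS on WAN:", dns_listening_on_wan(cfg), "| LANs missing balance:", lans_missing_balance(cfg))
```

Run it against a copy of the router's config.boot (or the pasted output of `show configuration`); empty lists mean no findings. For the sample above it reports rule 30 as a collision, eth0 as a WAN port the forwarder listens on, and eth4 as a LAN missing `modify balance`. Any number returned by rule_collisions should be swapped for an unused one before entering the `set firewall name WAN_LOCAL rule N` lines.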

About ipaul

My name is Paul Hassinger, the founder of ipaul.com. I have been an avid user of computers since I was a child. I started when I was about 10 years old, working on an Atari computer. Since then, I have grown and had exposure to all types of technologies. I started using FIDONet on a BBS as a child and grew into the Internet. My first graphical world wide web experience was in 1993 using Mosaic. Over time I've worked with both small and large computing systems, even maintaining systems serving millions of users on some of the largest social networking sites. I hope to use this blog to capture what I've learned over the years and what I do in my daily life so that others and I may find the information useful.