What are you setting up?
I’ve been wanting to re-do my existing home office network after downsizing from my usual enterprise-level Cisco routers and switches in my remote office. After a discussion on Slack with my PaaS Security team mates, I thought I’d look into an EdgeRouter X for security reasons; an EdgeSwitch caught my eye along with it, and inevitably a UniFi AP had to be thrown in there as well.
I’m setting up a “secure” home network where I create network partitions (VLANs) to section off different devices according to their security “profile”.
Mainly security. But it’s good to know how your network is set up, and to make conscious, verifiable decisions about which devices can and should be able to “talk” to each other. For example, people who visit your house and need to use the internet don’t need to be able to browse your network shares or link up to your printer. And for my current work situation in particular, the work laptop needs to be isolated on its own so the corporate network probing that comes with it is contained.
The high-level overview of connectivity and what we’re configuring at different points in the design looks like this:
The ‘MyRepublic’ router is temporary, so I can set up and configure the new network without disrupting the existing internet connection for the rest of the house. Once it’s all go, the ONT will go directly to the EdgeRouter X.
List of hardware used in this setup:
Advanced Gigabit Router with PoE and SFP
- 5 x Gigabit RJ45 Ports (eth0-eth5/SFP)
- 1 x SFP Port
- 24V Passive PoE all RJ45 ports
- Firmware: EdgeOS v1.10.7
Managed 10-Port Gigabit Switch with PoE
- 8 x Gigabit RJ45 Ports
- 2 x SFP Ports
- 24V Passive PoE all RJ45 ports
- Firmware: v1.1.0
802.11ac Dual Radio Access Point
- Dimensions ∅160 x 31.45 mm
- 2.4 GHz Speed 300 Mbps
- 5 GHz Speed 867 Mbps
- 1 x 10/100/1G RJ45 Port
Essentially, the data flow goes from devices connected to the UAP, or EdgeSwitch, up to the EdgeRouter, is routed or firewalled accordingly, and is dropped or continues out into the internet via the Optical Network Terminal (ONT).
The main crux of the whole setup is the EdgeRouter X, which we will set up in the commonly known ‘router-on-a-stick’ configuration, i.e. all downstream devices flow upstream to the router along a single cable, get routed, and carry on (or get dropped) from there.
To start with, we will set up the initial interfaces as follows:
Key points of this layer:
- assigning the 172.16.x.x range to the EdgeRouter’s LAN interfaces to avoid clashes with the upstream router’s DHCP range, which is locked on 192.168.x.x.
- upstream router (MyRepublic) has DHCP enabled for our downstream WAN interface
- configure Out-of-Band (OOB) Management interface first and work from this connection to configure everything in case a misconfig locks you out.
- set up all downstream devices to use DHCP on the eth1 interface to pick up an IP for their management interfaces, then statically map those IPs on the EdgeRouter to pin them in place.
EdgeRouter X (initial setup)
To connect to the EdgeRouter X when you power it up for the first time, use the ‘eth0’ port and open a browser to the https://192.168.1.1 default IP address.
default login/password: ubnt/ubnt
Next, go to the ‘Wizards’ section, and choose ‘Basic Setup’:
The wizard’s good for getting everything in the ballpark, but don’t stress about it too much because we’ll configure things specifically afterwards anyway.
- eth0 is our WAN/internet port, set to DHCP to pick up an IP from upstream
- enable default firewall, which we will add to later
- only use one LAN for now, just means we configure one address space for all.
The EdgeRouterX will ask you if it can reboot, you say yes.
Once the EdgeRouterX is rebooted, you can do the following:
- connect a cable from a free LAN port on the MyRepublic router (or whatever the upstream router is) to the EdgeRouterX eth0 port.
- connect your PC/laptop to any ‘ethX’ port on the EdgeRouterX (eth1-eth4)
- your PC/laptop should pick up a ‘172.16.1.x’ address due to the DHCP server we setup on that network.
- open a browser to ‘https://172.16.1.1’ - this is your new management interface IP.
If you need to factory reset your EdgeRouterX (I did a couple of times) to get to a known state, see “EdgeRouterX Reset to Factory Defaults” in References section below.
This step isn’t mandatory and you can continue setting things up without it, but here are the steps to have one just in case.
When you ran the ‘Basic Setup’ wizard and specified that we only use ONE LAN, all the LAN ports (eth1, eth2, eth3, eth4) were put into a ‘switch0’ interface.
What we need to do here is separate one of those ethX ports out of switch0 so we can use it as our OOB-MGMT port.
If you just try to assign an IP address to one of the ethX ports, you’ll get an error about assigning an IP address to a switch-port interface (or words to that effect; I can’t remember the exact error).
Find the interface named ‘switch0’ and click the ‘Action>Config’ from the dropdown.
Click the ‘Vlan’ tab and you’ll see this:
Uncheck any or all of the ethX checkboxes.
Click ‘Save’ and exit back to the ‘Dashboard’ window.
Now set up the OOB-MGMT interface by picking an ethX port. I’m using eth4, configured as follows:
- ‘Manually define IP address’ = 172.16.5.1/24
(Optional) You can set up a DHCP service for this network, ‘172.16.5.0/24’, if you want to automatically get an IP address in the correct range just by plugging into the eth4 port.
Click ‘Services’, then ‘+ Add DHCP Server’.
Then setup a DHCP Server along these lines
Now, plug your PC/laptop into eth4 and you should be assigned an IP in the 172.16.5.x range, and can now open up the EdgeRouterX management GUI at https://172.16.1.1.
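The same OOB-MGMT steps can be done from the EdgeOS command line (SSH or the GUI’s CLI button) instead of clicking through the ‘Vlan’ tab and the DHCP dialog. This is an added example, not configuration from the original post: the shared-network name ‘OOB-MGMT’, the .10-.50 lease range and the password placeholder are my own choices, and the eth4 address matches the post.

```edgeos
# Enter configuration mode and detach eth4 from switch0 so it can carry
# its own address (this is what unchecking eth4 on the 'Vlan' tab does).
configure
delete interfaces switch switch0 switch-port interface eth4

# Dedicated out-of-band management interface on 172.16.5.1/24.
set interfaces ethernet eth4 description OOB-MGMT
set interfaces ethernet eth4 address 172.16.5.1/24

# Optional DHCP so a laptop plugged into eth4 lands in the right range.
# 'OOB-MGMT' and the .10-.50 range are assumed values, not from the post.
set service dhcp-server shared-network-name OOB-MGMT authoritative enable
set service dhcp-server shared-network-name OOB-MGMT subnet 172.16.5.0/24 start 172.16.5.10 stop 172.16.5.50
set service dhcp-server shared-network-name OOB-MGMT subnet 172.16.5.0/24 default-router 172.16.5.1
set service dhcp-server shared-network-name OOB-MGMT subnet 172.16.5.0/24 dns-server 172.16.5.1
set service dhcp-server shared-network-name OOB-MGMT subnet 172.16.5.0/24 lease 86400

# Replace the factory ubnt/ubnt credential before anything else is plugged in
# (the value below is a placeholder, not a real password).
set system login user ubnt authentication plaintext-password 'CHANGE-ME-placeholder'

commit
save
exit

# Back in operational mode, confirm the address and that a lease was handed out.
show interfaces ethernet eth4
show dhcp leases
```

If you later want the management GUI and SSH reachable only from this port, `set service gui listen-address 172.16.5.1` and `set service ssh listen-address 172.16.5.1` do that, but then the GUI is at https://172.16.5.1 rather than the 172.16.1.1 address used in the rest of this walkthrough, so do that as the last step, from the eth4 side, not before.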
Before we move to configure the EdgeSwitch, connect a network cable from eth1 of the EdgeRouterX to port 8 of the EdgeSwitch.
Once that cable is connected, the EdgeSwitch will receive an IP address from the DHCP service we set up.
On the EdgeRouterX, if you look at the DHCP service set up by the ‘Basic Setup’ wizard, you will see this:
The range starts at ‘172.16.1.10’, so the EdgeSwitch should be on this IP address as this is the first and only device we’ve plugged into our setup so far.
Go to https://172.16.1.10
default username/passwd = ubnt/ubnt
When logged in, for now, have a look at the ‘Port summary’ on the main page, and it looks something like this:
Key points for the setup:
- Plug the Unifi AP AC Lite into Port 1
- Update ‘Port name’ for Port 1 to “Unifi AP AC Lite”
- Enable PoE to 24v, from the drop-down menu (options: Off, 24V)
- Update ‘Port name’ for Port 8 to “ER-X Uplink”
That’s it for the EdgeSwitch 10XP for now… let’s setup the Unifi AP AC Lite!
AP AC Lite
The AP is a little bit more involved because you interact with the Unifi AP using a network controller software, which you have to install and host somewhere on the network that the AP can reach.
This updates our diagram a little bit, adding the controller service running from IP address 172.16.5.2 on port 8443:
Install Unifi Network Controller
Follow the official documentation for setting up the network controller: “UniFi - How to Set Up a UniFi Network Controller”.
You need a Unifi account to login to the controller. If you don’t have an account, go to https://account.ui.com/ to create one.
For my Ubuntu setup, I did the following:
- Download the installer from https://www.ui.com/download/unifi/
- Run the installer on my server
- Check the service status, or stop/start/restart it as needed:
  - To start UniFi if the web page prompt does not appear: `sudo service unifi start`
  - To stop the UniFi service: `sudo service unifi stop`
  - To restart the UniFi service: `sudo service unifi restart`
  - To see the status of the UniFi service: `sudo service unifi status`
- Run through the setup wizard when you browse to
After the setup, you can now visit the network controller management UI (in my case) on https://172.16.5.2:8443 (this PC is on my OOB-MGMT interface).
Log in with your UniFi account.
And here’s your ‘Default’ SITE
I created a new ‘site’ from the drop-down menu and had to move an already set-up UAP into it, which cleared the device of all the WiFi networks and Networks I had previously set up. So be careful if you want to move devices to a different site: they will be wiped before moving.
Technically, at this point if you’ve followed the official setup documentation you should be looking at your UAP device in your ‘Devices’ section like this:
with a ‘connected’ status
If not, you may want to look at a couple of things
I had a scenario where the UAP would try to update its firmware as part of setup, but would then fail and drop to a ‘disconnected’ status.
Why was this happening?
The answer was: DNS. It’s always DNS.
The UAP was trying to call out to the internet to resolve and connect to a domain and pull down the firmware update. Things weren’t resolving and the activity was failing.
The solution was to enable DNS forwarding on the EdgeRouterX for these interfaces (i.e. eth1). Our DHCP server had told every client to resolve via the router’s own interface address, but the router had not been told to listen for DNS on that interface, so the UAP’s queries arrived and went unanswered.
On the EdgeRouterX, go to ‘Services’ -> ‘DNS’:
- Click ‘+ Add Listen interface’
- Click ‘Save’
If you go back to your UAP and retry the update & provisioning steps you should be okay now.
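The same fix from the EdgeOS command line, together with the static mapping mentioned earlier that pins the EdgeSwitch at 172.16.1.10 so its address survives a lease change. This is an added example, not configuration from the original post: ‘LAN’ is assumed to be the shared-network name the Basic Setup wizard created (check yours with `show configuration commands | match dhcp-server`), and the MAC address is a placeholder.

```edgeos
configure
# Let the forwarder answer on the LAN uplink (eth1, the EdgeSwitch/UAP side)
# and on the OOB port; without listen-on, clients told to use the router as
# their resolver get no reply.
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth4
set service dns forwarding cache-size 150
# Forward to the upstream resolvers learned by DHCP on the WAN port (eth0)
# rather than hard-coding any.
set service dns forwarding dhcp eth0

# Pin the EdgeSwitch to the address the wizard's pool first handed it.
# 'LAN' is an assumed shared-network name; the MAC is a placeholder.
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 static-mapping edgeswitch ip-address 172.16.1.10
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 static-mapping edgeswitch mac-address 00:11:22:33:44:55
commit
save
exit

# Operational-mode checks: which upstream servers the forwarder is using,
# whether queries are actually being answered, and what DHCP has leased.
show dns forwarding nameservers
show dns forwarding statistics
show dhcp statistics
show dhcp leases
```

From a client on the eth1 side, `dig @172.16.1.1 www.ui.com` (or `nslookup www.ui.com 172.16.1.1`) should now return an answer; if `show dns forwarding statistics` shows queries arriving but no upstream nameservers listed, the WAN side is the problem rather than the listen interface.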
Right, this has been long enough and it’s only Part 1 of 3!
In the next installment we set up the VLANs across all three devices.