EdgeRouter Configuration in 3 minutes

EdgeRouters come with eth0 as the default LAN port. This configuration keeps eth0 as LAN and configures eth1 as WAN, so if you hardware-reset the device or lose its configuration, you don't have to go swapping cables.

# Give your workstation a static address in 192.168.1.0/24 and ssh to
# 192.168.1.1 on eth0 (the factory default LAN address).

# Create a new admin user first, so the factory account can be removed in the
# next step. The password is typed in plaintext here; EdgeOS converts it to a
# hash on commit, but it may remain in this session's command history, so use
# a long one and treat the session as sensitive.
configure
set system login user mynewusername authentication plaintext-password mynewlongpassword
set system login user mynewusername level admin
commit

# Log in again as the new user in a fresh session, then delete the factory
# "ubnt" account so the default credentials no longer work.
configure
delete system login user ubnt
commit
save

# System settings. `save` does not leave configure mode, so no new `configure`
# is needed; these lines are applied by the commit in the DNS step below.
set system host-name myedge
set system domain-name mydomain.com
set system name-server 8.8.8.8
set system time-zone America/Los_Angeles
# time-zone names: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

# Default is eth0 = 192.168.1.1 with eth0 as the internal port; keep that role,
# but renumber it to 10.242.0.1/24. eth1 is configured as WAN further down.
# Once this is committed (DNS step below) the ssh session on 192.168.1.1 will
# drop: move your workstation to 10.242.0.0/24 and reconnect to 10.242.0.1.

delete interfaces ethernet eth0 address
set interfaces ethernet eth0 address 10.242.0.1/24
# DHCP server for the LAN. NOTE(review): the subnet is written as a host
# address (10.242.0.1/24); EdgeOS normally expects the network form
# 10.242.0.0/24 — confirm the commit accepts it before relying on this.
set service dhcp-server shared-network-name vlan10 subnet 10.242.0.1/24 default-router 10.242.0.1
# Clients use the router for DNS; the dns forwarding step below makes the
# router actually answer on eth0.
set service dhcp-server shared-network-name vlan10 subnet 10.242.0.1/24 dns-server 10.242.0.1
# Dynamic pool .10-.100; keep reservations outside this range.
set service dhcp-server shared-network-name vlan10 subnet 10.242.0.1/24 start 10.242.0.10 stop 10.242.0.100
set service dhcp-server shared-network-name vlan10 authoritative enable
# Lease time in seconds (86400 = 24 h).
set service dhcp-server shared-network-name vlan10 subnet 10.242.0.1/24 lease 86400

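# Add DHCP reservations (static mappings).
# https://help.ubnt.com/hc/en-us/articles/204952254-EdgeRouter-Configure-DHCP-Server-on-EdgeRouter
# https://help.ubnt.com/hc/en-us/articles/204960064-EdgeRouter-UniFi-Controller-DHCP-Options
# The mapping must sit under the same subnet node as the pool above
# (10.242.0.1/24). The original put the reserved host address (.101) in the
# subnet field, which would create a second, unrelated subnet node instead.
# The reserved address is given with `ip-address` and should fall outside the
# dynamic pool (.10-.100). Example values: replace the hostname, the address
# and the placeholder MAC with the real client's.
set service dhcp-server shared-network-name vlan10 subnet 10.242.0.1/24 static-mapping mystatichostname ip-address 10.242.0.101
set service dhcp-server shared-network-name vlan10 subnet 10.242.0.1/24 static-mapping mystatichostname mac-address FF:FF:FF:FF:FF:FF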

# Make the router's DNS forwarder answer on the LAN interface (clients are
# handed 10.242.0.1 as dns-server above). Upstream resolution presumably goes
# through the system name-server set earlier — verify with a lookup from a
# LAN client after the commit.
set service dns forwarding listen-on eth0
# This commit also applies the eth0 renumbering, so the session on
# 192.168.1.1 drops. Reconnect to 10.242.0.1 and enter `configure` again.
commit

# Connect the WAN uplink to eth1. `configure` is needed again because the
# previous commit dropped the session on 192.168.1.1.
configure
# WAN address comes from the ISP via DHCP.
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description WAN_Internet

# Enable outbound NAT (masquerade LAN traffic behind eth1's address).
# Rule number 5000 leaves room for more specific, lower-numbered rules later.
set service nat rule 5000 description "Outbound NAT"
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade
commit

# Confirm eth1 received a DHCP lease from the ISP (`run` executes an
# operational-mode command from inside configure mode).
run show interfaces

save

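# Only expose management (ssh and the web UI) on the LAN address, never on
# the WAN side. Commit and save it here: the original left these two lines
# uncommitted across the reboot below, where they would have been lost.
set service ssh listen-address 10.242.0.1
set service gui listen-address 10.242.0.1
commit
save

# Apply the latest firmware.
# https://help.ubnt.com/hc/en-us/articles/205146110-EdgeRouter-Upgrading-EdgeOS-Firmware
# https://www.ubnt.com/download/edgemax
# These are operational-mode commands; from configure mode they need the
# `run` prefix (as `run show interfaces` above does). The image URL is model-
# and version-specific — the one below is the ER-e300 v1.10.1 image the
# original author used; take the current image for your model from the
# download page instead of copying it.
run show system image
run show system image storage
# Removes the image that is not currently booted, to make room for the new one.
run delete system image
run add system image https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e300.v1.10.1.5067768.tar

# The reboot ends this session; log back in and enter `configure` afterwards.
run reboot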

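# After the reboot, log in again and re-enter configure mode before the sets
# below; the original omitted this, and `set` is not valid in operational mode.
configure
# Make sure hardware offloading is enabled.
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding enable
# hwnat exists only on the ER-X family; skip this line on other models.
set system offload hwnat enable
commit
save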

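# Add an ssh public key and switch ssh to key-only authentication.
# Copy your public key to the router first (e.g. scp it to ~/ed.pub of the
# new user). Load it for the new admin user: the original ran
# `loadkey ubnt ed.pub`, but "ubnt" was deleted earlier, so password login
# would have been disabled with no working key for the remaining account.
configure
loadkey mynewusername ed.pub
commit
# From a second terminal, confirm that key-based ssh to 10.242.0.1 works
# BEFORE disabling passwords. The original placed this test before anything
# was committed, so the key could not actually be exercised, and a bad key
# would have locked you out.
set service ssh disable-password-authentication
commit
save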

# Disable the older/insecure TLS ciphers on the web UI.
configure
set service gui older-ciphers disable
commit
# Check that you can still reach the web UI on https://10.242.0.1 from a
# current browser before saving.
save

# Firewall: global options.
# Log packets arriving with impossible (martian) source addresses.
set firewall log-martians enable
# Do not honour IP source-routing options.
set firewall ip-src-route disable
# Keep answering ping (useful for diagnostics); the WAN_LOCAL ruleset below
# still decides whether pings from the WAN reach the router at all.
set firewall all-ping enable

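# WAN_IN: traffic from the internet forwarded through the router to the LAN.
# Drop everything by default and only let replies to LAN-initiated connections
# through. A "drop invalid" rule is added to match the WAN_LOCAL ruleset below.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN_IN"
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 state invalid enable
set interfaces ethernet eth1 firewall in name WAN_IN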

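# WAN_LOCAL: traffic from the internet addressed to the router itself.
# Drop by default; allow replies, drop invalid state, and allow only services
# that are intentionally exposed. The original's rule 30 accepted tcp/22 from
# the WAN; it is left out here because ssh was bound to 10.242.0.1 in the
# management step, so the rule was dead while that restriction held and would
# have silently become live if the listen-address were ever removed. If ssh
# from the WAN is genuinely needed, add a rule scoped to a trusted
# `source address` and revisit the listen-address together with it.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN_LOCAL internet to edgerouter"
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 state invalid enable

# Allow OpenVPN. Keep this only if an OpenVPN server is actually configured on
# this router (none is shown on this page); otherwise delete rule 40.
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'Allow OpenVPN'
set firewall name WAN_LOCAL rule 40 destination port 1194
set firewall name WAN_LOCAL rule 40 protocol udp

set interfaces ethernet eth1 firewall local name WAN_LOCAL
# The original ended without applying the firewall; commit and save it.
commit
save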

Further reading