For those that use my script for installing a LetsEncrypt cert in the Unifi Controller, I’ve made some small changes to update it to inject the new root certificates.
Category: Ubiquiti
EdgeRouter and Unifi routers are built on top of Linux with Netfilter/iptables. This gives them quite a bit of flexibility compared to other routing platforms based on proprietary operating systems.
Understanding how rules are applied in the netfilter stack is important in building an effective firewall.
IN and OUT Target Direction
IN and OUT rules are specifically for routing and only apply to packets that are going through the router, not originating from the router.
IN is processed first, and is the direction you should be using when trying to control what packets coming in on an interface should be doing.
For example, if you want to prevent your GUEST (eth2) network on 172.16.1.0/24 from communicating with your LAN (eth1) on 192.168.1.0/24…
set firewall name GUEST-IN rule 10 action drop
set firewall name GUEST-IN rule 10 description 'Drop traffic from GUEST to LAN'
set firewall name GUEST-IN rule 10 log disable
set firewall name GUEST-IN rule 10 protocol all
set firewall name GUEST-IN rule 10 source address 172.16.1.0/24
set firewall name GUEST-IN rule 10 destination address 192.168.1.0/24
set interfaces ethernet eth2 firewall in name GUEST-IN
Basically, you want to act on packets as early on in the stack as possible.
OUT rules are evaluated the same way as IN rules, and after them. Because both are implemented in the netfilter FORWARD chain, they are technically the same mechanism; the in/out split exists mostly for the benefit of the user.
LOCAL Target Direction
LOCAL rules are specifically for controlling traffic directed at the router and have no impact on routed traffic.
For example, if you wanted to restrict access to SSH from the WAN (eth0)…
set firewall name WAN-LOCAL rule 10 action drop
set firewall name WAN-LOCAL rule 10 description 'Drop SSH connections from WAN'
set firewall name WAN-LOCAL rule 10 log disable
set firewall name WAN-LOCAL rule 10 protocol tcp
set firewall name WAN-LOCAL rule 10 destination port 22
set interfaces ethernet eth0 firewall local name WAN-LOCAL
LOCAL rules are applied to the netfilter INPUT chain. There is no way to add rules to the netfilter OUTPUT chain unless you insert them directly via iptables.
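To make the IN/OUT versus LOCAL distinction concrete, here is an added Python model (not from the original post) of how EdgeOS rulesets map onto netfilter chains and which ruleset a given packet actually hits. The router addresses, interfaces, sample packets and the WAN-LOCAL ruleset name are constructed, and both rulesets are assumed to have default-action accept; it also shows that a ruleset attached with the in hook never sees traffic addressed to the router itself.

```python
# Added example, not from the original post: a toy model of the EdgeOS hooks
# (IN/OUT -> netfilter FORWARD, LOCAL -> netfilter INPUT) to see which ruleset
# a packet actually hits. All addresses and interface names are constructed.
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str
    protocol: str = "all"
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    dport: Optional[int] = None

ROUTER_ADDRS = {"203.0.113.10", "192.168.1.1", "172.16.1.1"}  # the router's own IPs
ROUTES = {"eth0": "0.0.0.0/0", "eth1": "192.168.1.0/24", "eth2": "172.16.1.0/24"}

# GUEST-IN as in the post; WAN-LOCAL carries the SSH rule on the local hook.
# Both rulesets are assumed to have default-action accept.
RULESETS = {
    "GUEST-IN": [Rule("drop", source="172.16.1.0/24", destination="192.168.1.0/24")],
    "WAN-LOCAL": [Rule("drop", protocol="tcp", dport=22)],
}
ATTACH = {("eth2", "in"): "GUEST-IN", ("eth0", "local"): "WAN-LOCAL"}

def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def egress(dst: str) -> str:
    """Longest-prefix match over ROUTES to find the outgoing interface."""
    candidates = [(ipaddress.ip_network(n).prefixlen, i) for i, n in ROUTES.items()
                  if in_net(dst, n)]
    return max(candidates)[1]

def run(name: Optional[str], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no ruleset on the hook, or no match, means accept."""
    for r in RULESETS.get(name, []):
        if (r.protocol in ("all", proto) and in_net(src, r.source)
                and in_net(dst, r.destination) and r.dport in (None, dport)):
            return r.action
    return "accept"

def verdict(iface: str, src: str, dst: str, proto: str = "tcp", dport: int = 0):
    """Return (netfilter chain, rulesets consulted, final action) for one packet."""
    if dst in ROUTER_ADDRS:                      # to the router itself: INPUT -> LOCAL
        name = ATTACH.get((iface, "local"))
        return "INPUT", [name], run(name, src, dst, proto, dport)
    hooks = [ATTACH.get((iface, "in")), ATTACH.get((egress(dst), "out"))]
    for name in hooks:                           # FORWARD: IN on ingress, OUT on egress
        if run(name, src, dst, proto, dport) == "drop":
            return "FORWARD", hooks, "drop"
    return "FORWARD", hooks, "accept"
```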
Here’s what you need to do to run the Unifi Controller on Debian Buster:
Add the following to /etc/apt/sources.list:
deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main
Do:
wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | apt-key add -
(thx u/theinvisibleman_ for the key update info on his post here)
Grab:
http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb
http://security.debian.org/debian-security/pool/updates/main/o/openjdk-8/openjdk-8-jre-headless_8u232-b09-1~deb9u1_amd64.deb
Do:
dpkg -i <package deb file>
To install both of those packages. Then:
apt-get update
And install the mongodb packages:
apt-get install mongodb-org-server mongodb-org-tools mongodb-org-shell
This should give you all you need to install the controller deb.
If I missed any depends, let me know as I threw this together after the fact and may have forgotten something.
Since ~ 2012, UBNT has had its series of gigabit-capable routers, known as the EdgeRouter line. There have been a few generations of these over the years, focusing on either price or performance points. It can be confusing when trying to find the best one to suit your needs, so let’s do an overview of the different models and what they each bring to the table.
All of the ERs have pretty much the same software features, so we won’t go into too much detail on software unless it’s an important distinction.
First Generation (Cavium)
EdgeRouter Lite
This is the original EdgeRouter model – inexpensive (sub-$120 USD), capable of near wirespeed routing with its hardware offloading and accelerated IPSec VPN. Has three gigabit ethernet ports, and can do various routing protocols such as BGP, OSPF, RIP, etc.
There are two versions of these – the original plastic ones and the newer metal case ones. The original plastic ones have known issues with the DRAM and flash drives.
Old, but if you can find one cheap (either metal case, or a plastic one with the USB flash drive replaced), they make a great inexpensive CPE – however their CPU is pretty slow and anemic, making for poor performance with OpenVPN, QoS, and other CPU-bound uses.
EdgeRouter 5 POE
Basically an ERL with an integrated switch and passive 24v and 48v POE support (not 802.3af/at). These can power an older Unifi AP that supports 24v passive, or some AirMax type devices.
Has same performance limitations as the ERL.
EdgeRouter 8
Rack mounted ER, faster CPU, and 8 gigabit copper ethernet ports. Better performance with CPU bound applications/services such as OpenVPN and QoS. Has all of the same software and offload capabilities as the ERL.
EdgeRouter Pro 8
Another rack mounted ER with a step up in performance from the ER8. Has two SFP ports and six copper ethernet ports (two are shared). Was top of the line performer for routing until EdgeRouter Infinity was released.
Although a solid performer, the ER8 and ERP8 are both outclassed by the newer ER4/6/12/Infinity models. If you can find them inexpensively, they make a good router for sub-gigabit connections.
“1.5” Generation (MediaTek)
EdgeRouter X
This little router has a great price/performance ratio – for under $60 USD you get a 5 port router (built-in switch) that is able to be powered over 24v passive POE, and is capable of outputting 24v passive for some Unifi APs. Performance is almost equal to the ERL in many cases, with it performing better for some tasks like OpenVPN.
It does however have some limitations – offloading can be hit or miss performance wise, especially with the 2.0 firmware. There is a single gigabit link between the internal switch and the CPU, which limits the theoretical max routing performance. It also lacks a serial port, making it a pain to recover if you lock yourself out.
These units tend to be my ‘go-to’ for customers needing an inexpensive router while leaving room for future growth.
EdgeRouter X SFP
An ERX with an added SFP port and 24v passive POE on all five copper gigabit ports.
EdgeRouter 10X (new!)
An ERX with double the RAM, double the flash storage, and double the ports! The 10 port integrated switch makes this router a nice router/switch combo, perfect for small offices and home users.
This device somewhat straddles the older ERX and the newer ER4/6/12/Infinity line – not as good performance as the 2nd generation of ERs, but an improvement over the original ERX.
The serial port has been re-added, and this device can only run the new EdgeOS 2.x software.
2nd Generation (Cavium)
EdgeRouter Infinity (AKA ER-8-XG)
UBNT’s first 10G router – 8 SFP+ ports and one gigabit copper. 16 CPU cores, 16GB of DDR4 RAM, and up to 80Gbps throughput. This beast of a router was the first in the newest generation of routers, and packs quite a bit of performance in 1U. It has dual PSUs.
The internal SFP+ banks can be quirky – they are split into two banks of 4. If you want to run 1G SFP modules in some, you have to switch one bank (either 1-4 or 5-8) to being for 1G only.
For ~ $1850 USD, it’s not a bad price if you need > 1G performance.
EdgeRouter 4/6P/12/12P
UBNT’s newest line of routers – these are in the same CPU family as the Infinity, but are focused on 1G performance and price point. Since they all have the same general performance, we’ll just point out the differences in what each offers hardware wise:
- ER4 – Base model, 3 gigabit copper ports, 1 SFP port
- ER6P – 5 gigabit copper ports, 1 SFP port. 24v passive POE on copper ports
- ER12 – 10 gigabit copper ports (integrated switch), 2 SFP ports, 24v passive POE pass-through
- ER12P – 10 gigabit copper ports (integrated switch), 2 SFP ports, 24v passive POE on copper ports
These units are optional rack mount, with a bracket kit available. They are passively cooled, small form factor, in a durable metal case.
Overview
When you have your own IPv4/IPv6 address space, it’s advantageous to announce it via your router to your ISP – especially if you have multiple providers (multi-homing). Even the lowest end EdgeRouters such as the ER-X and ERL can do a full BGP table.
The Prefix Lists
The prefix lists are used to control what routes you get from your ISP, as well as the ones you send (announce).
policy {
    prefix-list BGP-ISP-From {
        rule 10 {
            action permit
            le 24
            prefix 0.0.0.0/0
        }
    }
    prefix-list BGP-ISP-To {
        rule 10 {
            action permit
            prefix 192.0.2.0/24
        }
    }
    prefix-list6 BGP-ISPv6-From {
        rule 10 {
            action permit
            le 64
            prefix 0::/0
        }
    }
    prefix-list6 BGP-ISPv6-To {
        rule 10 {
            action permit
            le 48
            prefix 2001:DB8::/32
        }
    }
}
The -From prefix lists are for routes you receive (imported) from your ISP, while the -To lists are for routes being exported (announced) to your provider. In the case of IPv4, the smallest globally accepted size most if not all providers announce is /24. For IPv6, the smallest globally accepted size is /48.
‘le’ matches prefix lengths less than or equal to the given value, i.e. that prefix or anything shorter (‘le 48’ won’t allow a /64 IPv6 prefix from your ISP’s routing table, but it will allow a /32). ‘ge’ matches prefix lengths greater than or equal to the given value, i.e. that prefix or anything longer (‘ge 56’ won’t allow a /48, but will allow a /56, /64, or even /128).
In the above examples, 192.0.2.0/24 is your IPv4 netblock, and 2001:DB8::/32 is your IPv6 one. 0.0.0.0/0 and 0::/0 means match all.
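As an added example (not part of the original post), here is a small Python model of EdgeOS/Quagga prefix-list matching that evaluates constructed sample routes against the four lists above. It assumes Quagga semantics: a route must fall inside the rule’s prefix, a rule with neither ge nor le matches only the exact length, and a route that matches no rule hits the implicit deny at the end of the list.

```python
# Added example, not from the original post: a model of EdgeOS (Quagga) prefix-list
# matching, used to check what the four lists above would permit.
import ipaddress
from typing import Optional

def entry_matches(entry_prefix: str, route: str,
                  ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """One prefix-list rule: the route must lie inside entry_prefix; with no
    ge/le the lengths must be equal, otherwise ge <= route length <= le."""
    ent = ipaddress.ip_network(entry_prefix, strict=False)
    rte = ipaddress.ip_network(route, strict=False)
    if ent.version != rte.version or not rte.subnet_of(ent):
        return False
    if ge is None and le is None:
        return rte.prefixlen == ent.prefixlen
    if ge is not None and rte.prefixlen < ge:
        return False
    if le is not None and rte.prefixlen > le:
        return False
    return True

def evaluate(rules, route: str) -> str:
    """First matching rule decides; anything unmatched hits the implicit deny."""
    for action, prefix, ge, le in rules:
        if entry_matches(prefix, route, ge, le):
            return action
    return "deny"

# The lists from the post as (action, prefix, ge, le) tuples ("::/0" is the post's 0::/0).
BGP_ISP_FROM = [("permit", "0.0.0.0/0", None, 24)]     # import: /0 .. /24
BGP_ISP_TO = [("permit", "192.0.2.0/24", None, None)]  # export: exactly the /24
BGP_ISPV6_FROM = [("permit", "::/0", None, 64)]        # import: /0 .. /64
BGP_ISPV6_TO = [("permit", "2001:DB8::/32", None, 48)] # export: /32 .. /48

if __name__ == "__main__":
    # Constructed sample routes, one per interesting boundary.
    for lst, name, route in [
        (BGP_ISP_FROM, "BGP-ISP-From", "203.0.113.0/24"),
        (BGP_ISP_FROM, "BGP-ISP-From", "203.0.113.0/25"),    # longer than le 24
        (BGP_ISP_TO, "BGP-ISP-To", "192.0.2.0/25"),          # not the exact /24
        (BGP_ISPV6_TO, "BGP-ISPv6-To", "2001:DB8:1::/48"),
        (BGP_ISPV6_TO, "BGP-ISPv6-To", "2001:DB8:1:2::/64"), # longer than le 48
    ]:
        print(f"{name:14} {route:22} -> {evaluate(lst, route)}")
```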
The Route Maps
While you can just use prefix lists with BGP to control routes imported and exported, route maps give you much more flexibility and control, and can even include AS path matching.
policy {
    route-map BGP-ISPv6-From {
        rule 10 {
            action permit
            match {
                ipv6 {
                    address {
                        prefix-list BGP-ISPv6-From
                    }
                }
            }
        }
    }
    route-map BGP-ISPv6-To {
        rule 10 {
            action permit
            match {
                ipv6 {
                    address {
                        prefix-list BGP-ISPv6-To
                    }
                }
            }
        }
    }
    route-map BGP-ISP-From {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list BGP-ISP-From
                    }
                }
            }
        }
    }
    route-map BGP-ISP-To {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list BGP-ISP-To
                    }
                }
            }
        }
    }
}
Like the prefix lists, -To and -From are your specific directions in and out (import and export). They’re pretty self-explanatory and reference the prefix lists used before.
BGP Protocol Configuration
protocols {
    bgp 65501 {
        address-family {
            ipv6-unicast {
                network 2001:DB8::/32 {
                }
            }
        }
        neighbor 100.64.100.1 {
            remote-as 65502
            route-map {
                export BGP-ISP-To
                import BGP-ISP-From
            }
            soft-reconfiguration {
                inbound
            }
            update-source 100.64.100.2
        }
        neighbor fd00::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export BGP-ISPv6-To
                        import BGP-ISPv6-From
                    }
                }
            }
            remote-as 65502
            soft-reconfiguration {
                inbound
            }
            update-source fd00::2
        }
        network 192.0.2.0/24 {
        }
        parameters {
            router-id 100.64.100.2
        }
        redistribute {
            connected {
            }
            kernel {
            }
            static {
            }
        }
    }
}
In the above example, our local router has the IPv4 address of 100.64.100.2 and the IPv6 address of fd00::2 with an ASN of 65501. The BGP-enabled router on our ISP’s side is 100.64.100.1 and fd00::1 with an ASN of 65502. We are assuming that our routers are connected over a non-shared link within one hop. If the BGP router is more than one hop away, you need to configure ‘ebgp-multihop’ with the appropriate number of hops to your ISP’s router.
Showing BGP Information
user@router1:~$ show ip bgp neighbor
BGP neighbor is 100.64.100.2, remote AS 65502, local AS 65501, external link
  BGP version 4, remote router ID 100.64.100.2
  BGP state = Established, up for 01w0d05h
  Last read 01w0d05h, hold time is 90, keepalive interval is 30 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    4-Octet ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv4 Multicast: received
  Received 2838376 messages, 0 notifications, 0 in queue
  Sent 20788 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is 100.64.100.1
 For address family: IPv4 Unicast
  BGP table version 6603726, neighbor version 6603716
  Index 2, Offset 0, Mask 0x4
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor (both)
  Inbound path policy configured
  Outbound path policy configured
  Route map for incoming advertisements is *BGP-ISP-From
  Route map for outgoing advertisements is *BGP-ISP-To
  688930 accepted prefixes
  1 announced prefixes

  Connections established 1; dropped 0
External BGP neighbor may be up to 1 hops away.
Local host: 100.64.100.2, Local port: 60803
Foreign host: 100.64.100.1, Foreign port: 179
Nexthop: 100.64.100.1
BGP connection: shared network

BGP neighbor is fd00::1, remote AS 65502, local AS 65501, external link
  BGP version 4, remote router ID 100.64.100.1
  BGP state = Established, up for 01w0d05h
  Last read 01w0d05h, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    4-Octet ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised
    Address family IPv6 Unicast: advertised and received
  Received 686685 messages, 0 notifications, 0 in queue
  Sent 10394 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is fd00::2
 For address family: IPv4 Unicast
  BGP table version 6603726, neighbor version 6603716
  Index 1, Offset 0, Mask 0x2
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor (both)
  0 accepted prefixes
  0 announced prefixes
 For address family: IPv6 Unicast
  BGP table version 858622, neighbor version 858620
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  Inbound path policy configured
  Outbound path policy configured
  Route map for incoming advertisements is *BGP-ISPv6-From
  Route map for outgoing advertisements is *BGP-ISPv6-To
  49892 accepted prefixes
  1 announced prefixes

  Connections established 1; dropped 0
Local host: fd00::2, Local port: 179
Foreign host: fd00::1, Foreign port: 8044
Nexthop: 100.64.100.1
Nexthop global: fd00::1
BGP connection: shared network