Ubiquiti EdgeRouter X - Configuring to Isolate Surveillance Networks

guykuo

Jul 7, 2018
Sammamish, WA

(This topic began as an inquiry regarding interest. Enough desire was shown to proceed. Main content is later in this thread)
Main content begins at the post marked "MAIN TOPIC CONTENT BEGINS WITH THIS POST" later in this thread.


Introduction
The Ubiquiti EdgeRouter X is a low cost ($62), highly configurable, stable, managed router that can safeguard your surveillance network from cameras "phoning home" while still giving you full access to cameras from your computer. Unfortunately, configuring an EdgeRouter X is difficult and requires considerable network knowledge. The router arrives from the factory as little more than a switch. Once configured, it is a powerful device, but many steps are required to turn it into a useful router and firewall.

For someone well versed in network wiring, protocols, and router rules, that process can require hours of painstaking work.
This topic provides a faster, easier path via a pre-configured settings file.


Configuration Features

WAN 0 (eth0)
- This connects to the internet and expects to receive its WAN address via DHCP. Typically your cable modem in bridge mode would connect to this.

LAN 1 Main (eth1) - Main, general purpose network that has full access to the WAN and all other LANs. Because the main LAN has full access to the other LANs, your main computer can connect to surveillance and IoT devices.

Guest WiFi (eth0.1003) - VLAN 1003 for guest WiFi access points. Access only to the internet, no LANs.

LAN 2 Surveillance (eth2) - Isolated LAN that cannot access the internet nor any other LAN. Cameras and NVR/PC live on this isolated network. Only the NVR/PC is (optionally) granted special access to the WAN. Cameras cannot access anything in the outside world. They must even get NTP time from the EdgeRouter X.

LAN 3 Limited - A limited LAN for IoT devices. Limited LAN 3 can reach the internet, but no other LANs.

LAN 4 Limited - Another limited LAN. Limited LAN 4 can reach the internet, but no other LANs.

OpenVPN server (vtun0) - OpenVPN tunneling for remote access. This is an advanced setup feature. For security purposes, it is not pre-built in my configuration file. Instead I supply instructions for building the OpenVPN service on your EdgeRouter.

Notes:
Each LAN is physically separate, and on a different IP range.
LoopBack (aka Hairpin NAT) works with EdgeRouter X. You can use same DynDNS name inside and outside of your network.
We will not be using the EdgeRouter X's pass through POE.

Network Wiring

  • NEVER NEVER connect an ethernet cable between different LANs. They must remain separate. Their only interconnection is via the EdgeRouter X.
  • Each LAN coming out of the EdgeRouter gets connected to a physically separate switch. For instance, LAN 1 Main would connect to a regular network switch. Then, your regular network devices would connect to that Main LAN switch.
  • Your Surveillance LAN 2 would be well served with a POE+ switch into which your surveillance cameras and recording PC connect.
  • If you use an NVR and it implements its own subnet, your cameras can alternatively connect to the NVR.
 
@guykuo - Great post. Thanks for taking a stab and doing this. I am looking for a wired router that can handle OpenVPN and the ER-X seemed like a likely candidate. Haven't bought it yet though. Some hesitation. I watched some setup videos on youtube and the basic router settings I'm okay with, but anything beyond that would be a challenge. Even more so, setting up the OpenVPN, if it requires command line programming. Realistically that could be a problem for my feeble brain.

For my network, I was only expecting a WAN and single LAN setup. The camera network will be on a separate subnet connected to a second NIC in the BI host computer. Besides the WAN input, I was expecting to connect three devices to the router and all would be on the same LAN: wireless router for family room, office desktop, office switch (office desktop, VOIP box, BI Host). Are you saying that it's recommended to connect all these devices to a switch and then connect the switch to a single LAN port on the ER-X rather than a direct connection?

I would welcome any documentation that would assist though it seems like it would be a huge time sink on your part. Thanks!
 
Interesting note on Ubiquiti gear. All my Dahua cameras get their POE from Ubiquiti switches. Any detail to share on that note?


 
Interesting note on Ubiquiti gear. All my Dahua cameras get their POE from Ubiquiti switches. Any detail to share on that note?
I thought GUYKUO's note was in reference to the pass-through POE feature on the ER-X. See the attached data sheet. The ER-X can be powered by POE and also pass that POE through on one port.
 


I am referring only to the EdgeRouter X. It only has a POE passthrough system, not actual POE by itself. With so many cameras and POE+ needed in systems, I don't use POE on the EdgeRouter X, but have POE+ switches deeper in the camera LAN. So, yes. I think it is appropriate to have Ubiquiti switches supply POE. My configuration on the EdgeRouter X rather redefines the ports to be physically sensible. Eth0 for WAN, Eth1 for Main LAN, Eth2 for Surveillance, Eth3 and Eth4 for IoT. I simply like that port order rather than some weird one in the middle for WAN. That is also easier for newbies to plug in correctly when I deploy ER-X's for computer illiterate users.

For each LAN, I use a separate, physical switch. Basically airgap isolate the wired devices so even if VLAN tagging isn't obeyed or is stripped, the devices are still limited to their assigned degree of access. Naturally, this means the firewall rules in the EdgeRouter X must work. I initially thought a step by step build up of the ports, LANs, and rules would be a reasonable way to get the info out there. Thinking about it more, I think it is more hazardous because that leaves network younglings needing to get every rule definition correct. It is super easy to screw up security with a badly thought out rule. Hence, the idea to distribute a pre-configured, working setup and then have people configure from there.
 
My setup:

I have the EdgeRouter X behind a Comcast modem/router. Only things connected to the ERX are my iMac, the BlueIris PC, the POE switches, and 15 cameras. My intent is to have the cameras unable to send/receive with the world. The computers can initiate conversations to the outside world but the world can not. I do not remotely view any cameras or BlueIris. At some point I may set up a ?Stunnel? connection to the PC. I don't want to use a VPN.

The following is from my notes last year. Some steps may be missing or wrong.

Physically my connections are:
eth0 - WAN
eth1 - LAN
eth2 - NVR, i.e., the BlueIris PC
eth3 - POE Switch in Broom Closet
eth4 - POE Switch in Garage
switch0 - eth2, eth3, and eth4

By having the PC and cameras connected to switch0 there is no overhead within the router and no filtering between them is possible. Switch0 looks like an ordinary dumb switch and runs at full speed. However I can still implement firewall rules between switch0 and the WAN or LAN.

I ran the <WAN+2LAN2> Wizard to create two LANs and enable the default firewall rules. No VLANs used.

Current Router Setup:
  1. eth0 (WAN) - Address - use DHCP
  2. eth1 (LAN) - Address - Manually define IP address on 192.168.2.1/24
  3. switch0 -
    1. manually define IP address on 192.168.1.1/24
    2. No VLAN enabled
    3. Switch0 ports - eth2, eth3, and eth4
    4. All ports configured with address of no address - ?what does this mean?
  4. Firewall/NAT
    1. Port Forwarding - Hairpin NAT enabled. nothing else
    2. NAT -default masquerade for WAN enabled
  5. Firewall/NAT Groups (network-group is subset of possible address-group)
    1. Camera_Group - 192.168.1.0/25 - used as source under Cameras_In and destination under Camera_Out in firewall
    2. NVR_Group - 192.168.1.128/25 - used as source under Cameras_Local Firewall
    3. LAN_Group - 192.168.2.0/24
    4. Router_Group - 192.168.1.0/24 and …2.0/24
  6. Firewall Policies
    1. Camera In (switch0 In) - default accept
      1. Input from cameras passing through router to WAN or LAN
      2. Drop Invalid
      3. Drop from Camera Group to WAN (eth0)
      4. Default accept
    2. Camera Local (switch0 local)- default accept (currently allowing everything except invalid)
      1. Input from cameras directed at router
      2. Allow established/related
      3. Drop Invalid
      4. Allow BI (NVR Group) to access Router
      5. Default accept
    3. Camera Out (switch0 Out)
      1. Output to cameras from WAN or LAN
      2. Drop Invalid
      3. Drop from WAN (eth0) to Camera (Cameras Group)
      4. Default accept
    4. WAN In - default rule from wizard
    5. WAN Out - default rule from wizard
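The isolation described in the opening post (cameras on eth2 may talk only to the camera LAN and to the router for NTP; the NVR alone is let out) and the policy outline in Dean's post above can be written down as one EdgeOS rule set. The script below is an added example, not guykuo's distributed configuration and not Dean's running config. It takes the "default drop, then allow the few things that must pass" shape rather than Dean's default accept, so a rule you forget fails closed instead of open. Interface names eth1/eth2 and the 192.168.91.0/24 Main LAN are taken from the thread; the camera subnet 192.168.92.0/24, the NVR address 192.168.92.10, the DHCP allowance and the path of the EdgeOS configuration wrapper are assumptions, marked in the comments.

```bash
#!/bin/bash
# camera_lan_isolation.sh - EdgeOS "set" commands for the surveillance-LAN
# isolation discussed in this thread: cameras on eth2 cannot reach the WAN
# (eth0) or any other LAN, may only contact the router for NTP (and DHCP),
# while the Main LAN (eth1, 192.168.91.0/24 in the thread) keeps full access
# to the cameras and one NVR address is allowed to initiate outbound.
# Added example, not guykuo's published config file.
#
# ASSUMED (not stated in the thread): camera subnet 192.168.92.0/24, NVR at
# 192.168.92.10, cameras leasing addresses via DHCP, and the wrapper path
# used by apply_rules. Run with no arguments to review the commands; run
# with --apply on the EdgeRouter itself to commit them.

CAM_IF=eth2
CAM_NET=192.168.92.0/24     # assumption
NVR_ADDR=192.168.92.10      # assumption

emit() { printf 'set %s\n' "$*"; }

# CAM_IN: packets from cameras that the router would forward somewhere else.
# Default drop: only replies to sessions opened from other LANs (rule 10)
# and the NVR (rule 30) get through. Everything else on the camera LAN,
# including a camera trying to "phone home" via eth0, is dropped.
cam_in_rules() {
  local p="firewall name CAM_IN"
  emit $p default-action drop
  emit $p description "'Camera LAN to WAN/other LANs'"
  emit $p rule 10 action accept
  emit $p rule 10 state established enable
  emit $p rule 10 state related enable
  emit $p rule 20 action drop
  emit $p rule 20 state invalid enable
  emit $p rule 30 action accept
  emit $p rule 30 description "'NVR/recording PC may initiate outbound'"
  emit $p rule 30 source group address-group NVR_Hosts
}

# CAM_LOCAL: packets from cameras addressed to the router itself.
# Cameras need NTP from the ER-X (thread) and DHCP leases (assumption);
# everything else, web UI and SSH included, is refused from this LAN.
cam_local_rules() {
  local p="firewall name CAM_LOCAL"
  emit $p default-action drop
  emit $p description "'Camera LAN to router'"
  emit $p rule 10 action accept
  emit $p rule 10 state established enable
  emit $p rule 10 state related enable
  emit $p rule 20 action drop
  emit $p rule 20 state invalid enable
  emit $p rule 30 action accept
  emit $p rule 30 description "'NTP from router'"
  emit $p rule 30 protocol udp
  emit $p rule 30 destination port 123
  emit $p rule 40 action accept
  emit $p rule 40 description "'DHCP from router'"
  emit $p rule 40 protocol udp
  emit $p rule 40 destination port 67
  emit $p rule 50 action accept
  emit $p rule 50 description "'NVR may manage router'"
  emit $p rule 50 source group address-group NVR_Hosts
}

# Main LAN -> cameras needs no rule: with no "in" policy on eth1 the router
# forwards it, and the replies return through CAM_IN rule 10.
camera_isolation_rules() {
  emit firewall group address-group NVR_Hosts address "$NVR_ADDR"
  emit firewall group network-group Camera_Net network "$CAM_NET"
  cam_in_rules
  cam_local_rules
  emit interfaces ethernet "$CAM_IF" firewall in name CAM_IN
  emit interfaces ethernet "$CAM_IF" firewall local name CAM_LOCAL
}

# Apply through the Vyatta-derived config wrapper (path assumed; check
# /opt/vyatta/sbin on your unit). All commands are staged, then one commit.
apply_rules() {
  local w=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
  [ -x "$w" ] || { echo "not an EdgeOS system: $w missing" >&2; return 1; }
  "$w" begin
  camera_isolation_rules | while IFS= read -r line; do eval "\"$w\" $line"; done
  "$w" commit && "$w" save
  "$w" end
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else camera_isolation_rules; fi
```

Read the output on a workstation first, then copy the script to the router and run it with `--apply` from a machine on the Main LAN, never from the camera LAN: once CAM_LOCAL commits, the web UI and SSH stop answering cameras' neighbours on eth2. Delete rule 30 of CAM_IN if you want the recorder sealed in as well; the thread treats that exception as optional. `show firewall name CAM_IN statistics` on the router afterwards shows the default-drop counter climbing when a camera tries to get out.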
 
Are you saying that it's recommended to connect all these devices to a switch and then connect the switch to a single LAN port on the ER-X rather than a direct connection?

In my configuration, I use every port (other than the WAN port) of the EdgeRouter X to implement a separate LAN. It's not a recommended vs not recommended issue. There simply are not three ports on the same LAN in my configuration. I intentionally implement multiple, separate LANs for more flexible isolation. Consequently, a separate switch is needed if more than one device needs to be connected to a LAN. Fortunately, gigabit switches are cheap. A nice consequence of separate switches is that the EdgeRouter is forced to carry minimal local traffic. It only needs to route packets that traverse between LANs or the WAN. Camera video ---> POE switch ----> Recording PC traffic happens without traversing the EdgeRouter fabric.

Mind you, the EdgeRouter can handle a fair amount of traffic. It can easily handle two Main LAN PCs remotely viewing multi-camera streams from the recording PC while other users are streaming Netflix and web browsing.

Dean's configuration uses the switch function of the EdgeRouterX to link three ports on his camera LAN. I use those ports to implement some "limited" LANs for IOT devices or guest networks (when VLAN guest support isn't available on WiFi access points). That difference gives a hint at the flexibility possible with an EdgeRouter.
 
@guykuo - thanks for the explanation. I think I get it. I'm sure you already figured out I'm pretty handicapped when it comes to networking. Using the "switch function" of the ER-X, Dean created a subnet for the camera network to isolate it from the rest of the LAN network and to prevent the cameras from having access to the WAN. Can you do that and still have the ability to VPN to the BI host through the WAN port? I set up a second NIC on the BI host connected to a POE switch on a subnet and all cameras are connected to this POE switch. The other NIC on the BI host is connected to the "house LAN" and main router using DHCP.
 
Can you do that and still have the ability to VPN to the BI host through the WAN port?

Yes. OpenVPN comes in through WAN port and links to the main LAN. Once the OpenVPN link is established, it is like being on the main LAN. The main LAN (and hence VPN) has access to everything. You can access your BI machine on the camera LAN.

Cameras cannot initiate a connection to the WAN or any other LAN. They can only connect to devices on the camera LAN and get NTP from the EdgeRouter. The BlueIris PC is allowed special access to create a connection to the WAN and other LANs, but you could turn that off if desired. I allow my recorder computer special access because it is a daily use machine for browsing the web and watching local network media. It does all that while simultaneously recording and displaying the cameras.

A simpler method for outside access is port forwarding to your BlueIris PC. That would skip the need for a VPN, but leave you only with the protection implemented by BlueIris.

The main challenge with setting up OpenVPN on the EdgeRouterX is needing to do work in the command line environment. Don't panic. I have instructions that turn it into a series of cut and pastes. Not rocket science, but you'll need to follow a bunch of instructions methodically.

Although I could distribute a config with OpenVPN already configured, that would be a bad idea. Better if users have their own distinct license authority to generate certificates. Don't want one that is identical to everyone else. With such power granted to the VPN connection, you really want the VPN locked tight with private certificates.

Your dual NIC setup in the BI machine should already isolate your cameras from accessing the outside world. That is unless you did some unusual stuff to make the BI machine also route packets between the NICs.

Also, you are on a recording PC instead of an NVR. If people are worried about firmware on cameras phoning home, why shouldn't they also be worried about NVR firmware doing nefarious stuff? A recording PC side steps that little issue.
 
@guykuo - Thanks for the reply and explanation. Ha, you added more info after I read your post last night. My head was spinning a bit before going to sleep trying to sort that out. But with your added explanation, things are gelling a bit more with a fresh mind. I reread Dean's post and your talk and I'm starting to understand the versatility of the ER-X a little bit better. Pretty cool product and for only $60.

Below is a network diagram of my proposed system. At the ER-X, I could set up ETH0 for WAN and SWITCH0 for ports ETH1-4 rather than add a separate switch since I only need one LAN network, unless you see a reason otherwise. This was my original design, but I didn't know that each port was configurable and not switched by default out of the box.

Regarding your proposal on how best to offer help in setting up OpenVPN, that sounds very reasonable. You definitely have a great knack for explaining complex concepts in plain understandable terms. That's very helpful for me and appreciated. I knew a while back that the ER-X was the best solution for me since I needed a wired router that has OpenVPN, but I was aware that the complexity of setting it up was beyond what I might be able to handle. Maybe now, with your help, I can integrate this device without pulling out what little remaining hair I have. I suspect there are others in this same position and your proposed tutorials and config files would help them. Many thanks!

new home network diagram v3.jpg
 
I personally do not follow you putting all your cams in a physically separated network while you have all the bells and whistles to hook your POE switch into a VLAN. One of the use cases might be that IF your BI PC has an issue, you can still connect to the VPN server (on your ER-X) and watch your cams "in direct mode". But in your diagram, that won't be possible. On the other hand, your setup avoids any bandwidth leakage from cams into your "main" network.

Choices choices choices :)

In any case, with the ER-X, almost everything is possible, but keep in mind that the vSwitch underperforms a "native" switch; that's the reason why in your design (and mine) I offload all "switching" traffic.

Good luck!
CC
 
I personally do not follow you putting all your cams in a physically seperated network while you have all the bells and whistles to hook your POE switch into a vlan.

I agree. Wire your network like this...
camera network scheme.jpeg

The EdgeRouter will do the desired isolation of the camera network while still allowing your Main LAN computers (and VPN) to administer and view cameras directly. It is also useful for remotely power cycling cameras on "smart" POE switches. All my POE+ switches have remote management. That lets me reboot any camera that gets into trouble. That is super handy when I'm out of town and notice a camera is wonky. It's rare, but nice to be able to fix things remotely. Changed to smart POE switches after a trip that included half my cameras going off line for some reason. Could not do anything about the system being crippled until returning home. Now I can reach in and reboot any camera.
 
@guykuo

I would support this to no end. I don't think a lot of people understand the benefit of the UI line of hardware. We are currently building and I'm in the middle of pulling all the communications cable in the house. Once we are done the network side of the house will be all UniFi hardware because I want this level of control amongst all the hardware and I want the details and insight into the traffic movement in and out of my network. I'm staying with the UniFi switches though as you have the ability to VLAN an independent port so you don't need all these different switches.
 

network setup.jpg
MAIN TOPIC CONTENT BEGINS WITH THIS POST

This topic covers the Ubiquiti Networks EdgeRouter-X specifically and features my pre-made configuration for creating a secure but flexible network. The ER-X is capable of many variations other than the configuration I have created, but for purposes of clear discussion, we will only be covering details of my particular configuration for the ER-X.

Obtain EdgeRouter-X
This topic is specifically for this model. The ER-X is fast enough for WAN (internet) connections up to about 800 Mbps. Gigabit fiber customers should use a faster model. Other models are available, but they are outside the scope of the intended topic.

These run about $62 at Amazon. Includes power supply for the ER-X. You supply your own ethernet cables. At this price, it delivers a lot of capability for little monetary risk. It is also very stable. You can expect it to easily run a year without need for reboot. Of course, all your network equipment should be on a UPS. I prefer sine-wave UPS where possible.

Ubiquiti EdgeRouter X Advanced Gigabit Ethernet Routers ER-X

Screen Shot 2020-01-20 at 11.59.50 AM.jpg


Download Kuo Pre-configured Settings File
kuo preconfigured for IPCAMTALK edgeos_ubnt_20200124.tar.zip


My preconfigured file is attached to this post.

The actual file name should end with a .gz extension, but this forum will not accept files with a .gz extension.
I have renamed the file with .zip for upload here.

Please change the .zip on the end of the filename to .gz before use.
Do NOT unzip the file, just rename the filename to be...

kuo preconfigured for IPCAMTALK edgeos_ubnt_20200124.tar.gz

In case you worry about the config file having been tampered, its SHA256 checksum via shasum -a 256 is
32bc2209bbfae76f61332d7f36c66279d9b31d023cb20fed454e17fc9e9358f3
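Before renaming the file and certainly before handing it to "Restore Config", check that hash: a corrupted or altered download would be restored with exactly the same authority as the intended rule set, and nothing in the router's UI would flag it. The script below is an added example, not part of the post. EXPECTED_SHA256 is the value published just above; the gzip-magic test is an extra sanity check (EdgeOS backups are gzip-compressed tar archives, which is why the .gz name matters); the sample file the test creates is constructed, not a real backup.

```bash
#!/bin/sh
# verify_config.sh - check the downloaded pre-configured settings file before
# renaming it and before uploading it with "Restore Config". Added example,
# not part of the original post. EXPECTED_SHA256 is the hash guykuo publishes
# above; a mismatch means a corrupted or altered download, and an altered
# configuration restored to the router can open anything the rules close.
# The sample file used in the test is constructed, not a real backup.

EXPECTED_SHA256=32bc2209bbfae76f61332d7f36c66279d9b31d023cb20fed454e17fc9e9358f3

# Print the SHA-256 of $1. Works with GNU coreutils (sha256sum) or the
# BSD/macOS shasum the post uses.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when $1 hashes to $2; otherwise report both values and return 1.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ] && return 0
  printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
  return 1
}

# EdgeOS backups are gzip-compressed tar archives; the forum forced a .zip
# name onto the file. Return 0 if the first two bytes are the gzip magic.
is_gzip() {
  [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Verify, then rename .zip -> .gz in place (never unpack it). Prints the
# final path on success; returns 1 and leaves the file untouched otherwise.
prepare_config() {
  f=$1
  verify_sha256 "$f" "$EXPECTED_SHA256" || return 1
  is_gzip "$f" || { printf 'not a gzip stream: %s\n' "$f" >&2; return 1; }
  case $f in
    *.zip) mv -- "$f" "${f%.zip}.gz" && printf '%s\n' "${f%.zip}.gz" ;;
    *)     printf '%s\n' "$f" ;;
  esac
}
```

Usage: `sh verify_config.sh` after sourcing, or call `prepare_config "kuo preconfigured for IPCAMTALK edgeos_ubnt_20200124.tar.zip"` directly; it prints the .gz path you then upload. If the hash does not match, re-download rather than restore.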
 

Obtain Current Firmware
We update the ER-X firmware before doing any other configuration.
Download the firmware now because you will lack internet access during the initial setup process.

Obtain current firmware file from
Screen Shot 2020-01-20 at 11.46.13 AM.jpg

As of this writing, firmware is EdgeRouter ER-X/ER-X-SFP/EP-R6/ER-10X: Firmware v2.0.8
The download button is to the right of the firmware file.

(Do not download the GPL Archive. That is not what you want)

You should receive a firmware tar file. Save it on your computer for later.
ER-e50.v2.0.8.5247496.tar
 
Factory Reset

Nothing except the power supply should get attached to the ER-X in this step.
Follow either method in Ubiquiti's instructions...

There are two methods to reset the EdgeRouter to factory defaults. I tend to use the power-on reset when working with a new EdgeRouterX.

• Power-on reset: Disconnect power from the EdgeRouter. Press and hold the Reset button while connecting power to the EdgeRouter. The port LEDs will light up in sequential order. Keep holding the Reset button until the LED on the last port starts flashing, and then release the button.

• Runtime reset: The EdgeRouter should be running after bootup is complete. Press and hold the Reset button for about 10 seconds until the eth4 LED starts flashing and then becomes solidly lit. After a few seconds, the LED will turn off, and the EdgeRouter will automatically reboot.
 
First Login

After a factory reset, the ER-X is at IP 192.168.1.1

Set your computer to a static 192.168.1.xxx address for initial configuration
Set your computer's network settings to ethernet with a static address and subnet that can reach the factory-reset ER-X.
Screen Shot 2020-01-20 at 11.36.50 AM.jpg

Log In
Point your browser at 192.168.1.1

Log in with the default ubnt credentials
Default username = ubnt
Default password = ubnt

Screen Shot 2020-01-20 at 11.37.59 AM.jpg

Answer NO to using the wizard.
We are not going to use the wizard.
Screen Shot 2020-01-24 at 9.35.10 PM.jpg
 
Update Router Firmware
IMPORTANT: Do NOT disconnect power, ethernet connection or close web page until entire firmware update process completes.

Click "System" at bottom of window to display the System Panel.
Screen Shot 2020-01-20 at 12.24.28 PM.jpg


Scroll up to find "Upgrade System Image" section.
Screen Shot 2020-01-20 at 12.25.09 PM.jpg
Upload your previously obtained Ubiquiti firmware tar file. (NOT my pre-config file!!!!)
It will take about three minutes for the firmware to upload and prep.
When the ER-X asks to reboot, let it reboot. Yes, you're sure.

Let the firmware flashing fully take place. Your browser will keep trying to connect during the flashing process, but I have never seen my browser actually reconnect by itself. After 1 to 2 minutes, the firmware payload is already in the ER-X. You can safely attempt manual reconnection by visiting 192.168.1.1 It will probably be 3 to 4 minutes before you can reconnect.
 
Upload Kuo's Pre-Configured Settings

Log into the ER-X once more as ubnt/ubnt

Open System panel at bottom of window.
Scroll to find "Restore Config"

Upload my kuo preconfigured for IPCAMTALK edgeos_ubnt_20200124.tar.gz file

Allow several minutes for the configuration to be applied and router restarted.

At this point, you are naturally UNABLE to reconnect to the ER-X. The freshly uploaded configuration has completely remapped the ER-X.
The ER-X is now at a different address, 192.168.91.1, and the ethernet port for the MAIN LAN is eth1.

MOVE your ethernet cable from eth0 to eth1 of the ER-X

Set your computer network to ethernet / DHCP. Let the EdgeRouter assign your computer an address via DHCP

Screen Shot 2020-01-24 at 9.44.48 PM.jpg

Your ER-X is now configured with separate LAN's and a full set of isolation rules.
 
Change User Password and Create User Accounts

The pre-configuration file has a default admin account defined. You should immediately change its password.

Log into ER-X at 192.168.91.1

default username = admin
default password = admin

Click on Users tab to see the list of current users.
Use the Actions pull-down menu to change the admin password to a complex one. (Don't lose this password!!!)
Screen Shot 2020-01-20 at 12.53.54 PM.jpg
I also recommend adding some other user accounts for...

- admin level account as a backup admin
- operator level account for viewing status of router

For purposes of this tutorial, I will keep using just the admin account, but DEFINITELY change the admin account password!!!
 