Ubiquiti EdgeRouter X - Configuring to Isolate Surveillance Networks

randye007 (n3wb; joined Aug 17, 2021; 2 messages; reaction score 0; Canada):
Thank you for posting this @guykuo!

Will you be posting a follow-up how-to like you did for the Ubiquiti ER-X?

Cheers,
Randy

Ubiquiti has discontinued shipping the EdgeRouter X. It was an amazing little machine for its time, especially at $60.
Getting one now costs much more. I no longer recommend this pathway to network isolation.

I have since transitioned to pfSense on a fanless firewall appliance. The initial setup cost is more, but setup is much easier than with the EdgeRouter X. VPN is simpler to implement. It supports 2.5 Gb network speeds. pfSense is actively improved, and pfBlocker ad blocking has been very effective. Very happy with making the upgrade. The speed, ease of configuration, and enhanced capabilities easily justify the cost differential. On the other hand, paying inflated prices for rare, discontinued EdgeRouter Xs is not worth doing.

To implement pfSense, I got a bare-bones Mini PC with 2.5 Gb ports, a 128 GB mSATA drive, and 16 GB RAM. That's actually FAR more RAM and storage than needed, but going with smaller capacity wasn't going to save many dollars.

$266 MOGINSOK Firewall Appliance Mini PC, Intel Celeron J4125 Quad Core 4xIntel I225 2.5G Ethernet VPN Router PC AES-NI HDMI VGA Barebone NO RAM NO SSD (Be sure to get one with AES-NI)

$32 Transcend 128GB SATA III 6GB/S MSA230S mSATA SSD 230S Solid State Drive TS128GMSA230S

$47 G.Skill Ripjaws SO-DIMM Series 16GB (1 x 16GB ) 260-Pin (PC4-19200) DDR4 2400 CL16-16-16-39 1.20V SO-DIMM Memory Model F4-2400C16S-16GRS

My pfSense firewall box is at about 2-3% CPU, 5% RAM, and 1% storage on average. It's a huge jump up in speed and capacity. Also, pfSense has a larger user base for support. Tons of how-to videos are online.
 

srvfan (Getting comfortable; joined Dec 12, 2020; 576 messages; reaction score 2,245; USA):
Just stumbled across this thread and am curious, as I currently utilize an EdgeRouter X in front of my home network. I've had this router for a couple of years, and love it, as it was so versatile with setting up internal VPN, VLANs, etc. and works well with my switches. I notice Ubiquiti has placed a newer firmware on their download site (I think dated 18-July?), but I wonder how long this router will be supported? I guess when they do stop the support, it will be open season for security threats/attacks on this equipment.

From what I have seen, a lot of people give pfSense a thumbs up; however, I wonder about the security of this option. I am a complete networking noob, but when I hear open-source, it automatically throws up questions of security.
 

observant1 (Pulling my weight; joined Dec 2, 2018; 141 messages; reaction score 105; Alabama):
Wow, I shouldn't have partied so much at the tech schools/classes I was fortunate enough to go to on the company dime back in the day... things have also come a long way.
 

105437 (BIT Beta Team; joined Jun 8, 2015; 1,636 messages; reaction score 693):
My network is entirely Ubiquiti UniFi: PoE switch, regular switch, APs and a USG-3P gateway (router). I'm looking to isolate my 16 IP cams and really don't know where to start.
 

tech_junkie (Pulling my weight; joined Sep 2, 2022; 332 messages; reaction score 238; South Dakota):
> All ports configured with address of no address - what does this mean?

That means you are not using the LAN ports as managed ports (which is the mode that is commonly used).
Assigning them an IP address only allows traffic requests from that port to the rest of the network if they come from the machine with the same IP address assigned to that port.

Since you wanted to know what that meant.
 

usaf_pride (Pulling my weight; joined Mar 10, 2017; 277 messages; reaction score 163):
@guykuo, great writeup.
I was wondering if you couldn't create a Firewall/NAT Group with your security camera IPs and then create a firewall rule in WAN_Local (I think that is the right one vs. WAN_IN) to reject all connections from that Group?
While not isolated on a VLAN, it would prevent internet access from those IPs.

My setup is ER-X -> USW24PoE.
All security cameras are connected to the USW24PoE along with the 3 WiFi APs. VLANs on switch0 (switch0.1, and that was a hassle to set up) for guest and IoT device separation. While I could add a separate VLAN for the security cameras, if the intent is to block outbound access, then it seems the above approach would work. I do recognize that if there was a hack on the cameras, it would also have access to the trusted network.
 
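The address-group approach in this post, written out as EdgeOS CLI configuration. This is an added example, not the poster's or Ubiquiti's own configuration. One detail matters when picking the ruleset: WAN_IN and WAN_LOCAL are attached to the WAN interface and only see traffic arriving from the internet, so a rule placed there never matches packets the cameras send out. Camera-originated traffic enters the router on the LAN side, so the ruleset below is attached to switch0 in the in direction. The camera addresses, the 192.168.1.0/24 LAN subnet and the switch0 interface name are assumptions.

```vyatta
configure

# Constructed example addresses: put your own camera IPs here
set firewall group address-group CAMERAS description 'IP cameras on the flat LAN'
set firewall group address-group CAMERAS address 192.168.1.201
set firewall group address-group CAMERAS address 192.168.1.202

# Ruleset for traffic entering the router from the LAN side.
# Default accept keeps normal LAN -> internet traffic working; only the
# camera group is constrained by the numbered rules.
set firewall name LAN_IN description 'LAN to router (camera egress control)'
set firewall name LAN_IN default-action accept

# 10: let the cameras keep their clocks in sync (UDP/123)
set firewall name LAN_IN rule 10 description 'cameras: NTP'
set firewall name LAN_IN rule 10 action accept
set firewall name LAN_IN rule 10 protocol udp
set firewall name LAN_IN rule 10 destination port 123
set firewall name LAN_IN rule 10 source group address-group CAMERAS

# 20: drop (and log) anything else from a camera that is not bound for the
# LAN subnet, i.e. the camera -> internet traffic this approach is meant to block
set firewall name LAN_IN rule 20 description 'cameras: no internet'
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 log enable
set firewall name LAN_IN rule 20 source group address-group CAMERAS
set firewall name LAN_IN rule 20 destination address !192.168.1.0/24

# Attach in the "in" direction on the LAN-facing interface (assumed switch0)
set interfaces switch switch0 firewall in name LAN_IN

commit
save
exit
```

After committing, `show firewall name LAN_IN statistics` shows per-rule packet counters, so a camera that keeps trying to phone home shows up as a rising count on rule 20 (and in the log). Two limits follow from where the ruleset sits: traffic between two hosts on the same subnet (camera to NVR) is switched and never passes through this ruleset, which is exactly why the poster's caveat about a compromised camera reaching the trusted network still holds; and traffic to the router itself (DNS forwarder, web UI) is governed by the local direction, not in, so it needs its own rule if the cameras should not reach it.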

catcamstar (Known around here; joined Jan 28, 2018; 1,647 messages; reaction score 1,158):
> @guykuo, great writeup.
> I was wondering if you couldn't create a Firewall/NAT Group with your security camera IPs and then create a firewall rule in WAN_Local (I think that is the right one vs. WAN_IN) to reject all connections from that Group?
> While not isolated on a VLAN, it would prevent internet access from those IPs.
>
> My setup is ER-X -> USW24PoE.
> All security cameras are connected to the USW24PoE along with the 3 WiFi APs. VLANs on switch0 (switch0.1, and that was a hassle to set up) for guest and IoT device separation. While I could add a separate VLAN for the security cameras, if the intent is to block outbound access, then it seems the above approach would work. I do recognize that if there was a hack on the cameras, it would also have access to the trusted network.

I personally won't allow "Chinese"/untrusted devices in my inner LAN. See it like an onion network: WAN = outside, VPN is DMZ, untrusted = IPC VLAN, trusted = LAN. I only allow access FROM LAN to anything. However, IPC can NEVER contact LAN, nor WAN (except for push notifications & NTP). However, VPN is the only one which can contact the IPC VLAN (to be able to use DMSS from WAN, e.g. 4G).

Which means you simply add a "deny all" on your IPC_VLAN to "internal/local".

Hope this helps!
CC
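The onion layout described in this reply (WAN outside, VPN as DMZ, untrusted IPC VLAN, trusted LAN; IPC allowed out only for NTP and push notifications; VPN allowed into the IPC VLAN only) as an added EdgeOS example. It is not catcamstar's own configuration. The subnets, VLAN id 20, the vtun0 OpenVPN interface and the PUSH_SERVERS placeholder are assumptions; switch-port VLAN tagging and the OpenVPN server itself are left out.

```vyatta
configure

# Constructed addressing (assumptions, not from the thread):
#   LAN      switch0     192.168.1.0/24   trusted
#   IPC VLAN switch0.20  192.168.20.0/24  untrusted cameras / NVR
#   VPN      vtun0       10.8.0.0/24      remote DMSS clients (OpenVPN)
#   WAN      eth0
set interfaces switch switch0 vif 20 description 'IPC VLAN'
set interfaces switch switch0 vif 20 address 192.168.20.1/24

# All RFC 1918 space: covers both the LAN and the VPN pool, so one rule blocks both
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16

# Placeholder (RFC 5737 documentation address): replace with the push-notification
# endpoints your camera/NVR vendor documents
set firewall group address-group PUSH_SERVERS description 'vendor push endpoints'
set firewall group address-group PUSH_SERVERS address 203.0.113.10

# --- IPC_IN: traffic the camera VLAN sends through the router. Deny by default. ---
set firewall name IPC_IN default-action drop
set firewall name IPC_IN enable-default-log
# 10: replies to sessions that LAN or VPN opened toward the cameras
set firewall name IPC_IN rule 10 action accept
set firewall name IPC_IN rule 10 state established enable
set firewall name IPC_IN rule 10 state related enable
# 20: cameras may never initiate toward LAN or VPN (log the attempts)
set firewall name IPC_IN rule 20 action drop
set firewall name IPC_IN rule 20 log enable
set firewall name IPC_IN rule 20 destination group network-group PRIVATE_NETS
# 30: NTP; 40: push notifications. Anything else toward the internet hits the default drop.
set firewall name IPC_IN rule 30 action accept
set firewall name IPC_IN rule 30 protocol udp
set firewall name IPC_IN rule 30 destination port 123
set firewall name IPC_IN rule 40 action accept
set firewall name IPC_IN rule 40 protocol tcp
set firewall name IPC_IN rule 40 destination port 443
set firewall name IPC_IN rule 40 destination group address-group PUSH_SERVERS

# --- IPC_LOCAL: traffic from the camera VLAN to the router itself. DHCP only. ---
set firewall name IPC_LOCAL default-action drop
set firewall name IPC_LOCAL rule 10 action accept
set firewall name IPC_LOCAL rule 10 protocol udp
set firewall name IPC_LOCAL rule 10 destination port 67

# --- VPN_IN: remote clients reach the camera VLAN only, never the trusted LAN. ---
set firewall name VPN_IN default-action drop
set firewall name VPN_IN rule 10 action accept
set firewall name VPN_IN rule 10 state established enable
set firewall name VPN_IN rule 10 state related enable
set firewall name VPN_IN rule 20 action accept
set firewall name VPN_IN rule 20 destination address 192.168.20.0/24

set interfaces switch switch0 vif 20 firewall in name IPC_IN
set interfaces switch switch0 vif 20 firewall local name IPC_LOCAL
set interfaces openvpn vtun0 firewall in name VPN_IN
# switch0 (trusted LAN) carries no inbound ruleset: LAN may reach everything,
# and the cameras' replies come back through IPC_IN rule 10.

commit
save
exit
```

Rule order inside IPC_IN carries the policy: the private-network drop sits before the NTP and push accepts, so a camera cannot use UDP/123 or TCP/443 as a path to a LAN or VPN host. If the router itself serves NTP to the cameras, add a UDP/123 accept to IPC_LOCAL rather than widening IPC_IN. The default-log on IPC_IN plus `show log` on the router is the quickest way to see which cameras are attempting connections the policy denies.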