ubiquiti's People

Contributors

mjp66

ubiquiti's Issues

Why not put eth 1-4 into switch0

Hi there,

First of all, I really like your guide. It was very useful to me in the past to get an understanding of some networking principles.
So now I'm a little further with experimenting and wondering the following thing:
Why do you choose to split eth1 and eth2 into separate physical LANs, and why not choose to VLAN them too? Is there some benefit, or do I miss some technical background here?

Thanks!

Firewall rule 3 destination group?

In sect 53 firewall rule 3, there's an empty destination group entry. Is the destination group entry supposed to be empty in rule 3? In the other rules where destination group is empty, there's no text at all in the backup styled config. But this one has destination group, but with no setting. I wanted to make sure this wasn't a typo.

How to get back into management console after setup?

I left off at step 33. I needed to reboot my computer so I unplugged the ethernet cable to the ER-X. Now I cannot get back into the config GUI. I've tried every permutation of static 192.168.1.100 and/or DHCP on my computer with an ethernet connection on the ER-X in every port (except eth5). I even power cycled the ER-X and that didn't work. How does one get back to the management console after doing your setup? Thanks in advance for a quick reply.

Guest Net to Home Net

I have used the same setup in the guide, and I'm having issues getting the guest portal to appear to guests connecting to the Guest Net (192.168.6.0/24). The UniFi controller is on the Home Net (IP: 192.168.3.10) and I've tried adding a new rule in the HOME_OUT ruleset to allow packets originating from WIFI_GUEST_GROUP and destined for 192.168.3.10, with states INVALID, NEW, RELATED, ESTABLISHED like so:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group DNS_SERVERS_GROUP {
            address 1.1.1.1
            address 9.9.9.9
            description "Cloudflare and Quad9 DNS Servers"
        }
        address-group HOME_GROUP {
            address 192.168.3.0/24
            description "Home Group"
        }
        address-group MULTIPLE_GROUP {
            address 192.168.3.0/24
            address 192.168.4.0/24
            address 192.168.6.0/24
            address 192.168.7.0/24
            description "Multiple Groups"
        }
        address-group WIFI_GUEST_GROUP {
            address 192.168.6.0/24
            description "Wi-Fi Guest Group"
        }
        address-group WIFI_IOT_GROUP {
            address 192.168.7.0/24
            description "Wi-Fi IOT Group"
        }
        address-group WIRED_IOT_GROUP {
            address 192.168.4.0/24
            description "Wired IOT Group"
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name HOME_OUT {
        default-action accept
        description "Home Out"
        rule 10 {
            action accept
            description "Allow Wired Iot Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIRED_IOT_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Rest-Of Wired Iot Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group WIRED_IOT_GROUP
                }
            }
        }
        rule 30 {
            action accept
            description "Allow Wi-Fi Guest Hotspot"
            destination {
                address 192.168.3.10
            }
            log enable
            protocol all
            source {
                group {
                    address-group WIFI_GUEST_GROUP
                }
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "Allow Wi-Fi Guest Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIFI_GUEST_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 60 {
            action accept
            description "Allow Wi-Fi Iot Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIFI_IOT_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 70 {
            action drop
            description "Drop Rest-Of Wi-Fi Iot Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group WIFI_IOT_GROUP
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow WireGuard"
            destination {
                port 5184
            }
            log disable
            protocol udp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WIFI_GUEST_LOCAL {
        default-action drop
        description "Wi-Fi Guest Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WIFI_IOT_LOCAL {
        default-action drop
        description "Wi-Fi IOT Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow Only DNS_SERVERS_GROUP"
            destination {
                group {
                    address-group DNS_SERVERS_GROUP
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WIRED_IOT_LOCAL {
        default-action drop
        description "Wired IOT Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow Only DNS_SERVERS_GROUP"
            destination {
                group {
                    address-group DNS_SERVERS_GROUP
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

The connected clients get the correct URL (e.g. http://192.168.3.10:8880/...), but time out when connecting to that URL.
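Rather than reasoning about the HOME_OUT ruleset by hand, the trace below walks a packet through it. This is an added example, not code from the guide or from this repository: a small parser for the EdgeOS config.boot brace syntax plus a first-match walk over one ruleset (the names `parse_edgeos` and `first_match` are mine), run on a constructed sample trimmed from the ruleset posted above. It resolves address-groups and applies the `state` block the way rules 10, 20 and 30 use it; protocol and port matching are left out.

```python
"""Parse an EdgeOS config.boot fragment and trace packets through a firewall ruleset."""
import ipaddress
import re

def _leaf(node, stmt):
    """Store a 'key value' statement; a repeated key (e.g. several 'address' lines) becomes a list."""
    if stmt is None:
        return
    key, _, value = stmt.partition(" ")
    value = value.strip().strip('"')
    if key in node:
        node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [value]
    else:
        node[key] = value

def parse_edgeos(text):
    """Turn the brace-delimited EdgeOS syntax into nested dicts; braces may share a line."""
    stack = [{}]
    for line in text.splitlines():
        pending = None  # last statement seen; it becomes a node key if '{' follows it
        for piece in re.split(r"([{}])", line):
            piece = piece.strip()
            if piece == "{":
                stack[-1][pending] = node = {}
                stack.append(node)
                pending = None
            elif piece == "}":
                _leaf(stack[-1], pending)
                pending = None
                stack.pop()
            elif piece:
                _leaf(stack[-1], pending)
                pending = piece
        _leaf(stack[-1], pending)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return stack[0]

def _networks(cfg, spec):
    """Resolve a source/destination block (address and/or address-group) to ip_networks."""
    members = [spec["address"]] if "address" in spec else []
    group = spec.get("group", {}).get("address-group")
    if group:
        addrs = cfg["firewall"]["group"][f"address-group {group}"]["address"]
        members += addrs if isinstance(addrs, list) else [addrs]
    return [ipaddress.ip_network(m, strict=False) for m in members]

def first_match(cfg, ruleset_name, src, dst, state="new"):
    """Return (rule_number, action) of the first rule matching a packet from src to dst in the
    given conntrack state, or (None, default-action) if none does; protocol/port are not modelled."""
    ruleset = cfg["firewall"][f"name {ruleset_name}"]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    numbered = {int(k.split()[1]): v for k, v in ruleset.items() if k.startswith("rule ")}
    for num, rule in sorted(numbered.items()):  # EdgeOS evaluates rules in numeric order
        src_nets = _networks(cfg, rule.get("source", {}))  # empty/missing block matches any address
        dst_nets = _networks(cfg, rule.get("destination", {}))
        if src_nets and not any(src_ip in n for n in src_nets):
            continue
        if dst_nets and not any(dst_ip in n for n in dst_nets):
            continue
        if "state" in rule and rule["state"].get(state) != "enable":  # state block must enable it
            continue
        return num, rule["action"]
    return None, ruleset["default-action"]
# Constructed sample: the HOME_OUT ruleset from the post above, trimmed (descriptions/log dropped).
SAMPLE = """firewall {
  group {
    address-group WIFI_GUEST_GROUP { address 192.168.6.0/24 }
    address-group WIRED_IOT_GROUP { address 192.168.4.0/24 }
  }
  name HOME_OUT {
    default-action accept
    rule 10 {
      action accept
      source { group { address-group WIRED_IOT_GROUP } }
      state {
        established enable
        related enable
      }
    }
    rule 20 {
      action drop
      source { group { address-group WIRED_IOT_GROUP } }
    }
    rule 30 {
      action accept
      destination { address 192.168.3.10 }
      source { group { address-group WIFI_GUEST_GROUP } }
      state {
        invalid enable
        new enable
      }
    }
  }
}"""
if __name__ == "__main__":
    cfg = parse_edgeos(SAMPLE)
    for src, dst in [("192.168.6.20", "192.168.3.10"), ("192.168.6.20", "192.168.3.20"), ("192.168.4.7", "192.168.3.5")]:
        print(src, "->", dst, "new connection:", first_match(cfg, "HOME_OUT", src, dst))
```

The trace shows a new guest connection to 192.168.3.10 landing on rule 30 (which, note, also accepts invalid-state packets), any other guest destination falling through to HOME_OUT's default accept, and a new wired-IoT connection stopping at rule 20. Since nothing in the posted HOME_OUT drops the portal flow, the timeout is more likely caused by something outside this excerpt, such as a ruleset bound to the guest VLAN's in direction or the controller host's own firewall; the same parser treats an empty `source { }` block (the WIRED_IOT_LOCAL question further down this page) as matching any address.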

Donations?

This guide has been incredibly helpful to me, despite the fact that I have the UniFi line of products (as opposed to the EdgeRouter line discussed within). I'd love to see it maintained, at least, if not grow to cover some of Ubiquiti's other lines (even if not, this has been quite instructive).

Are you taking donations?

Add Google Fiber Config

Great job on the writeup. I'm currently using your config for my setup and am loving it. One thing I wish I knew how to do is add the Google Fiber config to eth0. Below is a snippet of Steve Jenkins' setup with Google Fiber, but I like your setup better; I just want to get rid of my fiber box. https://github.com/stevejenkins/UBNT-EdgeRouter-Example-Configs/blob/master/Google-Fiber/config.boot.erx

ethernet eth0 {
    description "Google Fiber Jack"
    duplex auto
    speed auto
    vif 2 {
        address dhcp
        description "Google Fiber WAN"
        dhcpv6-pd {
            pd 0 {
                interface switch0 {
                    host-address ::1
                    prefix-id :0
                    service slaac
                }
                interface switch0.102 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                prefix-length /56
            }
            rapid-commit enable
        }
        egress-qos "0:3 1:3 2:3 3:3 4:3 5:3 6:3 7:3"
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
            out {
                ipv6-name WANv6_OUT
                name WAN_OUT
            }
        }
    }
}

Thank you

Link request

Absolutely excellent guide. If it's no trouble, I suggest adding a link somewhere in the front pointing to this repo. If anything, you deserve props, and people should be able to easily get back to the source for updates, as I'm certain this guide is going to start popping up all over the place.

Your guide was plugged on the Security Now podcast, episode 641, hosted by Steve Gibson (the reviews were glowing):

https://www.grc.com/sn/sn-641.htm

Streaming media from HomeNet to (Wifi)IOTNet

Hello again,
thanks to your guide I've already set up home networks at two places. So far so good.
I was using BubbleUPnP for DLNA/Chromecast to stream my media (cloud and non-cloud)
from my Android phone to a Samsung Smart TV, since Google deliberately disabled Miracast
in the middle of the Marshmallow version of Android. And also with DLNA I could have the screen
off on my mobile.

But now, with some updates to Android, BubbleUPnP for DLNA/Chromecast and my home
network reworked, it sadly doesn't work. I have all Smart TVs on WifiIOTNet because they
are from 2012/2013 and I don't trust them. But it doesn't work even when I connect my
Android phone to WifiIOTNet. So I'm wondering if it's a home network configuration
problem, or an Android / BubbleUPnP for DLNA/Chromecast problem.

PS I don't want to buy a Chromecast or some other dongle only for casting media to my old
Smart TVs. BTW Chromecast is a slightly better and very overpriced Miracast anyway (all my
TVs support Miracast).

UPnP for Google Home

I've got a Google Home Mini and some Chromecast devices. Google says I need to enable UPnP. I know UPnP is better left off for security reasons, but I don't know what firewall rules Google would need. To turn UPnP on, I assume the external interface is eth0, but what should I use for the internal interface?

port forwarding?

Do you know anybody who has port forwarding or port redirect experience on this router? I can't seem to get it working.

Define IoT Devices

I got my EdgeRouter X all configured last night and my UAC-LITE will be here tomorrow. My open question is the definition of IoT devices. What would that all include? Might be worth including for documentation sake.

Answer to a question

First of all, great document, it's truly well structured and in great detail, kudos.

I'm still going through the document and came across the following question on page 32.

When writing this guide, I was not able to figure out how to combine the Wired IOT Network (as 192.168.4.X) and
the Wi-Fi IOT Network (as 192.168.7.X) as a single Network / Subnet.
QUESTION: Is there a way to combine these two Networks / Subnets?

Take a look at this video
https://www.youtube.com/watch?v=kl9CkHhLm6k&index=23&list=WL
Basically all you have to do is set a pvid 6 to ETH1 and not configure ETH1 Address Manually.
It's supposed to be faster as well, as it does hardware switching instead of software switching.

Let us know if you see an issue with this approach.

Automatic Adoption for Access Point?

I think if someone just bought the Access Point, it gets auto adopted before you see the screen in the guide. May want to put a note about that as I didn't need to adopt my access point when I got to that step.

When I add a controller that can run all the time, I might have to adopt it on there though.

HOME_OUT vs [less secure]_IN

First, thank you very much for all the work you put into this. Everything appears to be nicely researched, and it serves incredibly well as a crash course into the ER line (which I certainly needed).

There's something towards the end I was curious about: is there any particular reason that traffic from the IOT + Guest VLANs needs to be filtered in HOME_OUT? Judging by the diagram, if WIRED_IOT_IN (as an example) had a default accept + rules to drop new packets destined towards secure subnets, you'd eliminate a fair amount of packet pushing. It also seems to answer the question/issue at the bottom of page 68; you could do away with HOME_OUT entirely, and the vast majority of other traffic wouldn't be penalized. I may very well be missing something obvious that creates the need for rules on the _OUT side, though.

Similarly, for the question on page 64, I assume it's because invalid packets are an exception, rather than the norm; they'll never match the accept, and the priority should be getting the other 99% of legitimate traffic to its destination. Granted you're only looking at one extra rule in this particular instance, but an extra check is an extra check.

New controller versions - different config options

Hello,

I love the guide! It is very well put together, and I appreciate the time you've put into this.

I've run into an issue: it appears that you are using controller version 5.4.11, which uses the classic settings.

The latest controller version is 6.0.43. There is a whole new settings page (Beta). It allows you to swap back to the Classic Settings, but it doesn't have all of the same options.

Perhaps I did something wrong? Otherwise, it looks like this may be something to add to the to update list.

Thanks!

Question to guide 56. WIRED_IOT_LOCAL - Rule 1 (Allow DHCP)

Hi Mike - Thanks for all of your efforts in creating this guide.

I am trying to set up an EdgeRouter 10X with your guide, but I am stuck at 56. WIRED_IOT_LOCAL - Rule 1 - Allow DHCP

What should I put for source?

name WIRED_IOT_LOCAL {
    default-action drop
    description "Wired Iot Local"
    rule 1 {
        action accept
        description "Allow DHCP"
        destination {
            port 67-68
        }
        log disable
        protocol udp
        source {
        }
    }
}

Thank you very much.

No info on address groups

I cannot find any mentions on NETv4_switch0.7 address group as well as NETv4_switch0.6, NETv4_switch0.7, NETv4_switch0.8

Add mDNS port to VLAN LOCAL rulesets

I followed your guide, but was having an issue with the mDNS repeater not working. I found that I had to add the UDP destination port 5353 to the VLAN LOCAL rulesets.

Ubiquiti Device Discovery Vulnerability

Hi Mike - Thanks for all of your efforts in creating this guide. It has been very helpful and instructive. The Ubiquiti Device Discovery Service has been much in the news as of late as a potential vulnerability. According to the Ubiquiti posting regarding this service, they state that "The EdgeRouter will not be discoverable by WAN clients if firewall policies from the Basic Setup wizard are applied." (https://help.ubnt.com/hc/en-us/articles/204976244-EdgeRouter-Ubiquiti-Device-Discovery). Am I correct in assuming that since we have applied the basic firewall policies on the WAN interface, this is not a vulnerability concern for us? It is unclear from the news coverage that this is primarily a user misconfiguration issue. Perhaps adding some comments in the guide regarding this would be helpful. Thanks again for your time and efforts on this project.

Typo pg 70

On page 70 you have:
name WIFI_IOT_LOCAL {
default-action drop
description "Wired Iot Local"

Shouldn't the description be "Wifi Iot Local"?

Wireguard?

Hi, thanks for the great guide. I've followed almost all of it, except for not having a Wired Separate network. I have installed Wireguard (33.x) on my ERX and my Android phone and through WG, I am able to view IP cameras that are on my Home net (3.x), but not able to view those on the WiFi IoT net (7.x). I can view all cameras when I'm on the Home net (3.x). Is this expected behavior?

I have tried adding 33.x to the Home user group and I've tried copying the HOME_LOCAL firewall rules to make a WG_LOCAL (changing interface to wg0), but haven't been successful. Do you know what I can do to view WIFI IOT devices from Wireguard?

Thanks!

Making source available?

I really like the idea of what you've done here and I might be interested in making one or two suggestions based on my own setup I've got working. Unfortunately, because the main file is a PDF, GitHub treats it as a binary file which makes it very difficult to diff it to see what's changed in a commit or to submit pull requests.

I wondered if you'd considered uploading the document in a more "diff-friendly" format? If you still wanted to have a PDF for people to download, maybe the PDF could be built and uploaded as a release periodically.

Is the show configuration commands.txt script still up to date? I notice it shows as 10 months old, but there have been a number of changes to the PDF file.

One thing I've found useful now I'm version controlling my own config, is to extract at least the config.boot file from the .tar.gz archive and version control that? It's this that contains the bulk of the configuration (on my setup anyway) - certainly all the interesting stuff! Again, the .tar.gz file could be uploaded when making a release.

No worries if you'd prefer to keep it as-is 😄

Thank you very much for all your hard work

Hello @mjp66 👋🏽 ,

I just want to take this chance to thank you for this amazing resource. Like you, I was very worried about the security issues with consumer networking equipment and switched over to a similar setup circa 2018. I got everything up and running back then, but I always had this nagging feeling at the back of my mind wondering if I had done things correctly or understood everything well. Your guide has been indispensable allaying many of my worries, so again, thank you very much!

  • Alam

P.S. Sorry I had to use a Github Issue, I couldn't find any other way to contact you.

Private internet access/VPN connection?

So far, I have followed your guide to the letter, up to section 61. Everything seems to work as expected, EXCEPT that while I can connect to my PIA VPN, it seems to allow no traffic through? I am directly connected to the eth3 port, and have not yet configured wireless; since I switch it on and off on my computer, I would rather not attempt to set it up for the entire router until I get more experienced with the jargon/understanding.

Have you encountered this at all in your testing? I followed the same DNS rules that you did, but from the log files for the VPN, it seems to attempt to set my local DNS:
d.add ServerAddresses * 209.222.18.222 209.222.18.218 set State:/Network/Service/523422D-D506-4238-A77A-F05F8A5E0271/DNS

The Ubiquiti forums are full of people trying to get PIA to work with their router, but none seem to address people who just want to allow the connection through.

corrections

Small corrections in Ubiquiti Home Network.pdf:

section 24, if user updates timezone, remind to save this change.
section 52 page 2, description does not match name 'wifi_iot_local'

Thank you for the excellent document! I really can't wait until I can add an access point to go through the rest of this PDF.


edit: from document dated 01/21/2018

Additional Network Language Clarification

Section 18 on page 26 reads, "This allows us to provide for an additional Network." but should state, "Un-bundling the interface from switch0 enables a separate physical network."

i.e. an additional network can be achieved by adding a logical VLAN but you are choosing to implement an additional network on the physical switch port.

Devices on WiFi IoT segment cannot communicate with each other

First - thanks for the great guide. I have wanted to set something like this up for a long time and the SecurityNow plug for your document shoved me off the fence.

I've configured my setup nearly identical to your guide, with the exception that I added a second UAC-AP-LR on the eth2 rather than configure a wired second network. Everything related to that is working great.

The issue I'm having is that I need to have the devices connected on my WiFi IoT network be able to communicate with each other. I tried editing the Firewall rules related to that segment but nothing I did seems to matter. While I can connect to the internet from the devices, and access them from my Home Network, they cannot ping or resolve each other on the segment.

My use case is that I have a simple web cam running on a Raspberry Pi that I would like to have publicly available via a second server running IIS. I also have some work-related systems that communicate with various sensors I've got running throughout my environment. I need to be able to aggregate the data on those devices to a central host.

I hope I've explained the issue well enough, and thanks again for putting together this guide.

Using Quad9 and dnsmasq

Mike,
thanks for this guide, it made a big difference for me getting started with the erx.
thanks for keeping grc updated on your doings, it was how I found this guide.
Two queries, one quad 9 related.
On quad 9 setup, using dnsmasq, there is a section where you use the cli to allow local hostname resolution. Having done that, my system nameserver is, in order, 127.0.0.1, 9.9.9.9, 149.112.112.112.
I am hoping that is as it should be... Also not sure I've discerned the correct instructions for setting the DNS forwarding; currently I am showing a forwarding list of switch0... that differs from the previous version of your setup where it was eth1, switch0, eth2... again hoping I've understood as you intended.

Another enhancement that I have not succeeded in, is sorting out bonjour broadcasts for enabling my appleprint and appleplay stuff... I would like to keep the internet connections of my players and printers on either the wired or wireless iot nets, but bonjour, I am reading, does not cross subnets... there is a lot of discussion about using the mdns repeater service, where I think I am failing is sorting out the rules in this setup for allowing the multicasts to be accepted by the subnets without blowing open holes I'd rather not ... any insights or help you can offer would be appreciated

not an issue just an observation

First off, AWESOME JOB, Mike. I wish I had this guide rather than the "quick-start" pamphlet that came with the router.

It would be interesting to see something even more "dumbed-down" to my level. I am thinking of instructions that make this Ubiquiti router as easy as the typical D-Link/Netgear/Linksys router. Maybe with all the ports using the same subnet, like what the typical router does.

PDF Typo Section 86-Page 138

It currently shows "This example will involve allowing an SSDP rely from" but I believe you mean relay.

Very useful guide! I am going through it to assist me in setting up our home network. I have two roommates and one works from home, so I'm currently setting him up with his own "work" port and the rest of the house going through the various switches I have located in the house.

Detailed differences between 2019_02_04 and 2019_05_18

2019_05_18 was a pretty big change. I re-configured an ER-X from scratch, updating the guide and screen-shots as I went. Therefore, I've added a new reference backup/config file.

New sections: 4, 32, 38, 39, 40, 58, 75, 78, 82, 83, 84, 85, 86, 87, 88, 90.
Updated sections: 52, 54, 60.
Notable changes: pages 75-78, pages 111-114, 'RFC-1918'.

I've included a document difference, for this release, created with my favorite program "Beyond Compare". I am not affiliated with them. Their exported difference reports are natively generated as html files, but github will not accept html files. I had to print-as a PDF file, and my PC only supports a limited number of sizes. So the attached file is not in an optimal (i.e. wide) format. Hopefully this information is still useful to somebody.

Diffs_2019_02_04 vs 2019_05_18.pdf

-Mike

Small typo in section 23

In section 23 you state:

"I used the same range start and range stop values (38 and 253) that the wan+2lan2 wizard used within the DHCP servers for LAN1 and LAN2."

Should be 38 and 243.

Question Answer And Questions

Hi, many thanks for your most detailed guide. I first got the October version from a random Google search on a random website. I spent some time upgrading and doing basic setup of my router, and now I found your source and updated version!

Before I ask some questions I have an answer to your question in chapter 22. 'How do you restore using the ISP’s resolvers?' I had to figure it out, because other DNS was causing me some troubles and it seems that my ISP DNS is better for now. CLI commands are following (for eth0 as ISP connection):

configure
delete service dns forwarding system
set service dns forwarding listen-on eth0
commit
save
exit

My main question is about your Home Network (192.168.3.X). You have almost no dedicated part for that. Does it mean that the setting (for DHCP and such) is done mainly by the initial Wizard setting and then you modify a thing here and there while configuring other networks? I have a situation with only one LAN and no secure wired network or wired IOT network, and I'll be using two UniFi UAP-LR access points. So I'm mainly interested in more WiFi networks and only one LAN setting. I've stopped at the DHCP setting, because I don't know if I stay with the Wizard setting or I edit it somehow like you did in chapter 18 for eth2?

And the other question is dnsmasq vs ISC. In your October version the dnsmasq was bugged and your only choice was ISC. What is the situation now and what is better to use?

Thank you!
mpeg.

Answer to your question

Hi Mike,
I've reviewed the closed "issues" reported to your excellent guide and don't believe it is already.
So, let me try to give something back :-)

In page 38, you ask "QUESTION: Is there a way to combine the Wired IOT Network and the WiFi IOT Network?"

The hardware switch chip will only support one switch group - but you could theoretically bridge two other ports. This would result in slower throughputs as the bridging is handled in software instead of in hardware. Another downside would be that you need another access point next to the one already in use (which is part of switch0).
As an alternative, you could add a managed switch and assign a VLAN for the combined IOT networks. In the managed switch, you could combine the wired and wireless clients into one network segment (this would require you to move the access point to the managed switch too, so you can assign the various VLANs to the access point there).

So, in my view it would be possible but at some cost.

My question in return would be: what is the reason you would want to combine these?
For my IoT networks the security setup is very restrictive - I only want the IoT devices to access the internet and not have communications between each other.

NAT Hairpin/reflection/loopback rules

Excellent guide (got here via Security Now as I'm sure a lot of people did).

One thing I have been wrestling with is NAT hairpinning and the related firewall rules on the ER-X. I would like devices on my Wifi Guest Net to be able to access services on the Home Wired Network (like Plex, or a web site which are available via the WAN IP and port forwarding).

I have the VLAN isolation working for my WiFi IoT Net and WiFi Guest Net, and the LOCAL rules (for DNS/DHCP) on those networks work as well. But a device connected to the Guest WiFi cannot connect to services on the wired home network.

Could you possibly add a section relating to hairpinning?

Thanks!

Question about communication between two device on VLAN 7

I am trying to set up a SAMBA server on VLAN 7 (WiFi IOT, eth4 switch0.7) and to have other computers access that SAMBA computer, but I cannot get the two devices to ping each other. I can ping all devices from the Wired Home network (eth3). The configuration is as explained in the documentation, with the exception of Quad9 used instead of OpenDNS.

config.boot.zip

Subnet decisions?

Hi,

Thanks for such a comprehensive guide! I'm only just starting to work through it and am learning some new things as I go, but there's one thing I'm not clear on and wonder if you would mind clarifying for me?

If I understand correctly, the "Wired Home Net" and "Wifi Home Net" are in the same subnet and VLAN so any Home device can communicate with any other Home device (wired or wifi).

Networks            Wired Home Device   Wifi Home Device
Wired Home Device   Allowed             Allowed
Wifi Home Device    Allowed             Allowed

This doesn't appear to be the case for the "Wired IOT Net" and "Wifi IOT Net". They look to be on separate subnets/VLANs. Am I right in thinking that a wired IOT device will be able to communicate with another wired IOT device and a wifi IOT device will be able to communicate with another wifi IOT device, but a wired IOT device will not be able to communicate with a wifi IOT device?

Networks            Wired IOT Device    Wifi IOT Device
Wired IOT Device    Allowed             Disallowed
Wifi IOT Device     Disallowed          Allowed

In which case do we essentially have two completely separate IOT networks? If so, is there any particular reason why it's set up this way? Why not put them on the same subnet/VLAN, like the Home Networks?

Quad 9 Replacement with 1.1.1.1

Using Steve Gibson's DNS Benchmark shows a rather slow DNS result when the EdgeRouter X is configured as in the PDF. I learned quite a bit going through the PDF, so I can probably just reconfigure this myself, but I thought I'd mention it here, since there might be a change offered in the next revision of the PDF.

DNS Benchmark screenshot (https://i.stack.imgur.com/UUzza.jpg): 9.9.9.9 is slow and 192.168.3.1 is slow.

backup file that matches manual

I followed the config up to section 64 - setting up UniFi. When I plugged my UniFi into eth4, my browser didn't see any devices. So I tried plugging the UniFi into my laptop, and the browser saw the UniFi. I wasn't sure if my EdgeRouter was set up correctly. When I tried to connect to the router, I couldn't. On eth1 the EdgeRouter would assign an IP to me, but I couldn't get to the GUI. On ports eth2, eth3, eth4 I didn't even get an IP. So I did a factory reset. Then I thought I could just upload the file edgeos_ubnt_20170221.tar.gz to my router, hoping this was the same as the config in the manual, but I didn't get any IPs assigned to any ports. So I factory reset again. Is there a backup file that matches the manual?

Troubleshooting ER-X filters?

Have had my ER-X for several weeks now set up per your excellent document and it's working great! Have forwarded several folks towards your write-up and the ER-X.

Quick question - is there a troubleshooting procedure document you can recommend for troubleshooting ER-X filters?

I've got an NTP server on my IOT_wired, and while the clients on Home_Net can see and sync to it without issue... when I issue the "remote" ntpq -p 192.168.4.50 (where 4.50 is the NTP server) I get no response, like it's being filtered. Opening up the NTP UDP port (as well as opening it up to both UDP and TCP) didn't help. I'm probably doing something brain-dead... but have no idea how to troubleshoot where the cute little packets are getting lost. :)

thanks much,
ben

Can't find info on Multi APs and Managed switches

The description for the Ubiquiti Home Network.pdf states 'Added Multi AP / Managed SW Info.', but I don't seem to be able to find the info in the pdf. It seems that it is the same version from before, but I am not sure if I am missing it.

Thanks for a great guide!

Devices Unable to Access certain sites on WiFi Guest or WiFi IoT

Thank you very much, Mike for the amazing guide. You have made low cost, secure and flexible networking for those with minimal networking skills - like me.

Knowing you have spent a lot of time on the Guide and fielding questions from users, I tried for hours and hours to see if I could figure out the solution to the problem, but I give up. I do not believe this is an "issue" but ignorance on my part. Background, I have an EdgeX router, loaded with your latest configuration and a UniFi AP.

The problem is certain sites do not load using a computer or IoT devices cannot communicate with a website. Google.com and yahoo.com load fine. When trying to reach microsoft.com I receive a cannot communicate with server error; amazon.com I receive an invalid security certificate.

Thank you or others in advance for any help.

bestcea

Error in firewall rules and section 66

Hope it's OK to leave these here, only small problems.

In your firewall rules your description reads '... reples', should be 'replies'.

Section 66

The Open Properties Button is on the 'Devices' screen, not the 'Dashboard'.

Thanks for a great guide, I've just gone all the way through and configured my ER-X and it worked flawlessly. Learnt a load too.

Regards.

VLAN Aware Switches

Do you know of any low-cost VLAN aware switches? Do they need to be configured separately? Would it be less painful to get the Unifi Switches?
