VPN and VLAN with Ubiquiti EdgeRouter X
Introduction
After moving into a new house I needed to adapt my network to a larger area to cover with WIFI and a different physical layout. This time I'm documenting it so I won't forget what I learned. One of the features of this house is that there are ethernet cables from the utility closet to each room that matters. Unfortunately there is only one cable to each room. I want a main network, a VPN and a guest network isolated from the main network. This is how I did it.
Physical setup
Physically my network has a basic two-tier star layout: a central node, connected to Telenet's cable modem, which distributes to a device in each room/floor. The figure below contains more detail. The central node is a Ubiquiti EdgeRouter X. Both of my room/floor devices are TP-Link devices running OpenWRT. Strictly speaking they could both function as the EdgeRouter X does. Being refurbished, however, they have been demoted to a switch/access point role.

Logical setup
The general aim is to have a single connection to the internet with NAT and multiple networks behind it:
- Main network: 192.168.2.0/24
- Guest network: 192.168.42.0/24
- VPN network: 10.10.10.0/24
Getting there
Basic setup
I started from the basic setup wizard that comes with EdgeOS. It lets you select the internet side of your connection and sets up a subnet behind NAT (masquerading). It also sets up IPv6 prefix delegation for you. This worked out of the box on my Telenet modem-only setup. The result is a dashboard looking like this:

Note the LAN ip being applied to the 'switch0' interface.
Firewall
As the default firewall looked somewhat clunky I decided to go for the fully fledged zone-based firewall. Unfortunately this is not fully supported in the GUI of EdgeOS, so we'll have to connect over SSH and configure it from the CLI. There's an added advantage to using the CLI to configure the EdgeRouter. In the process of figuring out the firewall I locked myself out several times. Luckily the CLI has a two-phase save. First you make your changes active with the 'commit' command, then you persist them across reboots with 'save'. If you lock yourself out before saving you can simply reboot the router and fix the problem. The basic firewall setup has two zones: WAN and LAN. There is a third zone, local, for the device itself.
We will first define some rulesets (primitives) that we will later attach to the traffic between each pair of zones.
Let's start with the first primitive: a ruleset that drops everything except traffic belonging to already established connections, logging what it drops. We need one for IPv4 and one for IPv6; the IPv6 variant additionally accepts ICMPv6 (rule 100), without which IPv6 neighbour discovery and router advertisements do not work.
```
configure
edit firewall name allow-est-drop-inv
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
top
edit firewall ipv6-name allow-est-drop-inv-6
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
set rule 100 action accept
set rule 100 protocol ipv6-icmp
top
```
The next primitive allows all connections. It is a copy of the first with the default action flipped to accept and the default logging removed; rule 2 still drops invalid packets.
```
edit firewall
copy name allow-est-drop-inv to name allow-all
set name allow-all default-action accept
delete name allow-all enable-default-log
top
edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name allow-all-6
set ipv6-name allow-all-6 default-action accept
delete ipv6-name allow-all-6 enable-default-log
top
```
The last primitive allows ICMP, DNS and DHCP only, on top of the established/related traffic of the first primitive.
```
edit firewall
copy name allow-est-drop-inv to name lan-local-out
edit name lan-local-out
set rule 100 action accept
set rule 100 protocol icmp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 67,68
set rule 700 protocol udp
top
edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name lan-local-out6
edit ipv6-name lan-local-out6
set rule 100 action accept
set rule 100 protocol ipv6-icmp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 67,68
set rule 700 protocol udp
top
```
Note that the IPv6 copy must reference the ruleset by its exact name, allow-est-drop-inv-6; a misspelt source name makes the copy fail and leaves lan-local-out6 empty.
We can now attach the appropriate primitive to each zone.
The local-zone i.e. the device itself:
```
edit zone-policy zone local
set default-action drop
set local-zone
set from WAN firewall name lan-local-out
set from WAN firewall ipv6-name lan-local-out6
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top
```
LAN is allowed to connect to anything on the router. WAN is only allowed ICMP, DNS and DHCP. DHCP is necessary to acquire an address from your ISP: the offers arrive before any connection-tracking state exists, so the established/related rule does not cover them. ICMP, and ICMPv6 in particular, is needed for the IPv6 side (router advertisements and neighbour discovery) to work. The DNS rule deserves a second look: the router's own lookups are replies to queries it sent and are already accepted by rule 1, so rule 600 only matters if the router should answer DNS queries from the internet, which it should not. It is harmless as long as the DNS forwarder only listens on the LAN side (in configuration mode, `show service dns forwarding` should list switch0 alone under listen-on), and the same ruleset is reused below for the guest network, where the DNS rule is needed. Note also that rule 700 only covers DHCPv4 (UDP 67/68); DHCPv6, which prefix delegation uses, runs on UDP 546/547, so if IPv6 stops working after switching to the zone firewall, the default-drop log of lan-local-out6 is the first place to look.
The next zone is the WAN zone.
```
edit zone-policy zone WAN
set default-action drop
set interface eth0
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top
```
This configures the WAN zone to accept traffic freely from both LAN and the router itself. It also binds the WAN zone to eth0.
The last zone (for now) is the LAN zone.
```
edit zone-policy zone LAN
set default-action drop
set interface switch0
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top
```
This configures the LAN zone to accept traffic from WAN only when it belongs to a connection that a LAN member initiated. The router itself is allowed to connect to the LAN without restrictions.
Now that the new firewall rules are in place we can delete the old ones that the wizard created. The zone policy and the per-interface firewall assignment cannot coexist, so the eth0 assignment has to go.
```
delete interfaces ethernet eth0 firewall
delete firewall name WAN_IN
delete firewall name WAN_LOCAL
delete firewall ipv6-name WAN_IN
delete firewall ipv6-name WAN_LOCAL
```
Now test your changes by running
```
commit
```
If everything keeps working, persist the configuration across reboots by running
```
save
```
It's important to be conservative when using save. I managed to lock myself out several times when setting this up. Rebooting because I hadn't saved yet saved my bacon many times.
VPN
The next step is to add a VPN so I can access my network from the outside. There's a myriad of articles on how to set up an OpenVPN instance with certificates, so I'm only focusing on the challenges of doing so on an EdgeRouter X.
The setup for the server side is like this:
```
configure
set interfaces openvpn vtun1
set interfaces openvpn vtun1 description "OpenVPN server"
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 encryption aes256
set interfaces openvpn vtun1 hash sha256
set interfaces openvpn vtun1 server topology subnet
set interfaces openvpn vtun1 server subnet 10.10.10.0/24
set interfaces openvpn vtun1 server push-route 192.168.2.0/24
set interfaces openvpn vtun1 server name-server 192.168.2.1
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun1 tls cert-file /config/auth/host.pem
set interfaces openvpn vtun1 tls key-file /config/auth/host-decrypted.key
set interfaces openvpn vtun1 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun1 openvpn-option "--port 1194"
set interfaces openvpn vtun1 openvpn-option --tls-server
set interfaces openvpn vtun1 openvpn-option "--comp-lzo yes"
set interfaces openvpn vtun1 openvpn-option --persist-key
set interfaces openvpn vtun1 openvpn-option --persist-tun
set interfaces openvpn vtun1 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
commit
```
The default OpenVPN cipher (BF-CBC) and HMAC (SHA1) are weak by today's standards, so they are raised to AES-256 and SHA-256 here with `encryption aes256` and `hash sha256`. Two of the extra options are worth reconsidering. `--comp-lzo yes` turns on compression, which is exactly what the VORACLE class of compression-oracle attacks against VPNs exploits; current OpenVPN guidance is to leave compression off, and if you remove it here it has to be removed on the clients as well. `--tls-server` is implied by `mode server`, so it is harmless but redundant. A tls-auth key (or tls-crypt on OpenVPN 2.4 and later) would additionally make the server drop unauthenticated packets before the TLS handshake starts, which hides the port from scanners and takes pressure off the TLS stack.
The certificate files are placed deliberately in /config because that directory is included in the EdgeRouter's backup mechanism. The flip side is that every backup then contains the unencrypted server key (host-decrypted.key), so backups have to be stored and transferred as carefully as the key itself.
If you were to connect now it wouldn't work, because the firewall still needs to be configured.
The first step is a modification to the rules for incoming connections to the router itself: UDP port 1194 needs to be accepted in the rulesets that WAN uses towards local, lan-local-out for IPv4 and lan-local-out6 for IPv6. Add the rule to both so clients can connect over either address family. Because those same rulesets are reused for the guest network later on, guests will be able to reach the OpenVPN port too; that is acceptable for a certificate-authenticated service, but use a separate copy of the ruleset for WAN if you would rather not.
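The matching client side is not in the original post. The following client configuration is an added example that mirrors the server options above: vpn.example.org stands in for the router's public address, and ca.crt, client.crt and client.key are assumed to be the CA certificate from /config/auth/cacert.pem and a client certificate issued by that CA. The `remote-cert-tls server` line requires the server certificate to carry the TLS server authentication extended key usage; leave it out if host.pem was issued without it.

```text
# client.ovpn (added example; hostname and file names are placeholders)
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# must match the server: EdgeOS "encryption aes256" / "hash sha256"
cipher AES-256-CBC
auth SHA256
# must match "--comp-lzo yes" on the server; remove on both sides to disable compression
comp-lzo yes
# refuse to talk to a peer whose certificate was not issued for server use
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3
```

With `topology subnet` on the server, each client receives one address from 10.10.10.0/24 and the pushed route for 192.168.2.0/24; everything else keeps using the client's normal internet connection.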
```
set firewall name lan-local-out rule 800 description "Allow OpenVPN"
set firewall name lan-local-out rule 800 action accept
set firewall name lan-local-out rule 800 destination port 1194
set firewall name lan-local-out rule 800 protocol udp
set firewall ipv6-name lan-local-out6 rule 800 description "Allow OpenVPN"
set firewall ipv6-name lan-local-out6 rule 800 action accept
set firewall ipv6-name lan-local-out6 rule 800 destination port 1194
set firewall ipv6-name lan-local-out6 rule 800 protocol udp
```
Now we can connect but we won't be able to do much because everything is still firewalled.
We first need to create a VPN zone.
```
edit zone-policy zone VPN
set default-action drop
set interface vtun1
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top
```
Basically the VPN zone is the same as the LAN zone; in addition it accepts traffic from LAN. Nothing is added to the WAN zone for VPN, and the server only pushes a route for 192.168.2.0/24, so clients reach the home network through the tunnel and keep using their own internet connection for everything else (split tunnel). Full-tunnel clients would need `from VPN` rulesets on the WAN zone as well, plus a pushed default route.
The other zones need tweaking to accept traffic from VPN.
```
edit zone-policy zone LAN
set from VPN firewall name allow-all
set from VPN firewall ipv6-name allow-all-6
top
```
```
edit zone-policy zone local
set from VPN firewall name allow-all
set from VPN firewall ipv6-name allow-all-6
top
```
Commit, test and save et voila VPN.
Guest network
Now I want to add a guest network spanning both my access points that is distinct and isolated from my main network. The solution is a VLAN with id 3 carried across the network: the access points tag guest traffic with VLAN 3 over the single cable, and the EdgeRouter terminates it on a VLAN interface with its own subnet, DHCP and firewall zone.
Wireless router config
The first job is to create an additional SSID on one of the radios. All my wireless radios are on OpenWRT devices, but DHCP and routing to WAN will live on the EdgeRouter.
In LuCI on the OpenWRT routers creating a new SSID is pretty easy.

Enter the new SSID and a network name (e.g. guest) in the create box. Afterwards the configuration looks something like the screenshot (with an SSID).
This will create a new interface which we will modify.
Select the interface and go to the Physical settings tab.

We'll create a bridge over the wireless adapter and the eth0.3 interface, the VLAN 3 sub-interface of the port that faces the EdgeRouter.
In the main tab the interface should either have no address or receive one through DHCP.
In the Advanced tab make sure to uncheck Use default route. Otherwise, if the interface obtains an address, packets received on the other interface (the one you are currently configuring the device over) will be routed out through the guest network and you may lock yourself out of the device.
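The same OpenWRT setup expressed as UCI configuration files, as an added example (not from the original post) for anyone who prefers the files to the LuCI screens. It assumes the legacy (pre-21.02) netifd syntax with `ifname` and `type bridge`, radio0 as the radio, switch port 0 as the uplink to the EdgeRouter and port 5 as the CPU port; the port numbers differ per TP-Link model, and `swconfig dev switch0 show` lists the real ones.

```text
# /etc/config/network (fragment, added example; port numbers are assumptions)
# Tag VLAN 3 on the uplink and CPU port: this is what makes eth0.3 exist.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5t'

# Bridge eth0.3 with the guest SSID. proto none: the access point itself gets
# no address on the guest network, so guests cannot reach its management UI.
# With proto dhcp instead, add "option defaultroute '0'" (Use default route off).
config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.3'
        option proto 'none'

# /etc/config/wireless (fragment, added example)
# isolate 1 stops guest clients from talking to each other over the air.
config wifi-iface 'guest_ap'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'Guest'
        option encryption 'psk2'
        option key 'change-me-guest-passphrase'
        option isolate '1'
```

After editing the files, `/etc/init.d/network reload` followed by `wifi` applies the change; `proto none` also means the bridge never competes with the management interface for a default route, which sidesteps the lock-out described above.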

Routing config
VLAN
On the dashboard you can add a VLAN interface on switch0 with id 3.
Next we make switch0 VLAN-aware and make eth2 and eth4 (the ports the access points hang off) accept tagged traffic for VLAN id 3. Don't configure any pvid, so untagged traffic on those ports keeps going to the main network as before.
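The dashboard steps above in CLI form, plus the DHCP server and DNS forwarder for the guest network that the post does not show but that guests need to get an address and name resolution. This is an added example, not configuration from the original post; GUEST as the network name, the .100 to .200 lease range and the lease time are assumptions, as is that the wizard's masquerade rule matches any source (check with `show service nat` before relying on it). Lines starting with # are annotations, not commands.

```text
configure
# VLAN 3 on the internal switch, with the guest gateway address
set interfaces switch switch0 vif 3 description "Guest"
set interfaces switch switch0 vif 3 address 192.168.42.1/24
# make the switch VLAN-aware and tag VLAN 3 on the ports towards the access points (no pvid)
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth2 vlan vid 3
set interfaces switch switch0 switch-port interface eth4 vlan vid 3
# hand out guest addresses and point guests at the router for DNS (assumed range and lease)
set service dhcp-server shared-network-name GUEST authoritative enable
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 default-router 192.168.42.1
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 dns-server 192.168.42.1
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 lease 86400
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 start 192.168.42.100 stop 192.168.42.200
# the forwarder must listen on the VLAN interface, otherwise guests get no name resolution
set service dns forwarding listen-on switch0.3
commit
```

Only listen-on for switch0.3 is added; the forwarder deliberately stays off eth0 so the DNS rule in lan-local-out never exposes a resolver to the internet.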

Firewall
We need another zone for the guest LAN.
```
edit zone-policy zone LAN2
set default-action drop
set interface switch0.3
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top
```
No ruleset is attached between LAN2 and LAN (or VPN) in either direction, so the default-action drop of each zone is what isolates the guest network from the main network. Then we need to allow guest traffic to WAN.
```
edit zone-policy zone WAN
set from LAN2 firewall name allow-all
set from LAN2 firewall ipv6-name allow-all-6
top
```
local should treat LAN2 like WAN and only allow ICMP, DNS and DHCP (the lan-local-out rulesets), so guests get an address and name resolution from the router but nothing else.
```
edit zone-policy zone local
set from LAN2 firewall name lan-local-out
set from LAN2 firewall ipv6-name lan-local-out6
top
```
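With five zones the matrix of zone pairs is easy to get wrong, and every pair without a ruleset silently falls through to default-action drop, which is how most of the lock-outs described in the firewall section happen. The following checker is an added example (not part of the original post) that covers the zone policy built up in the firewall, VPN and guest sections: it parses `set zone-policy ...` lines in the form that `show configuration commands` prints, and reports, for every ordered pair of zones, which rulesets are attached, which pairs are dropped, and which pairs have an IPv4 ruleset but no IPv6 one (or vice versa). The embedded sample configuration is constructed from the zone commands in this post after the VPN and guest steps.

```python
import re
from collections import defaultdict

# Constructed sample: the zone policy of this post after the VPN and guest
# sections, in the "set ..." form that `show configuration commands` prints.
SAMPLE_CONFIG = """\
set zone-policy zone local default-action drop
set zone-policy zone local local-zone
set zone-policy zone local from WAN firewall name lan-local-out
set zone-policy zone local from WAN firewall ipv6-name lan-local-out6
set zone-policy zone local from LAN firewall name allow-all
set zone-policy zone local from LAN firewall ipv6-name allow-all-6
set zone-policy zone local from VPN firewall name allow-all
set zone-policy zone local from VPN firewall ipv6-name allow-all-6
set zone-policy zone local from LAN2 firewall name lan-local-out
set zone-policy zone local from LAN2 firewall ipv6-name lan-local-out6
set zone-policy zone WAN default-action drop
set zone-policy zone WAN interface eth0
set zone-policy zone WAN from LAN firewall name allow-all
set zone-policy zone WAN from LAN firewall ipv6-name allow-all-6
set zone-policy zone WAN from local firewall name allow-all
set zone-policy zone WAN from local firewall ipv6-name allow-all-6
set zone-policy zone WAN from LAN2 firewall name allow-all
set zone-policy zone WAN from LAN2 firewall ipv6-name allow-all-6
set zone-policy zone LAN default-action drop
set zone-policy zone LAN interface switch0
set zone-policy zone LAN from WAN firewall name allow-est-drop-inv
set zone-policy zone LAN from WAN firewall ipv6-name allow-est-drop-inv-6
set zone-policy zone LAN from local firewall name allow-all
set zone-policy zone LAN from local firewall ipv6-name allow-all-6
set zone-policy zone LAN from VPN firewall name allow-all
set zone-policy zone LAN from VPN firewall ipv6-name allow-all-6
set zone-policy zone VPN default-action drop
set zone-policy zone VPN interface vtun1
set zone-policy zone VPN from WAN firewall name allow-est-drop-inv
set zone-policy zone VPN from WAN firewall ipv6-name allow-est-drop-inv-6
set zone-policy zone VPN from local firewall name allow-all
set zone-policy zone VPN from local firewall ipv6-name allow-all-6
set zone-policy zone VPN from LAN firewall name allow-all
set zone-policy zone VPN from LAN firewall ipv6-name allow-all-6
set zone-policy zone LAN2 default-action drop
set zone-policy zone LAN2 interface switch0.3
set zone-policy zone LAN2 from WAN firewall name allow-est-drop-inv
set zone-policy zone LAN2 from WAN firewall ipv6-name allow-est-drop-inv-6
set zone-policy zone LAN2 from local firewall name allow-all
set zone-policy zone LAN2 from local firewall ipv6-name allow-all-6
"""

ZONE_RE = re.compile(r"^set zone-policy zone (\S+) (?:default-action|interface|local-zone)\b")
FROM_RE = re.compile(r"^set zone-policy zone (\S+) from (\S+) firewall (name|ipv6-name) (\S+)$")


def parse_zone_policy(text):
    """Return (zones, rules): zones is the set of zone names, rules maps
    (to_zone, from_zone) -> {"name": v4 ruleset, "ipv6-name": v6 ruleset}."""
    zones, rules = set(), defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:
            zones.add(m.group(1))
            continue
        m = FROM_RE.match(line)
        if m:
            to_zone, from_zone, family, ruleset = m.groups()
            zones.update((to_zone, from_zone))
            rules[(to_zone, from_zone)][family] = ruleset
    return zones, dict(rules)


def audit(zones, rules):
    """One (to_zone, from_zone, verdict) per ordered pair of distinct zones.
    "drop": no ruleset attached, so the zone's default-action applies.
    "v4-only"/"v6-only": one address family has a ruleset, the other silently drops."""
    out = []
    for to_zone in sorted(zones):
        for from_zone in sorted(zones):
            if to_zone == from_zone:
                continue
            fam = rules.get((to_zone, from_zone), {})
            if not fam:
                verdict = "drop"
            elif "name" in fam and "ipv6-name" in fam:
                verdict = "v4:%s v6:%s" % (fam["name"], fam["ipv6-name"])
            elif "name" in fam:
                verdict = "v4-only:%s" % fam["name"]
            else:
                verdict = "v6-only:%s" % fam["ipv6-name"]
            out.append((to_zone, from_zone, verdict))
    return out


def dropped_pairs(text):
    """Zone pairs that fall through to default-action drop: each is either
    intended isolation or a lock-out waiting to happen."""
    zones, rules = parse_zone_policy(text)
    return [(t, f) for t, f, v in audit(zones, rules) if v == "drop"]


if __name__ == "__main__":
    zones, rules = parse_zone_policy(SAMPLE_CONFIG)
    for to_zone, from_zone, verdict in audit(zones, rules):
        print("%-5s <- %-5s  %s" % (to_zone, from_zone, verdict))
```

On the sample the dropped pairs are LAN from LAN2, LAN2 from LAN, LAN2 from VPN and VPN from LAN2 (the intended guest isolation) and WAN from VPN (the split tunnel). To run it against a live router, paste the output of `show configuration commands | match zone-policy` in place of the sample; any "v4-only" or "v6-only" verdict is a pair that works over one address family and is silently dropped over the other.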
Conclusion
We have set up a basic internet connection, an OpenVPN service and a guest network on a constellation of a Ubiquiti EdgeRouter X and two TP-Link routers running OpenWRT. The next challenge is to configure the VLAN to allow the Digibox to be directly connected to the Telenet modem. I am still working on that.