Ubiquiti EdgeRouter Lite (UBNT ERLite-3) Update - still works great for my family, and for my VMware vSphere, Windows, and Linux home lab

Posted by Paul Braren on Jul 11 2017 (updated on Sep 6 2017) in
  • Networking
  • VMware
  • ESXi
  • HowTo
  • HomeLab

    This article was originally intended for my audience at The Greater Boston Network Users Group at their July 11th meetup. Until I'm able to do a complete configuration walk-through, this spot in a recent "Network Enthusiast" EdgeRouter video I created gives you a good look at how DNS is supposed to work in Windows + Linux and/or VMware vSphere environments, using only this little metal box router, no Microsoft AD/DNS/DHCP required!


    This Ubiquiti EdgeRouter Lite (aka, UBNT ERLite-3) is available at Amazon and Newegg.

    Product Page

    • Ubiquiti EdgeRouter Lite
      Steve Gibson brags about his beloved $65 "EdgeRouter X" on many Security Now podcast episodes, an even smaller router that uses the same firmware family. But the EdgeRouter X doesn't specify that it can also do a million packets per second. I wanted something fast enough for my home's 300Mbps/30Mbps connection, with a bit of future-proofing for even faster internet speeds someday. Even with a year of daily heavy use already behind me, I don't suspect I'll want or need to swap my ERLite-3 for some years to come.

    EdgeOS User Guide

    EdgeRouter Datasheet

    Firmware Download

    Status Update

    The ERLite-3 has been around since 2013, and is still pictured in its original plastic body on Amazon. They're made of metal now, and have gained a lot of functionality since then through regular firmware updates, see the full history here. This "networking enthusiast" router has enjoyed a lot of popularity in the market, with mostly-favorable reviews on Amazon and on Ubiquiti's forum. I've personally owned two of these little ~$90 routers for about a year, one dedicated to my traveling home datacenter (pictured at right), and the other used heavily full time by my entire family, with better reliability than every consumer router I've used before it.

    ETH0 at left is connected to my cable modem, ETH1 is connected to my gigabit switch, and one of my 3 eero Wi-Fi devices is pictured at right, using SlimRun gigabit wired backhauls to the same gigabit home network.

    I rely on my ERLite-3 for all my home network routing, DNS, and DHCP functions, leaving the Wi-Fi duties to my wired-backhaul eero 3-pack Wi-Fi that I configured for bridge mode. This combination, wired up to my DOCSIS 3.0 SB6183 cable modem, gives me a consistent 300 Mbps down and 30 Mbps up from anywhere in my home, whether I'm wired or wireless. Hard not to be happy with that.

    The deployment overview will hopefully help newbies make this little metal box behave much more consumer-router-like. Don't bother configuring the router with the default firmware, update it first! All the steps are detailed below.

    Firmware - Current Version

    Download here. This is the latest release; it arrived in April 2017 and was just a security update, with no new features since December 2016's 1.9.1 release. Read all about it in the forums and release notes. You can also see future release announcements at the EdgeMAX Updates Blog, which even features a handy RSS feed.


    1.9.7 is in beta now; sign up for access to the beta forums. When 1.9.7 is released, it might not have the DNS shortname fix incorporated, and it won't have the OpenVPN vulnerability fixes, but 1.9.7-hotfix.1 will.


    Future release with many new features and fixes. Date TBD.

    VPN server

    L2TP IPsec VPN Server

    It works: both the split-tunnel and tunnel-all settings from iOS, tested over LTE, work just fine, but:

    1. it can't be used in conjunction with UPnP, which causes only the first tunnel connection to work; subsequent connections from the same or any other device require a router reboot. Note that UPnP shouldn't be turned on anyway, which I explained back in my consumer router days here and here.

    OpenVPN vulnerabilities

    I personally haven't gone through the admittedly better, but more complex, OpenVPN configuration process. But those who have may have spotted that some OpenVPN vulnerabilities were recently discovered by Guido Vranken's fuzzing techniques, see:


    with OpenVPN patches already released for OpenVPN's installable versions of VPN servers intended for actual servers (not this router). The Hyper-V and ESXi Virtual Appliances have unfortunately been neglected since the 3rd quarter of 2016, which is a shame, since I used to enjoy the occasional use of that OpenVPN VMware appliance, see also:

    Implementation of dnsmasq coming soon, we hope

    • dnsmasq seems more desirable for DNS/DHCP, since it may eliminate duplicate DNS admin overhead (see screenshots below), but it won't be available until the 2.x firmware release. Correction: see the Jul 31 2017 update below!

    How to properly configure DHCP and DNS for mixed-OS home labs

    Meanwhile, while we wait for Ubiquiti to get to 2.x, there is a very workable way to have robust DHCP and DNS (not DDNS) for your current Windows, Linux, and VMware hypervisors & VMs. I've been using this method extensively for a year now, and it hasn't let me down on the ERLite-3. While these weren't the most intuitive steps for me to figure out initially (dogged determination/trial-and-error), now that they're documented, implementing them is easy.

    For proper VMware forward (both FQDN and shortname) and reverse (IP) DNS lookups, which also happens to let Windows and Linux systems get to know one another on a first name, full name, or IP basis, here are the steps.

    Prepare your router

    1. Download latest firmware

      If your ERLite-3 is new, be sure to update the firmware first, before bothering to configure anything at all! 1.9.1 is available here, with a video that guides you through the simple firmware update process here, using a laptop/PC/Mac directly attached to eth1.

      EdgeMAX - Upgrade Firmware via Web GUI
    2. Reboot

      When the firmware update is complete, you will be prompted to reboot.

    3. Use the Setup Wizard to turn it into a consumer-like router

      a. Click on the Wizards tab; along the left edge, under Setup Wizards, choose WAN+2LAN2.
      b. under Internet port (eth0)
      c. Under Firewall, ensure the Enable the default firewall checkbox is on.
      d. Under LAN port (eth1) is where you create your network router/gateway IP address and subnet mask; most will like the defaults of /
      e. Under (Optional) Secondary LAN port (eth2) is where you create a second network router/gateway IP address and subnet mask. Most home and SOHO users won't need this, and will choose to uncheck the Enable the DHCP server checkbox like I did. Some may choose to isolate their Wi-Fi access points onto this separate network if they can run a backhaul cable right to this port (or via a switch), giving them better visibility into just the traffic generated by their Wi-Fi devices using the EdgeMAX Traffic Analysis tab, a live overview of traffic flow that leverages the optional Deep Packet Inspection (DPI), which doesn't seem to slow traffic down at all.

    4. Create a DHCP Reservation

      a. Power up your network-connected device, which by default will request a DHCP lease.
      b. In your ERLite-3 Web UI, navigate to
      DHCP Server / Actions / View Leases / Map Static IP [change the IP and/or Name to those desired] / Save / Close

    5. Create a DNS shortname/FQDN/IP entry

      a. In your ERLite-3 Web UI, navigate to
      Wizards / DNS host names / Static host names / Host name [enter FQDN name] / Alias [enter short name] / IP Address [enter your available IP Address], then click OK

    Admittedly, implementing the DHCP reservations and making the name entry is easy enough, it's maintaining the discipline to make all future changes in both places that is a bit tougher. Maybe dnsmasq will change all that, hopefully eliminating the need to both create a lease entry and create a duplicate DNS entry. But in all releases to date, the DHCP Lease GUI doesn't yet support dnsmasq.


    Taken with firmware loaded.

    The main Dashboard view is what you see when you first log into the router with your browser.
    The Traffic Analysis view is available because I've turned on Deep Packet Inspection and left it on, which seemingly hasn't slowed things down at all.
    DHCP Server Static MAC/IP Mapping view.
    DNS hosts names wizard.

    Jul 31 2017 Update

    New firmware has arrived! See Release Notes v1.9.7, forum thread, and ERLite-3 download.

    I have not finished testing v1.9.7 yet, but these two lines in the notes looked very promising:

    [Dnsmasq] Fix bug when DHCP leases were not showing if dnsmasq was enabled
    [Dnsmasq] Preserve lease file after reboot. Discussed here

    as well as this comment by VMVN4565 in this forum post:

    ER-X SFP updated fine via GUI.

    so I dove right in and did the upgrade on my second router, the one used for my traveling home datacenter demonstrations. I will update this post accordingly as I learn how this firmware release behaves. So far, implementing dnsmasq isn't quite as it's documented by Ubiquiti here:

    • EdgeRouter - Using dnsmasq for DHCP Server
      See also the screenshot below. This particular section seemed promising, making me very glad I might not have to wait for a v2.x release to get dnsmasq with a GUI after all, and that the move might be eased by this automatic migration:

      When using dnsmasq, the entries configured under "static-mapping" will be translated to statically assigned A records in dnsmasq (using the dnsmasq host-record directive). If a client with a static-mapping entry sends a DHCP request with a different client-name, that client-name will be ignored.

    My first tests seem to be going well, so far, with all static DHCP leases migrated over to the dynamic section, just as the above paragraph describes. In other words, I can now just pick my new device's DHCP lease from the GUI, set a reserved IP for it, and I'm done. No more duplicate efforts to add them to the Wizard / DNS host name / Static host names area anymore, they automatically appear in the Dynamic host names area right below it. Nice! I can't get shortname DNS queries to work yet though, but FQDN and reverse are working just fine.

    Reading the forum posts further, this comment looks more worrisome to me:

    After an upgrade from v1.9.1 to v1.9.7 Hairpin NAT does not work.

    so this is something I'll definitely need to test, as I use hairpinning regularly. I'll also be re-testing IPSEC and maybe even a secure way to configure UPnP for use with whole-home network usage monitoring via NetWorx, we'll see. With, turning on UPnP would cause my IPSEC VPN to only work once, with all subsequent connection attempts failing.

    On July 31 2017, I began upgrading my TinkerTry home network from to 1.9.7, after making sure I had my current configuration saved of course!
    Me testing literal copy-and-paste of Ubiquiti's instructions, just to see what happens.

    This is what happens if you take every line of instruction way too literally, just me testing it verbatim, ready to reset to known-good easily at any point I scrogg things. I have some more tweaking of their instructions to do, to get this right. I do wish there was a GUI for this migration from ISC DHCPD to dnsmasq.

    Aug 01 2017

    Testing still underway. Rather important I get lab testing right, so when I deploy it into "production," aka, running my family's home network, it better run well! It also has to do all the basics I need it to do for all my VMware vSphere infrastructure and VMs as well, keeping my Linux and Windows OSs talking to one another on a first name and full name (FQDN) basis.

    My plan is to help refine and simplify the entire process of configuring this router when it's first unboxed, greatly improving the out-of-box experience for new owners, especially those trying to configure a VMware VCSA-friendly network (forward FQDN and shortname & reverse lookups), with no need for Active Directory or Windows Server licenses, and no Linux skills required. Might be a pipe dream, but I try!

    This is a heavily modified version of Ubiquiti's procedure, adapted to my home network, which doesn't feature several of the items the original author uses in his example. I am:

    • using the Feature Wizard named WAN+2LAN2, and was at firmware v1.9.1.1 on my ERLite-3
    • using a domain named lab.local
    • using a System name server (found in the "System" button at the bottom, under "Name Server", "System name server:")
    • my router is set to, but many folks may prefer
    • using ETH1 (I'm not using ETH2)
    • using no VLANs (removed 2nd line of step 3)
    • ok with the author's use of Google DNS, so I stuck with it; it avoids the need for you to look up the name of your ISP's DNS, but I realize some may prefer to use OpenDNS
    • already have a system domain name (removed step 5)
    • already have a DHCP domain in use that works fine, with no need to create new ones (removed step 6)
    • already use just the webUI for all DHCP reservations, and after the upgrade, I removed all the Static host mappings anyway, since they were all auto-migrated to the Dynamic host names area, and from here forward, I just fire up a new device, find it in DHCP leases, give it a reservation, and I'm done, forward and reverse lookup instantly work from all Windows and Linux PCs and VMs on my network! This all boils down to the shorter instruction set below.

    Disclaimer: I'm no networking expert. While you may find these instructions helpful, they are published here for informational purposes and my own reference. I cannot possibly provide support should you run into issues; there's so much that can go wrong. Please instead post your v1.9.7 question(s) in UBNT's excellent forum.

    Step 1: Back up your configuration

    Click on the System button along the bottom edge of the Web UI.
    Select Configuration Management & Device Maintenance / Back Up Config / Download backup config file / Download and save the file in a secure location.

    Step 2: Establish a baseline


    Here I demonstrate that I have a working configuration, where DNS lookups by IP, by FQDN, and by shortname all function perfectly. We'll repeat this after the upgrade to make sure everything is still working as it should.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network:

    ping -n 1
    ping vcsa.lab.local -n 1
    ping vcsa -n 1
    nslookup vcsa.lab.local
    nslookup vcsa

    Step 3: Upgrade from to 1.9.7

    See Release Notes v1.9.7, forum thread, then download your ERLite-3 firmware, and save it in a folder you'll remember.
    Then along the bottom edge of the EdgeRouter's Web UI, click:
    System / Configuration Management & Device Maintenance / Upgrade System Image / Upload system image: / Upload a file / navigate to the ER-e100.v1.9.7.5001798.tar file you downloaded, click on the Open button

    Step 4: Enable dnsmasq for DHCP

    Currently, this feature must be enabled using the CLI, as there is no webUI option to enable dnsmasq. Open an SSH session and authenticate. I would not recommend the CLI icon in the Web UI; a separate SSH client is preferred for many reasons, including easy cut-and-paste.

    Enter the following commands:

    set service dhcp-server use-dnsmasq enable 

    Step 5: Adjust DNS Forwarding, DHCP, and System settings

    To allow local hostname resolution across networks, the following changes will need to be made to allow clients to use the router address as the DNS server, configure DNS forwarding options, and set the system name-server. This will also require setting a domain-name on the router and adding this domain-name to the dhcp-server(s) to distribute to clients so local hostnames resolve properly across networks.

    A. Set system name-server to loop back to the router itself, which will forward requests to the DNS servers set in the DNS forwarding settings.

    set system name-server

    B. Set global name-servers to resolve all external resolutions. Note, you should be sure that a public DNS server is not manually set on a client on the same network. For example, if an address like is manually set on the client, it will prefer that address over the router's address issued by the DHCP-Server, so it won't be able to resolve names on your local network.

    set service dns forwarding name-server

    C. Set DNS forwarding listen-on address for all LAN interfaces including VLANs.

    set service dns forwarding listen-on eth1

    D. Set system domain-name.

    set system domain-name lab.local 

    E. Turn on UPnP2 (optional). All UPnP is off by default; UPnP2 is the more secure kind, with no GUI way to activate it. It works with NetWorx' "Monitor my router rather than this computer" feature.

    set service upnp2 listen-on eth1
    set service upnp2 nat-pmp enable
    set service upnp2 secure-mode enable
    set service upnp2 wan eth0

    F. Use commit to make all changes active (save, in Step 10, makes them persist across reboots).


    Step 6: View Leases

    With the release of v1.9.7, and after following the instructions above, DHCP leases are now shown in the webUI, much like they were when using the (default) ISC DHCPD for DHCP. You can choose any of the Leases and configure a reservation.

    Step 7: Testing local DNS

    Try browsing the web from a system attached to ETH1. If that works, now try the web UI of something on your local network, a Linux-based (no NetBIOS) device that you've given a reservation to, such as https://vcsa.lab.local, and if that works, you're really done.

    If having trouble, first ping the local IP of the device, then ping the hostname, then ping the hostname with the domain-name. This should help you narrow down where your DNS configuration issue might be.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network:

    ping -n 1
    ping vcsa.lab.local -n 1
    ping vcsa -n 1
    nslookup vcsa.lab.local
    nslookup vcsa

    Step 8: Testing remote DNS via IPSEC VPN (if you use VPN)

    On a mobile device with a cellular connection, outside of your network, connect the IPsec VPN, then see if DNS works by trying a Web UI or SSH session to a known device on your home network, using the IP first, then the FQDN, then the shortname.

    Step 9: Testing hairpinning

    If you use port forwarding, try accessing that device as if you're remote, but you're actually on your private LAN. If hairpinning is working, your access should work fine.

    Step 10: Save your configuration

    Prior to step 7, you should make sure you've tested out all crucial functionality.

    A. If your testing went well, to make all the changes you made persist across reboots, save your configuration.


    you are done!

    B. If your testing didn't go well and you don't wish to troubleshoot it, you can easily revert your configuration.

    exit discard

    This will back out of all changes made in the steps above, safely and easily, without having to resort to restoring from a backup of your configuration file, a last-resort process found under:
    System / Configuration Management & Device Maintenance / Restore Config / Upload config file: / Upload a file (button)

    Aug 02 2017 Update

    Added UPnP2 implementation steps to the configuration procedure above, which was using techniques discussed in this UBNT thread.

    Aug 10 2017 Update

    A new firmware hotfix has arrived, I have not tried it yet. It's called EdgeRouter ERLite-3/ERPoe-5 Firmware v1.9.7+hotfix.1, filename:

    • Download

    • Release Notes

      [Release Notes v1.9.7+hotfix.1]


      Changes since v1.9.7

      New features

      Enhancements and bug fixes
      [UNMS] Fix bug when configuration was randomly reset to default values after upgrade if UNMS service was configured. Discussed here
      [SSH] Fix security vulnerability via SSH when operator user was able to read/write configuration and gain full admin privileges
      [OpenVPN] Backport patch for multiple OpenVPN vulnerabilities (CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521). Discussed here.
      Updated software components

    Aug 14 2017 Update

    I have made the move to EdgeRouter Lite v1.9.7+hotfix.1, the next few days of heavy use will reveal whether I'm happy with it or not. So far, so good.

    EdgeRouter Lite v1.9.7+hotfix.1

    Aug 22 2017 Update

    My issue with L2TP/IPSec VPN failure after the first connection struck again, for the first time I've seen it happen on v1.9.7, so it was time to figure out why, especially with travel to VMworld coming up this weekend. Then I found this UBNT forum comment:

    • L2TP over IPsec and UPNP2

      Sometime ago I reported that I was having issues with my L2TP/IPsec over the cellular network .... my symptoms were that I was timing out, consequently my VPN connection failed until I rebooted my ERL --- after reboot my VPN would work for a period of time then time out again.

    I went ahead and typed the following command, to see which Apple device on my home network was opening port 4500 via UPnP, the port that is also used by L2TP/IPsec:

    show upnp2 rules

    and tada, there it was, whatever device is at IP Address is using port 4500. Time for a quick visit to my EdgeMAX Web UI to pop on over to Services / Actions / Leases, and search for .228, and it's one of my son's systems, a Mac Mini. No problem at all, time to fix this issue via SSH by simply blocking port 4500 UPnP on my network:

    set service upnp2 acl rule 15 action 'deny'
    set service upnp2 acl rule 15 description 'Block Port 4500 utilized by ATC'
    set service upnp2 acl rule 15 external-port '4500'
    set service upnp2 acl rule 15 local-port '0-65535'
    set service upnp2 acl rule 15 subnet ''

    Once I got to the commit command listed above, the resolution of the problem was seen immediately. I was able to reconnect my VPN right away, with no need to reboot my ERLite-3. Tried it out for a day, still working great. So I then typed save to preserve this new configuration across reboots, and finally exited my SSH session. Done! Everything about my ERLite-3 is configured exactly the way I always wanted it to work, so I can now move on to so many other projects.

    I'll likely be adding this to my configuration procedure, as documented above.
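As an added example (not from this post or from Ubiquiti), here is a small Python review script that parses EdgeOS `set` lines like the ones in Step 5 and in the Aug 22 fix above, and flags the settings this post cares about: DNS forwarding listening on the WAN port, UPnP2 configured without secure-mode, and UPnP2 without a deny rule for port 4500 while L2TP/IPsec is in use. The sample configuration is constructed; the 192.0.2.x addresses stand in for the real LAN values, and the `wan_if`/`uses_l2tp_ipsec` parameters are assumptions supplied by the caller rather than read from the config.

```python
from collections import defaultdict
import shlex

# Constructed sample of EdgeOS "set" lines, modelled on the post's Step 5 and
# Aug 22 commands. The post's real IP/subnet values are not reproduced here;
# 192.0.2.0/24 (RFC 5737 documentation range) stands in for the LAN.
SAMPLE_CONFIG = """
set service dhcp-server use-dnsmasq enable
set system name-server 192.0.2.1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding listen-on eth1
set system domain-name lab.local
set service upnp2 listen-on eth1
set service upnp2 nat-pmp enable
set service upnp2 secure-mode enable
set service upnp2 wan eth0
set service upnp2 acl rule 15 action 'deny'
set service upnp2 acl rule 15 description 'Block Port 4500 utilized by ATC'
set service upnp2 acl rule 15 external-port '4500'
set service upnp2 acl rule 15 local-port '0-65535'
set service upnp2 acl rule 15 subnet '192.0.2.0/24'
"""


def parse_set_lines(text):
    """Parse 'set <path...> <value>' lines into {path tuple: [values]}.
    Multi-valued nodes such as listen-on simply accumulate their values."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # handles the quoted 'deny', '4500', ...
        if len(tokens) < 3 or tokens[0] != "set":
            continue  # blank, comment or non-set line
        cfg[tuple(tokens[1:-1])].append(tokens[-1])
    return cfg


def upnp2_deny_rules(cfg):
    """Return the set of external ports blocked by 'deny' rules under upnp2 acl."""
    blocked = set()
    for path, values in cfg.items():
        is_action = path[:4] == ("service", "upnp2", "acl", "rule") and path[5:] == ("action",)
        if is_action and "deny" in values:
            blocked.update(cfg.get(path[:5] + ("external-port",), []))
    return blocked


def review_config(cfg, wan_if="eth0", uses_l2tp_ipsec=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. DNS forwarding should answer LAN interfaces only, never the WAN port.
    if wan_if in cfg.get(("service", "dns", "forwarding", "listen-on"), []):
        findings.append("dns forwarding listens on WAN interface %s (open resolver)" % wan_if)
    # 2. Step 5A: the router must have a system name-server for local resolution.
    if not cfg.get(("system", "name-server")):
        findings.append("system name-server is not set")
    # 3. Step 5E: if UPnP2 is configured at all, secure-mode must be enabled.
    upnp_on = any(path[:2] == ("service", "upnp2") for path in cfg)
    if upnp_on and "enable" not in cfg.get(("service", "upnp2", "secure-mode"), []):
        findings.append("upnp2 configured without secure-mode")
    # 4. Aug 22 fix: with L2TP/IPsec, LAN devices must not be able to claim port 4500.
    if upnp_on and uses_l2tp_ipsec and "4500" not in upnp2_deny_rules(cfg):
        findings.append("upnp2 has no deny rule for external-port 4500 (L2TP/IPsec conflict)")
    return findings


if __name__ == "__main__":
    for finding in review_config(parse_set_lines(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```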

    Aug 24 2017 Update

    Well, it's back: the Mac Mini has taken port 4500 again. It seems the better fix might be to make this change to the Mac Mini configuration, addressing the problem at the source:

    Change made, let's see how it goes.

    Sep 06 2017 Update

    It's actually not just the port 4500 via UPnP issue; it's an OS counter that runs out, so after a few days of operation, the NetWorx live display of the router's speeds shows 0. The full function of NetWorx is immediately restored by just restarting the router. Well, that's a rather disruptive workaround. I'm still on the lookout for a better solution. Anybody got one?

    I've also now gone to:

    and so far, it seems to be working the same way as the previous 1.9.7 releases. This has been a busy few months of bug releases by UBNT.

    See also at TinkerTry

    Includes the BOM (Build Of Materials)

    How to install Ubiquiti EdgeMAX EdgeRouter firmware v1.9.1 onto UBNT ERLite-3
