Ubiquiti EdgeRouter Lite (UBNT ERLite-3) Update - still works great for my family, and for my VMware vSphere, Windows, and Linux home lab

Posted by Paul Braren on Jul 11 2017 (updated on May 1 2018) in
  • Network
  • VMware
  • ESXi
  • HowTo
  • HomeLab
  • SmartHome
  • Ubiquiti

    • This article was originally intended for my audience at The Greater Boston Network Users Group at their July 11th meetup. Until I'm able to do a complete configuration walk through, this spot in a recent "Network Enthusiast" EdgeRouter video I created gives you a good look at how DNS is supposed to work in Windows + Linux and/or VMware vSphere home lab environments, only using this little metal box router. Look mom, no Microsoft AD/DNS/DHCP required!

    Shop

    This Ubiquiti EdgeRouter Lite (aka, UBNT ERLite-3) is available at Amazon, B&H, Newegg, and Wiredzone. These are affiliate links, full disclosure below.

    Product Page

    • Ubiquiti EdgeRouter Lite
      Model-Comparison
      Steve Gibson brags about his beloved $65 "EdgeRouter X" on many Security Now podcast episodes, an even smaller router that uses the same firmware family. But the EdgeRouter X doesn't specify that it can also do a million packets per second. I wanted something fast enough for my home's 300Mbps/30Mbps connection, with a bit of future-proofing for even faster internet speeds someday. Even with a year of daily heavy use already behind me, I don't suspect I'll want or need to swap my ERLite-3 for some years to come.

    EdgeOS User Guide

    EdgeRouter Datasheet

    Firmware Download

    Status Update

    The ERLite-3 has been around since 2013, still pictured in it's original plastic body on Amazon. They're made of metal now, and has gained a lot functionality ever since through regular firmware updates, see full history here. This "networking enthusiast" router has enjoyed a lot of popularity in the market, with mostly-favorable reviews on Amazon and on Ubiquiti's forum. I've personally owned two of these little ~$90 routers for about a year, one dedicated to my traveling home datacenter right, and the other used heavily full time by my entire family, with better reliability than every consumer router I've used before it.

    TinkerTry-UBNT-EdgeRouter-Lite-with-eero-cropped
    ETH0 at left is connected to my cable modem, ETH1 connected to my gigabit switch, one of my 3 eero Wi-Fi devices is pictured at right, using SlimRun gigabit wired backhauls to the same gigabit home network.
    883710450961133569

    I rely on my ERLite-3 for all my home network routing, DNS, and DHCP functions, leaving the Wi-Fi duties to my wired-backhaul eero 3 pack Wi-Fi that I configured for bridge mode. This combination, wired up to my DCOSIS 3.0 SB6183 cable modem, gives me a consistent 300 MBps down and 30 Mbps up speed from anywhere in my home, whether I'm wired or wireless. Hard to not be happy with that.

    The deployment overview will hopefully help newbies make this little metal box behave much more consumer-router-like. Don't bother configuring the router with the default firmware, update it first! All the steps are detailed below.

    Firmware

    1.9.1.1 - Current Version

    Download here. This is the latest release, it arrived in April 2017, and was just a security update, with no new features since December 2016's 1.9.1 release. Read all about 1.9.1.1 in the forums and release notes. You can also see future release announcements at the EdgeMAX Updates Blog that even features a handy RSS feed.

    1.9.7

    1.9.7 is in beta now, sign-up for access to the beta forums. When 1.9.7 is released, it might not have the DNS shortname fix incorporated, and it won't have OpenVPN vulnerability fixes, but 1.9.7-hotfix.1 will.

    2.0.x

    Future release with many new features and fixes. Date TBD.

    VPN server

    L2TP IPsec VPN Server

    It works, both split and tunnel all settings from iOS tested over LTE just fine, but:

    1. can't be used in conjunction with UPnP, causes only first tunnel connection to work, subsequent connections from same or any other device require router reboot, note that UPnP shouldn't be turned on anyway, which I explained back in my consumer router days here and here.

    OpenVPN vulnerabilities

    I personally haven't gone through the admittedly better, but more-complex OpenVPN configuration process. But for those who have, they may have spotted that there were some OpenVPN vulnerabilities recently discovered by Guido Vranken's fuzzing techniques, see:

    Insecure-about-using-public-WiFi-Connect-to-your-home’s-OpenVPN-appliance-for-free-Network-Diagram-Page-1-2014-Jul-22

    with OpenVPN patches already released for OpenVPN's installable versions of VPN servers intended for actual servers (not this router). The Hyper-V and ESXi Virtual Appliances have unfortunately been neglected since 3rd quarter of 2016, which is a shame, since I used to enjoy the occasional use of that OpenVPN VMware appliance, see also:

    Implementation of dnsmasq coming soon, we hope

    • dnsmasq seems more desirable for DNS/DHCP, since it may eliminate duplicate DNS admin overhead (see screenshots below), but it won't be available until the 2.x firmware release.
      correction, see Jul 31 2017 update below!

    How to properly configure DHCP and DNS for properly for mixed OS home labs

    Meanwhile, while we wait for the Ubiquiti to get to 2.x, there a very workable way to have robust DHCP and DNS (not DDNS) for your current Windows, Linux, and VMware hypervisors & VMs. I've been using this method extensively for a year now, hasn't let me down for the ERLite-3. While these weren't the most intuitive steps for me to figure out initially (dogged determination/trial-and-error), now that they're documented, implementing them is easy

    For proper VMware forward (both FQDN and shortname) and reverse (IP) DNS lookups, which happens to help Windows and Linux systems also get to know one another on a first name or full name or IP basis, here's the steps.

    Prepare your router

    1. Download latest firmware

      If your ERLite-3 is new, be sure to update the firmware first before bothering to configure anything at all! 1.9.1 is available here, with video that guides you through the simple firmware update process here, using a laptop/PC/mac directly attached to eth1.

      EdgeMAX - Upgrade Firmware via Web GUI

    2. Reboot

      When the firmware update is complete, you will be prompted to reboot.

    3. Use the Setup Wizard to turn it into a consumer-like router

      a. click on Wizards tab, along the left-edge under Setup Wizards choose WAN+2LAN2
      b. under Internet port (eth0)
      c. under Firewall, ensure checkbox is on for Enable the default firewall
      d. under LAN port (eth1) is where you create your network router/gateway IP address and subnet mask, most will like the defaults of 192.168.1.1 / 255.255.255.0
      e. under (Optional) Secondary LAN port (eth2), this is where you create a second network router/gateway IP address and subnet mask, most home and SOHO users won't need this, and will choose to uncheck the Enable the DHCP server checkbox like I did, although some may choose to isolate their WiFi access points onto this separate network if they can run a backhaul cable right to this port (or via a switch), giving them better visibility into just the traffic generated by their Wi-Fi devices using EdgeMAX Traffic Analysis tab, with a live overview of traffic flow that's leveraging the optional Deep Packet Inspection (DPI), which doesn't seem to slow traffic down at all

    4. Create a DHCP Reservation

      a. Power up your network-connected device, which by default will request a DHCP lease.
      b. in your ERLite-3 Web UI, nagivate to
      DHCP Server / Actions / View Leases / Map Static IP [change the IP and/or Name to those desired] / Save / Close

    5. Create a DNS shortname/FQDN/IP entry

      a. in your ERLite-3 Web UI, nagivate to
      Wizards / DNS host names / Static host names / Host name [enter FQDN name] / Alias [enter short name], / IP Address [enter your available IP Address], then and click OK

    Admittedly, implementing the DHCP reservations and making the name entry is easy enough, it's maintaining the discipline to make all future changes in both places that is a bit tougher. Maybe dnsmasq will change all that, hopefully eliminating the need to both create a lease entry and create a duplicate DNS entry. But in all releases to date, the DHCP Lease GUI doesn't yet support dnsmasq.

    Screenshots

    Taken with 1.9.1.1 firmware loaded.

    2017-07-12_0-41-34
    The main Dashboard view, it's what you see when you first log into the router with your browser.
    2017-07-12_10-21-31
    Traffic Analysis view is availabe because I've turned on Deep Packet Inspection and left it on, which seemingly hasn't slowed things down at all.
    2017-07-12_10-17-55
    DHCP Server Static MAC/IP Mapping view.
    2017-07-12_10-13-32
    DNS hosts names wizard.

    Jul 31 2017 Update

    New firmware has arrived! See Release Notes v1.9.7, forum thread, and ERLite-3 download.

    I have not finished testing v1.9.7 yet, but these two lines in the notes looked very promising:

    [Dnsmasq] Fix bug when DHCP leases were not showing if dnsmasq was enabled
    [Dnsmasq] Preserve lease file after reboot. Discussed here

    as well as this comment by VMVN4565 in this forum post:

    ER-X SFP updated fine via GUI.

    so I dove right in and did the upgrade on my second router that's used for my traveling home datacenter demonstrations. I will update this post accordingly, as I learn how this firmware release behaves. So far, implementing dnsmasq isn't quite as it's documented by Ubiquity here:

    • EdgeRouter - Using dnsmasq for DHCP Server
      see also screenshot below, but this particular section seemed promising, making me very glad I might not have to wait for a v2.x release to get dnsmasq with a GUI after all, and that the move might be eased by this automatic migration:

      When using dnsmasq, the entries configured under "static-mapping" will be translated to statically assigned A records in dnsmasq (using the dnsmasq host-record directive). If a client with a static-mapping entry sends a DHCP request with a different client-name, that client-name will be ignored.

    My first tests seem to be going well, so far, with all static DHCP leases migrated over to the dynamic section, just as the above paragraph describes. In other words, I can now just pick my new device's DHCP lease from the GUI, set a reserved IP for it, and I'm done. No more duplicate efforts to add them to the Wizard / DNS host name / Static host names area anymore, they automatically appear in the Dynamic host names area right below it. Nice! I can't get shortname DNS queries to work yet though, but FQDN and reverse are working just fine.

    Reading the forum posts further, this comment looks more worrisome to me:

    After an upgrade from v1.9.1 to v1.9.7 Hairpin NAT does not work.

    so this is something I'll definitely need to test, as I use hairpinning regularly. I'll also be re-testing IPSEC and maybe even a secure way to configure UPnP for use with whole-home network usage monitoring via NetWorx, we'll see. With 1.9.1.1, turning on UPnP would cause my IPSEC VPN to only work once, with all subsequent connection attempts failing.

    upgrade-to-ubnt-v1.9.7
    On July 31 2017, I began upgrading my TinkerTry home network from 1.9.1.1 to 1.9.7, after making sure I had my current configuration saved of course!
    ssh-session-of-post-update-dnsmasq-configuration-by-TinkerTry
    Me testing literal copy-and-paste of Ubiquiti's instructions, just to see what happens.

    This is what happens if you take every line of instruction way too literally, just me testing it verbatim, ready to reset to known-good easily at any point I scrogg things. I have some more tweaking of their instructions to do, to get this right. I do wish there was a GUI for this migration from ISC DHCPD to dnsmasq.

    Aug 01 2017

    Testing still underway. Rather important I get lab testing right, so when I deploy it into "production," aka, running my family's home network, it better run well! It also has to do all the basics I need it to do for all my VMware vSphere infrastructure and VMs as well, keeping my Linux and Windows OSs talking to one another on a first name and full name (FQDN) basis.

    My plan is to help refine and simplify the entire process of configuring this router when it's first unboxed, greatly improving the out-of-box experience for new owners, especially those trying to configure a VMware VCSA-friendly network (forward FQDN and shortname & reverse lookups), with no need for Active Directory or Windows Server licenses, and no need for Linux skills required. Might be a pipe dream, but I try!

    This is a heavily modified version, for my home network which doesn't feature these items that the original author uses in his example, I am:

    • using the Feature Wizard named WAN+2LAN2, and was at firmware v1.9.1.1 on my ERLite-3
    • using a domain named lab.local
    • using a System name server 127.0.0.1 (found in the "System" button at the bottom, under "Name Server", "System name server:")
    • my router is set to 10.10.1.1, but many folks may prefer 192.168.1.1
    • using ETH1 (I'm not using ETH2)
    • using no VLANs (removed 2nd line of step 3)
    • ok with the author's use of Google DNS 8.8.8.8, so I stuck with it, avoids the need for you to lookup the name of your ISP's DNS, but I realize some may prefer to use OpenDNS 208.67.222.222
    • already have a system domain name (removed step 5)
    • already have a DHCP domain in use that works fine, with no need to create new ones (removed step 6)
    • already use just the webUI for all DHCP reservations, and after the upgrade, I removed all the Static host mappings anyway, since they were all auto-migrated to the Dynamic host names area, and from here forward, I just fire up a new device, find it in DHCP leases, give it a reservation, and I'm done, forward and reverse lookup instantly work from all Windows and Linux PCs and VMs on my network! This all boils down to the shorter instruction set below.

    Disclaimer: I'm no networking expert. While you may find these instructions helpful, published here for informational purposes and my own reference. I cannot possibly provide support should you run into issues, there's so much that can go wrong. Please instead post your v1.9.7 question(s) in UBNT's excellent forum.

    Step 1: Back up your configuration

    Click on the System button along the bottom edge of the Web UI.
    Select Configuration Management & Device Maintenance / Back Up Config / Download backup config file / Download and save the file in a secure location.

    Step 2: Establish a baseline

    TinkerTry-pre-ping

    Here I demonstrate that I have a working configuration, where DNS lookups by IP, by FQDN, and by shortname all function perfectly. We'll repeat this after the upgrade to make sure everything is still working as it should.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network:

    ping 10.10.1.97 -n 1
ping vcsa.lab.local -n 1
ping vcsa -n 1
nslookup 10.10.1.97
nslookup vcsa.lab.local
nslookup vcsa

    Step 3: Upgrade from 1.9.1.1 to 1.9.7

    See Release Notes v1.9.7, forum thread, then download your ERLite-3 firmware, and save it in a folder you'll remember.
    Then along the bottom edge of the EdgeRouter's Web UI, click:
    System / Configuration Management & Device Maintenance / Upgrade System Image / Upload system image: / Upload a file / navigate to the ER-e100.v1.9.7.5001798.tar file you downloaded, click on the Open button

    Step 4: Enable dnsmasq for DHCP

    Currently, this feature must be enabled using the CLI as there is not a webUI option to enable dnsmasq. Open an SSH session and authenticate. I would not recommend the CLI icon in the Web UI, instead, a separate SSH client is preferred for many reasons, including easy cut-and-paste.

    Enter the following commands: 

    configure
set service dhcp-server use-dnsmasq enable

    Step 5: Adjust DNS Forwarding, DHCP, and System settings

    To allow local hostname resolution across networks, the following changes will need to be made to allow clients to use the router address as the DNS server, configure DNS forwarding options, and set the system name-server. This will also require setting a domain-name on the router and adding this domain-name to the dhcp-server(s) to distribute to clients so local hostnames resolve properly across networks.

    A. Set system name-server to loop back to the router itself, which will forward requests to the DNS servers set in the DNS forwarding settings.

    set system name-server 127.0.0.1

    B. Set global name-servers to resolve all external resolutions. Note, you should be sure that a public DNS server is not manually set on a client on the same network. For example, if an address like 8.8.8.8 is manually set on the client, it will prefer that address over the router's address issued by the DHCP-Server, so it won't be able to resolve names on your local network.

    set service dns forwarding name-server 8.8.8.8

    C. Set DNS forwarding listen-on address for all LAN interfaces including VLANs.

    set service dns forwarding listen-on eth1

    D. Set system domain-name.

    set system domain-name lab.local

    E. Enable Turn on UPnP2 - Optional - all UPnP is off by default, UPnP2 is the more secure kind with no GUI way to activate it. Works with NetWorx' "Monitor my router rather than this computer" feature).

    set service upnp2 listen-on eth1
set service upnp2 nat-pmp enable
set service upnp2 secure-mode enable
set service upnp2 wan eth0

    F. Use commit to make all changes active and persistent.

    commit

    Step 6: View Leases

    With the release of v1.9.7, and after following the instructions above, DCHP leases are now shown in the webUI, much like they did when using (default) ISC DHCPD for DHCP. You can choose any of the Leases, and configure a reservation.

    Step 7: Testing local DNS

    Try browsing the web from a system attached to ETH1, if it works, now try the web UI for something on your local network by Linux-based (no NETBIOS) device that you've given a DNS reservation too, such as https://vcsa.lab.local and if that works, you're really done.

    If having trouble, first ping the local IP of the device, then ping the hostname, then ping the hostname with the domain-name. This should help you narrow down where your DNS configuration issue might be.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network:

    ping 10.10.1.97 -n 1
ping vcsa.lab.local -n 1
ping vcsa -n 1
nslookup 10.10.1.97
nslookup vcsa.lab.local
nslookup vcsa

    Step 8: Testing remote DNS via IPSEC VPN (if you use VPN)

    On mobile cellular connected device outside of your network, connect the IPSEC VPN, then see if DNS works by trying a Web UI or SSH session to a known device on your home network, using IP first, then FQDN then shortname next.

    Step 9: Testing hairpinning

    If you use port forwarding, try accessing that device as if you're remote, but you're actually on your private LAN. If hairpinning is working, your access should work fine.

    Step 10: Save your configuration

    Prior to step 7, you should make sureyou've tested out all crucial functionality.

    A. If your testing went well, to make all the changes you made persist across reboots, save your configuration.

    save

    you are done!

    B. If your testing didn't go well and you don't wish to troubleshoot it, you can easily revert your configuration.

    exit discard

    This will back out of all changes made in the steps above, safely and easily, without having to resort to restoring from a backup of your configuration file, a last-resort process found under:
    System / Configuration Management & Device Maintenance / Restore Config / Upload config file: / Upload a file (button)

    Aug 02 2017 Update

    Added UPnP2 implementation steps to the configuration procedure above, which was using techniques discussed in this UBNT thread.

    Aug 10 2017 Update

    A new firmware hotfix has arrived, I have not tried it yet. It's called EdgeRouter ERLite-3/ERPoe-5 Firmware v1.9.7+hotfix.1, filename:
    EdgeRouter ERLite-3/ERPoe-5 Firmware v1.9.7+hotfix.1

    • Download

    • Release Notes

      [Release Notes v1.9.7+hotfix.1]

      Changelog

      Changes since v1.9.7

      New features
      n/a

      Enhancements and bug fixes
      [UNMS] Fix bug when configuration was randomly reset to default values after upgrade if UNMS service was configured. Discussed here
      [SSH] Fix security vulnerability via SSH when operator user was able to read/write configuration and gain full admin privileges
      [OpenVPN] Backport patch for multiple OpenVPN vulnerabilities (CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521). Discussed here.
      Updated software components
      n/a

    Aug 14 2017 Update

    I have made the move to EdgeRouter Lite v1.9.7+hotfix.1, the next few days of heavy use will reveal whether I'm happy with it or not. So far, so good.

    EdgeRouter Lite v1.9.7+hotfix.1

    Aug 22 2017 Update

    My issue with L2TP/IPSec VPN failure after the first connection struck again, for the first time I've seen it happen on v1.9.7, so it was time to figure out why, especially with travel to VMworld coming up this weekend. Then I found this UBNT forum comment:

    • L2TP over IPsec and UPNP2

      Sometime ago I reported that I was having issues with my L2TP/IPsec over the cellular network .... my symptoms where that I was timing out consequently my VPN connection failed until I rebooted my ERL --- after reboot my VPN would work for a period of time then time out again.

    I went ahead and typed the following command, to see which Apple device in my home network was initiating a port 4500, which is also used for L2TP/IPSec:

    show upnp2 rules

    and tada, there it was, whatever device is at IP Address 10.10.1.228 is using port 4500. Time for a quick visit to my EdgeMAX Web UI to pop on over to Services / Actions / Leases, and search for .228, and it's one of my son's systems, a Mac Mini. No problem at all, time to fix this issue via SSH by simply blocking port 4500 UPnP on my 10.10.1.0 network:

    configure
set service upnp2 acl rule 15 action 'deny'
set service upnp2 acl rule 15 description 'Block Port 4500 utilized by ATC'
set service upnp2 acl rule 15 external-port '4500'
set service upnp2 acl rule 15 local-port '0-65535'
set service upnp2 acl rule 15 subnet '10.10.1.0/24'
commit
save
exit
    2017-08-22_11-14-57

    Once I got to the commit command listed above, the resolution of the problem was seen immediately. I was able to reconnect my VPN right away, no need to reboot my ER3-Lite. Tried it out for a day, still working great. So I then typed save to preserve this new configuration across reboots, and finally exited my SSH session. Done! Everything about my ER3-Lite is configured exactly the way I always wanted it to work, I can now move on to so many other projects.

    I'll likely be adding this to my configuration procedure, as documented above.

    Aug 24 2017 Update

    Well, it's back, the Mac Mini has taken port 4500 again. It seem the better fix might be to make this change to the Mac Mini configuration, addressing the problem at the source:

    Change made, let's see how it goes.

    Sep 06 2017 Update

    It's actually not just the 4500 via UPnP issue, it's an OS counter that runs out, so after a few days of operation, Networx live display of the router's speeds show 0. The full function of Networx is immediately restored by just restarting the router. Well, that's a rather disruptive workaround. I'm still on the lookout for a better solution. Anybody gone one?

    I've also now gone to:

    and so far, it seems to be working the same way as the previous 1.9.7 releases. This has been a busy few months of bug releases by UBNT.

    Nov 16 2017 Update

    There's a new DNS on this planet's interwebs, see the big announcement made yesterday over at IBM:

    53388

    Nov 17 2017 Update

    I'm excited to have just published a detailed article on a promising new DNS service, see:

    Interested in settings up Quad9 on your EdgeRouter?

    How to change your EdgeRouter DNS forwarding

    Step 1: Back up your configuration

    Click on the System button along the bottom edge of the Web UI.
    Select Configuration Management & Device Maintenance / Back Up Config / Download backup config file / Download and save the file in a secure location.

    Step 2: Establish a baseline

    nslookup-commands--TinkerTry

    Here I demonstrate that I have a working configuration, where DNS lookups by IP, by FQDN, and by shortname all function perfectly. We'll repeat this after the upgrade to make sure everything is still working as it should.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network, and cnn.com is external

    nslookup vcsa.lab.local
nslookup cnn.com

    Make note of the results.

    Step 3: See what your DNS is set to, delete it, then add 9.9.9.9

    Currently, this feature must be enabled using the CLI as there is not a webUI option to set DNS forwarding. Open an SSH session and authenticate. I would not recommend the CLI icon in the Web UI, instead, a separate SSH client is preferred for many reasons, including easy cut-and-paste.

    Enter the following commands, one line at a time, to see what dns forwarding you have, delete whatever is there, then set the new single dns forwarding to 9.9.9.9, then commit the change and test whether the commit worked:

    show dns forwarding nameservers
configure
show service dns forwarding
delete service dns forwarding name-server 8.8.8.8
delete service dns forwarding name-server 8.8.4.4
show service dns forwarding
set service dns forwarding name-server 9.9.9.9
show service dns forwarding
commit
exit
show dns forwarding nameservers
    dns-forwarder-change-to-quad9-session
    In this example, I have only one DNS set to Cloudflare DNS at 1.1.1.1, and I change it to Quad9 DNS at 9.9.9.9, then save my changes so they'll persist across reboots.

    Step 4: Test

    Back at the Windows command line.

    ipconfig /flushdns
nslookup vcsa.lab.local
nslookup cnn.com

    Make note of the results, comparing with what you got before, they should be about the same, but for local systems like my example of vcsa.lab.local, you'll need to substituate that with a local system's name that you actually use. Go ahead and try browsing the web to be sure your browsing seems to be functioning just fine too, of course.

    Step 5: Save your configuration

    Prior to saving the change you made above, you should make sure you've tested out all crucial functionality first.

    A. If your testing went well, to make all the changes you made persist across reboots, save your configuration.

    save

    you are done!

    B. If your testing didn't go well and you don't wish to troubleshoot it, you can easily revert your configuration.

    exit discard

    This will back out of all changes made in the steps above, safely and easily, without having to resort to restoring from a backup of your configuration file, a last-resort process found under:
    System / Configuration Management & Device Maintenance / Restore Config / Upload config file: / Upload a file (button)

    Next up, working on a simple and secure visit-this-URL way to confirm that 9.9.9.9 is your active DNS provider, and testing NTP setting-by-IP so it functions correctly during boot up, prepping for DNSSEC testing. Stay tuned!

    Quad9 9.9.9.9 might be a good Google 8.8.8.8 DNS alternative claiming better privacy & DNSSEC

    Nov 21 2017 Update

    After I used the System button at the bottom of the Web UI, I entered my syslog server name under System Log, Log to remove server, and set the Log Level to informational, details here. I apparently then managed to forget to set a firewall rule to allow syslogging to work at all, here's the fix.

    Set firewall rule to allow syslog traffic to pass

    On the Firewall/NAT tab, click on the Firewall Policies tab, then click on the Actions drop-down menu to the right of WAN_LOCAL, and select Edit Ruleset.

    Click on the Add New Rule button, and on the Basic tab, in the Description field, type Allow syslog, in the Action area, click Accept, and in the Protocol area, click UDP.

    Click on the Destination tab, and in the Port field, type 514 then click on the Save button, and wait for the save to complete.

    Now re-order this new rule, moving it up to the second to last position, right above the last row called Drop invalid state, then click on the Save Rule Order button.

    Mar 07 2018 Update

    I'm not finding a compelling reason (security or killer feature) that is luring me to move to 1.10.0 firmware anytime soon, but perhaps I'll test the next 1.10.x release on my second ER3-Lite that is mostly used for public vSphere 6.5U1 demos. Here's the forum anouncement thread:

    Apr 17 2018 Update

    With Quad9 and Cloudflare DNS now available, I've added an updated screenshot above that includes both.

    May 01 2018 Update

    I was able to fix my issue with Networx by cutting over to SNMP monitoring instead of UPnP2, which was never desirable anyway, even though I passed the GRC Shields Up test since it was only implemented on my LAN side. Here's how.

    Use a browser to log in to your EdgeRouter, and along the bottom edge, click

    1. System
    2. Back Up Config
    3. Download backup config
    4. Download
    5. and save it somewhere safe, with a clear, descriptive filename.

    Next, in an ssh session to my EdgeRouter:

    configure
delete service upnp
delete service upnp2
set service snmp community public authorization ro
commit
save
exit
exit

    If you are unsure, after the commit command, test everything out for a few hours, if all seems well, go on to typing save, then exit, then then exit again. This makes the changes persist through reboots. If it didn't go well, type exit discard, then exit, then exit again.

    If you find that in the coming days you wish you could revert to before any changes were made, that's fine, you saved your config which gives you the ability to go back using your browser:

    1. System
    2. Restore Config
    3. Upload config file:
    4. Upload a file

    See also my related UBNT forum post.

    I updated to NetWorx Version 6.1.1 64-bit installable, and it works quite nicely, with my home's upload and download speeds monitored live from up to 5 systems around my home, all covered by one well-worth-it $25 license, see also SoftPerfect's full set of utilities here that I admittedly haven't yet tested.

    See also at TinkerTry

    my-tinkertry-d-xeon-d-bundle-2-supermicro-superserver-bundle-2-of-joy

    replaced-linksys-with-eero-after-also-testing-luma
    How to install Ubiquiti EdgeMAX EdgeRouter firmware v1.9.1 onto UBNT ERLite-3

    See also

    TinkerTry - PCs, EVs, home tech, efficiency and more, including virtualization. My opinions here, not my employer's.

    Paul Braren, MCSE in 1998, VCP #2681 in 2005, vExpert 2014 to 2024, Veeam Vanguard Emeritus, 2015 to 2019.

    Support TinkerTry

    PayPal | Patreon | VMware Store

    After 6 successful years testing then shipping well over 1,000 Xeon D Bundles, Wiredzone had to stop selling them in mid-2021 due to cost, supply, and logistics challenges. So far, Xeon D-1700/2700 (Ice Lake D) was a minor refresh for 2023, with Xeon D-1800/2800 (Granite Rapids D) refresh looking a little better for 2024. More cores, but still just PCIe Gen4 and DDR4. Looking ahead, I'm glad it's Pat Gelsinger at Intel's helm. I'm also grateful to have had the honor of working at VMware when Pat was the CIO there. I'll leave it at that, given the whole Broadcom thing.

    Easily update VMware ESXi at TinkerTry.com/easy-update-to-latest-esxi