Ubiquiti EdgeRouter X - thoughts and tips


I have been using the EdgeRouter X for about five months now and it is amazing! It has awesome features at an affordable price. A win-win situation in my book.
Truth be told, it is not for the average consumer. I am not saying it is difficult to configure, but to benefit fully from it you need to know Linux and networking.

For example, you have Port Forwarding and NAT.
You can easily configure port forwarding via "Port Forwarding", but you get the most features if you configure it via "NAT", provided you know what you are doing there.
I hope I will have time to prepare another page just for that. It is an interesting journey.

As with all products, it is impossible to have everything, so I must mention that you cannot use jumbo frames with this one (i.e. an MTU of 9000).
If you attempt to set the MTU to 9000, the following error will be shown: The max allowed MTU on this platform is 2018.
For me this is not a problem, but for some of you it could be, so take that into consideration.

In short, what I like about it is:
1. Linux based (EdgeOS)
2. Easy to use web interface with many options
3. SSH connectivity to the operating system: not just a set of commands but full access to the operating system.
You will have to enable this via the web management interface.

fmbp16:Desktop florian$ ssh zero
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

Linux zero 3.10.107-UBNT #1 SMP Fri Feb 21 10:42:32 UTC 2020 mips
Welcome to EdgeOS
Last login: Wed Feb  3 21:57:38 2021 from 192.168.10.10
zero@zero:~$ sudo su -
root@zero:~# uptime
 21:58:30 up 169 days, 47 min,  1 user,  load average: 1.16, 1.21, 1.22
root@zero:~# id
uid=0(root) gid=0(root) groups=0(root)

Having console access can bring you a lot of nice information. For example, the CPU is MIPS 1004Kc.
For more information about what it can offer, please visit the presentation page: https://www.ui.com/edgemax/edgerouter-x/

Before moving forward, I have also prepared a useful tutorial on YouTube covering 7 things I believe you must know how to do:

1. 0:28 - How to connect to it for the first time and configure it
2. 1:17 - How to change the default password and create/delete users
3. 2:19 - How to set up passwordless connection via SSH
4. 3:16 - Hardware offloading (https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading)
5. 4:26 - Firmware upgrade
6. 5:30 - Backup configuration
7. 5:51 - Restore configuration

And if you like written tutorials, below I would like to show you a few command line tricks that you may need.

How to enable hardware offloading:

I have written an article about hardware offloading here.
The principle is the same on this device: offloading executes router functions directly in hardware instead of in software.
It is better to check the support website before deciding whether you want this enabled: https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading.
I have enabled it.

Commands to be executed:
configure
set system offload hwnat enable
set system offload ipsec enable
commit ; save

You will have to reboot in order for changes to take effect.

Output of an execution:
zero@zero:~$ configure
[edit]
zero@zero# set system offload hwnat enable
[edit]
zero@zero# set system offload ipsec enable
[edit]
zero@zero# commit ; save
[ system offload ipsec enable ]
This change will take effect when the system is rebooted.

WARNING : IPsec offload on ER-X platform is causing problems to L2TP remote-access VPN.
          and IPV6 site-to-site IPSec VPN
          You should *not* enable IPsec offload if you are using any of above.

          Other VPN modes are not affected by this issue:
             * IPv4 site-to-site IPsec VPN is working correctly with IPsec offload.
             * PPTP VPN is working correctly with IPsec offload.

          Only ER-X/ER-X-SFP/EP-R6 models are affected by this issue.

          This issue is to be fixed in future release.


Saving configuration to '/config/config.boot'...
Done
[edit]
zero@zero#

Update the boot loader after firmware upgrade:

In short, the bootloader controls functions such as LED boot behavior, configuration/driver loading and so on. On most EdgeRouter models it is not updated automatically and must be updated manually.
You can get more information here: https://help.ui.com/hc/en-us/articles/360009932554-EdgeRouter-How-to-Update-the-Bootloader

Command to execute:

add system boot-image

Example:
fmbpro:~ florian$ ssh zero@192.168.10.1
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

zero@192.168.10.1's password: 
Boot image can be upgraded to version [ e50_002_4c817 ].
Run "add system boot-image" to upgrade boot image.
zero@zero:~$ 
zero@zero:~$ 
zero@zero:~$ add system boot-image
Uboot version [e50_001_1e49c] is about to be replaced
Warning: Don't turn off the power or reboot during the upgrade!
Are you sure you want to replace old version? (Yes/No) [Yes]: Yes
Preparing to upgrade...Done
Copying upgrade boot image...Done
Checking boot version: Current is e50_001_1e49c; new is e50_002_4c817 ...Done
Checking upgrade image...Done
Writing image...Done
Upgrade boot completed
zero@zero:~$

How to add an SSH key on your EdgeRouter (min 2:19 in the video above):

Commands to be executed:

NOTE: replace KEY with the actual key you want to add :)

configure
set system login user zero authentication public-keys mbp type ssh-rsa
set system login user zero authentication public-keys mbp key KEY
commit 
save 
exit

Execution example:

NOTE: my key is scrambled :P

zero@zero:~$ cd .ssh
zero@zero:~/.ssh$ ls -la
total 4
drwxr-x---    2 zero     users          232 Aug 18 19:27 .
drwxr-xr-x    3 zero     users          504 Aug 18 20:29 ..
-rw-r--r--    1 root     root            90 Aug 18 19:27 authorized_keys
zero@zero:~/.ssh$ cat authorized_keys
# Automatically generated by Vyatta configuration
# Do not edit, all changes will be lost
zero@zero:~/.ssh$ configure
[edit]
zero@zero# set system login user zero authentication public-keys mbp type ssh-rsa
[edit]
zero@zero# set system login user zero authentication public-keys mbp key ABunchOfCharactersThatIsTheSSHKey
[edit]
zero@zero# commit
[edit]
zero@zero# save
Saving configuration to '/config/config.boot'...
Done
[edit]
zero@zero# exit
exit
zero@zero:~/.ssh$ cat authorized_keys
# Automatically generated by Vyatta configuration
# Do not edit, all changes will be lost
ssh-rsa ABunchOfCharactersThatIsTheSSHKey mbp
zero@zero:~/.ssh$
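
A helper for the KEY step above, as an added example that is not part of the original post: it splits one OpenSSH public key line into its type and base64 fields, checks that the type matches the algorithm name encoded inside the key blob, and prints the EdgeOS commands with only the base64 field as KEY. The function name edgeos_key_cmds and the sample key line are constructed for illustration, and a base64 tool that accepts -d is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a base64 tool that accepts -d.
# Constructed sample: the blob holds only the algorithm header, not a usable key.
SAMPLE_LINE='ssh-rsa AAAAB3NzaC1yc2E= florian@mbp'

# edgeos_key_cmds USER KEYNAME 'type base64 [comment]'
# Prints the EdgeOS commands, or fails if the line is not a well-formed public key.
edgeos_key_cmds() {
    user=$1 name=$2
    # Split the line into its fields; the trailing comment is not sent to the router.
    read -r type blob rest <<EOF
$3
EOF
    for v in "$user" "$name"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "bad user or key name" >&2; return 1 ;;
        esac
    done
    if [ -z "$type" ] || [ -z "$blob" ]; then
        echo "expected: type base64 [comment]" >&2; return 1
    fi
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "key field is not base64" >&2; return 1 ;;
    esac
    # The decoded blob starts with a 4-byte big-endian length, then the algorithm name.
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 |
          awk 'NF == 4 { print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    case $len in
        ''|*[!0-9]*) echo "key blob too short or not decodable" >&2; return 1 ;;
    esac
    [ "$len" -le 64 ] || { echo "implausible algorithm name length" >&2; return 1; }
    inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
            dd bs=1 skip=4 count="$len" 2>/dev/null)
    if [ "$inner" != "$type" ]; then
        echo "type field '$type' does not match key blob" >&2; return 1
    fi
    cat <<EOF
configure
set system login user $user authentication public-keys $name type $type
set system login user $user authentication public-keys $name key $blob
commit
save
exit
EOF
}

edgeos_key_cmds zero mbp "$SAMPLE_LINE"
```

Run it on the workstation against the contents of your own .pub file; a line that was pasted without its type field, or with a type that does not match the blob, is rejected before anything reaches the router.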
