Needing help setting up an Edgerouter X behind an Asus RT-86U

Jessie.slimer

BIT Beta Team
Joined
Aug 23, 2019
Messages
1,629
Reaction score
4,657
Location
Illinois
I just got an Edgerouter X and a UAP-AC-LR access point in order to set up a separate network for my IoT devices. I'm very green to networking, but have been watching a lot of tutorials online on configuring this thing.

I've got a decent grasp on it, but I think where I am running into issues is because everything I am watching is using the Edgerouter as the primary and only router. I would like to keep and use my Asus for everything, and set up one wired/wireless IoT network on the Edgerouter. I have read @guykuo's awesome writeup on setting up for multiple networks, but I don't need anything near that elaborate. I may use his config file and tinker with it, but I'm trying to set something up simple first.

While I'm sure I will have other questions for anyone willing to help, my first would be whether it's necessary to bridge my WAN through the Asus to the ER, or can I just hand out a local IP from the Asus to the ER?

All of my IoT devices will be on the 192.168.1.x network of the Edgerouter and need access to the internet but no access to each other. If possible, I would like to be able to access my printer, Chromecasts, and Hubitat home automation hub from our phones, which will be on the main 192.168.50.x network on the Asus.

My desired setup will be ISP->Asus RT-86u->ER X->IoT network

Thanks in advance
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
You can definitely do what you are looking to do. First thing I would do is follow this guide to set up the edge router: EdgeRouter - Beginners Guide to EdgeRouter

You can set it up as a DHCP WAN setup. Do this with a laptop plugged into it locally first to run through the setup wizard. Once you have completed that, you can plug the WAN port into your Asus router. You'll need some type of controller setup to configure the AP. I've kept this high level as there are a bunch of options out there for this, and the writeup @guykuo put together should be your guide to locking down your IoT network on the ER-X.
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,467
Reaction score
2,470
Location
USA
A cursory look at the RT-86u docs does not show any VLAN options. So, odds are you cannot set up multiple DHCP schemes via the Asus. The simplest setup might be assigning the Asus DMZ port to the Edgerouter connection, and the Edgerouter will do its own DHCP assignment to the IoT devices via the UAP-AC-LR.

Will the printer, Chromecasts, and Hubitat home automation hub reside on the main network (192.168.50.x)?
 

Jessie.slimer

Thanks for the replies. I haven't had much time to play with it, but have gotten it to work on a basic level (at least without all the network segmentation rules) after figuring out I need to disable the WAN in firewall on the ERx so that I can access it from my Asus.

I just assigned the ERx a WAN address of 192.168.50.100, which is on the Asus LAN, and am using the masquerade function on the Edgerouter.

All of my IoT devices, printers, and Chromecasts will be on the ERx 192.168.1.x network, as well as my access point.

Now I just have to work on getting everything locked down so they can't get to anything on my Asus router.
 

Jessie.slimer

I am messing with this a little more tonight, and am trying to partially isolate my Edgerouter from my Asus router. I do not want any IoT devices (on the Edgerouter) to access my main router that is in front (Asus), but would like to access the Edgerouter from my Asus network. With the ER plugged into a LAN port of my Asus, the Asus assigns it an IP of 192.168.50.144. My local networks on the Edgerouter have internet access and I can access the Edgerouter GUI from the Asus network (great). If I set a firewall rule in the Edgerouter GUI to drop all outbound traffic to the entire Asus network (192.168.50.0/24), it blocks the Edgerouter from being able to access anything on the Asus network, including the router itself. I cannot ping anything or log into the Asus GUI at 192.168.50.1 (great again).

However, with this firewall enabled, the IoT loses the internet access it had. I cannot ping anything on the internet or open any webpages. Is there a way that I can only block access to the Asus local network but still allow the traffic to pass through it to the internet? I tried poking around but do not see anything. Maybe I have to set up a static route to the internet or something?
 

mikeynags

I would recommend you read this article by @guykuo first and do some testing - you can absolutely run this router plugged into your Asus and prevent the cameras from getting to the Internet.

 

Jessie.slimer

I did read that, but my use is a bit different, as I need my LAN to have full internet access but not access other local networks. Also, since I'm cascading routers it's a little more tricky (at least for me) versus the Edgerouter being directly exposed to the internet.

I'm not putting any cameras on my Edgerouter. I use a dual NIC on my Blue Iris computer for that.
 

mikeynags

Your best bet will be to create multiple networks/VLANs for this. I'm doing something similar and I do have the networks completely separate and unable to talk to each other with only a couple of firewall rules poked for admin purposes. It's totally doable. Some of the articles at Ubiquiti are helpful as well. Try checking out this one: EdgeRouter - Beginners Guide to EdgeRouter
 

Jessie.slimer

I've been able to isolate my networks on the edgerouter, that's easy enough. The problem is blocking the networks on the upstream router, but still being able to punch through that router to the internet.

I really want to keep the Asus router, but I'm starting to see how much easier it will be if I just use one router.

I'm going to try to play with DMZ and static routing settings on the Asus tonight to see if I can get internet passed through, despite the firewall rules.

Thanks for the input.
 

Jessie.slimer

After some more tinkering, I got it working. I had the default rule for my Edgerouter's IoT LAN to WAN set to drop when it should have been set to allow. I figured that setting rule number 1 to allow an OUT connection to 192.168.50.1 (Asus router/internet gateway) would have let the packets through to the internet, but they were being dropped by the default rule. Probably because the ERx does not consider these packets to have a destination of 192.168.50.1, but the internet instead (0.0.0.0). I learned that the default rule is used when all other rules are not used (true).

Changed the default rule to allow and set a firewall rule to drop all packets to my Asus LAN, and now I get internet on my IoT LAN but cannot access the Asus router or the Asus LAN. All is good.

Now to find out if there is a way to access the ERx lan from my Asus lan.

I must say, the Edgerouter X is a pretty incredible, versatile piece of equipment for very little money.
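
The rule-order behaviour described in the post above, modelled as an added example (not part of the original thread and not EdgeOS code): a first-match evaluator showing why an accept rule for 192.168.50.1 never matches Internet-bound packets, whose destination field holds the remote host while the Asus is only the next hop. The ruleset layout, the `Packet` type and the sample packets are assumptions constructed for illustration; stateful connection tracking is not modelled.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# dst is the IP header destination; next_hop is where the frame is handed on.
# The firewall below matches on dst only, never on next_hop.
Packet = namedtuple("Packet", "dst next_hop")

# Ordered (action, destination network) rules plus a default action.
# Addresses come from the thread; the structure is a constructed model.
BEFORE = {"rules": [("accept", "192.168.50.1/32")], "default": "drop"}
AFTER = {"rules": [("drop", "192.168.50.0/24")], "default": "accept"}

# Constructed sample packets leaving the IoT LAN through the Edgerouter's WAN side.
SAMPLES = {
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    "internet host": Packet("203.0.113.10", "192.168.50.1"),
    "Asus router": Packet("192.168.50.1", "192.168.50.1"),
    "Asus LAN client": Packet("192.168.50.20", "192.168.50.20"),
}


def evaluate(ruleset, packet):
    """Return the action of the first rule whose network contains packet.dst."""
    dst = ip_address(packet.dst)
    for action, network in ruleset["rules"]:
        if dst in ip_network(network):
            return action
    # No rule matched, so the default action decides.
    return ruleset["default"]


def verdicts(ruleset):
    """Evaluate every sample packet against one ruleset."""
    return {name: evaluate(ruleset, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, ruleset in (("before", BEFORE), ("after", AFTER)):
        print(label, verdicts(ruleset))
```

With the original ruleset the Internet-bound packet falls through to the default drop even though its next hop is 192.168.50.1; with the corrected ruleset only destinations inside 192.168.50.0/24 are dropped.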
 