Ubiquiti EdgeRouter X - Configuring to Isolate Surveillance Networks

Thank you for posting this @guykuo!

Will you be posting a follow-up how-to like you did for the Ubiquiti ER-X?

Cheers,
Randy

Ubiquiti has discontinued shipping the EdgeRouter X. It was an amazing little machine for its time, especially at $60.
Getting one now costs much more. I no longer recommend this pathway to network isolation.

I have since transitioned to pfSense on a fanless firewall appliance. The initial setup cost is more, but setup is much easier than with the EdgeRouter X. VPN is simpler to implement. It supports 2.5 Gb network speed. pfSense is actively improved and pfBlocker ad blocking has been very effective. Very happy with making the upgrade. The speed, ease of configuration, and enhanced capabilities easily justify the cost differential. On the other hand, paying inflated prices for rare, discontinued EdgeRouter Xs is not worth doing.

To implement pfSense, I got a bare-bones Mini PC with 2.5 Gb ports, a 128 GB mSATA drive, and 16 GB RAM. That's actually FAR more RAM and storage than needed, but going with smaller capacity wasn't going to save many dollars.

$266 MOGINSOK Firewall Appliance Mini PC, Intel Celeron J4125 Quad Core 4xIntel I225 2.5G Ethernet VPN Router PC AES-NI HDMI VGA Barebone NO RAM NO SSD (Be sure to get one with AES-NI)

$32 Transcend 128GB SATA III 6GB/S MSA230S mSATA SSD 230S Solid State Drive TS128GMSA230S

$47 G.Skill Ripjaws SO-DIMM Series 16GB (1 x 16GB ) 260-Pin (PC4-19200) DDR4 2400 CL16-16-16-39 1.20V SO-DIMM Memory Model F4-2400C16S-16GRS

My pfSense firewall box is at about 2-3% CPU, 5% RAM, and 1% storage on average. It's a huge jump up in speed and capacity. Also, pfSense has a larger user base for support. Tons of how-to videos are online.
 
Just stumbled across this thread and am curious, as I currently utilize an EdgeRouter X in front of my home network. I've had this router for a couple of years, and love it as it was so versatile with setting up internal VPN, VLANs, etc., and works well with my switches. I notice Ubiquiti has placed a newer firmware on their download site (I think dated 18-July?), but I wonder how long this router will be supported? I guess when they do stop the support, it will be open season for security threats/attacks on this equipment.

From what I have seen, a lot of people give pfSense a thumbs up; however, I wonder about the security of this option. I am a complete networking noob, but when I hear open-source, it automatically throws up questions of security.
 
My network is entirely Ubiquiti Unifi. PoE switch, regular switch, APs and a USG-3P gateway (router). I'm looking to isolate my 16 IP cams and really don't know where to start.
 
"All ports configured with address of no address" - what does this mean?

That means you are not using the LAN ports as managed ports (which is the mode that is commonly used).
Assigning them an IP address only allows traffic from that port to the rest of the network if it comes from the machine with the same IP address assigned to that port.

Since you wanted to know what that meant.
 
@guykuo, great writeup.
I was wondering if you couldn't create a Firewall/NAT Group with your security camera IPs and then create a firewall rule in WAN_Local (I think that is the right one vs. WAN_IN) to reject all connections from that Group?
While not isolated on a VLAN, it would prevent internet access from those IPs.

My setup is ER-X -> USW24PoE
All security cameras are connected to the USW24PoE along with the 3 Wi-Fi APs. VLANs on switch0 (switch0.1, and that was a hassle to set up) for guest and IoT device separation. While I could add a separate VLAN for the security cameras, if the intent is to block outbound access, then it seems the above approach would work. I do recognize that if there was a hack on the cameras, it would also have access to the trusted network.
 

I personally won't allow "Chinese"/untrusted devices in my inner LAN. See it like an onion network: WAN = outside, VPN is DMZ, untrusted = IPC VLAN, trusted = LAN. I only allow access FROM LAN to anything. IPC can NEVER contact LAN, nor WAN (except for push notification & NTP). However, VPN is the only one which can contact the IPC VLAN (to be able to use DMSS from WAN, e.g. 4G).

Which means you simply add a "deny all" on your IPC_VLAN to "internal/local".

Hope this helps!
CC
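
The onion model above, together with the address-group idea from the earlier ER-X post, written out as an added example (this is not code from any post in this thread): a small Python script that holds the two EdgeOS rulesets as data, prints the `set` commands for them, and checks sample flows against them. The subnets, VLAN 50 on switch0, vtun0 as the OpenVPN interface, the push-notification host and TCP 37777 for DMSS are all assumptions. One point the script relies on: in EdgeOS, WAN_LOCAL only filters traffic addressed to the router itself, so a block on camera egress belongs in the ruleset applied to the camera interface in the "in" direction, which is where the script attaches IPC_IN.

```python
"""Onion-style isolation from this thread: LAN may reach anything, the IPC VLAN
may reach nothing except NTP and its push host, and only VPN clients may reach
the cameras.  Added example (not from the original posts): rulesets are held as
data, rendered to EdgeOS 'set' commands and checked against sample flows.
Subnets, VLAN 50 on switch0, vtun0, the push host and TCP 37777 are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Optional

LAN = IPv4Network("192.168.1.0/24")          # trusted (assumed addressing)
IPC = IPv4Network("192.168.50.0/24")         # camera VLAN 50 (assumed)
VPN = IPv4Network("10.8.0.0/24")             # OpenVPN client pool on vtun0 (assumed)
NTP_SERVER = IPv4Network("192.168.1.1/32")   # router serves NTP to the cams (assumed)
PUSH_HOST = IPv4Network("203.0.113.10/32")   # vendor push endpoint (assumed, doc range)


@dataclass
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    state: str = "new"    # "new" or "established"


@dataclass
class Rule:
    num: int
    action: str                         # "accept" or "drop"
    desc: str
    proto: Optional[str] = None         # None = any protocol
    dport: Optional[int] = None
    dst: Optional[IPv4Network] = None
    established: bool = False           # matches only replies to existing sessions

    def matches(self, f: Flow) -> bool:
        if self.established:
            return f.state == "established"
        return (f.state == "new"
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport)
                and (self.dst is None or ip_address(f.dst) in self.dst))


@dataclass
class Ruleset:
    name: str
    iface: str                          # EdgeOS interface path the set is applied to, direction "in"
    default: str
    rules: list = field(default_factory=list)

    def decide(self, f: Flow) -> str:
        for r in self.rules:            # first match wins, then the default action
            if r.matches(f):
                return r.action
        return self.default


IPC_IN = Ruleset("IPC_IN", "switch switch0 vif 50", "drop", [
    Rule(10, "accept", "replies to sessions opened from LAN or VPN", established=True),
    Rule(20, "accept", "NTP to the router only", proto="udp", dport=123, dst=NTP_SERVER),
    Rule(30, "accept", "push notifications", proto="tcp", dport=443, dst=PUSH_HOST),
])
VPN_IN = Ruleset("VPN_IN", "openvpn vtun0", "drop", [
    Rule(10, "accept", "replies", established=True),
    Rule(20, "accept", "DMSS/Dahua TCP to the cameras (port assumed)", proto="tcp", dport=37777, dst=IPC),
    Rule(30, "accept", "RTSP to the cameras", proto="tcp", dport=554, dst=IPC),
])
POLICY = {IPC: IPC_IN, VPN: VPN_IN}     # LAN has no ingress ruleset: it may reach anything


def decide(f: Flow) -> str:
    """Apply the ruleset of the zone the flow enters from; unlisted zones (LAN) are unrestricted."""
    for net, rs in POLICY.items():
        if ip_address(f.src) in net:
            return rs.decide(f)
    return "accept"


def render(rs: Ruleset) -> list:
    """EdgeOS 'set' commands for one ruleset, to paste into 'configure' and 'commit'."""
    out = [f"set firewall name {rs.name} default-action {rs.default}",
           f"set firewall name {rs.name} enable-default-log"]
    for r in rs.rules:
        p = f"set firewall name {rs.name} rule {r.num}"
        out += [f"{p} action {r.action}", f"{p} description '{r.desc}'"]
        if r.established:
            out += [f"{p} state established enable", f"{p} state related enable"]
        if r.proto:
            out.append(f"{p} protocol {r.proto}")
        if r.dport:
            out.append(f"{p} destination port {r.dport}")
        if r.dst:
            addr = str(r.dst.network_address) if r.dst.prefixlen == 32 else r.dst.with_prefixlen
            out.append(f"{p} destination address {addr}")
    out.append(f"set interfaces {rs.iface} firewall in name {rs.name}")
    return out


if __name__ == "__main__":
    print("\n".join(render(IPC_IN) + render(VPN_IN)))
    for f in (Flow("192.168.50.10", "8.8.8.8", "tcp", 443), Flow("10.8.0.6", "192.168.50.10", "tcp", 37777)):
        print(f, "->", decide(f))
```

Rule 10 in each set is what keeps the one-way model usable: a camera may answer a stream request that LAN or a VPN client opened, but cannot open anything itself. Note that NTP is pinned to the router's address rather than "any host on UDP 123", otherwise a compromised camera would have a working tunnel out over port 123.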
 
I have considered setting my EdgeRouter up as prescribed in this post, but am not overly concerned with tackling all of it yet as my cameras are segregated from the outside world and my network via a dual NIC.

I just started working 100% from home and would like for my work PC to not be on my regular LAN. Am I able to configure this portion of it? Or is it an all or nothing arrangement with the above setup?
 

Yes, you can certainly set this up that way if you are hard-wiring your work PC to the switch.

But if you can get by with wifi, what about setting up guest wifi just for the work PC?
 
I use Samsung SmartThings for my automation and Wi-Fi mesh, and it has the ability to have guest and internet-only passwords (keeps the same SSID, which is nice; it must do some internal segregation), but the quality of some of my video meetings earlier was shit. However, I don't know how much of it was me and how much was the other end, but I did get a pop-up for bad quality.

I have an unused port in my office and can wire it accordingly in the rack. I may swap back over to Wifi and see how it goes, for now.
 
I ended up following this video. It was pretty straight forward and worked perfectly for what I wanted to accomplish.

 

CC, need a little help with my EdgeRouter X. VLANs are all set up (guest, IoT) and Guest/IoT are blocked from the main network, and I can access from the main to the Guest/IoT. What I can't figure out is how to access the IoT when on VPN. Is this something you can provide some guidance on?
 
Haai!
There are different ways to solve this puzzle. Currently my VPN endpoint is (for various reasons) hiding in my main network. So when connecting from my mobile device (not on MAIN Wi-Fi), I can log in through OpenVPN into MAIN, and as all required video ports are open from MAIN to Guest, there is no obstruction in my way of working. If you would run your OpenVPN on your ER-X itself, you have to open these video ports from that OpenVPN landing zone towards your Guest VLAN.

Good luck!
CC
 

So if I wanted wide-open access from VPN to IoT, I would need similar firewall rules to WAN_Local?
 

If your "default" firewall rule is DROP, then the answer is yes.

The easiest way to validate (debug) is to configure the rules and check "log entry". Then you try opening your VPN; if that works, try opening your cams (e.g. DMSS). All attempts will be logged and shown, and then you know which ports to open (and which not).
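
The "log it, then read off the ports" method above, as an added example (not from any post in this thread): a Python script that parses the kernel log lines EdgeOS writes for rules with logging enabled, counts the dropped flows per ruleset, and turns them into candidate `set` commands to review. The log lines are constructed for the example; the `[NAME-RULE-ACTION]` prefix and the iptables-style fields follow what EdgeOS typically writes for a logged rule or default action, but that format is an assumption here, as are the hostnames and addresses.

```python
"""Read EdgeOS firewall log lines back into a list of blocked flows, so the ports
a VPN client or camera needs are read off the log rather than guessed.  Added
example, not from the original posts.  SAMPLE_LOG is constructed; the
'[NAME-RULE-ACTION]' prefix and iptables-style fields follow what EdgeOS writes
for rules with 'log enable' or 'enable-default-log' (format assumed from typical
output; hostnames and addresses are made up)."""
import re
from collections import Counter

SAMPLE_LOG = [  # constructed sample, not real captures
    "Sep 12 10:15:01 ubnt kernel: [VPN_IN-default-D]IN=vtun0 OUT=switch0.50 SRC=10.8.0.6 DST=192.168.50.10 "
    "LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=37777 WINDOW=29200 SYN",
    "Sep 12 10:15:03 ubnt kernel: [VPN_IN-default-D]IN=vtun0 OUT=switch0.50 SRC=10.8.0.6 DST=192.168.50.10 "
    "LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=51001 DPT=37777 WINDOW=29200 SYN",
    "Sep 12 10:15:04 ubnt kernel: [VPN_IN-default-D]IN=vtun0 OUT=switch0.50 SRC=10.8.0.6 DST=192.168.50.10 "
    "LEN=44 TTL=63 ID=3 PROTO=UDP SPT=51002 DPT=37778 LEN=24",
    "Sep 12 10:15:05 ubnt kernel: [IPC_IN-20-A]IN=switch0.50 OUT= SRC=192.168.50.10 DST=192.168.1.1 "
    "LEN=76 TTL=64 ID=4 PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Sep 12 10:15:06 ubnt kernel: [IPC_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.168.50.10 DST=8.8.8.8 "
    "LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 SYN",
    "Sep 12 10:15:07 ubnt kernel: [IPC_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.168.50.10 DST=8.8.8.8 "
    "LEN=84 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
]

# Prefix: ruleset name, rule number or 'default', action A(ccept)/D(rop)/R(eject).
# DPT is optional because ICMP entries carry no port.
LOG_RE = re.compile(
    r"\[(?P<ruleset>[A-Za-z0-9_]+)-(?P<rule>default|\d+)-(?P<action>[ADR])\]"
    r".*?\bIN=(?P<in>\S*).*?\bSRC=(?P<src>\S+).*?\bDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?")


def parse(line: str):
    """One log line -> dict of the fields we care about, or None for non-firewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def blocked_flows(lines):
    """Dropped/rejected flows keyed by (ruleset, src, dst, proto, dport), most frequent first."""
    c = Counter()
    for line in lines:
        e = parse(line)
        if e and e["action"] in ("D", "R"):
            c[(e["ruleset"], e["src"], e["dst"], e["proto"], e["dpt"])] += 1
    return c.most_common()


def suggest_rules(lines, ruleset, start=100):
    """Candidate 'set' commands for the blocked (dst, proto, port) triples of one ruleset.
    These are for review, not for pasting blindly: decide per line whether the app
    really needs that port or whether the block was doing its job."""
    out, n, seen = [], start, set()
    for (rs, _src, dst, proto, dpt), _count in blocked_flows(lines):
        if rs != ruleset or dpt is None or (dst, proto, dpt) in seen:
            continue
        seen.add((dst, proto, dpt))
        p = f"set firewall name {rs} rule {n}"
        out += [f"{p} action accept", f"{p} protocol {proto.lower()}",
                f"{p} destination address {dst}", f"{p} destination port {dpt}"]
        n += 10
    return out


if __name__ == "__main__":
    for key, count in blocked_flows(SAMPLE_LOG):
        print(count, *key)
    print("\n".join(suggest_rules(SAMPLE_LOG, "VPN_IN")))
```

On a live box the input would be `show log | match "\[VPN_IN-"` or the lines from `/var/log/messages`. The IPC_IN drops in the sample are the ones you want to keep seeing: a camera trying 8.8.8.8 on 443 is exactly what the default-drop exists for, so only the VPN_IN ruleset is fed to suggest_rules.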