



Standard User Woolwich
(experienced) Wed 21-Jul-21 09:28:35

Adding an EdgeRouter X to my LAN

Finally I got around to buying an EdgeRouter X after folk here suggested it would speed up my VPN connections.

I need a couple of clues / advice as to the best way to set this up and integrate it into my LAN.

I have a FritzBox modem/router. Whatever happens I need that for my WiFi, VoIP and DECT. Obvs it's connected to the POTS for my FTTC. The FritzBox is known to have a slow processor and it can't do decent VPN speeds, thus the EdgeRouter.

Between the Fritz and an Ethernet five port hub/switch I have about six or seven LAN cables.

Along with the EdgeRouter I've bought a new Ethernet 'smart' switch (TP-Link). The plan is for all of my LAN to run through this one switch, the older smaller one will be retired and the FritzBox relocated.

The simple way is just to have the EdgeRouter do my VPN. But does it need to be my main router, handle DHCP and DNS for example. Or how can I tell it to ask the Fritz for those?

My Fritz is at 182.168.1.1, I've set the EdgeRouter to be on 192.168.1.2 and plan to make the switch 192.168.1.3. Seems reasonable as they all have web interfaces.

Is having two routers a problem? I'm still going to have one or other do port forwarding, should I leave that on the Fritz or basically pass all my routing requirements over to the EdgeRouter?

Where would you start?

Thanks!
Standard User prlzx
(experienced) Thu 22-Jul-21 23:48:42

Re: Adding an EdgeRouter X to my LAN

[re: Woolwich]

I don't think I'll be able to give step by step instructions.
What you want to do is possible but involves some learning as you go.

From my own experience I couldn't apply everything all at once and needed to progressively add configuration for each use case.

Something that is useful in any case is having to hand the list of other VPN endpoints and what type of VPN they are using.

EdgeRouter does not have to be your main router, especially if the incoming broadband is xDSL, and like you I continue to use the Fritz for Wi-Fi.

(However if I had need of multiple WiFi access points I might pair EdgeRouter with an xDSL modem and retire the Fritz.)

When your EdgeRouter is ready to start accepting connections,
for IPsec based VPNs, you can certainly have Fritz forward 500/udp and 4500/udp.
This is the same as my approach.

For Wireguard, Fritz can forward 51820/udp.
For me that would be a PC or VM rather than the EdgeRouter, but I don't currently accept WG connections from the Internet.
If Wireguard becomes a first-class citizen on EdgeRouter like the direction it's going on pfSense I'll still end up with a mix of types.

I would recommend having systems on your LAN use your EdgeRouter as their only DNS server, so that it can resolve private namespaces (DNS suffixes), including for the EdgeRouter itself.
EdgeRouter can then be set to forward DNS queries (for anything it can't answer) to the Fritz.

For example my namespaces look like:
hostname.home.lan (on the normal network)
hostname.wg.home.lan (hosts reachable via wireguard VPN)
hostname.sitename.orgname.lan (hosts reachable at a workplace site via VPN)


As you can see, I've chosen this so that EdgeRouter should be able to answer anything ending in .lan
(or else know who does have the answer)
and should never forward that to Fritz, avoiding DNS leakage.
This kind of scheme isn't possible on the Fritz itself as you can't even change the DNS domain name, but is possible when you run your own internal DNS service.

People sometimes make the mistake of handing out the 2nd DNS server as an Internet-based service such as 8.8.8.8 but that will be counter productive if using VPN.

It can be helpful to make sure all your internal hostnames have a FQDN in Edgerouter, particularly for hosts which run services you would like to connect to (by name).
These can be under either of these sections:

system static-host-mapping host-name
or
service dns forwarding options host-record=



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Fri 23-Jul-21 00:11:52)
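A small model of the DNS forwarding policy prlzx describes above, as an added example that is not code from the thread or from EdgeOS: the EdgeRouter answers its own .lan zones, hands a VPN-side suffix to the resolver that owns it, refuses any other .lan name rather than leaking it upstream, and forwards only public names to the FritzBox. All hostnames, zones and addresses below are constructed for illustration.

```python
# Added example: split-horizon forwarding decision in the style of a dnsmasq
# server=/suffix/ table. Records and resolver addresses are constructed.
FRITZ = "192.168.1.1"          # upstream resolver for public names only

# Zones the EdgeRouter answers itself (constructed host records).
LOCAL_ZONES = {
    "home.lan": {"nas": "192.168.1.20", "edgerouter": "192.168.1.2"},
    "wg.home.lan": {"laptop": "10.10.10.5"},
}
# Suffixes owned by a resolver reachable over a site VPN (constructed address).
VPN_ZONES = {"sitename.orgname.lan": "10.20.0.53"}


def longest_suffix(name, zones):
    """Return the most specific zone covering name, or None (dnsmasq-style match)."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(name):
    """Decide what the EdgeRouter does with a query.

    Returns ("local", ip), ("forward", resolver) or ("nxdomain", None).
    A .lan name that no local or VPN zone owns is answered NXDOMAIN locally,
    never forwarded to the Fritz, which is the leak the thread warns about.
    """
    name = name.rstrip(".").lower()
    zone = longest_suffix(name, LOCAL_ZONES)
    if zone is not None:
        host = name[: -len(zone) - 1] if name != zone else ""
        ip = LOCAL_ZONES[zone].get(host)
        return ("local", ip) if ip else ("nxdomain", None)
    zone = longest_suffix(name, VPN_ZONES)
    if zone is not None:
        return ("forward", VPN_ZONES[zone])
    if name == "lan" or name.endswith(".lan"):
        return ("nxdomain", None)        # private TLD: refuse, do not leak
    return ("forward", FRITZ)
```

Handing out 8.8.8.8 as a second DNS server bypasses this whole decision for any client that happens to query it, which is why the post recommends the EdgeRouter as the only server.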

Standard User Pheasant
(fountain of knowledge) Fri 23-Jul-21 09:48:04

Re: Adding an EdgeRouter X to my LAN

[re: prlzx]

In reply to a post by prlzx:
From my own experience I couldn't apply everything all at once and needed to progressively add configuration for each use case.

That is sage advice. Plan it out well in advance and get the basics right and working and add / alter as you go.

Scattering network functions across boxes can be far more difficult to manage, maintain and diagnose any issues, especially in a moderately complex setup.

Personally I would ditch the Fritz in your situation. Get a DSL modem and maintain all the firewall/routing/VPN functionality in one place on the Ubiquiti box. If you then at some point migrate to FTTP then it will be a dead easy migration.



Standard User Woolwich
(experienced) Fri 23-Jul-21 10:29:47

Re: Adding an EdgeRouter X to my LAN

[re: prlzx]

In reply to a post by prlzx:
I don't think I'll be able to give step by step instructions.


No, of course not, I wouldn't expect that. All I need is a few clues, an overall strategy to help the penny drop. I'm happy to learn as I go. For example, as explained to me somewhere here earlier, if I'm port forwarding _into_ the ER-X for VPN, how does it know where to go to get back out? I need to set the 'next hop' and that needs to be the FritzBox (as it's connected to the WAN)? So I need a couple of clues about that.

And BTW, in case it's not clear or I'm unusual, I'm not using VPN to circumvent geo restrictions or for any paranoid reasons. The internet connection here is 'normal'. The VPN is for file sharing between sites and for when in a cafe and don't want to be exposed on their insecure WiFi (because I am paranoid!).

the list of other VPN endpoints and what type of VPN they are using.


Everything (site-to-site) is FritzBox using its built-in VPN. So - and here I think a penny is dropping - I need to configure the ER-X VPN, then I can port forward to it and the VPNs will still operate, it doesn't matter that it's ER-X at one end and FB at the other. (But the plan is to have EdgeRouters at each site otherwise there's no throughput gain.)

I would recommend having systems on your LAN use your EdgeRouter as their only DNS server, so that it can resolve private namespaces (DNS suffixes), including for the EdgeRouter itself.


Mmmm... At the moment everything just gets DNS from the FB without my setting anything up. If the ER-X is doing DNS, how does my Mac know that? And my iPad which will be on the FB WiFi, how does it 'know'?

Can I leave the DNS for now, until I get the VPN running? What you have looks interesting but I need to learn a bit more first.

Thanks
Standard User Woolwich
(experienced) Fri 23-Jul-21 10:40:57

Re: Adding an EdgeRouter X to my LAN

[re: Pheasant]

In reply to a post by Pheasant:
Personally I would ditch the Fritz in your situation. Get a DSL modem and maintain all the firewall/routing/VPN functionality in one place on the Ubiquiti box. If you then at some point migrate to FTTP then it will be a dead easy migration.


I do have an old Openreach ECI modem I could do this with. And I agree, but... the FB is my WiFi, VoIP and DECT phone so I can't just remove it. (Well I could but I'd need to buy a WiFi thing and a VoIP thing and a DECT thing and that's too many things for the moment.)
Standard User prlzx
(experienced) Sat 24-Jul-21 03:32:05

Re: Adding an EdgeRouter X to my LAN

[re: Woolwich]

If the ER-X is doing DNS, how does my Mac know that? And my iPad which will be on the FB WiFi, how does it 'know'?


Well, when your ER-X DNS is populated, you can tell FB's DHCP server to give out the address of ER-X as the DNS server (instead of the FB itself by default).
Sometimes it's forgotten that DHCP informs more than just a minimal IP/Subnet (and optional default Gateway).

You can leave DNS on the FB for now, but the only reason that works is all traffic goes through the FB regardless of whether it's going to be tunneled.
If the FB is eventually no longer doing the VPN tunnels it will cease to know about the IP ranges or hosts associated with remote sites.

I do tend to rant about DNS but that's from having worked in environments where it was not managed well.
If you find yourself hard-coding IPs everywhere or having to type IPs in your browser address bar, or to reach a network share it's a clue some names are missing.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Sat 24-Jul-21 03:36:09)

Standard User prlzx
(experienced) Sat 24-Jul-21 03:52:45

Re: Adding an EdgeRouter X to my LAN

[re: prlzx]

Forgot to mention in first reply,
if you are using either of the networks
192.168.0.0/24
192.168.1.0/24

It's generally a pain in the long run as you almost guarantee an address or routing conflict with another site, but especially if needing remote access when visiting another house.

The private address space has much more to choose from.
10.0.0.0/8 is commonly used by large enterprises but 172.16.0.0/12 less so,
and you can easily choose a /16 from which to carve out your own subnets.

For example, if you prefer to stick with subnets of the familiar 192.168.0.0/16,
and have 15 or fewer sites you can do something like this:

Site 1 = 192.168.16-31.*
Site 2 = 192.168.32-47.*
Site 3 = 192.168.48-63.*


Watch out if using VMware, Virtualbox or similar because they create additional NICs and Networks under 192.168. too.

Visit any forum on VPN and you'll see people begging for ways to make it work without renumbering when they have invested a lot of time already.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
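The per-site addressing plan above, worked through as an added example (not from the thread): 192.168.0.0/16 is split into sixteen /20 blocks of sixteen /24s each, block 0 (192.168.0-15.x) is left unused because it holds the router and hypervisor defaults, and a proposed plan is checked for overlap with ranges that must not collide with it. The site list, the OP's existing /24s and the hypervisor range are constructed inputs; 192.168.56.0/24 is VirtualBox's default host-only network.

```python
# Added example: carve 192.168.0.0/16 into /20 site blocks and detect overlaps.
from ipaddress import ip_network

PARENT = ip_network("192.168.0.0/16")
BLOCKS = list(PARENT.subnets(new_prefix=20))   # 16 blocks, each 16 x /24


def site_block(site):
    """/20 for site number 1..15: site 1 = 192.168.16.0/20 (192.168.16-31.x),
    site 2 = 192.168.32.0/20, ... Block 0 is deliberately not handed out."""
    if not 1 <= site <= 15:
        raise ValueError("plan supports sites 1..15")
    return BLOCKS[site]


def site_subnet(site, index):
    """The index-th /24 inside a site's block, e.g. site 1 index 0 -> 192.168.16.0/24."""
    return list(site_block(site).subnets(new_prefix=24))[index]


def conflicts(plan, reserved):
    """Return [(name, reserved_net)] for every planned block overlapping a reserved
    range (other sites' LANs, VPN client pools, hypervisor NAT/host-only networks)."""
    return [(name, r) for name, net in plan.items()
            for r in reserved if net.overlaps(r)]


# Constructed input: the OP's four existing /24s plus VirtualBox's default host-only net.
RESERVED = [ip_network(f"192.168.{n}.0/24") for n in (1, 2, 3, 4)]
RESERVED.append(ip_network("192.168.56.0/24"))


def check_plan(sites):
    """Assign a block per site and report which blocks collide with RESERVED."""
    plan = {f"site{s}": site_block(s) for s in sites}
    return plan, conflicts(plan, RESERVED)


if __name__ == "__main__":
    plan, bad = check_plan([1, 2, 3])
    for name, net in plan.items():
        print(f"{name}: {net}  first /24 = {site_subnet(int(name[4:]), 0)}")
    for name, r in bad:
        print(f"WARNING: {name} overlaps reserved {r}")
```

The existing 192.168.1-4.0/24 LANs fall inside the unused block 0, so they never collide with the plan; the warning the run prints is site 3's block swallowing 192.168.56.0/24, exactly the VM-network clash the post cautions about.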
Standard User Woolwich
(experienced) Sat 24-Jul-21 09:38:21

Re: Adding an EdgeRouter X to my LAN

[re: prlzx]

In reply to a post by prlzx:
Forgot to mention in first reply

I should have mentioned it in my OP. I seemed to learn I needed different sites to be on different subnets for VPN to work before I started so it's never been an issue for me. I have four sites using 192.168.n.0/24 where n is either 1, 2, 3 or 4. (But not really as we have a 'system'.)
For example, if you prefer to stick with subnets of familiar 192.168.0.0/16,
and have 15 or less sites you can do something like this

That allows me to have VLANs if I understand correctly? We have very small networks with a few users on each and I can't see a reason to split them up. Sure I could put my IoT devices on a different VLAN but doesn't that mean I'd need to swop my Mac/iPhone over to the same VLAN in order to control them. For example there are some Philips Hue lights here which get turned on and off either using the app or by Siri via Apple Home. Sounds confusing.

Of course the FritzBox has a 'guest' network which we do use and I will want to ensure that is still available.

Thanks
Standard User Woolwich
(experienced) Mon 26-Jul-21 12:30:46

Re: Adding an EdgeRouter X to my LAN

[re: prlzx]

In reply to a post by prlzx:
When your EdgeRouter is ready to start accepting connections,
for IPsec based VPNs, you can certainly have Fritz forward the 500/udp and 4500/udp
This is the same as my approach.


Can you share your secret sauce settings on the EdgeRouter? I'm port forwarding 500 & 4500 and have set the ER-X VPN as the FritzBox. But the FritzBox at the remote end is saying in its logs

IKE error 0x2026

which means "no proposal chosen".

How should I choose my proposal?

Thanks
Standard User prlzx
(experienced) Mon 26-Jul-21 15:29:30

Re: Adding an EdgeRouter X to my LAN

[re: Woolwich]

A proposal is nothing more than an offering of an encryption algorithm (including cipher and hash types) that an endpoint is willing to agree to. Each side can provide a list of such proposals (which may be just one as long as they agree).

In the Edgerouter CLI you can run

show vpn log tail

then wait for a VPN connection attempt or try to initiate one. CTRL+C to break out of the live log.
There are a couple of articles that might help you.

https://help.ui.com/hc/en-us/articles/115006567467-E...

https://en.avm.de/service/knowledge-base/dok/FRITZ-B...

However this article might have more information on what algorithms the Fritzbox actually supports in talking to something else, as it hides that level of detail from you when linking up 2 or more Fritzboxes.

https://en.avm.de/service/knowledge-base/dok/FRITZ-B...

On EdgeRouter-X I am currently using the following for IKE:

    ike-group give-this-a-name {
        key-exchange ikev2
        lifetime 86400
        proposal 1 {
            dh-group 14
            encryption aes256
            hash sha256
        }
    }

and for ESP:

    esp-group give-this-a-name {
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }

For example, it looks like, to work with a Fritzbox, you'll need to drop back to ikev1 in your key-exchange.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Mon 26-Jul-21 15:32:49)
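A model of how IKE proposal matching produces "no proposal chosen", as an added example that is not code from the thread, from EdgeOS or from AVM: the EdgeRouter side mirrors the ike-group posted above (ikev2, dh-group 14, aes256, sha256); the peer's proposal list is constructed for illustration and does not describe the FritzBox's real capabilities. Version is compared first, then each attribute of each proposal, and the diagnostic names the field that differs so you know what to change.

```python
# Added example: IKE proposal negotiation model. The PEER list is constructed.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Proposal:
    dh_group: int
    encryption: str
    hash_alg: str


# EdgeRouter side, as in the posted ike-group (key-exchange ikev2, one proposal).
EDGEROUTER = {"key_exchange": "ikev2",
              "proposals": [Proposal(14, "aes256", "sha256")]}

# Constructed peer: only speaks IKEv1 but otherwise offers the same algorithms.
PEER = {"key_exchange": "ikev1",
        "proposals": [Proposal(14, "aes256", "sha256"),
                      Proposal(2, "aes128", "sha1")]}


def negotiate(initiator, responder):
    """Return ("ok", chosen) or ("no_proposal_chosen", reason).

    The IKE version must agree before any proposal is compared; then the
    responder accepts the first initiator proposal (initiator's preference
    order) that it also offers, attribute for attribute.
    """
    iv, rv = initiator["key_exchange"], responder["key_exchange"]
    if iv != rv:
        return ("no_proposal_chosen", f"version mismatch: {iv} vs {rv}")
    offered = set(responder["proposals"])
    for p in initiator["proposals"]:
        if p in offered:
            return ("ok", p)
    # No exact match: list which fields differ across all pairs to guide the fix.
    diffs = {k for p in initiator["proposals"] for q in responder["proposals"]
             for k, v in asdict(p).items() if v != asdict(q)[k]}
    return ("no_proposal_chosen",
            "no common proposal; differing fields: " + ", ".join(sorted(diffs)))


def with_key_exchange(side, version):
    """Same proposals, different IKE version (what 'drop back to ikev1' does)."""
    return {**side, "key_exchange": version}
```

Run `show vpn log tail` on the EdgeRouter while the peer retries, and compare the algorithms it logs against this kind of table rather than guessing.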
