Edgerouter Config - Would this translate to Vyos LTS?

I think I have what is a reasonable vanilla EdgeRouter config. Is there a quickish way to test whether what's defined is supported on a VyOS install, before I crack out a VM and manually try to craft the same thing?

firewall {
    all-ping enable
    broadcast-ping enable
    group {
        address-group countries-allowed {
        }
        address-group dns-servers {
            address 192.168.68.24
        }
        address-group nets4-blacklist {
        }
        address-group private-nets {
            address 192.168.0.0/16
            address 172.16.0.0/12
            address 10.0.0.0/8
        }
        address-group wireguard-allowed {
            address 192.168.32.0/24
            address 192.168.112.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify vpn-routing {
        rule 10 {
            action modify
            destination {
                group {
                    address-group private-nets
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                table 100
            }
            source {
                group {
                    address-group wireguard-allowed
                }
            }
        }
    }
    name lan-local {
        default-action accept
    }
    name lan-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-lan {
        default-action accept
    }
    name local-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-wg0 {
        default-action accept
    }
    name local-wg1 {
        default-action accept
    }
    name local-wg2 {
        default-action accept
    }
    name local-wgwifi {
        default-action accept
    }
    name wan-lan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-local {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            destination {
                port 51820
            }
            protocol udp
        }
        rule 410 {
            action accept
            destination {
                port 51822
            }
            protocol udp
        }
    }
    name wan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-lan {
        default-action drop
    }
    name wg0-local {
        default-action drop
    }
    name wg0-wan {
        default-action drop
    }
    name wg0-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-wg2 {
        default-action drop
    }
    name wg0-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg1-lan {
        default-action accept
    }
    name wg1-local {
        default-action accept
    }
    name wg1-wan {
        default-action drop
    }
    name wg1-wg0 {
        default-action accept
    }
    name wg1-wg2 {
        default-action drop
    }
    name wg1-wgwifi {
        default-action drop
    }
    name wg2-lan {
        default-action accept
    }
    name wg2-local {
        default-action accept
    }
    name wg2-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg2-wg0 {
        default-action drop
    }
    name wg2-wg1 {
        default-action drop
    }
    name wg2-wgwifi {
        default-action drop
    }
    name wgwifi-lan {
        default-action accept
    }
    name wgwifi-local {
        default-action accept
    }
    name wgwifi-wan {
        default-action drop
    }
    name wgwifi-wg0 {
        default-action accept
    }
    name wgwifi-wg1 {
        default-action drop
    }
    name wgwifi-wg2 {
        default-action drop
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.112.1/24
        description "Mullvad (Wifi)"
        duplex auto
        firewall {
            in {
                modify vpn-routing
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.68.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify vpn-routing
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address dhcp
        description Swisscom
        dhcp-options {
            client-option "send vendor-class-identifier "100008,0001";"
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        mac A0:B5:49:0A:6D:C0
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    wireguard wg0 {
        address 10.65.140.116/32
        description "Mullvad (default route)"
        mtu 1420
        peer TMOEAxpcv5xz+PvcvqP0Iy4+px+hrCJUJHGcy45DVQI= {
            allowed-ips 0.0.0.0/0
            endpoint 185.200.118.100:51820
        }
        private-key /config/wireguard/wg0.key
        route-allowed-ips false
    }
    wireguard wg1 {
        address 192.168.32.1/24
        description "VPN +LAN +Mullvad"
        firewall {
            in {
                modify vpn-routing
            }
        }
        listen-port 51820
        mtu 1420
        peer 8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA= {
            allowed-ips 192.168.32.100/32
        }
        peer Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8= {
            allowed-ips 192.168.32.102/32
        }
        peer s3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo= {
            allowed-ips 192.168.32.101/32
        }
        private-key /config/wireguard/wg1.key
        route-allowed-ips false
    }
    wireguard wg2 {
        address 10.0.10.1/24
        description "VPN +LAN +Swisscom"
        listen-port 51822
        mtu 1420
        peer 8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA= {
            allowed-ips 10.0.10.100/32
        }
        peer Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8= {
            allowed-ips 10.0.10.102/32
        }
        peer s3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo= {
            allowed-ips 10.0.10.101/32
        }
        private-key /config/wireguard/wg2.key
        route-allowed-ips false
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description "HTTP Reverse Proxy"
        forward-to {
            address 192.168.68.49
            port 80
        }
        original-port 80
        protocol tcp
    }
    rule 2 {
        description "HTTPS Reverse Proxy"
        forward-to {
            address 192.168.68.49
            port 443
        }
        original-port 443
        protocol tcp
    }
    rule 3 {
        description Plex
        forward-to {
            address 192.168.68.28
            port 32400
        }
        original-port 32400
        protocol tcp
    }
    rule 4 {
        description "Postfix SMTP"
        forward-to {
            address 192.168.68.15
            port 25
        }
        original-port 25
        protocol tcp
    }
    rule 5 {
        description "Postfix SMTPS"
        forward-to {
            address 192.168.68.15
            port 465
        }
        original-port 465
        protocol tcp
    }
    rule 6 {
        description "Postfix Submission"
        forward-to {
            address 192.168.68.15
            port 587
        }
        original-port 587
        protocol tcp
    }
    rule 7 {
        description "Dovecot IMAP"
        forward-to {
            address 192.168.68.15
            port 143
        }
        original-port 143
        protocol tcp
    }
    rule 8 {
        description "Dovecot IMAPS"
        forward-to {
            address 192.168.68.15
            port 993
        }
        original-port 993
        protocol tcp
    }
    rule 9 {
        description "Dovecot POP3"
        forward-to {
            address 192.168.68.15
            port 110
        }
        original-port 110
        protocol tcp
    }
    rule 10 {
        description "Dovecot POP3S"
        forward-to {
            address 192.168.68.15
            port 995
        }
        original-port 995
        protocol tcp
    }
    rule 11 {
        description "Dovecot ManageSieve"
        forward-to {
            address 192.168.68.15
            port 4190
        }
        original-port 4190
        protocol tcp
    }
    wan-interface eth4
}
protocols {
    static {
        route 10.0.0.0/8 {
            blackhole {
            }
        }
        route 172.16.0.0/12 {
            blackhole {
            }
        }
        route 192.168.0.0/16 {
            blackhole {
            }
        }
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg0 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name WireGuard {
            authoritative disable
            subnet 192.168.112.0/24 {
                default-router 192.168.112.1
                dns-server 192.168.68.24
                lease 3600
                start 192.168.112.100 {
                    stop 192.168.112.163
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    gui {
        cert-file /config/ssl/server.pem
        http-port 80
        https-port 443
        listen-address 192.168.68.1
        older-ciphers disable
    }
    nat {
        rule 5000 {
            description "Policy sNAT: masquerade for WAN"
            outbound-interface eth4
            protocol all
            type masquerade
        }
        rule 5100 {
            description "Policy sNAT: masquerade for WireGuard"
            outbound-interface wg0
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.68.1
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
    upnp2 {
        acl {
            rule 10 {
                action deny
                external-port 3074
                local-port 0-65535
                subnet 192.168.68.0/24
            }
        }
        listen-on eth2
        nat-pmp enable
        secure-mode enable
        wan eth4
    }
}
system {
    domain-name phillipmcmahon.com
    host-name router
    login {
    }
    name-server 192.168.68.24
    ntp {
        server 216.239.35.0 {
        }
        server 216.239.35.4 {
        }
        server 216.239.35.8 {
        }
        server 216.239.35.12 {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    task-scheduler {
        task loadBlackList {
            executable {
                path /config/scripts/post-config.d/loadBlackList.sh
            }
            interval 1d
        }
        task loadCountryList {
            executable {
                path /config/scripts/post-config.d/loadCountryList.sh
            }
            interval 1d
        }
    }
    time-zone Europe/Zurich
}
traffic-control {
    smart-queue Stability {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 160mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 50mbit
        }
        wan-interface eth4
    }
}
zone-policy {
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        from wg0 {
            firewall {
                name wg0-lan
            }
        }
        from wg1 {
            firewall {
                name wg1-lan
            }
        }
        from wg2 {
            firewall {
                name wg2-lan
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-lan
            }
        }
        interface eth2
    }
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        from wg0 {
            firewall {
                name wg0-local
            }
        }
        from wg1 {
            firewall {
                name wg1-local
            }
        }
        from wg2 {
            firewall {
                name wg2-local
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-local
            }
        }
        local-zone
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        from wg0 {
            firewall {
                name wg0-wan
            }
        }
        from wg1 {
            firewall {
                name wg1-wan
            }
        }
        from wg2 {
            firewall {
                name wg2-wan
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wan
            }
        }
        interface eth4
    }
    zone wg0 {
        default-action drop
        from lan {
            firewall {
                name lan-wg0
            }
        }
        from local {
            firewall {
                name local-wg0
            }
        }
        from wan {
            firewall {
                name wan-wg0
            }
        }
        from wg1 {
            firewall {
                name wg1-wg0
            }
        }
        from wg2 {
            firewall {
                name wg2-wg0
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg0
            }
        }
        interface wg0
    }
    zone wg1 {
        default-action drop
        from lan {
            firewall {
                name lan-wg1
            }
        }
        from local {
            firewall {
                name local-wg1
            }
        }
        from wan {
            firewall {
                name wan-wg1
            }
        }
        from wg0 {
            firewall {
                name wg0-wg1
            }
        }
        from wg2 {
            firewall {
                name wg2-wg1
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg1
            }
        }
        interface wg1
    }
    zone wg2 {
        default-action drop
        from lan {
            firewall {
                name lan-wg2
            }
        }
        from local {
            firewall {
                name local-wg2
            }
        }
        from wan {
            firewall {
                name wan-wg2
            }
        }
        from wg0 {
            firewall {
                name wg0-wg2
            }
        }
        from wg1 {
            firewall {
                name wg1-wg2
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg2
            }
        }
        interface wg2
    }
    zone wgwifi {
        default-action drop
        from lan {
            firewall {
                name lan-wgwifi
            }
        }
        from local {
            firewall {
                name local-wgwifi
            }
        }
        from wan {
            firewall {
                name wan-wgwifi
            }
        }
        from wg0 {
            firewall {
                name wg0-wgwifi
            }
        }
        from wg1 {
            firewall {
                name wg1-wgwifi
            }
        }
        from wg2 {
            firewall {
                name wg2-wgwifi
            }
        }
        interface eth1
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.8-hotfix.1.5278088.200305.1641 */

Hi @philipmcmahon, I actually migrated my ~4400-line config from an EdgeRouter Lite to VyOS 1.3 rolling without too many difficulties.

Here is my brain dump, reasonably accurate but no guarantees.

  • The firewall itself was basically copy-paste (luckily, as it was the biggest part).
  • From memory, your groups may not translate, as EdgeOS was more lenient: it allowed addresses and networks to mix. In VyOS you need to make addresses and networks separately, so proper syntax.
  • In VyOS I found group names largely do not work in things like DHCP, NAT, etc., only in firewall, as opposed to EdgeOS.
  • Not sure about the WireGuard stuff, as I never had it set up in EdgeOS.
  • Not sure about the port-forward stuff you are using, as I used NAT directly, and that needed some command syntax changes but was easy enough to figure out.
  • DHCP: some differences, can't remember specifics, but it was easy to migrate; things like authoritative disable.
  • No service/gui section.
  • NAT is definitely different; it's configured similarly, but it's set nat source or set nat destination etc.
  • No UBNT/UNMS.
  • Didn't use UPnP, so not sure.
  • System NTP is different; you have to set up a listen interface or it does not update.
  • System offload section: don't need it.
  • Task scheduler: never used it, no comment, but I believe this is not in VyOS.
  • I did not use traffic control.
  • Zone policy was copy/paste, from memory.

I don't have my ERL3 anymore; can't recall if it has show configuration commands (while not in configure mode) - USE it.

Enjoy and good luck if you are yet to do it.

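One way to do the quick first pass the question asks for, as an added example that is neither code from this thread nor a VyOS tool: parse the brace-delimited EdgeOS config tree and flag the sections the reply above says differ on VyOS, plus any address-group that holds CIDR prefixes. The flag list is drawn from the reply and from VyOS 1.3 syntax as I understand it, and the sample config is constructed here to mirror the posted one; treat the list as a checklist to verify on a test VM, not a complete compatibility table.

```python
"""Parse an EdgeOS/Vyatta-style config tree and flag sections that a VyOS
migration needs a look at.  Added example, not code from the thread or VyOS;
FLAGS is an assumption based on the replies and on VyOS 1.3 syntax."""

# Constructed sample that mirrors the shape of the posted config.
SAMPLE = """\
firewall {
    group {
        address-group private-nets {
            address 192.168.0.0/16
            address 10.0.0.0/8
        }
        address-group dns-servers {
            address 192.168.68.24
        }
    }
    modify vpn-routing {
        rule 10 {
            action modify
        }
    }
}
port-forward {
    rule 1 {
        original-port 80
    }
}
service {
    gui {
        http-port 80
    }
    ssh {
        port 22
    }
}
system {
    offload {
        hwnat disable
    }
}
/* Release version: placeholder */
"""

# (path prefix, reason) pairs; assumption based on the replies above.
FLAGS = [
    ("firewall modify", "EdgeOS 'firewall modify' maps to VyOS 'policy route'"),
    ("port-forward", "no 'port-forward' in VyOS: expand to nat destination/source rules plus firewall rules"),
    ("service gui", "VyOS has no web GUI service"),
    ("service ubnt-discover", "Ubiquiti-specific, drop"),
    ("service unms", "Ubiquiti-specific, drop"),
    ("service upnp2", "not available in VyOS 1.3"),
    ("system offload", "EdgeOS hardware offload, not in VyOS"),
    ("traffic-control smart-queue", "VyOS uses 'traffic-policy' syntax"),
]


def parse(text):
    """Return the brace-delimited config as nested dicts.

    Node lines ('rule 10 {') keep their full name as the key; leaf lines
    become key -> value, and repeated leaves (several 'address' entries in
    one group) are collected into a list.  '/* ... */' lines are skipped.
    """
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced braces in config")
            node = stack.pop()
        else:
            key, _, value = line.partition(" ")
            if key in node:
                prev = node[key]
                node[key] = prev + [value] if isinstance(prev, list) else [prev, value]
            else:
                node[key] = value
    if stack:
        raise ValueError("unbalanced braces in config")
    return root


def walk(tree, prefix=()):
    """Yield (path, node) for every node, depth first, in file order."""
    for key, value in tree.items():
        path = prefix + (key,)
        yield path, value
        if isinstance(value, dict):
            yield from walk(value, path)


def _matches(path, flag):
    # 'modify' matches the node named 'modify vpn-routing'; exact length only,
    # so a flagged section is reported once rather than for every child.
    parts = flag.split(" ")
    return len(path) == len(parts) and all(
        p == q or p.startswith(q + " ") for p, q in zip(path, parts))


def check(tree):
    """Return [(path, reason)] for every flagged section of the parsed tree."""
    findings = []
    for path, node in walk(tree):
        for flag, reason in FLAGS:
            if _matches(path, flag):
                findings.append((" ".join(path), reason))
        # EdgeOS lets CIDR prefixes sit in an address-group; the reply above
        # says VyOS wants addresses and networks in separate groups.
        if (len(path) == 3 and path[:2] == ("firewall", "group")
                and path[2].startswith("address-group ") and isinstance(node, dict)):
            addrs = node.get("address", [])
            addrs = addrs if isinstance(addrs, list) else [addrs]
            if any("/" in a for a in addrs):
                findings.append((" ".join(path), "holds prefixes; move them to a network-group"))
    return findings


if __name__ == "__main__":
    for where, why in check(parse(SAMPLE)):
        print(f"{where}: {why}")
```

Run it against the output of `show configuration` saved to a file (replace SAMPLE with the file contents) and it prints one line per section to revisit; the parser keeps whole node names such as `modify vpn-routing` as keys so the posted config's named sections stay visible in the report.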

Very much appreciate the input; worked my way through the config conversion over the weekend and this week. Was also contacted directly by the support folks at VyOS, who gave me some great help.

Main points of the conversion were as follows.

  • Groups and addresses don't mix. Easily fixed.

  • WireGuard was just as easy to set up and is working perfectly. Policy-based routing works just like it does on the EdgeRouter.

  • Port forwarding was the section that expanded the most. Each single EdgeRouter entry needed a DNAT, SNAT and hairpin rule set up, along with the corresponding firewall entry in the zone definitions.

  • Dumped all service, UBNT/UNMS and system offload elements, of course.

  • UPnP is not supported but easy to work around.

  • Traffic control is also working great.

  • Still to do: the task scheduler and script conversions to run on VyOS. Task scheduler is supported.

Final config file, with the user login section removed, is attached below. Works great on an apu2. I am just a home user and don't need super powerful router/firewall hardware.

Why did you change platform?

config.boot.txt (29.9 KB)
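The port-forward expansion this reply describes, as an added example (not the poster's config and not a VyOS tool): a small generator that takes one EdgeOS port-forward rule and emits the VyOS 1.3 set commands for the WAN-side DNAT, the hairpin DNAT/SNAT pair for LAN clients that reach the service via the public address, and the wan-to-lan firewall entry. Interface names, LAN subnet and ruleset name follow the posted config; the public address is a placeholder, since the posted WAN interface takes a DHCP lease; the command syntax is VyOS 1.3 as I know it, so confirm it with a commit on a test VM.

```python
"""Expand EdgeOS 'port-forward' rules into VyOS 1.3 'set' commands.

Added example, not the thread's config or a VyOS tool.  Each EdgeOS rule
becomes: a DNAT rule on the WAN interface, a hairpin DNAT + SNAT pair for
LAN clients that use the public address, and a rule in the wan-to-lan
firewall ruleset.  Syntax is VyOS 1.3 as the author understands it."""

# Constructed sample mirroring two of the posted port-forward rules.
PORT_FORWARDS = [
    {"description": "HTTP Reverse Proxy", "protocol": "tcp", "original-port": 80,
     "forward-to": {"address": "192.168.68.49", "port": 80}},
    {"description": "Plex", "protocol": "tcp", "original-port": 32400,
     "forward-to": {"address": "192.168.68.28", "port": 32400}},
]

WAN_IF, LAN_IF = "eth4", "eth2"    # as in the posted config
LAN_NET = "192.168.68.0/24"
WAN_TO_LAN = "wan-lan"             # zone ruleset that sees post-DNAT traffic
PUBLIC_ADDR = "203.0.113.10"       # placeholder: the posted WAN address is a DHCP lease
BASE_RULE = 1000                   # clear of the posted rulesets' 100/110 entries


def translate(pf, index, base=BASE_RULE):
    """Return the list of VyOS 'set' commands for one port-forward rule."""
    dnat = base + index * 10       # one stable block of rule ids per EdgeOS rule
    hairpin = dnat + 1
    proto, oport = pf["protocol"], pf["original-port"]
    target, tport = pf["forward-to"]["address"], pf["forward-to"]["port"]
    desc = pf["description"]
    d = f"set nat destination rule {dnat}"
    dh = f"set nat destination rule {hairpin}"
    s = f"set nat source rule {hairpin}"
    f = f"set firewall name {WAN_TO_LAN} rule {dnat}"
    return [
        # 1. DNAT for connections arriving from the internet
        f"{d} description '{desc}'",
        f"{d} inbound-interface '{WAN_IF}'",
        f"{d} protocol '{proto}'",
        f"{d} destination port '{oport}'",
        f"{d} translation address '{target}'",
        f"{d} translation port '{tport}'",
        # 2. Hairpin DNAT: LAN clients addressing the public IP arrive on the LAN interface
        f"{dh} description '{desc} (hairpin)'",
        f"{dh} inbound-interface '{LAN_IF}'",
        f"{dh} protocol '{proto}'",
        f"{dh} destination address '{PUBLIC_ADDR}'",
        f"{dh} destination port '{oport}'",
        f"{dh} translation address '{target}'",
        f"{dh} translation port '{tport}'",
        # 3. Hairpin SNAT: rewrite the source so the server replies via the router
        #    rather than straight back to a client on the same subnet
        f"{s} description '{desc} (hairpin)'",
        f"{s} outbound-interface '{LAN_IF}'",
        f"{s} source address '{LAN_NET}'",
        f"{s} destination address '{target}'",
        f"{s} protocol '{proto}'",
        f"{s} destination port '{tport}'",
        f"{s} translation address 'masquerade'",
        # 4. Zone firewall: accept the translated packet on its way from wan to lan
        f"{f} action 'accept'",
        f"{f} description '{desc}'",
        f"{f} protocol '{proto}'",
        f"{f} destination address '{target}'",
        f"{f} destination port '{tport}'",
    ]


def translate_all(port_forwards):
    """Commands for every rule, in order, ready to paste into 'configure'."""
    return [c for i, pf in enumerate(port_forwards) for c in translate(pf, i)]


if __name__ == "__main__":
    print("\n".join(translate_all(PORT_FORWARDS)))
```

Two caveats worth keeping in mind: the hairpin DNAT matches on a fixed public address, so it goes stale whenever the DHCP lease changes, and the hairpin path is LAN-to-LAN traffic, which in VyOS's zone model stays within one zone and therefore needs no extra zone rule unless intra-zone filtering has been turned on.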

Hey man, the easiest way I have found to visualise network setups is with GNS3; you can add all kinds of stuff and they also have a VyOS option.
It can run MikroTik and even a Linux PC.
If you need more info let me know.

Nice work!
I didn't have any issue with the ERL3; it performed as well as it should. However, my issue is with Ubiquiti themselves. They now make watches, cameras, everything seems muddied now and they have lost direction, and then https://www.theregister.co.uk/2020/01/29/ubiquiti_data_collection_policy/ and https://www.reddit.com/r/Ubiquiti/comments/evncu7/you_spoke_we_didnt_listen_ubiquiti_says_unifi/ sealed the deal. I'm out.
I am still using the AP AC Pro and Lite but will see how I go with that.

The second part was prior to the data collection thing: I wanted to virtualize it anyway, as I run a good server with about 15 VMs and added a second old laptop as a server that hosts a backup DC (DNS, domain, DHCP, backup Pi-hole, backup VPN, and now backup router :)

It just allows me to have internet failover when my server's PSU blows up (again), when I'm changing main server hardware, or even just for patching that takes the server down.

The exact same reason as me.

I've been using the EdgeMAX series for years. All was good hardware-wise. Then slowly maintenance started to crawl. Answers on the forums stopped coming from Ubiquiti, and it's clear now that it's only going to get worse.

I didn’t want to have to invest in changing to Unifi, and for my setup I’d have to work around the management tools in order to hack the setup I want.

I'll add back my VLAN setup for device and wifi segregation now that I've got VyOS up and running.

I'd be keen to know how you have set up your redundancy on the network connection, mostly as a learning opportunity. If you have time to give my config the once-over and make recommendations I'd be very happy.

One issue I wasn't able to solve was getting my WireGuard to connect both internally and externally using the same external IP in the client config. I can connect when I'm outside of my network, but not when I'm in my network. I feel I'm missing S/D NAT and/or hairpin rules to allow that. I tried adding those for ports 51820 and 51822 to match the existing firewall rules from WAN to LOCAL, but still no joy.