Use Aussie Broadband's Framed Route on a Ubiquiti EdgeRouter

I use Aussie Broadband (which I'll refer to as "ABB") as my NBN provider and wanted an additional public IP address to allow some of my projects to have their own public facing address without any link to my main network. ABB provides these via a technique called a Framed Route. I'm not a trained networking person so I thought I'd Google how to set it up - ABB provides no documentation or support, but usually Google is a good place to start. Zilch. Go ahead, try… there is virtually nothing out there on how to use it in a practical sense.

I'm sharing here because maybe it could be useful to others - but also as a memory jogger if I need to do it again.

UPDATE 1:
Since writing this original article, user GoshDarnIT on the Ubiquiti UniFi forums found a way to achieve multiple IPs on a UDMP (Ubiquiti Dream Machine Pro) without the extra steps mentioned below. Read the thread here. The only downside I can see is that you are creating an unsupported modification on the UDMP and this may be overwritten or stop working after regular updates.

UPDATE 2:
I am now running EdgeOS v2.0.9-hotfix.6 on the EdgeRouter and UniFi Network version 7.4.150 on the UDMP and it's all still working as per below. I have also upgraded from FTTN to FTTP.

UPDATE 3: For various reasons I've now repeated this process on a Mikrotik router and wrote it up here.

UPDATE 4: Someone sent me a note to let me know that if you use the EdgeRouter setup wizard, it will break something and the instructions below won't work. Do not ignore Step 1 "Perform a Factory Reset".

My Desired Outcome:
• No Double-NAT for either of my two networks
• Both networks fully segregated and fully accessible publicly with separate IP addresses
• Use a Ubiquiti EdgeMax or UniFi (e.g. USG, UDMP, etc.) as the router since I had these already
• Maintain full functionality of my existing UniFi Dream Machine Pro based network including Unifi Networking and Protect CCTV

TL;DR - To save you reading the whole article here are some quick takeaways:
• ABB only allows connecting to their network via DHCP - this is a key point (refer here and here)
• The consequence is that you cannot enter the additional IPs as Static in your router and so lots of the guides on assigning static WAN IPs to internal networks won't work! In particular you cannot mix DHCP and Static WAN IPs in Ubiquiti Unifi or EdgeMax products.
• If you only ask ABB for one additional IP it will be a /32 - but if you buy multiples you could get a /28-/31. This is important for a reason you can read about below.

Possible Options (that didn't meet my requirements, but are easy if you just want to get the Framed Route working quickly):

These instructions are specific to the Ubiquiti EdgeRouter line, but other routers may offer the same features.

1. If you are getting multiple IP addresses (/28 to /31) then there is a special easy solution that will work out-of-the-box on the EdgeRouter. Just read this article on Distributing Public IP Addresses Using a Transit Address. Note that you will be "wasting" one of the addresses since the interface itself needs an address. This is a big downside and also the reason why a /32 won't work: a /32 doesn't have a spare address to waste.

2. If you only got a /32 and option 1 won't work, then you can use 1:1 NAT as described here. Using this method you are technically "double-NATting" which I wanted to avoid.

My Preferred Solution - PPPoE Server:
The principles mentioned here should also work on all sorts of other routers that offer a PPPoE server. My specific solution uses a Ubiquiti EdgeRouter 4 (ER-4), though these same instructions should work for any of the EdgeRouter line. In particular the EdgeRouter X is an incredibly cheap device. At this time the Ubiquiti UniFi range doesn't support this feature as a server, but it can certainly work as a client behind the EdgeRouter.

IMPORTANT: There are a few 'gotchas' that are not well documented:
• This setup requires using the CLI since not all features are presented in the GUI
• The Users that you can create in the GUI are not the same as those you create in the CLI and won't work as PPPoE or VPN users
• These instructions are based on Firmware v2.0.9-hotfix.2

Step 1: Perform a Factory Reset on the EdgeRouter
DO NOT IGNORE THIS STEP (See Update 4 above)

Step 2: Initial Basic Configuration
Set your computer to fixed IP: 192.168.1.2 / Mask: 255.255.255.0
Plug ethernet wire into eth0 port
Navigate to https://192.168.1.1 and accept the insecure connection
Username = ubnt and Password = ubnt
Use the Basic Setup Wizard
Create a new admin user
Then click Apply / Apply Changes / Reboot / Yes, I'm Sure

Step 3: Connect to the router and configure
Plug internet cable from NBN Modem into eth0 port
Set computer for DHCP and plug into eth1 port
Connect to https://192.168.1.1 and click on CLI on the top right
(alternatively, connect via SSH using the credentials from Step 2 which I find easier)
From the CLI you will enter the following (replace bob and secret with your desired username and password):

configure
set service pppoe-server authentication mode local
set service pppoe-server authentication local-users username bob password secret
set service pppoe-server client-ip-pool start 203.120.20.200
set service pppoe-server client-ip-pool stop 203.120.20.200
set service pppoe-server dns-servers server-1 202.142.142.142
set service pppoe-server dns-servers server-2 202.142.142.242
set service pppoe-server interface eth1
set service pppoe-server mtu 1492
commit; save; exit

NOTE: The above assumes that the additional /32 address assigned to you by ABB was 203.120.20.200/32 - change it to your own address. If you have more than one address then you can define the start and stop pool addresses to encompass all of your addresses. Also, I've used the official ABB DNS servers of 202.142.142.142 and 202.142.142.242, but you can also use other public DNS services like 1.1.1.1 and 8.8.8.8.

Step 4: Test the connection
With your computer plugged into eth1 you should be able to create a PPPoE connection. For example, on a Mac, go to System Preferences - Network. Press the + on the bottom left. Select Interface: PPPoE, Ethernet: Ethernet and make a Service Name. Then click Create. Then simply enter the Account Name and Password you gave in Step 3 (bob and secret in my example) and click Apply and then click Connect. You will see that you are connected to the internet with your new public IP address. You can now plug a router or any other device that has a PPPoE client into this port and access your new "Frame Routed" IP by setting up PPPoE.

Step 5: And one more thing...
In my case I also needed to create an SNAT rule, not sure why. I did this via the GUI of the EdgeMax going to Firewall/NAT tab, then NAT tab, then "+ Add Source NAT Rule" with the following settings:
Description: (Anything you want)
Enable: CHECK
Outbound Interface: eth0
Translation: Use Masquerade
Exclude from NAT: CHECK
Protocol: All Protocols
Src Address: 203.120.20.200 (this is the address in the client IP pool in Step 3)

Once you hit Save you need to place this rule above the "masquerade for WAN" rule which is there by default.
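Step 3 and Step 5 have to agree with each other: the SNAT exclude rule must cover exactly the addresses handed out by the PPPoE pool, or traffic from a client will still be masqueraded behind the WAN address. The following is an added example, not from the original article: it generates the EdgeOS configure-mode commands for both steps from the framed route ABB assigned (a /32 or a /28-/31), so the pool bounds and the exclude rule are derived from one value. The rule number 5000 and the assumption that the wizard's "masquerade for WAN" rule is 5010 are mine; check yours with "show service nat".

```python
# Added example (not from the original article): derive the Step 3 PPPoE pool
# and the Step 5 SNAT exclude rule from one framed route so they cannot drift.
import ipaddress

def framed_route_commands(framed_route, user, password, interface="eth1",
                          wan="eth0", nat_rule=5000):
    """Return EdgeOS configure-mode 'set' commands for one ABB framed route.

    framed_route: the prefix ABB assigned, e.g. "203.120.20.200/32" or a /28
    given as its network address (host bits set raise ValueError).
    nat_rule: number for the SNAT exclude rule; it must be lower than the
    default "masquerade for WAN" rule (assumed 5010) so it is matched first.
    """
    net = ipaddress.ip_network(framed_route, strict=True)
    if net.version != 4 or net.prefixlen < 28:
        raise ValueError("expected an IPv4 framed route of /28 to /32")
    # With the PPPoE-server approach every address in the route can be given
    # to a client, so the pool spans the whole prefix (one address for a /32).
    start, stop = net[0], net[-1]
    cmds = [
        "set service pppoe-server authentication mode local",
        f"set service pppoe-server authentication local-users username {user} password {password}",
        f"set service pppoe-server client-ip-pool start {start}",
        f"set service pppoe-server client-ip-pool stop {stop}",
        "set service pppoe-server dns-servers server-1 202.142.142.142",
        "set service pppoe-server dns-servers server-2 202.142.142.242",
        f"set service pppoe-server interface {interface}",
        "set service pppoe-server mtu 1492",
    ]
    # Step 5: exclude the framed-route addresses from WAN masquerade so PPPoE
    # clients leave the WAN port with their own public address (no double NAT).
    src = str(start) if net.prefixlen == 32 else str(net)
    cmds += [
        f"set service nat rule {nat_rule} description 'no masquerade for framed route'",
        f"set service nat rule {nat_rule} exclude",
        f"set service nat rule {nat_rule} outbound-interface {wan}",
        f"set service nat rule {nat_rule} protocol all",
        f"set service nat rule {nat_rule} source address {src}",
        f"set service nat rule {nat_rule} type masquerade",
    ]
    return cmds

if __name__ == "__main__":
    # Constructed sample matching the article's example /32.
    print("configure")
    print("\n".join(framed_route_commands("203.120.20.200/32", "bob", "secret")))
    print("commit; save; exit")
</test>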

Subsequently I found this thread which I think says the same thing.

Step 6: Next steps…
This is out of scope for this article, but I also did a few other things to finish off the configuration. Information about these additional steps is in the notes at the bottom of this article.
1. Move from default ACL to Zone Based Firewall (My Config Example Here)
2. Create "Guest" network (Refer the firewall rules from the point above)
3. Enable Hardware Offloading (see here)
4. Set up config versioning on ER-4 (see here)
5. Make sure your config backups are not corrupted (see here)
6. Configure L2TP VPN into the Edge Router (see here)
6a. Configure OpenVPN - a bit harder (see here)
6b. Configure WireGuard VPN - a bit harder still (see here) or (see here for Wizard)
7. Block VPN users from management interface of ER-4 (that's in my zone routing config above)
8. Enable IPv6 (see here) - but needs a hack (see here)
9. Enable Let's Encrypt to create a valid certificate (see here)

Info I relied upon (thanks to anyone who contributed to these threads):
1. UI Community - Thread on PPPoE Server: [here]
2. UI Community - Thread on PPPoE Server Config: [here]
3. UI Community - Thread on PPPoE Server without RADIUS: [here]
4. UI Community - Thread about ABB and Framed Route: [here]
5. UI Community - Thread about avoiding double-NAT: [here]
6. UI Community - Thread about VIF: [here]
7. UI Community - Thread about Zone-Based Firewall: [here]
8. UI Community - Thread about IPv6 Firewall Rules: [here]
9. UI Community - Massive Link Farm with ER stuff: [here]
10. UI Document - Distributing Public IPs: [here]
11. UI Document - Zone-Based Firewall: [here]
12. UI Document - Manage and Version Config: [here]
13. UI Document - Manage Config Files: [here]
14. UI Document - Using tcpdump to debug: [here]
15. Reddit - Thread about avoiding double-NAT: [here]
16. Reddit - Thread about blocking local interfaces #1: [here]
17. Reddit - Thread about blocking local interfaces #2: [here]
18. GitHub - Interesting stuff about IPv6 at the bottom: [here]
19. Blog about Zone-Based Firewall: [here]
20. YouTube - Multiple WAN on UDMP (WON'T WORK WITH FRAMED ROUTE): [here]
21. My Thread on Reddit: [here]
22. My Thread on UI Community Forum: [here]
23. My Thread on Whirlpool: [here]
24. Another Thread on Whirlpool: [here]

Posted: 14-Mar-2022
Updated: 23-May-2023
© 2022-2024 VK2.NET