Random Information ...others might find it interesting too.

Unofficial FreeBSD images for Ubiquiti Networks EdgeRouter LITE

Introduction

These images are provided as is; they are not considered production quality, although they might work just fine. They are made for my own personal use, but someone else might have use for them too. They are all vanilla installs of FreeBSD with one difference: pf is compiled into the kernel, as modules aren't supported on this platform. Please note that these builds do not have debugging enabled, so what you get is "real world" (release) performance.

Requirements

  • 16 GB USB flash drive
    I've successfully used SanDisk USB 3.0 Cruzer Extreme 16 GB flash drives
  • USB extension cable (optional, usually you need it if you want to close the cover afterwards)
  • Serial to USB (TTL) adapter, or a native serial port
  • Phillips-head screwdriver

Installation

  • Open the case
  • Gently remove the barebone USB flash drive
  • Connect your serial cable/adapter (115200 baud)
    Once you're done, power up the device and you'll find yourself at the U-Boot prompt. Paste the following lines, one at a time, to enable FreeBSD boot while keeping Linux. Due to word wrapping the first line isn't displayed correctly, so copy the code block into an editor without word wrap enabled.
setenv bootlinux 'fatload usb 0 $loadaddr vmlinux.64;bootoctlinux $loadaddr coremask=0x3 root=/dev/sda2 rootdelay=15 rw rootsqimg=squashfs.img rootsqwdir=w mtdparts=phys_mapped_flash:512k(boot0),512k(boot1),64k@3072k(eeprom)'
setenv bootfreebsd 'fatload usb 0 $loadaddr kernel;bootoctlinux $loadaddr numcores=2'
setenv bootcmd 'run bootlinux;run bootfreebsd'
saveenv
  • Power off the device and install your new flash drive
    If you use an extension cable, just drill a small hole so you're able to put the top back on again
  • Done

Configuration

By default only interface #0 is enabled, using DHCP, and no firewall is enabled. To configure the system you need to log in as root (no password) over a serial connection.

The following steps will give you a fully working setup with SSH enabled:

  • Set current time
    ntpdate ntp.kth.se
  • Enable SSH
    echo 'sshd_enable="YES"' >> /etc/rc.conf
  • Add a valid user that's a member of group "wheel"
    adduser
  • Reboot to enable SSH

Now that SSH is up you can use any SSH client you want: log in as your new user and run su root to become root.

If you want to use it as a router, follow these steps as root:

  • Set up your timezone properly
    tzsetup
  • Populate your ports tree (takes a while)
    For further information on how to manage your ports please refer to the handbook.
    portsnap fetch && portsnap extract
  • Build pkg
    cd /usr/ports/ports-mgmt/pkg && make install clean
  • Install ISC's DHCP Server
    Just go with the defaults unless you know that you need something more; this also applies to the dependencies it will ask about. To save you some time: don't enable the ICU features (they're broken on mips, even on Linux), or the build will fail after an hour or so.
    cd /usr/ports/net/isc-dhcp43-server/ && make install clean
  • Install Perl
    cd /usr/ports/lang/perl5.18 && make install clean
  • Install OpenNTPd
    cd /usr/ports/net/openntpd/ && make install clean
  • Edit /etc/rc.conf and enable your installed software; change the interface setup if needed
    Here's a sample of what it should look like:
#################
#### rc.conf ####
#################

# Enable gateway (routing) functionality
gateway_enable="YES"

# Set hostname
hostname="erl"

# Setup network interfaces: octe0 (extif), octe1 (intif)
ifconfig_octe0="SYNCDHCP"
ifconfig_octe1="inet 192.168.2.1  netmask 255.255.255.0"

# Disable sendmail until we need it
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Inetd is evil and we don't need it
inetd_enable="NO"

# Enable packet filter as firewall
pf_enable="YES"
pf_logd="YES"
pf_rules="/etc/pf.conf"

# Enable SSH
sshd_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

# Enable openntpd
# Set time immediately at startup
openntpd_enable="YES"
openntpd_flags="-s"

# Enable ISC DHCP Server
dhcpd_enable="YES"
dhcpd_flags=""
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="octe1"

# Enable ftpproxy (needed if you use packet filter (pf))
ftpproxy_enable="YES"

# Enable OpenVPN
#openvpn_enable="YES"
#openvpn_configfile="/usr/local/etc/openvpn/mydomain/server.conf"
#openvpn_dir="/usr/local/etc/openvpn/mydomain/keys"
  • Add the following lines at the end of /etc/sysctl.conf to enable routing
net.inet.ip.forwarding=1
net.inet.ip.random_id=1
net.inet.ip.portrange.first=1024
  • Create a basic config for DHCPd in /usr/local/etc/dhcpd.conf
##################################
#### DHCPd configuration file ####
##################################

##########################
#### Generic settings ####
##########################

# Set default lease to 23h (time to refresh)
default-lease-time 82800;

# Set default lease deadline to 24h
max-lease-time 86400;

# Set default domain-name
option domain-name "homenetwork.local";

# Set nameservers
option domain-name-servers 8.8.8.8, 8.8.4.4;

# This is the main DHCP server
authoritative;

# Deny duplicated leases
deny duplicates;

# LAN
    subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        option broadcast-address 192.168.2.255;
        range 192.168.2.240 192.168.2.254;
    }

##################
### Static IPs ###
##################

# Static IP for PS3
#   host ps3 {
#   hardware ethernet 00:28:11:1d:b4:b3;
#       fixed-address 192.168.2.15;
#   }
  • Set up basic firewall rules in /etc/pf.conf
#################################
#### Packet Firewall Ruleset ####
#################################

###################
#### Variables ####
###################

# External interface
ext_if="octe0"

# Internal interface
int_if="octe1"

# Follow RFC1918 and don't route to non-routable IPs
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"

# Set allowed ICMP types
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

####################################
#### Options and optimizations #####
####################################

# Set interface for logging (statistics)
set loginterface $ext_if

# Drop states as fast as possible without having excessively low timeouts
set optimization aggressive

# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return

# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0

# Scrub traffic and make PS3s happy behind NAT
#scrub from 192.168.2.15 to any no-df random-id fragment reassemble
scrub on $ext_if all

#######################
#### NAT & Proxies ####
#######################

# Enable NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect ftp connections to ftp-proxy
rdr pass on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# Enable ftp-proxy (active connections)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Anchors need to be set after nat/rdr-anchor
anchor "ftp-proxy/*"

################################
#### Rules inbound (int_if) ####
################################

# Pass on everything
pass in quick on $int_if inet all

#################################
#### Rules outbound (int_if) ####
#################################

# Pass on everything
pass out quick on $int_if inet all

################################
#### Rules inbound (ext_if) ####
################################

# Drop packets from non-routable addresses directly
block drop in quick on $ext_if from $nonroute to any

# Allow DHCP
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Allow FTPs to connect to our FTP-proxy
pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy

# Block everything else
block in on $ext_if all

#################################
#### Rules outbound (ext_if) ####
#################################

# Drop packets to non-routable addresses directly
block drop out quick on $ext_if from any to $nonroute
pass out on $ext_if all
  • Reboot

Since it's a vanilla install please refer to the FreeBSD Handbook for more information on how to configure your FreeBSD OS.
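
A quick check of the nonroute macro in the pf.conf above, as an added example that is not part of the original page: it parses the macro and reports which RFC 1918 blocks no entry covers and which entries fall outside a reference list of special-use ranges. The reference list is a subset of the IANA IPv4 special-use registry chosen for this example, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the nonroute macro copied from the pf.conf sample on this page.
PF_CONF = '''
ext_if="octe0"
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"
'''

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a subset of the IANA IPv4 special-use registry (RFC 6890).
# collapse_addresses() merges 224.0.0.0/4 and 240.0.0.0/4 into 224.0.0.0/3.
SPECIAL_USE = list(ipaddress.collapse_addresses(
    RFC1918 + [ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
        "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24",
        "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]))


def parse_macro(conf, name):
    """Return the networks in a pf list macro of the form name = "{ a, b }"."""
    m = re.search(r'^\s*%s\s*=\s*"\{([^}]*)\}"' % re.escape(name), conf, re.M)
    if m is None:
        raise ValueError("macro %r not found" % name)
    tokens = [t for t in re.split(r"[,\s]+", m.group(1)) if t]
    return [ipaddress.ip_network(t) for t in tokens]


def missing_rfc1918(nets):
    """RFC 1918 blocks that no entry in the macro covers."""
    return [str(r) for r in RFC1918 if not any(r.subnet_of(n) for n in nets)]


def outside_special_use(nets):
    """Entries that do not sit inside any block of the reference list."""
    return [str(n) for n in nets
            if not any(n.subnet_of(s) for s in SPECIAL_USE)]


if __name__ == "__main__":
    nets = parse_macro(PF_CONF, "nonroute")
    print("RFC 1918 blocks not covered:", missing_rfc1918(nets))
    print("entries outside special-use space:", outside_special_use(nets))
```

On the sample above it reports 10.0.0.0/8 as uncovered and 20.20.20.0/24 as lying outside the reference list, so both are worth reviewing against your upstream network before loading the ruleset.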

Download

These images are compressed using 7-zip and are raw images that can be written using dd or USB Image Tool.

FreeBSD 11-CURRENT r278472 - Download
FreeBSD 11-CURRENT r272938 - Download
FreeBSD 11-CURRENT r267486 - Download