Last week the EdgeRouter I use for my office did not come back after a reboot or perhaps I was too impatient, so I tried to reset it and that is when things went wrong.

Long story short, somehow I got the router into a state where it would not boot up anymore and the only way into it was the console port, for which I did not have a cable. Then I managed to find an old article which messed up my the routers USB drive so things took a turn for the worst. But fear not, it all worked out in the end, even though the only help I got from UBNT support was absolute zilch.

Here I outline some useful links for anyone else that may run into this issue, but mostly so I have it documented for next time ;). Before I get started here, the credit on everything here goes to others who documented this well on various locations.

Connecting to the console

In order to connect to the console, you will need a USB to RJ45 cable. I bought one off of Amazon which worked great right out of the box for me.

In order to connect (on a Mac), all you need to do is run:

> ls -ltr /dev/*usb*
crw-rw-rw-  1 root  wheel   21,   3 Jul  17 15:48 /dev/cu.usbserial-AI038TPF
crw-rw-rw-  1 root  wheel   21,   2 Jul  17 08:56 /dev/tty.usbserial-AI038TPF

> screen /dev/tty.usbserial-AI038TPF 115200

Useful links

There are a few links that were helpful here and I have them listed here, but I am going to outline what I had to do ultimately since I followed the first one and it messed me up more.

(ARCHIVED) EdgeRouter – Last Resort Recovery – DO NOT USE, Only as reference.

Recovering an unresponsive Ubiquiti EdgeRouter Lite router – DO NOT USE, Only as reference

EdgeRouter – Manual TFTP Recovery – Try this link first.

mkeosfs – easily generate USB image for EdgeRouter

mkeosimg

The third link above is perhaps the first thing you should try if you have not messed up your router bad enough, but I had to use the 4th and 5th links.

The EdgeRouter’s USB Drive

I kept reading about this, and could not believe that there was a usb drive in the edge router, but I guess ultimately that was a good design for when it goes bad and these routers used to have a history of the drives going bad.

There are three screws on the back of the router that you can open and the router comes apart (Note: you may void your warranty by doing this). Then the flash drive is right in your face.

Recovering the file system

Once the USB drive is unplugged, connect it to your PC/Mac and run the commands to recreate the drive. I found the easiest way was to use the mkeosdrive script provided in the last link above.

I ran the commands below, but if you read the GitHub site properly, there is a way to recreate the drive and include your backup in there as well.

# Get the path to the USB drive
> sudo disk -l

# Then run the command to create the drive
> sudo ./mkeosdrive /dev/sdb ER-e100.v2.0.4.5199165.tar

Rebooting the router

Once the USB drive is ready, plug it back into your router, close things up. Then just wire it up and wait for it to boot. It should be back to normal.

I also found other links where folks talk about creating a backup of the USB drive in case something like this happens again, but what are the chances of that……right? 😉

read more

This is going to be a multi-part post about securing your home/business network and separating your IoT devices into their own to keep them and yourself “safer”. With the explosion of IoT in the recent years, it is hard to find anything without some sort of “smart” capabilities. Whether it is a TV, Sonos, Nest thermostat, or even a fridge or a washing machine, more and more manufacturers are adding internet capabilities to their devices. This could be a topic of its own, but we are here to discuss network security. For most home owners with regular wireless gateways, there simply isn’t any possibility of creating a complex network with the stock firmware. To boot, most devices encourage or expect you to install the device on the same network as your PC or mobile so it can more easily connect. You have to either be lucky enough to own a router that can be upgraded to one of the open source firmware options, or do your research and purchase a router that is supported. Of those supported devices, you still have to be lucky enough to have one that will work well with the custom firmware. In some cases, you may have poor WiFi signal or lose a WiFi band (more about this later). The other option, is to use a used/cheap business class router. Some of these are actually cheaper than the higher end wireless routers. No matter the path you choose, you have to do lots of searching and learn a lot about networking to be able to do this sort of setup. So for the rest of this article, I’m going to provide an overview of the options and then get deeper into how the network should be setup. Follow up articles will detail specific applications or devices and how they should be setup.

Consumer grade hardware and custom firmware

This is the first option that we talked about. Here you could go with a router like the Asus AC-RT66U or the Linksys WRT series, but make sure to do your due diligence and confirm that the router you have or you want to get is supported. This includes reading the forums on other users that have setup these routers to see if they have run into issues or not. Here are some of your options for custom firmware:

• DD-WRT – This is perhaps the most popular option and the one with the widest support for consumer grade routers. Its UI layout is smart enough that basic setup should be a breeze, but it is capable of so much more if you spend the time to dig into it.
• Tomato – This one has a few versions, but I’ve linked to the more popular version of it. This is like DD-WRT on Steriods since it also provides you live refresh and better statistics tracking right out of the box.
• Advanced Tomato – This is the same as Tomato but with much nicer UI. I really enjoyed using this briefly. If you like Tomato, you’e gonna love this.
• OpenWRT / LEDE – LEDE was a fork of OpenWRT, but they have recently announced that they are merging again. This has the least number of supported devices and relieves are less frequent, but if you know your networking, its the best option. This is the only one that includes a package manager UI to you can add other packages easily through the UI. This also makes it easier to add functionality that the other firmwares may not provide out of the box.

Note: This is not for the faint of heart. you could brick your router and have a hell of a time getting it back to its stock firmware, so proceed with caution.

Business grade hardware

As a stepping stone, I recommend you play around by installing one of the custom firmwares mentioned previously on the router that you have so you get familiar with the concepts, and once you get fed up of fighting to get things working, you move up to business grade hardware. I am assuming that you are not reading this far unless you’re a noob. The options here are endless and so are the expenses, so I’ll stick to the option that I’ve had experience with (installing at costomer locations), which gives you a big bang for the buck. Ubiquiti! They provide a range of wired and wireless products that are pretty much in line with high end consumer devices in price, but from a stability and functionality perspective, they are flawless (as much as can be). For example, an Edge Router Lite 3 plus a Unifi AC Pro model can cost less than a Linksys Max-Stream AC4000 MU-MIMO Wi-Fi Tri-Band Router and provide way more functionality and most probably better performance. Setting up a network in a 2700sq.ft. space, I ended up replacing two wireless routers, with just the one Unifi AC Pro. Of course had to use the Edge Router Lite as well since the Unifi by itself does not have everything you need, and you may need a (managed) switch as well if setting up a more complex VLAN. The one downside to the Unifi line of products is that they require a controller software be running on a PC or the cloud key so you can control them (i.e. there is no web interface without the controller software), but still this is a great setup.

The Network

Now the real part. As Spiderman’s wise uncle Ben said, “With great power comes great responsibility.” So the more smart devices you have (more power), the more you need to be careful (responsible). There have been numerous articles about many smart devices that have been either communicating in the open (intentionally or otherwise) or are left open to hacking, so it only makes sense to separate these devices from the rest of your network. We’ll start with the base setup and then make things more complicated optionally. Lets talk in more detail about how this should work:

• VLAN 10 is the business/home network. Computers and devices on this network have full internet access, as well as full access to the IoT network (VLAN 20).
• VLAN 20 is the IoT network. This network is isolated from both the business/home network and the guest network. You could provide full internet access to this network or optionally limit access here as well to well known protocols like HTTP/S, DNS, NTP, etc.
• VLAN 30 is the guest network which should not have access to either of the other networks; just Internet. Again, internet access here could be limited to just a few protocols as well. You could further protect yourself and your guests by using the AP isolation feature of your Wireless Access Point if it has it.

Where things get complicated is when you try to setup the firewall rules to make all this work and depending on your router the instructions are different. I’ll cover the details of the setup in future articles. read more

There is a good article on how to calculate the broadcast IP based on your IP address and net mask on eHow. What I have here is a quick utility to facilitate things.

read more