
EdgeRouter X PPPoE Firewall

Important firewall information for PPPoE on EdgeRouter X

Published : 15 November 2021


The Ubiquiti EdgeRouter ER-X is still one of the cheapest decent router/firewalls around. It has five gigabit-capable ports that are configurable in a multitude of ways, and it is a serious step up from the ISP-supplied plastic boxes of yore. Another way of looking at it is this: it is a fully functional Linux computer with a built-in 5-port gigabit switch, an SSH and Telnet CLI, and an HTTP GUI that lets you configure it to do what you want it to. If you can imagine a configuration, the EdgeRouter ER-X is probably capable of it. There is a lot of information about the EdgeRouter ER-X on the Internet walking you through setting it up to operate in various environments, but after trawling through endless YouTube videos and forums, the crucial thing that was preventing me from setting mine up was noticeably absent.

The problem for the non-network engineer is that, fresh out of the box, it does nothing. If you press the reset button and hope to still be connected to the Internet afterwards, you are going to be disappointed. That is not to say that the EdgeRouter ER-X is in any way bad; it just requires a little more effort to get going than the typical TalkTalk plastic box.

Too many words, skip to the end.

This will really interest you only when you have an Internet connection faster than 100Mbps and want to do more with it than just surf eBay and Facebook. You are either filthy rich, have cable, or have a FTTP connection and an ONT. My own setup is FTTP with a Huawei ONT that offers me an RJ45 jack to connect to the Internet on.

EdgeRouter ER-X, all 4½ inches of it.

My ISP requires me to log in to their network with PPPoE, after which they let me use eBay and Facebook as much as I want!

Back to the EdgeRouter ER-X: you must configure at least one of the five ports to be a WAN port, which connects to your ONT via a patch cable. This can be done using the GUI or the CLI. (This initial setup is widely described in words and/or moving pictures all over the Internet, so I'm not going to repeat the process here.) Let us say you've chosen eth0 for this task: the PPPoE session is assigned to eth0 and you enter your login details via the GUI or CLI to complete that bit of the setup. Here is the important bit. Once you have set up PPPoE on your chosen Ethernet port, you never, ever mention that port again. The firewall is ignorant of the port's very existence, and trying to write firewall rules using eth0 as a source or destination is doomed to failure, because as far as the firewall is concerned eth0 no longer exists. It is replaced by PPPoE0 (listed as pppoe0, in lower case, in the CLI and GUI), so while you are watching informative YouTube videos about writing firewall rules, every time they mention WAN or eth0, you use PPPoE0 in your rule.

Of the other four ports, one or more will run NAT/masquerade and connect to your own internal network. The rest of the ports are yours to do with as you wish; you could have another WAN port to a second ISP via a DSL, 3/4/5G or satellite modem, but the same rule applies: once you have created a PPPoE connection on an Ethernet port, as far as the firewall is concerned the port ceases to exist, and the firewall rules must refer to PPPoE(n) for the EdgeRouter ER-X to function correctly.
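As an added example (not from the original article), here is a small Python checker for exactly this trap. It reads the flat `show configuration commands` output that EdgeOS prints, flags any firewall ruleset attached directly to an Ethernet port that carries a PPPoE session, and flags a PPPoE interface that has no `in` or `local` ruleset at all. The two configuration samples are constructed; EdgeOS itself names the interface pppoe0 in lower case.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the flat "show configuration commands" form that EdgeOS
# prints; eth0 carries the PPPoE session but the rulesets are bound to eth0 itself.
BROKEN_CONFIG = """\
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 pppoe 0 user-id user@example.isp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
"""

# Same router with the rulesets bound under the pppoe node, where EdgeOS applies
# them to the pppoe0 interface that actually carries the WAN traffic.
FIXED_CONFIG = """\
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 pppoe 0 user-id user@example.isp
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
"""

ETH_FW = re.compile(r"^set interfaces ethernet (eth\d+) firewall (in|out|local) name (\S+)$")
PPPOE = re.compile(r"^set interfaces ethernet (eth\d+) pppoe (\d+)(?: firewall (in|out|local) name (\S+))?")


def check_pppoe_firewall(config: str) -> List[str]:
    """One finding per ruleset bound to an Ethernet port that carries PPPoE,
    plus one per PPPoE interface that lacks an 'in' or 'local' ruleset."""
    pppoe_on: Dict[str, str] = {}            # eth port -> pppoe interface name
    bound: Dict[str, Set[str]] = {}          # pppoe iface -> directions with a ruleset
    direct: List[Tuple[str, str, str]] = []  # (eth port, direction, ruleset)
    for line in config.splitlines():
        m = PPPOE.match(line.strip())
        if m:
            eth, unit, direction, _ = m.groups()
            pppoe_on[eth] = f"pppoe{unit}"
            if direction:
                bound.setdefault(f"pppoe{unit}", set()).add(direction)
            continue
        m = ETH_FW.match(line.strip())
        if m:
            direct.append(m.groups())
    findings = []
    for eth, direction, ruleset in direct:
        if eth in pppoe_on:  # ruleset attached to the port, not the PPPoE session
            findings.append(f"{ruleset} bound to {eth} {direction}: move it under "
                            f"'ethernet {eth} pppoe' so it applies to {pppoe_on[eth]}")
    for iface in pppoe_on.values():
        for direction in ("in", "local"):  # the WAN_IN / WAN_LOCAL attachment points
            if direction not in bound.get(iface, set()):
                findings.append(f"{iface} has no '{direction}' ruleset; WAN is unfiltered")
    return findings
```

Paste your own `show configuration commands` output into a string and call `check_pppoe_firewall` on it; an empty list means every ruleset sits on the PPPoE interface.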

The port forwarding feature is very simple and needs no secret sauce to operate; your Minecraft server will be online in no time once your firewall is running correctly. The only thing that impeded my successful setup was using the right name in the firewall rules: I was writing eth0 instead of PPPoE0 and then putting my entire network online with no functioning firewall. This is bad. The first thing to do, once your connection allows, is to go to Steve Gibson's ShieldsUP! and check your firewall's functionality, and be prepared to pull the plug if things don't seem right.

One thing to note is the 'Auto firewall' feature in the advanced settings under the Port Forwarding tab, which seems to skip any and all rules you may create that try to drop or reject traffic from known bad actors. This can be rectified by creating proper rules, in the right order, under WAN_IN and specifying the destinations under the NAT tab.

TL;DR - Conclusion.

This probably applies to all of the Ubiquiti EdgeRouters running EdgeOS, but most folks buying the 24-port EdgeRouters at eye-watering prices probably already know what they are doing. This is meant to be useful to the average hobbyist, not a professional network engineer.

If this is old news to you, then this article is not aimed at you; it was written to help people get their EdgeRouter ER-X up and running and not fall into the same trap as I did when trying to create a sane firewall setup.
