Rpi4 / er-x single arm setup (Solution added to OP for ease of access)

a while back i was toying with running a single arm laptop on a stick, however i recently came into a rpi4, and the ue306 adapter i have for usb ethernet is bad (according to a lot of reading i've done). i unfortunately lost all my config files due to a reformat so im starting from scratch.

im looking for a set of config files i can setup my rpi4 and my erx (both have openwrt on them) to run as a router on a stick. i can modify the files myself. i believe all i need to do to the rpi4 is set lan to eth0.2 and wan to eth0.1 and wan6 to eth0.1

erx - port 0 (wan in)
erx - port 1 (rpi4)
erx - port 2,3 available for use for any device
erx - port 4 (management ip 10.10.1.1)

EDIT: below is the final setup that allowed me to use a rpi4 router on a stick with an openwrt managed switch

(network file)

# Network config of the OpenWrt managed switch in this router-on-a-stick setup:
# all five ports sit in one bridge and the bridge-vlan sections split them into VLANs.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:419c:0e07::/48'
        option packet_steering '1'

# Every port is a member of br-lan; which VLANs a port carries is decided below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

# VLAN 10 (used by 'lan'): tagged on eth1 (":t"), untagged with PVID on eth2 and eth3 (":u*").
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'
        list ports 'eth2:u*'
        list ports 'eth3:u*'

# VLAN 20 (used by 'wan'): untagged with PVID on eth0, tagged on eth1.
# eth1 is the only port carrying both VLAN 10 and VLAN 20, i.e. the trunk.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:u*'
        list ports 'eth1:t'

# VLAN 30 (used by 'management'): eth4 only; it is not a member on the eth1 trunk.
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'eth4:u*'

# This device's own address on VLAN 10.
config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'

# proto 'none' leaves VLAN 20 unmanaged: no IPv4 address is configured on br-lan.20 here.
# NOTE(review): confirm on the device that br-lan.20 carries no address you do not
# expect (for example an IPv6 link-local one); that cannot be seen from this file.
config interface 'wan'
        option device 'br-lan.20'
        option proto 'none'

# This device's own address on VLAN 30 (the eth4 port).
config interface 'management'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'

(dhcp file)

# dnsmasq settings for this device.
# rebind_protection '1' discards upstream DNS answers that point into private address
# ranges; localservice '1' limits DNS service to clients on local subnets.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCPv4 pool on the 'management' interface: up to 150 leases starting at host offset 100.
# NOTE(review): any device plugged into a port of the management VLAN is handed a lease;
# treat physical access to that port as access to the management network.
config dhcp 'management'
        option interface 'management'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

# ignore '1' turns DHCP off for 'lan' on this device; the remaining options are inert.
# Presumably the router hands out lan leases instead; confirm against the router's config.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

# No DHCP service towards 'wan'.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

(firewall file)

# Default policy: input and forward traffic not accepted by a zone or rule is rejected.
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# 'lan' and 'management' share one zone and therefore one policy: input ACCEPT lets
# hosts on either network reach services on this device, and forward ACCEPT lets this
# device forward between the two networks.
# NOTE(review): if administration is meant to be limited to the management port,
# 'management' needs a zone of its own and 'lan' a stricter input policy; confirm intent.
config zone
        option name             lan
        list   network          'lan'
        list   network          'management'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# WAN-side zone: input and forward are REJECT, so only the explicit rules in this file
# admit traffic that arrives from it.
# NOTE(review): 'wan6' is listed here, but the network file posted with this config
# defines no 'wan6' interface.
config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

# Allows forwarding from the lan zone (lan and management) to the wan zone.
config forwarding
        option src              lan
        option dest             wan

# Exceptions to the wan zone's REJECT policy. Rules without 'dest' match traffic
# addressed to this device; rules with 'dest' match forwarded traffic.
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Accepts the listed ICMPv6 types only from link-local sources (fe80::/10).
config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# Rate-limited to 1000 packets per second.
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# dest '*' applies this to forwarding into any zone; same 1000/sec limit.
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Forwards ESP from wan to any host in the lan zone (no dest_ip restriction).
# NOTE(review): only useful when an IPsec endpoint sits behind this device; consider
# removing this rule and Allow-ISAKMP below if none does.
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

# Forwards UDP port 500 from wan to any host in the lan zone (no dest_ip restriction).
config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

im particularly curious about dsa vs just bridging all 5 ports, is there config differences?

I assume you're running 23.05 on both the RPi 4 and the ER-X?

Your ER-X uses DSA, so it isn't a "vs" situation -- although the combinations of ports defined in the bridge, of course, depend on the desired outcome.

Based on your description, ports eth0-eth3 must be in a common bridge. eth4 could be split out and treated separately, but I'd recommend keeping it in the br-lan for increased flexibility.

Setting up your ER-X, I'd recommend having:

# Suggested ER-X bridge: all five ports in br-lan, split into three VLANs below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

# VLAN 1: tagged on eth1 (":t"), untagged with PVID on eth2 and eth3 (":u*").
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:t'
        list ports 'eth2:u*'
        list ports 'eth3:u*'

# VLAN 2: untagged with PVID on eth0, tagged on eth1. eth1 carries VLANs 1 and 2 tagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth0:u*'
        list ports 'eth1:t'

# VLAN 3: eth4 only; it is not a member on eth1.
config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth4:u*'

Then setup networks accordingly.... the wan (VLAN 2) will be unmanaged; lan (VLAN 1) will simply be edited from the standard config to change the address and device, and then management (VLAN 4) will have the address you've specified.

# The ER-X's own address on VLAN 1.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

# proto 'none': the ER-X configures no address on VLAN 2 and leaves it unmanaged.
config interface 'wan'
        option device 'br-lan.2'
        option proto 'none'

# The ER-X's own address on VLAN 3 (the eth4 port).
config interface 'mgmt'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '10.10.1.1'
        option netmask '255.255.255.0'

You'll probably want to disable the DHCP server on the lan and create one for mgmt. You'll also want to add the mgmt network to the lan firewall zone (at least for now).

On the Pi, you'll configure the lan and wan like this (omitting other things like the loopback and such):

# RPi4 side: lan and wan are VLAN sub-interfaces (eth0.1 and eth0.2) of the one eth0 link.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# The Pi's lan address on VLAN 1.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# wan gets its address by DHCP over VLAN 2.
# NOTE(review): the Pi's firewall config is not shown on this page; 'wan' is presumably
# assigned to its wan zone there. Confirm before connecting the upstream link.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

That should do what you want.

Also, make sure that your ER-X has the latest bootloader installed (this needs to be done with EdgeMax firmware) -- this is important because old versions of the bootloader would bridge all ports during the early boot process, and that will cause problems with your wan connection. Additionally, the latest bootloader has a pretty reliable TFTP recovery process.


prior to installing 23.05 on the er-x i had the latest firmware installed, so i am assuming the bootloader is updated, would there be a way to know this via the luci ui?

IIRC, the bootloader was included with the EdgeMax firmware, but might have still required a manual process to upgrade it.

There is no way that I am aware of to query this in OpenWrt (LuCI or CLI), but you can use the LEDs as a method to find out:

In both cases, the TFTP recovery mode is initiated by holding the reset button for an extended period of time:

  1. Press and hold the reset button.
  2. The port LEDs will start to light up in sequence starting from port 1 and ending at the last port.
  3. Continue holding the reset button for approximately 30 seconds until all the port LEDs light up.

**NOTE:** The difference between resetting the EdgeRouter to factory defaults and entering the TFTP recovery mode is the length of time the reset button is pressed. See the Reset to Factory Defaults article for more information.

  1. Release the reset button.
  2. The port LEDs will continuously turn on and off while the TFTP recovery mode is active.

ATTENTION: The TFTP recovery process is indicated by the port LEDs continuously lighting up in sequence. See the image below.

If you're not currently up to date, here is the information about doing that:

so i have been digging, but not having a ton of luck,

If I have a working openwrt 23.05 install on my er-x but cannot get the TFTP lights going, can I sysupgrade it back to default and update the boot loader? If so where can I find a compatible image? Everything I find is talking about using a tty adapter

I have never actually flashed an ER-X with OpenWrt (and thus I can't speak with authority about flashing back to stock)... but there is info in the device info page:

https://openwrt.org/toh/ubiquiti/edgerouter_x_er-x_ka#reverting_to_stock_firmware

alrighty, follow up, is the bootloader important once i get my config setup? will it lose the setup or something?

Flashing back to the vendor firmware will necessarily wipe out your OpenWrt config. However, you can work on the config now, get it working, and then make a backup. That backup can be easily restored once you put OpenWrt back onto the device.

thats fair, with your notes above, if i edit the /etc/config/network file and basically just erase whats present, and type up what you listed, are there any other primary changes that need to be made? firewall or anything of the sort?

sounds like ill need to get a usb/tty cable to flash it back, which is something i've been wanting to learn about so no biggy

I think I covered everything, but keep in mind that I omitted parts of the config that were not relevant to the immediate task (so the loopback address, ULA, etc... a bunch of stuff that should stay there). But you'll see what needs to be left alone, edited, added, and deleted once you're actually getting into it.

Feel free to post your config when you're basically done but before you reboot the device.

This is what we'll want to see:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

you got it, do you like programs like putty/winscp for modifying files from outside the device itself, i could do it all via VI but thats a bit painful

That's up to you... I personally make my edits using vi on the device itself, but you can transfer the file to your computer, make the edits, and then push it back. Just make sure you use a proper plain text editor that doesn't insert Windows-style hidden characters (such as CRLF line endings).

cat /etc/config/network

# Posted /etc/config/network of the ER-X (ULA prefix redacted by the poster).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

# All five ports are members of br-lan; the bridge-vlan sections assign the VLANs.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

# VLAN 1: tagged on eth1 (":t"), untagged with PVID on eth2 and eth3 (":u*").
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:t'
        list ports 'eth2:u*'
        list ports 'eth3:u*'

# VLAN 2: untagged with PVID on eth0, tagged on eth1.
# NOTE(review): this dump has no interface section on br-lan.2, while the firewall
# posted with it names a 'wan' network in its wan zone.
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth0:u*'
        list ports 'eth1:t'

# VLAN 3: eth4 only.
config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth4:u*'

# This device's address on VLAN 1; default gateway and DNS both point at 192.168.56.2.
# Presumably that is the RPi4; confirm against its config.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.56.3'
        option netmask '255.255.255.0'
        option gateway '192.168.56.2'
        option dns '192.168.56.2'

# This device's address on VLAN 3 (the eth4 port).
config interface 'management'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'

cat /etc/config/dhcp

# dnsmasq settings. rebind_protection '1' discards upstream DNS answers that point into
# private address ranges; localservice '1' limits DNS service to clients on local subnets.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

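# DHCPv4 pool for the 'management' interface defined in /etc/config/network:
# up to 150 leases starting at host offset 100, 12 hour lease time.
# The section as pasted had no 'interface' option, so the pool was tied to no network.
config dhcp 'management'
        option interface 'management'
        option start '100'
# Space restored between the option name and its value (was: limit'150').
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'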

# ignore '1' turns DHCP off for 'lan' on this device; the other options are inert.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

# odhcpd settings; maindhcp '0' leaves odhcpd out of the main DHCPv4 server role.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

# Default policy: reject input and forwarded traffic that no zone or rule accepts.
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# One zone for both 'management' and 'lan': hosts on either network may reach this
# device (input ACCEPT) and traffic may be forwarded between them (forward ACCEPT).
# NOTE(review): this does not isolate the management network from lan; a separate
# zone would be needed for that.
config zone
        option name             lan
        list   network          'management'
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# WAN-side zone with REJECT for input and forward.
# NOTE(review): neither 'wan' nor 'wan6' is defined in the network file posted
# alongside this dump, so this zone currently covers no interface shown here.
config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

# Allows forwarding from the lan zone to the wan zone.
config forwarding
        option src              lan
        option dest             wan

# Rules that open specific traffic from the wan zone. Those without 'dest' concern
# traffic to this device itself; those with 'dest' concern forwarded traffic.
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Restricted to link-local senders (fe80::/10).
config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# Accepted at no more than 1000 packets per second.
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# dest '*' covers forwarding into every zone; also limited to 1000 packets per second.
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# ESP from wan is forwarded to the whole lan zone; there is no dest_ip to narrow it.
# NOTE(review): keep this and Allow-ISAKMP only if an IPsec endpoint behind this
# device needs them.
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

# UDP port 500 from wan is forwarded to the whole lan zone; no dest_ip to narrow it.
config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

give me a moment i messed that up lol

Yeah... I was going to say... lol

But one thing to note -- there should have been other things in the /etc/config/network file -- I hope you didn't delete all of it.

i didnt right click in VI to copy so i was pasting the same thing over and over lmao, (covid brain) should look right now?

assuming you were talking about the loopback and the ula prefix

yeah, and you've probably got some mac address stanzas in there, too.

i updated my previous dump comment with all the correct pastings, how did i do? used VI to edit everything