Ubiquiti ER-X and 22.03.4 = Disaster, Help!

I have an ER-X 5-port that was running 19.0? (can't remember exactly) with my AC-AP-Lite AP on eth0 and WAN on eth4. I was having issues and wanted to upgrade to 22.03.4. I understand that a few things changed including DSA and device name, so I forced upgrade through LuCI and ignored the scary messages. I ended up soft-bricking the device because (among other things) /etc/config/network needed updating. Removed the cover, used my serial-to-USB converter and got in and saw the device was alive and responding with a prompt and log messages. Ok, so far so good.

I updated br-lan to tie the LAN ports together and assign the ports, and I could at least get back into the router without using the serial port, so halfway there. However, no amount of configuration is allowing the WAN to connect to either eth0 or eth4. Both of them seem to be assigned to eth0.2 in the new config but I don't know what's going on.

What I would like is to get my WAN connection back and routed to my LAN and have proper standard network configuration files. I don't care which port is used for which for this. I'm really disappointed in the upgrade process and this DSA transition was totally fluffed over from a documentation perspective based on the lack of configs.

Could someone please provide any valid /etc/config/network file for this device? Or advice on how to configure the physical interfaces to be assigned to WAN/WAN6 and route to LAN? TIA.

DSA is such a major change that you cannot use any swconfig syntax. It is not compatible at all.

I'd recommend that you make a backup -- you can use this as a human readable reference to remind you of the general configuration you had.

Once you've got a backup, reset the router to defaults. Do not attempt to restore the backup. You need to configure everything from scratch.

You will need to learn DSA -- this tutorial should be helpful. We can also help you through the process. To help, we'll need a detailed description of what you want the end result to do (what VLANs on what ports, what subnets/addresses per VLAN, etc.).

2 Likes
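A heuristic check for the leftover swconfig syntax discussed above, as an added example that is not part of any post in the thread. The function names, the rule wording and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: heuristic scan for swconfig-era syntax.
# Reads a network config from a file argument or stdin, prints "<line>: <reason>"
# per finding, and returns non-zero when anything was found.
check_swconfig_leftovers() {
    awk '
        $1 == "config" { section = $2; gsub(/[^a-z0-9_]/, "", section) }
        section == "switch" || section == "switch_vlan" {
            if ($1 == "config") { print NR ": swconfig section \"" section "\" is not used by DSA"; bad++ }
            next
        }
        section == "interface" && $1 == "option" && $2 == "ifname" {
            print NR ": interface uses \"option ifname\" (21.02+ uses \"option device\")"; bad++
        }
        section == "interface" && $1 == "option" && $2 == "type" && $3 ~ /bridge/ {
            print NR ": bridge declared on the interface (21.02+ uses a \"config device\" section)"; bad++
        }
        ($1 == "option" || $1 == "list") && match($0, /eth[0-9]+\.[0-9]+/) {
            print NR ": " substr($0, RSTART, RLENGTH) " looks like a swconfig CPU-port VLAN"; bad++
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample: a swconfig-style config as it might survive a forced upgrade.
sample_legacy_config() {
    cat <<'EOF'
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'
EOF
}

sample_legacy_config | check_swconfig_leftovers || echo "config still contains pre-DSA syntax"
```

An `ethN.M` name is still legal under DSA as an 802.1Q VLAN on that port, so treat that finding as a prompt to check the line rather than as an error.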

Thanks for the quick response. Let me reset to defaults, plod through the DSA tutorial and report back shortly. My hope was that I could restore a known working default config but it looks like I have to do this the hard way (unless someone else can provide some info).

EDIT: One BIG question: what about WAN configuration and routing to it from the bridged LANs? The guide doesn't say anything about creating the WAN for IPv4 and IPv6 and assigning it to a physical interface. I get the bridging LAN and WAN part. Again, all I want is eth0/1/2/3 to be bridged and eth4 to be my WAN (or eth0 WAN and eth1/2/3/4 LAN).

I'm going to be a bit pedantic here, but for a good reason. You do not want a bridge. A bridge is the software equivalent of a switch (Layer 2), and this would not allow routing (Layer 3) that you need. What you want is for eth0-3 to be bridged together (i.e. forming your LAN's physical interfaces) and eth4 set up as its own, independently routed port associated with the wan interface.

If you're not using VLANs, it should be as simple as ensuring the br-lan contains eth0-eth3 (add or remove accordingly), and then the wan interface should have device eth4. Offhand, I don't know how the ER-X is set up in the default configuration, but your request so far should be pretty straightforward.

Feel free to post the default config if you need help with this, or if you need verification, post the file once it has been modified.

I wouldn't call it a disaster, but I wouldn't use 22.03.x on ER-X either, because this patch didn't make it in 22.03: 2 Gbps WAN/LAN NAT Routing on ramips MT7621 devices
But when you switch to the next release containing that patch you'll want eth0 as WAN, so you might want to rethink your setup a little (and maybe switch to master builds).

Hope you can recover it. I would really wait to use 22.03.4 even if they said it is stable.

I use the ER-X with 22.03.3 without any problems so far and am happy at the moment. I found that it is not a good idea to upgrade when you have it in production. When I was going from 22.03.2 to 22.03.3

I use as:

  • WireGuard Server
  • DDNS Services
  • SQM Cake
  • DNS Https Proxy
  • Adblock Lean (testing)

This is how it looks in my /etc/network so you can see how the devices are tagged. Ignore the WireGuard Server Config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdb5:59e6:afa4::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'Redacted'

config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username 'Redacted'
	option password 'Redacted'
	option ipv6 '0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'Redacted'
	option listen_port 'Redacted'
	list addresses 'Redacted'

config wireguard_wg0
	option description 'Redacted'
	option public_key 'Redacted'
	option private_key 'Redacted'
	option preshared_key 'Redacted'
	list allowed_ips 'Redacted'
	option route_allowed_ips 'Redacted'
	option endpoint_host 'Redacted'
	option endpoint_port 'Redacted'
	option persistent_keepalive 'Redacted'

Ok I think I have it all sorted out finally and thank you to all that helped!!

For some reason, the changes between 19.04 (last version I had IIRC) during the upgrade process via LUCI prevented me from going into the web interface directly (and, for some reason, using Putty with a patch cable to the middle Ethernet port). In my case, I used the serial port inside the ER-X connected to a Silicon Image CP2102 USB-to-UART with the ground, tx and rx pins connected.

Once in there, I reconfigured the /etc/config/network file using Putty with vi similar to a-z's but without the wireguard and using dhcp instead of pppoe, username and password options, obviously (and similar, as it turned out, to the default). Went into the LUCI (being lazy), reset the router to defaults to wipe the previous config and then re-edited the network file which now looked a lot like a-z's but had to force the MAC address on the WAN interfaces to the one the cable modem was filtering access on. I rebooted and it now works like a charm.

What I believe I could have done instead is upgrade, wait a minute or two for the reboot, hold the reset button for ten seconds to reset the ER-X to defaults, then add the MAC addresses for the WAN side.

I greatly appreciate everyone's help and patience here, so thank you!

psherman: I misunderstood how routes were established, and for some reason I thought routes were established in an implied way by bridging a LAN with a WAN. My mistake, mea culpa.

znevna: Fair enough on the versions. It would be nice to have a recommended version for the hardware with some notes on the release pages. My application is hardly high-performance where I need such high routing bandwidth (yay Comcast!), but I look forward to these changes in the future. The SoC seems plenty powerful enough for most applications and part of why I run OpenWRT is because I can block domains (e.g. ads) in the same hardware and remain fanless.

Special note to any hardware designers for routers and other similar embedded products who may read this: please always break out the serial or JTAG interface to the outside of the device unless the threat model demands otherwise, because it's 100x easier and cheaper in the long run to unbrick in the field for the incremental cost of a connector than to send the device back.

In serial or SSH CLI, the command firstboot is the same as Luci "reset to defaults."

Other Edgerouter models do have a serial "console" port on the outside. This is considered an enterprise-level feature. Most buyers of consumer type routers would have no use for it.

In serial or SSH CLI, the command firstboot is the same as Luci "reset to defaults."

I couldn't recall the command, but good to know! I don't think I would've really had to have gone to the serial console at all if I had just held reset for ten seconds. But you never know.

Other Edgerouter models do have a serial "console" port on the outside. This is considered an enterprise-level feature. Most buyers of consumer type routers would have no use for it.

I personally don't consider any Ubiquiti products to be consumer level even though I'm using them for personal and home office/home lab use. The ER-X, IMHO, is a small router/switch combo targeted at SMB markets, just as Unifi primarily IMHO is. It just happens to come with enough included tools to be manageable at SMB scale and small Enterprise scale.

To that point, IIRC ER-X did not even come with WAN routing enabled out of the box, so you'd have to install Java on a PC, then Ubiquiti's management server (or plug a patch cable and force your network to a fixed address) then go in while navigating through the browser's cert warning and configure the ER-X to route LAN to WAN and probably update the firmware. Less onerous than, say, a Catalyst 3560 where you need to know IOS commands, but clearly neither Cisco nor Ubiquiti is consumer grade where you plug the cable modem into the "Internet" port and the Wi-Fi is built in and self-guiding and self-updating and maybe spying (cough TPlink cough). That's why (again IMHO) having a little 9-pin DIN or a 4-pin recessed header on the outside of the case to unbrick, especially when Ubiquiti's own firmware updates have bricked their devices.

1 Like