- It seems that with every firmware update, whatever was done to get NextDNS into the router will be gone, so you will have to redo the steps, or at least some of them, once you confirm that it has happened.
- However, there are locations where the config might be persisted across a router reset: `/config/scripts/post-config.d/` or `/config/user-data/`.
- I recommend not configuring the router through the UI after a reset, but by SSH after enabling it. That can prevent bad configuration that would require another router reset.
- Make sure to have NTP enabled and configured, to avoid bugs.
- You can do this through the UI CLI or using SSH, if you have enabled it and set a port.
- You can delete any configuration done by using `delete`, e.g., `delete firewall all-ping`.
- These steps were confirmed to be working after a complete hardware reset.
- You can check the currently set commands with `show configuration commands`; you can grep for specific ones if needed.
- To check whether DNS forwarding is working, use `show dns forwarding statistics`.
- If you need to check whether you should use the current settings that use `switch0`, check with `show interfaces`.
- Use the proper IP depending on the port the cable is connected to, be it `192.168.1.1` or `192.168.2.1`.
I updated the configs based on the latest firmware update (>3.0).
After a router reset, the only thing needed through the UI is setting a stronger password and enabling SSH on port 22 or a port of your choice.
After logging into SSH (`ssh ubnt@192.168.1.1`), enter configuration mode by typing `configure`.
If the SSH connection fails after having worked previously, try removing the lines containing `192.168.1.1` from `~/.ssh/known_hosts`.
Use the commands below:
```
# GUI / System
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers disable
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
set service unms disable
set system host-name ubnt
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system time-zone UTC
# Optionally disable analytics and crash report
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false
# Disable IPV6 if you are not going to use it.
set system ipv6 disable
# Firewall
set firewall all-ping disable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
# If strict breaks asymmetric routing, try enable or disable instead
set firewall source-validation strict
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 description "Drop ICMP"
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 protocol icmp
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 10 state new disable
set firewall name WAN_LOCAL rule 10 state invalid disable
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 description "Drop ICMP"
set firewall name WAN_LOCAL rule 30 action drop
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol icmp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
# Prevent DNS bypass on router
set service nat rule 100 description 'DNS redirect UDP'
set service nat rule 100 type destination
set service nat rule 100 inbound-interface switch0
set service nat rule 100 protocol udp
set service nat rule 100 source address 192.168.1.0/24
set service nat rule 100 destination port 53
set service nat rule 100 inside-address address 192.168.1.1
set service nat rule 100 inside-address port 53
set service nat rule 101 description 'DNS redirect TCP'
set service nat rule 101 type destination
set service nat rule 101 inbound-interface switch0
set service nat rule 101 protocol tcp
set service nat rule 101 source address 192.168.1.0/24
set service nat rule 101 destination port 53
set service nat rule 101 inside-address address 192.168.1.1
set service nat rule 101 inside-address port 53
set service nat rule 100 source address !192.168.1.1
set service nat rule 101 source address !192.168.1.1
# Optionals, may require additional setup.
set service ssh listen-address 192.168.1.1/24
set service gui listen-address 192.168.1.1/24
set service ssh disable-password-authentication
# Only if you have IPV6 enabled
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
# Remove unsafe service
delete service telnet
# Enable hardware offload
# These can disable traffic analysis DPI, QoS and Smart Queues, but you get better processing and speed.
set system offload hwnat enable
set system offload ipsec enable
# If you want to see what traffic is going through. However, if you enable this, you might not get full hardware offload.
set system traffic-analysis dpi enable
set system traffic-analysis export enable
# Disable SIP ALG
set system conntrack modules sip disable
# SYN Flood protection
set system conntrack tcp half-open-connections 1024
set system conntrack tcp loose enable
set system conntrack tcp max-retrans 3
# Prevents connection exhaustion attacks
set system conntrack table-size 262144
set system conntrack hash-size 65536
# Optionally set MTU and MSS Clamp - MSS should always be 40 less than MTU.
set interfaces ethernet eth0 pppoe 0 mtu 1400
set firewall options mss-clamp mss 1360
set firewall options mss-clamp interface-type all
```
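To verify that the baseline above actually survived a reset or firmware update, here is an added audit script (not part of the original notes) that parses a saved `show configuration commands` dump and flags the items that are missing; the sample dump is constructed and deliberately leaves `WAN_LOCAL` open, telnet enabled and the TCP DNS redirect absent.

```python
# Added audit example (not from the original notes): parse a saved 'show configuration commands' dump.
import shlex

# Constructed sample dump; WAN_LOCAL, telnet and the TCP DNS redirect are deliberately weak/missing.
SAMPLE_DUMP = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action accept
set interfaces ethernet eth0 firewall in name WAN_IN
set service nat rule 100 type destination
set service nat rule 100 protocol udp
set service nat rule 100 destination port 53
set service telnet port 23
set system ntp server 0.ubnt.pool.ntp.org
"""

def parse_set_commands(dump):
    """Build a nested dict from 'set' lines; every token (value included) becomes a key."""
    tree = {}
    for line in dump.splitlines():
        tokens = shlex.split(line)  # handles quoted descriptions
        if tokens[:1] == ["set"]:
            node = tree
            for tok in tokens[1:]:
                node = node.setdefault(tok, {})
    return tree

def lookup(tree, *path):
    # Return the subtree at path, or None if any element is absent.
    for key in path:
        tree = tree.get(key) if tree is not None else None
    return tree

def audit(tree):
    """Return the hardening checks from the notes above that the dump fails."""
    findings = []
    for chain, hook in (("WAN_IN", "in"), ("WAN_LOCAL", "local")):
        if lookup(tree, "firewall", "name", chain, "default-action", "drop") is None:
            findings.append(f"{chain} default-action is not drop")
        if lookup(tree, "interfaces", "ethernet", "eth0", "firewall", hook, "name", chain) is None:
            findings.append(f"{chain} not applied to eth0 {hook}")
    if lookup(tree, "service", "telnet") is not None:
        findings.append("telnet service still configured")
    if not lookup(tree, "system", "ntp", "server"):
        findings.append("no NTP server configured")
    # DNS bypass prevention needs a destination NAT rule to port 53 for both udp and tcp.
    rules = lookup(tree, "service", "nat", "rule") or {}
    redirected = {proto for rule in rules.values()
                  if lookup(rule, "type", "destination") is not None
                  and lookup(rule, "destination", "port", "53") is not None
                  for proto in rule.get("protocol", {})}
    findings += [f"no DNS redirect NAT rule for {p}" for p in ("udp", "tcp") if p not in redirected]
    return findings
```

Run it as `audit(parse_set_commands(open("dump.txt").read()))` against the output of `show configuration commands` saved from the router.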
Before you do this, if you are going to use NextDNS, you might want to do those steps first. Once you set the DHCP settings and `commit;save`, the SSH access will be lost. You might need to put the cables back in their proper ports and restart the router.
You can try using `commit-confirm 10` to prevent lockouts in case of bad configs. It rolls the change back after the timer (in minutes) expires, unless `confirm` is typed.
```
# DHCP
delete interfaces ethernet eth0 address
delete interfaces ethernet eth1 address
delete interfaces ethernet eth2 address
delete interfaces ethernet eth3 address
delete interfaces ethernet eth4 address
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces switch switch0 address 192.168.2.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 switch-port vlan-aware disable
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces ethernet eth0 dhcp-options name-server no-update
set service dhcp-server use-dnsmasq enable
set service dhcp-server static-arp disable
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.200
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.10 stop 192.168.2.243
delete service dns forwarding system
set service dns forwarding cache-size 2048
set service dns forwarding listen-on eth1
set service dns forwarding listen-on switch0
set service nat rule 5000 description 'masquerade for WAN'
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
# Only if you are not going to use NextDNS. Use Cloudflare DNS instead; any other DNS option would go here as well.
# If you use this, do not set the "options server=" command.
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
```
By default, there is `dnsmasq`, but no DoH support; the tradeoff is less maintenance needed.
```
# DNS - NextDNS - Only if using dnsmasq (non-DOH) directly.
set service dns forwarding options server=45.90.30.0
set service dns forwarding options server=45.90.28.0
set service dns forwarding options server=2a07:a8c1::
set service dns forwarding options server=2a07:a8c0::
set service dns forwarding options add-cpe-id=YOUR_PROFILE
# Additionals
set service dns forwarding options edns-packet-max=1232
set service dns forwarding options no-resolv
set service dns forwarding options stop-dns-rebind
set service dns forwarding options bogus-priv
set service dns forwarding options domain-needed
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Optional
# Delete this one if NXDOMAIN issues happen.
set service dns forwarding options no-negcache
# Only if you do not need /etc/hosts
set service dns forwarding options no-hosts
# The ones below may not be secure to use. You can delete them if previously added.
delete service dns forwarding options dnssec-check-unsigned
delete service dns forwarding options dnssec-no-timecheck
delete service dns forwarding options all-servers
delete service dns forwarding options strict-order
# Unsure
set service dns forwarding options dhcp-authoritative
set service dns forwarding options 'dhcp-range=::,ra-stateless,ra-names'
# Do NOT use this option, it will most likely default to your ISP DNS. Delete it instead, if set.
delete service dns forwarding dhcp eth0
# Only use these if using the CLI instead of the dnsmasq suggestion from the NextDNS website.
# If you are going to use the NextDNS CLI, before setting the following settings, install the CLI and make sure it works.
set system name-server 127.0.0.1
set service dns forwarding options server=127.0.0.1#53053
```
In case you get dnsmasq failures, there might be misconfigurations; check `/etc/dnsmasq.conf`.
- Once you are done, type `commit` and then `save`.
- You should be able to exit by typing `exit`, or use the single command `commit;save;exit`.
- (Optional) After exiting, use the commands below or restart the router. Only if you have installed/added your DNS of choice.

```
sudo systemctl restart dnsmasq
release dhcp interface eth0
renew dhcp interface eth0
```
After choosing whether to use the CLI with the `server=` option or the `name-server` setting, as long as everything else is properly set, it should be completely working: clients get an IP, the router IP as gateway, and the router IP as DNS. It might be done automatically if you have the responsible service activated; even if you change it afterwards, no external change should be required, just a `commit;save`.
If you are using the NextDNS CLI, edit `nextdns.conf`. By default it might be at `/config/nextdns/nextdns.conf`; you can view the active settings with `nextdns config list`.
Put your NextDNS ID into `profile`:
```
profile YOUR_NEXTDNS_ID
auto-activate false
control /var/run/nextdns.sock
max-ttl 0s
report-client-info false
max-inflight-requests 256
discovery-dns
mdns disabled
setup-router false
listen 127.0.0.1:53053
cache-size 0
cache-max-age 0s
detect-captive-portals false
bogus-priv true
log-queries false
use-hosts false
timeout 5s
```
Alternatives that may result in better DNS performance, but may not reflect changes on the NextDNS dashboard immediately:

```
cache-size 10000
cache-max-age 10m
```
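The CLI only works behind dnsmasq when `listen` here matches the `server=127.0.0.1#53053` forwarder option set earlier. As an added example (not part of the original notes or of the NextDNS project), this parses the `nextdns.conf` key/value format and checks that coupling, plus the `profile` placeholder and `setup-router`; the sample config and dnsmasq option list are constructed.

```python
# Added example (not part of the original notes): parse nextdns.conf and
# check it against the dnsmasq server= option used in the forwarding setup.
import re

# Constructed sample, following the nextdns.conf shown above.
SAMPLE_NEXTDNS_CONF = """\
profile YOUR_NEXTDNS_ID
setup-router false
listen 127.0.0.1:53053
discovery-dns
cache-size 0
"""
DNSMASQ_OPTIONS = ["server=127.0.0.1#53053", "no-resolv"]

def parse_nextdns_conf(text):
    """One 'key value' per line; a bare key such as discovery-dns gets ''."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def dnsmasq_upstreams(options):
    """Turn dnsmasq 'server=host#port' options into host:port strings (port 53 if omitted)."""
    targets = []
    for opt in options:
        m = re.fullmatch(r"server=([^#]+)(?:#(\d+))?", opt)
        if m:
            targets.append(f"{m.group(1)}:{m.group(2) or 53}")
    return targets

def check_forwarding(conf, options):
    """Return problems that would stop dnsmasq from reaching the NextDNS CLI."""
    problems = []
    if conf.get("profile", "") in ("", "YOUR_NEXTDNS_ID"):
        problems.append("profile is still the placeholder")
    listen = conf.get("listen", "")
    if not listen.startswith("127.0.0.1:"):
        problems.append("listen is not bound to loopback")
    if listen not in dnsmasq_upstreams(options):
        problems.append(f"dnsmasq has no server= option pointing at {listen}")
    if conf.get("setup-router") != "false":
        problems.append("setup-router must be false when dnsmasq stays in front")
    return problems
```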
If you choose NextDNS, you can check if it's enabled at https://test.nextdns.io/ and protocol should be "DOH".
If you choose Cloudflare DNS, check at https://www.cloudflare.com/ssl/encrypted-sni/ by pressing the check button.
Before you do this: in case you get locked out of the router by whatever configuration, do the same process as before a reset. Set a manual IP and the router IP as gateway. That should let you access the router again without needing a reset.
If you have to reset the router for whatever reason, you can reset it, and you might be met with "Connecting" or "Identifying" afterwards; you might need to use the ETH0 cable port and set the IP manually.
Your machine IP can be anything like 192.168.1.10, netmask 255.255.255.0, and as IP gateway you set the router IP 192.168.1.1.
Then you can open the page in the browser using the same router IP and do the basic configuration; after that it will ask to restart.
You can then change back to the ETH1 cable port, remove the manual IP and set it to automatic again, and you can then open it through the browser again.
- Press and hold the reset button.
- The port LEDs will start to light up in sequence, starting from port 1 and ending at the last port.
- Continue holding the reset button for approximately 10 seconds until the LED on port 1 lights up again.
- Release the reset button.
- The EdgeRouter will reboot; wait for the reboot to complete.
- If you decide to use dnscrypt-proxy on the EdgeRouter X, choose the mipsle build to be compatible.
- If you follow the steps from the DNSCrypt tutorial, which work, then in the toml config file, if you are going to use NextDNS, you only need to set the config they require and change `require_dnssec` to `true`. But do not forget the others, like the listen port change, otherwise it will conflict and not work.
- You will be able to check the status with `sudo systemctl status dnscrypt-proxy`, or restart it with `restart` instead of `status`.
- You might also end up needing to change the toml config file path, if the current setup does not work; you can do so by altering the file at `/etc/systemd/system/dnscrypt-proxy.service`.
- https://github.com/nextdns/nextdns/wiki/EdgeOS
- https://www.justinho.com/blog/2020/09/03/cleanedgerouter.html
- https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading-Explained
- https://3os.org/infrastructure/ubiquiti/edge-router/
- https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-EdgeOS
- https://yeri.be/nextdns-edgerouter-redirecting-dns-requests
- https://community.ui.com/questions/NextDNS-setup-on-a-ER-X/e8f5e9f8-ef93-4d5d-8b91-8e1cae7a48f4#answer/e50c770a-81c1-4590-9582-cebfb333d089
- https://chrisatech.wordpress.com/2022/11/01/nextdns-on-edgerouter-using-dnsmasq/
- https://community.ui.com/questions/NextDNS-with-keeping-Dnsmasq-on-EdgeRouter/3141381a-ea95-47c2-aa30-2715560a333b
- https://www.youtube.com/watch?v=f_jG6_G4dXM
- https://floating.io/2019/01/edgerouter-dns-forwarding-and-the-routers-hostname/
- https://github.com/confirm/edgerouter-dnsmasq-updater/blob/master/README.md
- https://help.ui.com/hc/en-us/articles/205202620-EdgeRouter-Reset-to-Factory-Defaults
- https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway
- https://www.erianna.com/wireguard-ubiquity-edgeos/
- https://blog.usman.network/posts/wireguard-vpn-on-a-ubiquiti-edgerouter/
- https://help.ui.com/hc/en-us/articles/205202560-EdgeRouter-Add-Debian-Packages-to-EdgeOS
- https://chameth.com/dns-over-tls-on-edgerouter-lite/
- https://github.com/darkgrue/Ubiquiti-DNSCrypt-Proxy-2-Configuration-Scripts