Edge OS

Setup notes for Ubiquiti Edge OS.


The most recent firmware update (~2019-10) has added telemetry to ubiquity devices; disabled by default.

Block or blackhole trace.svc.ui.com.

Disable UBNT Discovery Service

The UBNT Discovery Service enables other UBNT devices the ability to discover this device.


This is exposed externally and exploitable. Disable this service.

set service ubnt-discover disable
set service ubnt-discover-server disable

Create DHCP Static Entries

Create DNS / Host Entries

CNAME for IP lookups without DNS; static /etc/hosts mapping.

Simulates NAT Reflection by statically adding multiple hostnames to the hosts file. Works with subdomains as well. This will provide an internal or custom IP for a given DNS request.


Modifications should only be done via the GUI or CLI; do not modify /etc/hosts manually as these are not recognized/kept by the system across upgrades and restores.

Hairpin NAT (Internal Only NAT Reflection)

Generally split-DNS is better to use than Hairpin NAT as it allows more control. This will enable you to redirect internal requests destined for your external IP to another internal destination based on selected criteria. You will need to do this for every subnet on the network.

This may be used for faking subdomains, assuming there is a wildcard DNS setup on your Registrar and it resolves to your public IP.

Deleted DHCP Host Still Resolves in DNS

When deleting a DHCP host, the DNS reservation should be removed as well. However there is a bug in which these hosts are never deleted.

0644 root root /etc/hosts EdgeOS CLI.
#Delete hosts which are no longer used and reboot the router.

DNS Hostnames not Resolving

DHCP server on the edgerouter needs to update the hosts file when new IP’s are issued.

Allow Subnet (Wifi) Traffic Internet Only Access

May be applied to any subnet that should only have Internet access.

Create network group that contains all private IPv4 addresses.

Prevent Wifi Traffic from Reaching Internal Networks

Only Allow DNS Traffic to Router

DNAT for Captive DNS

Force all DNS queries regardless of destination server to a specific DNS server.


Do not enable this for the custom DNS server!

Add a Destination NAT Rule for each interface serving internal networks:

Add Masquerade NAT Rule for each interface serving internal networks. This enables appropriate transparent DNS lookups (Clients will think that they are resolving from the DNS they requested, not the actual DNS server serving responses):


local image.

Captive DNS Exceptions

Allow for specific client exceptions to DNAT rules. These should be an exception and not the rule. Keep this list small.

Create a Source Address Group to manage all clients for the exception:

Add an additional Destination NAT Rule for each interface serving internal networks:

Custom SSL Certifcate for Webface

A custom SSL certifcate may be used to serve HTTPS router traffic. Turn on EdgeOS SSH.

Combine private key and certifcate into one file, copy to EdgeOS.
cat privkey.pem cert.pem > server.pem
Backup existing cert and restart webface (EdgeOS CLI).
cp /etc/lighttpd/server.pem /etc/lighttpd/server.pem.Backup
mv /tmp/server.pem /etc/lighttpd/server.pem
kill -SIGINT $(cat /var/run/lighttpd.pid)
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

Dump Configuration via CLI Command Export

Export the list of CLI commands to manually re-create the current configuration of the router.

show configuration commands

Dump Configuration to JSON-like file

Show a JSON-like representation of the current router configuration.

show configuration all


  1. Creating DNS Entries

  2. How to Create a GuestLAN Firewall Rule