I’ve been a Google Fiber user (and fan) since the service first hit Provo, Utah. I have a vacation home there, so while I don’t get to benefit from the Gigabit speeds on a daily basis, I certainly take advantage of it while I’m there.
Because it’s a vacation home, I rely on a number of home-automation technologies to monitor and control the place when I’m gone. I use an ecobee remote thermostat to pre-heat or pre-cool the house before I arrive. I can send a text to turn the gas water heaters on and off via a water heater timer. I can watch exterior security cameras from my phone. And I can remotely monitor and arm/disarm the alarm system.
Why the Google Fiber Network Box is No Longer Cutting It
Some of the home automation technologies I use rely on port-forwarding, which is how you “crack open” the network’s firewall just enough to access specific devices on the other side. In addition to remote control of smart devices, I also use port-forwarding to remotely access the desktop systems, servers, and network devices that stay online in the house while I’m away. Port forwarding worked great for the first couple years of Google Fiber’s service, until they recently “upgraded” the user interface of their Google Fiber Network Box (GFNB)… and I hope the quotes around “upgraded” are enough for you to hear the sarcastic tone in my voice.
In what appears to be an effort to simplify the Google Fiber Network Box interface, they removed a number of features that advanced users rely on. The worst victim was port-forwarding. While it’s still technically allowed, Google Fiber restricts forwarding to network devices with a reserved DHCP address (meaning you can’t forward to any device with a static IP address), and they also opened a huge security hole by forcing you to forward FROM and TO the same port number. Not only does that limit you to accessing only one Windows Remote Desktop on port 3389, or only one device’s embedded web server on port 80, but it also means those commonly-known port numbers are the ones exposed on the WAN side of the network, where they’re much easier to scan and attack. This “upgrade” was unacceptable to me, and when Google Fiber’s support staff told me they couldn’t “downgrade” me back to the original interface, I decided to take matters into my own hands.
Enter the Ubiquiti EdgeRouter Lite.
I was already a fan of Ubiquiti (UBNT) products. I use their NanoStation at our Eastern Washington cabin to blast WiFi into the back yard, out onto the beach, and half way across the lake. At our main house, I use their UAP-PRO access point to fill the house with strong WiFi signal (read about that here) and a secure guest network, with an EdgeRouter-POE as the house’s primary router. It’s fair to say I’m a UBNT fanboy.
So when I read in some Google Fiber Support threads (like this one) that it might be possible to replace the GFNB with a Ubiquiti EdgeRouter, I got excited. I picked up an EdgeRouter Lite on Amazon for less than $100, and looked forward to my next trip to Utah to set it up.
Before I go further, I need to repeat the warning I made in my article on installing the UAP-PRO access point: this is not a task for the casual geek. Configuring and tweaking a UBNT EdgeRouter to replace a Google Fiber Network Box requires a certain comfort level with networking, routers, and the Linux command line. This hack is unsupported by Google Fiber, so they won’t help you, and if you call them, they will tell you just to plug your GFNB back in. You can get some help in the UBNT EdgeMAX Forum, and possibly from non-Google employees in the Google Fiber Support Forum, but for the most part… you’re on your own. I chime in on those forums’ conversations from time to time, but I don’t answer support questions here on my blog or via email.
Before You Start
This guide assumes the following:
- You’re comfortable with networks, routing, and the Linux command line.
- You already have a functioning Google Fiber setup at your home.
- You have a terminal application (like PuTTY) on your computer (OSX and Linux clients already have a built-in terminal client).
- You have a UBNT EdgeRouter Lite set to factory defaults.
- You’ve upgraded the EdgeOS firmware on your EdgeRouter to at least version 1.7.
- You’re not trying to do this with the cheaper EdgeRouter X – it doesn’t have the horsepower to work properly in this role. The two best options for this are the EdgeRouter Lite or an EdgeRouter POE. These instructions are specific to the EdgeRouter Lite, but can be easily modified for the ER-POE (update: scroll to the bottom for ER-POE instructions).
- You have a wireless access point to replace the WiFi antenna(s) you’ll lose when you disconnect the GFNB. I used a Linksys E4200 v1 running DD-WRT and configured in AP mode, but I also highly recommend the UBNT UAP or UAP-PRO.
It’s also important to note that I do not use Google Fiber TV at my Provo House (I prefer DirecTV). From what I understand, it’s totally possible to use an EdgeRouter in place of the GFNB if you also have Google Fiber TV, but it requires some additional steps (which I’ll discuss further below). For now, start with the network portion of the guide, then add the TV service steps next.
Upgrading the EdgeOS Firmware
Before you disconnect your old Google Fiber Network Box and temporarily lose Internet service, download the 1.7 firmware and install it on your EdgeRouter Lite. Make sure you also reset the router to factory defaults (either before or after the firmware upgrade).
EdgeRouter + Google Fiber Configuration Script
All of the configuration tasks required to convert an EdgeRouter Lite into a device that can replace the Google Fiber Network Box can now be accomplished by copying and pasting a series of commands from a script into the command line.
A user named Atlantisman originally started this thread in the Google Fiber Support Forums in 2013, looking for a better solution than the GFNB. It’s been an active thread since, and the primary source for info on hacking your way around the GFNB. Atlantisman developed an initial version of a configuration script and posted it on his blog in August 2014. He then updated it when the EdgeRouter’s EdgeOS v1.6 came out. His script will still work to get you up and running, but because it was based on EdgeOS v1.6, it’s missing a few of the additional features that are available in EdgeOS v1.7. Other users in that thread, including Rick Hornsby, TK, and CompTech, have also made additional tweaks to the settings and script, and now it’s my turn to build on their work and offer my own tweaks.
The most up-to-date version of my script will always be available as a GitHub Gist, and will auto-update here:
Use the “view raw” option to download the script to a text file on your local system before attempting to configure your EdgeRouter.
Alternatively, I’ve created a config.boot file that is identical to how the config.boot file on your EdgeRouter would look after running the script on a factory-default router. Unfortunately, you can’t simply upload a config.boot file by itself via the EdgeMAX GUI (the GUI actually expects a larger tar.gz file with the config.boot file stored in a specific location), but if you’re comfortable with the vi editor and/or the EdgeRouter CLI, you can copy my config.boot file onto the EdgeRouter directly, reboot it, and be done.
My Google Fiber + ERL config.boot file is also a GitHub gist here:
What the Script Does
If you’re familiar with the EdgeRouter CLI and settings, you can read through either of my above gists to see what happens when you run the script or use my pre-built config.boot file. But in general terms, here’s what happens:
- The eth0 port is configured to connect to your LAN on the 192.168.1.1/24 network. If you prefer a different subnet (like 192.168.0.1 or 192.168.2.1), edit the files before using them. Atlantisman’s original script uses the 192.168.2.1/24 network, but I went with the 192.168.1.1/24 network because that’s already the factory default.
- The eth1 port is configured to connect to your Google Fiber Network Jack. A VLAN (eth1.2) is also configured to access the Google Fiber WAN, QoS settings are applied, and masquerading to the WAN for the VLAN is configured. This is the true “secret sauce” as to why this works.
- Multiple settings to enable IPv6 on the Google Fiber network are configured.
- A touch of my own to the script: the eth2 port is configured as a local configuration port. This allows you to hard-wire a laptop directly to the EdgeRouter without disconnecting anything, manually give it an IP address, and access the EdgeRouter’s GUI or CLI via 192.168.3.1. Because the ERL’s ports aren’t hardware switched (some of the ER-POE’s are), it’s not recommended to simply configure eth2 as an additional LAN port on your primary subnet, which is why I decided to give eth2 at least some useful function in this setup. You may never need to use it, but I figured why waste a perfectly good Ethernet port?
- A basic firewall (which supports IPv6) is configured.
- MSS clamping is enabled at 1460 (you can play with different settings yourself).
- Port forwarding is enabled and configured for the correct LAN and WAN ports.
- A DHCP server is enabled for the local network (you can edit the IP range later).
- DNS forwarding and caching are enabled.
- UPnP (updated in v1.7) is enabled.
- Timezone, system name servers, and the local hostname are set.
- Hardware offloading is enabled, which is required to reach speeds over the half-Gigabit(ish) level.
And that’s pretty much it!
Physically Connecting the EdgeRouter to your Network
As long as you’ve already downloaded the script and/or config.boot file to whatever system you plan to use to configure your router, you can unplug and disconnect the Google Fiber Network Box and replace it with your EdgeRouter… even before you configure it. Make the physical network connections like this:
- Console port: Don’t connect anything
- eth0: Connect via Ethernet cable to a switch on your LAN
- eth1: Connect via Ethernet cable to the Google Fiber Network Jack (the one with the blue light on it shown below)
- eth2: Don’t connect anything
You could also connect your laptop or desktop system via Ethernet to the EdgeRouter’s eth0 port, then connect that port to your LAN switch when you’re done setting it up, but it’s just as easy to configure it from a system that’s already connected to your LAN through the same switch or a downstream switch.
By default, eth0 on the EdgeRouter is configured for the 192.168.1.1/24 network. Because it doesn’t have an active DHCP server (yet), you’ll need to manually configure your computer to something like 192.168.1.4 w/ Netmask 255.255.255.0. Once you can ping 192.168.1.1 from your computer, you’re good to go.
Now you just need to decide if you want to use the script or the config.boot file to configure your EdgeRouter. Both accomplish the same thing.
Connect to the EdgeRouter via Terminal
Regardless of which approach you use, you’ll first need to connect to the EdgeRouter CLI via a terminal application.
Use your terminal application to connect to 192.168.1.1 (or ubnt@192.168.1.1 if on Linux or Mac). Both the default admin username and password are ubnt.
Become the root user with:
% sudo su
Now you’re ready for the magic!
Configure your EdgeRouter Using the Script
To configure with the script, copy and paste each section of the configuration script directly onto the command line. If you try to do the whole thing at once, it sometimes chokes.
FYI – there will be a slight delay after each commit statement.
Configure your EdgeRouter Using the config.boot File
To configure your EdgeRouter using my Google Fiber + ERL config.boot file, you’ll need to copy the file onto the EdgeRouter. There are a number of ways to do this, such as using scp to copy it from another local Linux system, but the easiest is probably to use vi to create a new file and paste the contents of the new config.boot.
First, copy the contents of my config.boot file above, then create a blank config.boot file in /home/ubnt with:
# vi /home/ubnt/config.boot
Paste the contents (with P), then write and quit the file (:wq).
Now copy that new file over the EdgeRouter’s default config.boot file with:
# cp /home/ubnt/config.boot /config/config.boot
Load and commit new configuration into the EdgeRouter with:
Reboot and Test
Once the EdgeRouter configuration has been changed (whether by script or copying my config.boot file) reboot the router with:
It will ask you to confirm, and then it will reboot. It should only take a couple minutes, but while you’re waiting, change your computer’s network settings back to DHCP.
Within a few minutes, your computer should receive a DHCP address and be able to access the Internet. Perform a speed test to make sure you’re still seeing fast speeds.
This was my first test result after the changeover:
Replacing the Google Fiber Network Box’s WiFi
One thing you lost when you unplugged your Google Fiber Network Box is a set of WiFi antennas to allow wireless clients to access your network. But that’s no big loss: the GFNB WiFi antennas are notoriously lame. The cheapest way to replace them is to install DD-WRT on a wireless router you might already have, and configure it as a stand-alone access point.
For Google TV Users
If you also have Google TV service, you’ll need to apply a second script to add some additional features to your configuration. Atlantisman also wrote the original script for this, but he uses slightly different IP addressing and firewall rules names in his original script, so I did some very minor tweaking to his Google Fiber TV Service script so that it matches up with my configuration script and config.boot file. My version of the script is stored as a GitHub Gist here.
Apply it the same way as the configuration script, as described above.
Google Fiber IPv6 Considerations
Google won’t allocate your IPv6 addresses immediately. You’ll likely have to wait overnight before you see the IPv6 addresses for the WAN and LAN interfaces in the GUI. I’ve tried everything I can think of to kickstart the process, to no avail. You just have to wait.
Now that you’re online with an EdgeRouter instead of a Google Fiber Network Box, there are a few final steps you should take.
First, access the GUI via a web browser to https://192.168.1.1/, and use ubnt as the username and password to gain access.
Go to the Users tab, then fill in the info to add a new administrative user. Use something other than the obvious “admin” or “root.” Once that user is created, go to the top left corner of the GUI (where it says Welcome ubnt) and log out. Log back in as the newly created user, go back to the Users tab, then delete the ubnt user. Now you’re protected from default user/pass access.
You can poke around inside the web interface a bit more, and see how all the command line changes you made look in the GUI. In the Wizards tab, you can tinker with the MSS clamping settings, and adjust them to your liking. In the Services / DNS tab, you can tweak the size of your DNS forwarding cache (I’ve been testing out 500 lately).
You can go to the Firewall/NAT tab and set up some port forwards, choosing any FROM and TO ports you want for any IP address on the LAN (which is what started me on this path in the first place).
Or you can just watch the Dashboard and monitor the Tx and Rx rates of each interface. Mine looks like this (my IPv4 and IPv6 WAN IP addresses are blacked out for security). Don’t be concerned that I’m using 192.168.0.1/24 for my private LAN address range on eth0. Pretend it reads 192.168.1.1/24 to match the config in this article:
But one thing you must do is wave goodbye to your sad little Google Fiber Network Box.
Congratulations! You’ve replaced your Google Fiber Network Box with a much more useful and flexible business-class router: the affordable, powerful, and downright lovable Ubiquiti EdgeRouter Lite!
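To re-check the two hardening points from the final steps (the default ubnt account removed, and no port forward left listening on a commonly known WAN port), here is a small audit of a config.boot file. It is an added example, not part of my gists or anyone else's script: the function names, the sample config and the 22/443 entries in the port list are assumptions made for illustration.

```python
WELL_KNOWN = {22, 80, 443, 3389}  # 3389 and 80 are named in the article; 22 and 443 are assumed
def parse_config(text):
    """Parse brace-nested config.boot text into dicts; 'rule 1' and 'user ubnt' become keys."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line and not line.startswith("/*"):  # skip blanks and the trailing version comment
            key, _, value = line.partition(" ")   # leaf "key value"; a repeated key keeps the last
            stack[-1][key] = value.strip('"')
    return stack[0]

def audit(text):
    """Return findings: default account present, forwards on well-known WAN ports."""
    cfg = parse_config(text)
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("default 'ubnt' account still present")
    for name, rule in cfg.get("port-forward", {}).items():
        wan = rule.get("original-port", "") if name.startswith("rule ") else ""
        if wan.isdigit() and int(wan) in WELL_KNOWN:  # single ports only, not ranges or lists
            dst = rule.get("forward-to", {})
            findings.append(f"{name}: WAN port {wan} -> {dst.get('address')}:{dst.get('port')}")
    return findings

# Constructed sample in config.boot syntax; not taken from the author's gist.
SAMPLE = """
port-forward {
    rule 1 {
        forward-to {
            address 192.168.1.10
            port 3389
        }
        original-port 3389
    }
    rule 2 {
        forward-to {
            address 192.168.1.11
            port 3389
        }
        original-port 43389
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run `audit()` on the text of a copy of /config/config.boot taken from the router; an empty list means neither condition was found.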
As always, I welcome your questions, comments, and feedback below!
Update for ER5-POE Owners
I recently received a comment from fellow Google Fiber customer Bryan Klinger, who modified my EdgeRouter Lite (ERLite-3) example config.boot file to work on his EdgeRouter PoE (ER5-POE). He posted a gist of his ER5-POE config.boot here. Bryan’s config.boot file makes use of two primary advantages of the ER5-POE over the ERLite-3:
- He enables 48v PoE output on eth1 (the same port in my file) to power the Google Fiber jack directly from the EdgeRouter… which is awesome.
- Because the ER5-POE has additional ports, three of which are hardware switched (eth2, eth3, and eth4), his file uses eth0 as the Local Config Port and sets up eth2, eth3, and eth4 as a hardware switch (switch0), then uses switch0 throughout the script as the primary LAN interface (for port forwarding, DNS caching, UPnP, etc.).
I created a Gist with a patch-styled diff between the two config.boot files so you can easily see the differences here. Other minor differences in the file are the hostname, time zone, and a redacted admin password (the one in my example is encrypted, but it’s the default password). The ER5-POE is about $65 more on Amazon than the ERLite-3, but gives you the advantage of being able to power the Google Fiber jack directly from your EdgeRouter, and have two additional switched LAN ports at the router. For the additional money, that might just be the ideal Google Fiber router!
Big thanks to Bryan for sharing his config.boot for PoE EdgeRouter owners.
UPDATE: The diff file is based on my original Google Fiber config.boot, which did not yet include IPv6 settings. But you can still use the diff to see what you need to enable in my example config.boot to take advantage of the ER5-POE features, while still getting IPv6 connectivity.
- The “original” Google Fiber Network Box Support Thread
- Atlantisman’s original GFNB blog post and script
- Google Fiber + ERL thread on UBNT Forums
- Google Fiber TV Thread at UBNT Forums
- Flyover County Google Fiber blog posts #1 and #2