Channel: EdgeRouter topics

VLAN101 on WAN

Hi

I'm a noob trying to help my noob friend get rid of the cwap box provided by his ISP. He has TDC FTTH that goes to a media converter and then to this HomeBox, as they call it. The same setup as this guy: http://zensonic.dk/?p=702 . But we cannot make it work and I suspect it's something stupid that we are missing. We are using the EdgeRouter PoE and the wizard config WAN-2LAN2, selecting DHCP with VLAN 101 for the WAN interface. We are replicating the MAC from the HomeBox on the WAN interface to make it easy, since there could be a 2 hour window before the DHCP from the ISP refreshes. We are seeing his WAN IP on the WAN interface when we set it up with VLAN 101, but there is no internet connection from the switch0 ports. We have tried to create a VLAN for switch0.101 but that didn't help. Currently the EdgeRouter is unplugged since it doesn't work and I don't have the config with me.

If someone could point me in the right direction I would be very grateful.

BR

Anders


Random Timeouts

We provide internet to several locations in town. We currently have a 10G internet connection with a /23 that comes into a Cisco 6505. We carve that up into /28 and /29 subnets and VLAN them out to our different properties in town. We have a 10Gb connection to the city fiber network and 1Gb connections from the city fiber network to each property. Bandwidth at each property is configured for 200Mb down, burstable to 1Gb. The city network is configured as a full mesh. At each property we have a Ubiquiti EdgeRouter Pro as the edge device. We have the EdgeRouter doing NAT for 40 to 400 clients. There are a couple of bridges configured on the EdgeRouters: one to bring a VLAN from the 6506 for any clients that have a public IP address, and another one for a management VLAN for our Cisco switches on site. Each EdgeRouter is then connected to up to 20 Cisco 3550 or 3560 switches to feed each client. Each client will have a 100Mb connection.

The issue we are having is that at random times the internet will drop out. We can run a continuous ping while connected on the client side and we are not able to ping the router. Pings on the management VLAN have no issues. We have run Wireshark and we don't see any issues. No massive amounts of broadcast to indicate a broadcast storm. The only weird thing is we see a bunch of ARP requests coming from the router during the timeouts. The Cisco switches are configured with port protected mode, STP portfast and bpduguard. No timeout issues with the 6506. Anyone have an idea?

ERPro IPSEC site-to-site VPN, can't see untagged devices remotely

I have two ERPros with an IPSEC site-to-site VPN.

On the remote site, I have an ES-24 port switch after the ERPro. For some reason, I can only ping devices that are tagged on the remote switch. If a port on the ES is marked U, no ping. They are all on the same VLAN (40) with the same subnet.

The remote ERPro has eth0 as the WAN and eth1 as the LAN. Eth1 is untagged VLAN 40 on the switch.

Eth 10-20 are T and I can see all the devices on them. Eth 6-9 and 21-23 are U and I can't ping any of them. There's no firewall set on these devices that would block it.

Any idea what's going on?

Conntrack: when >3000 things get slow...but plenty of bandwidth

So, this all started when I came across the problem of Google Docs not loading, while other pages would load just fine. Then it evolved into some pages not loading (almost timing out) while others would load. I can do a speed test and get great results. We are on 180 Mbit down, 30 up.

When I do sudo conntrack -C, I notice that when the number is below 3000, things are running pretty well, but when it goes above that (like now, it's at 5000+), not so good. My students really notice it with Google Docs not connecting but other pages working fine (this is mainly on their Chromebooks).

We have 80 students and about 40 faculty that live on campus. Streaming seems to be fine when loading pages isn't.

I did the below, it did not help. Ideas? (Also, offloading is all turned off.)

[attachment: conntrack.png]
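
The post only has the total from conntrack -C; what a practitioner wants next is which hosts own the entries and how many are half-open. The script below is an added example, not part of the post and not an EdgeOS tool: it parses a dump in the format `conntrack -L` prints, counts entries per source address, counts [UNREPLIED] flows, and says whether the table is close to a given maximum. The table is constructed here in that format with documentation address ranges; the 0.8 warning ratio and the field order of the regex are this example's assumptions.

```python
"""Summarise a conntrack table dump by source host.

Added example, not part of the forum post. It reads lines in the format that
`conntrack -L` prints and reports which hosts hold the most entries, so that a
climbing `conntrack -C` value can be traced to the clients (or the half-open
flows) behind it.
"""
import re
from collections import Counter

# Constructed sample in `conntrack -L` format (documentation address ranges).
# The router's WAN address is 198.51.100.5; 192.168.10.21 has two half-open
# connections in SYN_SENT that never got a reply.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.168.10.21 dst=203.0.113.10 sport=50412 dport=443 src=203.0.113.10 dst=198.51.100.5 sport=443 dport=50412 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.10.21 dst=203.0.113.11 sport=50413 dport=443 [UNREPLIED] src=203.0.113.11 dst=198.51.100.5 sport=443 dport=50413 mark=0 use=1
udp      17 29 src=192.168.10.33 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=198.51.100.5 sport=53 dport=40000 mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.10.21 dst=203.0.113.12 sport=50414 dport=443 [UNREPLIED] src=203.0.113.12 dst=198.51.100.5 sport=443 dport=50414 mark=0 use=1
tcp      6 300 TIME_WAIT src=192.168.10.40 dst=203.0.113.13 sport=50415 dport=80 src=203.0.113.13 dst=198.51.100.5 sport=80 dport=50415 [ASSURED] mark=0 use=1
"""

# protocol name, protocol number, timeout, optional TCP state, then the
# original-direction tuple (assumed field order of `conntrack -L` output)
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_entries(text):
    """Return one dict per conntrack line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["state"] = entry["state"] or ""        # UDP entries carry no state
        entry["unreplied"] = "[UNREPLIED]" in line   # nothing seen in the reply direction
        entries.append(entry)
    return entries


def summarize(text, table_max, warn_ratio=0.8, top=3):
    """Aggregate the table: total entries, half-open entries, busiest sources,
    and whether the count is within warn_ratio of the configured maximum."""
    entries = parse_entries(text)
    by_src = Counter(e["src"] for e in entries)
    return {
        "total": len(entries),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
        "top_sources": by_src.most_common(top),
        "near_limit": len(entries) >= warn_ratio * table_max,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_TABLE, table_max=6)
    print(f"{report['total']} entries, {report['unreplied']} unreplied, "
          f"near limit: {report['near_limit']}")
    for src, count in report["top_sources"]:
        print(f"  {src:<16} {count}")
```

On a live router the input would be the output of `sudo conntrack -L` and table_max the value of nf_conntrack_max; a single source with a large share of [UNREPLIED] entries is the usual sign of a scanner, a misbehaving client or a broken return path, and is worth finding before raising the table size.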

Add WAN on eth2

Current config is:

eth0 - WAN
eth1 - LAN1
eth2 - Disabled

I would like to add a 2nd WAN on eth2. If I run the wizard, I will lose my current settings. How can I turn eth2 into a WAN connection manually, and set it up?

Thanks in advance.

Help with an EdgeRouter Pro

I'm trying to set up an EdgeRouter Pro that is connected to an existing firewall. Here is my current setup, which is fairly basic for testing.

Firewall interface: 10.1.0.1

ERPro
eth0 (LAN) 172.30.200.254/24
eth3 (to firewall) 10.1.0.2

I did not select any configuration wizards when starting, so the firewall is off, NAT is off and there are no rulesets set.

I've added the route: set protocols static route 0.0.0.0/0 next-hop 10.1.0.1

From the CLI I can ping 172.30.200.254, 10.1.0.2 and 10.1.0.1.

When I plug eth0 into a switch with my laptop and configure my laptop for IP: 172.30.200.10 SM: 255.255.255.0 GW: 172.30.200.254, I can ping 172.30.200.254 and 10.1.0.1 but I can't get to 10.1.0.2.

I've checked the firewall route and rules and they are all in place, but I can't figure out what I'm missing here.

I'm still learning more about advanced networking, so any help would be greatly appreciated.

On a side note, if I physically route the cables for the firewall <-> ERPro through the same switch, it works and I can get to 10.1.0.2 and out to the net.

EdgeSwitch DHCP Relay to EdgeRouter

I have an EdgeSwitch 16-XG set up to route between several VLANs.
IP helper is enabled on the EdgeSwitch.
IP helper is configured on each VLAN with the EdgeRouter set as the server.

The default route is to an EdgeRouter:
eth0: LAN
eth1: WAN
eth2: LAN (hooked up to the EdgeSwitch; I have a /30 subnet for connecting the EdgeSwitch and the EdgeRouter)

I have enabled IP helper on the EdgeSwitch and I have configured DHCP servers for each of the subnets.
10.25.0.0/22 <- default subnet for eth0
10.22.4.0/24 <- reachable on eth2 via a route (VLAN 2004 interface IP 10.22.4.1 on the EdgeSwitch)
10.22.10.0/24 <- reachable on eth2 via a route (VLAN 2010 interface IP 10.22.10.1 on the EdgeSwitch)

When setting the devices to static IP addresses I can ping everything from everything. Pinging across the VLANs works, as well as pinging across the EdgeRouter (device on eth0 pinging a device on eth2).

So I think my routes and connectivity are OK.

When a device on one of the VLANs on the EdgeSwitch does a DHCP request I see the packet reach the EdgeRouter (tcpdump) and I see the lease is created on the 10.25.0.0 scope, not the expected 10.22.4.0 scope.

tcpdump output:
23:56:36.507089  In 04:18:d6:a0:21:a1 ethertype IPv4 (0x0800), length 344: 10.22.4.1.68 > 10.30.1.25.67: BOOTP/DHCP, Request from 20:47:47:b6:98:d2, length 300

I am guessing there is some configuration I am missing on the EdgeRouter to handle the relayed requests properly.

This is a lab setup; the production setup will have the DHCP requests relayed to a Windows server.
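
The tcpdump line above shows the relayed request arriving from 10.22.4.1, the EdgeSwitch's VLAN 2004 interface; a relay writes that same address into the BOOTP giaddr field, and RFC 2131 has the server select the scope from giaddr whenever it is non-zero, falling back to the receiving interface's subnet only for directly attached clients. The code below is an added example, not from the post and not EdgeOS code, that builds a constructed DHCPDISCOVER with a chosen giaddr and applies that selection rule to the three scopes listed in the post. The client MAC is the one in the tcpdump line; the /30 transit subnet (10.30.1.24/30) used as the receiving interface is an assumption, since the post shows only the server address 10.30.1.25.

```python
"""Pick the DHCP scope for a request the way a relay-aware server must.

Added example, not from the forum post or from EdgeOS. A relay agent (the
EdgeSwitch's ip helper here) forwards the client's broadcast as unicast and
writes its own VLAN interface address into the BOOTP giaddr field; RFC 2131
section 4.3.1 has the server choose the subnet from giaddr when it is non-zero
and from the receiving interface only when it is zero.
"""
import ipaddress
import struct

# Scopes from the post. The receiving interface is the eth2 /30 link (assumed
# 10.30.1.24/30), which is not a client scope at all: a server that ignored
# giaddr would have no way to tell the VLANs behind the relay apart.
SCOPES = ["10.25.0.0/22", "10.22.4.0/24", "10.22.10.0/24"]
CLIENT_MAC = bytes.fromhex("204747b698d2")      # client MAC from the tcpdump line
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header
GIADDR_OFFSET = 24   # op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4)


def build_dhcp_discover(client_mac: bytes, giaddr: str, hops: int = 0) -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST over Ethernet with the given giaddr."""
    header = struct.pack(
        BOOTP_HEADER,
        1, 1, 6, hops, 0x3903F326, 0, 0,                 # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4,                  # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,             # giaddr set by the relay
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # magic cookie, DHCPDISCOVER, end
    return header + options


def parse_giaddr(packet: bytes) -> str:
    """Return the relay agent address carried in the BOOTP header."""
    (raw,) = struct.unpack_from("!4s", packet, GIADDR_OFFSET)
    return str(ipaddress.IPv4Address(raw))


def select_scope(packet: bytes, scopes, receiving_subnet: str):
    """Return the scope a request belongs to, or None when no configured scope
    covers it (the server should then log and stay silent rather than hand out
    a lease from the wrong subnet)."""
    giaddr = ipaddress.IPv4Address(parse_giaddr(packet))
    if int(giaddr) == 0:
        # directly attached client: the scope is the receiving interface's own subnet
        return receiving_subnet if receiving_subnet in scopes else None
    for scope in scopes:
        if giaddr in ipaddress.ip_network(scope):
            return scope
    return None


if __name__ == "__main__":
    relayed = build_dhcp_discover(CLIENT_MAC, "10.22.4.1", hops=1)
    print("giaddr", parse_giaddr(relayed), "->", select_scope(relayed, SCOPES, "10.30.1.24/30"))
    direct = build_dhcp_discover(CLIENT_MAC, "0.0.0.0")
    print("giaddr", parse_giaddr(direct), "->", select_scope(direct, SCOPES, "10.25.0.0/22"))
```

The last case in the test, a giaddr that matches no scope, is the one a defender cares about: a server that answers it anyway (or that keys on the receiving interface instead of giaddr) is exactly what produces a lease from the wrong pool.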

 

 

Can someone check my config please?


I am having trouble getting a LAN subnet to bind with a specific WAN static IP.

eth0= XX.XXX.XXX.165/24    Cable Modem STATIC IP #1
eth1= XX.XXX.XXX.XX/23     VDSL DHCP IP
eth0+eth1= bond group 'G'

eth2=XX.XXX.XXX.104/24     Cable Modem STATIC IP #2

eth6=192.168.98.1/24         Gaming subnet
eth7=192.168.99.1/24         General subnet

No matter what I do, the 192.168.98.0 subnet traffic always chooses eth0. It even identifies to game servers as XX.XXX.XXX.165 instead of .104.
However, if I disable both eth0 and eth1 it DOES work with eth2 as I want it to. What am I missing? I tried following the guides.

I want bond group G to handle all traffic in the .99 net and eth2 to handle all traffic for the .98 net.

I will be doing multiple VLANs down the road but I want to successfully administer this type of rule before adding more confusion to my small brain.

TIA,
Jack


Selective VLAN Bridging/Forwarding

I'm wanting to set up a VLAN that can be reached from the LAN (untagged), but cannot generate traffic to it. As if the clients inside the VLAN were on the WAN and the LAN was behind a NAT. This would hold devices such as IP cams. What's the magic incantation for that?

Thanks

Dynamic DNS settings

I've noticed today that my dynamic DNS settings have the password in cleartext instead of encrypted passwords.

Can this be changed?

dns {
    dynamic {
        interface eth0 {
            service dyndns {
                host-name cml.yodude.co.uk
                login loginName
                password ThisIsPlaintText!
            }
        }
    }
}

OpenVPN client on edgerouter for management purpose

Hi,

As port forwarding sometimes fails at client locations, we are not always able to manage the EdgeRouter remotely.

I have set up an Ubuntu box at the office running OpenVPN. I installed the client on a remote EdgeRouter using the following commands:

configure
set interfaces openvpn vtun0 config-file /config/vpn-client1.ovpn
commit
save
exit

The EdgeRouter was connected to the VPN server and it all seemed well. However, after several minutes I lost connection to the EdgeRouter.

I went to the location. The local LAN didn't have any internet connectivity anymore. I logged in to the EdgeRouter and disabled the vtun0 interface. I saw several static routes disappear and the internet access was working again.

How can I exclude the local LAN from the VPN connection? I only need to access the GUI and SSH through the VPN.
There is no IP conflict; all subnets are different.

Thanks

Edgerouter POE 5

This unit has been working perfectly for 11.5 months and is a great performer combined with the UniFi AC Pro that I have coupled to it.

However, this morning it just stopped. My wife was watching a movie and it stopped halfway, out of the blue.

A while ago I upgraded it to 1.9 and no problems since.

I recycled it and it will not boot up as such. The console light goes green and if I insert a cable into a socket it lights up and seems to accept the cable. However I cannot ping the unit with any IP number.

I did a switched-on reset and same result.

I did a power-on reset and same result.

I have waited for up to 20 seconds during the above resets to see the flash on the last port and nothing in both cases above.

The unit switches on but seems stuck and now I am unsure as to what to do.

I do not have a rollover USB to RJ45 cable in order to TFTP the latest .bin file to 192.168.1.20. Maybe I need to get one?

I fortunately have a backup of the setup so if I can get it going I can restore.
Lastly, the unit was very hot (it does run hot). Maybe cooked?

Any ideas?

Managing EP-R6 configured as a switch carrying VLAN

I have an EP-R6 (ver 1.9) configured as a switch. The switch passes several VLANs from a 5 port Tough Switch. I know how to tag and untag ports in a particular VLAN.

The EP-R6 is connected to a trunk port on a TS. That port carries 3 VLANs.

The EP-R6 switch port is assigned an IP. How can I set the VLAN that I want to manage the switch in?

When I untag the TS port in VLAN 10 I can reach the EP-R6.
When I tag all the VLANs I want to carry to the EP-R6 I cannot reach the EP-R6. I need to tell the EP-R6 that I will manage it in a particular VLAN as we do with the Tough Switch.
EdgeRouter X - High latency to ERX when under load

I currently have an EdgeRouter X connected to a VDSL service (80/20) via an HG612 (Openreach) modem.

I have enabled QoS to try and keep latency under control while downloading, but we still seem to be getting problems with pings when the router is under load.

Right now there is a download on one of the machines which is running at around 35Mbps, or half of our WAN bandwidth (the user is on powerline, hence the max 35Mbps rate). However, if I try to ping the router (192.168.1.1) from my PC I currently get results like this:

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=65ms TTL=64
Reply from 192.168.1.1: bytes=32 time=74ms TTL=64
Reply from 192.168.1.1: bytes=32 time=29ms TTL=64
Reply from 192.168.1.1: bytes=32 time=88ms TTL=64

Naturally this would normally show <1ms, so I'm trying to understand what is causing the latency to the router to be so high. I have ruled out the cable or switch by connecting a laptop straight into the ERX, which returned similar results.

Router config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password **removed**
            user-id **removed**
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password **removed**
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export enable
    }
}
traffic-control {
    smart-queue fq_codel {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 75mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 18.5mbit
        }
        wan-interface eth0
    }
}
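
Two of the posts on this page show the same thing: an EdgeOS configuration, pasted in the brace format that `show configuration` prints, that contains settings worth flagging before it goes into a backup or a forum post. The Dynamic DNS post above has the dyndns password stored in the clear, and the ERX config directly above has `older-ciphers enable` on the GUI. The script below is an added example, not part of either post and not Ubiquiti code: a small parser for that brace format plus an audit pass. The checks (cleartext dynamic-DNS credentials, legacy GUI ciphers, rulesets whose default action is accept) are this example's own choices, and the sample config is constructed from the shapes those two posts show, with a MGMT_LOCAL ruleset added so the third check has something to find.

```python
"""Parse an EdgeOS-style configuration and flag weak settings.

Added example, not part of either forum post and not Ubiquiti code. The parser
handles the brace format that `show configuration` prints; the audit checks are
this example's own selection.
"""

# Constructed sample modelled on the dyndns and gui stanzas shown in the posts;
# MGMT_LOCAL is added here so the default-action check has a hit.
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
    }
    name MGMT_LOCAL {
        default-action accept
    }
}
service {
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name host.example.net
                    login loginName
                    password ThisIsPlaintText!
                }
            }
        }
    }
    gui {
        https-port 443
        older-ciphers enable
    }
}
"""


def _store(node, key, value):
    """Keep repeated keys (for example several openvpn-option lines) as a list."""
    if key in node:
        if not isinstance(node[key], list):
            node[key] = [node[key]]
        node[key].append(value)
    else:
        node[key] = value


def parse_edgeos(text):
    """Turn the brace format into nested dicts. Block names keep their argument,
    so `name WAN_LOCAL {` becomes the key "name WAN_LOCAL"; a leaf with no
    value (such as `enable-default-log`) is stored as True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces in config")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            _store(stack[-1], line[:-1].strip(), child)
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            _store(stack[-1], key, value.strip().strip('"') if value else True)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def _blocks(node, prefix):
    """Yield (key, subtree) for blocks named `prefix <arg>` under node."""
    for key, value in node.items():
        if key.startswith(prefix + " ") and isinstance(value, dict):
            yield key, value


def audit(cfg):
    """Return a list of findings, one string each, for the checks this example makes."""
    findings = []
    service = cfg.get("service", {})
    # Dynamic DNS credentials are kept in the clear, so every config backup,
    # `show configuration` paste and support file carries them.
    for iface, iface_node in _blocks(service.get("dns", {}).get("dynamic", {}), "interface"):
        for svc, svc_node in _blocks(iface_node, "service"):
            if "password" in svc_node:
                findings.append(f"service dns dynamic {iface} {svc}: password stored in cleartext")
    if service.get("gui", {}).get("older-ciphers") == "enable":
        findings.append("service gui: older-ciphers enable")
    for name, ruleset in _blocks(cfg.get("firewall", {}), "name"):
        if ruleset.get("default-action") == "accept":
            findings.append(f"firewall {name}: default-action accept")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_edgeos(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real `show configuration` dump the parser is also a convenient way to grep structurally (for example every ruleset's default-action) without relying on indentation; the value of the audit is mostly in catching what ends up in pasted configs, as the two posts on this page illustrate.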

Bandwidth of Site-to-Site VPN

I have a symmetric 100Mb/s fiber connection at 2 of my sites.

I am using the EdgeMax Lite to link the 2 sites. I am not able to get much more than about 10Mb/s consistently using the bandwidth tool in the EdgeMax Web GUI. The tool shows it fluctuating between 4Mb/s and about 16Mb/s. I am expecting neither the high variability in the bandwidth nor the upper limit. When I go to speedtest.net or other bandwidth testing tools, I get very low variability.

Have any of you experienced this? Any chance I might have a wrong configuration? I am using FW v1.85. Thanks.

Port forwarding from inside and outside network

Hey all,

Sorry if this post is a little confusing, the terminology is still fairly new to me.

I recently got an EdgeRouter X and have configured port forwarding so I can get into a server I have on my network. I usually get to this through some DDNS (noip for instance) while I'm not local.

Anyway, the issue is that while this works perfectly fine outside of the network, inside the connection is refused and I then have to use the local IP to get into the server. Is there a way to configure this such that I can always go through my DDNS even when I am on the same network?

Thanks a lot!

Edgerouter blocking L2TP authentication?

Hey guys,

It looks like I've got a pretty weird problem.

I have a VPN server set up behind the EdgeRouter, using L2TP.

I then have forwarded ports 500, 1701 and 4500 to that IP.

However, whenever I try to connect to it, I get an 'authentication failed' error.
Then I checked the log of the VPN server; there wasn't even a log entry.
Tried using another computer as VPN server, same issue.
Tried to connect inside the LAN using a 192. IP, same issue: authentication failed, no log entry.

So I started to think maybe the EdgeRouter is blocking authentication? Maybe?

Anyone having the same issue? Anyone know a fix?

I know there is something called 'VPN passthrough', does it have anything to do with that? Can anyone please explain what it is? Thanks a lot!

EdgeRouter Lite not working after sitting on shelf for 6 months

So I used the ERL for a long while and then switched to a pfSense box to run some tests with that.

After 6 months of using the pfSense box I decided that the ERL should be more than capable for my network setup and went to switch back.

I connected the ERL and went to get connected to it and got no response. Tried both hard reset methods and couldn't get it to respond...

Did some Google searching and forum searching and found that if I had a console cable I could get a better idea as to what is going on... (the other most common problem being the flash memory going bad...)

Finding a console cable proved to be difficult and led me to an Amazon purchase that has taken a few months to arrive.... Then after that I find out that NONE, yes NONE!, of the computers I have contain a serial port...

$30 later buying a USB to Serial adapter and I am getting the following errors when connected via console with PuTTY.

SQUASHFS error: Unable to read data cache entry [1b53f90]
SQUASHFS error: Unable to read page, block 1b53f90, size cece
SQUASHFS error: Unable to read data cache entry [1b53f90]
SQUASHFS error: Unable to read page, block 1b53f90, size cece

So I am fairly certain I have a bad flash memory chip, so now the goal is to get a new one and get it loaded, but how do I reload the OS onto the new flash chip?

ClouDNS Dynamic DNS

I am trying to set up Dynamic DNS on ClouDNS, where I get my DNS servers hosted. For dynamic entries they offer the following choices for an IP update:

URL
wget
PERL
Python
PHP

Which one can I use with the EdgeRouter GUI, or which one should I look at to find the info the GUI is looking for?

IPSec VPN doesn't route properly

I have been trying to get an IPSec VPN to work between an ER-L and an Adtran 3448. I have a dual WAN setup with 2 load balancing groups: one that points subnet 172.168.0.0/24 to WAN 1 with WAN 2 as failover only, and one that points subnet 172.16.20.0/24 to WAN 2 with WAN 1 as failover only. The whole thing works great. Now I'm trying to set up a VPN between this router and another. I do not have a static IP on the ER-L end but the IP doesn't ever change with the ISP. Either way it's only a temporary setup to test a deployment at a site that will have dual WAN static IPs. So I programmed everything as if eth0 was a static IP, with the exception of the automatically generated static routes for DHCP.

The link shows up and I can ping the far end 192.168.125.0/24 ONLY with /bin/ping -I eth1 and ONLY after I manually generate a static route in the table pointing 192.168.125.0/24 to interface eth0. VTI might be an option down the road if we replace all of the routers in every site with EdgeRouters and route through OSPF, but for now it has to be manually set up.

Local subnets are 172.16.0.0/24, 172.16.20.0/24
Remote subnet is 192.168.125.0/24

Here is my config:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group VPN_NET {
            address 192.168.225.0/24
            description ""
        }
        network-group LAN_NETS {
            description ""
            network 172.16.0.0/24
            network 172.16.20.0/24
            network 192.168.125.0/24
        }
        network-group VOIP_NET {
            description ""
            network 172.16.20.0/24
        }
        port-group ROUTER_ACCESS {
            port ssh
            port https
            port telnet
        }
    }
    ipv6-name IPV6_WAN_IN {
        default-action drop
        rule 1 {
            action accept
            description "Allow established sessions"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name IPV6_WAN_LOCAL {
        default-action drop
        rule 1 {
            action accept
            description "Allow established sessions"
            state {
                established enable
                related enable
            }
        }
        rule 10 {
            action drop
            description "Drop invalid connections"
            state {
                invalid enable
            }
        }
        rule 15 {
            action accept
            protocol icmpv6
        }
        rule 20 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify Failover {
        rule 10 {
            action modify
            destination {
                group {
                    network-group LAN_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            modify {
                lb-group Failover
            }
        }
    }
    modify Wan2Primary {
        enable-default-log
        rule 10 {
            action modify
            destination {
                group {
                    network-group LAN_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            modify {
                lb-group Wan2Primary
            }
        }
    }
    name VOIP_OUT {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow IP"
            destination {
                group {
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group VOIP_ALLOW
                }
            }
        }
        rule 2 {
            action drop
            description "Block VPN"
            destination {
            }
            log disable
            protocol all
            source {
                address 192.168.225.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "packets from Internet to LAN & WLAN"
        enable-default-log
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 10 {
            action accept
            description "allow established session to the router"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow PPTP"
            destination {
                port 1723
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "Allow GRE for PPTP VPN"
            log disable
            protocol gre
        }
        rule 40 {
            action accept
            description "Allow Ping"
            log disable
            protocol icmp
            source {
                address 20.20.20.20
            }
        }
        rule 50 {
            action accept
            description "Allow SNMP"
            log disable
            protocol udp
            source {
                address 20.20.20.20
            }
        }
        rule 60 {
            action accept
            description "Allow IKE"
            destination {
                port 500
            }
            log disable
            protocol udp
            source {
            }
        }
        rule 70 {
            action accept
            description "Allow L2TP"
            destination {
                port 1701
            }
            log enable
            protocol udp
            source {
            }
        }
        rule 80 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 90 {
            action accept
            description "Allow NAT-T"
            destination {
                port 4500
            }
            log disable
            protocol udp
            source {
            }
        }
        rule 100 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            log disable
            protocol udp
        }
        rule 110 {
            action drop
            description "drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 111 {
            action accept
            description "OpenVPN 2"
            destination {
                port 1192
            }
            log disable
            protocol udp
        }
    }
    name vtun1_OUT {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow VoIP"
            log disable
            protocol all
            source {
                address 172.16.20.0/24
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                ipv6-name IPV6_WAN_IN
                name WAN_IN
            }
            local {
                ipv6-name IPV6_WAN_LOCAL
                name WAN_LOCAL
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
        }
        speed auto
        traffic-policy {
            out UpStream
        }
    }
    ethernet eth1 {
        address 172.16.0.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify Failover
            }
            local {
            }
        }
        speed auto
        traffic-policy {
            out Downstream
        }
        vif 20 {
            address 172.16.20.1/24
            description VOIP_VLAN
            firewall {
                out {
                    name VOIP_OUT
                }
            }
            mtu 1500
        }
    }
    ethernet eth2 {
        address dhcp
        description WAN2
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
        traffic-policy {
            out UpStream2
        }
    }
    loopback lo {
    }
    openvpn vtun0 {
        hash sha256
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--link-mtu 1500"
        openvpn-option "--cipher AES-256-CBC"
        server {
            client client1 {
                ip 192.168.226.2
                push-route 172.16.20.0/24
                push-route 172.16.0.0/24
            }
            name-server 172.16.0.1
            subnet 192.168.226.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/CA.crt
            cert-file /config/auth/openvpn/server.crt
            crl-file /config/auth/openvpn/CA_crl.pem
            dh-file /config/auth/openvpn/dh1024.pem
            key-file /config/auth/openvpn/server.key
        }
    }
    openvpn vtun1 {
        firewall {
            out {
                name vtun1_OUT
            }
        }
        hash sha256
        local-port 1192
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--link-mtu 1500"
        openvpn-option "--cipher AES-256-CBC"
        server {
            client client2 {
                ip 192.168.227.2
                push-route 192.168.125.0/24
            }
            client client3 {
                ip 192.168.227.3
            }
            name-server 172.16.0.1
            push-route 0.0.0.0/0
            push-route 172.16.20.0/24
            subnet 192.168.227.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/CA.crt
            cert-file /config/auth/openvpn/server.crt
            crl-file /config/auth/openvpn/CA_crl.pem
            dh-file /config/auth/openvpn/dh1024.pem
            key-file /config/auth/openvpn/server.key
        }
    }
}
load-balance {
    group Failover {
        interface eth0 {
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 20
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        interface eth2 {
            failover-only
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 20
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        lb-local enable
    }
    group Wan2Primary {
        interface eth0 {
            failover-only
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 20
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        interface eth2 {
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 5
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        lb-local disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface eth0 {
                distance 1
            }
        }
        interface-route 192.168.125.0/24 {
            next-hop-interface eth0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 192.168.1.254 {
                distance 90
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth1.20
            name-server 8.8.8.8
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN 2"
            log enable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    snmp {
        community public {
            authorization ro
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
        listen-on eth1.20 {
            outbound-interface eth0
        }
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        modules {
            sip {
                disable
            }
        }
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name CTS
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    ntp {
        server 0.ubnt.pool.ntp.org {
            noselect
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 20.20.20.1 {
                authentication {
                    id 30.30.30.1
                    mode pre-shared-secret
                    pre-shared-secret **psk**
                }
                connection-type initiate
                ike-group FOO0
                ikev2-reauth inherit
                local-address 30.30.30.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 172.16.0.0/24
                    }
                    remote {
                        prefix 192.168.125.0/24
                    }
                }
            }
        }
    }
}