Channel: EdgeRouter topics

Edgerouter Lite - 10/100 on WAN instead of 1000


I have been using an ERL/Unifi setup for about 6 months with minimal issues until recently. I pay for 1000 Mbps from my ISP but I've only been able to get around 80 Mbps on the fast.com speed test. I started investigating and noticed that the orange light is on for eth0, which is WAN in my configuration. I unplugged the cable from the ERL and plugged it directly into my computer. My speed improved to 820 Mbps on the first test, so it appears obvious that the ERL is causing the slowdown.

 

The only relevant setting I have been able to find is speed/duplex for eth0, which is set to auto negotiation. None of the other settings make a difference, and there isn't one for 1000 anyway. The only related posts I've seen reference changing out the cable, but this cable is built into the house and not easy to change. Plus, the speed result on my computer would seem to rule out an issue with the cable.

 

I welcome any suggestions about what I can change to resolve this issue or definitively determine if this is a hardware failure. 

 


v1.9.0 DHCP not working


Just rebooted and DHCP is not working on eth1 and eth2 interfaces. Not sure if this is a firewall issue or regular config issue.

 

Any assistance greatly appreciated.

 

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         network-group LAN_NETWORKS {
             description "All LAN Networks"
             network 192.168.0.0/16
             network 172.16.0.0/12
         }
         network-group LOCALNET {
             description 192.x
             network 192.168.0.0/17
         }
         network-group WIFINET {
             description 10.x
             network 10.10.90.0/24
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name PROTECT_IN {
         default-action accept
         rule 10 {
             action accept
             description "Accept Established/Related"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action accept
             description "Allow taba7"
             destination {
             }
             log disable
             protocol all
             source {
                 address 10.10.90.48
             }
             state {
                 established disable
                 invalid disable
                 new enable
                 related disable
             }
         }
         rule 30 {
             action accept
             description "Wireless to SMB 139"
             destination {
                 address 192.168.0.40
                 port 139
             }
             log disable
             protocol tcp_udp
             source {
                 group {
                     network-group WIFINET
                 }
             }
         }
         rule 40 {
             action accept
             description "Wireless to SMB 445"
             destination {
                 address 192.168.0.40
                 port 445
             }
             log disable
             protocol tcp_udp
             source {
                 group {
                     network-group WIFINET
                 }
             }
         }
         rule 50 {
             action accept
             description "Wireless to Minecraft"
             destination {
                 port 19132
             }
             log disable
             protocol tcp_udp
             source {
                 group {
                     network-group WIFINET
                 }
             }
         }
         rule 60 {
             action drop
             description "Drop LAN_NETWORKS"
             destination {
                 group {
                     network-group LAN_NETWORKS
                 }
             }
             log enable
             protocol all
         }
     }
     name PROTECT_LOCAL {
         default-action drop
         rule 10 {
             action accept
             description "Accept DNS"
             destination {
                 port 53
             }
             protocol udp
         }
         rule 20 {
             action accept
             description "Accept DHCP"
             destination {
                 port 67
             }
             protocol udp
         }
         rule 21 {
             action accept
             description "ssh test"
             destination {
                 port 22
             }
             log disable
             protocol tcp
             source {
                 group {
                     network-group LAN_NETWORKS
                 }
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 22 {
             action accept
             description "allowest allest from lanest"
             log disable
             protocol all
             source {
                 group {
                     network-group LOCALNET
                 }
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         enable-default-log
         rule 2 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 3 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 4 {
             action accept
             description "Linpi IMAPS"
             destination {
                 address 192.168.0.38
                 port 993
             }
             log disable
             protocol tcp
             source {
                 address 199.80.31.36
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 5 {
             action accept
             description "Linpi SSMTP"
             destination {
                 address 192.168.0.38
                 port 465
             }
             log disable
             protocol tcp
             source {
                 address 199.80.31.36
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 6 {
             action accept
             description "Minecraft PE"
             destination {
                 address 192.168.0.124
                 port 19132
             }
             log disable
             protocol tcp_udp
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             description SSH
             destination {
                 group {
                     address-group ADDRv4_eth1
                 }
                 port 22
             }
             log disable
             protocol tcp
             source {
                 address 199.80.31.36
                 group {
                 }
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 30 {
             action accept
             description "Allow IPSEC IKE"
             destination {
                 port 500
             }
             log disable
             protocol tcp_udp
         }
         rule 40 {
             action accept
             description "Allow IPSEC NAT-T"
             destination {
                 port 4500
             }
             log disable
             protocol udp
         }
         rule 50 {
             action accept
             description "Allow IPSEC ESP"
             log disable
             protocol esp
         }
         rule 60 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 61 {
             action accept
             description "test DHCP"
             destination {
                 port 67
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related disable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         address 192.168.0.10/24
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         address 10.10.90.10/24
         description "Local 2"
         duplex auto
         firewall {
             in {
                 name PROTECT_IN
             }
             local {
                 name PROTECT_LOCAL
             }
         }
         speed auto
     }
     loopback lo {
     }
 }
 port-forward {
     auto-firewall disable
     hairpin-nat disable
     lan-interface eth1
     rule 1 {
         description SSH
         forward-to {
             address 192.168.0.10
             port 22
         }
         original-port 22
         protocol tcp
     }
     rule 2 {
         description "Linpi IMAPS"
         forward-to {
             address 192.168.0.38
             port 993
         }
         original-port 993
         protocol tcp
     }
     rule 3 {
         description "Linpi SSMTP"
         forward-to {
             address 192.168.0.38
             port 465
         }
         original-port 465
         protocol tcp
     }
     wan-interface eth0
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update enable
         shared-network-name LAN1 {
             authoritative disable
             subnet 192.168.0.0/24 {
                 default-router 192.168.0.10
                 dns-server 192.168.0.10
                 domain-name localnet
                 lease 86400
                 start 192.168.0.100 {
                     stop 192.168.0.243
                 }
             }
         }
         shared-network-name LAN2 {
             authoritative disable
             subnet 10.10.90.0/24 {
                 default-router 10.10.90.10
                 dns-server 10.10.90.10
                 domain-name localnet
                 lease 86400
                 start 10.10.90.38 {
                     stop 10.10.90.243
                 }
             }
         }
         use-dnsmasq disable
     }
     dns {
         dynamic {
             interface eth0 {
                 service afraid {
                     host-name
                     login
                     password
                     server
                 }
             }
         }
         forwarding {
             cache-size 150
             listen-on eth1
             listen-on eth2
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5000 {
             description "somebody VPN NONAT"
             destination {
                 address 172.16.1.0/28
             }
             exclude
             log disable
             outbound-interface eth0
             protocol all
             source {
                 address 192.168.0.0/24
             }
             type masquerade
         }
         rule 5001 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     upnp {
         listen-on eth1 {
             outbound-interface eth0
         }
     }
 }
 system {
     domain-name localnet
     host-name ubnt
     login {
         user ubnt {
             authentication {
                 encrypted-password
             }
             level admin
         }
         user ubntkey {
             authentication {
                 encrypted-password 
                 plaintext-password ""
                 public-keys  {
                     key 
                     type ssh-rsa
                 }
             }
             level operator
         }
     }
     name-server 192.168.0.10
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone America/New_York
 }

 

Can't access internet when connected through another router (ER-Pro8)


I have an ethernet connection in my building (with a private IP address 192.168.1.x), and I wanted to use my ER8Pro to create my own private network that is not accessible by others in the building.

 

I used the Wan+2Lan wizard to set up the router.   I plugged my building's ethernet cable into the WAN port (eth1), and my switch into eth0 and Unifi AP-lite into eth2.   It seems that my devices all get IP addresses from my ER8Pro, but they can't access the internet.  

 

Is it because the WAN port has a private IP address?  Or does anyone have any other suggestions?

 

Thanks,

Newbie home user Edgerouter Lite setup help


I was able to update the firmware on my Edgerouter Lite and using the wizard setup selected wan-2LAN2. eth0 is now the WAN port which is connected to my Netgear wireless router. I use Comcast as my ISP using a dynamic IP. The Netgear IP Address range is 192.168.2.x.

What should my IP address range be on the Lite?

Most of my devices will be connected via wireless.

How then should I be able to connect to the Edgerouter Lite?

 

Thank you for looking.

Edgerouter OpenVPN


I've created a new internal VLAN which I want to share via a VPN Server (OpenVPN). I think that I have to create a bridge with the VLAN to make this. Is there an easy guide somewhere on how to accomplish that?

Simple QoS configuration problem


Folks,

 

I'm trying to limit the upload for a single host on my network. Any thoughts on how to achieve that on EdgeRouter PoE (1.9.0)?

 

Here's what is going on: since my upload bandwidth is really tight, I need to limit my media center from using it all to torrent.

 

I can't set the limit on Deluge, since it does cap the download limit as well.

 

The media center has a fixed ip and uses a fixed port for this application.

 

The download doesn't have to be limited.

 

So I only need to put some traffic shaping based on IP/port origin.

 

WAN is at eth0, and all other ports (eth2, eth3, eth4) are being bridged (br0).

 

Also, doing something like this can I still use SMART QUEUE?

 

Thanks.

How To Completely Isolate An IPSec VPN From Other Subnets?


Hey All,

 

I've got a configuration that feels bleedingly close to what is actually needed save this one issue.  I've crawled similar postings to no end but can't quite get there, so any help is much appreciated!!

 

The core issue is, while the VPN is working as intended, clients on it can communicate with all the other subnets (in our case VPN is served a 192.168.3.0/24 subnet while two other dhcp servers are running on the local network on separate interfaces with 192.168.1.0/24 and 192.168.2.0/24 subnets respectively). This is a tremendous issue when the VPN client's local network has a dhcp server on the same subnet (as is the case for my home network)! In fact, I lose access to my home router's UI when connected via VPN as it shares the same address as the EdgeMax router's gateway address on one of the interfaces (on the local network behind the VPN). We desire VPN clients to be able to access only one specific system (a server) at an IP address which is translated from the 192.168.1 subnet it is normally on to a static 192.168.3 address outside the pool that is allocated to VPN clients. Then have the whole thing siloed such that VPN clients can only talk to each other and that server through NAT (i.e. only the 192.168.3.0/24 subnet). I haven't quite been able to noodle out the VPN settings or firewall rules that would entirely prevent this.

 

Currently, we have an ipsec VPN setup in a manner approximating this tutorial: EdgeMAX - Set up L2TP over IPsec VPN server. After having also figured out the Windows 10 extra configuration options that are necessary (usually auto-detect settings on, require encryption, and allow Microsoft CHAP Version 2) and the necessary WAN_LOCAL firewall rules, the VPN is connecting and working flawlessly. A single SNAT and DNAT rule accomplish the formerly mentioned behavior (packets bound for 192.168.3.0/24 addresses, which are normally only VPN clients, are translated to a destination address of 192.168.1.XXX, additionally the opposite is true).

 

Configuration given below and redacted; seems like I must be missing a simpler way to accomplish this functionality. Would be great if VPN clients were also able to resolve the hostname Windows Server gives the server computer (i.e. BOBS-SERVER-001 rather than 192.168.3.XXX).

 

Thanks again!

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name ETH0_ETH2_IN {
        default-action accept
        description ""
        rule 30 {
            action drop
            description "Drop LAN to VPN"
            destination {
                address !192.168.3.100
            }
            log disable
            protocol all
            source {
                address 192.168.3.0/24
            }
        }
        rule 40 {
            action drop
            description "Drop VPN to LAN"
            destination {
            }
            disable
            log disable
            protocol all
            source {
                address 192.168.3.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Accept Established"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Accept Established"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description L2TP
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 40 {
            action accept
            description "External Ping"
            log enable
            protocol icmp
        }
        rule 50 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        firewall {
            out {
                name ETH0_ETH2_IN
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
        traffic-policy {
            out UPLOAD
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        firewall {
            out {
                name ETH0_ETH2_IN
            }
        }
        speed auto
        traffic-policy {
            out DOWNLOAD
        }
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        address 192.168.7.1/24
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 75.75.75.75
                lease 3600
                start 192.168.1.5 {
                    stop 192.168.1.244
                }
                static-mapping The_Server {
                    ip-address 192.168.1.100
                    mac-address XX:XX:XX:XX:XX:XX
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 8.8.8.8
                dns-server 75.75.75.75
                lease 86400
                start 192.168.2.5 {
                    stop 192.168.2.199
                }
                static-mapping ES-24-250W {
                    ip-address 192.168.2.XXX
                    mac-address XX:XX:XX:XX:XX:XX
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description VPN
            destination {
                address 192.168.3.100
            }
            inbound-interface l2tp0
            inside-address {
                address 192.168.1.100
            }
            log disable
            protocol all
            source {
                address 192.168.3.0/24
            }
            type destination
        }
        rule 5010 {
            description Masquerade
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
        rule 5011 {
            description VPN
            destination {
                address 192.168.3.0/24
            }
            log disable
            outbound-interface eth0
            outside-address {
                address 192.168.3.100
            }
            protocol all
            source {
                address 192.168.1.100
            }
            type source
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "Me"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-policy {
    shaper DOWNLOAD {
        bandwidth 5Mbit
        class 2 {
            bandwidth 80%
            burst 100k
            ceiling 100%
            match ADDR {
                ip {
                    destination {
                        address 192.168.2.0/24
                    }
                }
            }
            queue-type fair-queue
        }
        default {
            bandwidth 100%
            burst 15k
            ceiling 100%
            queue-type fair-queue
        }
    }
    shaper UPLOAD {
        bandwidth 5Mbit
        class 2 {
            bandwidth 80%
            burst 100k
            ceiling 100%
            match ADDR {
                ip {
                    source {
                        address 192.168.2.0/24
                    }
                }
            }
            queue-type fair-queue
        }
        default {
            bandwidth 100%
            burst 15k
            ceiling 100%
            queue-type fair-queue
        }
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth1
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username users {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.3.100
                stop 192.168.3.120
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 75.75.75.75
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            mtu 1492
            outside-address XX.XX.XX.XX
        }
    }
}

 

 

 

Edgerouter X, firmware 1.9.0 "Router kernel: [WAN_LOCAL-21-A]IN=eth0"


Hi All,

 

I am a happy consumer now of an Edgerouter X. I am pretty new in this area.

Recently I see the following messages in the log monitor appear twice every hour:

 

Router kernel: [WAN_LOCAL-21-A]IN=eth0 OUT= MAC=44:d9:e7:ff:e9:5d:00:22:90:c6:85:d9:08:00 src=118.193.22.243 DST=80.114.75.77 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=52686 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

 

I do not know the MAC address and IP. WHOIS on external IP delivers different results.

 

What does this tell me and is this something I should be concerned about?
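
Added example (not part of the original post and not Ubiquiti code): a Python sketch that decodes the log line quoted above so the firewall decision and the packet's origin can be read off directly. It assumes the `[ruleset-rule-action]` prefix layout with A/D/R meaning accept/drop/reject and the usual netfilter `MAC=` field order (destination MAC, source MAC, EtherType); the function names `parse_fw_log` and `assess` are hypothetical.

```python
import re

# Log line copied from the post above.
SAMPLE = ("Router kernel: [WAN_LOCAL-21-A]IN=eth0 OUT= "
          "MAC=44:d9:e7:ff:e9:5d:00:22:90:c6:85:d9:08:00 src=118.193.22.243 "
          "DST=80.114.75.77 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 "
          "PROTO=TCP SPT=52686 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0")

# Assumed meaning of the last letter in the log prefix.
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# [<ruleset>-<rule number or "default">-<action letter>]
PREFIX_RE = re.compile(
    r"\[(?P<ruleset>[^\]]+)-(?P<rule>\d+|default)-(?P<action>[ADR])\]")


def parse_fw_log(line):
    """Split one firewall log line into the rule that fired and packet fields."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("no [ruleset-rule-action] prefix found")
    rec = {
        "ruleset": m["ruleset"],
        "rule": m["rule"],
        "action": ACTIONS[m["action"]],
        "flags": [],
    }
    # Everything after the prefix is KEY=VALUE pairs plus bare TCP flag names.
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key.upper()] = value      # the post has a lowercase "src="
        elif token in TCP_FLAGS:
            rec["flags"].append(token)
    # For Ethernet the MAC= field is 14 bytes: dst MAC, src MAC, EtherType.
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])     # the router's own WAN port
        rec["src_mac"] = ":".join(octets[6:12])   # previous hop (ISP side)
        rec["ethertype"] = "".join(octets[12:])   # 0800 = IPv4
    return rec


def assess(rec):
    """Return defender-relevant observations about one parsed record."""
    notes = []
    is_tcp_syn = rec.get("PROTO") == "TCP" and rec["flags"] == ["SYN"]
    # IN set and OUT empty means the packet was addressed to the router itself.
    to_router = bool(rec.get("IN")) and not rec.get("OUT")
    if rec["action"] == "accept" and is_tcp_syn and to_router:
        notes.append(
            f"rule {rec['rule']} of {rec['ruleset']} accepted a new inbound "
            f"TCP connection to the router itself on port {rec['DPT']} "
            f"from {rec['SRC']}")
    if rec.get("ID") == "54321":
        # ZMap sets the IP ID to 54321 by default, so this value is a
        # common marker of internet-wide scanning rather than a real client.
        notes.append("IP ID 54321 matches the ZMap scanner default")
    return notes


if __name__ == "__main__":
    record = parse_fw_log(SAMPLE)
    print(record["ruleset"], record["rule"], record["action"])
    print("router MAC:", record["dst_mac"], "upstream MAC:", record["src_mac"])
    for note in assess(record):
        print("-", note)
```

The two MAC addresses in the line are local to the WAN link (the router's port and the ISP-side next hop), not the remote sender's; the `-A` suffix means the rule accepted the packet, so the question to check is whether port 443 on the router is meant to be reachable from eth0.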

 


Port Forward behind ADSL Router


I have an Edgerouter X that, because the client has copper ADSL into the premises, needs to have a Huawei router in the mix. Unfortunately I can't just bridge the router as he has VOIP dependent on this router.

 

Premises are two houses next door to each other owned by the same person and has CAT 6 cable between them, one is a holiday house he rents out so needs to be separate subnet.

 

The Huawei Router is set to 192.168.10.1 with dmz forwarded to the ERX through ETH0 (have also tried to forward individual ports to ERX)

ERX is 192.168.1.1 which is the main subnet for client's house of 192.169.1.x (eth1)

Second subnet is 192.168.2.x (eth2)

 

There are 4 ports I need to forward to a device on the 192.168.2.x subnet (808,8000,554 and 443)

And one port (2601) to a device on the 192.168.1.x subnet

Have setup DDNS for client for his WAN address.

 

Have setup multiple times but cannot get to devices from the WAN (fine inside LAN)

 

Any help appreciated, config below

 

firewall {
all-ping enable
broadcast-ping disable
group {
address-group NVR {
address 192.168.2.115
description "Camera Group"
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name NVR {
default-action accept
description Camera
rule 1 {
action accept
description Camera808
destination {
group {
address-group NVR
}
}
log disable
protocol tcp
}
rule 2 {
action accept
description Camera8000
destination {
address 192.168.2.115
port 8000
}
log disable
protocol tcp
source {
group {
address-group ADDRv4_eth0
}
}
}
}
name WAN_IN {
default-action drop
description "packets from Internet to LAN & WLAN"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 3 {
action accept
description Alarm
destination {
address 192.168.1.3
port 2601
}
log disable
protocol tcp
source {
address 192.168.10.1
group {
}
port 2601
}
state {
established enable
invalid disable
new enable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description "packets from Internet to the router"
enable-default-log
rule 1 {
action accept
description "allow established session to the router"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log enable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 3 {
action accept
description Alarm
destination {
address 192.168.1.3
port 2601
}
log disable
protocol tcp
source {
address 192.168.10.1
port 2601
}
state {
established enable
invalid disable
new enable
related enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name NVR
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.1.1/24
description LAN
duplex auto
speed auto
}
ethernet eth2 {
address 192.168.2.1/24
description LAN2
duplex auto
speed auto
}
loopback lo {
}
}
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface eth2
     lan-interface eth1
     rule 1 {
         description NVR808
         forward-to {
             address 192.168.2.115
             port 808
         }
         original-port 808
         protocol tcp
     }
     rule 2 {
         description NVR554
         forward-to {
             address 192.168.2.115
             port 554
         }
         original-port 554
         protocol tcp
     }
     rule 3 {
         description NVR443
         forward-to {
             address 192.168.2.115
             port https
         }
         original-port https
         protocol tcp
     }
     rule 4 {
         description NVR8000
         forward-to {
             address 192.168.2.115
             port 8000
         }
         original-port 8000
         protocol tcp
     }
     rule 5 {
         description Alarm24
         forward-to {
             address 192.168.1.3
             port 2601
         }
         original-port 2601
         protocol tcp
     }
     wan-interface eth0
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative disable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.2 {
                     stop 192.168.1.254
                 }
                 static-mapping Adams-Air {

                     { A FEW STATIC MAPS HERE)
                 }
             }
         }
         shared-network-name LAN2 {
             authoritative disable
             subnet 192.168.2.0/24 {
                 default-router 192.168.2.1
                 dns-server 192.168.2.1
                 lease 86400
                 start 192.168.2.100 {
                     stop 192.168.2.150
                 }
                 static-mapping Camera {
                     ip-address 192.168.2.115
                     mac-address bc:ad:28:a0:38:32
                 }
                 static-mapping Unifi1 {
                     ip-address 192.168.2.101
                     mac-address 80:2a:a8:40:48:a2
                 }
             }
         }
     }
     dns {
         forwarding {
             cache-size 150
             listen-on eth1
             listen-on eth2
         }
     }
     gui {
         https-port 443
     }
     nat {
         rule 1 {
             description NVR
             destination {
                 address 192.168.2.115
                 port 808
             }
             inbound-interface eth0
             inside-address {
                 address 192.168.10.1
                 port 808
             }
             log enable
             protocol tcp_udp
             source {
                 group {
                     address-group ADDRv4_eth0
                 }
             }
             type destination
         }
         rule 5000 {
             description "masquerade for WAN"
             log disable
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     upnp {
         listen-on eth1 {
             outbound-interface eth0
         }
     }
 }
 system {
     conntrack {
         expect-table-size 4096
         hash-size 4096
         table-size 32768
         tcp {
             half-open-connections 512
             loose enable
             max-retrans 3
         }
     }
     gateway-address 192.168.10.1
     host-name TheBeachHouse
     login {
         user (REMOVED) {
             authentication {
                 encrypted-password (REMOVED)
                 plaintext-password ""
             }
             level admin
         }
         user ubnt {
             authentication {
                 encrypted-password (REMOVED)
                 plaintext-password ""
             }
             full-name ""
             level admin
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone Australia/Sydney
 }


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.1.4821926.151103.1114 */

Time to update the guts of the ERL?

It has been out for almost 4 years now, and really is underpowered for the new fq_codel support introduced in 1.7 (ERL only gets 60M throughput, the cheaper ERX gets 100M). In these 4 years, I would imagine Cavium came up with significantly faster CPUs and all the ARM vendors (ERL has a MediaTek chip) made tremendous progress.

Can we expect new fanless compact hardware that would enable at least 200M for QoS? In my case that is for home use, with a 220 / 20 connection which I would imagine a lot of small businesses encounter as well.

Edge Router X as Layer 3 Switch


Hello all,

 

Wondering if it is possible to set up an EdgeRouter X as a Layer 3 switch?

 

I see documentation on resetting the unit and configuring it as a Layer 2 switch and have completed this, but would ideally like to be able to handle static routes, assign DHCP forwarders and possibly inter-VLAN routes. I have no need for firewall usage as the unit is already behind a firewall and NAT infrastructure.

 

Perhaps, though possible, it's overly complicated to configure, and if this is the case I probably will move on to a dedicated Layer 3 switch.

 

Just a thought,

thanks

Jon

Edge Router Lite - DMZ, "Type1" PS4 Connection


Hello everyone,

 

Very new to Unifi and this advanced network gear. Currently I am running an Edge Router Lite and a UAP-AC-Lite in my home. My setup is as follows: WAN+2LAN2. ISP modem into eth0 as WAN on --> ERL. Then I have LAN eth1 on ERL ---> 8 port GIG switch. From that switch I have a hard-wired connection to my PS4 with static 192.168.1.69. I can explain that more if I did not make any sense.

 

I have been browsing through almost all I could find on the ERL, DMZ, Port Forwarding, NAT, Firewall Rules, however nothing has seemed to work, if what I want is even possible.

 

I would like to achieve 1 of the following, priority 1 would be ideal, if not possible I would like to see if 2 is.

 

1- Is it possible to configure this one port, or static IP, to act as if it were allowed direct access to the internet with absolutely no blocks or restrictions? As if I was to grab the WAN connection from my ISP modem and plug it directly into the back of the PS4? This would give me a NAT Type of 1 on the PlayStation, Open NAT type in all of my games, allowing the optimal connection for gaming/streaming to Twitch/connecting to friends' lobbies and games.

 

If that is not possible:

 

2- How could I go about attempting to open all of the ports required by Sony or for each game individually? Sony has listed the ports they deem to be required, but for the majority of the top titles there are additional ports they ask for.

 

I was hoping that being able to have full control over my new network would allow me to somehow configure this in a way to better the gaming experience. Furthermore to this, there is also an additional PlayStation in the house, not as important, but I am assuming once a solution for this one has been conquered, I can replicate the settings to the other.

 

I did read a post where if I created a VLAN, specifically for DMZ clients I could open it right up, I just do not have the knowledge yet, and am hoping all of you great folks could assist.

 

Thank you in advance!

Private Internet Access OpenVPN Issues


I followed the other posts relative to setting up PIA's OpenVPN, and for the life of me, I cannot get my tunnel to connect and assign an IP. Is there any pertinent log information that will pinpoint exactly why? Here is my config info:

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Ext ping"
            log disable
            protocol icmp
        }
        rule 4 {
            action accept
            description ESP
            log disable
            protocol 50
        }
        rule 5 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 6 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 7 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 8 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/auth/USEast2.ovpn
        description PIA
    }
    switch switch0 {
        address 192.168.2.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
                static-mapping xxxxxx {
                    ip-address 192.168.2.127
                    mac-address xxxxxx
                }
                static-mapping xxxxxxx {
                    ip-address 192.168.2.30
                    mac-address xxxxxxx
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth1 {
                service afraid {
                    host-name xxxxxxxx
                    login xxxxxx
                    password xxxxxxx
                    server freedns.afraid.org
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    snmp {
        community public {
            authorization ro
        }
        contact "xxxxxxxx"
        location xxxxxx
        v3 {
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxxx
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.2.30 {
            facility all {
                level notice
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username xxxxxx {
                        password xxxxxx
                    }
                }
                mode local
            }
            client-ip-pool {
                start 172.16.1.10
                stop 172.16.1.19
            }
            dhcp-interface eth1
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                }
                ike-lifetime 3600
            }
        }
    }
}

And here is the content of my OpenVPN file:

client
dev-type tun
proto udp
remote us-east.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /config/auth/auth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /config/auth/crl.rsa.2048.pem
ca /config/auth/ca.rsa.2048.crt
disable-occ
route-nopull

I've been messing with this all day and it's driving me insane.
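
A check that applies to EdgeOS configurations like the one posted above, which defines WAN_IN but leaves the "in" block on eth1 empty. This is an added example, not part of the original post and not Ubiquiti tooling: it parses the brace-style config and reports firewall rulesets that are defined but attached to no interface, references to rulesets that are not defined, and empty bindings. The function names and the embedded sample (constructed, modeled on the post) are assumptions.

```python
import shlex

# Constructed sample modeled on the post's config. The eth0 binding to
# GUEST_IN is not in the post; it exercises the undefined-reference case.
SAMPLE_CONFIG = """
firewall {
    name WAN_IN {
        default-action drop
    }
    name WAN_LOCAL {
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            in {
                name GUEST_IN
            }
        }
    }
    ethernet eth1 {
        firewall {
            in {
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
"""

def parse_config(text):
    """'a b {' becomes a dict under key ('a', 'b'); leaf 'k v' a list under 'k'."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        tokens = shlex.split(line)
        if tokens == ["}"]:
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched closing brace")
            stack.pop()
        elif tokens[-1] == "{":
            child = stack[-1].setdefault(tuple(tokens[:-1]), {})
            stack.append(child)
        else:
            stack[-1].setdefault(tokens[0], []).append(" ".join(tokens[1:]))
    if len(stack) != 1:
        raise ValueError("unclosed block at end of config")
    return root

def _collect_bindings(node, path, out):
    """Record (interface, direction, ruleset-or-None), including nested vif."""
    for key, child in node.items():
        if not isinstance(child, dict):
            continue
        if key == ("firewall",):
            for direction in ("in", "out", "local"):
                block = child.get((direction,))
                if block is not None:
                    names = block.get("name", [])  # IPv4 rulesets only
                    out.append((path, direction, names[0] if names else None))
        else:
            _collect_bindings(child, f"{path}.{key[-1]}" if path else key[-1], out)

def audit_firewall_bindings(cfg):
    """Compare 'firewall name X' definitions with interface attachments.
    Rulesets used only through zone-policy are not considered."""
    defined = {k[1] for k in cfg.get(("firewall",), {})
               if isinstance(k, tuple) and len(k) == 2 and k[0] == "name"}
    bindings = []
    _collect_bindings(cfg.get(("interfaces",), {}), "", bindings)
    referenced = {name for _, _, name in bindings if name}
    return {
        "unattached": sorted(defined - referenced),
        "undefined": sorted(referenced - defined),
        "empty_bindings": sorted(f"{i}/{d}" for i, d, n in bindings if n is None),
    }

if __name__ == "__main__":
    for finding, items in audit_firewall_bindings(parse_config(SAMPLE_CONFIG)).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```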

Cannot connect to eth0


Just purchased an ER8 along with a crossover and straight cable.

 

Configured my laptop ethernet IPv4 with 192.168.1.2; however, on connecting the cable I do not get any link lights, and the ethernet connection tells me the cable is unplugged.

 

In addition to this, I attempted a reset by holding the button for 10 seconds and apparently eth7 should light up solid. Nope. Nothing. Not one iota. Sounds like a dead router, no?

 

Anyone have any ideas?

 

I don't have a console cable at hand so unable to attempt connect with that.

 

Cheers,

Byron

Questions about ER-X-SFP


Hi All,

I'm thinking about setting up a simple network with an ER-X-SFP and two UNIFI-AP-AC-LITE, so here are my questions:

 

1) Will I be able to have both APs on the same LAN segment (VLAN 1 or whatever) and an extra VLAN on some other port without losing forwarding capacity in the router?

 

2) I have read about other ER models that have the operating system on a USB stick; is the ER-X-SFP built in a similar fashion? If yes, is it a common problem that it fails?

 

3) Are there any problems with port failures in the ER-X-SFP? I have read that it can be a common problem on other models.

 

4) Is the firewall feature in the ER-X-SFP functional?

 

 

thanks

/HZ


second MAC address to a network interface


Hello, is it possible to add a second MAC address to a network interface (for example eth0/WAN) or create virtual network interfaces with separate MAC addresses?

In regular Linux, or especially OpenWrt, we may use MACVLAN.

ip link add link eth1 eth2 type macvlan
ifconfig eth2 hw ether 00:24:01:f5:1b:84

ip link add link eth1 eth3 type macvlan
ifconfig eth3 hw ether 00:24:01:f5:1b:85

ip link add link eth1 eth4 type macvlan
ifconfig eth4 hw ether 00:24:01:f5:1b:86

ip link add link eth1 eth5 type macvlan
ifconfig eth5 hw ether 00:24:01:f5:1b:87

ip link add link eth1 eth6 type macvlan
ifconfig eth6 hw ether 00:24:01:f5:1b:88

EdgeMAX - IPv6 Tunnel


Hello.

 

I bought an EdgeMAX router and am using it in Japan.

 

Some Japanese ISPs use DS-Lite, which uses an ipip6 tunnel. Current VyOS supports ipip6 tunnels, but EdgeOS v1.9.0 doesn't implement them.

 

I hope it will be implemented.

 

Best Regards,

 

Masaru

Newbie on Edgerouter Poe - need advice on minimum firewall setup for home use


Hi all,

Have just done the initial setup using the wizard on 1.9. The LAN/WLAN setup is fairly simple with 3 wired APs and the usual amount of wired and wireless streaming devices / PCs and a WHS 2011 (yes, fantastic machine, sorry that MS discontinued it) with the family pictures.

I get a little scared when I see the complexity of setting up the firewall. I have felt perfectly secure enough behind a consumer router with built-in firewall (D-Link). Could somebody guide me to where I can find information on how to set up a firewall on the EdgeRouter PoE that is as good as what's typically on a consumer router with built-in firewall?

Dynamic DNS problem edge router lite - afraid freeDNS


Hi All,

 

I have configured the DDNS setting in the EdgeRouter Lite and it was working, but later I found that it is not updating... Not sure if I have misconfigured it, and I hope to receive advice here.

 

When I run tail -f /var/log/messages, I get the following log,


Dec  5 23:55:10 ubnt ddclient[5269]: WARNING:   last updated <never> but last attempt on Mon Dec  5 23:54:00 2016 failed.
Dec  5 23:55:10 ubnt ddclient[5269]: WARNING:   Wait at least 5 minutes between update attempts.
Dec  5 23:56:13 ubnt ddclient[5269]: WARNING:  cannot connect to :443 socket: IO::Socket::SSL: Bad hostname '' IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0)
Dec  5 23:56:13 ubnt ddclient[5269]: FAILED:   updating xxx.mooo.com: Could not connect to .
Dec  5 23:57:13 ubnt ddclient[5269]: WARNING:  file /var/cache/ddclient/ddclient_eth0.cache, line 3: Invalid Value for keyword 'ip' = ''
Dec  5 23:57:17 ubnt ddclient[5269]: WARNING:  skipping update of xxx.mooo.com from <nothing> to 42.60.xx.xxx.
Dec  5 23:57:17 ubnt ddclient[5269]: WARNING:   last updated <never> but last attempt on Mon Dec  5 23:56:10 2016 failed.
Dec  5 23:57:17 ubnt ddclient[5269]: WARNING:   Wait at least 5 minutes between update attempts.
Dec  5 23:58:20 ubnt ddclient[5269]: WARNING:  cannot connect to :443 socket: IO::Socket::SSL: Bad hostname '' IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0)
Dec  5 23:58:20 ubnt ddclient[5269]: FAILED:   updating xxx.mooo.com: Could not connect to .
Dec  5 23:59:20 ubnt ddclient[5269]: WARNING:  file /var/cache/ddclient/ddclient_eth0.cache, line 3: Invalid Value for keyword 'ip' = ''
Dec  5 23:59:21 ubnt ddclient[5269]: WARNING:  skipping update of xxx.mooo.com from <nothing> to 42.60.xx.xxx.
Dec  5 23:59:21 ubnt ddclient[5269]: WARNING:   last updated <never> but last attempt on Mon Dec  5 23:58:17 2016 failed.
Dec  5 23:59:21 ubnt ddclient[5269]: WARNING:   Wait at least 5 minutes between update attempts.

 

I read another thread and tried the debug command, and realised that there is a bad hostname, which I have highlighted in RED

 

admin@ubnt:~$ sudo /usr/sbin/ddclient -daemon=0 -debug -verbose -noquiet -file /etc/ddclient/ddclient_eth0.conf > /tmp/ddclient.debug
Use of uninitialized value in string eq at /usr/sbin/ddclient line 3725.
Use of uninitialized value $_[1] in sprintf at /usr/sbin/ddclient line 1706.

admin@ubnt:/tmp$ cat ddclient.debug
=== opt ====
opt{cache}                           : <undefined>
opt{cmd}                             : <undefined>
opt{cmd-skip}                        : <undefined>
opt{daemon}                          : 0
opt{debug}                           : 1
opt{exec}                            : <undefined>
opt{facility}                        : <undefined>
opt{file}                            : /etc/ddclient/ddclient_eth0.conf
opt{force}                           : <undefined>
opt{foreground}                      : <undefined>
opt{fw}                              : <undefined>
opt{fw-login}                        : <undefined>
opt{fw-password}                     : <undefined>
opt{fw-skip}                         : <undefined>
opt{geturl}                          : <undefined>
opt{help}                            : <undefined>
opt{host}                            : <undefined>
opt{if}                              : <undefined>
opt{if-skip}                         : <undefined>
opt{ip}                              : <undefined>
opt{login}                           : <undefined>
opt{mail}                            : <undefined>
opt{mail-failure}                    : <undefined>
opt{max-interval}                    : 2419200
opt{min-error-interval}              : 300
opt{min-interval}                    : 30
opt{options}                         : <undefined>
opt{password}                        : <undefined>
opt{pid}                             : <undefined>
opt{postscript}                      : <undefined>
opt{priority}                        : <undefined>
opt{protocol}                        : <undefined>
opt{proxy}                           : <undefined>
opt{query}                           : <undefined>
opt{quiet}                           : 0
opt{retry}                           : <undefined>
opt{server}                          : <undefined>
opt{ssl}                             : <undefined>
opt{syslog}                          : <undefined>
opt{test}                            : <undefined>
opt{timeout}                         : <undefined>
opt{use}                             : <undefined>
opt{usev6}                           : <undefined>
opt{verbose}                         : 1
opt{web}                             : <undefined>
opt{web-skip}                        : <undefined>
=== globals ====
globals{cache}                       : /var/cache/ddclient/ddclient_eth0.cache
globals{daemon}                      : 60
globals{debug}                       : 1
globals{file}                        : /etc/ddclient/ddclient_eth0.conf
globals{if}                          : eth0
globals{login}                       : "loginname"
globals{max-interval}                : 2419200
globals{password}                    : "password"
globals{pid}                         : /var/run/ddclient/ddclient_eth0.pid
globals{protocol}                    : freedns
globals{quiet}                       : 0
globals{server}                      : freedns.afraid.org
globals{ssl}                         : 1
globals{syslog}                      : 1
globals{use}                         : if
globals{verbose}                     : 1
=== config ====
config{anchorvale.mooo.com}{atime}   : 0
config{anchorvale.mooo.com}{cacheable} : ARRAY(0x74a168)
config{anchorvale.mooo.com}{cmd}     : <undefined>
config{anchorvale.mooo.com}{cmd-skip} :
config{anchorvale.mooo.com}{fw}      :
config{anchorvale.mooo.com}{fw-login} : <undefined>
config{anchorvale.mooo.com}{fw-password} :
config{anchorvale.mooo.com}{fw-skip} :
config{anchorvale.mooo.com}{host}    : xxx.mooo.com
config{anchorvale.mooo.com}{if}      : eth0
config{anchorvale.mooo.com}{if-skip} :
config{anchorvale.mooo.com}{ip}      : <undefined>
config{anchorvale.mooo.com}{login}   : "loginname"
config{anchorvale.mooo.com}{max-interval} : 2419200
config{anchorvale.mooo.com}{min-error-interval} : 300
config{anchorvale.mooo.com}{min-interval} : 300
config{anchorvale.mooo.com}{mtime}   : 0
config{anchorvale.mooo.com}{password} : "password"
config{anchorvale.mooo.com}{protocol} : freedns
config{anchorvale.mooo.com}{server}  : freedns.afraid.org
config{anchorvale.mooo.com}{status}  :
config{anchorvale.mooo.com}{use}     : if
config{anchorvale.mooo.com}{usev6}   : <undefined>
config{anchorvale.mooo.com}{warned-min-error-interval} : 0
config{anchorvale.mooo.com}{warned-min-interval} : 0
config{anchorvale.mooo.com}{web}     : dyndns
config{anchorvale.mooo.com}{web-skip} :
config{anchorvale.mooo.com}{wtime}   : 30
=== cache ====
cache{anchorvale.mooo.com}{atime}    : 0
cache{anchorvale.mooo.com}{host}     : xxx.mooo.com
cache{anchorvale.mooo.com}{mtime}    : 0
cache{anchorvale.mooo.com}{status}   : noconnect
cache{anchorvale.mooo.com}{warned-min-error-interval} : 1480950033
cache{anchorvale.mooo.com}{warned-min-interval} : 0
cache{anchorvale.mooo.com}{wtime}    : 30
DEBUG:    get_ip: using if, eth0 reports 42.60.xx.xxx
DEBUG:
DEBUG:     nic_freedns_update -------------------
DEBUG:    proxy  =
DEBUG:    url    = http://freedns.afraid.org/api/?action=getdyndns&sha=6d7b46ee7d9fec66576321a57c241f498620d08c
DEBUG:    server = freedns.afraid.org
CONNECT:  freedns.afraid.org
CONNECTED:  using SSL
SENDING:  GET /api/?action=getdyndns&sha=6d7b46ee7d9fec66576321a57c241f498620d08c HTTP/1.0
SENDING:   Host: freedns.afraid.org
SENDING:   User-Agent: ddclient/3.8.3
SENDING:   Connection: close
SENDING:
RECEIVE:  HTTP/1.1 200 OK
RECEIVE:  Server: nginx
RECEIVE:  Date: Mon, 05 Dec 2016 15:01:04 GMT
RECEIVE:  Content-Type: text/plain; charset=utf-8
RECEIVE:  Connection: close
RECEIVE:  Vary: Accept-Encoding
RECEIVE:  X-Cache: MISS
RECEIVE:
RECEIVE:  xxx.mooo.com|42.60.xx.xxx|https://freedns.afraid.org/dynamic/update.php?eGMyQVprWE0wbllXRHI1UkxuVjlnWUF6OjE2NDY1ODk0
INFO:     setting IP address to 42.60.xx.xxx for xxx.mooo.com
UPDATE:   updating xxx.mooo.com
DEBUG:    proxy  =
DEBUG:    url    =
DEBUG:    server =
CONNECT:
WARNING:  cannot connect to :443 socket: IO::Socket::SSL: Bad hostname '' IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0)
FAILED:   updating xxx.mooo.com: Could not connect to .
admin@ubnt:/tmp$

 

Is there anything I have missed out?

 

Thanks !

 

New ER-X crashing with basic configuration


Hello,

 

I recently bought an EdgeRouter X and upgraded it to 1.9.0. Unfortunately, the router keeps crashing about once or twice a day with a fairly basic config. The configuration is based on the WAN+2LAN2 wizard with minimal modifications, one of them being enabling Smart Queue.

 

I've upgraded to 1.9.1alpha2 but the problem persists. I tried enabling netconsole and the built-in syslog server support and directing logs to a Raspberry Pi. Unfortunately, the syslog server logs nothing before the crash. The first log entries I can find (in /var/log/messages) look like post-crash entries:

 

 

Dec  4 17:15:33 ubnt ntpd[1241]: ntpd exiting on signal 15
Dec  4 17:15:35 ubnt ntpd[2894]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 22:29:12 UTC 2016 (1)
Dec  4 17:15:35 ubnt ntpd[2895]: proto: precision = 41.071 usec
Dec  4 17:15:37 ubnt ntpd[2895]: ntpd exiting on signal 15
Dec  4 17:15:39 ubnt ntpd[2989]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 22:29:12 UTC 2016 (1)
Dec  4 17:15:39 ubnt ntpd[2990]: proto: precision = 48.286 usec

 

eth0 is connected to a cable modem and eth1-4 have various devices connected, including a UniFi AP and a UniFi Controller.

 

Config attached. The EdgeRouter was stable for about 4 days with Smart Queue disabled, but after I enabled Smart Queue, it crashed within about 24 hours. That makes me suspect Smart Queue.

 
