Channel: EdgeRouter topics

EdgeRouter Lite 3 + Unifi AP AC (topology question)


I'm a mechanical engineer with a great interest in computer science and electrical engineering (not an expert in system administration, but surely no noob and willing to learn and read).

 

My current setup is:

Ubee EVM3200 modem (Ziggo)

Linksys E4200 router

Netgear GS105E switch

and several wireless and wired clients

My neighbour doesn't have much to spend so he may use my wifi for free.

 

My WiFi signal is relatively poor because my router is located inside my meter room.

Besides the signal quality, it lacks the possibility of having multiple VLANs and SSIDs. For using DD-WRT firmware my router's hardware is too weak (very poor WAN speed due to lack of hardware NAT).

 

I recently bought myself an EdgeRouter Lite 3 and a Unifi AP AC. Hopefully it will arrive this weekend.

 

My desired config is:

 

WLAN with 3 SSIDs / VLANs

- private (WAN & LAN)

- neighbour (WAN & own VLAN)

- guest (only (limited) WAN)

 

LAN

- private (WAN & WLAN)

 

I think I need 3 VLANs for this scenario: 1 for private use, 1 for guest use and 1 for my neighbour's WiFi.

 

Is WAN (eth0), LAN (eth1) and WLAN (eth2) possible without bridging eth1 and eth2? My private wireless devices need to connect to my private wired devices. The CPU load when using bridge mode frightens me a bit.

 

Otherwise, I will have WAN (eth0) and LAN/WLAN (eth1). The question then is:

Do I need a managed switch when only my Unifi AP AC serves multiple VLANs? I ask because I am running short on ports on my 5-port switch. I will buy a new switch (8+ ports) and wonder if an unmanaged switch is sufficient.

 

I hope someone can (and will) help me answer my questions.

Thanks in advance, René


QoS shaper and class bandwidth


I was hoping to get a clarification on how the QoS shaper works. I'm starting from the example provided in this document.

 

https://help.ubnt.com/hc/en-us/articles/216787288-EdgeMAX-Quality-of-Service-QoS-#Shaper

 

 

set traffic-policy shaper shaper1 bandwidth 100mbit
set traffic-policy shaper shaper1 default bandwidth 60mbit
set traffic-policy shaper shaper1 class 2 bandwidth 20mbit
set traffic-policy shaper shaper1 class 2 match client2 ip source address 10.0.1.2/32
set interfaces ethernet eth0 traffic-policy out shaper1
commit

In this example, I see that class 2 will get 20mbit minimum, and class 2 is defined as 10.0.1.2/32 (a specific IP). If class 2 were changed to 10.0.1.0/24, how would the QoS system respond to that? Would 10.0.1.x get 20mbits minimum as a group, or would each IP have its own 20mbit minimum? If it is not the latter, is there a way to achieve this without specifying each IP individually?

 

Cannot open port 9 on ERPOe5


Hi,

I am trying to open port 9 to implement Wake-on-LAN in my network. I use Firewall/NAT >>> Port Forwarding to the main computer in the LAN (192.168.1.6); however, I cannot manage to open it. I can easily open other ports but not this one. The LAN interface I select is "switch0" because I have a VLAN working.

Any help would be appreciated

Thanks

Dynamic DNS using DYNDNS not updating - Solved


I have three different hosts at DYNDNS that recently stopped updating via my ERLs.  I couldn't trace back exactly when they stopped.  It might have been with the 1.9.1 alphas or before.  Anyway, I think that 1.9.1 is unrelated.

 

I had been providing my normal DYNDNS username and password via the Edgemax GUI which DYNDNS accepted happily.  Apparently now they are enforcing the use of your Updater Client Key (found here https://account.dyn.com/profile/) instead of your normal login password.  It probably relates to the recent DDNS attack they suffered.

 

Anyway, I stumbled around for a while trying to figure out if 1.9.1 broke something or I did. The logs showed a bad authentication so I changed passwords, retyped etc. but it kept showing the same error. Eventually, I found this post https://community.ubnt.com/t5/EdgeMAX/Can-t-get-dyndns-to-update/m-p/1422751#M89346 in this forum and it fixed my problem. I thought I would drop this post out there in case anyone else was having the same problem.

QOS Advanced Queue Example?


I'm trying to figure out how to use the QOS Advanced Queue and am having trouble finding many examples. I was wondering if anyone knows how to do it and we could come up with some simple examples here to aid in the use of this feature.

 

For me personally, the Smart Queue works well for many purposes, but is a little too basic so I'm looking to basically implement a more advanced version of the smart queue, with the Advanced Queue. It looks like the Advanced Queue should be able to do this.

 

So as a first step I'd like to implement something like the Smart Queue, with FQ_CODEL upstream and downstream, but set one IP address as a lower priority for upstream, so if 2 computers are uploading they don't split the upstream bandwidth but rather the IP address with a lower priority gets limited bandwidth (as in my case it is running CrashPlan for backups which should take the lowest priority).

 

Once I get something like this running I think I should be able to add more services with some different priority levels, but I'm having trouble getting even a simple case like this running. Thanks.

ERLite3: Wireless access point works on eth1 but not eth2


Have an odd issue.

 

Set up my router utilizing one of the setup wizards (WAN+2LAN I believe) last year. Attached to eth1 is my primary house switch (with other switches behind it) as well as my primary wireless access point. Attached to eth2 was a single old Linksys router with DD-WRT that I use for Nintendo gaming. Everything has been working fine for months.

 

Sometime in the past couple of weeks I noticed that the Netgear connection wasn't working anymore.  

 

Much (MUCH) troubleshooting later I've discovered the following:

- Plug in a laptop or any device into eth2 and it is presented an IP (192.168.2.x) from DHCP no problem

- Plug in the router with DHCP and nothing assigned

- Plug the router in with a static IP in the 192.168.2.x range and attempt to ping the Edge or out to the internet and get Destination Host Unreachable

- Plug a switch into eth2 and plug the laptop into the switch: works like before. Introduce the Linksys and again nothing to the Edge or internet, but between laptop and Netgear just fine.

 

Here is the odd part: plug the Linksys into the switch connected to eth1? Everything works exactly like it used to. Only when trying to utilize eth2 (port 3) does it not work.

 

Again, it was working fine; now all of a sudden eth2 just will not talk to the Linksys. Right now I'm just running the Linksys through eth1 so everything just works, but I'd really prefer it stay off on eth2 by itself.

 

ANY thoughts on what additional troubleshooting I should look into?

 

EdgeRouter Lite v1.9.1 config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Wired
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description JoBed
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 208.67.222.222
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping BaseBack7 {
                    ip-address 192.168.1.101
                    mac-address f0:de:f1:08:86:65
                }
                static-mapping DenonHT {
                    ip-address 192.168.1.20
                    mac-address 00:05:cd:a0:50:ac
                }
                static-mapping GameHTPC {
                    ip-address 192.168.1.100
                    mac-address c8:60:00:c3:0a:3f
                }
                static-mapping R8000 {
                    ip-address 192.168.1.3
                    mac-address e8:fc:af:f8:2e:9c
                }
                static-mapping SmartSwitch {
                    ip-address 192.168.1.2
                    mac-address a0:63:91:68:ea:a9
                }
                static-mapping TL-SG108E-BaseCloset {
                    ip-address 192.168.1.4
                    mac-address 98:de:d0:85:8b:44
                }
                static-mapping WDMyCloud {
                    ip-address 192.168.1.16
                    mac-address 00:90:a9:de:38:80
                }
                static-mapping jMac5k {
                    ip-address 192.168.1.99
                    mac-address 38:c9:86:2a:3c:64
                }
                static-mapping jMacPro {
                    ip-address 192.168.1.98
                    mac-address 00:e2:4c:68:05:0e
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 208.67.222.222
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user jstew {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 208.67.222.222
    name-server 208.67.220.220
    name-server 8.8.8.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Kentucky/Louisville
    traffic-analysis {
        dpi enable
        export enable
    }
}

 

Thanks for any recommendations.

EdgeRouter Lite Internet Speed Issue


Hey Everyone - Long time Lurker, first time poster :-)

 

I've been using Ubiquiti products for a long time, love them, very happy with them. Have a pretty good networking background and am getting stumped and getting frustrated. I just got upgraded from 50Mbps Internet to 300 and my EdgeRouter Lite is now struggling and even getting worse performance than before. If I hook my PC directly to my modem I get 340Mbps through several speedtest sites; if I go through the ERL I get 15-35Mbps. I have offloading for forwarding and VLAN enabled, I can run iperf3 from one internal VLAN to the other which goes through the ERL and I get 790Mbps, so it CAN push a lot of traffic, just not over the WAN link.

 

I've even loaded a stock WAN-LAN wizard configuration and got the same results; don't know if something is faulty with the ERL's port or what's going on. I am running Version 1.9.0 and am planning on upgrading to 1.9.1 to try it tonight.

 

Any suggestions are very much appreciated at this point.

 

Configuration File: Attached

Change AES and SHA settings for l2tp remote access


Hello,

 

I got my L2TP set up and working well on my X router. The only problem I see is that all clients that connect negotiate to AES128 SHA1. I would like to change that to AES256 SHA384. Is this currently possible on this platform? I am running the latest software release. Thank you.


Problem configuring edgerouter lite as DHCP


I have just purchased an EdgeRouter Lite ER-3 and tried configuring it using DHCP mode but failed many times.

My network structure is as follows:

One ADSL modem which is configured with the ISP in static mode, one Cisco switch where all of my computer LAN ports are connected, and one EdgeRouter Lite ER-3.

 

My ADSL modem has the IP 192.168.1.1, meaning I open my ADSL page by typing 192.168.1.1 in the URL bar.

 

 

Under the Wizards tab I selected WAN+2LAN2, ticked bridging, set the LAN ports (eth1 and eth2) to IP 192.168.1.1/255.255.255.0 and ticked "enable DHCP server" under the LAN port setting.

 

When I apply the above config and connect my ADSL LAN wire to the eth0 port of the EdgeRouter Lite and the eth1 port to the Cisco switch, the internet does not work on any computer, and I also cannot access my modem through 192.168.1.1, nor can I access the EdgeRouter through 192.168.1.1.

 

Now I change my LAN ports' (eth1 and eth2) address to 192.168.2.1/255.255.255.0 and hit apply; in this case my internet works but I cannot access any of my 192.168.1.x network devices, including the ADSL modem.

 

I took chat support from UBNT but it didn't help me out.

 

My main purpose in configuring the EdgeRouter Lite is that I created one guest SSID on my Unifi AP Pro and one admin SSID, and I want to block several sites when a device connects to the guest network, and when any device connects to the admin SSID it will not block anything.

 

For blocking of sites I use the OpenDNS setting and want to configure the EdgeRouter in such a way that when any device connects to the guest SSID it will take the OpenDNS DNS, and when a device is connected to the admin SSID it will take Google DNS.

 

Can someone please guide me step by step on how to configure my EdgeRouter Lite in such a manner that my needs are fulfilled?

 

I will be very grateful to you if you solve my problem.

 

 

 

 

VLAN traffic showing as passing over the base interface rather than vif?


Evening all

 

I'm a bit confused. I have 4 VLANs and they are attached to eth1.

 

I'm using that as my management network (which in hindsight I believe is incorrect).

 

My issue is that a device untagged on VLAN 10 shows its upload traffic to the web in Mbps on the eth1 device and very little data passing on vif1.10.

 

Is this expected behaviour?

 

Should I have created a new management VLAN, say vif1.11, to keep management off eth1 and use this for my devices? Would this change the situation so that the traffic flowing on my VLANs would then show up correctly?

 

I've attached a screenshot as this may explain it better.

 

Screen Shot 2017-01-05 at 18.46.28.png

 

Appreciate your help.

 

Cheers

 

Andy

Log Message translation


Keepalived_vrrp[3787]: Netlink: filter function error

 

Does anyone know wth this is?

Loadbalancing FTPS (FTP over TLS) doesn't work with sticky enabled


Hi!

 

After connecting the second WAN interface on my EdgeRouter X with software version 1.9.0 and enabling load-balancing with sticky, it seems that FTPS doesn't work. FileZilla gives me TLS handshake errors (GnuTLS error 110) and time-outs when trying to list directories. I tried different sticky settings, and tried manually setting up load balancing using the following article: https://help.ubnt.com/hc/en-us/articles/205202690-EdgeMAX-Policy-based-routing-with-WAN-load-balancing but nothing seems to solve the problem. The sticky settings do seem to work for HTTPS traffic (banking websites, login to Plesk, login to DirectAdmin, etc.).

 

Disabling one of the WAN interfaces, with load-balancing still enabled, solves the problem, so my best guess is that sticky doesn't work with FTPS (FTP over TLS), because normal FTP also works.

 

Any help is appreciated!

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 1 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Internet 2"
        disable
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.16.0.1/16
        description Local
        firewall {
            in {
                modify balance
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        sticky {
            dest-addr enable
            dest-port enable
            source-addr enable
        }
    }
}

 

Building a home network with EdgeMax


Hi, I'm looking for some advice on putting together a home network around an EdgeRouter. Hope I'm posting in the right place.

 

High Level Requirements

 

1. Ability to segregate networks e.g.

 

- Office (main PC, laptop, NAS, wi-fi printer etc).

- Home (Phones, Tablets, TV, Surround Amp, RasPlex, NAS, general IoT type devices)

- Guests

 

I do need my Phones, Tablets, TV and RasPlex to be able to access my NAS however.

 

I understand that a VLAN is probably the way to approach this. From reading a tutorial online about setting up an EdgeMax it would seem that this is possible; however, I am not sure if I can have my NAS on two VLANs.

 

2. Security

 

- I need everything in my Office network to be able to talk to the outside world.

- I will need to port forward some applications into my NAS.

- I want to restrict my Home network so that devices can't talk unrestricted to the internet.

- I want to restrict my guest network to HTTP/S.

 

3. WIFI

 

- Need to be able to set up two access points. One for "approved" users and one for guests. For approved users they should be able to access the Home network. Guests should only be able to access the Guest network.

 

- Ideally I would like to use PoE to power the device if this is a possibility.

 

So that is my plan, here are the questions..

 

- I guess firstly I need to know if this is possible to do?

- I was thinking of looking at a Ubiquiti WiFi AP but not sure how it would integrate with the EdgeRouter. Am I able to say that the guest AP can connect only to the guest VLAN?

- Would I be able to administer this through a GUI?

- Is there a way I can download my configurations and source control them?

- Is it possible to have a device that can span two VLANs?

 

Happy to be corrected on both terminology and my ideas.

 

Thanks in advance for any help received.

Site-to-Site VPN UP but not traffic


Hi, I have set up an IPsec site-to-site VPN between 2 EdgeMAX routers. Firmware version: EdgeRouter X v1.9.0.

The tunnel is UP. From each I can ping the other's LAN interface but I cannot ping anything behind it. I have added the NAT exclusion rule as well as the firewall rules. Any clues?

 

 

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description ipse
set firewall name WAN_IN rule 20 destination address 192.168.1.0/24
set firewall name WAN_IN rule 20 ipsec match-ipsec
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 source address 192.168.2.0/24
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 description 'Drop invalid state'
set firewall name WAN_IN rule 30 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'allow ipsec nat-t'
set firewall name WAN_LOCAL rule 20 destination port 4500
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ipsec
set firewall name WAN_LOCAL rule 30 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 30 ipsec match-ipsec
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol all
set firewall name WAN_LOCAL rule 30 source address 192.168.2.0/24

 

set service nat rule 5000 description ipsec
set service nat rule 5000 destination address 192.168.2.0/24
set service nat rule 5000 exclude
set service nat rule 5000 log enable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
set service nat rule 5001 description 'masquerade for WAN'
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 type masquerade
set service nat rule 5002 description 'masquerade for WAN 2'
set service nat rule 5002 outbound-interface eth1
set service nat rule 5002 type masquerade

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group vpntunnel compression disable
set vpn ipsec esp-group vpntunnel lifetime 1800
set vpn ipsec esp-group vpntunnel mode tunnel
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec ike-group vpntunnel ikev2-reauth no
set vpn ipsec ike-group vpntunnel key-exchange ikev1
set vpn ipsec ike-group vpntunnel lifetime 28800
set vpn ipsec ike-group vpntunnel proposal 1 dh-group 2
set vpn ipsec ike-group vpntunnel proposal 1 encryption 3des
set vpn ipsec ike-group vpntunnel proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ************
set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group vpntunnel
set vpn ipsec site-to-site peer 1.1.1.1 ike-group vpntunnel
set vpn ipsec site-to-site peer 1.1.1.1 ikev2-reauth inherit
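An added example (my own code, not from this post or from EdgeOS) that parses a dump of `set` commands like the one above and lists the legacy IPsec settings it contains. The thresholds it flags (DES/3DES, MD5/SHA1, DH groups 1/2/5, PFS switched off) are my assumptions rather than anything the thread states, and the sample input is constructed to mirror the post's proposals.

```python
import shlex
from typing import List, Tuple

# Constructed sample: the shape of the site-to-site post's "set" lines
# (values as they appear there), plus a quoted value and a value-less leaf.
SAMPLE_SET_COMMANDS = """\
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 20 ipsec match-ipsec
set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group vpntunnel lifetime 1800
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec ike-group vpntunnel proposal 1 dh-group 2
set vpn ipsec ike-group vpntunnel proposal 1 encryption 3des
set vpn ipsec ike-group vpntunnel proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
"""

# Assumed audit thresholds (my choice, not from the page): legacy ciphers,
# legacy hashes, small MODP groups, and PFS switched off.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP


def parse_set_commands(text: str) -> List[Tuple[str, ...]]:
    """Split each 'set ...' line into its tokens, keeping quoted values whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # skip blank lines and anything that is not a set command
        entries.append(tuple(shlex.split(line[len("set "):])))
    return entries


def audit_ipsec(entries: List[Tuple[str, ...]]) -> List[str]:
    """Return one finding per weak IKE/ESP setting, formatted as
    '<node path>: <key> <value>', e.g. 'esp-group vpntunnel: pfs disable'."""
    findings = []
    for tokens in entries:
        # Only 'vpn ipsec ...' nodes that end in a key/value pair matter;
        # value-less leaves such as 'disable-uniqreqids' are skipped.
        if len(tokens) < 4 or tokens[:2] != ("vpn", "ipsec"):
            continue
        where = " ".join(tokens[2:-2])
        key, value = tokens[-2], tokens[-1].lower()
        weak = (
            (key == "encryption" and value in WEAK_ENCRYPTION)
            or (key == "hash" and value in WEAK_HASH)
            or (key == "dh-group" and value in WEAK_DH_GROUPS)
            or (key == "pfs" and value == "disable")
        )
        if weak:
            findings.append(f"{where}: {key} {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec(parse_set_commands(SAMPLE_SET_COMMANDS)):
        print(finding)
```

Feed it the output of `show configuration commands` from the router to check a live device; it reports on any number of groups and proposals, not just the one shown here.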

Edgerouter X basic setup


We are looking to set up each individual port for a specific public IP address for a location, handing out DHCP so that they cannot see each other, and basically ETH4 for us to plug in and be able to log in to all 4 other IPs for management, whether setting the laptop to a certain IP on each one we want to access or not. Have upgraded to 1.9.0 firmware and worked with the wizards.


VPN not working


I had set up a VPN with L2TP over IPsec and it was working before I moved out of testing to production.

 

I do have multiple outside IP addresses on my WAN (.114 through .118) and currently my primary is my .117 address and that is where my VPN was once working.

 

My two main devices that I have to connect are a Mac and an iPhone. I did have an issue early on where I could connect with my computer but not my phone. I changed the preshared key to something without any special characters and then it worked. I changed the key back to what I originally had with the special characters, and it worked again.

 

My config of the VPN is shown below.

 

Any thoughts? Any log I can turn on so I can see what may be being rejected?

 

 

 

ipsec {
    auto-firewall-nat-exclude enable
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
        allowed-network 10.0.10.0/24 {
        }
        allowed-network 10.0.100.0/24 {
        }
    }
    nat-traversal enable
}
l2tp {
    remote-access {
        authentication {
            local-users {
                username ***username*** {
                    password ***password***
                }
            }
            mode local
        }
        client-ip-pool {
            start 10.0.100.222
            stop 10.0.100.239
        }
        dns-servers {
            server-1 8.8.8.8
            server-2 8.8.4.4
        }
        ipsec-settings {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ***PASSWORD***
            }
            ike-lifetime 7200
        }
        outside-address ***Outside Static IP***
        outside-nexthop ***ISP Gateway***
    }
}

Edgerouter Lite WAN/LAN different traffic


Hi,

 

I have had my ERlite3 for a couple of weeks now and I have some strange issues.

Yesterday I didn't get any DNS responses from my ER and no response from my web UI. I needed to pull out the power supply to restart the router. After this everything was fine again.

 

Today I got some traffic that was slowing down; when I logged into the router I saw different traffic between WAN and LAN?

Is this normal/explainable? Where does the traffic go to?

 

thx

 

btw: the ERlite runs pretty hot

 

printscreen from the issue:

ERlitetraffic.png

Dual Wan unique configuration


I have a dual WAN setup I'm trying to deploy. I need everything on eth1 to ALWAYS go out on eth0. Everything on eth1.20 should go out on eth2 unless it's down. Both WAN interfaces have LAN addresses though. I was unable to get the hardware to work in a bridged mode so I had to basically DMZ it. The WAN IPs are all assigned by DHCP.

 

eth0 is 192.168.1.64/24

eth1 is 10.0.1.2/24

eth1.20 is 172.16.20.1

eth2 is 10.x.x.x

 

When I make the failover group and apply the modify firewall rules to eth1.20, eth1 can no longer go out on the internet over eth0. The only way I was able to get it working was to create another load balancing group that only has eth0 in it and apply it to eth1. However I'm getting some strange things happening. For example, VoIP phones that are supposed to be going out over eth2 will register with the WAN IP of eth0, BUT send all the RTP traffic over eth2. eth0 is a DSL with a pathetic upload so it isn't suited to VoIP, but eth2 is LTE.

 

I'm not sure if I'm having routing problems because both eth1 and eth2 are in the 10.x.x.x subnet. But it doesn't seem right that I need to put both interfaces into a load balancing group if only 1 of them is going to be using a failover.

 

Help configuring IPv6 for BT UK


 

Hi,

 

I've been fighting with IPv6 on my ER-X for the last few days. I'm on BT VDSL in the UK and I'm trying to get IPv6 working correctly. I've got as far as getting IPv6 addresses assigned to my local LAN interface and LAN clients using dhcpv6-pd, but I don't seem to be able to route IPv6 properly.

 

Neither my local clients nor the ER-X appear to be able to route out using IPv6; attempting to ping out results in no response.

 

To add to the confusion, if I ping my ER-X LAN IPv6 address from an external IPv6 server I can see the ping being logged by the ER-X firewall; tcpdump on the PPPoE interface also shows the echo reply being sent back, but it never arrives.

 

Does anyone have any ideas?

 

Thanks in advance

 

 

Further Info:

 

root@Router:/home/ubnt# tcpdump -n -i pppoe0 -vv ip6
tcpdump: listening on pppoe0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:41:52.645735 IP6 (hlim 53, next-header ICMPv6 (58) payload length: 64) 2001:41d0:52:cff::XXZZ > 2a00:23c5:XXYY:3b01::1: [icmp6 sum ok] ICMP6, echo request, seq 1
21:41:52.646226 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a00:23c5:XXYY:3b01::1 > 2001:41d0:52:cff::XXZZ: [icmp6 sum ok] ICMP6, echo reply, seq 1

 

root@Router:/home/ubnt# show ipv6 route

IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime
IP Route Table for VRF "default"
K ::/0 [0/1024] via fe80::221:5ff:feaa:3424, pppoe0, 01:01:22
C ::1/128 via ::, lo, 01:04:13
C 2a00:23c5:XXYY:3b01::/64 via ::, eth0, 01:01:22
C fe80::/10 via ::, pppoe0, 01:03:27
C fe80::/64 via ::, vtun0, 01:03:05

 

root@Router:/home/ubnt# show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 192.168.50.1/24 u/u LAN
2a00:23c5:XXYY:3b01::1/64
eth0.199 192.168.51.1/24 u/u Cameras
eth1 - A/D eth1
eth2 192.168.1.100/24 u/u Modem Management
eth3 - u/D
eth4 10.255.255.255/32 u/u WAN
lo 127.0.0.1/8 u/u
::1/128
pppoe0 86.166.205.XX u/u
switch0 - u/u

hiding router


Hi,

 

I have a network topology whereby I have two ERPROs. One ERPRO does BGP. The "internal" router does firewall, etc. The "internal" router has our public address block, on which servers, VMs, etc. are connected.

 

The two routers are connected using a private network (10.x.x.x) so as to not waste address space.  This is not a problem, but it does break traceroute, as that internal network is visible.

 

Is there some way to hide that internal network?  This would mean not lowering TTL when transiting to the second router.  
