Channel: EdgeRouter topics

EdgeRouter - WAN Failover configurations


I believe I've managed to set up WAN failover using load-balancing on my EdgeRouter PoE. My config.boot file is: https://www.dropbox.com/s/vbir5d2q91wcakc/config.boot.txt?dl=0

Specifically:

* eth1 is the primary internet source, gets a public IP via DHCP
* eth0 is connected to another router (which gives it the IP address 192.168.0.100 via DHCP) that gets its internet from a 3G USB modem. It is configured as failover-only, and eth1 is set up to fail after 10 ping failures to 8.8.8.8.

I'm having some difficulty figuring out how to do a few things:

1) I'd like to access the 3G modem regardless of WAN failover status at 192.168.8.1 from within the LAN (it's connected to the router that's plugged in to eth0).

2) Either have DDNS automatically update when failover happens, or have both interfaces always record their public IPs. Not sure this can work because eth0 doesn't get a public IP from DHCP.

3) Disallow torrent traffic from ever going through eth0, regardless of failover. Alternatively, disallow traffic from Server from ever going through eth0. Could I use QoS for this? Or more generally, have QoS rules that only apply to eth0, regardless of failover status?

4) Can port-forwarding be made to work through eth0 after failover? Either manually configure the port forwarding, or have a script on the load-balancing group that resets wan-interface for port forwarding?


Commit fails when setting up zone-based firewall - router no longer manageable but still functions


This is my first post here, so please forgive me if I miss including any necessary information.

  • EdgeRouter-X v1.9.1
  • eth0 - WAN
  • LAN [192.168.1.0/24]
    • eth1 - old router setup as dumb switch / dhcp forwarder
    • eth2 - disconnected
    • eth3 - FiOS router configured as dumb switch & MoCA adapter for FiOS TV boxes (eth3 > LAN port on switch)
    • eth4 - PoE Ubiquiti AC Lite
    • VLAN [switch0.1001] for Guest wifi (isolated from LAN and goes straight out to WAN via two rulesets).
  • DHCP 192.168.1.1/24
  • DHCP 172.x.x.x/24 (for VLAN 1001)
  • DNS 8.8.8.8 / 8.8.4.4
  • No other changes / configs

I'm trying to set up four zones: WAN, LAN, DMZ and LOCAL.

The reason for the DMZ is to open up the FiOS TV boxes so I can get caller ID and remote DVR working again (long story, but the short version is I put the FiOS router behind the ER-X because I didn't like VZ's backdoor into my network). I planned on logging communications between the TV boxes and WAN once I can get it working again, but figured I'd start by using a DMZ rather than trying my luck with port forwards (which never seemed to work), but I digress.

From my reading I've figured out how to use the CLI to set zones and configure them to use firewall rulesets that I create beforehand in the GUI. Here are my commands:

set zone-policy zone DMZ interface eth3
set zone-policy zone DMZ default-action drop
set zone-policy zone DMZ from WAN firewall name WAN_TO_DMZ
set zone-policy zone DMZ from LAN firewall name LAN_TO_ALL
set zone-policy zone DMZ from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone WAN interface eth0
set zone-policy zone WAN from LAN firewall name LAN_TO_ALL
set zone-policy zone WAN from DMZ firewall name DMZ_TO_WAN
set zone-policy zone WAN from LOCAL firewall name LOCAL_TO_ALL
set zone-policy zone WAN default-action drop

set zone-policy zone LAN interface eth1
set zone-policy zone LAN interface eth2
set zone-policy zone LAN interface eth4
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from DMZ firewall name DMZ_TO_LAN
set zone-policy zone LAN from WAN firewall name WAN_TO_LAN
set zone-policy zone LAN from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from DMZ firewall name DMZ_TO_LOCAL
set zone-policy zone LOCAL from LAN firewall name LAN_TO_ALL
set zone-policy zone LOCAL from WAN firewall name WAN_TO_LOCAL

When I commit these changes, I see an error "another app is currently holding the xtables lock. perhaps you want to use the -w option?", then something about the WAN zone, and then the commit fails. Then I lose connection to the GUI (I'm using the CLI inside the GUI).

Oddly enough, the router still functions; I can get to the internet and am posting this right now even though I can't get back in at 192.168.1.1.

I've really tried to double-check my work, but I'm not familiar enough to know if these commands are incorrect for my goal.

The only questions I can think of right now:

  1. Could the problem be trying to set multiple interfaces to one zone (LAN in this case)?
  2. Should I be setting the interface for LAN zone as switch0?
    1. If I do that, won't the DMZ zone fall under LAN since switch0 encompasses all interfaces other than eth0?
    2. Should I try creating LAN1, LAN2, LAN4 as separate zones, and duplicating firewall rules? (A lot of typing I guess but would that work?)
  3. Shouldn't my default-action for the LOCAL zone be accept? (I watched a video and double-checked the author's notes, and he indeed wrote "drop" for LOCAL default-action.)

Other than that, any advice or insight would be most helpful. For now I will reset the router and reload my backup config.


Thanks!
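
An added example, not from the post above and not Ubiquiti's code: a small Python checker that parses `set zone-policy` commands of the form quoted above and reports the consistency problems that are cheap to catch before a commit, such as an interface assigned to two zones, a `from` clause naming an undeclared zone, or a zone pair with no ruleset at all, in which case the destination zone's default-action silently applies (for a LOCAL zone with `default-action drop`, that is exactly how management access to the router gets lost). `ZONE_POLICY_COMMANDS` holds the poster's own commands; `BROKEN_COMMANDS` is a variant I constructed to show what a failing check looks like. The checks are generic and do not reproduce EdgeOS's own commit validation, nor do they explain the xtables lock message.

```python
"""Consistency checks for EdgeOS zone-policy commands, run before `commit`."""
import re
from collections import defaultdict

# Sample input: the zone-policy commands quoted in the post above, verbatim.
ZONE_POLICY_COMMANDS = """\
set zone-policy zone DMZ interface eth3
set zone-policy zone DMZ default-action drop
set zone-policy zone DMZ from WAN firewall name WAN_TO_DMZ
set zone-policy zone DMZ from LAN firewall name LAN_TO_ALL
set zone-policy zone DMZ from LOCAL firewall name LOCAL_TO_ALL
set zone-policy zone WAN interface eth0
set zone-policy zone WAN from LAN firewall name LAN_TO_ALL
set zone-policy zone WAN from DMZ firewall name DMZ_TO_WAN
set zone-policy zone WAN from LOCAL firewall name LOCAL_TO_ALL
set zone-policy zone WAN default-action drop
set zone-policy zone LAN interface eth1
set zone-policy zone LAN interface eth2
set zone-policy zone LAN interface eth4
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from DMZ firewall name DMZ_TO_LAN
set zone-policy zone LAN from WAN firewall name WAN_TO_LAN
set zone-policy zone LAN from LOCAL firewall name LOCAL_TO_ALL
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from DMZ firewall name DMZ_TO_LOCAL
set zone-policy zone LOCAL from LAN firewall name LAN_TO_ALL
set zone-policy zone LOCAL from WAN firewall name WAN_TO_LOCAL
"""

# Constructed broken variant: LAN loses its LOCAL ruleset and eth1 is put in two zones.
BROKEN_COMMANDS = ZONE_POLICY_COMMANDS.replace(
    "set zone-policy zone LAN from LOCAL firewall name LOCAL_TO_ALL\n", ""
) + "set zone-policy zone DMZ interface eth1\n"

_CMD = re.compile(r"^set zone-policy zone (\S+) (.+)$")


def parse_zone_policy(text):
    """Build {zone: {interfaces, default_action, local_zone, from}} from `set` lines."""
    zones = defaultdict(lambda: {"interfaces": [], "default_action": None,
                                 "local_zone": False, "from": {}})
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _CMD.match(line)
        if not match:
            raise ValueError("not a zone-policy command: " + line)
        name, rest = match.groups()
        parts = rest.split()
        zone = zones[name]
        if parts[0] == "interface" and len(parts) == 2:
            zone["interfaces"].append(parts[1])
        elif parts[0] == "default-action" and len(parts) == 2:
            zone["default_action"] = parts[1]
        elif parts == ["local-zone"]:
            zone["local_zone"] = True
        elif len(parts) == 5 and parts[0] == "from" and parts[2:4] == ["firewall", "name"]:
            zone["from"][parts[1]] = parts[4]   # ruleset for traffic from parts[1] into this zone
        else:
            raise ValueError("unrecognised zone-policy statement: " + line)
    return dict(zones)


def check_zone_policy(zones):
    """Return a sorted list of human-readable findings (empty when nothing looks wrong)."""
    findings = []
    local_zones = [n for n, z in zones.items() if z["local_zone"]]
    if len(local_zones) != 1:
        findings.append("expected exactly one local-zone, found %d" % len(local_zones))
    owner = {}
    for name, zone in zones.items():
        if zone["local_zone"] and zone["interfaces"]:
            findings.append("local zone %s must not list interfaces" % name)
        if not zone["local_zone"] and not zone["interfaces"]:
            findings.append("zone %s has no interface" % name)
        if zone["default_action"] is None:
            findings.append("zone %s has no default-action" % name)
        for iface in zone["interfaces"]:
            if iface in owner:
                findings.append("interface %s is in both %s and %s" % (iface, owner[iface], name))
            owner[iface] = name
        for src in zone["from"]:
            if src not in zones:
                findings.append("zone %s: 'from %s' references an undeclared zone" % (name, src))
    # Every ordered pair of zones needs a ruleset; otherwise the destination zone's
    # default-action decides, and with LOCAL at `drop` that means a management lockout.
    for dst, zone in zones.items():
        for src in zones:
            if src != dst and src not in zone["from"]:
                findings.append("no ruleset for traffic %s -> %s (default-action %s applies)"
                                % (src, dst, zone["default_action"]))
    return sorted(findings)


def check_commands(text):
    return check_zone_policy(parse_zone_policy(text))


if __name__ == "__main__":
    print("poster's commands:", check_commands(ZONE_POLICY_COMMANDS) or "no findings")
    for finding in check_commands(BROKEN_COMMANDS):
        print("broken variant:", finding)
```

Paste the output of `show configuration commands | match zone-policy` into `check_commands` to run the same checks against a live box; an empty result only means the policy is internally consistent, not that the rulesets it names permit the traffic you need.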


ARP Not Clearing


Long time listener, first time caller to the forum.

Strange behaviour, it seems, with 1.9.1... It appears that the ARP table is not clearing...

Version: v1.9.1
Build ID: 4939098
Build on: 12/14/16 07:33
Copyright: 2012-2016 Ubiquiti Networks, Inc.
HW model: EdgeRouter Pro 8-Port

I cannot comment on whether this has always been the case, but after dealing with some client troubleshooting it was very concerning/annoying.

This is after a few days (entries below). I cleared ARP when I first noticed.

Anyone else seen/experienced this?

...

172.16.39.98 ether 00:0a:b0:04:98:fb C eth5
172.16.35.123 ether 00:21:b6:00:34:c8 C eth3
172.16.36.200 (incomplete) eth6
172.16.37.165 ether ac:cc:8e:15:a6:3f C eth7
172.16.37.21 ether 90:b1:1c:2f:92:82 C eth7

...

172.16.35.19 ether 00:0d:ad:02:80:52 C eth3
172.16.37.30 ether 98:90:96:b6:23:33 C eth7
172.16.39.96 (incomplete) eth5
172.16.35.121 ether 00:21:b6:00:31:b8 C eth3
172.16.37.183 ether ac:cc:8e:16:ef:57 C eth7

Thanks!
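
An added example, not from the post: a parser for the Linux `arp`-style lines quoted above that counts `(incomplete)` entries per interface and lists MAC addresses that appear against more than one IP. A shared MAC is not a problem by itself (a router or a VM host legitimately answers for several addresses), but when a table is not aging out, it is the quickest way to spot entries that have outlived the host. `ARP_TABLE` is the poster's lines plus one constructed entry (172.16.37.200) that reuses a MAC from the list.

```python
"""Parse `arp` output and summarise what a non-aging table looks like."""
import re
from collections import defaultdict

# Constructed sample: the arp lines quoted in the post above, plus one extra
# entry (172.16.37.200) that deliberately reuses the MAC of 172.16.37.21.
ARP_TABLE = """\
172.16.39.98 ether 00:0a:b0:04:98:fb C eth5
172.16.35.123 ether 00:21:b6:00:34:c8 C eth3
172.16.36.200 (incomplete) eth6
172.16.37.165 ether ac:cc:8e:15:a6:3f C eth7
172.16.37.21 ether 90:b1:1c:2f:92:82 C eth7
172.16.35.19 ether 00:0d:ad:02:80:52 C eth3
172.16.37.30 ether 98:90:96:b6:23:33 C eth7
172.16.39.96 (incomplete) eth5
172.16.35.121 ether 00:21:b6:00:31:b8 C eth3
172.16.37.183 ether ac:cc:8e:16:ef:57 C eth7
172.16.37.200 ether 90:b1:1c:2f:92:82 C eth7
"""

# "<ip> ether <mac> <flags> <iface>"  (the Mask column is empty, so it does not appear)
_COMPLETE = re.compile(r"^(\S+)\s+ether\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)$")
# "<ip> (incomplete) <iface>"  -- a pending/failed resolution
_INCOMPLETE = re.compile(r"^(\S+)\s+\(incomplete\)\s+(\S+)$")


def parse_arp_table(text):
    """Return one dict per entry; mac is None for (incomplete) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Address"):   # blank or the header line
            continue
        match = _COMPLETE.match(line)
        if match:
            ip, mac, flags, iface = match.groups()
            entries.append({"ip": ip, "mac": mac, "flags": flags, "iface": iface})
            continue
        match = _INCOMPLETE.match(line)
        if match:
            ip, iface = match.groups()
            entries.append({"ip": ip, "mac": None, "flags": "", "iface": iface})
            continue
        raise ValueError("unparsed arp line: " + line)
    return entries


def incomplete_by_interface(entries):
    """How many unresolved entries each interface is holding."""
    counts = defaultdict(int)
    for entry in entries:
        if entry["mac"] is None:
            counts[entry["iface"]] += 1
    return dict(counts)


def macs_with_multiple_ips(entries):
    """MACs that the table maps to more than one IP (stale entries, or a multi-homed host)."""
    ips = defaultdict(set)
    for entry in entries:
        if entry["mac"]:
            ips[entry["mac"]].add(entry["ip"])
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


def summarize(text):
    entries = parse_arp_table(text)
    return {"total": len(entries),
            "incomplete": incomplete_by_interface(entries),
            "shared_macs": macs_with_multiple_ips(entries)}


if __name__ == "__main__":
    for key, value in summarize(ARP_TABLE).items():
        print(key, value)
```

Feeding it two snapshots taken a day apart and diffing the two `parse_arp_table` results shows directly which entries never left the table.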



Frequent Disconnections with EdgeRouter


I am having frequent disconnections to my EdgeRouter Lite connected to Google Fiber. Websites will fail to load every couple of minutes. If I leave the EdgeOS web interface up, it will disconnect every few minutes. I have eth1 connected to the Fiber Jack and eth0 connected to a dumb switch (Netgear GS105), which is connected to a few wired devices as well as a UniFi UAP-AC-Pro. Multiple devices are connected to the UniFi AP. I am not using any of the VLANs. Here's my configuration. Is there anything that's obviously wrong?

Thanks a bunch in advance!

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group PUBLIC_DEVICES {
            address 192.168.1.3
            address 192.168.1.4
            address 192.168.1.5
            description "Public Devices"
        }
        network-group LAN_NETWORKS {
            description "LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-name WAN6_IN {
        default-action drop
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
    }
    ipv6-name WAN6_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            icmpv6 {
            }
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-name WAN6_OUT {
        default-action accept
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "LAN to Internal"
        rule 10 {
            action drop
            description "drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name PROTECT_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 19 {
            action accept
            description "Accept Public Devices"
            destination {
                group {
                    address-group PUBLIC_DEVICES
                }
            }
        }
        rule 20 {
            action drop
            description "Drop LAN_NETWORKS"
            destination {
                group {
                    network-group LAN_NETWORKS
                }
            }
            protocol all
        }
    }
    name PROTECT_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to Internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to Router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 40 {
            action accept
            description "Allow OpenVPN"
            destination {
                port 1194
            }
            protocol udp
        }
    }
    name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1460
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            out {
            }
        }
        speed auto
        vif 102 {
            address 172.16.1.1/24
            description "Guest Network"
            firewall {
                in {
                    name PROTECT_IN
                }
                local {
                    name PROTECT_LOCAL
                }
            }
        }
        vif 103 {
            address 192.168.100.1/24
            description Devices
            firewall {
                in {
                    name PROTECT_IN
                }
                local {
                    name PROTECT_LOCAL
                }
            }
        }
    }
    ethernet eth1 {
        description "Google Fiber Jack"
        duplex auto
        speed auto
        vif 2 {
            address dhcp
            description "Google Fiber WAN"
            dhcpv6-pd {
                pd 0 {
                    interface eth0 {
                        host-address ::1
                        prefix-id :0
                        service slaac
                    }
                    interface eth0.102 {
                        host-address ::1
                        prefix-id :1
                        service slaac
                    }
                    interface eth2 {
                        host-address ::1
                        prefix-id :2
                        service slaac
                    }
                    prefix-length /56
                }
                rapid-commit enable
            }
            egress-qos 0:3
            firewall {
                in {
                    ipv6-name WAN6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WAN6_LOCAL
                    name WAN_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        address 192.168.200.1/24
        description Wired
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            out {
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    wan-interface eth1.2
}
protocols {
    static {
        arp 192.168.1.2 {
            hwaddr x:x:x:x:x:x
        }
        arp 192.168.1.3 {
            hwaddr x:x:x:x:x:x
        }
        arp 192.168.1.4 {
            hwaddr x:x:x:x:x:x
        }
        arp 192.168.1.5 {
            hwaddr x:x:x:x:x:x
        }
        arp 192.168.1.10 {
            hwaddr x:x:x:x:x:x
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name Admin {
            authoritative disable
            subnet 192.168.200.0/24 {
                default-router 192.168.200.1
                dns-server 192.168.200.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.200.101 {
                    stop 192.168.200.254
                }
            }
        }
        shared-network-name Devices {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.100.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.100.101 {
                    stop 192.168.100.254
                }
            }
        }
        shared-network-name Guest {
            authoritative disable
            subnet 172.16.1.0/24 {
                default-router 172.16.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.16.1.101 {
                    stop 172.16.1.254
                }
            }
        }
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.101 {
                    stop 192.168.1.254
                }
                static-mapping ASUSRT-AC68U {
                    ip-address 192.168.1.10
                    mac-address x:x:x:x:x:x
                }
                static-mapping BrotherPrinter {
                    ip-address 192.168.1.5
                    mac-address x:x:x:x:x:x
                }
                static-mapping DenonAVR {
                    ip-address 192.168.1.3
                    mac-address x:x:x:x:x:x
                }
                static-mapping VizioTV {
                    ip-address 192.168.1.4
                    mac-address x:x:x:x:x:x
                }
                static-mapping raspberrypi {
                    ip-address 192.168.1.2
                    mac-address x:x:x:x:x:x
                }
                unifi-controller 192.168.1.2
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth1.2 {
                service dyndns {
                    host-name xxxxxxx.ddns.net
                    login xxxxxxxx
                    password xxxxxxxxxx
                    server dynupdate.no-ip.com
                }
            }
        }
        forwarding {
            cache-size 1000
            listen-on eth0
            listen-on eth0.102
            listen-on eth0.103
            listen-on eth2
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "Masquerade for WAN"
            log disable
            outbound-interface eth1.2
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on eth0
        nat-pmp disable
        secure-mode disable
        wan eth1.2
    }
}
system {
    host-name Edgerouter-Lite
    login {
        user tocirahl {
            authentication {
                encrypted-password xxxxxxxxxxx
                plaintext-password ""
            }
            full-name "Li Ma"
            level admin
        }
    }
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    package {
        repository debian {
            components main
            distribution wheezy
            password ""
            url http://ftp.us.debian.org/debian
            username ""
        }
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi enable
        export enable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939093.161214.0705 */

Mystery DHCP using R7000 as AP


I am going to apologize in advance because networking is not my forte; I bought this little guy as a chance to learn more. So sorry if I misstate anything or am too vague; it's not on purpose.

I have a simple setup. I was using an R7000 as my router/AP and, after building my home with Cat6 runs, decided to get a dedicated router and use the R7000 as an AP/switch only.

So I configured the EdgeMAX with 1 VLAN and one DHCP service handing out 192.168.2.x IPs.

The R7000 was reset and configured using the out-of-box AP Mode functionality which, if you are unfamiliar, locks down all functionality, disables DHCP, and allows you to assign a static IP if you wish (which I did so I could interact via the UI if needed). SSIDs configured properly and all seems well.

But the craziest of things occurs. When I hop on either of the two broadcast SSIDs, DHCP kicks the client a 192.168.7.x IP. I am flabbergasted by this. Even if it were the R7000 doing this, I would expect an IP on its default 192.168.1.x subnet.

Yes, I have confirmed there is only 1 DHCP service set up.

I have scoured the web, I have scoured EdgeOS, I have scoured Netgear's UI, and I cannot for the life of me figure out how I'm getting a 192.168.7.x IP.

I have tried everything. This setup seems pretty straightforward. I'd dump this box and get a UBNT AP, but I'm worried I have something set up wrong on the EdgeMAX side and would be in the same boat.

Any thoughts? Can I provide anything to assist in figuring this out?
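
An added example, not from the post: a parser for one captured DHCPv4 payload that reports the offered address and the server identifier (option 54) of whoever answered. That option, together with the source MAC of the frame in the capture, is what identifies the device handing out the unexpected 192.168.7.x leases. The OFFER bytes here are constructed with `build_offer` rather than captured; the expected-server address 192.168.2.1 is an assumption standing in for the EdgeMAX on the poster's 192.168.2.x subnet. On a real LAN the payload would be the UDP body of an offer seen on the client's port 68.

```python
"""Decode a DHCPv4 OFFER/ACK payload and check which server answered."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(value):
    return str(ipaddress.IPv4Address(bytes(value)))


def build_offer(yiaddr, server_id, subnet_mask, router, xid=0x3903F326,
                client_mac="00:11:22:33:44:ff"):
    """Construct a minimal DHCPOFFER payload (used only to build sample input here)."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0x8000,              # BOOTREPLY, Ethernet, hlen 6, broadcast flag
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
        ipaddress.IPv4Address(server_id).packed, b"\0" * 4,
        chaddr, b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x02"                                             # 53: OFFER
               + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed     # 54: server identifier
               + b"\x01\x04" + ipaddress.IPv4Address(subnet_mask).packed   # 1: subnet mask
               + b"\x03\x04" + ipaddress.IPv4Address(router).packed        # 3: router
               + b"\x33\x04" + struct.pack("!I", 86400)                    # 51: lease time
               + b"\xff")                                                  # 255: end
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Return the fields needed to attribute a lease: who offered what to whom."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {
        "op": "reply" if op == 2 else "request",
        "xid": xid,
        "client_mac": payload[28:28 + hlen].hex(":") if 0 < hlen <= 16 else None,
        "offered_ip": _ip(payload[16:20]),
        "message_type": MESSAGE_TYPES.get(options[53][0], "unknown") if 53 in options else None,
        "server_id": _ip(options[54]) if 54 in options else None,
        "subnet_mask": _ip(options[1]) if 1 in options else None,
        "router": _ip(options[3]) if 3 in options else None,
        "lease_seconds": struct.unpack("!I", options[51])[0] if 51 in options else None,
    }


def is_unexpected_server(parsed, expected_servers):
    """True when an OFFER/ACK carries a server identifier outside the allow-list."""
    return parsed["message_type"] in ("OFFER", "ACK") and parsed["server_id"] not in expected_servers


# Constructed sample: an OFFER for a 192.168.7.x address from an unknown server,
# checked against the one DHCP server that should exist on the LAN (assumed address).
SAMPLE_OFFER = build_offer("192.168.7.50", "192.168.7.1", "255.255.255.0", "192.168.7.1")
EXPECTED_SERVERS = {"192.168.2.1"}

if __name__ == "__main__":
    info = parse_dhcp(SAMPLE_OFFER)
    print(info)
    print("unexpected server:", is_unexpected_server(info, EXPECTED_SERVERS))
```

The server identifier is an IP the rogue device chose for itself, so it can be anything; the Ethernet source address of the captured frame is the value to look up on the switch or in the R7000's client list.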

Load Balance + IPv6 - Is it possible?


Maybe it is a noob question, but is it possible to use load balancing and IPv6? And how? I have 2 DSL lines; both have IPv6, but I didn't enable it on the EdgeRouter, I just used the wizard.

Edgemax Set up issue with DHCP


Hey all!

So I'm an audio engineer and my IT knowledge isn't the best, though I know how it needs to work.

I have an EdgeMAX router and UP AP outdoor.

Please look at the picture for how I need it to be set up.

Any help would be appreciated.

DHCPv6 static lease not working with dhclient


I have a nice setup with my IPv6. It works perfectly except for my Ubuntu boxes.

On my Ubuntu boxes, dhclient is ignoring the lease advertisement when I set a static IPv6 on the EdgeMAX.

For more info:

my switch0 config:

    switch switch0 {
        address 10.10.10.1/24
        address 2001:xxxx:xxxx:dead::1/64
        description LAN
        dhcpv6-options {
        }
        firewall {
            in {
                name PROTECT_LAN
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                default-preference high
                link-mtu 0
                managed-flag true
                max-interval 600
                other-config-flag true
                prefix 2001:xxxx:xxxx:dead::/64 {
                    autonomous-flag false
                    on-link-flag true
                    valid-lifetime 86400
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }

My Ipv6 settings (pool):

    dhcpv6-server {
        shared-network-name switch0_V6POOL {
            subnet 2001:xxxx:xxxx:dead::/64 {
                address-range {
                    start 2001:xxxx:xxxx:dead::2 {
                        stop 2001:xxxx:xxxx:dead::ffff:ffff
                    }
                }
                domain-search lan
                lease-time {
                    default 3600
                }
                name-server 2001:4860:4860::8888
                name-server 2001:4860:4860::8844
                static-mapping athina {
                    identifier 00:01:00:01:20:00:99:xx:00:16:3e:xx:e3:5e
                    ipv6-address 2001:xxxx:xxxx:dead::4
                }
                static-mapping bastion {
                    identifier 00:01:00:01:20:00:35:xx:00:16:3e:xx:40:99
                    ipv6-address 2001:xxxx:xxxx:dead::2
                }
                static-mapping mac {
                    identifier 00:01:00:01:1f:61:9b:xx:c4:b3:01:xx:3b:8f
                    ipv6-address 2001:xxxx:xxxx:dead::bee
                }
            }
        }

My bastion/athina, which now run Ubuntu 16.04 (previously Debian 7 and 8), do not accept any static-mapping. But my Mac works flawlessly.

If I kill dhclient and switch to dhcpcd5, then static leases work. For some reason dhclient is behaving in a strange way.

Any experience with these issues?
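
An added example, not from the post: the `identifier` values in the static-mapping stanzas above are DHCPv6 DUIDs (the first two bytes `00:01` mark DUID-LLT: hardware type, a timestamp counted from 2000-01-01 UTC, then the link-layer address), and a static lease can only match when the client presents exactly that byte string. This decoder takes the colon-separated form EdgeOS uses and, on the assumption that ISC dhclient stores its `default-duid` in its lease file as a backslash-octal quoted string, that form as well, so the two can be compared byte for byte. `COLON_SAMPLE` is the post's first identifier with the masked `xx` bytes replaced by constructed values; `OCTAL_SAMPLE` is the same DUID in the octal form.

```python
"""Decode DHCPv6 DUIDs such as the `identifier` values in EdgeOS static-mapping stanzas."""
import datetime
import re
import struct

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
HW_TYPES = {1: "Ethernet", 6: "IEEE 802", 27: "EUI-64"}
DUID_LLT_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)  # DUID-LLT time base

# Constructed sample: the post's first identifier with its masked "xx" bytes replaced.
COLON_SAMPLE = "00:01:00:01:20:00:99:aa:00:16:3e:12:e3:5e"
# The same DUID in backslash-octal quoted form (assumed ISC dhclient lease-file format).
OCTAL_SAMPLE = r'\000\001\000\001 \000\231\252\000\026>\022\343^'


def duid_from_colon_string(text):
    return bytes.fromhex(text.replace(":", ""))


def _unescape(match):
    token = match.group(1)
    return chr(int(token, 8)) if len(token) == 3 else token


def duid_from_octal_string(text):
    """Turn "\\000\\001..." (printable bytes kept literal) back into raw bytes."""
    return re.sub(r"\\([0-7]{3}|.)", _unescape, text).encode("latin-1")


def parse_duid(duid):
    """Split a DUID into its type-specific fields."""
    if len(duid) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    dtype = struct.unpack("!H", duid[:2])[0]
    info = {"type": DUID_TYPES.get(dtype, "unknown(%d)" % dtype), "raw": duid.hex(":")}
    if dtype in (1, 3):                                   # DUID-LLT / DUID-LL
        if len(duid) < (8 if dtype == 1 else 4):
            raise ValueError("truncated " + info["type"])
        hw = struct.unpack("!H", duid[2:4])[0]
        info["hw_type"] = HW_TYPES.get(hw, "unknown(%d)" % hw)
        body = duid[4:]
        if dtype == 1:                                    # 32-bit seconds since 2000-01-01
            seconds = struct.unpack("!I", body[:4])[0]
            info["generated"] = (DUID_LLT_EPOCH + datetime.timedelta(seconds=seconds)).isoformat()
            body = body[4:]
        info["link_layer"] = body.hex(":")
    elif dtype == 2:                                      # DUID-EN: enterprise number + opaque id
        if len(duid) < 6:
            raise ValueError("truncated DUID-EN")
        info["enterprise"] = struct.unpack("!I", duid[2:6])[0]
        info["identifier"] = duid[6:].hex()
    elif dtype == 4:                                      # DUID-UUID: exactly 16 bytes
        if len(duid) != 18:
            raise ValueError("DUID-UUID must be 18 bytes")
        info["uuid"] = duid[2:].hex()
    return info


def same_client(configured, observed):
    """Byte-for-byte comparison: a static lease matches only an identical DUID."""
    return configured == observed


if __name__ == "__main__":
    duid = duid_from_colon_string(COLON_SAMPLE)
    print(parse_duid(duid))
    print("lease file DUID matches config:", same_client(duid, duid_from_octal_string(OCTAL_SAMPLE)))
```

Because the DUID-LLT timestamp records when the client first generated its identifier, a decoded date later than the one you configured is a quick sign that the client has regenerated its DUID (for example after a reinstall) and the static mapping no longer refers to it.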



Multiple subnets


Hello,

I bought the EdgeRouter X and I think I managed to set it up so the basics work, but I can't figure out how to give other subnets internet access as well.

On eth0 the internet comes in.

I have the 'switch0' with a manual IP (from the basic wizard), which is 192.168.178.1/24.

But my wifi access points have guest networks, and those use 192.168.179.1/24.

How can I give those internet access as well? And by doing so, will they also be able to access 192.168.178.* addresses?

I tried adding another manual IP 192.168.179.1/24 but it doesn't seem to work.

Thanks in advance

trying to determine source of log message


I noticed a message on my EdgeRouter log monitor, and am trying to determine the source.

ubnt xl2tpd[32457]: Maximum retries exceeded for tunnel 39471

I've only enabled the VPN tunnel for one person, me, and only on two devices.

The times these messages are being generated (once every couple of days to twice a day) I am not tunneling in, and neither device is configured to auto-connect.

I have a syslog server set up, but I don't see these messages being transferred to the server; they only show up in the Log Monitor UI.

I just want to figure out how I can get to the actual full log data so I can determine if I am somehow doing this or if someone else is.

Thanks!

-Chip

setting up edge router x


Need help please.

We have an outside IP and we have NATed it to our own IP scheme, 172.20.x.x.

Can't delete static route


In the GUI view, there is a static default route no one recalls adding. (Our default routes should only be coming via OSPF.) But there is no action button for this route, so it can't be deleted via the GUI.

Going into the CLI, the route is not visible. What is going on here?

(Screenshots: GUI view, CLI view)

Load-balance watchdog hangs on 1.9.0 after failover


I have an ER-8 running 1.9.0 with dual WAN configured in a failover-only mode. When the router goes into failover mode, it won't fail back. The watchdog results for pings/fails never increment on the primary WAN (eth0); however, they do increment on the failover WAN (eth1). Rebooting the router fixes the issue and causes it to resume using the primary WAN (eth0).

Any idea what's going on?

(Screenshots: GAA_watchdog.PNG, GAA_watchdog2.PNG)

EdgeRouter X - VLAN existing guest network for IoT


Common theme of being paranoid about IoT, even the big guys, Nest, Ring...

Typical home configuration.

I have an existing Asus RT-AC68U wireless router and would like to add an EdgeRouter X to secure the Asus's guest network. Is this possible?

If not, I suppose I could run an old wireless router as a guest-network wireless access point and set up a VLAN for it on one of the EdgeRouter X's ports.

Is this a viable configuration - ER Poe5


I currently have my ER PoE-5 set up like this:

eth0 - ISP

eth1 - nothing

eth2-4 setup as switch for my local lan with:

--eth2 - connected to 8 port switch #1

--eth3 - PoE enabled to AP

--eth4 - connected to 8 port switch #2

I just got a Cloud Key to replace my VM with the controller, as it's become troublesome for me to keep the VM going reliably on my machine (hardware issue), and I scored it for a good deal. I'd like to use eth1, enable PoE and keep my configuration the same. Can I set up a secondary private subnet on eth1 and route to it from my local network without causing any other ill effects?

So for instance:

current local LAN is 192.168.20.0/24

add subnet 192.168.30.0/24 to eth1 and plug the Cloud Key in there.


OpenVPN Site-to-Site disconnecting on 1.9.1


I set up our OpenVPN tunnel between an EdgeRouter and an EdgeRouter Lite on 1.9.0 after hours of trying to get IPsec to work with no luck. It was working great until I updated our routers to 1.9.1. Now it frequently loses connection. Tried running "reset openvpn interface vtun0" to resolve the issue with no luck; it returns "invalid interface". The "restart vpn" command doesn't work because it only applies to IPsec VPNs (pretty dumb).

The only way to resolve the issue is to reboot the ERL at the remote office, which, to say the least, is extremely inconvenient for everyone in the remote office. Guess I'll roll back to 1.9.0 when I get a chance. The configs for both routers are attached. Forgive me if I made errors when I sanitized them.

Load balance or failover? How to reverse? (should be easy)


So we had a fast (eth1) and a slow connection (eth2), but changed to a fast (eth1) and superfast (eth2) setup.

The load balance was working fine before, but now we need to swap the interfaces' priority.

admin@edge-rt-nyc# show load-balance
 group PRIMARY {
     interface eth1 {
         route {
             default
         }
     }
     interface eth2 {
         failover-only
         route {
             table 2
         }
     }
 }
 group SECONDARY {
     interface eth1 {
         failover-only
         route {
             default
         }
     }
     interface eth2 {
         route {
             table 2
         }
     }
 }
[edit]
admin@edge-rt-nyc# show firewall modify
 modify GUEST_WLB {
     description "GUEST load balancing prefer secondary ISP"
     rule 10 {
         action modify
         destination {
             address !192.168.0.0/16
         }
         modify {
             lb-group SECONDARY
         }
     }
 }
 modify VPN_IN {
     description "Mark inbound VPN packets so they dont go to WLB tables"
     rule 10 {
         action modify
         modify {
             mark 192168
         }
         source {
             address 192.168.0.0/16
         }
     }
 }
 modify WAN_WLB {
     description "LAN/DMZ/AVS load balancing prefer primary ISP"
     rule 5 {
         action accept
         description "Do not load balance xfer server which we will NAT back in"
         destination {
             address 100.200.100.230/32
         }
     }
     rule 10 {
         action modify
         description "Load balance anything else thats not local or VPN bound"
         destination {
             address !192.168.0.0/16
         }
         modify {
             lb-group PRIMARY
         }
     }
 }
[edit]
admin@edge-rt-nyc:~$ show load-balance status
Group PRIMARY
  interface   : eth1
  carrier     : up
  status      : active
  gateway     : 100.200.100.225
  route table : 201
  weight      : 100%
  flows
      WAN Out : 301000
      WAN In  : 7763
    Local Out : 277

  interface   : eth2
  carrier     : up
  status      : failover
  route table : 2
  weight      : 0%
  flows
      WAN Out : 0
      WAN In  : 0
    Local Out : 0

Group SECONDARY
  interface   : eth2
  carrier     : up
  status      : active
  route table : 2
  weight      : 100%
  flows
      WAN Out : 0
      WAN In  : 0
    Local Out : 0

  interface   : eth1
  carrier     : up
  status      : failover
  gateway     : 100.200.100.225
  route table : 202
  weight      : 0%
  flows
      WAN Out : 0
      WAN In  : 0
    Local Out : 0

So it looks like I could 

1- Switch the weights within the PRIMARY and SECONDARY groups

set load-balance group PRIMARY interface eth1 weight 0
set load-balance group PRIMARY interface eth2 weight 100
set load-balance group SECONDARY interface eth1 weight 100
set load-balance group SECONDARY interface eth2 weight 0
commit
save
exit

2- Modify Rule 10 to change it to (but not sure how):

rule 10 {
         action modify
         description "Load balance anything else thats not local or VPN bound"
         destination {
             address !192.168.0.0/16
         }
         modify {
             lb-group SECONDARY
         }
}
or 

3- Change the load-balance Group configurations to:

group PRIMARY {
     interface eth2 {
         route {
             default
         }
     }
     interface eth1 {
         failover-only
         route {
             table 2
         }
     }
 }
 group SECONDARY {
     interface eth2 {
         failover-only
         route {
             default
         }
     }
     interface eth1 {
         route {
             table 2
         }
     }
 }

But I think that might then need the Route table 2 to be adjusted.

or

4- Just rename the load-balance groups, swapping names (assuming the names are what are keyed upon, and that I can do that without disrupting things; I anticipate I would need two changes (first: PRIMARY->SECONDARY2 and SECONDARY->PRIMARY, then a second switch SECONDARY2->SECONDARY) so I don't have a conflict in between the first two renames).

 

I think modifying the rule (option 2) would be the best (followed by just renaming the Groups later to reflect which one has priority, which would be more clear), but option 4 seems like it should also work easily (though I'm not sure how to rename a load-balance group).

 

Any suggestions?
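Whichever option is used, the result should be confirmed rather than assumed. As an added example (not from the original post), the snippet below parses text in the layout of `show load-balance status` and reports any group whose active, full-weight interface is not the intended one; the sample status text is constructed in that layout, not taken from a live router.

```python
import re

# Constructed sample in the layout of EdgeOS "show load-balance status"
# (carrier/flows lines omitted; values illustrative, not from a live router).
SAMPLE_STATUS = """\
Group PRIMARY
  interface   : eth1
  status      : active
  weight      : 100%
  interface   : eth2
  status      : failover
  weight      : 0%
Group SECONDARY
  interface   : eth2
  status      : active
  weight      : 100%
  interface   : eth1
  status      : failover
  weight      : 0%
"""

def parse_status(text):
    # Returns {group: {iface: {"status": str, "weight": int}}}
    groups, group, iface = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Group (\S+)", line)
        if m:
            group = groups.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*(interface|status|weight)\s*:\s*(\S+)", line)
        if not m or group is None:
            continue
        key, val = m.groups()
        if key == "interface":
            iface = group.setdefault(val, {})
        elif key == "weight":
            iface["weight"] = int(val.rstrip("%"))
        else:
            iface["status"] = val
    return groups

def check_preference(text, expected):
    # expected maps group -> interface that must be the only 'active' member
    # and carry 100% weight; returns a list of mismatches (empty when correct)
    problems = []
    status = parse_status(text)
    for group, want in expected.items():
        ifaces = status.get(group, {})
        active = sorted(i for i, d in ifaces.items() if d.get("status") == "active")
        if active != [want] or ifaces.get(want, {}).get("weight") != 100:
            problems.append(f"{group}: active={active}, wanted {want}")
    return problems
```

After swapping the preference, feed the real command output to `check_preference` with the mapping you intend (for example PRIMARY -> eth2, SECONDARY -> eth1) and an empty result means the change took effect.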

Web Content Filter - Options?


I'm currently using Sophos XG for my web content filtering (transparent mode) by utilizing PBR on my EdgeOS. This works fairly well, but sometimes it's cumbersome to get services to work correctly. I'm curious to see what other people are using. This question is 100% geared toward home use, so a free or very low cost solution is what I'm looking for.

 

My goal is to keep my kids away from bad things on the internet. https decryption would be handy for limiting mobile applications as well (picture uploads, etc.)

 

A "free for home use" solution like zScaler would be ideal if it exists.

upnp2 edgerouter PoE error after configuring Error parsing address/mask (or interface name) : eth2


Hello all and thanks in advance for any help!

I love my edgerouter PoE and have had it for a couple years.  I'm an IT professional that's very comfortable on the CLI.  I'm also a gamer so I want to enable UPNP on my edgerouter for my and my wife's gaming computers.

 

Our computers are plugged into eth2 and eth3, the internet connection is eth0.

 

This is what I did on the CLI:

configure

set service upnp2 listen-on eth2

set service upnp2 listen-on eth3

set service upnp2 wan eth0

set service upnp2 nat-pmp enable

commit

 

Then it immediately spits out this on the next line:

[ service upnp2 ]

Error parsing address/mask (or interface name) : eth2
can't parse "eth2" as valid lan address
Error parsing address/mask (or interface name) : eth3
can't parse "eth3" as valid lan address
Usage:
/usr/sbin/miniupnpd [-f config_file] [-i ext_ifname] [-o ext_ip]
[-a listening_ip] [-p port] [-d] [-U] [-S] [-N]
[-u uuid] [-s serial] [-m model_number]
[-t notify_interval] [-P pid_filename] [-z fiendly_name]
[-B down up] [-w url] [-r clean_ruleset_interval]
[-A "permission rule"]
 
Notes:
There can be one or several listening_ips.
Notify interval is in seconds. Default is 30 seconds.
Default pid file is '/var/run/miniupnpd.pid'.
Default config file is '/etc/miniupnpd.conf'.
With -d miniupnpd will run as a standard program.
-S sets "secure" mode : clients can only add mappings to their own ip
-U causes miniupnpd to report system uptime instead of daemon uptime.
-N enable NAT-PMP functionality.
-B sets bitrates reported by daemon in bits per second.
-w sets the presentation url. Default is http address on port 80
-A use following syntax for permission rules :
(allow|deny) (external port range) ip/mask (internal port range)
examples :
"allow 1024-65535 192.168.1.0/24 1024-65535"
"deny 0-65535 0.0.0.0/0 0-65535"
-h prints this help and quits.
But when I check the service it appears fine? :

ubnt@ubnt# show service upnp2
listen-on eth2
listen-on eth3
nat-pmp enable
wan eth0
So I should be set up correctly, right?  It seemed strange to get that error, I am sure eth2 and eth3 are the correct ports.

Thanks again for any help!

EDIT - Originally I said it was an edgerouter LITE, but I forgot I upgraded to an Edgerouter PoE.

Port bridging and Ad Blocking Performance Impact? (EdgeRouter Lite)


Hello!

 

Ok, 2 questions. First, I originally had bridged eth1 and eth2 but I noticed that when there was a lot of traffic on the network DNS resolution would start to take a long time and CPU usage would hover at around 50-60%. I decided to remove the bridge and used this as reference (https://community.ubnt.com/t5/EdgeMAX/New-Edgerouter-Lite-slow-speed/td-p/1059935). I'm just curious, how can I make sure hardware offloading got enabled after I deleted the bridge? I didn't want to restore to factory defaults because of all the port forwarding rules I already have set up, so I just want to make sure the router is in the same state as if I had never even created the bridge.

 

Second, I saw that I could set up the router to block ads on the whole network. (https://help.ubnt.com/hc/en-us/articles/205223340-EdgeMAX-Ad-blocking-content-filtering-using-EdgeRouter) (https://community.ubnt.com/t5/EdgeMAX/Adblocking-at-home-using-EdgeMAX/td-p/623239) However, when I set it up like the tutorial said to, not a lot of ads were getting blocked, so I added more hosts to the list (around 500,000, too many, I know) and DNS resolution started taking a very long time (around 30 seconds max sometimes), so I restored to factory defaults. I was wondering, will setting up ad blocking slow down my router? Have you tried it before? One important thing: the bridge was still set up when I tried this ad blocking thing. I'm asking this because I don't know if the bridge was what slowed it down, or the ad blocking, or a combination of the two.

 

Thanks!

 

P.S: Sorry if I don't make much sense, I'm running on 3 hours of sleep and A LOT of coffee.
