Channel: EdgeRouter topics

Switch ERL against Edgerouter Pro?

Hey there,

 

I currently have an ERL at our company. We (~60 users) have a segmented network with 8 VLANs. I'm very happy with the router, but I now have the option of getting an Edgerouter Pro for "free" (a non-paying renter moved out of our building and left, among other things, an ER-Pro behind).

 

So I basically have the option of selling it on ebay, which would bring me about 200 €, or keep it and sell my ERL for about 50-60 €.

 

It would be nice, as it fits a rack. But are there any real advantages for me? I highly doubt that we need the faster hardware.

The only things that I can think of right now, concern these points:

 

Is there an advantage of having the vlans on actual ports?

 

Does anyone know what the plan for the USB Port is? I saw people trying to connect USB Modems, which would be nice (I currently have a failover WAN that is connected to a DDWrt Router with a 4G Modem, and I wouldn't mind losing the router). Or maybe storage? Anything else?

 

Any input and thoughts are greatly appreciated!

-Tobi


Edgerouter Lite Dual DHCP WAN, not getting IP after disconnect

Hi,

Trying to configure a new EdgeRouter using the dual WAN with the policy based routing.

Using the tutorial from tutorial

 

But I set both eth0 and eth1, which are the WANs, to DHCP (getting the IP from the modem directly).

Initially, both eth0 and eth1 get IPs.

But when I test by pulling one of the cables and plugging it back in, it does not get any IP from the modem anymore (i.e. eth0).
eth0 only gets an IP when I unplug eth1 or restart the ERL.

Have I missed something in the settings?

Details are as follows:
eth0 = WAN DHCP IP
eth1 = WAN DHCP IP
eth2 = LAN 192.168.176.0/24

 

Thanks,

Win

DNS problem

Hi,

 

I have an EdgeRouter X v1.9.1 between my home LAN and my ADSL router.

 

eth0 : LAN (192.168.1.1/24)

eth3 : WAN (192.168.0.1 to ADSL router)

 

System name server : 127.0.0.1

 

>cat /etc/dnsmasq.conf
#
# autogenerated by vyatta-dns-forwarding.pl on Tue Feb  7 13:31:16 CET 2017
#
log-facility=/var/log/dnsmasq.log
interface=eth0
cache-size=400
server=62.197.111.140 # statically configured
server=109.88.203.3 # statically configured
server=8.8.8.8 # statically configured
no-resolv

 

I upgraded to 1.9.1 recently and although I am not 100% sure, the problems date back to the upgrade.

dnsmasq does run, local addresses configured in system static-host-mapping get resolved but that's it.

 

I don't think that there is a firewall problem, since machines on the LAN have DNS resolution and access to the internet (I had to configure static DNS addresses on each one). For instance, I can ping both www.google.com and 172.217.23.4 from the computer I am writing on, BUT I can only ping 172.217.23.4 from the EdgeRouter X, not www.google.com.

 

I must confess I am lost and I cannot install dig or nslookup (ok I could replace the server name with its IP)...

 

Marc

Commit failed, then -> 'RTNETLINK answers: File exists'

Hi,

 

I was adding a new interface to my router, but I had an error in that config: a mentioned firewall rule did not yet exist. So I fixed the config and tried committing again. It looks like said interface was already created in the first commit, but because the commit failed, it was not remembered as created. So now I do have an interface on the router, which would probably work, but the OS thinks it should still create it. And that fails.

 

I'm thinking of trying to remove the vif using `ip link`, but I'm not sure if this will break stuff. The reason that there is no ip address the second time I did show interfaces, is because I removed the ip address with 'ip addr del'. Please advise, rebooting is not an option.

 

 

ubnt@rtr1# set interfaces bonding bond0 vif 214 address 'W.X.Y.V/29'
ubnt@rtr1# set interfaces bonding bond0 vif 214 description 'v-customer'
ubnt@rtr1# set interfaces bonding bond0 vif 214 firewall local name 'to_local'
ubnt@rtr1# set interfaces bonding bond0 vif 214 firewall out name 'customer-out'
ubnt@rtr1# set interfaces bonding bond0 vif 214 vrrp vrrp-group 214 virtual-address 'W.X.Y.Z/32'
ubnt@rtr1# commit
[ interfaces bonding bond0 vif 214 firewall local name to_local ]
Firewall config error: Rule set to_local is not configured

Commit failed
[edit]

[edit interfaces bonding bond0 vif 214 firewall local]
ubnt@rtr1# set name ipv4_to_local
[edit interfaces bonding bond0 vif 214 firewall]
ubnt@rtr1# set local ipv6-name ipv6_to_local
[edit interfaces bonding bond0 vif 214 firewall]
ubnt@rtr1# commit
[ interfaces bonding bond0 vif 214 ]
RTNETLINK answers: File exists

Commit failed

ubnt@rtr1# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
bond0.214    W.X.Y.V/29                    u/u  v-customer

[edit]
ubnt@rtr1# commit
[ interfaces bonding bond0 vif 214 ]
RTNETLINK answers: File exists

[edit]
ubnt@rtr1# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
bond0.214    -                                 A/D  v-customer

Difference X and PoE

Hi,

 

What is the difference between the EdgeRouter X and the EdgeRouter PoE? Is the X more powerful at routing and switching?

 

Regards,

 

Abraham

Adding a second router to create a separate LAN?

Hi! 

I'm currently using a home network with a few roommates and sometimes guests. This network is managed by Router A (Asus wifi router).

I would like to have my devices on a separate network (and isolate (or protect) it from users on the LAN of router A). I will need to use the same internet connection as Router A.

I have briefly read about VLAN, which is not entirely clear to me, so I think I have to rule that out.

Since my budget is limited ($200) I was thinking about getting a second router (router B, maybe an EdgeMax lite with a wireless access point). The idea is to connect it this way:

 

Internet to WAN port of Router A,

LAN port of Router A to WAN port of Router B

 

 

Connected to router B would be a PS4, a smartphone and a Mac. I use these devices in a very basic manner; I currently do not use any port forwarding or UPnP. I use office applications and online banking on my Mac and some online gaming on the PS4.

 

What I would like to achieve is to increase security for my devices if for instance a malicious device was (mistakenly) brought to the LAN of router A. Will this solution achieve this? 

From what I have read, using two routers like this isn't ideal and will lead to double NAT-ing (I remember reading something about problems with SSL).

What limitations are there to this configuration? How bad is double NAT? Will it limit my current usage? Will it increase or decrease security? 

 

Slightly off-topic: I was looking at the edgemax lite, since hearing good things about it compared to home network routers. Setup using CLI is beyond my skill, so I will therefore have to use the web interface. I have had no problems configuring home network routers in the past; is the web interface of the edgemax comparable in the level of knowledge required by the user?

 

I apologize for my use of grammar and if this is the wrong forum for this question. 

Thanks in advance

Namecheap DDNS Not Using SSL

Hello,

 

I am running an EdgeRouter Lite v1.9.1.  I was setting up Dynamic DNS using the Namecheap client (ddclient) and noticed that the client was not making the request using SSL.  This means that the client is sending the passwords in clear text.  

 

When there's no problem it only logs a SUCCESS message.  However, if you're like me and you give it the incorrect login like a bumbling monkey, you'll see something similar in the logs.

 

Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: SENT: http://dynamicdns.park-your-domain.com/update?host=@&domain=[my_domain]&password=[my_password]&ip=[my_ip]
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: REPLIED: HTTP/1.1 200 OK
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Cache-Control: private
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Content-Length: 423
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Content-Type: text/html
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Server: Microsoft-IIS/8.5
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Set-Cookie: ASPSESSIONIDSUSBSTSR=EHDDLOFABCHHPKEKDLPKHMOH; secure; path=/
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: X-Powered-By: ASP.NET
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Date: Tue, 07 Feb 2017 16:35:59 GMT
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: Connection: close
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING:
Feb 7 10:35:59 [My_Router] ddclient[1788]: WARNING: <?xml version="1.0"?><interface-response><Command>SETDNSHOST</Command><Language>eng</Language><ErrCount>1</ErrCount><errors><Err1>Domain name not found</Err1></errors><ResponseCount>1</ResponseCount><responses><response><ResponseNumber>316153</ResponseNumber><ResponseString>Validation error; not found; domain name(s)</ResponseString></response></responses><Done>true</Done><debug><![CDATA[]]></debug></interface-response>
Feb 7 10:35:59 [My_Router] ddclient[1788]: FAILED: updating @: Invalid reply.

 

According to my research ssl=yes needs to be added to the .conf file.  I checked the /etc/ddclient/ddclient_eth0.conf file and see that ssl=yes is added by default.  For troubleshooting, I also tried adding it to /etc/ddclient.conf and had the same result.


The version installed by default is ddclient v3.8.3, which according to this unofficial link should have ssl support.

 

Am I missing something or is this a bug?

 

Sincerely,

Gregory Strike
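
A way to check router syslog for the exposure described in the post above, as an added example that is not part of the original post or of ddclient: it finds ddclient "SENT:" lines whose URL carries a secret in the query string, reports whether the request went over plain HTTP, and returns a redacted copy of the line that is safe to paste into a forum. The sample log lines are constructed on the format shown in the post, and the `SECRET_PARAMS` list is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters treated as secrets (assumption; extend per DDNS provider).
SECRET_PARAMS = {"password", "pass", "passwd", "token", "key"}

# The "SENT:" line ddclient writes to syslog, in the format quoted in the post.
SENT_RE = re.compile(r"ddclient\[\d+\]: \w+: SENT:\s+(?P<url>\S+)")

# Constructed sample lines (not real log data): one update over http, one over https.
SAMPLE_LOG = [
    "Feb 7 10:35:59 rtr ddclient[1788]: WARNING: SENT: "
    "http://dynamicdns.park-your-domain.com/update?host=@&domain=example.test"
    "&password=constructed-secret&ip=203.0.113.7",
    "Feb 7 10:35:59 rtr ddclient[1788]: WARNING: REPLIED: HTTP/1.1 200 OK",
    "Feb 7 10:40:02 rtr ddclient[1801]: WARNING: SENT: "
    "https://dynamicdns.park-your-domain.com/update?host=@&domain=example.test"
    "&password=constructed-secret&ip=203.0.113.7",
    "Feb 7 10:41:00 rtr ddclient[1801]: SUCCESS: updating @: good: IP address set to 203.0.113.7",
]


def redact_url(url):
    """Return (redacted_url, secret_param_names) for one request URL."""
    parts = urlsplit(url)
    found, query = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found.append(name)
            value = "REDACTED"
        query.append((name, value))
    redacted = urlunsplit(parts._replace(query=urlencode(query, safe="@")))
    return redacted, found


def audit(lines):
    """Flag ddclient requests that carry secrets in the URL.

    Every finding means the secret is sitting in the log file; a finding with
    cleartext_transport=True means it also crossed the network unencrypted.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = SENT_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        redacted, secrets = redact_url(url)
        if not secrets:
            continue
        parts = urlsplit(url)
        findings.append({
            "line": lineno,
            "host": parts.hostname,
            "cleartext_transport": parts.scheme.lower() != "https",
            "secret_params": secrets,
            "redacted": line.replace(url, redacted),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        transport = "PLAIN HTTP" if f["cleartext_transport"] else "TLS"
        print(f"line {f['line']}: {f['host']} via {transport}, "
              f"secrets in URL: {', '.join(f['secret_params'])}")
        print("  " + f["redacted"])
```

Any credential flagged with `cleartext_transport` set should be treated as exposed and rotated once the client is confirmed to be using HTTPS.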

VLAN Issues

Having trouble with the VLANS on this switch. So I have VLAN 150 DATA, 101 MANAGEMENT, 200 VOIP and I have a Meraki MX400 routing VLAN 150 192.168.200.1, VLAN 200 10.20.10.1, VLAN 101 172.17.0.1. Meraki is connected to port 1 on the EdgeMAX Switch with configurations of

 

interface 0/1
switchport mode trunk
switchport trunk allowed vlan 101,150,200
vlan participation include 101,150,200
vlan tagging 101,150,200

 

I have an Avaya Phone and a PC connected to port 2: (This may be incorrect due to not solving the next issue I will address)

interface 0/2
switchport mode access
switchport access vlan 150
vlan participation exclude 101
vlan participation include 150
vlan tagging 200

 

From Port 2 the PC does get an IP address of 192.168.200.24

 

On port 48 I have the Avaya DHCP server with a static of 10.20.10.10 which the phones need for an IP address:

switchport mode access
switchport access vlan 200
vlan pvid 200
vlan participation exclude 101,150
vlan participation include 200

 

 

Any ideas what I'm doing wrong?


ER8Pro BGP-6: %BGP-5-ADJCHANGE: neighbor Down Interface Flap

Hi,

I noticed that my ER8Pro sent BGP-6: %BGP-5-ADJCHANGE: neighbor Down Interface Flap to my syslog server when I restarted a radio connected to it.

The weird thing is there is no OSPF/BGP config on that interface/link.

Is this normal?

 

Kind Regards

M

EdgeRouter Pro 8 - Bonding.

Hi all, 

I have some questions about the EdgeRouter.

1 - If I had two fiber connections from the ISP connected to SFP+ 1 and 2, I now have 8 Ethernet ports on the EdgeRouter. Can I bond 4 ports into Bond0 and Bond1 (LACP)?

a - If I had two XG switches, can I connect the bond to the 4 Ethernet ports?

b - If I had a 24/48 US or ES, can I just bond the same ports to use the bonds created on the EdgeRouter?

I am trying to do it so that, instead of a bottleneck of a 1GB link to the fiber internet, I get an 'at least' 4GB bonded link.

 

Router: 

https://www.ubnt.com/edgemax/edgerouter-pro/

 

Switches: 

https://www.ubnt.com/unifi-switching/unifi-switch-poe/

https://www.ubnt.com/unifi-switching/unifi-switch-16-xg/

 

 

 

 

Thanks. 

Using dnsmasq with dhcp-relay

Is it possible to use dnsmasq for dhcp-relay?  We're having some issues with dhcp-relay and are interested to see if dnsmasq is less "fussy".  However, I can't figure out how to enable it when using DHCP relay.

Question Regarding VPLS and Hardware Offload

As I understand it, there are no plans to support offload for VPLS.  However, I have a few cases where I would like to use it for layer 2 transport for a few of my customers.  That means I will need to enable label switching on most (if not all) of my core routers.

 

I would like to understand what effect enabling VPLS will have on hardware offload. 

 

Does the fact that VPLS is not offloaded only affect the VPLS endpoints, or will it also affect the transport in between that's doing label switching?

 

When I enable label switching will my normal (non vpls) traffic still have the benefits of hardware offload? 

Dumb firewall question (WLAN+2LAN2)

I have an Edgerouter X that I started with the WAN+2LAN2 wizard, it worked well and I've added a lot of additional config to it....

 

I was working on setting up the local PPTP access and I messed up the firewall, and stupidly I had not backed it up first.

 

Can someone post the default WLAN-2LAN2 firewall config, so I can put it to rights?

 

Thanks and sorry for being so stupid...

 

Steve

Connecting two ER8's

So, I need help with the scenario listed below. I have searched through the forums and couldn't find the exact situation I have, so if it has been answered before, please let me know.

 

I have a total of 3 networks. One WAN and two LANs.

 

Both LANs connect to the same WAN, however, I need to also connect the LANs together directly using another hardline between the two ER8s.

 

Router 1

Er0 -> WAN

Er1 -> Local Subnet 10.45.100.1/24 Switch

 

Er7 -> Router 2 Er7

 

Router 2

Er0 -> WAN

Er1 -> Local Subnet 10.45.101.1/24 Switch

 

Er7 -> Router 1 Er7

 

 

I have client devices on both subnets that need to talk to each other (i.e. 10.45.100.20 needs to communicate with 10.45.101.20).

 

How do I need to configure the two ER8s to allow for this communication to happen, and not have to setup multiple GWs in the client endpoints?

 

Thanks!

pfSense Replacement Recommendation

Not sure of the best forum to ask.

I have pfSense on a C2558 that's a ticking time bomb. Sounds like I can have the board repaired, but I would need to fill the time gap with something. This is what I currently do with pfSense; I need advice. I also run UniFi and airMAX products in the network.

 

pfsense
2-wan  1-lan
2-he net ipv6 tunnels
traffic shaping to help with buffer bloat
limiter to keep xbox from eating bandwidth
ntp
dyn dns (to get in from outside via openvpn)
openvpn
dhcp reservations

packages:
snort
pfblocker
ntopng
nut
traffic totals


BGP Flaps after CQBuf error

I just had a bunch of BGP flaps, I think right after the router received a bunch of updates from its upstream (two full feeds).

 

Here's the logs:

Feb  7 23:17:56 rtr1 BGP[890]:  BGP-3: ipv4address104.106-Outgoing [ENCODE] Update: Failed to get CQBuf
Feb  7 23:17:56 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv4address104.106 Down BGP Notification CEASE
Feb  7 23:17:58 rtr1 BGP[890]:  BGP-6: ipv4address104.106-Outgoing [RIB] : Cleared BGP route table, af=1/1 route-num=10
Feb  7 23:18:13 rtr1 BGP[890]:  BGP-6: ipv4address104.105-Outgoing [RIB] : Cleared BGP route table, af=1/1 route-num=577558
Feb  7 23:18:13 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv4address104.105 Down Peer closed the session
Feb  7 23:18:14 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:1::1 Down Hold Timer Exipred
Feb  7 23:18:14 rtr1 BGP[890]:  BGP-6: %BGP-3-NOTIFICATION: sending to ipv6addres0:1::1 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
Feb  7 23:18:16 rtr1 BGP[890]:  BGP-6: ipv6addres0:1::1-Outgoing [RIB] : Cleared BGP route table, af=2/1 route-num=35767
Feb  7 23:18:16 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:1::2 Down Hold Timer Exipred
Feb  7 23:18:16 rtr1 BGP[890]:  BGP-6: %BGP-3-NOTIFICATION: sending to ipv6addres0:1::2 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
Feb  7 23:18:17 rtr1 BGP[890]:  BGP-6: ipv6addres0:1::2-Outgoing [RIB] : Cleared BGP route table, af=2/1 route-num=9
Feb  7 23:18:17 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:6::2 Down Hold Timer Exipred
Feb  7 23:18:17 rtr1 BGP[890]:  BGP-6: %BGP-3-NOTIFICATION: sending to ipv6addres0:6::2 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
Feb  7 23:18:18 rtr1 BGP[890]:  BGP-6: ipv6addres0:6::2-Outgoing [RIB] : Cleared BGP route table, af=2/1 route-num=4
Feb  7 23:18:18 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv4address29.2 Down Hold Timer Exipred
Feb  7 23:18:18 rtr1 BGP[890]:  BGP-6: %BGP-3-NOTIFICATION: sending to ipv4address29.2 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
Feb  7 23:18:21 rtr1 BGP[890]:  BGP-6: ipv4address29.2-Outgoing [RIB] : Cleared BGP route table, af=1/1 route-num=7
Feb  7 23:18:21 rtr1 BGP[890]:  BGP-3: ipv6addres0:1::1-Outgoing [NETWORK] Set Sock Opt: failed to set option: Sock = 10
Feb  7 23:18:22 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv4address104.106 Up
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6: Hashtable expanded :: name=bgp-adv-0/0-(null) size=16384 count=46280
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6: Hash summary :: name=bgp-adv-0/0-(null) size=16384 count=46280
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) empty=994(6.1%) occupied=15390(93.9%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=001->001 cnt=2727 (17.7%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=002->002 cnt=3867 (25.1%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=003->003 cnt=3688 (23.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=004->004 cnt=2540 (16.5%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=005->005 cnt=1452 (9.4%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=006->006 cnt=698 (4.5%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=007->007 cnt=255 (1.7%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=008->008 cnt=118 (0.8%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=009->009 cnt=36 (0.2%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=010->010 cnt=6 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=011->015 cnt=3 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=016->020 cnt=0 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=021->050 cnt=0 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=051->100 cnt=0 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=101->500 cnt=0 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=501->998 cnt=0 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=999->max cnt=0 (0.0%)
Feb  7 23:18:25 rtr1 BGP[890]:  BGP-6: Hash summary done
Feb  7 23:18:27 rtr1 BGP[890]:  BGP-6: Hashtable expanded :: name=bgp-adv-0/0-(null) size=32768 count=96770
Feb  7 23:18:27 rtr1 BGP[890]:  BGP-6: Hash summary :: name=bgp-adv-0/0-(null) size=32768 count=96770
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) empty=1687(5.1%) occupied=31081(94.9%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=001->001 cnt=5084 (16.4%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=002->002 cnt=7462 (24.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=003->003 cnt=7384 (23.8%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=004->004 cnt=5366 (17.3%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=005->005 cnt=3170 (10.2%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=006->006 cnt=1536 (4.9%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=007->007 cnt=730 (2.3%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=008->008 cnt=217 (0.7%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=009->009 cnt=97 (0.3%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=010->010 cnt=27 (0.1%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=011->015 cnt=8 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=016->020 cnt=0 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=021->050 cnt=0 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=051->100 cnt=0 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=101->500 cnt=0 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=501->998 cnt=0 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=999->max cnt=0 (0.0%)
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6: Hash summary done
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-3: ipv6addres0:6::2-Outgoing [NETWORK] Set Sock Opt: failed to set option: Sock = 11
Feb  7 23:18:28 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:1::1 Up
Feb  7 23:18:29 rtr1 BGP[890]:  BGP-3: ipv6addres0:1::2-Outgoing [ENCODE] Open: Failed to get CQBuf
Feb  7 23:18:32 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:6::2 Up
Feb  7 23:18:32 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv4address29.2 Up
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6: Hashtable expanded :: name=bgp-adv-0/0-(null) size=32768 count=96500
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6: Hash summary :: name=bgp-adv-0/0-(null) size=32768 count=96500
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) empty=1700(5.2%) occupied=31068(94.8%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=001->001 cnt=5065 (16.3%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=002->002 cnt=7434 (23.9%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=003->003 cnt=7498 (24.1%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=004->004 cnt=5346 (17.2%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=005->005 cnt=3205 (10.3%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=006->006 cnt=1524 (4.9%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=007->007 cnt=614 (1.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=008->008 cnt=263 (0.8%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=009->009 cnt=84 (0.3%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=010->010 cnt=26 (0.1%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=011->015 cnt=9 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=016->020 cnt=0 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=021->050 cnt=0 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=051->100 cnt=0 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=101->500 cnt=0 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=501->998 cnt=0 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=999->max cnt=0 (0.0%)
Feb  7 23:18:37 rtr1 BGP[890]:  BGP-6: Hash summary done
Feb  7 23:18:39 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:1::1 Down Hold Timer Exipred
Feb  7 23:18:39 rtr1 BGP[890]:  BGP-6: %BGP-3-NOTIFICATION: sending to ipv6addres0:1::1 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
Feb  7 23:18:40 rtr1 BGP[890]:  BGP-6: %BGP-3-NOTIFICATION: sending to ipv6addres0:1::2 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
Feb  7 23:18:43 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv4address104.105 Up
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6: Hashtable expanded :: name=bgp-adv-0/0-(null) size=16384 count=46278
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6: Hash summary :: name=bgp-adv-0/0-(null) size=16384 count=46278
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) empty=995(6.1%) occupied=15389(93.9%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=001->001 cnt=2735 (17.8%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=002->002 cnt=3851 (25.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=003->003 cnt=3696 (24.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=004->004 cnt=2545 (16.5%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=005->005 cnt=1438 (9.3%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=006->006 cnt=709 (4.6%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=007->007 cnt=250 (1.6%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=008->008 cnt=120 (0.8%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=009->009 cnt=35 (0.2%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=010->010 cnt=7 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=011->015 cnt=3 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=016->020 cnt=0 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=021->050 cnt=0 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=051->100 cnt=0 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=101->500 cnt=0 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=501->998 cnt=0 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=999->max cnt=0 (0.0%)
Feb  7 23:18:45 rtr1 BGP[890]:  BGP-6: Hash summary done
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6: Hashtable expanded :: name=bgp-adv-0/0-(null) size=32768 count=96745
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6: Hash summary :: name=bgp-adv-0/0-(null) size=32768 count=96745
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) empty=1694(5.2%) occupied=31074(94.8%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=001->001 cnt=5076 (16.3%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=002->002 cnt=7469 (24.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=003->003 cnt=7388 (23.8%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=004->004 cnt=5360 (17.2%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=005->005 cnt=3165 (10.2%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=006->006 cnt=1541 (4.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=007->007 cnt=724 (2.3%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=008->008 cnt=218 (0.7%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=009->009 cnt=97 (0.3%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=010->010 cnt=28 (0.1%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=011->015 cnt=8 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=016->020 cnt=0 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=021->050 cnt=0 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=051->100 cnt=0 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=101->500 cnt=0 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=501->998 cnt=0 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6:   >> name=bgp-adv-0/0-(null) range=999->max cnt=0 (0.0%)
Feb  7 23:18:48 rtr1 BGP[890]:  BGP-6: Hash summary done
Feb  7 23:18:50 rtr1 BGP[890]:  BGP-3: ipv6addres0:1::1-Outgoing [NETWORK] Set Sock Opt: failed to set option: Sock = 13
Feb  7 23:18:50 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:1::2 Up
Feb  7 23:18:51 rtr1 BGP[890]:  BGP-6: %BGP-5-ADJCHANGE: neighbor ipv6addres0:1::1 Up
Feb  7 23:19:29 rtr1 BGP[890]:  BGP-4: ipv4address104.105-Outgoing [DECODE] Attr Aggregator: AS value error(0), Ignoring error...

Can anybody explain what went wrong here?

2 dhcp servers off the same interface.

I have a network set up with an edge router, 2 switches, and a wireless AP. The problem I'm having is that I want to have the ethernet network on one subnet and the wireless devices on a 2nd subnet. I have the router running 2 DHCP servers right now, 1 for the ethernet and a 2nd for the wireless. From the router I have an interface for the external network, a switch, and the wireless AP.

What I want is to put the wireless AP on one of my switches so that there is not an enormous amount of unnecessary traffic flowing through the router. The change in the topology does not allow the DHCP server for the 2nd network to work on the same interface as the ethernet network.

Can anyone help me solve this problem? Thanks.

Strange thing happened with ICS in windows

ERL running 1.9.1, no betas.

 

I was conducting an experiment with windows internet connection sharing. The test would work for about a minute and then something really weird happened which knocked out the DHCP server for all interfaces.

 

The shared interface was going to a test device, not back into my network, so no loops or duelling banjos.

 

ERL - LAN - Server - Test device

 

I had to factory reset on my router and now, it is barely hanging on with DHCP, it wouldn't issue out many addresses, so I ran my test again and it killed DHCP... again.

 

I restored back to a good config and only some of my VMs are getting IPs, which doesn't bode well for the stability of my network.

 

It seems to remember MAC addresses that have been reserved, but doesn't do anything about it...

 

Any thoughts?

 

 

ERPoE-5 DHCP/Static IP Issues on 1.9.1

I've been banging my head on this for a while and I have no clue what's going on.  I'm trying to assign a handful of static IP addresses on a network and this ERPoE-5 running 1.9.1 refuses to hand out the IPs that I'm telling it to.  

 

A third party contractor who wasn't familiar with EdgeMax installed a few systems on the network that require static IPs, so they went ahead and just set the static IPs on the devices (and didn't leave me a list of devices with static IPs).  I'm going through and transferring the static assignments to the Edgerouter so that I can actually track what each device's IP address is.  At the same time, I'm trying to assign some other network hardware to static IPs outside the DHCP range, namely a CloudKey and two UAP-AC-LRs.  Here's a rough list of what has happened:

 

-UAPs had DHCP-assigned IP addresses of 192.168.1.103 and .108, I assigned static IPs of 192.168.1.3 and .4.  I rebooted the UAPs and they pulled the correct addresses.

-UCK had a DHCP-assigned IP address of 192.168.1.102, I assigned a static IP of 192.168.1.2 and rebooted the UCK.  It completely dropped off the UniFi system and showed as being offline (I assumed it had crashed - more on this later). 

-A security camera DVR was set up with a (device-specified) static IP of 192.168.1.50, I assigned a static IP through the Edgerouter DHCP server of 192.168.1.50 (the same IP), and turned DHCP on the device.  The connection to the device dropped.

-Thinking that it was highly unlikely that two completely different devices dropped off the network under similar circumstances, I downloaded NMAP and pinged the entire subnet.  Turns out that the UCK's IP was actually 192.168.1.30 (and internet access apparently wasn't working, hence the offline cloud controller issue), and the DVR's IP was 192.168.1.120.  After signing into the UCK locally, both UAPs' addresses were showing at 192.168.1.20.

-I deleted all static mappings and the UCK, UAPs, and DVR came back up correctly with DHCP addresses.  I then re-set a static IP for DVR to the IP that it seemed to prefer (192.168.1.120) and it seems to have stuck for now.

 

I have no clue what would cause the DHCP server to freak out like that.  Authoritative was originally set to disabled, I then enabled it to troubleshoot (it didn't help).  I seem to recall some funkiness with static IPs when I originally set this thing up for my parents, but I can't recall the specifics of that at this point.  I gave up and just went with DHCP addresses at the time.

 

Config is below.  Any help would be greatly appreciated.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Guest_IN {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "Block LAN Access"
            destination {
                address 192.168.1.0/24
            }
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description "Block IOT LAN Access"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name Guest_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 2 {
            action accept
            description "Allow DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow IKE for VPN"
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 22 {
            action accept
            description "Allow L2TP for VPN"
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 23 {
            action accept
            description "Allow ESP for VPN"
            log disable
            protocol 50
        }
        rule 24 {
            action accept
            description "Allow NAT-T for VPN"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description "IOT LAN"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description Switch
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description WIFI-1
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth4 {
        description WIFI-2
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description LAN
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 10 {
            address 192.168.3.1/24
            description "Guest VLAN"
            firewall {
                in {
                    name Guest_IN
                }
                local {
                    name Guest_LOCAL
                }
            }
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface switch0
    lan-interface switch0.10
    rule 1 {
        description Leviton
        forward-to {
            address 192.168.1.80
            port 4369
        }
        original-port 4369
        protocol tcp
    }
    rule 2 {
        description Alibi
        forward-to {
            address 192.168.1.120
            port 8000
        }
        original-port 8000
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest_VLAN {
            authoritative enable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.101 {
                    stop 192.168.3.250
                }
            }
        }
        shared-network-name IOT_LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.101 {
                    stop 192.168.2.250
                }
            }
        }
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.101 {
                    stop 192.168.1.250
                }
                static-mapping Alibi {
                    ip-address 192.168.1.120
                    mac-address bc:ad:28:xx:xx:xx
                }
                static-mapping WIFI-1 {
                    ip-address 192.168.1.3
                    mac-address 44:d9:e7:xx:xx:xx
                }
                static-mapping WIFI-2 {
                    ip-address 192.168.1.4
                    mac-address 44:d9:e7:xx:xx:xx
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name xxx.xxx.xxx
                    login xxx
                    password xxx
                    server dynupdate.no-ip.com
                }
                web dyndns
            }
        }
        forwarding {
            cache-size 200
            listen-on eth1
            listen-on switch0
            listen-on switch0.10
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name xxx
    host-name ERPoE-5
    login {
        user xxx {
            authentication {
                encrypted-password xxx
            }
            level admin
        }
        user xxx {
            authentication {
                encrypted-password xxx
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 192.168.1.0/24 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username xxx {
                        password xxx
                    }
                    username xxx {
                        password xxx
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.1.21
                stop 192.168.1.40
            }
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxx
                }
                ike-lifetime 3600
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939093.161214.0705 */
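
An added example, not part of the original post or of EdgeOS: a small Python check that walks a brace-style config like the one above and lists static mappings whose address falls inside a DHCP dynamic range or the L2TP client pool. `walk` and `audit` are names made up for this example, and the embedded sample is a trimmed, constructed excerpt of the posted LAN scope and L2TP pool.

```python
import ipaddress as ip

# Constructed excerpt of the posted config: LAN DHCP scope and L2TP pool only, wrappers trimmed.
SAMPLE = """
dhcp-server {
    shared-network-name LAN {
        subnet 192.168.1.0/24 {
            start 192.168.1.101 {
                stop 192.168.1.250
            }
            static-mapping Alibi {
                ip-address 192.168.1.120
            }
        }
    }
}
l2tp {
    client-ip-pool {
        start 192.168.1.21
        stop 192.168.1.40
    }
}
"""

def walk(text):
    """Yield (path, words) for each statement of brace-style EdgeOS config."""
    path = []
    for line in map(str.strip, text.splitlines()):
        if line == "}":
            path.pop()
        elif line:
            words = line.rstrip("{ ").split()
            yield tuple(path), words
            if line.endswith("{"):
                path.append(" ".join(words))

def audit(text):
    """Return static mappings whose address sits inside a dynamic or VPN pool."""
    pools, statics = {}, {}
    for path, w in walk(text):
        if w[0] == "start":    # opens a DHCP range block or an L2TP pool
            pools[path] = [ip.ip_address(w[1]), None]
        elif w[0] == "stop":   # DHCP nests stop under start; L2TP keeps it a sibling
            key = path[:-1] if path[-1].startswith("start ") else path
            pools[key][1] = ip.ip_address(w[1])
        elif w[0] == "ip-address":
            statics[path[-1].split()[-1]] = ip.ip_address(w[1])
    return [(name, str(addr), pool[-1]) for name, addr in statics.items()
            for pool, (lo, hi) in pools.items() if lo <= addr <= hi]
```

On the excerpt, `audit(SAMPLE)` lists the Alibi mapping (192.168.1.120) as lying inside the 192.168.1.101 to 192.168.1.250 dynamic range.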

 

ER-X: How to set up firewall for PPPoE interface which is set up under VLAN of switch port


Model: ER-X
Background: I have set up all Ethernet interfaces in switch0 and enabled vlan-aware, and also set up PPPoE under one VLAN of switch0; the connection works without issue.
Issue: I am now trying to set up a firewall for this PPPoE interface, but no firewall option appears when I press TAB, as the command line below shows. Could anybody help with this? Much appreciated.

CLI output: there is no firewall option for this pppoe under vif 1


ubnt@GWHOME# set interfaces switch switch0 vif 1 pppoe 0
access-concentrator  description          ipv6                 name-server          service-name
bandwidth            dhcpv6-pd            local-address        password             traffic-policy
connect-on-demand    idle-timeout         mtu                  redirect             user-id
default-route        ip                   multilink            remote-address
[edit]
ubnt@GWHOME# set interfaces switch switch0 vif 1 pppoe 0

PPPOE setting:

ubnt@HOME# show interfaces switch switch0 vif 1
 address 192.168.1.1/24
 address 192.168.100.2/24
 firewall {
     in {
         name WAN_IN
     }
     local {
         name WAN_LOCAL
     }
 }
 mtu 1500
 pppoe 0 {
     default-route auto
     mtu 1492
     name-server auto
     password XXXXXXXX
     user-id XXXXXXXX
 }
 
