Ladies & Gents,

First Thanks for the great help here.  Long time Debian user.  Wanting to set up add-blocking on the Router while I am forced to inactivity after surgery.

The issues is that even though I am able to login to the web interface I am not able to login via ssh.  That makes it so that I can not push the add-blocking script to the router.

The ssh session from within the web interface works fine.

It has been a long time since I first set the Edge Lite 3 up EdgeRouter Litev1.9.0  uptime 1 week

There is only one user on the router.  Default has been deleted.  Although it does show said user with multiple active sessions even though I am logged in via one borwser only.

I have searched the config tree for a remote access config of some kind but NO Joy.

What am I missing

Thanks

I have one customer with following config:

Edgerouter Lite:

ETH0 = Managment 

ETH1 = LAN

ETH2 = WAN

Behind this setup I have 2 AP's with the PoE injectors and a Cloudkey for Guest control.

Created a VLAN100 on ETH1 and setup Guest an Company WiFi.

Everything is working well! Guest users get IP from 192.168.100.xx range. Company from 192.168.0.xx range

======================================================

Situation 2

Edgerouter with config from situation 1. Behind this router on same ports as in config 1 a US-8-60W PoE Switch With one AP and Cloudkey.

In situation 2 the Guests won't get a IP from DHCP ??????

Can somebody explain this to me? US-8-60W is in default config, also with Port settings to ALL (for vlan) on all the 8 ports still nog IP.

Wire diagram situation 2

We have two WAN options. One is slow DSL. The other is fast-ish microwave.

Obviously when the microwave link is up, we don't want to wait for any packets sent over DSL.

So the first idea would be to simply send all traffic to microwave WAN.

But we also need to know that the backup is working.

Is there a way to configure a dual-WAN router to send all traffic to the fast WAN, except for a periodic ping (or other test) to make sure the backup is alive? And, ideally, if the backup goes down, send an alert?

good evening my friends, and following are mounting a scenario a Edge 8PRO and m mikrotik trying to raise ospf, mpls and vpls, but not sonsigo OSPF OK MPLS VPLS-OK don't connect, does anyone have any tips

Hey guys having a hard time with my vlans and dhcp server. Here is my setup.

router: erlite 3

switch: unifi 48p 500w

aps: ap-ac-pros

right now im running everything on the same subnet. couple of days ago i tried to vlan/subnet different devices(ip cams, voip, guest wifi).

Everyhting started working out great, devices with vlan enabled started getting their correct ip addresses, ports on the switch that I marked as X vlan worked correctly. But  when devices on 192.168.1.0/24 had their dhcp leases expired they couldnt renew their ip addresses and also any new devices didnt get their ip address. Inmediately after disabling the vlan dhcp servers, dhcp service on ...1.0/24 resumed.

Any suggestions what may i be doing wrong? i dont want to bork everything again no more complaints please lol

Sorry about my english, thanks before hand

So i was looking through the traffic analysis and noticed that the drop down on the right side that displays the details about a ip suddenly don't show any info .You can click drop down and it's just blank .After reloading teh page it works for a while then everyting disapears again.

Running ver 1.9.1 btw

I have an EdgeRouter Pro/8 which I use with CenturyLink gigabit ftth. I've had it set up and running reliably for several months, but suddenly this afternoon it started dropping/mangling packets. SSL connections in particular were almost impossible, with connections dropping within seconds of opening and downloading anything larger than a small HTML file failing completely. Non-SSL connections mostly worked but were also flaky; web sites would frequently stall during load, etc.

After a lot of digging, this seems to be related to PPPoE offload. If I disable the offload via

set system offload ipv4 pppoe disable

everything works fine again, albeit much slower as the PPPoE overhead swamps the CPU. Turn offload back on, and SSL connections immediately start failing again.

Linux ubnt 3.10.20-UBNT #1 SMP Fri Dec 2 02:43:07 PST 2016 mips64
Welcome to EdgeOS
ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# set system offload ipv4 pppoe enable
[edit]
ubnt@ubnt# commit
[edit]
ubnt@ubnt# save
Saving configuration to '/config/config.boot'...
Done
[edit]
ubnt@ubnt# exit
exit
ubnt@ubnt:~$ exit
logout
Connection to 10.0.0.1 closed.
PDX-MACA004131:downloads ablack$ curl https://1.na.dl.wireshark.org/win64/Wireshark-win64-2.2.4.exe > test.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 47.0M    0  207k    0     0   254k      0  0:03:09 --:--:--  0:03:09  254k
curl: (56) SSLRead() return error -9845
PDX-MACA004131:downloads ablack$ ssh ubnt@10.0.0.1
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

ubnt@10.0.0.1's password: 
Linux ubnt 3.10.20-UBNT #1 SMP Fri Dec 2 02:43:07 PST 2016 mips64
Welcome to EdgeOS
Last login: Fri Feb 10 05:37:20 2017 from 10.0.0.102
ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# set system offload ipv4 pppoe disable
[edit]
ubnt@ubnt# commit
[edit]
ubnt@ubnt# save
Saving configuration to '/config/config.boot'...
Done
[edit]
ubnt@ubnt# exit
exit
ubnt@ubnt:~$ exit
logout
Connection to 10.0.0.1 closed.
PDX-MACA004131:downloads ablack$ curl https://1.na.dl.wireshark.org/win64/Wireshark-win64-2.2.4.exe > test.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 47.0M  100 47.0M    0     0   178k      0  0:04:30  0:04:30 --:--:--  160k
PDX-MACA004131:downloads ablack$ 

I was running 1.9.0 when this started, now 1.9.1 with the same issue. Here's my full config:

ubnt@ubnt:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.0.0.1/8
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address xxxx/29
        description Comcast
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description CenturyLink
        duplex auto
        speed auto
        vif 201 {
            description "CenturyLink VLAN"
            mtu 1500
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
                password ****************
                user-id xxxx@qwest.net
            }
        }
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
        rule 5011 {
            description "CenturyLink NAT"
            log disable
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name xxxx
    gateway-address xxxx
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ubnt
            level admin
        }
    }
    name-server 10.0.0.9
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            pppoe disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}
ubnt@ubnt:~$ 

Any ideas? My wild guess is that CenturyLink changed their PPPoE protocol in some subtle way that the offload system doesn't handle right, but otherwise I'm stumped...

Dear Ubnt Experts

I have configured OpenVPN on my ER-8 Router, the connection with the Viscosity Client is working. According the VPN Configuration, the Client got the IP 192.168.70.2.

The internal devices in the LAN have 192.168.1.x  Addresses like my NAS on 192.168.1.100. How can I configure that the VPN client get access to this net adress range for example to get access on the NAS?

Just for your information, the ER-8 runs in Bridge Mode, the ER-8 Network Interfaces eth1-eth7 are bridged to the Internet Interface eth0 as br0.

This command here did not help - do I have so set a route or anything else? Any help is very appreciated.

openvpn-option "--push route 192.168.1.0 255.255.255.0"

Regards from Switzerland

Martin

Hey guys

So I have an old 5 port Edgerouter poe.  Ive tried multiple pens over time however recently the ubnt supplied pen died (unit is out of warranty anyway)

Can anyone recommend a good quality usb pen thats available in the uk to replace the stock one please?

Recently Ive had pens hanging on the bootloader octeon stage.  

Unless my poe router is actually dying a death on me.  

Currently borrowing my dads edgerouter X as a temporary measure but it does have hardware offload etc

Cheers

Andy

Hello

i am in the progress to drop some application categorys. How do they get updated, i mean the categorys ?

Regards

Ok so I've read quite some threads about this topic but still can't really figure it out.

There's a 160/15 cable internet connection on eth0 of the ERPoe
As where I am now it seems i can either have full download speed with (very) high bufferbloat or low bufferbloat at the cost of my download speed which then seems to top out at 95-100Mbit.

I've tried many suggestions you can find scattered around the forum.

- Hardware offload on: speed good but BB high
- Hardware offload off: speed bad but BB low
- Smart Qos on: even worse speed then with just HW off load off but low BB.
- Custom QoS settings as found somewhere in this forum: speed still slow but not as slow as with standard smart QoS with low BB

I have it now running without Hardware offload on and without any QoS settings active. I don't mind losing a bit of speed if it means that i will improve a lot on bufferbloat. Every combination of hardware offload and/or QoS settings results in speed going down by almost 1/3 to around 95-100Mbit which i find too much of a loss.

I can't wrap my head around the seemingly fact that the ERPoe can't do about 150Mbit with low bufferbloat while a budget Netgear router that barely costs 1/4 of the ERPoe can do 160Mbit with low bufferbloat right out of the box.

What am I missing here? or is this simply not possible with the ERPoe?

Edit:

Forgot to mention that the site in which this ERPoe is deployed is almost 400KM away from where i life and work so getting a config file or something like that is quite the challenge and probably not happening anytime soon.

Basically just the default WAN+2LAN2 setup with LAN1 on eth1 and LAN2 on eth2/3/4 (switch0) not bridged with a DHCP server for each LAN. Hardware offload on, all QoS and DPI off. 

Hi, I'm trying to set a PPTP Client on edgerouter to make a VPN to RV042G network.

Here's my config:

default-route auto

 description Internet

 mtu 1458

 name-server auto

 password somepass

 require-mppe

 server-ip somehost

 user-id someuser

I get this log on edgerouter:

Feb 10 12:27:44 CPDUG pppd[11592]: MS-CHAP authentication failed: Access denied

Feb 10 12:27:44 CPDUG pppd[11592]: CHAP authentication failed

Feb 10 12:27:44 CPDUG pppd[11592]: Connection terminated: no multilink.

Feb 10 12:27:44 CPDUG pptp[14629]: anon warn[decaps_hdlcptp_gre.c:204]: short read (-1): Input/output error

Feb 10 12:27:44 CPDUG pptp[14629]: anon warn[decaps_hdlcptp_gre.c:216]: pppd may have shutdown, see pppd log

Feb 10 12:27:44 CPDUG pptp[14637]: anon log[callmgr_mainptp_callmgr.c:234]: Closing connection (unhandled)

Feb 10 12:27:44 CPDUG pptp[14637]: anon log[ctrlp_repptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'

Feb 10 12:27:44 CPDUG pptp[14637]: anon log[call_callbackptp_callmgr.c:79]: Closing connection (call state)

Feb 10 12:28:14 CPDUG pppd[11592]: Connect: ppp2 <--> /dev/pts/2

Feb 10 12:28:14 CPDUG pptp[14709]: anon log[mainptp.c:314]: The synchronous pptp option is NOT activated

Feb 10 12:28:14 CPDUG pptp[14717]: anon log[ctrlp_repptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'

Feb 10 12:28:14 CPDUG pptp[14717]: anon log[ctrlp_dispptp_ctrl.c:739]: Received Start Control Connection Reply

Feb 10 12:28:14 CPDUG pptp[14717]: anon log[ctrlp_dispptp_ctrl.c:773]: Client connection established.

Feb 10 12:28:15 CPDUG pptp[14717]: anon log[ctrlp_repptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'

Feb 10 12:28:15 CPDUG pptp[14717]: anon log[ctrlp_dispptp_ctrl.c:858]: Received Outgoing Call Reply.

Feb 10 12:28:15 CPDUG pptp[14717]: anon log[ctrlp_dispptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 3328).

Feb 10 12:28:21 CPDUG pppd[11592]: MS-CHAP authentication failed: Access denied

Feb 10 12:28:21 CPDUG pppd[11592]: CHAP authentication failed

Feb 10 12:28:21 CPDUG pppd[11592]: Connection terminated: no multilink.

Feb 10 12:28:21 CPDUG pptp[14709]: anon warn[decaps_hdlcptp_gre.c:204]: short read (-1): Input/output error

Feb 10 12:28:21 CPDUG pptp[14709]: anon warn[decaps_hdlcptp_gre.c:216]: pppd may have shutdown, see pppd log

Feb 10 12:28:21 CPDUG pptp[14717]: anon log[callmgr_mainptp_callmgr.c:234]: Closing connection (unhandled)

Feb 10 12:28:21 CPDUG pptp[14717]: anon log[ctrlp_repptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'

Feb 10 12:28:21 CPDUG pptp[14717]: anon log[call_callbackptp_callmgr.c:79]: Closing connection (call state)

Does anyone know what could be happening?

I think it has something to do with the mppe encryption, how do I set it to 40 bits, for example?

Thanks

Cassio

Hi!

I'm looking at setting up a VPLS network for a customer of mine running on our infrastructure.

Today we're running OSPF+BFD with VLAN on our switches.

Therefor I would like to know if it's possible to use VLAN together with VPLS on the EdgeRouter ?

Example:

set protocols mpls interface eth1 vif 20 label-switching
set protocols vpls instance vpls1 id 1 signaling ldp vpls-peer 10.100.0.3
set protocols vpls interface eth0 instance vpls1

or

set protocols mpls interface eth1.20 label-switching
set protocols vpls instance vpls1 id 1 signaling ldp vpls-peer 10.100.0.3
set protocols vpls interface eth0 instance vpls1

(Above is taken from example here: https://community.ubnt.com/t5/EdgeMAX/1-8-0-Documentation-Basic-Virtual-Private-LAN-Service-VPLS-with/m-p/1356559)

If I can't use VLAN I don't have enough free ports in the routers and I need to upgrade them.

Anybody got experience with how much bandwidth is possible to push through VPLS tunnel ?

Hello,

still searching for a way to get this working. So i decided to make it as simple as possible.

In short i configured my vpn server and have it now in my local network. Only to try if a client pc can connect to it. And after that i would try it from the internet.

For this reason i configured my edgerouter via the wizard in basic mode. On eth0 is my router from the ISP which does the DHCP. Eth1-3 are configured as switch0.

Eth0 is 192.168.0.87

Switch0 is 192.168.1.1

After the basic setup i startet to configure my vpn like this:

1.) configure

2.) set vpn ipsec ipsec-interface interface eth0

3.) set vpn ipsec nat-networks allowed-network 10.0.0.0/8

4.) set vpn ipsec nat-networks allowed-network 172.16.0.0/12

5.) set vpn ipsec nat-networks allowed-network 192.168.0.0/15

6.) set vpn ipsec nat-traversal enable

7.) set vpn l2tp remote-access authentication mode local

8.) set vpn l2tp remote-access authentication local-users username ubnt password ubnt

9.) set vpn l2tp remote-access client-ip-pool start 192.168.1.20
10.) set vpn l2tp remote-access client-ip-pool stop 192.168.1.30

11.) set vpn l2tp remote access dns-servers server-1 192.168.1.1

12.) set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
13.) set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testing123
14.) set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

15.) set vpn l2tp remote-access outside-address 192.168.0.87 (assigned by dhcp from router)

16.) set vpn l2tp remote-access ouside-nexthop 192.168.0.1 (my router)

17.) commit; save; exit

Windows l2tp/ipsec client config:

1.) In Control Panel => Network and Internet => Network and sharing Center => set up a new connection

2.) Connect to workplace

3.) Use my internet connection VPN

4.) Internet Adress= 192.168.0.87

5.) Username=ubnt Password=ubnt Domain stays empty

6.) In the VPN connections properties i set "Type of VPN = Layer 2 Tunneling with IPSEC

7.) Advanced => Use preshared .... => Key: ubnt1234

8.) Trying to connect. After username and password nothing happens 

What am i doing wrong here?

best regards

I just got in a EdgeRouter ERPoe-5 for a client.  First one for me.  Generally I'm a Mikrotik router person, but wanted to try the EdgeOs.. Anywho... I got the router in and it is running EdgeOs 1.2.0 and I wanted to update to latest firmware so I downloaded ER-e100.v1.9.1.4939093.tar  and when I upload it, the router gives me an Error updating dialog box, so I decided to upload an earlier firmware so I went back to 1.7.0 but it did the same.. Any pointers, or is there a firmware that I need to upload to allow new? 

Thank

Joe

If the default action of a Ruleset is drop, what good does do having a drop rule within it?

I notice there are 'drop invalid' rules put in Rulesets by the Wizards and it's not the first rule.

If the Wizard put it as rule 1, I would assume you could have an established AND invalid packet.

I thought if a packet isn't picked up by an accept rules it's heading for the bin anyway.

-- Alan.

Hi 

I've got an Edgerouter x running the v1.91 edge os.

I've got the DHCP sercer set up as:

RouterUnifi ControllerDNS 1DNS 2Domain

Lease Time seconds

Enable

I received my first ER-X July 2016.  That one (unit #1) failed a couple months later (becoming completely non-responsive and not passing data or being able to be accessed).  I replaced that one in Oct 2016 (unit #2) and didn't get around to actually installing it till after Christmas, when i found out that i couldn't access the ER-X web server.  Ubiquiti issued and RMA and sent me a replacement (unit #3), and I'm not able to access the ER-X web server to run the wizard or change settings.  (i've tried this with 3 different computers, 3 different cables, different browsers, etc, all with the same result)
I contacted Ubiquiti and they asked questions like what i did, (what browser, cable, etc), but there has been no response from Ubiquiti for a week.
This is getting very frustrating!!  If the error is on my end, i would like to figure out what is causing it.  If it is the unit, i would rather just return it for a refund and get on with my life -- i can't keep spending time troubleshooting their equipment.

I have experience managing other consumer routers (Asus, Linksys, etc) and have never had issues like this.  Very frustrating -- equipment failure and unresponsive support from Ubiquiti
Thoughts?

Hi,

I recently got an edgerouter lite to replace a Tomato based firewall that was causing issues. I was able to get everything set up very quickly, and started moving on to some advanced things. Specifically I started implementing a netgroup containing every US CIDR range with the goal of blocking everything outside of it.

I initially implemented something using python from the following post:

https://community.ubnt.com/t5/EdgeMAX/GEO-IP-Blocking/td-p/754928

But have since switched over to something based upon ipset, using a script from the following post:

https://community.ubnt.com/t5/EdgeMAX/Adding-2700-Network-groups-to-firewall-group/td-p/603173

In any case I've had mixed results with that effort, but the specific issue I cannot resolve is the transient bus error messages I'm receiving when executing certain ipset calls. Specifically:

```

sudo ipset -q -A US-AGGREGATED-32419 198.17.201.0/24
21875 Bus error

```

I'm getting these pretty frequently, and I don't understand why. I searched the forum and didn't see anything similar. The terms "bus" and "error" are pretty generic...

Does anyone have any idea what's going on here? I'm wondering if there is a hardware problem... I don't think bus errors are the kind of thing I should be seeing.