Channel: EdgeRouter topics

My EdgeMAX X SFP got hacked (exploit in 1.9.0 firmware?)


Hi,

No idea what to do with this information since I don't know enough about the hack to submit anything on HackerOne, so I post it here.

Anyways - my EdgeMAX X SFP router got hacked. Got an e-mail today from my ISP that there were lots of port scans on port 22 done from my IP address, and that I likely had a network device that was hacked. My first instinct was to try to update the firmware on my router (from 1.9.0 to 1.9.1).

Tried to upload the firmware to the router - got an error message. Then tried to delete the firmware images stored on the router to make space (in case that was the problem) according to the instructions in the firmware release notes. Got the message that the router had been updated and needed a reboot. So I rebooted.

Then the router didn't start up - I didn't get an IP through DHCP, so I entered a fixed IP and tried to connect to 192.168.1.1 - and got a splash screen with an error message from an ASUS firmware saying that my ASUS RT-bla bla needed to be rebooted?!

I'm guessing this means the router was hacked and some other firmware was installed on it somehow, and whoever hacked it used it to do the port scans that my ISP warned me about.

So I guess this means the EdgeMAX X-SFP with firmware version 1.9.0 has a pretty big security exploit.

Again - don't know what to do with this information, but maybe it helps someone else. Maybe the exploit is well-known - I don't know.

/Jonas


ERPoE-5 drops connection 1-2x/day


Hello once again Ubiquiti community!

When I first purchased my ERPoE-5, I had misconfigured it to use a software bridge rather than the 3 ports corresponding to the hardware switch. Thanks to the advice of this forum, I have since fixed this and seen a large performance increase.

Ever since, however, I have been dealing with a very frustrating issue. I frequently play online games, and I notice that once or twice a day I will lose connection. I have not had much luck in diagnosing the source of this disconnection. This behavior does not seem to manifest itself when I connect directly via my modem (that I have noticed), so I can only think it is related to the router. Restarting the router does temporarily fix this problem. All relevant information I can think of is below.

Thanks for any help!

Config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description Local
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output 48v
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.1.1 {
                    stop 192.168.1.199
                }
                static-mapping freenas {
                    ip-address 192.168.1.200
                    mac-address 00:25:90:5d:76:67
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on switch0 {
            outbound-interface eth0
        }
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $6$4yjIa7WEExgKrS8l$q1Vt3YElbiXSG0Y9jQkq0HF8jn35hviPZHB3NT7NB0/3vnLj/i6YKTuyeRyQ42RdAamRoUToTBKRqlsEBrnAl/
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939093.161214.0705 */

Copy of my /var/log/messages file (note that during this time frame a disconnect did occur, but I do not see any useful information relating to it):

Feb 10 16:36:15 ubnt rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Feb 10 16:36:15 ubnt kernel: Linux version 3.10.20-UBNT (root@ubnt-builder2) (gcc version 4.7.0 (Cavium Inc. Version: SDK_3_1_0_p2 build 34) ) #1 SMP Fri Dec 2 02:30:08 PST 2016
Feb 10 16:36:15 ubnt kernel: CVMSEG size: 2 cache lines (256 bytes)
Feb 10 16:36:15 ubnt kernel: Checking for the multiply/shift bug... no.
Feb 10 16:36:15 ubnt kernel: Checking for the daddiu bug... no.
Feb 10 16:36:15 ubnt kernel: Zone ranges:
Feb 10 16:36:15 ubnt kernel: DMA32 [mem 0x00400000-0xefffffff]
Feb 10 16:36:15 ubnt kernel: Normal [mem 0xf0000000-0x41fbfffff]
Feb 10 16:36:15 ubnt kernel: Movable zone start for each node
Feb 10 16:36:15 ubnt kernel: Early memory node ranges
Feb 10 16:36:15 ubnt kernel: node 0: [mem 0x00400000-0x00a8ffff]
Feb 10 16:36:15 ubnt kernel: node 0: [mem 0x00c00000-0x07ffffff]
Feb 10 16:36:15 ubnt kernel: node 0: [mem 0x08200000-0x0fdfffff]
Feb 10 16:36:15 ubnt kernel: node 0: [mem 0x410000000-0x41fbfffff]
Feb 10 16:36:15 ubnt kernel: Primary instruction cache 32kB, virtually tagged, 4 way, 64 sets, linesize 128 bytes.
Feb 10 16:36:15 ubnt kernel: Primary data cache 16kB, 64-way, 2 sets, linesize 128 bytes.
Feb 10 16:36:15 ubnt kernel: Secondary unified cache 128kB, 8-way, 128 sets, linesize 128 bytes.
Feb 10 16:36:15 ubnt kernel: Built 1 zonelists in Zone order, mobility grouping on. Total pages: 125887
Feb 10 16:36:15 ubnt kernel: Kernel command line: bootoctlinux $loadaddr coremask=0x3 root=/dev/sda2 rootdelay=15 rw rootsqimg=squashfs.img rootsqwdir=w mtdparts=phys_mapped_flash:512k(boot0),512k(boot1),64k@1024k(eeprom) console=ttyS0,115200
Feb 10 16:36:15 ubnt kernel: Checking for the daddi bug... no.
Feb 10 16:36:15 ubnt kernel: SCSI subsystem initialized
Feb 10 16:36:15 ubnt kernel: octeon_pci_console: Console not created.
Feb 10 16:36:15 ubnt kernel: /proc/octeon_perf: Octeon performance counter interface loaded
Feb 10 16:36:15 ubnt kernel: Bootbus flash: Setting flash for 8MB flash at 0x1f400000
Feb 10 16:36:15 ubnt kernel: phys_mapped_flash: Swapping erase regions for top-boot CFI table.
Feb 10 16:36:15 ubnt kernel: number of CFI chips: 1
Feb 10 16:36:15 ubnt kernel: 3 cmdlinepart partitions found on MTD device phys_mapped_flash
Feb 10 16:36:15 ubnt kernel: Creating 3 MTD partitions on "phys_mapped_flash":
Feb 10 16:36:15 ubnt kernel: 0x000000000000-0x000000080000 : "boot0"
Feb 10 16:36:15 ubnt kernel: 0x000000080000-0x000000100000 : "boot1"
Feb 10 16:36:15 ubnt kernel: 0x000000100000-0x000000110000 : "eeprom"
Feb 10 16:36:15 ubnt kernel: scsi 0:0:0:0: Direct-Access USB DISK 2.0 PMAP PQ: 0 ANSI: 6
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] 7831552 512-byte logical blocks: (4.00 GB/3.73 GiB)
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] Write Protect is off
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] No Caching mode page found
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] No Caching mode page found
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] No Caching mode page found
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Feb 10 16:36:15 ubnt kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
Feb 10 16:36:15 ubnt kernel: Algorithmics/MIPS FPU Emulator v1.5
Feb 10 16:36:15 ubnt kernel: ubnt_platform: module license 'Proprietary' taints kernel.
Feb 10 16:36:15 ubnt kernel: Disabling lock debugging due to kernel taint
Feb 10 16:36:15 ubnt kernel: octeon-ethernet 2.0
Feb 10 16:36:15 ubnt kernel: Interface 0 has 3 ports (RGMII)
Feb 10 16:36:15 ubnt kernel: switch0: 1000 Mbps Full duplex, port 2
Feb 10 16:36:16 ubnt NSM[618]: NSM-6: Initializing memdbg: ptr=0x6929d4 history-size=1024 memdbg-size=143552
Feb 10 16:36:16 ubnt RIB[621]: RIB-6: Initializing memdbg: ptr=0x586a04 history-size=1024 memdbg-size=143552
Feb 10 16:36:16 ubnt NSM[619]: NSM-6: 1000 MB
Feb 10 16:36:16 ubnt NSM[619]: NSM-6: ioctl() returned illegal value. Setting bandwidth to 0
Feb 10 16:36:16 ubnt NSM[619]: NSM-6: 1000 MB
Feb 10 16:36:17 NSM[619]: last message repeated 3 times
Feb 10 16:36:17 ubnt NSM[619]: NSM-4: Could not create VRF table with identifier 1 in the MPLS Forwarder
Feb 10 16:36:17 ubnt RIB[624]: RIB-6: RIBd (1.2.0) starts
Feb 10 16:36:17 ubnt kernel: ip_set: protocol 6
Feb 10 16:36:19 ubnt rl-system.init: Checking/creating SSH host keys.
Feb 10 16:36:22 ubnt IMI[616]: IMI-6: imi_server_send_config called (PM 1)
Feb 10 16:36:22 ubnt IMI[616]: IMI-6: imi_server_send_config called (PM 42)
Feb 10 16:36:23 ubnt rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Feb 10 16:36:23 ubnt rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Feb 10 16:36:48 ubnt kernel: eth0: 1000 Mbps Full duplex, port 0
Feb 10 16:36:56 ubnt ntpd[1357]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)
Feb 10 16:36:56 ubnt ntpd[1358]: proto: precision = 54.058 usec
Feb 10 16:37:03 ubnt NSM[619]: NSM-6: Operation not supported
Feb 10 16:38:11 NSM[619]: last message repeated 3 times
Feb 10 16:38:11 ubnt ntpd[1358]: ntpd exiting on signal 15
Feb 10 16:38:13 ubnt ntpd[1675]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)
Feb 10 16:38:13 ubnt ntpd[1676]: proto: precision = 53.627 usec
Feb 10 16:38:21 ubnt dhcpd: WARNING: Host declarations are global. They are not limited to the scope you declared them in.
Feb 10 16:38:21 ubnt dhcpd:
Feb 10 16:38:21 ubnt dhcpd: No subnet declaration for eth0 (xx xx xx xx).
Feb 10 16:38:21 ubnt dhcpd: ** Ignoring requests on eth0. If this is not what
Feb 10 16:38:21 ubnt dhcpd: you want, please write a subnet declaration
Feb 10 16:38:21 ubnt dhcpd: in your dhcpd.conf file for the network segment
Feb 10 16:38:21 ubnt dhcpd: to which interface eth0 is attached. **
Feb 10 16:38:21 ubnt dhcpd:

ER Lite won't boot anymore


After installing the latest 1.9.1 I have had nothing but problems. After a hard reset I still cannot get it to boot. I captured this from the console. How can I now recover this?

Octeon ubnt_e100#
Looking for valid bootloader image....
Jumping to start of image at address 0xbfc80000


U-Boot 1.1.1 (UBNT Build ID: 4670715-gbd7e2d7) (Build time: May 27 2014 - 11:16:22)

BIST check passed.
UBNT_E100 r1:2, r2:18, f:4/71, serial #: 802AA84CA322
MPR 13-00318-18
Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  512 MB
Clearing DRAM....... done
Flash:  4 MB
Net:   octeth0, octeth1, octeth2

USB:   (port 0) scanning bus for devices... 1 USB Devices found
       scanning bus for storage devices...
  Device 0: Vendor:          Prod.: USB DISK 2.0     Rev: PMAP
            Type: Removable Hard Disk
            Capacity: 3824.0 MB = 3.7 GB (7831552 x 512)
Reset pressed ...0...1...2...3...Confirmed
Starting with factory-default config...
** Partition 1 not valid on device 0 **

** Unable to use usb 0:1 for fatload **
argv[2]: coremask=0x3
argv[3]: root=/dev/sda2
argv[4]: rootdelay=15
argv[5]: rw
argv[6]: rootsqimg=squashfs.img
argv[7]: rootsqwdir=w
argv[8]: mtdparts=phys_mapped_flash:512k(boot0),512k(boot1),64k@1024k(eeprom)
argv[9]: resetsqimg
## No elf image at address 0x09f00000
 0
** Partition 1 not valid on device 0 **

** Unable to use usb 0:1 for fatload **
argv[2]: coremask=0x3
argv[3]: root=/dev/sda2
argv[4]: rootdelay=15
argv[5]: rw
argv[6]: rootsqimg=squashfs.img
argv[7]: rootsqwdir=w
argv[8]: mtdparts=phys_mapped_flash:512k(boot0),512k(boot1),64k@1024k(eeprom)
## No elf image at address 0x09f00000
Octeon ubnt_e100#

pppoe WAN limited bandwidth


Hello, I am new to EdgeRouter, and before posting this I re-configured and checked the documentation and forum, but I am not able to understand or solve my problem... so please help me.

I configured my ER-X with the Basic configuration wizard from the GUI, with pppoe on eth4 and all other ports in a single LAN, DHCP on 192.168.1.0/24. All is fine, except for the low WAN download speed, always limited to a max of 5Mbps. My provider grants me 30Mbps, and if I connect directly, configuring pppoe on the laptop, I always reach about 24-26 Mbps. I tested this many times, so it is not a provider problem.

I re-configured with the wizard many times but got the same result: all is fine except the download speed, always stuck at 5 Mbps (more or less).

Can someone explain to me what is happening?

No service was enabled on the LAN during the test, so no P2P, no games, no torrents or similar.

Below is my "show configuration" file.

Thank you for your support

Cannot route internal IPs to servers on other subnet


We are having a horrible time... I've hired an experienced Ubiquiti admin and he still can't figure out how to solve our issue. We are running a website at FleetSupplier.com and it's routing fine from the outside, but none of our internal PCs can access the website through the SSL that we've got set up... it says certificate error and sends traffic to our router's web server instead of our real web server.

We're running one Comcast business internet connection into our business, into eth1. Previously we had all traffic internally through eth2. However, we moved all internal PCs onto eth0 now, and we are trying to route fleetsupplier.com to pass through the IP 50.196.239.227 ... which goes to the server at 192.168.2.101 internally.

eth0 is the 192.168.1.x subnet. None of the PCs can get onto fleetsupplier.com because something is happening on the router to cause an error in routing to the other eth2 subnet of 192.168.2.x, since the DNS is somehow saying fleetsupplier.com -> 50.196.239.227 ... and then when the computer tries to access it from the eth0 subnet, it's just pointing to the EdgeMAX device at 192.168.1.1... What else can we do?

Speed drop by 100 plus


So we have our 8-port router Pro using eth0 as the WAN, and we notice that the router drops about 100 plus on the system. We are also replacing all our TOUGHSwitches because we notice that the PoE 5-port can only handle 85MB, same with the 8-port. Is there something going on with the routers also? Any comments will help. When we speed test the fiber it's all good; when we get to the ubnt router, speeds drop.

Dynamic DNS with DYNDNS.org errors


Hi all,

I have just picked up my ER-Lite and have been configuring it.

I am having trouble with configuring my DDNS.

I pay for a dyndns.org package and have been using this and have tried multiple hostnames.

I am currently using one of the hostnames on the router that I will be replacing (it is on a different link from another ISP).

When trying to set it up I get a few errors.

interface - eth1

service - dyndns

hostname - hostname.dyndns.org

username - this is correct

password - this is also correct

protocol - dyndns2 (tried both 1 and 2)

server - (multiple, see results below)

server - blank

interface : eth1
ip address :
host-name : hostname.dyndns.org
last update : Thu Jan 1 00:00:00 1970
update-status: badauth

server - members.dyndns.org (the only one I can find online)

I get the error noconnect:

interface : eth1
ip address :
host-name : hostname.dyndns.org
last update : Thu Jan 1 00:00:00 1970
update-status: noconnect

server - account.dyn.com

This connects but does not update the IP address:

interface : eth1
ip address : 10.10.1.4
host-name : hostname.dyndns.org
last update : Sat Feb 11 00:03:54 2017
update-status: good

I have tested this with No-IP DDNS and that one connects perfectly and updates the IP on the first try (I didn't need to input a server).

Yes, I know that I am behind another router at the minute, but that is because my main one is being used.

I am also using eth1 as it is my failover connection - eth0 is disconnected.

All settings will be changed to be used on eth0 once I get it to work correctly.

Does anyone know the correct way to configure dyndns.org?

I have also tried following the ubnt guide for configuring through the CLI. This gave the same responses as above.

Help with Open VPN routing on EdgeRouter X SFP


Hello.

I have a question about the OpenVPN client on EdgeRouter X SFP v1.9.1.

I have a VPN provider and it seems like I managed to upload the right OVPN, KEY and CRT files together with one specifying name and pass. I believe I got OpenVPN connected (the 46.* addresses are the VPN server addresses).

The settings:

admin@ubnt:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         255.255.255.0   U         0 0          0 vtun0
0.0.0.0         46.246.39.1     128.0.0.0       UG        0 0          0 vtun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
46.246.39.0     0.0.0.0         255.255.255.0   U         0 0          0 vtun0
46.246.39.2     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       46.246.39.1     128.0.0.0       UG        0 0          0 vtun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 switch0

and routes:

 

admin@ubnt:~$ ip route
0.0.0.0/24 dev vtun0  proto kernel  scope link
0.0.0.0/1 via 46.246.39.1 dev vtun0
default via 192.168.1.1 dev eth0  proto zebra
46.246.39.0/24 dev vtun0  proto kernel  scope link  src 46.246.39.78
46.246.39.2 via 192.168.1.1 dev eth0
128.0.0.0/1 via 46.246.39.1 dev vtun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.116
192.168.2.0/24 dev switch0  proto kernel  scope link  src 192.168.2.1

So, here I got stuck, not knowing how to set up routing and blocking.

As a starting point, my idea is to have:

eth0 as incoming internet into the router

eth1 outgoing to an access point (without VPN)

eth2, eth3, eth4 outgoing only to VPN

It could probably be done via the WebUI or CLI, but I do not know what needs to be done in my case.

Could someone give me a hint, please?

Thanks!

Regards
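
The two tables above show the classic OpenVPN `redirect-gateway def1` layout: instead of replacing the default route, the client adds 0.0.0.0/1 and 128.0.0.0/1 via 46.246.39.1 on vtun0, which together cover all of IPv4 and beat the /0 default by longest-prefix match, plus a /32 host route that sends the VPN server 46.246.39.2 itself out eth0 so the tunnel's own packets do not loop back into the tunnel. The Python below is an added example, not from the original post or from EdgeOS: it reproduces the kernel's longest-prefix lookup over a constructed copy of that `ip route` table so you can see which interface any destination leaves on, and checks that the two /1 routes really cover the whole address space. It also makes the limitation visible: the goal "eth1 without VPN, eth2-eth4 only via VPN" cannot be expressed in this table at all, because a destination-based lookup sends every LAN the same way, and per-source-interface steering needs a policy-based routing table instead. The route list, `lookup`, `split_default_covers_all` and `egress_report` are this example's own.

```python
import ipaddress

# Constructed copy of the `ip route` table posted above: (prefix, next hop or None, device).
ROUTES = [
    ("0.0.0.0/24", None, "vtun0"),
    ("0.0.0.0/1", "46.246.39.1", "vtun0"),       # lower half of IPv4 into the tunnel
    ("0.0.0.0/0", "192.168.1.1", "eth0"),        # the real default, via the physical gateway
    ("46.246.39.0/24", None, "vtun0"),
    ("46.246.39.2/32", "192.168.1.1", "eth0"),   # VPN server stays reachable outside the tunnel
    ("128.0.0.0/1", "46.246.39.1", "vtun0"),     # upper half of IPv4 into the tunnel
    ("192.168.1.0/24", None, "eth0"),
    ("192.168.2.0/24", None, "switch0"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match as the kernel does it: return (prefix, via, dev) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        # A more specific prefix always wins over a less specific one.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (str(best[0]), best[1], best[2])


def split_default_covers_all(routes, dev="vtun0"):
    """True when the /1 routes on dev collapse to 0.0.0.0/0 (the redirect-gateway def1 layout)."""
    halves = [ipaddress.ip_network(p) for p, _, d in routes
              if d == dev and ipaddress.ip_network(p).prefixlen == 1]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]


def egress_report(destinations, routes=ROUTES):
    """Map each destination to the interface it leaves on: a quick 'what goes through the VPN' check."""
    return {dst: lookup(dst, routes)[2] for dst in destinations}


if __name__ == "__main__":
    for dst, dev in egress_report(["8.8.8.8", "200.1.1.1", "46.246.39.2", "192.168.2.5"]).items():
        print(f"{dst:>14} -> {dev}")
    print("def1 split default covers all of IPv4:", split_default_covers_all(ROUTES))
```

Every public destination resolves to vtun0, the VPN server itself to eth0, and the LANs to their own interfaces; nothing in the table depends on where the packet came from, which is why the eth1 bypass needs a separate routing table selected by source interface.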


reserve IP address VPN L2TP pool


Hello

I want to connect to my EdgeRouter with a VPN L2TP connection.

I have set a pool: 192.168.1.100 to 192.168.1.110

I want to reserve one IP from this pool (192.168.1.100) for a specific device (MAC) every time I connect.

Is it possible to have the same IP every time I connect through my VPN?

 

ipsec site-to-site tunnel: Allow local to remote access, deny remote to local access.


It seems like I have the opposite trouble of most site-to-site posts here. I have traffic flowing both directions wonderfully. I'm looking to allow local to access remote, and deny remote to local by default. I just can't seem to figure out which interface I should be placing the rule on.

ER-X ipsec site-to-site tunnel

local (created using the GUI ipsec site-to-site)

subnet 10.0.1.0/24

switch0 is 10.0.1.0/24 (eth0 is WAN, the remaining ethX are switch0)

remote (pfSense)

subnet 10.0.3.0/24

I would like to allow hosts from 10.0.1.0/24 to access 10.0.3.0/24 openly. I would prefer 10.0.3.0/24 hosts to be dropped by default (sans established), unless permitted by a specific rule.

I had thought this rule should go on switch0 OUT with ipsec matched; however, in my testing it didn't seem to do what I expected.

Am I completely off in my thinking, or should I dig more into the remainder of the config?

Shortcut between 2 LANS


So the idea was to create a shortcut between two separate private networks, Office and Home. This shortcut would allow sending IP camera traffic from the Home LAN to the Camera Server on the Office LAN. I started by getting an EdgeRouter X, connecting the Home LAN to Port0 and the Office LAN to Port4. Then I was going to put in static routes in both the Comcast Business Gateway and Comcast Residential Gateway, each one pointing to the other Gateway's internal IP. Well, adding a static route to the business gateway doesn't work (verified with their tech support), and adding a static route to the residential gateway was not even an option.

So, my next step (it's only another 50 bucks, right?): get another EdgeRouter X, configure both Comcast gateways to bridge only, and use the EdgeRouter Xs to deal out IPs (DHCP server), firewall, and route to each other's VLANs through the shortcut. See picture attached.

I'm just knowledgeable enough to get myself into some real trouble, so that's why I post this. I'm not sure how I'm going to configure all this, or even what optional services to enable on the routers (and how to configure them). Anyone have any recommendations, warnings, or bad jokes? I'll take what I can get.

NetMap_170210f_xc.jpg

 

 

Edge Router X WAN Speed Dropped after FW upgrade


I have an AT&T GigaPower connection at my house. When it was first installed, I had to enable hardware offload to get my full bandwidth allotment. I was consistently hitting between 850-950 down and up. I upgraded my FW to 1.9.1 tonight, and now I'm only getting 100-100 down and up. I made sure hardware offload was still enabled, but otherwise I have no idea what happened.

When I plug directly into my U-verse modem, I'm getting the bandwidth results that I would expect, but behind the ER-X, nada.

Here is my config file:
https://dl.dropboxusercontent.com/u/4463170/edgeos_ubnt_20170210.tar.gz

Dual WAN - SMTP through specific WAN


Hello, I was wondering whether anyone could help with how I could configure the EdgeRouter Lite v1.9.1.

I have applied the dual WAN load balancing wizard, and that works fine - except for SMTP.

WAN 1 and WAN 2 are different ISPs, and WAN 1 ISP's SMTP server is different to WAN 2 ISP's SMTP server (ie, different ISP, different SMTP server). Currently, the WAN 1/ISP 1/SMTP 1 server is mail.optusnet.com.au and the WAN 2/ISP 2/SMTP 2 server is mail.iinet.net.au.

In all of the various equipment/applications that allow me to nominate an SMTP server for outgoing email (ie, email notifications, alerts etc), I need to nominate an SMTP server - from either ISP.

With the current dual WAN load balancing configuration (which I assume is standard as it results from the wizard), if both WAN 1 and WAN 2 are enabled, the equipment/applications can't connect to/use the SMTP servers from either ISP to send outgoing email.

If I disable WAN 1, then equipment/applications with SMTP 2 can send emails (presumably through WAN 2/ISP 2), but equipment/applications with SMTP 1 cannot send emails.

If I disable WAN 2, then equipment/applications with SMTP 1 can send emails (presumably through WAN 1/ISP 1), but equipment/applications with SMTP 2 cannot send emails.

I assume this means the SMTP server for each ISP must be connected to through its own ISP, and/or each ISP blocks requests to another ISP's SMTP server - but I don't know what happens when both WAN/ISP/SMTP servers are enabled, except that it doesn't work.

Is there a way that I can:

  1. Force equipment/applications with SMTP 1 to connect to SMTP 1 through WAN 1/ISP 1, and the same for equipment/applications with SMTP 2 to connect to SMTP 2 through WAN 2/ISP 2; or
  2. Force all SMTP/port 25 through either WAN 1 or WAN 2 and then change all SMTP servers to the relevant SMTP server for the associated ISP (ie, change all equipment/applications to SMTP 1, and force all SMTP through WAN 1/ISP 1).

I've been going through the forums every now and then looking for the answer, and I've tried unsuccessfully to follow a few examples. Basically, I'm at a loss and grateful for any help.

IPsec Site to Site, one way traffic


Hi all,

I am setting up an IPsec site-to-site VPN in a lab between an ER-X and a generic router.

I get all the way to the end with both IPsec SAs being built, but traffic only seems to flow one way.

When I send a ping from the "right" side (initiator) I see the packet counter increase, but tracing with Wireshark on the ping destination, in the LAN of the "left" side (responder), shows nothing coming out.

I don't have the firewall on, so I am not expecting it to be that.

Does anyone know what I am missing?

ubnt@ubnt:~$ show vpn ipsec sa
peer-10.0.0.2-tunnel-1: #3, ESTABLISHED, IKEv1, ee20914664a98748:d25c09e6d9ffea7e
local '10.0.0.1' @ 10.0.0.1
remote '10.0.0.2' @ 10.0.0.2
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
established 5837s ago, reauth in 22413s
peer-10.0.0.2-tunnel-1: #1, REKEYING, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1536
installed 3020 ago, rekeying in -432s, expires in 581s
in cb082540, 190 bytes, 5 packets, 743s ago
out 87ae4b6b, 0 bytes, 0 packets
local 192.168.100.0/24
remote 192.168.200.0/24
peer-10.0.0.2-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1536
installed 432 ago, rekeying in 2148s, expires in 3168s
in cf481e6e, 38 bytes, 1 packets, 3s ago
out 87ae4b6c, 0 bytes, 0 packets
local 192.168.100.0/24
remote 192.168.200.0/24

 

Below is my config.boot:

interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 10.0.0.1/24
        description Internet
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.100.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.100.1
                lease 86400
                start 192.168.100.38 {
                    stop 192.168.100.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth4
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        interface eth3 {
            disable
        }
        interface eth4 {
            disable
        }
    }
}
system {
    gateway-address 10.0.0.2
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $6$cSGs87wtN$WWYKB0Kf3MOGbSoCTXKP57JNdh8/p2NrHIAdMXJmFctXQbeiuuV4Y5VQE4Zj48FagJ/UiVNqHy3OE5Lkb8hVN1
            }
            level admin
        }
    }
    name-server 10.0.0.2
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        esp-group F00 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group5
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group F00 {
            dead-peer-detection {
                action hold
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth4
        }
        site-to-site {
            peer 10.0.0.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret VPNpassword
                }
                connection-type respond
                ike-group F00
                ikev2-reauth inherit
                local-address 10.0.0.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group F00
                    local {
                        prefix 192.168.100.1/24
                    }
                    remote {
                        prefix 192.168.200.1/24
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939092.161214.0702 */


Trying to setup DMZ for a single internal ip address and dynamic ip on WAN side


I have a DMZ setup with the following commands (and a firewall rule which I did not specify here):

 

set service nat rule 1 description 'DMZ In'
set service nat rule 1 destination address x.x.x.241
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.2.38
set service nat rule 1 log disable
set service nat rule 1 protocol all
set service nat rule 1 type destination
set service nat rule 5000 description 'DMZ Out'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address x.x.x.241
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.2.38
set service nat rule 5000 type source

It works but it's bound to a specific IP on the WAN side. And that IP can change, not often but sometimes after maintenance. So I'm now trying to use the ADDRv4_eth0 address-group:

set service nat rule 1 destination group address-group ADDRv4_eth0
set service nat rule 5000 outside-address address-group ADDRv4_eth0

But that's not working; then I get an error along the lines of:

NAT configuration error: Can't mix destination address group [ADDRv4_eth0] and address

 

Does anybody know how to set up these NAT rules with a dynamic WAN IP? Did I set up the DMZ wrong?


Connect ERPoE-5 to Unifi Switch - no Gigabit


I have searched the forums and am not able to find a solution. Need some advice, and thanks in advance for any assistance.

 

I have configured the ERPoE using the wizard WAN+2LAN2. The bridging between eth1 and eth2-4 is not enabled and they are kept as separate LANs.

 

When I connect a Cat6 cable from my Unifi switch to eth2, I get only 100 FDX. If I connect to eth1, I get 1000 FDX. All are set to auto negotiate.

 

Why is there a difference?

Performance, VLAN routing


I have been trying to create a new configuration, with security and logging, for 2 days now and it seems like I'm running around in circles, or my Google skills have decided to leave me, as I can't find any solution to my problem. (Well, I can, but I really don't want to go that direction.)

Hardware:
 - 1x EdgeRouter PoE 5-port
 - 3x Cisco 2960G
 
ISP Connection: 250/250Mbps (fiber)

Objective:
- create 4 vlans (75, 125, 175, 192)
- internet access on 75, 125, 175
- Block access from 75 to 125, 175, 192
- allow access from 75 to access 1 ip on 175 (streaming)
- block access from 125 to 75, 175, 192
- allow access from 1 ip on 125 to access 175, 192 (admin access)
- block access from 175 to 75, 125, 192
- block access from 192 to 75, 125, 175
- allow udp/514 from 192 to 1 ip on 175

Problem:
When testing my bandwidth on speedtest.net, the bandwidth is a lot lower than with a flat configuration (wan+2lan2)

 

Question:

Can my config be optimized, so I can get the same bandwidth?

 

Comparison:

Speedtest.net, wan+2lan2

bw - basic config.png

 

 Speedtest.net, adv.config.txt (vlan175)

bw - adv.config - vlan175.png

Alert with a port change?


I dug through the forums and I cannot see a solution. One of the best features with the WispSwitch is its ability to send an alert when a port change occurs (offline, duplex mismatch, speed change etc). There have been a few times when a random backhaul will negotiate 100 half and we have a duplex mismatch. We find it by tracing and testing down the line. It would be amazing if the UBNT unit could send an alert if a port change occurs to ensure that we identify problems before they become one.

 

Any idea on how this can be accomplished with an EdgeMax switch?

 

Thank you ahead of time!

Log all connections


Is it possible to log all connections somewhere?

 

Preferably with what port the connection used.

 

I'd like to see them in an IP list with port. I'm sure such a list would be huge, so it would probably need to be flushed frequently or saved somewhere remotely.

Can't access EdgeRouter interface remotely from an external network


I was gifted a Ubiquiti EdgeRouter Lite 3, and though I'm not a networking pro, I'm slowly getting the hang of using it and I'm learning a lot along the way.

 

The all-in-one modem/router/AP (DPC3828S) provided by my cable company takes a coaxial connection, so I have no choice but to carry on using it. So I have plugged the EdgeRouter into one of the 4 LAN ports on the back of the ISP router. Sadly the ISP-provided device doesn't have a bridge mode, so I think I may be double routed, and this is causing me all sorts of headache. For instance I can't access the EdgeRouter's web interface externally. When I type my public IP address into the web browser, it takes me to the web interface for the ISP router.

 

Any ideas how I can configure it so that I can access the EdgeRouter web interface (perhaps on a different port)? I'm still relatively new to all this and would really appreciate some guidance.

 

PS, I've already added a ruleset for WAN_LOCAL to accept TCP ports 80 and 443.
