Hi everyone, 

I want to acccept traffic received from IP Phones bound for my phone providers network. 

For some reason, using a destination network-group doesn't match the traffic. This is rule 30.

If I specify the destination address /24 it does match. This is rule 40. 

Bizarrely, rule 20 does match and work... which is also using a destination network group. 

I want to remove rule 40 and use destination network group as there are potentially other networks I will need to add or modify later. 

Have deleted and readded via CLI and via Web interface. 

Relevant rules as follows:

set firewall group network-group 2TALK-NETWORKS network 27.114.14.0/24

set firewall name VOIP-IN default-action drop
set firewall name VOIP-IN enable-default-log
set firewall name VOIP-IN rule 20 action drop
set firewall name VOIP-IN rule 20 description 'Drop all other traffic to internal subnets'
set firewall name VOIP-IN rule 20 destination group network-group ALL-INTERNAL-NETWORKS
set firewall name VOIP-IN rule 20 log disable
set firewall name VOIP-IN rule 20 protocol all
set firewall name VOIP-IN rule 30 action accept
set firewall name VOIP-IN rule 30 description 'Accept traffic to 2Talk Networks'
set firewall name VOIP-IN rule 30 destination group network-group 2TALK-NETWORKS
set firewall name VOIP-IN rule 30 log disable
set firewall name VOIP-IN rule 30 protocol all
set firewall name VOIP-IN rule 40 action accept
set firewall name VOIP-IN rule 40 description 2talk
set firewall name VOIP-IN rule 40 destination address 27.111.14.0/24
set firewall name VOIP-IN rule 40 log disable
set firewall name VOIP-IN rule 40 protocol all

Any suggestions most welcome, thank you. 

Hi,

I have a problem with Portforwarding within Loadbalancing.

Our Setup:

Two Static IP-Adresses on Eth0 and Eth1 both with PPPoe

LAN on Eth3 10.0.1.1 to Hardware Firewall 10.0.1.2 (IPFire)

Problem: When I do a request on PPPoe1 everything works fine. The Host behind the Firewall is resolved correctly. When I do a request on PPPoe0 the host is not resolved correctly I see a hit within the interface but the client receive no answer

Open Ports:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        port-group CWT_EXTERN {
            description "Forward to IPFIRE TCP"
            port 1194
            port 1195
            port 25
            port 443
            port 8001
            port 8002
            port 8009
            port 9022
            port 7023
            port 7022
            port 8022
            port 8083
            port 8080
            port 8081
            port 8443
            port 8023
        }
        port-group CWT_ROADWARRIOR {
            description "Forward to IPFIRE UDP"
            port 1194
            port 1195
        }
    }

NatRules:

 nat {
        rule 1 {
            description "Port Test"
            destination {
                address 80.153.XXX (Static Adress 1)
                port 8080
            }
            inbound-interface pppoe1
            inside-address {
                address 10.0.1.2
                port 8080
            }
            log enable
            protocol tcp
            type destination
     }
        rule 2 {
            description "Port Test"
            destination { 
                address 80.153.XXX (Static Adress 2)
                port 8080
            }
            inbound-interface pppoe0
            inside-address {
                address 10.0.1.2
                port 8080
            }
            log enable
            protocol tcp
            type destination
        }

Load Balance Setup:

modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe1
                }
            }
            modify {
                table main
            }
        }

        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }

Firewall Setup:

name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 41 {
            action accept
            description "Allow TCP"
            destination {
                address 10.0.1.2
                group {
                    port-group CWT_EXTERN
                }
            }
            log enable
            protocol tcp
        }
        rule 42 {
            action accept
            description "Allow UDP"
            destination {
                address 10.0.1.2
                group {
                    port-group CWT_ROADWARRIOR
                }
            }
            log disable
            protocol udp
        }
    }

Any help for this? I have no clue whats the issue here

Best

Michael

Hello

here is what I would like to achieve.

My goal is to use the edge router do do DPI as transparently as possible

Now here is my detail goal

• I have a VDSL router. This VDSL router has 2 interfaces
  • 1 for the LAN
  • 1 for the GUEST LAN
• I would like on the ERL to
  • feed the LAN on ETH0
  • feed the GUEST LAN on ETH1
  • connect my switch on ETH2
  • Have the GUEST LAN on ETH2 in VLAN4
  • Have all DHCP request (both on LAN and GUESTLAN) be answered by my VDSL router

My first step was to try to setup DHCP-relay

• I plugged my VDSL LAN port on the ERL eth0 port
• I plugged my computer on the ERL eth2 port
• on the ERL I setup eth0 as DHCP client
• eth0 and eth1 as dhcp relay with VDSL router (192.168.33.1) as DHCP server
  

  configure
  edit service dhcp-relay
  set server 192.168.33.1
  set interface eth0
  set interface eth1
  commit

I never managed to get DHCP pass the edge router.

Anyone has an idea how to start ?

Thanks

Hello, I've just joined and despite my searching in the forum I haven't found my issue addressed.

Mind you, this could well be due to the technical exlanations I've read going well over my head. So, I humbly ask that you bear with me and that any reply is fit to be included in "EdgeRouter Lite for Dummies".

The issue: we have two VDSL lines in small office and need to "join" then in order to

a. load balance user bandwidth requests (mostly web browsing)

b. maximize download throughput for large files (when using 'suitable' downloader software such as Download Accelerator Plus, jdownloader etc)

This has been achieved in a different location using a consumer TP-Link TL-R470T+ to join 3 ADSL lines, to an acceptable degree, a far as download speed is concerned. Reliability is a different matter though, hence our looking into a Ubiquity solution.

Thank you very much in advance,

Nikolas 

Hey Guys,

Thanks for reading my post!

I have a problem and hope that you guys can help me out, it should be a stupid simple mistake but i can't seem to figure it out.

I have a Edgemax 5-Ports Boarder Router.

eth0 = WAN Modem (DHCP)

eth1 = My Creapy Network, all kinds of virusses here (broken pc's, etc) // 10.0.0.0/24

eth2, eth3, eth4 = Normal network with 2 VLAN's 192.168.7.0/24 -- 17.0/24 -- 27.0/24

Everything is working like it should but now i want to restrict access from eth1 to eth2,3,4 (i don't want virusses over here).

So i jumped in my Firewall settings and created a new Ruleset (Creapy_Local);

- Set it to interface eth1 (direction local)

- Set it to default action Drop

- Created a rule that accept port 53 and 67 for DNS & DHCP (i think i can limit that to address 10.0.0.1, since that is the router,. but okay thats for later purpose)

- Created a rule with a drop action from address 10.0.0.0/24 to destination 192.168.7.0/24 - Protocol all

- Created a rule with a drop action from address 10.0.0.0/24 to destination 192.168.17.0/24 - Protocol all

- Created a rule with a drop action from address 10.0.0.0/24 to destination 192.168.27.0/24 - Protocol all

Well thats that, but when i make a ICMP ping towards 192.168.x.x from 10.0.0.x i got a positive answer,..

How is this possible, i can't figure it out.

I have also tried to Create a rule from Source eth1 and destination switch0 or switch 0.10 or switch0.20

This resulted in a total loss of traffic for eth1 or same result as above,..

Iám stuck

Thanks!

We're still having issues with SNMPv3 settings being wiped on every upgrade. Same issue as here.

https://community.ubnt.com/t5/EdgeMAX/SNMP-wiped-after-1-8-5-upgrade/m-p/1656982

How is the load of lans balanced by the colors of the EDGE Route Poe 5? My here is CPU 0 going up to 99% and the other in 50-60%

Used

eth0 = 60Mb (input)
eth1 = 100Mb (input)

eth2 = 100Mb (uplink)

eth3 = 60Mb (uplink)

eth4 = 80Mb (input)

Eth0 and eth1 goes to CPU 0 and in eth2,3,4 to CPU 1 ???

Hi there,

I just wanted to set up a zone-based firewall on my EdgeRouter POE-5. However, after setting up the zones, I do not seem to have any access to the router. I already tried to set the default-action of any firewall to allow for debugging purposes, but it still doesn't work. There has to be some problem with a rule not applied and falling back to the default-action DROP of the zones.

Background information:

The user/zone PG has full access to the router and I am testing from there (eth1).

I would be very glad if someone could have a quick look at my configuration!

Zones:

 zone-policy {
	zone LOCAL {
		default-action drop
		from WAN {
			firewall {
				name WAN_TO_LOCAL
				}
		}
		from PG {
			firewall {
				name PG_TO_LOCAL
				}
		}
		from AG {
			firewall {
				name LAN_TO_LOCAL
				}
		}
		from REILA {
			firewall {
				name LAN_TO_LOCAL
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_LOCAL
				}
		}
		from NETWORKING {
			firewall {
				name LAN_TO_LOCAL
				}
		}
		from GUEST {
			firewall {
				name LAN_TO_LOCAL
				}
		}
		local-zone
	}
	zone WAN {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from PG {
			firewall {
				name LAN_TO_WAN
				}
		}
		from AG {
			firewall {
				name LAN_TO_WAN
				}
		}
		from REILA {
			firewall {
				name LAN_TO_WAN
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_WAN
				}
		}
		from NETWORKING {
			firewall {
				name LAN_TO_WAN
				}
		}
		from GUEST {
			firewall {
				name GUEST_TO_WAN
				}
		}
		interface eth0
		interface vtun0
	}
	zone PG {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from WAN {
			firewall {
				name WAN_TO_LAN
				}
		}
		from AG {
			firewall {
				name LAN_TO_PG
				}
		}
		from REILA {
			firewall {
				name LAN_TO_PG
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_PG
				}
		}
		from NETWORKING {
			firewall {
				name LAN_TO_PG
				}
		}
		from GUEST {
			firewall {
				name LAN_TO_PG
				}
		}
		interface switch0.2
		interface eth1
	}
	zone AG {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from WAN {
			firewall {
				name WAN_TO_LAN
				}
		}
		from PG {
			firewall {
				name LAN_TO_AG
				}
		}
		from REILA {
			firewall {
				name LAN_TO_AG
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_AG
				}
		}
		from NETWORKING {
			firewall {
				name LAN_TO_AG
				}
		}
		from GUEST {
			firewall {
				name LAN_TO_AG
				}
		}
		interface switch0.3
	}
	zone REILA {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from WAN {
			firewall {
				name WAN_TO_LAN
				}
		}
		from PG {
			firewall {
				name PG_TO_REILA
				}
		}
		from AG {
			firewall {
				name LAN_TO_REILA
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_REILA
				}
		}
		from NETWORKING {
			firewall {
				name LAN_TO_REILA
				}
		}
		from GUEST {
			firewall {
				name LAN_TO_REILA
				}
		}
		interface switch0.4
	}
	zone SERVER {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from WAN {
			firewall {
				name WAN_TO_LAN
				}
		}
		from PG {
			firewall {
				name PG_TO_SERVER
				}
		}
		from AG {
			firewall {
				name AG_TO_SERVER
				}
		}
		from REILA {
			firewall {
				name REILA_TO_SERVER
				}
		}
		from NETWORKING {
			firewall {
				name NETWORKING_TO_SERVER
				}
		}
		from GUEST {
			firewall {
				name GUEST_TO_SERVER
				}
		}
		interface switch0.1
	}
	zone NETWORKING {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from WAN {
			firewall {
				name WAN_TO_LAN
				}
		}
		from PG {
			firewall {
				name PG_TO_NETWORKING
				}
		}
		from AG {
			firewall {
				name LAN_TO_NETWORKING
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_NETWORKING
				}
		}
		from REILA {
			firewall {
				name LAN_TO_NETWORKING
				}
		}
		from GUEST {
			firewall {
				name LAN_TO_NETWORKING
				}
		}
		interface switch0
	}
	zone GUEST {
		default-action drop
		from LOCAL {
			firewall {
				name LOCAL_TO_ALL
				}
		}
		from WAN {
			firewall {
				name WAN_TO_LAN
				}
		}
		from PG {
			firewall {
				name LAN_TO_GUEST
				}
		}
		from AG {
			firewall {
				name LAN_TO_GUEST
				}
		}
		from SERVER {
			firewall {
				name LAN_TO_GUEST
				}
		}
		from REILA {
			firewall {
				name LAN_TO_GUEST
				}
		}
		from NETWORKING {
			firewall {
				name LAN_TO_GUEST
				}
		}
		interface switch0.100
	}
 }

Full configuration is attached.

Best,

Fips272

100Mbps up/10Mbps down WAN connection

I would like a policy that ensures no single flow uses all available bandwidth and negatively impacts other applications.

So basically a default class 95% of bandwidth with WFQ and 2% priority queue. But the problem appears to be downstream bandwidth is actually controlled by the sender and I can't apply a shaper to in direction (WAN in).

So which policy should I apply on which interface? My LAN interfaces have VLAN subinterfaces. Does the policy on physical interface get applied to subinterfaces all well?

Hello everyone,

I must be very tired. So I need your help

I just want to setup a simple routing on my ERL.

eth0 192.168.1.1/24

eth2 192.168.33.190/24

 default route 0.0.0.0/0 to 192.168.33.1

configure
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth2 address 192.168.33.90/24
set protocols static route 0.0.0.0/0 next-hop 192.168.33.1 

When I then connect a computer with ip 192.168.1.100 mask 255.255.255.0 gw 192.168.1.1 on eth0

And my home network with gateway 192.168.33.1 on eth2

On the ERL I can ping 192.168.33.1, 192.168.33.90, 192.168.1.1 and 192.168.1.100

From the computer I can ping 192.168.33.90, 192.168.1.1

BUT

I can't ping 192.168.33.1

Very trivial... but I can't do it.  what is wrong with my setup ?

Thanks

OK, hopefully I can explain this properly. Suffice to say the way it is currently setup is what I'm stuck with for now, I'll redo it better after some big renovations.

Upstream is a DHCP router that is assigning addresses in the 192.168.10.0/24 range. There's a long ethernet run coming out of this. I want to put an ERX at the end of this and 'split' it into two separate networks that are isolated from one another such that I have the following:

eth1 - main network but not itself running any dhcp, I basically just want it to 'pass along' whatever IP the upstream DHCP hands out.

eth2 - secondary network on different subnet (say 192.168.20.0/24) solely with internet access, but no access to the main subnet

Suggestions and configs welcome.

Hello all

i created a normal Portforwarding Rule, works of course.

But now i want to limit access to this forwarding rule to a specific Internet Ip Address.

Currently have no idea how to set this up.

Hope someone here can help me out.

Thanks

Cheers

I have upgarded my EdgeRouter Lite to v1.9 and I have installed Putty on my Windows 10 laptop and able to access the Edgerouter Lite via SSH - IP Address 192.168.1.1 and I am following Steve Jenkins guide 'https://www.stevejenkins.com/blog/2015/11/replace-your-google-fiber-network-box-with-a-ubiquiti-edgerouter-lite/#comment-73347'

The issue I am having is the copying portion from the guide.

% sudo su

The above command is not working with the %. 

:set noai

 If I use command without percent sign, then use command :set noai, it does not recongize it.

What am I doing wrong????

Also does anyone right now with an Edgerouter Lite have Google Fiber and TV service working???

If so can you post your configuration on how you connected the Google Fiber network box and tvs. I have read on here that it is not working.

I have LAN and GUEST networks and drop everything that goes GUEST > LAN.

However I want to be able to ping LAN to GUEST. And that does not work. I can ping GUEST from CLI but not from LAN:

LAN does not have any firewall rules, GUEST_LOCAL allows ping. Could someone take a look and see what I am doing wrong, please.

Here is the config:

tridy@ER-X-SFP:~$ show configuration | cat
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN_NETWORKS {
            description "LAN Networks"
            network 192.168.2.0/24
            network 192.168.3.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        rule 1 {
            action drop
            description "Disallow GUEST to LAN"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name GUEST_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
        rule 21 {
            action accept
            description "Allow PING"
            destination {
                group {
                    address-group ADDRv4_switch0
                }
            }
            log disable
            protocol icmp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description Allow_PING
            log disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.116/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description "Local 3"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 3"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 3"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.3.1/24
        description "Switch eth2 eth3 eth4"
        firewall {
            in {
                name GUEST_IN
            }
            local {
                name GUEST_LOCAL
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.254
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.100 {
                    stop 192.168.3.254
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 192.168.1.1
    host-name ER-X-SFP
    login {
        user tridy {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 194.132.32.32
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Stockholm
}

thanks!

Hello all, I want to use an ERX as an extension of my ERL.

My network looks like this:
LAN - 10.1.1.1/24
Isolation - 10.0.0.1/29 (assigned to a VLAN on Eth2)
Servers - 10.2.2.2/24

ERL:
Eth0 - Internet
Eth1 - LAN - Assigned to interface, no vlan.
Eth2 - Trunk to ERX (All Vlans)
Note, Eth2 is currently the Server port, but with the three VLAN's added to it.

ERX:
Eth0 - Uplink trunk to ERL (All vlans)
Eth1 - Isolation (VL 25)
Eth2 - Isolation  (25)
Eth3 - Servers (30)
Eth4 - AP (10)

I am having trouble understanding how pvid and vid work in the switch settings/VLAN aware area of the ERX as it gets very unhappy to have 25 25 in the id's.

I don't want Vlan 25 to talk to 10 or 30, and I can't leave either field blank.

Vlan 10 - needs to pull IP's from the LAN subnet.
Vlan 25 - Assigned, but needs a physical link to work.
Vlan 30 - needs to pull IP's from the Server subnet.

Pretend the ERX is a miniature Edgeswitch, that is all I need it to do.

with eth0 pvid - 10 and vid 25,30
eth1 & 2 p -25 vid 10
eth3 30 10
eth4 10 30?

Any tips?

I've tried following the steps listed in https://community.ubnt.com/t5/EdgeMAX/Private-Internet-Access-Open-VPN-Step-by-Step-Configuration/td-p/1711643 to set up my ER-X to route traffic from a specific machine on my network (192.168.1.10, spcieifed in a firewall group) via PIA. I can't seem to get it working.

config.boot:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group OPENVPN_COMPUTERS {
            address 192.168.1.10
            description "openvpn hosts"
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OPENVPN_ROUTE {
        rule 10 {
            action modify
            description "traffic from Devices to vtun0"
            modify {
                table 1
            }
            source {
                group {
                    address-group OPENVPN_COMPUTERS
                }
            }
        }
    }
    name OPENVPN_IN {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name OPENVPN_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        mode client
        config-file /config/auth/Netherlands.ovpn
        description "Private Internet Access VPN"
        firewall {
          in {
            name OPENVPN_IN
          }
          local {
            name OPENVPN_LOCAL
          }
        }
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 3 {
            firewall {
                in {
                    modify OPENVPN_ROUTE
                }
            }
            mtu 1500
        }
    }
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping xxx {
                    ip-address 192.168.1.10
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5001 {
            description openvpn
            log disable
            outbound-interface vtun0
            protocol all
            source {
                group {
                    address-group OPENVPN_COMPUTERS
                }
            }
            type masquerade
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
  ...
}

Netherlands.ovpn:

When the router boots, vtun0 has an IP address of 10.7.10.6/32. There are some openvpn-releated messages in the log inspector:

Feb 13 17:34:36	ubnt kernel: Bridge firewalling registered
Feb 13 17:34:21	ubnt openvpn[1328]: Initialization Sequence Completed
Feb 13 17:34:21	ubnt openvpn[1328]: /sbin/ip addr add dev vtun0 local 10.7.10.6 peer 10.7.10.5
Feb 13 17:34:21	ubnt openvpn[1328]: /sbin/ip link set dev vtun0 up mtu 1500
Feb 13 17:34:21	ubnt openvpn[1328]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 13 17:34:21	ubnt openvpn[1328]: TUN/TAP device vtun0 opened
Feb 13 17:34:21	ubnt openvpn[1328]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Feb 13 17:34:21	ubnt openvpn[1328]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 13 17:34:21	ubnt openvpn[1328]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 13 17:34:21	ubnt openvpn[1328]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])

The router was initially set up with the WAN+2LAN2 wizard.

Any help would be greatly appreciated.

Hello everyone.  I hope someone can help.  I've been working on this load balance for what it seems like for ever.  I cannot get ISP 1 to connect using its own routing table.  ISP 2 seems to have no problem but ISP 1 will not route unless I change its static metric to be the first one, but that isn't what I want.  If I change ISP 1 metric to be in the higher position for the default main table route then everything goes down briefly when ISP 1 goes down.  When I change ISP 2 to be the higher metric on the main table, then ISP 1 fails to connect completely.

This is my current result: 

tcg@SCF-Edge:~$ show load-balance watchdog 
Group ATT-INT-ADDR
  eth1
  status: Running 
  pings: 1035
  fails: 0
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE

Group G
  eth0
  status: Waiting on recovery (0/3)
  pings: 3
  fails: 3
  run fails: 3/3
  route drops: 2
  ping gateway: ping.ubnt.com - DOWN
  last route drop   : Tue Feb 14 02:37:54 2017
  last route recover: Tue Feb 14 02:32:07 2017

  eth1
  status: Running 
  pings: 1034
  fails: 0
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE

Group LB_HTTPS
  eth0
  status: Waiting on recovery (0/3)
  pings: 125
  fails: 5
  run fails: 3/3
  route drops: 1
  ping gateway: ping.ubnt.com - DOWN
  last route drop   : Tue Feb 14 00:29:14 2017

  eth1
  status: Running 
  failover-only mode
  pings: 1036
  fails: 1
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE

Group LB_VOIP
  eth0
  status: Waiting on recovery (0/3)
  failover-only mode
  pings: 126
  fails: 5
  run fails: 3/3
  route drops: 1
  ping gateway: ping.ubnt.com - DOWN
  last route drop   : Tue Feb 14 00:29:14 2017

  eth1
  status: Running 
  pings: 1035
  fails: 0
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE

And this is my current config

tcg@SCF-Edge# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         network-group PRIVATE_NETS {
             network 192.168.0.0/16
             network 172.16.0.0/12
             network 10.0.0.0/8
         }
         network-group VOIP_NET {
             network 10.2.0.0/24
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians disable
     modify balance {
         rule 10 {
             action modify
             description "do NOT load balance lan to lan"
             destination {
                 group {
                     network-group PRIVATE_NETS
                 }
             }
             modify {
                 table main
             }
         }
         rule 20 {
             action modify
             description "do NOT load balance destination public address"
             destination {
                 group {
                     address-group ADDRv4_eth0
                 }
             }
             modify {
                 table 1
             }
         }
         rule 30 {
             action modify
             description "do NOT load balance destination public address"
             destination {
                 group {
                     address-group ADDRv4_eth1
                 }
             }
             modify {
                 table 2
             }
         }
         rule 60 {
             action modify
             description "ATT Internally Routed Networking Send To ATT Only"
             modify {
                 lb-group ATT-INT-ADDR
             }
             protocol all
             source {
                 address 12.185.x.x
             }
         }
         rule 72 {
             action modify
             description "HTTPS to one WAN unless Failover"
             destination {
                 port 443
             }
             modify {
                 lb-group LB_HTTPS
             }
             protocol tcp
         }
         rule 75 {
             action modify
             description "VOIP to WAN1 unless failover then WAN 2"
             modify {
                 lb-group LB_VOIP
             }
             source {
                 group {
                     network-group VOIP_NET
                 }
             }
         }
         rule 80 {
             action modify
             modify {
                 lb-group G
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related"
             log disable
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "VOIP IN"
             destination {
                 address 10.2.0.11
             }
             log enable
             protocol tcp_udp
             source {
                 address 64.136.x.x
             }
         }
         rule 40 {
             action accept
             description "ATT Static Allow All"
             destination {
                 address 12.185.x.x
             }
             log enable
             protocol all
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related"
             log disable
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow OpenVPN 1194"
             destination {
                 group {
                     address-group ADDRv4_eth0
                 }
                 port 1194
             }
             log enable
             protocol udp
         }
         rule 40 {
             action accept
             description "Allow OpenVPN 1194"
             destination {
                 group {
                     address-group ADDRv4_eth1
                 }
                 port 1194
             }
             log enable
             protocol udp
         }
         rule 50 {
             action accept
             description "TCG IN"
             log enable
             protocol all
             source {
                 address 73.x.x.x
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address 71.92.x.x/29
         description Charter
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         address 12.94.x.x/30
         description "ATT Internet"
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         poe {
             output off
         }
         speed auto
     }
     ethernet eth2 {
         duplex auto
         speed auto
     }
     ethernet eth3 {
         duplex auto
         speed auto
     }
     ethernet eth4 {
         duplex auto
         speed auto
     }
     ethernet eth5 {
         disable
         duplex auto
         speed auto
     }
     loopback lo {
     }
     openvpn vtun0 {
         encryption aes128
         mode server
         openvpn-option --persist-tun
         openvpn-option --persist-key
         openvpn-option "--user nobody"
         openvpn-option "--group nogroup"
         openvpn-option --daemon
         openvpn-option "--remote-cert-tls client"
         openvpn-option "--keepalive 30 120"
         openvpn-option "--verb 4"
         server {
             domain-name stancofair.local
             name-server 192.168.1.21
             name-server 192.168.1.22
             push-route 10.200.0.0/24
             push-route 192.168.1.0/24
             push-route 10.100.100.0/24
             subnet 172.16.16.0/24
         }
         tls {
             ca-cert-file /config/auth/Stancofair_CA.crt
             cert-file /config/auth/Stancofair_Server_Cert.crt
             dh-file /config/auth/dh2048.pem
             key-file /config/auth/Stancofair_Server_Cert.pem
         }
     }
     switch switch0 {
         address 10.200.0.1/24
         description Local
         firewall {
             in {
                 modify balance
             }
         }
         mtu 1500
         switch-port {
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 load-balance {
     group ATT-INT-ADDR {
         interface eth1 {
             route {
                 table 2
             }
         }
         lb-local disable
     }
     group G {
         interface eth0 {
             route {
                 table 1
             }
             weight 75
         }
         interface eth1 {
             route {
                 table 2
             }
             weight 25
         }
         lb-local disable
     }
     group LB_HTTPS {
         interface eth0 {
             route {
                 table 1
             }
         }
         interface eth1 {
             failover-only
             route {
                 table 2
             }
         }
         lb-local disable
     }
     group LB_VOIP {
         interface eth0 {
             failover-only
             route {
                 table 1
             }
         }
         interface eth1 {
             route {
                 table 2
             }
         }
         lb-local disable
     }
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop 12.94.x.x {
                 distance 1
             }
             next-hop 71.92.x.x {
                 distance 5
             }
         }
         route 10.0.0.0/9 {
             next-hop 10.200.0.3 {
                 distance 1
             }
         }
         route 12.185.x.x/30 {
             next-hop 10.200.0.3 {
                 description "Internal Routed ATT Network"
                 distance 1
             }
         }
         route 192.168.1.0/24 {
             next-hop 10.200.0.3 {
                 distance 1
             }
         }
         table 1 {
             description Charter
             route 0.0.0.0/0 {
                 next-hop 71.92.x.x {
                     distance 1
                 }
             }
         }
         table 2 {
             description "ATT Internet"
             route 0.0.0.0/0 {
                 next-hop 12.94.x.x {
                     distance 1
                 }
             }
         }
     }
 }
 service {
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 4000 {
             description "VOIP To Server"
             destination {
                 group {
                     address-group ADDRv4_eth1
                 }
                 port 5060
             }
             inbound-interface eth1
             inside-address {
                 address 10.2.0.11
                 port 5060
             }
             log enable
             protocol tcp_udp
             type destination
         }
         rule 4005 {
             description "VOIP To Server"
             destination {
                 group {
                     address-group ADDRv4_eth0
                 }
                 port 5060
             }
             inbound-interface eth0
             inside-address {
                 address 10.2.0.11
                 port 5060
             }
             log enable
             protocol tcp_udp
             type destination
         }
         rule 4010 {
             description "VOIP Ports"
             destination {
                 port 10000-20000
             }
             inbound-interface eth1
             inside-address {
                 address 10.2.0.11
             }
             log enable
             protocol udp
             source {
             }
             type destination
         }
         rule 5000 {
             description "Masquerade for Charter"
             log disable
             outbound-interface eth0
             type masquerade
         }
         rule 5005 {
             description "Masquerade for ATT for Private Nets ONLY"
             log disable
             outbound-interface eth1
             protocol all
             source {
                 group {
                     network-group PRIVATE_NETS
                 }
             }
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     conntrack {
         expect-table-size 4096
         hash-size 4096
         table-size 32768
         tcp {
             half-open-connections 512
             loose enable
             max-retrans 3
         }
     }
     host-name SCF-Edge
     login {
         user tcg {
             authentication {
                 encrypted-password $6$0vAsE4wtvuxp1C$su.rJWkPdisutTlwFb0UARipgQ4S1uCEP5rG4nkrU0ThvWInbzhl.kkbMycY.8nFiiXbrJaPRtCfaA82iY4bA0
             }
             level admin
         }
     }
     name-server 8.8.8.8
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
     traffic-analysis {
         dpi enable
         export enable
     }
 }
 traffic-control {
     smart-queue ATT-QOS {
         download {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 50mbit
         }
         upload {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 50mbit
         }
         wan-interface eth1
     }
     smart-queue Charter-QOS {
         download {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 100.00mbit
         }
         upload {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 7.00mbit
         }
         wan-interface eth0
     }
 }

Everyone's input is appreciated!  And please, let me know if you need clarification.