Channel: EdgeRouter topics

Help fixing possibly bricked EdgeRouter Lite during 1.9.1 upgrade?


I have an ERL that was running on firmware version 1.9 just fine. I started to upgrade the router to EdgeOS v1.9.1 by going to the GUI, uploading the 1.9.1 firmware, then confirming the restart to apply the update. Since confirming the restart, it never started back up. I tried to reset the router but still no luck. When I serial into the router, this is what I see, and it stops here (see attached image). It doesn't go any further. I can't seem to do anything to the router. No SSH, no default GUI by going to 192.168.1.1, nothing. Is this bricked? Should I throw it in the trash and get another one?

Please advise


Allow ER EdgeOS from WAN


Hello.

I have another router at home as a WAN source for the ER.

Now I would like to allow WAN access to the ER web setup (probably temporarily).

Setting WAN_LOCAL [accept + tcp and udp + all ports + from WAN network] seems to allow too much. Is there a way to restrict it more?

Or is it bad practice, and only SSH should be allowed?

thanks!

edgerouter fan noise


EdgeRouter fan noise: is there any way of turning down the fans? The spinning is loud. I currently have it in my kitchen as I'm testing it, but I'm going to implement it in my living room, and at this point I do not have a rack,

but would like to silence the fan noise.

ERL Losing Config; requires factory reset to resolve


Hi all, I looked around on the forums some to see if others see this, but I don't see anything similar...

A few days ago, my ERL, after over a year without issues, regular upgrades to the newest releases, and using it as my ISP edge router with multiple OpenVPN tunnels to AirVPN and other things, "forgot" all of its interface configs.

What I mean by that: when I consoled into it over serial, the interface config was just blank. There should have been ethernet interfaces with several OpenVPN interfaces; just blank. Oddly enough, several standard Linux directories were just missing files. /opt/vyatta/etc/config.boot.default DID NOT exist. So I hit the factory reset button to restore it and restored it to full service.

Today, after powering it down to move it due to shuffling around my desk, it powers on, and it has forgotten all of the service config:

}
service {
}
system {

 

Yes, the config was saved. My DHCP and DNS service configurations are just gone. The /etc/dnsmasq.conf file is empty.

What gives? Should I try the last resort recovery? My troubleshooting skills with this type of thing are limited... $dayjob is vendor VoIP stuff.

LAN to LAN And VPN


Hello community,

I have some questions about creating a configuration with LAN to LAN and an alternative route with VPN.

I have two EdgeRouters, one in my office and the other in a remote location. I already have a fiber link LAN to LAN,

but I want to create an alternative route via VPN. I don't know how to configure the router to prefer LAN to LAN before VPN, and to take the VPN route when the LAN to LAN fails.

tnx for your time

OSPF over OpenVPN Site-to-site


I have an OpenVPN tunnel that works very well between 2 ERLs, and as I am growing the networks I would like to be able to use OSPF. I have tried to configure it according to a few different guides, but I can't get OSPF to work over the tunnel. OSPF seems to be active on eth1 and eth2, but when I type "show ip ospf interface vtun0" it does not return anything. The other ERL does the exact same thing... Here is my config.

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group Houses {
            description "House Networks"
            network 10.0.6.0/24
            network 10.0.7.0/24
        }
        network-group LAN_NETWORKS {
            description "LAN Networks"
            network 10.0.1.0/24
            network 10.0.2.0/24
            network 10.0.6.0/24
            network 10.0.7.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description ""
        rule 10 {
            action accept
            description "Accept related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "block access from barn to House"
            destination {
                group {
                    network-group Houses
                }
            }
            log disable
            protocol all
        }
    }
    name PROTECT_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow Corne Video"
            destination {
                port 7080,7443,7446
            }
            log disable
            protocol tcp
            source {
                mac-address 14:b4:84:93:5d:2f
            }
        }
        rule 30 {
            action accept
            description "Allow George Video"
            destination {
                address 10.0.1.12
                port 7080,7443,7446
            }
            log disable
            protocol tcp
            source {
                mac-address a0:39:f7:7a:51:58
            }
        }
        rule 40 {
            action drop
            description "Drop LAN_NETWORKS"
            destination {
                group {
                    network-group LAN_NETWORKS
                }
            }
            protocol all
        }
    }
    name PROTECT_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "packets from internet to LAN"
        enable-default-log
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
        }
        rule 3 {
            action accept
            description "allow vpn"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 1194
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "allow ping"
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "allow vpn"
            destination {
                port 1194
            }
            log disable
            protocol tcp_udp
        }
        rule 23 {
            action accept
            description "allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 24 {
            action accept
            description "allow ESP"
            log disable
            protocol 50
        }
    }
    name WAN_OUT {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "block calf"
            log disable
            protocol all
            source {
                mac-address bc:ae:c5:15:c1:31
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.1.1/24
        description Barn
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        ip {
        }
        speed auto
        vif 20 {
            address 10.0.20.1/24
            description "Barn Guest"
            firewall {
                in {
                    name PROTECT_IN
                }
                local {
                    name PROTECT_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        address 10.0.6.1/24
        description Jordan
        duplex auto
        ip {
        }
        speed auto
        vif 20 {
            address 10.0.21.1/24
            description "Jordan Guest"
            firewall {
                in {
                    name PROTECT_IN
                }
                local {
                    name PROTECT_LOCAL
                }
            }
            mtu 1500
        }
    }
    loopback lo {
    }
    openvpn vtun0 {
        ip {
            ospf {
                cost 10
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-address 10.99.99.1 {
        }
        local-port 1194
        mode site-to-site
        openvpn-option --float
        openvpn-option "--ping 10"
        openvpn-option "--ping-restart 20"
        openvpn-option --ping-timer-rem
        openvpn-option --persist-tun
        openvpn-option --persist-key
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        remote-address 10.99.99.2
        remote-host ****.com
        remote-port 1194
        shared-secret-key-file /config/auth/secret
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            area-type {
                normal
            }
            network 10.99.99.0/32
            network 10.0.1.0/24
            network 10.0.6.0/24
        }
        neighbor 10.99.99.2 {
            poll-interval 60
            priority 0
        }
        parameters {
            abr-type cisco
            router-id 10.99.99.1
        }
        redistribute {
            connected {
                metric-type 2
            }
        }
    }
    static {
        interface-route 10.0.2.0/24 {
            next-hop-interface vtun0 {
            }
        }
        interface-route 10.0.7.0/24 {
            next-hop-interface vtun0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest {
            authoritative disable
            subnet 10.0.20.0/24 {
                default-router 10.0.20.1
                dns-server 10.0.20.1
                dns-server 8.8.8.8
                lease 86400
                start 10.0.20.11 {
                    stop 10.0.20.200
                }
            }
        }
        shared-network-name Jordan_Guest {
            authoritative disable
            subnet 10.0.21.0/24 {
                default-router 10.0.21.1
                dns-server 10.0.21.1
                dns-server 8.8.8.8
                lease 86400
                start 10.0.21.11 {
                    stop 10.0.21.200
                }
            }
        }
        shared-network-name LAN1 {
            authoritative disable
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.1.1
                lease 86400
                start 10.0.1.100 {
                    stop 10.0.1.199
                }
                static-mapping ubnt {
                    ip-address 10.0.1.114
                    mac-address 44:d9:e7:40:0e:fc
                }
                unifi-controller 10.0.1.12
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 10.0.6.0/24 {
                default-router 10.0.6.1
                dns-server 10.0.6.1
                lease 86400
                start 10.0.6.100 {
                    stop 10.0.6.199
                }
                unifi-controller 10.0.1.12
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name ****.com
                    login ****
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on eth1.20
            listen-on eth2.20
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name BarnRouter
    login {
        user **** {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Toronto
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username ***** {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.1.90
                stop 10.0.1.99
            }
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}
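Added example (not part of the original post): a check of which interface addresses the `protocols ospf area 0.0.0.0 network` statements in the BarnRouter config above actually activate. Quagga, which EdgeOS uses for OSPF, enables OSPF on an interface only when that interface's own address falls inside one of the area's `network` prefixes; the check models the vtun0 `local-address 10.99.99.1` as a /32 host address, which is an assumption of this script.

```python
import ipaddress

# Interface addresses copied from the config above. eth0 is DHCP and not
# part of OSPF. vtun0 carries no CIDR address in a site-to-site OpenVPN
# setup, so its local-address 10.99.99.1 is modelled as a /32 host
# address here (an assumption of this check).
INTERFACES = {
    "eth1": "10.0.1.1/24",
    "eth2": "10.0.6.1/24",
    "vtun0": "10.99.99.1/32",
}

# The 'protocols ospf area 0.0.0.0 network ...' statements from the config above.
OSPF_AREA_NETWORKS = ["10.99.99.0/32", "10.0.1.0/24", "10.0.6.0/24"]


def ospf_active_interfaces(interfaces, area_networks):
    """Map each interface to the area network that activates it, or None.

    Quagga activates OSPF on an interface only when the interface's own
    address lies inside one of the area's 'network' prefixes.
    """
    prefixes = [ipaddress.ip_network(n) for n in area_networks]
    result = {}
    for name, cidr in interfaces.items():
        addr = ipaddress.ip_interface(cidr).ip
        result[name] = next((str(p) for p in prefixes if addr in p), None)
    return result


def inactive_interfaces(interfaces, area_networks):
    """Names of interfaces that no 'network' statement activates."""
    active = ospf_active_interfaces(interfaces, area_networks)
    return sorted(name for name, net in active.items() if net is None)


def covering_prefix(local_cidr, remote_addr):
    """Smallest prefix containing both ends of a point-to-point link,
    i.e. a 'network' statement that would cover the tunnel interface."""
    local = ipaddress.ip_interface(local_cidr).ip
    remote = ipaddress.ip_address(remote_addr)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{local}/{plen}", strict=False)
        if remote in net:
            return str(net)
    raise ValueError("no common prefix")


if __name__ == "__main__":
    for name, net in ospf_active_interfaces(INTERFACES, OSPF_AREA_NETWORKS).items():
        print(f"{name:6s} -> {net or 'NOT activated by any network statement'}")
    print("not activated:", inactive_interfaces(INTERFACES, OSPF_AREA_NETWORKS))
    print("prefix covering both tunnel ends:",
          covering_prefix("10.99.99.1/32", "10.99.99.2"))
```

Run against the values above, 10.99.99.1 is not inside 10.99.99.0/32, so vtun0 is the one interface no `network` statement covers, which is consistent with `show ip ospf interface vtun0` returning nothing.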

IPSEC Routing Question


Hi Community,

given the following scenario:

* a central IPSEC "server" (EdgeRouter 8 Pro) with one (of many) local subnets:

** 10.10.0.0/20: real local subnet

** 10.10.16.0/21: MPLS tunnel by provider to branch office in same country

** 10.10.24.0/21: MPLS tunnel by provider to branch office in same country

** quite some more of these MPLS tunnels.

* three sites are connected via IPSEC to the central server above

** site 1: 10.10.96.0/21

** site 2: 10.10.104.0/21

** site 3: 10.10.112.0/21

The MPLS is routed via static routes on the central EdgeRouter.

The IPSEC sites are connected via the following tunnel scenarios:

 tunnel 1 {
     local {
         prefix 10.25.96.0/21
     }
     remote {
         prefix 10.25.0.0/16
     }
 }

(and with the appropriate subnet for the other two sites).

Our goal is that the IPSEC branch offices can connect to the central subnet and also to the other subnet via MPLS (the routing on the MPLS side is OK).

But sadly, as soon as we start the above tunnel, all traffic (even to local subnets) on the branch side stops working.

I assumed that the router would handle that automatically and prefer local subnets over IPSEC subnets, but sadly it tries to route all traffic to IPSEC as soon as it's up.

Honestly, I have not yet tried this with a different Linux/IPSEC server, but according to my knowledge of kernel & routing, the kernel should be able to handle this.

Is this now a "bug" on EdgeRouter, or is my knowledge wrong and this is a design flaw?

Thanks upfront,

fips

/edit: just to inform: it's not a problem of the IPSEC tunnel; as soon as I try to tunnel 192.168.x.0/24 through the same config, everything works ;-)
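Added example (not from the original thread): the traffic selectors of `tunnel 1` above evaluated against a few constructed flows. EdgeOS site-to-site IPsec is policy-based, so the SPD claims a packet by source/destination prefix regardless of the routing table; because the remote prefix 10.25.0.0/16 contains the local prefix 10.25.96.0/21, packets bound for the local side match the tunnel policy too. The `carve_out` helper shows one way to express non-overlapping remote selectors; the sample addresses are constructed.

```python
import ipaddress

# Traffic selectors from 'tunnel 1' above: (local prefix, remote prefix).
TUNNEL_SELECTORS = [("10.25.96.0/21", "10.25.0.0/16")]

# Constructed sample flows from a branch host (not from the original post).
SAMPLE_FLOWS = [
    ("10.25.96.10", "10.25.96.20"),   # branch host -> another host on the local side
    ("10.25.96.10", "10.25.0.5"),     # branch host -> central subnet
    ("10.25.96.10", "192.168.1.5"),   # branch host -> outside both selectors
]


def claiming_selector(selectors, src, dst):
    """Return the (local, remote) selector whose SPD entry would claim src->dst.

    Policy-based IPsec matches on prefixes, not on routes: the first selector
    whose local prefix contains src and whose remote prefix contains dst wins,
    even when dst is directly connected.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def overlapping_selectors(selectors):
    """Selectors whose remote prefix overlaps their own local prefix."""
    return [
        (local, remote)
        for local, remote in selectors
        if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote))
    ]


def carve_out(remote, local):
    """Split `remote` into the prefixes that do not cover `local`.

    Each result can be used as its own remote selector so that traffic bound
    for the local prefix is never claimed by the SPD.
    """
    r, l = ipaddress.ip_network(remote), ipaddress.ip_network(local)
    if not l.subnet_of(r):
        return [str(r)]
    return [str(n) for n in sorted(r.address_exclude(l))]


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {claiming_selector(TUNNEL_SELECTORS, src, dst)}")
    print("overlapping:", overlapping_selectors(TUNNEL_SELECTORS))
    print("remote prefixes without the local side:",
          carve_out("10.25.0.0/16", "10.25.96.0/21"))
```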

Need Help Getting L2TP VPN Server Going on EdgeRouter


I'm beating my head on this. I tried following the guides from Ubiquiti, but it seems there are conflicting ones, or I'm not getting something.

When I try to connect (tethering my phone) from macOS using an L2TP over IPSec connection with all the right credentials, I get this popup:

The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

Looking at the Console, I think these are the related logs:

default	13:06:52.162803 -0500	racoon	accepted connection on vpn control socket.
default	13:06:52.162850 -0500	racoon	accepted connection on vpn control socket.

default	13:06:52.163353 -0500	racoon	Connecting.
default	13:06:52.163700 -0500	racoon	IPSec Phase 1 started (Initiated by me).
default	13:06:52.163729 -0500	racoon	IPSec Phase 1 started (Initiated by me).

default	13:06:52.164174 -0500	racoon	IKE Packet: transmit success. (Initiator, Main-Mode message 1).
default	13:06:52.164227 -0500	racoon	>>>>> phase change status = Phase 1 started by us
default	13:06:52.164273 -0500	racoon	>>>>> phase change status = Phase 1 started by us
default	13:06:55.361320 -0500	racoon	IKE Packet: transmit success. (Phase 1 Retransmit).
default	13:06:58.650561 -0500	racoon	IKE Packet: transmit success. (Phase 1 Retransmit).
default	13:07:01.944046 -0500	racoon	IKE Packet: transmit success. (Phase 1 Retransmit).
default	13:07:02.166075 -0500	racoon	IPSec disconnecting from server 173.***
default	13:07:02.166353 -0500	racoon	IPSec disconnecting from server 173.***

Here's my VPN config:

 ipsec {
     auto-firewall-nat-exclude enable
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
 }
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username *** {
                     password *****
                 }
             }
             mode local
         }
         client-ip-pool {
             start 192.168.7.50
             stop 192.168.7.254
         }
         dns-servers {
             server-1 192.168.1.1
             server-2 8.8.8.8
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret ***
             }
         }
         mtu 1440
         outside-address 173.***
         outside-nexthop 173.***.1
     }
 }

Here's my Local firewall config:

 name WAN_LOCAL {
     default-action drop
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action accept
         description "WAN Admin"
         destination {
             port 443
         }
         log disable
         protocol tcp
     }
     rule 30 {
         action accept
         description "Allow L2TP"
         destination {
             port 1701
         }
         ipsec {
             match-ipsec
         }
         log enable
         protocol udp
     }
     rule 40 {
         action accept
         description "Allow ESP"
         log disable
         protocol 50
     }
     rule 50 {
         action accept
         description "Allow IKE"
         destination {
             port 500
         }
         ipsec {
             match-ipsec
         }
         log disable
         protocol udp
     }
     rule 60 {
         action accept
         description "Allow NAT-T (VPN)"
         destination {
             port 4500
         }
         ipsec {
             match-ipsec
         }
         log disable
         protocol udp
     }
     rule 70 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
 }
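Added example (not part of the original post or of Ubiquiti's guides): a first-match model of the WAN_LOCAL rule set above, run against the packets an L2TP/IPsec client sends. It assumes EdgeOS `match-ipsec` semantics, where a rule with `match-ipsec` matches only packets that arrived inside an IPsec SA; the plaintext IKE packet on UDP 500 therefore falls through to the default drop, which is consistent with the Phase 1 retransmits in the racoon log.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str                    # "udp", "tcp", "esp" or "icmp"
    dport: Optional[int] = None
    state: str = "new"            # conntrack state: new/established/related/invalid
    ipsec: bool = False           # True only if decapsulated from an IPsec SA


@dataclass
class Rule:
    number: int
    action: str
    description: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Tuple[str, ...] = ()
    match_ipsec: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        # 'match-ipsec' only matches packets that arrived inside an IPsec SA.
        if self.match_ipsec and not p.ipsec:
            return False
        return True


# WAN_LOCAL as posted above (protocol 50 is ESP); default-action drop.
WAN_LOCAL = [
    Rule(10, "accept", "Allow established/related", states=("established", "related")),
    Rule(20, "accept", "WAN Admin", proto="tcp", dport=443),
    Rule(30, "accept", "Allow L2TP", proto="udp", dport=1701, match_ipsec=True),
    Rule(40, "accept", "Allow ESP", proto="esp"),
    Rule(50, "accept", "Allow IKE", proto="udp", dport=500, match_ipsec=True),
    Rule(60, "accept", "Allow NAT-T (VPN)", proto="udp", dport=4500, match_ipsec=True),
    Rule(70, "drop", "Drop invalid state", states=("invalid",)),
]
DEFAULT_ACTION = "drop"


def evaluate(rules, packet, default=DEFAULT_ACTION):
    """First-match evaluation; returns (action, rule number or None)."""
    for rule in rules:
        if rule.matches(packet):
            return (rule.action, rule.number)
    return (default, None)


def without_match_ipsec(rules, numbers):
    """Copy of `rules` with 'match-ipsec' cleared on the given rule numbers.

    IKE (UDP 500, and UDP 4500 behind NAT) is plaintext key negotiation and
    can never be matched as IPsec-protected. Rule 30 keeps match-ipsec so
    that L2TP arriving without IPsec is still dropped.
    """
    return [replace(r, match_ipsec=False) if r.number in numbers else r for r in rules]


# Constructed packets in the order an L2TP/IPsec client sends them.
CLIENT_SEQUENCE = [
    ("IKE Main-Mode message 1", Packet("udp", 500)),
    ("ESP after Phase 2", Packet("esp")),
    ("L2TP inside the SA", Packet("udp", 1701, ipsec=True)),
    ("L2TP without IPsec", Packet("udp", 1701)),
]

if __name__ == "__main__":
    for label, pkt in CLIENT_SEQUENCE:
        print(f"as posted : {label:26s} -> {evaluate(WAN_LOCAL, pkt)}")
    fixed = without_match_ipsec(WAN_LOCAL, {50, 60})
    for label, pkt in CLIENT_SEQUENCE:
        print(f"ike fixed : {label:26s} -> {evaluate(fixed, pkt)}")
```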

EdgeRouter Poe UPNP - How to?


I purchased an EdgeRouter PoE and a UniFi AC-Lite to replace my TP-Link router. I already know that such equipment requires a higher learning curve compared to traditional customer-oriented network equipment.

My problem is that I can't figure out how to set up UPnP in EdgeOS to make my Android TV Box work with the Servio DLNA Server on my Windows computer.

Here are my settings:
-EdgeRouter PoE with basic wizard setup, firmware updated to 1.9.1
-Bridge created between eth1 to eth4
-LAN 10.0.0.0/24
-Router on 10.0.0.1

-eth0 = WAN
-eth1 = Windows computer running Servio + DHCP static 10.0.0.100
-eth2 = MagicJack
-eth3 = Unused
-eth4 = UniFi AC-Lite AP

Android TV Box connected to the AP by WiFi.

What is the right method to enable and configure UPnP from the wizard for the port used?

VoIP cuts off


I have 2 Fritzbox 7390s behind my EdgeRouter Lite, each in its own VLAN. Both are connected to a VoIP server at Deutsche Telekom. Now the problem: I can dial out all the time, but after a short time I can't dial in to both Fritzboxes. It seems that the boxes lose the inbound connection. Maybe someone has a solution for that problem? I already tried

set system conntrack modules sip disable

Request to FQDN from LAN go to Edgemax Admin page


I have a domain name and am hosting a small RPi webserver for logging. I want to be able to just go to http://example.local and see my metrics from anywhere. Well, it works just fine from outside my home network, but at home it doesn't. It takes me to the admin page. If I type in the server IP from home, it works fine, but not when I use the FQDN. Obviously I'm using a dummy domain name in this thread, but I'm not sure what is going on here.

http://pastebin.com/hAtTNiTt

**Re-linked pastebin**

need help forcing traffic to certain IPs out on a specific WAN interface


Have a weird setup with an EdgeRouter PoE handling load balancing (standard wizard config) of two ISPs and a Checkpoint sitting behind it handling a few VPN tunnels. All office traffic is behind the Checkpoint. I need to tell the ER to send traffic trying to get to 3 specific IPs (the VPN tunnels) only out on eth0, and allow everything else to continue as normal, balancing between the two connections. Pointing me in the right direction would be greatly appreciated. Thanks much.

Allow one client access to additional VLAN


Hey there,

So, I have our corporate network on VLAN 10, 192.168.110.0/24 subnet, and we have a vendor with equipment running on VLAN 90, 192.168.90.0/24 subnet. I need to allow the manager's computer, 192.168.110.40, access into VLAN 90. How would I go about crafting this without allowing the other devices in VLAN 10?

The router in question is an ErPro8 with UniFi switching. VLAN 90 is not connected to our router at all. The vendor's router is sitting on 192.168.110.3 and, according to their net engineer, is already set up to accept access from our manager's computer at 192.168.110.40.

Thanks,

T

Monitor ETH0 same as ETH0.2 traffic?


Sorry, this is probably a dumb question. I have VLAN 2 tied to ETH0, which is effectively my WAN port. So is watching traffic on ETH0 the same as watching traffic on ETH0.2, since everything going through VLAN 2 has to go through ETH0 anyway? Or do I completely misunderstand things?

The reason I ask is I want to monitor overall bandwidth usage, so I plan on using SNMP to monitor my WAN port, but I am unsure which one I really should monitor, or if it even matters.

QoS, limit hosts speed re Internet, allow unlimited speed on LAN


I'm currently using a setup almost identical to AnCheng's example in the following picture: https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-release-v1-9-0/ba-p/1643332?lightbox-message-images-1643332=82263iDF625218CC894BD6

In essence, I'm putting a strict limit on the speeds that hosts can achieve with internet resources, because 4G data's expensive.

However, I'd like there to be no limits on speeds to LAN resources. How does this work in terms of basic/advanced queues? Is there a particular address I can specify that means everything other than LAN traffic?


How to configure EdgeRouter X with PPPoE / fiber and 5 WAN IPs


Hi,

I just got a fiber connection which comes over a bridged modem. The speed I should get is 300/100.

I assume that the X router should handle that.

Now, when the PPPoE connects, it will assign the first IP x.x.161.137 to the PPPoE port on the X.

Now I need to be able to assign the other 4 to different machines behind it.

How would I do it?

Thanks,

L2TP\IPSEC VPN works, then stops until reboot. xl2tpd process at 99% CPU.


This has been working for a while, then all of a sudden it will stop. A reboot always clears it up. Just today I noticed the xl2tpd process at 99%+ CPU, and I couldn't sudo kill it, and 'restart vpn' did nothing. A reboot worked and the VPN connected successfully right after.

ERLite-3 running 1.9.0.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name eth0_in {
        default-action accept
        description LAN
    }
    name eth0_local {
        default-action accept
        description "LAN LOCAL"
    }
    name eth1_in {
        default-action accept
        description WIFI
    }
    name eth1_local {
        default-action accept
        description "WIFI LOCAL"
    }
    name eth2_in {
        default-action drop
        description WAN
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name eth2_local {
        default-action drop
        description "WAN LOCAL"
        enable-default-log
        rule 10 {
            action accept
            description All
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow IKE for remote VPN server"
            destination {
                port 500
            }
            log enable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow NAT-T for Remote VPN Server"
            destination {
                port 4500
            }
            log enable
            protocol udp
        }
        rule 40 {
            action accept
            description "Allow L2TP for remote VPN server"
            destination {
                port 1701
            }
            log enable
            protocol udp
        }
        rule 50 {
            action accept
            description "Allow ESP for remote VPN server"
            log enable
            protocol 50
        }
        rule 60 {
            action accept
            description "ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
        rule 70 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.254/24
        duplex auto
        firewall {
            in {
                name eth0_in
            }
            local {
                name eth0_local
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.100.1/24
        duplex auto
        firewall {
            in {
                name eth1_in
            }
            local {
                name eth1_local
            }
        }
        speed auto
    }
    ethernet eth2 {
        address x.x.x.73/29
        duplex auto
        firewall {
            in {
                name eth2_in
            }
            local {
                name eth2_local
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    wan-interface eth2
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name guestwireless-eth1 {
            authoritative disable
            description "Guest Wireless Network - Eth1"
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.200
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.1.254
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description WAN_PAT
            log enable
            outbound-interface eth2
            protocol all
            source {
            }
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.254
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name x.local
    gateway-address x.x.x.78
    host-name X-FW
    ipv6 {
        disable
    }
    login {
        user admin {
            authentication {
                encrypted-password x
                plaintext-password ""
            }
            full-name admin
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 75.75.75.75
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.1.2 {
            facility all {
                level info
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth2
        }
        logging {
            log-level 2
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username vpntest1 {
                        password x
                    }
                }
                mode radius
                radius-server 192.168.1.2 {
                    key x
                }
            }
            client-ip-pool {
                start 192.168.1.50
                stop 192.168.1.99
            }
            dns-servers {
                server-1 192.168.1.2
                server-2 8.8.8.8
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret x
                }
                ike-lifetime 3600
            }
            mtu 1492
            outside-address x.x.x.73
            outside-nexthop x.x.x.78
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */
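The config above is the kind of dump that gets pasted into a thread like this, and the management-plane stanzas (gui, ssh, nat, login) are where a reviewer looks first. The following is an added example, not code from the post or from Ubiquiti: a small parser for the brace-delimited EdgeOS/Vyatta config.boot format and an audit pass over the parsed tree. SAMPLE_CONFIG is a constructed, trimmed subset of the service and system stanzas shown above (the `x` values are the poster's own redactions); the checks it applies are the ones a reviewer would raise about those lines, such as `older-ciphers enable` on the web UI.

```python
"""Audit an EdgeOS (Vyatta-style) config.boot for weak management-plane settings.

Added example for this thread, not code from the forum post or from Ubiquiti.
SAMPLE_CONFIG is a constructed, trimmed subset of the service/system stanzas
posted above; values such as 'x' are the poster's redactions.
"""

SAMPLE_CONFIG = """\
service {
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.1.254
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description WAN_PAT
            log enable
            outbound-interface eth2
            protocol all
            source {
            }
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.254
        port 22
        protocol-version v2
    }
}
system {
    login {
        user admin {
            authentication {
                encrypted-password x
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
}
/* Release version: v1.9.0.4901118.160804.1131 */
"""


def parse_config(text):
    """Parse the brace-delimited config into nested dicts.

    A node like 'rule 5000 {' becomes the key 'rule 5000'; a leaf 'port 22'
    becomes {'port': '22'}; a leaf repeated at the same level (name-server)
    becomes a list. Comment lines (/* ... */) are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote "Guest Wireless Network"-style values
        current = stack[-1]
        if key in current:
            prev = current[key]
            current[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            current[key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def get(cfg, *path):
    """Walk a path of keys; return None if any step is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(cfg):
    """Return the findings a reviewer would raise about this config."""
    findings = []
    gui = get(cfg, "service", "gui") or {}
    if gui.get("older-ciphers") == "enable":
        findings.append("gui: older-ciphers enable re-enables legacy TLS cipher suites on the web UI")
    if "listen-address" not in gui:
        findings.append("gui: no listen-address, so the web UI binds on every interface; "
                        "only the WAN_LOCAL ruleset then keeps it off the WAN")
    ssh = get(cfg, "service", "ssh") or {}
    if "listen-address" not in ssh:
        findings.append("ssh: no listen-address, so sshd binds on every interface; "
                        "only the WAN_LOCAL ruleset then keeps it off the WAN")
    if ssh.get("protocol-version", "v2") != "v2":
        findings.append("ssh: protocol-version is not v2")
    for name, rule in (get(cfg, "service", "nat") or {}).items():
        if name.startswith("rule ") and rule.get("type") == "masquerade" and not rule.get("source"):
            findings.append(
                f"nat {name}: masquerade with an empty source block covers all traffic leaving "
                f"{rule.get('outbound-interface')}; confirm that interface is the WAN"
            )
    for name, user in (get(cfg, "system", "login") or {}).items():
        if name.startswith("user ") and get(user, "authentication", "plaintext-password"):
            findings.append(f"login {name}: plaintext-password set in config")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it directly and it lists the findings for the sample; point `parse_config` at a real `config.boot` (or the output of `show configuration`) to audit a live box. The parser keeps repeated leaves as lists, so checks on `name-server` or `listen-on` entries can be added the same way.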

IPsec VPN - Lost LAN Access


I have configured an EdgeRouter X running v1.9.1 with site-to-site IPsec. The EdgeRouter is behind a NAT, therefore I am not able to use VTI. I am using IKEv2, and below is the snippet of my config.

ipsec-interfaces {
    interface eth0
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable
site-to-site {
    peer 212.54.152.100 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret XXXXXX
        }
        connection-type initiate
        ike-group IKE1
        ikev2-reauth inherit
        local-address 192.168.11.192
        tunnel 1 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group noPFS
            local {
                prefix 192.168.40.0/24
            }
            remote {
                prefix 4.2.2.1/32
            }
        }
    }
}

As a test, I set my remote prefix to 4.2.2.1 to test traffic bound to that address. Traffic is passing through the tunnel, but when I changed the 4.2.2.1/32 to 0.0.0.0/0, access to the local network was gone.

remote {
    prefix 0.0.0.0/0
}

We need to send all local-network traffic to the IPsec VPN.

This issue was reported last year and was deemed SOLVED here:

https://community.ubnt.com/t5/EdgeMAX/No-LAN-access-for-VPN/m-p/1654958#M124615

But there was no solution. Is there a workaround or a bug fix?
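The symptom in the post above follows from how a policy-based (non-VTI) tunnel selects traffic: the SPD entry is local=192.168.40.0/24, remote=0.0.0.0/0, and the router's own packets to LAN hosts (source 192.168.40.1, destination 192.168.40.x) satisfy both selectors, so they are steered into the tunnel instead of being delivered on the LAN. The following is an added example, not EdgeOS or strongSwan code: a simplified model of an outbound SPD lookup using the prefixes from the post. The router's LAN address 192.168.40.1 is an assumption, and the `bypass` entry models strongSwan's passthrough-policy idea; whether the EdgeOS 1.9.1 CLI can express such an entry is not settled by the thread.

```python
"""Model an outbound IPsec SPD lookup to show why 'remote prefix 0.0.0.0/0'
in a policy-based tunnel takes the LAN with it.

Added example for this thread; a simplified model of kernel/strongSwan SPD
matching, not EdgeOS code. Addresses come from the post (LAN 192.168.40.0/24,
test prefix 4.2.2.1/32); the router's LAN address 192.168.40.1 and the
'bypass' entry are assumptions, labelled below.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    action: str      # "protect": steer into the SA; "bypass": leave in the clear
    priority: int    # lower value wins among matching policies


def policy(local, remote, action, priority):
    return Policy(ipaddress.ip_network(local), ipaddress.ip_network(remote), action, priority)


def lookup(spd, src, dst):
    """Outbound SPD lookup: collect policies whose selectors cover src/dst and
    apply the winning one. No match means ordinary routing ("plaintext").
    Real strongSwan derives the priority from selector specificity; here it
    is explicit so the ordering is visible."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in spd if src in p.local and dst in p.remote]
    if not matches:
        return "plaintext"
    return min(matches, key=lambda p: p.priority).action


LAN = "192.168.40.0/24"
ROUTER_LAN_IP = "192.168.40.1"   # assumed: the ER-X's own address on the LAN

# tunnel 1 exactly as tested in the post (remote prefix 4.2.2.1/32)
SPD_TEST = [policy(LAN, "4.2.2.1/32", "protect", 100)]
# tunnel 1 after the change to remote prefix 0.0.0.0/0
SPD_ALL = [policy(LAN, "0.0.0.0/0", "protect", 100)]
# assumed workaround: a more specific LAN<->LAN bypass that outranks the catch-all
# (strongSwan's passthrough-policy idea; the thread does not settle whether the
#  EdgeOS 1.9.1 CLI can express it)
SPD_BYPASS = [policy(LAN, LAN, "bypass", 10), policy(LAN, "0.0.0.0/0", "protect", 100)]


def classify(spd):
    """Where three representative flows end up under a given SPD."""
    return {
        "router_to_lan_host": lookup(spd, ROUTER_LAN_IP, "192.168.40.10"),
        "lan_to_test_prefix": lookup(spd, "192.168.40.10", "4.2.2.1"),
        "lan_to_other_internet": lookup(spd, "192.168.40.10", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, spd in (("test /32", SPD_TEST), ("0.0.0.0/0", SPD_ALL), ("with bypass", SPD_BYPASS)):
        print(name, classify(spd))
```

With the /32 test prefix the router-to-LAN flow stays in plaintext; with 0.0.0.0/0 it is classified `protect` and disappears into the tunnel, which is the lost LAN access; with a higher-priority LAN-to-LAN bypass in front of the catch-all, LAN traffic stays local while everything else is still protected.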

EdgeRouter 8 (ER8), FreePBX and port forwarding not working


Hello. OK, I just set up an EdgeRouter 8 on the LAN.

The current setup is:

WAN connection: DHCP, picking up an address in the 192.168.2.x range.

LAN: 10.10.0.1 255.255.0.0

The SIP phone is on the local LAN at 10.10.64.205; the Yealink phone states it is registered.

FreePBX is on the WAN side at a 192.168.2.xxx address.

Calls in do not get in, but calls out from the Yealink are received phone to phone, but not external phone to Yealink: connection failed. I might need to change something from the default setup, but I'm not sure if it's correct.

This is set up with the WAN>2LAN2 setup.

OpenVPN Client


Hi Team,

I want to direct all traffic entering the ethX ports through an OpenVPN tunnel before it exits through the WAN.

Please advise how this can be achieved; this will avoid each individual client having to run an OpenVPN session on each device.

Cheers.
