
Load balancing issue


 

Hi all,

 

I am having an issue with HTTPS traffic during a failover.  All of my load-balance groups fail over correctly except the HTTPS one.

 

Group LOWLATENCY
interface : eth1
carrier : up
status : active
gateway : 176.26.136.1
route table : 202
weight : 100%
flows
WAN Out : 142000
WAN In : 0
Local Out : 15130

interface : eth0
carrier : up
status : failover
gateway : unknown
route table : 201
weight : 0%
flows
WAN Out : 0
WAN In : 40
Local Out : 0

Group STICKY
interface : eth0
carrier : up
status : inactive
gateway : unknown
route table : 203
weight : 0%
flows
WAN Out : 40528
WAN In : 0
Local Out : 0

interface : eth1
carrier : up
status : active
gateway : 86.12.228.11
route table : 204
weight : 100%
flows
WAN Out : 29343
WAN In : 0
Local Out : 0

Group WLB
interface : eth0
carrier : up
status : inactive
gateway : unknown
route table : 205
weight : 0%
flows
WAN Out : 140000
WAN In : 0
Local Out : 0

interface : eth1
carrier : up
status : active
gateway : 176.26.136.1
route table : 206
weight : 100%
flows
WAN Out : 50840
WAN In : 0
Local Out : 0

As you can see, the STICKY group shows up as "inactive" and still has the failed interface's gateway IP address.  IMHO it should show the other gateway, and the status should read "failover".

 

My full config is here

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        port-group GAMES_TCP {
            description "Game TCP ports"
            port 1119
            port 3724
            port 6113
            port 5222
            port 9988
            port 17502
            port 20000-20100
            port 22990
            port 42127
        }
        port-group GAMES_UDP {
            description "Game UDP ports"
            port 3659
            port 6250
            port 5062
            port 5060
            port 12000-64000
            port 3478
            port 3479
            port 1119
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify WLB {
        rule 20 {
            action modify
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 21 {
            action modify
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 22 {
            action modify
            destination {
                address 192.168.101.0/24
            }
            modify {
                table main
            }
        }
        rule 29 {
            action modify
            destination {
                port 443
            }
            modify {
                lb-group STICKY
            }
            protocol tcp
        }
        rule 30 {
            action modify
            description "Low latency TCP LB rule"
            destination {
                group {
                    port-group GAMES_TCP
                }
            }
            modify {
                lb-group LOWLATENCY
            }
            protocol TCP
        }
        rule 31 {
            action modify
            description "Low latency UDP LB rule"
            destination {
                group {
                    port-group GAMES_UDP
                }
            }
            modify {
                lb-group LOWLATENCY
            }
            protocol UDP
        }
        rule 100 {
            action modify
            modify {
                lb-group WLB
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "From internet to LAN"
        rule 10 {
            action accept
            description "Allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Plex inbound for NAT"
            destination {
                address 192.168.1.254
                port 32400
            }
            protocol tcp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
        }
    }
    name WAN_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description VM_WAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description SKY_WAN
        dhcp-options {
            client-option "send dhcp-client-identifier **"
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description WLAN
        duplex auto
        poe {
            output 48v
        }
        speed auto
    }
    ethernet eth4 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    pseudo-ethernet peth1 {
        address 192.168.101.1/24
        description "Openreach Modem"
        link eth1
    }
    switch switch0 {
        address 192.168.1.1/24
        firewall {
            in {
                modify WLB
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
load-balance {
    group LOWLATENCY {
        interface eth0 {
            failover-only
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
        }
        interface eth1 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
        }
        lb-local disable
    }
    group STICKY {
        interface eth0 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 75
        }
        interface eth1 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 25
        }
        lb-local disable
        sticky {
            dest-addr enable
            proto enable
            source-addr enable
        }
    }
    group WLB {
        interface eth0 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 75
        }
        interface eth1 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 25
        }
        lb-local disable
        sticky {
        }
    }
}
protocols {
    static {
        interface-route 192.168.100.0/24 {
            next-hop-interface eth0 {
                description SuperHub
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LANSubnet1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.10 {
                    stop 192.168.1.254
                }
                static-mapping HomeServer {
                    ip-address 192.168.1.254
                    mac-address 44:8a:5b:99:75:92
                }
                static-mapping Vera {
                    ip-address 192.168.1.60
                    mac-address 94:4a:0c:08:4e:8e
                }
                unifi-controller 192.168.1.254
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 10 {
            destination {
                port 32400
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.254
                port 32400
            }
            protocol tcp
            type destination
        }
        rule 11 {
            destination {
                port 32400
            }
            inbound-interface eth1
            inside-address {
                address 192.168.1.254
                port 32400
            }
            protocol tcp
            type destination
        }
        rule 5001 {
            description "VM WAN NAT"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5002 {
            description "SKY WAN NAT"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
        rule 5003 {
            description "Openreach Modem"
            log disable
            outbound-interface peth1
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name HomeRouter
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
        repository debian {
            components main
            distribution wheezy
            password ****************
            url http://ftp.us.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}

Does anyone have any ideas?

 

Thank you!


Nutanix, 16XG and failover


Dear community,

this is the first time I have those EdgeMax 16XG switches to configure. Maybe someone can help me out of the dark.

My scenario:

I have a Nutanix with 4 ESXi hosts. Each host has two 10GB SFP+ cards (nic02 and nic03). Now I connect all four nic02 to the first 16XG and the four nic03 to the second 16XG, with another SFP+ cable between these two switches.

From both UBNT switches I have a 1GB connection to our core switch for management etc. (NTNX and VMware recommendations). The problem is that, in case of a failure where one nic02 goes offline, the connection goes through the slow 1GB link via the core switch (blue arrow) instead of between the UBNT switches (red arrow). Please have a look at the screenshot. Is there something to configure (priority, costs, etc.) to tell these switches to take another way to the destination?

 

thx a lot.

Markus

IPsec/IKEv2 client with EdgeRouter Lite


Hi all,

 

I'm having trouble configuring my ERL as an IKEv2 VPN endpoint. I have an almost working set up; I'm looking for some troubleshooting help.

 

End Goal:

  1. Connect to network from iPhones and Windows laptop using built-in VPN clients.
  2. Clients authenticate with x509 certificates only. No usernames or passwords.
  3. Clients receive IP address on 192.168.1.x subnet (or 192.168.2.x subnet with 255.255.255.252 mask).

Lay of the Land:

I'm anonymizing my domain names a bit, but the naming conventions are consistent with real-world.

  1. ERL's local hostname is router.familyname.lan (fake domain for internal use).
  2. ERL's public-facing hostname is vpn.realdomain.com (real domain -- VPN clients will connect to this).
  3. Currently, network has no VLANs; all local devices are on the 192.168.1.x subnet.
  4. I've installed the vyos-agile-vpn package available at https://github.com/TriJetScud/vyos-agile-vpn on the ERL.
  5. I created certificates and configured the VPN server using the settings at the bottom of this post.

I can't seem to get this 100% correct. On Windows, the client connects but fails authentication -- I get either a "Policy Match Error" or "Error 13806." The policies and CN/SAN names on the certs all seem to match. On iOS, the VPN client immediately switches to off when I try to initiate a connection. There really isn't any logging on iOS, so that's as much information as I have.

 

Has anyone been able to get IKEv2 to work on ERL? Any ideas as to what I'm doing wrong?

 

Thanks!


Elahd

 

=== CONFIGURATION BELOW ===

 

Generating CA Key/Certificate in /config/auth/certs/rootCA/

 

pki --gen --outform pem > caKey.pem
pki --self --in caKey.pem --dn "C=US, O=FamilyName, CN=FamilyName Edgerouter Certificate Authority" --ca --outform pem > caCert.pem

Generating VPN Server Key/Certificate in /config/auth/certs/strongswan/

 

 

pki --gen --outform pem > serverKey.pem
pki --pub --in serverKey.pem | pki --issue --cacert /config/auth/certs/rootCA/caCert.pem --cakey /config/auth/certs/rootCA/caKey.pem --dn "C=US, O=FamilyName, CN=vpn.realdomain.com" --san="vpn.realdomain.com" --flag serverAuth --flag --outform pem --digest sha256 > serverCert.pem

Generating Client Key/Certificate

 

 

pki --gen --outform pem > elahdKey.pem
pki --pub --in elahdKey.pem | pki --issue --cacert /config/auth/certs/rootCA/caCert.pem --cakey /config/auth/certs/rootCA/caKey.pem --dn "C=US, O=FamilyName, CN=elahd@vpn.realdomain.com" --san="elahd@vpn.realdomain.com" --outform pem --flag clientAuth --digest sha256 > elahdCert.pem
openssl pkcs12 -export -inkey elahdKey.pem -in elahdCert.pem -name "elahd" -certfile /config/auth/certs/rootCA/caCert.pem -caname "FamilyName Edgerouter Certificate Authority" -out elahdCert.p12

 

ERL CLI Configuration Commands

Note that the IP address assignments are in the wrong subnet here. Setting my desired subnet mask of 255.255.255.252 causes a conflict with the primary DHCP server, so I've left it like this for now. This shouldn't impact connectivity.

set firewall name WAN_LOCAL rule 3 action accept
set firewall name WAN_LOCAL rule 3 description 'VPN: Allow L2TP'
set firewall name WAN_LOCAL rule 3 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 3 log disable
set firewall name WAN_LOCAL rule 3 protocol udp
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 description 'VPN: Allow ESP'
set firewall name WAN_LOCAL rule 4 log disable
set firewall name WAN_LOCAL rule 4 protocol 50
set service dhcp-server shared-network-name IKEV2_DHCP_Server authoritative disable
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 default-router 192.168.2.1
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 lease 86400
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 start 192.168.2.230 stop 192.168.2.243
set service nat rule 5013 description 'masquerade for IKEv2 subnet'
set service nat rule 5013 log disable
set service nat rule 5013 outbound-interface eth0
set service nat rule 5013 protocol all
set service nat rule 5013 source address 192.168.2.1/24
set service nat rule 5013 type masquerade
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec remote-access client-ip-pool subnet 192.168.2.1/24
set vpn ipsec remote-access compatibility-mode enable
set vpn ipsec remote-access dns-servers server-1 192.168.1.1
set vpn ipsec remote-access ike-settings authentication mode x509
set vpn ipsec remote-access ike-settings authentication x509 ca-cert-file /config/auth/certs/rootCA/caCert.pem
set vpn ipsec remote-access ike-settings authentication x509 local-id @vpn.realdomain.com
set vpn ipsec remote-access ike-settings authentication x509 remote-id '*@vpn.realdomain.com'
set vpn ipsec remote-access ike-settings authentication x509 remote-ca-cert-file /config/auth/certs/rootCA/caCert.pem
set vpn ipsec remote-access ike-settings authentication x509 server-cert-file /config/auth/certs/strongswan/serverCert.pem
set vpn ipsec remote-access ike-settings authentication x509 server-key-file /config/auth/certs/strongswan/serverKey.pem
set vpn ipsec remote-access ike-settings authentication x509 server-keytype rsa
set vpn ipsec remote-access ike-settings ike-lifetime 86400
set vpn ipsec remote-access ike-settings fragmentation disable
set vpn ipsec remote-access ike-settings operating-mode ikev2-mobike
set vpn ipsec remote-access inactivity 28800
set vpn ipsec remote-access outside-address 0.0.0.0
commit
save
exit

configure
sudo /opt/vyatta/sbin/vyos-update-agile.pl
exit

sudo ipsec restart

Windows Client Configuration (attempted in Windows 7 and 10)

  1. Installed CA certificate in Windows trusted root library.
  2. Installed client .p12 and .pem in Windows personal certificate library. I've also tried this with either of the two installed alone.
  3. Hostname: vpn.realdomain.com
  4. Remote ID: elahd@vpn.realdomain.com
  5. Local ID: vpn.realdomain.com
  6. Type: IKEv2

iPhone Client Configuration

  1. Installed root CA.
  2. Type: IKEv2
  3. Server: vpn.realdomain.com
  4. Remote ID: elahd@vpn.realdomain.com
  5. Local ID: vpn.realdomain.com
  6. User Authentication: Certificate
  7. Certificate: [client certificate]

Routing all outgoing LAN traffic through remote proxy

I'm looking to route all outgoing LAN traffic through a remote proxy over an STS connection. I've configured everything and can confirm I can ping the remote proxy from the LAN network of interest; however, when adding a static route through the GUI, traffic never hits its intended target. Is there a document that would point me in the right direction on this for UBNT devices, and should I be doing this from the CLI? I've seen some PBR examples and those for load balancing but don't want to go off at a tangent. Help appreciated.

IPsec/IKEv2 Server on EdgeRouter Lite


Hi all,

 

I'm having trouble configuring my ERL as an IKEv2 VPN endpoint. I have an almost working set up; I'm looking for some troubleshooting help.

 

End Goal:

  1. Connect to network from iPhones and Windows laptop using built-in VPN clients.
  2. Clients authenticate with x509 certificates only. No usernames or passwords.
  3. Clients receive IP address on 192.168.1.x subnet (or 192.168.2.x subnet with 255.255.255.252 mask).

Lay of the Land:

I'm anonymizing my domain names a bit, but the naming conventions are consistent with real-world.

  1. ERL's local hostname is router.familyname.lan (fake domain for internal use).
  2. ERL's public-facing hostname is vpn.realdomain.com (real domain -- VPN clients will connect to this).
  3. Currently, network has no VLANs; all local devices are on the 192.168.1.x subnet.
  4. I've installed the vyos-agile-vpn package available at https://github.com/TriJetScud/vyos-agile-vpn on the ERL.
  5. I created certificates and configured the VPN server using the settings at the bottom of this post.

I can't seem to get this 100% correct. On Windows, the client connects but fails authentication -- I get either a "Policy Match Error" or "Error 13806." The policies and CN/SAN names on the certs all seem to match. On iOS, the VPN client immediately switches to off when I try to initiate a connection. There really isn't any logging on iOS, so that's as much information as I have.

 

Has anyone been able to get IKEv2 to work on ERL? Any ideas as to what I'm doing wrong?

 

Thanks!


Elahd

 

=== CONFIGURATION BELOW ===

 

Generating CA Key/Certificate in /config/auth/certs/rootCA/

 

pki --gen --outform pem > caKey.pem
pki --self --in caKey.pem --dn "C=US, O=FamilyName, CN=FamilyName Edgerouter Certificate Authority" --ca --outform pem > caCert.pem

Generating VPN Server Key/Certificate in /config/auth/certs/strongswan/

 

 

pki --gen --outform pem > serverKey.pem
pki --pub --in serverKey.pem | pki --issue --cacert /config/auth/certs/rootCA/caCert.pem --cakey /config/auth/certs/rootCA/caKey.pem --dn "C=US, O=FamilyName, CN=vpn.realdomain.com" --san="vpn.realdomain.com" --flag serverAuth --flag --outform pem --digest sha256 > serverCert.pem

Generating Client Key/Certificate

 

 

pki --gen --outform pem > elahdKey.pem
pki --pub --in elahdKey.pem | pki --issue --cacert /config/auth/certs/rootCA/caCert.pem --cakey /config/auth/certs/rootCA/caKey.pem --dn "C=US, O=FamilyName, CN=elahd@vpn.realdomain.com" --san="elahd@vpn.realdomain.com" --outform pem --flag clientAuth --digest sha256 > elahdCert.pem
openssl pkcs12 -export -inkey elahdKey.pem -in elahdCert.pem -name "elahd" -certfile /config/auth/certs/rootCA/caCert.pem -caname "FamilyName Edgerouter Certificate Authority" -out elahdCert.p12

 

ERL CLI Configuration Commands

Note that the IP address assignments are in the wrong subnet here. Setting my desired subnet mask of 255.255.255.252 causes a conflict with the primary DHCP server, so I've left it like this for now. This shouldn't impact connectivity.

set firewall name WAN_LOCAL rule 3 action accept
set firewall name WAN_LOCAL rule 3 description 'VPN: Allow L2TP'
set firewall name WAN_LOCAL rule 3 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 3 log disable
set firewall name WAN_LOCAL rule 3 protocol udp
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 description 'VPN: Allow ESP'
set firewall name WAN_LOCAL rule 4 log disable
set firewall name WAN_LOCAL rule 4 protocol 50
set service dhcp-server shared-network-name IKEV2_DHCP_Server authoritative disable
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 default-router 192.168.2.1
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 lease 86400
set service dhcp-server shared-network-name IKEV2_DHCP_Server subnet 192.168.2.1/24 start 192.168.2.230 stop 192.168.2.243
set service nat rule 5013 description 'masquerade for IKEv2 subnet'
set service nat rule 5013 log disable
set service nat rule 5013 outbound-interface eth0
set service nat rule 5013 protocol all
set service nat rule 5013 source address 192.168.2.1/24
set service nat rule 5013 type masquerade
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec remote-access client-ip-pool subnet 192.168.2.1/24
set vpn ipsec remote-access compatibility-mode enable
set vpn ipsec remote-access dns-servers server-1 192.168.1.1
set vpn ipsec remote-access ike-settings authentication mode x509
set vpn ipsec remote-access ike-settings authentication x509 ca-cert-file /config/auth/certs/rootCA/caCert.pem
set vpn ipsec remote-access ike-settings authentication x509 local-id @vpn.realdomain.com
set vpn ipsec remote-access ike-settings authentication x509 remote-id '*@vpn.realdomain.com'
set vpn ipsec remote-access ike-settings authentication x509 remote-ca-cert-file /config/auth/certs/rootCA/caCert.pem
set vpn ipsec remote-access ike-settings authentication x509 server-cert-file /config/auth/certs/strongswan/serverCert.pem
set vpn ipsec remote-access ike-settings authentication x509 server-key-file /config/auth/certs/strongswan/serverKey.pem
set vpn ipsec remote-access ike-settings authentication x509 server-keytype rsa
set vpn ipsec remote-access ike-settings ike-lifetime 86400
set vpn ipsec remote-access ike-settings fragmentation disable
set vpn ipsec remote-access ike-settings operating-mode ikev2-mobike
set vpn ipsec remote-access inactivity 28800
set vpn ipsec remote-access outside-address 0.0.0.0
commit
save
exit

configure
sudo /opt/vyatta/sbin/vyos-update-agile.pl
exit

sudo ipsec restart

Windows Client Configuration (attempted in Windows 7 and 10)

  1. Installed CA certificate in Windows trusted root library.
  2. Installed client .p12 and .pem in Windows personal certificate library. I've also tried this with either of the two installed alone.
  3. Hostname: vpn.realdomain.com
  4. Remote ID: elahd@vpn.realdomain.com
  5. Local ID: vpn.realdomain.com
  6. Type: IKEv2

iPhone Client Configuration

  1. Installed root CA.
  2. Type: IKEv2
  3. Server: vpn.realdomain.com
  4. Remote ID: elahd@vpn.realdomain.com
  5. Local ID: vpn.realdomain.com
  6. User Authentication: Certificate
  7. Certificate: [client certificate]

"!PE Ring" kernel warning appearing in logs on ER-X


Over the last week I've been receiving a kernel warning message (below) on my EdgeRouter-X that I haven't seen before.

It seems to repeat with a slightly different status for around five minutes each day.

This warning has been logged a total of 575 times in the last week.

 

Could anyone shed any light on what it means and if it can be safely ignored?

 

All "!PE Ring" messages from today:

Mar  2 16:38:28 Router1 kernel: !PE Ring[17] ErrCode=0x1! status=6010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:38:33 Router1 kernel: !PE Ring[74] ErrCode=0x1! status=4010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:38:41 Router1 kernel: !PE Ring[99] ErrCode=0x1! status=10010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:38:48 Router1 kernel: !PE Ring[103] ErrCode=0x1! status=e010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:39:00 Router1 kernel: !PE Ring[121] ErrCode=0x1! status=10010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:39:12 Router1 kernel: !PE Ring[22] ErrCode=0x1! status=a010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:39:14 Router1 kernel: !PE Ring[31] ErrCode=0x1! status=7010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:39:25 Router1 kernel: !PE Ring[95] ErrCode=0x1! status=10010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:39:37 Router1 kernel: !PE Ring[59] ErrCode=0x1! status=11010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:39:43 Router1 kernel: !PE Ring[37] ErrCode=0x1! status=4010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:40:09 Router1 kernel: !PE Ring[81] ErrCode=0x1! status=5010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:40:10 Router1 kernel: !PE Ring[45] ErrCode=0x1! status=5010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:40:13 Router1 kernel: !PE Ring[71] ErrCode=0x1! status=11010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:40:29 Router1 kernel: !PE Ring[28] ErrCode=0x1! status=3010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:40:53 Router1 kernel: !PE Ring[120] ErrCode=0x1! status=4010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:41:02 Router1 kernel: !PE Ring[55] ErrCode=0x1! status=7010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:41:13 Router1 kernel: !PE Ring[93] ErrCode=0x1! status=4010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:41:26 Router1 kernel: !PE Ring[69] ErrCode=0x1! status=b010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:41:37 Router1 kernel: !PE Ring[97] ErrCode=0x1! status=8010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:41:46 Router1 kernel: !PE Ring[17] ErrCode=0x1! status=4010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:05 Router1 kernel: !PE Ring[48] ErrCode=0x1! status=6010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:09 Router1 kernel: !PE Ring[124] ErrCode=0x1! status=c010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:18 Router1 kernel: !PE Ring[72] ErrCode=0x1! status=d010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:20 Router1 kernel: !PE Ring[23] ErrCode=0x1! status=11010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:21 Router1 kernel: !PE Ring[100] ErrCode=0x1! status=f010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:25 Router1 kernel: !PE Ring[69] ErrCode=0x1! status=d010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:29 Router1 kernel: !PE Ring[122] ErrCode=0x1! status=11010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:29 Router1 kernel: !PE Ring[69] ErrCode=0x1! status=6010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:35 Router1 kernel: !PE Ring[8] ErrCode=0x1! status=b010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:48 Router1 kernel: !PE Ring[47] ErrCode=0x1! status=2010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:42:54 Router1 kernel: !PE Ring[112] ErrCode=0x1! status=9010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:01 Router1 kernel: !PE Ring[46] ErrCode=0x1! status=a010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:04 Router1 kernel: !PE Ring[37] ErrCode=0x1! status=b010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:04 Router1 kernel: !PE Ring[101] ErrCode=0x1! status=b010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:28 Router1 kernel: !PE Ring[79] ErrCode=0x1! status=6010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:36 Router1 kernel: !PE Ring[87] ErrCode=0x1! status=e010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:44 Router1 kernel: !PE Ring[42] ErrCode=0x1! status=3010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:46 Router1 kernel: !PE Ring[47] ErrCode=0x1! status=4010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:50 Router1 kernel: !PE Ring[119] ErrCode=0x1! status=e010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:50 Router1 kernel: !PE Ring[59] ErrCode=0x1! status=d010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:43:58 Router1 kernel: !PE Ring[59] ErrCode=0x1! status=d010412 rdn=1 cdn=0 encrypt=2 qlen=0
Mar  2 16:44:01 Router1 kernel: !PE Ring[115] ErrCode=0x1! status=b010412 rdn=1 cdn=0 encrypt=2 qlen=0

New ER-X SFP Not Responding - Ideas before RMA?


I just got a new ER-X SFP.  I had it running for 2 hours before leaving the site.  When someone else arrived 30 minutes later, the network was down.  He restored connectivity by power-cycling the router.  It was down twice again this morning.

 

When I arrived this morning, it was briefly working but then went down again.  I could not ping the router, connect to the web interface, or connect with SSH.  DHCP was still working.  I disconnected all cables from the router but my laptop.  There was no change.

 

Firmware v.1.91

1WAN + 2LAN2 Wizard

L2TP/IPSec VPN using this guide:  https://help.ubnt.com/hc/en-us/articles/204959404-EdgeRouter-Set-up-L2TP-over-IPsec-VPN-server

Dynamic DNS via No-IP using these commands:

     set service dns dynamic interface eth0 service custom-domain host-name <domain>
     set service dns dynamic interface eth0 service custom-domain login <username>
     set service dns dynamic interface eth0 service custom-domain password <password>
     set service dns dynamic interface eth0 service custom-domain protocol noip

 

Before I request an RMA, is there something about what I'm doing that might be causing the router to not respond?  It's the first time I've tried this particular configuration, so I'm not 100% certain it should be working.

 

Brand new EdgeRouter PRO bricked after firmware update


I got a brand new EdgeRouter PRO today and updated it to firmware ER-e200.v1.9.0.4901118.tar using the web interface.  The upgrade was successful and it rebooted successfully.  I added one vlan interface (eth1.2) and left it running on my desk for a while.  I came back later and it had spontaneously become unresponsive.  After trying to reboot it and use the reset button, I connected a console cable and saw this repeated over and over:

 

U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27 2014 - 11:19:05)



Skipping PCIe port 0 BIST, in EP mode, can't tell if clocked.

Skipping PCIe port 1 BIST, reset not done. (port not configured)

BIST check passed.

UBNT_E200 r1:0, r2:17, serial #: 802AA8F157CE

MPR 13-00317-17

Core clock: 1000 MHz, IO clock: 600 MHz, DDR clock: 533 MHz (1066 Mhz DDR)

Base DRAM address used by u-boot: 0x8f800000, size: 0x800000

DRAM: 2 GiB



Reg: 0x0 0x0

Reg: 0x1 0x0

Reg: 0x2 0xFFFFFFFFC0735CD8

Reg: 0x3 0xFFFFFFFFC0000000

Reg: 0x4 0xFFFFFFFFC0000000

Reg: 0x5 0x800000008F800000

Reg: 0x6 0x0

Reg: 0x7 0x400000

Reg: 0x8 0xFFFFFFFFC008F020

Reg: 0x9 0x800000008F88F020

Reg: 0xA 0xFFFFFFFFC008F020

Reg: 0xB 0xFFFFFFFFC0000CA8

Reg: 0xC 0x0

Reg: 0xD 0x1C004066C

Reg: 0xE 0xC0080CA8C0085E30

Reg: 0xF 0x0

Reg: 0x10 0x735CD8

Reg: 0x11 0xFFFFFFFFFFFFFFFF

Reg: 0x12 0x400000

Reg: 0x13 0x800000008F800000

Reg: 0x14 0x8FF35CD8

Reg: 0x15 0x715CC0

Reg: 0x16 0x8FF35FB0

Reg: 0x17 0xFFFFFFFFFFFFFFFF

Reg: 0x18 0x0

Reg: 0x19 0xFFFFFFFFC0001200

Reg: 0x1A 0xFFFFFFFFFFFF97F8

Reg: 0x1B 0xFFFFFFFFFFFF97F8

Reg: 0x1C 0xFFFFFFFFC008D880

Reg: 0x1D 0xFFFFFFFFC0715CC0

Reg: 0x1E 0x0

Reg: 0x1F 0xFFFFFFFFFFBF0018

status:  0x504000E6

caus0xC (
0xFFFFFFFFC008F09C

ba0xFFFFFFFFFFBF5028
0xFFFFFFFFFFFF5010


Jumping to start of image at address 0xbfca0000





U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27 2014 - 11:19:05)



Skipping PCIe port 0 BIST, in EP mode, can't tell if clocked.

Skipping PCIe port 1 BIST, reset not done. (port not configured)

BIST check passed.

UBNT_E200 r1:0, r2:17, serial #: 802AA8F157CE

MPR 13-00317-17

Core clock: 1000 MHz, IO clock: 600 MHz, DDR clock: 533 MHz (1066 Mhz DDR)

Base DRAM address used by u-boot: 0x8f800000, size: 0x800000

DRAM: 2 GiB



Reg: 0x0 0x0

Reg: 0x1 0x0

Reg: 0x2 0xFFFFFFFFC0735CD8

Reg: 0x3 0xFFFFFFFFC0000000

Reg: 0x4 0xFFFFFFFFC0000000

Reg: 0x5 0x800000008F800000

Reg: 0x6 0xFFFFFFFFC0437A74

Reg: 0x7 0x400000

Reg: 0x8 0xFFFFFFFFC008F020

Reg: 0x9 0x800000008F88F020

Reg: 0xA 0xFFFFFFFFC008F020

Reg: 0xB 0xFFFFFFFFC0000CA8

Reg: 0xC 0x0

Reg: 0xD 0x1C004066C

Reg: 0xE 0xC0080CA8C0085E30

Reg: 0xF 0x0

Reg: 0x10 0x735CD8

Reg: 0x11 0xFFFFFFFFFFFFFFFF

Reg: 0x12 0x400000

Reg: 0x13 0x800000008F800000

Reg: 0x14 0x8FF35CD8

Reg: 0x15 0x715CC0

Reg: 0x16 0x8FF35FB0

Reg: 0x17 0xFFFFFFFFFFFFFFFF

Reg: 0x18 0x0

Reg: 0x19 0xFFFFFFFFC0001200

Reg: 0x1A 0xFFFFFFFFFFFF97F8

Reg: 0x1B 0xFFFFFFFFFFFF97F8

Reg: 0x1C 0xFFFFFFFFC008D880

Reg: 0x1D 0xFFFFFFFFC0715CC0

Reg: 0x1E 0x0

Reg: 0x1F 0xFFFFFFFFFFBF0018

s0x505000E6

caus0x8000000C

Reg: 0x0 0x0

Reg: 0x1 0x0

Reg: 0x2 0xC

Reg: 0x3 0xFFFFFFFFC0000000

Reg: 0x4 0xFFFFFFFFC0FF17AF

Reg: 0x5 0x20

Reg: 0x6 0x1F

Reg: 0x7 0x400000

Reg: 0x8 0x8001180000000800

Reg: 0x9 0xFFFFFFFFC0FF17AF

Reg: 0xA 0x0

Reg: 0xB 0xFFFFFFFFFFFFFFFF

Reg: 0xC 0xFFFFFFFFC0001A3C

Reg: 0xD 0x1C004066C

Reg: 0xE 0xC0080CA8C0085E30

Reg: 0xF 0x0

Reg: 0x10 0x735CD8

Reg: 0x11 0xFFFFFFFFFFFFFFFF

Reg: 0x12 0x400000

Reg: 0x13 0x800000008F800000

Reg: 0x14 0x8FF35CD8

Reg: 0x15 0x715CC0

Reg: 0x16 0x8FF35FB0

Reg: 0x17 0xFFFFFFFFFFFFFFFF

Reg: 0x18 0xFFFFFFFFBFC01604

Reg: 0x19 0xFFFFFFFFC00013D0

Reg: 0x1A 0xFFFFFFFFFFFF97F8

Reg: 0x1B 0xFFFFFFFFFFFF97F8

Reg: 0x1C 0xFFFFFFFFBFC8D880

Reg: 0x1D 0xFFFFFFFFFFFF97F8

Reg: 0x1E 0x0

Reg: 0x1F 0xFFFFFFFFBFC0161C

s0x505000E6

caus0x80000008 (TLB 
0xFFFFFFFFC008F088

ba0xFFFFFFFFC0FF17AF
0x5E00FB2D


Jumping to start of image at address 0xbfca0000





U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27 2014 - 11:19:05)



Skipping PCIe port 0 BIST, in EP mode, can't tell if clocked.

Skipping PCIe port 1 BIST, reset not done. (port not configured)

BIST check passed.

UBNT_E200 r1:0, r2:17, serial #: 802AA8F157CE

MPR 13-00317-17

Core clock: 1000 MHz, IO clock: 600 MHz, DDR clock: 533 MHz (1066 Mhz DDR)

Base DRAM address used by u-boot: 0x8f800000, size: 0x800000

DRAM: 2 GiB



Reg: 0x0 0x0

Reg: 0x1 0x0

Reg: 0x2 0xFFFFFFFFC0735CD8

Reg: 0x3 0xFFFFFFFFC0000000

Reg: 0x4 0xFFFFFFFFC0000000

Reg: 0x5 0x800000008F800000

Reg: 0x6 0x0

Reg: 0x7 0x400000

Reg: 0x8 0xFFFFFFFFC008F020

Reg: 0x9 0x800000008F88F020

Reg: 0xA 0xFFFFFFFFC008F020

Reg: 0xB 0xFFFFFFFFC0000CA8

Reg: 0xC 0x0

Reg: 0xD 0x1C004066C

Reg: 0xE 0xC0080CA8C0085E30

Reg: 0xF 0x0

Reg: 0x10 0x735CD8

Reg: 0x11 0xFFFFFFFFFFFFFFFF

Reg: 0x12 0x400000

Reg: 0x13 0x800000008F800000

Reg: 0x14 0x8FF35CD8

Reg: 0x15 0x715CC0

Reg: 0x16 0x8FF35FB0

Reg: 0x17 0xFFFFFFFFFFFFFFFF

Reg: 0x18 0x0

Reg: 0x19 0xFFFFFFFFC0001200

Reg: 0x1A 0xFFFFFFFFFFFF97F8

Reg: 0x1B 0xFFFFFFFFFFFF97F8

Reg: 0x1C 0xFFFFFFFFC008D880

Reg: 0x1D 0xFFFFFFFFC0715CC0

Reg: 0x1E 0x0

Reg: 0x1F 0xFFFFFFFFC0037A74

s0x505000E6

caus0x8 (TLB 
0xFFFFFFFFC008DD40

ba0xFFFFFFFFFFFFDBAC
0xFFFFFFFFC001DBAC

Eventually, it will just start spewing the list of registers over and over without the U-Boot part.  It doesn't respond to keyboard input on the console.

 


VPN L2TP connected but no remote access to LAN


I was able to set up an L2TP VPN server on my EdgeRouter. I can connect remotely using a Mac or PC, but in both cases I cannot access my local LAN.

Attached below is my configuration.

firewall {                                                                      
    all-ping enable                                                             
    broadcast-ping disable                                                      
    ipv6-name WANv6_IN {                                                        
        default-action drop                                                     
        description "WAN inbound traffic forwarded to LAN"                      
        enable-default-log                                                      
        rule 10 {                                                               
            action accept                                                       
            description "Allow established/related sessions"                    
            state {                                                             
                established enable                                              
                related enable                                                  
            }                                                                   
        }                                                                       
        rule 20 {                                                               
            action drop                                                         
            description "Drop invalid state"                                    
            state {                                                             
                invalid enable                                                  
            }                                                                   
        }                                                                       
    }                                                                           
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action accept
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 50 {
            action accept
            description "Allow ESP"
            log disable
            protocol 50
        }
        rule 60 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface switch0 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length /56
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.2.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.0.1.1/24
        description "Local 2"
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.0.2.0/24 {
                default-router 10.0.2.1
                dns-server 10.0.2.1
                lease 86400
                start 10.0.2.100 {
                    stop 10.0.2.149
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.1.1
                lease 86400
                start 10.0.1.100 {
                    stop 10.0.1.149
                }
                static-mapping ADT {
                    ip-address 10.0.1.8
                    mac-address 40:5D:82:0F:67:83
                }
                static-mapping AP-AT {
                    ip-address 10.0.1.70
                    mac-address 44:D9:E7:FC:44:D0
                }
                static-mapping AP-HE {
                    ip-address 10.0.1.60
                    mac-address 44:D9:E7:F9:77:9C
                }
                static-mapping AP-OL {
                    ip-address 10.0.1.30
                    mac-address 44:D9:E7:F9:1F:00
                }
                static-mapping AP-PR {
                    ip-address 10.0.1.50
                    mac-address 44:D9:E7:F9:1D:49
                }
                static-mapping ATT-MicroCell {
                    ip-address 10.0.1.32
                    mac-address 48:1D:70:4A:5B:64
                }
                static-mapping HomeServer {
                    ip-address 10.0.1.31
                    mac-address 2C:4D:54:57:6A:76
                }
                static-mapping NAS {
                    ip-address 10.0.1.33
                    mac-address 00:11:32:69:C3:85
                }
                static-mapping SW-HE {
                    ip-address 10.0.1.6
                    mac-address 00:41:D2:0B:BD:44
                }
                static-mapping SW-OL {
                    ip-address 10.0.1.3
                    mac-address 3C:0E:23:FF:31:D0
                }
                static-mapping SW-OR {
                    ip-address 10.0.1.4
                    mac-address 00:AF:1F:BD:6E:EE
                }
                static-mapping SW-PR {
                    ip-address 10.0.1.5
                    mac-address AC:7E:8A:91:64:9B
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-noip {
                    host-name "Domain"
                    login "NoIP UserName"
                    password ****************
                    protocol noip
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user Roberto {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username "VPN UserName" {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.10.1
                stop 10.0.10.10
            }
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.8.8
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            mtu 1024
        }
    }
}

I would really appreciate it if somebody could guide me to the solution of my problem.

Thank you

 

Hairpin NAT Issues


I am having issues getting hairpin NAT to work. I've tried a few solutions from other threads, including adding a new SNAT rule for hairpin/loopback.

 

Router model: EdgeRouter Pro

Router Firmware: 1.9.1

 

This is what I am trying to do.

 

The EdgeRouter Pro is configured with 5 public IPs. 

 

(using example ips)

Public Subnet: 10.100.200.136/29

Private Subnet: 172.16.0.0/23

 

I have 1:1 rules setup for the following:

Server A: 10.100.200.140 -> 172.16.1.20

Server B: 10.100.200.141 -> 172.16.1.21

 

The 1:1 works perfectly. I am able to access the services on each server with its specific IP, and outbound connections from these servers also show the correct public IP.

 

However I am not able to connect from Server A to Server B's or its own public IP. All requests seem to terminate at the EdgeRouter.

 

port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface eth7
     lan-interface eth6
     wan-interface eth0
 }

Ideally I want all traffic for these 2 public IPs to be forwarded to their respective internal hosts. What am I missing here ?

 

I can upload a sanitized config if needed.

Chronic connection timeouts on 1.9.1


I recently upgraded my ERLite to 1.9.1 (from 1.9.0) and immediately found that I could barely browse the web (a handful of the requests the browser was making were timing out). Further testing showed frequent connection timeout errors to hosts on the Internet.

 

Downgrading to 1.9.0 fixed the problem immediately.

 

I'm on a CenturyLink fiber connection in Denver, CO (with IPTV, so no PPPoE involved).

 

I've attached my config in case it's useful for reproducing the problem.

VPN routing multiple networks on EdgeRouter Lite - 1.9.1


I have (2) ERLs that I'm attempting to connect with a site-to-site VPN. I have the VPN configured on each end (see attached images with diagram and config) and I see the tunnels are working via the CLI (show vpn ipsec sa). However, I can only ping between the interfaces that have an address physically assigned on the devices (192.168.1.0/24 and 10.1.1.0/24). I cannot ping from 192.168.1.0 to 10.1.2.0 or 10.1.3.0. I am able to tcpdump on the 10.1.1.0 site, and I see that the ICMP traffic that should be going to eth2 appears to be going out eth1 - which is where the VPN should be terminated - rather than out the interface where I have the route defined for it.

 

root@ERL:~# tcpdump -i eth1 host 192.168.1.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
07:02:04.765792 IP 192.168.1.200 > 10.1.3.1: ICMP echo request, id 11, seq 49406, length 40
07:02:09.769244 IP 192.168.1.200 > 10.1.3.1: ICMP echo request, id 11, seq 49413, length 40
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@ERL:~# tcpdump -i eth2 host 192.168.1.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
7 packets dropped by interface

EdgeRouter Lite Uptime


Not sure if I'm posting this in the right place or not, but I wanted to show my EdgeRouter Lite's uptime.  It is connected to a 1Gbps internet connection and is the gateway for our office wifi (5 UniFi ACs).  2 years is pretty good for a sub-$100 router. Edgerouter Uptime.jpg

See traffic live on a Windows machine.


What is the best way to see traffic live (on all interfaces) on a remote system for troubleshooting? Something like ASDM.

Help needed with DNS on L2TP VPN


Hello,

I've replaced the router at a client's office with an ERL-3 and am trying to get his Win 10 laptop to see local hostnames over the VPN. The laptop connects and can reach machines via IP, but none of the mapped network drives work because the names won't resolve. I've looked at several threads on this and have tried the fixes with no luck - any kicks in the right direction would be greatly appreciated.

 

Best regards,

Allen

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        port-group VPN {
            description "VPN ports"
            port 50
            port 1701
            port 1723
            port 500
            port 4500
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "VPN passthrough"
            destination {
                group {
                    port-group VPN
                }
            }
            log disable
            protocol tcp_udp
            source {
                group {
                }
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.0.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        global-parameters "option domain-name &quot;moneypenny.local&quot;;"
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                dns-server 8.8.8.8
                domain-name moneypenny.local
                lease 3600
                start 192.168.0.132 {
                    stop 192.168.0.152
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                domain-name moneypenny.local
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on l2tp0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user <SNIP> {
            authentication {
                encrypted-password <SNIP>
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username <SNIP> {
                        password <SNIP>
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.0.200
                stop 192.168.0.205
            }
            dhcp-interface eth0
            dns-servers {
                server-1 192.168.0.1
                server-2 8.8.8.8
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret <SNIP>
                }
                ike-lifetime 3600
            }
        }
    }
}

Another VLAN config question (ER PoE & TL-SG1024DE)


Network:

 

Cable Modem < eth0 > ER PoE < eth1 > TP Link TL-SG1024DE

 

General network 10.0.21.0/24

VLANs:

eth1.200: OfficeNet

eth1.300: CameraNet

eth1.400: TenantNet

eth1.500: GuestNet

 

For now I'm concentrating only on VLAN 200, a VLAN for my home office, servers, and virtual machines. If I can get that set up, I should be good for the others.

 

Steps to configure:

1. Created VLAN eth1.200 on ERPoE with static IP 10.0.31.1/24.

2. Created DHCP server for range 10.0.31.100 - .199.

3. Enabled 802.1Q VLAN Configuration on TL-SG1024DE.

4. Tagged ports 1-24.

 

Tested with an iMac with VLAN 200 added as a virtual interface. Nothing. Attempted specifying its port as untagged and still no DHCP. Tested further with a UniFi AP-AC-Lite, which after a restart did nothing. Removing the VLAN config on the TP-Link switch and power-cycling it made it reappear.

 

Am I missing firewall settings? (Below)

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN_NETWORKS {
            description "LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

[Bug] EdgeOS 1.9.1: VPLS with OSPF and PPPoE cause bizarre routing behaviors


I can recreate this behavior in production, though only intermittently in the lab:  Build a router (we'll call this R1) participating in OSPF area zero with a neighbor (R2) on some interface -- we'll use eth0.  Now build some arbitrary VPLS/LDP tunnel on R1 -- we don't care where it goes, really, call it R3, as long as it exists and the LDP session is operational.  I'll use eth2 for my VPLS interface.

 

Capture.PNG

 

 

Check your LDP session and make sure you can send traffic from hosts at site A to hosts at site B.  All is well.  You can follow the VPLS reference design in the knowledge base for most of this.

 

The goal here is to have Site A and Site B communicating with each other on a layer2 basis.  Think of these as sites for a customer on two separate wireless towers.

 

Now here it gets interesting: add a PPPoE server listening on some interface on R1 -- we'll use eth1 here.  There are also residential PPPoE subscribers on R1's tower.  PPPoE clients on R1 obviously need to get out to the internet.  Spin up some PPPoE tunnels on R1.  

 

All too often (nearly always) they can't.  I've had a couple of cases in the lab where it seemed to work for a while, but eventually it stops.  I haven't actually caught it in the act.  Usually, I'm stuck in WTF-land.  Most of the time, it's broken right from the start.

 

I can't ping the PPPoE clients from anywhere but R1: R1 routes all traffic it receives on eth0 that is destined for PPPoE clients back to R2.  Where the traffic goes from there can vary, but eventually it returns to R1, which sends it back to R2, on and on until the TTL expires.  Again, pinging from R1 works.  Traffic that arrives on R1 destined for those same addresses gets routed back to R2.

 

VPLS works fine.  Hosts at sites A & B can continue to ping each other.  I can also ping R1 itself and log into it from anywhere else on the network.  OSPF routes are properly advertised and traffic is routed to R1 as expected.

 

The unexpected behavior is that R1 sends traffic destined for PPPoE clients -- and ONLY the PPPoE clients--  back to R2, instead of to the tunnels.

 

I'm baffled.  R1 shows these as connected routes.  R2 shows that R1 has advertised them.  Pinging these addresses from R1 results in the expected response.  It's only when traffic arrives on R1 eth0 that things go sideways.

 

Hmm... I'm repeating myself.

 

Regardless, if I issue "delete protocols ldp && delete protocols mpls && delete protocols vpls && commit && clear ip ospf process" then suddenly my PPPoE clients work perfectly, but obviously, VPLS doesn't.

 

That seems like pretty clear vindication that the configs are right.

 

Where do I go from here?

 

 

 

 

replacement for Edgerouter


Hi

 

Is there any good replacement for EdgeRouter? I have a lot of problems with timeouts and it looks like nobody addresses this. Maybe it is a good time to migrate to something else.

 

What is comparable to EdgeRouter, with one exception: it should work. I don't expect bells and whistles, just an internet connection that is stable....

Paul

Edgerouter Lite - High CPU usage


Hey,

 

I need help figuring out why I am experiencing 100% CPU usage. I have a very basic setup and was wondering if anyone could help out. I have read a number of similar posts and tried almost everything I could find, but to no avail. Here is my top listing.

admin@ubnt:~$ top
top - 04:52:10 up 21:54,  2 users,  load average: 2.18, 2.29, 2.37
Tasks:  91 total,   2 running,  89 sleeping,   0 stopped,   0 zombie
%Cpu(s): 95.3 us,  2.8 sy,  0.0 ni,  0.6 id,  0.0 wa,  0.0 hi,  1.3 si,  0.0 st
KiB Mem:    495532 total,   273488 used,   222044 free,    31136 buffers
KiB Swap:        0 total,        0 used,        0 free,   124280 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
16925 ubnt      20   0 28300  21m 4676 R 193.5  4.4   2033:28 kworker
22477 admin     20   0  3636 1316 1008 R   1.3  0.3   0:00.17 top
22219 root      20   0  102m 7136 3456 S   0.6  1.4   0:02.03 ubnt-util
    9 root      20   0     0    0    0 S   0.3  0.0   2:20.76 rcu_sched
  234 root      20   0     0    0    0 S   0.3  0.0   0:28.09 kworker/0:1
16783 ubnt      20   0 12720 2984 1364 S   0.3  0.6   0:18.27 sshd
19901 root      20   0 28536 1540 1188 S   0.3  0.3   0:00.55 rsyslogd
    1 root      20   0  2568  760  656 S   0.0  0.2   0:04.51 init
    2 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S   0.0  0.0  18:30.06 ksoftirqd/0
    5 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kworker/0:0H
    7 root      rt   0     0    0    0 S   0.0  0.0   0:11.88 migration/0
    8 root      20   0     0    0    0 S   0.0  0.0   0:00.00 rcu_bh
   10 root      rt   0     0    0    0 S   0.0  0.0   0:01.99 watchdog/0
   11 root      rt   0     0    0    0 S   0.0  0.0   0:01.45 watchdog/1
   12 root      rt   0     0    0    0 S   0.0  0.0   0:00.97 migration/1
   13 root      20   0     0    0    0 S   0.0  0.0   0:06.98 ksoftirqd/1

Any help or a pointer in the right direction would be greatly appreciated.

No default route with dhcp client.


Hi,

 

I am using ER-X-SFP.

 

I set eth0 to obtain its IP by DHCP client; eth0 obtains an IP and DNS successfully, but the DHCP client doesn't add a default route to the system's route table.

 

I have tried:

set interfaces ethernet eth0 dhcp-options default-route update

and

set system gateway-address THE_GATEWAY

but it doesn't work.

 

I am sure that the DHCP server is working normally, because I have tested it with other devices.

 

Is there any solution for this problem?


