Channel: EdgeRouter topics

EdgeRouter Lite - Guest VLAN NAT Rule


Hi,

I recently configured my ERL with a Guest VLAN and somehow I didn't manage to connect the Guest VLAN to the Internet. What I finally did is I created a NAT rule for the Guest VLAN and after that I could connect to the Internet. In all the articles I found about setting up a Guest VLAN I didn't read anything about creating a NAT rule, so I'm a bit in doubt if this is really necessary.

Anyone an answer to this?

Thanks,

Mario


Per WAN QoS possible?


Hi. I currently use dual WAN failover between a wired link and 4G on an ERX.

I want to use HFQ to limit the download speed of each of my users, WHEN on 4G. Can I set up QoS rules so that the HFQ is applied only when the failover 4G has been activated?

Hosting a local website - issues with port


I am running a Raspberry Pi in my home and have a webserver enabled. I have a domain name pointing to my WAN IP address and a port forward to the local Pi on port 80.

I can access the Pi just fine outside the network via the domain name, however, when I try to pull up the website internally, it is taking me to the edge router login page instead.

WAN IP -> Port Forward 80 -> Raspberry Pi local IP address.

If I hit the domain name from my phone with no wifi, all works good. Loading the website internally though via domain takes me to the router login.

Do I need to change the port for the router to something else? If so, how can I do that?

Thanks,

Carl

Setting to always 'Hide Distribution Graph'


Is there a setting to always hide the scrolling 'Traffic Distribution Graph' when you log in each time?

All updated....need port forwarding and config advice, please


Okay, I am going to list my issues (no.. the router issues.. lol) first, then add the config afterwards. Going to take it one step at a time.

 

First off, I HAD a Netgear router...I got frustrated with my Ubiquiti stuff, so started replacing it. Came here, you guys were so awesome.. I decided to have another "go" at it and plugged it all back in and, it works like a champ. Now, the problems:

 

1 - My end goal is to be able to lock the entire network down to MAC addresses that are authorized, static IPs for all, Port Forwarding for cameras, maybe Guest access with ONLY internet for 48 hours then renewed, logging of traffic for guests, and.. (wait for it...) being able to (if at ALL possible) lock my kid's mac addresses out on a time schedule.

 

(The last one is a pipe dream, I know...) BUT...if I can figure this one out, I can upgrade to a BIG BOY router soon.. lol, maybe it will do that.

 

I have PoE injectors on all cameras and WAPs except one, so works out well this has one PoE port.

 

2 - I have 2 IP cameras. I set them up on the Netgear with ddns, but the netgear is gone, there is zero port-forwarding on this EdgeMax router yet.. so, no earthly idea how they are working on my cell phone when I am 30 miles away.. heh

 

3 - It took me a while to update the OS on the router, but done. I know this thing is small and so so basic, but it is a handful for me.. so, I want it to be secure, but I also do not want to break it and spend the next 30 years beating the heck out of it.. lol. Any good ideas on how to configure it as simply as possible?

 

4 - The BIG question here - Port Forwarding.. I am very confused (yea.. shock I know).. I have read a lot and tried a lot.. and, just cannot seem to figure out how to get this to work.

 

Sorry for the lack of knowledge guys. Trying to read as much as possible without bugging you all, but also worried I will blow it up, have to start over, and be locked out due to space, so trying not to break it.

 

Thank you!

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 192.168. {
                default-router 192.168.
                dns-server 192.168.
                lease 86400
                start xxxxxxxxx {
                    stop xxxxxxxxx + 100
                }
                static-mapping Camera1 {
                    ip-address 192.168.18.18
                    mac-address xxxxxxxxx
                }
                static-mapping Camera 2 {
                    ip-address 192.168.72.73
                    mac-address xxxxxxxxx
                }
                static-mapping bubba {
                    ip-address 192.168.33.34
                    mac-address xxxxxxxxx
                }
                static-mapping Device 4 {
                    ip-address 192.168.1.58
                    mac-address xxxxxxxxx
                }
                static-mapping Device 3 {
                    ip-address 192.168.78.78
                    mac-address xxxxxxxxx
                }
                static-mapping device 1 {
                    ip-address 192.168.2.22
                    mac-address xxxxxxxxx
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-Duckdns {
                    host-name myhome
                    login nouser
                    password passwordhidden
                    protocol dyndns2
                    server www.duckdns.org
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password NONYA
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939092.161214.0702 */

Ad blocking with ER Lite issues


I'm trying to set up ad block in ER Lite so every device at home gets rid of the ads.

I have followed this article https://help.ubnt.com/hc/en-us/articles/205223340-EdgeRouter-Ad-blocking-content-filtering-using-EdgeRouter but I got the following error when I run the .sh file:

/config/user-data/update-adblock-dnsmasq.sh: line 9: /etc/dnsmasq.d/dnsmasq.adlist.conf.tmp: Permission denied
Error building the ad list, please try again.

Which corresponds to the following line:

curl -s $ad_list_url | sed "s/127\.0\.0\.1/$pixelserv_ip/" > $temp_ad_file

The strange thing is that I'm running as root, so I should have the correct permissions to run the file and create it?

Thanks for your help. Lee

EdgeRouter Pro


Please help a newbie who has only used much simpler routers in the past.

I am replacing a Cisco router.

I recently purchased the EdgeRouter Pro and after many, many failed attempts I cannot get the device to simply work as a router. My intentions are to have it load balance between two internet connections to my LAN.

I have two cable modems that lead into our current router. The cable modems have ISP-assigned static IP addresses. We want the LAN on 10.0.0.1.

We cannot set the LAN to 10.0.0.1. The EdgeRouter Pro simply won't let us reconnect if we change the LAN from 192.168.1.1 or the next from 192.168.2.1. So we tried with the LAN unchanged from 192 and it cannot, under any wizard, under any configuration, see the internet.

I have been trying it on just one connection first and it will not let the LAN into the internet. Using the various wizards does not work. I have tried all manner of wizard combinations. I have repeated the attempts and plugged in the devices in different orders, powered off, powered on.

I have left everything unpowered for long periods of time just in case the cable modem is holding onto the old device.

I am at a complete loss.

Can you please point me in the right direction? As far as I can tell from Ubiquiti documentation and what I can find in these forums, the wizards alone should be able to do what we need.

The cable modems are Arris. Switches will connect to the LAN ports.

I will also want to have multiple LANs using the other eth ports and I want them to freely see each other and to all have access to the internet.

Thank you in advance for any help you might give,

-Frank

IPSEC doesn't connect site-to-site


Good evening,

I'm trying to establish IPsec over ERLite and ER-X (sits behind the router). Totally stuck, don't know what I did wrong here. Please check my configs, appreciate anyone for your time and help <3

78.xx.xx.xx --- Internet --- 84.xx.xx.xx --- Local --- 192.168.1.199

WAN1 + WAN2 to LAN1 load balance + dedicated WAN3 to VLAN


I have three separate WAN connections: 2 fiber and 1 coax. 1 fiber and 1 coax need to be load balanced for the computers. The third fiber connection is dedicated to the VoIP phones. I'd like all of these connections to go through one ERPro-8.

 

All WAN connections will reach the ERPro-8 as copper 100/1000 Base-T.

 

I will be using a US-48-500W as my switch. The phones will be on a separate VLAN. I could configure the VLAN in the ER, or as a physical LAN2 in the ER with a dedicated port on the switch and do the VLANing in the switch.

 

I'd also like to set up a DHCP option with the correct VLAN information for my Polycom phones. I've done this before on a SonicWALL but not an ER.

 

Anyone have a recommended configuration? Know how to do this?

 

Less important: I also have a spare/backup ERPro-8. Is there a way to set it up as a hot-spare/failover device? With config sync?

 

Thanks!

USG and Edge Router


Good Morning!

I have an edge router all set up and working nicely for months. I get the stats I want, and will soon have a second ISP connected purely for backups on the family server.

Now, I recently purchased an AP-PRO and a cloud key to replace an old router-turned-AP. I have those all set up, but I noticed that the UI for the AP has HUGE greyed out boxes and features, saying the Security Gateway is required to view them and to use the features... ... ..

I want to use those features, but not replace my Edge Router... so I purchased a Security Gateway.

My goal was to plug in the security gateway into the edge router, and the AP into the gateway. Specifically, to get those stats.

Possible? Thoughts?

ERL3 Site to Site with pfSense FW


Hey guys,

 

I have successfully set up a site-to-site IPsec with a pfSense FW. Now on the remote end, being the pfSense firewall, any hosts behind pfSense can ping all devices on my local LAN. I would like to restrict it so that only a single host can access a single IP on my local LAN.

Any ideas how I can achieve this? I already have my two rules in place for WAN_IN and WAN_LOCAL (default action is Drop) but they seem to be able to ping anything.

Any ideas?

[Bug?] EdgeOS 1.9.1: Bizarre routing behavior with VPLS


So, I'd posted on this yesterday thinking I had a situation that was specific to PPPoE.  Turns out, I was wrong -- PPPoE is apparently irrelevant.  I deleted that post.

 

Here's the deal:  I set up a deployment that generally follows the VPLS/LDP reference design from the knowledge base.  All works as anticipated.  Site A talks to Site B just fine.  I can add a PPPoE server to R1 and route traffic to them, while simultaneously supporting site-to-site traffic between VPLS sites A & B.

 

Lab works.

 

This loosely simulates two wireless towers, one of which has residential PPPoE subscribers, with both towers also hosting a site for a business.  The business has a need for a layer-2 VPLS connection bridging the two sites together -- essentially a pseudowire connection for their gear.

 

When I deploy this in the field, I run into a bizarre behavior where I can ping and route to addresses that are physically present on the EdgeRouter R1, but traffic destined for PPPoE clients gets routed from the network, to R1, which sends the traffic back to R2.  R2 sends it back to R1, and so forth until the TTL expires.

 

Hosts across the VPLS tunnel continue to work just fine, and addresses present on interfaces on R1 are pingable.

 

I had thought this affected the PPPoE clients only, but I did a little experiment to try and distribute addresses to customers using DHCP... and the same behavior appeared.  No PPPoE involved.

 

My production topology is grossly comparable to the reference design.  There are a few extra hosts in the middle, but other than that it's much the same.  The primary difference in the field is that instead of the reference design's "R2" device, I have a Cisco 6504 layer3 switch.  I've replicated this in the lab using a 3845 router and a 1941 router as well.  I've also tried with all EdgeRouter 8 Pro units, though I had some mixed results there -- sometimes it worked, others it didn't.

 

The config on R1 is pretty simple -- an ER3 lite in this case:

 

 

interfaces {
    ethernet eth0 {
        duplex auto
        mtu 1580
        speed auto
        vif 397 {
            address 172.17.100.34/30
            mtu 1580
        }
        vif 649 {
            address 66.181.253.97/28
        }
    }
    ethernet eth1 {
        duplex auto
        mtu 1580
        speed auto
    }
    ethernet eth2 {
        duplex auto
        mtu 1580
        speed auto
    }
    loopback lo {
        address 172.20.100.149/32
    }
}
protocols {
    ldp {
        interface eth0.397 {
            enable {
                ipv4
            }
        }
        targeted-peer {
            ipv4 172.20.100.32
        }
        transport-address {
            ipv4 172.20.100.149 {
            }
        }
    }
    mpls {
        interface eth0.397 {
            label-switching
        }
    }
    ospf {
        area 16247 {
            network 172.17.100.32/30
        }
        parameters {
            abr-type standard
            router-id 172.16.149.1
        }
        passive-interface default
        passive-interface-exclude eth0.397
        redistribute {
            connected {
                metric-type 2
            }
            static {
                metric-type 2
            }
        }
    }
    static {
    }
    vpls {
        instance vpls1 {
            id 15491 {
                signaling {
                    ldp {
                        vpls-peer 172.20.100.32 {
                        }
                    }
                }
            }
        }
        interface eth2 {
            instance vpls1
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name PubLab {
            authoritative disable
            subnet 66.181.253.96/28 {
                default-router 66.181.253.97
                dns-server 66.181.253.97
                lease 86400
                start 66.181.253.98 {
                    stop 66.181.253.110
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0.649
            name-server 66.181.240.11
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
}
system {
    conntrack {
        expect-table-size 8192
        hash-size 131072
        table-size 1048576
    }
    host-name rt-lab-er3-pppoe
    ip {
        override-hostname-ip 172.16.149.1
    }
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 66.181.240.11
    name-server 66.181.240.12
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
    }
    time-zone UTC
}

 

 

R3 is similar, an ER8 Pro:

 

 interfaces {
     ethernet eth0 {
         address 172.17.3.26/27
         duplex auto
         mtu 1580
         speed auto
     }
     ethernet eth1 {
         duplex auto
         speed auto
     }
     ethernet eth2 {
         duplex auto
         speed auto
     }
     ethernet eth3 {
         duplex auto
         speed auto
     }
     ethernet eth4 {
         duplex auto
         speed auto
     }
     ethernet eth5 {
         duplex auto
         speed auto
     }
     ethernet eth6 {
         duplex auto
         speed auto
     }
     ethernet eth7 {
         duplex auto
         mtu 1580
         speed auto
     }
     loopback lo {
         address 172.20.100.32/32
     }
 }
 protocols {
     ldp {
         interface eth0 {
             enable {
                 ipv4
             }
         }
         targeted-peer {
             ipv4 172.20.100.102
         }
         transport-address {
             ipv4 172.20.100.32 {
             }
         }
     }
     mpls {
         interface eth0 {
             label-switching
         }
     }
     ospf {
         area 0 {
             network 172.17.3.0/27
         }
         parameters {
             abr-type standard
             router-id 172.20.100.32
         }
         passive-interface default
         passive-interface-exclude eth0
         redistribute {
             connected {
                 metric-type 2
             }
             static {
                 metric-type 2
             }
         }
     }
     vpls {
         instance vpls1 {
             id 15491 {
                 signaling {
                     ldp {
                         vpls-peer 172.20.100.149 {
                         }
                     }
                 }
             }
         }
         interface eth1 {
             instance vpls1
         }
     }
 }
 service {
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     host-name rt-er8-dkn-colo2a
     login {
         user ubnt{
             authentication {
                 encrypted-password ****************
                 plaintext-password ****************
             }
             level admin
         }
     }
     name-server 66.181.240.11
     offload {
         hwnat disable
         ipsec disable
         ipv4 {
             forwarding enable
             pppoe enable
             vlan enable
         }
         ipv6 {
             forwarding disable
         }
     }
     time-zone America/Phoenix
 }

 

 

 

A traceroute to an interface on R1 from R3, followed by traceroute to a DHCP lease in that same subnet, via the 6504 in the middle (hops 2,6,10,etc should be 172.17.100.34, which is R1):

 


ubnt@rt-er8-dkn-colo2a:~$ traceroute 66.181.253.97
traceroute to 66.181.253.97 (66.181.253.97), 30 hops max, 38 byte packets
1 172.17.3.11 (172.17.3.11) 0.702 ms 0.418 ms 0.677 ms
2 66.181.253.97 (66.181.253.97) 0.844 ms 0.415 ms 0.541 ms

ubnt@rt-er8-dkn-colo2a:~$ traceroute 66.181.253.100
traceroute to 66.181.253.100 (66.181.253.100), 30 hops max, 38 byte packets
1 172.17.3.11 (172.17.3.11) 0.534 ms 0.354 ms 0.385 ms
2 * * *
3 172.17.100.33 (172.17.100.33) 0.765 ms 0.622 ms 0.625 ms
4 172.17.3.1 (172.17.3.1) 0.424 ms 0.395 ms 0.283 ms
5 172.17.3.11 (172.17.3.11) 0.669 ms 0.643 ms 0.695 ms
6 * * *
7 172.17.100.33 (172.17.100.33) 0.893 ms 1.049 ms 0.952 ms
8 172.17.3.1 (172.17.3.1) 0.508 ms 0.631 ms 0.501 ms
9 172.17.3.11 (172.17.3.11) 1.094 ms 0.996 ms 0.833 ms
10 * * *
11 172.17.100.33 (172.17.100.33) 1.457 ms 0.976 ms 1.045 ms
12 * * *
13 172.17.3.11 (172.17.3.11) 1.390 ms 1.427 ms 0.996 ms
14 * * *
15 172.17.100.33 (172.17.100.33) 1.131 ms 1.170 ms 1.109 ms
16 * * *
17 172.17.3.11 (172.17.3.11) 1.650 ms 1.313 ms 1.866 ms
18 * * *
19 172.17.100.33 (172.17.100.33) 1.367 ms 1.256 ms 2.028 ms
20 * * *
21 172.17.3.11 (172.17.3.11) 1.795 ms 1.145 ms 1.437 ms
22 * * *
23 172.17.100.33 (172.17.100.33) 1.447 ms 1.855 ms 1.367 ms
24 * * *
25 172.17.3.11 (172.17.3.11) 2.534 ms 1.235 ms 1.571 ms
26 * * *
27 172.17.100.33 (172.17.100.33) 1.480 ms 1.593 ms 2.607 ms
28 * * *
29 172.17.3.11 (172.17.3.11) 1.917 ms 1.624 ms 1.814 ms
30 * * *

 

And finally, that subnet on R1.  Note the odd traceroute:

 

ubnt@rt-lab-er3-pppoe:~$ ping 66.181.253.100
PING 66.181.253.100 (66.181.253.100) 56(84) bytes of data.
64 bytes from 66.181.253.100: icmp_req=1 ttl=64 time=0.599 ms
64 bytes from 66.181.253.100: icmp_req=2 ttl=64 time=0.549 ms
^C
--- 66.181.253.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.549/0.574/0.599/0.025 ms

ubnt@rt-lab-er3-pppoe:~$ traceroute 66.181.253.11
traceroute to 66.181.253.11 (66.181.253.11), 30 hops max, 38 byte packets
 1  172.17.100.33 (172.17.100.33)  0.782 ms  0.600 ms  0.548 ms
 2  172.17.3.1 (172.17.3.1)  0.454 ms !N  0.491 ms !N  *

ubnt@rt-lab-er3-pppoe:~$ show ip route 66.181.253.100
Routing entry for 66.181.253.96/28
  Known via "connected", distance 0, metric 0,  External Route Tag: 0, best
  * is directly connected, eth0.649

ubnt@rt-lab-er3-pppoe:~$ sudo route -n | grep 66.181.253.96
66.181.253.96   0.0.0.0         255.255.255.240 U     0      0        0 eth0.649

 

 

Where do I go from here?

in your opinion


Hi

I am a beginner and I'm trying to understand my ERX (1.9.1).

DNS forwarding seems to be out of order and I would like to be sure about my configuration.

VLAN10 (Guest connection can't access the internet)

Could someone read my config and explain where the problem is?

Thx

 

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        description "Switch NETGEAR"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description "Switch DLINK POE"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Synology
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description AC_LR_POE
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.11.251/24
        description SWITCH
        firewall {
            in {
                name LAN_IN
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
                vlan {
                    vid 10
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 192.168.10.1/24
            description vlan10
            firewall {
                in {
                    name VLAN10_IN
                }
                local {
                    name VLAN10_LOCAL
                }
            }
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.11.0/24 {
                default-router 192.168.11.251
                dns-server 192.168.11.251
                dns-server 80.67.169.12
                lease 86400
                start 192.168.11.200 {
                    stop 192.168.11.220
                }
                static-mapping Android_tab_Ilea {
                    ip-address 192.168.11.35
                    mac-address 98:3b:xx:xx:xx
                }
                static-mapping CM_HIK1 {
                    ip-address 192.168.11.72
                    mac-address bc:ad:xx:xx:xx:xx
                }
                static-mapping Cam_Entree {
                    ip-address 192.168.11.73
                    mac-address a4:14:37:xx:xx:xx:xx
                }
                static-mapping Cam_Salle {
                    ip-address 192.168.11.71
                    mac-address 28:10:xx:xx:xx:xx
                }
                static-mapping DCS-932L_1 {
                    ip-address 192.168.11.70
                    mac-address 28:10:xx:xx:xx:xx
                }
                static-mapping EPSON6B1FBE {
                    ip-address 192.168.11.55
                    mac-address 00:26:xx:xx:xx:xx
                }
                static-mapping FRSN1018_LAN {
                    ip-address 192.168.11.22
                    mac-address 20:47:xx:xx:xx:xx
                }
                static-mapping FRSN1018_WIFI {
                    ip-address 192.168.11.23
                    mac-address 5c:e0:xx:xx:xx:xx
                }
                static-mapping Laptop_M {
                    ip-address 192.168.11.21
                    mac-address 90:00:xx:xx:xx:xx
                }
                static-mapping PS3 {
                    ip-address 192.168.11.40
                    mac-address f8:d0:xx:xx:xx:xx
                }
                static-mapping Phoned {
                    ip-address 192.168.11.30
                    mac-address d0:25:xx:xx:xx:xx
                }
                static-mapping PhonedS {
                    ip-address 192.168.11.33
                    mac-address 88:66:xx:xx:xx:xx
                }
                static-mapping Synologed {
                    ip-address 192.168.11.250
                    mac-address 00:11:xx:xx:xx:xx
                }
                static-mapping TV_Clemence {
                    ip-address 192.168.11.47
                    mac-address cc:2d:xx:xx:xx:xx
                }
                static-mapping TV_Suite {
                    ip-address 192.168.11.46
                    mac-address 78:bd:xx:xx:xx:xx
                }
                static-mapping UAP_AC_LR {
                    ip-address 192.168.11.252
                    mac-address 44:d9:xx:xx:xx:xx
                }
                static-mapping WDTVLive {
                    ip-address 192.168.11.45
                    mac-address 00:90:xx:xx:xx:xx
                }
                static-mapping android-723770026ec90add {
                    ip-address 192.168.11.31
                    mac-address e4:12:xx:xx:xx:xx
                }
                static-mapping android_MC {
                    ip-address 192.168.11.32
                    mac-address 84:55:xx:xx:xx:xx
                }
                static-mapping android_Tab_clemence {
                    ip-address 192.168.11.36
                    mac-address 48:88:xx:xx:xx:xx
                }
            }
        }
        shared-network-name VLAN_10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 80.67.169.12
                dns-server 80.67.169.40
                lease 86400
                start 192.168.10.200 {
                    stop 192.168.10.205
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 1001
            listen-on switch0
            listen-on l2tp0
            listen-on switch0.10
            name-server 80.67.169.12
            name-server 80.67.169.40
            options host-record=nas.home,192.168.11.250
            options neg-ttl=300
            options listen-address=192.168.11.xxx
            options listen-address=192.168.111.xxx
            options host-record=router.home,192.168.11.251
            options host-record=cam0.home,192.168.11.70
            options host-record=cam1.home,192.168.11.71
            options host-record=cam3.home,192.168.11.73
            options host-record=cam2.home,192.168.11.72
            options log-queries
            options listen-address=192.168.10.xxx
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.11.251
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        commit-archive {
            location ftp://Config_ERX:xxxxxxxx@192.168.11.250/CONFIG_ERX
        }
        commit-revisions 20
    }
    host-name Ubiquited
    login {
        user Hedy76 {
            authentication {
                encrypted-password xxxxxxxx
                plaintext-password ""
                public-keys rsa-key-20161007 {
                    key xxxxxxxxx
                    type ssh-rsa
                }
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec disable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.11.250 {
            facility all {
                level warning
            }
        }
    }
    time-zone Europe/Paris
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username VPN {
                        password xxxxxxxxxx
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.111.1
                stop 192.168.111.5
            }
            dhcp-interface eth0
            dns-servers {
                server-1 192.168.11.251
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxx
                }
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}

Feature Request: Adding support for Open vSwitch


Hello,

 

I need to have Open vSwitch on my EdgeRouter ErPOE-5.

 

I tried to add the Debian repository and installed it, but I have the following error when I try to start the service (openvswitch-switch):

 

root@router:~# /etc/init.d/openvswitch-switch start
[FAIL] Inserting openvswitch module ... failed!
Module has probably not been built for this kernel.
Install the openvswitch-datapath-source package, then read
/usr/share/doc/openvswitch-datapath-source/README.Debian
[FAIL] Inserting openvswitch module ... failed!

root@router:~#

 

 

Thank you for your support

 

Thomas

routing with static ip BEHIND router


I have an unusual request. I have a small tower site that is set up on my routed network that has a static IP address that everyone on that tower shares. (It helps me figure out which tower I need to focus on when I get a spamming warning.)

Well, I have a new customer that requested a static IP that is BEHIND the router at the tower with the static IP. How do I make this happen? I tried routing his address from the main router, through the radios and tower router, but it still shows the tower's IP address, not his assigned static address.

(PS: the main router at the NOC is a Mikrotik, but all radios in the chain and the tower router as well as the customer router are Ubiquiti.)


Redesigning a network - want to change to all Ubiquiti routers/switches


I have a network that seems to have grown a bit out of control, has slowed somewhat and is overly "messy". It's got bits and pieces of Asus routers, Netgear and D-link Gig managed and unmanaged switches and multiple endpoints. And quite a few POE devices.

 

I've been looking at the ERLite-3 and the ERPoe-5 as well as Ubiquiti switches US-8-60W / US-8 and TS-5-POE/TS-8-PRO. I'm a long way from being a networking pro but can manage reasonably well with some assistance.

 

I've attached a PDF and a PNG diagram, hopefully these don't clutter up the post....

 

My property is in several segments: my cable internet connection and "Relay 1" are not on my property and are remote; Relay 2 and the rest of the network are mine. All the radios are on the same private subnet and I can control them fine from the "Lake" and remote into them and LAN 1 / AC2 when travelling as long as the radios are "up". Routers for LANs 1, 2 and Backup ISP are all at the "Lake" location.

 

What I'd like is to simplify (if possible) the arrangement and speed everything up. I'd like my "backup ISP" to be connected as a true failover. LANs should remain isolated from each other.

 

LAN 1 is for radio management only. LANs 3 and 4 are separate businesses. LAN 2 is a home and guest LAN, and also has a separate public static address. I'd prefer not to locate equipment at my cable modem as I can't reliably get into that building after business hours.

 

I can't figure out a topology/equipment combo that is relatively straightforward and workable, so I'd appreciate any insights into the design and comments as to which router(s) might be the best choice. (I'll add Unifi to the house and grounds in due course once everything is working and my wife is happy.)

 

 

load and commit ignores certain rules


I think that since 1.9 when I load a new config file and commit it, the new rules don't take (not found in show firewall) but there are no errors. Have I done something wrong?

 

Perhaps related: what are the required comments at the end of the config?

 

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939092.161214.0702 */

 

Update 1.91 problem


I have a new Edgerouter X.  Came with v1.8 firmware.  Ran WAN+2LAN2 wizard.  Everything worked.


Upgraded to v1.9:  Now I can use the new 'BASIC' wizard or the 2LAN2 wizard, and afterwards I can logon to the UI through a LAN port, but as soon as I plug in the WAN port to modem, the box becomes unresponsive.  I get kicked out of the UI and never get internet connection...? 

Getting kicked out of the UI makes no sense to me. Any ideas?

 

Thanks for the help.

NoobDex

 

 

UPDATE - Reverted to V1.80 and have the same problem...

 

UPDATE 2 - Every time I try to reinstall V1.91 I get an UPLOAD FAILED on the UI...

Basic Queue Request


Can we get this rewritten to allow sorting of these rules? Obviously, you set a --- application, it'll take precedence over the same IP a line below trying to shape an application, etc. Right now, there's no way to keep IP rules together other than entering them one after another. If you've got a long list, you'll have to add another rule below, and it is hard to keep track of visually.

These rules would still keep the same leaf ID, just re-sort the filter ID.

Do-able?

Secure scheduled backups of Edgerouter


For anyone interested, I made an article describing the steps to make a scheduled backup of the EdgeRouter via SFTP (or SCP). Everything that you need to set up secure public key authentication to the backup server.

 

http://www.cron.dk/edgerouter-scheduled-backups/

 

Best regards,

   Alex Jensen
