
public ip routing via vtun0

Dear Community,

I have, I think, a special problem; not sure if anybody can help.

I am trying to route my public /29 subnet from a server in the datacenter to my EdgeRouter Lite.

So I have an interface vtun0 with the tunnel, and on my EdgeRouter a VLAN vif 40 with the public subnet (133.222.111.160/29): interface eth2:40, IP 133.222.111.161/29.

I can now ping the interface IP of eth2:40 from internal and from the datacenter server, but not from the internet. BUT I can ping all other devices inside VLAN 40 (133.222.111.162, .163, .164...).

I can see with tcpdump that the ping response to the internet tries to leave the router via eth0; it should be vtun0 if I ping from the internet. But if I ping from internal or from the dedicated server, the response leaves via vtun0.

I have PBR activated, but it's not working for the eth2:40 133.222.111.161 interface.

Does anybody have an idea?

I have been trying to solve the problem for hours and hours.


ISP Change, ERL Changes

For the last eight months or so, I've been using my ERL run through two Nanobeams to feed a cable ISP to my home about 1.5 miles away. It's worked well and I can't be happier with how stable the connection has been.

I should soon have access to a fiber connection. That said, I'm looking to keep my existing wireless solution as redundancy. I'm aware of the fact that the ERL can have two WAN connections without issue. My concern is the setup.

I don't want to lose the settings I have going right now. I have several IPs forwarded as well as my VLANs and IP scope set. Putting everything back would be a royal pain to say the least. I could do it as I have everything cataloged but it doesn't mean I want to. Is there a way to change the setup on the ERL for two WAN, one LAN without losing my other settings?  Also, what would my public IP be with a setup like this?  Would using either one work since they're both still going to the same internal network?

As a second question, once I move the ERL to the house from the remote location, I still want to be able to access the Nanobeams for config and update. How can I ensure that I can use a local IP to get to the UIs for each one? Someone mentioned before that I have to put that IP scope on the WAN connection going that way but I'm not sure how to do that without exposing my entire network to the open internet. Any help would be appreciated.

Edgerouter v1.9.1 OSPFv3 interop issue with Cisco 3750G

I have a network of various EdgeMax boxes running v4 + v6 OSPF to distribute loopback addresses, then a full mesh of iBGP for customer prefixes and eBGP for external connectivity.

[image: ospv3_forum.png]

In one location there is a Cisco 3750G running 12.2(55)SE10; behind this 3750G are various x86 boxes running Quagga/ExaBGP and BIRD. Yesterday I upgraded the 4 Edgemax boxes from a mix of v1.7.0 and 1.6 all to v1.9.1. I understand that between 1.7 and 1.8 the routing daemon changed from Quagga to IPInfusion ZebOS? Since upgrading the Edgerouters to v1.9.1, OSPFv3 IPv6 adjacencies won't come up between the Cisco 3750G (185.61.112.65) and the Edgerouter (185.61.112.71).

IPv6 adjacency that won't come up is shown with the red line above.

The Cisco is showing Full/BDR:

sw1.gorras#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
185.61.112.71     1   FULL/BDR        00:00:35    8               Vlan29
185.61.112.66     1   FULL/DR         00:00:35    2               Vlan70

And the Edgerouter stuck at Loading/DR:

nat@rt2-gorras:~$ show ipv6 ospfv3 neighbor
OSPFv3 Process (*null*)
Neighbor ID     Pri   State           Dead Time   Interface  Instance ID
185.61.112.70     1   Full/DR         00:00:32    eth0       0
185.61.112.65     1   Loading/DR      00:00:39    eth4       0

MTU looks ok on both sides, Cisco:

sw1.gorras#show int gi1/0/1
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0015.c6f4.e481 (bia 0015.c6f4.e481)
  Description: to-rt2-at-pole
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

ER:

nat@rt2-gorras:~$ show interfaces ethernet eth4
eth4@switch0: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue state UNKNOWN group default

All of my configs are backed up automatically via Oxidized to a public GitHub repo natm/home-network/configs, latest:

I have taken a packet capture from the Edgerouter side on eth4 of just IPv6 packets: ospf1.pcap

Any help would be appreciated, I would rather not go back to 1.6 or 1.7 on the ER if it can be helped.

Thanks,

Nat
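
The two neighbour tables quoted above disagree about the same adjacency: IOS reports FULL, EdgeOS reports Loading (the state in which the local router has sent Link State Requests and is still waiting for the matching Link State Updates). The script below is an added example, not part of the post or of either vendor's tooling: it parses both outputs (the column layouts differ, so each is tagged with its vendor) and classifies every adjacency as full, asymmetric or missing, which is the check to rerun after each change while chasing a stuck neighbour.

```python
"""Compare OSPFv3 neighbour tables from both ends of a link (added example).

The two tables below are the ones quoted in the post. IOS and EdgeOS print
different trailing columns, so the parser is told which vendor it is reading.
"""
import re
from dataclasses import dataclass

CISCO_OUTPUT = """\
sw1.gorras#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
185.61.112.71     1   FULL/BDR        00:00:35    8               Vlan29
185.61.112.66     1   FULL/DR         00:00:35    2               Vlan70
"""

EDGEOS_OUTPUT = """\
nat@rt2-gorras:~$ show ipv6 ospfv3 neighbor
OSPFv3 Process (*null*)
Neighbor ID     Pri   State           Dead Time   Interface  Instance ID
185.61.112.70     1   Full/DR         00:00:32    eth0       0
185.61.112.65     1   Loading/DR      00:00:39    eth4       0
"""

# Router-id, priority, STATE/ROLE, dead timer, then vendor-specific columns.
NEIGHBOR_RE = re.compile(
    r"^\s*(?P<rid>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<pri>\d+)\s+(?P<state>\S+)"
    r"\s+(?P<dead>\d\d:\d\d:\d\d)\s+(?P<rest>.+)$"
)


@dataclass(frozen=True)
class Neighbor:
    router_id: str
    state: str      # upper-cased adjacency state: FULL, LOADING, EXSTART, ...
    role: str       # DR, BDR or DROTHER as seen by the router printing the table
    interface: str


def parse_neighbors(text, vendor):
    """Return {neighbour router-id: Neighbor} for one router's neighbour table."""
    table = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue                      # prompt, header and blank lines
        state, _, role = m["state"].partition("/")
        rest = m["rest"].split()
        # IOS prints "Interface ID  Interface"; EdgeOS prints "Interface  Instance ID".
        iface = rest[1] if vendor == "cisco" else rest[0]
        table[m["rid"]] = Neighbor(m["rid"], state.upper(), role.upper(), iface)
    return table


def adjacency_status(a_table, a_router_id, b_table, b_router_id):
    """Classify the A<->B adjacency using both routers' views of each other."""
    a_sees_b = a_table.get(b_router_id)
    b_sees_a = b_table.get(a_router_id)
    if a_sees_b is None or b_sees_a is None:
        return "missing", a_sees_b, b_sees_a
    if a_sees_b.state == "FULL" and b_sees_a.state == "FULL":
        return "full", a_sees_b, b_sees_a
    return "asymmetric", a_sees_b, b_sees_a


def report(cisco_text, cisco_id, edge_text, edge_id):
    """Summarise the Cisco<->EdgeOS adjacency as a small dict."""
    cisco = parse_neighbors(cisco_text, "cisco")
    edge = parse_neighbors(edge_text, "edgeos")
    verdict, c_view, e_view = adjacency_status(cisco, cisco_id, edge, edge_id)
    return {
        "verdict": verdict,
        "cisco_sees": c_view.state if c_view else None,
        "edgeos_sees": e_view.state if e_view else None,
    }


if __name__ == "__main__":
    # Router-ids taken from the post: 185.61.112.65 is the 3750G, .71 the EdgeRouter.
    print(report(CISCO_OUTPUT, "185.61.112.65", EDGEOS_OUTPUT, "185.61.112.71"))
```

For the posted tables this reports `asymmetric` with `cisco_sees == "FULL"` and `edgeos_sees == "LOADING"`, which narrows the problem to the Link State Update / Request exchange towards the EdgeRouter rather than to Hello or DBD processing.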

Internet Blacklist or blocking Javascript

I'm trying to configure a new EdgeRouter X v1.9.1 to block all websites but 10, in an attempt to have PCs online that can't get sick from drive-by malware and such. I'm pretty sure I don't really have to block all of the Internet if I could just disable JavaScript for all of it but my 10. I've tried adjusting IE's security slider per zone but I can't get one critical site to function properly. I'd like to do this as painlessly as possible. I've heard of squidGuard but I'm unsure if I can block the entire web with it, including new servers that emerge for ransomware. What I've done so far is to make firewall rules to allow the IPs of my needed sites, followed by rules to block outbound ports 80 and 443. It's working, but researching every IP for a site to function properly is a bit of a chore and probably impractical in the long run.

1. Can EdgeOS block or strip out JavaScript? I think I've seen this in SonicWalls.

2. Can squidGuard easily blacklist all of the Internet (including future sites) but whitelist a dozen sites?
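
The IP-based rules described above are the network-layer form of an allowlist; once a proxy such as squidGuard does the allowlisting by name, the matching rule itself becomes the weak point. The code below is an added example (not from the post and not squidGuard's own logic) showing the tempting suffix check next to a label-aware one, plus URL handling that decides on the parsed hostname so userinfo tricks cannot slip past. The `ALLOWLIST` entries are constructed.

```python
"""Label-aware hostname allowlist (added example, constructed data).

A "block everything except these sites" policy is only as good as the match.
A plain suffix test accepts lookalike hosts; matching whole DNS labels does not.
"""
from urllib.parse import urlsplit

# Constructed allowlist of the sites that should stay reachable.
ALLOWLIST = {"example.com", "intranet.example"}


def naive_allowed(host, allowlist=ALLOWLIST):
    """The tempting but wrong check: any host *ending in* an allowed name passes."""
    return any(host.lower().endswith(entry) for entry in allowlist)


def normalize_host(host):
    """Lower-case, drop a trailing dot and a :port suffix so variants compare equal."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:443
        return host[1:host.index("]")]
    if host.count(":") == 1:                      # host:port
        host = host.split(":", 1)[0]
    return host


def host_allowed(host, allowlist=ALLOWLIST):
    """Allow the host itself or any subdomain of an entry, comparing whole labels."""
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def url_allowed(url, allowlist=ALLOWLIST):
    """Decide on the parsed hostname, never on the raw string."""
    host = urlsplit(url).hostname        # "https://example.com@evil.test/" -> "evil.test"
    if not host:                         # no authority component: nothing to judge
        return False
    return host_allowed(host, allowlist)


if __name__ == "__main__":
    for h in ("www.example.com", "notexample.com", "example.com.evil.test"):
        print(f"{h:28} naive={naive_allowed(h)!s:5} label-aware={host_allowed(h)}")
```

`naive_allowed("notexample.com")` returns True while `host_allowed` returns False; the same label-wise walk also rejects `example.com.evil.test`, where the allowed name is merely a prefix.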

PPTP Strange error GRE : Input/output error

I am having the strangest error. I have a simple PPTP server set up, with local authentication, but the clients will never connect.

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group MAR {
             address 192.168.199.1-192.168.199.119
             address 192.168.199.121-192.168.199.199
             address 192.168.199.201-192.168.199.255
             description "internal Network"
         }
         network-group DMZ {
             description ""
             network 172.16.0.0/24
         }
         network-group Internal {
             description mar
             network 192.168.199.0/24
         }
         network-group IsolateDMZ {
             description ""
             network 192.168.199.0/24
             network 192.168.2.0/24
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name PROTECT_DMZ_IN {
         default-action accept
         rule 10 {
             action accept
             description "Accept Established/Related"
             protocol all
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop LAN_NETWORKS"
             destination {
                 group {
                     network-group IsolateDMZ
                 }
             }
             log disable
             protocol all
         }
     }
     name PROTECT_DMZ_LOCAL {
         default-action drop
         rule 10 {
             action accept
             description "Accept DNS"
             destination {
                 port 53
             }
             protocol udp
         }
         rule 20 {
             action accept
             description "Accept DHCP"
             destination {
                 port 67
             }
             protocol udp
         }
     }
     name PROTECT_IN {
         default-action accept
         rule 10 {
             action accept
             description "Accept Established/Related"
             protocol all
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop LAN_NETWORKS"
             destination {
                 group {
                     address-group MAR
                 }
             }
             protocol all
         }
     }
     name PROTECT_LOCAL {
         default-action drop
         rule 10 {
             action accept
             description "Accept DNS"
             destination {
                 port 53
             }
             protocol udp
         }
         rule 20 {
             action accept
             description "Accept DHCP"
             destination {
                 port 67
             }
             protocol udp
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 21 {
             action accept
             description "Allow xxx.147"
             destination {
                 address 192.168.199.200
                 port 80,443
             }
             log disable
             protocol tcp
         }
         rule 22 {
             action accept
             description "Allow xxx.148"
             destination {
                 address 192.168.199.120
             }
             log disable
             protocol all
         }
         rule 23 {
             action accept
             description "Allow xxx.150"
             destination {
                 address 172.16.0.2
             }
             log disable
             protocol all
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             description "Allow PPTP"
             destination {
                 port 1723
             }
             log disable
             protocol tcp
         }
         rule 30 {
             action accept
             description "Allow PPTP GRE"
             log disable
             protocol gre
         }
         rule 40 {
             action accept
             description "Remote Access"
             destination {
                 port 80,443,22
             }
             disable
             log disable
             protocol tcp
         }
         rule 50 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address xxx.146/29
         address xxx.147/29
         address xxx.148/29
         address xxx.150/29
         description Internet
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         address 192.168.10.1/24
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         address 192.168.2.1/24
         description "Realtor Institute"
         duplex auto
         firewall {
             in {
                 name PROTECT_IN
             }
             local {
                 name PROTECT_LOCAL
             }
         }
         speed auto
     }
     ethernet eth3 {
         duplex auto
         speed auto
     }
     ethernet eth4 {
         address 192.168.199.1/24
         description MAR
         duplex auto
         speed auto
     }
     ethernet eth5 {
         duplex auto
         speed auto
     }
     ethernet eth6 {
         address dhcp
         duplex auto
         speed auto
     }
     ethernet eth7 {
         address 172.16.0.1/24
         duplex auto
         firewall {
             in {
                 name PROTECT_DMZ_IN
             }
             local {
                 name PROTECT_DMZ_LOCAL
             }
         }
         speed auto
     }
     loopback lo {
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface eth2
     lan-interface eth4
     lan-interface eth7
     wan-interface eth0
 }
 protocols {
     static {
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name DMZ {
             authoritative disable
             subnet 172.16.0.0/24 {
                 default-router 172.16.0.1
                 dns-server 208.67.222.123
                 dns-server 208.67.220.123
                 lease 86400
                 start 172.16.0.10 {
                     stop 172.16.0.100
                 }
             }
         }
         shared-network-name LAN1 {
             authoritative disable
             subnet 192.168.10.0/24 {
                 default-router 192.168.10.1
                 dns-server 8.8.8.8
                 dns-server 8.8.4.4
                 lease 86400
                 start 192.168.10.10 {
                     stop 192.168.10.240
                 }
             }
         }
         shared-network-name LAN2 {
             authoritative enable
             subnet 192.168.2.0/24 {
                 default-router 192.168.2.1
                 dns-server 192.168.2.1
                 lease 86400
                 start 192.168.2.38 {
                     stop 192.168.2.243
                 }
             }
         }
         shared-network-name MAR {
             authoritative disable
             subnet 192.168.199.0/24 {
                 default-router 192.168.199.1
                 dns-server 208.67.222.123
                 dns-server 208.67.220.123
                 lease 86400
                 start 192.168.199.10 {
                     stop 192.168.199.99
                 }
                 static-mapping marlamps {
                     ip-address 192.168.199.200
                     mac-address 6c:62:6d:81:94:9e
                 }
             }
         }
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on eth1
             listen-on eth2
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 1 {
             description "forward xxx.147 to 192.168.199.200"
             destination {
                 address xxx.147
             }
             inbound-interface eth0
             inside-address {
                 address 192.168.199.200
             }
             log disable
             protocol all
             type destination
         }
         rule 2 {
             description "forward xxx.148 to 192.168.199.120"
             destination {
                 address xxx.148
             }
             inbound-interface eth0
             inside-address {
                 address 192.168.199.120
             }
             log disable
             protocol all
             type destination
         }
         rule 3 {
             description "forward xxx.150 to 172.16.0.2"
             destination {
                 address xxx.150
             }
             inbound-interface eth0
             inside-address {
                 address 172.16.0.2
             }
             log disable
             protocol all
             type destination
         }
         rule 4 {
             description "int _ forward xxx.147 to 192.168.199.200"
             destination {
                 address xxx.147
             }
             inbound-interface eth4
             inside-address {
                 address 192.168.199.200
             }
             log disable
             protocol all
             type destination
         }
         rule 5 {
             description "int _ forward xxx.148 to 192.168.199.120"
             destination {
                 address xxx.148
             }
             inbound-interface eth4
             inside-address {
                 address 192.168.199.120
             }
             log disable
             protocol all
             type destination
         }
         rule 6 {
             description "int _ forward xxx.150 to 192.168.199.200"
             destination {
                 address xxx.150
             }
             inbound-interface eth4
             inside-address {
                 address 172.16.0.2
             }
             log disable
             protocol all
             type destination
         }
         rule 5000 {
             description "map 192.168.199.200 to xxx.147"
             log disable
             outbound-interface eth0
             outside-address {
                 address xxx.147
             }
             protocol all
             source {
                 address 192.168.199.200
             }
             type source
         }
         rule 5001 {
             description "map 192.168.199.200 to xxx.148"
             log disable
             outbound-interface eth0
             outside-address {
                 address xxx.148
             }
             protocol all
             source {
                 address 192.168.199.120
             }
             type source
         }
         rule 5002 {
             description "map 172.16.0.2 to xxx.150"
             log disable
             outbound-interface eth0
             outside-address {
                 address xxx.150
             }
             protocol all
             source {
                 address 172.16.0.2
             }
             type source
         }
         rule 5003 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     gateway-address xxx.145
     host-name ubnt
     login {
         user manager {
             authentication {
                 encrypted-password $6$U0t50ba0B$E0R6tsmhp6UtieYTVLlkv.GKp9b84Libq36nwxPCviGssyT4fNX4OmNaeQJyp/mv7YSOeqDoIhvC7r9fAgdfY0
             }
             level admin
         }
     }
     name-server 8.8.8.8
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
     traffic-analysis {
         dpi enable
         export enable
     }
 }
 traffic-control {
     advanced-queue {
         filters {
             match 1 {
                 attach-to 1023
                 ip {
                     destination {
                         address 0.0.0.0/24
                     }
                     source {
                         address 192.168.2.0/24
                     }
                 }
                 target 1
             }
             match 2 {
                 attach-to 1023
                 ip {
                     destination {
                         address 192.168.2.0/24
                     }
                     source {
                         address 0.0.0.0/24
                     }
                 }
                 target 2
             }
         }
         leaf {
             queue 1 {
                 bandwidth 2mbit
                 parent 1023
                 queue-type UBNT_BQ_FQ_CODEL
             }
             queue 2 {
                 bandwidth 2mbit
                 parent 1023
                 queue-type UBNT_BQ_FQ_CODEL
             }
         }
         queue-type {
             fq-codel UBNT_BQ_FQ_CODEL {
             }
         }
         root {
             queue 1023 {
                 attach-to global
                 bandwidth 1000mbit
                 description UBNT-BQ
             }
         }
     }
     smart-queue Throttle {
         download {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 120mbit
         }
         upload {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 120mbit
         }
         wan-interface eth0
     }
 }
 vpn {
     pptp {
         remote-access {
             authentication {
                 local-users {
                     username test {
                         password test
                     }
                 }
                 mode local
             }
             client-ip-pool {
                 start 10.10.8.1
                 stop 10.10.8.16
             }
             dns-servers {
                 server-1 208.67.222.123
                 server-2 208.67.220.123
             }
             outside-address xxx.146
         }
     }
 }

And when I check the log:

Mar  7 16:36:07 ubnt pppd[26017]: pppd 2.4.4 started by root, uid 0
Mar  7 16:36:07 ubnt pppd[26017]: Connect: ppp0 <--> /dev/pts/2
Mar  7 16:36:07 ubnt pppd[26017]: peer from calling number [scrubbed IP] authorized
Mar  7 16:36:07 ubnt pppd[26017]: MPPE required but peer negotiation failed
Mar  7 16:36:07 ubnt pppd[26017]: Connection terminated: no multilink.
Mar  7 16:36:07 ubnt pptpd[26012]: GRE: read(fd=6,buffer=416518,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Mar  7 16:36:07 ubnt pptpd[26012]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Mar  7 16:36:07 ubnt pptpd[26012]: CTRL: Couldn't write packet to client.

Looks like the Poptop server is not working?

Please help...
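
In the log above the pptpd "GRE: read ... Input/output error" line is the symptom it says it is: pppd had already exited one line earlier with "MPPE required but peer negotiation failed", which pppd emits when it is configured to require MPPE and the peer does not negotiate it (MPPE keys are derived from MS-CHAP/MS-CHAPv2 authentication, so a client authenticating with PAP or plain CHAP cannot satisfy the requirement). The script below is an added example, not from the post: it parses the posted syslog lines, groups them by process and reports the earliest pppd message that explains the teardown, so the GRE error is attributed to its cause.

```python
"""Triage of pptpd/pppd syslog lines (added example).

SAMPLE_LOG holds the lines from the post (the scrubbed IP kept as written).
Lines are grouped per pppd pid and matched against known root causes in
priority order, so the generic "Connection terminated" never masks the real one.
"""
import re

SAMPLE_LOG = """\
Mar  7 16:36:07 ubnt pppd[26017]: pppd 2.4.4 started by root, uid 0
Mar  7 16:36:07 ubnt pppd[26017]: Connect: ppp0 <--> /dev/pts/2
Mar  7 16:36:07 ubnt pppd[26017]: peer from calling number [scrubbed IP] authorized
Mar  7 16:36:07 ubnt pppd[26017]: MPPE required but peer negotiation failed
Mar  7 16:36:07 ubnt pppd[26017]: Connection terminated: no multilink.
Mar  7 16:36:07 ubnt pptpd[26012]: GRE: read(fd=6,buffer=416518,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Mar  7 16:36:07 ubnt pptpd[26012]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Mar  7 16:36:07 ubnt pptpd[26012]: CTRL: Couldn't write packet to client.
""".splitlines()

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Ordered by specificity: the first pattern found anywhere in a session wins.
ROOT_CAUSES = [
    ("MPPE required but peer negotiation failed", "mppe-negotiation-failed"),
    ("authentication failed", "authentication-failed"),
    ("Connection terminated", "terminated"),
]


def parse_syslog_line(line):
    """Split one syslog line into its fields, or return None for lines that don't fit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def triage(lines):
    """Return the root cause per pppd pid and whether pptpd logged the GRE/PTY symptom."""
    by_pid = {}
    pptpd_symptom = False
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        if rec["prog"] == "pppd":
            by_pid.setdefault(rec["pid"], []).append(rec["msg"])
        elif rec["prog"] == "pptpd" and "GRE: read" in rec["msg"] and "failed" in rec["msg"]:
            pptpd_symptom = True
    causes = {}
    for pid, msgs in by_pid.items():
        causes[pid] = next(
            (code for pattern, code in ROOT_CAUSES for m in msgs if pattern.lower() in m.lower()),
            "unknown",
        )
    return {"pppd": causes, "pptpd_gre_symptom": pptpd_symptom}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the posted lines it yields `{'pppd': {26017: 'mppe-negotiation-failed'}, 'pptpd_gre_symptom': True}`: the pptpd error is present, but the session was already gone because MPPE was required and not negotiated.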

BGP Unnumbered

Hello, I am trying to peer up with a Quagga/Cisco-esque device using public internet IPs and need to peer up using BGP unnumbered.

Something to the tune of:

neighbor swp1 interface v6only peer-group fabric

However it would appear that UBNT does not support this.  Is it possible to check if the underlying Quagga supports this, or moreover if I can replace the underlying Quagga with Cumulus' fork of quagga which does support BGP unnumbered?

Thanks!

ERX DHCP issue

I recently bought an ERX to replace my old, flaky Buffalo device for my home. The first thing I did was to upgrade it to v1.91. I ran the basic setup wizard and chose the option to set up two LANs. This results in eth0 being the WAN interface getting its IP from my ISP's modem, eth1 being a standalone interface (I used manual network 192.168.20.0/24), and eth2 - eth4 being part of switch0 with a manual network 192.168.10.0/24.


I plugged a Cisco Meraki MR18 into eth1. I have it configured to serve three SSIDs: internal LAN, guest, and other (for PS4 and smart TV). I have tagged these wireless networks 40, 30, and 50, respectively. On the ERX, I added the three VLANs to eth1 with networks 192.168.40.0/24, 192.168.30.0/24, and 192.168.50.0/24. I used Ubiquiti's guide to create a secured guest network on both VLAN 30 and 50 (basically disallow all traffic to any private IP address and, on the ERX, allow only DNS and DHCP). I added DHCP scopes for each of these networks and bound the DNS server to all of the interfaces except eth0 (including the VLAN interfaces).

I want my PS4 to be able to connect to my MacBook Pro, which runs Plex Media Server. Since this device is a laptop, I created one DHCP reservation/static DHCP mapping for my MacBook Pro's wired NIC MAC address in 192.168.10.0/24 and one for its wireless NIC MAC address in 192.168.40.0/24. I also created a mapping for the PS4's wireless NIC in 192.168.50.0/24. Then I created an address group containing the MacBook Pro's two reserved IP addresses and then created a rule that allowed communication from the PS4's reserved IP address to that address group on port 32400 (the Plex server port).


It seemed to work at first, but later I noticed that nothing could get an address assigned via DHCP. It didn't matter which wireless SSID I tried to connect to or which port on the ERX I plugged my Mac into; I couldn't get an address. Even the Meraki AP stopped working when I tried to reset it (it is also configured to get its IP address via DHCP). If I configured my MacBook Pro's wired NIC IP and DNS information manually according to the appropriate network assigned to ERX eth1 or switch0, that worked fine and I was able to reach the Internet.


I checked my config and didn't notice any issues, so I tried scaling back some of the configuration. The thing that got DHCP working again was deleting the static DHCP mappings that I had configured for my MacBook Pro and PS4.


To me, this makes no sense whatsoever.  I'd like to get to the bottom of this because I need my static DHCP reservations in order for my rules to work consistently over time.

What steps or commands can I use to troubleshoot this?  I'm entirely new to Ubiquiti and EdgeMAX.
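
Before digging into daemon logs, the static mappings themselves are worth checking mechanically, since they are what the post found to be the trigger. The script below is an added example, not the post's data or anything from EdgeOS: it runs the usual sanity checks over a set of scopes (reservation inside the dynamic pool, address outside the scope's subnet, MAC not in the colon-separated form the config uses, the same MAC or IP listed twice). The scopes are constructed to resemble the layout described in the post; all addresses and MACs are made up.

```python
"""Sanity checks for DHCP static mappings (added example, constructed data).

Each scope mirrors an EdgeOS shared-network: subnet, dynamic start/stop and
the static-mapping entries. Findings are (scope, mapping, issue) tuples.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed scopes: one sound mapping, one inside the pool, one outside the
# subnet with a dash-separated MAC, and one reusing another mapping's MAC.
SCOPES = [
    {"name": "LAN10", "subnet": "192.168.10.0/24",
     "start": "192.168.10.100", "stop": "192.168.10.200",
     "static": {"macbook-wired": {"ip": "192.168.10.50", "mac": "02:00:00:00:10:01"}}},
    {"name": "VLAN40", "subnet": "192.168.40.0/24",
     "start": "192.168.40.100", "stop": "192.168.40.200",
     "static": {"macbook-wifi": {"ip": "192.168.40.150", "mac": "02:00:00:00:40:01"}}},
    {"name": "VLAN50", "subnet": "192.168.50.0/24",
     "start": "192.168.50.100", "stop": "192.168.50.200",
     "static": {"ps4-wifi": {"ip": "192.168.51.60", "mac": "02-00-00-00-50-01"},
                "tv": {"ip": "192.168.50.61", "mac": "02:00:00:00:40:01"}}},
]


def check_static_mappings(scopes):
    """Return a list of (scope name, mapping name, issue) for every problem found."""
    findings = []
    macs_seen, ips_seen = {}, {}
    for scope in scopes:
        net = ipaddress.ip_network(scope["subnet"])
        lo = ipaddress.ip_address(scope["start"])
        hi = ipaddress.ip_address(scope["stop"])
        for name, mapping in scope["static"].items():
            ip = ipaddress.ip_address(mapping["ip"])
            mac = mapping["mac"].strip().lower()
            if ip not in net:
                findings.append((scope["name"], name, "ip-outside-subnet"))
            elif lo <= ip <= hi:
                findings.append((scope["name"], name, "ip-inside-dynamic-range"))
            if not MAC_RE.match(mac):
                findings.append((scope["name"], name, "mac-not-colon-hex"))
            elif mac in macs_seen:
                findings.append((scope["name"], name, "mac-duplicate:" + macs_seen[mac]))
            else:
                macs_seen[mac] = name
            if ip in ips_seen:
                findings.append((scope["name"], name, "ip-duplicate:" + ips_seen[ip]))
            else:
                ips_seen[ip] = name
    return findings


if __name__ == "__main__":
    for finding in check_static_mappings(SCOPES):
        print(*finding)
```

On the constructed scopes this flags `macbook-wifi` (inside the pool), `ps4-wifi` (outside its subnet, dash-separated MAC) and `tv` (MAC already used by `macbook-wifi`); the first mapping passes cleanly.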

SNMP question (or, how to track saturating WAN)

I wanted historical graphs of my bandwidth so I set up cacti + SNMP.  That's working.

The default 5 minute sample rate of cacti seems coarse to me. I see instructions online on how to change cacti from 5 min to 1 min, but that got me thinking: is SNMP a point-in-time metric or is it in any way smoothed out over time? Example: if my router is doing RX at 90Mbps over a 5 minute period but cacti asks SNMP for the usage during a "blip" where the RX dropped to 0Mbps, would SNMP report 0? 90? Something in between?

My goal: I'm curious over the long term if/when/how often I'm saturating my WAN connection.  If there is another better or easier way to solve that, please let me know.

Thanks!
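
The interface objects a poller reads (IF-MIB ifInOctets/ifOutOctets, 32-bit, and ifHCInOctets/ifHCOutOctets, 64-bit) are running totals, not rates: the poller stores the counter at each poll and the plotted value is delta divided by elapsed time, i.e. the average over the whole interval, so a dip to zero inside one interval lowers that interval's average rather than showing up as 0 or as the full rate. The code below is an added example (not cacti's or RRDtool's implementation) that performs that derivation on constructed samples, including the one case that silently corrupts such graphs: a 32-bit counter wrapping between polls, which at 5-minute polling happens on any link carrying more than about 114 Mbit/s sustained.

```python
"""Rate from cumulative SNMP octet counters (added example, constructed samples).

counter_delta() tolerates a single wrap between polls; average_bps() turns two
(timestamp, counter) samples into the interval's mean bit rate, which is what a
poller such as cacti plots.
"""

COUNTER_MAX = {32: 2**32, 64: 2**64}


def counter_delta(prev, curr, width=32):
    """Octets counted between two polls, assuming at most one wrap in between."""
    if curr >= prev:
        return curr - prev
    return COUNTER_MAX[width] - prev + curr


def average_bps(prev_sample, curr_sample, width=32):
    """Average bit rate between two (timestamp_seconds, counter_value) samples."""
    t0, c0 = prev_sample
    t1, c1 = curr_sample
    if t1 <= t0:
        raise ValueError("samples must be strictly increasing in time")
    return counter_delta(c0, c1, width) * 8 / (t1 - t0)


def rate_series_mbps(samples, width=32):
    """Per-interval averages in Mbit/s for a list of consecutive samples."""
    return [round(average_bps(a, b, width) / 1e6, 3) for a, b in zip(samples, samples[1:])]


def seconds_until_wrap(bps, width=32):
    """Seconds a counter lasts at a steady rate; the poll interval must stay below this."""
    return COUNTER_MAX[width] * 8 / bps


# Constructed 32-bit ifInOctets samples, 300 s apart, on a link near 90 Mbit/s:
#   poll 1 -> 2: steady 90 Mbit/s            (3_375_000_000 octets)
#   poll 2 -> 3: steady 90 Mbit/s, counter wraps past 2**32 in between
#   poll 3 -> 4: 90 Mbit/s for 150 s, then a 150 s "blip" at 0 Mbit/s
_P2 = 3_375_000_000
_P3 = (_P2 + 3_375_000_000) % 2**32          # 2_455_032_704 after the wrap
SAMPLES = [(0, 0), (300, _P2), (600, _P3), (900, _P3 + 1_687_500_000)]


if __name__ == "__main__":
    print("per-interval Mbit/s:", rate_series_mbps(SAMPLES))
    for rate in (90e6, 1e9):
        print(f"32-bit counter at {rate/1e6:.0f} Mbit/s wraps every "
              f"{seconds_until_wrap(rate):.0f} s; 64-bit: {seconds_until_wrap(rate, 64):.3g} s")
```

The series comes out as `[90.0, 90.0, 45.0]`: the wrap is invisible once corrected, and the half-interval blip shows as a 45 Mbit/s average, not as 0 or 90. Without the wrap correction the second interval would be reported as a negative or nonsense value, and at 1 Gbit/s a 32-bit counter wraps every 34 s, far inside any sensible poll interval, which is why the HC counters exist.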

GRE/IPSEC tunnel won't fully initiate until traffic is seen from the respond side

I have several ER-Lites with nearly identical configs connecting back to an EdgeRouter using IPsec/GRE tunnels. Two of the EdgeRouter Lites can't pass any traffic back to the EdgeRouter until the EdgeRouter sends a packet towards the EdgeRouter Lite. A ping from the EdgeRouter side towards the EdgeRouter Lite side is all that's needed to get bidirectional traffic working. During the issue, I see traffic coming into the EdgeRouter (by looking at the dashboard), but none going back. The rest of my ER Lites don't experience this issue at all. Both sides show that the tunnel is up. The ER Lites always initiate the tunnel since they are all using dynamic WAN addressing. Both devices are running 1.91.

Any help will be greatly appreciated.  Configs below in spoilers.

This is the Edgerouter config (headend):

firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 11 {
action accept
description "Allow Established"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow Established"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
}
options {
mss-clamp {
interface-type pppoe
interface-type pptp
interface-type tun
interface-type vti
mss 1350
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
bonding bond0 {
address x.x.1.51/25
description Internet
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
hash-policy layer2
mode active-backup
vrrp {
vrrp-group 100 {
advertise-interval 1
authentication {
password rsecureh
type ah
}
preempt true
priority 100
sync-group HomeVPN
virtual-address x.x.1.50/25
}
}
}
bonding bond1 {
address x.x.250.35/24
description WAN
firewall {
local {
}
}
hash-policy layer2
ip {
}
mode active-backup
vrrp {
vrrp-group 101 {
advertise-interval 1
authentication {
password xxxx
type ah
}
preempt true
priority 100
sync-group HomeVPN
virtual-address x.x.250.34/24
}
}
}
ethernet eth0 {
bond-group bond0
description Internet-A
duplex auto
speed auto
}
ethernet eth1 {
description Internet-B
disable
duplex auto
firewall {
in {
}
local {
}
}
speed auto
}
ethernet eth2 {
bond-group bond1
description WAN-A
duplex auto
speed auto
}
ethernet eth3 {
description WAN-B
disable
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
address 192.168.1.1/24
duplex auto
speed auto
}
loopback lo {
address x.x.255.198/32
description Loobpack
}
tunnel tun0 {
address x.x.0.253/30
description "Tunnel for David"
encapsulation gre
local-ip x.x.255.198
mtu 1440
multicast disable
remote-ip x.x.255.199
ttl 255
}
tunnel tun1 {
address x.x.0.241/30
description "Tunnel for Peter"
encapsulation gre
local-ip x.x.255.198
mtu 1440
multicast disable
remote-ip x.x.255.201
ttl 255
}
tunnel tun2 {
address x.x.0.210/30
description "Tunnel for Adam"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.202
ttl 255
}
tunnel tun3 {
address x.x.252.65/30
description "Tunnel for Chuck"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.175
ttl 255
}
tunnel tun4 {
address x.x.0.41/30
description "Tunnel for MikeT"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.8
ttl 255
}
tunnel tun5 {
address x.x.252.49/30
description "Tunnel for MikeB"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.171
ttl 255
}
tunnel tun6 {
address x.x.252.53/30
description "Tunnel for Jeff"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.172
ttl 255
}
tunnel tun7 {
address x.x.252.57/30
description "Tunnel for Sam"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.173
ttl 255
}
tunnel tun8 {
address x.x.252.61/30
description "Tunnel for MikeR"
encapsulation gre
local-ip x.x.255.198
mtu 1376
multicast disable
remote-ip x.x.255.174
ttl 255
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface bond1
wan-interface bond0
}
protocols {
static {
route 10.0.0.0/8 {
next-hop x.x.250.1 {
distance 1
}
}
route x.x.240.0/24 {
next-hop x.x.252.58 {
}
}
route x.x.246.0/24 {
next-hop x.x.0.42 {
}
}
route x.x.247.0/24 {
next-hop x.x.252.62 {
}
}
route x.x.248.0/24 {
next-hop x.x.252.66 {
}
}
route x.x.249.0/24 {
next-hop x.x.252.50 {
}
}
route x.x.250.0/24 {
next-hop x.x.0.242 {
}
}
route x.x.251.0/24 {
next-hop x.x.0.209 {
}
}
route x.x.252.0/24 {
next-hop x.x.0.254 {
}
}
route x.x.253.0/24 {
next-hop x.x.252.54 {
}
}
route x.x.254.0/24 {
next-hop x.x.252.58 {
}
}
route 145.228.0.0/16 {
next-hop x.x.250.1 {
}
}
route 172.16.0.0/12 {
next-hop x.x.250.1 {
}
}
route 192.168.0.0/16 {
next-hop x.x.250.1 {
}
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth0
listen-on eth2
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
}
ssh {
port 22
protocol-version v2
}
ubnt-discover {
disable
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
gateway-address x.x.1.1
host-name HeadEndRouter
login {
user admin {
authentication {
encrypted-password x
plaintext-password ""
}
level admin
}
user ubnt {
authentication {
encrypted-password x
plaintext-password ""
}
level admin
}
}
name-server x.x.2.55
name-server x.x.3.55
ntp {
server timea.com {
}
server timeb.com {
}
}
offload {
hwnat disable
ipv4 {
forwarding enable
gre enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/New_York
traffic-analysis {
dpi disable
export disable
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes256
hash sha1
}
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
site-to-site {
peer any {
authentication {
mode pre-shared-secret
pre-shared-secret rsecureh
}
connection-type initiate
description Description
ike-group FOO0
ikev2-reauth inherit
local-address x.x.1.50
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.199/32
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.201/32
}
}
tunnel 3 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.202/32
}
}
tunnel 4 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.8/32
}
}
tunnel 5 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.171/32
}
}
tunnel 6 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.172/32
}
}
tunnel 7 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.173/32
}
}
tunnel 8 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.174/32
}
}
tunnel 9 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.198/32
}
remote {
prefix x.x.255.175/32
}
}
}
}
}
}

This is the EdgeRouter Lite Config (Remote)

firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description ""
rule 1 {
action accept
description "Allow Established Connections"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description ""
rule 3 {
action accept
description "Allow Established"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
}
options {
mss-clamp {
interface-type all
mss 1350
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address x.x.248.1/25
description Data
dhcp-options {
client-option 150
default-route update
default-route-distance 210
name-server update
}
duplex auto
speed auto
}
ethernet eth2 {
address x.x.248.129/25
description Voice
duplex auto
speed auto
}
loopback lo {
address x.x.255.175/32
}
tunnel tun0 {
address x.x.252.66/30
description "GRE"
encapsulation gre
local-ip x.x.255.175
mtu 1376
multicast disable
remote-ip x.x.255.198
ttl 255
}
}
protocols {
static {
route 10.0.0.0/8 {
next-hop x.x.252.65 {
}
}
route 172.16.0.0/22 {
next-hop x.x.252.65 {
}
}
route 192.168.0.0/16 {
next-hop x.x.252.65 {
}
}
}
}
service {
dhcp-server {
disabled false
global-parameters "option option-150 code 150 = array of ip-address;"
hostfile-update disable
shared-network-name WORK-DATA {
authoritative disable
subnet x.x.248.0/25 {
default-router x.x.248.1
dns-server x.x.3.55
dns-server x.x.2.55
domain-name domain.com
lease 86400
start x.x.248.50 {
stop x.x.248.127
}
}
}
shared-network-name WORK-VOICE {
authoritative disable
subnet x.x.248.128/25 {
default-router x.x.248.129
dns-server x.x.3.55
dns-server x.x.2.55
domain-name domain.com
lease 86400
start x.x.248.150 {
stop x.x.248.254
}
}
}
use-dnsmasq disable
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description Masquerade
log disable
outbound-interface eth0
protocol all
type masquerade
}
}
ssh {
disable-host-validation
port 22
protocol-version v2
}
}
system {
host-name CHUCK
login {
user admin {
authentication {
encrypted-password x
plaintext-password ""
}
full-name Administrator
level admin
}
}
name-server x.x.2.55
name-server x.x.3.55
ntp {
server timea.com {
}
server timeb.com {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
gre enable
vlan enable
}
ipv6 {
forwarding disable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/New_York
traffic-analysis {
dpi disable
export disable
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group FOO0 {
dead-peer-detection {
action restart
interval 30
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
site-to-site {
peer x.x.1.50 {
authentication {
mode pre-shared-secret
pre-shared-secret xxx
}
connection-type initiate
description "Chuck"
ike-group FOO0
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix x.x.255.175/32
}
remote {
prefix x.x.255.198/32
}
}
}
}
}
}

WOL startup issue...need help!

Hi everyone, so I have an ESXi host running a few VMs and I have successfully figured out how to automatically shut down the host and VMs, but I am having a problem with creating a task via task-scheduler on the EdgeMax Lite router. I know this script works because I had previously used it to turn on my xpenology server (192.168.1.119) and it ran on time every day.

I have used the following WOL script provided by member Zfa:

#!/bin/sh
# Wake any device contained in config.boot by specifying hostname or IP

if [ -z "$1" ]; then
#  echo -e "\nIssue Wake-on-lan to devices configured in config.boot\n"
#  echo -e "Usage: ${0} <hostname|ip address>\n\nAvailable hosts:\n"
#  awk '$1=="static-mapping" {print "\t"$2}' /config/config.boot | sort -u
#  exit 0
  HOST="192.168.1.117"
else
  HOST=${1}
fi

MAC_ADDR=`grep -i -A2 -B1 -e "static-mapping ${HOST} " -e "ip-address ${HOST}\$" /config/config.boot | awk '$1=="mac-address" {print $2}'`

if [ -z "${MAC_ADDR}" ]; then
  echo -e "\nNo MAC found in config.boot, nothing to wake.\n\nAvailable hosts:\n"
  awk '$1=="static-mapping" {print "\t"$2}' /config/config.boot | sort -u
else
  MAPPING=`grep -i -A2 -B1 -e "static-mapping ${HOST} " -e "ip-address ${HOST}\$" /config/config.boot | awk '$1=="static-mapping" {print $2}'`
  IP_ADDR=`grep -i -A2 -B1 -e "static-mapping ${HOST} " -e "ip-address ${HOST}\$" /config/config.boot | awk '$1=="ip-address" {print $2}'`
  BROADCAST_ADDR=`echo "${IP_ADDR}" | sed 's/\.[0-9]*$/.255/'`
  echo -e "\nHOST\t\t${MAPPING}\nIP\t\t${IP_ADDR}\nMAC\t\t${MAC_ADDR}\nBROADCAST\t${BROADCAST_ADDR}\n"
  /usr/bin/wakeonlan -p 7 -i ${BROADCAST_ADDR} ${MAC_ADDR}
fi

exit 0

I have set up my task-scheduler with the following:

configure
set system task-scheduler task wake-NAS crontab-spec "30 06 * * *"
set system task-scheduler task wake-NAS executable path /config/scripts/wol.sh
commit
save
exit

My ESXi host IP is 192.168.1.117, but when I run the test command:

/config/scripts/wol.sh 192.168.1.117

Running the above test command results in:

Host: ESXI
IP: 192.168.1.117
MAC: assigned to the above IP (don't remember)
BROADCAST ADDRESS: 192.168.1.255

then it shows sending magic packets to 192.168.1.255:7 with the MAC address.

But nothing happens, it just stands there; my ESXi doesn't turn on.

Why is the broadcast with .255? That doesn't seem right??? Do I have to port forward 192.168.1.255 with port 7?

Any help to get this resolved would be great.

Thanks
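
What the script is actually sending, as an added Python example that is not Zfa's wol.sh or anything else from the post: it builds the magic packet the wakeonlan tool emits, derives the directed broadcast from the host's prefix rather than assuming a /24, and sends it as a UDP broadcast to port 7. The MAC address is a constructed sample value.

```python
import ipaddress
import re
import socket

# Wake-on-LAN helpers: build the magic packet the wakeonlan tool sends and
# work out the directed broadcast address for the sleeping host's subnet.
# Added example, not Zfa's wol.sh; the MAC below is a constructed sample value.

# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff
MAC_RE = re.compile(r"^" + r"[:-]?".join([r"([0-9A-Fa-f]{2})"] * 6) + r"$")


def parse_mac(mac: str) -> bytes:
    """Return the six raw bytes of a MAC address given in any common notation."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in m.groups())


def magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes).

    The NIC wakes on this byte pattern alone: there is no authentication, so
    any host that can reach the broadcast domain can wake the machine.
    """
    return b"\xff" * 6 + parse_mac(mac) * 16


def broadcast_address(ip: str, prefix_len: int) -> str:
    """Directed broadcast of the subnet containing ip/prefix_len.

    wol.sh rewrites the last octet to 255, which is only correct for a /24:
    192.168.1.117/24 gives .255, but the same host on a /25 would need .127.
    """
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.broadcast_address)


def send_magic_packet(mac: str, broadcast: str, port: int = 7) -> int:
    """Send the magic packet as a UDP broadcast and return the bytes sent.

    The packet only has to reach the host's L2 segment, which the router is
    already on; no port forward is involved because nothing crosses the WAN.
    """
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    host_ip = "192.168.1.117"          # the ESXi host from the post
    host_mac = "00:11:22:33:44:55"     # constructed sample value
    target = broadcast_address(host_ip, 24)   # 192.168.1.255, same as wol.sh
    print(f"sending {len(magic_packet(host_mac))}-byte magic packet to {target}:7")
    send_magic_packet(host_mac, target)
```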

Is something going wrong with this log?

Hi guys,

I found this in my auth.log file:

Mar  7 23:17:03 ubnt login[24970]: FAILED LOGIN (5) on '/dev/pts/5' from '[::ffff:85.99.115.202]:56229' FOR 'root', Authentication failure
Mar  7 23:17:03 ubnt login[24970]: TOO MANY LOGIN TRIES (5) on '/dev/pts/5' from '[::ffff:85.99.115.202]:56229' FOR 'root'
Mar  7 23:17:03 ubnt login[24970]: pam_mail(login:session): pam_putenv: delete non-existent entry; MAIL
Mar  7 23:17:03 ubnt login[24985]: FAILED LOGIN (2) on '/dev/pts/0' from '[::ffff:109.103.37.161]:46917' FOR 'root', Authentication failure
Mar  7 23:17:03 ubnt login[24982]: FAILED LOGIN (3) on '/dev/pts/6' from '[::ffff:89.250.145.180]:43237' FOR 'root', Authentication failure
Mar  7 23:17:03 ubnt login[24981]: FAILED LOGIN (3) on '/dev/pts/3' from '[::ffff:91.143.173.62]:42635' FOR 'root', Authentication failure
Mar  7 23:17:03 ubnt login[24985]: pam_securetty(login:auth): access denied: tty '/dev/pts/0' is not secure !
Mar  7 23:17:04 ubnt login[24968]: FAILED LOGIN (5) on '/dev/pts/9' from '[::ffff:207.68.213.252]:38204' FOR 'root', Authentication failure
Mar  7 23:17:04 ubnt login[24968]: TOO MANY LOGIN TRIES (5) on '/dev/pts/9' from '[::ffff:207.68.213.252]:38204' FOR 'root'
Mar  7 23:17:04 ubnt login[24968]: pam_mail(login:session): pam_putenv: delete non-existent entry; MAIL
Mar  7 23:17:04 ubnt login[24987]: FAILED LOGIN (2) on '/dev/pts/2' from '[::ffff:37.70.53.77]:51302' FOR 'root', Authentication failure
Mar  7 23:17:04 ubnt login[24982]: pam_securetty(login:auth): access denied: tty '/dev/pts/6' is not secure !
Mar  7 23:17:04 ubnt login[24981]: pam_securetty(login:auth): access denied: tty '/dev/pts/3' is not secure !
Mar  7 23:17:04 ubnt login[24987]: pam_securetty(login:auth): access denied: tty '/dev/pts/2' is not secure !
Mar  7 23:17:04 ubnt login[24977]: FAILED LOGIN (5) on '/dev/pts/4' from '[::ffff:95.180.112.249]:55710' FOR 'root', Authentication failure
Mar  7 23:17:04 ubnt login[24977]: TOO MANY LOGIN TRIES (5) on '/dev/pts/4' from '[::ffff:95.180.112.249]:55710' FOR 'root'
Mar  7 23:17:04 ubnt login[24977]: pam_mail(login:session): pam_putenv: delete non-existent entry; MAIL
Mar  7 23:17:05 ubnt login[25080]: pam_securetty(login:auth): access denied: tty '/dev/pts/4' is not secure !
Mar  7 23:17:05 ubnt login[24980]: FAILED LOGIN (3) on '/dev/pts/11' from '[::ffff:14.171.218.219]:41257' FOR 'root', Authentication failure
Mar  7 23:17:05 ubnt login[25079]: pam_securetty(login:auth): access denied: tty '/dev/pts/5' is not secure !
Mar  7 23:17:05 ubnt login[24983]: FAILED LOGIN (3) on '/dev/pts/8' from '[::ffff:207.68.213.252]:38440' FOR 'root', Authentication failure
Mar  7 23:17:05 ubnt login[24989]: FAILED LOGIN (2) on '/dev/pts/1' from '[::ffff:72.90.220.146]:46210' FOR 'root', Authentication failure
Mar  7 23:17:05 ubnt login[24978]: FAILED LOGIN (4) on '/dev/pts/10' from '[::ffff:116.104.54.70]:54092' FOR 'root', Authentication failure
Mar  7 23:17:06 ubnt login[24983]: pam_securetty(login:auth): access denied: tty '/dev/pts/8' is not secure !
Mar  7 23:17:06 ubnt login[24989]: pam_securetty(login:auth): access denied: tty '/dev/pts/1' is not secure !
Mar  7 23:17:06 ubnt login[24980]: pam_securetty(login:auth): access denied: tty '/dev/pts/11' is not secure !
Mar  7 23:17:06 ubnt login[25082]: pam_securetty(login:auth): access denied: tty '/dev/pts/7' is not secure !
Mar  7 23:17:06 ubnt login[24985]: FAILED LOGIN (3) on '/dev/pts/0' from '[::ffff:109.103.37.161]:46917' FOR 'root', Authentication failure
Mar  7 23:17:06 ubnt login[24978]: pam_securetty(login:auth): access denied: tty '/dev/pts/10' is not secure !
Mar  7 23:17:06 ubnt login[24982]: FAILED LOGIN (4) on '/dev/pts/6' from '[::ffff:89.250.145.180]:43237' FOR 'root', Authentication failure
Mar  7 23:17:06 ubnt login[24981]: FAILED LOGIN (4) on '/dev/pts/3' from '[::ffff:91.143.173.62]:42635' FOR 'root', Authentication failure
Mar  7 23:17:06 ubnt login[24985]: pam_securetty(login:auth): access denied: tty '/dev/pts/0' is not secure !
Mar  7 23:17:06 ubnt login[24982]: pam_securetty(login:auth): access denied: tty '/dev/pts/6' is not secure !

So is this an attack, or just suspicious activity that affects all routers connected to the net? Is there something to do to better secure my network from these kinds of malicious attempts?

Thanks
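
A defender's pass over lines like these, as an added Python example that is not from the post: it groups the FAILED LOGIN entries by source address and login session so that brute-force sources stand out, and counts the pam_securetty denials. SAMPLE_LOG is constructed in the same format with documentation addresses and made-up pids; the `login[...]` tag marks these as console logins handled by the login program (the path a telnet service takes) rather than sshd.

```python
import re
from collections import defaultdict

# Detection pass over auth.log lines of the form shown above. Added example,
# not from the post: SAMPLE_LOG is constructed in the same format using
# documentation addresses (192.0.2.0/24) and made-up pids.

FAILED_RE = re.compile(
    r"login\[(?P<pid>\d+)\]: FAILED LOGIN \((?P<n>\d+)\) on '[^']+' "
    r"from '\[::ffff:(?P<src>[0-9.]+)\]:\d+' FOR '(?P<user>[^']+)'"
)
LOCKOUT_RE = re.compile(
    r"login\[\d+\]: TOO MANY LOGIN TRIES \(\d+\) on '[^']+' "
    r"from '\[::ffff:(?P<src>[0-9.]+)\]:\d+'"
)
SECURETTY_RE = re.compile(r"pam_securetty\(login:auth\): access denied")

SAMPLE_LOG = """\
Mar  7 23:17:03 ubnt login[31001]: FAILED LOGIN (5) on '/dev/pts/5' from '[::ffff:192.0.2.10]:56229' FOR 'root', Authentication failure
Mar  7 23:17:03 ubnt login[31001]: TOO MANY LOGIN TRIES (5) on '/dev/pts/5' from '[::ffff:192.0.2.10]:56229' FOR 'root'
Mar  7 23:17:03 ubnt login[31001]: pam_mail(login:session): pam_putenv: delete non-existent entry; MAIL
Mar  7 23:17:03 ubnt login[31002]: FAILED LOGIN (2) on '/dev/pts/0' from '[::ffff:192.0.2.20]:46917' FOR 'root', Authentication failure
Mar  7 23:17:03 ubnt login[31002]: pam_securetty(login:auth): access denied: tty '/dev/pts/0' is not secure !
Mar  7 23:17:06 ubnt login[31002]: FAILED LOGIN (3) on '/dev/pts/0' from '[::ffff:192.0.2.20]:46917' FOR 'root', Authentication failure
Mar  7 23:17:06 ubnt login[31002]: pam_securetty(login:auth): access denied: tty '/dev/pts/0' is not secure !
Mar  7 23:17:07 ubnt login[31003]: FAILED LOGIN (1) on '/dev/pts/2' from '[::ffff:192.0.2.30]:40001' FOR 'admin', Authentication failure
Mar  7 23:17:09 ubnt login[31004]: FAILED LOGIN (1) on '/dev/pts/2' from '[::ffff:192.0.2.30]:40002' FOR 'admin', Authentication failure
"""


def summarize(lines, threshold=3):
    """Per-source summary of failed logins.

    The "(N)" in a FAILED LOGIN line is the running failure count of one login
    session (one pid), so a session's attempts are the highest N seen for that
    pid rather than the number of lines: a lone "(5)" line still means five
    failures even when the earlier four fell outside the excerpt.
    """
    per_session = defaultdict(int)          # (src, pid) -> highest N seen
    users = defaultdict(set)                # src -> usernames tried
    locked = set()                          # sources that hit TOO MANY LOGIN TRIES
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            key = (m["src"], m["pid"])
            per_session[key] = max(per_session[key], int(m["n"]))
            users[m["src"]].add(m["user"])
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            locked.add(m["src"])
    report = {}
    for (src, _pid), n in per_session.items():
        entry = report.setdefault(src, {"failed": 0, "sessions": 0})
        entry["failed"] += n
        entry["sessions"] += 1
    for src, entry in report.items():
        entry["users"] = sorted(users[src])
        entry["locked_out"] = src in locked
        entry["brute_force"] = entry["failed"] >= threshold or entry["locked_out"]
    return report


def flagged_sources(lines, threshold=3):
    """Sorted source addresses that look like brute force: candidates for a
    firewall address-group dropped in WAN_LOCAL, or simply a reason to stop
    exposing the login service to the WAN at all."""
    return sorted(src for src, e in summarize(lines, threshold).items() if e["brute_force"])


def securetty_denials(lines):
    """Count 'tty is not secure' lines. pam_securetty refuses root on any tty
    not listed in /etc/securetty (pseudo-terminals here), so the root attempts
    could not have succeeded regardless of password; other usernames get no
    such backstop, which is why attempts against a real admin account matter more."""
    return sum(1 for line in lines if SECURETTY_RE.search(line))


if __name__ == "__main__":
    for src, entry in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(src, entry)
    print("flagged:", flagged_sources(SAMPLE_LOG.splitlines()))
```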

VLAN not working on EdgePro with Dual Wan activated

I'll post my config below; been trying many different options, nothing is sticking. I set up a VLAN, I set up a DHCP server for it, I tag my UniFi controller wireless network with the correct VLAN ID, the devices on that particular wireless network do get assigned the correct IP address from the DHCP server, BUT NO INTERNET CONNECTION. Racking my brain. I've tried manually entering in DNS thinking that would do the trick...it ain't. Also, I have another wireless network with no VLAN that works just fine. In the pictures below, not sure if I need the Student Network, but with my EdgeLites, it worked fine. Here is my config:

firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 100 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.2.141/24
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.3.141/24
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 192.168.50.1/24
description Local
duplex auto
firewall {
in {
modify balance
}
}
speed auto
vif 20 {
address 192.168.5.1/24
description Student
mtu 1500
}
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
duplex auto
speed auto
}
loopback lo {
}
}
load-balance {
group G {
interface eth0 {
}
interface eth1 {
}
lb-local enable
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.2.1 {
}
next-hop 192.168.3.1 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.50.0/24 {
default-router 192.168.50.1
dns-server 192.168.50.1
lease 86400
start 192.168.50.38 {
stop 192.168.50.243
}
}
}
shared-network-name Student {
authoritative disable
subnet 192.168.5.0/24 {
default-router 192.168.5.1
dns-server 75.75.75.75
dns-server 75.75.76.76
lease 86400
start 192.168.5.6 {
stop 192.168.5.245
}
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth2
listen-on eth2.20
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password $6$CFwCZE.pQkRTir$dHe6qSecQhNdzMB4pU7FCf6pKU3.9FsE4Bk739MuQ0N4tPxO2LJJc4zUDdHvR6jESeAc4fWOWj1ezZ/BQVaNt1
}
level admin
}
}
name-server 75.75.75.75
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939098.161214.0733 */

[Attachments: Pic1.png, Pic2.png, Pic3.png, Pic4.png]

Captured this, but it is gibberish to my current knowledge base:

22:52:43.095631 IP 192.168.5.30.46502 > 104.20.37.73.443: Flags [P.], seq 606:654, ack 200, win 237, length 48
22:52:43.108132 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 10125534 ecr 4244781883], length 517
22:52:43.108909 IP 173.194.194.125.443 > 192.168.5.31.50876: Flags [S.], seq 270977306, ack 3623525655, win 42408, options [mss 1380,sackOK,TS val 2446394483 ecr 38900897,nop,wscale 7], length 0
22:52:43.112449 IP 192.168.5.31.50876 > 173.194.194.125.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 38900966 ecr 2446394483], length 0
22:52:43.112650 IP 192.168.5.31.50876 > 173.194.194.125.443: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 38900966 ecr 2446394483], length 72
22:52:43.118644 IP 104.20.37.73.443 > 192.168.5.30.46502: Flags [R], seq 224391573, win 0, length 0
22:52:43.129559 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [.], ack 518, win 340, options [nop,nop,TS val 4244782160 ecr 10125534], length 0
22:52:43.130661 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 1:153, ack 518, win 340, options [nop,nop,TS val 4244782160 ecr 10125534], length 152
22:52:43.136926 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [.], ack 153, win 237, options [nop,nop,TS val 10125537 ecr 4244782160], length 0
22:52:43.139387 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 518:718, ack 153, win 237, options [nop,nop,TS val 10125537 ecr 4244782160], length 200
22:52:43.143713 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 718:763, ack 153, win 237, options [nop,nop,TS val 10125538 ecr 4244782160], length 45
22:52:43.144057 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 763:811, ack 153, win 237, options [nop,nop,TS val 10125538 ecr 4244782160], length 48
22:52:43.144294 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 811:845, ack 153, win 237, options [nop,nop,TS val 10125538 ecr 4244782160], length 34
22:52:43.144984 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 845:2114, ack 153, win 237, options [nop,nop,TS val 10125538 ecr 4244782160], length 1269
22:52:43.182659 IP 173.194.194.125.443 > 192.168.5.31.50876: Flags [.], ack 73, win 332, options [nop,nop,TS val 2446394556 ecr 38900966], length 0
22:52:43.182708 IP 173.194.194.125.443 > 192.168.5.31.50876: Flags [P.], seq 1:80, ack 73, win 332, options [nop,nop,TS val 2446394557 ecr 38900966], length 79
22:52:43.185429 IP 192.168.5.31.50876 > 173.194.194.125.443: Flags [.], ack 80, win 229, options [nop,nop,TS val 38901039 ecr 2446394557], length 0
22:52:43.185480 IP 192.168.5.31.50876 > 173.194.194.125.443: Flags [P.], seq 73:239, ack 80, win 229, options [nop,nop,TS val 38901039 ecr 2446394557], length 166
22:52:43.196014 IP 192.168.5.30.42143 > 74.125.28.189.443: Flags [P.], seq 718:763, ack 235, win 237, options [nop,nop,TS val 1880006 ecr 2724235232], length 45
22:52:43.196708 IP 172.217.6.67.443 > 192.168.5.31.55338: UDP, length 132
22:52:43.196748 IP 172.217.6.67.443 > 192.168.5.31.55338: UDP, length 132
22:52:43.198169 IP 192.168.5.31.55338 > 172.217.6.67.443: UDP, length 48
22:52:43.199119 IP 192.168.5.31.55338 > 172.217.6.67.443: UDP, length 42
22:52:43.224661 IP 172.217.6.67.443 > 192.168.5.31.55338: UDP, length 132
22:52:43.224701 IP 172.217.6.67.443 > 192.168.5.31.55338: UDP, length 132
22:52:43.226836 IP 192.168.5.31.55338 > 172.217.6.67.443: UDP, length 45
22:52:43.438201 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 518:845, ack 153, win 237, options [nop,nop,TS val 10125567 ecr 4244782160], length 327
22:52:43.441415 IP 173.194.202.189.443 > 192.168.5.30.44436: Flags [P.], seq 1122:1186, ack 664, win 437, options [nop,nop,TS val 3403550542 ecr 1879981], length 64
22:52:43.455227 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [.], ack 845, win 365, options [nop,nop,TS val 4244782486 ecr 10125567,nop,nop,sack 1 {718:845}], length 0
22:52:43.455704 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 153:201, ack 845, win 365, options [nop,nop,TS val 4244782487 ecr 10125567], length 48
22:52:43.456659 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 201:235, ack 845, win 365, options [nop,nop,TS val 4244782487 ecr 10125567], length 34
22:52:43.456700 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 235:265, ack 845, win 365, options [nop,nop,TS val 4244782487 ecr 10125567], length 30
22:52:43.456849 IP 192.168.5.31.50876 > 173.194.194.125.443: Flags [P.], seq 73:239, ack 80, win 229, options [nop,nop,TS val 38901309 ecr 2446394557], length 166
22:52:43.463510 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 845:2114, ack 153, win 237, options [nop,nop,TS val 10125570 ecr 4244782486], length 1269
22:52:43.463551 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [.], ack 235, win 237, options [nop,nop,TS val 10125570 ecr 4244782487], length 0
22:52:43.463696 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 2114:2144, ack 265, win 237, options [nop,nop,TS val 10125570 ecr 4244782487], length 30
22:52:43.487187 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [.], ack 2144, win 385, options [nop,nop,TS val 4244782518 ecr 10125570], length 0
22:52:43.535614 IP 173.194.194.125.443 > 192.168.5.31.50876: Flags [R], seq 270977386, win 0, length 0
22:52:43.547735 IP 192.168.5.30.44436 > 173.194.202.189.443: Flags [.], ack 1078, win 332, options [nop,nop,TS val 1880041 ecr 3403549743,nop,nop,sack 1 {1122:1186}], length 0
22:52:43.595011 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 265:572, ack 2144, win 385, options [nop,nop,TS val 4244782625 ecr 10125570], length 307
22:52:43.595054 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 572:656, ack 2144, win 385, options [nop,nop,TS val 4244782625 ecr 10125570], length 84
22:52:43.595091 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [P.], seq 656:694, ack 2144, win 385, options [nop,nop,TS val 4244782625 ecr 10125570], length 38
22:52:43.603720 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [.], ack 694, win 245, options [nop,nop,TS val 10125584 ecr 4244782625], length 0
22:52:43.613439 IP 192.168.5.29.48850 > 172.217.6.78.443: Flags [P.], seq 2144:2182, ack 694, win 245, options [nop,nop,TS val 10125585 ecr 4244782625], length 38
22:52:43.640504 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [S], seq 3998586558, win 29200, options [mss 1460,sackOK,TS val 10125587 ecr 0,nop,wscale 7], length 0
22:52:43.670633 IP 172.217.6.78.443 > 192.168.5.29.48850: Flags [.], ack 2182, win 385, options [nop,nop,TS val 4244782701 ecr 10125585], length 0
22:52:43.686629 IP 173.194.202.189.443 > 192.168.5.29.54779: Flags [S.], seq 2383269232, ack 3998586559, win 42408, options [mss 1380,sackOK,TS val 3372895253 ecr 10125587,nop,wscale 7], length 0
22:52:43.690081 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 10125592 ecr 3372895253], length 0
22:52:43.691243 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 10125593 ecr 3372895253], length 517
22:52:43.715986 IP 192.168.5.30.42143 > 74.125.28.189.443: Flags [P.], seq 718:763, ack 235, win 237, options [nop,nop,TS val 1880058 ecr 2724235232], length 45
22:52:43.739247 IP 173.194.202.189.443 > 192.168.5.29.54779: Flags [.], ack 518, win 340, options [nop,nop,TS val 3372895306 ecr 10125593], length 0
22:52:43.741357 IP 173.194.202.189.443 > 192.168.5.29.54779: Flags [P.], seq 1:149, ack 518, win 340, options [nop,nop,TS val 3372895306 ecr 10125593], length 148
22:52:43.747822 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [.], ack 149, win 237, options [nop,nop,TS val 10125598 ecr 3372895306], length 0
22:52:43.748507 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [P.], seq 518:561, ack 149, win 237, options [nop,nop,TS val 10125598 ecr 3372895306], length 43
22:52:43.761606 IP 74.125.28.189.443 > 192.168.5.30.42143: Flags [R], seq 3076660574, win 0, length 0
22:52:43.779689 IP 192.168.5.30.42144 > 74.125.28.189.443: Flags [S], seq 2183376822, win 29200, options [mss 1460,sackOK,TS val 1880064 ecr 0,nop,wscale 7], length 0
22:52:43.779784 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [P.], seq 561:606, ack 149, win 237, options [nop,nop,TS val 10125601 ecr 3372895306], length 45
22:52:43.780069 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [P.], seq 606:1321, ack 149, win 237, options [nop,nop,TS val 10125601 ecr 3372895306], length 715
22:52:43.825577 IP 74.125.28.189.443 > 192.168.5.30.42144: Flags [S.], seq 1848833146, ack 2183376823, win 42540, options [mss 1430,sackOK,TS val 2558981926 ecr 1880064,nop,wscale 7], length 0
22:52:43.832667 IP 192.168.5.30.42144 > 74.125.28.189.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1880070 ecr 2558981926], length 0
22:52:43.833188 IP 192.168.5.30.42144 > 74.125.28.189.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 1880070 ecr 2558981926], length 517
22:52:43.877101 IP 192.168.5.29.54779 > 173.194.202.189.443: Flags [P.], seq 606:1321, ack 149, win 237, options [nop,nop,TS val 10125611 ecr 3372895306], length 715
22:52:43.878632 IP 74.125.28.189.443 > 192.168.5.30.42144: Flags [.], ack 518, win 341, options [nop,nop,TS val 2558981981 ecr 1880070], length 0
22:52:43.879397 IP 74.125.28.189.443 > 192.168.5.30.42144: Flags [P.], seq 1:153, ack 518, win 341, options [nop,nop,TS val 2558981981 ecr 1880070], length 152
22:52:43.885981 IP 192.168.5.30.42

QoS (Shaper) kills my config

Hopped on here a while ago trying to figure out how to prioritize devices so I could give priority to some IP phones and left that idea to use the shaper instead as shown here.

To be fair I don't fully understand what the shaper stuff is or how it works, but I figured if I followed the tutorial it should work. I made a few slight changes to personalize.

Changes:

1) eth2 is my LAN instead of eth1

2) the bandwidth is slightly less than the demo assumes so I altered the 5000k and 1000k to 4000k and 700k

3) The phones tag with 46 and 52 instead of 46 and 24 for voice and SIP respectively so I altered that

Otherwise I think I followed it perfectly and whenever I add the below config, as soon as I reboot I can't access the router through any port, whether with DHCP or with a static IP (tried a couple of different IPs that should be in the subnet the router is using).

If it matters, I'm trying to get all the kinks out prior to deployment so there's nothing plugged into the router except the laptop for config work.

Existing config is fairly simple -

Used the load balance wizard, eth0 is a DSL connection so PPPoE, eth1 set to DHCP but won't be in use immediately.

And then changed/added:

system gateway, timezone, hostname, ntp server, system dns server, couple port forward rules, guest VLAN, couple DHCP servers, and remote access VPN server and necessary firewall exceptions.

Everything works fine with all this config but when I add the below lines, I can't access it.

Help greatly appreciated! Hoping to go live tomorrow..

Thanks!

set traffic-policy shaper DownStream description "DownStream QoS Policy"
set traffic-policy shaper DownStream bandwidth 4000kbit
set traffic-policy shaper DownStream class 10 description "RTP"
set traffic-policy shaper DownStream class 10 bandwidth 25%
set traffic-policy shaper DownStream class 10 ceiling 100%
set traffic-policy shaper DownStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper DownStream class 20 description "SIP"
set traffic-policy shaper DownStream class 20 bandwidth 5%
set traffic-policy shaper DownStream class 20 ceiling 100%
set traffic-policy shaper DownStream class 20 match VOIP-SIP ip dscp 52
set traffic-policy shaper DownStream default bandwidth 70%
set traffic-policy shaper DownStream default ceiling 100%
set traffic-policy shaper UpStream description "UpStream QoS Policy"
set traffic-policy shaper UpStream bandwidth 700kbit
set traffic-policy shaper UpStream class 10 description "RTP"
set traffic-policy shaper UpStream class 10 bandwidth 50%
set traffic-policy shaper UpStream class 10 ceiling 100%
set traffic-policy shaper UpStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper UpStream class 20 description "SIP"
set traffic-policy shaper UpStream class 20 bandwidth 10%
set traffic-policy shaper UpStream class 20 ceiling 100%
set traffic-policy shaper UpStream class 20 match VOIP-SIP ip dscp 52
set traffic-policy shaper UpStream default bandwidth 40%
set traffic-policy shaper UpStream default ceiling 100%
set interfaces ethernet eth2 traffic-policy out DownStream
set interfaces ethernet eth0 traffic-policy out UpStream

Help with routing issue

I'm having a strange routing issue that I need some help with. My main network (a) is 10.0.0.0/24. I have several subnets: (b) 10.1.0.0/24, (c) 10.100.0.0/24, and (d) 10.101.0.0/24. (b) has a static route in (a), while (c) and (d) use RIP. (b), (c) and (d) can communicate with each other, the WAN, and the main router (10.0.0.1), but cannot communicate with any other device in 10.0.0.0/24. Ping works but no HTTP traffic. (b) and (d) are wireless links and I can access the wireless radio's web page only when I'm on the 10.0.0.0/24 network and not on any other network.

This is my config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name switch {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "block dhcp"
            log disable
            protocol udp
            source {
                port 67-68
            }
        }
    }
    name wan_in {
        default-action reject
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name wan_local {
        default-action reject
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description openvpn
            destination {
                port 1194
            }
            log disable
            protocol udp
            source {
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description wan
        duplex auto
        firewall {
            in {
                name wan_in
            }
            local {
                name wan_local
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/auth/vtun0/config.ovpn
    }
    switch switch0 {
        address 10.0.0.1/24
        firewall {
            in {
                name switch
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 2 {
        description "openvpn bridge"
        forward-to {
            address 10.0.0.50
            port 1196
        }
        original-port 1196
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    rip {
        interface switch0
        interface eth1
    }
    static {
        route 10.1.0.0/24 {
            next-hop 10.0.0.50 {
                description b
            }
        }
        route 10.100.0.0/24 {
            next-hop 10.0.0.2 {
                description c
                disable
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name a {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                domain-name a
                lease 86400
                start 10.0.0.100 {
                    stop 10.0.0.199
                }
            }
        }
        use-dnsmasq enable
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-dnsomatic {
                    protocol dyndns2
                    server updates.dnsomatic.com
                }
                web http://myip.dnsomatic.com/
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on vtun0
            options expand-hosts
            options stop-dns-rebind
            options rebind-localhost-ok
            options domain-needed
            options server=/b/10.1.0.1
            options server=/c/10.100.0.1
            options rebind-domain-ok=/c/
            options server=/d/10.101.0.1
            options rebind-domain-ok=/d/
            options dhcp-script=/config/scripts/transform-leases.pl
            options rebind-domain-ok=/b/
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name a
    host-name root
    ip {
        override-hostname-ip 10.0.0.1
    }
    login {
        user admin {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}
traffic-policy {
}

3 site IPsec site to site


Hi All,

 

for starters I am a complete noob when dealing with the CLI

 

Currently using Ver 1.7 as I have had problems using 1.9.

 

I have been trying to set up 2 VPNs (Site A - Site B & Site A - Site C). I can get them running via the CLI, but after about 24 hrs one of the sites goes down.

 

I have tried CLI commands

reset vpn

clear vpn ipsec-peer xxx.xxx.xxx.xxx

 

but none of them bring the site back up

 

Can anyone please let me know what I can try, & if you need any info just let me know how to get it.

 

Thank you

Scotty


IPv6 Source Routing


When you want to perform source routing you would do it via tables (protocols -> static -> tables); however, there only appears to be a 'route' option, not 'route6', meaning it's only supported for IPv4.

 

Does anyone know why this is or if it's just not yet implemented?

 

The 'workaround' is to manually run the commands at the shell, example:

 

# register the table name once (needs root; /etc/iproute2/rt_tables is plain text)
echo "200 mytable" >> /etc/iproute2/rt_tables
# send everything sourced from the LAN prefix to the custom table
ip -6 rule add from 2001:470:beef:101::/64 table mytable
# the default for that table goes over the tunnel
ip -6 route add default via 2001:470:beef:beef::1 dev vtun0 table mytable
# keep the local prefix reachable directly (network prefix, not a host address)
ip -6 route add 2001:470:dead:196::/64 dev eth1.5 table mytable

Given there's v4 support for this via the CLI I see no reason why there shouldn't be for v6, unless of course I'm missing something obvious.
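The shell workaround above only lasts until the next reboot, and the rt_tables entry can also disappear after a firmware upgrade. Below is an added example script, my own and not the poster's nor an EdgeOS feature, that wraps the same three ip(8) commands so they can be re-applied from a boot script; EdgeOS runs executables placed in /config/scripts/post-config.d/ after the configuration has loaded. The table name, prefixes, gateway and interface names are placeholders copied from the post, not a tested site.

```shell
#!/bin/sh
# Added example (not from the original post): persist the IPv6 policy-routing
# workaround across reboots. Drop it in /config/scripts/post-config.d/ on
# EdgeOS and call it with --apply; --dry-run only prints the plan.
# Values below are the placeholders from the post.
TABLE_ID=200
TABLE_NAME=mytable
SRC_PREFIX='2001:470:beef:101::/64'       # traffic selected by source prefix
TUNNEL_GW='2001:470:beef:beef::1'         # next hop reached over the tunnel
TUNNEL_DEV=vtun0
LOCAL_PREFIX='2001:470:dead:196::/64'     # LAN-side prefix (network, not a host address)
LOCAL_DEV=eth1.5

# Emit the ip(8) commands for the source-routing table. Printing them first
# lets you review the plan before touching the kernel.
v6_pbr_commands() {
    echo "ip -6 rule add from $SRC_PREFIX table $TABLE_NAME"
    # LAN prefix first so local traffic never goes over the tunnel
    echo "ip -6 route add $LOCAL_PREFIX dev $LOCAL_DEV table $TABLE_NAME"
    echo "ip -6 route add default via $TUNNEL_GW dev $TUNNEL_DEV table $TABLE_NAME"
}

# Register the table name exactly once; rt_tables is plain text, so check
# before appending. Prints how many matching lines exist afterwards.
ensure_rt_table() {
    rt_tables="${1:-/etc/iproute2/rt_tables}"
    if ! grep -Eq "^$TABLE_ID[[:space:]]+$TABLE_NAME\$" "$rt_tables" 2>/dev/null; then
        echo "$TABLE_ID $TABLE_NAME" >> "$rt_tables"
    fi
    grep -Ec "^$TABLE_ID[[:space:]]+$TABLE_NAME\$" "$rt_tables"
}

# Apply idempotently: "ip ... add" fails on an existing rule or route, so
# clear the rule and the table first instead of accumulating duplicates.
apply_v6_pbr() {
    ensure_rt_table >/dev/null
    ip -6 rule del from "$SRC_PREFIX" table "$TABLE_NAME" 2>/dev/null
    ip -6 route flush table "$TABLE_NAME" 2>/dev/null
    v6_pbr_commands | while read -r cmd; do
        # word-splitting of $cmd is intentional: it is the command line to run
        $cmd || { echo "failed: $cmd" >&2; exit 1; }   # exit leaves the pipeline subshell
    done
}

case "${1:-}" in
    --dry-run) v6_pbr_commands ;;
    --apply)   apply_v6_pbr ;;
esac
```

Order matters in the table: the LAN prefix is installed before the default so that a host in 2001:470:beef:101::/64 talking to the local /64 never gets sent into the tunnel. The rule selects by source prefix only, so anything that can spoof that source from another interface would also be policy-routed; keep source-validation or an ingress filter on the LAN interface if that is a concern.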

 

 

WAN failover doesn't start for upstream fail


Hello guys,

I've deployed in production an 8-port EdgeRouter in a dual-WAN failover scenario.


This is the architecture in summary:

eth0 - RECEPTION LAN
eth1 - VIDEO SURVEILLANCE LAN
eth2 - GUEST LAN
eth3 - MANAGEMENT LAN

 

eth6 - PRIMARY WAN
eth7 - SECONDARY WAN

 

RECEPTION, VIDEO and MANAGEMENT use primary wan pipe and failover-only to secondary wan.

GUEST use secondary wan pipe and failover-only to primary wan.

 

All is working fine, if I unplug eth6 all traffic goes through eth7 and vice versa.

 

The problem is: if the secondary WAN pipe goes down upstream (on the telco modem, for example) and eth7 remains up, the EdgeRouter doesn't initiate the failover and the traffic is dropped.
The "show load-balance watchdog" shows both WAN interfaces as running.

In fact I can even still reach the internet from the secondary WAN: "sudo ping -I 172.16.0.10 google.it"

What did I miss in the config? How can I tell the EdgeRouter to fail over in case of an upstream failure?

Here below is my current config without firewall entries (tell me if you want to see the complete configuration).

Thanks!

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify GUEST.LB.POLICY {
        rule 10 {
            action modify
            modify {
                lb-group GUEST.LB.GROUP
            }
        }
    }
    modify RECEPTION.LB.POLICY {
        rule 10 {
            action modify
            modify {
                lb-group RECEPTION.LB.GROUP
            }
        }
    }

    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.0.10.1/24
        description "RECEPTION LAN"
        duplex auto
        firewall {
            in {
                modify RECEPTION.LB.POLICY
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.20.1/24
        description "CAM LAN"
        duplex auto
        firewall {
            in {
                modify RECEPTION.LB.POLICY
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 10.0.30.1/24
        description "GUEST LAN"
        duplex auto
        firewall {
            in {
                modify GUEST.LB.POLICY
            }
        }
        speed auto
    }
    ethernet eth3 {
        address 10.0.100.1/24
        description "MGMT LAN"
        duplex auto
        firewall {
            in {
                modify RECEPTION.LB.POLICY
            }
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        address 192.168.1.10/24
        description "PRIMARY WAN"
        duplex auto
        speed auto
    }
    ethernet eth7 {
        address 172.16.0.10/24
        description "SECONDARY WAN"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group GUEST.LB.GROUP {
        interface eth6 {
            failover-only
        }
        interface eth7 {
        }
        lb-local enable
    }
    group RECEPTION.LB.GROUP {
        interface eth6 {
        }
        interface eth7 {
            failover-only
        }
        lb-local enable
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.16.0.1 {
            }
            next-hop 192.168.1.1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name CAM.DHCP {
            authoritative enable
            subnet 10.0.20.0/24 {
                default-router 10.0.20.1
                dns-server 10.0.20.1
                lease 3600
                start 10.0.20.100 {
                    stop 10.0.20.254
                }
            }
        }
        shared-network-name GUEST.DHCP {
            authoritative enable
            subnet 10.0.30.0/24 {
                default-router 10.0.30.1
                dns-server 10.0.30.1
                lease 3600
                start 10.0.30.100 {
                    stop 10.0.30.254
                }
            }
        }
        shared-network-name MGMT.DHCP {
            authoritative enable
            subnet 10.0.100.0/24 {
                default-router 10.0.100.1
                dns-server 10.0.100.1
                lease 3600
                start 10.0.100.100 {
                    stop 10.0.100.254
                }
            }
        }
        shared-network-name RECEPTION.DHCP {
            authoritative enable
            subnet 10.0.10.0/24 {
                default-router 10.0.10.1
                dns-server 10.0.10.1
                lease 3600
                start 10.0.10.100 {
                    stop 10.0.10.254
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            listen-on eth2
            listen-on eth3
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 10 {
            description "port forward to vpn server"
            inbound-interface eth6
            inside-address {
                address 10.0.100.25
                port xxxxx
            }
            protocol tcp
            type destination
        }
        rule 20 {
            description "port forward to openvpn"
            inbound-interface eth6
            inside-address {
                address 10.0.100.25
                port xxxxx
            }
            protocol udp
            type destination
        }
        rule 30 {
            description "port forward to nvr"
            inbound-interface eth6
            inside-address {
                address 10.0.100.15
                port xxxxx
            }
            protocol tcp
            type destination
        }
        rule 5010 {
            description "Masquerade Nat for Telecom WAN1"
            outbound-interface eth6
            type masquerade
        }
        rule 5020 {
            description "Masquerade Nat for Fastweb WAN2"
            outbound-interface eth7
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name edge

    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }

}
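Neither load-balance group member in the config above carries a route-test, so the watchdog only has link state to go on, which is why an upstream failure with the Ethernet link still up never triggers failover. Below is an added example script, written by me and not part of the poster's configuration or Ubiquiti's code, that emits and applies the route-test commands for both groups through the EdgeOS config wrapper. The ping targets, interval and counts are assumptions to tune per site; the group and interface names are the ones from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): give every WAN member of both
# load-balance groups a route-test, so the watchdog judges the upstream path,
# not just link state. Run on the router as "--apply"; without arguments it
# prints nothing and only defines the functions.
WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper   # EdgeOS config-mode scripting entry point

# Commands that make group $1 probe interface $2 against target $3.
# After "count failure" consecutive misses the interface is marked failed and
# traffic moves to the other member even though the link stays up; "count
# success" hits are needed before it is trusted again, which damps flapping.
route_test_cmds() {
    group=$1 iface=$2 target=$3
    cat <<EOF
set load-balance group $group interface $iface route-test type ping target $target
set load-balance group $group interface $iface route-test interval 5
set load-balance group $group interface $iface route-test count failure 3
set load-balance group $group interface $iface route-test count success 3
EOF
}

# Both groups contain both WANs, so each group needs a probe on each member.
# A different target per WAN (assumed values) keeps one blocked ICMP
# destination, or one remote outage, from marking both links failed at once.
failover_config() {
    for group in RECEPTION.LB.GROUP GUEST.LB.GROUP; do
        route_test_cmds "$group" eth6 8.8.8.8
        route_test_cmds "$group" eth7 1.1.1.1
    done
}

apply_config() {
    $WRAPPER begin
    # word-splitting of $line is intentional: each line is one "set ..." command
    failover_config | while read -r line; do $WRAPPER $line; done
    $WRAPPER commit && $WRAPPER save
    $WRAPPER end
}

case "${1:-}" in
    --apply) apply_config ;;
esac
```

The probe has to cross the segment that actually fails: a target behind the modem proves nothing about the telco side. The same applies in reverse: if `ping -I 172.16.0.10 google.it` genuinely still succeeds during the outage, the watchdog is right to keep eth7 active, and the fault is somewhere other than reachability. The probe packets leave with the WAN interface's own address, so the masquerade rules do not interfere with them.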

How to detect when default route to internet is not reachable and redirect via OSPF


Hello community,

 

I have a question about OSPF.

 

I have two EdgeRouters; they are running OSPF.

In both routers I have internet access and I've distributed the default routes in both, but OSPF only acts when the link state is disconnected.

 

The question is: how can I use the alternative internet route (the default route to the internet of the second router) when the link state is connected but the service is not available?

 

 

Thanks for your time.
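OSPF withdraws a default learned through `default-information originate` (without `always`) as soon as the originating router no longer has a default route in its own routing table, so the trick is to make the static default's presence depend on a probe instead of on link state. Below is an added example, my own script and not the poster's or Ubiquiti's code, that pings out of the WAN interface and disables or re-enables the static next-hop accordingly. The interface, gateway, probe targets and threshold are assumptions; it is meant to run as root every minute from the EdgeOS task-scheduler.

```shell
#!/bin/sh
# Added example (not from the original post): withdraw this router's static
# default route while its upstream is unreachable, and restore it when the
# probe recovers. Because "default-information originate" only advertises a
# default that exists in the routing table, the area then falls back to the
# other router's default. All values below are assumptions for one site;
# schedule with:
#   set system task-scheduler task upstream-probe interval 1m
#   set system task-scheduler task upstream-probe executable path /config/scripts/upstream-probe.sh
#   set system task-scheduler task upstream-probe executable arguments --run
WAN_IF=eth0
WAN_GW=203.0.113.1
TARGETS="8.8.8.8 1.1.1.1"      # several targets: one blocked host must not look like an outage
FAIL_THRESHOLD=3               # consecutive failed runs before withdrawing (hysteresis)
STATE=/var/run/upstream-probe.fails
WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

# Probe out of the WAN interface only (-I), so a reply cannot sneak back via
# the OSPF default learned from the other router and mask the outage.
upstream_ok() {
    for t in $TARGETS; do
        ping -I "$WAN_IF" -c 2 -W 2 "$t" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Pure decision function: probe (up|down), route present (yes|no), consecutive
# failures so far. Prints withdraw, restore or noop. Kept free of side effects
# so it can be tested without a router.
decide() {
    probe=$1 present=$2 fails=$3
    if [ "$probe" = down ] && [ "$present" = yes ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        echo withdraw
    elif [ "$probe" = up ] && [ "$present" = no ]; then
        echo restore
    else
        echo noop
    fi
}

# Toggle the "disable" leaf on the next-hop rather than deleting the route,
# and never "save": the on-disk config keeps the route, so a reboot starts
# with the default in place and the probe takes over from there.
set_route_disabled() {
    $WRAPPER begin
    $WRAPPER "$1" protocols static route 0.0.0.0/0 next-hop "$WAN_GW" disable
    $WRAPPER commit
    $WRAPPER end
}

run_once() {
    if upstream_ok; then probe=up; else probe=down; fi
    fails=$(cat "$STATE" 2>/dev/null || echo 0)
    if [ "$probe" = down ]; then fails=$((fails + 1)); else fails=0; fi
    echo "$fails" > "$STATE"
    # presence is read from the kernel table, which is what OSPF also sees
    if ip route show default via "$WAN_GW" dev "$WAN_IF" 2>/dev/null | grep -q .; then
        present=yes
    else
        present=no
    fi
    case "$(decide "$probe" "$present" "$fails")" in
        withdraw)
            logger -t upstream-probe "upstream via $WAN_IF down, withdrawing default"
            set_route_disabled set ;;
        restore)
            logger -t upstream-probe "upstream via $WAN_IF back, restoring default"
            set_route_disabled delete ;;
    esac
}

case "${1:-}" in
    --run) run_once ;;
esac
```

The threshold is the important knob: with a one-minute interval and FAIL_THRESHOLD=3 a transient loss of a single target never flaps the area's default, while restore happens on the first good probe so recovery is quick. If both routers run this, each needs its own probe targets and gateway, and neither should ever use the other's advertised default as its probe path, which is what the `-I` binding enforces.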

ER-X 1 WAN and 3 Separate LAN


Hi All,

 

I have recently started pushing in the ER-X to clients and it has worked fantastically well with the Smart QOS and one LAN on Eth1 and Switch0 on Eth2,3 and 4. With a PPPoE on Eth0. I know it is a little overkill to use it just for having two individual networks and splitting the internet speeds between them, but hey it works. 

 

Now I have a client that has one fiber PPPoE connection and he wants it split to three offices (all on one plot but in separate buildings), and he needs the internet speed divided equally between them. This has me stumped.

 

My question is, can I have a configuration where I have, say, eth0 as PPPoE, eth1 as Office 1, eth2 as Office 2 and eth3 as Office 3, where each office gets a separate DHCP (office 1 gets 10.0.0.0, office 2 gets 10.0.1.0 and office 3 gets 10.0.2.0) and they can all access the PPPoE connection with speeds controlled by the Smart QoS? And how do I go about doing this on the device?

 

Thanks so much in advance

Help With QOS for VOIP


Hi,

 

I'm a newbie to Quality of Service and I'm looking to define a set of rules for our Aircall app. https://aircall.groovehq.com/knowledge_base/topics/are-there-specific-ports-to-prioritize-in-order-to-get-the-best-call-quality


The thing is (without entering the CLI) I have tried to set the QoS rules through the management interface but have so far been unsuccessful. Mostly it's because I cannot find a way to select a set of ports (in the basic queue screen, when picking the application, I haven't found a way to define my own application, and custom application appears as disabled). Is there any way I can access the list of applications and add my own or edit one in order to introduce the ports needed? I know it's very basic, but I can't find a way to do it without using the CLI.

 

If not, and there is no way to define your own application, would it be possible to prioritize the traffic from one of the interfaces? (For example, let all traffic from eth1 have higher priority than the rest of the interfaces.)

 

Thanks a lot,

 

Miguel. 

 
