Channel: EdgeRouter topics
Viewing all 20028 articles

ERlite3 - Setup router/firewall (only) mode for public /24 net? no NAT wanted

Hello,

I've got a dorm with ~150 students. The university is the internet provider and put a (I believe it is a router) device in. Fibre goes in, ethernet comes out.

So far, DHCP was enabled and giving out public IP addresses to the students.

The leases looked like 141.x.y.z/24 where z started at 20 and goes up to probably 254, GW is 141.x.y.1

So, in effect, the dorm has ~250 IP addresses from 141.x.y.1 to 141.x.y.254 while the router is 141.x.y.1

The university might cooperate when I approach them about changes being needed, but they will not enable any firewalling or give anyone access to the router.

Now, management wants the ability to block certain ports (p2p), see if someone is using too much bandwidth and/or the ability to temporarily block internet access for any device. Oh and of course, it needs to be cheap. So I found this sounds like a job for the EdgeRouter Lite...

I put it behind the university router.

eth0 = WAN, 141.x.y.2
eth1 = students
eth2 = management (more on that later), 192.168.50.x/24

If I could/would give the students on eth1 a private network like 192.168.20.x/24, I would be done. But, and I admit, it makes some sense... If any student is misbehaving and a letter comes in with an IP address, management would like to see who is responsible. Using private IPs and NAT for the students would take that away, since all traffic would originate from the ERLite eth0 141.x.y.2.

Therefore I would like to keep the public IPs for my students. And I tried with static routes. I realised before I did it that it probably will be hard, if not impossible, to do, because I will have the same subnet (141.x.y.0/24) on two interfaces.

For now, I set it up with subnetting, so at the moment..

eth0 = 141.x.y.2/30 with gw 141.x.y.1
eth1 = 141.x.y.254/2, net 141.x.y.128/29 and DHCP giving out 129-253
eth2 = 192.168.50.1/24 management (still more later)

It works, but it wastes over 100 addresses that I would actually need since it's more than 150 students. Granted, it is unlikely they all will be online at the same time, but then again, some may have more than one device. And leases do not get deleted the second someone goes offline. And and and - it's not pretty enough.

Now, I realise this may be silly and I am a noob. I admit, I am not a network technician, and I especially never did work with real routing protocols or public IP addresses. I can usually set up simple static routes. And the private address range is big, so I never had to really dive deep into this.

But now, now I am a bit out of my depth.

So, my question...

How can I get my students on eth1 to use 141.x.y.z/24 when the upstream gateway is on eth0 with 141.x.y.1 without losing the DPI or firewall possibilities?

I don't need NAT.
I may be able to speak with the university to give me 141.x.y.z/23.

How is it done in real life? I can not imagine every router on the internet burns a number of IP addresses.
I can feel I am missing something, but what...?!

Ah almost forgot. In fact, edit...
The management interface. Management wants to access the ERLite3 web interface to do stuff. They operate on a different network and use a different ISP. And they, surprise surprise, do not want to use a student's computer or run into the cellar and plug in a cable. So I will use eth2, give it an IP in the other network, connect it to the other network and disable DHCP/DNS for eth2. So the web interface can be accessed via eth2, but the ERLite3 won't be the gateway for that network... this is NOT a problem...

Thanks in advance

Catwiesel


OpenVPN through ssh - local DNS resolution via dnsmasq not working

Hi there,

I set up my own private network with the ER-X in a computer lab in my university. Due to firewall restrictions I'm only able to use ssh to connect to an internal server. So I thought I could set up OpenVPN on my ER-X and bind its port to a local one through ssh:

ssh -L 1194:my-erx-ip:1194 me@lab-server

This works fine and I can initiate the OpenVPN tunnel through ssh.

I also set up dnsmasq as my DHCP and DNS forwarder which lets me resolve my static mapped hosts. This works fine if I'm in the lab and connected to the ER-X.

Now if I start an OpenVPN connection I can connect, ping etc. to my hosts via IP address but the local DNS resolving does not work anymore.

I played with all sorts of options like changing OpenVPN from tun to tap mode, pushing OpenVPN options to the client ("--push route-gateway", "--push dhcp-option <DOMAIN,DNS,SEARCH>" etc.) but nothing leads to a working DNS resolution.

Here is my latest OpenVPN config:

    openvpn vtun0 {
        description openvpn
        encryption aes256
        hash sha256
        mode server
        openvpn-option "--tls-auth /config/auth/ta.key 0"
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        openvpn-option --comp-lzo
        openvpn-option "--verb 1"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option "--push dhcp-option DOMAIN my-setup.local"
        openvpn-option "--push dhcp-option DNS 192.168.10.1"
        openvpn-option "--push dhcp-option SEARCH my-setup.local"
        openvpn-option "--push route-gateway 192.168.10.1"
        protocol tcp-passive
        server {
            client my-client.my-setup.local {
                ip 10.66.77.88
            }
            name-server 192.168.10.1
            push-route 192.168.10.0/24
            push-route 192.168.3.0/24
            subnet 10.66.77.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/host.pem
            dh-file /config/auth/dhp.pem
            key-file /config/auth/host_nopass.key
        }
    }

 

Here is my DHCP and DNS config:

 

    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DMZ {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.100 {
                    stop 192.168.3.254
                }
                static-mapping srv1 {
                    ip-address 192.168.3.110
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping srv2 {
                    ip-address 192.168.3.120
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping srv3 {
                    ip-address 192.168.3.130
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name MGMT {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name my-setup.local
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.254
                }
                static-mapping my-client {
                    ip-address 192.168.10.100
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 400
            listen-on eth3
            listen-on br0
            listen-on vtun0
            name-server 141.62.1.20
            name-server 8.8.8.8
        }
    }

 

And my system config section:

    system {
        domain-name my-setup.local
        host-name erx
        .
        .
        .
        name-server 127.0.0.1
        .
        .
        .
        static-host-mapping {
            host-name erx.my-setup.local {
                inet 192.168.10.1
            }
        }
    }


All my zone firewalls seem to be in place correctly. I just wanted to ask you for general hints before posting the firewall rules. Am I missing something obvious in understanding how the local dns resolution works or is there even the possibility that this cannot possibly work under my circumstances (openvpn through ssh)?

I'm grateful for any help!
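To separate "dnsmasq on the router does not answer over the tunnel" from "the client never applied the pushed DNS server", it helps to send a query straight to 192.168.10.1 without going through the client's resolver configuration at all. The following is an added example and not code from the post above: a minimal RFC 1035 A-record client in Python. The server address, the name srv1.my-setup.local and the hand-built response are assumptions taken from the posted configuration; the response is constructed so the parser can be exercised offline.

```python
import socket
import struct

# Assumption from the post: dnsmasq on the ER-X answers at 192.168.10.1 and the
# static host srv1 lives in my-setup.local at 192.168.3.110.
DNS_SERVER = "192.168.10.1"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursive (RD=1) A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, off: int):
    """Decode a (possibly compressed) name at `off`; return (name, next offset)."""
    labels = []
    end = None
    jumped = False
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(data: bytes):
    """Return (rcode, [(name, type, ttl, rdata)]) from a DNS response packet."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype in (5, 12):  # CNAME / PTR carry a name
            value, _ = _read_name(data, off - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return rcode, answers


def resolve(name: str, server: str = DNS_SERVER, timeout: float = 2.0):
    """Query `server` directly over UDP/53, bypassing the OS resolver settings."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def constructed_response() -> bytes:
    """Constructed sample: the answer dnsmasq would give for srv1.my-setup.local."""
    q = build_query("srv1.my-setup.local")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = (b"\xc0\x0c"                                  # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)        # A, IN, TTL 300, 4 bytes
              + socket.inet_aton("192.168.3.110"))
    return header + q[12:] + answer


if __name__ == "__main__":
    print(parse_response(constructed_response()))
    # From a VPN client: print(resolve("srv1.my-setup.local"))
```

If `resolve()` answers from the tunnel but `ping srv1` on the client still fails, the pushed `dhcp-option` lines are not being applied by the client (on Linux the OpenVPN client only does so with an `up` script such as update-resolv-conf); if `resolve()` times out, the problem is on the path to dnsmasq (route to 192.168.10.1, the `listen-on vtun0` line, or the zone firewall on vtun0).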

InterVLAN Issue

I've been reading the forums for inter-VLAN routing but I am just not sure why it isn't working properly. I am able to ping the VLAN gateway but not the clients on the VLAN. I played with firewall rules but I never did get it to work. I noticed under "Routing" the VLANs don't have hops? So I am not sure if that has something to do with it or not. At this moment in time, I don't care about blocking inter-VLAN traffic, I need to get it working. I have WAN > eth0 on the ER, eth1 to a switch. 192.168.10.10 is the router IP (don't ask why it's like that). 192.168.3.1 is the VLAN gateway, and I have a domain controller on 192.168.10.1 serving DHCP to VLAN 3 (this works).

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "from the internet, through the router, and onward to your LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "from the internet to your router (192.168.10.10, no further)"
        rule 10 {
            action accept
            description "Allow Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description Gre
            log disable
            protocol gre
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action accept
            description Esp
            log disable
            protocol esp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 40 {
            action accept
            description L2TP
            log disable
            protocol l2tp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 50 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "from lan going into eth1 through router to WAN"
        rule 1 {
            action accept
            description "Allow SMTP trusted host"
            destination {
                port 25
            }
            log disable
            protocol tcp
            source {
                address 192.168.10.8
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 2 {
            action drop
            description "Deny SMTP not trusted"
            destination {
                port 25
            }
            log enable
            protocol tcp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 68.68.68.68/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
            }
        }
        mac E0:5F:B9:0B:D8:B1
        speed auto
    }
    ethernet eth1 {
        address 192.168.10.10/24
        description Local
        duplex auto
        firewall {
            in {
                name WAN_OUT
            }
        }
        speed auto
        vif 3 {
            address 192.168.3.1/24
            mtu 1500
        }
    }
    ethernet eth2 {
        description Video
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description VoIP
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Corporate
        duplex auto
        speed auto
    }
    ethernet eth5 {
        description Guest
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    lan-interface eth1.3
    rule 1 {}
    rule 2 {}
    rule 3 {}
    rule 4 {}
    rule 5 {}
    wan-interface eth0
}
service {
    dhcp-relay {
        interface eth1.3
        interface eth1
        server 192.168.10.1
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on eth1.3
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description GRE
            inbound-interface eth0
            inside-address {
                address 192.168.10.1
            }
            log disable
            protocol gre
            type destination
        }
        rule 2 {
            description L2TP
            inbound-interface eth0
            inside-address {
                address 192.168.10.1
            }
            log disable
            protocol l2tp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    snmp {
        community public {
            authorization ro
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 68.68.68.68
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password bghfghf
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    name-server 24.24.24.24
    name-server 24.24.24.24
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        custom-category Spotify {
            name QUIC
        }
        dpi disable
        export disable
    }
}
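When inter-VLAN traffic is unexpectedly blocked or allowed, the first thing to check is which ruleset (if any) is attached in each direction of each interface and VLAN sub-interface, and what that ruleset's default action is. As an added example, not code from the post or from Ubiquiti, here is a small Python parser for the EdgeOS brace-style configuration that produces exactly that report. The embedded sample is a trimmed copy of the configuration posted above; the function names are my own.

```python
# Trimmed from the configuration in the post above (constructed sample).
SAMPLE_CONFIG = """
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
    }
    name WAN_OUT {
        default-action accept
        description "from lan going into eth1 through router to WAN"
    }
}
interfaces {
    ethernet eth0 {
        address 68.68.68.68/24
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
            }
        }
    }
    ethernet eth1 {
        address 192.168.10.10/24
        firewall {
            in {
                name WAN_OUT
            }
        }
        vif 3 {
            address 192.168.3.1/24
        }
    }
    ethernet eth2 {
        description Video
    }
}
"""


def parse_config(text):
    """Parse EdgeOS/Vyatta brace config into nested dicts.

    `key value` lines become {key: value}; a key repeated at one level becomes a
    list; `foo {}` (as in the post's empty port-forward rules) becomes {foo: {}}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
            continue
        if line.endswith("{}"):
            stack[-1].setdefault(line[:-2].strip(), {})
            continue
        if line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else None
        node = stack[-1]
        if key not in node:
            node[key] = value
        elif isinstance(node[key], list):
            node[key].append(value)
        else:
            node[key] = [node[key], value]
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def firewall_attachments(cfg):
    """Return (interface, direction, ruleset or None, default-action or None) rows."""
    fw_cfg = cfg.get("firewall", {})
    rulesets = {k.split(None, 1)[1]: v for k, v in fw_cfg.items()
                if k.startswith("name ") and isinstance(v, dict)}
    rows = []
    for key, node in cfg.get("interfaces", {}).items():
        if not key.startswith("ethernet ") or not isinstance(node, dict):
            continue
        ifname = key.split()[1]
        targets = [(ifname, node)]
        for sub, subnode in node.items():  # VLAN sub-interfaces: eth1.3 etc.
            if sub.startswith("vif ") and isinstance(subnode, dict):
                targets.append(("%s.%s" % (ifname, sub.split()[1]), subnode))
        for name, n in targets:
            fw = n.get("firewall")
            fw = fw if isinstance(fw, dict) else {}
            for direction in ("in", "local", "out"):
                d = fw.get(direction)
                rs = d.get("name") if isinstance(d, dict) else None
                default = rulesets.get(rs, {}).get("default-action") if rs else None
                rows.append((name, direction, rs, default))
    return rows


def unfiltered_interfaces(cfg):
    """Interfaces (including VLAN sub-interfaces) with no ruleset in any direction."""
    seen = {}
    for name, _, rs, _ in firewall_attachments(cfg):
        seen[name] = seen.get(name, False) or rs is not None
    return sorted(n for n, has_rules in seen.items() if not has_rules)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for row in firewall_attachments(cfg):
        print("%-8s %-6s %-10s default=%s" % row)
    print("no ruleset at all:", unfiltered_interfaces(cfg))
```

On the posted configuration the report shows eth1.3 and eth2 with no ruleset in any direction and eth1's `in` direction carrying WAN_OUT, whose default action is accept, so the firewall is not what stops eth1.3 clients from answering; that points at the clients' own default gateway and host firewalls rather than the router. To run it against a live device, feed it the output of `show configuration` instead of `SAMPLE_CONFIG`.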

EdgeOS Blacklist script


Hi all,

 

I'd like to contribute a script I've been using on my ERX

 

  • Supports IPv4 and IPv6 blacklists - including mixed lists
  • Works with most sites and easy to add them - tested with SpamHaus, OpenBL, dshield, and malc0de
  • Good performance - updates SpamHaus in less than a second

 

https://github.com/amarcu5/EdgeOS-Blacklist

 

Let me know what you think!
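The script linked above is a shell script; what follows is an added example in Python, not that script, showing the core of what a mixed-list importer has to do: pull IPv4 and IPv6 prefixes out of lines in differing formats, drop comments and junk, collapse overlapping and adjacent entries, and emit `ipset restore` input that swaps a freshly built set in atomically so the firewall never sees an empty set mid-update. The sample list (documentation prefixes only), the set names `blacklist-inet`/`blacklist-inet6` and the `-tmp` suffix are constructed for this example.

```python
import ipaddress
import re

# Constructed sample mixing the line styles such lists use: a ';' comment line,
# bare CIDR followed by a ';' comment (Spamhaus DROP style), a '#' comment line,
# a bare address, IPv6 entries, a duplicate, and a junk line.
SAMPLE_LIST = """\
; header line
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
198.51.100.128/25 ; SBL000003
# comment line
203.0.113.7
2001:db8::/32
2001:db8:1::1
192.0.2.0/24 ; duplicate
not-an-address
"""

_TOKEN = re.compile(r"[0-9A-Fa-f:.]+(?:/\d{1,3})?")


def parse_blacklist(text):
    """Split a mixed v4/v6 list into two collapsed, de-duplicated network lists."""
    v4, v6 = [], []
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()  # strip comments
        if not line:
            continue
        token = line.split()[0]
        if not _TOKEN.fullmatch(token):
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)  # host bits allowed
        except ValueError:
            continue  # looked like an address but is not one
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent siblings (two /25 -> one /24) and
    # drops networks contained in another, so the ipset stays minimal.
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def ipset_restore_lines(v4, v6, name="blacklist"):
    """Build `ipset restore` input that fills a temp set and swaps it into place."""
    lines = []
    for family, nets in (("inet", v4), ("inet6", v6)):
        live = "%s-%s" % (name, family)
        tmp = live + "-tmp"
        lines.append("create %s hash:net family %s" % (live, family))
        lines.append("create %s hash:net family %s" % (tmp, family))
        lines.append("flush %s" % tmp)
        lines.extend("add %s %s" % (tmp, n) for n in nets)
        lines.append("swap %s %s" % (tmp, live))   # atomic from iptables' view
        lines.append("destroy %s" % tmp)
    return lines


if __name__ == "__main__":
    v4, v6 = parse_blacklist(SAMPLE_LIST)
    print("\n".join(ipset_restore_lines(v4, v6)))
```

Pipe the output into `ipset -exist restore` (the `-exist` flag keeps the `create` lines from failing on later runs) and reference the sets from an iptables rule with `-m set --match-set blacklist-inet src`; EdgeOS firewall network-groups are ipsets underneath, which is how scripts of this kind hook into the router's own firewall.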

Vlan Aware on Switch0 unavailable now on V1.9.1

So I am trying to do inter-VLAN routing on an ERPOE-5 and the VLAN tab in the config is missing, so I go to the tree and under switch-port I enable vlan-aware and it says:

Error: platform does not support this setting in switch0
Value validation failed
interfaces switch switch0 switch-port vlan-aware enable

I have a regular network on a PBE M5-400 in bridge mode and VLAN 1 is accessing a 10.1.57.0 network and also I am trying to get internet on the same link on VLAN 251. So my question is how would I configure this link into my ERPOE-5, would I create a WAN interface or use a switch interface.

My setup ultimately would be:

Eth0 - WAN to primary internet (currently Dish Network)
Eth1 - WAN to secondary internet for now (VLAN 251) (failover)

Switch0 - my local 192.168.20.0/24 network at my house, and need to have a route to VLAN 1 on the PBE bridged link to get to the 10.1.57.0 network and have access from 10.1.57.0/24 to 192.168.20.0/24

Any ideas?

Currently 200 miles from the router and it will be a couple weeks before I get there, but I have a spare router I am currently playing with.

Thanks.

Tim

 

IPSEC Nat Traversal Packet Loss

I have multiple remote ER Lites connecting back to the same headend ER using IPsec/GRE. On the ER Lite side, eth0 gets its address from the local ISP dynamically. Some are publicly routable addresses, and some are given RFC 1918 private addresses. In the latter case, IPsec NAT-T is used to establish the tunnel. In all cases, traffic flows through the IPsec/GRE tunnel and out the headend onto my corporate LAN just fine. I'm seeing a very odd issue where if two remote sites that are both connected through NAT-T tunnels send traffic between each other, all traffic to both of those sites ceases until the traffic flow between them stops.

If I start up pings from the network behind the headend ER (laptop below to both ER Lite A and B) and start a ping between the two ER Lites (ER Lite A and ER Lite B), the pings from the laptop to both ER Lite A and B time out until I kill the pings between ER Lite A and ER Lite B. If one of the two ER Lites in the test is not using NAT-T (i.e. it has a public address), there is no issue. All devices are running 1.91.

 

 

Screen Shot 2017-03-08 at 11.49.51 AM.png

 

 

Block MAC adress

Hi all,

I discovered yesterday with an IP scanner a strange and suspected device connected in my network called "camera network" which has the MAC address "aa:bb:cc:dd:ff:dd". All my known devices are listed in an xls file, so I can recognize them in my network, but this one is not in my list.

So how do I block a device by its MAC address on the ERL to prevent suspicious connections please?

Is adding a new rule by source (MAC address) in the firewall rules enough?

Thanks

L2TP VPN setup

Could someone walk me through the correct setup for this:

I have 3 networks coming together: 1) DHCP internet access, 2) internal network, 3) VLAN from the corporate network (does not have internet access).

The internal and internet access networks are simple. The curve ball is the VLAN. The corporation wants to provide VPN access to the internal network via a static public IP pushing through to the VLAN (on their hardware) to this EdgeRouter.

My initial idea was to use the WAN+2LAN2 wizard to set up the 3 networks and implement the L2TP over IPsec VPN to accept the incoming VPN request on eth1, which is set up on the corporate VLAN.

Am I going in the right direction? If so, I have the WAN+2LAN setup. I need some direction to set up the VPN and use local user authentication (no RADIUS).

 

Thanks!


ERLite3 or ER-X for Internet access on a small network

I am looking at replacing an old obsolete Cisco router with an EdgeRouter that's attached to the Internet. I'm looking at either the ERLite3 or the ER-X, but I'm not sure which one would best suit my needs. This network is small with 10 computers accessing the Internet with no heavy usage. Most traffic is email, web pages, and the occasional video. I just need 1 port for WAN, 1 port for LAN, DHCP, NAT, and firewall. Can someone give me some advice on which model would be best? Thanks.

EdgeRouter Pro and expressvpn

Does anyone have this combination working? ExpressVPN is OpenVPN-based. I'm running v1.9.0.

OpenVPN and CRL

So, I could probably test for this, but it's quite a lot easier asking...

I've generated certs/keys for OpenVPN sessions. I need to revoke a key, so I generate the proper crl.pem file.

I copy that crl.pem file [since I'm doing cert/key management off the ER] to the place the config says the CRL should be. [In my case that's /config/auth]

Will the OpenVPN server check for a new CRL with every auth to the ER, or do I need to HUP the OpenVPN server on the ER to get it to recognize the new CRL?

If I need to HUP or reload it, what's the best way to do that at the CLI without disrupting other services? [Obviously I could reboot, but that's less than ideal.]

TIA

-Greg

ER-Pro Installation/Configuration with VOIP PBX

Hello,

I need some advice on how to easily disable SIP ALG on this router. Does anyone have simplified instructions for the average Joe?

Also, is this router able to handle VoIP traffic or is it going to be problematic?

Thanks.

 

DHCP two gateways

Is there a way to make the DHCP server hand out a primary and a secondary gateway to clients?

Multiple VRRP

Is there any reason I can't have multiple VRRP sessions running on an EdgeRouter? For example on eth0.5 eth0.7 eth0.15?

DNS Forwarding from one Network to Another and Vice Versa

There are two locations. Both have their own ISP, own EdgeRouter PoE 5, and their own network.

Location A - 192.168.1.0/24
Location B - 10.16.0.0/16

I managed to set up a static route between the two. The static route goes through a NanoBridge M5 bridge between the two locations.

I want to be able to see the computers in Location B from Location A, as if it was all on one network, and vice versa. Right now I can ping each device on each network, but DNS resolution doesn't seem to work.

I have enabled DNS forwarding on the internal LAN port and the antenna port which interconnects the two locations on both routers.

I have also provided the gateway IPs of the name servers (each router) for the router in Location A and B.

If I do a ping for a specific system from one location to another, it comes back with the message "The request could not find host xxx....", but I can definitely ping the IPs.

So it looks like DNS forwarding doesn't work as I'd originally imagined and I'm missing something. Any help would be appreciated!


DHCP failing through a VLAN

I have an ER-X whose LAN is connected to a simple switch. Said switch has a few UAPs and a controller connected (all working fine).

The main DHCP server is set up and works. Nothing fancy, handing out 192.168.1.0/24 addresses.

The APs broadcast 2 SSIDs, one gets IP addresses from that, the other (guest) is supposed to be on VLAN 50 and get IP addresses from another DHCP server handing out addresses from 172.16.0.0/16.

I'm attaching images of the controller showing the network setup (the DHCP server option there is not checked since I'm using the ER-X, not a USG), the wireless network, the DHCP server from the router, and the VLAN.

If I do the same thing except leave out the VLAN, they get addresses from my main DHCP server no problem, but when I add the VLAN it gets an APIPA address.

My understanding was that associating the SSID with the VLAN (2nd image) would tag it, then the DHCP server giving out addresses in the range of the VLAN would assign an address. I scoured the forums but everything looks good to me. What am I missing?

Can't access network shares through VPN

On an ER-X I set up a remote access L2TP/IPsec VPN. Basically this setup, and it works fine in that I can connect to it.

When connected, I can access IP phones, printers, etc. via a browser without issue.
However I can't access any network shares.
I can ping all the devices, and any with a web interface (NAS) can be logged into, but none (including the NAS I know I can access) are accessible to map as a network drive or even view in network devices.
The VPN gives an address that is in the same subnet as everything else.
I found several known problems/fixes with an old firmware version, but couldn't confirm this issue with the current (1.9.1) version.
SMB issues maybe?

Anyone else had similar issues?

config-management: white space in file path not accepted

I might be missing something but I tried all the kung fu I know and I can't make the system config-management commit-archive location file path work with white space in it.

Not a big deal as I was making up a new one; I just renamed it to have no white space.

How do I show iptables rules, like the output of iptables-save?

I want to inspect the resulting iptables rules based on the configuration I've created. How can I do that? The iptables and iptables-save binaries don't seem to come installed by default. Is this possible?

Dual WAN with some hosts (VLAN tagged) using only one WAN

Hi,

I am about to deploy an ER-PoE to load balance 2 WAN links, and supply 2 LANs.

My LAN will come off ethX and is fed to my house with a LiteBeam AC.

Ideally, I would like to enable load balancing where I can set clients to use a specific WAN link based on VLAN ID.

I have seen this post

https://community.ubnt.com/t5/EdgeMAX/Dual-WAN-with-some-hosts-using-only-one-WAN/m-p/703493#M22093

however I would like to be able to tag by VLAN on my own network.

I will be running a Cisco 2951 or similar at the other end of the LiteBeam and also Cisco switches that I already have, so these will handle the client VLAN tagging.

The reason behind this is that one connection is super reliable, but has a low quota (huge problem in Australia). The other WAN link is unmetered, and I want to restrict streaming services such as Netflix to this.

My thoughts are if I can modify this section, or at least the definition of the LB-minions group:

    group LB-minions {
        interface eth1 {
            failover-only
        }
        interface eth2 {
        }
    }

Is there a network-group equivalent such as vlan-group or similar? Would it just be easier to put all the devices in a different network?

Cheers

Nic
