Channel: EdgeRouter topics

ERPoE-5 switch


Don't know if this has been asked before; I can only find bits of info about this on the forum, but is there any plan, or is it even possible, to have more advanced switch functionality on the ERPoE-5, like VLANs on switch ports? I found this mentioned in an older thread:

UBNT-ancheng, Re: ERPoE switch ports with different VLANs? (12-24-2014 11:25 AM):
You are right that when eth2/3/4 are in "switch mode", it is actually a switch. However, as discussed before, currently we have not exposed the switch functionality such as VLAN etc., so it can only be used as a simple switch. So if you need tagged/untagged VLAN etc., an external switch would be needed for now.

Allow connection to only 1 host


Hello,

Currently we are using the EdgeRouter X in a network in which we only allow the server to talk to the Internet, while the clients remain on the local network.

We made this work with the rule:

firewall {
    name BlockIPRange {
        default-action accept
        description ""
        rule 1 {
            action drop
            description BlockGroup
            destination {
                address !192.168.1.0/24
            }
            log disable
            protocol all
            source {
                group {
                    address-group RangeToBlock
                }
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

Now it gets a bit complicated. As we still want the clients to be protected with anti-virus, we are using ESET MSP licenses. These clients need to be able to talk to our ESET Remote Administrator but still nothing else on the web. So, is there a possibility to let the clients talk only to a certain DNS host (we can't use an IP, since it's not static) at port 2222? If so, how can I implement it?

Best regards
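The question above comes down to two things: an address-group that is refreshed whenever the ERA hostname resolves to something new, and rule ordering inside BlockIPRange. The Python below is an added example written for this page, not EdgeOS code and not the poster's configuration. It models first-match evaluation of the posted ruleset and shows why an accept rule numbered above the existing rule 1 drop can never match, then emits the CLI lines a cron job could feed to the configure wrapper after resolving the name. The group name ESET_ERA, rule numbers 10 and 100, the resolved address 203.0.113.10 and the client address 192.168.1.101 are assumptions; DNS resolution itself is left out so the example runs offline.

```python
"""Added example: EdgeOS-style first-match firewall evaluation plus the CLI
commands that refresh an address-group from a resolved address list.
Illustrative code for this page, not EdgeOS's implementation; group name
ESET_ERA, rule numbers and sample addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    number: int
    action: str                       # "accept" or "drop"
    src_group: Optional[str] = None   # source address-group name
    dst_group: Optional[str] = None   # destination address-group name
    dst_not: Optional[str] = None     # negated destination network ("!x" in EdgeOS)
    protocol: str = "all"             # "all", "tcp" or "udp"
    dport: Optional[int] = None       # destination port, only meaningful with tcp/udp


def _in_group(addr: str, group: Set[Net]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def evaluate(rules: List[Rule], groups: Dict[str, Set[Net]], default: str,
             src: str, dst: str, proto: str, dport: int) -> Tuple[Optional[int], str]:
    """Return (matching rule number, action). Rules are tried in numeric order and
    the first match wins, as in an EdgeOS ruleset; None means default-action applied."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.src_group and not _in_group(src, groups[r.src_group]):
            continue
        if r.dst_group and not _in_group(dst, groups[r.dst_group]):
            continue
        if r.dst_not and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst_not):
            continue
        if r.protocol != "all" and r.protocol != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.number, r.action
    return None, default


def address_group_commands(name: str, addrs: List[str]) -> List[str]:
    """CLI lines for the configure wrapper: clear the group, then re-add every
    address the name currently resolves to (resolution via socket.gethostbyname_ex
    in a cron job is assumed and omitted here)."""
    cmds = [f"delete firewall group address-group {name} address"]
    cmds += [f"set firewall group address-group {name} address {a}" for a in addrs]
    return cmds


# Constructed sample data: the posted group plus an assumed group for the ERA host.
GROUPS = {
    "RangeToBlock": {Net("192.168.1.100/30")},
    "ESET_ERA": {Net("203.0.113.10/32")},   # TEST-NET-3 address, assumed
}

# As posted: rule 1 drops everything from RangeToBlock that is not LAN-bound.
POSTED = [Rule(1, "drop", src_group="RangeToBlock", dst_not="192.168.1.0/24")]

# An accept rule numbered above the drop is evaluated after it and never matches.
SHADOWED = POSTED + [Rule(10, "accept", src_group="RangeToBlock",
                          dst_group="ESET_ERA", protocol="tcp", dport=2222)]

# Renumbering the drop after the accept gives the intended behaviour.
FIXED = [Rule(10, "accept", src_group="RangeToBlock", dst_group="ESET_ERA",
              protocol="tcp", dport=2222),
         Rule(100, "drop", src_group="RangeToBlock", dst_not="192.168.1.0/24")]


def check(rules: List[Rule]):
    """Three probes from a blocked client: ERA on 2222, an arbitrary web host, LAN."""
    era = evaluate(rules, GROUPS, "accept", "192.168.1.101", "203.0.113.10", "tcp", 2222)
    web = evaluate(rules, GROUPS, "accept", "192.168.1.101", "198.51.100.7", "tcp", 443)
    lan = evaluate(rules, GROUPS, "accept", "192.168.1.101", "192.168.1.5", "tcp", 445)
    return era, web, lan


if __name__ == "__main__":
    for label, rs in (("posted", POSTED), ("shadowed", SHADOWED), ("fixed", FIXED)):
        print(label, check(rs))
    print("\n".join(address_group_commands("ESET_ERA", ["203.0.113.10"])))
```

The EdgeOS address-group itself is static, so the refresh commands have to be run from a scheduled script; since rule numbers start at 1, the only way to get an accept in front of the posted drop is to renumber the drop.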

Overlapping IPSEC Subnets


I have networks that need to access our datacenter, but not each other. Here is an example. My problem seems to be that the local networks all have the 10.0.0.1 subnet.

Datacenter: 172.16.0.1

Network 1 -> Datacenter
10.0.0.1 -> 172.16.0.0/30

Network 2 -> Datacenter
10.0.0.1 -> 172.16.0.4/30

As you can see they connect to different remote subnets on the same router.

I assume this would be VTI somehow.

Any thoughts would be great!

Road Warrior VPN (IPSEC, Win7+ out-of-box)


Hello community,

I've been successfully using the EdgeRouter Lite for IPsec-based VPN road warrior access since 2014. So I wanted to suggest this for a possible firmware update and have some documentation here for myself.

For the user, this kind of access is as easy as PPTP. It works from Windows 7 and later out of the box and the user only needs username+password to log in. But it's secure IPsec technology using the included strongSwan, which means it is way better than insecure PPTP and does not require additional software like OpenVPN or others.

There is a lot of information for this in the strongSwan documentation, but here is my example configuration from my EdgeRouter Lite.

Add at the end of the file /etc/ipsec.conf

conn ikev2-win7
        keyexchange=ikev2
        # gateway side: public address and the identity presented to clients
        left=1.2.3.4
        leftid=@vpn.domain.com
        # route all client traffic through the tunnel
        leftsubnet=0.0.0.0/0
        # gateway authenticates with its certificate and always sends it,
        # so Windows can build the chain to a CA it already trusts
        leftauth=pubkey
        leftcert=your_certificate.cer
        leftsendcert=always
        # client side: any peer, address from the DHCP plugin,
        # user authenticated with EAP-MSCHAPv2 (username + password)
        right=%any
        rightsourceip=%dhcp
        rightauth=eap-mschapv2
        rightsendcert=never
        # proposals the stock Windows 7 client accepts; modp1024 is a 1024-bit DH group
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        # look up the secret by the EAP identity the client sends
        eap_identity=%any
        # dead peer detection: silently clear the SA when the client vanishes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        # load at startup and wait for the client to initiate
        auto=add
        # let strongSwan insert firewall rules and allow host access for the tunnel
        leftfirewall=yes
        lefthostaccess=yes

Replace 1.2.3.4 with your static public IP.
Replace vpn.domain.com with a DNS entry pointing to your static public IP.
Replace your_certificate.cer with the filename of your certificate (see below).
Your certificate MUST be valid for the provided DNS entry and users MUST connect to this DNS name as the target host.

Add to /etc/ipsec.secrets

: RSA your_key.key

road.warrior1 : EAP "password"
road.warrior2 : EAP "password"

Replace your_key.key with the filename of your certificate's private key.
List the valid users with their passwords here.

File locations

/etc/ipsec.d/private/your_key.key
/etc/ipsec.d/certs/your_certificate.cer

About the certificate

You will need a real certificate which has a valid CA installed on any Windows machine out of the box. So this does NOT work with a self-signed certificate. However, any cheap certificate should be OK. For instance, I'm using a cheap RapidSSL email-validated certificate myself. If you have to provide an intermediate CA certificate along with your own certificate, put the file here, like shown for my RapidSSL CA/intermediate:

/etc/ipsec.d/cacerts/rapidssl_ca.pem

Firewall

IPsec in general might need some configuration in your firewall configuration. Not covering this here.

Warning

The files mentioned can easily be overwritten by the system, especially if you change something VPN-related in the UI.

Connecting from Windows

Pretty much exactly like connecting using PPTP. Provide username+password from ipsec.secrets and connect to the DNS entry as configured in ipsec.conf. Make sure the type is either automatic or "IPSEC IKEv2", NOT PPTP.

Debugging/Logs

Run "ipsec statusall" and/or check /var/log/messages

Router time


This morning I noticed that the ER-POE5 was resyncing at 10-15 minute intervals. One thing I noticed in the log was that each time after a resync the date and time was displayed:


Mar 22 03:12:55 DSL1-3879 ntpd[21425]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)

I have the ER-POE5 behind a NetGear DM200 that is in modem only mode (bridge). The date in the modem displayed as the default Jan 1970. I thought this may have something to do with the constant resyncs so I temporarily placed it in router mode and let it pull the time.


NTP now displays as:


Wed Mar 22 09:18:26 EDT 2017
hank@DSL1-3879:~$ show ntp
     remote           local      st poll reach  delay   offset disp
=======================================================================
*199.102.46.75   xxx.xx.xxx.xx    1   64  377 0.06529  0.001158 0.05856
=213.154.236.182 xxx.xx.xxx.xx    2   64  377 0.13837  0.000454 0.04947
=74.120.8.2      xxx.xx.xxx.xx    2   64  177 0.07582  0.003160 0.07172
=83.98.201.134   xxx.xx.xxx.xx    2   64  377 0.12178  0.000573 0.07484

I am not certain if this makes any difference, as you can see from the above log extract that the date on the left side of the log entry showed the correct time. But since placing the DM200 in router mode and letting it pull a time stamp I have not had any additional resyncs on the ER-POE5. The entry below really has me perplexed.


Mar 22 05:28:55 DSL1-3879 pppd[1802]: peer from calling number F4:B5:2F:A1:48:F6 authorized
Mar 22 05:28:55 DSL1-3879 pppd[1802]: local IP address xxx.xx.xxx.xxx
Mar 22 05:28:55 DSL1-3879 pppd[1802]: remote IP address 74.42.148.172
Mar 22 05:28:55 DSL1-3879 pppd[1802]: primary DNS address 74.40.74.40
Mar 22 05:28:55 DSL1-3879 pppd[1802]: secondary DNS address 74.40.74.41
Mar 22 05:28:59 DSL1-3879 ntpd_intres[30843]: host name not found: 0.ubnt.pool.ntp.org
Mar 22 05:28:59 DSL1-3879 ntpd_intres[30843]: host name not found: 1.ubnt.pool.ntp.org
Mar 22 05:28:59 DSL1-3879 ntpd_intres[30843]: host name not found: 2.ubnt.pool.ntp.org
Mar 22 05:28:59 DSL1-3879 ntpd_intres[30843]: host name not found: 3.ubnt.pool.ntp.org
Mar 22 05:29:03 DSL1-3879 ntpd[30837]: ntpd exiting on signal 15
Mar 22 05:29:05 DSL1-3879 ntpd[31059]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)
Mar 22 05:29:05 DSL1-3879 ntpd[31060]: proto: precision = 54.024 usec
Mar 22 03:30:23 DSL1-3879 ntpd[22546]: ntpd exiting on signal 15
Mar 22 03:30:25 DSL1-3879 ntpd[22795]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)
Mar 22 03:30:25 DSL1-3879 ntpd[22796]: proto: precision = 53.315 usec
Mar 22 03:30:26 DSL1-3879 pppd[1802]: Connection terminated: no multilink.
Mar 22 03:30:26 DSL1-3879 pppd[1802]: Modem hangup
Mar 22 03:30:27 DSL1-3879 ntpd_intres[22802]: host name not found: 0.ubnt.pool.ntp.org
Mar 22 03:30:27 DSL1-3879 ntpd_intres[22802]: host name not found: 1.ubnt.pool.ntp.org
Mar 22 03:30:27 DSL1-3879 ntpd_intres[22802]: host name not found: 2.ubnt.pool.ntp.org
Mar 22 03:30:27 DSL1-3879 ntpd_intres[22802]: host name not found: 3.ubnt.pool.ntp.org

Note the time change on the left hand side after the resync: it goes from Mar 22 05:29:05 to Mar 22 03:30:23 but the date/time on the right side of the log entry stays the same. But as previously stated, after placing the DM200 in router mode and letting it pull a time stamp there have been no further resyncs.

So what exactly does this entry mean: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)? Is that the date and time that the time server was placed online?

Also, is it possible to change what time servers are used by the router?
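Two things in the excerpt can be checked mechanically, and the Python below is an added example written for this page (not EdgeOS or ntpd code) that does so on lines copied from the post. The left-hand syslog timestamp is written from the router's own clock, so a line stamped earlier than the one before it means the system clock was stepped backwards (here by 1 h 58 m 42 s between 05:29:05 and 03:30:23). And the text after ntpd's process id in the startup line is the version and build date of the ntpd binary itself, not a property of any time server. The year 2017 and the 60-second tolerance are assumptions.

```python
"""Added example for the log excerpt above: detect the system clock being stepped
backwards between consecutive syslog lines, and pull the version and build date
out of ntpd's startup banner. Written for this page; not EdgeOS or ntpd code.
The lines in LOG are copied from the post; year and threshold are assumptions."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

LOG = """\
Mar 22 05:28:55 DSL1-3879 pppd[1802]: peer from calling number F4:B5:2F:A1:48:F6 authorized
Mar 22 05:28:59 DSL1-3879 ntpd_intres[30843]: host name not found: 0.ubnt.pool.ntp.org
Mar 22 05:29:03 DSL1-3879 ntpd[30837]: ntpd exiting on signal 15
Mar 22 05:29:05 DSL1-3879 ntpd[31059]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)
Mar 22 05:29:05 DSL1-3879 ntpd[31060]: proto: precision = 54.024 usec
Mar 22 03:30:23 DSL1-3879 ntpd[22546]: ntpd exiting on signal 15
Mar 22 03:30:25 DSL1-3879 ntpd[22795]: ntpd 4.2.6p2@1.2194-o Fri Jul 29 23:29:38 UTC 2016 (1)
Mar 22 03:30:26 DSL1-3879 pppd[1802]: Connection terminated: no multilink.
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
# "ntpd VERSION@BUILDID BUILD-DATE (n)": the date is when the binary was compiled
NTPD_BANNER = re.compile(r"ntpd\[\d+\]: ntpd (\S+)@(\S+) (.+?) \(\d+\)$")


def parse_ts(line: str, year: int = 2017) -> Optional[datetime]:
    """Classic syslog stamps carry no year; 2017 is assumed from the post."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def find_clock_steps(text: str, max_backwards: int = 60) -> List[Tuple[int, int]]:
    """Return (line number, seconds) for every line stamped earlier than the previous
    line by more than max_backwards. Syslog appends in arrival order, so a backwards
    jump in the stamp means the clock itself moved, not the log."""
    steps = []
    prev = None
    for n, line in enumerate(text.splitlines(), start=1):
        ts = parse_ts(line)
        if ts is None:
            continue
        if prev is not None:
            delta = int((ts - prev).total_seconds())
            if delta < -max_backwards:
                steps.append((n, delta))
        prev = ts
    return steps


def parse_ntpd_banner(line: str) -> Optional[dict]:
    """Split ntpd's startup banner into version, build id and build date."""
    m = NTPD_BANNER.search(line)
    if not m:
        return None
    return {"version": m.group(1), "build": m.group(2), "built": m.group(3)}


if __name__ == "__main__":
    print(find_clock_steps(LOG))
    for line in LOG.splitlines():
        info = parse_ntpd_banner(line)
        if info:
            print(info)
```

Run against a full /var/log/messages the same check flags every restart that stepped the clock, which is a cheap way to correlate resyncs with time changes before blaming the modem.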

SD-WAN


Hi,

Why doesn't the EdgeRouter or Security Gateway include an SD-WAN capability? Is it on the roadmap?

Edgemax Router Interfaces

Is there any way to get rid of switch0? I will not be using the router as a switch whatsoever, and I need to adjust my MTU value but I can't, because it keeps giving me an error saying it needs to be the same as or less than the switch0 MTU.

Pass down public IP


What is the best way to pass down a public IP to a router behind our router?

For example:

We have two public IPs on our EdgeRouter, 1.1.1.1 and 1.1.1.2.

I want to pass 1.1.1.2 to the EdgeRouter Lite that is plugged into a switch on eth2 on our main EdgeRouter.

I want it to be able to recognize it has 1.1.1.2 and not the local DHCP subnet, 172.16.0.x.

Basically how an ISP would route down a public IP.

Thank you!


Pass Site to Site Routes to L2TP


How do we allow access to a remote site connected via IPsec site-to-site from an L2TP client? I have done this with OpenVPN, but not with IPsec.
20-year-old flaw found in Ubiquiti networking gear running ancient PHP


-------------------------------------------------------------------------------------------------------

20-year-old flaw found in Ubiquiti networking gear running ancient PHP

Running PHP 2.0.1 turns out to be a bad way to secure network devices against a range of threats including cross-site request forgery attacks.

Security researchers have discovered an unpatched vulnerability in some networking equipment from Ubiquiti that could allow hackers to gain control of the devices, or use them as an entry point to attack other nearby devices.

The flaw was found by SEC Consult, and worryingly, is still unpatched as talks between the security firm and Ubiquiti broke down in January.

In a security advisory, SEC Consult said that the vulnerability enables an attacker to inject arbitrary commands into the web-based administration interface of affected devices. The command injection vulnerability was found in "pingtest_action.cgi". This script is vulnerable since it is possible to inject a value of a variable, according to the security firm. It added that one reason for this was the use of PHP 2.0.1, which is 20 years old and lacks security features found in later versions.

The vulnerability can be exploited by luring a user to click on a crafted link or just surf on a malicious website. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection,” said the researchers.

“An attacker can open a port binding or reverse shell to connect to the device and is also able to change the ‘passwd' since the web service runs with root privileges,” said the advisory. “Furthermore, low privileged read-only users, which can be created in the web interface, are also able to perform this attack.”

The advisory added that if the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.

The security researchers said they had tested the exploit on four Ubiquiti devices, but 38 other models could also be affected. SEC Consult advises organisations not to use these products in a production environment “until a thorough security review has been performed by security professionals and all identified issues have been resolved”.

Elliott Thompson, security consultant at SureCloud, told SC Media UK that for administrators of these devices, extreme care should be taken with active sessions.

“Using a separate browser profile to administer the devices and logging out immediately after use would be strongly recommended. For customers whose data travels across these links, a VPN should be used to prevent traffic from being maliciously manipulated; this is best practice anyway even without this specific vulnerability,” he said.

He added that it is critically important that vendors ensure software is using current and supported software versions including PHP. “There is a litany of vulnerabilities that have been patched between PHP 2.0.1 and the current version, some of which could be more serious than the CSRF vulnerability if successfully exploited,” he added.

Edouard Viot, endpoint security product marketing manager at Stormshield, told SC that the problem is that no patch exists for this vulnerability, and Ubiquiti has so far given no release date for a patch.

“I doubt that anything will move quickly on this, since Ubiquiti have been aware of the vulnerability for several months,” he said.

“The best approach for organisations is to change the equipment quickly, because there is a strong likelihood that we will discover another vulnerability in other equipment that uses PHP 2.0.1. Our advice would be to take a measured approach, and find a way to limit who can send information to the administration module of Ubiquiti devices.”

--------------------------------------------------------------------------------------------------------

Original article: 20-year-old flaw found in Ubiquiti networking gear running ancient PHP

Not particularly impressive, Ubiquiti.
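The advisory quoted above names two separable defects: a request parameter that reaches a shell command unescaped, and a state-changing action reachable by a single GET with no CSRF protection. The Python below is an added example written for this page; it is not the device's pingtest_action.cgi, reproduces none of the actual exploit, and only returns command strings and argument vectors without executing anything. The parameter name host, the csrf field, the session-bound HMAC token and the sample request are assumptions.

```python
"""Added example: the vulnerable pattern the advisory describes beside a hardened
handler. Illustrative only; not the device's CGI and nothing is executed.
Parameter names, the token scheme and the sample request are assumptions."""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List, Optional

# RFC 1123 style hostname labels: assumed policy for what a ping target may be
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

SECRET = b"constructed-server-side-secret"   # would be random per device in practice


def vulnerable_ping_command(params: Dict[str, str]) -> str:
    """The defect class in the advisory: a request parameter is pasted into a shell
    command line. Returned instead of run so the injected tail stays visible; a
    shell would treat ';' as a command separator."""
    return "ping -c 1 " + params.get("host", "")


def validate_target(host: str) -> Optional[str]:
    """Allow-list: an IP literal or a syntactically valid hostname, nothing else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host if HOSTNAME.match(host) else None


def hardened_ping_argv(params: Dict[str, str]) -> Optional[List[str]]:
    """Argument vector for subprocess.run(argv) with shell=False: no shell parses it,
    and the target was validated first, so metacharacters never become commands."""
    target = validate_target(params.get("host", ""))
    return None if target is None else ["ping", "-c", "1", target]


def csrf_token(session_id: str) -> str:
    """Token bound to the login session; a cross-site page cannot read it and so
    cannot forge a request that carries it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle(method: str, session_id: str, params: Dict[str, str]) -> Optional[List[str]]:
    """Hardened endpoint: only POST, only with a valid token, only a validated target.
    Returns the argv to run, or None when the request is rejected."""
    if method != "POST":
        return None
    if not hmac.compare_digest(params.get("csrf", ""), csrf_token(session_id)):
        return None
    return hardened_ping_argv(params)


# Constructed sample: the kind of parameter a lured user's browser might send
EVIL = {"host": "8.8.8.8; cat /etc/passwd"}

if __name__ == "__main__":
    print(vulnerable_ping_command(EVIL))     # the injected tail is still there
    print(hardened_ping_argv(EVIL))          # None: target rejected
    print(handle("GET", "s1", {"host": "8.8.8.8", "csrf": csrf_token("s1")}))   # None: GET
    print(handle("POST", "s1", {"host": "8.8.8.8", "csrf": csrf_token("s1")}))
```

Both halves matter independently: validating the target stops the injection even if a token check is bypassed, and requiring a POST with a session-bound token stops a victim's browser from being used as the attacker's proxy even for requests that are otherwise well-formed.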

 

EdgeRouter Client Setup To Corporate VPN


I have been in the network/telecom field for about 6 years and just recently purchased an EdgeRouter Pro for my personal use at home. The company that I work for offers us the option to work from home from time to time using a VPN client on our laptop to get into our corporate network. (Cisco AnyConnect, Junos Pulse and Juniper NetConnect are some of the different VPN clients we have used on our laptops over the years.)

I was wondering if there was a way that I could set up my EdgeRouter in a VPN client mode to connect to our corporate VPN and give a VPN'd IP to one of my eth ports, which I could then NAT out via a selection of switchports on my main switch via VLAN tagging. For example, I would like VLAN 3 to be the VLAN with all the VPN traffic going across it, have VLAN 3 trunked to my switch, and have Gi0/1 and Gi0/2 set to "switchport access vlan 3". In this example I could use Gi0/1 for my Avaya IP desk phone and Gi0/2 for my laptop. The VPN client and Avaya softphone client hog up a lot of my corporate laptop's resources, making it extremely unresponsive.

I found some other posts out there regarding this topic in some form but not exactly to my needs. I read that I could use OpenVPN on the EdgeRouter but I am unfamiliar with how to set this up and where to get "certificate files" from. Also I use an RSA token to authenticate myself onto our corporate VPN.

IPSEC issue between pfSense and Edgerouter X


Greetings all,

I have an IPsec tunnel established between our pfSense box at work and an EdgeRouter X at a coworker's home in order for them to have a constant connection between the two sites. I followed the instructions I found in a thread on the pfSense forum: https://forum.pfsense.org/index.php?topic=111450.0 and the setup went extremely well and has functioned with only a few hiccups for months now.

Unfortunately, today the tunnel fails to establish beyond the Phase 1 negotiation. I do not have access to the remote side at this time but I am receiving errors on the pfSense side:

    [remote ip] ERROR: packet shorter than isakmp header size (60, 1, 28)
    ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange
    ERROR: notification INVALID-HASH-INFORMATION received in informational exchange
    ERROR: (remote ip) give up to get IPsec-SA due to time up to wait

While I have not received these exact errors before, whenever the phase negotiations would hang, a restart of the racoon IPsec service on the pfSense side would resolve these issues. This has not been the case this time around.

As far as I am aware, no configuration changes were made on either side, so I'm a little puzzled here. Would a restart of the VPN tunnel on the remote side fix this, or is something more extensive required? I can provide the settings on the pfSense side and the commands entered to set up the tunnel on the EdgeRouter side if need be.

Thanks in advance for any help.

EdgeRouter ER-X still responds to UBNT Discovery even when disabled


With EdgeOS v1.9.1, an EdgeRouter ER-X still responds to UBNT Discovery even when it's been disabled on the System page.

Is this a known issue? Is there a firewall rule I can put into place to *really* block discovery requests?

IPv6 for LAN with static v6-WAN address on loopback-interface


Hi. I'm using an EdgeRouter X in a mesh network with OLSRv2 as the routing daemon.

Because of this, the WAN v6 address is assigned to the loopback interface "lo".

How will I get my LAN clients, connected to eth0.6, to work with IPv6?

My assigned address is 2a02:61:a9e:22::/80

I tried several guides, but all of them use an eth port for WAN, and none of them handles a statically assigned IPv6 address :-(

Thx, pocki80

Dual Wan failover IPv4 but single WAN IPv6?


Hi All,

Thinking about IPv6 and the challenges of small site fail-over where the ISP is delegating an IPv6 prefix.

We have a dual WAN setup with failover to a secondary (more expensive) LTE link; this works fine for IPv4 in the event of failure.

Whilst both WAN links have IPv6 capability we have to date not enabled this.

I'm thinking the best course of action might be to enable IPv6 only on the primary WAN link.

Thoughts? Anyone care to share some working configs and ideas?

Thanks in advance.


2 wan on mesh network


So I got great info in my other thread about using VLANs and an ER-X for our mesh network. Now I have another question, if you guys do not mind; this may be a little more in depth. Basically we have a great guest network set up already, but need more flexibility/bandwidth.

Here is how I have this all set up now, with some basic MS Paint modifications showing my ideas, with a legend on the picture.

[image: sb-proposed.jpg]

As you can see, I plan on adding another AP at the pool connected to the main AP and then connecting Main 2's location to the pool AP, since all would be LOS instead of the way it is now.

Since I have learned about VLANs and being able to put them on different subnets, I would like to tie DSL 2 into this mesh network to share bandwidth, since each DSL is only 6 Mbps. Fiber is too expensive for our budget to go 300' +/-, so I was thinking of a wireless connection between the DSL 2 location and an ER-X at the DSL 1 location.

OR

Is there a way to just integrate DSL 2 into the mesh network by putting a UAP-Mesh at the DSL 2 location? If that is possible, how would I go about doing that, and what other equipment would be required?

Thanks in advance

Dale

Fiber/SFP noob - is this compatible?


I am looking at putting in a pair of EdgeRouter Pros in a datacentre and using SFP modules to accept the fibre connections from the upstream provider. I have the UF-SM-1G-S bidi SFP modules.

Provider is handing over the following fibre: 1G, single mode, duplex, LC.

From what I have seen in the rack, the handover at the fibre patch panel is a pair of LC connectors (i.e. duplex). I am confused about how this would plug into and work with the pair of bidi SFP modules that I have.

Right now I have the SFP modules in eth6 and eth7; would a patch lead from each port in the fibre patch panel into these work?

Is there a duplex->simplex patch lead that would plug into the router? Are there any 1G single mode (non-bidi) SFP modules that are supported by these routers?

"Error: rule count already 0" when committing PBR rules


ERPOE 1.9.0

I have a working PBR config and needed to modify it slightly. The plan was to delete rule 13 and create two new rules in its place, 20 and 30, using two smaller subnets in place of the single larger one.

I can create rules 20 and 30 and then commit no problem. But when I attempt to commit after deleting rule 13, I get the quoted error.

I see somebody had this same error a few years ago and the workaround was to reboot the router. I prefer not to go this route, so I'm hoping somebody can provide some insight here.

clarknova@RTR-Lancaster-Place# show firewall modify SOURCE_ROUTE 
 rule 5 {
     action modify
     description "LAN to LAN skip PBR"
     destination {
         group {
             network-group LOCAL
         }
     }
     modify {
         table main
     }
 }
 rule 10 {
     action modify
     description "PBR outsmartinroutin to pppoe1"
     modify {
         table 1
     }
     source {
         address 10.2.31.45
     }
 }
 rule 11 {
     action modify
     description "PBR DC_speeders to pppoe1"
     modify {
         table 1
     }
     source {
         address 10.2.31.128/25
     }
 }
 rule 12 {
     action modify
     description "PBR LP_speeders to pppoe1"
     modify {
         table 1
     }
     source {
         address 10.4.23.128/25
     }
 }
-rule 13 {
-    action modify
-    description "PBR DC_WISP to pppoe3"
-    modify {
-        table 3
-    }
-    source {
-        address 10.2.31.0/25
-    }
-}
 rule 14 {
     action modify
     description "PBR BG_WISP to pppoe1"
     modify {
         table 1
     }
     source {
         address 10.1.0.0/16
     }
 }
 rule 15 {
     action modify
     description "PBR LP_WISP to pppoe2"
     modify {
         table 2
     }
     source {
         address 10.4.23.0/25
     }
 }
 rule 16 {
     action modify
     description "PBR LP_WIRE to pppoe2"
     modify {
         table 2
     }
     source {
         address 10.4.22.0/24
     }
 }
 rule 20 {
     action modify
     description "PBR DC_WISP_1 to pppoe2"
     modify {
         table 2
     }
     source {
         address 10.2.31.0/26
     }
 }
 rule 30 {
     action modify
     description "PBR DC_WISP_2 to pppoe3"
     modify {
         table 3
     }
     source {
         address 10.2.31.64/26
     }
 }
[edit]
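A modify ruleset is evaluated first match wins, so the deletion of rule 13 matters beyond the commit error: while 13 (10.2.31.0/25) is still present, rules 20 and 30 (its two /26 halves) can never match. The Python below is an added example written for this page, not EdgeOS code, that checks both properties on the source prefixes transcribed from the show output above; rule 5, which matches on destination, is left out.

```python
"""Added example for the PBR change above: check that the new /26 rules tile the
/25 they replace, and find rules whose source prefix is already covered by a
lower-numbered rule. Written for this page, not EdgeOS code; prefixes are
transcribed from the show output (rule 5 matches on destination, so it is omitted)."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# rule number -> (source prefix, target table)
RULES: Dict[int, Tuple[str, int]] = {
    10: ("10.2.31.45/32", 1),
    11: ("10.2.31.128/25", 1),
    12: ("10.4.23.128/25", 1),
    13: ("10.2.31.0/25", 3),      # the rule being deleted
    14: ("10.1.0.0/16", 1),
    15: ("10.4.23.0/25", 2),
    16: ("10.4.22.0/24", 2),
    20: ("10.2.31.0/26", 2),
    30: ("10.2.31.64/26", 3),
}


def shadowed(rules: Dict[int, Tuple[str, int]]) -> List[Tuple[int, int]]:
    """(rule, earlier rule) pairs where the rule's whole source prefix lies inside an
    earlier rule's prefix. First match wins, so the later rule never fires."""
    ordered = sorted(rules.items())
    found = []
    for i, (num, (prefix, _)) in enumerate(ordered):
        net = Net(prefix)
        for earlier_num, (earlier_prefix, _) in ordered[:i]:
            if net.subnet_of(Net(earlier_prefix)):
                found.append((num, earlier_num))
                break
    return found


def exact_replacement(old: str, new: List[str]) -> bool:
    """True when the new prefixes cover old completely with no gap and no overlap."""
    nets = [Net(p) for p in new]
    covers = list(ipaddress.collapse_addresses(nets)) == [Net(old)]
    disjoint = sum(n.num_addresses for n in nets) == Net(old).num_addresses
    return covers and disjoint


def without(rules: Dict[int, Tuple[str, int]], num: int) -> Dict[int, Tuple[str, int]]:
    """The ruleset with one rule removed, i.e. what commit should leave behind."""
    return {n: r for n, r in rules.items() if n != num}


if __name__ == "__main__":
    print(shadowed(RULES))                  # 20 and 30 are hidden behind 13
    print(shadowed(without(RULES, 13)))     # nothing shadowed once 13 is gone
    print(exact_replacement("10.2.31.0/25", ["10.2.31.0/26", "10.2.31.64/26"]))
```

Rule 10 (a single host inside 10.2.31.0/25) is not reported because it is numbered below 13, 20 and 30 and therefore wins for that host whatever happens to the broader rules.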

WAN Subnet Provided - Round Robin NAT?


Hey all,

I run tech for an internet cafe in Melbourne, Australia, with the challenge of replacing the provided Mikrotik RB2011 with something a little more powerful. At the same time, I have also requested additional external IP addresses and have been provided with information stating additional IPs have been routed to our premises 'via the main IP'.

I would like to replace the router with an ER-8 rack-mounted EdgeRouter, and set it up so that the 88 computers randomly select an external IP from the subnet to use as their external IP behind the NAT.

Is this possible?

After installing Windows 10 cannot connect to ER-X through browser anymore.


After a fresh install of Windows 10 I cannot log in to the ER-X through the browser. I tried Firefox, Edge and also Internet Explorer. The result is the same. After accepting the exception for the wrong certificate, an error appears saying the user or password is not correct.

If I try connecting from a different computer with Windows 7 or Android, the connection is fine. In Windows 10 no information appears in the log. However, in the ER-X's messages log I have the following error each time I enter user/password and cannot succeed in logging in:

 ubnt wlb: pam_securetty(login:auth): cannot determine user's tty

Thank You
