Channel: EdgeRouter topics

Docsis 3.1 with AQM and Smart Queue

Once Docsis 3.1 AQM modems become mainstream will we still require Smart Queue on the EdgeRouter?

Would it conflict with hardware offloading on the EdgeRouter? Many posts have mentioned the performance drop when using SQ so leaving HW offload running would be a bonus

upnp2 stopped working?


Hi,

i've had an er-x up and running for about 6 weeks. during the first week i had 2-3 random lock-ups (see threads with lights on but nobody home). since then very stable until yesterday. another lock up. now ports won't open even though upnp2 is turned on. here's my config. it hasn't changed in like a month.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.0.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.38 {
                    stop 192.168.0.99
                }
                static-mapping jeffs_laptop {
                    ip-address 192.168.0.38
                    mac-address *
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            system
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on switch0
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password *
            }
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-control {
    smart-queue sq1 {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            htb-quantum 18000
            limit 1514
            rate 200mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            htb-quantum 4000
            limit 1514
            rate 11mbit
        }
        wan-interface eth0
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.0.4783374.150622.1533 */

I'm suspecting the unit is bad (and has been, but limping along).

 

any suggestions for why ports aren't being opened?  show upnp2 rules   is blank.

 

thanks,

jeff

Zone-based firewall command to include multiple interfaces into firewall zone.


Does anyone know the command to include multiple interfaces (or subinterfaces) into zone-based firewall zone setting? I just couldn't do it in CLI under zone-policy.

VPN Questions


I am setting up L2TP VPN on Edgerouter (server/client) but I have a question i can't find the answer to.  Does there need to be an interface on the router with the subnet of the VPN?

Silently rewrite packet source / dest IP address (two-way NAT?)


Hey, I've got a bit of an odd one here.

 

Basically we've got a bunch of devices with hard-coded fixed IP address 10.2.0.1, which is impossible to change. (don't ask...)

 

I'd like to use an EdgeRouter, plug one device into each port, and rewrite the IP addresses to 10.2.0.2, 10.2.0.3, etc etc. If that's not possible I can put them across different subnets (10.2.1.1, 10.2.2.1, etc etc). But ideally I'd get an 8-port EdgeRouter, and then I can put the client on eth0 and the various devices along the other ports.

 

I'm a bit stumped as to how to implement this with NAT. Seems like I'd need SNAT and DNAT to do it both ways (so the device can communicate with the client on 10.2.0.123, and the client can communicate with the various devices on the various IPs) but none of my efforts have worked.

 

Thoughts?

IPv6 - from vyos to edge-router unsuccessful


We used a PC + VYOS border router, recently changed by a UBNT Er-8.

Our AS operates in dual stack (IPV4+IPV6) mode, with dual upstreams in BGP full routing.

The configuration running on VYOS was line-by-line transported to ER-8 using config-tree, but with no success. The IPv4 works fine, but we don't have routing on IPV6.

The communication with BGP neighbors also is ok, the routes are received, but our IPV6 transit doesn't happen.

I opened a ticket on UBNT's support, but they gave up, claiming the scenario is too complex.

 

Could someone help us?

 

Thanks

 

Breno

 

Edge router X & bandwidth monitoring


hello,

 

I've jumped in the edge family recently. a little bit deceptive with this router (the managing step is a little bit hard for me.)

 

my first and main problem now is: who is eating the internet bandwidth??? with 2 teens playing overwatch and a 6Mb ADSL, it's a little bit hard to manage

 

so

- on the dashboard, rx rate is 6Mb on the eth0 interface, connected to modem

- eth1 Tx rate 6Mb. ok

- on the traffic analysis, if i sum up everything, i've got 500kb ...

who eats the missing 5.5Mb ???

 

i came from an old tomato and it was way more comprehensive and usable on this.

 

can someone explain to me where i go wrong?

 

thanks

 

 

Is this possible?


I have 2 towers(B & C) connected to a head end (A) 

B & C are on the same network 172.23.x.x

There is currently no connection between B & C. B is tapped, C is not. I would like to put a link between B&C and allow them to share bandwidth. 

I've been told that it's not possible or a good idea. Just wondering if someone could elaborate on a way to share bandwidth between two towers on the same network.


ERX all ports switch0, vif inside switch0


Does it work this way?  I'm remote and when I try to set up the ERX that way I lose connection.  10.0.0.17 is not accessible.  10.0.0.17 was on eth0 and eth0 was NOT part of the switch.  I'm putting all ports in the switch, and giving switch0 the "WAN" address.  Hoping to create a couple virtual networks inside switch0.

 

 ethernet eth0 {
     duplex auto
     speed auto
 }
 ethernet eth1 {
     duplex auto
     speed auto
 }
 ethernet eth2 {
     duplex auto
     speed auto
 }
 ethernet eth3 {
     duplex auto
     speed auto
 }
 ethernet eth4 {
     duplex auto
     speed auto
 }
 ethernet eth5 {
     duplex auto
     speed auto
 }
 loopback lo {
 }
 switch switch0 {
     address 10.0.0.17/16
     mtu 1500
     switch-port {
         interface eth0 {
         }
         interface eth1 {
         }
         interface eth2 {
         }
         interface eth3 {
         }
         interface eth4 {
         }
         vlan-aware enable
     }
     vif 100 {
         address 192.168.0.1/24
     }
     vif 101 {
         address 192.168.1.1/24
     }
 }

ERL 1.9.1 -- ISSUES WHEN I ATTEMPT TO CONNECT OUTSIDE VPN SERVERS


Hi all !!

 

I come with my problem, because i don't find any solution or clue of what happen...

 

My issue :

 

- Trying to connect to a FORTIGATE VPN IPSEC with the fortinet's client : no connection

- Trying to connect to another ERL L2TP/IPSEC with the default system client (Mac OS and Windows 10) : no connection

 

For more information :

 

- I can connect to this ERL (mine) from the outside using the VPN L2TP/IPSEC from the default client (MacOS and Windows 10)

- I have a basic configuration because i was on a CISCO 800 series just before and i'm new on the ERL, so i'm learning

- I don't see anything in the "show log tail" that bring me a clue of what happen...

 

Thanks for your help and let me know if you need some more information.

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group bogons {
            description "Invalid WAN networks"
            network 0.0.0.0/8
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow HTTPS to 219P"
            destination {
                address 192.168.2.235
                port 443
            }
            log disable
            protocol tcp
            source {
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            description "Allow HTTPS to 213J"
            destination {
                address 192.168.2.245
                port 5001
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "Allow HTTPS to AXIS"
            destination {
                address 192.168.2.215
                port 443
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 50 {
            action accept
            description "Allow HTTP to HEDEN"
            destination {
                address 192.168.2.220
                port 80
            }
            disable
            log disable
            protocol tcp
        }
        rule 60 {
            action accept
            description "Allow XBOX"
            destination {
                address 192.168.2.155
                port 1-65535
            }
            disable
            log disable
            protocol tcp_udp
        }
        rule 70 {
            action drop
            description "Drop Bogons"
            log disable
            protocol all
            source {
                group {
                    network-group bogons
                }
            }
        }
        rule 80 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow L2TP"
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow IKE"
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description "Allow NAT-T"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 50 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 60 {
            action accept
            description "Allow HTTPS"
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 90 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            log disable
            protocol tcp
        }
        rule 100 {
            action drop
            description "Drop Bogons"
            log disable
            protocol all
            source {
                group {
                    network-group bogons
                }
            }
        }
        rule 110 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password *****
            user-id *****
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.3.254/24
        description DMZ
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface eth1
    wan-interface pppoe0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 192.168.2.254
                lease 86400
                start 192.168.2.1 {
                    stop 192.168.2.100
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.254
                dns-server 192.168.3.254
                lease 86400
                start 192.168.3.1 {
                    stop 192.168.3.100
                }
            }
        }
        shared-network-name VPN {
            authoritative disable
            disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.110 {
                    stop 192.168.2.115
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service dyndns {
                    host-name *****
                    login *****
                    password *****
                }
                web dyndns
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "NAT to 219P HTTPS"
            destination {
                port 23543
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.235
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "NAT to 219P FTP"
            destination {
                port 21
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.235
                port 21
            }
            log disable
            protocol tcp
            type destination
        }
        rule 3 {
            description "NAT to 219P FTP PASV"
            destination {
                group {
                }
                port 1024-65535
            }
            disable
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.235
            }
            log enable
            protocol tcp
            type destination
        }
        rule 4 {
            description "NAT to 213J HTTPS"
            destination {
                port 24543
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.245
                port 5001
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5 {
            description "NAT to 213J FTP"
            destination {
                port 24521
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.245
                port 21
            }
            log disable
            protocol tcp
            type destination
        }
        rule 6 {
            description "NAT to 213J FTP PASV"
            destination {
                group {
                }
                port 1024-65535
            }
            disable
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.245
                port 1024-65535
            }
            log enable
            protocol tcp
            type destination
        }
        rule 7 {
            description "NAT to AXIS HTTPS"
            destination {
                port 21543
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.215
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 8 {
            description "NAT to HEDEN HTTP"
            destination {
                port 22080
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.220
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 9 {
            description "NAT OPEN XBOX"
            destination {
                port 1-65535
            }
            disable
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.155
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5001 {
            description "masquerade for WAN"
            log enable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 50
    }
    host-name EdgeRouter-*****
    login {
        user admin {
            authentication {
                encrypted-password *****
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
            prefer
        }
        server 1.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    task-scheduler {
        task l2tp_IP_update {
            executable {
                path /config/scripts/l2tp_update_ip
            }
            interval 30m
        }
    }
    time-zone *****
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue SQ1 {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 4.2mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 0.5mbit
        }
        wan-interface pppoe0
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username ***** {
                        password *****
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.2.110
                stop 192.168.2.115
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret *****
                }
                ike-lifetime 86400
            }
            mtu 1024
            outside-address *****
            outside-nexthop *****
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939093.161214.0705 */

 

Sharing IKE/ESP groups with multiple VPN peers


Are there any inherent issues with using the same ike-group and esp-group across multiple IPsec peers?

IPv6 and bgp neighbor update-source


Background: I have an ERP sitting on an IXP peering network.  This network assigns IPv6 addresses out of a globally-addressable, but not globally-routed, /64, for participants to use to establish BGP peering.  Linux's source address selection algorithm can cause problems in this environment, as it can choose my address on the IXP network as the source address for packets destined for the Internet.  Because the IXP network is unrouted, the response packets never make it back to me.  The workaround I've seen used is described on this page -- set the IXP network address as "deprecated" to exclude it from Linux default source address selection, then explicitly specify it as a source address for BGP purposes.

 

I'm attempting to do this with EdgeOS.  I set the address as deprecated (using /sbin/ip directly -- see this thread for details on my attempts at doing this via EdgeOS config), and set the `update-source` of each BGP neighbor to that address explicitly.  For example:

 

 

set protocols bgp 395823 neighbor 2001:504:16::2 update-source 2001:504:16::6:a2f
commit

 

 

So far, so good -- existing BGP sessions stay up, and BGP neighbors are still able to establish new sessions with me.  Other applications no longer choose it as a source address, which is exactly what I want.

 

However, if I have a passive BGP neighbor that doesn't try to connect to me, and instead requires me to connect to them, the session never comes back up after a reset.  EdgeOS' bgpd is apparently not respecting the update-source, and is choosing a different address as the source address for BGP traffic!  When I "un-deprecate" the address, it chooses the IXP network address as a source address again, and the session comes back up just fine.

 

Does update-source only work for IPv4?  I know EdgeOS isn't quite using Quagga anymore, but is using a proprietary fork instead, but these docs suggest that update-source in Quagga config only works for v4.  EdgeOS' config tree will happily accept a v6 address, though, and the code in /opt/vyatta/sbin/vyatta-bgp.pl appears to translate that directly into a Quagga config update-source.

 

If update-source only works for IPv4, how can I influence IPv6 BGP session source address selection?

 

$ show version
Version:      v1.9.1
Build ID:     4939098
Build on:     12/14/16 07:33
Copyright:    2012-2016 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Pro 8-Port
HW S/N:       [redacted]
Uptime:       21:21:31 up 49 days, 13:36,  3 users,  load average: 0.07, 0.06, 0.05

Routing / Nat issue VLAN and OpenVPN


Okay forgive me I am new to this but I need help with natting / routing

 

A simple overview of the network

 

WAN

I have 1 WAN 

I also have a configured openvpn vtun0

 

LAN

I have 2 VLAN

VLAN 15 - to go through vtun0 or VPN

VLAN 20 - to go through eth0  or no VPN

 

NAT

I created 2 Nats one for each VLAN based on source

 

screenshot (5) attached. 

 

my problem is .. when vpn is connected only VLAN 15  is working   and when VPN is off VLAN 20 is working... 

seems like I have a routing problem.. or natting. I am lost.. any help?

                

Yes  0.0.0.0/0          192.168.70.254  eth0        static     Yes
Yes  0.0.0.0/1          102.64.16.1     vtun0       kernel     Yes
Yes  0.0.0.0/21                         vtun0       connected  Yes
Yes  102.64.16.0/21                     vtun0       connected  Yes
Yes  127.0.0.0/8                        lo          connected  Yes
Yes  128.0.0.0/1        102.64.16.1     vtun0       kernel     Yes
Yes  192.168.5.0/24                     switch0     connected  Yes
Yes  192.168.15.0/24                    switch0.15  connected  Yes
Yes  192.168.20.0/24                    switch0.20  connected  Yes
Yes  192.168.70.0/24                    eth0        connected  Yes
Yes  192.200.152.48/32  192.168.70.254  eth0        kernel     Yes

Network Management Solution Query


Hi,

Can anyone provide more information on the "Coming Soon" Network Management Solution from Ubiquiti?

I'm interested to know:

1. If all of the current EdgeRouters are supported?

2. Is it to replace or be a companion to the onboard OS?

 

Thanks,

Mitka

what it does charon process


Good night community 

 

i have an issue with my edge router ER-8PRO, i have a high CPU Usage 80-90%, looking into command top i can see this process is taking a lot usage

 

 

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
 3129 root      20   0  424m 282m 3412 S 128.4 14.2   4114:16 charon

 

any one knows what "charon" process do?

 

tnx for your time


Windows L2TP VPN very unreliable


So I have a L2TP over IPSec VPN setup on several different edgerouter Lite's, POE's, and X's.  

 

Android, iPhone, and Mac all connect without issue every single time.  Windows is another story.  Sometimes it will connect without issue.  Sometimes it will take some fiddling to get it to connect (cancel, reconnect, cancel reconnect, etc.).  Is there a VPN client that is more stable than the built in windows VPN tool?  I understand this probably isn't the fault of the firewall but windows crap VPN service.

Web Interface - Static Routes


I logged into the web interface to find the attached in the left column of the dashboard.

 

I definitely do not have 7,403 static routes. Actually, now it's 7,406.

 

The only thing I can think of is that I believe one of my openvpn tunnels has been flapping and perhaps causing the web interface statistics to keep incrementing when routes are injected after the interface comes up?

 

Via the CLI, all static routes look normal, so it only looks like a web interface issue.

 

EdgeOS 1.9.1

 

Regards,

Dave

 

 

Cron job runs at incorrect time - clocks seem ok


I use an Edgerouter Lite (Crontab) to boot my server at 7am.

 

The crontab job is set to 0 7 * * * but starts at 8am, when I change this to 1 7 * * * it starts at 7:14 am

admin@ubnt:~$ date
[Correct time] 
 
 
What is causing this?


Device is up to date

Problems forwarding port 80


Hello all, let me start by saying that I am brand new to Ubiquiti EdgeMax. I am having one hell of a time trying to forward port 80 to my web server. I have searched this forum and I found similar threads but nothing exact, so here we are.

I have a Raspberry PI set up as a web server on my network. When I enter the internal IP of the RPI (192.168.1.50) into my web browser the page will load just fine, but when I leave my network and try to access the page I get page can't be displayed. I have a DDNS set up through No-IP.com and when I enter that name into my browser from outside my network that is when I get the "page can't be displayed" error. When I enter that name while inside my network my Router home page will load. I have set up port forwarding to send traffic from port 80 to the IP of my RPI but still nothing. I have also deleted the port forwarding rule and tried to edit my "Wan to IN" rule set to allow port 80 to be forwarded.

What am I doing wrong? I have no doubt that the problem is user error.

EdgeRouter (ERL FW.1.9.1) Speed Issues


Hi

 

I have a symmetrical 1Gbs fiber connection. When I originally setup my ERL 2-3 years ago I had speeds around 950-980Mbs (up/down). Recently I ran a speed test and I just got 150-180Mbs.

 

I don't know if it has anything to do with my upgrade from FW1.9 to FW1.9.1 which somehow broke the DHCP service. Strangely, removing some static maps made it work again. But I don't think that this has anything to do with the speed issue.

 

Can you point me to any clues? Thank you in advance .

 

Cheers 
