Channel: EdgeRouter topics

Help setting up set-top box IPTV


Hi

 

I have an ER-X router and I want to set up my set-top box correctly.

 

The tv is coming through coax but it needs internet for the tv guide and movies and things like that.

My ISP is Telenet (Liberty Global)

 

Normally it gets a local IP 192.168.0.x and an external IP from the ISP router. But because I have a modem-only and my own router I need to set it up myself, but I have no idea how. I've tried to use IGMP proxy but that didn't work (or I configured it wrong).

 

 

Is it possible to configure it somehow (with the mac address?) so that I can just connect it to a switch somewhere (like with the ISP router)? (This isn't necessary.)

 

Any ideas?

 

Thanks :)


OSPF and two default routes

How does OSPF in 1.9.1 handle having two default routes distributed into the routers?

Will it round robin packets to the default routes, cost base them, or flow base them?

EdgeRouter X as standalone VPN access point behind HP switch


Hi all,

 

I want to set up my EdgeRouter X as a dedicated VPN access point.

I want to hook up 2 ports to my HP switch: 1 for the incoming external IP and 1 for my internal IP.

So to be clear, I don't want the router to be in front of my switch; I want it to just act as a VPN and nothing more.

Can this be done? What's the best way to set this up?

New Setup Advice


Brand new to the Ubiquiti products, and need some advice on the best practice to set up my router.

I have a ERPoe-5, running v1.9.1

 

I have Internet through comcast (cable modem).

3 total switches

1 Wireless AP

 

Currently setup:

eth0 connected to the modem/Internet

eth1 Wireless AP

eth2 Switch (servers)

eth3 Switch (room1)

eth4 Switch (room2)

 

All clients need to connect to all other clients, as well as the Internet. 

Most clients support Gig-e, and will need to utilize it, so I'd like it optimized for speed.

DHCP needs to be enabled, on eth0

DHCP Server needs to be enabled on eth1, eth3 & eth4

Also needs to run a backup DNS server listening on all interfaces. (currently broken)

I'd also like to get traffic analysis data for each port, if possible.

 

Any advice would be greatly appreciated. 

EdgeRouter X clock always off


Hi,

 

I've got an EdgeRouter X whose clock is always off by 40 minutes. I've double checked the time settings and they are the same as an EdgeRouter Lite that I have on the same network and which always shows the correct time. I've tried toggling the Time zone (time zone to UTC and back) and NTP settings in the GUI but that doesn't help.

 

Thanks,

 

->g.

OpenVPN - Double Check my settings please?


Greetings. I am new to Edgerouter. After MANY hours of scouring forums, numerous guides (some with differing advice) and trial and error, I have my OpenVPN working!

 

I'm posting my settings to see if they can help anybody else, but also to see if any of you wise ones here can point out any improvements I can make -- either for performance or security.

 

If somebody is interested I can sanitize and post my Apple .mobileconfig file; I think I have on-demand VPN actually working correctly (at least for apps that do HTTP calls; my camera app that connects to an internal name on port 8000 is still not triggering it).

 

Thanks

 

My client ovpn file (I created this by hand; if there is a utility that can be run server-side to generate this with no errors I think that could help a lot of people).

 

client
dev tun
proto udp
remote MyDynamicName.com 1194
float
comp-lzo yes
push "comp-lzo yes"
keepalive 15 60
auth sha256
cipher AES-256-CBC
resolv-retry infinite
nobind
key-direction 1
<tls-auth>...</tls-auth>
<ca>...</ca>
<cert>...</cert>
<key>...</key>

And my Server Config.  I am pretty sure replace-default-route and push-route are redundant.  I may remove the default-route so my device (iPhone) can do split tunneling.  And add another subnet to push when I get my router working with an AWS VPC.

 

 openvpn vtun0 {
     description OpenVPN
     encryption aes256
     hash sha256
     mode server
     openvpn-option --duplicate-cn
     openvpn-option "--comp-lzo no"
     openvpn-option "--tls-auth /config/auth/ta.key 0"
     openvpn-option "--user nobody"
     openvpn-option --persist-key
     openvpn-option --persist-tun
     openvpn-option "--group nogroup"
     replace-default-route {
         local
     }
     server {
         name-server 192.168.0.1
         push-route 192.168.0.0/24
         subnet 10.99.99.0/24
     }
     tls {
         ca-cert-file /config/auth/cacert.pem
         cert-file /config/auth/server.pem
         dh-file /config/auth/dhp.pem
         key-file /config/auth/server.key
     }
 }

And my firewall:

show firewall name WAN_LOCAL
 default-action drop
 description "WAN to router"
 rule 4 {
     action accept
     description OpenVPN
     destination {
         port 1194
     }
     log disable
     protocol tcp_udp
     state {
         established enable
         invalid disable
         new enable
         related enable
     }
 }
 rule 10 {
     action accept
     description "Allow established/related"
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action drop
     description "Drop invalid state"
     state {
         invalid enable
     }
 }
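
A small review pass over the settings quoted in the post above, as an added example that is not part of the original post. It parses the brace-delimited EdgeOS blocks and the client file, then reports three things: the `--duplicate-cn` option, the differing `comp-lzo` values on the two sides, and the firewall rule that accepts `tcp_udp` for a tunnel whose client uses UDP. The sample strings are trimmed copies of the post's settings, and the function names and the choice of checks are this example's own.

```python
# Added example, not from the post. Sample inputs are constructed (trimmed from the post).
SERVER = """
openvpn vtun0 {
    mode server
    openvpn-option --duplicate-cn
    openvpn-option "--comp-lzo no"
}
"""
FIREWALL = """
rule 4 {
    action accept
    destination {
        port 1194
    }
    protocol tcp_udp
}
rule 10 {
    action accept
}
"""
CLIENT = """
proto udp
remote MyDynamicName.com 1194
comp-lzo yes
"""

def parse_edgeos(text):
    """Parse brace-delimited EdgeOS config into nested dicts of value lists."""
    root = {}
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip().strip('"'))
    return root

def parse_client(text):
    """Map each client directive to its argument string."""
    pairs = (l.strip().partition(" ") for l in text.splitlines() if l.strip())
    return {key: value for key, _, value in pairs}

def review(server_txt, firewall_txt, client_txt):
    """Return findings on settings that are wider than the tunnel needs."""
    findings = []
    opts = parse_edgeos(server_txt)["openvpn vtun0"].get("openvpn-option", [])
    client = parse_client(client_txt)
    if "--duplicate-cn" in opts:
        findings.append("duplicate-cn: clients sharing one certificate CN may connect concurrently")
    srv_lzo = next((o.split()[1] for o in opts if o.startswith("--comp-lzo ")), None)
    if srv_lzo and client.get("comp-lzo") not in (None, srv_lzo):
        findings.append(f"comp-lzo differs: server={srv_lzo} client={client['comp-lzo']}")
    port = client["remote"].split()[-1]
    for name, rule in parse_edgeos(firewall_txt).items():
        dest = rule.get("destination", {})
        if rule.get("action") == ["accept"] and dest.get("port") == [port] \
                and rule.get("protocol") == ["tcp_udp"] and client.get("proto") in ("udp", "tcp"):
            findings.append(f"{name}: accepts tcp_udp on port {port}; client uses {client['proto']} only")
    return findings
```

Calling `review(SERVER, FIREWALL, CLIENT)` returns one finding per check for the sample input, and an empty list once the three settings are tightened.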

OSPF into BGP and BGP default route into OSPF

So I am way over my head on this one and the vyatta wiki appears to be permanently down.

I need to advertise my ospf subnets out bgp to my provider only when my border router knows about them.

Conversely, I need to only advertise a default route into ospf when I have a connection to my upstream.

Anyone?

port forwarding WAN->LAN1 and also accessing the same external IP and service from LAN2


Hoping this makes sense :)

 

I have port forwarding set (WAN->LAN1) for an IMAP service and this works fine.  ((I use the Port Forwarding TAB plus add the allow rules in the WAN_IN policy))

 

How can I configure the router where I can connect from LAN2 to the same WAN IP and have it forward to LAN1?

 

Basically I need to keep the device (cell phone) and Gmail pointed to the external IP for IMAP connectivity while I'm on the road but I'd like things to also work when I'm home connected to LAN2 (WIFI).

 

Do I need a DNAT rule?  I am confused about what to put where in the DNAT configuration screen for Translations, Source, Dest ... 

 

any help appreciated.

 


Smart queue: Getting a very large bandwidth reduction


I'm trying out the Smart Queue feature on my Edgerouter Lite (running 1.9.0), but something seems wrong. This post here suggests that I should see a 5% drop in bandwidth, but I'm seeing a much larger drop.

 

My internet connection is a 100/100 MBit/s dedicated fiber and I usually observe an excellent line quality. In order to set up the smart queue, I just ran a speed test (getting 92/94 Mbit/s) and entered those values into the wizard fields as explained in this video.

 

A 5% bandwidth reduction would mean I should expect to see speeds in the neighbourhood of 87/90 MBit/s after I applied the smart queue. In reality however, I'm now getting speeds in the order of 65/68 MBit/s. That's way lower bandwidth than I expected.

 

Another thing which may or may not be important: After I applied the smart queue, when I run a speed test the Edgerouter is reporting CPU usage in the range of 50% to 80% while the test is running. Is the smart queue really that demanding or is something broken somewhere?

 

Edit: spelling.

--

Best regards,

Jes Hansen

OPENvpn performance tragically low - 100kbps


Hi folks,

 

I have implemented OPENvpn on five ERLs, all site-to-site (i.e. 5 sites, and clients behind each ERL can communicate with any client behind any router).

Ping is everywhere cca 2-6ms, regardless what PC pings what PC.

 

The ISP bandwidth (tested with speedtest.net) is approximately download 25MBps / upload 25MBps on all my sites, with 2-3 ms ping.

 

However if I download/transfer a file from one PC to another, then the real speed is 80-120kbps, which is not a workable solution at all.....

I tried changing encryption/cipher from 256 to 128, no change, disabling TLS, no change..., both LZO on and off, no change....

 

I am attaching config files of the two routers and the log file from the main router. Router 1 has a public IP, router 2 does not.

 

Thank you so much for help/hints

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

And one interesting thing (which has no connection to the performance, as the OPENvpn speed was slow since the implementation).

 

I realised that since last week, in the log file, there is no more indication from where (IP address) the ERLs are connecting.... I always saw lines in the log file of the main router saying ....

 edge33 openvpn[1617]: Peer Connection Initiated with [AF_INET]40.23.122.124:1197

(so I could see on the main router where OPENvpn is installed that someone connected from this IP)

 

but since last week I cannot see this IP, as the log shows this

 

 edge33 openvpn[1617]: Peer Connection Initiated with [AF_INET]192.168.1.1:1197

Now I cannot see the real IP address from where the ERL is connecting , and it seems as if the main ERL is making connections with itself???? (as the WAN IP of ERL is 192.168.1.99 and 1.1. is Gateway) 

 

 

 

 

 

Load Balancing over Unequal Links. WISP Design: Using OSPF to build a transit fabric over unequal


I found an article where a person used multiple VLan's w/OSPF to load balance unequal wireless links. 

On the surface, considering how little I know about this subject, this sounds like it may be the way to go. 

Was hoping someone is already doing something like this and can elaborate for me. Or read through this idea and tell me what you think.

WISP Design: Using OSPF to build a transit fabric over unequal links – StubArea51.com
http://www.stubarea51.net/2016/10/27/wisp-design-using-ospf-to-build-a-transit-fabric-over-unequal-links/

 

Edge Router ER-X PPTP VPN can't access LAN devices


Hi, 

 

I've setup the PPTP vpn on the ER-X as the documentation says and I've got a problem.

 

The VPN client is connecting fine (Windows or Android), I can reach the LAN IP of the ER-X, but I can't reach any other LAN device.

The PPTP DHCP pool for the clients is in another range than the LAN devices...

Any idea? The NAT masquerade is active on the WAN interface for the LAN and I only have the basic firewall rules for the PPTP VPN, nothing else is added.

 

The config is in attachment (only users and passwords were removed)

 

Any idea someone?

 

Thanks!

Edge Router Pro Routing Problem from Subnet to Subnet


Hello,

 

I'm new to Ubiquiti and have an Edge Router Pro in my hands for the first time.

What I have done until now:
In the Edge Router I started the Wizard Wan+2Lan2.

I set eth0 to DHCP and connected the cable to my ISP modem.

I set the IP address for eth1 to 192.168.0.254/24 and activated DHCP.
On the eth1 port I connected my laptop with a cable and got the IP address 192.168.0.1
from the DHCP server.

I set the IP address of eth2 to 192.168.14.249/24 without DHCP.

On this port I have a NAS server for testing with the IP address 192.168.14.1

That is all I have done until now....

So now when I want to connect from my laptop in the 192.168.0 network
to my test NAS server in the 192.168.14 network,
I cannot connect to or ping the NAS server!

Doesn't this router normally let me connect from one subnet to another?
Or what must I do for routing from one subnet to another?

Thanks for helping a newbie

Benny

Expert advice needed to string together multiple advanced functionality


I need some expert advice.

 

The thing is that I have already researched points below and although I know they are individually possible (and I could follow configurations individually) but the difficulty for me is having (a) all of these things work together (site to site connection with multicast forwarding, load balancing, link aggregation, VLAN) and (b) I basically have to pre-configure everything as I will only be on the remote site only later this year and for a very limited period of time (so I won't have time then to research and make things work). So, given my basic skillset in this domain I am reaching out for help.

 

So here goes nothing:

  1. I have an existing symmetric 100Mbps Fibre connection in Switzerland (Site1) configured and working on ER-X SFP. It all works great and even multicast from WAN (ETH5.10) is working properly on the LAN with igmpproxy, this is a very simple configuration with no VLAN etc. This is Router1 and I have a couple of TL-SG2008 immediately after the ER-X which feature IGMP snooping to avoid flooding the LAN with Multicast traffic. This WAN is on dynamic IP address.
  2. There is a second site (Site2) located a few thousand kilometers away (c. 200ms ping latency) in a country where internet connection is flaky and speed limited for each connections. On Site2 there are 2 separate internet connections with each 8-10Mbps with 2 separate providers over ADSL (let's call these connections Site2.WAN_A and Site2.WAN_B). Both WANs are on dynamic IP addresses
  3. What I am trying to do:
    1. On Site2, have a ER-X (or other UBNT product if necessary) (let's call this Router2) that will provide the following functionality:
      1. Connect to Internet Site2.WAN_A via ETH0, and Site2.WAN_B via ETH1
      2. VLAN_10 and VLAN_20 based on the ETH port through which local clients are connected; VLAN_10 for connections through ETH2, and VLAN 20 for ETH3
      3. For all clients connected on Router2.VLAN_10: load balancing for Site2.WAN_A and Site2.WAN_B (respectively on ETH0 and ETH1). Site2.WAN_A and Site2.WAN_B are unreliable so the configuration should work even if one of the two connections is down
      4. For all clients connected on Router2.VLAN_20;
        1. get IPs from reserved range assigned by Router1. All clients from Router2.Vlan_20 to appear on same subnet and as if part of same LAN as for all local clients of Router1.
        2. aggregate Site2.WAN_A and Site2.WAN_B connections from Router 2 (respectively on Router2.ETH0 and Router2.ETH1) to Router1.ETH5.10; the idea is to have up to 20mbs aggregated speed connection between Router1 and Router2.
        3. Router1 acts as internet gateway for all clients on Router2.Vlan20
        4. Router2.Vlan20 clients get access to multicast traffic available on Router1.switch0 (and which originates from Router1.eth5.10). IGMP snooping should prevent flooding the Router1-Router2 connection.
    2. All clients on Router1.switch0 should see all clients on Router2.VLAN_20 and vice-versa

 

Basically, from Site 2 I want to be virtually on the same network as if I was in Switzerland where I can access my NAS, multicast traffic, etc. The connection between router1 and router2 should be encrypted as Site 2 ISPs cannot be trusted.

Now for the really hard part. I am not yet on site 2, I will be by the end of the year and only for a handful of days then. So I would like to configure everything in advance before I leave, and if possible pre-configure the new Router2 ER-X before I leave and have a high degree of certainty that it will work when I get there.

So, can you guys help me set up the config for both Router1 and Router2? Is there anything unclear or missing in my question/description?

 

Many thanks in advance

No WAN firewall rules -- Risks?


Hello, all.

 

Was looking at my friend's ERlite today, and got into an argument about the need for firewall rules. They didn't run the basic setup wizard, and only had a snat masq rule. I feel you need at least the "default" WAN_IN and WAN_Local rules, but other than restricting HTTPS management access, I couldn't really provide any examples with certainty as to why you need them other than "you just do". My friend feels that with only a snat masq rule, nothing external will cause issues on the internal network.

 

What exactly do you protect against with the firewall rules on a residential connection? Specific resources would be helpful. While I would love ammo in this argument, I'm a bit embarrassed I don't know, and would love to learn.


Monitoring network connectivity using AWS CloudWatch


Hi everyone,

 

In an effort to keep track of the health of my home cable modem, I wrote a Python script for the Edgerouter that publishes a custom metric to AWS CloudWatch. Right now, it's pretty basic but I hope to get around to improving it. If you're interested in checking it out, I've published it on Github. Any feedback or pull requests are appreciated!

 

In a nutshell, the script is designed to run every minute (you can configure this) and will put a custom metric to CloudWatch. From there, you can graph the health of your network connection in CloudWatch and set an alarm whenever there hasn't been a metric published to CloudWatch in X number of minutes. Of course as long as the Edgerouter is running, we expect there to be a stream of metrics, so if the network connection goes down, CloudWatch can be configured to send an email notification.

 

Like I said, the script is pretty basic right now. It can be modified to do some helpful things like publish CPU and/or memory utilization but I haven't gotten around to it yet. I hope to have the time in the future to continue evolving this project. I just wanted to share in case others find it useful.

Basic and 2lan2 wizard the same?


In the manual it says several times that the Basic and Wan 2lan2 wizards are the same. Are they truly identical and if so then why have two of them?

Why is this router set up as a switch?


In the dashboard I see that there is a virtual interface labeled as "switch" that seems to take all traffic for the local subnet 192.168.1.0/24. I also see in the manual that this router bridges all the interfaces to act as a software switch. It also notes that this might introduce a small performance hit. Why not just leave them as routed ports and not bother with the software switch?

 

This is about the edgemax edgerouter X     5 port router.

Edgerouter Lite and Tivo Stream


I recently replaced an older ASUS wireless router with an Edgerouter Lite (the ASUS is now an AP). In the process I lost the ability to use Tivo Stream. Tivo works well with the TV on the network but the Stream (which allows an Android tablet to watch a Tivo recording) no longer works.

 

The home network is connected to eth1 on the ERL via a TP-Link switch (soon to be replaced by a Unifi Switch 8).

 

I can ping the Tivo and Tivo Stream from my PC, but cannot successfully use traceroute unless I force traceroute to use TCP or ICMP. Traceroute with UDP fails which appears to indicate that the ERL is blocking UDP?  I need specifically UDP ports 37, 123, 2190, and 5353 to work.

 

A few questions

1. Does the ERL block UDP on the home network?

2. If so, is there a way to enable UDP? Perhaps something like https://community.ubnt.com/t5/EdgeMAX/Getting-UDP-Broadcasts-across-subnets/m-p/1606592#M116606 ?

 

Any other ideas or suggestions most welcome!

 

thanks

 

Brad

Noob ER questions


After many struggles I've got my new USG and AP running, with a Pi running the controller! Yay! 

 

I also bought a EdgeRouter PoE 5 port switch to run the AP and future POE cameras. I have the ER running from an unmanaged switch, which is plugged into the USG. So USG is handing out IPs.. but the ER was also. So I found online how to change the ER running as a switch, but it seems to only act as a switch for eth3, eth4, and eth5. Is this true? I can't find how to add eth0 and eth1 to switch0. I suspect you can't.


The real question is, will this cause problems if I want to add three POE cameras and the POE AP, which if we add right, makes 4 POE ports. I know those ports are changed to POE in the UI, but do they also need to be part of switch0? Followup: will I be able to use eth0 and eth1 as POE? When a port is POE, is it simply doing a passthrough of the IP?

 

Hopefully that all makes sense. 
