
Configuration advice - local traffic routing


Hi there,

 

I just upgraded from an EdgeRouter Lite to the EdgeRouter Pro, and I am looking at doing a more advanced setup.

 

I am bringing in a rack of servers soon and I want to put them on their own network separate from my home network.  This will allow me to do cool stuff like use QoS to rate limit the server network, have a separate bandwidth graph for the server port, and so on.

 

However I have pretty fast Internet here and I would also like to be able to use the servers locally.  I have two concerns here, I don't want the internal traffic to mess up my bandwidth stats, and I don't want the internal traffic to saturate the Internet connectivity for either network.  

 

So what I want to do is set up each network to have two ports on the EdgeRouter, use one port for Internet traffic on that segment, and use the other for routing between the two local subnets.

 

I tried getting it set up, but it was doing something weird by default where inbound traffic used one port and outbound traffic used the other (at least that's what it looked like was happening).

 

Is the configuration I want possible and can someone point me in the right direction?

 

To reiterate, looking at the diagram below, I want to have two networks.  I want to use the orange cable for Internet connectivity to that network.  I want to use the red cable for internal traffic between the LANs.

 

Thanks!

 Network Diagram (1).png

 

 

 

 

 

 

 

 

 


VPN Aggressive mode and PSK


EdgeRouter X v1.9.1

 

I need to create a VPN tunnel with a router that requires I use both Aggressive mode and PSK, I don't have control over that router.

 

At this point my understanding is that I have to edit /etc/ipsec.conf in order to do this. I thus have added "aggressive=yes" under "conn %default"

 

This works, until I reboot my EdgeRouter X.

 

I believe this is because I have set VPN settings via the Web UI and/or CLI. I found a reference that I should delete these settings and then my custom ipsec.conf won't be overwritten.

 

I am unsure how to do this. My current ipsec.conf doesn't show 100% of the VPN config settings. I don't know if I need to add more entries or if there is a separate file with other config settings for VPN. Do I delete all of VPN or only "vpn ipsec site-to-site peer xxx.xxx.xxx.xxx"?

 

Examples of things not in my ipsec.conf: dh-group,  pre-shared-secret, pfs.

 

Thanks,

-Mont

 

edgerouter-x routing problems


I'm new to the EdgeRouter family and the problem I have is that when I use the wizard to make 2 different networks on my EdgeRouter X I get different results every time I reset the device and start the wizard over.

scenario 1: I can ping the hosts between the networks with no problems

scenario 2: I can't ping anything between the 2 networks

scenario 3: I can ping from network 1 to network 2 but I can't ping from network 2 to network 1

nothing has been added to the configuration by me, it's the default from the wizard

the device has the latest firmware 1.9.1

the current state of the device now is:

network 1 : 192.168.2.0/24 on eth1

network 2 : 192.168.3.0/24 on switch0

internet is on eth0

both networks have internet connectivity

there is no communication between networks

any ideas or possible solutions are welcome

 

 

DNS forwarding stops after 1-3 weeks


Hi All,

I've been running the ER-X since FW 1.8 and love it! I've been having an issue though ... for the last few months ... it's time to put it to the forum for thoughts.

After running for 1-3 weeks my ER-X no longer provides DNS forwarding. The last time this happened, the web management interface was unavailable as well. The solution was to remove and re-apply power. After this I'm in good shape for 1-3 weeks again. I'm guessing that I've experienced this about 6 times now.

I'm currently on FW 1.9 (don't use 1.9.1 as it has an issue pushing out a domain name via DHCP), am powering the router via a US-16-150w, site to site IPSec and OpenVPN ... everything else is fairly straightforward. Config attached.

I just replaced the unit with a spare to eliminate any hardware issues and wanted to run the config (attached) by the forum while I'm waiting for the next 1-3 weeks to go by.

Any thoughts?

best,

James

VLAN tagged AND untagged


Can you set a port to accept both untagged traffic as VLAN-1 and VLAN-1 tagged traffic as VLAN-1? It appears possible on the EdgeMAX switches but this config seems to be considered "improper" by some admins, especially in the Cisco environment. Example here.

 

My primary goal is to have VOIP phones on VLAN-2 and PC data on VLAN-1. PCs connected directly to the switch will be transmitting untagged frames and all of the phones can be configured to send VLAN-2 tagged frames. My problem is a number of PCs are connected via the VOIP phone LAN passthrough and the phones can't be configured to pass the computer data untagged while tagging their own. So can a port handle both direct untagged PC data as VLAN-1 and data tagged as VLAN-1? How does the switch handle returning data frames, will it know to untag some and pass some as VLAN-1?

EdgeSwitch protocol 8100 is buggy


When trying to upgrade a ER-Pro5 to any of the latest firmwares, including v1.9.1 the system responds very slowly and spews out on the console:

 

Mar 26 22:24:54 r1 kernel: protocol 8100 is buggy, dev eth1

 

I'm not doing any QnQ, so not sure why I'm seeing this message.

 

Eth1 is configured with 4 vlans (vif 101-104), and connected to a 48 port EdgeSwitch in switch port mode trunk, with a pvid of 100.

 

1.7.0 seems to be the latest working firmware I can run, but this issue seems odd given that it's an EdgeSwitch connected to the EdgeRouter and causing so much grief...

 

 

Any suggestions on what may be going on?

DPI Categories no longer being updated/supported?


I've got an EdgeRouter X running v1.9.1 and trying to get this DPI stuff to be more useful but it looks like this build doesn't have it all wired up.

 

The tech article EdgeRouter - Deep Packet Inspection Engine for EdgeRouter dated 2/6/2017 indicates there should be an entry in /etc/cron.daily to invoke /usr/sbin/ubnt-update-dpi.  I don't have that entry.  Also when the command is run manually it returns 'No new signatures available'.

 

I downloaded the rule file that the update script references and the file was last created/modified 9/2/2016.  There are not any entries for any TopSites categories (regardless of capitalization) in the rule.xml file.

 

So I guess the little bit of research I've done indicates the feature isn't really being updated.  

 

Is this a feature that's in the process of dying on the vine?

New WISP Equipment Help


I am stuck on a new setup. I am trying to connect an Edgerouter Pro and Edgepoint S16 with Cisco SFP's and I do not get a link. I haven't tested the optical power or anything but I know both units are on because I can see TX light when I disconnect fibers. I just do not get a link. I had them connected with copper and it worked but when I switch to fiber I don't get anything. Not sure what to check for on either unit because this is my first time using them. Any help is appreciated.


EdgeRouter PoE switch


Good day all,

 

I'm looking at the EdgeRouter PoE and I would like to get your opinion on the following:

 

eth2 to eth4 are behind a hardware switch chip. How is the quality and performance of this switch chip?

Would I get better performance if I just use one interface port of the EdgeRouter and connect that to let's say an ES-8-150W and go to the rest of my LAN from there? Or would I get the same performance and stability if I use all the interfaces on the internal switch chip of the EdgeRouter and make the internal switch chip the "core" switch of my LAN?

 

Secondly, is there any way to get a readout of the PoE power draw from one of the interfaces of the EdgeRouter PoE? I tried some EdgeSwitch CLI commands but those don't work.

Block QUIC protocol in EdgeOS?

How to configure IPSEC protected GRE tunnels ? (Urgent)

ER-X-SFP power poe problem


Hi ,

Maybe someone has the same problem. I use an ER-X-SFP with all 5 ports on PoE, powering 5 Ubiquiti devices.

Sometimes one of these devices doesn't respond and then I must turn power off/on on the selected port and then it comes back. What's wrong with this ER-X-SFP? Known problem or maybe something wrong with my ER-X-SFP?

Does anyone use this ER-X-SFP with a full 5 devices on PoE ports without any problems?

Any ideas?

 

Apply firewall policy to VPN IPSEC


Hi All,


I have three IPsec VPNs. One of these VPNs has a vti interface assigned for routing and firewall; this is OK.

But I need to apply a firewall policy to a VPN without a vti interface. I can't create a vti interface in this VPN because of the clients' requirements.

In the current firewall all VPN connections have an interface, either with phase 2 configured with LANs or with 0.0.0.0

Any Idea?

dns options ignored from config


Hi there,


I try to set up zone transfer with additional dnsmasq options auth-* but it is completely ignored.

set service dns forwarding options auth-peer=10.206.250.204,172.31.254.1
set service dns forwarding options auth-zone=m73.tigoda.somedomain.tld
set service dns forwarding options auth-sec-servers=gns.m73.tigoda.somedomain.tld

after commit I try to fix any changes but didn't see any

ps auxwww |grep dnsmasq
dnsmasq   6299  0.0  0.2   5228  1260 ?        S    11:14   0:00 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service

cat /etc/dnsmasq.d/dnsmasq-dhcp-config.conf |grep auth-
empty output

What am I doing wrong?

 

user level operator


Hi there
I try to restrict access for an operator and use the preset level operator. How can this user change their own password?
How can I specify which commands can be executed through the CLI for operator level?


iptables


i'm looking at a purchase of the erlite-3 and have a question about iptables.

 

i have a fairly large iptables list from sles and openvms.  the sles is in cidr format of 163.0.0.0/8,

and the vms is in old bsd style of 171.0.0.0 255.0.0.0.

 

can i convert these two files into some form that can be imported into the rules as used by edgeos? i would rather not have to type these back in.  command line would be ideal.

 

thanks.
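
An added example, not part of the original post: a Python sketch that reads one network per line in either format the post mentions (CIDR such as 163.0.0.0/8, or address plus dotted netmask such as 171.0.0.0 255.0.0.0) and emits EdgeOS `set firewall group network-group` commands. The one-entry-per-line layout, the group name IMPORTED_NETS and the sample data are assumptions.

```python
import ipaddress

GROUP = "IMPORTED_NETS"  # hypothetical group name, not from the post

# Constructed sample input in the two formats the post mentions.
SAMPLE = """\
163.0.0.0/8
171.0.0.0 255.0.0.0
# comment lines and blank lines are skipped

192.0.2.0/25
192.0.2.128 255.255.255.128
163.0.0.0 255.0.0.0
"""

def parse_network(line):
    """Parse 'a.b.c.d/len' or 'a.b.c.d m.m.m.m'; return None for blanks/comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    if len(fields) > 2:
        raise ValueError(f"unrecognised entry: {text!r}")
    # strict=True rejects entries with host bits set; non-contiguous
    # netmasks are rejected by the ipaddress module itself.
    return ipaddress.IPv4Network("/".join(fields), strict=True)

def to_edgeos(text, group=GROUP):
    """Return EdgeOS commands adding every listed network to one network-group."""
    nets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            net = parse_network(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if net is not None:
            nets.append(net)
    # Drop duplicates and merge adjacent/overlapping ranges before emitting.
    merged = ipaddress.collapse_addresses(nets)
    return [f"set firewall group network-group {group} network {n}" for n in merged]

if __name__ == "__main__":
    print("configure")
    print("\n".join(to_edgeos(SAMPLE)))
    print("commit")
    print("save")
```

The generated lines only populate the group; a firewall rule still has to reference it before any traffic is matched.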

 

The DNAT Question


Hi All,


I have a big problem.

In my company I have two connections to the internet.
ISP1: 1 Public IP and velocity 300/300Mbps
ISP2: 16 Public IP and velocity 4/4Mbps

ISP1 is the default gateway for internet access for all users and servers.
ISP2 is the public network for services published to the internet.

I have followed the documentation of Policy-based routing (source address based)

https://help.ubnt.com/hc/en-us/articles/204952274-EdgeMAX-Policy-based-routing-source-address-based-

But this is simple when you have ten servers; I have 64 published services.

Following this manual, I have created 64 firewall WAN IN policies, 64 DNAT rules, 64 SNAT rules, and 64 modify policies.

Is it not possible to automate this process with some option?

In my opinion, if I have an input NAT rule, the output from that input port should be from the same output as the input ...

Please help with configuration


Hi together,

 

For someone who has done it before, maybe an easy thing. For me, after reading tons of help sites from ubnt, still clueless. Since I just don't want to copy and paste commands without knowing what happens exactly, I'm asking you to help me.

 

What i got:

- ER-X (10.10.10.3) on eth0

- 2x internet line (192.168.1.1, 192.168.2.1 as router) eth1+eth2

- local network at 10.10.10.0/23

- er-x updated to 1.9.1

 

what i want:

 

want to use the two internet lines as loadbalancing and use the er-x as vpn access point too. there is no radius.

VPN-Clients should get ip-range 10.10.10.50 to 10.10.10.60. or, if possible and routed a class c ip range. (192.168.5.x)

 

can anyone please help me with simple instructions?

 

 

Change VPN outside address


I had an EdgeRouter on a construction site where the ISP used static IPs.

Now the router has been moved to a new location and I need to change the outside address to DHCP in the VPN config.

Is there someone who can help?

 

Regards // Mike

VPN between EdgeRouter and cloud Linux server


Hi there

 

I am trying to add a VPN to existing structure, currently I have 4 edgerouters with IPSec setup between them.

 

Now I would like to add a cloud linux server to the VPN network. 

Please let me know what would be the best solution? 

 

OpenVPN or StrongSwan IPsec

 

if you have some detailed steps how to do so, please let me know

 

Thank you.

 
