Channel: EdgeRouter topics

Edgerouter Pro clients can't access the Internet


Hello. 

 

We have an EdgeRouter Pro configured with a static WAN port. We have all the firewall rules in place for masquerading; however, clients on the LAN still cannot access the Internet. The router itself has Internet access. 

 

Here is our config: 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 68.65.X.X/28
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
        vif 1010 {
            address 100.64.0.1/31
            description "NBRD Philly connection"
            mtu 1500
        }
        vif 1011 {
            address 100.68.0.1/31
            description "ACMA Connection"
            mtu 1500
        }
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        address 10.157.0.1/24
        description MGMT
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name MGMT {
            authoritative disable
            subnet 10.157.0.0/24 {
                default-router 10.157.0.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 10.157.0.5 {
                    stop 10.157.0.253
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
    }
    gui {
        http-port 80
        https-port 443
        listen-address 10.157.0.1
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "Masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        listen-address 10.157.0.1
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.1.4977353.170426.0429 */

Any suggestions would be greatly appreciated. Thank you. 


Edgemax VPN working via Phone on Wifi and LTE, but cannot get it to work via laptop OSX?


On my phone, I can connect to the VPN without an issue. However, on my OSX laptop, I cannot get it to connect. Both the phone and the computer are on the same WiFi; the phone works, but the laptop does not. 

 

Are there any specific settings I need on OSX to make it connect?

 

 

EdgeRouter Pro 8 to EdgeRouter X Site-To-Site VPN will establish, but no traffic will pass


I have an EdgeRouter Pro 8 at my home site and an EdgeRouter X at a remote site, both on firmware 1.9.1.1. I can get the VPN tunnel to establish but cannot get traffic to pass through the tunnel. I used the GUI to set up the routers and the VPN. I do have the "Automatically open firewall and exclude from NAT" check box checked. I have also gone through the past threads on this subject and tried the fixes but had no joy. I stripped the config back to a fairly basic one and need some advice from here. 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address x.x.x.x(WAN IP)/28
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address x.x.x.x(LAN STATIC IP)/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.1.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5001 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name Domain.com
    gateway-address x.x.x.x (WAN INTERNAL IP)
    host-name xxxxx-Edge-Pro
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Administrator
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash md5
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash md5
            }
        }
        site-to-site {
            peer x.x.x.x(REMOTE WAN IP) {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "VPN1"
                ike-group FOO0
                ikev2-reauth inherit
                local-address x.x.x.x(LOCAL WAN)
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix x.x.x.x(LOCAL LAN SUBNET)/24
                    }
                    remote {
                        prefix x.x.x.x(REMOTE LAN SUBNET)/24
                    }
                }
            }
        }
    }
}
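An added example (my code, not EdgeOS code and not from either poster) that serves the two configs posted above. It reads a `show configuration` dump in the brace format both posters pasted and reports what a reviewer checks first: whether an outbound masquerade rule exists, whether an explicit default route is configured (`system gateway-address` or `protocols static route 0.0.0.0/0`), whether IPsec proposals use md5 or 3DES, whether local accounts carry a `$1$` (md5-crypt) hash, and whether the web UI has `older-ciphers enable`. Read by eye against the first post, the pasted text contains no default route at all (the poster says the router itself reaches the Internet, so the route may simply be absent from the paste; `show ip route` on the box settles it) and the admin hash is `$1$`; against the second post it flags the `aes128/md5` proposals in both FOO0 groups. SAMPLE is constructed from those two posts with addresses and the hash replaced; the findings are observations to verify, not a diagnosis of either symptom.

```python
"""Lint an EdgeOS 'show configuration' dump. Added example, not EdgeOS code.
SAMPLE is constructed from the two configs posted above, with addresses and
the password hash replaced by placeholders."""

def parse_edgeos(text):
    """Brace syntax -> nested dicts: 'rule 5010 {' becomes key 'rule 5010',
    leaves map key -> value, repeated leaves (e.g. name-server) become lists."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue                      # blank line or version-banner comment
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, val = line.partition(" ")
            node = stack[-1]
            if key in node:               # e.g. a second name-server line
                node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [val]
            else:
                node[key] = val
    return stack[0]

def children(node, kind):
    """Yield (name, subtree) for blocks of one kind, e.g. ('ubnt', {...}) for 'user ubnt'."""
    for key, val in node.items():
        head, _, name = key.partition(" ")
        if head == kind and isinstance(val, dict):
            yield name, val

def lint(cfg):
    out = []
    svc, system = cfg.get("service", {}), cfg.get("system", {})
    # 1. Outbound NAT: without a masquerade rule LAN hosts cannot use the WAN.
    if not any(r.get("type") == "masquerade" for _, r in children(svc.get("nat", {}), "rule")):
        out.append("no masquerade rule under service nat")
    # 2. Default route: system gateway-address or protocols static route 0.0.0.0/0.
    static = cfg.get("protocols", {}).get("static", {})
    if "gateway-address" not in system and not any(
            n.startswith("0.0.0.0/0") for n, _ in children(static, "route")):
        out.append("no default route in config; verify with 'show ip route'")
    # 3. IPsec proposals: EdgeOS still accepts md5 and 3des, but they are obsolete.
    for kind in ("ike-group", "esp-group"):
        for gname, grp in children(cfg.get("vpn", {}).get("ipsec", {}), kind):
            for pnum, p in children(grp, "proposal"):
                if p.get("hash") == "md5" or p.get("encryption") in ("3des", "des"):
                    out.append(f"{kind} {gname} proposal {pnum}: weak "
                               f"{p.get('encryption')}/{p.get('hash')}")
    # 4. Local accounts: the value is a crypt(3) string; a $1$ prefix is md5-crypt.
    for uname, u in children(system.get("login", {}), "user"):
        if u.get("authentication", {}).get("encrypted-password", "").startswith("$1$"):
            out.append(f"user {uname}: md5-crypt ($1$) password hash")
    # 5. Web UI configured to offer legacy TLS ciphers.
    if svc.get("gui", {}).get("older-ciphers") == "enable":
        out.append("gui: older-ciphers enable")
    return out

SAMPLE = """
service {
    gui {
        older-ciphers enable
    }
    nat {
        rule 5010 {
            outbound-interface eth0
            type masquerade
        }
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password $1$constructed$notarealhash0000000000
            }
        }
    }
}
vpn {
    ipsec {
        esp-group FOO0 {
            proposal 1 {
                encryption aes128
                hash md5
            }
        }
        ike-group FOO0 {
            proposal 1 {
                encryption aes128
                hash md5
            }
        }
    }
}
"""

if __name__ == "__main__":
    for finding in lint(parse_edgeos(SAMPLE)):
        print("FINDING:", finding)
```

To use it on a live box, paste the output of `show configuration` in place of SAMPLE (or read it from a file). The parser keeps the first-word prefix in block keys (`ethernet eth0`, `rule 5010`) so the checks can be extended with the same `children()` helper.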

Little help with Traffic shaper on ER-L


I've read the article on QoS settings and I have a rough idea of how it works, but I need clarification on a couple of points.

 

I have an ER-L with 2 subnets, one corporate and one public, and I wish to guarantee the corporate side a minimum bandwidth for Internet traffic so that the public side doesn't eat it all up. The public side gets no guarantees.

 

Q1. If I set a class for the corp traffic originating from IP range x.x.x.x, do I need to set a class for the pub traffic or can I just let it fall under the default?

 

Q2. Do I need to set separate XXmbit values for IN and OUT traffic on the specified interface?

 

Thanks

 

I'm in need of a workaround for the bug that doesn't allow more than one concurrent L2TP VPN connection


I understand that it is a known bug that it is impossible to have two concurrent L2TP VPN connections into an EdgeMax. In the past, I was able to get around this by having one external system use a PPTP connection and the other L2TP. But Apple has dropped PPTP support from macOS, so now I'm stuck with L2TP for all VPN connections into my LAN. The users connecting in need my help (they are family members I support), and when I'm away from my LAN I also need to VPN into my LAN concurrently with them to be able to help them. Both use Macs.

 

I was wondering if there is a workaround for this. E.g. something like creating two L2TP setups side by side (just as I had PPTP and L2TP side by side)? Anything that doesn't require my users to do complex things.

 

Is there a workaround that will enable me to let them connect to my L2TP VPN setup while at the same time also enabling me to make such a connection?

OpenVPN client speeds


The EdgeRouter Lite seems to have a limitation on speed of around 5 Mbps as an OpenVPN client, due to a lack of hardware offloading I believe. Are there any other models that support offloading and speeds up to and around 50 Mbps?

 

Thanks

iBGP and default-originate edgeos 1.9.1 does not work


Hi,

 

I have a working configuration with 3 routers, all doing iBGP: 2x EdgeRouter Pro, 1x MikroTik.

I want the MikroTik to get a default route from the EdgeRouters (so the MikroTik gets 2 default routes).

 

This works great in the current firmware I'm using (currently 1.3, factory delivered).

After upgrading to 1.9.1.1 the default gateway is not populated over BGP anymore; the config hasn't changed.

Reverting back to 1.3 solves it, but it's a very old release, so I would like to use a newer one.

 

Is this a known issue, or has something changed so that the default route isn't sent?

 

show ip bgp neighbors <ip> shows: default not sent

In v1.3 it says: default sent

 

Any help would be very nice,

 

Thank you,

Robert

 

 

EdgeRouter POE not connecting to internet


Setting up the ER-PoE, I'm running into an issue with my cable modem. I have it plugged into eth0, and it pulls the IP information but will not connect to the Internet. I ran the WAN+2LAN2 config, and I have everything plugged in correctly as far as I can see. DHCP is working. But no surfing with the cable modem. 

 

When I have my backup Peplink 4G modem connected, it works just fine. I can't see why one works properly and the other just refuses to. 

 

Any thoughts? 


How to Force Interface to 1Gig


Is there a way to force an eth interface to 1 Gig? It was mentioned in a thread but I can't find anything on it.

prioritized / hierarchical multi-WAN failover?


What I want:

 

WAN 0: default route

WAN 1: failover-only (if WAN 0 down)

WAN 2: failover-only (if both WAN 0 and WAN 1 down)

 

 

What I'm considering doing instead, since we apparently can't currently do the above:

 

load-balance group G

WAN 0: weight 99

WAN 1: weight 1

WAN 2: failover-only

 

Will this work? Is there a better way? Thanks.

 

--Jon

Vrrp with port forwarding


I have configured two EdgeRouters with VRRP sync groups. VRRP is configured for both the WAN interface and the LAN interface. The Internet connection from the LAN is working fine with the LAN VIP as gateway.

 

However, when I configure port forwarding on the WAN interface, it is listening only on the interface IP and not on the VRRP VIP. I tried both options, firewall rules and the port-forwarding GUI, but nothing worked.

 

Any help on this is highly appreciated.

 

openvpn client timeout upon new config

Edgerouter Voip Connection not releasing


Hi all,

 

I've been running our EdgeRouter for about a year with no issues on the VoIP side (hosted PBX with hardware phones, about 15 handsets in total). Recently I have had a single phone at a time suddenly not being able to register. Looking at the conntrack table for the IP of the handset shows a connection. If I manually delete the connection, then it registers again perfectly fine.

 

I've had this happen to a couple of different handsets now, including one of a different brand.

 

The VoIP company just says they have not had any traffic from that handset since xx time, so it is being blocked somewhere.

 

I've just found the commands to disable the SIP ALG, but I found it strange that it has been running fine for over a year without one dropout. I've been on v1.9.1 since a couple of weeks after its release and haven't changed anything in the config. I have rebooted the router recently (due to electrical works; before that it had been up for a few months solid!). The issue is there before and after the reboot. It still only happens once every couple of weeks, but it is annoying, as it requires the command line to delete the connection, so it cannot be easily done by the end users.

 

Thanks,

 

Can't access other subnets


Hello, 

 

I'm having an issue where I can't access one subnet on my EdgeRouter from another subnet. I've been looking around for answers, but everything I see is pointing to either default-gateway configuration (configured correctly) or a firewall rule (could be, but I don't understand).

 

Currently this is my configuration:

eth1 is my WAN interface in subnet 192.168.0.0/24. It is running NAT and has the default firewall rules for accepting established IN and LOCAL.

 

eth2 is a server connection in subnet 192.168.200.0/30. This is the subnet I can't access. The server is statically configured correctly.

 

eth3-4 are my LAN connections assigned to switch0 in subnet 192.168.1.0/24.

 

Everything on the LAN works fine: DHCP, Internet connectivity, etc., with no issues. When I try to access my server connection I get nothing. I can't ping the port on the router or the server itself from a PC on the LAN. When I use the toolbox on the EdgeRouter, however, I can ping the server just fine.

 

Maybe I'm not understanding the firewall rules, or NAT is messing with it, but I don't understand how. The way I understand it, the traffic shouldn't have to pass through the firewall or NAT in order to reach the other subnet.

 

My goal with this was to hopefully have some sort of way to port-forward traffic for my server. By default, it is web managed, but I'm running another web service on a different TCP port. I want everyone on the LAN to be able to access the service, but not the web management portal. After looking ahead a bit I realize that this probably won't work how I'm thinking, but I can't figure out why I can't even ping between subnets to start.

help with a firewall blocking issue


I hope this is an easy question to answer and I hope I can explain it properly so that it's easy to understand.

We are implementing wireless in our manufacturing facilities to save costs on wiring these large warehouse-type buildings. Due to company policy, the wireless network cannot be on the same subnet as our wired/main network. So I am using EdgeRouters and ToughSwitches with APs to create a 192.168.2.1/24 subnet for these warehouse devices. The devices still need access to the Internet and to some of the computers on the main network that provide them with content.

I've set up the EdgeRouters to use NAT and masquerading, so that the main wired network is plugged into eth1 and assigned a static IP on the main network, and the rest of the router is set up as switch0 (ports 2-4) on the 192.168.2.1/24 network. I've disabled the firewall policy so that the computers on the 192 subnet can see the computers on the main network. This works pretty well: the computers on wireless can see the main network and get the information they need. The main network cannot get to the wireless network unless I add routes into the routing tables of specific computers, letting them know where the next hop is for the wireless network.

What I'd IDEALLY like to do is have the wireless computers only have access to the computers on the main network that they specifically need (the file server, web server, etc.), as well as being able to get out to the Internet (which means access to the router as well).

So I'd like to create a firewall ruleset that allows access to the specific IPs I want them to be able to get to on the main network (file server, web server, Internet gateway/router) and then drops everything else on the main network. 

I've played around with the firewall policy settings in the GUI and can't seem to figure it out to where it works. 

Any help would be GREATLY appreciated.


pf sense IPSEC to edge router


Hi all,

 

It just won't work. I tried the thread found here for older versions, but my EdgeRouter (EdgeRouter Pro v1.9.1.1) just won't connect to the pfSense (release 2.3.4). See attached configs. Does anyone have an idea?

 

Thanks!

 

 

pfsense log:


Jul 7 14:04:27 192.168.1.1 charon: 12[NET] <50> received packet: from XXXXXXXX[500] to XXXXXXXX[500] (152 bytes)
Jul 7 14:04:27 192.168.1.1 charon: 12[ENC] <50> parsed ID_PROT request 0 [ SA V V V V ]
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received XAuth vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received DPD vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received NAT-T (RFC 3947) vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> XXXXXXXX is initiating a Main Mode IKE_SA
Jul 7 14:04:27 192.168.1.1 charon: 12[ENC] <50> generating ID_PROT response 0 [ SA V V V ]
Jul 7 14:04:27 192.168.1.1 charon: 12[NET] <50> sending packet: from XXXXXXXX[500] to XXXXXXXX[500] (132 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[NET] <50> received packet: from XXXXXXXX[500] to XXXXXXXX[500] (372 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> remote host is behind NAT
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 7 14:04:28 192.168.1.1 charon: 12[NET] <50> sending packet: from XXXXXXXX[500] to XXXXXXXX[500] (372 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[NET] <50> received packet: from XXXXXXXX[500] to XXXXXXXX[500] (56 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> parsed INFORMATIONAL_V1 request 157683913 [ N(INVAL_KE) ]
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> ignoring unprotected INFORMATIONAL from XXXXXXXX
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> message verification failed
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> ignore malformed INFORMATIONAL request
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> INFORMATIONAL_V1 request with message ID 157683913 processing failed
Jul 7 14:04:57 192.168.1.1 charon: 12[JOB] <50> deleting half open IKE_SA after timeout

 

 

edge config part:

 

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group pfsense compression enable
set vpn ipsec esp-group pfsense lifetime 3600
set vpn ipsec esp-group pfsense mode tunnel
set vpn ipsec esp-group pfsense pfs disable
set vpn ipsec esp-group pfsense proposal 1 encryption 3des
set vpn ipsec esp-group pfsense proposal 1 hash sha1
set vpn ipsec ike-group pfsense dead-peer-detection action hold
set vpn ipsec ike-group pfsense dead-peer-detection interval 15
set vpn ipsec ike-group pfsense dead-peer-detection timeout 120
set vpn ipsec ike-group pfsense ikev2-reauth no
set vpn ipsec ike-group pfsense key-exchange ikev1
set vpn ipsec ike-group pfsense lifetime 28800
set vpn ipsec ike-group pfsense mode main
set vpn ipsec ike-group pfsense proposal 1 dh-group 14
set vpn ipsec ike-group pfsense proposal 1 encryption 3des
set vpn ipsec ike-group pfsense proposal 1 hash sha1
set vpn ipsec site-to-site peer XXXXXXXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXXXXXXX authentication pre-shared-secret XXXXXXXX
set vpn ipsec site-to-site peer XXXXXXXX connection-type initiate
set vpn ipsec site-to-site peer XXXXXXXX description tunnel_to_rz
set vpn ipsec site-to-site peer XXXXXXXX ike-group pfsense
set vpn ipsec site-to-site peer XXXXXXXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXXXXXXX local-address any
set vpn ipsec site-to-site peer XXXXXXXX tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer XXXXXXXX tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer XXXXXXXX tunnel 0 esp-group pfsense
set vpn ipsec site-to-site peer XXXXXXXX tunnel 0 local prefix 172.31.0.0/24
set vpn ipsec site-to-site peer XXXXXXXX tunnel 0 protocol all
set vpn ipsec site-to-site peer XXXXXXXX tunnel 0 remote prefix 192.168.1.0/24
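The pfSense log above shows Main Mode getting through the SA and KE/nonce rounds, then pfSense parsing an unprotected INFORMATIONAL from the EdgeRouter carrying N(INVAL_KE), after which the half-open IKE_SA times out. As an added example (my code, not from pfSense, strongSwan, EdgeOS or the poster), the script below reads that excerpt, groups lines by IKE_SA, records which payloads were exchanged in which direction, and maps charon's short notify names to their RFC 2408 types. INVAL_KE is INVALID-KEY-INFORMATION (type 17); in practice that is what a peer sends when the KE payload it received does not fit the Phase 1 DH group it believes was negotiated, so the first thing to compare is pfSense's Phase 1 DH group against the EdgeRouter's `dh-group 14`. The log also shows NAT-T being negotiated ("remote host is behind NAT"), so UDP 4500 has to pass in both directions, not only UDP 500. The RFC type numbers are fixed; the "usual cause" text in NOTIFY is my interpretation, not something the log states. Separately from the failure, both posted proposals use 3DES, which should be replaced by AES once the tunnel is up.

```python
"""Summarise a strongSwan (charon) IKEv1 negotiation from the pfSense IPsec
log. Added example, not pfSense or EdgeOS code. LOG is the excerpt from the
post above; the poster had already masked the public addresses as XXXXXXXX."""
import re

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] <(?P<sa>\d+)> (?P<msg>.*)$")
PAYLOADS = re.compile(r"^(parsed|generating) (\w+) (request|response) \d+ \[ (.*?) \]")
# Short notify names as charon prints them, with the RFC 2408 type and the usual cause.
NOTIFY = {
    "INVAL_KE": "INVALID-KEY-INFORMATION (17): KE payload rejected, usually a Phase 1 DH group mismatch",
    "NO_PROP": "NO-PROPOSAL-CHOSEN (14): no matching encryption/hash/DH proposal",
    "AUTH_FAILED": "AUTHENTICATION-FAILED (24): pre-shared key or identity mismatch",
}

def summarise(log):
    """Group lines by IKE_SA id <n>; record exchanges, notifies, NAT-T and outcome."""
    sas = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], {"exchanges": [], "notifies": [], "nat_t": False,
                                      "initiator": None, "outcome": None})
        msg = m["msg"]
        p = PAYLOADS.match(msg)
        if p:   # 'parsed' = received from the peer, 'generating' = sent by this side
            direction = "received" if p.group(1) == "parsed" else "sent"
            sa["exchanges"].append((p.group(2), direction, p.group(4).split()))
            for n in re.findall(r"N\((\w+)\)", p.group(4)):
                sa["notifies"].append((n, direction))
        if "is behind NAT" in msg:
            sa["nat_t"] = True
        if " is initiating a Main Mode IKE_SA" in msg:
            sa["initiator"] = msg.split(" is initiating")[0]
        if "deleting half open IKE_SA" in msg:
            sa["outcome"] = "half-open timeout"
        elif msg.startswith("IKE_SA") and "established" in msg:
            sa["outcome"] = "established"
    return sas

def diagnose(sa):
    """Operator-facing hints for one IKE_SA record."""
    hints = []
    payloads = [tok for _, _, toks in sa["exchanges"] for tok in toks]
    if sa["outcome"] != "established" and any(e[0] == "ID_PROT" for e in sa["exchanges"]):
        stage = "KE/nonce" if "KE" in payloads else "SA proposal"
        hints.append(f"Main Mode stalled after the {stage} exchange, before identities/auth")
    for name, direction in sa["notifies"]:
        hints.append(f"{direction} N({name}): {NOTIFY.get(name, 'see RFC 2408 section 3.14.1')}")
    if sa["nat_t"]:
        hints.append("NAT-T in use: UDP 4500 must pass in both directions, not only UDP 500")
    if sa["outcome"] == "half-open timeout":
        hints.append("Phase 1 never completed before the half-open timeout")
    return hints

LOG = r"""
Jul 7 14:04:27 192.168.1.1 charon: 12[NET] <50> received packet: from XXXXXXXX[500] to XXXXXXXX[500] (152 bytes)
Jul 7 14:04:27 192.168.1.1 charon: 12[ENC] <50> parsed ID_PROT request 0 [ SA V V V V ]
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received XAuth vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received DPD vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received NAT-T (RFC 3947) vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 7 14:04:27 192.168.1.1 charon: 12[IKE] <50> XXXXXXXX is initiating a Main Mode IKE_SA
Jul 7 14:04:27 192.168.1.1 charon: 12[ENC] <50> generating ID_PROT response 0 [ SA V V V ]
Jul 7 14:04:27 192.168.1.1 charon: 12[NET] <50> sending packet: from XXXXXXXX[500] to XXXXXXXX[500] (132 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[NET] <50> received packet: from XXXXXXXX[500] to XXXXXXXX[500] (372 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> remote host is behind NAT
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 7 14:04:28 192.168.1.1 charon: 12[NET] <50> sending packet: from XXXXXXXX[500] to XXXXXXXX[500] (372 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[NET] <50> received packet: from XXXXXXXX[500] to XXXXXXXX[500] (56 bytes)
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> parsed INFORMATIONAL_V1 request 157683913 [ N(INVAL_KE) ]
Jul 7 14:04:28 192.168.1.1 charon: 12[ENC] <50> ignoring unprotected INFORMATIONAL from XXXXXXXX
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> message verification failed
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> ignore malformed INFORMATIONAL request
Jul 7 14:04:28 192.168.1.1 charon: 12[IKE] <50> INFORMATIONAL_V1 request with message ID 157683913 processing failed
Jul 7 14:04:57 192.168.1.1 charon: 12[JOB] <50> deleting half open IKE_SA after timeout
"""

if __name__ == "__main__":
    for sa_id, sa in summarise(LOG).items():
        print(f"IKE_SA <{sa_id}> initiated by {sa['initiator']}: {sa['outcome']}")
        for h in diagnose(sa):
            print("  -", h)
```

The same parser works on the EdgeRouter side (`show vpn log` in EdgeOS prints charon's output in the same format), which is useful because the peer that sends the notification is the one whose log says why.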

 

 

 

Moving ERX to ER-PPoE5


I'm planning on switching between the ERX and the ER-PoE later today. Can I just upload the config backup from the ERX to the new router? 

Firewall with DPI is not working...


Hello community, 

 

I have a firewall with DPI blocking Netflix, but it is not working. It was working a few weeks ago; does anyone know why?

 

 

netflix.JPG

 

category.JPG

 

Tnx

NTP Date on Reboot?


Should the EdgeRouter automatically call NTP when restarting to get the correct date?

 

I live in a new neighborhood with a lot of construction, so we are still getting some power fluctuations and can lose power once or twice a week. When the router resets, it doesn't appear to get the correct date/time unless I go in and run 

 

set date ntp

That works fine, but it's odd that I have to run it every time the router resets.

 

Sorry...I wasn't clear. This is on an ERL running 1.9.1.1

Allowing Web Management for Single Host


Hello,

 

I'm completely terrible with firewall rules apparently, and I've already jacked up my network trying to do this, so I'll just ask here.

 

I'm trying to permit web access to a server only for a single host.

192.168.1.200 = Host

192.168.1.201 = Server

 

I tried creating a firewall rule with a permit action for TCP, a source address of 192.168.1.200, and a destination of 192.168.1.201 port 80. Then a rule to drop TCP traffic, no source address, and the same destination.

 

I applied the rule on switch0 (LAN) inbound. Nothing happened. Then I applied it on switch0 outbound. Again, nothing. I got fed up and applied it in every direction on switch0, and I brought the whole network down. Oddly, I was actually able to manage the server, but that was it. The Internet, router management, everything else was inaccessible.

 

So how do I go about blocking only port 80 on only my server for everyone except myself?  Other services running on the server still need to be accessed.
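Both the warehouse-wireless post above and this one come down to where an EdgeOS ruleset is attached and which traffic actually reaches it. As an added example (my code, not EdgeOS code and not from either poster), the script below models the evaluation EdgeOS performs: rules in ascending number order, first match wins, `default-action` otherwise, with the conntrack state available to the rules. It builds the ruleset the warehouse post asks for (the 10.0.0.0/24 main network and the server addresses are assumptions; the post gives none) and checks a few packets against it, and it models the point that defeats this post's attempt: two hosts in the same switch0 subnet exchange frames through the switch itself, so a ruleset attached to switch0 in any direction (`in` for traffic entering the router from the LAN, `out` for traffic the router sends towards it, `local` for traffic addressed to the router) never sees 192.168.1.200 talking to 192.168.1.201. A ruleset whose default-action is drop, attached as `local`, also cuts off DNS, the gateway and management of the router itself. Limiting port 80 on the server to one client therefore has to be done on the server (host firewall) or by putting the two hosts in different subnets/VLANs so the router routes, and can filter, between them. The `set` commands in the comments are my rendering of the modelled ruleset.

```python
"""Offline model of EdgeOS firewall evaluation. Added example, not EdgeOS
code: rules are tried in ascending number order, the first match decides,
otherwise default-action applies. router_sees() models traffic the router
never filters because switch0 forwards it at layer 2. The 10.0.0.0/24 main
network and the server addresses are assumptions; the posts give none."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    number: int
    action: str                                   # "accept" or "drop"
    src: Optional[str] = None                     # address or CIDR, None = any
    dst: Optional[str] = None
    dport: Optional[int] = None                   # destination port, None = any
    protocol: Optional[str] = None                # "tcp", "udp", ... None = all
    state: Set[str] = field(default_factory=set)  # {"established", "related"} ...

@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0
    protocol: str = "tcp"
    state: str = "new"                            # conntrack state at evaluation time

def _in(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules: List[Rule], default_action: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number); rule number None means default-action applied."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol and r.protocol != pkt.protocol:
            continue
        if not _in(pkt.src, r.src) or not _in(pkt.dst, r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.state and pkt.state not in r.state:
            continue
        return r.action, r.number
    return default_action, None

def router_sees(pkt: Packet, switched_subnets: List[str]) -> bool:
    """False when both hosts sit in one switch0 subnet: the switch chip forwards
    the frames and no 'in', 'out' or 'local' ruleset on the router is consulted."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return not any(s in n and d in n for n in map(ipaddress.ip_network, switched_subnets))

# Warehouse post: wireless 192.168.2.0/24 on switch0 may reach the file server,
# the web server and the Internet, nothing else on the main network.
# Equivalent EdgeOS commands (addresses assumed):
#   set firewall name WIFI_IN default-action accept
#   set firewall name WIFI_IN rule 10 action accept
#   set firewall name WIFI_IN rule 10 state established enable
#   set firewall name WIFI_IN rule 10 state related enable
#   set firewall name WIFI_IN rule 20 action accept
#   set firewall name WIFI_IN rule 20 destination address 10.0.0.10
#   set firewall name WIFI_IN rule 30 action accept
#   set firewall name WIFI_IN rule 30 destination address 10.0.0.20
#   set firewall name WIFI_IN rule 40 action drop
#   set firewall name WIFI_IN rule 40 destination address 10.0.0.0/24
#   set interfaces switch switch0 firewall in name WIFI_IN
WIFI_IN = [
    Rule(10, "accept", state={"established", "related"}),   # replies to main-network hosts
    Rule(20, "accept", dst="10.0.0.10"),                    # file server (assumed)
    Rule(30, "accept", dst="10.0.0.20"),                    # web server (assumed)
    Rule(40, "drop", dst="10.0.0.0/24"),                    # rest of the main network
]
WIFI_DEFAULT = "accept"   # Internet-bound traffic falls through to here

if __name__ == "__main__":
    for p in (Packet("192.168.2.50", "10.0.0.10", 445),
              Packet("192.168.2.50", "10.0.0.99", 22),
              Packet("192.168.2.50", "198.51.100.7", 443)):
        print(p.dst, evaluate(WIFI_IN, WIFI_DEFAULT, p))
    # Web-management post: .200 and .201 are both in 192.168.1.0/24 on switch0.
    print("router filters .200 -> .201:80?",
          router_sees(Packet("192.168.1.200", "192.168.1.201", 80), ["192.168.1.0/24"]))
```

Traffic from the wireless hosts to the router itself (DHCP, DNS, the gateway) is `local`, not `in`, so WIFI_IN does not affect it; attach a separate ruleset as `local` only if you also want to restrict that, and keep its established/related rule.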

 
