Channel: EdgeRouter topics
Viewing all 20028 articles

Can't immediately see other devices on same network.


Excuse me if this is a bit 'basic' but I am new to Ubiquiti gear.

 

My setup: EdgeRouter X + UAP AC Lite; 2 SSIDs, one for 2G and one for 5G, all under a single subnet. Set up using the basic wizard, and I added firewall rules for the VPN setup.

Firmware is the latest, 1.9.7, and also the latest on the UAP. The issues were also happening before the latest updates.

 

Problem:

It seems I have problems seeing other devices on the same network.

e.g. 1: On my MacBook, which is on Wi-Fi through the UAP on eth4, I want to see my Mac mini, which is on eth1 on the ERX. I always need to switch SSID (either from the 2G one to 5G or vice versa) before the computer pops up in the Shared section of the Finder sidebar. I can, however, use 'Connect to Server' to smb://192.168.1.101 and it will connect even when it is not showing up.

 

e.g. 2: Chromecasts are really patchy as to whether they show up or not on any device (I have tried either band). I have added them to the exception list under 'Block LAN to WLAN Multicast and Broadcast Data' on the UAP, but it doesn't seem to help.

 

e.g. 3: A robot vacuum thinks my phone is connecting remotely when the phone is on Wi-Fi; when I VPN (L2TP) into the ERX it then thinks it is on the same network.

 

I have looked at several settings like IGMP proxy (not on) and made sure there are no funny firewall rules. I don't seem to have seen any similar posts on the forums either. I am not even sure if this is an ERX or a UAP problem.

 

Any help appreciated.

 


1.9.7 pppoe client uptime is wrong on ER-3


Bad PPPoE uptime in my configuration:

 

User      Time        Proto  Iface   Remote IP    TX pkt/byte     RX pkt/byte
--------  ----------  -----  ------  -----------  ------  ------  ------  ------
xxxxxxx   946d17h17m  PPPoE  pppoe0  10.18.24.1   6.6K    957.2K  6.1K    3.0

ER8-Pro - hardware performance for VPN


Currently using OpenVPN over TCP on port 443.

Cipher is SHA512 AES-256-CBC.

 

Server is a $20 DigitalOcean droplet; the client endpoint is a Synology DS916+.

 

I'd like to move the client endpoint off the Synology and onto the ER8-Pro, but I'm not sure if the EdgeRouter hardware can support the speeds.

 

The screenshot below is for the droplet (OpenVPN server), which shows CPU at 36% and throughput at roughly 100+ Mbit. The Synology (VPN client) stayed within single-digit numbers for CPU utilization. I have no idea how to compare the hardware/performance of this setup vs the ER-Pro.

 

So the question is: can the ER8-Pro replace the Synology DS916+ as the VPN client endpoint and handle 100+ Mbit of VPN traffic?

 

[Screenshot: vpn_performance.PNG]

Cloud Key 2 IP Addresses


Hi

 

Please see my posted config.

 

Problem is as follows

 

I had unifi controller setup on a pc, this managed my wifi access points.

 

I then got rid of this setup and blanked the access points via PuTTY.

 

I connected the Cloud Key to my switch and it got an IP from DHCP of 192.168.1.151.

 

I have 2 access points that are on LAN 1 with 10.0.x.x IP addresses.

 

Once I connected the Cloud Key and reset the access points, they now show up with IP addresses of 192.168.1.x from VLAN 10. I don't know why this is, as they shouldn't be getting IP addresses from this scope; also, I can only connect to them via the 10.0.x.x addresses.

 

Any help or understanding of why this is happening would be great.

 

 

thanks 

1.9.7 hairpin NAT broken


1.9.7 hairpin NAT is broken.

 

The DNAT rule is on eth+ and it worked fine on 1.9.1.1.

 

EdgeRouter PPTP VPN Strangeness - Some LAN hosts respond others don't.


Hi All,

I have an EdgeRouter Lite and have configured the PPTP VPN as follows:

 

vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username MyUsername {
                        password MyPasswordHere
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.1.205
                stop 10.0.1.209
            }
            dns-servers {
                server-1 10.0.1.1
            }
            mtu 1492
        }
    }
}

My EdgeRouter eth1 IP range is 10.0.1.x/24, so the valid range is 10.0.1.1 - 10.0.1.255.

 

I can successfully establish a VPN Connection from remote location over the Internet and it seems fine.

The strangeness is that I have multiple hosts on the LAN, and I can connect to some of them but not all; a fair number do not seem to respond.

 

For example -

  • I have two servers at 10.0.1.71 and 10.0.1.72 on the LAN
  • When I establish the VPN connection I can ping 10.0.0.72 perfectly - it responds and I can use the server as if I were on the LAN
  • Pinging 10.0.1.71, though, gives "Reply from 10.255.254.0: Destination host unreachable."

When I am on the LAN with my client both respond fine, also from the CLI of the EdgeRouter I can ping both IP addresses fine.

 

Using a different VPN (SSL/SSTP to a VPN server on the network) works perfectly.

 

Does anyone have any advice on what I can try to resolve this?

 

Edge Router Lite New IP


I have an EdgeRouter Lite with firmware 1.9.1.1. I recently changed my provider and I have new IP addressing and a new gateway. So I went into the config tree and the eth1 options (which is the internet eth) and changed the IP addresses to the new addresses with a /29 subnet; I have 5 IP addresses. Then I changed the gateway to the correct gateway address, but I cannot get out on the internet with the above changes. Do I need to change anything else? I made the changes and rebooted the router and still nothing. I had to revert back to the backup I made before to get back online with the other service for now, until I figure out why I can't get the new service to work. If I configure a laptop with the new IP and gateway I can get online just fine, so I know the new connection is working.

 

Thoughts?
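One way to make the cutover and check it from the router itself, as an added EdgeOS CLI example that is not from the post. eth1 is the WAN port as in the post; 203.0.113.10/29 for the router and 203.0.113.9 for the gateway are placeholders for the new provider's values. EdgeOS can hold a default gateway in two places, `system gateway-address` and a `protocols static route 0.0.0.0/0`, and if the old provider's gateway is left behind in the one that was not edited, the new address commits cleanly while the stale next-hop still sits in the routing table. The example clears both before setting one.

```text
configure

# New WAN address on the interface that faces the provider.
delete interfaces ethernet eth1 address
set interfaces ethernet eth1 address 203.0.113.10/29

# Exactly one default gateway, in exactly one place.
delete system gateway-address
delete protocols static route 0.0.0.0/0
set protocols static route 0.0.0.0/0 next-hop 203.0.113.9

commit

# Verify before saving: is the route there, does the gateway answer ARP
# and ICMP on the new link?
run show ip route 0.0.0.0/0
run show arp
run ping 203.0.113.9 count 3

save
exit
```

If `show ip route` lists the new next-hop via eth1 but `show arp` never resolves 203.0.113.9, the link or the provider's provisioning is the problem rather than the configuration. The masquerade NAT rule keys on the interface name, not the address, so it needs no change; it is still worth confirming with `show nat rules` that its outbound-interface is eth1.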

ubnt-check-unms.sh >/dev/null 2>&1)


Since upgrading to 1.9.7, I'm seeing cron entries for this once a minute. Assuming I don't plan to be using the new network management system, is there any reason I shouldn't disable this? Any side effects on regular functionality if this script is disabled in crontab? What is the proper procedure for doing so in crontab and making the change persistent? Thanks.


VLAN setup


My wife's home office has a single ethernet drop, which feeds into a cheap TP-Link switch for her personal computer, printer and IP phone. But I want to separate her work computer from the household network.

 

Can I do this if I replace the TP-Link with a switch that supports VLANs? How would that setup work with the ER-Pro 8?

 

Thanks!
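How that looks on the EdgeRouter side, as an added EdgeOS configuration example that is not part of the post. Assumptions: eth1 is the ER-Pro port the office drop terminates on, VLAN 10 carries the household devices and VLAN 20 the work PC, and the subnets and DHCP ranges are chosen for illustration. The switch side is the same idea in the switch's own UI: the uplink port to the EdgeRouter carries both VLANs tagged, the work PC's port is an untagged member of VLAN 20, and the printer, phone and personal computer ports are untagged members of VLAN 10. The part that does the actual separating is the firewall, because EdgeOS routes between its directly connected VLANs unless a ruleset says otherwise.

```text
configure

# eth1 becomes a trunk: one sub-interface per VLAN, each with its own subnet.
set interfaces ethernet eth1 description "Trunk to office switch"
set interfaces ethernet eth1 vif 10 description Household
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 description Work
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24

# One DHCP scope and DNS listener per VLAN.
set service dhcp-server shared-network-name HOUSEHOLD subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name HOUSEHOLD subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name HOUSEHOLD subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.200
set service dhcp-server shared-network-name WORK subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name WORK subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name WORK subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200
set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.20

# Work VLAN: out to the Internet only. Replies come back via established/
# related; anything aimed at a private address (every other VLAN) is dropped.
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall name WORK_IN default-action accept
set firewall name WORK_IN rule 10 action accept
set firewall name WORK_IN rule 10 state established enable
set firewall name WORK_IN rule 10 state related enable
set firewall name WORK_IN rule 20 action drop
set firewall name WORK_IN rule 20 description "No work -> private networks"
set firewall name WORK_IN rule 20 destination group network-group RFC1918
set interfaces ethernet eth1 vif 20 firewall in name WORK_IN

# Household VLAN: the same shape the other way, so nothing at home can
# open a connection to the work PC either.
set firewall name HOME_IN default-action accept
set firewall name HOME_IN rule 10 action accept
set firewall name HOME_IN rule 10 state established enable
set firewall name HOME_IN rule 10 state related enable
set firewall name HOME_IN rule 20 action drop
set firewall name HOME_IN rule 20 description "No household -> work"
set firewall name HOME_IN rule 20 destination address 192.168.20.0/24
set interfaces ethernet eth1 vif 10 firewall in name HOME_IN

commit
save
exit
```

The `in` rulesets only see forwarded traffic, so DHCP and DNS to the router's own addresses are unaffected. If the work PC has to print, open exactly that with a rule numbered ahead of 20 in WORK_IN (tcp to the printer's address, port 9100 or 631) and nothing more; `show firewall name WORK_IN statistics` after an attempt to reach the household side from the work PC shows rule 20's counters moving, which is the check that the separation is in force.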

1.9.7 GUI blocked in iFrame


With the 1.9.7 FW, the GUI can no longer be iframed... Is there a setting or config that can be altered? I'm assuming this new version now sets the X-Frame header.

DHCP on WAN interface? (low-cost DHCP appliance)


Dear friends, I am trying to set up several DHCP servers on an EdgeRouter Lite so that I can use them with DHCP relays in other areas of the network. I will explain better:

I want to centralize the DHCP servers. I currently use Windows Server as the DHCP server, and on the switches/routers across the network I relay to the Windows Server IP. What we were thinking: is there a way to configure the EdgeRouter as a DHCP server for several subnets, just like Windows already does?

What I've tried:

I opened up everything on the EdgeRouter's firewall, put an IP /30 on the WAN (eth0) interface, and disabled the other two interfaces (eth1/2). Then I registered the DHCP servers with their respective subnets. Except that it does not deliver DHCP to the clients.


From what I read, it would only work if I had several VLANs on the equipment's LAN (example: eth2), each with its own IP, so that it can serve based on the interface IPs.


Could anyone help me figure out how to replace my current Windows Server 2008 with the EdgeRouter to provide DHCP to the various networks?

Edgerouter X SFP slow speed


Hi, I just got this router. My internet connection is 240 down, and when I connect directly to my cable modem I get a solid 240 Mbps. When I use this router I get anywhere between 80 and 120 Mbps. I can't get any higher speeds. That's really disappointing. Is that just the max this device can handle?

 

I just got it out of the box, plugged it in and ran the basic configuration, that's it.

 

Here's my config. Thanks!

 

Oh, PS: I've updated to the latest firmware.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
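The first thing to check on an ER-X before concluding the box is the limit, as an added EdgeOS example that is not from the post: hardware NAT offload. The configuration above has no `system offload` node, so every forwarded packet is being handled by the CPU, and on this platform the CPU, not the port, is then the ceiling. The commands below turn the offload on and read back what the router reports as offloaded.

```text
configure
set system offload hwnat enable
commit
save
exit

# Confirms which offload paths are active after the commit.
show ubnt offload
```

Re-run the speed test after the commit rather than after a reboot only; the change takes effect at commit time. Software shaping (smart-queue QoS) runs on the CPU regardless of this setting, so enabling it later brings a CPU-bound ceiling back.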

 

access points showing on wrong vlan


Hi

 

Please see my posted config.

 

Problem is as follows

 

I had unifi controller setup on a pc, this managed my wifi access points.

 

I then removed this setup and wiped the access points via PuTTY.

 

I connected the Cloud Key to my switch and it got an IP from DHCP of 192.168.1.151 (correct).

 

I have 2 access points that are on LAN 1 with 10.0.x.x IP addresses.

 

Once I connected the Cloud Key and set inform on the access points, they are showing in the UniFi controller as 10.0.x.x but also showing on my EdgeRouter as 192.168.2.x.

 

I can now connect to the access points via both 10.0 and 192.168; when I run info on the access points they show http://unifi:8080 and not http://192.168.1.151:8080.

 

Any help or understanding of why this is happening would be great.

 

 

thanks 

High Latency with ER-X in Games


After finally switching away from the FiOS router and getting my ER-X and UniFi AP AC Lite working, I started on a new expansion in one of my games.

 

I noticed I am getting abnormally high latency now with the ER-X. I usually was hovering around 30-40 ms and it's now sitting at 266-400ish. I have a brand new Cat 6 ethernet cord that I bought to use with the router. I switched between the old and new cord to see if that was the problem and was still getting bad ms.

 

Don't know how to solve this, lol. Total noob here.

How to set up WAN failover with static IPs


Is there a good example of how to set up WAN failover with static IPs?

I've been searching the forums for a while but can't find an example with exactly what I'm looking for.

 

I have the primary ISP on eth0 and backup ISP on eth1.

 

I created default routes for both of the WAN connections like so:

 

set protocols static route 0.0.0.0/0 next-hop <WAN1 Gateway> distance 1
set protocols static route 0.0.0.0/0 next-hop <WAN2 Gateway> distance 1

 

However, it seems to be routing everything out the failover ISP, even when the primary ISP is up.

 

Is the distance for the secondary ISP supposed to be 2?

Or am I supposed to create a separate routing table for each interface under load-balance like this?

 

set load-balance group WAN_FAILOVER interface eth0 route table 1
set load-balance group WAN_FAILOVER interface eth1 route table 2

 

I've set this up where both ISPs had dynamic IPs and it worked fine. It automatically created both default routes with distance 210, and it shows up like this:

S    *> 0.0.0.0/0 [210/0] via 2.2.2.2, eth1
     *>           [210/0] via 1.1.1.1, eth0

But it seems to pick the correct route (primary normally, and backup if primary fails).

 

I don't see why it's behaving differently with static IPs.

 

 

Thanks!
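A failover configuration for two static WANs, as an added EdgeOS example that is not from the post. It keeps the post's layout (primary ISP on eth0, backup on eth1) and assumes the LAN is on eth2 as 192.168.1.0/24, that 203.0.113.1 and 198.51.100.1 stand in for the two ISP gateways, and that the WAN_IN and WAN_LOCAL rulesets from the wizard exist. The point it illustrates is the one the post runs into: two next-hops at the same distance are installed as a single equal-cost multipath route, and the kernel hashes flows across both links rather than preferring one. Different distances make eth0's route the active one; the load-balance group is what moves traffic over when eth0's health check fails.

```text
configure

# Distinct distances: eth0's route is installed, eth1's is a fallback.
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1 distance 1
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1 distance 10

# Health checks and failover. failover-only keeps eth1 idle until eth0's
# test fails; lb-local covers traffic the router itself originates.
set load-balance group WAN_FAILOVER interface eth0 route-test type ping target 1.1.1.1
set load-balance group WAN_FAILOVER interface eth1 failover-only
set load-balance group WAN_FAILOVER interface eth1 route-test type ping target 9.9.9.9
set load-balance group WAN_FAILOVER lb-local enable
set load-balance group WAN_FAILOVER lb-local-metric-change enable

# Policy-route traffic entering from the LAN through the group, except
# traffic that stays inside the LAN, which keeps using the main table.
set firewall group network-group LAN_NETS network 192.168.1.0/24
set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 description "LAN to LAN stays local"
set firewall modify balance rule 10 destination group network-group LAN_NETS
set firewall modify balance rule 10 modify table main
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 modify lb-group WAN_FAILOVER
set interfaces ethernet eth2 firewall in modify balance

# eth1 faces the Internet all the time, not only while carrying traffic:
# it needs the same masquerade and the same WAN rulesets as eth0, or the
# router and the LAN are reachable unfiltered through the backup link.
set service nat rule 5011 description "masquerade for backup WAN"
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 type masquerade
set interfaces ethernet eth1 firewall in name WAN_IN
set interfaces ethernet eth1 firewall local name WAN_LOCAL

commit
save
exit

# Which interface is active, what the watchdog sees, and which default
# route is currently installed.
show load-balance status
show load-balance watchdog
show ip route 0.0.0.0/0
```

Pull eth0's cable and watch `show load-balance status` flip to eth1 and `show ip route` follow; plug it back in and confirm traffic returns to eth0. The WAN_IN/WAN_LOCAL lines are the ones to check first in an existing setup: a backup WAN added after the wizard ran is an interface with no firewall attached.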


Is lb-local still broken?


I've been reading a bunch of posts on the forum about lb-local not working properly when enabled. Has this been fixed in 1.9.1.1 or 1.9.7?

 

Thanks!

Trying to port forward external:4401 to internal:443 not working


 

Hello,

 

I have an EdgeRouter Pro with 3 network interfaces. eth0 is the internet, eth1 is internal1, and eth2 is another, internal2.

 

The goal is to enable http://publicip:4401 from the outside Internet to reach internal2:443.

 

I feel as if I followed all the instructions I've seen correctly. I even have other external<->internal forwards working (ones that have the same ports on both sides), yet this one is not.

 

Could you please help me out?

 

NOTE: I've sanitized the configuration. The public IP address is 2.2.2.2; there are 2 internal IP addresses, and 10.10.10.12 is the one I'm trying to get working (NAT rule 2).

 

NOTE #2: The other NAT rule (rule 1) works just fine.

 

NOTE #3:  There is no blocking of anything by any ISP.

 

Here is the rule I created for the firewall (only allow from home to the private IP on port 443):

 

        rule 23 {
            action accept
            description "R710 https port 4401 from home"
            destination {
                address 10.10.10.12
                port 443
            }
            log disable
            protocol tcp
            source {
                address 66.66.66.66
            }
        }

Here is the NAT rule I created to turn external 4401 into internal 443:

 

        rule 2 {
            description "R710 10.10.10.12"
            destination {
                address 2.2.2.2
                port 4401
            }
            inbound-interface eth0
            inside-address {
                address 10.10.10.12
                port 443
            }
            log enable
            protocol tcp
            type destination
        }

Here is the entire config:

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description ssh
            destination {
                port 22
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 22 {
            action accept
            description "mstsc to vmforsystem"
            destination {
                address 10.10.20.3
                port 3389
            }
            log disable
            protocol tcp_udp
            source {
                address 66.66.66.66
            }
        }
        rule 23 {
            action accept
            description "R710 https port 4401 from home"
            destination {
                address 10.10.10.12
                port 443
            }
            log disable
            protocol tcp
            source {
                address 66.66.66.66
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description ssh
            destination {
                port 22
            }
            log disable
            protocol tcp
            source {
                address 66.66.66.66
            }
        }
        rule 22 {
            action accept
            description "Allow HTTPS from home"
            destination {
                port 443
            }
            protocol tcp
            source {
                address 66.66.66.66
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 2.2.2.2/29
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.10.2/24
        description "VLAN20 Mgmt"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 10.10.20.2/24
        description "VLAN30 Firewall Public"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    lan-interface eth1
    wan-interface eth0
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description "mstsc to vmforsystem"
            destination {
                address 2.2.2.2
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 10.10.20.3
                port 3389
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 2 {
            description "R710 10.10.10.12"
            destination {
                address 2.2.2.2
                port 4401
            }
            inbound-interface eth0
            inside-address {
                address 10.10.10.12
                port 443
            }
            log enable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 2.2.2.1
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

 

Thanks in advance!!
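A way to find out which hop is dropping the connection, as an added set of EdgeOS operational commands that are not from the post; the addresses are the sanitized ones from the configuration above. The order of operations is what makes the counters meaningful: destination NAT runs in PREROUTING, before the WAN_IN ruleset sees the packet, so by the time rule 23 is evaluated the destination is already 10.10.10.12:443, which is what that rule matches. The counters and captures below show whether the packet reaches the DNAT rule at all, whether it is accepted after translation, and whether the inside host ever answers.

```text
# 1. From the outside (the post's "home" address, 66.66.66.66), open the port.
#    -k because the R710's certificate will not be issued for 2.2.2.2.
curl -vk --max-time 5 https://2.2.2.2:4401/

# 2. On the router: did NAT rule 2 match? Its counters live in the nat
#    PREROUTING chain, and the rule also has "log enable", so hits are logged.
show nat statistics
sudo iptables -t nat -L PREROUTING -n -v --line-numbers | grep -E '4401|10\.10\.10\.12'
sudo grep -i 'NAT' /var/log/messages | tail -n 20

# 3. Watch both sides of the router in two sessions: the SYN arriving on eth0
#    for 2.2.2.2:4401, and the translated SYN leaving eth1 for 10.10.10.12:443.
sudo tcpdump -ni eth0 'tcp port 4401'
sudo tcpdump -ni eth1 'tcp port 443 and host 10.10.10.12'

# 4. After translation WAN_IN must accept 66.66.66.66 -> 10.10.10.12:443.
#    Rule 23's counters say whether it fired; default-action drop counts the rest.
show firewall name WAN_IN statistics
```

Reading the result: a SYN that leaves eth1 and gets no SYN/ACK back is a problem on 10.10.10.12 (its own firewall, or a default gateway other than 10.10.10.2 so the reply never returns through the router), not on the EdgeRouter. If the handshake completes on eth1 and the client's request is then reset, the forward is working and the mismatch is the protocol: the inside service is on 443 and speaks TLS, so the client must use https://2.2.2.2:4401/ rather than http://.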

 

Remote management of an EdgeRouter that's ISP NAT'd


Hi all,

Wondering if you could provide some insight on how I might be able to accomplish a challenge I am facing. I work in South East Asia and have set up a customer using an EdgeRouter X with some UniFi gear behind the router. Because of the country I am in, most internet connections are NAT'd due to low IPv4 address allotments. My "public" IP is a 172.17.x.x/24 at the moment. I am wanting a way to be able to manage the EdgeRouter when I am not at the customer's location. It seems that making a persistent outbound connection might work. I have a SonicWALL TZ400 or an Ubuntu server I can connect to to provide that bridge. It doesn't seem the EdgeRouter supports a function of being a client, is that correct? I am running v1.9.7 at the moment. I know UNMS is an option down the road, but I'm not sure if it will do what I need right now. Thanks for any suggestions.
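An outbound tunnel that the router initiates, as an added EdgeOS example that is not from the post: EdgeOS can run an openvpn interface in `mode client`, so the ERX can dial out to an OpenVPN server on the Ubuntu box and the carrier-grade NAT in front of the customer never has to accept an inbound connection. Assumptions: the server is reachable as vpn.example.org on UDP 1194, the tunnel uses 10.8.0.0/24 with the server at 10.8.0.1, and the certificates have been generated on the server side and copied into /config/auth/, which survives firmware upgrades. The firewall lines are the part a management tunnel should never be without: the tunnel is treated as untrusted and may reach only the router's own SSH and GUI, only from the server's tunnel address, and nothing on the customer's LAN.

```text
configure

# Client-mode OpenVPN interface: the router connects out and reconnects
# on its own; keepalive makes a dead tunnel get torn down and redialled.
set interfaces openvpn vtun0 description "Management tunnel (outbound)"
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host vpn.example.org
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/mgmt-ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/erx-client.crt
set interfaces openvpn vtun0 tls key-file /config/auth/erx-client.key
set interfaces openvpn vtun0 openvpn-option "--remote-cert-tls server"
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 60"

# Only the management host, only to the router, only SSH and the GUI.
set firewall name MGMT_LOCAL default-action drop
set firewall name MGMT_LOCAL rule 10 action accept
set firewall name MGMT_LOCAL rule 10 state established enable
set firewall name MGMT_LOCAL rule 10 state related enable
set firewall name MGMT_LOCAL rule 20 action accept
set firewall name MGMT_LOCAL rule 20 protocol tcp
set firewall name MGMT_LOCAL rule 20 source address 10.8.0.1
set firewall name MGMT_LOCAL rule 20 destination port 22,443
set interfaces openvpn vtun0 firewall local name MGMT_LOCAL

# Nothing from the tunnel is forwarded into the customer's LAN.
set firewall name MGMT_IN default-action drop
set interfaces openvpn vtun0 firewall in name MGMT_IN

commit
save
exit

show interfaces openvpn vtun0
```

The server side is then the only thing that needs a public address and its own hardening (key-only SSH, the OpenVPN server with `remote-cert-tls client` so only the router's certificate is accepted). `--remote-cert-tls server` on the router side is what stops a host that merely holds a valid client certificate from impersonating the management server. Management sessions are `ssh` from the Ubuntu box to the router's tunnel address; if the customer later needs the LAN reachable over the tunnel, that is a deliberate rule in MGMT_IN, not a change to the default.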

routing problem local lan


Hi,

 

I'm using an ER-X as a load balancer. It is connected to an EdgeSwitch. There are also 2 servers (file server & AD/DHCP) and 2 clients (Win7 & Win10) connected to the same switch.
IP configuration is done via DHCP on a Server 2012. The network is 10.10.10.0/23.

I noticed that when I copy files from a server to a client, all the local LAN traffic is routed over the ER-X. This ends up at a speed of around 150 Mbit and not GBit as expected.
I'm pretty sure that is because all clients and servers have the ER-X IP as the default GW for 0.0.0.0/0.0.0.0.
route print gives the following:
Win7 client:
Network Destination   Netmask          Gateway      Interface    Metric
0.0.0.0               0.0.0.0          10.10.10.3   10.10.11.1   10
10.10.10.0            255.255.254.0    On-link      10.10.11.1   266

Win10 client:
Network Destination   Netmask          Gateway      Interface    Metric
0.0.0.0               0.0.0.0          10.10.10.3   10.10.11.9   25
10.10.10.0            255.255.254.0    On-link      10.10.11.1   281


10.10.10.3 is the er-x.

This looks standard to me.

 

The ER-X config is attached, but it is also nearly standard after the wizard (one more static rule and a DNS option added).


Can anybody help me with what to do so that local LAN traffic will not be routed over the ER-X? I used the wizard for setting up the load balancer.

Regards
Michael

Network groups not showing in web UI


I'm on an ER-8 Pro running 1.9.1.

 

I use a script consisting of wgetting blacklists and adding them to a network group with ipset.

That network group is then used in a FW rule to drop ingress traffic from these networks.

 

It works great, meaning that if I put a well-known IP in the network group, traffic from it is dropped.

With the ipset command in CLI, I can get the full list of the networks in the network group.

 

BUT, and here's the issue, in the web UI the network group shows, but with a member count of 0.

 

Is the networks not showing in the web UI something to be concerned about, or does it just not show beyond x entries?
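What to compare to decide whether the zero in the UI matters, as added EdgeOS commands that are not from the post. Assumptions: the group is called BLACKLIST, the drop rule lives in WAN_IN, the script loads entries with ipset directly rather than through `set firewall group network-group`, and the UI counts a group's members from the configuration rather than from the kernel set. Under those assumptions the two views are expected to disagree: the configuration (what the UI and `show firewall group` report) knows only members that were committed, while the rule matches on the kernel ipset that carries the group's name, which is where the script puts its entries. The last two steps are the two things that tend to go wrong with this pattern, a feed that is loaded without being checked and a set that is empty again after a reboot.

```text
# 1. What the configuration holds for the group (the source the UI shows).
show configuration commands | match 'network-group BLACKLIST'
show firewall group BLACKLIST

# 2. What the kernel is actually matching on: the ipset of the same name.
sudo ipset list BLACKLIST | head -n 8
sudo ipset list BLACKLIST | grep -c '^[0-9]'
sudo ipset test BLACKLIST 198.51.100.7

# 3. That the drop rule references the set and is counting hits.
sudo iptables -L WAN_IN -n -v | grep match-set
show firewall name WAN_IN statistics

# 4. Reloading a fetched list with no window where the set is empty, and
#    without trusting the feed: only lines that look like an IPv4 network
#    are accepted, so comments, stray text or a tampered line never reach
#    ipset. Assumes the feed was fetched over HTTPS to /tmp/feed.txt and
#    that BLACKLIST is a hash:net set, as EdgeOS network-groups are.
sudo ipset -exist create BLACKLIST_NEW hash:net
grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' /tmp/feed.txt \
    | sed 's/^/add BLACKLIST_NEW /' | sudo ipset -exist restore
sudo ipset swap BLACKLIST_NEW BLACKLIST
sudo ipset destroy BLACKLIST_NEW

# 5. Entries loaded this way are not in config.boot and are gone after a
#    reboot. Scripts in /config/scripts/post-config.d run after the boot
#    configuration has been applied, which is where the reload belongs
#    (update-blacklist.sh is a placeholder name for the poster's script).
sudo cp /config/user-data/update-blacklist.sh /config/scripts/post-config.d/
sudo chmod 755 /config/scripts/post-config.d/update-blacklist.sh
```

If step 2 shows the expected count and step 3 shows the rule's counters climbing, the zero in step 1 is cosmetic. The thing worth being concerned about is the opposite case after a reboot: the rule still references the set, the set exists because the configuration created it, but it holds nothing until the script has run again, so the window between boot and the first successful fetch is unprotected.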
