Hi

I just migrated from 1043nd+openwrt to ER-X. Everything goes well except IPv6 prefix issue which causing me LOTS OF PAIN!

My ISP changes IPv6 prefix every 72 hours via automatically disconnecting PPPoE. Once this happens, all devices under switch0 will lost IPv6 connection since they all use the OLD prefix. The only way to solve this is to restart (or physically re-plug) interface on my machines to regain IPv6 connectivity.

Frimware: 1.9.7, eth4 = wan+pppoe, switch0 = eth[0-3]

Here is reproducible steps:

1. First, confirm that PPPoE is connected and check both IPv4 and IPv6 address is working on PC/mac via: ping google.com , ping6 ipv6.google.com

2. ssh into ER-X, type: disconnect interface pppoe0 && sleep 5 && connect interface pppoe0

3. check IPv4 and IPv6 address is still working on PC/MAC via: ping google.com , ping6 ipv6.google.com. (at this point, IPv6 can't connect to other sites)

IPv4 is still working correctly but not IPv6. I can see PC/MAC obtains the new IPv6 address but still uses the old one as default, which breaks the IPv6connectivity.

Really need to solve this, otherwise this issue will happen every 3 days

Possible solutions:

1. flash openwrt

2. Set a cronjob to restart ER-X every 3 days.

(both solutions are kinda stupid though)

My configuation:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WAN6_IN {
        default-action drop
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
    }
    ipv6-name WAN6_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1440
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            dhcpv6-pd {
                no-dns
                pd 0 {
                    interface switch0 {
                        host-address ::1
                        no-dns
                        service slaac
                    }
                    prefix-length 64
                }
                prefix-only
                rapid-commit enable
            }
            firewall {
                in {
                    ipv6-name WAN6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WAN6_LOCAL
                    name WAN_LOCAL
                }
            }
            ipv6 {
                address {
                    autoconf
                }
                dup-addr-detect-transmits 1
                enable {
                }
            }
            mtu 1480
            name-server auto
            password ****************
            user-id 123456789@hinet.net
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.8.1/24
        description Local
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    preferred-lifetime 259200
                    valid-lifetime 259200
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
    }
}
protocols {
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.8.0/24 {
                default-router 192.168.8.1
                dns-server 168.95.192.1
                dns-server 8.8.4.4
                lease 86400
                start 192.168.8.100 {
                    stop 192.168.8.131
                }
            }
        }
        use-dnsmasq disable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }

Any suggestion would be really helpful. Thank you.

Hi,

How do I configure firewall rule that will allow Internet access on interface ETH0 from interface switch0 and switch0.10, but no access from switch0.10 interface to IPs on switch0 interface ?

IP-range switch0 interface: 192.168.1.0/24 (Router 192.168.1.1)

IP-range switch0.10 interface: 172.16.2.0/24 (Router 172.16.2.1)

(EdgeRouter X firmware 1.9.7)

Hello all, 

my ER-X periodically drops my internet connection. It doesn't happen very often, at max once per day. 

When I take a look at the logs I get this messages:

Aug  5 12:26:16 Edgerouterx pppd[4367]: Connected to [mac-address] via interface eth4
Aug  5 12:26:16 Edgerouterx pppd[4367]: Failed to create pid file /run/pppoe-client-sessions/[ppoeusername]/[ppoeusername]@pppoe0: No such file or directory
Aug  5 12:26:16 Edgerouterx pppd[4367]: Connect: ppp0 <--> eth4
Aug  5 12:26:16 Edgerouterx pppd[4367]: PAP authentication succeeded
Aug  5 12:26:16 Edgerouterx pppd[4367]: peer from calling number [mac-address] authorized
Aug  5 12:26:17 Edgerouterx pppd[4367]: local  IP address [ip-address1]
Aug  5 12:26:17 Edgerouterx pppd[4367]: remote IP address [ip-address2]
Aug  5 12:26:17 Edgerouterx pppd[4367]: primary   DNS address [ip-address3]
Aug  5 12:26:17 Edgerouterx pppd[4367]: secondary DNS address [ip-address4]

I'm connected through a Draytek Vigor 130 DSL-Modem via PPPoE. The PPPoE username looks something like this "provider/username@online.de", maybe it has something to do with the slash in the username?

Any help would be appreciated. 

Hi All,

My edgemax is freezing periodically, I would say every 24 hours until reboot. Reboot fixes the issue but l honestly don't know what is going on. The only console output l can see as below:

INFO: rcu_sched self-detected stall on CPU { 2} (t=6527400 jiffies g=726294 c=726293 q=2515)
INFO: rcu_sched self-detected stall on CPU { 2} (t=6543154 jiffies g=726294 c=726293 q=2515)
INFO: rcu_sched self-detected stall on CPU { 2} (t=6574662 jiffies g=726294 c=726293 q=2515) 

The same message repeats endlessly until reboot. After reboot router works fine for another day. 

I have hdnat and ipsec offloading enabled, and l also have 2 ipsec vpns. So l am thinking on disabling offloading for now to see if this will fix the issue:

https://community.ubnt.com/t5/EdgeMAX/EdgeRouter-CPU-Stall-and-Restart/td-p/769012

Hi,

I have an edgerouter lite running v 1.9.7.

The ipsec/l2tp vpn has been operating since v 1.8 or so. The remote access clients I thought should be able to see each other in the 192.168.3.x/24 subnet which is assigned by the end lite for clients that successfully connect.

But they cannot even ping one another. 

Is there something I am missing?

TIA

 I have a  hill with solar panel and two12 volt batteries and a rocket 5 titanium pointed to a fiber company where I have my other rocket.   Also on the hill I have purchased two NBE-5AC-19 radios.  From my house I wish to point to one of them using another  NBE-5AC-19 radio .  And then from my other home I wish to point to the other radio (opposite side of hill).  Thanks to Dave's advice I purchased  an ER-X-SFP to be placed on the hill and connect the radios. 

Question for anyone that may be able to help:    At the home locations, will they each need a router ?  or is this new router going to handle all the DHCP for all the devices in the homes.  I  was hoping that I could have my home seperate, and use my own router (vlan??) .  I dont want the people living in the other home to have  direct access, but rather just trying to get them internet access.  I figured the radios would be point to multipoint as I also have a barn an a motorhome that I wanted to point up there, same thing - more of guest access .  Any ideas on this router/radio setup?

Thanks community.

I have two ports forwarded to two different devices on my LAN. ONe works (443) and one does not (1194)  Below is a screen shot of my Ports Forwarding tab, and a copy of my configuration. Can anyone reive this and see if I've done someting wrong, Please.

Thanks!

Admin@JSFHomeRTR:~$ show configuration                                          
firewall {                                                                      
    all-ping enable                                                             
    broadcast-ping disable                                                      
    ipv6-receive-redirects disable                                              
    ipv6-src-route disable                                                      
    ip-src-route disable                                                        
    log-martians enable                                                         
    name WAN_IN {                                                               
        default-action drop                                                     
        description "WAN to internal"                                           
        rule 10 {                                                               
            action accept                                                       
            description "Allow established/related"                             
            state {                                                             
                established enable                                              
                related enable                                                  
            }                                                                   
        }                                                                       
        rule 30 {                                                               
            action drop                                                         
            description "Drop invalid state"                                    
            state {                                                             
                invalid enable                                                  
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.0.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description NextcloudPortForward
        forward-to {
            address 192.168.0.90
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 2 {
        description PiVPN
        forward-to {
            address 192.169.0.91
            port 1194
        }
        original-port 1194
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name JSFHome {
            authoritative disable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 69.195.152.204
                dns-server 23.94.5.133
                domain-name jfrederick.com
                lease 3600
                start 192.168.0.21 {
                    stop 192.168.0.70
                }
                static-mapping JSF-iMac {
                    ip-address 192.168.0.22
                    mac-address 00:1f:f3:d8:d0:52
                }
                static-mapping adblockpi {
                    ip-address 192.168.0.92
                    mac-address b8:27:eb:9f:d5:53
                }
                static-mapping nextcloudpi {
                    ip-address 192.168.0.90
                    mac-address b8:27:eb:e8:b7:e3
                }
                static-mapping pidesktop {
                    ip-address 192.168.0.95
                    mac-address b8:27:eb:16:f1:9b
                }
                static-mapping svcspi {
                    ip-address 192.168.0.91
                    mac-address b8:27:eb:e1:c8:52
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service easydns {
                    host-name xxxxxx.xxxxxxx.com
                    login xxxxxxxxxx
                    password REMOVED
                    protocol easydns
                    server api.cp.easydns.com/dyn/tomato.php
                }
                web dyndns
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name jfrederick.com
    host-name JSFHomeRTR
    login {
        user Admin {
            authentication {
                encrypted-password REMOVED
            }
            full-name "Admin user"
            level admin
        }
        user Jeff {
            authentication {
                encrypted-password REMOVED
                plaintext-password REMOVED
            }
            full-name "Jeffery Frederick"
            level admin
        }
    }
    name-server 69.195.152.204
    name-server 23.94.5.133
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}

Hello,

Enabld RTSP Module in v1.9.7 without issue and can see it in new config.boot. 

Are there any metrics/stats to determine if its actually working? 

Thanks,

-- asterger

Hello,

Am trying to figure out how to do the following, seems like it should be simple, but searching through the documentation and forum posts I didn't find an example of someone doing this.

Have ERPoe-5 running 1.9.7 and currently setup like this:

Eth0 WAN
Eth1 LAN1
Switch0 (Eth2, Eth3, Eth4) LAN2

What I want to do is:

LAN2 access to WAN
LAN2 access to LAN1
LAN1 blocked from accessing WAN

Do not need name resolution for items on LAN1, they will all be static addresses. So I would want to simply address them by IP from LAN2

Basically I have items on LAN1 that may want to access the WAN but I don't want to let them. And I do want two sepparate LANs because there will be fairly high levels of traffic contained with LAN1.

Guidance?

TIA

I need some assistance with setting up a VPN client with policy routing- source and destination. After many different failed attempts, I'm reaching out to the community for help. Be kind, patient and detailed. I haven't seen a complete, step-by-step tutorial for what I'm trying to achive. 

Here is my setup

EdgeRouter X

Wan: Eth0

LAN: all other ports/switch

LAN: 192.168.2.x

DNSmasq: yes, it's cool

VPN provider: SmartDNSProxy, accepts PPTP, L2TP and OpenVPN. 

Policy Routing goals: route all traffic to the WAN. Only certain clients/static-ip to use the VPN and for certain destinations (e.g. hulu). 

Thanks

I have a smart tv I'd like to prevent receiving an ip address. It is on the network via an access point that's directly connected to port two of the ER-X. I'm beginning to suspect there's something fundamental I'm missing about the firewall policies that's preventing this from working. Any ideas?

Thanks!

I get the Fatal Error "Unable to load the router configuration" every time I am configuring an EdgeRouter and changing networks around.

The only way to re-gain access to the web GUI is to clear the browser cookies/cache. This has been an issue ever since I started using EdgeRouters and I always just work around it, but it's starting to get really frustrating now that I am configuring EdgeRouters more frequently.

I bet it's something pretty simple to fix in the GUI if investigated.

Can we please get it fixed UBNT?

I am currently running EdgeOS v1.9.7 on my EdgeRouter X.  I think I have everything working with DNS except when I try to use nslookup or dig to resolve my internal domain name, I get the following.  I appreciate any help I can get.

nslookup

> set q=any

> my.home

Server: 192.168.1.1

Address: 192.168.1.1#53

** server can't find my.home: NXDOMAIN

>

However, resolving hosts with and without the domain name works fine.  All hosts on 192.168.1.1 resolve just fine.

Here are the options I have set for DNS forwarding.

ubnt-router# show service dns forwarding

cache-size 400

listen-on switch0

name-server 8.8.8.8

name-server 8.8.4.4

options domain=my.home

options expand-hosts

options domain-needed

I have also tried the following options for dnsmasq, but they don't make any difference:

options bogus-priv

options local=/my.home/
options rev-server=192.168.1.0/24,127.0.0.1
options server=/my.home/127.0.0.1

When dnsmasq starts up, the following shows in the dnsmasq.log file:

dnsmasq[22472]: started, version 2.76-1-ubnt3 cachesize 400

dnsmasq[22472]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

dnsmasq-dhcp[22472]: DHCP, IP range 192.168.1.151 -- 192.168.1.250, lease time 1d

dnsmasq[22472]: using nameserver 8.8.4.4#53

dnsmasq[22472]: using nameserver 8.8.8.8#53

dnsmasq[22472]: using local addresses only for domain my.home

dnsmasq[22472]: using local addresses only for domain 1.168.192.in-addr.arpa

dnsmasq[22472]: read /etc/hosts - 11 addresses

ubnt-router# show service dhcp-server

disabled false

dynamic-dns-update {

     enable true

}

hostfile-update disable

shared-network-name LAN {

     authoritative enable

     subnet 192.168.1.0/24 {

         default-router 192.168.1.1

         dns-server 192.168.1.1

         domain-name my.home

         lease 86400

         start 192.168.1.151 {

             stop 192.168.1.250

         }

     }

}

use-dnsmasq enable

ubnt-router# show system

domain-name my.home

domain-search {

}

host-name ubnt-router

ip {

     override-hostname-ip 192.168.1.1

}

....

name-server 127.0.0.1

....

Thanks for any help in advance!!!!

Hello,

Here's a bug that would be great to see fixed. Just tested again on v1.9.7 - still exists.

When adjusting the OSPF network type to point-to-multipoint...such as:

set interfaces ethernet eth7 vif 2117 ip ospf network point-to-multipoint

It automatically sets the hello-interval to 30 seconds, overruling whatever value is entered for the ip ospf hello-interval. To set the hello-interval back to a specified value, you have to remove your old command (i.e delete interfaces ethernet eth7 vif 2117 ip ospf hello-interval) and then re-add it. Seems trivial...HOWEVER, as soon as the router is rebooted, the 30 second point-to-multipoint value returns (which means OSPF neighbor relationships break until you go and manually revert the hello timer with the said process again). Yikes! 

I haven't tested other OSPF network types at this point. Any advice? Quick fix?

-JeremyC

I noticed that there was a line in the 1.9.7 release notes:

• [Routing] Fix wrong number of routes shown in WebGUI. Discussed here

This may be a supplimental / similar issue. We have OSPF routes delivered over four load-balanced paths. The CLI shows all four of them...while the web GUI only shows two. You can see this below for the 10.223.0.0/24 and 10.10.70.0/24 networks. NOTE: I've obscured a few public IPs from the CLI output.

-JeremyC

Drifty Tables

Hi,

So I am trying to decide what Router to run at my IP Transit point for a small WISP. The EdgeRouter X SFP looks like a good option which is cheap and has PoE which I can use to power my Access Point from. I have a concern with running this Router at my IP Transit that hopefully, someone here can put to ease. So my concern is will this Router be able to handle large BGP tables? I don't intend to be sharing BGP tables with the upstream provider from the IP Transit until customers want public IP addresses at their CPEs. When customers start to want Public IP addresses I will have to start to share BGP tables with the upstream provider at the IP Transit and wanted to know if this Router will be able to handle them? If this Router can't handle large BGP tables then I will have to go with something like the EdgeRouter PRO or something. Any input is greatly appreciated.

Thank you,

From Ozar.

Hello,

I've recently bought an EdgeRouter POE device and I'm having difficulties to have it offload packets routing to hardware.

When testing my uplink which is 1 Gb/s I'm maxing at 25 MB/s and CPU is 100% although I've already reached 100MB/s with other devices.

I've read a lot of posts on hardware offloading and how it does not work with QoS but I'm not using it.

Here is my conf - https://pastebin.com/iurPjypZ, can someone help me to spot what is wrong on my conf?

Thanks in advance.

Hi,

I'm trying to set my EdgeRouter Lite as an openVPN client so all my devices in my LAN will go through Private Internet Access VPN.

I have followed Willie Howe video https://www.youtube.com/watch?v=B9dXiKhDVl0

and copied PIA files .ovpn files, a ca.crt file, and a crl.pem. and created userpass.txt file to /config/auth/ directory. then enter the follwoing commands, but its not working.

set interfaces openvpn vtun0 config-file /config/auth/sydney.ovpn

set interfaces openvpn vtun0 description 'Private Internet Access'

set interfaces openvpn vtun0 enable

set service nat rule 5000 description PIA

set service nat rule 5000 log disable

set service nat rule 5000 outbound-interface vtun0

set service nat rule 5000 source address 192.168.1.0/24

set service nat rule 5000 type masquerade

set service nat rule 5001 description default

set service nat rule 5001 log disable

set service nat rule 5001 outbound-interface eth2

set service nat rule 5001 source address 192.168.1.0/24

set service nat rule 5001 type masquerade

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

set firewall modify pia_route rule 1 description 'PIA'

set firewall modify pia_route rule 1 source address 192.168.1.0/24

set firewall modify pia_route rule 1 modify table 1

set interfaces ethernet eth2 firewall in modify pia_route

sydney.ovpn file

client

dev-type tun

proto udp

remote aus.privateinternetaccess.com 1198

resolv-retry infinite

nobind

persist-key

persist-tun

cipher aes-128-cbc

auth sha1

tls-client

remote-cert-tls server

auth-user-pass /config/auth/userpass.txt

comp-lzo

verb 1

reneg-sec 0

crl-verify /config/auth/crl.rsa.2048.pem

ca /config/auth/ca.rsa.2048.crt

disable-occ

i have attached the config file

Note: 1. i have removed/replaced nat rule, see attached screen shot, as i got some errors when i set the nat rules

and it was similar to 5000 not sure whether i did the right thing.

2. for the userpass.txt password i tried to use PIA login uaername/password and PPTP/L2TP/SOCKS Username and Password but its not working which user/password should i use login or PPTP/L2TP/SOCKS? 

3. on the EdgeOS Dashboard i can see ovpn show connected but no ip shown still connected to eth2, see attached screen shot.

4. didnt changed any firewall rules

5. not sure if static routes correct

At the moment PIA is not working, please let me know what i missed

Thank you

In one of my setups I want to apply a bandwith limit at night to a certain Client-IP. So far I don't know how thats possible.

Thanks for some input ;-)

I am at my wits end with setting up OpenVPN.  Every issue I run into I search and usually find the answer.  When setting up TLS auth configuration of local TLS files, I received the following error when attempting to commit:

OpenVPN configuration error: Specified cert-file "/config/auth/server.pem" is not valid.

Commit failed

I can't seem to find the solution after searching for some time.

Thanks for any assistance.