
Booby trapped IPSec tunnel? Edgerouter crashes (and overheats?) when using ipsec tunnel


I have absolutely no idea how I've managed this, but if I try to access a host across my site to site vpn link the router gets really hot and turns itself off...

 

It's an ER-X powered by PoE (UniFi injector) that is also then powering an access point. WAN from a Virgin Media hub in modem mode, eth1 going to a dumb switch. Everything works absolutely fine, and the tunnel is showing as up.

 

If I ping -t a server in the remote site it's responding fine. But the second I browse to the router at the remote site I lose connection to the router here, then after about 20 seconds the access point turns off. The eth0 and eth1 lights stay on fine, but the router seems to get hotter. A hard reset fixes the issue.

 

I want to narrow down whether the same happens without the AP attached but my gf is getting sick of me "****ing the tv up".

 

Where do I even start...


ER-X with OpenVPN and Obfsproxy


Hello,

 

I'm currently running an OpenVPN server as a VPS on my private home rack server. Because I'm going to stay for a semester abroad, 6 months in China, I wanted to have a more reliable hardware-based solution for VPN. With UniFi APs in our house I have already started to become a big fan of Ubiquiti network hardware. It is important for me to have a reliable solution as I am not able to do any (physical) maintenance during my stay in China.

 

My main plan was to connect to my home network to access file shares or do some small maintenance on my rack or other network hardware. For that I wanted to use a paid VPN service which can obfuscate network traffic to bypass the Great Firewall, and then VPN into my home (VPN in VPN, which is possible with a few paid VPN services). I just started to read about obfsproxy, which could also obfuscate my traffic, and then I wouldn't be forced to use a paid service as well.

 

Has somebody already got obfsproxy working on an ER-X router and could share their experience? Is it working well? I just found a thread from 2015 where somebody tried to get it working at all: https://community.ubnt.com/t5/EdgeMAX/OpenVPN-obfuscation-for-censorship-circumvention-package/td-p/1269814

 

Thank you all!

 

Best Regards,

 

Sebastian

time-based URL filtering


Hi,

I am trying to implement time-based URL filtering for my EdgeRouter.

Trying to block local computers from accessing external sites at certain hours.

I am using squidGuard and the associated webproxy url-filtering.

 

The url-filtering works fine for "new" sessions that start inside or outside the defined time periods.

However existing sessions that transition from an unblocked time period to a blocked time period continue.

 

E.g. if it is a YouTube or Netflix video that is streaming during an allowed time period and it transitions to a disallowed time period, the video continues to stream.

Is there a way to prevent this?

 

Thanks in advance

EdgePower - Powered EdgePoint at a Distance 500+ feet


Are there any limits (as in length) for sending power over the EdgePower 54V port and still being able to power an EdgePoint16?

 

I currently have an EdgePower 150 (non dual power supply) and connect out around 500 feet to an EdgePoint16 connected with MM fiber.

 

Anything I should do differently, or add a second power supply?

 

Nothing is listed on the limits of the EdgePower sending power over the UBNT power cable.

 

 

Thanks in Advance!

ERX-SFP - RFC3442 - WAN Vlan subinterface dhcp issue


We are running ERX-SFPs for customer devices on an active Ethernet fiber network. After much futzing I've got a pretty reasonable (I think) configuration that allows us to provide Internet over the WAN (eth5) port and route voice to a subinterface (eth5.75). I'm doing RFC3442 routes on the eth5.75 interface telling it to use that interface for talking to our voice services and management. (Thanks to those on the forums who figured out how to do RFC3442 on these devices, and +10 to get it in the default firmware.)

 

All is good and works fine until you physically disconnect the eth5 (and thus the eth5.75) interface. When this is physically disconnected, it drops the routes (as I would expect) and drops the DHCP lease for eth5 (again as I would expect); however, it does not drop the DHCP lease for eth5.75. The eth5.75 IP persists, and when the interface is reconnected it still functions and can ping the gateway. However... since it did not have to do DHCP, and it dropped the routes when it was disconnected, it no longer has the routes that it got from the initial DHCP exchange, and our voice services and management can no longer talk to it.

Doing a:

renew dhcp interface eth5.75

from the command line, or just rebooting the box brings the routes back.

It also appears through empirical evidence, though I have not tested this yet, that the standard DHCP renew process does not tickle the RFC3442 exit-hook, as leaving these connected past their lease expiry time does not resolve the problem. Only the reboot or command-line renew seems to tickle the appropriate bits.

Any insights from the all knowers here?

 

PS - originally noticed in FW 1.9.1, but same result in FW 1.9.7

/thanks

/rh

Is it possible to use the EdgePoint-S16 as a managed switch with VLANs and as a simple switch?


Hello, I would like to know if it is possible to use the EdgePoint-S16 as a managed switch with VLANs and at the same time as a simple switch. For example, can I configure 8 ports to be untagged + 1 tagged SFP port, and 8 other ports + 1 SFP port as a simple switch? I uploaded a picture to give you an idea.

Create reports for traffic to specific IP


I would like to create (ideally) an app type that tells me total bandwidth per computer between that computer and an IP.

Firmware 1.9.7 terrible, completely broken

Hello

 

 

Tested firmware 1.9.7, but it is terrible: the dhcpclient renew is broken, deleting/disabling a route loops forever, and startup on the ER-PRO8 is slower, 10 minutes, where with 1.9.1 it was 1-2 minutes. Why put out alpha/beta as production? You are making people crazy. I hope Ancheng will be back to EdgeMAX development; he is the big man for this.

 


ER-Lite / v1.9.7 / DHCP do not apply default-route


Hey Guys,

 

what is wrong with you? ^^ :-)

 

How do I suppress ZEBRA from adding a default route on a DHCP interface?

# ip r s
default dev eth0  proto zebra

I did

configure
set interfaces ethernet eth0 dhcp-options default-route no-update
commit

How can I prevent insertion of the default route?

Or how can I send the default route to a different routing table?

Let's Encrypt install possible yet?

The Synology console now has an integration for Let's Encrypt. The certificate was requested and installed correctly after setting up a temporary CNAME to the subdomain; it requires a domain for configuration.

The cert was able to be selected and installed into the server. 

Is the same possible without configuration modification on the EdgeRouter ? I don't want to make configuration changes that could be undone with software updates. 

If there is a current process let me know. 


OpenVPN on Edgerouter Lite - connection problems


I'm new to VPN and trying to set up an OpenVPN connection to an EdgeRouter Lite. After following a bunch of internet tutorials, I managed to generate certificates and start the server. But when I try to connect it looks like something is happening, but not exactly what it should be. It looks like this:

 

Wed Aug 09 13:19:48 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2017
Wed Aug 09 13:19:48 2017 Windows version 6.1 (Windows 7) 64bit
Wed Aug 09 13:19:48 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Wed Aug 09 13:19:48 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Aug 09 13:19:48 2017 Need hold release from management interface, waiting...
Wed Aug 09 13:19:48 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Aug 09 13:19:48 2017 MANAGEMENT: CMD 'state on'
Wed Aug 09 13:19:48 2017 MANAGEMENT: CMD 'log all on'
Wed Aug 09 13:19:48 2017 MANAGEMENT: CMD 'echo all on'
Wed Aug 09 13:19:48 2017 MANAGEMENT: CMD 'hold off'
Wed Aug 09 13:19:48 2017 MANAGEMENT: CMD 'hold release'
Wed Aug 09 13:19:48 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 09 13:19:48 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.35.0.103:443
Wed Aug 09 13:19:48 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 09 13:19:48 2017 UDP link local: (not bound)
Wed Aug 09 13:19:48 2017 UDP link remote: [AF_INET]10.35.0.103:443
Wed Aug 09 13:19:48 2017 MANAGEMENT: >STATE:1502277588,WAIT,,,,,,
Wed Aug 09 13:19:48 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:19:50 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:19:54 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:20:02 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:20:18 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:20:48 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 09 13:20:48 2017 TLS Error: TLS handshake failed
Wed Aug 09 13:20:48 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Aug 09 13:20:48 2017 MANAGEMENT: >STATE:1502277648,RECONNECTING,tls-error,,,,,
Wed Aug 09 13:20:48 2017 Restart pause, 5 second(s)
Wed Aug 09 13:20:53 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 09 13:20:53 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.35.0.103:443
Wed Aug 09 13:20:53 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 09 13:20:53 2017 UDP link local: (not bound)
Wed Aug 09 13:20:53 2017 UDP link remote: [AF_INET]10.35.0.103:443
Wed Aug 09 13:20:53 2017 MANAGEMENT: >STATE:1502277653,WAIT,,,,,,
Wed Aug 09 13:20:53 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:20:56 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:21:00 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:21:08 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:21:25 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:21:53 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 09 13:21:53 2017 TLS Error: TLS handshake failed
Wed Aug 09 13:21:53 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Aug 09 13:21:53 2017 MANAGEMENT: >STATE:1502277713,RECONNECTING,tls-error,,,,,
Wed Aug 09 13:21:53 2017 Restart pause, 5 second(s)
Wed Aug 09 13:21:58 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 09 13:21:58 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.35.0.103:443
Wed Aug 09 13:21:58 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 09 13:21:58 2017 UDP link local: (not bound)
Wed Aug 09 13:21:58 2017 UDP link remote: [AF_INET]10.35.0.103:443
Wed Aug 09 13:21:58 2017 MANAGEMENT: >STATE:1502277718,WAIT,,,,,,
Wed Aug 09 13:21:58 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:22:00 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Aug 09 13:22:02 2017 SIGTERM[hard,] received, process exiting
Wed Aug 09 13:22:02 2017 MANAGEMENT: >STATE:1502277722,EXITING,SIGTERM,,,,,

And so on... Could someone please tell me what I should do first to diagnose what's wrong? For training purposes, the router is inside the LAN (10.35.X.X on the WAN port).

 

My OpenVPN config:

 

openvpn vtun0 {
    description OpenVPN
    local-port 443
    mode server
    openvpn-option "--comp-lzo no"
    protocol tcp-passive
    server {
        push-route 192.168.103.0/24
        subnet 192.168.200.0/24
        topology subnet
    }
    tls {
        ca-cert-file /config/auth/cacert.pem
        cert-file /config/auth/SERVER.pem
        dh-file /config/auth/DH.pem
        key-file /config/auth/SERVER-NOPASS.key
    }
}

Thank you.

EdgeRouter port forwarding getting blocked

firewall {                                                                      
    all-ping enable                                                             
    broadcast-ping disable                                                      
    group {                                                                     
    }                                                                           
    ipv6-receive-redirects disable                                              
    ipv6-src-route disable                                                      
    ip-src-route disable                                                        
    log-martians enable                                                         
    name WAN_IN {                                                               
        default-action drop                                                     
        description "WAN to internal"                                           
        rule 10 {                                                               
            action accept                                                       
            description "Allow established/related"                             
            state {                                                             
                established enable                                              
                related enable                                                  
            }                                                                   
        }                                                                       
        rule 20 {                                                               
            action drop                                                         
            description "Drop invalid state"                                    
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow port 80"
            destination {
                port 80
            }
            log disable
            protocol tcp
        }
        rule 22 {
            action accept
            description "Allow port 443"
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.0.0.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 10 {
            address 20.0.0.1/24
            description MediaFisken
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description "UniFi Discover"
        forward-to {
            address 10.0.0.50
        }
        original-port 3389
        protocol tcp
    }
    rule 2 {
        description "UniFi Remote Management"
        forward-to {
            address 10.0.0.50
            port 8080
        }
        original-port 8081
        protocol tcp
    }
    rule 3 {
        description "UniFi STUN/data collection"
        forward-to {
            address 10.0.0.50
        }
        original-port 3478
        protocol udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 84.200.69.80
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.100 {
                    stop 10.0.0.243
                }
                static-mapping rpiserver {
                    ip-address 10.0.0.50
                    mac-address b8:27:eb:3d:29:66
                }
            }
        }
        shared-network-name MediaFisken {
            authoritative disable
            subnet 20.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 20.0.0.1
                dns-server 84.200.69.80
                lease 86400
                start 20.0.0.50 {
                    stop 20.0.0.100
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 81
        https-port 8443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "Redirect port 80"
            destination {
                port 80
            }
            inbound-interface eth0
            inside-address {
                address 10.0.0.50
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "Redirect port 443"
            destination {
                port 443
            }
            inbound-interface eth0
            inside-address {
                address 10.0.0.50
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user XXX {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username LGG5 {
                        password ****************
                    }
                    username M8 {
                        password ****************
                    }
                    username SimsHP {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.0.200
                stop 10.0.0.210
            }
            dhcp-interface eth0
            dns-servers {
                server-1 10.0.0.1
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
        }
    }
}

When I try pinging my public IP on port 443 or 80, nothing happens.

Firewall rule WAN_LOCAL is catching the packets and dropping them.

It looks like the router GUI still "locks onto port 80".

I have no idea why. The GUI ports have been changed to avoid interference from the router.

 

Any ideas?
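An added example, not from the post and not an EdgeOS tool: a small Python parser for the brace-delimited config format dumped above, used to list which (protocol, port) pairs each named firewall ruleset accepts without a state match, so one can compare at a glance what WAN_IN and WAN_LOCAL admit. The config text embedded in it is a constructed, trimmed sample in the same format, not the poster's full configuration.

```python
# Constructed sample in the EdgeOS brace format used by the config dumps on
# this page; a trimmed illustration, not the poster's actual configuration.
SAMPLE_CONFIG = """\
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 21 {
            action accept
            description "Allow port 80"
            destination {
                port 80
            }
            protocol tcp
        }
        rule 23 {
            action accept
            protocol esp
        }
    }
    name WAN_LOCAL {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
}
"""


def parse_edgeos(text):
    """Parse EdgeOS brace config into nested dicts: 'key value' -> {key: value},
    'key {' opens a child block, 'key name {' -> {key: {name: {...}}}, and a
    bare flag such as 'enable-default-log' -> {flag: True}. A repeated leaf
    key (two dns-server lines, say) keeps only its last value."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
            continue
        if line.endswith("{"):
            parts = line[:-1].split()
            node = {}
            if len(parts) == 1:
                stack[-1][parts[0]] = node
            else:  # e.g. 'rule 10 {' or 'name WAN_IN {'
                stack[-1].setdefault(parts[0], {})[" ".join(parts[1:])] = node
            stack.append(node)
            continue
        key, sep, value = line.partition(" ")
        stack[-1][key] = value.strip().strip('"') if sep else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def accept_rules(config):
    """Per ruleset: accept rules as (number, protocol, dest port, matches_state)."""
    result = {}
    for name, ruleset in config.get("firewall", {}).get("name", {}).items():
        rows = []
        rules = ruleset.get("rule", {})
        for num in sorted(rules, key=int):
            rule = rules[num]
            if rule.get("action") != "accept":
                continue
            stateful = any(v == "enable" for v in rule.get("state", {}).values())
            port = rule.get("destination", {}).get("port", "any")
            rows.append((int(num), rule.get("protocol", "any"), port, stateful))
        result[name] = rows
    return result


def exposed_ports(config, ruleset):
    """(protocol, port) pairs the ruleset accepts without a state match, i.e.
    new inbound connections it admits; port 'any' means every port."""
    rows = accept_rules(config).get(ruleset, [])
    return {(proto, port) for _, proto, port, stateful in rows if not stateful}


if __name__ == "__main__":
    cfg = parse_edgeos(SAMPLE_CONFIG)
    for name in cfg["firewall"]["name"]:
        print(name, sorted(exposed_ports(cfg, name)))
```

Point the parser at a full `show configuration` dump to see every named ruleset; source-address and interface matches are not summarised here, so a rule that appears as "tcp/80" may still be narrowed by other match fields.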

Firewall rule for VPN Clients?


Hi All,

 

I have an EdgeRouter Lite with an IPsec/L2TP VPN setup. Clients are able to connect and are assigned an address in the 192.168.3.x network. The local LAN network is 192.168.10.x.

 

I would like to be able to access a web server (port 80) on a VPN client from a machine on the LAN.

 

At this time I can ping the VPN client at 192.168.3.90 from the LAN machine at 192.168.10.131. I can also see that port 80 and port 22 on the VPN client are listening (using MS portqry).

 

When I attempt to open a browser and point it at the web server at 192.168.3.90, the page does not load.

 

How can I troubleshoot this?

 

Here is a sanitized config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description RDP
            log enable
            protocol rdp
        }
        rule 22 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 23 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 24 {
            action accept
            description AH
            log disable
            protocol ah
        }
        rule 25 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 26 {
            action accept
            description GRE
            log disable
            protocol gre
        }
        rule 27 {
            action accept
            description VNC
            destination {
                port 5900
            }
            log disable
            protocol tcp
        }
        rule 28 {
            action accept
            description UnifiVideoHTTPS
            destination {
                port 7443
            }
            log disable
            protocol tcp_udp
        }
        rule 29 {
            action accept
            description UnifiVideoHTTPSStream
            destination {
                port 7446
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description UnifiVideoHTTP
            destination {
                port 7080
            }
            log disable
            protocol tcp_udp
        }
        rule 31 {
            action accept
            description UnifiVideoStream
            destination {
                port 7445
            }
            log disable
            protocol tcp_udp
        }
        rule 32 {
            action accept
            description Unifi
            destination {
                port 8443
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description ssh
            destination {
                port 22
            }
            log disable
            protocol tcp
        }
        rule 4 {
            action accept
            description www
            destination {
                port 80
            }
            log disable
            protocol tcp
        }
        rule 5 {
            action accept
            description https
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 6 {
            action accept
            description "ESP (50)"
            destination {
                port 50
            }
            log disable
            protocol tcp_udp
        }
        rule 7 {
            action accept
            description "IKE (500)"
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 8 {
            action accept
            description "Allow L2TP"
            destination {
                port 1701
            }
            log disable
            protocol tcp_udp
        }
        rule 9 {
            action accept
            description "NAT-T (4500)"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 11 {
            action accept
            description GRE
            log disable
            protocol gre
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.10.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    rule 1 {
        description imd03a_RDP
        forward-to {
            address 192.168.10.32
            port 3389
        }
        original-port 3389
        protocol tcp_udp
    }
    rule 2 {
        description lr3_VNC
        forward-to {
            address 192.168.10.20
            port 5900
        }
        original-port 5900
        protocol tcp_udp
    }
    rule 3 {
        description UnifiVideoHTTPS
        forward-to {
            address 192.168.10.32
            port 7443
        }
        original-port 7443
        protocol tcp_udp
    }
    rule 4 {
        description "Unifi VideoHTTPSStream"
        forward-to {
            address 192.168.10.32
            port 7446
        }
        original-port 7446
        protocol tcp_udp
    }
    rule 5 {
        description Unifi
        forward-to {
            address 192.168.10.32
            port 8443
        }
        original-port 8443
        protocol tcp_udp
    }
    wan-interface eth1
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.5
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.248
                }
                unifi-controller 192.168.10.32
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "exclude ipsec local to remote"
            destination {
                address 192.168.0.0/24
            }
            exclude
            log disable
            outbound-interface eth1
            protocol all
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
        rule 5001 {
            description "exclude ipsec local to remote"
            destination {
                address 0.0.0.0
            }
            exclude
            log disable
            outbound-interface eth1
            protocol all
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
        rule 5002 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name EdgeRouterIMD
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.5.7 {
            facility all {
                level warning
            }
        }
    }
    task-scheduler {
        task update_blacklists {
            executable {
                path /config/scripts/update-dnsmasq.pl
            }
            interval 1d
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        site-to-site {
            peer 208.y.y.y {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ""
                ike-group FOO0
                ikev2-reauth inherit
                local-address 24.x.x.x
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.10.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server 192.168.10.5 {
                    key ****************
                }
            }
            client-ip-pool {
                start 192.168.3.60
                stop 192.168.3.90
            }
            dns-servers {
                server-1 192.168.10.5
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 43200
            }
            outside-address 24.x.x.x
            outside-nexthop 24.x.x.y
        }
    }
}

EdgeMax Breaking the 254 client barrier


Is there a way to configure DHCP on the EdgeMax to go to more than 254 DHCP clients?

Let's say: addresses of 10.0.0.100 - 10.0.1.254, giving us 154 + 254 = 405 usable DHCP addresses in one pool.

I know it has something to do with subnetting and setting your DHCP to something to make it work.

ER-Lite --> V 1.9.7

Thanks in Advance!

Router without DHCP


I'm trying to set up an EdgeRouter and I have an external DHCP server. I'm connecting to a LAN on eth0 and want to bridge that LAN to eth1 (which I can do). What I don't understand is how to set up the LAN on eth2, which has a different subnet. I still need to be able to reach network 1 and the WAN. What do I need to do? Hopefully this picture helps. Please let me know if you need more information.


1 ERPOE-5 Edge Router with UniFi AC Pro Access Point - Simple setup instructions?


Hello, I have:

1 ERPOE-5 Edge Router

1 UniFi AP-AC PRO Access Point

They currently have default configs. I would like instructions on how to set them up for a home wireless network. It would seem a very simple setup that has eluded me.

Can anyone provide me a step by step for setting up these two devices to work together?

Is there a way to log port forwarding?


All -

I cannot find a way to log traffic flowing through a port-forward. I need it for debugging and verifying operation.

Is the only way to not use port-forward and build it manually somehow?

Thanks

s

EdgeSwitch 16-Port 10G won't assign DHCP addresses - IPv4


We're using our EdgeSwitch as a router and DHCP server. After a prolonged power outage early August 8, the switch will no longer assign DHCP addresses. I've tried restarting the device, I can't get any CLI to restart the DHCP service to work via SSH.

All the DHCP pools and VLANs seem okay.

What on earth am I missing?

I've attached the current startup config for diagnostics.

Troubleshooting EdgeRouter X - Won't boot


I flashed the new update this morning and my EdgeRouter X started acting like a dumb switch. I couldn't access it at all. I ended up connecting a serial adapter, and when it boots I get this:

[<80483a7c>] kernel_init_freeable+0x15c/0x21c
[<80379afc>] kernel_init+0x10/0xf8
[<800043b0>] ret_from_kernel_thread+0x10/0x18

UBI error: ubi_attach_mtd_dev: failed to attach mtd7, error -5
UBI error: ubi_init: cannot attach mtd7
UBIFS error (pid 1): ubifs_mount: cannot open "ubi0_0", error -19
VFS: Cannot open root device "ubi0_0" or unknown-block(0,0): error -19
Please append a correct "root=" boot option; here are the available partitions:
1f00             512 mtdblock0  (driver?)
1f01          261632 mtdblock1  (driver?)
1f02             512 mtdblock2  (driver?)
1f03             384 mtdblock3  (driver?)
1f04             384 mtdblock4  (driver?)
1f05            3072 mtdblock5  (driver?)
1f06            3072 mtdblock6  (driver?)
1f07          253696 mtdblock7  (driver?)
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

I tried a number of things, such as booting to the backup to no avail:

setenv bootargs console=ttyS1,57600n8 ubi.mtd=7 root=ubi0_2 rootfstype=ubifs rootsqimg=squashfs.img rootsqwdir=w rw

saveenv

bootm bfd40000

<and>

setenv bootargs console=ttyS1,57600n8 ubi.mtd=7 root=ubi0_0 rootfstype=ubifs rootsqimg=squashfs.o rootsqwdir=w.o rw

saveenv

bootm c0040000

I'm able to get into the System Boot Command Line Interface by hitting "4" when it boots up.  I'm not entirely sure what to do from here.  Is it possible to upload a new ubi0_0 image or upload a new squashfs.img using the loadb command?  I'm a bit lost as to what I can try to do here.  Any help would be appreciated.

Edge Router Lite OpenVPN to specific vlan


I am currently using the Edge Router Lite 3 port (WAN, 2 LAN). I currently have 6 VLANs configured passing through Lan2. I just got an OpenVPN account; is there a way to use the router as an OpenVPN client, NAT, and pass it through a specific VLAN, for instance VLAN 5, so any devices sitting on VLAN 5 will be going through the VPN tunnel?
Or is it possible to pass OpenVPN out the 1st LAN port?
