Channel: EdgeRouter topics

EdgeMax Windows and site to site OpenVPN

Hello Community!

 

   I just had a quick question and wasn't able to find a satisfying answer.  I'm currently using two EdgeRouters for site to site vpn and wanted to implement on one of the sites RRAS via Windows 2016 for corporate vpn access since the built in L2TP does not work well and needs local accounts on the edgerouter.

 

Will enabling DNAT for the RRAS break the current tunnel between the two offices?

 

thanks

Gabriel 


Edge Router - VLAN for WAN Port

Hi ,

 

I am having an issue with the edge routers (ER-8 / ER-8 Pro) that needs attention. I really think it needs to be added into a firmware upgrade ASAP urgently.

 

Please firstly open Picture2 attached. You can see under the basic setup it allows you to add a VLAN to the WAN port (required for all our NBN Business Services we sell to customers) - this works 100% ok.

 

When you go to the Load Balancing Area (to setup Fail over to a PPPoE link – see Picture1), you can see the VLAN area is not an option for the first Internet port (which will be the static IP NBN VLAN Service that works using the basic setup area)

 

What can be done to add this in asap?

will edgemax be suitable for my dual wan network?

Hello I am starting up a new gaming cafe business looking for the best options for my network requirements.

 

I want to utilize 2 x 200mbps cable lines coming from the same isp. and route all gaming traffic on one line and the rest of the internet traffic (browsing, downloading etc.) through the other line. I will have 1 server, 23 end users and a cctv setup also on my network.

 

What is the best method to do this sort of routing? some sort of load balancing? or some other form of traffic management?

 

Once I have found the right setup for my network I can find a professional for the initial setup of my network, but I would like a system that would be easy to maintain and configure for slight changes.

 

thanks in advance

Connected routes with PBR?

I'm trying to set up two interfaces basically like its own router on an EdgeRouter Pro using policy based routing, but I can't get it to work.

 

Basically I have a point-to-point link from my upstream provider with a /30 (say, they're at 172.0.59.57/30 and I've set up eth7 as 172.0.59.58/30). I need to be the default route for a  /29 network that goes to a layer-2 switch (like a DMZ). Let's say the network 10.0.177.48/29, so I've set up eth6 as 10.0.177.49/29.

 

(I've changed the IPs but the real networks I'm using are public ranges)

 

Then I need another interface on the 10.0.177.48/29 network that acts as my default route for the rest of the router, and that's going back to the L2 switch connected to eth6 - say, eth2 with IP 10.0.177.50/29.

 

So connection to 8.8.8.8 from a host on one of my LANs, I would want it to go through say, 10.43.0.5 (host) ->10.43.0.1 (ER-Pro eth0) -> 10.0.177.50 (ER-Pro eth2 - main default route) -> (L2 switch) -> 10.0.177.49 (ER-Pro eth6) -> 172.0.59.58 (ER-Pro eth7 - table 1 default route) -> 172.0.59.57 (provider P2P endpoint) -> (provider network) -> 8.8.8.8.

 

At the moment, I have a modify firewall for the public zone which I want to completely screen off - so I don't do a source address or anything because I want it to apply to all traffic on those interfaces -

 modify PUBLIC_ZONE {
     rule 10 {
         description "All traffic use special WAN route table 1"
         modify {
             table 1
         }
     }
 }

This table just looks like this so far:

     table 1 {
         route 0.0.0.0/0 {
             next-hop 172.0.59.57 {
             }
         }
     }

This is applied to eth6 and eth7:

 ethernet eth6 {
     address 10.0.177.49/29
     description public-net
     duplex auto
     firewall {
         in {
             modify PUBLIC_ZONE
         }
     }
     speed auto
 }
 ethernet eth7 {
     address 172.0.59.58/30
     description provider-fibre
     duplex auto
     firewall {
         in {
             modify PUBLIC_ZONE
         }
     }
     speed auto
 }

 

I haven't even set up the other IP on that subnet yet though, because so far, when I plug in eth6 to the L2 switch and eth7 to the media converter of the P2P link, connected routes for their subnets end up in the main routing table.

 

Is there any way to get the 'directly connected' routes to go to table 1 for those interfaces? Or should I just buy another router for the public zone? (I do have an ER-X lying around which I will probably set up temporarily, but it would be nice to be able to just do it all on the one router).

 

Thanks!

OpenVPN in GUI?

I've scrawled through a few posts here about implementing OpenVPN Clients on EdgeMAX. All of them involved a lot of CLI fiddling.

 

Are there any future plans to implement a user-friendly OpenVPN setup process in the GUI?

ER Lite 3 - VPN IPSEC - Log flood - NULL Sa/SA Handle

Hi UBNT Team,

 

Since the last firmware update (v1.9.7), the /var/log/messages get flooded by a msg each time the site 2 site VPN connects (& reconnects).

 

The VPN is working correctly but the log keeps getting bigger for nothing...

 

I also noticed that I can stop this behaviour by disabling HW Offloading for IPSEC.

 

Here is the msg:

 

Aug 10 23:00:26 Router-Name kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000041d2e6000 x->sa_handle            (nil)
Aug 10 23:00:43 Router-Name kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000041d6d0000 x->sa_handle            (nil)
Aug 10 23:12:01 Router-Name kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000041d7dd800 x->sa_handle            (nil)
Aug 10 23:12:23 Router-Name kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000041cad5000 x->sa_handle            (nil)
Aug 10 23:12:33 Router-Name kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 8000000416bc3400 x->sa_handle            (nil)
Aug 10 23:13:15 Router-Name kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000041da13000 x->sa_handle            (nil)

 

Is this a known bug? Can you please fix it?

 

Thanks.

Port forwarding on Edgerouter PoE

I can't get port forwarding for SSH to work on my edgerouter PoE. I can connect from the LAN using my WAN IP or the public hostname, but connecting from outside (i.e. mobile network or SSH from a server on the WAN) doesn't work and I get a "Connection timed out" error. I guess that means hairpin NAT is working but the firewall isn't?

 

My setup is:

 

ISP -> BT modem -> Edgerouter PoE -> 2No. Unifi AP AC LR -> Ubuntu server via WiFi

 

The server's wifi connection is configured via DHCP but I've given it a static map for 192.168.2.2 in the control panel.

 

My full config is:

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        poe {
            output off
        }
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id *******************
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description "Kodi SSH"
        forward-to {
            address 192.168.2.2
            port 22
        }
        original-port 2222
        protocol tcp_udp
    }
    wan-interface pppoe0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
                static-mapping kodi {
                    ip-address 192.168.2.2
                    mac-address 80:86:f2:bd:91:f6
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

Should there be an additional firewall rule in there to allow SSH traffic? I have configured the router using the GUI, and the "enable auto firewall" box is checked (and it appears in the config too).

 

I see there have been two more firmware releases since this version, but I just skimmed the release notes and nothing jumped out at me:

 

ubnt@ubnt:~$ show version
Version:      v1.9.1.1
Build ID:     4977347
Build on:     04/26/17 03:59
Copyright:    2012-2016 Ubiquiti Networks, Inc.
HW model:     EdgeRouter PoE 5-Port
HW S/N:       802AA88EA44B
Uptime:       11:25:21 up 31 days, 16:36,  2 users,  load average: 0.07, 0.13, 0.09

Is this a bug or have I misconfigured the router?

Edgerouter POE 1.9.7._H1 upgrade No Elf image

First: it is running again, I have an image file to restore the USB

Second: I have a Kingston 16 GB stick in the EdgeRouter POE (original stick died)

 

Every time on upgrading the system (now to the latest "hotfix" version) the system does not boot any more with the message "No Elf image found" . Is this always on a specific address and/or is it possible to find out and maybe configure correctly in some config file?

 

Is there an address to find out where exactly this should be and modify a config file?

It is always quite a time consuming effort for me to restore the USB stick to an older image and then restore and upgrade to the latest version.

 

Thank you for your always good support, best wishes

Frido


Edge Router PoE 5 port setup question

Hi Greetings ,

 


I'm having an issue with the following configuration that I would like to make and would like to know if it is possible.
I wanted to use my edge router directly connected to my ISP and use eth0 as a WAN port, eth1 as my local 1 (192.168.1.0/24) network, eth2 as my local 2 (192.168.2.0/24) network, eth3 as my local 3 (192.168.3.0/24) network and eth4 as my local 4 (192.168.4.0/24) network. I tried using two default configs (one is basic from the wizard as described here, and the other uses wizard wan+2lan2), and so far I am only able to use up to local 2, meaning the eth1 and eth2 ports. However, even after configuring the eth3 and eth4 IP addresses and DHCP leases and unchecking these two ports from switch 0, I am able to ping outside (ICMP traffic, such as Google) but not able to browse any website on this port. Any help in this matter is highly appreciated.
Thanks

Possible to do with the edgerouter x? if so, can someone guide me how to? :-)

routing question

i have a 5 port edgerouter on my network (10.44.10.0/24) and i noticed today that if a device tries to access a device on a 192.168.1.x network the router sends the packet out the default route. then my internet provider responds with an ICMP host unreachable.

 

i've tried configuring a black hole but now my router responds with an ICMP network unreachable.

i also tried routing 192.168.1.x to the edgerouter switch port and got host unreachable from the edgerouter.

i finally tried routing 192.168.1.0/24 to a local switch, which seems to work.

 

if anyone has a better idea, please let me know

 

i just want any packets destined to 192.168.1.x to be dropped

New ERLite-3: How to create a static IP so I can connect to the router?

Just bought a new ERLite-3.  I cannot figure out how to connect to it.

 

The manual says to create a Static IP Address for my PC. It suggests 192.168.1.100, so I tried setting my IPv4 static IP to that value and plugging into the Eth0 port.  Although ipconfig confirms that my IP Address is correctly set, I do not get any internet access.

 

I am using a Motorola SB6120 cable modem on Comcast. The ISP service works fine. When I connect the PC directly to the cable modem and get a Dynamic IP address, ipconfig says my address is 174.57.3.238, and my Gateway is 174.57.2.1.  I thought this was a little weird because I was expecting 192.168.x.x for my IP.

 

I can go to the Motorola modem's admin screen on 192.168.100.1 and see/configure the modem settings.

But I want to connect the Router to the modem instead, then connect my PC to the router (or to a switch that is connected to the router.)

 

My desired end state topology is:  modem > ERLite-3 > Netgear FS116 switch > Engenius WAP plus a few PCs and other wired devices.

 

In creating the Static IP, the instructions don't specify what to use for a subnet mask, or for the gateway IP address, or for the DNS server.  So I had to experiment.  I tried everything I could think of, and nothing worked.

I tried 192.168.1.100, and 192.168.1.11, and 192.168.1.111, and  174.57.3.238 (the same one I was given automatically), and a few others.  Nothing worked - I am not able to connect to the router.

 

What are the complete steps to setting a static IP so I can connect to the ERLite-3?

 

How can I tell if my router is working correctly or not?

 

Most importantly:  How can I use this router?   If I can't make it work, I will have to return it.  

 

Is it compatible or not compatible with a Motorola SB-6120?

 

IPSEC VPN Remote Site Communication

Ok so business X has three locations, HQ and remote office A and B.  All three locations have an er-lite-poe.  There is an IPSEC VPN between HQ and site A, and HQ and site B.  Traffic passes beautifully between HQ and both remote offices.  But the company that handles phones for business X would like to be able to send data back and forth between remote office A and B, and that does not work.  Are there settings that I should change on the current VPN connection settings?  Should I create another VPN between remote office A and B?

 

Thanks a ton for any help!

Add Public Network w/Static IP then port forward

Trying to add a public Static IP address then port forward it to the phone system.  Do I have to do that from the CLI?  Tried adding Public Static address under Routing but it did not work?

EdgeOS v1.9.7+hotfix.1

Have tried to upgrade with hotfix several times from the 1.9.7 version. Fails to finish upgrade with error message.

 

Thanks for your help in advance.


GUI slow to load login page in Firefox

Is anyone else having trouble getting to the login page in Firefox?  This has been around since 1.9.0 or so for me but it doesn't seem like a widespread problem.  I was hoping the major GUI changes in 1.9.7 would resolve it but they didn't.  This is how it happens for me:

 

- fresh install of Firefox with no old profile, cache, etc.

- router GUI loads fine and is snappy

- after logging in to 5 or 6 different routers (log in to one, poke around, close tab, log into 2nd one, poke around, close tab, etc...) the GUI login page will be very slow to open for any of them (several minutes)

 

In Firefox stable 54.0.1 (32-bit) the browser will use 100% of one CPU core and become unresponsive.  If you leave it for long enough (5 or 10 min) it will eventually bring up the login page and you can use the GUI fine from there.

 

I tried Firefox nightly after finding the performance troubleshooting page for Firefox (https://developer.mozilla.org/en-US/docs/Mozilla/Performance/Reporting_a_Performance_Problem).  After installing nightly 57.0a1 (2017-08-09) 64-bit I was able to log in to 5 or 6 routers again before the problem came back up, in nightly it uses 100% of all CPU cores but the browser does not hang, and again if you leave it long enough it will eventually let you log in.  In nightly I noticed it sits on "Performing a TLS handshake to [router ip]..." for the whole time when it is stuck at 100% CPU.

 

Using their performance troubleshooting steps I captured this trace, hopefully it helps narrow the issue down: https://perfht.ml/2wBAwhY

How to log and review firewall entries efficiently

I use plex media server for personal use and like to use it internally and externally, but I do not want the server accessible by anybody.  Plex frequently initiates connections from their network to make sure the server is online.  Therefore, I need to let a few trusted sources gain access to the server but I still want to exclude everyone else that isn't on my white list.

 

My question is, how can I isolate and look at both dropped and accepted entries in the log either through the GUI or CLI.  I don't seem to be doing it right.  

 

DNAT Looks something like this:

me@erp# show service nat rule 19
 description "Plex external access"
 destination {
     port 8017
 }
 inbound-interface eth+
 inside-address {
     address 192.168.1.121
     port 32400
 }
 log disable
 protocol tcp
 type destination

 

I have an address list that includes both IP addresses that are known remote locations where I will use plex and this list also includes plex servers that perform this connection check.  Here is a fake list but you get the point:

 

me@erp# show firewall group address-group PLEX_AUTH_SERVERS 
 address 55.11.22.55
 address 11.111.111.1
 address 11.111.111.1
 address 11.111.111.1
 description "Trusted remote Plex users"

 

For debugging purposes, I have two entries in the WAN_IN firewall.  Here is what it generally looks like:

me@erp# show firewall name WAN_IN
rule 100 {
     action accept
     description "Allow trusted Plex users"
     destination {
         port 32400
     }
     log enable
     protocol tcp
     source {
         group {
             address-group PLEX_AUTH_SERVERS
         }
     }
 }
 rule 110 {
     action drop
     description "Explicitly disallow untrusted Plex users for logging purposes"
     destination {
         port 32400
     }
     log enable
     protocol tcp
 }

My list of Plex authorization servers is simply incomplete.  From time to time throughout the day, my plex server is checked and sometimes marked as not available for remote access.

 

There must be a good way to keep a log (and view it) of every connection that meets either of these rules.  Some tips or pointing me to one of the many good UBNT how to's would be great!!!  I'm good with the CLI or GUI, either way.

 

Thanks in advance!
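
One way to review what rules 100 and 110 above are matching, as an added example that is not part of the original post: a small Python parser that tallies logged accepts and drops per source address, so sources dropped by rule 110 can be reviewed before any are added to PLEX_AUTH_SERVERS. It assumes the router writes a `[ruleset-rule-action]` prefix to the kernel log for rules with `log enable`; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, not taken from the post. Assumed format: the
# kernel log prefix "[<ruleset>-<rule>-<action>]" (A = accept, D = drop)
# written for firewall rules that have "log enable" set.
SAMPLE_LOG = """\
Aug 11 09:14:02 erp kernel: [WAN_IN-100-A]IN=eth0 OUT=eth1 SRC=55.11.22.55 DST=192.168.1.121 LEN=60 TTL=52 DF PROTO=TCP SPT=51514 DPT=32400 SYN URGP=0
Aug 11 09:20:45 erp kernel: [WAN_IN-110-D]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.121 LEN=60 TTL=49 DF PROTO=TCP SPT=40022 DPT=32400 SYN URGP=0
Aug 11 09:20:46 erp kernel: [WAN_IN-110-D]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.121 LEN=60 TTL=49 DF PROTO=TCP SPT=40022 DPT=32400 SYN URGP=0
Aug 11 10:02:13 erp kernel: [WAN_IN-110-D]IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.121 LEN=60 TTL=50 DF PROTO=TCP SPT=33811 DPT=32400 SYN URGP=0
Aug 11 10:05:00 erp kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=50 DF PROTO=TCP SPT=33900 DPT=22 SYN URGP=0
Aug 11 10:06:30 erp kernel: eth0: link up
"""

# "[WAN_IN-110-D]" -> ruleset WAN_IN, rule 110, action D
PREFIX = re.compile(
    r"\[(?P<ruleset>[^\]\s]+)-(?P<rule>\d+|default)-(?P<action>[A-Z])\]"
)
# netfilter KEY=value pairs after the prefix (SRC=, DST=, DPT=, ...)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for one firewall log line, or None for any other line."""
    m = PREFIX.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["timestamp"] = line[:15]          # syslog "Mon dd hh:mm:ss"
    entry.update(FIELD.findall(line[m.end():]))
    return entry


def summarize(lines, ruleset="WAN_IN", rules=("100", "110")):
    """Count hits per (rule, action, source address) for the chosen rules."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["ruleset"] == ruleset and e["rule"] in rules:
            counts[(e["rule"], e["action"], e.get("SRC", "?"))] += 1
    return counts


def dropped_sources(lines, ruleset="WAN_IN", rule="110"):
    """Sources dropped by the catch-all rule, most frequent first."""
    counts = summarize(lines, ruleset, (rule,))
    return [(src, n) for (_, action, src), n in counts.most_common()
            if action == "D"]


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for (rule, action, src), n in sorted(summarize(log_lines).items()):
        print(f"rule {rule} {action} {src:<15} {n}")
    print("dropped by rule 110:", dropped_sources(log_lines))
```

To run it against real data, replace `SAMPLE_LOG.splitlines()` with the lines of a copy of the router's log file (assumed here to be `/var/log/messages`).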

 

 

Edgerouter X does not respond to ping, other traffic

We just bought a bunch of EdgeRouter Xs to use as firewalls in front of printers. I got the first one configured just right (I think) and made a test print from a computer in the same subnet as the router's WAN port (eth4). The problem is that the router will not send any packets outside of this subnet.

 

I thought it was a firewall issue, but it is not. To test, I grabbed another router straight out of the box with no configuration other than what it came with, and it has the same behavior.

 

I can see packets come in to the router using the packet capture tool, but no responses ever go back. The router responds to hosts in the same external subnet with no problem, but it refuses to talk to anything outside of this subnet. There is no firewall enabled on this second router.

 

We know this is not a network configuration issue, because we can plug a laptop into the same network jack, assign it the same IPv4 address as the router (after removing the router, of course), and get responses to ping, etc. from other subnets.

 

Any hints are appreciated. Here is the config from the second router:

interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 101.222.16.200/22
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        mtu 1500
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.1.5005851.170803.0322 */

ROKU, SmartTV, Smartthings,

This is the setup I have

Model Edgerouter POE

eth0 --> Cable Modem

eth1 --> UnifiACPRO

eth2,3,4 --> Switch0

 

The ROKU is connected to the switch0

The roku app connecting via AC wifi does not see the ROKU on the subnet.

 

Similarly the Smart TV on wifi is not discovered by the SmartThings Hub on the Switch0

 

There seems to be an issue due to subnets. I have enabled mDNS as per previous requests. But this does not seem to help the issue.

There are many protocols that I would like to be discovered across the subnets. SMB, AFP, Bonjour, Chromecast, ssdp etc. These all have to do with entertainment and file service. Is there an easy way to have these services discovered across the subnets?

 

 

ER Pro8 + FW 1.9.7 or 1.9.7.hotfix.1 : static IPv4 on public interface, no default route created?


Upgraded to Firmware EdgeRouter Pro v1.9.7+hotfix.1

Note that i did all these settings through the web UI. Did not test this through CLI.

Starting config after the FW upgrade:
  System > System Gateway address : 192.168.0.1
  interface eth0 (Internet) : DHCP IPv4 + DHCP IPv6 ( -> got an address from next hop 192.168.0.203/24 )
  Routing-tab > 'Connected' : There is a default route 0.0.0.0/0 through 192.168.0.1

So far, so good. This works.


Change eth0 to static ip:
  interface eth0 (Internet) : Static IPv4 192.168.0.100/24 + DHCP IPv6

  ==> try to surf outside : does not work
  ==> try ping to google.com : ICMP destination unreachable

  ==> ping host on private interface: ICMP echo reply  (internal network does work)


Try to solve problem
  First idea : routing problem?
  Routing-tab > 'All' : There is no default route in the table listed. 
  Routing-tab > 'Add static route' button > Gateway + dest netw: 0.0.0.0/0 + next hop: 192.168.0.1
     


==> When I click save in the screen to add a static default route, I got an error: "Cannot combine static gateway and static default route."
If I recall correctly, at this point in Firmware v1.9.1.1, with a static IPv4 on my public interface a default route was created automatically. Since v1.9.7 and v1.9.7+hotfix.1, this seems not to be the case now.
My question is, is this a change in firmware v1.9.7(+hotfix.1) or is this some kind of a software bug?


Solution:
- Clear IPv4 for System Gateway address

- add static default route manually : Routing-tab > 'Add static route' button > Gateway + dest netw: 0.0.0.0/0 + next hop: 192.168.0.1

==> try to surf outside : works
==> try ping to google.com : ICMP echo reply

