Channel: EdgeRouter topics

New ERLite-3: After 13 hours of trying, still no Internet connectivity


* I will send $100 via PayPal to the first person to provide the correct instructions to get my router working. *

 

Short version:

 

How do I establish connectivity to the outside Internet from the router?

Other than using the "Basic Wizard", which I have performed at least 10 times, what other steps are needed?

 

On the System tab, which of these fields are REQUIRED?

 

• Host Name
• Gateway
• Name Server
• Domain Name

 

For those that are required, what should I put there?

 

I have a Comcast cable modem. When I connect the PC to the modem with no other equipment, and type "ipconfig", I get:

IP Address: 174.57.3.238

Default Gateway: 174.57.2.1

 

Do I need to put either of those numbers anywhere?

 

Long version:

 

I am incredibly frustrated. I am an IT professional with 30 years of experience in software development and basic networking.  Although I am not an idiot, this router has certainly made me feel like one.

 

I just got an ERLite-3 to replace an old failing Linksys router.

First I spent 5 hours trying to connect to the router admin screen. It seemed like the router was dead. Finally I happened to try a different computer that didn't have Kaspersky Total Security on it, and was able to connect to the router right away.

So, lesson #1:  You must disable Kaspersky Total Security in order to connect to an ERLite-3 on 192.168.1.1.  Otherwise, it is silently blocked, with no error message or anything. It just looks like the router is dead.

 

After solving that problem, I have spent at least 8 hours running the so-called "Wizard" to set up the router.

(By the way, in my world, a Wizard is something that has a sequence of steps, with a defined start and end, and navigation like "Next" and "Previous".  I don't know who named these screens "Wizards", but they are not wizards by any definition I have ever seen. It doesn't step me through anything. The "wizard" is just a single screen, and after completing it, the router still isn't usable, so why not have the "wizard" also include whatever other steps are also going to be needed in order to actually use the router?)

 

I am trying to set up a SOHO network consisting of: 

Motorola SB6120 Cable modem

ERLite-3 router

Netgear FS116 switch

Several Windows PCs, some wired, some wireless

Vonage VoIP phone adapter

Engenius Wireless Access Point

A few other Wireless devices

 

I have tried both the Basic Wizard and the WAN+2LAN Wizard.

 

I was able to configure the router to find my LAN, and when I then plug my PC into eth1, I can see several of the other devices on the LAN.  (Curiously, I only see 3 out of the other 10 devices though.  All the devices I am seeing are wireless, I don't see any of the other wired devices. At least 3 of those are plugged in and should be active.)

 

Then I connected eth0 to my cable modem.  All connections are with brand new Cat6 cables by the way.

 

I cannot get to the outside world.  I tried pinging 8.8.8.8 and a few other IP's, and get "destination not available" or something like that.

 

Comcast tells me that their DNS server is 10.0.0.1.   Do I need to put that anywhere?

I tried using Google's 8.8.8.8 for DNS1 and 8.8.4.4 for DNS2 - but I am not even sure if I put those in the right place. I found 2 or 3 different places across the various admin screens where I could enter a DNS IP.

 

I cannot afford to spend more time on this.  I have unplugged the router and am currently using the old Linksys so I can create this post.  

 

I will spend up to one hour tomorrow if someone can give me exact instructions that I can follow.  If you want to call me on the phone, I'll provide my phone number.  As I said at the top of this message, if you can get me online successfully with this router, I'll pay $100.   Otherwise, it is going back to Amazon on Monday.


EdgeRouter Lite 3 - Where to get replacement USB drive after warranty has expired?


My warranty has already expired over a year ago, and my device has started acting up due to the USB thumb drive failing. I already had to rewrite some of the files from the 1.9.1 image manually a few times using a Linux VM.

 

It keeps randomly locking up at arbitrary times of the day, after a week or two of uptime. I want to get a replacement USB drive, and image it myself and insert it, since I am well beyond the warranty.

 

Unless someone here can tell me that it will be cheaper to ship the entire unit to the manufacturer for the USB replacement, out of warranty.

PPTP VPN Not working .. Tried Everything!!!!!!!


Hi All,

 

I have configured pptp vpn via running the below commands.

 

configure
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username sam27s password mypassword
set vpn pptp remote-access client-ip-pool start 192.168.1.10
set vpn pptp remote-access client-ip-pool stop 192.168.1.15
set vpn pptp remote-access dns-servers server-1 8.8.8.8
commit
save

 

My DHCP range is 192.168.1.100 to 1.254

 

Firewall rules have WAN_LOCAL to allow both 1723 and GRE on all protocol and status also set to "New".

Config file attached

When I connect the connection gets stuck at "Verifying username and password" and then gives the error message ............

"Error 806: The VPN connection between your computer and the VPN server could not be completed. The most common cause for this failure is that at least one Internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets. If the problem persists, contact your network administrator or Internet Service Provider."

Please help I have no idea what else can I try.....

Do I need to create DNAT rules for 1723? Like I have created for other ports??

Regards

Sammy

Multi-client TAP/TUN and OpenVPN behind EdgeRouter ER-X (Synology NAS)


I have a Synology NAS behind an ER-X and try to connect from my laptop at work (Win 10 and Lubuntu) to the OpenVPN server of the Synology NAS.

The tunnel is built up okay and I can connect to the Synology operating system graphical user interface with my browser on my laptop at work - using the tunnel IP https://10.8.0.1:5001.

But I cannot ping 10.8.0.1 or any other IP of the tunnel or the remote LAN. The only ping that works is the broadcast 10.8.0.7.

This brings me to some basic features of OpenVPN connections that are not discussed well. I found them here:

https://openvpn.net/index.php/open-source/faq/77-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html

It is explained that the setup works so that each OpenVPN client that connects with a TUN interface (actually on windows 10 it is a TAP interface that emulates TUN), gets an IP inside a /30 network. This means the server is handing out 4 tunnel IPs (according to the post above). This also explains why ipconfig /all shows a DHCP server IP.

Now my first question is: When I connect to my tunnel I get 10.8.0.6 as my laptop IP. How does it work that I can connect to 10.8.0.1 in the browser to my web GUI which is outside the /30 network for the client (4/5/6/7)? 

But since we are in the Ubiquiti forum my real question is: Why can I not ping anything? I already added a route on the EdgeRouter that should forward any packages coming from the internet (via the tunnel, meaning they have the destination 10.8.0.0/24) to the IP of the Synology in the LAN, which is 192.168.0.8.

Is the router holding back anything additionally? Because this setup worked better with my old router. 

Having Difficulty Setting up Static IP Block on EdgeRouter X


Hi, total noob here, could really use some assistance.

 

Background:  I currently have Uverse internet with a block of 5 usable static ip addresses, four of which I am currently using for (1) email server, (2) web server, (3) cloud server, and (4) openvpn server.  The servers are virtualbox servers on a Ubuntu 16.04 machine.  The Pace 5268AC gateway supports ip passthrough (needed for the email server to prevent emails being tagged as spam from reverse DNS failure) and it's pretty easy to assign static ip addresses to the individual servers.  The Pace is set up with two DHCP pools, one private and one public.  It generally pulls from the private pool for phones, ipads, etc.  But when I need to assign a static ip to a virtual server, I:

1 - set the gateway to begin pulling public ips instead of private,

2 - stop/start networking on the server

3 - set the gateway back to assigning private ip addresses for each new attached device

It has been very convenient, but for those of you with Uverse, you know the monthly fees keep spiraling upward.  So I'm in the process of changing my ISP from Uverse to WOW and this is where my new troubles begin...

 

WOW has given me the following:

 

IP Range: X.X.127.10 - X.X.127.14
Gateway: X.X.127.9
Subnet Mask: 255.255.255.248
 
DNS 1: 64.233.217.2
DNS 2: 64.233.217.3
 
WOW doesn't offer a gateway for lease which functions similarly to the Pace, I need to find my own solution.  Since I couldn't find a Netgear or similar wireless router that could handle multiple static ips, the ER was suggested.  It looks like it will accomplish everything I need now and provide a foundation for some future expansion, but trying to set it up has been a real bugger.  As a smart person said on one post I read, the ER gives you much more control over the router configuration, even if you don't want it.  It seemed after watching some youtube videos that I could set this up, but I'm really struggling.
 
I don't know if I can set it up to draw static addresses from a pool like my Pace does, or if I need to give the servers private ips and then somehow map each static address to the corresponding private ip.  My preferred setup would be for two separate LANs, one for my servers and a separate one for family/guest wifi, tv, etc.  Truly appreciate any help.
 
Thanks!

DNSmasq configuration issue


I'm using an Edgerouter-X with dnsmasq enabled. I've found that short-name resolution does not work without jumping through hoops if I specify a "system domain".  This occurs because the dnsmasq option "dhcp-fqdn" is being set in "/etc/dnsmasq.d/dnsmasq-dhcp-config.conf" whenever a "system domain" is defined.

 

This logic seems backward. The point of using "dhcp-fqdn" is to prevent name conflicts that might occur when multiple domains contain the same host name.

 

For example, if two subnets are defined with different domains, such as mycompany.com and yourcompany.com, using fqdn's to query the dns server works fine. The following makes sense:

 

 

nslookup pc5.mycompany.com
nslookup pc5.yourcompany.com

If one were to lookup based on the short name "pc5", the dns query lacks the precision to be properly resolved.

nslookup pc5

I would expect the dnsmasq "dhcp-fqdn" option to be set in the above scenario of multiple domains to assure the precision required for proper name resolution. The option is not set and allows name conflicts to occur.

 

Perhaps my understanding of system domain is incorrect, but I expect a system domain to be global, meaning that all defined subnets are members of the same domain, eliminating domain definition at the subnet level.

 

In the case of a system domain, the dnsmasq "dhcp-fqdn" option is unnecessary because short names provide the same level of precision as fqdn's in a single domain environment. However, in  the case of a single domain that "dhcp-fqdn" is applied. Shouldn't the Edgerouter logic be reversed?

 

Am I just missing the boat?

Firewall Policies for blocking outbound to eth0


Thank you in advance,

I have a basic setup

eth0 = Internet

eth1 = LAN

eth2 = LAN but not being used

I am trying to accomplish two things-

1) All traffic from specific Local IP group to eth0 (internet traffic not local traffic) during certain hours should DROP.

2) Whitelist only certain IPs for DNS servers for all requests.

I have the following so far, but I think I am doing something wrong.

[Attached screenshots: 1.PNG, 2.PNG]

Thanks!

Works Great 1.9.7


Guys, I want to thank you and to inform everyone that uses the ER8 Pro and has the 1.9 version to upgrade to the 1.9.7 hotfix, it works great...

Load balancing seems a lot better without changing the settings...!!


Packet loss with Vlan


Dear All

I have an ERL running 1.9.7 - Hotfix1

Was thinking about adding a VLAN to my network

but noticed an odd thing when I added the VLAN interface to my eth1

I was getting quite a lot of latency once created (nothing on the network, just created it), see attached image

Screen Shot 2017-08-13 at 21.48.34.png

(I am just pinging a device on my VPN)

Is it a bug? Or what can be causing this?

Without the VLAN it's not a complicated config: 1 WAN (eth0), 2 LANs (eth1 and eth2) and 1 VPN

Please advise

Thanks

Whitty

3 WAN setup - 2 Load Balance + 1 Failover only - need HTTPS sticky help


(second time I post this, maybe the first was deleted because I didn't introduce myself in the right topic, sorry)

 

Hi all, as I wrote in the title, I have a 3 WAN setup, 2 WAN are VDSL (~100/30 each) and the third is a 4G Lte router with an ethernet port, used for backup (~50/20 decent speed for survival purpose only).

 

I have an EdgeRouter-X firmware 1.9.7, the wizards worked fine.

 

Unfortunately isp modem/router are not so configurable... almost locked...

 

WAN1 LB eth0 static ip 192.168.201.50 (dmz on isp router)

WAN2 LB eth1 static ip 192.168.202.50 (dmz on isp router)

WAN3 FO eth2 static ip 192.168.200.50 (dmz on 4g lte router)

eth3 and eth4 used for local lan/switch on 192.168.100.0/24 class

 

Load-balance is up and working:

Default WAN1 up WAN2 up - 50% 50% 0

WAN1 DOWN WAN 2 UP - 0% 100% 0%

WAN1 and WAN2 DOWN - 0% 0% 100% (Failover works fine)

 

I don't understand how exactly sticky works... first of all, if I enable it, it is not working until I reboot the device; I don't know if it is normal this way.

 

I have read EdgeRouter - Dual WAN Load-Balance Feature and the final note about sticky.

I have read WAN load-balancing except for some traffic that explain how to use WAN1 for HTTPS and WAN2 for failover.

 

I don't know if I can put 2 of the 3 WAN as failover only and if WAN3 failover on WAN2 that failover on WAN1 fail (...sorry)

 

I have an idea but I don't know how to implement it:

All traffic (except HTTPS) uses load balance WAN1 and WAN2 (failover WAN3) NO sticky, in this way we can use a combined full speed.

HTTPS traffic (used for bank sites and so on) on a load balance group WAN1 and WAN2 with sticky enabled (always WAN3 for failover), in this way we don't have problems with the IP changing.

 

Is this a good idea? Is that possible? and (if the previous answer are "yes") how can I implement this?!

 

ER-X - Block Kids During Certain times.


I have an ER-X and am trying to set a timetable where I can block certain MAC addresses or IPs at certain times. Every time I think I am close, I reboot the router to make sure all settings take, but I get locked out of the ER-X and then need to factory reset and restore.

Would someone be able to help? What information do you need on setting this up? I have tried the below forum page but could not get it working and kept locking up the router.

https://community.ubnt.com/t5/EdgeMAX/Time-based-firewall-rules-issue/td-p/663797

Firewall broken access needed


I've included my firewall configuration below. Yes I realize the rules are in bad shape. I plan on fixing this but I have this more immediate issue: 

 

I want to allow access from the guest network defined as VLAN_5 to a single resource in VLAN_1 (192.168.1.85:80). Given the complete lack of security around VLAN_1 (default-action accept) I thought this would be allowed by default. I've tried some specific rules to allow this but none are working. Is there anything I need to do with VLAN_5? 

 

I'm pretty confident about the interface configuration. Both VLAN_5 and VLAN_1 are on eth1 and eth1 has vid 1, pvid 5. The DHCP rule below wouldn't work if this weren't set. 

 

 

all-ping enable
broadcast-ping disable
group {
    network-group LAN_NETWORKS {
        description "LAN Networks"
        network 192.168.0.0/16
        network 172.16.0.0/12
        network 10.0.0.0/8
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name VLAN_1_IN {
    default-action accept
    description ""
    rule 1 {
        action accept
        description "ACCEPT Established/Related"
        disable
        log enable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
}
name VLAN_1_LOCAL {
    default-action accept
    description ""
    rule 1 {
        action accept
        description "ACCEPT DHCP"
        destination {
            port 67
        }
        disable
        log disable
        protocol udp
    }
}
name VLAN_5_IN {
    default-action accept
    rule 10 {
        action accept
        description "ACCEPT Established/Related"
        protocol all
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "DROP LAN_NETWORKS"
        destination {
            group {
                network-group LAN_NETWORKS
            }
        }
        disable
        log disable
        protocol all
    }
}
name VLAN_5_LOCAL {
    default-action drop
    rule 10 {
        action accept
        description "ACCEPT DNS"
        destination {
            port 53
        }
        protocol udp
    }
    rule 20 {
        action accept
        description "ACCEPT DHCP"
        destination {
            port 67
        }
        log enable
        protocol udp
    }
}
name WAN_IN {
    default-action drop
    description "WAN to internal"
    enable-default-log
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
    rule 21 {
        action accept
        description ssh-246-mogwai
        destination {
            address 192.168.1.5
            port 246
        }
        disable
        log enable
        protocol tcp
    }
    rule 22 {
        action accept
        description http-https-felts
        destination {
            address 192.168.10.10
            port 443
        }
        disable
        log enable
        protocol tcp
    }
}
name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    enable-default-log
    rule 10 {
        action accept
        description "Allow established/related"
        log enable
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        log enable
        state {
            invalid enable
        }
    }
    rule 21 {
        action accept
        description OpenVPN
        destination {
            port 1194
        }
        log enable
        protocol udp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
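
An added example, not part of the original post and not EdgeOS code: a small Python model of how the posted VLAN_5_IN ruleset treats a new guest connection to 192.168.1.85:80, and of where an exception rule has to be numbered once the disabled "DROP LAN_NETWORKS" rule is switched on. It assumes rules are checked in ascending number with the first match winning and disabled rules skipped, and that VLAN_5_IN is applied inbound on the guest VLAN interface (the post does not show the attachment); the ALLOW_WEB rule text and the sample packets are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample: LAN_NETWORKS and VLAN_5_IN as posted (description/log lines omitted).
CONFIG = """
group {
    network-group LAN_NETWORKS {
        network 192.168.0.0/16
        network 172.16.0.0/12
        network 10.0.0.0/8
    }
}
name VLAN_5_IN {
    default-action accept
    rule 10 {
        action accept
        protocol all
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        destination {
            group {
                network-group LAN_NETWORKS
            }
        }
        disable
        protocol all
    }
}
"""
# Hypothetical exception rule (not in the post): allow only 192.168.1.85:80.
ALLOW_WEB = "action accept\nprotocol tcp\ndestination {\naddress 192.168.1.85\nport 80\n}"

def parse(text):
    """Parse brace-delimited config into nested dicts; leaf values are lists."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[-1] == "{":
            node = {}
            stack[-1][" ".join(tok[:-1])] = node
            stack.append(node)
        elif tok == ["}"]:
            stack.pop()
        else:  # "key value" leaf, or a bare flag such as "disable"
            stack[-1].setdefault(tok[0], []).append(tok[1] if len(tok) > 1 else True)
    return stack[0]

def matches(rule, pkt, groups):
    """True if pkt satisfies every criterion the rule sets (simplified matcher)."""
    proto = rule.get("protocol", ["all"])[0]
    if proto not in ("all", pkt["proto"]):
        return False
    state = rule.get("state", {})
    if state and pkt["state"] not in {s for s, v in state.items() if v == ["enable"]}:
        return False
    dst = rule.get("destination", {})
    ip = ipaddress.ip_address(pkt["dst"])
    if "address" in dst and ip not in ipaddress.ip_network(dst["address"][0]):
        return False
    if "port" in dst and dst["port"][0] != str(pkt["dport"]):
        return False
    for name in dst.get("group", {}).get("network-group", []):
        nets = groups[f"network-group {name}"]["network"]
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            return False
    return True

def evaluate(cfg, ruleset, pkt, enable=(), extra=None):
    """Return (action, rule number or None for the default action)."""
    rs = cfg[f"name {ruleset}"]
    rules = {int(k.split()[1]): v for k, v in rs.items() if k.startswith("rule ")}
    rules.update({n: parse(t) for n, t in (extra or {}).items()})  # hypothetical rules
    for num, rule in sorted(rules.items()):
        if "disable" in rule and num not in enable:  # 'enable' models removing the flag
            continue
        if matches(rule, pkt, cfg.get("group", {})):
            return rule["action"][0], num
    return rs["default-action"][0], None

CFG = parse(CONFIG)
# Constructed packets: new connections from a guest host on VLAN 5.
WEB = {"proto": "tcp", "state": "new", "dst": "192.168.1.85", "dport": 80}
SSH = {"proto": "tcp", "state": "new", "dst": "192.168.1.5", "dport": 22}

if __name__ == "__main__":
    print("as posted:", evaluate(CFG, "VLAN_5_IN", WEB))
    print("rule 20 on, allow at 15:", evaluate(CFG, "VLAN_5_IN", WEB, {20}, {15: ALLOW_WEB}))
```

The model covers only the ruleset logic; it says nothing about routing, VLAN tagging or which interface and direction each ruleset is bound to.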

vtysh.pl high usage repeatedly

 9803 root      20   0  5372 2708 1760 R  28.0  0.5   0:00.29 vtysh.pl
 9802 root      20   0  4388 1552 1304 S   6.8  0.3   0:00.07 sudo
  568 root      20   0  148m  11m 3952 S   5.8  2.4  12:10.37 ubnt-util

Hi,

I would like to know what this process does. It always gives me that CPU usage every 5-7 seconds.

I'm going to set up an SNMP server, but if there is any information it would be great to enlighten me.

Is it VLAN related? Web UI related? Something else?

thanks in advance

best regards

Policy Based Route Dynamic Gateway


What command do I need to issue to specify that my gateway is dynamic for a specific routing table?

 

This is the command I use to connect to the gateway as if it were static... but I am noticing it changes quite frequently:

 

set protocols static table 1 route 0.0.0.0/0 next-hop 108.XXX.XXX.1

 Running the following fails to commit with "Must add either a next-hop or blackhole for route 0.0.0.0/0"

 

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface eth0.1000

And I am unable to run:

 

set protocols static table 1 route 0.0.0.0/0 next-hop-interface eth0.1000

Any help with this would be appreciated.


NAT port 25 blocked


Hey guys,

I just reset my edgemax router and now port 25 is being blocked. I can't send any email anymore.

When I connect the notebook directly to the modem I can send an e-mail, but otherwise port 25 is being blocked. Who can help me?

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        ip {
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description "Local 2"
        mtu 1500
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
system {
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
}

ER-X logging fails after sometime


Hi all,

 

I started to notice this behaviour after accruing some uptime (and that varies of course) but in any case, I had to do a reboot today for `show logs tail` to work.

 

When this fails, even looking at `tail -f /var/log/messages` gets you nothing.

 

**Update**: I had just rebooted about 5 hours ago and logging has already stopped working.

 

ubnt@ubnt:~$ uptime
 14:39:08 up  5:04,  2 users,  load average: 1.25, 1.16, 1.17
ubnt@ubnt:~$ show log
ubnt@ubnt:~$ show log tail

Well, according to `tail -n 10 -f /var/log/messages`, the last logged entry is at 12:14, so the logging seems to have died ~3 hrs after bootup.

 

I've found others experience similar issues (Link: https://community.ubnt.com/t5/EdgeMAX/firewall-logs/m-p/720079) - thoughts?

 

Would replacing this with an EdgeRouter (the large 1u/8port version) help?

 

Thanks.

Edge Router PRO RIP problem on vti interface


Hi, All.

 

We have a problem with enabling the RIP protocol on a vti interface on the EdgeRouter PRO. RIPD is not sending protocol updates on vti interfaces at all. We only receive multicast updates to the 224.0.0.9 address from the hub router over the vti tunnel. Here is the tcpdump output of the RIP exchange that we have seen.

 

13:24:06.962138 IP (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto UDP (17), length 252)
    10.255.165.1.route > 224.0.0.9.route: [udp sum ok]
        RIPv2, Response, length: 224, routes: 11 or less
          AFI IPv4,        10.0.0.0/16, tag 0x0000, metric: 1, next-hop: self

 

And so on...

Our RIPD does not generate any multicast packets on the vti interface. Just as a test I've enabled RIP on an eth interface - all works fine.

 

show interfaces output:

 

vti0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1422 qdisc noqueue state UNKNOWN group default
    link/ipip 192.168.0.245 peer 193.33.122.131
    inet 10.255.165.20/24 scope global vti0
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
      18390366     134069          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
      12621751     116938          6          0          6          0

 

br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:9f:c2:05:1d:d1 brd ff:ff:ff:ff:ff:ff
    inet 10.100.64.1/28 brd 10.100.64.15 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2c16:9ff:fe98:8470/64 scope link
       valid_lft forever preferred_lft forever
    Description: LAN

    RX:  bytes    packets     errors    dropped    overrun      mcast
     440183696     339980          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
      46756296     103141          0          0          0          0

 

Thank you in advance.

Edge Router 8 Pro load balancing for Selected services only


There are 2 WAN connections on the ER Pro, ETH0+ETH1; speed is 100mbps each

there is 1 LAN interface and no firewall policy is applied on incoming or outgoing traffic

there is a total of 200mbps throughput.

I want to use both lines for all kinds of internet traffic, and if some user tries to use a VoIP service or VPN service they can use WAN2, and that portion will no longer be part of the load balancing

WAN1 192.168.0.0/24

WAN2 192.168.1.0/24

LAN 172.16.0.0/16

2 LANs. One LAN can access the other but not the other way around


I have set up an IP camera network which is currently on the same network as my pcs but I haven't opened up to the net to be viewed remotely because I don't trust all the devices are updated (or will always be updated) with necessary security patches.

Currently to view it remotely, I VPN into my network and then access them via Apps on the phone.  While this works it's not fantastic as you need to connect the VPN first and then find the App.  

 

An idea that I have is to put the IP cameras onto a separate LAN that cannot access my main network but my main network can access the IP cameras.  This obviously doesn't protect the IP cameras if they do indeed have a vulnerability but they don't point anywhere that I'm concerned about.

 

I have an EdgeRouter Lite, running v1.9.1.1. Currently only using one port for the WAN and one for the LAN, if the above idea works, how should I set this up?

 

Let me know if you need other details.

Thanks,

Rob
