Channel: EdgeRouter topics

N00b needs help with firewall

Hi,

I have 4 ports in use on my router: eth0-3.

A GPS NTP device is connected to the eth1 port at, say, 192.168.1.8.

I want to be able to reach it from the other two ports.

I've tried reading some posts, but they mostly deal with printers and I don't know if it's the same idea or not.

Someone posted:

Eth0_IN
default drop
rule 1 action accept (state) established / related
rule 2 drop (state) invalid

If you've got the auto-firewall enabled, then you don't have to worry about stuff you put in port forwarding.

I'm kind of lost here with my setup of eth0 being the WAN; I don't know if the above example is the same.

Which firewall rules do I need so that I can do this?

Thanks


HELP With massive LAN-PARTY

Hi guys,

We have the green light to run a LAN party in my city.

Now we are putting together the dossier to submit the proposal.

The only problem I have now is how to configure the network.

Our town hall provides 3 FTTH 300/300 connections with 4 ONTs.

Is it possible to use an ER-8 with multiple WANs to support 300-400 hosts?

Also...

If our town hall provides 4 FTTH 300/300 connections, is it still possible to use the ER-8?

I know we cross the 1 GbE limit (300*4=1200).

Streaming / gaming / downloads.


VLAN on UniFi AP with EdgeRouter PoE

I'm trying to get VLAN 10, which is set up on my UniFi APs as a second SSID, to send all its traffic through the OpenVPN connection, but currently that doesn't appear to be happening.

When connected to the VLAN 10 SSID I see the traffic still traversing switch0 rather than switch0.10, and my external IP according to https://ifconfig.co/ is still the Google Fiber address.

The UniFi APs are set up with two SSIDs: one with no VLAN, gateway of 192.168.0.1 and subnet 192.168.0.1/24, and the new one on VLAN 10 with a gateway of 192.168.2.1 and subnet of 192.168.2.1/24.

Here's my full configuration; any help much appreciated. I've mostly followed this guide, the only difference being that I put the vif on the switch rather than on the interface.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-name WANv6_OUT {
        default-action accept
        description "WAN outbound traffic"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify vpn-pbr {
        rule 1 {
            action modify
            modify {
                table 1
            }
            source {
                address 192.168.2.0/24
            }
        }
    }
    name LAN_IN {
        default-action accept
        description "LAN to Internal"
        rule 10 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow Multicast 224"
            destination {
                address 224.0.0.0/4
            }
            log disable
        }
        rule 20 {
            action accept
            description "Allow Multicast 225"
            destination {
                address 225.0.0.0/4
            }
            log disable
        }
        rule 30 {
            action accept
            description "Allow UDP to Multicast 224"
            destination {
                address 224.0.0.0/4
            }
            log disable
            protocol udp
            state {
                new enable
            }
        }
        rule 40 {
            action accept
            description "Allow UDP to Multicast 225"
            destination {
                address 225.0.0.0/4
            }
            log disable
            protocol udp
            state {
                new enable
            }
        }
        rule 50 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 60 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
            state {
                established enable
                related enable
            }
        }
        rule 70 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 100 {
            action drop
            description "Drop invalid state"
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Port Forward - Router SSH"
            destination {
                address 192.168.0.1
                port 22
            }
            protocol tcp
        }
        rule 30 {
            action accept
            description "Port Forward - Router HTTPS"
            destination {
                address 192.168.0.1
                port 443
            }
            protocol tcp
        }
        rule 40 {
            action accept
            description "Allow Multicast 224"
            destination {
                address 224.0.0.0/4
            }
            log disable
        }
        rule 50 {
            action accept
            description "Allow Multicast 225"
            destination {
                address 225.0.0.0/4
            }
            log disable
        }
        rule 60 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 100 {
            action drop
            description "Drop invalid state"
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1460
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Google Fiber Jack"
        duplex auto
        poe {
            output 48v
        }
        speed auto
        vif 2 {
            address dhcp
            description "Google Fiber WAN"
            dhcpv6-pd {
                pd 0 {
                    interface eth1 {
                        host-address ::1
                        prefix-id :2
                        service slaac
                    }
                    interface switch0 {
                        host-address ::1
                        prefix-id :0
                        service slaac
                    }
                    interface switch0.102 {
                        host-address ::1
                        prefix-id :1
                        service slaac
                    }
                    prefix-length /56
                }
                rapid-commit enable
            }
            egress-qos 0:3
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
                out {
                    ipv6-name WANv6_OUT
                    name WAN_OUT
                }
            }
        }
    }
    ethernet eth1 {
        address 192.168.99.1/24
        description "Local Config Port"
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description LAN
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description LAN
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/auth/openvpn_coventry.ovpn
        description "UK VPN"
    }
    switch switch0 {
        address 192.168.0.1/24
        description "LAN Switch"
        firewall {
            in {
                name LAN_IN
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 10 {
            address 192.168.2.1/24
            description "VPN SSID"
            firewall {
                in {
                    modify vpn-pbr
                }
            }
            mtu 1500
        }
        vif 102 {
            address 172.16.0.1/24
            description "Guest Network VLAN"
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description "Router SSH"
        forward-to {
            address 192.168.0.1
            port 22
        }
        original-port 2222
        protocol tcp_udp
    }
    rule 2 {
        description "Router HTTPS"
        forward-to {
            address 192.168.0.1
            port 443
        }
        original-port 8080
        protocol tcp_udp
    }
    rule 3 {
        description ""
        forward-to {
            address 192.168.0.1
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    wan-interface eth0.2
}
protocols {
    igmp-proxy {
        interface eth0.2 {
            alt-subnet 10.0.0.0/8
            role upstream
            threshold 1
        }
        interface switch0 {
            alt-subnet 192.168.0.0/24
            role downstream
            threshold 1
        }
    }
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
            route 0.0.0.0/0 {
                next-hop 136.62.168.1 {
                }
                next-hop 192.168.1.254 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name Blighty {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.199
                }
            }
        }
        shared-network-name Config {
            authoritative disable
            subnet 192.168.99.0/24 {
                default-router 192.168.99.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.99.101 {
                    stop 192.168.99.254
                }
            }
        }
        shared-network-name Guest {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name guest.example.com
                lease 86400
                start 172.16.0.10 {
                    stop 172.16.0.254
                }
            }
        }
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name example.com
                lease 86400
                start 192.168.0.101 {
                    stop 192.168.0.254
                }
            }
        }
        use-dnsmasq disable
    }
    dns {        
        forwarding {
            cache-size 500
            listen-on switch0
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "Outbound NAT"
            log disable
            outbound-interface eth0.2
            protocol all
            type masquerade
        }
        rule 5001 {
            description "Outbound VPN"
            log disable
            outbound-interface vtun0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on switch0
        nat-pmp disable
        secure-mode enable
        wan eth0.2
    }
}
system {
    host-name UBNT-gateway
    login {
        user ubnt {
            authentication {
                encrypted-password $6$8xi7qJBknN3mbv$4Lj0iBrI8ATvfOax89t1LlMZaBVDKdfTefIoiNzh.oyArT576CRwoY.xYZFzunOs4GcMEwmphgUPv3BTeuO/h0
                plaintext-password ""
            }
            full-name "UBNT Admin"
            level admin
        }
    }
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        custom-category UK_Websites {
            name bbc-iplayer
            name itv
            name bbc
        }
        dpi enable
        export enable
    }
}


EdgeMax Router v1.9.7 - BLACK LIST IP ADDRESSES

I have an EdgeRouter Lite and I am trying to blacklist some IPs that have been trying to connect to my PBX server. I created DNAT rules instead of port forwarding and created a firewall group with the IPs that I am trying to blacklist. For some reason my firewall rule is never triggered, and the blacklisted IPs are constantly trying to connect to my PBX server.

admin@ubnt:~$ show configuration | cat                                          
firewall {                                                                      
    all-ping enable                                                             
    broadcast-ping disable                                                      
    group {                                                                     
        address-group IPs_TO_BLOCK {                                            
            address 107.77.106.56                                               
            address 51.15.65.172                                                
            address 89.163.242.160                                              
            address 185.127.24.103                                              
            address 195.154.177.170                                             
            address 199.48.164.51                                               
            address 146.0.35.21                                                 
            address 195.154.182.242                                             
            address 23.236.50.39                                                
            address 68.64.51.39                                                 
            address 62.210.167.32                                               
            address 104.198.216.3                                               
            address 130.211.188.114                                             
            address 89.249.67.50                                                
            address 51.15.68.212                                                
            address 95.182.79.72                                                
            address 209.159.151.162                                             
            address 163.172.64.146                                              
            address 62.210.201.52                                               
            address 199.48.164.108                                              
            address 51.15.131.73                                                
            address 51.15.77.245                                                
            address 209.126.74.176                                              
            address 212.47.249.105                                              
            address 107.77.106.123                                              
            description ""                                                      
        }                                                                       
        port-group UCM_PORTS {                                                  
            description "UCM ports"                                             
            port 8089                                                           
            port 10000-11000                                                    
            port 5080-5085                                                      
            port 4569                                                           
        }                                                                       
    }                                                                           
    ipv6-receive-redirects disable                                              
    ipv6-src-route disable                                                      
    ip-src-route disable                                                        
    log-martians enable                                                         
    name WAN_IN {                                                               
        default-action drop                                                     
        description "WAN to internal"                                           
        rule 10 {                                                               
            action drop                                                         
            description "Drop unauth attempts to UCM"                           
            destination {                                                       
                address 192.168.15.154                                          
                group {                                                         
                    port-group UCM_PORTS                                        
                }                                                               
            }                                                                   
            log enable                                                          
            protocol all                                                        
            source {                                                            
                group {                                                         
                    address-group IPs_TO_BLOCK                                  
                }                                                               
            }                                                                   
            state {                                                             
                established enable                                              
                invalid disable                                                 
                new enable                                                      
                related enable                                                  
            }                                                                   
        }                                                                       
        rule 20 {                                                               
            action accept                                                       
            description "Allow established/related"                             
            state {                                                             
                established enable                                              
                related enable                                                  
            }                                                                   
        }                                                                       
        rule 30 {                                                               
            action drop                                                         
            description "Drop invalid state"                                    
            state {                                                             
                invalid enable                                                  
            }                                                                   
        }                                                                       
        rule 40 {                                                               
            action accept                                                       
            description "allow port 8089"                                       
            destination {                                                       
                address 192.168.15.154                                          
                port 8089                                                       
            }                                                                   
            log disable                                                         
            protocol tcp                                                        
        }                                                                       
        rule 50 {                                                               
            action accept                                                       
            description "allow port 10000-11000"                                
            destination {                                                       
                address 192.168.15.154                                          
                port 10000-11000                                                
            }                                                                   
            log disable                                                         
            protocol udp                                                        
        }                                                                       
        rule 60 {                                                               
            action accept                                                       
            description "allow port 5080-5085"                                  
            destination {                                                       
                address 192.168.15.154                                          
                port 5080-5085                                                  
            }                                                                   
            log disable                                                         
            protocol udp                                                        
        }                                                                       
        rule 70 {                                                               
            action accept                                                       
            description "allow port 4596"                                       
            destination {                                                       
                address 192.168.15.154                                          
                port 4569                                                       
            }                                                                   
            log disable                                                         
            protocol tcp_udp                                                    
        }                                                                       
    }                                                                           
    name WAN_LOCAL {                                                            
        default-action drop                                                     
        description "WAN to router"                                             
        rule 10 {                                                               
            action accept                                                       
            description "Allow established/related"                             
            state {                                                             
                established enable                                              
                related enable                                                  
            }                                                                   
        }                                                                       
        rule 20 {                                                               
            action drop                                                         
            description "Drop invalid state"                                    
            state {                                                             
                invalid enable                                                  
            }                                                                   
        }                                                                       
        rule 21 {                                                               
            action drop                                                         
            description "Drop unauth attempts to UCM"                           
            destination {                                                       
                group {                                                         
                    port-group UCM_PORTS                                        
                }                                                               
            }                                                                   
            log enable                                                          
            protocol all                                                        
            source {                                                            
                group {                                                         
                    address-group IPs_TO_BLOCK                                  
                }                                                               
            }                                                                   
        }                                                                       
    }                                                                           
    receive-redirects disable                                                   
    send-redirects enable                                                       
    source-validation disable                                                   
    syn-cookies enable                                                          
}                                                                               
interfaces {                                                                    
    ethernet eth0 {                                                             
        address dhcp                                                            
        description Internet                                                    
        duplex auto                                                             
        firewall {                                                              
            in {                                                                
                name WAN_IN                                                     
            }                                                                   
            local {                                                             
                name WAN_LOCAL                                                  
            }                                                                   
        }                                                                       
        speed auto                                                              
    }                                                                           
    ethernet eth1 {                                                             
        description Local                                                       
        duplex auto                                                             
        speed auto                                                              
    }                                                                           
    ethernet eth2 {                                                             
        description Local                                                       
        duplex auto                                                             
        speed auto                                                              
    }                                                                           
    ethernet eth3 {                                                             
        description Local                                                       
        duplex auto                                                             
        speed auto                                                              
    }                                                                           
    ethernet eth4 {                                                             
        description Local                                                       
        duplex auto                                                             
        speed auto                                                              
    }                                                                           
    loopback lo {                                                               
    }                                                                           
    switch switch0 {                                                            
        address 192.168.15.1/24                                                 
        description Local                                                       
        mtu 1500                                                                
        switch-port {                                                           
            interface eth1 {                                                    
            }                                                                   
            interface eth2 {                                                    
            }                                                                   
            interface eth3 {                                                    
            }                                                                   
            interface eth4 {                                                    
            }                                                                   
            vlan-aware disable                                                  
        }                                                                       
    }                                                                           
}                                                                               
port-forward {                                                                  
    auto-firewall disable                                                       
    hairpin-nat disable                                                         
    wan-interface eth0                                                          
}                                                                               

See the attached images.

Any help will be greatly appreciated.

ERX - no factory reset - RMA when

Two questions below.

Much to our dismay, our ERX will not factory reset. The unit was purchased new 10/2016. I've attempted a reset a few dozen times with the power-on and power-off methods, holding reset until steady green, holding until the steady green is off... none work. The unit is a brick and it's the only one we have. Fortunately a WRT54G is available and holding things up, but we're crippled in the meantime with lost functionality we had grown accustomed to.

1. Is there some last-ditch reset I can attempt here? I've come across YouTube videos for older products where internal USB sticks can be erased / reset. I'm not afraid to open the device and try another method. I am 10 months into a 12-month warranty.

2. I did an RMA. No email confirmation. No means of follow-up. No communication whatsoever as to how long this will take. I sent an email to support@ubnt.com asking for confirmation but have no idea when they'll get back. I am also waiting on live chat at the moment. Can anyone tell me how long this might take?

* I should add that the reset has been attempted with/without an RJ45 connected, and the wait time after reset was up to hours.

* I should also add that live chat told me the RMA form was never received because the RMA form is broken.

ER-8 configuration for internal OpenVPN Server.

Hello,

I'm wondering what would be the best way to configure the ER-8 to enable an internal OpenVPN server. I would like to be able to VPN into my network from the outside internet and access internal network resources. I know I can set up OpenVPN on the ER-8 and simplify the setup, but since I have a PowerEdge R310 server with Ubuntu lying around, I would like to use it as the OpenVPN server. The server has 2 NICs, so one would go to the ER-8 and the other one will be on the switch of the internal network. I was wondering how to set up the ER-8 to allow the traffic. I'm planning on using port 443, and since I don't want remote access to the ER-8 from the outside network it should not be a problem. Now my question is: will just a plain port-forwarding rule work?

Thanks!

Gianni

No Gui and Ping on secondary LAN

Hello!

I have a problem with my EdgeRouter ER-8Pro. Why can't I access the web GUI or ping from the second LAN (eth3) interface? Routing to WAN1 (eth7) and WAN2 (eth1) is working on this port, with the usual load-balancing troubles.

What do I have to change in the GUI to make this work?

Kind regards, Christoph

Firmware: 1.9.7

My config:


firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Server {
            address 192.168.0.0/24
            description "Server Infrastruktur"
        }
        address-group Streaming {
            address 192.168.10.0/24
            description "Streaming Clients"
        }
        port-group VPN {
            description VPN
            port 1194
            port 5555
            port 443
        }
        port-group eMail {
            description eMail
            port 25
            port 465
            port 587
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 1 {
            action modify
            destination {
            }
            modify {
                lb-group SRV
            }
            source {
                group {
                    address-group Server
                }
            }
        }
        rule 2 {
            action modify
            modify {
                lb-group Stream
            }
            source {
                group {
                    address-group Streaming
                }
            }
        }
        rule 3 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name Clients_Sperren {
        default-action accept
        description ""
        rule 1 {
            action drop
            description Fernseher
            log disable
            protocol all
            source {
                address 192.168.2.3
            }
            state {
                established enable
                invalid enable
                new enable
                related disable
            }
        }
        rule 3 {
            action drop
            description Drucker
            log disable
            protocol all
            source {
                address 192.168.6.0/24
            }
        }
        rule 4 {
            action drop
            description Loxeon
            log disable
            protocol all
            source {
                address 192.168.5.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description DC0
            destination {
                group {
                    port-group VPN
                }
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description NAS
            destination {
                group {
                    port-group eMail
                }
            }
            log disable
            protocol tcp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description UPC
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description DREI
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        firewall {
            in {
            }
        }
        speed auto
    }
    ethernet eth3 {
        address 10.10.11.1/24
        description Server
        duplex auto
        firewall {
            in {
                modify balance
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        address dhcp
        description UPC-LWL
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth7 {
        address 10.10.10.10/24
        description LAN-LWL
        duplex auto
        firewall {
            in {
                modify balance
                name Clients_Sperren
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth1 {
            failover-only
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 30
        }
        interface eth6 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 70
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
        }
    }
    group SRV {
        interface eth1 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 30
        }
        interface eth6 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 70
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
            dest-addr enable
        }
    }
    group Stream {
        interface eth1 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 30
        }
        interface eth6 {
            failover-only
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 70
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth7
    lan-interface eth3
    rule 1 {
        description SMTP
        forward-to {
            address 192.168.0.5
            port 25
        }
        original-port 25
        protocol tcp
    }
    rule 2 {
        description SMTP2
        forward-to {
            address 192.168.0.5
            port 465
        }
        original-port 465
        protocol tcp
    }
    rule 3 {
        description SMTP3
        forward-to {
            address 192.168.0.5
            port 587
        }
        original-port 587
        protocol tcp
    }
    rule 4 {
        description IMAPS
        forward-to {
            address 192.168.0.5
            port 993
        }
        original-port 993
        protocol tcp
    }
    rule 5 {
        description Softether
        forward-to {
            address 10.10.11.20
            port 5555
        }
        original-port 5555
        protocol tcp_udp
    }
    rule 6 {
        description Softether_443
        forward-to {
            address 10.10.11.20
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 7 {
        description OpenVPN
        forward-to {
            address 10.10.11.20
            port 1194
        }
        original-port 1194
        protocol tcp_udp
    }
    rule 8 {
        description SofthEtherDC2
        forward-to {
            address 10.10.11.21
            port 6666
        }
        original-port 6666
        protocol tcp_udp
    }
    wan-interface eth6
}
protocols {
    static {
        route 10.255.4.0/24 {
            next-hop 10.10.10.1 {
            }
        }
        route 10.255.5.0/24 {
            next-hop 10.10.10.1 {
            }
        }
        route 10.255.6.0/24 {
            next-hop 10.10.10.1 {
                distance 1
            }
        }
        route 10.255.7.0/24 {
            next-hop 10.10.10.1 {
            }
        }
        route 192.168.0.0/16 {
            next-hop 10.10.10.1 {
                distance 1
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 2 {
            description DC0_LTE
            destination {
                address 10.255.101.51
                group {
                    port-group VPN
                }
            }
            inbound-interface eth1
            inside-address {
                address 10.10.11.20
            }
            log disable
            protocol tcp_udp
            source {
                group {
                }
            }
            type destination
        }
        rule 3 {
            description NAS
            destination {
                address 10.255.101.51
                group {
                    port-group eMail
                }
            }
            inbound-interface eth1
            inside-address {
                address 192.168.0.5
            }
            log disable
            protocol tcp
            source {
                group {
                }
            }
            type destination
        }
        rule 5000 {
            description "LTE CPE"
            destination {
                address 10.255.101.0/24
            }
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth6
            protocol all
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.0.9
        listen-address 10.10.10.10
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password XXX.
                plaintext-password ""
            }
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password XXX/
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    name-server 192.168.0.20
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7.5001803.170720.0156 */

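The following is an added example, not code from either post above or from Ubiquiti. It loads an EdgeOS `show configuration commands` dump into a nested dict and runs two static checks that bear on the two questions: for the OpenVPN port-forward question, whether a forwarded port is also accepted by the ruleset on the WAN interface's `in` hook when `auto-firewall` is disabled (with it enabled, EdgeOS inserts that accept itself); and for the eth3 GUI/ping question, whether an interface with a private address carries a `local` ruleset whose only accept is for established/related traffic, which is the pattern in the eth3 stanza of the config above and drops every new connection to the router itself (HTTPS, SSH, ICMP echo) arriving on that interface. The addresses, rule numbers and port-group in SAMPLE_CONFIG are constructed for the example and only mirror the shape of the posted config.

```python
"""Static checks over an EdgeOS 'show configuration commands' dump.

Added example, not code from the posts above or from Ubiquiti. SAMPLE_CONFIG is
constructed and only mirrors the shape of the posted config: a private LAN on
eth3 carrying the WAN_LOCAL ruleset, and port-forwards with auto-firewall off."""
import ipaddress
import shlex

SAMPLE_CONFIG = """\
set firewall group port-group VPN port 1194
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 destination group port-group VPN
set firewall name WAN_IN rule 20 protocol tcp_udp
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth3 address 10.10.11.1/24
set interfaces ethernet eth3 firewall local name WAN_LOCAL
set port-forward auto-firewall disable
set port-forward wan-interface eth0
set port-forward rule 1 original-port 443
set port-forward rule 1 protocol tcp
set port-forward rule 2 original-port 1194
set port-forward rule 2 protocol tcp_udp
"""


def parse_set_commands(text):
    """Nested dict from 'set a b ... key value' lines; repeated leaves become lists.
    Valueless flag leaves (e.g. 'enable-default-log') are not modelled here."""
    root = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        *path, key, value = tokens[1:]
        node = root
        for tok in path:
            node = node.setdefault(tok, {})
        if key in node:  # second value for the same leaf: promote to a list
            old = node[key]
            node[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            node[key] = value
    return root


def accepts_new_connections(ruleset):
    """True if some accept rule can match a NEW flow: no state block, or new=enable."""
    for rule in ruleset.get("rule", {}).values():
        state = rule.get("state", {})
        if rule.get("action") == "accept" and (not state or state.get("new") == "enable"):
            return True
    return False


def management_lockouts(cfg):
    """Privately addressed interfaces whose 'local' ruleset drops every new flow, so
    the router's own GUI, SSH and echo replies are unreachable from that LAN."""
    rulesets = cfg.get("firewall", {}).get("name", {})
    found = []
    for ifname, iface in cfg.get("interfaces", {}).get("ethernet", {}).items():
        addr = iface.get("address", "")
        name = iface.get("firewall", {}).get("local", {}).get("name")
        if name is None or "/" not in addr or not ipaddress.ip_interface(addr).ip.is_private:
            continue  # no local ruleset, or a DHCP/public address: treat as WAN
        rs = rulesets.get(name, {})
        if rs.get("default-action") == "drop" and not accepts_new_connections(rs):
            found.append((ifname, name))
    return found


def rule_ports(rule, port_groups):
    """Destination ports an accept rule names, literally or through a port-group."""
    dest = rule.get("destination", {})
    ports = set(str(dest["port"]).split(",")) if "port" in dest else set()
    group = dest.get("group", {}).get("port-group")
    if group:
        members = port_groups.get(group, {}).get("port", [])
        ports.update(members if isinstance(members, list) else [members])
    return ports


def unreachable_forwards(cfg):
    """Port-forward rules with no covering accept on the WAN 'in' ruleset while
    auto-firewall is disabled (with it enabled EdgeOS inserts those accepts itself)."""
    pf = cfg.get("port-forward", {})
    if pf.get("auto-firewall") != "disable":
        return []
    fw = cfg.get("firewall", {})
    wan = cfg.get("interfaces", {}).get("ethernet", {}).get(pf.get("wan-interface"), {})
    ruleset = fw.get("name", {}).get(wan.get("firewall", {}).get("in", {}).get("name"), {})
    covered = {}  # port -> protocols some accept rule allows to it
    for rule in ruleset.get("rule", {}).values():
        if rule.get("action") == "accept":
            for port in rule_ports(rule, fw.get("group", {}).get("port-group", {})):
                covered.setdefault(port, set()).add(rule.get("protocol", "all"))
    found = []
    for num, rule in pf.get("rule", {}).items():
        port, proto = str(rule.get("original-port")), rule.get("protocol", "tcp_udp")
        if not {proto, "all", "tcp_udp"} & covered.get(port, set()):
            found.append((num, port, proto))
    return found


if __name__ == "__main__":
    cfg = parse_set_commands(SAMPLE_CONFIG)
    print("management lockouts:", management_lockouts(cfg))
    print("forwards without WAN accept:", unreachable_forwards(cfg))
```

Run as a script it reports eth3/WAN_LOCAL as a lockout and port-forward rule 1 (443/tcp) as having no accept on WAN_IN, while rule 2 is covered by the VPN port-group accept. To check a real router, feed `parse_set_commands` the output of `show configuration commands`. Both checks are deliberately conservative: a `local` ruleset on a DHCP- or public-addressed interface is treated as a WAN and not reported, and a forward counts as covered only when an accept rule names its port (directly or via a port-group) with a compatible protocol.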
ERLite-3: What is maximum operating temperature?

My ERLite-3 is mounted on a wall inside a wooden cabinet in my home office, along with my modem, a switch and a Vonage phone adapter.

The router is mounted on the wall using the included screws, with the ports facing down and the power jack on top. (So the part I am going to call the "top" in this post is actually the back of the unit, which has the power jack and ground lug. And the part I am going to call the "side" is actually the top of the unit, i.e. the large surface that has the "EdgeRouter Lite" logo.)

I would prefer to keep the cabinet door closed if possible.

With the door closed, the router measures 100 degrees F on the "side", and 115 degrees F on the "top".

Are these temps OK? Or am I going to need to keep the door open or just remove the door?

With the door left open for a while, the temp on the "top" is 107F, and the temp on the "side" is 92F.

Note that there are no power supplies inside the cabinet, so the only sources of heat are the equipment itself.

I cannot find any specifications for operating temperature range in the product doc.


ERX for a B&B?

Friends who own a small B&B have asked me to upgrade their network (currently using a 10-year-old Dell switch, SonicWall, and Cisco Aironet 802.11g WAPs).

I have been thinking that an ERX-SFP would provide enough capacity for their needs; figure at most 50 concurrent devices on their 100/20 Comcast connection. Usually there will be a lot fewer than 50 devices, probably closer to 20. Thoughts on this? I originally thought to go with a USG or ERL, but they are trying to save money where they can. I use the ERX at home and at my dad's dental office, and have never had any issues. The ERL/USG worry me because of the internal USB drive going bad.

What would people here recommend?

Thanks!

EdgeRouter POE Bridge VLAN Across WAN and Switch0

I have an ISP that is providing data and voice to my sites. I want to be able to NAT the data (WAN on eth0 and LAN on switch0) and trunk the voice VLAN (VLAN 3) from the eth0 port to the switch0 ports.

Is there a way to accomplish this with this device?

I tried creating the same VLAN on both interfaces but had no luck with that. I have done something similar using more expensive layer 3 switches, but the size and quantity of the sites require something much less expensive.

Thanks...

Jeff

ER Pro transit and public IP blocks and whatismyip

Probably one of the worst post titles for what is essentially a simple question, but it takes some explaining to get there! When we go to whatismyip.com we need the IP from our public block of IPs we have assigned to the router to be returned. Currently it's returning our Comcast transit address, which is what I would expect given our current config, but I don't know how to make it do what we want, hence this posting.

Scenario: EdgeRouter Pro 8, Comcast Fiber, /30 addresses for transit, /29 public IP block.

  • eth0 assigned transit address of 50.201.X.6. Gateway address for the router is 50.201.x.5.
  • eth1 assigned public IP from the /29 block of 50.224.x.54. <- This is what we want to be our public IP. We have some devices that need publicly facing IP addresses that are statically assigned from the /29 block on a switch on this interface; can't do 1-to-1 NAT for them. This is working.
  • eth7 is the LAN with 192.168.1.1
  • SNAT masquerade rule on eth0 for the LAN, since this is currently the actual outbound interface.
  • SNAT exclude rule for 50.224.x.48/29
  • Firewall rule allowing established, new and related to 50.224.x.48/29 and only established and related to everything else.

When someone on the LAN goes to whatismyip.com we want 50.224.x.54 to show as the IP. I get that eth0 is the outbound port, but I guess what we want is eth1 to be the outbound port for the LAN and our block of IPs, and eth0 to be the gateway for all of that, whose next hop is Comcast's gateway.

Does my question make sense?

2 WANs loadbalanced, but IPsec only over WAN1

I have an ER8Pro with two WANs with load balancing. WAN1 on eth0 has a static IP and WAN2 on eth1 has a dynamic IP.

For our IPsec site-to-site VPN I have to use the static IP from WAN1 on eth0.

I tried with the

    ipsec-interfaces {
        interface eth0
    }

configuration. Now the GUI says that the ipsec-interfaces value is deprecated.

What is the replacement for that? The IPsec connection can only be established via WAN1...

I use EdgeOS 1.9.1.1 because of load-balance problems with 1.9.7.

VPN IPSec Site-to-Site ERL3 to ASA5505

Hello,

Been working on this site-to-site tunnel for about a week and a half now. While I can get the tunnel to come up by pinging from the ERL to the ASA, I cannot get the tunnel to come up by pinging from the ASA to the ERL.

I have messed around with NAT rules and FW rules on the ERL side. I have looked at countless topics in the forums and also the knowledge base. I still can't figure out why I cannot ping and open the tunnel from the ASA side.

I believe I may have a misconfigured NAT or FW on my ERL side. I have included the sanitized ERL config. Any help is greatly appreciated.

ubnt@ShilohEdge:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group CH_Remote {
            description "Remote Local Network"
            network XX.3.1.0/24
            network XX.2.1.0/24
        }
        network-group Shiloh_Local {
            description "Local address"
            network XX.30.1.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 31 {
            action accept
            description VPN_Allow
            destination {
                group {
                    network-group Shiloh_Local
                }
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                group {
                    network-group CH_Remote
                }
            }
        }
        rule 32 {
            action accept
            description Incoming_Inside
            ipsec {
                match-ipsec
            }
            log disable
            protocol ip
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description HTTPS_IN
            destination {
                group {
                    address-group NETv4_eth0
                }
                port 443
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 30 {
            action accept
            description SSH
            destination {
                group {
                    address-group NETv4_eth0
                }
                port 22
            }
            log disable
            protocol tcp
        }
        rule 40 {
            action accept
            description "IPsec IKE"
            destination {
                port 500
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description "Allow IPsec NAT-T"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description "Allow IPsec ESP"
            log disable
            protocol esp
        }
        rule 70 {
            action accept
            description WAN_ICMP
            log disable
            protocol icmp
        }
        rule 80 {
            action accept
            description "IPsec Interesting Traffic"
            destination {
                group {
                    network-group Shiloh_Local
                }
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                group {
                    network-group CH_Remote
                }
            }
        }
        rule 90 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address XX.XX.103.124/29
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth1 {
        address XX.30.1.253/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.30.1.0/24 {
                default-router XX.30.1.253
                dns-server XX.XX.191.107
                dns-server XX.XX.120.194
                lease 86400
                start XX.30.1.38 {
                    stop XX.30.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5001 {
            description "masquerade for ipsec"
            destination {
                group {
                    network-group CH_Remote
                }
            }
            exclude
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group Shiloh_Local
                }
            }
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address XX.XX.103.121
    host-name ShilohEdge
    login {
        user rmartinez {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "derp"
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server XX.XX.191.107
    name-server XX.XX.120.194
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group FOO0 {
            compression disable
            lifetime 28800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer XX.XX.XX.50 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ShilohtoCH
                ike-group FOO0
                ikev2-reauth inherit
                local-address XX.XX.XX.124
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix XX.30.1.0/24
                    }
                    remote {
                        prefix XX.3.1.0/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix XX.30.1.0/24
                    }
                    remote {
                        prefix XX.2.1.0/24
                    }
                }
            }
        }
    }
}

Firewall broken access needed

I've included my firewall configuration below. Yes, I realize the rules are in bad shape. I plan on fixing this, but I have this more immediate issue:

I want to allow access from the guest network defined as VLAN_5 to a single resource in VLAN_1 (192.168.1.85:80). Given the complete lack of security around VLAN_1 (default-action accept) I thought this would be allowed by default. I've tried some specific rules to allow this but none are working. Is there anything I need to do with VLAN_5? 

I'm pretty confident about the interface configuration. Both VLAN_5 and VLAN_1 are on eth1 and eth1 has vid 1, pvid 5. The DHCP rule below wouldn't work if this weren't set. 

all-ping enable
broadcast-ping disable
group {
    network-group LAN_NETWORKS {
        description "LAN Networks"
        network 192.168.0.0/16
        network 172.16.0.0/12
        network 10.0.0.0/8
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name VLAN_1_IN {
    default-action accept
    description ""
    rule 1 {
        action accept
        description "ACCEPT Established/Related"
        disable
        log enable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
}
name VLAN_1_LOCAL {
    default-action accept
    description ""
    rule 1 {
        action accept
        description "ACCEPT DHCP"
        destination {
            port 67
        }
        disable
        log disable
        protocol udp
    }
}
name VLAN_5_IN {
    default-action accept
    rule 10 {
        action accept
        description "ACCEPT Established/Related"
        protocol all
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "DROP LAN_NETWORKS"
        destination {
            group {
                network-group LAN_NETWORKS
            }
        }
        disable
        log disable
        protocol all
    }
}
name VLAN_5_LOCAL {
    default-action drop
    rule 10 {
        action accept
        description "ACCEPT DNS"
        destination {
            port 53
        }
        protocol udp
    }
    rule 20 {
        action accept
        description "ACCEPT DHCP"
        destination {
            port 67
        }
        log enable
        protocol udp
    }
}
name WAN_IN {
    default-action drop
    description "WAN to internal"
    enable-default-log
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
    rule 21 {
        action accept
        description ssh-246-mogwai
        destination {
            address 192.168.1.5
            port 246
        }
        disable
        log enable
        protocol tcp
    }
    rule 22 {
        action accept
        description http-https-felts
        destination {
            address 192.168.10.10
            port 443
        }
        disable
        log enable
        protocol tcp
    }
}
name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    enable-default-log
    rule 10 {
        action accept
        description "Allow established/related"
        log enable
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        log enable
        state {
            invalid enable
        }
    }
    rule 21 {
        action accept
        description OpenVPN
        destination {
            port 1194
        }
        log enable
        protocol udp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable

VPN IPSec Site-to-Site ERL3 to ASA5505

Hello,

Been working on this site-to-site tunnel for about a week and a half now. While I can get the tunnel to come up by pinging from ERL to ASA, I cannot get the tunnel to come up by pinging from ASA to ERL.

I have messed around with NAT rules and FW rules on the ERL side. I have looked at countless topics in the forums and also the knowledge base. I still can't figure out why I cannot ping and open the tunnel from the ASA side.

I believe I may have a misconfigured NAT or FW on my ERL side. I have included the sanitized ERL config. Any help is greatly appreciated. 

PS. Don't know what happened to my previous post.

ubnt@ShilohEdge:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group CH_Remote {
            description "Remote Local Network"
            network XX.3.1.0/24
            network XX.2.1.0/24
        }
        network-group Shiloh_Local {
            description "Local address"
            network XX.30.1.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 31 {
            action accept
            description VPN_Allow
            destination {
                group {
                    network-group Shiloh_Local
                }
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                group {
                    network-group CH_Remote
                }
            }
        }
        rule 32 {
            action accept
            description Incoming_Inside
            ipsec {
                match-ipsec
            }
            log disable
            protocol ip
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description HTTPS_IN
            destination {
                group {
                    address-group NETv4_eth0
                }
                port 443
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 30 {
            action accept
            description SSH
            destination {
                group {
                    address-group NETv4_eth0
                }
                port 22
            }
            log disable
            protocol tcp
        }
        rule 40 {
            action accept
            description "IPsec IKE"
            destination {
                port 500
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description "Allow IPsec NAT-T"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description "Allow IPsec ESP"
            log disable
            protocol esp
        }
        rule 70 {
            action accept
            description WAN_ICMP
            log disable
            protocol icmp
        }
        rule 80 {
            action accept
            description "IPsec Interesting Traffic"
            destination {
                group {
                    network-group Shiloh_Local
                }
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                group {
                    network-group CH_Remote
                }
            }
        }
        rule 90 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address XX.XX.103.124/29
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth1 {
        address XX.30.1.253/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.30.1.0/24 {
                default-router XX.30.1.253
                dns-server XX.XX.191.107
                dns-server XX.XX.120.194
                lease 86400
                start XX.30.1.38 {
                    stop XX.30.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5001 {
            description "masquerade for ipsec"
            destination {
                group {
                    network-group CH_Remote
                }
            }
            exclude
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group Shiloh_Local
                }
            }
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address XX.XX.103.121
    host-name ShilohEdge
    login {
        user rmartinez {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "derp"
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server XX.XX.191.107
    name-server XX.XX.120.194
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group FOO0 {
            compression disable
            lifetime 28800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer XX.XX.XX.50 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ShilohtoCH
                ike-group FOO0
                ikev2-reauth inherit
                local-address XX.XX.XX.124
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix XX.30.1.0/24
                    }
                    remote {
                        prefix XX.3.1.0/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix XX.30.1.0/24
                    }
                    remote {
                        prefix XX.2.1.0/24
                    }
                }
            }
        }
    }
}

EdgePower Update Timezone

Anyone been successful in changing the timezone on an EdgePower?

Using vi to edit /etc/TZ does not seem to work... it reverts back to GMT upon reboot.

If I am not missing something, I'd like to know where I can submit a request for this to be added...

bgp race condition at boot in 1.9.1.1 and 1.9.7+hotfix1

At boot it appears that some BGP prefixes can be learned, and advertised to peers, before route-map/prefix-list filters can be applied.  I had a peer report to me that I was advertising excessive route count in the past, but could never find a cause.  Today after a reboot of two different routers, they both exhibited this behavior.

After a reboot on a router with multiple iBGP and eBGP peers:

$ show ip bgp neighbors x.x.x.x advertised-routes

BGP table version is 428428, local router ID is x.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.y.w.0/24 x.x.x.x 100 0 i
*> 10.y.x.0/24 x.x.x.x 100 0 i
*> 10.y.y.0/24 x.x.x.x 100 0 i
*> 10.y.z.0/24 x.x.x.x 100 0 i

<... lots of prefixes ... >

Total number of prefixes 23

$ clear ip bgp x.x.x.x

$ show ip bgp neighbors x.x.x.x advertised-routes

BGP table version is 471584, local router ID is x.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path

<... correct prefixes based on filters, nothing from 10.* etc... >

Total number of prefixes 7

Note this is with no configuration changes of any kind on the router after boot.  Simply logged in, looked at advertised routes, reset the session, and looked again.  On one of the routers there were about 2400 such extra prefixes being advertised (out of more than 100K we carry) so it seems like the filters were applied during the process of learning and advertising prefixes and the bleeding stopped.

This is a very serious problem since leaking prefixes to peers can, if your peers don't filter well enough, lead to massive routing problems and downtime for both networks.  Please place a high priority on this one...

-Adam
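A defender-side check for the behaviour Adam describes, added here as an example and not Ubiquiti or EdgeOS code: it parses the `show ip bgp neighbors <peer> advertised-routes` output and flags every prefix that is private or falls outside the permit list the route-map/prefix-list is meant to enforce. Run after each boot (and on a schedule), it catches the leak before a peer has to report it. The sample output, the `PERMITTED` aggregates and AS 64496 are constructed from documentation ranges; only the column layout follows the output posted above.

```python
# Added example, not Ubiquiti code: parse 'show ip bgp neighbors <peer> advertised-routes'
# and flag prefixes that should never leave the router, so a leak like the one described
# above is caught by a post-boot check rather than a peer's complaint.
import ipaddress
import re

# Constructed sample in the layout of the posted output (documentation addresses only).
SAMPLE_OUTPUT = """\
BGP table version is 428428, local router ID is 198.51.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.20.30.0/24    198.51.100.1             0    100      0 i
*> 10.20.31.0/24    198.51.100.1             0    100      0 i
*> 198.51.100.0/24  198.51.100.1             0    100      0 i
*> 192.0.2.0/24     198.51.100.1             0    100      0 i
*> 203.0.113.0/24   198.51.100.1                         0 64496 i
*> 2001:db8:1::/48  2001:db8::1                          0 64496 i

Total number of prefixes 6
"""

# Hypothetical permit list standing in for the prefix-list: (aggregate, longest prefix
# length allowed), like 'le' on a prefix-list entry. NEVER_ANNOUNCE is checked first.
PERMITTED = [("198.51.100.0/22", 24), ("203.0.113.0/24", 24), ("2001:db8::/32", 48)]
NEVER_ANNOUNCE = [("10.0.0.0/8", 32), ("172.16.0.0/12", 32), ("192.168.0.0/16", 32), ("fc00::/7", 128)]

ROUTE_RE = re.compile(r"^\*\S*\s+(\S+/\d+)")  # status flags ('*>', '*>i', ...) then the prefix

def advertised_prefixes(output):
    """Prefixes from the table body, plus the router's own count from the trailer line."""
    prefixes, total = [], None
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefixes.append(ipaddress.ip_network(m.group(1)))
        elif line.startswith("Total number of prefixes"):
            total = int(line.rsplit(None, 1)[1])
    return prefixes, total

def covered(net, aggregates):
    """True if net lies inside one aggregate and is no longer than that entry allows."""
    for agg, longest in aggregates:
        agg = ipaddress.ip_network(agg)
        if net.version == agg.version and net.subnet_of(agg) and net.prefixlen <= longest:
            return True
    return False

def leaked_prefixes(output, permitted=PERMITTED):
    """(prefix, reason) for every advertised prefix that is private or not permitted."""
    prefixes, total = advertised_prefixes(output)
    if total is not None and total != len(prefixes):  # parser and router disagree: do not trust the result
        raise ValueError("parsed %d prefixes, router reports %d" % (len(prefixes), total))
    leaks = []
    for net in prefixes:
        if covered(net, NEVER_ANNOUNCE):
            leaks.append((str(net), "private"))
        elif not covered(net, permitted):
            leaks.append((str(net), "not in permit list"))
    return leaks

if __name__ == "__main__":
    for prefix, reason in leaked_prefixes(SAMPLE_OUTPUT):
        print("LEAK %-18s %s" % (prefix, reason))
```

The trailer count is compared with the number of parsed rows on purpose: if the output format changes and the regex silently misses rows, a check that reports "no leaks" would be worse than no check at all.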

Edgepoint reboot needed after change on AF.

I found I have to reboot the Edgepoints every time I make a change on the attached airFiber 5s. For instance, if I change the power setting or frequency and apply, I lose access to that airFiber and it doesn't come back until I restart the Edgepoint R6. It doesn't matter if they are set up with static routing or with OSPF. All are running current software. No firewall rules, etc. Any ideas?

tk

ERL3 - Block VLAN during certain hours

I've looked through some threads regarding blocking devices based on MAC during certain hours, but my scenario is slightly different. I have my kids' wireless on a VLAN utilizing OpenDNS for outbound DNS filtering.

Since I've instituted this, I've also had their wireless access (via Unifi) shut down during certain hours. This solution has worked great, however, they're getting older and are more connected than ever, and would like to use their iPads to control the Sonos in their rooms. This of course requires them to be connected.

Can I setup the ERL3 to block external traffic during certain hours, but leave them access to internal requests?

Thanks...
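Two questions on this page, the guest-VLAN access problem in "Firewall broken access needed" above and the time-of-day question just asked, both come down to how EdgeOS walks a named rule-set: rules in numeric order, a rule carrying `disable` skipped entirely, and `default-action` applied only when nothing matched. The Python below is an added example, not EdgeOS or Ubiquiti code: it parses the brace-style config the router prints and evaluates a constructed packet against a rule-set. The `LAN_NETWORKS` group and `VLAN_5_IN` rule-set follow the posted config; `KIDS_IN` with its rules 30 and 40 is hypothetical, and the `time` node with `starttime`/`stoptime` is written to mirror EdgeOS's time-based rule syntax as an assumption. Only `state`, a destination `network-group` and that `time` node are modelled.

```python
# Added example, not EdgeOS code: parse an EdgeOS-style brace config and walk a firewall
# rule-set the way the router does (numeric order, rules marked 'disable' skipped,
# default-action when nothing matches). Only state, destination network-group and the
# time node (starttime/stoptime syntax assumed) are modelled.
import ipaddress
from datetime import time

# Constructed sample: LAN_NETWORKS and VLAN_5_IN follow the posted config (rule 20 is
# disabled there too); KIDS_IN is hypothetical: internal destinations always accepted,
# everything else dropped between 21:00 and 06:00.
SAMPLE = """
group {
    network-group LAN_NETWORKS {
        network 192.168.0.0/16
    }
}
name VLAN_5_IN {
    default-action accept
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        destination {
            group {
                network-group LAN_NETWORKS
            }
        }
        disable
    }
}
name KIDS_IN {
    default-action accept
    rule 30 {
        action accept
        destination {
            group {
                network-group LAN_NETWORKS
            }
        }
    }
    rule 40 {
        action drop
        time {
            starttime 21:00:00
            stoptime 06:00:00
        }
    }
}
"""

def parse(text):
    # Nested braces -> nested dicts; bare words become True, repeated leaves become lists.
    root = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            old = stack[-1].get(key)
            stack[-1][key] = (True if not value else value if old is None
                              else (old if isinstance(old, list) else [old]) + [value])
    return root

def rule_matches(cfg, rule, pkt):
    st = rule.get("state", {})            # state node: packet state must be one of the enabled ones
    if "enable" in st.values() and st.get(pkt["state"]) != "enable":
        return False
    grp = rule.get("destination", {}).get("group", {}).get("network-group")
    if grp:                               # destination must fall inside the network-group
        nets = cfg["group"]["network-group " + grp]["network"]
        nets = nets if isinstance(nets, list) else [nets]
        if not any(ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(n) for n in nets):
            return False
    if "time" in rule:                    # window may wrap past midnight (21:00 -> 06:00)
        start, stop = (time.fromisoformat(rule["time"][k]) for k in ("starttime", "stoptime"))
        inside = start <= pkt["when"] <= stop if start <= stop else (pkt["when"] >= start or pkt["when"] <= stop)
        if not inside:
            return False
    return True

def evaluate(cfg, ruleset, pkt):
    # Returns (action, rule number) of the first enabled matching rule, else (default-action, None).
    rs = cfg["name " + ruleset]
    rules = sorted(((int(k.split()[1]), v) for k, v in rs.items() if k.startswith("rule ")), key=lambda r: r[0])
    for num, rule in rules:
        if not rule.get("disable") and rule_matches(cfg, rule, pkt):
            return rule["action"], num
    return rs.get("default-action", "drop"), None    # EdgeOS drops when default-action is unset

def decide(ruleset, dst, state="new", when="12:00", enable_rule=None):
    # Evaluate one constructed packet against SAMPLE; enable_rule un-disables that rule first.
    cfg = parse(SAMPLE)
    if enable_rule:
        cfg["name " + ruleset]["rule %d" % enable_rule].pop("disable", None)
    return evaluate(cfg, ruleset, {"dst": dst, "state": state, "when": time.fromisoformat(when)})
```

`decide("VLAN_5_IN", "192.168.1.85")` returns `('accept', None)`: rule 20 is disabled and the default action is accept, so that rule-set on its own does not explain why the guest subnet cannot reach 192.168.1.85:80; re-enabling rule 20 (`enable_rule=20`) turns the answer into `('drop', 20)` for new connections while return traffic still passes on rule 10. For the schedule, `KIDS_IN` accepts anything inside `LAN_NETWORKS` first (rule 30) and drops the rest only inside the window (rule 40), which is the "internal always, external only by the clock" split asked for. The window is checked against the router's clock, and both configs on this page set `time-zone UTC`, so either set the local zone or write the hours in UTC before relying on it.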

Hosted VPN with EdgeRouter Suggestions

Hi All,

Looking for some ideas/comments on what others are doing in regards to a "Hosted VPN" solution using an EdgeRouter. Here is what I am trying to accomplish: since my internet connection is behind a NAT address, I cannot connect directly to my EdgeRouter via VPN. I currently use TeamViewer to access my network when I'm away from home, but it's not ideal and a pain.

Ultimately I'm looking for a solution that will allow me to use my EdgeRouter to make a permanent connection to a "Hosted VPN" service and then use my laptop/iPhone/iPad to make a connection back to my home network from remote locations on demand via the "Hosted VPN" connection, and have full access to my network as if I was at home.

Anybody doing something like this or have any ideas/comments please feel free to share. Thanks