Channel: EdgeRouter topics

Outbound port redirection from Lan


Hi
I would like to know how to set my EdgeRouter X SFP to force it to redirect all outbound traffic from the LAN to a specific IP (external/internal). I have to know it because there are some people in my small network whom I have to block from the internet and show them quick information that they haven't made a payment yet.
With iptables it would look like this:

iptables -t nat -A PREROUTING -i  -p tcp -m tcp --dport 80 -j DNAT --to-destination Ipaddress

 

Thank you for any tips and help.


Isolate VLAN


I have several VLANs that I would like to isolate from the other VLANs, but still be able to connect to the WAN.

 

I have used the configuration below and it works.

 

But I want to allow an RDP connection on the WAN address internally. It worked before I activated these rules on the interfaces.

 

From outside it still works, but internally it won't work with the WAN address, only with the local address.

 

set firewall group network-group PROTECT_NETWORKS
set firewall group network-group PROTECT_NETWORKS description "Protected Networks"
set firewall group network-group PROTECT_NETWORKS network 192.168.0.0/16
set firewall group network-group PROTECT_NETWORKS network 172.16.0.0/12
set firewall group network-group PROTECT_NETWORKS network 10.0.0.0/8
set firewall name BLOCK_IN
set firewall name BLOCK_IN default-action accept
set firewall name BLOCK_IN rule 10 action accept
set firewall name BLOCK_IN rule 10 description "Accept Established/Related"
set firewall name BLOCK_IN rule 10 protocol all
set firewall name BLOCK_IN rule 10 state established enable
set firewall name BLOCK_IN rule 10 state related enable
set firewall name BLOCK_IN rule 20 action drop
set firewall name BLOCK_IN rule 20 description "Drop PROTECT_NETWORKS"
set firewall name BLOCK_IN rule 20 destination group network-group PROTECT_NETWORKS
set firewall name BLOCK_IN rule 20 protocol all
set firewall name BLOCK_LOCAL
set firewall name BLOCK_LOCAL default-action drop
set firewall name BLOCK_LOCAL rule 10 action accept
set firewall name BLOCK_LOCAL rule 10 description "Accept DNS"
set firewall name BLOCK_LOCAL rule 10 destination port 53
set firewall name BLOCK_LOCAL rule 10 protocol udp
set firewall name BLOCK_LOCAL rule 20 action accept
set firewall name BLOCK_LOCAL rule 20 description "Accept DHCP"
set firewall name BLOCK_LOCAL rule 20 destination port 67
set firewall name BLOCK_LOCAL rule 20 protocol udp

Question around NAT setup (is it a 1:1 NAT I need?)


Hi, I have a question regarding how to fix a NAT that a customer requested. I haven't started the implementation on this particular issue so I don't have any config to share, but the drawing below should give you an idea of the networking between the client and the server setup.

 

So the idea is that the server on a separate subnet (DMZ) should only be accessed from public IPs (let's play with the thought that this is a multi-tenant firewall and I don't want to do LAN1 -> DMZ firewall directly, but instead go from LAN1 to WAN and back in using the firewall rules on WAN -> DMZ).

 

Is it a 1:1 I need?

Do I need to recreate the appropriate FW rules + NATs manually for this to work, or can I use the auto-generated rules for this? I'll try to set this up in a lab, but someone probably knows how to do this before I get my lab up and running.

 

Thanks in advance!

 

(attached drawing: edgerouter-nat-outside.png)

Zone-based firewall - use one policy multiple times?


Hi all,

 

I'm currently preparing to convert my interface-based firewall policies to a zone-based configuration. I'm thinking of reusing existing policies and I'd like to know whether this is possible/supported or not.

 

Example:

I have a couple of VLANs and each has an interface policy assigned to the IN direction. The policies are quite granular and allow access to the Internet and to other VLANs. Let's say VLAN 2 is allowed to access the Internet and also resources in VLAN 3.

Now the idea is to have one zone per interface and to use the existing interface policy for both zone pairs:

 

zone INTERNET: from VLAN 2 use <existing interface policy VLAN 2 IN>

zone VLAN 3: from VLAN 2 use <existing interface policy VLAN 2 IN>

 

This way I would have to maintain only one policy per source interface and not one policy for every zone pair.

 

I had a quick try and it didn't work as expected, therefore I'd like to know whether this should be possible before I dive deeper into this.

 

Thanks for any comments.

 

Smart Queuing reduces bandwidth excessively?


 

So I have an ER-L running 1.9.7 (hotfix 1).  My broadband is Verizon FiOS 75mb/75mb.  If I run the FiOS speedtest, it tells me 84mb down, 90mb up (note that FiOS often provisions more BW than you are paying for).  The downside in the above is that bufferbloat is reported as being moderate (letter grade 'B').  If I create a vanilla smart queue with 75mb/75mb and run the same test, I get (consistently) about 50mb down and 61mb up, but the bufferbloat improves to an 'A+' grade.  I realize I probably (almost certainly) don't really need QoS here, but my wife telecommutes and makes a LOT of lengthy toll-free calls, and having choppy voice or other issues is not conducive to happiness.  So, the $64K question: why does the BW get reduced so drastically?  Especially the download?

ERL DHCP Issue


Hi everyone,

 

I have been running an ERL for the last two years with no problems.  Tonight clients stopped getting IP addresses via DHCP.  The logs would suggest an issue accessing /var/log/upnp.leases.  The last four entries read:

 

Oct 30 20:50:05 NBH1 rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Oct 30 20:51:06 NBH1 xl2tpd[2524]: setsockopt recvref[30]: Protocol not available
Oct 30 20:51:28 NBH1 miniupnpd[2770]: could not open lease file: /var/log/upnp.leases
Oct 30 20:51:30 NBH1 radvd[2693]: Exiting, privsep_read_loop had readn return 0 bytes

 

The device is running 1.9.7 hotfix 4.

 

Has anybody got a suggestion as to what the problem could be?

CPU Usage over time


Can somebody point me in the right direction to create a plot of CPU usage over time on an ER-Pro?

Slow throughput from Centurylink


I have 1GB internet service from CenturyLink, and I am getting incredibly slow throughput from them on my ERL.

 

If I plug in the Zyxel router they gave me, I get consistent 900Mb/s upload and download connections. However, my ERL is getting ~70Mb/s download and ~60Mb/s upload.

 

Can I get a second pair of eyes to see where my config is incorrect? I would really appreciate it.

 

Edit: cleaned grammar. 

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 15 {
            action accept
            description "Allow Remote WEBUI"
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Internet (PPPoE)"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
        vif 201 {
            description "CenturyLink Fibre 201 VLAN"
            pppoe 0 {
                default-route auto
                mtu 1492
                name-server auto
                password ****************
                user-id ****************
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 172.16.0.1/16
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    wan-interface pppoe
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 172.16.0.0/16 {
                default-router 172.16.0.1
                dns-server 172.16.0.1
                lease 86400
                start 172.16.38.102 {
                    stop 172.16.243.51
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        ca-file /config/letsencrypt/intermediate.pem
        cert-file /config/letsencrypt/cert.pem
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        acl {
            rule 10 {
                action allow
                description "Allow Xbox Live"
                external-port 1024-65535
                local-port 0-65535
                subnet 172.16.0.1/16
            }
            rule 100 {
                action deny
                description "Deny All other devices"
                external-port 1024-65535
                local-port 0-65535
                subnet 0.0.0.0/0
            }
        }
        listen-on eth2
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    host-name ubnt
    login {
        user mike {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ****************
            url http://http.us.debian.org/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ****************
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

 


Network hang-up issue with ER-X-SFP


We have some strange network issue from time to time, on different firmware versions on different sites, that we are not able to reproduce, so I thought I'll document what is happening; maybe it helps to find the cause.

The configuration is basically two bridges over all eth ports: br0 with a public IP and br1, the mgmt bridge on VLAN 1100, with a private IP.

There are two routing daemons running on the public bridge br0, olsrd (for IPv4) and olsrd2 (for IPv6).

 

Since today at about 13:43 (GMT+1) our monitoring tells us it can't reach one router.

In this case it's running v1.9.7+hotfix.2.

I checked and can reach it by neither its public v4 nor v6 address.

Luckily I forgot to remove a local alias IP (10.0.0.100/24 on br0 in this case) to which I could connect.

So I'm on the router and checking all related stuff like routing daemon, routes, default route, interfaces...

On first sight everything looks OK, just that I can't reach anything on the internet (local mgmt br1 works though!).

ubnt-discover works too, it seems; I see devices from neighbor nodes.

Looking via tcpdump there is much going on, packets going in and out; it looks like everything is working.

But the routing daemons don't see any neighbors, so they don't have any access to the network outside.

Now one would maybe blame those routing daemons, but I think we can say: if two separate, different routing daemons on two different IP protocols stop working at the same moment, there is something else wrong in the system, I guess.

 

For the moment it's not dramatic if I don't reboot and the router isn't publicly reachable.

I would rather like to find out what's wrong and why that happened.

 

What else should I check to find a cause why networking (partly) stopped working?

 

logs:

/var/log/messages

 

configuration:

root@bm5-router:/home/onetrix# show configuration
interfaces {
    bridge br0 {
        address 193.238.159.125/32
        address 10.0.0.100/24
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    bridge br1 {
        address 10.24.77.100/24
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
        duplex auto
        speed auto
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        duplex auto
        poe {
            output 24v
        }
        speed auto
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        duplex auto
        poe {
            output 24v
        }
        speed auto
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        duplex auto
        poe {
            output 24v
        }
        speed auto
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth4 {
        bridge-group {
            bridge br0
        }
        duplex auto
        poe {
            output 24v
        }
        speed auto
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth5 {
        bridge-group {
            bridge br0
        }
        duplex auto
        speed auto
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    loopback lo {
        address 2a02:61:9ad::1/128
    }
    switch switch0 {
        mtu 1500
    }
}
protocols {
    static {
        interface-route 10.5.44.101/32 {
            next-hop-interface br1 {
            }
        }
        route 10.5.44.0/24 {
            next-hop 10.5.44.101 {
            }
        }
    }
}
service {
    gui {
        http-port 81
        https-port 10443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            log disable
            outbound-interface br0
            protocol all
            source {
                address 10.24.77.0/24
            }
            type masquerade
        }
    }
    pppoe-server {
        access-concentrator onetrix
        authentication {
            mode radius
            radius-server 10.5.44.225 {
                key ****************
            }
        }
        client-ip-pool {
            start 0.0.0.0
            stop 0.0.0.100
        }
        dns-servers {
            server-1 8.8.8.8
            server-2 8.8.4.4
        }
        encryption disable
        interface br0
        local-ip 193.238.159.125
        radius {
        }
        service-name onetrix
    }
    snmp {
        community onetrix0xff {
            authorization ro
        }
        contact support@onetrix.net
        location "1140, Bergmillergasse 5"
    }
    ssh {
        port 10
        protocol-version v2
    }
    unms {
        connection wss://10.5.44.212:443+2SmFN...7jRgfzs+allowSelfSignedCertificate
    }
}
system {
    flow-accounting {
        ingress-capture pre-dnat
        interface br0
        netflow {
            server 86.59.13.171 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 60
                icmp 60
                max-active-life 60
                tcp-fin 10
                tcp-generic 60
                tcp-rst 10
                udp 60
            }
            version 5
        }
        syslog-facility daemon
    }
    host-name bm5-router
    login {
        user funkfeuer {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "Funkfeuer Wien"
            level admin
        }
        user onetrix {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys onetrix@unms {
                    key ****************
                    type ssh-rsa
                }
            }
            full-name "Onetrix Network"
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    options {
        reboot-on-panic true
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 86.59.13.171 {
            facility all {
                level info
            }
        }
    }
    time-zone Europe/Vienna
}
vpn {
    ipsec {
        auto-update 300
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            mode main
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 86.59.13.171 {
                authentication {
                    id 193.238.159.125
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 86.59.13.171
                }
                connection-type initiate
                ike-group FOO0
                ikev2-reauth inherit
                local-address 193.238.159.125
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.24.77.0/24
                    }
                    remote {
                        prefix 10.5.44.0/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.24.77.0/24
                    }
                    remote {
                        prefix 10.242.2.0/24
                    }
                }
            }
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username funkfeuer {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.24.77.120
                stop 10.24.77.130
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            mtu 1492
        }
    }
}
root@bm5-router:/home/onetrix#

 

PCI Compliance: Recursive DNS


My company recently installed an EdgeRouter Pro 8. Shortly thereafter, we failed our PCI compliance scan (from SecurityMetrics). I did some hardening and managed to eliminate the flags on all the ports except one, and that's port 53.

 

(attached screenshot: Screenshot-2017-10-30 Vulnerability Scans - SecurityMetrics.png)

This is going to be a tough one. We can't just close port 53 because we have two internal AD DS servers needing recursive DNS. I have tried adding a firewall rule that rejects new inbound connections to destination port 53, only allowing established/related via the default rules. However, the port is still failing test scans.

I've included our firewall rules, please let me know if there's something I've missed (DMZ rule is disabled because we only occasionally need one).

Thanks for your time.

firewall {
     all-ping enable
     broadcast-ping disable
     group {
         network-group ****_LAN {
             description "LAN networks"
             network 192.168.0.0/16
             network 172.16.0.0/12
             network 10.0.0.0/8
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
         rule 30 {
             action reject
             description "reject new DNS queries"
             destination {
                 port 53
             }
             log disable
             protocol udp
             state {
                 established disable
                 invalid disable
                 new enable
                 related disable
             }
         }
         rule 40 {
             action accept
             description DMZ
             destination {
                 address 172.31.10.10
             }
             disable
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
         rule 30 {
             action accept
             description OpenVPN
             destination {
                 port 1194
             }
             log disable
             protocol udp
         }
         rule 40 {
             action accept
             description IKE
             destination {
                 port 500
             }
             log disable
             protocol udp
         }
         rule 50 {
             action accept
             description L2TP
             destination {
                 port 1701
             }
             log disable
             protocol udp
         }
         rule 60 {
             action accept
             description ESP
             log disable
             protocol esp
         }
         rule 70 {
             action accept
             description NAT-T
             destination {
                 port 4500
             }
             log disable
             protocol udp
         }
         rule 80 {
             action reject
             description "drop new DNS"
             destination {
                 port 53
             }
             log disable
             protocol tcp_udp
             state {
                 established disable
                 invalid disable
                 new enable
                 related disable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
}
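As an added check for the "WAN to router" policies posted in this thread and in the CenturyLink thread above (example code written here, not Ubiquiti's): it parses the EdgeOS `show configuration` brace format and lists, per interface, the accept rules in its `local` policy that admit new connections, which is exactly the set of router services an external scan can reach. The SAMPLE_CONFIG is a constructed cut-down of the posted policies.

```python
"""Audit an EdgeOS 'show configuration' dump for router services that accept
new connections on a WAN interface. Added example, not Ubiquiti code; the
constructed SAMPLE_CONFIG mirrors the WAN_LOCAL policies posted above."""

SAMPLE_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 15 {
            action accept
            description "Allow Remote WEBUI"
            destination {
                port 443
            }
            protocol tcp
        }
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
"""

def _put(node, key, value):
    """Store a value; repeated keys (address, listen-on, network) become lists."""
    if key not in node:
        node[key] = value
    elif isinstance(node[key], list):
        node[key].append(value)
    else:
        node[key] = [node[key], value]

def parse_edgeos(text):
    """Parse the brace-delimited EdgeOS format into nested dicts:
    'rule 10 {' becomes the key 'rule 10'; a bare word such as 'disable' is True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            _put(stack[-1], line[:-1].strip(), child)
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            _put(stack[-1], key, value.strip() if value else True)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root

def exposed_services(cfg, policy):
    """Enabled accept rules in a 'local' policy that admit NEW connections,
    i.e. services on the router itself reachable through that policy."""
    rules = cfg.get("firewall", {}).get(f"name {policy}", {})
    found = []
    for key, rule in rules.items():
        if not key.startswith("rule ") or not isinstance(rule, dict):
            continue
        if rule.get("action") != "accept" or "disable" in rule:
            continue  # reject/drop rules and disabled rules expose nothing
        state = rule.get("state", {})
        if state.get("new") != "enable" and "enable" in (
                state.get("established"), state.get("related")):
            continue  # established/related only: reply traffic, not a new exposure
        dest = rule.get("destination", {})
        found.append({"rule": key.split()[1], "protocol": rule.get("protocol", "all"),
                      "port": dest.get("port", "any"),
                      "description": str(rule.get("description", "")).strip('"')})
    return found

def audit(text):
    """Map each interface carrying a 'local' policy to the services it exposes."""
    cfg = parse_edgeos(text)
    report = {}
    for key, iface in cfg.get("interfaces", {}).items():
        local = iface.get("firewall", {}).get("local", {}) if isinstance(iface, dict) else {}
        if isinstance(local, dict) and "name" in local:
            report[key.split()[-1]] = exposed_services(cfg, local["name"])
    return report
```

Run over the full dumps in these threads, the same function flags the CenturyLink config's rule 15 (WebUI on 443 from WAN) and the OpenVPN/IKE/L2TP/NAT-T rules here; a port-53 reject rule, like a default drop, is not reported because it admits nothing.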

EdgeRouter X Port Forwarding for Ooma VoIP


I am trying to configure port forwarding on my EdgeRouter X to allow my Ooma Telo to connect to the internet. 

 

I have added all the ports Ooma suggests need to be forwarded, but UDP 53 and UDP 123 keep coming up failed on my Ooma Telo.

 

I have removed the port forwarding rule for each and re-added, but nothing allows these ports to forward to my Ooma. I have the IP for the Ooma set to static at 192.168.1.63 to ensure I am trying to access the right IP address.

 

I have added a ruleset in my WAN_IN policy and created a firewall group with all the same ports as in the screenshot.

 

None of this allows UDP 53 and UDP 123 to connect to my Ooma.

 

What am I doing wrong?

 

Thanks in advance.

IPSec fails to establish v1.9


Hello!

 

I've followed a few of the guides so far and this community is awesome!

 

Hoping someone can guide me in the right direction:

 

SiteA (Primary):

firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 80 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth6
}
}
modify {
table main
}
}
rule 90 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth7
}
}
modify {
table main
}
}
rule 110 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "HTTP In"
destination {
group {
}
port 80
}
log disable
protocol tcp
}
rule 30 {
action accept
description "HTTPS In"
destination {
port 443
}
log enable
protocol tcp
}
rule 40 {
action accept
description "XMPP non-TLS C2S"
destination {
port 5222
}
log disable
protocol tcp
}
rule 50 {
action accept
description "XMPP 5269"
destination {
port 5269
}
log enable
protocol tcp
}
rule 60 {
action accept
description "XMPP Web service"
destination {
port 5443
}
log enable
protocol tcp_udp
}
rule 70 {
action accept
description "XMPP StartTLS C2S"
destination {
port 5223
}
log enable
protocol tcp
}
rule 80 {
action accept
description "XMPP HTTP Upload"
destination {
port 5280
}
log enable
protocol tcp_udp
}
rule 90 {
action accept
description "XMPP 5281"
destination {
port 5281
}
log enable
protocol tcp
}
rule 100 {
action accept
description "Bitbucket SSH"
destination {
port 7999
}
log enable
protocol tcp
}
rule 110 {
action accept
description "Milestone Mobile Client"
destination {
port 8082-8083
}
log enable
protocol tcp
}
rule 120 {
action accept
description "UrBackup internet Server"
destination {
port 55414-55415
}
log enable
protocol tcp_udp
}
rule 130 {
action accept
description T-mobile
destination {
port 123
}
log enable
protocol udp
}
rule 140 {
action accept
description T-mobile
destination {
port 500
}
log enable
protocol udp
}
rule 150 {
action accept
description T-mobile
destination {
port 4500
}
log enable
protocol udp
}
rule 160 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "allow IKE-UDP-500"
destination {
port 500
}
log enable
protocol udp
}
rule 30 {
action accept
description "allow ESP-50"
log enable
protocol esp
}
rule 40 {
action accept
description "allow NAT-T-UDP-4500"
destination {
port 4500
}
log enable
protocol udp
}
rule 50 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_OUT {
default-action drop
description "want out"
enable-default-log
rule 1 {
action accept
description "allow all wan out"
log disable
protocol all
state {
established enable
invalid disable
new enable
related enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
duplex auto
speed auto
}
ethernet eth1 {
duplex auto
speed auto
}
ethernet eth2 {
address 10.21.0.2/24
description Local
duplex auto
firewall {
in {
modify balance
}
}
speed auto
vrrp {
vrrp-group 12 {
advertise-interval 1
authentication {
password ****************
type plaintext-password
}
preempt true
priority 101
sync-group sync
virtual-address 10.21.0.1/24
}
}
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
address dhcp
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
out {
name WAN_OUT
}
}
speed auto
}
ethernet eth7 {
address 47.50.252.252/29
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
out {
name WAN_OUT
}
}
speed auto
vrrp {
vrrp-group 13 {
advertise-interval 1
authentication {
password ****************
type plaintext-password
}
preempt true
priority 101
sync-group sync
virtual-address 47.50.252.251/29
}
}
}
loopback lo {
}
}
load-balance {
group G {
interface eth6 {
}
interface eth7 {
}
lb-local enable
lb-local-metric-change disable
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 47.50.252.249 {
}
}
route 10.21.1.0/24 {
next-hop 10.21.0.254 {
distance 1
}
}
route 10.21.2.0/24 {
next-hop 10.21.0.254 {
distance 1
}
}
route 10.21.3.0/24 {
next-hop 10.21.0.254 {
distance 1
}
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth2
}
}
gui {
http-port 80
https-port 443
listen-address 10.21.0.2
older-ciphers enable
}
nat {
rule 1 {
description "HTTP In"
destination {
address 47.50.252.251
port 80
}
inbound-interface eth7
inside-address {
address 10.21.1.80
port 80
}
log enable
protocol tcp
type destination
}
rule 2 {
description "HTTPS In"
destination {
address 47.50.252.251
port 443
}
inbound-interface eth7
inside-address {
address 10.21.1.80
port 443
}
log enable
protocol tcp
type destination
}
rule 3 {
description "XMPP non-TLS C2S"
destination {
address 47.50.252.251
port 5222
}
inbound-interface eth7
inside-address {
address 10.21.1.29
port 5222
}
log enable
protocol tcp
type destination
}
rule 4 {
description "XMPP 5269"
destination {
address 47.50.252.251
port 5269
}
inbound-interface eth7
inside-address {
address 10.21.1.29
port 5269
}
log enable
protocol tcp
type destination
}
rule 5 {
description "XMPP 5443"
destination {
address 47.50.252.251
port 5443
}
disable
inbound-interface eth7
inside-address {
address 10.21.1.29
port 5443
}
log enable
protocol tcp_udp
type destination
}
rule 6 {
description "XMPP StartTLS C2S"
destination {
address 47.50.252.251
port 5223
}
disable
inbound-interface eth7
inside-address {
address 10.21.1.29
port 5223
}
log enable
protocol tcp
type destination
}
rule 7 {
description "XMPP HTTP Upload"
destination {
address 47.50.252.251
port 5280
}
disable
inbound-interface eth7
inside-address {
address 10.21.1.29
port 5280
}
log enable
protocol tcp_udp
type destination
}
rule 8 {
description "XMPP 5281"
destination {
address 47.50.252.251
port 5281
}
disable
inbound-interface eth7
inside-address {
address 10.21.1.29
port 5281
}
log enable
protocol tcp
type destination
}
rule 9 {
description "Bitbucket SSH"
destination {
address 47.50.252.251
port 7999
}
inbound-interface eth7
inside-address {
address 10.21.1.26
port 7999
}
log enable
protocol tcp
type destination
}
rule 10 {
description "Milestone Mobile Client"
destination {
address 47.50.252.251
port 8082-8083
}
inbound-interface eth7
inside-address {
address 10.21.1.26
port 8082-8083
}
log enable
protocol tcp
type destination
}
rule 11 {
description "UrBackup Internet Server"
destination {
address 47.50.252.251
port 55414-55415
}
inbound-interface eth7
inside-address {
address 10.21.1.36
port 55414-55415
}
log enable
protocol tcp_udp
type destination
}
rule 12 {
description T-mobile
destination {
address 47.50.252.251
port 123
}
inbound-interface eth7
inside-address {
address 10.21.2.56
port 123
}
log enable
protocol udp
type destination
}
rule 13 {
description T-mobile
destination {
address 47.50.252.251
port 500
}
inbound-interface eth7
inside-address {
address 10.21.2.56
port 500
}
log enable
protocol udp
type destination
}
rule 14 {
description T-mobile
destination {
address 47.50.252.251
port 4500
}
inbound-interface eth7
inside-address {
address 10.21.2.56
port 4500
}
log enable
protocol udp
type destination
}
rule 5012 {
description "masquerade for WAN 2"
outbound-interface eth6
type masquerade
}
rule 5014 {
description "masquerade for WAN"
outbound-interface eth7
type masquerade
}
rule 5015 {
description "masquerade for WAN VIP"
log enable
outbound-interface eth7
outside-address {
address 47.50.252.251
}
protocol all
type source
}
}
snmp {
community Monitor {
authorization ro
}
}
ssh {
listen-address 10.21.0.2
port 22
protocol-version v2
}
unms {
disable
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name Sky-EdgeRouter01
login {
user rogue {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 8.8.8.8
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Chicago
traffic-analysis {
dpi enable
export enable
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group Sky {
compression disable
lifetime 86400
mode tunnel
pfs disable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group Sky {
dead-peer-detection {
action restart
interval 30
timeout 240
}
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth7
}
nat-networks {
allowed-network 10.20.0.0/24 {
}
allowed-network 10.21.0.0/16 {
}
}
site-to-site {
peer site2.greysky.me {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
x509 {
key {
}
}
}
connection-type initiate
ike-group Sky
local-address 47.50.252.251
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group Sky
local {
prefix 10.21.0.0/16
}
protocol all
remote {
prefix 10.20.0.0/24
}
}
}
}
}
}


Site B (Remote):

firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow IPSec"
destination {
group {
address-group ADDRv4_eth0
}
port 500
}
ipsec {
match-ipsec
}
log enable
protocol udp
}
rule 30 {
action accept
description "Allow IPSec"
ipsec {
match-ipsec
}
log enable
protocol esp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 40 {
action accept
description "Allow IPSec"
destination {
group {
address-group NETv4_eth0
}
port 4500
}
ipsec {
match-ipsec
}
log enable
protocol udp
}
rule 50 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow WAN Ping"
log enable
protocol icmp
}
rule 30 {
action accept
description "allow IKE-UDP-500"
destination {
port 500
}
log enable
protocol udp
}
rule 40 {
action accept
description "allow ESP-50"
log enable
protocol egp
}
rule 50 {
action accept
description "allow NAT-T-UDP-4500"
destination {
port 4500
}
log enable
protocol udp
}
rule 60 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
address 10.20.0.1/24
description Local
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on LISTENONPORT
listen-on switch0
}
}
gui {
http-port 80
https-port 443
listen-address 10.20.0.1
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
snmp {
community Monitor {
authorization ro
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
domain-name sky.lan
host-name Sky-EdgeRouter03
login {
user rogue {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Chicago
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group Sky {
compression disable
lifetime 86400
mode tunnel
pfs disable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group Sky {
dead-peer-detection {
action restart
interval 30
timeout 240
}
lifetime 86400
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
logging {
log-level 2
}
nat-networks {
allowed-network 10.20.0.0/24 {
}
allowed-network 10.21.0.0/16 {
}
}
site-to-site {
peer site1.greysky.me {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
ike-group Sky
local-address 192.168.44.4
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group Sky
local {
prefix 10.20.0.0/24
}
protocol all
remote {
prefix 10.21.0.0/16
}
}
}
}
}
}

Recent logs from Site A:

show swanctl --log:

14[KNL] creating acquire job for policy 10.21.0.11/32[tcp/810] === 10.20.0.2/32[tcp/sunrpc] with reqid {1}
14[IKE] initiating Main Mode IKE_SA peer-site2.greysky.me-tunnel-1[9] to 192.168.44.4
14[ENC] generating ID_PROT request 0 [ SA V V V V ]
14[NET] sending packet: from 47.50.252.251[500] to 192.168.44.4[500] (156 bytes)
08[NET] received packet: from 192.168.44.4[500] to 47.50.252.251[500] (40 bytes)
08[ENC] parsed INFORMATIONAL_V1 request 2122099148 [ N(NO_PROP) ]
08[IKE] received NO_PROPOSAL_CHOSEN error notify

Recent logs from Site B:

show swanctl --log:

07[NET] received packet: from 192.168.44.2[500] to 192.168.44.4[500] (156 bytes)
07[ENC] parsed ID_PROT request 0 [ SA V V V V ]
07[IKE] no IKE config found for 192.168.44.4...192.168.44.2, sending NO_PROPOSAL_CHOSEN
07[ENC] generating INFORMATIONAL_V1 request 4066710378 [ N(NO_PROP) ]
07[NET] sending packet: from 192.168.44.4[500] to 192.168.44.2[500] (40 bytes)

The 192.168.44.x addresses are WAN DHCP addresses from my ISP. The 47.50.252.248/29 addresses are statics and preferred for configuration.

Thanks!

-Skyfox

EdgeRouter 8 Pro dead port


Hello,

I have an EdgeRouter 8 Pro, purchased about 1 year ago, and yesterday the eth0 port died. It won't get link detect anymore. I tried rebooting it by removing the power cable, but it didn't help. I ended up switching to eth1, which works fine.

If this is a hardware fault, I am somewhat disappointed that I have a dead port already. I don't consider 1 year to be very old for a router. However, it might be that the warranty is void; I am not sure. Even if the warranty is not void, it is going to be a hassle returning it (from Australia) to the USA for repairs, considering we need this router for Internet connectivity.

Do I have any other options I haven't considered?

Thanks

AirPrint not working


So I have an EdgeRouter connected to 2 UniFi AC Pros. I am trying to AirPrint from my iPhone on AP 1 to my printer on AP 2. I am able to see the printer when I try to print, but when I attempt to initiate printing all I get is that it can't find the printer.

EdgeRouter Pro L2TP VPN setup and connection issues HELP!!!!


OK, so I'm new to this, so please be gentle. I have an EdgeRouter Pro and I'm trying to set up an L2TP VPN, but it's not working. I thought I set it up correctly, but I must be missing something, because when I go to connect I get the message shown in IMG_6876.PNG.


EdgeRouter X Randomly Stops


I have an EdgeRouter X set up using the WAN+2LAN2 wizard and updated to the latest firmware (1.9.7+hotfix.4.5024279.171006.0255). A dumb layer 2 switch is connected to eth1 and my LAN, and eth0 is connected to another router using DHCP to reach the internet.

Every so often the EdgeRouter randomly stops responding. No SSH, no web interface, no DHCP offers, no ping, and no internet. It will not respond at all until I remove either one of the ethernet cables attached to it, at which point it starts responding again after a few seconds. A reboot is not required to make it start responding again.

While it is not responding, both eth0 and eth1 lights still flash, but at different times. Under normal operation, they always flash together since there are only two interfaces and a steady flow of traffic to servers.

Generally, the issue presents itself once every two to three days. The issue seems to be more present under "heavy" load, for example exhibiting the symptom three times while downloading one 20GB game from Steam. Traffic is standard home traffic plus a steady flow of VPN traffic out of a home server.

Logs show no unusual entries, apart from random failures to transmit DHCP requests as in the attached screenshot (image.png).

Attempted fixes:

  • Using an external switch instead of built-in Switch0.
  • Enabling hwnat acceleration.
  • Not enabling hwnat acceleration.
  • Setting ports up manually.
  • Using only the Wizard setup.
  • Customising the configuration from the command line.

I've taken two EdgeRouter X units back to the store I bought it from and exchanged them for a new unit. This is my third and exhibits the exact same symptoms as the earlier two units. What could be the cause?

Config:

Absolutely default WAN+2LAN2 setup with DHCP WAN connection.

Network:

  • eth0: DHCP client
  • eth1: LAN1 (dumb switch > all devices)
  • eth2-4: LAN2 (Switch0, not used at all)

EdgeRouter access from wan - PPPOE


Hello,

I just want to reach my EdgeRouter from the WAN (or from another site connected with IPsec), but I don't know what to configure. It is connected by PPPoE.

Port forwarding? Firewall? etc ...

Thank you!

L2TP VPN access over openvpn tunnel


Hi all,

I needed a fixed IP, and because I use LTE-A for internet connectivity (fibre is coming) the only option was to use a VPN tunnel.

I now have an OpenVPN tunnel set up and I get a local fixed IP for $30/month, which is not bad considering the lack of options. I pointed my domain there and it resolves correctly.

Before I set this part up I used DDNS to VPN into my router to get remote access.

Now I need to change my VPN setup so that it allows traffic to come through the tunnel and not directly from the WAN.

The attached screenshot is where I figure the problem lies. I have managed to see the VPN attempting to connect, but it is not finishing the setup. My initial thought was to make the outside address xxx.xxx.xxx.xxx my fixed IP and use the internal tunnel address as the local IP to route it through the tunnel. But this is not working. eth1 is my WAN connection.

So in a nutshell: an L2TP server that can be accessed over the OpenVPN tunnel.

Thanks in advance!

Firewall settings for openvpn tunnel


Hi all,

I set up an OpenVPN tunnel so that I have a fixed IP while using LTE-A for WAN.

I now want to allow HTTP through my firewall, and I can get it working through my WAN IP, but not through the tunnel IP.

If I set my GUI firewall to use eth1 as the WAN network, the port forwarding works fine (WAN IP).

However, when it is set to use vtun0 as the WAN network and connect to the tunnel public IP, the connection drops.

How do I resolve this?

FEATURE: BGP-In-Filter new feature: pref-src


Hey Guys,

I'd like to set the SRC attribute on routes to specify the IP address that will be used on 0.0.0.0 sockets, like ICMP and other applications that do not bind to a specific interface.

Current example:

R1                                  R2                                R3
192.168.1.0/24                192.168.2.0/24              192.168.3.0/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eth0 10.0.1.1/24 ------------ 10.0.1.2/24 eth0
eth1 10.0.2.1/24 -------------------------------------- 10.0.2.2/24 eth0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eth4 192.168.1.1/24           192.168.2.1/24         192.168.3.1/24 eth4

#R1 ip route show                         #R3 ip route show
192.168.2.0/24 via 10.0.1.2/24            192.168.1.0/24 via 10.0.2.1/24
192.168.3.0/24 via 10.0.2.2/24            192.168.2.0/24 via 10.0.2.1/24

                        #R2 ip route show
                        192.168.1.0/24 via 10.0.1.1/24
                        192.168.3.0/24 via 10.0.1.1/24

Traceroute from R2 to R3

~$ /usr/bin/traceroute -n 192.168.3.1
traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 38 byte packets
 1  10.0.1.1     0.302 ms  0.292 ms  0.275 ms
 2  10.0.2.2     0.877 ms  0.834 ms  0.917 ms

I'd like to see the IP addresses 192.168.1.1 and 192.168.2.1 as hops. That can be achieved by passing the src attribute to your routes.

Example:

R1                                               R2                                              R3
192.168.1.0/24                             192.168.2.0/24                            192.168.3.0/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eth0 10.0.1.1/24 ------------------------ 10.0.1.2/24 eth0
eth1 10.0.2.1/24 ----------------------------------------------------------------- 10.0.2.2/24 eth0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eth4 192.168.1.1/24                        192.168.2.1/24                       192.168.3.1/24 eth4

#R1 ip route show                                    #R3 ip route show
192.168.2.0/24 via 10.0.1.2/24 src 192.168.1.1       192.168.1.0/24 via 10.0.2.1/24 src 192.168.3.1
192.168.3.0/24 via 10.0.2.2/24 src 192.168.1.1       192.168.2.0/24 via 10.0.2.1/24 src 192.168.3.1

                        #R2 ip route show
                        192.168.1.0/24 via 10.0.1.1/24 src 192.168.2.1
                        192.168.3.0/24 via 10.0.1.1/24 src 192.168.2.1

Traceroute from R2 to R3

 

~$ /usr/bin/traceroute -n 192.168.3.1
traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 38 byte packets
 1  192.168.1.1     0.302 ms  0.292 ms  0.275 ms
 2  192.168.3.1     0.877 ms  0.834 ms  0.917 ms

These are routing basics, but they are not implemented in your routing daemon.

How this works:

  1. As normal, a UDP/ICMP packet arrives on an interface of your router with TTL 1.
  2. The router decrements the TTL to 0 and has to discard the packet because it has not reached its destination, or has to answer an ICMP request with an ICMP echo reply if the packet reached its destination at TTL 1.
  3. The kernel generates an ICMP echo reply or ICMP time-to-live-exceeded message with source IP address 0.0.0.0 and the destination IP address the request came from.
  4. The kernel tries to find a route for the destination IP address; if it finds one in the RIB it looks for a src attribute, and if such an attribute exists it uses that IP address; if not, the kernel puts the address of the outgoing interface on the ICMP answer (0.0.0.0 >> 10.0.x.x).

So I need the src attribute to be settable on the ingress filter of BGP / OSPF / ISIS routes.

set policy route-map [name] rule [number] set src-pref 192.168.x.1

Thank you.
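Added example (my own code, not part of the post above): a small Python model of the source-address choice described in step 4, run over the R1/R2/R3 tables from the post, with and without the src attribute. It reproduces both traceroute outputs; the only assumption beyond the post is a 10.0.1.0/24 route on R3, which the post's table omits but which R3 needs to answer the 10.0.1.2 probe in the no-src case.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

@dataclass
class Route:
    prefix: IPv4Network
    dev: str                          # outgoing interface
    src: IPv4Address | None = None    # the optional `src` attribute

@dataclass
class Router:
    ifaces: dict[str, IPv4Address]    # interface -> its own address
    routes: list[Route]

    def lookup(self, dst: IPv4Address) -> Route:
        # Longest-prefix match, standing in for the RIB lookup in step 4.
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def local_source(self, dst: IPv4Address) -> IPv4Address:
        # Source of a locally generated packet to `dst` (echo reply, TTL
        # exceeded, unbound traceroute probe): the route's `src` if set,
        # otherwise the address of the outgoing interface.
        route = self.lookup(dst)
        return route.src if route.src is not None else self.ifaces[route.dev]

def build_topology(with_src: bool) -> dict[str, Router]:
    # R1/R2/R3 from the post; with_src toggles the src attribute on learned
    # routes (connected routes carry none). R3's 10.0.1.0/24 route is an
    # assumption the post's tables omit, needed for the no-src reply path.
    def router(ifaces: dict[str, str], learned: list[tuple[str, str]],
               src: str) -> Router:
        addrs = {d: ip_address(c.split("/")[0]) for d, c in ifaces.items()}
        routes = [Route(ip_network(c, strict=False), d) for d, c in ifaces.items()]
        routes += [Route(ip_network(p), d, ip_address(src) if with_src else None)
                   for p, d in learned]
        return Router(addrs, routes)

    return {
        "R1": router({"eth0": "10.0.1.1/24", "eth1": "10.0.2.1/24",
                      "eth4": "192.168.1.1/24"},
                     [("192.168.2.0/24", "eth0"), ("192.168.3.0/24", "eth1")],
                     "192.168.1.1"),
        "R2": router({"eth0": "10.0.1.2/24", "eth4": "192.168.2.1/24"},
                     [("192.168.1.0/24", "eth0"), ("192.168.3.0/24", "eth0")],
                     "192.168.2.1"),
        "R3": router({"eth0": "10.0.2.2/24", "eth4": "192.168.3.1/24"},
                     [("192.168.1.0/24", "eth0"), ("192.168.2.0/24", "eth0"),
                      ("10.0.1.0/24", "eth0")], "192.168.3.1"),
    }

def reply_source(router: str, dst: str, with_src: bool) -> str:
    # Address `router` would put on a reply (or unbound probe) sent to `dst`.
    return str(build_topology(with_src)[router].local_source(ip_address(dst)))

def traceroute_hops(with_src: bool) -> list[str]:
    # Both traceroutes in the post: R2 probes 192.168.3.1 from an unbound
    # socket, R1 answers TTL exceeded (hop 1), R3 answers as destination (hop 2).
    probe_src = reply_source("R2", "192.168.3.1", with_src)
    return [reply_source("R1", probe_src, with_src),
            reply_source("R3", probe_src, with_src)]
```

On Linux the fallback for ICMP error messages (not echo replies) also depends on net.ipv4.icmp_errors_use_inbound_ifaddr; the model follows the default of 0, where the outgoing route decides.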
