Hi all,

I have set up my EdgeRouter X with some QoS rules just to prioritize voip over http over torrent.

Torrent should be prioritized by ip, voip by MAC and http by port,

But int the end, when I check with 

tc -s class show dev eth0

It shows that class 7 is still used for most fo the traffic (output of tc):

class prio 1:1 parent 1: leaf 8052:
 Sent 54093 bytes 783 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class prio 1:2 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class prio 1:3 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class prio 1:4 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class prio 1:5 parent 1: leaf 8053:
 Sent 5620096 bytes 26549 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class prio 1:6 parent 1: leaf 8054:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class prio 1:7 parent 1: leaf 8051:
 Sent 191232490 bytes 268081 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

How can I put any "default" traffic in class 6 and let class 7 empty?

My relevant configuration follows. eth0 is wan, eth1,2,3,4 are connect to 4 different vlans. 10.0.3.8 and 10.0.3.12 are seedboxes whos traffic I would like to put into the lower priority class.

set traffic-policy priority-queue download class 1 match host-download ip destination address 10.0.3.8/32
set traffic-policy priority-queue download class 1 match host-p2p ip destination address 10.0.3.12/32
set traffic-policy priority-queue download class 1 queue-type drop-tail
set traffic-policy priority-queue download class 5 match traffic-http ip source port 80
set traffic-policy priority-queue download class 5 match traffic-https ip source port 443
set traffic-policy priority-queue download class 5 queue-type drop-tail
set traffic-policy priority-queue download class 6 match ata-fritzbox ether destination '00:15:0C:E2:7C:94'
set traffic-policy priority-queue download class 6 match ata-spa2102 ether destination '00:0E:08:11:B0:56'
set traffic-policy priority-queue download class 6 queue-type drop-tail
set traffic-policy priority-queue download default queue-type fair-queue
set traffic-policy priority-queue upload class 1 match host-download ip source address 10.0.3.8/32
set traffic-policy priority-queue upload class 1 match host-p2p ip source address 10.0.3.12/32
set traffic-policy priority-queue upload class 1 queue-type drop-tail
set traffic-policy priority-queue upload class 5 match traffic-http ip destination port 80
set traffic-policy priority-queue upload class 5 match traffic-https ip destination port 443
set traffic-policy priority-queue upload class 5 queue-type drop-tail
set traffic-policy priority-queue upload class 6 match ata-fritzbox ether source '00:15:0C:E2:7C:94'
set traffic-policy priority-queue upload class 6 match ata-spa2102 ether source '00:0E:08:11:B0:56'
set traffic-policy priority-queue upload class 6 queue-type drop-tail
set traffic-policy priority-queue upload default queue-type fair-queue

Can anyone help?

TIA

Paolo

Hey everone,

I'm currently facing load-balancing issue whenever there's a failover happening, sometimes losing internet access in the process.

Setup: EdgeRouter POE 1.9.7-hotfix4

ISP1 CPE (IP Passthrough) > WAN1 (eth0) > LAN (switch0 [eth2,3,4])
ISP2 CPE > WAN2 (eth1) > LAN (switch0 [eth2,3,4])

IP Passthrough from ISP1 via 172.31.255.6/30, see table 1

Upon failover the log shows the interface going inactive, then active again, this results in major hickups or downtime even.

Would be great if somebody could help spot me errors in the config below.

I'd also like to accomplish DNAT for both WAN interfaces (eth0 and eth1) to allow an OpenVPN server behind the Router on port 1194 and am struggeling with that quite a bit - would appreciate some help for best practice with the load-balancing setup with DHCP on WAN. Currently there's an ISP2ADD group that always should go over ISP2(eth1) but I'm not sure that's the best way. Going forward there's definitely stuff we want to have over both, and some that run over ISP1 only for example.

$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group ISP2ADD {
            address 10.67.3.30
            description ""
        }
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 80 {
            action modify
            destination {
                group {
                    address-group ISP2ADD
                }
            }
            modify {
                lb-group ISP2
            }
        }
        rule 90 {
            action modify
            modify {
                lb-group LB
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow OpenVPN"
            destination {
                address 10.67.3.30
                port 1194
            }
            log disable
            protocol udp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 172.31.255.6/30
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output 48v
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.67.1.1/22
        description Local
        firewall {
            in {
                modify balance
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
load-balance {
    group ISP2 {
        interface eth0 {
            failover-only
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group LB {
        interface eth0 {
            route {
                table 1
            }
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface switch0
    rule 1 {
        description VPN
        forward-to {
            address 10.67.3.30
            port 1194
        }
        original-port 1194
        protocol udp
    }
    wan-interface eth1
}
protocols {
    static {
        table 1 {
            mark 1
            route 0.0.0.0/0 {
                next-hop 172.31.255.5 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 10.67.0.0/22 {
                default-router 10.67.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name local
                lease 86400
                start 10.67.1.15 {
                    stop 10.67.3.3
                }
                static-mapping synovpn {
                    ip-address 10.67.3.30
                    mac-address 00:11:22:33:44:55
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

 thanks a lot!

192.168.1.1
Unknown command '192.168.1.1' - try 'help'
Octeon ubnt_e100# ubnt
Operation required
Octeon ubnt_e100# help

This is what it says when I connected to the port console. How do I get the program? please help me !

Hi,

I've got an Edgerouter X working together with a Unifi AP.

Two days ago, I noted some things starting to act up, namely that I couldn't access anything within certain apps on the phone (Discord and 9gag). They simply weren't able to access anything while I had the wifi enabled.

There was also some issues where the phone suddnely couldn't access a web page, but it occured only randomly and only in that evening, not since. There has been no problems on my main pc, which is also connected only through the AP.

Yesterday, I went through upgrading both the router and the AP with the latest FW, but no difference.

Today, I also noted that my domoticz home automation system, running on a raspberry pi(which is connected by cable), could not access the data from my netatmo weather system, and that it wasn't able to do so since 2 days ago.

I havn't done anything to the equipment, and I even noted that the AP had an uptime of 148 days before I upgraded the FW.

Setup works great except UAP Wireless clients are recieving DHCP on the 10.0.99.0/24 network and should be getting 10.0.10.0/24

Router has a /29 on its WAN interface with a series of NAT rules.  SNAT comes out of one IP, DNAT on two others for separate servers.  When I try to connect from inside (LAN) to public DNS name I get failures.  Outside addresses have no issues.

admin@er6# show firewall group 
 port-group mail {
     description "mailserver access"
     port 25
     port 465
     port 587
     port 143
     port 993
     port 110
     port 995
     port 6009
     port 443
 }
 port-group ucrm {
     description ""
     port 80
     port 81
     port 443
 }
[edit]

admin@er6# show service nat
 rule 1 {
     description mail.in
     destination {
         address a.b.c.146
         group {
             port-group mail
         }
     }
     inbound-interface eth0
     inside-address {
         address 192.168.d.21
     }
     log disable
     protocol tcp
     type destination
 }
 rule 2 {
     description ucrm.in
     destination {
         address a.b.c.147
         group {
             port-group ucrm
         }
     }
     inbound-interface eth0
     inside-address {
         address 192.168.d.23
     }
     log disable
     protocol tcp
     type destination
 }
 rule 5000 {
     description mail.out
     log disable
     outbound-interface eth0
     outside-address {
         address a.b.c.146
     }
     protocol all
     source {
         address 192.168.d.21/32
     }
     type source
 }
 rule 5001 {
     description ucrm.out
     log disable
     outbound-interface eth0
     outside-address {
         address a.b.c.147
     }
     source {
         address 192.168.d.23/32
     }
     type source
 }
 rule 5002 {
     description lan.clients.out
     log disable
     outbound-interface eth0
     outside-address {
         address a.b.c.145
     }
     protocol all
     source {
         address 192.168.d.0/24
     }
     type source
 }
 rule 5003 {
     description net.devices
     log disable
     outbound-interface eth0
     outside-address {
         address a.b.c.145
     }
     protocol all
     source {
         address 10.0.0.0/16
     }
     type source
 }
 rule 5004 {
     description customers-pa
     log disable
     outbound-interface eth0
     outside-address {
         address a.b.c.149
     }
     protocol all
     source {
         address 100.70.e.0/24
     }
     type source
 }
 rule 5005 {
     description customers-w
     log disable
     outbound-interface eth0
     outside-address {
         address a.b.c.148
     }
     protocol all
     source {
         address 100.70.f.0/24
     }
     type source
 }
[edit]
admin@er6# 

Pretty sure I missed something obvious here, but it seems to be eluding me at the moment.

Hello,

i got a new ER-X (my first UBNT product) and try to configure IPv6 for subnets. All configuration i tried so far did not succeed.

My setup is:

eth0 -> WAN (connected to FritzBox 7590), active NAT

eth1 -> LAN

switch0.100 -> 2nd LAN

switch0.200 -> 3rd LAN

(The switch configuration may not be important)

The Firewall is Zone-based.

What i want:

Receive /62 via DHCPv6 on WAN and assign one /64 to LAN on eth1. In a second step it would be nice to also assign a /64 to switch0.100 and switch0.200 each.

The first step already fails. I tried almost every configuration combination i can think of, but nothing worked for me.

My configuration ist as follows: (The router advert on eth1 is manually set, but even without that and only with ipv6 address autoconfig it didn't work)

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name allow-all-6 {
        default-action accept
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    ipv6-name allow-est-drop-inv-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    ipv6-name lan-local-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 710 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 547
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    ipv6-name sub1-local-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name allow-all {
        default-action accept
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name allow-est-drop-inv {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name lan-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    name sub1-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :0
                    service slaac
                }
                prefix-length /62
            }
            prefix-only
            rapid-commit enable
        }
        duplex auto
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.24.1/24
        description Management
        duplex auto
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 7200
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        mtu 1500
        switch-port {
            interface eth2 {
                vlan {
                    pvid 100
                }
            }
            interface eth3 {
                vlan {
                    pvid 200
                }
            }
            interface eth4 {
                vlan {
                    vid 100
                    vid 200
                }
            }
            vlan-aware enable
        }
        vif 100 {
            address 192.168.28.1/24
            ipv6 {
                address {
                    autoconf
                }
                dup-addr-detect-transmits 1
            }
            mtu 1500
        }
        vif 200 {
            address 192.168.29.1/24
            ipv6 {
                address {
                    autoconf
                }
                dup-addr-detect-transmits 1
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name 28er {
            authoritative enable
            subnet 192.168.28.0/24 {
                default-router 192.168.28.1
                dns-server 192.168.28.1
                lease 86400
                start 192.168.28.100 {
                    stop 192.168.28.254
                }
            }
        }
        shared-network-name 29er {
            authoritative enable
            subnet 192.168.29.0/24 {
                default-router 192.168.29.1
                dns-server 192.168.29.1
                lease 86400
                start 192.168.29.100 {
                    stop 192.168.29.254
                }
            }
        }
        shared-network-name Management {
            authoritative enable
            subnet 192.168.24.0/24 {
                default-router 192.168.24.1
                dns-server 192.168.24.1
                lease 86400
                start 192.168.24.100 {
                    stop 192.168.24.254
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0.100
            listen-on switch0.200
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers disable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name tj.mieth.net
    host-name ubnt-erx
    login {
        user <username> {
            authentication {
                encrypted-password ******
                public-keys <username> {
                    key *****
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
zone-policy {
    zone LAN {
        default-action drop
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        interface eth1
    }
    zone SUB1 {
        default-action drop
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        interface switch0.100
    }
    zone SUB2 {
        default-action drop
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        interface switch0.200
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        from SUB1 {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        from SUB2 {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        from local {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        interface eth0
    }
    zone local {
        default-action drop
        from LAN {
            firewall {
                ipv6-name lan-local-6
                name lan-local
            }
        }
        from SUB1 {
            firewall {
                ipv6-name sub1-local-6
                name sub1-local
            }
        }
        from SUB2 {
            firewall {
                ipv6-name sub1-local-6
                name sub1-local
            }
        }
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        local-zone
    }
}

I sniffed the network traffic on eth0

As far as i understand the ER-x successfully requests a /62 subnet. But this is not assigned to my LAN:

I would be very happy if someone could help me with that. If any further information is needed, please ask me (and maybe describe how to get that information). As this is my first time using UBNT and also first time to configure a "real" router i might be a bit noobish, sry for that.

Does any one have any info on how DPI affects VoIP?

Especially for webRTC based VoIP. 

I want to enable DPI on our ER8 (v1.9.1.1)  but the documentation states DPI will disable offloading. 

Am I misreading something?

I'm trying to set up remote config access to the Sangoma support office, but when I enabled SSH using the above rules (40, 50, 60) I started getting Fail2Ban warnings on the server from all other IPs. So I didn't do something correctly. I added rule 70 thinking it might catch the non-good ssh traffic, but that didn't help. 

I want to enable SSH connections from just the three IPs I have listed. What's the best way to accomplish that?

I noticed my /var/log/message file is emtpy but I do have message.1 all the way to message.10 full.  Does the edgerouter have its own internal logging service that I should just restart once in a while.

Thanks

Are there any plans at all to implement a easy to use geo ip blocking feature into the edgerouter products?

Good Evening: I have been trying to set up my EdgeRouter Lite 3 running v1.9.7+hf4 as a VPN server to accept IPSec connections from an Avaya 9650 VPN IP Phone, to no avail. There is lots of information on the web and even a new wizzard on the GUI to setup Site-to-Site VPN, but there is no information on setting up a client to site scenario.

Is the ERL3 capable of running as an IPSec VPN server to allow individual clients to connect? If so, can someone please point me to a guide?

Your help is highly appreciated.

Regards:

Juan G Castro

I just got an EdgeRouter X, and I've been having some issues with static host mapping. I'm running EdgeOSv1.9.7+hotfix.4. I set up the system using the "Basic Setup" wizard, made some changes to DHCP settings, and enabled hardware acceleration for NAT. I then tried to add some static hostnames using the "DNS host names" wizard, using a fake domain. The first time I did this, it seemed to be working fine, but at some point (very shortly after I set it up), it stopped working - possibly right after a reboot. I tried to do some research on it but the advice I found on these forums was either not applicable or didn't seem to do what it was supposed to. I then reset the configuration of the router and ran through the basic setup wizard again, just entering one static hostname, but this time I could not get the static DNS entry to resolve at any point. The entry does show up in /etc/hosts, but neither the router itself nor my PC seems to be able to resolve it. Does anyone here know what could be causing this? DHCP is giving out my router's IP address as the DNS servers, and it seems to be resolving normal domain names just fine.

Thanks in advance.

So the title says it all. I had a working L2TP setup with no issues moving along fantastic.  I was like wow this little box can really zoom compared to a 1921 or 1841 cisco.  Then boom the tunnel builds out but will not pass traffic at more than a single meg. Bellow is a copy of the post i made over at reddit. The device is less than 30 days old. 

Hello,

So I've been trying to get my Edgerouter to connect to the PIA server the I subscribe to, but for some reason, after going through all the setup, I completely lose internet access. I can still log on to the EdgeOS, but if I try and go to any other website, or use any one of my connected devices (Amazon Fire Stick, ShieldTV...) they give back errors saying that I am not connected to the internet.

I've searched all the various tutorials on the UBNT support pages, as well as on the Private Internet Access page, and regardless of any changes I try and make, nothing works.

I currently have Verizon Fios Gigabit speed ISP and I connect my Edgerouter X to a TP-Link switch as well as Unifi AP HD.

I'm attaching my Edgerouter X config file (I know that it says that vtun0 interface is disabled, but I did that on purpose, because after doing so, I can connect to the internet again). Any help would be greatly appreciated.

Hi, 

If we can setup restrict one dedicated internal ip with limited bandwidth ( like 1Mbps ) in 6:00PM-10:00PM

the EdgeMax is EdgeRouter ER-X

Thanks,

With Regards.

Hank

Hi

how to Proirtize Youtube App trafic on Edge Router 

Hi all,

I have an application on my EdgeRouter X (v1.9.7-hotfix4 but the same problem appears with older OS version) that needs to grab packets from the kernel and selectively drop them. This application connects via NFQUEUE with a script similar to this

iptables -t mangle -F VYATTA_FW_IN_HOOK
iptables -t mangle -F VYATTA_FW_OUT_HOOK

iptables -t mangle -A VYATTA_FW_IN_HOOK -i br0 -j CONNMARK --restore-mark
iptables -t mangle -A VYATTA_FW_OUT_HOOK -i br0 -j CONNMARK --save-mark
iptables -A VYATTA_FW_IN_HOOK -t mangle -m mark --mark 1 -j ACCEPT
iptables -A VYATTA_FW_IN_HOOK -t mangle -m mark --mark 2 -j DROP
iptables -A VYATTA_FW_IN_HOOK -t mangle -m mark --mark 0 -i br0 -j NFQUEUE --queue-num 0 --queue-bypass

The issues I have are

1. --queue-bypass does not seem to work (if my app is down the bypass does not work and no traffic passes)

2. if I mark a connection let's say with mark 1, the connection packets match both ACCEPT and also NFQUEUE. I believe that when from C I call nfq_set_verdict_mark() on my app, the marker is actually not set.

This very sample example works well on x86 and other Linux flavours, so I believe there is something "special" to do on my EdgeRouter box.

Anybody can help me to figure out the problem?

Thanks in advance.

Hi Guys

trying to get certain traffic (blizzard and bungie ) to route out eth0 all the time, this is my config though it doesnt appear to be working? i think from looking at the forums i need to do something with the modify balance part?

firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.69.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 70 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
ethernet eth1 {
address dhcp
description "WAN 2"
disable-link-detect
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
ethernet eth2 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
pseudo-ethernet peth0 {
address 192.168.67.254/24
description "way to access router"
link eth0
}
pseudo-ethernet peth1 {
address 192.168.8.254/24
description optus2
link eth1
}
switch switch0 {
address 192.168.69.254/24
description Local
firewall {
in {
modify balance
}
}
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
load-balance {
group G {
interface eth0 {
route-test {
count {
failure 3
success 1
}
initial-delay 10
interval 2
type {
ping {
target 211.29.132.12
}
}
}
weight 10
}
interface eth1 {
route-test {
count {
failure 3
success 1
}
initial-delay 60
interval 10
type {
ping {
target 198.142.0.51
}
}
}
weight 90
}
lb-local enable
lb-local-metric-change disable
sticky {
dest-addr enable
dest-port enable
}
}
}
protocols {
static {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.69.0/24 {
default-router 192.168.69.254
dns-server 192.168.69.11
dns-server 8.8.8.8
lease 86400
start 192.168.69.100 {
stop 192.168.69.150
}
static-mapping desktop {
ip-address 192.168.69.10
mac-address 60:45:cb:9f:51:1c
}
unifi-controller 192.168.69.12
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for blizzard1"
destination {
address 24.105.0.0/18
port 1-65535
}
log disable
outbound-interface eth0
protocol tcp_udp
type masquerade
}
rule 5001 {
description "masquerade for blizzard3"
destination {
address 103.4.114.0/23
port 1-65535
}
log disable
outbound-interface eth0
protocol tcp_udp
type masquerade
}
rule 5002 {
description "masquerade for bungie"
destination {
address 172.97.56.0/22
port 1-65535
}
log disable
outbound-interface eth0
protocol tcp_udp
type masquerade
}
rule 5003 {
description "masquerade for bungie2"
destination {
address 117.121.252.0/23
port 1-65535
}
log disable
outbound-interface eth0
protocol tcp_udp
type masquerade
}
rule 5004 {
description "masquerade for bungie3"
destination {
address 205.209.16.0/21
port 1-65535
}
log disable
outbound-interface eth0
protocol tcp_udp
type masquerade
}
rule 5005 {
description "masquerade for bungie4"
destination {
address 205.234.118.0/23
port 1-65535
}
log disable
outbound-interface eth0
protocol tcp_udp
type masquerade
}
rule 5006 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5007 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
rule 5008 {
description "masq to router"
destination {
address 192.168.67.1
port 80
}
log disable
outbound-interface peth0
protocol tcp_udp
type masquerade
}
rule 5009 {
description "masq to router2"
destination {
address 192.168.8.1
port 80
}
log disable
outbound-interface peth1
protocol tcp_udp
type masquerade
}
}
snmp {
community public {
authorization ro
}
contact angus
location "mt eliza"
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
upnp2 {
listen-on switch0
nat-pmp enable
secure-mode enable
wan eth0
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}

if you guys could help me out that would be great

Hello,

I'm trying to setup a IPsec tunnel from siteA to siteB. SiteA is a Pro-8 and SiteB is a TL-R6000VPN. My IPsec config on siteA looks like this:

ipsec {
+    auto-update 60>    auto-firewall-nat-exclude enable
+    esp-group ESP-1 {
+        compression disable
+        lifetime 3600
+        mode tunnel
+        pfs enable
+        proposal 1 {
+            encryption aes256
+            hash sha1
+        }
+    }
+    ike-group IKE-1 {
+        proposal 1 {
+            dh-group 2
+            encryption aes256
+            hash sha1
+        }
+    }
+    ipsec-interfaces {
+        interface eth0
+    }
+    nat-traversal enable
+    site-to-site {
+        peer <IP> {
+            authentication {
+                mode pre-shared-secret
+                pre-shared-secret test123
+            }
+            default-esp-group ESP-1
+            ike-group IKE-1
+            ikev2-reauth inherit
+            local-address any
+            tunnel 1 {
+                allow-nat-networks disable
+                allow-public-networks disable
+                esp-group ESP-DAZA
+                local {
+                    prefix 172.0.0.0/16
+                }
+                remote {
+                    prefix 192.168.2.0/24
+                }
+            }
+        }
+    }
 }

My config on siteB is:

When the connection start i get the following warning on siteB: 

remote address mismatched. db=<IP>[4500], act=<IP>[500]

On siteA i see the following errors:

08[NET] received packet: from <IPb>[4500] to <IPa>[4500] (76 bytes)
08[ENC] invalid ID_V1 payload length, decryption failed?
08[ENC] could not decrypt payloads
08[IKE] message parsing failed
08[ENC] generating INFORMATIONAL_V1 request 4196668436 [ HASH N(PLD_MAL) ]
08[NET] sending packet: from <IPa>[500] to <IPb>[500] (76 bytes)
08[IKE] ID_PROT request with message ID 0 processing failed

Could anyone tell me what's going wrong here?

Kind regards