Yesterday I came across this device Proscend 180-T. Basically a VDSL2 modem backwards compatible with ADSL/ADSL2+ in the form of an SFP. Though I think it is actually I think this is just a rebadged Metonia device. They also appear to have a G.Fast version in the works.

The best I can find is that you can configure/talk to the SFP using special ethernet packets, though there is very scant information on that.

The following are some places that seem to actually be selling it, the first is another rebadging in the USA, the second in Greece and the third in Australia.

https://www.versatek.com/product/vx-160ce-vdsl2-sfp-modem-remote-telco-grade/

https://www.nsys.gr/en/proscend-180-t-vdsl2-sfp-modem-module-telco.html

https://www.nsys.gr/en/proscend-180-t-vdsl2-sfp-modem-module-telco.html

They would make a really cool addition to the new ER4/6 lineup. Any chance Ubuquiti could offer badged versions with an update to EdgeOS to enable easy configuration of the device?

Hoping someone can help, because I'm stumped.

I installed an ER-X for a client a couple months ago, everything has been fine until yesterday when they called that the internet was down. Confirmed that the link was up to their AP but no connection to the internet. I plugged my laptop into the ER-X LAN and still had no internet connection. I substituted the router and brought their ER-X to my office.

The router does the same thing here; I have the WAN port (eth0) of the ER-X connected to my ERL on a segregated subnet, 192.168.10.X. I can ping 192.168.10.1 from the dashboard of the ER-X as well as from the terminal of my laptop connected to the ER-X LAN. Pinging any external hostname or IP fails.

I've tried:

1. Reinstalling the firmware, 1.9.7+hotfix.4
2. Factory reset, setup with Basic Setup wizard and WAN on eth0
3. Factory reset, setup with Basic Setup wizard and WAN on eth4 to make sure this isn't specific to eth0
4. Restored saved config

Nothing changes the issue. Looking at the logs, I see this entry but am not sure if it's related:

 No subnet declaration for eth0 (192.168.10.8).
Oct 31 01:42:04 PieperCafe dhcpd: ** Ignoring requests on eth0.  If this is not what
Oct 31 01:42:04 PieperCafe dhcpd:    you want, please write a subnet declaration
Oct 31 01:42:04 PieperCafe dhcpd:    in your dhcpd.conf file for the network segment
Oct 31 01:42:04 PieperCafe dhcpd:    to which interface eth0 is attached. **

Sanitized config.boot:

Output of show log:

 Any help would be greatly appreciated! 

I have a very strange problem and possibly a bug.

I was editing a firewall rule using the web interface, renaming it to be more descriptive. Once done editing the name I pressing "save" button to apply the changes. Everything seemed to be going well until I received a prompt stating my session had timed out, and I needed to log in again.

After loggin in all named firewall rules except the name I was busy saving at the time the sessions timed out
was gone from the web interface.

Investigating in the CLI showed the rules were missing as shown on the web interface. The only firewall rules was the rules I'd been working on. Checking the config.boot in /config/ showed last update timestamp of roughly the incident time. Checking the config.boot showed the firewall rules was missing as well.

I had a backup of the latest config, copied the backup to my home directory, made a backup of the broken config and replaced it with the known working config. running "load /config/config.boot" returned errors of duplicate firewall rules. Firewall rules which the config and webinterface was showing to be missing.

Running iptables as root showed the firewall rules were actually still in place and had been in place the whole time, but now the device is in uncommit state.

I'm really not sure how to proceed forward. I've since discarded the changes, but still need to get the router back to the state before the timeout.

Is there any way to get the router state and config.boot back into sync without having to reset the router and loading from config.boot without any previos config loaded ?

Hello Guys 

I have an issue with IGMP Proxy the traffic that the router is forwarding is not the same on the upstream interface than the downstream interface as you can see here 

this is my configuration about IGMP proxy

protocols {
    igmp-proxy {
        interface eth4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 10
        }
        interface eth6 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }

any idea why?

Thanks, Regards.

Have a strange issue that I'm able to replicate.

I have 3 static IPs on our wan.

I have 2 seperate networks, one for our pcs, and one for our wifi network.

I had source based NAT enabled for my wifi network, it works... Wifi clients do get a different external IP than LAN.

But we're experiencinc terrible packet loss from our main network.

As soon as I disable the NAT rule for the wifi network, everything goes back to normal.

I'm currently using the default masqurade and just made a single rule for the WIFI.

I've also tried disabling the default masqurade and creating 2 seperate source based nat rules, but the packet loss returns.

Is this a known issue, or to be expected when using source based nat?

I have followed the the UBNT "EdgeRouter on a Stick"

ES-8 have 4 VLANs configured - they communcate over a wireless backbone to the ER-8 port eth1

• eth1.10 (VIF 10) - 10.0.10.1/24
• eth1.20 (VIF 20) - 10.0.20.1/24
• eth1.20 (VIF 20) - 10.0.30.1/24
• eth1.99 (VIF 99) - 10.0.99.1/24

I need connect other devices that are in the same respective subnet (that are phyiscally in same area as ER-8)

Can I assign other ports on the ER-8 to the respective VIF's

i.e. Eth2 to VIF 10...Eth3 to VIF 20

Can you implement LLDP-MIB for EdgeRouters?

This makes the LLDP data available to our network mapping software (LibreNMS) and would be a great asset. 

Thank you.

Hello, 

I'm somehow new to EdgeOS . I'm trying to accomplish the following :

I have an ER-8  and 4 incoming Internet connections, I want to make ports 1 -4 WAN  port for load balancing and failover and port 5 LAN port to give out DHCP.

I can't find a lot of info  on the forum just one generic link  but the info is too vague, any info or help will appreciatted.

Thank You

How do I see the ethernet errors on a given port on an EP-R6?

Thanks

Hi - it seems something changed when I went from 1.9.0 to 1.9.7hotfix4.

I have a firewall rule allowing RDP from one host on my main subnet to another separate subnet that goes through a pfSense router.  I had a rule for source=host1.subnet1 dest=host2.subnet2 port=3389 with established and new selected.  After much diagnosing I found that now, with 1.9.7, checking 'Invalid' in the state list allows it to work.

e.,g. without 'invalid enable' it's not allowing a connection.  I did logging and it allows one SYN through, then all the ACKs get dropped as invalid.

rule 20 {
action accept
description "Allow RDP"
destination {
address 192.168.2.10 # this goes through my pfsense router interface e.g. 192.168.1.50 might be pfsense, I have a route for 192.168.2.0/24 -> 192.168.1.50
port 3389
}
log enable
protocol tcp
source {
address 192.168.1.25/32
}
state {
established enable
invalid enable
new enable
related enable
}
}

Is this an expected change?  In general I can't figure out why the packets are getting flagged as invalid.

This is for my home network. I just want to make sure that I have set up my network in the best way. It's possible that with my current connection speed, this doesn't matter that much and I am overthinking things. Right now I just have a 20/1 DSL connection, but I want to upgrade to a faster connection in the next couple of months.

My modem is in bridge mode to my ER-X, which handles the pppoe connection. I then have the eth1-4 ports being used for connecting my wireless access point and a powerline network adapter to shoot a connection to some devices accross the house. Should I be putting a switch in between the ER-X and the other devices or is it ok to just use the ER-X ports. Does it even matter for the ER-x?

I'm currently running EdgeOS 1.9.7 hotfix4 on my EdgeRouter PoE-5 and like to use multi path (ECMP) to loadbalance between 2 bgp peers.. is this possible? The routes seems to be equal cost but the first peer that is online is selected as best route.

This is my setup..

-- begin bgp config --

protocols {
    bgp 65123 {
        neighbor 172.16.1.4 {
            remote-as 65101
            soft-reconfiguration {
                inbound
            }
        }
        neighbor 172.16.1.5 {
            remote-as 65101
            soft-reconfiguration {
                inbound
            }
        }
        redistribute {
            static {
            }
        }
    }


-- end bgp config --

ubnt@ubnt:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via x.x.x.x, eth0
C    *> x.x.x.x.0/23 is directly connected, eth0
C    *> 127.0.0.0/8 is directly connected, lo
B    *> 172.16.2.0/24 [20/0] via 172.16.1.4, eth1, 00:27:40
C    *> 172.16.1.0/24 is directly connected, eth1
B       172.16.1.0/24 [20/0] via 172.16.1.4 inactive, 00:27:40

ubnt@ubnt:~$ show ip bgp
BGP table version is 8, local router ID is 172.16.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, l - labeled
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network          Next Hop            Metric    LocPrf       Weight Path
*>  0.0.0.0/0        x.x.x.1                                    32768  ?
*>  172.16.2.0/24    172.16.1.4          0                      0      65101 ?
*                    172.16.1.5          0                      0      65101 ?
*>  172.16.3.0/24    172.16.1.4          0                      0      65101 ?
*                    172.16.1.5          0                      0      65101 ?

Total number of prefixes 4

Hi,

Is there a MIB entry for if an interface can successfully send/receive traffic to the internet? For example, my EdgeRouter Lite is behind my cable modem, so although it can always ping 192.168.100.1 (the modem), it can't always get a route to, say, google — the cable might be out. Is there a MIB for when the link to (for example) Google might be down?

Similarly, I have a link vtun0. Is there a way I could use SNMP to determine when this interface is able to successfully route traffic?

So my first ER-X bricked right away when I got it up and updated to the latest firmware. Waited 3 weeks for the replacement and have zero interest in waiting again since these things seem to brick more than what is acceptable.

Hi!

Three days ago i have oper the web interface of my ER-X and in the Traffic Analysis page a second befor clear the data i see an Ip addres that starts with 52. Can be a way in order to recover all ip passed on er-x?

Unfortunately i can't remember the address but i'v very scary for this!

On my net i have the ER-X, a unifi switch, can be a ubiquiti service?

this my configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "Drop traffic to other LANs"
            destination {
                address 10.0.0.0/8
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow client DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    name VLAN_IN {
        default-action accept
        description ""
        rule 10 {
            action accept
            description "Accept established-related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description Plex
            destination {
                address 10.0.0.3
                port 32400
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action drop
            description "Drop traffic to other LANs"
            destination {
                address 10.0.0.0/8
            }
            log disable
            protocol all
        }
    }
    name VLAN_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow client DHCP non necessario"
            destination {
                port 67
            }
            disable
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow client DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description 443-10000
            destination {
                address 10.0.2.2
                port 15111-15112
            }
            log disable
            protocol tcp
        }
        rule 23 {
            action accept
            description "13242"
            destination {
                address 10.0.0.5
                port 13242
            }
            log disable
            protocol tcp
        }
        rule 24 {
            action accept
            description "59754"
            destination {
                address 10.0.0.5
                port 59754
            }
            log disable
            protocol udp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Switch
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Airport
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description "Apple TV"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Par
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 192.168.79.200/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 1
                    vid 20
                    vid 30
                    vid 40
                }
            }
            interface eth1 {
                vlan {
                    pvid 1
                    vid 1003
                }
            }
            interface eth2 {
                vlan {
                    pvid 30
                }
            }
            interface eth3 {
                vlan {
                    pvid 20
                }
            }
            vlan-aware enable
        }
        vif 1 {
            address 10.0.0.1/24
            description Home
            mtu 1500
        }
        vif 20 {
            address 10.0.2.1/24
            description Service
            firewall {
                in {
                    name VLAN_IN
                }
                local {
                    name VLAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 30 {
            address 10.0.3.1/24
            description Plex
            firewall {
                in {
                    name VLAN_IN
                }
                local {
                    name VLAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 40 {
            address 10.0.4.1/24
            description NVR
            firewall {
                in {
                    name VLAN_IN
                }
                local {
                    name VLAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 1003 {
            address 172.16.0.1/24
            description Guest
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat disable
    wan-interface eth4
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GUEST {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 3600
                start 172.16.0.2 {
                    stop 172.16.0.5
                }
            }
        }
        shared-network-name HOME {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.2 {
                    stop 10.0.0.15
                }
            }
        }
        shared-network-name NVR {
            authoritative enable
            subnet 10.0.4.0/24 {
                default-router 10.0.4.1
                dns-server 10.0.4.1
                lease 86400
                start 10.0.4.2 {
                    stop 10.0.4.5
                }
            }
        }
        shared-network-name PLEX {
            authoritative enable
            subnet 10.0.3.0/24 {
                default-router 10.0.3.1
                dns-server 10.0.3.1
                dns-server 8.8.8.8
                lease 86400
                start 10.0.3.2 {
                    stop 10.0.3.6
                }
            }
        }
        shared-network-name SERVICE {
            authoritative enable
            subnet 10.0.2.0/24 {
                default-router 10.0.2.1
                dns-server 10.0.2.1
                lease 3600
                start 10.0.2.2 {
                    stop 10.0.2.3
                }

            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 200
            listen-on switch0.1
            listen-on switch0.20
            listen-on switch0.30
            listen-on switch0.40
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 2 {
            description 443-10000
            destination {
                port 15111-15112
            }
            inbound-interface eth4
            inside-address {
                address 10.0.2.2
                port 15111-15112
            }
            log disable
            protocol tcp
            type destination
        }
        rule 4 {
            description "59754"
            destination {
                port 59754
            }
            inbound-interface eth4
            inside-address {
                address 10.0.0.5
                port 59754
            }
            log disable
            protocol udp
            type destination
        }
        rule 5 {
            description "13242"
            destination {
                port 13242
            }
            inbound-interface eth4
            inside-address {
                address 10.0.0.5
                port 13242
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth4
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address 192.168.79.254
    host-name HomeRouter
    login {
        user ale {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            full-name Alessandro
            level admin
        }
    }
    name-server 192.168.79.254
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec disable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Rome
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth4
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username alessandro {
                        password 
                    }
                    username colmar {
                        password 
                    }
                    username giusi {
                        password 
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.0.51
                stop 10.0.0.53
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret 
                }
                ike-lifetime 3600
            }
            mtu 1492
            outside-address 192.168.79.200
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.4.5024279.171006.0255 */

Hi guys,

After the last update of openvpn client for Android ( https://play.google.com/store/apps/details?id=net.openvpn.openvpn ) its not possible to connect.

More info: https://forums.openvpn.net/viewforum.php?f=33

I have a bit of a problem.  In the last week ive noticed that my ER-X SFP started lowing down.  A few time when ive checked it i either cant get logged into the web mgmt interface or the CPU is topped out at 90%+.  So i reboot it and it is fine for a while.  The last couple days it has constantly been problematic and ive been watching it fluctuate between 30-50% CPU usage at all times.  I use this at my home for home use and a lab enviroment, when it is working normally is see less than 5% CPU usage on it.  I connected to it by SSH and ran TOP and noted that syslogd seems to be the offender.  i even elevated to root and ran "killall -HUP syslogd"  which killed the syslogd proccesses and cpu utiliazation dropped down to normal.  syslogd restarted after a couple of minutes and usage spiked back up. 

I am currently running v1.9.7HF3.

show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group exch {
            address 192.168.1.12
            description ""
        }
        port-group Exchange {
            description ""
            port 25
            port 587
            port 80
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify eth3 {
    }
    name WAN_IN {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action accept
            description RDP
            destination {
                port 3389
            }
            log disable
            protocol tcp_udp
            source {
                address <PublicIP>24
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 3 {
            action accept
            description EXCH_ANY
            destination {
                group {
                    port-group Exchange
                }
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description Allow_MGMT
            destination {
                port 22
            }
            log disable
            protocol tcp_udp
            source {
                address <PublicIP>/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 4 {
            action accept
            description Allow_MGMT
            destination {
                port 443
            }
            log disable
            protocol tcp_udp
            source {
                address <PublicIP>/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        address <PublicIP>/29
        address <PublicIP>/29
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
        vif 5 {
            address 192.168.5.1/24
            description MGMT
            mtu 1500
        }
        vif 10 {
            address 192.168.10.1/24
            description home.local
            mtu 1500
        }
        vif 20 {
            address 192.168.20.1/24
            description lab.pri
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description MC_SERVER
        forward-to {
            address 192.168.1.25
            port 25565
        }
        original-port 25565
        protocol tcp_udp
    }
    rule 2 {
        description MC_DynMap
        forward-to {
            address 192.168.1.25
            port 8123
        }
        original-port 8123
        protocol tcp_udp
    }
    rule 3 {
        description rdp
        forward-to {
            address 192.168.10.5
            port 3389
        }
        original-port 3389
        protocol tcp_udp
    }
    rule 4 {
        description MC_RDP
        forward-to {
            address 192.168.1.25
            port 3389
        }
        original-port 5600
        protocol tcp_udp
    }
    rule 5 {
        description MURMUR
        forward-to {
            address 192.168.1.26
            port 64738
        }
        original-port 64738
        protocol tcp_udp
    }
    wan-interface eth4
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop <PublicIP> {
            }
        }
    }
}
service {
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 2 {
            description exch1-1
            destination {
                address <PublicIP>
            }
            inbound-interface eth4
            inside-address {
                address 192.168.10.17
            }
            log disable
            protocol all
            source {
            }
            type destination
        }
        rule 5001 {
            destination {
            }
            log disable
            outbound-interface eth4
            outside-address {
                address <PublicIP>
            }
            protocol all
            source {
                address 192.168.10.17
                group {
                }
            }
            type source
        }
        rule 5002 {
            description inside_Outside
            log disable
            outbound-interface eth4
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name theorder.local
    host-name edge
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
        user netadmin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level err
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}
vpn {
}
root@edge:/home/netadmin#

Per my post this past weekend:

https://community.ubnt.com/t5/EdgeMAX/ERP8-1-9-7-HF4-Trying-to-setup-Radius-against-2012R2-NPS/m-p/2117444#M183300

It seems my ERP-8 with 1.9.7+HF4 is not sending RADIUS requests to my configured PPTP RADIUS server.

admin@firewall:~$ show version
Version:      v1.9.7+hotfix.4
Build ID:     5024021
Build on:     10/05/17 05:33
Copyright:    2012-2017 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Pro 8-Port
HW S/N:       802AA84DB46A
Uptime:       07:08:43 up 23:33,  1 user,  load average: 0.19, 0.13, 0.08

admin@firewall# show vpn pptp
 remote-access {
     authentication {
         mode radius
         radius-server 10.0.0.12 {
             key radiuspass!
         }
     }
     client-ip-pool {
         start 10.0.0.200
         stop 10.0.0.235
     }
     dns-servers {
         server-1 10.0.0.12
         server-2 10.0.0.2
     }
     mtu 1492
     outside-address xxx.xxx.250.122
 }

On attempting to connect to the above ERP-8 with a PPTP client (win 7 builtin), I get the connect messages in /var/log/messages, but I dont see any corresponding traffic in tcpdump sent to my RADIUS server (Win2012):

/var/log/messages pptp except:

Nov 1 17:00:12 firewall pptpd[26698]: MGR: Launching /usr/sbin/pptpctrl to handle client
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: local address = 10.0.0.199
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: remote address = 10.0.0.200
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: pppd options file = /etc/ppp/options.pptpd
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Client 61.xxx.xxx.xxx control connection started
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Received PPTP Control Message (type: 1)
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Made a START CTRL CONN RPLY packet
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: I wrote 156 bytes to the client.
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Sent packet to client
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Received PPTP Control Message (type: 7)
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Set parameters to 100000000 maxbps, 64 window size
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Made a OUT CALL RPLY packet
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Starting call (launching pppd, opening GRE)
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: pty_fd = 6
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: tty_fd = 7
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: I wrote 32 bytes to the client.
Nov 1 17:00:12 firewall pptpd[26699]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
Nov 1 17:00:12 firewall pptpd[26699]: CTRL (PPPD Launcher): local address = 10.0.0.199
Nov 1 17:00:12 firewall pptpd[26699]: CTRL (PPPD Launcher): remote address = 10.0.0.200
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Sent packet to client
Nov 1 17:00:12 firewall pppd[26699]: Plugin radius.so loaded.
Nov 1 17:00:12 firewall pppd[26699]: RADIUS plugin initialized.
Nov 1 17:00:12 firewall pppd[26699]: Plugin radattr.so loaded.
Nov 1 17:00:12 firewall pppd[26699]: RADATTR plugin initialized.
Nov 1 17:00:12 firewall pppd[26699]: pppd 2.4.4 started by root, uid 0
Nov 1 17:00:12 firewall pppd[26699]: using channel 20
Nov 1 17:00:12 firewall netplugd[2747]: ppp0: ignoring event
Nov 1 17:00:12 firewall pppd[26699]: Using interface ppp0
Nov 1 17:00:12 firewall pppd[26699]: Connect: ppp0 <--> /dev/pts/3
Nov 1 17:00:12 firewall pppd[26699]: sent [LCP ConfReq id=0x1 <mru 1492> <asyncmap 0x0> <auth chap MS-v2> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Received PPTP Control Message (type: 15)
Nov 1 17:00:12 firewall pptpd[26698]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Nov 1 17:00:12 firewall pptpd[26698]: GRE: accepting packet #0
Nov 1 17:00:12 firewall pppd[26699]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x75b520ec> <pcomp> <accomp> <callback CBCP>]
Nov 1 17:00:12 firewall pppd[26699]: lcp_reqci: rcvd unknown option 13
Nov 1 17:00:12 firewall pppd[26699]: lcp_reqci: returning CONFREJ.
Nov 1 17:00:12 firewall pppd[26699]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Nov 1 17:00:12 firewall pptpd[26698]: GRE: accepting packet #1
Nov 1 17:00:12 firewall pppd[26699]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x75b520ec> <pcomp> <accomp>]
Nov 1 17:00:12 firewall pppd[26699]: lcp_reqci: returning CONFACK.
Nov 1 17:00:12 firewall pppd[26699]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x75b520ec> <pcomp> <accomp>]
Nov 1 17:00:13 firewall sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/ubnt-intf-ipv6.pl ppp0
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x1 <mru 1492> <asyncmap 0x0> <auth chap MS-v2> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #2
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x1 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x2 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #3
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x2 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x3 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #4
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x3 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x4 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #5
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x4 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x5 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #6
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x5 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x6 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #7
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x6 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x7 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #8
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x7 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x8 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #9
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x8 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0x9 <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #10
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0x9 <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0xa <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #11
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP ConfNak id=0xa <auth eap>]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP ConfReq id=0xb <mru 1492> <asyncmap 0x0> <magic 0xbb058d28> <pcomp> <accomp>]
Nov 1 17:00:15 firewall pptpd[26698]: GRE: accepting packet #12
Nov 1 17:00:15 firewall pppd[26699]: rcvd [LCP TermReq id=0x2 "u\37777777665 \37777777754\000<\37777777715t\000\000\002\37777777734"]
Nov 1 17:00:15 firewall pppd[26699]: sent [LCP TermAck id=0x2]
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Received PPTP Control Message (type: 12)
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Made a CALL DISCONNECT RPLY packet
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Received CALL CLR request (closing call)
Nov 1 17:00:15 firewall pppd[26699]: Modem hangup
Nov 1 17:00:15 firewall pppd[26699]: Connection terminated: no multilink.
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Reaping child PPP[26699]
Nov 1 17:00:15 firewall netplugd[2747]: ppp0: ignoring event
Nov 1 17:00:15 firewall pppd[26699]: RADATTR plugin removed file /var/run/radattr.ppp0.
Nov 1 17:00:15 firewall pppd[26699]: Exit.
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Client 61.xxx.xxx.xxx control connection finished
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Exiting with active call
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Asked to free call when no call open, not handled well
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Made a CALL DISCONNECT RPLY packet
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Couldn't write packet to client.
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Made a STOP CTRL REQ packet
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Couldn't write packet to client.
Nov 1 17:00:15 firewall pptpd[26698]: CTRL: Exiting now
Nov 1 17:00:15 firewall pptpd[25545]: MGR: Reaped child 26698

tcpdump running at same time as above /var/log/messages pptp excerpt:

root@firewall# tcpdump -i any udp port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes




^C
0 packets captured
4 packets received by filter
0 packets dropped by kernel

MS Windows 2012 'Network Policy Server' configured as a RADIUS service shows NO connection related messages from the firewall at the same time as above client connect and tcpdump. I have some UniFi Wireless AP's authenticating against the same Windows RADIUS server with zero issues.

I'm stumped. Any ideas?

Starting Nov 1st I've stopped seeing traffic for most of the Traffic Analysis apps such as Netflix, Youtube, Amazon, Gmail etc. Most traffic seems to be under "Web - Other" with a few protocols such as SIP, QUIC, NTP still showing traffic.

I'm running EdgeRouterX 1.9.7+3 Everything was fine on Oct 31st and as far as I know, I have changed nothing. Any suggestions would be much appreciated.