Channel: EdgeRouter topics

PPPoE not reconnecting after VDSL modem line drops


I realise questions related to this have been posted before, but none of them seem to contain a solution to my problem.

 

I have a Vigor 130 VDSL2 modem connected to eth0, and two local networks on 10.1.x.x and 10.2.x.x on eth1 and eth2, respectively.

 

I have eth0 configured to use a static IP of 192.168.2.10 so that I can access the modem's configuration page on 192.168.2.1, in addition to PPPoE over eth0 for the internet. This requires two NAT rules for both the internet and the modem, but it all works fine.

 

The problem comes when the modem loses VDSL connection and the PPPoE session ends. The edgerouter just fails to redial. You can see in the web UI and the CLI that the router clearly knows the PPPoE session has ended - it has a status of disconnected.

 

If I type disconnect interface pppoe; connect interface pppoe, then I get a working connection again. Alternatively if I reboot the whole modem, then the router notices and reconnects.

 

It's almost as if the mechanism for reconnecting the PPPoE link is listening to the status of eth0, and not the pppoe interface.

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name GUESTv6_IN {
        default-action accept
    }
    ipv6-name GUESTv6_LOCAL {
        default-action accept
    }
    ipv6-name TRUSTEDv6_IN {
        default-action accept
    }
    ipv6-name TRUSTEDv6_LOCAL {
        default-action accept
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            log disable
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        rule 1 {
            action drop
            description "Block local hosts"
            destination {
                address 10.0.0.0/8
            }
            log disable
        }
        rule 2 {
            action drop
            description "Block modem"
            destination {
                address 192.168.0.0/16
            }
            log disable
        }
    }
    name GUEST_LOCAL {
        default-action accept
        rule 2 {
            action drop
            description "Block router management"
            destination {
                address 10.1.0.1
            }
            log disable
        }
        rule 3 {
            action drop
            description "Block router guest"
            destination {
                address 10.2.0.1
                port ssh,https,80
            }
            log disable
            protocol tcp_udp
        }
        rule 4 {
            action drop
            description "Block router modem"
            destination {
                address 192.168.0.0/16
            }
            log disable
        }
    }
    name TRUSTED_IN {
        default-action accept
        rule 1 {
            action drop
            description "Block guest subnet"
            destination {
                address 10.2.0.0/16
            }
            log disable
        }
    }
    name TRUSTED_LOCAL {
        default-action accept
        rule 1 {
            action drop
            description "Block router guest"
            destination {
                address 10.2.0.1
            }
            log disable
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            mss 1460
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.2.10/24
        description WAN
        duplex auto
        mtu 1508
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1500
            name-server none
            password *********************
            user-id ********************
        }
        speed auto
    }
    ethernet eth1 {
        address 10.1.0.1/16
        description Trusted
        duplex auto
        firewall {
            in {
                name TRUSTED_IN
            }
            local {
                name TRUSTED_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 10.2.0.1/16
        description Guest
        duplex auto
        firewall {
            in {
                name GUEST_IN
            }
            local {
                name GUEST_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description Plex
        forward-to {
            address 10.1.2.4
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 2 {
        description Synology
        forward-to {
            address 10.1.2.3
            port 5001
        }
        original-port 5001
        protocol tcp
    }
    wan-interface pppoe0
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name Guest {
            authoritative disable
            subnet 10.2.0.0/16 {
                default-router 10.2.0.1
                dns-server 10.2.0.1
                lease 86400
                start 10.2.0.2 {
                    stop 10.2.255.254
                }
            }
        }
        shared-network-name Trusted {
            authoritative disable
            subnet 10.1.0.0/16 {
                default-router 10.1.0.1
                dns-server 10.1.0.1
                lease 86400
                start 10.1.0.2 {
                    stop 10.1.255.254
                }
                // redacted static mappings from here ...
                unifi-controller 10.1.1.0
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "Masquerade for WAN"
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
        rule 5011 {
            description "Masquerade for Modem"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan pppoe0
    }
}
system {
    host-name ubnt
    ipv6 {
        disable-forwarding
    }
    login {
        user admin {
            authentication {
                encrypted-password *************
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

 


Can't change IGMP-Proxy settings


My ISP has changed the settings. I no longer need VLAN8 for IPTV. IPTV now works over PPPoE.

 

OLD configuration

protocols {
    igmp-proxy {
        interface eth1.8 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth2 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
            whitelist 239.35.0.0/16
        }
    }
}

NEW configuration

protocols {
    igmp-proxy {
        interface eth2 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
            whitelist 239.35.0.0/16
        }
        interface pppoe0 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
    }
}

 

My idea was to do the following:

configure
delete protocols igmp-proxy interface eth1.8
set protocols igmp-proxy interface pppoe0 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface pppoe0 role upstream
set protocols igmp-proxy interface pppoe0 threshold 1
commit
save
exit


ubnt@ER--X# commit
[ protocols igmp-proxy ]
Starting IGMP proxy

[edit]
ubnt@ER--X# save
Saving configuration to '/config/config.boot'...
Done
[edit]
ubnt@ER--X# exit
exit
ubnt@ER--X:~$exit

The TV stream starts immediately and all seems OK.

But if I reboot the ER-X the IGMP-Proxy doesn't work.

My workaround is to restore the old configuration and make the changes again.

I think I have confused the Proxy. What can I do?

 

Routing with 3 WANs and NAT


Hello

 

I need help setting up multiple WANs in our office. We currently have 3 WANs, one for outgoing traffic and two for incoming traffic (hosted services). Here's a list of our WANs.

 

WAN 1
eth6, Ethernet, DHCP, 1 IP

 

WAN 2
pppoe0 (eth5), PPPoE, Static, 16 IPs

 

WAN 3
eth4, Ethernet, Static, 32 IPs

 

We would like to use WAN 1 as default gateway for normal outgoing traffic from all machines. I made a NAT masquerade for this to work.

 

WAN 2 and 3 are used for multiple services and we have a bunch of static IPs for those interfaces. Now, when a user connects to one of the public IPs from WAN 2 or 3, I make a destination NAT to one of our servers on our local network. This works for incoming packets but all packets from the response leave on interface eth6 (WAN 1) with an IP address from WAN 2 or 3.

 

If one of our servers initiates a new session to a public IP address, traffic should leave through WAN 1. But if a session was initiated through WAN 2 or 3, the response should leave through the corresponding interface.

 

How can I accomplish this scenario? Thanks for your help!

EdgeRouter Lite: Show all external IP addresses an internal device is currently connected to


Hi,

 

I switched on Traffic Analysis with DPI on my EdgeRouter Lite v1.9.7+hotfix.4. It's working fine. I see all "Apps" and "Top Apps".

 

Yet I'd rather like to see all external IP addresses an internal device is currently connected to! Can this be done with the web GUI? If not, how?

 

Thank you very much.

 

SSCDE

Some help with conntrack


I have an issue which brings a VLAN down.

A customer's IPTV box (MAG 254) is uploading at a speed of 2Mbit/s which brings down the whole VLAN.

 

The effects are:

 

- airOS has maxed out CPU 100%

- EdgeRouter Pro survives but sudo conntrack -C skyrockets from 9000 connections to 25000

Anyone have some tips?

Should I limit the connections per IP?

Setup VPN


Hi All

 

I've tried setting up a VPN on my ERX and followed a lot of tutorials online but am still unable to succeed. Can someone help me sort this out? Thanks in advance.

Port Forwarding to local switch on Management VLAN


Hello,

 

We are fairly new to Ubiquiti (Mostly using Cisco and Cisco Meraki)

 

We have different sites with Ubiquiti EdgeMAX 3 Lite routers and HP switches.

We want to manage the HP switches remotely so we have a set of port forwarding rules to those switches with an ADMIN group of IP addresses so only we can remotely manage the router / switches.

 

On most of the sites we do not use VLANs and on those sites we can manage the switches remotely perfectly, but we want to add more security to the sites so on one site we have a VLAN setup and we can't access the switches remotely. Locally it works fine.

So I have several questions on how to set up the ERL.

 

Eth0 = WAN

Eth1 = LAN - VLAN7 = 192.168.235.0/24

Eth2 = LAN - VLAN8 = 172.16.51.0/24

 

Management VLAN of switches: VLAN8

 

The ERL is connected to the core switch with eth1 AND eth2.

eth1 on VLAN7 of the switch

eth2 on VLAN8 of the switch

 

Question 1: 

At Firewall -> Port Forwarding do I set LAN interface to eth1 and eth2 or eth1.7 and eth2.8?

 

Question 2:

At Dashboard: Do I set up the local IP addresses of the ERL on eth1 and eth2 (Ethernet) or on eth1.7 and eth2.8 (VLAN)?

 

Question 3:

Do I have to use Port Forward or NAT or both and in case of NAT, how would I have to set this up regarding the interfaces?

 

I've tried numerous combinations of the above but can't get it working.

 

This is basically the rule we are trying to get working:

 

rule 1 {
    description Switch1
    forward-to {
        address 172.16.51.110
        port 80
    }
    original-port 9451
    protocol tcp
}

 

The config is attached to post.

 

If you need more info just ask.

 

Thanks in advance!

HELP Unresponsive EdgeRouter Pro


My router has some problems with reboot/crash here

which was solved by disabling QoS, but after two days without problems

I get a similar problem here

 

Clients are waiting so I need to reset it and reconfigure it ASAP

I will downgrade it to 1.9.1.1

Any suggestions before I make the move?


Possible BGP Issue


Hey all, been using 3 EdgeRouter Pros for 2 months now. Each router is connected to an ISP and we are taking a full table from each ISP. Everything seems to be running quite well, but I see the following errors every so often that I want to ensure are expected.

 

Nov 13 21:21:45 edgerouter2 BGP[791]: BGP-4: xx.xx.x.xx-Outgoing [DECODE] Attr Aggregator: AS value error(0), Ignoring error...
Nov 13 21:22:00 edgerouter2 BGP[791]: BGP-4: xx.xx.xx.x-Outgoing [DECODE] Attr Aggregator: AS value error(0), Ignoring error...
Nov 13 21:22:14 edgerouter2 BGP[791]: BGP-4: xx.xx.xx.xx-Outgoing [DECODE] Attr Aggregator: AS value error(0), Ignoring error...
Nov 13 21:22:23 edgerouter2 BGP[791]: BGP-4: xx.xx.xx.x-Outgoing [DECODE] Attr Aggregator: AS value error(0), Ignoring error...

Vpn pptp Not workin..tried everything..read everything.. ima die :)


 Hi,

 

Would you go through my config file and check if something is off? I can't seem to make the VPN work.

If I make this work, this config file will be used in a few other, maybe hundreds of, routers we are going to buy. But I need to make this work first.

 Any help is welcome. 

 

PS. - I have version EdgeRouter X v1.7.1 and I'm not able to update.

       - It would be best if I can use the same IP range for the VPN as the "main" range but maybe "higher up".

       

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description PPTP
            destination {
                port 1073
            }
            log enable
            protocol tcp
        }
        rule 3 {
            action accept
            log enable
            protocol gre
        }
        rule 4 {
            action accept
            description Rmtmng
            destination {
                port 22,443
            }
            log disable
            protocol tcp
        }
        rule 6 {
            action accept
            description ping
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            icmp {
                type 8
            }
            log disable
            protocol icmp
        }
        rule 7 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.65.0.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 10.65.0.0/24 {
                default-router 10.65.0.1
                dns-server 10.65.0.1
                lease 86400
                start 10.65.0.38 {
                    stop 10.65.0.100
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            options listen-address=10.0.0.1
            options listen-address=10.65.0.1
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description "masquerade for PPTP"
            log disable
            outbound-interface switch0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password somepaswd.
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username someuser {
                        password somepaswd
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.65.0.100
                stop 10.65.0.151
            }
            dns-servers {
                server-1 10.65.0.1
                server-2 8.8.4.4
            }
            mtu 1370
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.1.4821926.151103.1114 */

 

IPSec site-to-site vs "dynamic" ip on one site.


Hello,

 

I wish to know if there is any way to make a nice way to allow site to site vpn using ipsec with dynamic IP.

 

I have an ERPro with a static IP, but the ERL on the dialup site has a dynamic IP that changes every day.

Here are the configurations:

 

Master site with static IP :

 

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        nat-traversal enable
        site-to-site {
            peer 176.167.xx.yy {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "4G Bot"
                ike-group FOO0
                ikev2-reauth inherit
                local-address 193.aaa.bbb.ccc
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.0.2.1/32
                    }
                    remote {
                        prefix 192.0.2.2/32
                    }
                }
            }
        }
    }
}

"Dynamic IP" site :

 

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        nat-traversal enable
        site-to-site {
            peer 193.aaa.bbb.ccc {
                authentication {
                    id 176.167.xx.yy
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description master
                ike-group FOO0
                ikev2-reauth inherit
                local-address 0.0.0.0
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.0.2.2/32
                    }
                    remote {
                        prefix 192.0.2.1/32
                    }
                }
            }
        }
    }
}

As you can see, the id 176.167.xx.yy is the dynamic IP I have every day; I have to change it by hand.

Are there any clues to get this working? (Any pointers / URLs will be really appreciated.)

 

Kind regards

ER Infinity DOA?


I have an EdgeRouter Infinity:

- Plugged in both PSUs (AC)

- White power LED goes on

- Fans spin at full speed

 

- Using a console cable (using FTDI adapter, confirmed working on other gear), nothing is shown on boot.

- Attempting a power-on reset doesn't work (i.e. LEDs don't blink in the manner described)

- Ethernet plugged into eth0 causes the LED to blink, but ping/ssh/etc don't work (Host Down)

- It has never booted, so I have no idea of the Firmware version.

- I took the cover off to verify everything was connected, and also re-seated the memory. No change.

- Board is HW Rev 13

 

I have a ticket w/ support that hasn't really gone anywhere yet.

 

Any thoughts?

Thanks!

EdgeRouter Pro client VPN to VLAN


Hi,

I have EdgeRouter connected to a switch and divided into three segments:

VLAN 1 (has access to other VLANs)

VLAN 2 (has no access to other VLANs)

VLAN 3 (has no access to other VLANs)

Each VLAN has different addressing.

 

Now I need to create two VPN accesses to LAN behind the router:

1st for administrative purposes from internet to VLAN 1

2nd to VLAN 2 only

 

How can I achieve this goal?

 

So far, I created a VPN connection with local authentication and it works well but it connects only to VLAN1.

 

 

OpenVPN site to site with Dual WAN


I'm trying to get a site to site configuration working between 2 ERLs but have not been successful in doing so.

 

First tried configuring IPsec site to site via the GUI, but all remote IP addresses were unreachable. Now trying to get this config working with OpenVPN but I am getting anywhere from 30-75% packet loss.

My best guess, and from what I've gathered from other threads, is that this is an issue related to the routing tables and load balancing.

 

Has anyone seen a similar issue and been successful in getting this setup working?

QoS limitations - what to look for in a product?


I have an ERLite-3. I've had it about 6 months. Originally I got it to combat the "bufferbloat" issue which comes from having a large family with many devices.

 

We have 100/20 business internet service, but as I'm now well aware, you can't use the smart queue features (or any kind of queue features) to rate limit a 100 mbit connection with an ERLite-3. If I add a queue limited at 80mbit, the performance actually drops to 40mbit. The device simply can't keep up.

 

My question to the smart people here is: where is this limitation spelled out in the product datasheets? I am looking at ordering an ER-4, but I don't know how to confirm this will actually work with my internet connection. What if I upgrade to a 200mbit account? How can I know which product will actually be able to handle my internet connection? I didn't think that it would be that much of a problem for dedicated devices like this.

 

Relevant links:

 

ER-4 datasheet: https://www.ubnt.com/downloads/datasheets/edgemax/EdgeRouter_ER-4_DS.pdf

ERLite-3 datasheet: https://dl.ubnt.com/datasheets/edgemax/EdgeRouter_DS.pdf

Another thread detailing the issue: https://community.ubnt.com/t5/EdgeMAX/EdgeRouter-ERLite-3-Smart-QoS-Limits-Bandwidth-more-than/m-p/1810971

 

Thanks for your time!


Can't open www.ubnt.com

Static routes not resetting after WAN failover


I have 2 default static routes set up for 0.0.0.0/0 with different distance values for each of my WAN connections.

 

When the eth0 (primary) connection fails and the router switches to eth1, everything works great. The correct route is selected and shows "In FIB" in the routing tab.

 

However, when the primary connection is restored, the eth1 route does not change and still shows "Yes" under "Selected" and "In FIB". Because of this, the vpn connection cannot be restored.

 

 

The workaround I have found is to go to the routing tab and do action>config on any route, then change the description and click save. Once I do this, the VPN is restored immediately and the WAN1 route shows "Yes" under "Selected" and "In FIB".

 

Perhaps it is my lack of knowledge about how the routing table works, but I'm not sure exactly what is going on here. Is there some way I can script out whatever is happening when I edit and save a route so that the routes are reapplied correctly after the failover happens?

F-POE managed


 

Does the F-POE device have an HTTP management page?

I am wondering if I can do things like rate shaping on the device, or ping it and have it face customers.

 

Add a static route to U-Verse Modem


Hi,

I have placed my ERL as the DMZ computer with respect to my U-Verse Modem.

 

All of my home stuff is in the 192.168.1.0/24 net. And everything seems to be working...

However the U-Verse Modem's config pages are at 192.168.1.254. The ERL sends all of the 192.168.1.0/24 to eth0. I want the 192.168.1.254 address to be routed via eth1 to the U-Verse modem.

I tried adding a static route 192.168.1.254/32 via eth1 but this evidently does not work. The config page on the U-Verse Modem does not load.

Can I solve this problem with routing? Is the DMZ-ness getting in the way?

I have a workaround: I can directly connect one of my computers to a spare port on the U-Verse device via an ethernet cable and access the config pages.

 

Thanks, 

 

Jerry

 

 

ERX-SFP firewall rules for PPPoE on switch vlan interface?


I have a unique configuration situation where I am using an ERX SFP as both a router and a switch. Eth0, Eth2, Eth3 and Eth4 are on Switch0 which is VLAN aware, with Eth0 connected to our fibre ONT vid 35, and the other three ports with other devices that initiate their own PPPoE connections and are not managed by this router pvid 35. Those three devices establish a PPPoE connection, get a public IP to their own devices and work fine.

Eth1 is not connected to switch0 and is used for our local network. The ERX SFP establishes a PPPoE connection and acts as a router for the local network with a PPPoE interface created on VLAN 35 which I created on switch0. I can't get a PPPoE connection to connect when the interface is created directly on the switch, despite having VID 35 specified from the switch configuration on Eth0, so as it stands now this seems to be the only way to get it to work.

The weird situation is that I can't specify any firewall rules for the PPPoE connection when it is created on a VLAN of the switch. I can specify firewall rules if the PPPoE connection is created on the switch0 interface itself, or a VLAN of one of the Ethernet interfaces, but not on a VLAN of the switch. The option to set firewall is simply not there from the command line, and doesn't show up in the tree of the GUI. Unless there's something I'm missing, creating VLAN 35 on the switch is the only way I can tag the VLAN to establish a PPPoE session and maintain the independent PPPoE connections from the three external devices on the same switch interface.

Anyone have any ideas? Seems odd that the only place where I can't specify a firewall rule from the command line for a PPPoE connection is only when it's created on a VLAN of the switch. Or am I going about this the wrong way entirely? NAT is working, but as it stands now there is no firewall running on the PPPoE connection which is hardly ideal.

 

Thanks
