Channel: EdgeRouter topics

EdgeRouter POE5 Eth port power Pin out


As it turns out, you cannot power a Cisco SPA504G with a POE5 directly. From some research, the power pin-out is different between the two models. Does anyone know the colour code the phone side should be?

I use the white-green standard for Ethernet builds. Any help is appreciated.


keepalive on gre-bridge


Dear all,

Is it possible to configure a keepalive to check the tunnel consistency on an EdgeMax router?

Thanks,

Maria

Question on Edgerouter and EdgeOS


Hi folks...

Is the EdgeOS used in the EdgeRouters all the same?

If it is, then the only differences are the hardware features of each model, right?

Thanks,

BSDME

Troubleshooting Netflow on ER-X


Hi experts!

I'm struggling to get NetFlow working properly between my ER-X and PRTG.

I have PRTG running, and it even seems to be receiving some NetFlow packets from my ER-X, but it's VERY sparse data.

I want to collect source IP / destination IP / protocol / bandwidth stats for my Internet connection.

WAN interface is eth0.

LAN uplink is eth3.

However, I'm only seeing two source IPs, one of which is my router, and the other of which isn't even active on my subnet:

[image: NetFlow example.PNG]

192.168.1.1 is the router's IP.

192.168.1.254 isn't the broadcast IP for a Class C network (that'd be .255), so I don't know what the heck the .254 thing is all about.

I've looked at the NetFlow traffic coming in via Wireshark and it seems consistent with the screenshot above. Despite there being a LOT of activity on my Internet connection, the ER-X just isn't reporting any of it via NetFlow.

I think the problem is with the config on the router, but I'm in WAY over my head here.

Any help would be appreciated.

Here's the flow-accounting section of my config (I'd be quite willing to post the entire config if it would be helpful) (the server running PRTG is 192.168.1.107):

flow-accounting {
    ingress-capture pre-dnat
    interface eth0
    netflow {
        server 192.168.1.107 {
            port 2055
        }
        timeout {
            expiry-interval 60
            flow-generic 60
            icmp 60
            max-active-life 60
            tcp-fin 10
            tcp-generic 60
            tcp-rst 10
            udp 60
        }
        version 9
    }
    syslog-facility daemon
}
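An added example, not part of the original post and not code from EdgeOS or PRTG: a small NetFlow v9 decoder in Python, the kind of thing to run over the UDP/2055 payloads Wireshark extracts so you see exactly which flows the ER-X exports instead of trusting the collector's summary. NetFlow v9 is template-driven: a collector can only decode a data flowset after it has seen the matching template flowset (ID 0) from the same source ID, so data that arrives before the template is unusable until the next template refresh, which by itself looks like "sparse" data. The packet below is constructed with placeholder addresses to match the post's `version 9` setup; `decode_v9`, `top_talkers` and `build_sample_packet` are hypothetical names of mine. One config detail worth checking alongside: EdgeOS flow-accounting captures packets as they enter the interfaces listed, so with only `interface eth0` the export covers traffic arriving on the WAN side; listing the LAN uplink (eth3) as well is how LAN-originated flows get exported with their LAN source addresses.

```python
"""Decode NetFlow v9 exports the way a collector has to: template first, then data.

Added example, not code from the original post, EdgeOS or PRTG.  The packet is
constructed inline to resemble what `flow-accounting ... version 9` on an ER-X
sends to UDP/2055; all addresses are placeholders.
"""
import ipaddress
import struct

# NetFlow v9 field types (RFC 3954 / Cisco) needed for a src/dst/proto/bytes view
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol",
    7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr",
}
IPV4_FIELDS = {8, 12}
TEMPLATE_ID = 256            # data flowset IDs start at 256; 0 and 1 are template/options
HEADER = "!HHIIII"           # version, record count, sysUptime, unixSecs, seqNo, sourceId


def build_sample_packet():
    """Constructed export: header + one template + a data flowset with two records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tbody = struct.pack("!HH", TEMPLATE_ID, len(fields))
    tbody += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    rec_fmt = "!4s4sHHBII"   # must line up with `fields` above
    recs = [
        ("192.168.1.50", "198.51.100.7", 51234, 443, 6, 48213, 62),   # TCP/443 to a placeholder host
        ("192.168.1.107", "198.51.100.53", 40001, 53, 17, 84, 1),    # one UDP/53 query
    ]
    dbody = b"".join(
        struct.pack(rec_fmt, ipaddress.IPv4Address(s).packed,
                    ipaddress.IPv4Address(d).packed, *rest)
        for s, d, *rest in recs)
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(dbody)) + dbody
    header = struct.pack(HEADER, 9, 1 + len(recs), 120000, 1511820000, 1, 0)
    return header + template_fs + data_fs


def decode_v9(packet, templates=None):
    """Parse one export packet.  Returns (records, templates); pass `templates`
    back in for the next packet, because data flowsets reference templates seen
    earlier (keyed by source ID)."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack_from(HEADER, packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, off = [], struct.calcsize(HEADER)
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("flowset length shorter than its own header")
        body = packet[off + 4: off + fs_len]
        if fs_id == 0:                                  # template flowset: one or more templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                spec = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = spec
        elif fs_id >= 256:                              # data flowset: undecodable without its template
            spec = templates.get((source_id, fs_id))
            if spec is not None:
                rec_len = sum(n for _, n in spec)
                p = 0
                while rec_len and p + rec_len <= len(body):   # trailing bytes < rec_len are padding
                    rec = {}
                    for ftype, flen in spec:
                        raw = body[p:p + flen]
                        p += flen
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        if ftype in IPV4_FIELDS and flen == 4:
                            rec[name] = str(ipaddress.IPv4Address(raw))
                        else:
                            rec[name] = int.from_bytes(raw, "big")
                    records.append(rec)
        # fs_id 1 (options template) and options data are ignored here
        off += fs_len
    return records, templates


def top_talkers(records):
    """Bytes per (src, dst, protocol): the per-flow view the post wants from PRTG."""
    totals = {}
    for r in records:
        key = (r["src_addr"], r["dst_addr"], r["protocol"])
        totals[key] = totals.get(key, 0) + r["in_bytes"]
    return totals
```

Feed `decode_v9` each exported datagram in arrival order and keep passing the returned `templates` dict back in; if the first records you see come back empty while later ones decode, the collector simply had not received a template yet, which is a different problem from the router not exporting the flows at all.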

Routing 3 internet connections


Hey guys, is it possible to aggregate 3 internet connections together from all 3 locations on my PtMP network?

Currently the AP is a LiteBeam 5AC-16-120 connected to an EdgeRouter Lite, and the other 2 clients are using LiteBeam 5AC Gen2 (23 dBi) to connect to my AP.

All 3 locations have an internet connection; my aim is to combine them to have better speed.

Locked out of router via SSH, web, console cable


Hi all,

I recently upgraded the firmware on my EdgeMax PoE router to the latest version as of a few days ago. Now I cannot, for the life of me, access the router. (Most of) its existing firewall settings and NAT and such still work, as I can still get on the internet and my VLANs all exist, but I cannot change any settings. I say "most of" because I can't get in now!

I get a connection refused error any time I try to connect via SSH or via the web UI, and I've tried over every VLAN I remember setting up, whether I blocked it in the firewall on that subnet or not (had to try).

After this, I bought a console cable. I can see broadcast messages come from the router, but I cannot seem to send data to the router. I confirmed the cable does in fact work in both directions by using it on a different Ubiquiti EdgeMax router, which I could log into just fine. But my router doesn't seem to respond to keystrokes (bad UART in the router?).

Any ideas? Or am I gonna have to reset it? It would be inconvenient, but it's just my home router with only two production subnets, so it won't be the worst thing to set back up, just a pain. No, I don't have a backup (last time I do that).

Thanks

SSH access denied

Newbie needs help


Hi, I'm a newbie in networking. I'm trying to make a site-to-site OpenVPN connection between my office and home, following this guide, and I've bought 2 ER-Xs. But there's something I don't understand: when I connect my ER-X to my ISP router it says no internet connection. My ISP connection is fiber; they gave me a Huawei HG8254A router/GPON, and it forbids bridge connections. I also thought of using the ER-X as my router, but the ISP doesn't want to give me the password for my account. I have tried DMZ but it isn't stable: sometimes the DMZ is on, sometimes it's off. Please help me, guys.


EdgeRouter Lite 3 - Restarting Randomly


Hello All,

I manage quite a few EdgeRouters and recently we noticed that they reboot once every 2 weeks (on average).

For firmware we tried everything from 1.9.1.1 to 1.9.7+hotfix.4, but this does not seem to change the frequency.

We are seeing this behavior on 100% of the managed EdgeRouters. Since we manage 10+ EdgeRouters which all have this issue, I was expecting to see more people complaining, but the only somewhat related thread I could find is this:

https://community.ubnt.com/t5/EdgeMAX/ERPro-8-v1-9-7-hotfix-4-suddenly-restart/m-p/2147023#M186557

But that thread only speaks about firmware version 1.9.7+hf4.

I cannot find any relevant log messages.

I am currently looking to get my hands on a console cable, but is there any other way I can already start troubleshooting?

Pascal

Edge Router Pro V1.9.7 : QOS


I would like to limit the bandwidth usage per PC (IP address).

I set up a Smart Queue (upload 740 kbit/s and download 9.8 Mbit/s).

And I would like each PC to have equal access to the network, regardless of the type of traffic.

Without any basic rule, if I have someone doing a transfer, or some uTorrent traffic, all the others see that the network access is not good.

I tried to forbid uTorrent-type traffic, but now I have all the traffic in "other".

In fact I don't care about people using uTorrent, as long as this has no impact on the work.

So I would like everyone to have something like 150k upload and 1M download, with a kind of burst capacity to go up to the max bandwidth as long as the others have access to their basic bandwidth.

I tried to set up a basic rule:

Source 192.168.2.0/24, dest = ' ', rate = 150k; burst rate = 690k; burst size = 256Kb; queue type FQ_CoDel

Reverse rate = 1536k; reverse burst rate = 8M; reverse burst size = 10mB; reverse queue type FQ_CoDel

But this seems to give poor performance; I am certainly doing something wrong.

Is there a simple way to set up such a simple rule?

Many thanks in advance

jf

IPv6/AT&T/Giga Power/Pace 5268ac working explanation


[UPDATE NOV 2017]

AT&T did an upgrade to my modem/router and the configuration I had working below suddenly stopped working. Going back to solving this problem, I found a configuration that works. This seems more in line with what everyone has been seeing.

I wanted to share with everyone a perfectly good working IPv6 configuration that works with AT&T GigaPower using the Pace 5268ac and DMZplus. I am using an EdgeRouter Lite v1.9.7+hotfix.3.

In the AT&T device you can see under Settings -> Broadband -> Status:

Dual-Stack IPv6 Internet Connection
Dual-Stack IPv6 Internet Address	2001:506:70b0:1b71::1
Dual-Stack IPv6 Default Gateway	fe80::8626:2bff:fe83:b971
Dual-Stack IPv6 Delegated Prefix	2600:XXXX:XXXX:b710::/60

The delegated prefix is the network that is assigned to you. The AT&T router breaks that down into /64s. You can visit https://subnettingpractice.com/ipv6_subnetting.html to get a list of how your /60 will be carved into /64s.

On the LAN status page (Settings -> LAN -> Status) you will see under IPv6 Status:

IPv6 Status

Link Local Address	fe80::d6b2:7aff:fe4c:12bd
Delegated Address	2600:XXXX:XXXX:b710::1

So you can assume that the Pace has been delegated a /60 and is willing to give out /64s to the devices behind it. For this reason I configured the PD as follows on eth0 (there is really nothing to configure on eth1).

Interface facing the AT&T Pace (note the prefix length, this is important):

    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    service slaac
                }
                prefix-length /64
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }

Internal interface:

    ethernet eth1 {
        address 192.168.2.1/24
        description Local
        duplex auto
        speed auto
    }

DNS masq with ra:

    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            options enable-ra
            options dhcp-range=::1,constructor:eth1,ra-names,86400
        }
    }

One thing you should do is WATCH the AT&T device. I cleaned all IPv6 configuration from the interfaces of the EdgeRouter Lite and then rebooted it. I did this because even after removing the IPv6 configuration from the interfaces, the show interfaces command still showed the interface with a v6 address and I could still ping. Not good!

So after a reboot everything was gone. Then I added the configuration for eth0 dhcpv6-pd. At that point, when I looked at the AT&T Pace router I could see that it came to life, and under Settings -> LAN -> LAN Address Allocation I could see:

[image: Screen Shot 2017-11-27 at 9.04.37 PM.png]

So with the prefix assigned, the internal interface was assigned the b718 subnet from the /60 and everything started working.

In the dnsmasq logs you can see the advertisement built for eth1:

Nov 27 15:42:18 dnsmasq-dhcp[1650]: IPv6 router advertisement enabled
Nov 27 15:49:20 dnsmasq-dhcp[1650]: router advertisement on 2600:XXXX:XXXX:b718::, constructed for eth1
Nov 27 15:49:20 dnsmasq-dhcp[1650]: RTR-ADVERT(eth1) 2600:XXXX:XXXX:b718::

The radvd.conf file is also set properly, automatically:

interface eth1 {
#   This section was automatically generated by the Vyatta
#   configuration sub-system.  Do not edit it.
#
#   service type [slaac]
#
    IgnoreIfMissing on;
    AdvSendAdvert on;
    RDNSS 2600:XXXX:XXX:b710::1  { };
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    prefix ::/64 {
          AdvOnLink on;
          AdvAutonomous on;
    };
};

And with that, magic... great speed, as it's just IPv6 routing on the EdgeRouter.

[image: Screen Shot 2017-09-17 at 3.07.44 PM.png]
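An added example, not from the post: carving the delegated /60 into its sixteen /64s with Python's ipaddress module instead of the subnetting website, plus a check of which slot a sub-prefix occupies, which is how you confirm that the b718 prefix dnsmasq advertised really is slot 8 of the b710::/60 delegation and that the Pace's own b710::1 sits in slot 0. The redacted XXXX hextets are replaced by a placeholder 0db8 (an assumption, so the values are valid addresses); `carve`, `slot_of` and `router_address` are hypothetical names of mine.

```python
"""Carve a delegated IPv6 prefix into /64s and locate a sub-prefix within it.

Added example, not from the post.  The post's redacted XXXX hextets are
replaced by the placeholder 0db8 so the values are valid addresses.
"""
import ipaddress

DELEGATED = "2600:0db8:0db8:b710::/60"    # placeholder for the post's 2600:XXXX:XXXX:b710::/60


def carve(delegated, new_len=64):
    """Every sub-prefix of `delegated` at `new_len`; a /60 yields sixteen /64s."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if new_len < net.prefixlen:
        raise ValueError("new prefix must not be shorter than the delegation")
    return [str(s) for s in net.subnets(new_prefix=new_len)]


def slot_of(delegated, candidate):
    """Index of `candidate` among the sub-prefixes of `delegated` at its own
    length, or None if it lies outside the delegation.

    For the post: b710::/60 carved into b710..b71f, eth1 received b718 = slot 8.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    sub = ipaddress.IPv6Network(candidate, strict=False)
    if sub.prefixlen < net.prefixlen or not sub.subnet_of(net):
        return None
    return (int(sub.network_address) - int(net.network_address)) >> (128 - sub.prefixlen)


def router_address(prefix64, host_suffix="::1"):
    """Address a /64 gets with `host-address ::1` in the dhcpv6-pd stanza."""
    net = ipaddress.IPv6Network(prefix64, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64")
    return str(net.network_address + int(ipaddress.IPv6Address(host_suffix)))
```

Run `slot_of` against the prefix shown in your own dnsmasq RTR-ADVERT line; a result of None means the prefix the router advertised is not inside the delegation the ISP device reports, which is the first thing to rule out when clients get an address but no connectivity.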

EdgePoint R6 - Bandwidth


Hi!

I'm a newbie with Ubiquiti!

I have this solution:

[image: test.jpeg]

with this configuration:

ubnt@R6Zapala:~$ show con
Invalid command
ubnt@R6Zapala:~$ show configuration
interfaces {
    bonding bond0 {
        bridge-group {
            bridge br0
        }
        hash-policy layer2
        mode round-robin
    }
    bridge br0 {
        address 192.168.23.110/24
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        bond-group bond0
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bond-group bond0
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        mtu 1500
        switch-port {
            interface eth5 {
            }
        }
    }
}
load-balance {
}
service {
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name R6Zapala
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Argentina/Salta
}

(For the test, both R6s are connected directly, without AirFiber.)
I put a MikroTik behind each R6 and did a bandwidth test; the result never exceeded:
TX: 250 Mbps / RX: 100 Mbps.

What do you think? Is this normal performance?

Thank you!!!

PPPoE through a bridge?


All,

I am the happy owner of an ER-POE5, but I do have a difficulty passing PPPoE through a bridge and I would appreciate your help with it.

eth0 = WAN. This carries VLAN 4 (IPTV), VLAN 6 (Internet over PPPoE) and VLAN 7 (VoIP over PPPoE).

eth1 = LAN, connected to a managed switch.

eth2-eth4 = switch0. A VoIP box is connected to eth2.

eth0.7 and switch0.7 are bridged.

VoIP is not working. When I run tcpdump simultaneously on both ends of the bridge, I see some packets passing and some not:

[image: voip1.png]

On the right I see the VoIP box emitting PADI requests, and I see them appearing on the left side of the bridge as well. So there is some bridging :-). The PADO offers on the WAN side do however not arrive at the right side of the bridge, and hence my VoIP is not working.

I don't understand why these PADO packets are not passed through the bridge and I would appreciate any insights on this!

Thanks much!

Joost

interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        description "eth0 - WAN"
        duplex auto
        mtu 1512
        poe {
            output off
        }
        speed auto
        vif 4 {
            address dhcp
            description "eth0.4 - IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
        }
        vif 6 {
            description "eth0.6 - Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                idle-timeout 180
                mtu 1500
                name-server auto
                password kpn
            }
        }
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth0.7 - VOIP"
            mtu 1500
        }
    }
    ethernet eth1 {
        address 172.17.114.4/24
        description "eth1 - LAN"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 7 {
            bridge-group {
                bridge br0
            }
            mtu 1500
        }
    }
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            role downstream
            threshold 1
        }
    }
    static {
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 172.17.114.0/24 {
                default-router 172.17.114.4
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.17.114.10 {
                    stop 172.17.114.100
                }
            }
        }
        shared-network-name Unifi1 {
            authoritative disable
            subnet 172.17.115.0/24 {
                default-router 172.17.115.4
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.17.115.10 {
                    stop 172.17.115.100
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 8.8.8.8
            name-server 8.8.4.4
            options listen-address=172.17.114.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
        rule 5001 {
            destination {
                address 10.16.0.0/16
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
        rule 5010 {
            description "KPN Internet"
            log disable
            outbound-interface pppoe0
            protocol all
            source {
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
}
system {
    host-name egx
    login {
        user joost {
            authentication {
                encrypted-password "" 
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.4.5024004.171005.0403 */
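An added example, not from the post: a decoder for PPPoE discovery frames (RFC 2516), including an optional 802.1Q tag, to apply to the frames tcpdump shows on each side of the bridge. The check it encodes comes from the protocol itself: PADI goes to the broadcast MAC, but PADO is unicast to the client's MAC and must echo the client's Host-Uniq tag, so a bridge that passes the broadcast PADI and drops the unicast PADO is failing on the return path (MAC learning or VLAN handling on the bridge members) rather than on PPPoE. Frames, MACs and the AC name below are constructed placeholders, and the function names are mine.

```python
"""Decode PPPoE discovery frames (RFC 2516), with or without an 802.1Q tag.

Added example, not from the post; frames, MACs and the AC name are constructed
placeholders, and the function names are hypothetical.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_PPPOE_DISC = 0x8863
PPPOE_VER_TYPE = 0x11                     # version 1, type 1
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "service_name", 0x0102: "ac_name", 0x0103: "host_uniq", 0x0104: "ac_cookie"}
TAG_END = 0x0000

VOIP_MAC = "00:11:22:33:44:55"            # placeholder for the VoIP box on switch0
AC_MAC = "66:77:88:99:aa:bb"              # placeholder for the ISP access concentrator behind eth0.7


def build_frame(dst, src, code, tags, session=0, vlan=None):
    """Constructed discovery frame; `tags` is a list of (tag_type, value_bytes)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session, len(payload)) + payload
    eth = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:                  # 802.1Q header sits between the MACs and the ethertype
        eth += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return eth + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe


def parse_frame(frame):
    """Return {dst, src, vlan, code, session, tags} for a discovery frame, else None."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    off, vlan = 12, None
    etype, = struct.unpack_from("!H", frame, off)
    if etype == ETH_P_8021Q:
        tci, = struct.unpack_from("!H", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
        etype, = struct.unpack_from("!H", frame, off)
    if etype != ETH_P_PPPOE_DISC:
        return None
    off += 2
    ver_type, code, session, length = struct.unpack_from("!BBHH", frame, off)
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError(f"unsupported PPPoE ver/type 0x{ver_type:02x}")
    body = frame[off + 6: off + 6 + length]
    tags, p = {}, 0
    while p + 4 <= len(body):
        ttype, tlen = struct.unpack_from("!HH", body, p)
        p += 4
        if ttype == TAG_END:
            break
        tags[TAGS.get(ttype, f"tag_{ttype:04x}")] = body[p:p + tlen]
        p += tlen
    return {"dst": dst, "src": src, "vlan": vlan, "session": session,
            "code": CODES.get(code, f"0x{code:02x}"), "tags": tags}


def pado_answers_padi(padi, pado):
    """RFC 2516 s5.2: a PADO is unicast to the PADI sender and echoes its Host-Uniq tag."""
    return (padi["code"] == "PADI" and pado["code"] == "PADO"
            and pado["dst"] == padi["src"]
            and pado["tags"].get("host_uniq") == padi["tags"].get("host_uniq"))


def sample_exchange():
    """Constructed PADI from the VoIP box and the matching PADO, both tagged VLAN 7."""
    uniq = b"\xde\xad\xbe\xef"
    padi = build_frame("ff:ff:ff:ff:ff:ff", VOIP_MAC, 0x09,
                       [(0x0101, b""), (0x0103, uniq)], vlan=7)
    pado = build_frame(VOIP_MAC, AC_MAC, 0x07,
                       [(0x0102, b"ac-example"), (0x0101, b""), (0x0104, b"\x01\x02"),
                        (0x0103, uniq)], vlan=7)
    return padi, pado
```

When comparing the two tcpdump captures, decode each PADO seen on the WAN side and check its `dst` against the VoIP box's MAC and its `vlan` against 7: a PADO addressed to the right MAC that appears on eth0.7 but never on switch0.7 narrows the fault to how the bridge forwards unicast toward that port.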


Edgerouter doing transparent routing for a private WAN network


Hi guys,

I want to replace some of the Cisco 800 series routers my client has across their branches with perhaps an EdgeRouter Lite, as the branches are quite small, about 10-20 users each.

There is a VPLS network between all these branches; it is just a regular L2 network. We have Cisco 800s doing the routing pretty much transparently, as it is a private WAN connection between all of them, so no need to filter anything at the router level.

Can I achieve something similar with the EdgeRouter? I just want it to forward packets without doing NAT.

All routers have an IP in the range 10.0.0.x/24 and they are all connected to a router in a datacentre over the private WAN. Every branch and the datacentre has a LAN interface 192.168.x.0/24.

If branch A sends a packet to branch B it goes from branch A LAN > branch A router > private WAN > datacentre router > private WAN > branch B router > branch B LAN.

Would this be achievable with an EdgeRouter? I want to have no filters at all on the router.

ExpressVPN PPTP on Edgerouter X


I am trying to set up my EdgeRouter X as a PPTP client for ExpressVPN. Something is going wrong, but I can't figure out what. (Note: I have two other OpenVPN configs in there, but hopefully they aren't hurting anything.) Here is my config:

 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 3 {
             action accept
             description OpenVPN
             destination {
                 port 1194
             }
             log disable
             protocol udp
         }
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow PPTP"
             destination {
                 port 1723
             }
             protocol tcp
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     loopback lo {
     }
     openvpn vtun0 {
         config-file /config/edgerouterx.ovpn
         disable
     }
     openvpn vtun1 {
         config-file /config/auth/my_expressvpn_usa_-_washington_dc_udp.ovpn
         description ExpressVPN
         disable
     }
     pptp-client pptpc0 {
         description "VPN to expressvpn.com"
         mtu 1450
         password [passwordfromEVPN]
         require-mppe
         server-ip texas-ubuntu-l2tp.expressprovider.com
         user-id [userfromEVPN]
     }
     switch switch0 {
         address 192.168.3.1/24
         description Local
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface eth1
     rule 1 {
         description hass
         forward-to {
             address 192.168.3.17
             port 8153
         }
         original-port 8153
         protocol tcp_udp
     }
     wan-interface eth0
 }
 protocols {
     static {
         interface-route 0.0.0.0/0 {
             next-hop-interface pptpc0 {
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.3.0/24 {
                 default-router 192.168.3.1
                 dns-server 192.168.3.1
                 lease 86400
                 start 192.168.3.38 {
                     stop 192.168.3.243
                 }
             }
         }
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
             listen-on vtun0
             name-server 208.67.222.222
             name-server 208.67.220.220
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5000 {
             outbound-interface pptpc0
             type masquerade
         }
         rule 5001 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
         rule 5002 {
             description "masquerade for OpenVPN"
             log disable
             outbound-interface vtun0
             protocol all
             type masquerade
         }
         rule 5003 {
             description "masquerade for OpenVPN at Express"
             log disable
             outbound-interface vtun1
             protocol all
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     host-name ubnt
     login {
         user ubnt {
             authentication {
                 encrypted-password $6$3FN2
                 public-keys jay@macmini {
                     key AAA
                     type ssh-rsa
                 }
             }
             level admin
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }

Here is my log file output when it tries to connect:

Nov 28 15:17:11 ubnt pppd[27996]: write: Bad file descriptor (9)
Nov 28 15:17:11 ubnt pppd[27996]: Connect: ppp0 <--> /dev/pts/3
Nov 28 15:17:11 ubnt pptp[29537]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated
Nov 28 15:17:11 ubnt pptp[29542]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Nov 28 15:17:11 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Nov 28 15:17:11 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Nov 28 15:17:12 ubnt pptp[29542]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Nov 28 15:17:12 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Nov 28 15:17:12 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 19968).
Nov 28 15:17:17 ubnt pppd[27996]: CHAP authentication succeeded
Nov 28 15:17:17 ubnt pppd[27996]: MPPE 128-bit stateless compression enabled
Nov 28 15:17:18 ubnt pppd[27996]: not replacing existing default route via 192.168.1.1
Nov 28 15:17:18 ubnt pppd[27996]: local  IP address 10.0.0.14
Nov 28 15:17:18 ubnt pppd[27996]: remote IP address 10.0.0.1
Nov 28 15:17:18 ubnt pppd[27996]: primary   DNS address 10.0.0.1
Nov 28 15:17:18 ubnt pppd[27996]: secondary DNS address 10.0.0.1
Nov 28 15:17:21 ubnt ntpd[29493]: ntpd exiting on signal 15
Nov 28 15:17:23 ubnt ntpd[29714]: ntpd 4.2.6p2@1.2194-o Thu Aug  3 08:17:18 UTC 2017 (1)
Nov 28 15:17:23 ubnt ntpd[29715]: proto: precision = 41.817 usec
Nov 28 15:17:28 ubnt pptp[29537]: anon warn[decaps_gre:pptp_gre.c:331]: short read (-1): Message too long
Nov 28 15:17:28 ubnt pptp[29542]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
Nov 28 15:17:28 ubnt pppd[27996]: Modem hangup
Nov 28 15:17:28 ubnt pptp[29542]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Nov 28 15:17:28 ubnt pptp[29542]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
Nov 28 15:17:28 ubnt pppd[27996]: MPPE disabled
Nov 28 15:17:28 ubnt pppd[27996]: Connection terminated: no multilink.
Nov 28 15:17:32 ubnt ntpd[29715]: ntpd exiting on signal 15
Nov 28 15:17:34 ubnt ntpd[29901]: ntpd 4.2.6p2@1.2194-o Thu Aug  3 08:17:18 UTC 2017 (1)
Nov 28 15:17:34 ubnt ntpd[29902]: proto: precision = 41.166 usec
Nov 28 15:17:58 ubnt pppd[27996]: write: Bad file descriptor (9)
Nov 28 15:17:58 ubnt pppd[27996]: Connect: ppp0 <--> /dev/pts/3
Nov 28 15:17:58 ubnt pptp[29922]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated
Nov 28 15:17:59 ubnt pptp[29931]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Nov 28 15:17:59 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Nov 28 15:17:59 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Nov 28 15:18:00 ubnt pptp[29931]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Nov 28 15:18:00 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Nov 28 15:18:00 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 20736).
Nov 28 15:18:06 ubnt pppd[27996]: CHAP authentication succeeded
Nov 28 15:18:06 ubnt pppd[27996]: MPPE 128-bit stateless compression enabled
Nov 28 15:18:07 ubnt pppd[27996]: not replacing existing default route via 192.168.1.1
Nov 28 15:18:07 ubnt pppd[27996]: local  IP address 10.0.0.11
Nov 28 15:18:07 ubnt pppd[27996]: remote IP address 10.0.0.1
Nov 28 15:18:07 ubnt pppd[27996]: primary   DNS address 10.0.0.1
Nov 28 15:18:07 ubnt pppd[27996]: secondary DNS address 10.0.0.1
Nov 28 15:18:10 ubnt ntpd[29902]: ntpd exiting on signal 15
Nov 28 15:18:12 ubnt ntpd[30107]: ntpd 4.2.6p2@1.2194-o Thu Aug  3 08:17:18 UTC 2017 (1)
Nov 28 15:18:12 ubnt ntpd[30108]: proto: precision = 40.767 usec
Nov 28 15:18:42 ubnt pptp[29922]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 136 (expecting 135, lost or reordered)
Nov 28 15:18:57 ubnt pptp[29922]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 226 (expecting 225, lost or reordered)
Nov 28 15:19:00 ubnt pptp[29931]: anon log[logecho:pptp_ctrl.c:677]: Echo Reply received.
Nov 28 15:19:10 ubnt pptp[29922]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 300 (expecting 299, lost or reordered)
Nov 28 15:19:10 ubnt pptp[29922]: anon warn[decaps_gre:pptp_gre.c:331]: short read (-1): Message too long
Nov 28 15:19:10 ubnt pppd[27996]: Modem hangup
Nov 28 15:19:10 ubnt pptp[29931]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
Nov 28 15:19:10 ubnt pptp[29931]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Nov 28 15:19:10 ubnt pptp[29931]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
Nov 28 15:19:10 ubnt pppd[27996]: MPPE disabled
Nov 28 15:19:10 ubnt pppd[27996]: Connection terminated: no multilink.
Nov 28 15:19:13 ubnt ntpd[30108]: ntpd exiting on signal 15
Nov 28 15:19:15 ubnt ntpd[30330]: ntpd 4.2.6p2@1.2194-o Thu Aug  3 08:17:18 UTC 2017 (1)
Nov 28 15:19:15 ubnt ntpd[30331]: proto: precision = 42.560 usec

Does anyone have any ideas?  Thanks!


ER-X out of space

Hi All,

I tried setting up the webproxy service and am seeing speeds drop drastically (10-20MB on a 150 line). I have deleted the service but am still seeing issues. Flash is full and I have deleted the system image as well. How can I get this back to normal? It looks like the blacklist is 250MB but access is denied. Any suggestions, or is this unit toast? Desperate!!!!

TIA

'/usr/bin/vtysh.pl -c show ip route summary json' appearing in Syslog every minute

Hello,

I have an EdgeRouter X 5-Port running the latest v1.9.7+hotfix.4 version.

Since I enabled remote syslog, I notice that there's a 'show ip route summary json' being executed every minute, and I'd really like this to stop.

$ show version
Version: v1.9.7+hotfix.4
Build ID: 5024279
Build on: 10/06/17 02:55
Copyright: 2012-2017 Ubiquiti Networks, Inc.
HW model: EdgeRouter X 5-Port
HW S/N: __obfuscated__
Uptime: 20:46:34 up 22:48, 1 user, load average: 1.00, 1.05, 1.09

Nov 28 21:04:30 1.2.3.10 Nov 28 20:04:29 ubiq sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vtysh.pl -c show ip route summary json
Nov 28 21:04:30 1.2.3.10 Nov 28 20:04:29 ubiq sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 28 21:04:30 1.2.3.10 Nov 28 20:04:30 ubiq sudo: pam_unix(sudo:session): session closed for user root

And another one the next minute...

Nov 28 21:05:31 1.2.3.10 Nov 28 20:05:30 ubiq sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vtysh.pl -c show ip route summary json
Nov 28 21:05:31 1.2.3.10 Nov 28 20:05:30 ubiq sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 28 21:05:31 1.2.3.10 Nov 28 20:05:31 ubiq sudo: pam_unix(sudo:session): session closed for user root

Any ideas if this is a regression, as I found an older message from 2016 stating this was already fixed?

Thanks,

//Sorin

Firewall Settings to Block SIPVicious?

Hey all, I'm using an EdgeRouter X with some VoIP phones, with just the basic setup from the WAN+2LAN2 wizard. We've been getting hit by SIPVicious spam calls, and I was wondering if there are any settings on the firewall I can add that will block SIPVicious?

For anyone unfamiliar, SIPVicious is a set of security auditing tools for testing the security of SIP PBXes, which hackers can use to find vulnerabilities to exploit. Some of the tools do port scans that cause VoIP phones to ring nonstop. As you can imagine, it's a huge headache and super disruptive. Any chance the EdgeRouter X's firewall can stop it, or do I need to buy something more robust?

ipsec site to site VPN fails - requires reboot

Router is behind 2 additional NATted gateways providing dual-WAN access. The dual-WAN load balancing is handled with simple source modify rules.

The symptom is that IPsec site-to-site is unreliable. I discovered that while IP traffic NATted by the EdgeRouter reaches its destination reliably (verified with tcpdump at the destination), traffic originating from the EdgeRouter itself does not. The tcpdump on the ER looks proper whether NATted or not; however, the traffic simply doesn't arrive at the destination.

ICMP traffic does reliably make it where it needs to go. `telnet VPNendpoint 500` from a host inside the EdgeRouter source NAT makes it where it needs to go. `telnet VPNendpoint 500` from the EdgeRouter itself, though, never arrives at the destination. I don't think it's an MSS/MTU problem, as I've already modified them down quite substantially, much lower than the 1420 I had set on the prior configuration; in addition, tcpdump is indicating very small frame lengths, <200 bytes.

Rebooting the EdgeRouter fixes the problem, for a while. The tunnel comes up and traffic moves smoothly for... hours. Eventually it fails, and it takes a reboot to make traffic flow again.

Again... NATted traffic is still making it to its destination. ICMP traffic moves fine to and from wherever. IP (UDP and TCP, seemingly) traffic cannot get where I need it to go, however, including to destinations unrelated to the VPN, if it originates at the EdgeRouter's own IP interface.

I'm worried that it's actually a defective unit, in a remote location north of the Arctic Circle.

This is in /var/log/messages:

"I/O Error, both of real entry and whiteout found, resolv.conf, error -5"

.... a lot:

root@nvfy-edgerouter:/var/log# grep "I/O Error, both of real entry and whiteout found" /var/log/messages | wc -l
1011

Pseudo-sanitized config:

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group Unwanted_WAN_Traffic {
             address 40.77.232.59
             address 198.251.90.71
             description ""
         }
         network-group LAN_All {
             description ""
             network 172.22.1.0/24
             network 172.22.19.0/24
             network 172.22.21.0/24
             network 172.22.22.0/24
             network 172.22.23.0/24
             network 172.22.24.0/24
             network 172.22.25.0/24
         }
         network-group source_route_1 {
             description "IPs that route through general Internet"
             network 172.22.21.0/24
             network 172.22.23.0/24
             network 172.22.24.0/24
             network 172.22.25.0/24
         }
         network-group source_route_2 {
             description "IPs that route through acct Internet"
             network 172.22.22.0/24
             network 172.22.1.0/24
             network 172.22.19.0/24
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     modify WAN_LB {
         rule 10 {
             action modify
             modify {
                 table 1
             }
             source {
                 group {
                     network-group source_route_1
                 }
             }
         }
         rule 20 {
             action modify
             modify {
                 table 2
             }
             source {
                 group {
                     network-group source_route_2
                 }
             }
         }
     }
     name GZGTG_LAN {
         default-action accept
         description ""
         rule 1 {
             action drop
             description "Block Unwanted Sites"
             destination {
                 group {
                     network-group LAN_All
                 }
             }
             log enable
             protocol all
             source {
                 group {
                     address-group Unwanted_WAN_Traffic
                 }
             }
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
     }
     options {
         mss-clamp {
             interface-type all
             mss 1372
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address 192.168.1.100/24
         duplex auto
         speed auto
     }
     ethernet eth1 {
         address 172.22.1.1/24
         duplex auto
         firewall {
             in {
                 modify WAN_LB
             }
         }
         speed auto
         vif 19 {
             address 172.22.19.1/24
             description "Server VLAN"
             firewall {
                 in {
                     modify WAN_LB
                 }
             }
             mtu 1500
         }
         vif 21 {
             address 172.22.21.1/24
             description "GZGTG Users"
             firewall {
                 in {
                     modify WAN_LB
                 }
             }
             mtu 1500
         }
         vif 22 {
             address 172.22.22.1/24
             description Accounting
             firewall {
                 in {
                     modify WAN_LB
                 }
             }
             mtu 1500
         }
         vif 23 {
             address 172.22.23.1/24
             description "GZGTG Guests"
             firewall {
                 in {
                     modify WAN_LB
                 }
             }
             mtu 1500
         }
         vif 24 {
             address 172.22.24.1/24
             description VOIP
             firewall {
                 in {
                     modify WAN_LB
                 }
             }
             mtu 1500
         }
         vif 25 {
             address 172.22.25.1/24
             description "GZGTG Printers"
             firewall {
                 in {
                     modify WAN_LB
                 }
             }
             mtu 1500
         }
     }
     ethernet eth2 {
         address 192.168.2.100/24
         duplex auto
         mtu 1460
         speed auto
     }
     ethernet eth3 {
         duplex auto
         speed auto
     }
     ethernet eth4 {
         duplex auto
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         mtu 1500
     }
 }
 load-balance {
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop 192.168.1.1 {
             }
             next-hop 192.168.2.1 {
             }
         }
         route 207.2.81.240/29 {
             next-hop 192.168.2.1 {
                 description "All GSE LLC traffic through Acct Uplink"
             }
         }
         table 1 {
             route 0.0.0.0/0 {
                 next-hop 192.168.1.1 {
                 }
             }
         }
         table 2 {
             route 0.0.0.0/0 {
                 next-hop 192.168.2.1 {
                 }
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name Native_VLAN_pool {
             authoritative disable
             subnet 172.22.1.0/24 {
                 default-router 172.22.1.1
                 dns-server 8.8.8.8
                 dns-server 8.8.4.4
                 lease 86400
                 static-mapping gzgtg-ups1 {
                     ip-address 172.22.1.6
                     mac-address 00:c0:b7:6a:47:14
                 }
                 static-mapping nvfy-vm4 {
                     ip-address 172.22.1.9
                     mac-address 00:24:e8:7f:1c:f8
                 }
             }
         }
         shared-network-name Server {
             authoritative disable
             subnet 172.22.19.0/24 {
                 default-router 172.22.19.1
                 dns-server 172.22.1.7
                 dns-server 172.22.19.48
                 domain-name tribal.local
                 lease 86400
                 start 172.22.19.64 {
                     stop 172.22.19.64
                 }
                 static-mapping Brother-Env {
                     ip-address 172.22.19.44
                     mac-address 90:cd:b6:68:7e:2b
                 }
                 static-mapping Brother-Realty {
                     ip-address 172.22.19.43
                     mac-address 40:49:0f:a2:8f:30
                 }
                 static-mapping UniFi1 {
                     ip-address 172.22.19.6
                     mac-address 04:18:d6:6c:56:da
                 }
                 static-mapping UniFi2 {
                     ip-address 172.22.19.7
                     mac-address 04:18:d6:6c:5e:f1
                 }
             }
         }
         shared-network-name VOIP_pool {
             authoritative disable
             subnet 172.22.24.0/24 {
                 default-router 172.22.24.1
                 dns-server 172.22.1.7
                 dns-server 172.22.19.48
                 domain-name tribal.local
                 lease 86400
                 start 172.22.24.128 {
                     stop 172.22.24.255
                 }
                 tftp-server-name 172.22.24.2
             }
         }
         shared-network-name accounting_pool {
             authoritative disable
             subnet 172.22.22.0/24 {
                 default-router 172.22.22.1
                 dns-server 172.22.1.7
                 dns-server 172.22.19.4
                 domain-name tribal.local
                 lease 86400
                 start 172.22.22.64 {
                     stop 172.22.22.127
                 }
                 static-mapping acct-printer {
                     ip-address 172.22.22.42
                     mac-address 40:b0:34:a4:dc:4a
                 }
             }
         }
         shared-network-name gen_use_pool {
             authoritative disable
             subnet 172.22.21.0/24 {
                 default-router 172.22.21.1
                 dns-server 172.22.1.7
                 dns-server 172.22.19.4
                 domain-name tribal.local
                 lease 86400
                 start 172.22.21.128 {
                     stop 172.22.21.191
                 }
                 static-mapping nvfy-desktop16 {
                     ip-address 172.22.21.192
                     mac-address b0:83:fe:ba:97:eb
                 }
             }
         }
         shared-network-name guest_pool {
             authoritative disable
             subnet 172.22.23.0/24 {
                 default-router 172.22.23.1
                 dns-server 172.22.1.7
                 lease 86400
                 start 172.22.23.64 {
                     stop 172.22.23.127
                 }
             }
         }
         shared-network-name printers_pool {
             authoritative disable
             subnet 172.22.25.0/24 {
                 default-router 172.22.25.1
                 dns-server 172.22.1.7
                 lease 86400
                 static-mapping prn-housing-1 {
                     ip-address 172.22.25.64
                     mac-address 48:5a:b6:7e:7a:a5
                 }
                 static-mapping prn-realty-1 {
                     ip-address 172.22.25.65
                     mac-address 40:49:0f:a2:8f:30
                 }
             }
         }
         use-dnsmasq disable
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5001 {
             description Outbound_All_eth0
             log disable
             outbound-interface eth0
             protocol all
             source {
                 group {
                     network-group LAN_All
                 }
             }
             type masquerade
         }
         rule 5002 {
             description Outbound_All_eth2
             log disable
             outbound-interface eth2
             protocol all
             source {
                 group {
                     network-group LAN_All
                 }
             }
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     unms {
         disable
     }
 }
 system {
     domain-name tribal.local
     host-name nvfy-edgerouter
     login {
         user jrdalrymple {
             authentication {
                 encrypted-password $6$gZ6pymO7r4tfag55$LakDYi2Gmm2rnZ7BdkQKIbZ4.WQLKfK1CQJaE0UjAfsLOWkm/NbVUJnL9DtQ7FpC1dnKLZF6dRTZ910/QjCUK1
                 plaintext-password ""
             }
             full-name "JR Dalrymple"
             level admin
         }
         user ubnt {
             authentication {
                 encrypted-password $6$mFYayM/oosIR$eW7ztWThZMKN7tg5/0qdTErjHBr6NHKHSmywgH9gtxnryx9e/kbVRWF5C9owuIWwcTijwDRfeXRfGxV6PJVnd.
                 plaintext-password ""
             }
             full-name Admin
             level admin
         }
     }
     name-server 172.22.1.7
     name-server 172.22.19.48
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
     traffic-analysis {
         dpi enable
         export enable
     }
 }
 traffic-control {
     smart-queue GZGTG-eth0 {
         download {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 1024kbit
         }
         upload {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 512kbit
         }
         wan-interface eth0
     }
     smart-queue GZGTG-eth2 {
         download {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 1024kbit
         }
         upload {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 512kbit
         }
         wan-interface eth2
     }
 }
 vpn {
     ipsec {
         auto-firewall-nat-exclude enable
         esp-group FOO0 {
             compression disable
             lifetime 3600
             mode tunnel
             pfs enable
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ike-group FOO0 {
             ikev2-reauth no
             key-exchange ikev1
             lifetime 3600
             mode main
             proposal 1 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
         site-to-site {
             peer 207.2.81.244 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret vowu74khx9F99h4IfUPT6ohoOsmw0II4XtGO7rosGzWpRC3WYlnzt3bTz2RdvvpW
                 }
                 connection-type initiate
                 description "GSE LLC VPN"
                 ike-group FOO0
                 ikev2-reauth inherit
                 local-address any
                 tunnel 1 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group FOO0
                     local {
                         prefix 172.22.22.0/24
                     }
                     remote {
                         prefix 172.16.104.0/24
                     }
                 }
                 tunnel 2 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group FOO0
                     local {
                         prefix 172.22.19.0/24
                     }
                     remote {
                         prefix 172.16.104.0/24
                     }
                 }
                 tunnel 3 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group FOO0
                     local {
                         prefix 172.22.1.7/32
                     }
                     remote {
                         prefix 172.16.104.0/24
                     }
                 }
             }
         }
     }
 }

Any advice appreciated.

four isolated vlans

Hi Ubiquiti Community!

I have read this article:

https://help.ubnt.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Protect-a-Guest-Network-on-EdgeRouter

I have an EdgeRouter X. I wish to configure 4 separate VLANs, and none of the VLANs should be able to talk to each other.

eth0 = wan/internet

switch0.10 = vlan10
switch0.11 = vlan11
switch0.12 = vlan12
switch0.13 = vlan13

vlan10 = 10.1.10.0/24
vlan11 = 10.1.11.0/24
vlan12 = 10.1.12.0/24
vlan13 = 10.1.13.0/24

eth1, eth2, eth3, eth4 = pvid vlan 10, vid 11, vid 12, vid 13

The VLAN setup seems to work. I have 4 DHCP servers, and they all give IP addresses in the correct subnets.

Right now I am trying to apply the firewall rules to only one VLAN, vlan11, but I can still ping a host on vlan11 from vlan10.

When done, I would like to repeat this for all 4 VLANs.

I do have some ports that need to be forwarded to some hosts inside only vlan10.

Thank you for your advice!

show interfaces

ethernet eth0 {
    address dhcp
    description Internet
    duplex auto
    firewall {
        in {
            name WAN_IN
        }
        local {
            name WAN_LOCAL
        }
    }
    speed auto
}
ethernet eth1 {
    description Local
    duplex auto
    speed auto
}
ethernet eth2 {
    description Local
    duplex auto
    speed auto
}
ethernet eth3 {
    description Local
    duplex auto
    speed auto
}
ethernet eth4 {
    description Local
    duplex auto
    speed auto
}
loopback lo {
}
switch switch0 {
    address 192.168.1.1/24
    description Local
    mtu 1500
    switch-port {
        interface eth1 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        interface eth2 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        interface eth3 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        interface eth4 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        vlan-aware enable
    }
    vif 10 {
        address 10.1.10.1/24
        description vlan10
        mtu 1500
    }
    vif 11 {
        address 10.1.11.1/24
        description vlan11
        firewall {
            in {
                name PROTECT_VLANS
            }
            local {
                name PROTECT_LOCAL
            }
        }
        mtu 1500
    }
    vif 12 {
        address 10.1.12.1/24
        description vlan12
        mtu 1500
    }
    vif 13 {
        address 10.1.13.1/24
        description vlan13
        mtu 1500
    }
}
show firewall

all-ping enable
broadcast-ping disable
group {
    address-group router_addresses {
        address 10.1.10.1
        address 10.1.11.1
        address 10.1.12.1
        address 10.1.13.1
        description ""
    }
    network-group local_subnets {
        description ""
        network 10.1.10.0/24
        network 10.1.11.0/24
        network 10.1.12.0/24
        network 10.1.13.0/24
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name PROTECT_LOCAL {
    default-action drop
    description ""
    rule 1 {
        action accept
        destination {
            port 53
        }
        log disable
        protocol udp
        source {
        }
    }
    rule 2 {
        action accept
        destination {
            port 53
        }
        log disable
        protocol udp
    }
}
name PROTECT_VLANS {
    default-action accept
    description ""
    rule 1 {
        action accept
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 2 {
        action drop
        destination {
            group {
                network-group local_subnets
            }
        }
        log disable
        protocol all
    }
}
name WAN_IN {
    default-action drop
    description "WAN to internal"
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
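Extending the isolation to all four VLANs, as an added example that is not part of the original post: EdgeOS configuration commands that attach the PROTECT_VLANS and PROTECT_LOCAL rule sets shown above to every switch0 vif, and add a DHCP allow rule under the assumption that the router itself is the DHCP server on each VLAN.

```text
configure

# Attach the same inter-VLAN drop rule set ("in", forwarded traffic) and the
# to-router rule set ("local") to every VLAN interface, not only vif 11.
# An "in" rule set is evaluated on the interface a packet arrives on, so a
# ping from vlan10 to vlan11 is only filtered once vif 10 carries it too.
set interfaces switch switch0 vif 10 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 10 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 11 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 11 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 12 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 12 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 13 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 13 firewall local name PROTECT_LOCAL

# Assumption: the router is the DHCP server on each VLAN. PROTECT_LOCAL has
# default-action drop and only accepts UDP 53, so clients also need UDP 67
# to reach the router's DHCP server; rule number 3 is chosen here as unused.
set firewall name PROTECT_LOCAL rule 3 action accept
set firewall name PROTECT_LOCAL rule 3 description "Allow DHCP to router"
set firewall name PROTECT_LOCAL rule 3 protocol udp
set firewall name PROTECT_LOCAL rule 3 destination port 67

commit
save
exit
```

Hosts in vlan10 that receive forwarded ports are unaffected: PROTECT_VLANS only drops traffic whose destination is in local_subnets, and return traffic for port forwards matches the established/related accept in rule 1.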

 

 

 
