As it turns out, you can not power a Cisco SPA504g with a POE5 directly. From some research the power pin out is different between the 2 models. Does any one know the color code in which the phone side should be?
I use white green standards for eth build. Any help is appreciated.
Dear,
is it possible to configure a keepalvie to check the tunnel consistency on edgemax router?
thanks
Maria
Hi Folks...
Is the EdgeOS use in the EdgeRouter are all the same ?
If it is, so the only differences is just the hardware features in each model right?
Thanks,
BSDME
Hi experts!
I'm struggling with getting NetFlow working properly on my ER-X and PRTG
I have PRTG running, and it even seems to be receiving some NetFlow packets from my ER-X, but it's VERY sparse data.
I want to collect source IP / destination IP / protocol / bandwidth stats for my Internet connection
WAN interface is eth0
LAN uplink is eth3
However I'm only seeing two source IPs, one of which is my router, and the other of which isn't even active on my subnet:
192.168.1.1 is the router's IP
192.168.1.254 isn't the broadcast IP for a Class C network (that'd be .255), so I dont know what the heck the .254 thing is all about
I've looked at the NetFlow traffic coming in via WireShark and it seems consistent with the screenshot above. Despite there being a LOT of activity on my Internet connection, the ER-X just isn't reporting any of it via NetFlow.
I think the problem is with the config on the router but I'm in WAY over my head here
Any help would be appreciated
Here's the flow-accounting section of my config (I'd be quite willing to post the entire config if it would be helpful) (the server running PRTG is 192.168.1.107):
flow-accounting {
ingress-capture pre-dnat
interface eth0
netflow {
server 192.168.1.107 {
port 2055
}
timeout {
expiry-interval 60
flow-generic 60
icmp 60
max-active-life 60
tcp-fin 10
tcp-generic 60
tcp-rst 10
udp 60
}
version 9
}
syslog-facility daemon
}
hey guys is it possible to aggerate 3 internet connections together from all 3 locations on my Ptmp network?
currently AP is a
connected to a edgerouter lite
and other 2 clients are using
to connect to my AP
all 3 locations have internet connection my aim is to combine them to have better speed.
Hi all,
I recently upgraded my firmware on my EdgeMax PoE router to the latest version as of a few days ago. Now, I cannot, for the life of me, access the router. (Most of) its existing firewall settings and NAT and such still work, as I can still get on the internet and my VLANs all exist, but I cannot change any settings. I say "most of" because I can't get in now!
I get a connection refused error anytime I try to connect via SSH or via the web UI, and I've tried over every VLAN I remember setting up, whether I blocked it in the firewall on that subnet or not (had to try).
After this, I bought a console cable. I can see broadcast messages come from the router, but I cannot seem to send data to the router. I confirmed the cable does in fact work both directions by using it on a different Ubiquiti EdgeMax router, which I could log into just fine. But, my router doesn't seem to respond to keystrokes (bad UART in router?).
Any ideas? Or am I gonna have to reset it? It would be inconvenient, but it's just my home router with only two production subnets, so it won't be the worst thing to set back up, just a pain. No, I don't have a backup (last time I do that).
Thanks
When I SSH to my ERL it gives me "acces denied".
The only user on the device is admin and ssh server is active and port set to 22.
It's the same problem as described in https://community.ubnt.com/t5/EdgeMAX/ssh-login-not-working/td-p/1830164 but that one never got solved.
hi, im newbie in networking, i try make site-to-site open vpn connection between my office and home, i try to follow this guide, i been bought 2 er-x. but something i dont understand when i connect my ER-x to my ISP router it said no internet connection. my ISP is fiber connection they give me router/gpon huawei hg8254a. it forbid bridge connection. i also think to use ER-x as my route but the ISP dont want to give the password for my account. i have try dmz but itsn't stable sometime the dmz is on sometime it off. please help my guys
Hello All,
I manage quite a few EdgeRouters and recently we noticed that they reboot once every 2 weeks (on average).
For firmware we tried everything from 1.9.1.1 to 1.9.7+hotfix.4 but this does not seem to change the frequency.
We are seeing this bahavior on 100% of the managed EdgeRouters. Since we manage 10+ EdgeRouters which all have this issue, I was expecting to see more people complaning, but the only somewhat related thread I could find is this:
https://community.ubnt.com/t5/EdgeMAX/ERPro-8-v1-9-7-hotfix-4-suddenly-restart/m-p/2147023#M186557
But that thread only speaks about firmware version 1.9.7+hf4.
I cannot find any relevant log messages.
I am currently looking to get my hands on a console cable, but is there any other way I can already start troubleshooting?
Pascal
I would like to limit the bandwidth usage per PC (IP adress)
I set up a smart Queue (upload 740 kbits/s and download 9.8 Mbits/s)
And I would like that each PC has an equal access to the nework, regardless of the type of traffic.
Without any basic rule, If I have someone doint a transfer, or some uttorents traffic... All the others see that the network access is not good.
I tried to forbid uttorent kind of traffic but now I have all the traffic in "other"
In fact I don't care people doing uttorent... As long as this has no impact on the work.
So I would like everyone to have something as 150k upload and 1m download with a kind of burst capacity to go up to the max bandwidth as long as the others have access to their basic bandwidth.
I tried to set up a basic rule
Source 192.168.2.0/24, dest =' ' rate =150k; Burst rate= 690 k; Burst size= 256Kb; Queue type FQ_COD
Reverse rate= 1536k; Reverse Burst Rate= 8m; reverse burst size= 10mB; reverse Queue Type FQ_COD
But this seems to give poor performances, I am certainly doing something wrong
Is there a simple way to set up such a kind of simple rule?
Many thanks in advance
jf
[UPDATE NOV 2017]
AT&T did an upgrade to my modem/router and the configuration I had working below suddenly stopped working. Going back to looking at solving this problem, I found a configuration that works. This seems more in-line with what everyone has been seeing.
I wanted to share with everyone a perfectly good working IPv6 configuration that works with AT&T GigaPower using the PACE 5268ac and DMZ plus. I am using a Edge Router Lite v1.9.7+hotfix.3
In the ATT device you can see under Settings -> Broadband -> Status
Dual-Stack IPv6 Internet Connection Dual-Stack IPv6 Internet Address 2001:506:70b0:1b71::1 Dual-Stack IPv6 Default Gateway fe80::8626:2bff:fe83:b971 Dual-Stack IPv6 Delegated Prefix 2600:XXXX:XXXX:b710::/60
The delegated prefix is the network that is assigned to you. The ATT router breaks that down into /64’s. You can visit https://subnettingpractice.com/ipv6_subnetting.html to get a list of how your /60 will be carved into /64.
On the LAN status Settings -> LAN -> Status you will see under IPv6 Status
IPv6 Status Link Local Address fe80::d6b2:7aff:fe4c:12bd Delegated Address 2600:XXXX:XXXX:b710::1
So you can assume that the PACE has been delegated a /60 and is willing to give out /64's the devices behind it. For this reason I configured the PD as follows on eth0 ( there is really nothing to configure on eth1 ).
Interface facing the ATT Pace ( note the prefix length, this is important )
ethernet eth0 {
address dhcp
description Internet
dhcpv6-pd {
pd 0 {
interface eth1 {
host-address ::1
service slaac
}
prefix-length /64
}
rapid-commit enable
}
duplex auto
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
speed auto
}Internal interface:
ethernet eth1 {
address 192.168.2.1/24
description Local
duplex auto
speed auto
}DNS masq with ra:
dns {
forwarding {
cache-size 150
listen-on eth1
options enable-ra
options dhcp-range=::1,constructor:eth1,ra-names,86400
}
}One thing you should do is WATCH the ATT device. I did clean all IPV6 configuration from the interfaces of the edge router lite and then rebooted the edge router lite. This I did because even after removing the ipv6 configuration on the interfaces the show interfaces command still showed the interface with a v6 address and I could still ping. Not good!
So after a reboot everythign was gone. Then I added the configuration for eth0 dhcp-pd. At that point when I look at the ATT PACE router I can see that it came to life and could see under Settings -> Lan -> Lan Address Allocation:
So with the prefix assigned, the internal interface was assigned the b718 subnet from the /60 group and everything started working.
In the dnsmasq logs you can see the advertisement built for eth1
Nov 27 15:42:18 dnsmasq-dhcp[1650]: IPv6 router advertisement enabled Nov 27 15:49:20 dnsmasq-dhcp[1650]: router advertisement on 2600:XXXX:XXXX:b718::, constructed for eth1 Nov 27 15:49:20 dnsmasq-dhcp[1650]: RTR-ADVERT(eth1) 2600:XXXX:XXXX:b718::
The radvd.conf file is set properly set automatically also:
interface eth1 {
# This section was automatically generated by the Vyatta
# configuration sub-system. Do not edit it.
#
# service type [slaac]
#
IgnoreIfMissing on;
AdvSendAdvert on;
RDNSS 2600:XXXX:XXX:b710::1 { };
AdvManagedFlag off;
AdvOtherConfigFlag off;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
};
};And with that, magic… great speed as it’s just ipv6 routing on the Edge Router…
beHi!
Am newbie in Ubiquiti!
I have this solution:
with this configuration:
ubnt@R6Zapala:~$ show con
Invalid command
ubnt@R6Zapala:~$ show configuration
interfaces {
bonding bond0 {
bridge-group {
bridge br0
}
hash-policy layer2
mode round-robin
}
bridge br0 {
address 192.168.23.110/24
aging 300
bridged-conntrack disable
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
ethernet eth0 {
bridge-group {
bridge br0
}
duplex auto
poe {
output off
}
speed auto
}
ethernet eth1 {
bond-group bond0
duplex auto
speed auto
}
ethernet eth2 {
bond-group bond0
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
mtu 1500
switch-port {
interface eth5 {
}
}
}
}
load-balance {
}
service {
gui {
http-port 80
https-port 443
older-ciphers enable
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name R6Zapala
login {
user ubnt {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Argentina/Salta
} (For test, both R6 are connected directly, without AirFiber)
I put a Mikrotik behind each R6 and did a bandwidth test, the result never could overcome:
TX: 250Mbps / RX: 100Mbps.
What do you think? This is a normal performance?
Thank you!!!
All,
I am the happy owner of an ER-POE5. But I do have a difficulty in passing PPPoE through a bridge and I appreciate your help on it.
eth0 = WAN. This carries VLAN4 (IPTV), VLAN6 (Internet over PPPoE) and VLAN7 (VoIP over PPPoE)
eth1 = LAN, connected to a managed switch.
eth2-eth4 = switch0. A VoIP box is connected to eth2.
eth0.7 and switch0.7 are bridged.
VoIP is not working. When I run tcpdump simultaneously on both ends of the bridge, I see some packets passing and some not.:
On the right I see the VoIP box emitting PADI requests and I see them appearing on the left side of the bidge as well. So there is some bridging :-). The PADO offers on the WAN side do however not arrive at the right side of the bridge and hence my VoIP is not working.
I don't understand why these PADO packets are not passed through the bridge and I appreciate any insights on this!
Thanks much!
Joost
interfaces {
bridge br0 {
aging 300
bridged-conntrack disable
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
ethernet eth0 {
description "eth0 - WAN"
duplex auto
mtu 1512
poe {
output off
}
speed auto
vif 4 {
address dhcp
description "eth0.4 - IPTV"
dhcp-options {
client-option "send vendor-class-identifier "IPTV_RG";"
client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
default-route no-update
default-route-distance 210
name-server update
}
}
vif 6 {
description "eth0.6 - Internet"
mtu 1508
pppoe 0 {
default-route auto
idle-timeout 180
mtu 1500
name-server auto
password kpn
}
}
vif 7 {
bridge-group {
bridge br0
}
description "eth0.7 - VOIP"
mtu 1500
}
}
ethernet eth1 {
address 172.17.114.4/24
description "eth1 - LAN"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
switch switch0 {
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
vif 7 {
bridge-group {
bridge br0
}
mtu 1500
}
}
}
protocols {
igmp-proxy {
interface eth0.4 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
interface eth1 {
role downstream
threshold 1
}
}
static {
}
}
service {
dhcp-server {
disabled false
global-parameters "option vendor-class-identifier code 60 = string;"
global-parameters "option broadcast-address code 28 = ip-address;"
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 172.17.114.0/24 {
default-router 172.17.114.4
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 172.17.114.10 {
stop 172.17.114.100
}
}
}
shared-network-name Unifi1 {
authoritative disable
subnet 172.17.115.0/24 {
default-router 172.17.115.4
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 172.17.115.10 {
stop 172.17.115.100
}
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 8.8.8.8
name-server 8.8.4.4
options listen-address=172.17.114.4
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description IPTV
destination {
address 213.75.112.0/21
}
log disable
outbound-interface eth0.4
protocol all
type masquerade
}
rule 5001 {
destination {
address 10.16.0.0/16
}
log disable
outbound-interface eth0.4
protocol all
type masquerade
}
rule 5010 {
description "KPN Internet"
log disable
outbound-interface pppoe0
protocol all
source {
}
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
ubnt-discover {
disable
}
}
system {
host-name egx
login {
user joost {
authentication {
encrypted-password ""
plaintext-password ""
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.4.5024004.171005.0403 */
Hi guys,
I want to replace some of the cisco 800 series routers my client has across their branches with perhaps an edge router lite as the branches are quite small, about 10-20 users each.
There is a VPLS network between all these branches, it is just a regular L2 network. We have Cisco 800s doing the routing pretty much transparent, as it is a private WAN connection between all of them, so no need to filter anything at the router level.
Can I achieve something similar with the Edge router? I just want it to forward packets without doing NAT.
All routers have an IP in the range of 10.0.0.x/24 and they are all conected to a router in a datacentre over the private WAN. Eveyr branch and datacentre has a LAN interface 192.168.x.0/24.
If branch A send a packet to branch B it goes from branch A LAN > branch A router > private WAN > datacentre router > private WAN > branch B router > branch B LAN
Would this be achieveable with an edge router? I want to have no filters at all on the router.
I am trying to set up my Edgerouter X as a PPTP client for ExpressVPN. Something is going wrong, but I can't figure out what. (Note: I have two other openvpn configs in there, but hopefully they aren't hurting anything.) Here is my config:
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 3 {
action accept
description OpenVPN
destination {
port 1194
}
log disable
protocol udp
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow PPTP"
destination {
port 1723
}
protocol tcp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
config-file /config/edgerouterx.ovpn
disable
}
openvpn vtun1 {
config-file /config/auth/my_expressvpn_usa_-_washington_dc_udp.ovpn
description ExpressVPN
disable
}
pptp-client pptpc0 {
description "VPN to expressvpn.com"
mtu 1450
password [passwordfromEVPN]
require-mppe
server-ip texas-ubuntu-l2tp.expressprovider.com
user-id [userfromEVPN]
}
switch switch0 {
address 192.168.3.1/24
description Local
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
rule 1 {
description hass
forward-to {
address 192.168.3.17
port 8153
}
original-port 8153
protocol tcp_udp
}
wan-interface eth0
}
protocols {
static {
interface-route 0.0.0.0/0 {
next-hop-interface pptpc0 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.3.0/24 {
default-router 192.168.3.1
dns-server 192.168.3.1
lease 86400
start 192.168.3.38 {
stop 192.168.3.243
}
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0
listen-on vtun0
name-server 208.67.222.222
name-server 208.67.220.220
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
outbound-interface pptpc0
type masquerade
}
rule 5001 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5002 {
description "masquerade for OpenVPN"
log disable
outbound-interface vtun0
protocol all
type masquerade
}
rule 5003 {
description "masquerade for OpenVPN at Express"
log disable
outbound-interface vtun1
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password $6$3FN2
public-keys jay@macmini {
key AAA
type ssh-rsa
}
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}Here is my log file output when it tries to connect:
Nov 28 15:17:11 ubnt pppd[27996]: write: Bad file descriptor (9) Nov 28 15:17:11 ubnt pppd[27996]: Connect: ppp0 <--> /dev/pts/3 Nov 28 15:17:11 ubnt pptp[29537]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated Nov 28 15:17:11 ubnt pptp[29542]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request' Nov 28 15:17:11 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply Nov 28 15:17:11 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established. Nov 28 15:17:12 ubnt pptp[29542]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request' Nov 28 15:17:12 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply. Nov 28 15:17:12 ubnt pptp[29542]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 19968). Nov 28 15:17:17 ubnt pppd[27996]: CHAP authentication succeeded Nov 28 15:17:17 ubnt pppd[27996]: MPPE 128-bit stateless compression enabled Nov 28 15:17:18 ubnt pppd[27996]: not replacing existing default route via 192.168.1.1 Nov 28 15:17:18 ubnt pppd[27996]: local IP address 10.0.0.14 Nov 28 15:17:18 ubnt pppd[27996]: remote IP address 10.0.0.1 Nov 28 15:17:18 ubnt pppd[27996]: primary DNS address 10.0.0.1 Nov 28 15:17:18 ubnt pppd[27996]: secondary DNS address 10.0.0.1 Nov 28 15:17:21 ubnt ntpd[29493]: ntpd exiting on signal 15 Nov 28 15:17:23 ubnt ntpd[29714]: ntpd 4.2.6p2@1.2194-o Thu Aug 3 08:17:18 UTC 2017 (1) Nov 28 15:17:23 ubnt ntpd[29715]: proto: precision = 41.817 usec Nov 28 15:17:28 ubnt pptp[29537]: anon warn[decaps_gre:pptp_gre.c:331]: short read (-1): Message too long Nov 28 15:17:28 ubnt pptp[29542]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled) Nov 28 15:17:28 ubnt pppd[27996]: Modem hangup Nov 28 15:17:28 ubnt pptp[29542]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request' Nov 28 15:17:28 ubnt pptp[29542]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state) Nov 28 15:17:28 ubnt pppd[27996]: MPPE disabled Nov 28 15:17:28 ubnt pppd[27996]: Connection terminated: no multilink. Nov 28 15:17:32 ubnt ntpd[29715]: ntpd exiting on signal 15 Nov 28 15:17:34 ubnt ntpd[29901]: ntpd 4.2.6p2@1.2194-o Thu Aug 3 08:17:18 UTC 2017 (1) Nov 28 15:17:34 ubnt ntpd[29902]: proto: precision = 41.166 usec Nov 28 15:17:58 ubnt pppd[27996]: write: Bad file descriptor (9) Nov 28 15:17:58 ubnt pppd[27996]: Connect: ppp0 <--> /dev/pts/3 Nov 28 15:17:58 ubnt pptp[29922]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated Nov 28 15:17:59 ubnt pptp[29931]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request' Nov 28 15:17:59 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply Nov 28 15:17:59 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established. Nov 28 15:18:00 ubnt pptp[29931]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request' Nov 28 15:18:00 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply. Nov 28 15:18:00 ubnt pptp[29931]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 20736). Nov 28 15:18:06 ubnt pppd[27996]: CHAP authentication succeeded Nov 28 15:18:06 ubnt pppd[27996]: MPPE 128-bit stateless compression enabled Nov 28 15:18:07 ubnt pppd[27996]: not replacing existing default route via 192.168.1.1 Nov 28 15:18:07 ubnt pppd[27996]: local IP address 10.0.0.11 Nov 28 15:18:07 ubnt pppd[27996]: remote IP address 10.0.0.1 Nov 28 15:18:07 ubnt pppd[27996]: primary DNS address 10.0.0.1 Nov 28 15:18:07 ubnt pppd[27996]: secondary DNS address 10.0.0.1 Nov 28 15:18:10 ubnt ntpd[29902]: ntpd exiting on signal 15 Nov 28 15:18:12 ubnt ntpd[30107]: ntpd 4.2.6p2@1.2194-o Thu Aug 3 08:17:18 UTC 2017 (1) Nov 28 15:18:12 ubnt ntpd[30108]: proto: precision = 40.767 usec Nov 28 15:18:42 ubnt pptp[29922]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 136 (expecting 135, lost or reordered) Nov 28 15:18:57 ubnt pptp[29922]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 226 (expecting 225, lost or reordered) Nov 28 15:19:00 ubnt pptp[29931]: anon log[logecho:pptp_ctrl.c:677]: Echo Reply received. Nov 28 15:19:10 ubnt pptp[29922]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 300 (expecting 299, lost or reordered) Nov 28 15:19:10 ubnt pptp[29922]: anon warn[decaps_gre:pptp_gre.c:331]: short read (-1): Message too long Nov 28 15:19:10 ubnt pppd[27996]: Modem hangup Nov 28 15:19:10 ubnt pptp[29931]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled) Nov 28 15:19:10 ubnt pptp[29931]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request' Nov 28 15:19:10 ubnt pptp[29931]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state) Nov 28 15:19:10 ubnt pppd[27996]: MPPE disabled Nov 28 15:19:10 ubnt pppd[27996]: Connection terminated: no multilink. Nov 28 15:19:13 ubnt ntpd[30108]: ntpd exiting on signal 15 Nov 28 15:19:15 ubnt ntpd[30330]: ntpd 4.2.6p2@1.2194-o Thu Aug 3 08:17:18 UTC 2017 (1) Nov 28 15:19:15 ubnt ntpd[30331]: proto: precision = 42.560 usec
Does anyone have any ideas? Thanks!
Hi All,
I tried setting up the webproxy service and am seeing speeds drop drastically (10-20MB on a 150 line). I have deleted the service but still seeing issues. flash is full and I have deleted system image as well. How can I get this back to normal? It looks like the blacklist is 250mb but access is denied. Any suggestions or is this unit toast? Desperate!!!!
TIA
Hello,
I have a EdgeRouter X 5-Port running the latest v1.9.7+hotfix.4 version.
Since I enabled remote syslog, I notice that there's a 'show ip route summary json' being executed every minute - and I'd really like this to stop 
$ show version
Version: v1.9.7+hotfix.4
Build ID: 5024279
Build on: 10/06/17 02:55
Copyright: 2012-2017 Ubiquiti Networks, Inc.
HW model: EdgeRouter X 5-Port
HW S/N: __obfuscated__
Uptime: 20:46:34 up 22:48, 1 user, load average: 1.00, 1.05, 1.09
Nov 28 21:04:30 1.2.3.10 Nov 28 20:04:29 ubiq sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vtysh.pl -c show ip route summary json
Nov 28 21:04:30 1.2.3.10 Nov 28 20:04:29 ubiq sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 28 21:04:30 1.2.3.10 Nov 28 20:04:30 ubiq sudo: pam_unix(sudo:session): session closed for user root
and another one next minute...
Nov 28 21:05:31 1.2.3.10 Nov 28 20:05:30 ubiq sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vtysh.pl -c show ip route summary json
Nov 28 21:05:31 1.2.3.10 Nov 28 20:05:30 ubiq sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 28 21:05:31 1.2.3.10 Nov 28 20:05:31 ubiq sudo: pam_unix(sudo:session): session closed for user root
Any ideas if this is a regression, as I found an older message from 2016 stating this was already fixed?
Thanks,
//Sorin
Hey all, I'm using an EdgeRouter X with some VoIP phones, with just the basic setup from the WAN + 2LAN2 wizard. We've been getting hit by SIPVicious spam calls, and I was wondering if there are any settings on the firewall I can add that will block SIPVicious?
For anyone unfamiliar, SIPVicious is a set of security auditing tools for testing the security of SIP PBX'es, that hackers can use to find vulnerabilities to exploit. Some the tools do port scans that cause VoIP phones to ring nonstop. As you can imagine, it's a huge headache and super disruptive. Any chance the EdgeRouter X's firewall can stop it, or do I need to buy something more robust?
Router is behind 2 additional NATted gateways providing dual-wan access. The dual-wan load balancing is handled with simple source modify rules.
The symptom is that IPSEC site to site is unreliable. I discovered that while IP traffic NATted by the EdgeRouter reaches its destination (verified with tcpdump at the destination) reliably, traffic originating from the EdgeRouter is not. The tcpdump on the ER looks proper whether NATted or not, however the traffic simply doesn't arrive at the destination.
ICMP traffic does reliably make it where it needs to go. `telnet VPNendpoint 500` from a host inside the EdgeRouter source NAT makes it where it needs to go. `telnet VPNendpoint 500` from the edgerouter itself though, nothing ever arrives at the destination. I don't think it's an MSS/MTU problem as I've already modified them down quit substantially, much lower than the 1420 I had set on the prior configuration, in addition tcpdump is indicating very small frame lengths, <200 bytes.
Rebooting the EdgeRouter fixes the problem, for awhile. Tunnel comes up, traffic moves smoothly for... hours. Eventually it fails and it takes a reboot to make traffic flow again.
Again... NATted traffic is still making it to its destination. ICMP traffic moves fine to and from wherever. IP (UDP and TCP seemingly) traffic cannot get where I need it to go however, including sending to destinations unrelated to the VPN, if it's originating at the EdgeRouter's own IP interface.
I'm worried that it's actually a defective unit, in a remote location North of the Arctic Circle 
This is in /var/log/messages:
"I/O Error, both of real entry and whiteout found, resolv.conf, error -5"
.... a lot:
root@nvfy-edgerouter:/var/log# grep "I/O Error, both of real entry and whiteout found" /var/log/messages | wc -l 1011
pseudo-sanitized config:
firewall {
all-ping enable
broadcast-ping disable
group {
address-group Unwanted_WAN_Traffic {
address 40.77.232.59
address 198.251.90.71
description ""
}
network-group LAN_All {
description ""
network 172.22.1.0/24
network 172.22.19.0/24
network 172.22.21.0/24
network 172.22.22.0/24
network 172.22.23.0/24
network 172.22.24.0/24
network 172.22.25.0/24
}
network-group source_route_1 {
description "IPs that route through general Internet"
network 172.22.21.0/24
network 172.22.23.0/24
network 172.22.24.0/24
network 172.22.25.0/24
}
network-group source_route_2 {
description "IPs that route through acct Internet"
network 172.22.22.0/24
network 172.22.1.0/24
network 172.22.19.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify WAN_LB {
rule 10 {
action modify
modify {
table 1
}
source {
group {
network-group source_route_1
}
}
}
rule 20 {
action modify
modify {
table 2
}
source {
group {
network-group source_route_2
}
}
}
}
name GZGTG_LAN {
default-action accept
description ""
rule 1 {
action drop
description "Block Unwanted Sites"
destination {
group {
network-group LAN_All
}
}
log enable
protocol all
source {
group {
address-group Unwanted_WAN_Traffic
}
}
state {
established enable
invalid enable
new enable
related enable
}
}
}
options {
mss-clamp {
interface-type all
mss 1372
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.1.100/24
duplex auto
speed auto
}
ethernet eth1 {
address 172.22.1.1/24
duplex auto
firewall {
in {
modify WAN_LB
}
}
speed auto
vif 19 {
address 172.22.19.1/24
description "Server VLAN"
firewall {
in {
modify WAN_LB
}
}
mtu 1500
}
vif 21 {
address 172.22.21.1/24
description "GZGTG Users"
firewall {
in {
modify WAN_LB
}
}
mtu 1500
}
vif 22 {
address 172.22.22.1/24
description Accounting
firewall {
in {
modify WAN_LB
}
}
mtu 1500
}
vif 23 {
address 172.22.23.1/24
description "GZGTG Guests"
firewall {
in {
modify WAN_LB
}
}
mtu 1500
}
vif 24 {
address 172.22.24.1/24
description VOIP
firewall {
in {
modify WAN_LB
}
}
mtu 1500
}
vif 25 {
address 172.22.25.1/24
description "GZGTG Printers"
firewall {
in {
modify WAN_LB
}
}
mtu 1500
}
}
ethernet eth2 {
address 192.168.2.100/24
duplex auto
mtu 1460
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
mtu 1500
}
}
load-balance {
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.1.1 {
}
next-hop 192.168.2.1 {
}
}
route 207.2.81.240/29 {
next-hop 192.168.2.1 {
description "All GSE LLC traffic through Acct Uplink"
}
}
table 1 {
route 0.0.0.0/0 {
next-hop 192.168.1.1 {
}
}
}
table 2 {
route 0.0.0.0/0 {
next-hop 192.168.2.1 {
}
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name Native_VLAN_pool {
authoritative disable
subnet 172.22.1.0/24 {
default-router 172.22.1.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
static-mapping gzgtg-ups1 {
ip-address 172.22.1.6
mac-address 00:c0:b7:6a:47:14
}
static-mapping nvfy-vm4 {
ip-address 172.22.1.9
mac-address 00:24:e8:7f:1c:f8
}
}
}
shared-network-name Server {
authoritative disable
subnet 172.22.19.0/24 {
default-router 172.22.19.1
dns-server 172.22.1.7
dns-server 172.22.19.48
domain-name tribal.local
lease 86400
start 172.22.19.64 {
stop 172.22.19.64
}
static-mapping Brother-Env {
ip-address 172.22.19.44
mac-address 90:cd:b6:68:7e:2b
}
static-mapping Brother-Realty {
ip-address 172.22.19.43
mac-address 40:49:0f:a2:8f:30
}
static-mapping UniFi1 {
ip-address 172.22.19.6
mac-address 04:18:d6:6c:56:da
}
static-mapping UniFi2 {
ip-address 172.22.19.7
mac-address 04:18:d6:6c:5e:f1
}
}
}
shared-network-name VOIP_pool {
authoritative disable
subnet 172.22.24.0/24 {
default-router 172.22.24.1
dns-server 172.22.1.7
dns-server 172.22.19.48
domain-name tribal.local
lease 86400
start 172.22.24.128 {
stop 172.22.24.255
}
tftp-server-name 172.22.24.2
}
}
shared-network-name accounting_pool {
authoritative disable
subnet 172.22.22.0/24 {
default-router 172.22.22.1
dns-server 172.22.1.7
dns-server 172.22.19.4
domain-name tribal.local
lease 86400
start 172.22.22.64 {
stop 172.22.22.127
}
static-mapping acct-printer {
ip-address 172.22.22.42
mac-address 40:b0:34:a4:dc:4a
}
}
}
shared-network-name gen_use_pool {
authoritative disable
subnet 172.22.21.0/24 {
default-router 172.22.21.1
dns-server 172.22.1.7
dns-server 172.22.19.4
domain-name tribal.local
lease 86400
start 172.22.21.128 {
stop 172.22.21.191
}
static-mapping nvfy-desktop16 {
ip-address 172.22.21.192
mac-address b0:83:fe:ba:97:eb
}
}
}
shared-network-name guest_pool {
authoritative disable
subnet 172.22.23.0/24 {
default-router 172.22.23.1
dns-server 172.22.1.7
lease 86400
start 172.22.23.64 {
stop 172.22.23.127
}
}
}
shared-network-name printers_pool {
authoritative disable
subnet 172.22.25.0/24 {
default-router 172.22.25.1
dns-server 172.22.1.7
lease 86400
static-mapping prn-housing-1 {
ip-address 172.22.25.64
mac-address 48:5a:b6:7e:7a:a5
}
static-mapping prn-realty-1 {
ip-address 172.22.25.65
mac-address 40:49:0f:a2:8f:30
}
}
}
use-dnsmasq disable
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5001 {
description Outbound_All_eth0
log disable
outbound-interface eth0
protocol all
source {
group {
network-group LAN_All
}
}
type masquerade
}
rule 5002 {
description Outbound_All_eth2
log disable
outbound-interface eth2
protocol all
source {
group {
network-group LAN_All
}
}
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
domain-name tribal.local
host-name nvfy-edgerouter
login {
user jrdalrymple {
authentication {
encrypted-password $6$gZ6pymO7r4tfag55$LakDYi2Gmm2rnZ7BdkQKIbZ4.WQLKfK1CQJaE0UjAfsLOWkm/NbVUJnL9DtQ7FpC1dnKLZF6dRTZ910/QjCUK1
plaintext-password ""
}
full-name "JR Dalrymple"
level admin
}
user ubnt {
authentication {
encrypted-password $6$mFYayM/oosIR$eW7ztWThZMKN7tg5/0qdTErjHBr6NHKHSmywgH9gtxnryx9e/kbVRWF5C9owuIWwcTijwDRfeXRfGxV6PJVnd.
plaintext-password ""
}
full-name Admin
level admin
}
}
name-server 172.22.1.7
name-server 172.22.19.48
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}
traffic-control {
smart-queue GZGTG-eth0 {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 1024kbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 512kbit
}
wan-interface eth0
}
smart-queue GZGTG-eth2 {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 1024kbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 512kbit
}
wan-interface eth2
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 3600
mode main
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
site-to-site {
peer 207.2.81.244 {
authentication {
mode pre-shared-secret
pre-shared-secret vowu74khx9F99h4IfUPT6ohoOsmw0II4XtGO7rosGzWpRC3WYlnzt3bTz2RdvvpW
}
connection-type initiate
description "GSE LLC VPN"
ike-group FOO0
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 172.22.22.0/24
}
remote {
prefix 172.16.104.0/24
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 172.22.19.0/24
}
remote {
prefix 172.16.104.0/24
}
}
tunnel 3 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 172.22.1.7/32
}
remote {
prefix 172.16.104.0/24
}
}
}
}
}
}
Any advice appreciated.
Hi Ubiquiti Community!
I have read this article:
I have an edgerouter x. I wish to configure 4 separate vlans, and none of the vlans should be able to talk to each other.
eth0 = wan/internet
switch0.10 = vlan10
switch0.11 = vlan11
switch0.12 = vlan12
switch0.13 = vlan13
vlan10 = 10.1.10.0/24
vlan11 = 10.1.11.0/24
vlan12 = 10.1.12.0/24
vlan13 = 10.1.13.0/24
eth1, eth2, eth3, eth4 = pvid vlan 10, vid 11, vid 12, vid 13
The vlan setup seems to work. I have 4 dhcp servers, and they all give ip addresses in the correct subnets.
Right now I am trying to apply the firewall rules to only one vlan, vlan11, but i can still ping a host on vlan 11, from vlan 10.
When done, I would like to repeat this to all 4 vlans.
I do have some ports that need forwarded onto some hosts inside only vlan10.
thank you for your advice!
show interfaces
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
address 192.168.1.1/24
description Local
mtu 1500
switch-port {
interface eth1 {
vlan {
pvid 10
vid 11
vid 12
vid 13
}
}
interface eth2 {
vlan {
pvid 10
vid 11
vid 12
vid 13
}
}
interface eth3 {
vlan {
pvid 10
vid 11
vid 12
vid 13
}
}
interface eth4 {
vlan {
pvid 10
vid 11
vid 12
vid 13
}
}
vlan-aware enable
}
vif 10 {
address 10.1.10.1/24
description vlan10
mtu 1500
}
vif 11 {
address 10.1.11.1/24
description vlan11
firewall {
in {
name PROTECT_VLANS
}
local {
name PROTECT_LOCAL
}
}
mtu 1500
}
vif 12 {
address 10.1.12.1/24
description vlan12
mtu 1500
}
vif 13 {
address 10.1.13.1/24
description vlan13
mtu 1500
}
} all-ping enable
broadcast-ping disable
group {
address-group router_addresses {
address 10.1.10.1
address 10.1.11.1
address 10.1.12.1
address 10.1.13.1
description ""
}
network-group local_subnets {
description ""
network 10.1.10.0/24
network 10.1.11.0/24
network 10.1.12.0/24
network 10.1.13.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name PROTECT_LOCAL {
default-action drop
description ""
rule 1 {
action accept
destination {
port 53
}
log disable
protocol udp
source {
}
}
rule 2 {
action accept
destination {
port 53
}
log disable
protocol udp
}
}
name PROTECT_VLANS {
default-action accept
description ""
rule 1 {
action accept
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
destination {
group {
network-group local_subnets
}
}
log disable
protocol all
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable