Channel: EdgeRouter topics

EdgeRouter 4 RDP over IPSec blocked


New EdgeRouter 4 configured to connect multiple office sites via static routes.

No firewall enabled on the EdgeRouter.

This replaced a Cisco 831.

 

All the "internal" traffic remoting in to our terminal server has no trouble going through the EdgeRouter.

However, some of our other sites that use IPSec VPN to connect to our Cisco ASA firewall, and then RDP in to our terminal server can no longer remote in.

 

VPN connection is established, I can ping the devices on the other network (the one that is VPN'd in), but they cannot RDP in to our server. It's like the EdgeRouter is blocking the traffic, but I cannot seem to determine how to open that up.

 

I had to pull it out of production for now until I can figure out the issue.

 

Thanks!
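A check and a mitigation for the symptom above (ping crosses the tunnel, RDP does not), added here as an example and not part of the original post. It assumes the cause is path MTU: small ICMP probes fit inside the IPsec tunnel, but full-size TCP segments do not, and nothing on the path returns an ICMP fragmentation-needed message, so the RDP session stalls right after the handshake. The interface name, the far-side host 10.20.0.50 and the probe sizes are assumptions.

```vyatta
# From the EdgeRouter's shell (operational mode): confirm RDP SYNs from the
# VPN side reach the server segment, and whether only small packets complete.
sudo tcpdump -ni eth1 'tcp port 3389'

# Find the largest payload that crosses the tunnel without fragmentation.
# 1472 bytes fits a clean 1500-byte path; IPsec overhead usually needs ~1400 or less.
sudo ping -M do -s 1400 -c 3 10.20.0.50    # 10.20.0.50: host on the far side (assumed)
sudo ping -M do -s 1300 -c 3 10.20.0.50

# If the smaller probe passes and the larger one fails, clamp TCP MSS so that
# hosts on both sides never emit segments that cannot fit inside the tunnel.
configure
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1350
commit
save
exit
```

MSS clamping only affects TCP, which is enough for RDP (tcp/3389); it does not help UDP-based protocols, for which the tunnel MTU itself has to be lowered. Run the tcpdump in a second session while a remote user retries, so you see whether the three-way handshake completes and the stall begins with the first large segment.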


DNS Blacklisting dnsmasq Configuration Integration Package v0.0.7


This is a complete recode in Go(lang) of the integration I released here: Adblocking and blacklisting. This is a pre-release, so as ever, use at your own risk.

 

edgeos-dnsmasq-blacklist dnsmasq DNS blacklisting and redirection

 

Features

  • Adds DNS blacklisting integration to the EdgeRouter configuration
  • Generates configuration files used directly by dnsmasq to redirect DNS lookups
  • Integrated with the EdgeMax OS CLI
  • Any FQDN in the blacklist will force dnsmasq to return the configured DNS redirect IP address

Compatibility

  • edgeos-dnsmasq-blacklist has been tested on the EdgeRouter ERLite-3, ERPoe-5, ER-X, UniFi Security Gateway USG3 routers, EdgeOS versions v1.7.0-v1.9.7+hotfix.4

Installation

  • Download and untar the package for your router type
    • sudo tar -zxvf  edgeos-dnsmasq-blacklist_<version>_<arch>.deb

EdgeRouter ERLite-3, ERPoe-5 & UniFi-Gateway-3

  • sudo dpkg -i edgeos-dnsmasq-blacklist_0.0.7_mips.deb

EdgeRouter ER-X & ER-X-SFP

  • sudo dpkg -i edgeos-dnsmasq-blacklist_0.0.7_mipsel.deb

Removal

 

EdgeMAX ERLite-x & EdgeMax ER-X

  • sudo apt-get remove edgeos-dnsmasq-blacklist

syntax of cli delete firewall rule?


I am shocked I couldn't find this info, but I _did_ search first...

 

Does anyone know how to delete a specific, numbered rule from one of the firewalls via the CLI?

 

Maybe I'm searching for the wrong info, but I found plenty of info on adding a new rule, modifying an existing rule, disabling a rule...but I can't find a command to delete a rule!

 

Thanks,

AJ
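The configure-mode sequence for removing one numbered rule, added as an example (not part of the original question). WAN_IN and rule 30 are placeholders; substitute your ruleset name and rule number.

```vyatta
configure

# List the ruleset so you are deleting the right number.
show firewall name WAN_IN

# Remove one numbered rule. Nothing on the live box changes until commit.
delete firewall name WAN_IN rule 30

# Alternative when you may want it back later: keep the rule but turn it off.
# set firewall name WAN_IN rule 30 disable

# Review the pending change against the active config, apply it, then persist it.
compare
commit
save
exit
```

commit loads the change into the running firewall; save writes it to /config/config.boot. A commit without a save works until the next reboot and then silently reverts, which is the usual reason a deleted rule "comes back".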

Whitelisting access to an external IP address


I need to access an external IP address.  I can connect to it from other networks (such as my phone's 4G connection), but as soon as I am behind the ER8 I cannot reach it.


Thanks for your help and sorry for such a basic question.
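A short operational-mode checklist for a single unreachable destination, added as an example rather than part of the original question. 203.0.113.5 stands in for the address in question; every command below is run on the EdgeRouter itself.

```vyatta
# 1. Does the router have a route to it, and out of which interface?
show ip route 203.0.113.5

# 2. Does anything in the ACTIVE configuration mention it: an address or
#    network group used by a drop rule, a static/blackhole route, a NAT rule?
show configuration commands | match 203.0.113.5

# 3. Watch the firewall log while a LAN host retries. A logged drop is tagged
#    with the ruleset and rule number, e.g. [WAN_OUT-10-D], which tells you
#    exactly where to add the higher-priority accept.
show log | match 203.0.113.5

# 4. Test from the router itself. If this succeeds while LAN hosts fail, the
#    problem is a LAN-facing or NAT rule; if it also fails, look upstream.
ping 203.0.113.5 count 3
```

If step 2 shows the address sitting inside a group that a drop rule matches, whitelisting means adding an accept rule with a lower number than that drop (rules are evaluated in ascending order) rather than editing the group, which may be regenerated by whatever populates it.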

Setting up Edgerouter for 1:1 NAT for CIDR block


I have a CIDR block through my ISP, using what looks to be the standard way cable companies do it, by giving a WAN IP, then routing the CIDR through that IP.

 

I've been using the ERLite-3 with one port for the CIDR block, which is going well.

 

I've been thinking that I might want to use Private IP addresses, and then do a 1:1 NAT to IPs on the CIDR block.  I tried using NAT Masquerade for outgoing, and that worked, but not sure how to configure the incoming packets to translate to the Private IP.  Would that be through destination NAT?

 

Right now I have:

 

eth0: WAN port

eth1: CIDR block

eth2: LAN

 

I'd like to do:

 

eth0: WAN port

eth1: Private IP (let's say 10.5.0.0/24)

eth2: LAN

 

If I have an IP in the CIDR like 174.88.88.88 and I want to map it to 10.5.0.2 on eth1, can I do that?  As I mentioned, I was able to use masquerade and get the IP on eth1 to map to the CIDR IP outgoing, but incoming it didn't seem like destination NAT would work.   Anyone set this kind of configuration up?
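A 1:1 NAT configuration for the layout described above, added as an example (not the poster's config). It assumes eth0 is the WAN port, eth1 carries 10.5.0.0/24, the routed block contains 174.88.88.88, a WAN_IN ruleset is already applied inbound on eth0, and an existing masquerade rule is numbered 5010 (the wizard's default), so the 1:1 source rule must sit below it. The HTTPS rule is only an illustration of opening one service.

```vyatta
configure

# Inbound half: rewrite packets arriving on eth0 for the public address to the
# private host. Destination rules must be numbered below 5000.
set service nat rule 10 description "1:1 in 174.88.88.88 -> 10.5.0.2"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 destination address 174.88.88.88
set service nat rule 10 inside-address address 10.5.0.2

# Outbound half: the private host leaves as its own public address rather than
# the shared masquerade address. Source rules start at 5000 and are evaluated
# in order, so this must be numbered lower than the general masquerade rule.
set service nat rule 5001 description "1:1 out 10.5.0.2 -> 174.88.88.88"
set service nat rule 5001 type source
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 source address 10.5.0.2
set service nat rule 5001 outside-address address 174.88.88.88

# Destination NAT runs before the firewall, so WAN_IN must match the
# TRANSLATED (private) address. Open only what the host really serves.
set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 description "174.88.88.88 -> 10.5.0.2 https"
set firewall name WAN_IN rule 100 protocol tcp
set firewall name WAN_IN rule 100 destination address 10.5.0.2
set firewall name WAN_IN rule 100 destination port 443

commit
save
exit

# Verify both directions are being translated.
show nat statistics
show nat translations
```

Because the ISP routes the whole block to your WAN address, the router receives packets for 174.88.88.88 without that address being configured on any interface; the destination rule is what claims it. Without the WAN_IN rule the inbound packets are translated and then dropped by the ruleset's default action, which is the usual reason "destination NAT doesn't work".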

cant delete address group


Strangeness.  Trying to clean up some firewall config that I no longer want to use...

 

I actually copied my config.boot aside and opened it in a text editor.  I want to delete this address-group "ADS-A".  According to config.boot it is NOT referenced anywhere.  So I tried this:

 

delete firewall group address-group ADS-A

 

Which returned without any error.  However, when I went to commit my change, I get this:

root@firewall# commit
[ firewall name WAN_LOCAL ]
Error: group [ADS-A] doesn't exist

[ firewall name WAN_IN ]
Error: group [ADS-A] doesn't exist

Commit failed

 

But this is that firewall:

 

edit firewall name WAN_IN
[edit firewall name WAN_IN]
root@firewall# show
 default-action drop
 description "WAN to internal"
 rule 10 {
     action accept
     description "Allow established/related"
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action drop
     description "Drop invalid state"
     state {
         invalid enable
     }
 }
 rule 30 {
     action drop
     description "drop ET-N.aa"
     source {
         group {
             address-group black.nets.aa
         }
     }
 }
 rule 40 {
     action drop
     description "drop ET-N.ab"
     source {
         group {
             address-group black.nets.ab
         }
     }
 }
 rule 50 {
     action drop
     description "drop ET-N.ac"
     source {
         group {
             address-group black.nets.ac
         }
     }
 }
 rule 60 {
     action drop
     description "drop ET-N.ad"
     source {
         group {
             address-group black.nets.ad
         }
     }
 }
 rule 70 {
     action drop
     description "drop ET-N.ae"
     source {
         group {
             address-group black.nets.ae
         }
     }
 }
 rule 80 {
     action drop
     description "drop ET-A.aa"
     source {
         group {
             address-group black.adds.aa
         }
     }
 }
 rule 90 {
     action drop
     description "drop ET-A.ab"
     source {
         group {
             address-group black.adds.ab
         }
     }
 }
 rule 100 {
     action accept
     description "Port Forward IMAPS"
     destination {
         port imaps
     }
     log disable
     protocol tcp
 }
 rule 110 {
     action accept
     description "Port Forward Vonage"
     destination {
         port 10000-20000
     }
     log disable
     protocol udp
 }
 rule 130 {
     action accept
     description "Port Forward Slingbox"
     destination {
         port 5001
     }
     log disable
     protocol tcp_udp
 }
 rule 140 {
     action accept
     description "Port Forward PLEX"
     destination {
         port 32400
     }
     log disable
     protocol tcp_udp
 }
 rule 160 {
     action accept
     description "Ring Doorbell"
     destination {
         port 15063
     }
     log disable
     protocol tcp_udp
 }
[edit firewall name WAN_IN]
root@firewall# exit

 

As you can see, it's not referenced.  How do I clean this address-group up???

 

Thanks,

AJ

 

PS: I can't make heads-or-tails of the new editor...I used to use code tags, and that formatted it much easier to read!  (Sorry)
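A way to locate every remaining reference to a group before deleting it, added as an example and not part of the original post. The point it relies on: commit validates the active (running) configuration, whereas /config/config.boot is only the last saved copy, so the two can disagree, and a reference inside a rule that is disabled still counts. The rule numbers in the delete lines are hypothetical.

```vyatta
# Operational mode. Search the ACTIVE configuration, which is what commit checks.
show configuration commands | match ADS-A

# Same search against the saved file, to see whether the two have diverged.
grep -n 'ADS-A' /config/config.boot

# Each line the first command prints is a live reference. Delete those first,
# then the group, in one commit. Rule numbers below are placeholders.
configure
run show configuration commands | match ADS-A
delete firewall name WAN_LOCAL rule 25 source group address-group ADS-A
delete firewall name WAN_IN rule 25 source group address-group ADS-A
delete firewall group address-group ADS-A
compare
commit
save
exit
```

If the `match` search is empty in both places yet commit still complains, run `show firewall name WAN_LOCAL` and `show firewall name WAN_IN` inside configure mode rather than reading the saved file: that shows the working copy, including any earlier uncommitted edits of the same session, which `discard` will throw away.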

PPPOE disconnect / no reconnect


Hi, 

 

  Have a dual WAN configuration. 

On the 2nd WAN, periodically (about every two or three weeks), it disconnects, and fails to reconnect.

Logging indicates an auth error.   A manual disconnect / connect solves the issue, but this is not ideal. 

 

Please see logs / config, below.  

 

 


#####
##### from /var/log/vyatta
#####
CHAP authentication failed
sent [LCP TermReq id=0x9a "Failed to authenticate ourselves to peer"]
rcvd [LCP TermReq id=0x3 "user jdujsik authentication failed - radius timeout\000"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x9a]
Connection terminated: no multilink.
sent [LCP ConfReq id=0x9b <mru 1492> <magic 0x72964cd0>]
write: Bad file descriptor (9)
Connected to 00:0c:42:74:46:20 via interface eth2
using channel 839
Using interface ppp1
Connect: ppp1 <--> eth2
LCP: Up event in state 6!
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <mru 1492> <magic 0x31f122c7>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x1 <auth chap MD5> <mru 1492> <magic 0x31f122c7>]
rcvd [LCP ConfReq id=0x2 <auth chap MD5> <mru 1492> <magic 0x31f122c7>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x2 <auth chap MD5> <mru 1492> <magic 0x31f122c7>]
sent [LCP ConfReq id=0x9b <mru 1492> <magic 0x72964cd0>]
rcvd [LCP ConfAck id=0x9b <mru 1492> <magic 0x72964cd0>]
sent [LCP EchoReq id=0x0 magic=0x72964cd0]
rcvd [CHAP Challenge id=0x1 <11ee2a1ab8f976842d123f9a5c50dda1>, name = "nca.rtr01.willowcreek"]
sent [CHAP Response id=0x1 <a6448fbf76dfc2fcc2de9e25bdcfa9a1>, name = "jdujsik"]
rcvd [LCP EchoRep id=0x0 magic=0x31f122c7]
rcvd [CHAP Failure id=0x1 "bad username or password"]
CHAP authentication failed: bad username or password
CHAP authentication failed
sent [LCP TermReq id=0x9c "Failed to authenticate ourselves to peer"]
rcvd [LCP TermReq id=0x3 "user jdujsik authentication failed - radius timeout\000"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x9c]
Connection terminated: no multilink.
sent [LCP ConfReq id=0x9d <mru 1492> <magic 0xc4d0135c>]
write: Bad file descriptor (9)
Connected to 00:0c:42:74:46:20 via interface eth2
using channel 840
Using interface ppp1
Connect: ppp1 <--> eth2
LCP: Up event in state 6!
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <mru 1492> <magic 0x3238f2a1>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x1 <auth chap MD5> <mru 1492> <magic 0x3238f2a1>]
rcvd [LCP ConfReq id=0x2 <auth chap MD5> <mru 1492> <magic 0x3238f2a1>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x2 <auth chap MD5> <mru 1492> <magic 0x3238f2a1>]
sent [LCP ConfReq id=0x9d <mru 1492> <magic 0xc4d0135c>]
rcvd [LCP ConfAck id=0x9d <mru 1492> <magic 0xc4d0135c>]
sent [LCP EchoReq id=0x0 magic=0xc4d0135c]
rcvd [CHAP Challenge id=0x1 <f5050694b61d976cc88e4e957e257450>, name = "nca.rtr01.willowcreek"]
sent [CHAP Response id=0x1 <48f34c74f8f2295ee6841445906a83da>, name = "jdujsik"]
rcvd [LCP EchoRep id=0x0 magic=0x3238f2a1]
rcvd [CHAP Failure id=0x1 "bad username or password"]
CHAP authentication failed: bad username or password
CHAP authentication failed
sent [LCP TermReq id=0x9e "Failed to authenticate ourselves to peer"]
rcvd [LCP TermReq id=0x3 "user jdujsik authentication failed - radius timeout\000"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x9e]
Connection terminated: no multilink.
sent [LCP ConfReq id=0x9f <mru 1492> <magic 0x2b09cbfb>]
write: Bad file descriptor (9)
Connected to 00:0c:42:74:46:20 via interface eth2
using channel 841
Using interface ppp1
Connect: ppp1 <--> eth2
LCP: Up event in state 6!
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <mru 1492> <magic 0x79834eab>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x1 <auth chap MD5> <mru 1492> <magic 0x79834eab>]
rcvd [LCP ConfReq id=0x2 <auth chap MD5> <mru 1492> <magic 0x79834eab>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x2 <auth chap MD5> <mru 1492> <magic 0x79834eab>]
sent [LCP ConfReq id=0x9f <mru 1492> <magic 0x2b09cbfb>]
rcvd [LCP ConfAck id=0x9f <mru 1492> <magic 0x2b09cbfb>]
sent [LCP EchoReq id=0x0 magic=0x2b09cbfb]
rcvd [CHAP Challenge id=0x1 <507916a3bf62406a901316b816f95dfe>, name = "nca.rtr01.willowcreek"]
sent [CHAP Response id=0x1 <fb2b97b58ee4e93029956c635d69857e>, name = "jdujsik"]
rcvd [LCP EchoRep id=0x0 magic=0x79834eab]
rcvd [CHAP Failure id=0x1 "bad username or password"]
CHAP authentication failed: bad username or password
CHAP authentication failed
sent [LCP TermReq id=0xa0 "Failed to authenticate ourselves to peer"]
rcvd [LCP TermReq id=0x3 "user jdujsik authentication failed - radius timeout\000"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0xa0]
Connection terminated: no multilink.
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
write: Bad file descriptor (9)
Connected to 00:0c:42:74:46:20 via interface eth2
using channel 842
Using interface ppp1
Connect: ppp1 <--> eth2
LCP: Up event in state 6!
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]
sent [LCP ConfReq id=0xa1 <mru 1492> <magic 0x62cfe1df>]

 

######
###### /var/log/messages
######

 


Jan 17 12:38:24 ubnt kernel: [WAN_LOCAL-default-A]IN=pppoe1 OUT= MAC= src=36.41.174.247 DST=23.252.86.84 LEN=44 TOS=0x00 PREC=0x00 TTL=232 ID=51298 PROTO=TCP SPT=51833 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x64800000
Jan 17 12:39:29 ubnt kernel: [WAN_LOCAL-default-A]IN=pppoe1 OUT= MAC= src=77.72.82.135 DST=23.252.86.84 LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=22335 PROTO=TCP SPT=50293 DPT=5140 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x64800000
Jan 17 12:40:45 ubnt wlb: wlb-G-pppoe1 Starting wlb watchdog on wlb-G-pppoe1 after 60s delay
Jan 17 12:40:45 ubnt wlb: wlb-G-pppoe2 Starting wlb watchdog on wlb-G-pppoe2 after 60s delay
Jan 17 12:40:51 ubnt kernel: [WAN_LOCAL-default-A]IN=pppoe1 OUT= MAC= src=66.240.219.146 DST=23.252.86.84 LEN=40 TOS=0x10 PREC=0x00 TTL=115 ID=61484 PROTO=TCP SPT=58022 DPT=8060 WINDOW=4967 RES=0x00 SYN URGP=0 MARK=0x64800000
Jan 17 12:41:50 ubnt kernel: [WAN_LOCAL-default-A]IN=pppoe1 OUT= MAC= src=5.188.86.4 DST=23.252.86.84 LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=43577 PROTO=TCP SPT=46331 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x64800000
Jan 17 12:42:05 ubnt wlb: wlb-G-pppoe2 wlb-G-pppoe2 reachability failed, failover
Jan 17 12:42:31 ubnt kernel: [WAN_LOCAL-default-A]IN=pppoe1 OUT= MAC= src=185.82.203.150 DST=23.252.86.84 LEN=36 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=54800 DPT=123 LEN=16 MARK=0x64800000
Jan 17 12:43:13 ubnt kernel: [WAN_LOCAL-default-A]IN=pppoe1 OUT= MAC= src=111.73.46.39 DST=23.252.86.84 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 MARK=0x64800000

#####
##### during the failure
#show interfaces pppoe pppoe2
pppoe2: Coming up

 

Doing a disconnect and reconnect solved everything.

#####
##### config of WAN 2
#####

 

ethernet eth2 {
    description "WAN 2"
    duplex auto
    pppoe 2 {
        default-route none
        firewall {
            in {
                name snmp
            }
            local {
                name WAN_LOCAL
            }
        }
        mtu 1492
        name-server none
        password ****************
        user-id jdujsik
    }
    speed auto
}


###### version

ubnt@ubnt:/var/log$ show version
Version: v1.9.7+hotfix.4
Build ID: 5024004
Build on: 10/05/17 04:03
Copyright: 2012-2017 Ubiquiti Networks, Inc.
HW model: EdgeRouter Lite 3-Port
HW S/N: 802AAA84F82B7
Uptime: 17:38:32 up 19 days, 2:23, 2 users, load average: 0.03, 0.05, 0.08

 

 

 

 

 

 

Netflix not working on VLAN but does on Local


So, pretty sure I didn't change anything, I did upgrade my UniFi system, switches and UAP's recently to the most current.

 

Got reports that a person's Roku device or Smart TV was sorta working.  Most apps would work but NOT streaming from Amazon or Netflix.

 

Those devices were connected to a VLAN.  When I connected them (using the same wireless network, different SSID and getting an address from my local DHCP, not the VLAN), the devices were able to stream just fine.

 

Any ideas?

I've attached my config (deleted login information). 

 

Faculty Homes is the VLAN.  I think I read somewhere to disable offload for VLAN.


VPN issues


I need 4 separate IPsec tunnels (3 peers, 4 networks) for work, and for some reason, only one is connecting properly. When I run a tcpdump on port 500, it looks like only one tunnel is even trying to connect. I'm not getting any failures on my end. Does the EdgeRouter support multiple peers in IPsec?

 

If I set to 3DES SHA1, will it use that for phase 1 and 2? (the gui doesn't seem to have an option for the two phases) 

 

What configs do I need to show, (and how do I get them? I'm treading in water WAY over my head here) 

Management network connectivity from LAN network


I’m fighting through what I have to believe is a simple issue, but I’m brand new to Ubiquiti gear (fairly technical but little networking background) and am hoping you smart folks can point me in the right direction. At its most basic, I’m having trouble managing my switches when I’m on a different VLAN/subnet than the management VLAN to which they are IP'd.

 

Here’s what I’ve got (latest firmware on all):

 

  • EdgeRouter Lite– currently connected only to a downstream US-8-60W
  • Unifi Switch US-8-60W– will feed wired connections from a central location to the rest of the house; sits between my ER-L and ER-X-SFP
  • EdgeRouter X SFP– will be used solely as a VLAN capable switch in a home office where I need more than one physical connection and VLAN; connected to the US-8-60W

I’ve got this all set up as minimally as possible to ensure it works as expected before replacing my existing consumer gear, so they’re literally daisy chained together on a table in my home office (totally isolated/self-contained).

 

ER-L:

eth2 = 192.168.0.1/24 = Management

eth2.10 = 192.168.1.1/24 = LAN

eth2.20 = 172.16.0.1/24 = Guest

 

US-8-60W (192.168.0.2):

port1 = uplink to ERL

port2 = connection to ER-X-SFP, VLANs = “All”

 

ER-X-SFP (192.168.0.3):

eth0 = uplink to US-8-60W, pvid=1 vid=10,20

eth1 = pvid=1

eth2 = pvid=10

eth3 = pvid=20

 

Note: I followed this document to use this device solely as a VLAN capable switch. The only adjustment it required (hopefully correctly) was assigning the management IP to switch0.1 instead of switch0. I otherwise couldn’t connect to the switch interface after enabling VLANs without this change.

https://help.ubnt.com/hc/en-us/articles/222484908-EdgeRouter-System-How-to-Configure-an-EdgeRouter-as-a-Switch

 

I’ve been doing all of my testing by plugging into the ER-X-SFP, and despite a few hours of trial and error I think I’ve finally got this working as expected. I plug my laptop into eth1, 2, 3 and get the expected DHCP-assigned IP address for the VLAN. After a minor celebration I realized the only problem I was having was in communicating from VLAN10/192.168.1.x to the devices on management VLAN1/192.168.0.x (I'd ideally like to separate network devices and LAN but would like to be able to manage those devices from my trusted LAN). I noticed immediately that when my laptop was assigned 192.168.1.10 the UniFi controller (running locally on the laptop) lost connectivity to the UniFi switch at 192.168.0.2 and could no longer connect to the web interface of the ER-X-SFP at 192.168.0.3. Strangely, I could successfully ping 192.168.0.2 but could not successfully ping 192.168.0.3. If I plug into eth1 and pull a 192.168.0.10 IP, connectivity to all of those devices returns as expected.

 

Sorry for the wall of info, but I wanted to be thorough (glad to provide other info). Anyone have any thoughts? Given my novice status I’m sure I’ve made a mistake or two but am hoping it’s something minor.

 

Thanks for any suggestions!
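A check for the "pingable on-subnet, unreachable from the other VLAN" pattern, added as an example and not part of the original post. It assumes the cause is that the ER-X-SFP, used purely as a switch, has no default route: it can answer 192.168.0.x directly (same subnet), but a packet from 192.168.1.10 arrives and the reply has no next hop. 192.168.0.1 is the ER-L management address from the description above.

```vyatta
# On the ER-X-SFP, operational mode. With only a connected (C) route for
# 192.168.0.0/24 listed, replies to any other subnet have nowhere to go.
show ip route

configure
# Default gateway for the switch's own management traffic.
set system gateway-address 192.168.0.1
commit
save
exit

# Re-check, then test the path that previously failed.
show ip route
ping 192.168.1.1 count 3
```

Inter-VLAN forwarding on the ER-L is on by default, so with the gateway in place the only remaining thing that can stop 192.168.1.x from reaching management is a firewall ruleset applied to eth2.10; if one exists it has to accept established/related traffic plus the management ports you use (tcp/22, tcp/443, and the UniFi inform port tcp/8080 for the switch). Note that this gives the LAN VLAN full access to the management subnet by design; the guest VLAN on eth2.20 should get the opposite treatment.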

ERL3 - Firewall Critique


Can anyone please critique my firewall setup? I didn't use the wizard to create it.

 

ETH0 = WAN (Verizon FiOS)

ETH1 = LAN (10.10.2.1)

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Limit pings"
            icmp {
                type-name echo-request
            }
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
        rule 30 {
            action accept
            description OpenVPN-vtun0
            destination {
                port 1194
            }
            log enable
            protocol udp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "Out to WAN"
        enable-default-log
        rule 10 {
            action drop
            description "Block Amcrest Camera"
            log enable
            protocol all
            source {
                address 10.10.2.50-10.10.2.59
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.2.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
       ...
    }
}
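One adjustment worth making to the ruleset above, written as set commands and added here as an example (it is not the poster's configuration). Rules are evaluated in ascending number order, and in WAN_LOCAL the invalid-state drop (rule 40) currently sits after the two accepts, so an invalid-state packet that happens to match udp/1194 or the ping rule is accepted before the drop is consulted. `rename` moves the rule without retyping it. The `source-validation` line is an anti-spoofing setting for a single-WAN router; leave it disabled on a multi-WAN box with asymmetric routes.

```vyatta
configure

# Move "Drop invalid state" ahead of every accept except established/related.
rename firewall name WAN_LOCAL rule 40 to rule 15

# Drop inbound packets whose source address is not routable back out the
# interface they arrived on (reverse-path check). Single-WAN only.
set firewall source-validation strict

# Review the resulting order before applying.
show firewall name WAN_LOCAL
compare
commit
save
exit
```

The ping limiter is fine as written; with `burst 1` and `rate 50/minute` it passes at most one echo request per ~1.2 s and quietly drops the rest, which is what you want on a WAN interface. WAN_IN has no accept rules beyond established/related, which is correct as long as the only inbound service is the OpenVPN daemon on the router itself (that is handled by WAN_LOCAL, not WAN_IN).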

EP-R8 rebooting


An EP-R8 that we installed last fall has rebooted twice in the last 3 days. Before the other day it was very stable. Traffic at the time of both reboots was negligible (approx. 8 Mbps down, 3 Mbps up).

 

$ show version
Version: v1.9.7+hotfix.4
Build ID: 5024021
Build on: 10/05/17 05:33
Copyright: 2012-2017 Ubiquiti Networks, Inc.
HW model: EdgePoint Router 8-Port
HW S/N: 44D9E7FF2270
Uptime: 20:08:07 up 1:39, 1 user, load average: 0.02, 0.04, 0.05

 

There is nothing in the /var/log/messages or other log files that provides a hint.

 

The unit is powered by an EdgePower w/ 4 x 50 Ah batteries. Power has not been lost and the EdgePower appears to be running fine.

 

Via PoE, it powers an AF-5XHD and 2 EP-6s with a mix of 4 R5-AC-PTMPs & R5-Prism-Gen2s attached.

 

I've ordered a replacement unit which will be swapped in as soon as it arrives.

 

In the meantime, has anyone seen a similar problem?

 

Thanks

Mark

 

Block select internal IP addresses from accessing WAN


Hello to everyone.

 

I am managing a video management system network and all devices use static IP.   The video never leaves the local network.   I allow the system servers to access the WAN for sending system messages to email and sync with a time standard server.  I would like to ensure that five video workstations do not access the WAN.   I spent some time looking about the forums and tried several ideas through the router's web client but either block nothing from the WAN or block everything from the WAN.   I'm curious to know what I am doing wrong.

 

For starters:  WAN is connected to eth0 with WAN static IP address 172.27.60.158/24 while the LAN is on eth1 with LAN router static IP of 192.168.2.254/24  I'm desiring to block 192.168.2.240 through 192.168.2.247 from accessing the WAN.

 

First thing that I did was create a firewall/NAT address group and use the range specified above.   I then created a ruleset and a rule with the address group as the source, the router's LAN internal IP address as the destination, action to drop all packets for new, established and related connection types.   Finally, I set eth1 to accept inward traffic but to block outbound.   That accomplished nothing.   For grins, I set the rules to eth0 with the same directionals and that blocks everything.

 

Curious to know if I'm headed in the right direction.   I'm hoping that I don't need to write code in the CLI to accomplish this.

 

Thanks for any assistance!   The router has been in service for a year now and it has been working quite well. 
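A ruleset that blocks a group of LAN hosts from the WAN and nothing else, added as an example for the setup described above (it is not the poster's configuration). It uses the addresses from the post: WAN on eth0, LAN on eth1, workstations 192.168.2.240 to 192.168.2.247. The ruleset is applied in the `out` direction on eth0, which is the forwarding path every LAN-to-WAN packet takes; the firewall is evaluated before source NAT, so the rule still sees the private source address. Traffic addressed to the router itself (its DNS forwarder, for instance) is a separate `local` path and is not affected.

```vyatta
configure

# Group the workstations once; address groups accept ranges.
set firewall group address-group NO-WAN description "video workstations"
set firewall group address-group NO-WAN address 192.168.2.240-192.168.2.247

# Everything leaving via eth0 is allowed, except packets from that group.
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT description "LAN to WAN"
set firewall name WAN_OUT rule 10 action drop
set firewall name WAN_OUT rule 10 description "Workstations stay off the WAN"
set firewall name WAN_OUT rule 10 log enable
set firewall name WAN_OUT rule 10 source group address-group NO-WAN

# Attach it to the WAN interface, outbound direction only.
set interfaces ethernet eth0 firewall out name WAN_OUT

commit
save
exit

# Verify: the rule 10 counters climb while a workstation tries to reach the
# Internet, and each attempt is logged with the ruleset and rule number.
show firewall name WAN_OUT statistics
show log | match WAN_OUT-10
```

The same group attached `in` on eth1 would also work, but it would additionally block the workstations from any other router-attached network you add later, which is a wider policy than "no WAN". A destination of the router's LAN address, as tried in the post, only matches packets to the router itself, which is why that version blocked nothing; and applying it to eth0 `in` matches packets arriving from the Internet, which is why that version blocked everything.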

 

 

 


Issue with load balancing


I've successfully configured load balancing on my EdgeRouter Lite and used DNAT and firewall settings. Everything works perfectly for a while. Then within a day or two one of the ethernet ports stops routing any traffic. It is typically eth1 but not always. A simple disabling of the port and a re-enable through the dashboard of the GUI corrects the problem. For a while. Is anyone else experiencing this? Any ideas on how to correct?

OpenVPN only connects over LAN


Hi nice people,

 

I've set up OpenVPN on my EdgeRouter X and everything is working--as long as I'm on my LAN.  But with both my Android phone and my laptop PC, when I try to connect remotely, it says 'waiting for server reply', then it times out and restarts as though it's not getting through at all.    I've tried every combination of firewall rule and NAT setting that I've been able to dredge up from forums across the web, but nothing has worked EXCEPT, somebody said he switched to TCP in a similar situation and that fixed it.  --Same here.  Just changed protocol in the client and server and made sure my port forwards allowed both, and boom, I'm in, which suggests a malfunction.  Somewhere UDP on port 1194 is getting eaten by a firewall or something.  Why would it work over a peer connection and not a remote connection?  The crazy thing is that the port forward rules stats showed traffic when I would attempt to connect, but the server did not respond.  There would be nothing about the connection attempts in the /var/log/messages file.  How can the port be forwarding data (it's getting past the firewall, in other words), but the OpenVPN server not be receiving it?  Where is it going?  And why would changing to the TCP protocol make any difference?  It's definitely an issue inside the EdgeRouter X since I have OpenVPN functioning fine on a secondary router over UDP.

 

Also, just comparing the two, internet traffic tunneled through the EdgeRouter X over TCP is painfully slow, while the UDP connection through my Netgear R6300v2 DD-WRT is a little laggy, but usable.  Wondered if that could be due to TCP, or the fact that the Netgear is basically idle and can dedicate all its processing power to the VPN.   So I tried TCP on the Netgear and it's comparable to the speed of UDP according to a couple of speedtests--not scientific.  Went back to the TCP connection through the EdgeRouter and I can't even get through a speedtest without 'network communication issues'.

 

Why would that be?  The ER-X doesn't show that its CPU is maxed out while trying to run the speedtests--and the data is all going through it to the Netgear, it seems as though it ought to be shorter and faster to skip the secondary device.
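A way to see where the UDP packets go, added as an example and not part of the original post. It rests on one fact about the router: a port forward is destination NAT for a host behind the router, and it rewrites the packet's destination address before the router's own daemons see it. A forward for udp/1194 therefore increments its counter while the OpenVPN server running on the router never receives the packet; if the assumption that such a forward exists is right, removing it and accepting 1194 in WAN_LOCAL is the fix. eth0 as the WAN interface and rule number 30 are assumptions.

```vyatta
# Operational mode: capture udp/1194 on the WAN side while a remote client
# retries. Packets seen but never answered point at the router; nothing at all
# points at the ISP or a device in front of the router.
sudo tcpdump -ni eth0 'udp port 1194'

configure
# Any entry here for 1194 steals the packets from the local OpenVPN server.
show port-forward
show service nat

# The router's own service is admitted by the WAN_LOCAL ruleset, not by NAT.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "OpenVPN vtun0"
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 1194

# If the server was told to bind to a LAN address it will answer LAN clients
# only; it should listen on all addresses (0.0.0.0:1194).
show interfaces openvpn vtun0
commit
save
exit

sudo netstat -lnup | grep 1194
show openvpn status server
```

After a UDP client connects, `show openvpn status server` lists it with its real (public) source address; a client that only ever appears with a LAN address confirms the remote path was never reaching the daemon. TCP "working" in this situation is consistent with the same forward having been left out of the TCP rule set rather than with a UDP fault in the router.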

 

Permission from LAN1 to LAN2/3/4


Hello community,

 

I have used the wizard "WAN2LAN2" on my EdgeRouter X and now have two different networks: 192.168.1.1/24 and 192.168.220.1/24.

 

Is there a possibility to give an admin user with extra rights the permission to reach the other network via a NAT rule?

 

If this is not possible by user-permissions, maybe by a special known port-address?

 

 

 

Greetz

Reinhard

EdgeSwitch InterVlan Limit


I have created 20 vlans but only 10 can be added to the Intervlan routing.

 

Is EdgeSwitch limited to 10 InterVlan routing?

EdgeRouter PoE VLAN questions


Hello friends!

 

I am researching info for an upcoming VLAN project. The idea is to split an existing network into 2 separate networks - one for administration and management, and the other for guest use. The guest network would be limited to Internet, DHCP, and DNS only. Time is of the essence in this project and a complete overhaul would likely not be feasible.

 

I've browsed through these forums the entire day and found lots of helpful and relevant information, but have a few questions which I would feel very grateful to have clarified.

 

A bit about the current setup (sorry, didn't create a diagram yet)

I'm working with an EdgeRouter PoE v1.9.1.1. eth0 is the WAN link. eth1 is the uplink for the main switch (UniFi Switch 48) with 192.168.1.1/24 IP. eth2-4 are under switch0 with 192.168.2.1/24, and a PoE Controller CloudKey living on eth4. DHCP and DNS are enabled on each LAN, with 95% of all IP addresses ending up on 2.1. 1.1 acts as a backup in this configuration which was set up before my time. I'd like to disconnect eth1 entirely during this project.

 

There are 5 UniFi 8 PoE switches besides the main switch scattered throughout the property, each either connecting to the main switch or to one another, with 26 APs (a combination of Unifi AP, AP-LR, AP AC Pro, AP AC Mesh, and AP AC Lites) currently connected in total, a few bridged by Nanobeam ACs. The APs are broadcasting two separate SSID's with the Guest SSID currently only limited in bandwidth. The goal is to separate them through VLAN and proper firewall rules as well.

 

Now onto the questions:

 

1) Would there be any potential problems or difficulties if I just went ahead and created a, say switch0.30 VLAN with an IP of 10.0.0.1 in the EdgeRouter with DNS and DHCP enabled, and then had the Main Switch ports configured to redirect guest traffic to it? I presume I would need to create a corresponding VLAN network within the Main Switch also - Would I create it as a "Corporate Network" with the gateway pointing to the IP of the switch0.30 interface, or as a "Vlan Only" network with 30 under VLAN. Would I then simply provision the new Guest SSID through the APs and get a proper guest IP address?

 

2) Within the switch0 interface, 192.168.2.1 traffic will by default remain untagged. Is this correct? Would I need the Vlan-Aware setting which is not supported by the PoE version for any reason whatsoever in this setup?

 

3) Are there any disadvantages to using switch0 for vlans, as opposed to eth1? My concern is having to re-adopt all access points and switches or losing access to the CloudKey Controller in case something goes wrong, if I were to leave the current setup and migrate it all onto eth1. Somewhere I read switch0 is limited in throughput to 1Gbps and that could be a potential bottleneck. Any advice?

 

4) Would any of the Nanobeams powering smaller switches and APs need to be re-configured to pass along the new switch0.30 Vlan, or does it happen automatically?

 

5) Are there any potential difficulties in creating firewall rules to segregate Guest traffic from LAN in my proposed switch0/switch0.30 setup, since they're technically all on the same "switch"?

 

Thanks in advance for any and all help you can provide!
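A guest VLAN on switch0 with the "Internet, DHCP and DNS only" policy described above, added as an example (not the poster's config). It assumes the router is the DHCP server and DNS forwarder for the guest subnet, that switch0 keeps 192.168.2.1/24 untagged, and that the main switch and the APs carry VLAN 30 tagged towards the router (the SSID-to-VLAN mapping is done on the UniFi side). Address and port choices are illustrative.

```vyatta
configure

# Guest subnet on VLAN 30. Frames tagged 30 arriving on any switch0 port land
# here; untagged traffic stays on switch0 itself.
set interfaces switch switch0 vif 30 description Guest
set interfaces switch switch0 vif 30 address 10.0.0.1/24

# DHCP and DNS for guests, served by the router.
set service dhcp-server shared-network-name GUEST subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name GUEST subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name GUEST subnet 10.0.0.0/24 lease 86400
set service dhcp-server shared-network-name GUEST subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.199
set service dns forwarding listen-on switch0.30

# All private address space, so guests can never reach LAN, management or the
# CloudKey no matter which internal subnet they sit on.
set firewall group network-group PRIVATE-NETS description "RFC1918"
set firewall group network-group PRIVATE-NETS network 10.0.0.0/8
set firewall group network-group PRIVATE-NETS network 172.16.0.0/12
set firewall group network-group PRIVATE-NETS network 192.168.0.0/16

# Guest transit traffic: anywhere except private destinations.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description "Guest to Internet only"
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description "No guest -> internal"
set firewall name GUEST_IN rule 10 destination group network-group PRIVATE-NETS

# Guest traffic to the router itself: DHCP and DNS, nothing else (no web UI, no SSH).
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description "Guest to router"
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description DHCP
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 67
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description DNS
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53

set interfaces switch switch0 vif 30 firewall in name GUEST_IN
set interfaces switch switch0 vif 30 firewall local name GUEST_LOCAL

commit
save
exit

# Check from a guest client: it should get a 10.0.0.x lease, resolve names,
# reach the Internet, and get nothing from 192.168.2.1 or 192.168.1.1.
show dhcp leases
show firewall name GUEST_IN statistics
```

Firewall rulesets are attached per interface, and switch0.30 is its own interface, so the fact that it shares the switch chip with switch0 does not weaken the separation: a guest frame is tagged 30 at the AP, is routed (not switched) to reach anything outside 10.0.0.0/24, and meets GUEST_IN on the way. What the switch chip does not do for you is police untagged access: any device plugged into a switch0 port still lands on 192.168.2.0/24, so guest access must stay wireless-only or go through ports on the UniFi switches that are restricted to VLAN 30.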
