Channel: EdgeRouter topics

ER-X Default Firewall Rule on PPPoE Interface Basic Wizard


I have been evolving my configuration through the following thread and I'm very happy with the responses I'm getting:

 

ER-X Switch VLAN PVID and VID and Trunk Port

 

I think the bulk of my configuration is good, but I'll need to test during some network quiet time. For some background, I'm hosting my private VLAN on switch0.3 where the bulk of my household devices will live. I'm also hosting a public subnet from my ISP (x.y.z.136/29) and am using a VLAN on switch0.4 to isolate that traffic and get the data to my household switch port, where some virtual machines are hosted using public IPs.

 

I used the Basic wizard and set up the eth0 interface to handle a PPPoE connection. That all seems to work fine. My question concerns the default firewall rules that are generated for the PPPoE interface. I'm trying to wrap my head around the firewall terminology and am using this thread to start:

 

Layman's firewall explanation

 

My question is this: Do the default firewall rules on the PPPoE interface block ALL unsolicited traffic, regardless of the protocol, destination, etc.?

[screenshot: Default PPPoE Firewall Rules]

It is my understanding that it would block everything, as that would be most sensible, but I would rather not test that understanding with fire just yet. On establishing my PPPoE connection, that is assigned a static IP by my ISP. They are then using that static IP to route my x.y.z.136/29 subnet to me. On my switch0.4 VIF, I have assigned x.y.z.137/29 as the interface address, which should act as the gateway for that /29 subnet. What happens to the /29 subnet at the firewall? In my head, I feel like maybe the /29 rides the PPPoE link to inside the router, thus bypassing the WAN firewall rules. But that is just a feeling. Ideally, the entire /29 will be completely blocked at the WAN port...if not, then can someone tell me what needs to be done for that?

 

For testing, I could then gradually isolate all the networks, then start opening up the WAN port for the /29 to expose the virtual machines, while still protecting the private network. I hope this makes sense.
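As an added illustration of the point asked about above (this is editor-supplied example configuration, not from the post): on EdgeOS the ruleset attached to an interface in the "in" direction inspects every packet that arrives on that interface and is forwarded through the router, whatever subnet it is destined for. The routed /29 therefore does not bypass the wizard's WAN_IN ruleset as long as that ruleset is attached to the PPPoE interface (pppoe0), which the wizard does; the /29 stays fully closed until a rule accepts something. The VM address x.y.z.138, port 443 and the rule number 100 are assumed placeholders.

```text
# The wizard attaches its two rulesets to the PPPoE interface: "in" for traffic forwarded
# through the router (to switch0.3 and to the routed /29 on switch0.4 alike), "local" for
# traffic addressed to the router itself. Both rulesets drop by default.
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL

# Publish one service on one VM in the /29 (placeholder address and port; replace before commit).
# The private VLAN on switch0.3 gets no such rule and stays closed to unsolicited traffic.
set firewall group address-group PUBLIC_VMS description "Public VMs on switch0.4"
set firewall group address-group PUBLIC_VMS address x.y.z.138
set firewall group port-group PUBLIC_VM_PORTS description "Published TCP services"
set firewall group port-group PUBLIC_VM_PORTS port 443
set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 description "Public VMs: published services only"
set firewall name WAN_IN rule 100 protocol tcp
set firewall name WAN_IN rule 100 destination group address-group PUBLIC_VMS
set firewall name WAN_IN rule 100 destination group port-group PUBLIC_VM_PORTS
set firewall name WAN_IN rule 100 log enable
commit
save

# Check: for connections to the VM only the counter on rule 100 should move;
# everything else addressed to the /29 lands on the default drop.
show firewall name WAN_IN statistics
```

Opening further services later is then a matter of adding ports to the port-group or hosts to the address-group, with the default drop still covering the rest of the /29 and the private VLAN.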


ERL Constantly Losing IP from ISP


I've had my ERL (v1.9.7+hotfix.4) in my home office setup for a couple of years and it has worked great until the past couple of months. I live in a rural area and my ISP connection is via wireless radio, which has been great through snow, ice and wind. My setup is the ISP's PoE radio (I believe it is a Ubiquiti device) outside on the dish that goes to my ERL, which is then plugged into a dumb gigabit switch. Several wired CPUs go into that switch and then two UniFi APs.

 

The past two months I am getting dropped once or twice a day. This morning was dropping me every 15 minutes. When I say dropped I mean I login to the ERL UI and there is no IP (DHCP) from my ISP on that port. Local network still works fine and you can connect to WiFi but no internet access at all. When this first started happening I could go to the Edgemax interface and choose config for the WAN port and then choose renew DHCP and about 50% of the time it would get a new IP and things worked again. As of the past 2 or 3 weeks this does not work. I have to reboot the router and then it will work again. 

 

I have contacted my provider and they are reporting no issues, that my radio/modem(?) is visible on their end. They do at times have issues with their radio towers and there are outages; it happens maybe once every 3 to 6 months, and in those times rebooting the router obviously is of no use. I have a simple setup with just a couple of firewall rules to shut off the kids' internet at night.

 

I am beginning to think maybe the router is faulty. I'm a programmer by day and not a network guy, so the ERL is right at the top of my comfort level. I am considering buying the USG at this point, as it looks like it has a simplified interface and new hardware might be the quickest answer. Before I throw in the towel, though, I wanted to ask here if these symptoms resonate with anyone. Is this indicative of some common configuration problem or does it sound like my ISP is hosing me? I read about MTU and MSS clamping, which seems simple enough, but that seems to only apply to PPPoE connections? Config file is attached.

Edgeswitch 8 SFP problem....maybe? I'm stumped


I think I have a switch problem but I'm not sure; I'm hoping someone can offer some advice. Here's the problem: I had an EdgeRouter X SFP and an EdgeSwitch 8-150 running for about a year with no problems. UFiber modules UF-MM-16 on both the EdgeRouter and switch with a 12" fiber cable connecting them. Worked perfectly for about a year. One day about 3 months ago I lost connectivity between the router and switch, a strange problem as the lights are operating correctly and show a connection, but the router Control Panel graph shows there's no data being transferred. The switch Control Panel also shows an SFP connection. Looking at the control panels everything looks correct, but the SFP port doesn't work.

Not a major problem as I just eliminated the fiber and switched to an ethernet cable, worked as it should but the reason for the problem bothers me. In my spare time I’ve been trying to determine what happened. First I swapped out the old fiber modules for new ones, same problem. Next I replaced the fiber cable, same problem. Next I replaced the EdgerouterX with a new Edgerouter 4, same problem.

 

Since I replaced everything but the switch I'm beginning to think that somehow the switch SFP port is bad. The switch is running firmware 1.7.3. There were no power outages or configuration changes to cause the problem; everything is running through a CyberPower UPS. One minute it was working as it should, the next minute the SFP port seems to be dead. I could just ignore the problem and use the ethernet connection, but the problem bothers me. The only thing I haven't tried yet is replacing the switch with a new one; this is a little expensive.

 

Anyone have any suggestions? I've read that in the past there were SFP problems with some switches; could I have one of these faulty switches? Anything else I can try to figure out what happened?

Multiple DHCP Servers or Bigger Subnet


First, is it ok to have more than one DHCP server on a single Interface on an EdgeRouter Pro? Like 192.168.101.1/24 and 192.168.102.1/24.

 

If so, is it better to have such multiple DHCP servers on one port, or increase the DHCP server to 192.168.101/23 ?

 

If you change from a /24 to a /23, what happens to the connected clients?

 

Thanks!
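An added illustration of the "bigger subnet" option (editor-supplied example configuration, not from the post; the interface eth1, the address plan, the lease time and the network name LAN are assumed). One caveat matters here: a /23 must start on an even third octet, so the block that contains 192.168.101.x is 192.168.100.0/23 (192.168.100.0 through 192.168.101.255); 192.168.101.0/23 is not a valid network address, and that /23 does not reach 192.168.102.x. Clients holding a /24 lease keep their old mask until they renew, so keeping the router's address inside the old /24 keeps it reachable from both masks during the transition.

```text
# Before: one /24 on eth1 (assumed interface) with its DHCP scope
set interfaces ethernet eth1 address 192.168.101.1/24
set service dhcp-server shared-network-name LAN subnet 192.168.101.0/24 default-router 192.168.101.1
set service dhcp-server shared-network-name LAN subnet 192.168.101.0/24 start 192.168.101.50 stop 192.168.101.250

# After: grow to a /23. The network is 192.168.100.0/23, not 192.168.101.0/23.
# The router keeps 192.168.101.1 so clients still holding a /24 lease can reach it.
delete service dhcp-server shared-network-name LAN subnet 192.168.101.0/24
delete interfaces ethernet eth1 address 192.168.101.1/24
set interfaces ethernet eth1 address 192.168.101.1/23
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/23 default-router 192.168.101.1
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/23 dns-server 192.168.101.1
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/23 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/23 start 192.168.100.10 stop 192.168.101.250
commit
save

# Which clients are still on the old lease: they renew at half the lease time,
# or sooner if you bounce their network connection
show dhcp leases
```

Until every client has renewed, a host that still has a /24 mask will send traffic for 192.168.100.x to the router rather than directly, which works but is a useful thing to know when something in the new half of the range looks slow or unreachable.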

Configuration File Full Timestamp


I couldn't find a good place for general suggestions or requests.

 

When a configuration file is downloaded, can the default filename please include the full timestamp? ISO 8601 defines a standard for timestamping, and it would be helpful to have it down to the minute, but you might as well make it seconds for completeness. This way if multiple files are downloaded in a given day, the filenames are unique, and they will be sorted automatically.

 

This would be helpful if someone is making a lot of changes in a day, like setting up a new router, or documenting a tutorial.

Certain websites crash my ER-4


So it seems that when I go to certain websites my ER-4 becomes unresponsive and I have to reboot it to get internet back. I can only access it from the console when this happens as well.

 

The two (so far) websites are:

 

PingID website for work

retailmenot.com

 

 

Config:

firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "Inbound WAN to (W)LAN"
rule 5000 {
action accept
description "Allow Established/Related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 5001 {
action drop
description "Drop Invalid"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "Inbound WAN to Local Router"
rule 5000 {
action accept
description "Allow Established/Related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 5001 {
action drop
description "Drop Invalid"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
duplex auto
mtu 9000
speed auto
vif 4 {
address 10.10.10.1/24
description MLAN
}
vif 5 {
address 10.10.11.1/24
description VPN_OUT
}
vif 7 {
address 192.168.1.1/24
description WLAN_G
}
vif 8 {
address 192.168.2.1/24
description WLAN_N
}
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1.4
lan-interface eth1.7
rule 1 {
description Web_Server
forward-to {
address 10.10.10.3
port 80
}
original-port 80
protocol tcp
}
rule 2 {
description DSM_HTTP
forward-to {
address 10.10.10.3
port 5000
}
original-port 5000
protocol tcp
}
rule 3 {
description DSM_HTTPS
forward-to {
address 10.10.10.3
port 5001
}
original-port 5001
protocol tcp
}
rule 4 {
description Sureillance_Station
forward-to {
address 10.10.10.3
port 9901
}
original-port 9901
protocol tcp
}
rule 5 {
description Audio_Station
forward-to {
address 10.10.10.3
port 8881
}
original-port 8881
protocol tcp
}
rule 6 {
description PLEX
forward-to {
address 10.10.10.50
port 32400
}
original-port 32400
protocol tcp
}
rule 7 {
description RDP
forward-to {
address 10.10.10.100
port 3391
}
original-port 3391
protocol tcp
}
rule 8 {
description FTP
forward-to {
address 10.10.10.3
port 21
}
original-port 21
protocol tcp
}
rule 9 {
description Drive/Cloudstation
forward-to {
address 10.10.10.3
port 6690
}
original-port 6690
protocol tcp
}
rule 10 {
description "FTP Passiv"
forward-to {
address 10.10.10.3
port 55536-55567
}
original-port 55536-55567
protocol tcp_udp
}
rule 11 {
description SS
forward-to {
address 10.10.10.3
port 9901
}
original-port 9901
protocol tcp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name MLAN_DHCP {
authoritative disable
subnet 10.10.10.0/24 {
default-router 10.10.10.1
dns-server 10.10.10.4
dns-server 10.10.10.1
domain-name keroberos.local
lease 86400
start 10.10.10.150 {
stop 10.10.10.200
}
}
}
shared-network-name WLAN_G_DHCP {
authoritative disable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 10.10.10.4
dns-server 192.168.1.1
domain-name keroberos.local
lease 86400
start 192.168.1.100 {
stop 192.168.1.150
}
}
}
shared-network-name WLAN_N_DHCP {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 10.10.10.4
dns-server 192.168.2.1
domain-name keroberos.local
lease 86400
start 192.168.2.100 {
stop 192.168.2.150
}
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 1000
listen-on eth1.4
listen-on eth1.7
listen-on eth1.8
listen-on eth1.5
system
}
}
gui {
http-port 80
https-port 443
listen-address 10.10.10.1
older-ciphers enable
}
nat {
rule 5000 {
description WAN_MASQ
log disable
outbound-interface eth0
protocol all
type masquerade
}
}
snmp {
community public {
authorization ro
}
}
ssh {
listen-address 10.10.10.1
port 22
protocol-version v2
}
unms {
disable
}
upnp2 {
listen-on eth1.7
listen-on eth1.4
nat-pmp enable
secure-mode enable
wan eth0
}
}
system {
name-server 208.67.222.222
name-server 208.67.220.220
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipv4 {
forwarding enable
vlan enable
}
}
static-host-mapping {
host-name bender {
inet 10.10.10.3
}
host-name download {
inet 10.10.10.20
}
host-name er4 {
inet 10.10.10.1
}
host-name flexo {
inet 10.10.10.21
}
host-name leela {
inet 10.10.10.10
}
host-name librenms {
inet 10.10.10.51
}
host-name lordnibbler {
inet 10.10.10.50
}
host-name zapp {
inet 10.10.10.4
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/New_York
traffic-analysis {
dpi disable
export disable
}
}

 

 

Syslog when it happens:

Feb 3 06:25:09 er4 rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Feb 3 06:25:09 er4 kernel: Linux version 3.10.87-UBNT (root@ubnt-builder2) (gcc version 4.7.0 (Cavium Inc. Version: SDK_BUILD build 45) ) #1 SMP Wed Aug 23 06:30:43 PDT 2017
Feb 3 06:25:09 er4 kernel: CVMSEG size: 3 cache lines (384 bytes)
Feb 3 06:25:09 er4 kernel: Checking for the multiply/shift bug... no.
Feb 3 06:25:09 er4 kernel: Checking for the daddiu bug... no.
Feb 3 06:25:09 er4 kernel: Zone ranges:
Feb 3 06:25:09 er4 kernel: DMA32 [mem 0x00400000-0xefffffff]
Feb 3 06:25:09 er4 kernel: Normal empty
Feb 3 06:25:09 er4 kernel: Movable zone start for each node
Feb 3 06:25:09 er4 kernel: Early memory node ranges
Feb 3 06:25:09 er4 kernel: node 0: [mem 0x00400000-0x00e9afff]
Feb 3 06:25:09 er4 kernel: node 0: [mem 0x01100000-0x0fcfffff]
Feb 3 06:25:09 er4 kernel: node 0: [mem 0x20300000-0x4eefffff]
Feb 3 06:25:09 er4 kernel: Primary instruction cache 78kB, virtually tagged, 39 way, 16 sets, linesize 128 bytes.
Feb 3 06:25:09 er4 kernel: Primary data cache 32kB, 32-way, 8 sets, linesize 128 bytes.
Feb 3 06:25:09 er4 kernel: Secondary unified cache 512kB, 4-way, 1024 sets, linesize 128 bytes.
n. Total pages: 251137
Feb 3 06:25:09 er4 kernel: Policy zone: DMA32
Feb 3 06:25:09 er4 kernel: Kernel command line: root=/dev/mmcblk0p2 rootdelay=10 rw rootsqimg=squashfs.img rootsqwdir=w mtdparts=spi32766.0:3072k(boot0),1024k(dummy),64k(eeprom) console=ttyS0,115200
Feb 3 06:25:09 er4 kernel: Checking for the daddi bug... no.
Feb 3 06:25:09 er4 kernel: Installing handlers for error tree at: ffffffff80d09da0
Feb 3 06:25:09 er4 kernel: SCSI subsystem initialized
Feb 3 06:25:09 er4 kernel: 3 cmdlinepart partitions found on MTD device spi32766.0
Feb 3 06:25:09 er4 kernel: Creating 3 MTD partitions on "spi32766.0":
Feb 3 06:25:09 er4 kernel: 0x000000000000-0x000000300000 : "boot0"
Feb 3 06:25:09 er4 kernel: 0x000000300000-0x000000400000 : "dummy"
Feb 3 06:25:09 er4 kernel: 0x000000400000-0x000000410000 : "eeprom"
Feb 3 06:25:09 er4 kernel: octeon-ethernet 2.0
Feb 3 06:25:09 er4 kernel: Node 0 Interface 0 has 4 ports (QSGMII)
Feb 3 06:25:09 er4 kernel: Node 0 Interface 1 has 4 ports (QSGMII)
Feb 3 06:25:09 er4 kernel: Node 0 Interface 2 has 4 ports (NPI)
Feb 3 06:25:09 er4 kernel: Node 0 Interface 3 has 4 ports (LOOP)
Feb 3 06:25:09 er4 kernel: Node 0 Interface 4 has 1 ports (AGL)
Feb 3 06:25:09 er4 kernel: ubnt_platform: module license 'Proprietary' taints kernel.
Feb 3 06:25:09 er4 kernel: Disabling lock debugging due to kernel taint
Feb 3 06:25:09 er4 kernel: eth0: 1000 Mbps Full duplex, port 1
Feb 3 06:25:09 er4 kernel: eth1: 1000 Mbps Full duplex, port 2
Feb 3 06:25:12 er4 NSM[591]: NSM-6: Initializing memdbg: ptr=0x6929e4 history-size=1024 memdbg-size=143552
Feb 3 06:25:12 er4 kernel: ip_set: protocol 6
Feb 3 06:25:13 er4 NSM[598]: NSM-6: 10 MB
Feb 3 06:25:13 er4 NSM[598]: NSM-6: 1000 MB
Feb 3 06:25:13 er4 NSM[598]: NSM-6: 1000 MB
Feb 3 06:25:13 er4 NSM[598]: NSM-6: 10 MB
Feb 3 06:25:13 er4 NSM[598]: NSM-6: ioctl() returned illegal value. Setting bandwidth to 0
Feb 3 06:25:13 NSM[598]: last message repeated 7 times
Feb 3 06:25:13 er4 RIB[603]: RIB-6: Initializing memdbg: ptr=0x586a04 history-size=1024 memdbg-size=143552
Feb 3 06:25:13 er4 NSM[598]: NSM-4: Could not create VRF table with identifier 1 in the MPLS Forwarder
Feb 3 06:25:13 er4 RIB[619]: RIB-6: RIBd (1.2.0) starts
Feb 3 06:25:18 er4 IMI[588]: IMI-6: imi_server_send_config called (PM 1)
Feb 3 06:25:18 er4 IMI[588]: IMI-6: imi_server_send_config called (PM 42)
Feb 3 06:25:22 er4 rl-system.init: Checking/creating SSH host keys.
Feb 3 06:25:25 er4 rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Feb 3 06:25:25 er4 rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available
Feb 3 06:25:35 er4 NSM[598]: NSM-6: 1000 MB
Feb 3 06:25:35 er4 ntpd[1382]: ntpd 4.2.6p2@1.2194-o Mon Jan 23 08:22:26 UTC 2017 (1)
Feb 3 06:25:35 er4 ntpd[1383]: proto: precision = 0.531 usec
Feb 3 06:25:35 er4 NSM[598]: NSM-6: 1000 MB
Feb 3 06:25:39 NSM[598]: last message repeated 2 times
Feb 3 06:25:39 er4 ntpd[1383]: ntpd exiting on signal 15
Feb 3 06:25:42 er4 ntpd[1648]: ntpd 4.2.6p2@1.2194-o Mon Jan 23 08:22:26 UTC 2017 (1)
Feb 3 06:25:42 er4 ntpd[1651]: proto: precision = 0.533 usec
Feb 3 06:25:42 er4 ntpd[1651]: ntpd exiting on signal 15
Feb 3 06:25:44 er4 ntpd[1723]: ntpd 4.2.6p2@1.2194-o Mon Jan 23 08:22:26 UTC 2017 (1)
Feb 3 06:25:44 er4 ntpd[1724]: proto: precision = 0.520 usec
Feb 3 06:25:44 er4 ntpd[1724]: ntpd exiting on signal 15
Feb 3 06:25:46 er4 ntpd[1784]: ntpd 4.2.6p2@1.2194-o Mon Jan 23 08:22:26 UTC 2017 (1)
Feb 3 06:25:46 er4 ntpd[1785]: proto: precision = 0.538 usec
Feb 3 06:25:48 er4 ubnt-service-ssh: waiting for netplugd to be started...
Feb 3 06:25:49 er4 ubnt-service-gui: waiting for netplugd to be started...
Feb 3 06:25:50 er4 dhcpd:
Feb 3 06:25:50 er4 dhcpd: No subnet declaration for eth1.5 (10.10.11.1).
Feb 3 06:25:50 er4 dhcpd: ** Ignoring requests on eth1.5. If this is not what
Feb 3 06:25:50 er4 dhcpd: you want, please write a subnet declaration
Feb 3 06:25:50 er4 dhcpd: in your dhcpd.conf file for the network segment
Feb 3 06:25:50 er4 dhcpd: to which interface eth1.5 is attached. **
Feb 3 06:25:50 er4 dhcpd:
Feb 3 06:25:50 er4 dhcpd:
Feb 3 06:25:50 er4 dhcpd: No subnet declaration for eth0 (108.24.114.81).
Feb 3 06:25:50 er4 dhcpd: ** Ignoring requests on eth0. If this is not what
Feb 3 06:25:50 er4 dhcpd: you want, please write a subnet declaration
Feb 3 06:25:50 er4 dhcpd: in your dhcpd.conf file for the network segment
Feb 3 06:25:50 er4 dhcpd: to which interface eth0 is attached. **
Feb 3 06:25:50 er4 dhcpd:
Feb 3 20:40:59 er4 snmpd[2158]: [init_smux] bind failed: Cannot assign requested address
Feb 3 20:41:00 er4 miniupnpd[2197]: could not open lease file: /var/log/upnp.leases
Feb 3 20:41:00 er4 miniupnpd[2197]: HTTP listening on port 40323
Feb 3 20:41:00 er4 miniupnpd[2197]: Listening for NAT-PMP/PCP traffic on port 5351
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: updating keroberos.com: authorization failed (HTTP/1.1 401 Unauthorized =UTF-8
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: Connection: close
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: Cache-Control: private, must-revalidate
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: WWW-Authenticate: Basic realm="No-IP DNS Update API"
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: pragma: no-cache
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: expires: -1
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: Date: Sun, 04 Feb 2018 01:41:02 GMT
Feb 3 20:41:02 er4 ddclient[2229]: FAILED:
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: badauth
Feb 3 20:41:02 er4 ddclient[2229]: FAILED: )
Feb 3 20:41:03 er4 netplugd: Starting network plug daemon: netplugd.
Feb 3 20:41:03 er4 miniupnpd[2197]: ioctl(s, SIOCGIFADDR, ...): Cannot assign requested address
Feb 3 20:41:03 er4 miniupnpd[2197]: Failed to get IP for interface eth0
Feb 3 20:41:03 er4 miniupnpd[2197]: SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Feb 3 20:41:09 er4 ubnt-service-ssh: starting the SSH service (see messages from sshd).
Feb 3 20:41:10 er4 ubnt-service-gui: starting the GUI service.
eth0.cache, line 3: Invalid Value for keyword 'ip' = ''
Feb 3 20:42:02 er4 ddclient[2229]: WARNING: skipping update of keroberos.com from <nothing> to 108.24.114.81.
Feb 3 20:42:02 er4 ddclient[2229]: WARNING: last updated <never> but last attempt on Sat Feb 3 20:41:01 2018 failed.
Feb 3 20:42:02 er4 ddclient[2229]: WARNING: Wait at least 5 minutes between update attempts.
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: updating keroberos.com: authorization failed (HTTP/1.1 401 Unauthorized
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: Content-Type: text/plain; charset=UTF-8
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: Connection: close
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: Cache-Control: private, must-revalidate
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: WWW-Authenticate: Basic realm="No-IP DNS Update API"
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: pragma: no-cache
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: expires: -1
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: Date: Sun, 04 Feb 2018 01:43:02 GMT
Feb 3 20:43:03 er4 ddclient[2229]: FAILED:
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: badauth
Feb 3 20:43:03 er4 ddclient[2229]: FAILED: )
Feb 3 20:44:03 er4 ddclient[2229]: WARNING: file /var/cache/ddclient/ddclient_eth0.cache, line 3: Invalid Value for keyword 'ip' = ''
Feb 3 20:44:03 er4 ddclient[2229]: WARNING: skipping update of keroberos.com from <nothing> to 108.24.114.81.
Feb 3 20:44:03 er4 ddclient[2229]: WARNING: last updated <never> but last attempt on Sat Feb 3 20:43:02 2018 failed.
Feb 3 20:44:03 er4 ddclient[2229]: WARNING: Wait at least 5 minutes between update attempts.
Feb 3 20:45:03 er4 ddclient[2229]: WARNING: updating keroberos.com: nochg: No update required; unnecessary attempts to change to the current address are considered abusive

 

 

ER-4 GPL archive (GPL.ER-e300.v1.9.8.5012183.tbz2)

Recording Web Traffic & general bandwidth (external PC?)


Hi

 

Ubiquiti EdgeMax EdgeRouter Lite. Clients on the LAN just route to the internet via the router, no proxy.

 

Working fine, but the built-in reporting for both bandwidth and web traffic analysis is lacking.

 

Only have Windows PCs available on LAN.

 

Planning on using MRTG/PRTG to monitor/record bandwidth usage, which should be OK?

 

But is there any way to send "client IP" and "URL requested" to some form of software on a PC? Preferably free/cheap. Basic web reporting per user is fine.

 

Any suggestions for this?

 

Many thanks


block calling home


hi folks,

I got myself the EdgeRouter Lite and a switch to replace my fiber-optic internet modem. Works all great. Now I have some devices that are "calling" home, e.g. an Onkyo receiver. It forces you to accept its usage policy, otherwise for instance its Chromecast functionality is disabled. So I want to block it from sending any data "home", so I thought I could block the domain or IP of Onkyo or redirect requests to that URL; e.g. in Linux I would add to the /etc/hosts file something like "0.0.0.0 onkyo.com" or block the domain/IP using iptables. On the EdgeRouter Lite I found out I can do the hosts thing, but that is not ideal as I would need to add all domains one by one; also I would need entries like "www.onkyo.com" and "onkyo.com", and then https still seems to work. Not ideal; also iptables does not seem to be supported in EdgeOS.

I also tried the DPI traffic blocking thing, but onkyo.com is not in the established categories, so I can't block it. Also I added a custom category, but how do I add domains to it so those domains get blocked?

Sorry for all the n00b questions. I googled around a lot and searched on the forum and there are similar topics, but I couldn't figure out how to do it, so I hope someone can help me with dummy-proof steps. Thank you in advance!
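As an added example of how the "hosts file" idea is done at the router level (editor-supplied configuration, not from the post): EdgeOS DNS forwarding is dnsmasq, and a dnsmasq `address=` option answers a domain and all of its subdomains at once, so www.onkyo.com and any HTTPS host name under onkyo.com fail to resolve together. The second part makes the sinkhole hard to get around for a device that ignores the advertised resolver or carries hard-coded addresses. The LAN interface eth1, the router address 192.168.1.1, the receiver address 192.168.1.50 and the vendor range 198.51.100.0/24 are assumed placeholders.

```text
# 1. DNS sinkhole: covers onkyo.com and every name below it, for http and https alike
set service dns forwarding listen-on eth1
set service dns forwarding options address=/onkyo.com/0.0.0.0

# 2. The device may only resolve names through the router. The "in" ruleset sees only
#    forwarded traffic, so DNS addressed to the router itself is not affected by this rule.
set firewall group address-group IOT_NO_HOME description "Devices that must not phone home"
set firewall group address-group IOT_NO_HOME address 192.168.1.50
set firewall name LAN_IN default-action accept
set firewall name LAN_IN rule 10 action drop
set firewall name LAN_IN rule 10 description "IoT: no DNS to outside resolvers"
set firewall name LAN_IN rule 10 protocol tcp_udp
set firewall name LAN_IN rule 10 source group address-group IOT_NO_HOME
set firewall name LAN_IN rule 10 destination port 53
set firewall name LAN_IN rule 10 log enable

# 3. Hard-coded vendor addresses: block by network-group (placeholder range, fill in the real one)
set firewall group network-group VENDOR_BLOCK description "Vendor telemetry ranges (placeholder)"
set firewall group network-group VENDOR_BLOCK network 198.51.100.0/24
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 description "IoT: drop traffic to vendor ranges"
set firewall name LAN_IN rule 20 source group address-group IOT_NO_HOME
set firewall name LAN_IN rule 20 destination group network-group VENDOR_BLOCK
set firewall name LAN_IN rule 20 log enable

set interfaces ethernet eth1 firewall in name LAN_IN
commit
save

# Verify: the forwarder is up, and the drop counters on rules 10 and 20 move when the device tries
show dns forwarding nameservers
show firewall name LAN_IN statistics
```

Because LAN_IN defaults to accept and both drop rules are scoped to the address-group, the rest of the LAN is unaffected; adding another device is one more `address` line in IOT_NO_HOME.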

ERPOE-5 lost its switch0 and how I recovered it from a Catch 22


Last Thursday, while on National Guard duty, my son calls and says "Dad, there's no Internet". And soon after my wife also calls to complain. So I tell my wife to reset a Linksys LGS308P that has been the root cause a couple of times before. This did not work.

(Linksys hasn't updated the firmware for the LGS308P since 2014, so I'm hoping it'll die soon so I can replace it with a US-16-150...)

 

So then I have to find time to find the root cause and fix the root cause while I'm a bit constrained with regards to both time and bandwidth...

 

Long story short: I check in UNMS and see that the "switch0" interface is gone. This tells me two things: a) the problem isn't at the ISP, b) my ERPoE-5 has Internet access.

 

But since UNMS doesn't have the possibility to add a "switch0" interface, I connect to the router through an L2TP/IPsec VPN.

 

Next I SSH into the CLI and try to configure "switch0". But I'm not allowed, since the interface "exists". So I try to delete it, but I can't, since it's not configured. What to do?

 

Since this is my home router I haven't created a backup of the config, so I couldn't just restore /config/config.boot.

 

I hadn't followed the advice to manage the config file. So I had no nice set of previous commits to use. But I found the current config.boot and two previous config.boot-files from firmware upgrades in /config.

 

The next step was to scp these config files to my computer. (You can't be on duty without a computer...) Then I had to do some config file reconstruction. In /config/config.boot the whole switch0 section was missing. In the other two files I found my current VPN config in one and the correct firewall config in the other.

 

After a bit of cut and paste and several rereadings of config files I finally had two config files. One with all references to "switch0" removed and a second one with the config I want to have. After a last check to see that the VPN config was correct I uploaded the first config with scp. But I didn't dare to just replace /config/config.boot with the new config. What if I had a syntax error or something in it and lost all connection to my router?

 

Luckily I found someone who had had a similar question regarding config.boot on the forums. This taught me the load command. Well, after a few rounds of load /config/config.boot.temp and commit I had found the final snags in my config, free of any references to switch0.

 

Then I took a deep breath and typed save and then reboot... And a couple of minutes later my VPN came back up and I repeated the process with the second complete config. Now finally I was allowed to configure switch0 and after a last reboot everything worked as before.

 

Lessons learned:

  • Config backups are smart even at home...
  • Config commit revisions are even smarter
  • Always have a working VPN or other remote access to your router
  • Use the great resources on UBNT Support and the community forum
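An added example of the mechanics behind those lessons (editor-supplied EdgeOS commands, not from the post; the revision count, the commit comments, the backup host and the temp file name are assumed). `load` only replaces the candidate configuration, nothing changes on the wire until `commit`, and `commit-confirm` reverts on its own if the confirmation never arrives, which is exactly the safety net wanted when the only way in is a VPN through the router being changed.

```text
# Keep a commit history on the router (count is an assumed value) and say why each change was made
configure
set system config-management commit-revisions 50
commit comment "enable commit history"
save

# Routine review of what changed and when
show system commit
compare 1              # diff the working config against the previous revision
rollback 1             # return to the previous revision (EdgeOS reboots into it after a prompt)

# Remote change with a safety net: load a prepared candidate, commit it provisionally,
# and confirm only once the VPN has come back. No "confirm" within 10 minutes = automatic revert.
load /config/config.boot.temp
commit-confirm 10
confirm
save

# Off-box copy of the running configuration, taken from the workstation (user and host assumed)
scp ubnt@router.example.net:/config/config.boot ./config.boot.$(date +%Y%m%dT%H%M%S)
```

`save` is still a separate step: a commit that is confirmed but never saved is gone after the next reboot, which is the mirror image of the problem described in the post.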

 

 

 

Can't access https://192.168.1.1


Hi,

 

I am a newbie and have an EdgeRouter PoE that drives my two WiFi access points with a Netgear cable modem. My cable modem typically connects to port 0 to provide internet to the router. I have set my MacBook's network IP address to 192.168.1.100 and connected my laptop to the EdgeRouter at port 0. In network settings on the laptop it says I am connected to 192.168.1.100. When I open a Safari page and enter https://192.168.1.1 it can't access the page. I think my issue is no internet connection to the router, so I tried connecting my modem to the router in another port other than 0 and it does not work. I am thinking I need to reset the router? I did not originally set up the router and WiFi access points, so I was trying to not do a reset. Appreciate any help.

Port forwarding rules do not work


[screenshots: QQ截图20180204214907.png, QQ截图20180204214950.png, QQ截图20180204215032.png, QQ截图20180204215048.png]

problems with two /29 routes on er 8 pro


Hi all,

 

I am using an ER 8 PRO with two /29 subnets and a few networks to NAT. One /29 subnet is facing the ISP; the other /29 subnet is used "inside the building".

 

The IP addresses are assigned to the interfaces on the router:

 

Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         213.xx.58.2/29                    u/u
eth1         -                                 u/u
eth1.100     172.18.100.254/24                 u/u
eth1.101     172.18.101.254/24                 u/u
eth1.102     172.16.1.254/23                   u/u
eth1.199     172.18.199.254/24                 u/u
eth1.201     172.18.201.254/24                 u/u
eth2         172.18.50.254/24                  u/u
eth3         172.18.200.254/24                 u/u
eth4         172.18.58.254/24                  u/u
eth5         213.xx.58.105/29                  u/u
eth6         -                                 u/D
eth7         -                                 u/D
lo           127.0.0.1/8                       u/u
             ::1/128

 

I have masked the second octet, but believe me, the numbers are the same ;)

 

This is the routing table:

 

S    *> 0.0.0.0/0 [1/0] via 213.xx.58.1, eth0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 172.16.0.0/23 is directly connected, eth1.102
C    *> 172.18.50.0/24 is directly connected, eth2
C    *> 172.18.58.0/24 is directly connected, eth4
C    *> 172.18.100.0/24 is directly connected, eth1.100
C    *> 172.18.101.0/24 is directly connected, eth1.101
C    *> 172.18.199.0/24 is directly connected, eth1.199
C    *> 172.18.200.0/24 is directly connected, eth3
C    *> 172.18.201.0/24 is directly connected, eth1.201
C    *> 213.xx.58.0/29 is directly connected, eth0
C    *> 213.xx.58.104/29 is directly connected, eth5

 

I have connected my laptop to port eth5 and gave it the IP address 213.xx.58.110.

But I cannot ping the router, and I cannot ping my laptop. And yes, the firewall is disabled.

 

If I do a traceroute on the router to IP address 213.xx.58.110 I see this output:

 

traceroute 213.xx.58.110
traceroute to 213.xx.58.110 (213.xx.58.110), 30 hops max, 38 byte packets
 1  213.xx.58.2 (213.xx.58.2)  3001.390 ms !H  2993.591 ms !H  2999.887 ms !H

 

Why is 213.xx.58.2 used and not 213.xx.58.105?

 

In the ARP table I see IP addresses I would expect on eth5 and not eth0:

 

213.xx.58.3              ether   00:0b:82:bc:a2:fb   C                     eth0
213.xx.58.106                    (incomplete)                              eth0
213.xx.58.110                    (incomplete)                              eth0

 

What am I doing wrong?

 

I am using the EdgeRouter 8 PRO as a router with firmware:

v1.9.7+hotfix.4.5024021.171005.0533

 

Thanks in advance,

 

Mitchell

 

Using ER8 Pro as ISP Router / VOIP issue


Hello,

 

We are trying to replace our Cisco 2900 series router with an ER8 Pro, and we are having some difficulty with inbound VoIP traffic from customers not working at all; internet traffic works great. Currently we have eth0 as our handoff to our provider; eth6 has 3 VLANs: 10 Mgmt 172.17.0.x, 20 Customer DHCP 172.17.4.x, 30 Customer public IPs 74.xx.xx.xx. We are using the default firewall rules, nothing more; we have tried using SNAT and DNAT rules with no success. Can anyone point me in the right direction?

 

Thank you.

ATT Static IP Issue


 

ATT support really lacks, so I am reaching out to here to see if I can finally solve this. I appreciate any help with this.

 

What I have

Pace 5268AC

ER Lite

I have a static IP block, let's call it x.x.x.128/29

5268AC Public IP 162.x.x.140

Cascaded set up in the pace

 

ISSUE

All Inbound works fine. All outbound traffic from public x.x.x.128/29 shows up as 162.x.x.140

[image: network.png]

 

Background

Worked with ATT and ConnectTech for days. Their resolution was to set one IP from x.x.x.128/29 on the WAN of the ER. This IP showed inbound and outbound correctly.

 

I scrapped that because it was only one IP, in and out.

I have all 5 IPs working inbound, but outbound is the issue.

I only had one inbound IP working, would love to get the rest of my IP working.

 

 


Very slow ssh and GUI connection - EdgeRouter Infinity


Hi,

 

I've a little problem using our new EdgeRouter Infinity.
At the moment the setup only contains a few NAT rules (8 source and 5 destination NAT rules) and 3 LANs. We've 8 public IPs on eth8.
Inside the LAN everything works fine, but when I use ssh over the public IP the connection is laggy. The same happens using the GUI; it needs much longer than using the LAN connection.
I'm using an ssh tunnel to reach VMware inside the LAN and it is also very slow. But using a source NAT rule it is fine. So the internet connection (1 Gbit/s (really)) is not the problem. Speedtest gives me around 850 Mbit/s in both directions behind (!!) the EdgeRouter.

I tried to find something out using tcpdump, but after 2 restarts (too much output?) i gave up.

 

Does anyone has an idea?

 

Kindly regards,

 

Sven

Edgeswitch 8 SFP problem....maybe? I'm stumped

I think I have a switch problem but I'm not sure; I'm hoping someone can offer some advice. Here's the problem: I had an EdgeRouter X SFP and an EdgeSwitch 8-150 running for about a year with no problems. UFiber modules UF-MM-16 on both the EdgeRouter and switch with a 12" fiber cable connecting them. Worked perfectly for about a year. One day about 3 months ago I lost connectivity between the router and switch, a strange problem as the lights are operating correctly and show a connection but the router Control Panel graph shows there's no data being transferred. The switch Control Panel also shows an SFP connection. Looking at the control panels everything looks correct but the SFP port doesn't work.

Not a major problem as I just eliminated the fiber and switched to an Ethernet cable, which worked as it should, but the reason for the problem bothers me. In my spare time I've been trying to determine what happened. First I swapped out the old fiber modules for new ones, same problem. Next I replaced the fiber cable, same problem. Next I replaced the EdgeRouter X with a new EdgeRouter 4, same problem.

Since I replaced everything but the switch I'm beginning to think that somehow the switch SFP port is bad. The switch is running firmware 1.7.3. There were no power outages or configuration changes to cause the problem; everything is running through a CyberPower UPS. One minute it was working as it should, the next minute the SFP port seems to be dead. I could just ignore the problem and use the Ethernet connection but the problem bothers me. The only thing I haven't tried yet is replacing the switch with a new one, which is a little expensive.

Anyone have any suggestions? I've read that in the past there were SFP problems with some switches; could I have one of these faulty switches? Anything else I can try to figure out what happened?

Access VM web server from outside of the network

Hello there,

Hope someone can help me out. I have an EdgeRouter configured on a PPPoE ISP connection with eth0 being the WAN and eth1 being the LAN. The equipment from the ISP is one fiber-optic PON which I don't have access to. But I don't think there is a need to, as I can perfectly access my web server remotely if I connect my old $15 Asus router.

I've got a web server on a VM which I can access internally on 10.0.0.56, a dedicated external IP from the ISP, and I want to be able to access this web server remotely, either on port 80 or port-forwarded on 8080 or something. When I go from the same network to my external IP, it opens the Edge's GUI, and although I've put a port forward on 8080 for my VM, it doesn't open up my web server's page. Externally I cannot access anything.

I'm a noob at networking but I guess I need to open some kind of firewall/NAT rule? I can even add a DDNS for the external IP.

Thanks everyone.

This is my config.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous enable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description "Internet (PPPoE)"
        duplex auto
        mac 1c:7e:e5:X:X:X
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password
            user-id
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.0.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description "ubuntu VM"
        forward-to {
            address 10.0.0.56
            port 8080
        }
        original-port 80
        protocol tcp_udp
    }
    rule 2 {
        description ""
        forward-to {
            address 10.0.0.56
            port 3112
        }
        original-port 22
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                dns-server 8.8.8.8
                lease 86400
                start 10.0.0.38 {
                    stop 10.0.0.243
                }
                static-mapping AC-Access-Point {
                    ip-address 10.0.0.39
                    mac-address 74:X:X:3c:c9:48
                }
                static-mapping VeraEdge {
                    ip-address 10.0.0.48
                    mac-address X:X:0c:1a:0e:ae
                }
                static-mapping Vistacam700 {
                    ip-address 10.0.0.43
                    mac-address X:X:0c:09:0f:93
                }
                static-mapping WORK-LAPTOP {
                    ip-address 10.0.0.38
                    mac-address X:X:5b:4c:4a:d3
                }
                static-mapping iPhone-Deea {
                    ip-address 10.0.0.50
                    mac-address X:1f:74:86:0e:X
                }
                static-mapping iPhone-Sorin {
                    ip-address 10.0.0.46
                    mac-address X:7a:55:03:X:f2
                }
                static-mapping ubuntu {
                    ip-address 10.0.0.56
                    mac-address 00:X:29:e2:X:0e
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $6$L5yDOHrcB2o.R$onlaMtPrIMYQlDZ3OSxb72mEmAcKMYXl0hjU3isGfQIbFCOlO.ca9I4.ULSwP3U9J1hQpDmtmIBAnjXnxv1eM.
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7.5001798.170720.0132 */
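As an added example (not code from the post or from Ubiquiti), a small Python checker that parses this brace-style EdgeOS config and reports when the port-forward wan-interface is not the interface that carries the masquerade NAT rule. In the config above the masquerade sits on pppoe0 while port-forward names eth0, which is worth verifying on a PPPoE uplink; the embedded config is a constructed, trimmed copy of those two blocks.

```python
"""Added example: flag an EdgeOS port-forward whose wan-interface differs from
the interface used by the masquerade rule. Not code from the original post."""

def parse(text):
    """Parse EdgeOS brace-style config into nested dicts; leaves are key -> value."""
    root = node = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue                          # skip blanks and version comments
        if line == "}":
            node = stack.pop()                # close the current block
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child   # e.g. "rule 5010" -> {}
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip().strip('"')
    return root

def wan_interface_mismatch(cfg):
    """Return (port-forward wan-interface, masquerade interface) if they differ, else None."""
    wan = cfg.get("port-forward", {}).get("wan-interface")
    nat = cfg.get("service", {}).get("nat", {})
    masq = [r["outbound-interface"] for r in nat.values()
            if isinstance(r, dict) and r.get("type") == "masquerade"]
    if wan and masq and wan not in masq:
        return wan, masq[0]
    return None

# Constructed, trimmed copy of the relevant blocks from the posted config.
SAMPLE = """
port-forward {
    lan-interface eth1
    wan-interface eth0
}
service {
    nat {
        rule 5010 {
            outbound-interface pppoe0
            type masquerade
        }
    }
}
"""

if __name__ == "__main__":
    print(wan_interface_mismatch(parse(SAMPLE)))  # ('eth0', 'pppoe0')
```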

 

nslookup fails for new linux instance

My end goal is to connect to this new host using its hostname rather than its IP address.

This is my first time configuring a CentOS minimal instance for future development purposes. I've configured the hostname on the box itself. I now see that in the traffic analysis section of EdgeOS there is its hostname and IP, so the router recognizes the hostname. But on my Windows computer, when I perform an nslookup using that hostname, it fails. I also performed host <hostname> on the CLI within EdgeOS: no results in DNS. Why do my Windows PCs automatically get added to the EdgeOS local DNS? Any suggestions to get CentOS added automatically to DNS?

Thanks,

Tony

Connection speed dropping

Hi,

From time to time, after several days or weeks, maybe months, the connection between my ERL3 and my router drops from Gigabit to 100 Mb (yellow LED). This happens on both eth1 and eth2. It won't renegotiate back to Gigabit by itself.

Since eth1 and eth2 are bridged (br0), I usually change the cable from one to the other and the connection is restored to Gigabit (green LED), until it renegotiates again after several days, weeks or months.

What are you suggesting? Change the Ethernet cable? I think this one is pretty cheap and came with my old 100 Mb TP-Link router. It's only 3 feet long though.

Any dynamic test I could perform?
