I have gone through everything to get this to work with no success. The tunnel is successfully up and running to AWS. I just can't ping the private network devices on the AWS VPC. Attached is my config. Can someone take a look and see what I'm doing wrong?
VPN to AWS - unable to pass traffic
EdgeRouter IPV6 BGP missing command
I just discovered that I can't find "clear ipv6 bgp". Is there some other command to reset a neighbor?
ER-X monitoring ISP connection somehow?
Does anyone know if there is some feature to monitor the internet connectivity with(in) the ER-X?
Ideally I would like to see a graph of, perhaps, ping times to some external IP.
I have enabled the Debian standard repos, so I guess I could let some simple script run in a screen session, but it would be nice if I could avoid these homegrown solutions. A graph in the ER GUI would be nice.
Connecting EdgeRouter X via SPF port to US-8-150W
Hello All
I connected my EdgeRouter X SFP this morning to my US-8-150W switch via their SFP ports. I got a couple of Ubiquiti SFP ports and a fiber optic lead to suit, as I am setting up a camera system and need all 8 ports for the system and a couple of access points (5 cameras, DVR and 2 access points using the onboard PoE, all Ubiquiti equipment). In the meantime I am using port 1 as input with an existing Ethernet cable and ports 2 and 3 for the 2 access points (Pro and a Mesh), and the other 5 ports are unused until the cameras/DVR start getting wired in over the coming weeks.
Now I have installed the SFP ports and plugged in the cable. Both systems show the SFP ports as active (green icons), but I cannot get the EdgeRouter X to send the data to the switch via the SFP port; it keeps defaulting to the Ethernet port.
I assume there is a setting or configuration I'm missing?
Thanks
Firewall Nomenclature
I've spent some time studying this diagram trying to wrap my head around some of the terminologies used in the ER-X (and other ERs I guess).
The diagram seems to emphasize three elements: interfaces, routing, and services.
Firewall IN and LOCAL both define traffic entering the ER through an interface. While they are both headed in the same direction relative to the interface, IN is a branch headed to the routing stack, while LOCAL is a branch headed to everything else in the ER (software/services I guess?)
Firewall OUT defines the traffic leaving the routing part of the ER, and out of the interface.
In other words, IN and OUT are the directions relative to the routing stack. LOCAL is a detour into the software/services prior to going to the routing stack.
Have I misstated anything yet?
Pixelserv Debian Package for ER and ER-X Series Routers
Overview
pixelserv is a simple webserver written in Go that returns a single transparent pixel or content loaded from a file.
Features
- Prevents HTTP 404 page not found messages if used in conjunction with dnsmasq IP redirects
Compatibility
- edgeos-pixelserv has been tested on the EdgeRouter ERLite-3, ERPoe-5, ER-X: EdgeOS versions v1.7.0-v1.9.7+hotfix.4
- Note: the Debian package will not successfully install on a UniFi Gateway, since there is also a default HTTP port 80 listener configured on all interfaces
Installation
- edgeos-pixelserv installs itself as a service into /etc/init.d/pixelserv
- The installation will modify the router's configuration settings to move "service gui http-port 80" to "service gui http-port 8180" to prevent conflict with pixelserv on port 80
EdgeRouter ERLite-3, ERPoe-5 and similar MIPS based Edgerouters
curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/195918/1/edgeos-pixelserv_1.0.1_mips.deb.tgz | tar -xvz
sudo dpkg -i edgeos-pixelserv_1.0.1_mips.deb
EdgeRouter ER-X & ER-X-SFP
curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/195918/2/edgeos-pixelserv_1.0.1_mipsel.deb.tgz | tar -xvz
sudo dpkg -i edgeos-pixelserv_1.0.1_mipsel.deb
Removal
- Removal will modify the router's configuration settings to move "service gui http-port 8180" back to the default "service gui http-port 80"
EdgeMAX ERLite-x & EdgeMax ER-X
sudo apt-get remove edgeos-pixelserv
Usage
- Standalone binary
/config/scripts/pixelserv -h
- pixelserv service
service pixelserv {start|stop|status|restart|force-reload|reload}
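The package above is a Go binary; as an added illustration of what a pixel server does (this is not the edgeos-pixelserv project's code), the following Python script answers every HTTP request with a 1x1 transparent GIF and the headers a browser needs to cache it. The GIF bytes are constructed inline from their base64 form; the listening port 80 mirrors the packaged service and is the only value taken from the post.

```python
"""Minimal pixelserv-style responder (added example, not the edgeos-pixelserv code).

Hosts that dnsmasq redirects to this box receive a tiny transparent image
instead of a connection error or an HTTP 404 page.
"""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

# Smallest widely used transparent GIF (42 bytes), constructed here from its
# base64 form: GIF89a header, 1x1 logical screen, 2-colour palette, a Graphic
# Control Extension marking palette index 0 transparent, one image block.
TRANSPARENT_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

LISTEN_PORT = 80  # same port the packaged service takes over from the GUI


def build_response(path: str, method: str = "GET"):
    """Return (status, headers, body) for a request, independent of sockets.

    Every path gets the pixel; HEAD gets identical headers and no body.
    Cache-Control lets the browser stop re-requesting blocked assets.
    """
    headers = {
        "Content-Type": "image/gif",
        "Content-Length": str(len(TRANSPARENT_GIF)),
        "Cache-Control": "public, max-age=86400",
        "Connection": "close",
    }
    body = b"" if method == "HEAD" else TRANSPARENT_GIF
    return 200, headers, body


def gif_is_transparent_1x1(data: bytes) -> bool:
    """Sanity-check the pixel: GIF89a signature, 1x1 screen, a Graphic Control
    Extension with the transparency flag set, and the 0x3B trailer."""
    if data[:6] != b"GIF89a" or data[-1] != 0x3B:
        return False
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    gce = data.find(b"\x21\xf9\x04")  # extension introducer, GCE label, size 4
    return width == 1 and height == 1 and gce != -1 and (data[gce + 3] & 0x01) == 1


class PixelHandler(BaseHTTPRequestHandler):
    def _serve(self):
        status, headers, body = build_response(self.path, self.command)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if body:
            self.wfile.write(body)

    do_GET = do_HEAD = do_POST = _serve

    def log_message(self, *args):  # keep the console quiet on a router
        pass


if __name__ == "__main__":
    # Binding port 80 needs root, exactly like the packaged init script.
    HTTPServer(("", LISTEN_PORT), PixelHandler).serve_forever()
```

Run it as root on a host whose address dnsmasq hands out for blocked domains; `build_response` is kept separate from the handler so the response can be checked without opening a socket.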
ER-X basic home setup: PPTP, NAT, FW rules. Need help (part II)
Hi guys,
I need your help with basic ER-X setup.
I deleted my last similar topic here because I had found some config errors and thought the problem had been solved, so this is the new one.
I'm connected to my Internet Service Provider's LAN, which has some resources in it (fileservers, radio etc.). The ISP grants Internet access via a VPN tunnel (PPTP).
I've done some basic config: eth0 (192.168.1.1) for the home PC (LAN) and eth1 (10.16.56.137) for the ISP's LAN, a pptpc0 client, basic firewall rules (accept GRE protocol and TCP port 1723), two masquerade NATs (for the ISP LAN and for PPTP) and some static routes for access to the ISP LAN fileservers.
The router connects to the ISP LAN successfully, pptpc0 obtains an IP address from DNS correctly, I can ping all ISP LAN services, and ping and traceroute to Internet sites from the router itself are also successful.
BUT I still have no Internet connection on my PC. I can ping only the eth0 and eth1 interfaces from it, nothing more. All other ping attempts (like pinging the DNS) come back with a "Transmit failed. General failure" message.
I see almost no eth0 Tx data (but Rx is around 2,5 Mbits/sec) on the dashboard and 0 packets on the firewall rules allowing GRE and 1723.
I think it's an issue with the firewall rules or NAT.
I've been doing RTFM for weeks now, tried different configs, but with no success.
Sanitized config below, please take a look at it.
Thanks in advance,
Vasiliy.
L2TP IPsec NO WORK IN WIFI
Hi All,
I have a problem on some Windows computers.
I have a problem with the Windows computers connecting over WiFi.
If I am connected with an Ethernet cable to the external router I can connect perfectly to the L2TP VPN.
If I am connected with WiFi to the same router I can't connect to the L2TP VPN.
If I am connected with WiFi to my mvl used as a router on the same computer I can connect to the L2TP VPN.
I don't have any idea.
Every time a client connects I get this error:
cavium_delete_hndl : NULL Sa/SA Handle : with x 8000000089407800 x->sa_handle (nil)
dnsmasq forwarding listen to port 443
Is it possible to configure dnsmasq for DNS forwarding in Ubiquiti ERL-3 firmware 1.9.7+hf4 to listen on port 443, like dnsmasq on a Linux system has the option server=208.67.220.220#443?
Because my ISP hijacks all public DNS server IPs (Google, OpenDNS, etc.) to their DNS server for censorship.
In OPNsense and most Linux OSes there is an option to add server=208.67.220.220#443, so all DNS traffic is encrypted using SSL.
I cannot do it in the ERL-3: neither name-server 208.67.220.220#443 nor name-server 208.67.220.220:443 works.
Thanks.
forwarding {
    cache-size 400
    listen-on switch0
    name-server 8.8.8.8
    name-server 8.8.4.4
}
1:1 NAT complete subnet
Hi,
I am using an EdgeRouter Lite with the newest firmware. My goal is to do a 1:1 NAT between 2 subnets within our organisation.
We use 2 subnets:
10.200.102.128/26 (which connects to the outside/internet) - eth0
142.93.98.128/26 (intern network) - eth1
The address 10.200.102.129 should be translated to 142.93.98.129, 10.200.102.130 to 143.93.98.130 and so on ...
I created a NAT rule for this, which is working.
But I have to add every IP address to the eth0 (10.200.102.128/26) interface to transfer data between the networks. Without the extra IP addresses no request from the 200 network is NATed to the 142 network.
Is there an easier way (without adding each IP address on its own) to get the NAT working?
I am pretty sure I am missing something ....
Greetings
Joe
Access local switch from second subnet when VPN is connected
Hi.
I understand this has been asked everywhere in multiple forms but I can't figure the answer or what I'm doing wrong.
Any help would be appreciated !
I have 2 routers, ERX is the one handling OpenVPN.
On it I have a switch set up for eth2, 3 and 4 on 192.168.2.0/24.
Eth1 is used for the second router on 192.168.1.0/24.
Only the switch is configured to use the VPN; I followed this topic for the setup:
https://community.ubnt.com/t5/EdgeMAX/OpenVPN-Client-and-Routing/td-p/986871
Steps:
- define a table going to vtun0
set protocols static table 1 route 0.0.0.0/0 next-hop-interface vtun0
- modify your traffic to go through
set firewall modify SOURCE_ROUTE rule 10 description 'Subnet to VPN'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.2.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
- apply to interface
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
Add 'route-nopull' in the VPN client config file and masquerade: outbound interface vtun0 and source address 192.168.2.0/24.
This works great, except when vtun0 is up, 192.168.1.0/24 cannot reach 192.168.2.0/24.
If I disable vtun0, everyone can talk to each other.
These are the routes on ERX when vtun0 is up
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 255.255.254.0 U 0 0 0 vtun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
172.21.86.0 0.0.0.0 255.255.254.0 U 0 0 0 vtun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 switch0
And when it's down:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 switch0
Final note, 192.168.1.0/24 can still ping 192.168.2.0/24 in any case.
Many thanks for anyone who took the time to read this and is willing to help !
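To make the route selection in the post above concrete, here is an added simulation (example code, not from the post or from EdgeOS) of how a source-marked packet is resolved: marked packets from 192.168.2.0/24 are looked up in table 1, whose only route is the default via vtun0, and everything else uses the main table. The two tables are constructed from the route listing and the set commands in the post. It also shows, as data, the effect of giving table 1 a connected route for 192.168.1.0/24; the EdgeOS command named in the comment for doing that is an assumption.

```python
"""Simulate source-based policy routing as configured in the post (added example).

Marked packets (source 192.168.2.0/24) consult table 1 first; if that table
has no matching route the lookup falls through to the main table, which is
what the kernel's ip-rule processing does.
"""
import ipaddress

# Main table while vtun0 is up: (prefix, egress interface), from the post's listing.
MAIN_TABLE = [
    ("0.0.0.0/0", "eth0"),
    ("172.21.86.0/23", "vtun0"),
    ("192.168.0.0/24", "eth0"),
    ("192.168.1.0/24", "eth1"),
    ("192.168.2.0/24", "switch0"),
]
# "set protocols static table 1 route 0.0.0.0/0 next-hop-interface vtun0"
TABLE_1 = [("0.0.0.0/0", "vtun0")]
# "set firewall modify SOURCE_ROUTE rule 10 source address 192.168.2.0/24"
MARKED_SOURCES = ["192.168.2.0/24"]


def lookup(table, dst):
    """Longest-prefix match over one table; None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def egress(src, dst, vtun_up=True, table1=TABLE_1):
    """Interface a packet leaves on, given tunnel state and the contents of table 1.

    Routes bound to vtun0 disappear when the tunnel is down, so a marked
    packet then finds nothing in table 1 and falls through to the main table.
    """
    def live(table):
        return [(p, i) for p, i in table if vtun_up or i != "vtun0"]

    src_ip = ipaddress.ip_address(src)
    if any(src_ip in ipaddress.ip_network(n) for n in MARKED_SOURCES):
        iface = lookup(live(table1), dst)
        if iface is not None:
            return iface
    return lookup(live(MAIN_TABLE), dst)


# Remedy expressed as data: a connected route for the other LAN inside table 1,
# so replies from the VPN subnet to 192.168.1.0/24 leave on eth1, not vtun0.
# Assumed EdgeOS form (not taken from the post):
#   set protocols static table 1 interface-route 192.168.1.0/24 next-hop-interface eth1
TABLE_1_FIXED = TABLE_1 + [("192.168.1.0/24", "eth1")]


if __name__ == "__main__":
    cases = [
        ("192.168.2.10", "8.8.8.8", {}),
        ("192.168.1.10", "192.168.2.10", {}),
        ("192.168.2.10", "192.168.1.10", {}),
        ("192.168.2.10", "192.168.1.10", {"vtun_up": False}),
        ("192.168.2.10", "192.168.1.10", {"table1": TABLE_1_FIXED}),
    ]
    for src, dst, kw in cases:
        print(f"{src} -> {dst} {kw or ''}: {egress(src, dst, **kw)}")
```

The run shows the asymmetry: a packet from 192.168.1.x toward 192.168.2.x reaches switch0 through the main table, but the reply from 192.168.2.x is marked and follows table 1's default route into vtun0 (where the masquerade rewrites its source), which matches the "only while vtun0 is up" behaviour reported. With the tunnel down table 1 is empty and the reply takes eth1 from the main table.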
OSPF advertisement stuck after deleting sub interface
I had an IP range assigned to a VLAN sub interface. I deleted that sub interface, but the OSPF advertisement is still showing:
admin@CR0-WQBR:~$ show ip ospf interface eth2.3
eth2.3 is up, line protocol is up
Internet Address 10.1.1.0/29, Area 0.0.0.0, MTU 1500
Process ID 0, VRF (default), Router ID 10.100.254.3, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1, TE Metric 1
Designated Router (ID) 10.100.254.3, Interface Address 192.81.87.233
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Neighbor Count is 0, Adjacent neighbor count is 0
Hello received 0 sent 656247, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0
No authentication
admin@CR0-WQBR:~$ show interfaces ethernet eth2.3
Invalid interface [eth2.3]
eth2 - u/u RVI WAN
eth2.1 10.200.81.1/24 u/u Old Global Management
eth2.2 192.81.86.1/24 u/u RVI Data
10.200.80.1/24
eth2.50 10.200.70.1/29 u/u EVC Management
10.200.70.9/29
eth2.55 10.200.55.1/24 u/u AMRW Management
eth2.56 10.200.56.1/24 u/u WQBR Management
eth2.300 10.200.90.1/30 u/u ChiliTech
eth2.301 100.64.0.1/24 u/u CT-AMRW Temp
eth2.500 10.200.90.33/27 u/u Router IX
eth2.610 x.x.x.x/27 u/u AMRW Data
OSPF advertisement stuck after deleting sub interface - FALSE ADVERTISING!
clear ip ospf process did not fix anything.
dual firewall
Hello! I have an "EdgeRouter X SFP" device.
It has 5 physical ethernet ports.
I would like to use ONE device but have TWO firewalls (NAT). This would require 4 physical LAN ports.
The setup should look like this:
eth0 and eth1 are assigned to firewall A.
eth0 is INTERNAL, eth1 is EXTERNAL. (masquerade eth0 to eth1) eth0 is @ 192.168.1.1/24. eth1 is @ 192.168.0.10/24.
eth2 and eth3 are assigned to firewall B.
eth2 is INTERNAL, eth3 is EXTERNAL. (masquerade eth2 to eth3) eth2 is @ 192.168.2.1/24. eth3 is @ 192.168.0.11/24.
the 192.168.0.0/24 net has a default gateway of 192.168.0.1 (which again NATs to the internet w/ public IP from ISP)
I have tried this setup but ran into problems with the "default route": can the device only have ONE default route? Can the "default route" not be per interface?
If this doesn't work (two NAT using 4 separate LAN ports on one device) please help with a solution so that following is possible?
Group A of wifi-clients on net 192.168.1.x/24 go thru eth0 & some firewall rules to get to gateway-internet w/ IP: 192.168.0.1.
Group B of wifi-clients on net 192.168.2.x/24 go thru eth2 & some (other) firewall rules to get to gateway-internet w/ IP:192.168.0.1.
Group A (plugged-in at eth0) and Group B (plugged in at eth2) CANNOT see each other ...
Thanks for hints or help! : )
edit:
The problem is that I don't want to add one more DUMB switch which connects to eth1, eth3 and 192.168.0.1 (GW).
Since I have 5 ports available, I would like to have eth1, eth3 and eth4 as a switch?!
eth4 then connects to 192.168.0.1 (GW). Is this possible?
OpenVPN GUI (sort of) in Config Tree
The Config Tree in the Edgerouter GUI actually works as a primitive GUI for OpenVPN
After successfully operating OpenVPN server and client together on the EdgeRouter X, I updated my infrastructure to 2048 bits and added some additional hardening (TLS Auth, mostly).
In the middle of this, I discovered the Config Tree actually supports some OpenVPN parameters directly. It also takes care of the "delete/set" CLI pair of commands when changing a value.
It's not a GUI that helps show you the way (like the Firewall/NAT tab, for example). You still need to (and in principle, should) understand every command in the OpenVPN CLI configuration, but it does save time when tweaking or replacing multiple parameters.
I wish I'd found it sooner.
ER 4 Configuration for xs4all
Can someone in the forum who has xs4all and EdgeOS please post their configuration so that I can get my EdgeRouter 4 up and running? I'm new to EdgeOS so I would appreciate not too technical an explanation. For xs4all I have fiber internet with IPTV and VOIP. Any assistance would be greatly appreciated. Thanks
Why Doesn't the ER8 and ER8-Pro contain a Switch Chip?
Hey all,
Just trying to do some research to find a router with a switch built in. I know that turning on bridged mode on these pieces of hardware, including USGs, has a performance impact and I'd prefer not to have that, especially as I'll be using some 10Gb switches in the environment.
My question is this: why do the lower-end hardware models seem to contain switch chips yet the higher-priced routers do not? To me it would seem almost backwards; either all of them should have switch chips or the lower-end routers should have software-based bridging. What I would like to do is treat the router almost as a core as well, since it handles all the L3 gateways at that point, since as far as I know there aren't any L3 switches available via UniFi.
What I would like to do is replace my pfSense with an ER-8 and then have a switch chip on it to connect to my 4 switches on the same LAN without taking a performance hit, then do some interlinking on the switches so that they can use STP appropriately and create a nice loop, so that if one piece of hardware goes offline the others can take over.
Thoughts?
apt-get install conflict
I'm trying to install the "psmisc" package (which contains the pstree tool that I wanted to use) and hit some kind of conflict:
$ sudo apt-get install psmisc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
psmisc
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/129 kB of archives.
After this operation, 670 kB of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 34596 files and directories currently installed.)
Unpacking psmisc (from .../psmisc_22.19-1+deb7u1_mips.deb) ...
dpkg: error processing /var/cache/apt/archives/psmisc_22.19-1+deb7u1_mips.deb (--unpack):
trying to overwrite '/usr/bin/killall', which is also in package ubnt-debian 9:0.1.22
Errors were encountered while processing:
/var/cache/apt/archives/psmisc_22.19-1+deb7u1_mips.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Any ideas on how to get past this?
DNS Problem...Maybe?
My apologies if this is somewhere in these forums, but I'm not even sure how I would search for this particular problem.
I have a piece of hardware that communicates over its own dynamic DNS service. At the same time I have a registered DYNDNS account that is currently set up and running perfectly on the EdgeRouter Lite.
The problem is that when we set up the app to use its own dynamic DNS service, the one provided by the manufacturer, there is no connection. When we use the DYNDNS account we set up, it works fine. Both DNS services point to the same IP address, so I'm not sure what I'm doing wrong. Because it works using one of the two dynamic DNS names, I assume the port forwarding is configured correctly.
What would cause one entry to work but not the other?
I set this up using the basic WAN2LAN2 wizard and modified only for the port forwarding + added a PPTP VPN till I figure out how to get L2TP going. I have basic networking skills and have configured the router using information from these forums.
If this has already been covered somewhere please point me in the right direction.
Tim
Netflow killing Er-Pro8
I've been seeing 100% CPU usage for a couple of days on one of my ER-PRO8.
top reveals netflow as the culprit.
Any ideas, without having to kick off netflow?