Channel: EdgeRouter topics

ER-X block internet traffic for AP but not clients


I have a wireless AP that I need to stop from getting updates from the internet. My intention is to block the AP from all internet access, since everything else hasn't worked. How can I do it without blocking the clients connected through it?

 

Thank you in advance for any help.
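One way to do this on EdgeOS, as an added example that is not part of the original post: a firewall ruleset attached inbound on the LAN port lets the AP reach private address space (so the controller, management and anything else on the LAN keep working) and drops everything else the AP itself originates. Wireless client traffic that the AP bridges keeps the clients' own source addresses, so it never matches the AP's rule. The interface name eth1, the AP address 192.168.1.5 and the MAC in the commented line are assumed values; adjust them to your network.

```edgeos
configure

# Private destinations the AP may still reach (group name assumed).
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16

# Ruleset for traffic entering the router from the LAN; clients are unaffected
# because the default action is accept and only the AP's address is matched.
set firewall name LAN_IN default-action accept
set firewall name LAN_IN description "LAN in: AP restricted to private nets"

# Rule 10: the AP (assumed 192.168.1.5) may talk to private address space.
set firewall name LAN_IN rule 10 action accept
set firewall name LAN_IN rule 10 description "AP to private nets"
set firewall name LAN_IN rule 10 source address 192.168.1.5
set firewall name LAN_IN rule 10 destination group network-group PRIVATE_NETS

# Rule 20: anything else the AP originates (update checks, cloud) is dropped and logged.
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 description "AP to internet"
set firewall name LAN_IN rule 20 log enable
set firewall name LAN_IN rule 20 source address 192.168.1.5
# If the AP's address can change, match its MAC instead (placeholder MAC):
# set firewall name LAN_IN rule 20 source mac-address 00:11:22:33:44:55

# Bind the ruleset inbound on the LAN port the AP hangs off (assumed eth1).
set interfaces ethernet eth1 firewall in name LAN_IN

commit
save
exit
```

An `in` ruleset only sees traffic the router forwards, so the AP's DHCP and DNS requests to the router itself are unaffected. If the AP is currently pointed at public DNS or NTP servers, repoint it at the router first, otherwise it loses name resolution along with its update checks. With `log enable` on rule 20, `show log | match LAN_IN` shows how often the AP is trying to reach out, which is a useful check that the rule is matching the right host.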


Edgerouter Pro Kernel Panic v1.9.17


Hi All,

When the router has been running for four or five days, it restarts.
The only thing I see in the remote log:
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 INFO: task ubnt-util:21527 blocked for more than 120 seconds.
 cavium_delete_hndl : NULL Sa/SA Handle : with x 800000008137a000 x->sa_handle (nil)

We have an EdgeRouter Pro on version EdgeRouter Pro v1.9.7+hotfix.4

Configuring/Managing EdgeRouter Through Wifi Access Point


I completely understand how to initially set up any EdgeRouter: connect an ethernet cable from the computer to the router (use the lowest-numbered ethX port), set a static IP on the computer to an address in the router's range 192.168.1.x, open a browser and navigate to 192.168.1.1.

 

What I am not clear about, is how you access the dashboard/configure GUI (i.e. through browser), after this point. Do you ALWAYS need to do this process of connecting an ethernet cable directly from your computer to a default port on the router? Or can you connect that default port (or any port) to an Access Point (e.g. UAP-AC-LITE UniFi Access Point) and access the router configuration GUI wirelessly (by typing in the same 192.168.1.1 address in your browser over WiFi)?

 

I simply want to be able to configure/access/manage my router wirelessly, without needing to directly plug an ethernet cable from my main computer into the router. Any help/comments would be greatly appreciated.

Edgerouter X link status changes all the time


My EdgeRouter X constantly loses link status and connection speed (drops between 1000mbit and 100mbit and goes up and down all the time).

Any idea what I could do to fix this? Tried different cables (they work when I plug them into my AirPort Extreme without any issues).

 

Jan 28 18:38:14 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:39:01 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:39:03 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:42:46 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:42:49 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:42:50 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:42:53 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:43:40 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:43:42 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:47:11 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:47:15 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:47:16 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:47:18 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:48:04 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:48:07 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:48:07 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:48:11 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:48:12 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:48:14 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:49:01 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:49:03 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:52:37 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:52:40 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:52:41 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:52:44 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:53:31 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:53:34 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:56:42 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:56:46 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:56:47 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:56:51 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 18:57:37 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 18:57:39 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:01:14 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:01:18 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:01:19 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:01:22 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:02:08 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:02:10 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:05:40 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:05:44 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:05:45 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:05:47 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:06:34 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:06:36 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:10:05 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:10:08 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:10:09 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:10:12 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:10:59 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:11:01 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:14:30 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:14:33 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:14:34 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:14:37 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:15:23 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:15:25 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:18:54 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:18:58 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:18:59 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:19:01 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:19:48 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:19:50 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:23:20 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:23:23 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:23:24 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:23:27 ubnt kernel: ESW: Link Status Changed - Port3 Link UP
Jan 28 19:24:13 ubnt kernel: ESW: Link Status Changed - Port3 Link Down
Jan 28 19:24:16 ubnt kernel: ESW: Link Status Changed - Port3 Link UP

Edge router Lite/x issue


Hello everyone. I have a strange problem with both the EdgeRouter Lite and the X. After the basic setup and customization I get them both to work perfectly; however, they both suffer from the same problem. A bit of info: I bought the EdgeRouter X and had this problem with it, then I researched it and did not find anything, so I decided to get the Lite and see how it works, and whether I still get the issue. Turns out the Lite has the issue as well. I narrowed it down to the router by process of elimination. I returned the X, but I really want to keep the Lite and get it working, as I really like the company and the product. So this is a bit of background to help understand my situation.

 

Now to the problem: My setup is very simple: cable into the cable modem, then cable modem to my PC. I needed a router so that I can use my PC and my VoIP device at the same time. I have an old wireless router that does this job fine, but wireless is not something I find desirable right now, so it was time for an upgrade. Now I have my cable modem connected to the EdgeRouter Lite, and from there I have my PC and VoIP hooked up to the router. Now the strange thing is that the eth1 port works like a charm: websites load nice and fast, speedtest is good, etc. The eth2 port is another matter... websites often do not load; other times they load fine, sometimes they take ages, other times it times out. Huge intermittency. Games drop connection, etc. I used different cables and it's the same issue (I tested 3 different cables, 2 of them brand new; these very same cables work with no router in the equation). Now I find that if I open the router GUI the problem resolves itself, just by sitting in the dashboard of the GUI, most odd (but worth noting in case someone might know why). I tried using just 1 port vs having both in use; it did not make a difference, among trying a lot of other things, some advanced, to no avail.

 

Now back to the EdgeRouter X: it had the exact same problem, just on a different router port. So it is definitely router related, but maybe something I am not configuring right, or maybe ISP related (the ISP had no clue, as apparently they had never heard of such a router). So at this point, like I said, I really want to keep this thing, but need help. I am no novice, but I am far from an expert either, so I will do my best to try any suggestions (I really don't want to get a refund, as I think these routers are really good hardware, and there's nothing quite like them out there).

 

Thank you in advance!

Disable http/2


Is there any way to disable HTTP/2 at the firewall on an EdgeMAX router, to force clients into using HTTP 1.1? Our web filtering software does not support HTTP/2 yet, so sites that should be blocked are allowed when the browser is able to use this protocol.

 

Thank you.

Load Balance Single IP instead of 2 IP


I just completed load balancing using the wizard. It is not failover; both WANs run concurrently. Unfortunately, when one of the WANs is unplugged, the 2nd WAN does not really support the network. The internet seems all down.

 

I need to access my data center using a single public IP; however, since my network is dual WAN, I have 2 IPs. How do I set it up using a single IP?

Both ISPs use PPPoE with dynamic public IPs.

 

I'm looking at this example https://help.ubnt.com/hc/en-us/articles/205145990-EdgeRouter-Dual-WAN-Load-Balance-Feature

 

which, under "Making sessions stay with the same WAN", gives:

 

configure
set load-balance group G sticky source-addr enable
set load-balance group G sticky dest-addr enable 
set load-balance group G sticky dest-port enable
commit
save
exit

Should I use that? And if I use this, which WAN will I use?
I have 2 different ISPs with load balancing using an ERLite.

 

admin@ubnt:~$ show configuration|cat 
firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_pppoe0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 110 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
mss-clamp {
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description WAN
duplex auto
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto
password ****************
user-id wan1@wan.wan
}
speed auto
}
ethernet eth1 {
address dhcp
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 192.168.1.1/24
description Local
duplex auto
firewall {
in {
modify balance
}
}
speed auto
vif 2 {
address 192.168.2.1/23
description "Internal Vlan"
firewall {
in {
modify balance
}
}
mtu 1500
}
vif 4 {
address 192.168.4.1/24
description "Guest Vlan"
firewall {
in {
modify balance
}
}
mtu 1500
}
}
loopback lo {
}
}
load-balance {
group G {
interface eth1 {
}
interface pppoe0 {
}
lb-local enable
lb-local-metric-change disable
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth2.2
lan-interface eth2.4
lan-interface eth2
rule 1 {
description ES-24-250W
forward-to {
address 192.168.1.2
port 5555
}
original-port 5555
protocol tcp_udp
}
rule 2 {
description CCTV
forward-to {
address 192.168.1.10
port 37777
}
original-port 37777
protocol tcp_udp
}
rule 3 {
description ALARM
forward-to {
address 192.168.1.11
port 37778
}
original-port 37778
protocol tcp_udp
}
rule 4 {
description CCTV
forward-to {
address 192.168.1.10
port 554
}
original-port 554
protocol tcp_udp
}
rule 5 {
description CCTV
forward-to {
address 192.168.1.10
port 80
}
original-port 80
protocol tcp_udp
}
wan-interface pppoe0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name Guest {
authoritative disable
subnet 192.168.4.0/24 {
default-router 192.168.4.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.4.1 {
stop 192.168.4.255
}
}
}
shared-network-name Internal {
authoritative disable
subnet 192.168.2.0/23 {
default-router 192.168.2.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.2.1 {
stop 192.168.3.255
}
}
}
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.1.38 {
stop 192.168.1.243
}
}
}
use-dnsmasq disable
}
dns {
dynamic {
interface pppoe0 {
service custom-noip {
host-name wan1ip.com
login wan1isp
password ****************
protocol noip
server dynupdate.no-ip.com
}
}
}
forwarding {
cache-size 150
listen-on eth2
listen-on eth2.2
listen-on eth2.4
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for WAN"
outbound-interface pppoe0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
login {
user admin {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipv4 {
forwarding enable
pppoe enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}

 

Edgerouter X vs ER Lite


Hi,

 

I'm looking for a new router, and I have these two on my radar. I'm reading info about them, and it looks like both have similar WAN speed with offload on; is this correct?

 

On the other hand, it looks like the ER Lite has better LAN connections.

 

I have multiple Synology units in the house and offer some services to the network, so I need good performance on both LAN and WAN.

I'm also open to other suggestions. Right now we have 600Mbps, but in the near future we are going to have a 1Gbps FTTH connection, so I'm looking for options that give me that speed.

 

Thank you!


EdgeMAX EdgeRouter software version v1.10.0 has been released!

Modem Suggestions for EdgeRouter


My main interest in the EdgeRouter is the "enterprise" aspect of the router (i.e. it is a more serious router for small to medium business networks). While I have successfully researched the EdgeRouter and Ubiquiti AP for enterprise applications, I have yet to see anything related to modems.

 

My question is this: does anyone have any recommendations for an "enterprise" modem that complements the EdgeRouter and Ubiquiti AP setup?

 

As a follow-up question, is an "enterprise" modem a necessity? Does it exist?

 

Any help/comments/recommendations would be greatly appreciated.

Thanks in advance.

Routing between subnets


Hi,

 

I have a test VMware server that has been transplanted to my home from a hosted location and is likely to be moved to a different location at some point. The server has a whole Active Directory (AD) network on it (DC, DNS, DHCP, etc.), thus I do not want to change any of the IP addresses it currently has.

 

My end objective is to be able to RDP into any of the Virtual servers running on it.

 

I have used some firewalls to segregate it from my home network, but I always hit the same issue, which is that I have to port forward (using a different port) to each server. But (a) this is clunky and (b) I run out of port forwarding slots.

 

I have purchased an EdgeRouter X, with a view to being able to access servers on the test subnet without having to set up port forwards.

 

But I cannot get it to work.

 

The set up is:-

 

Internet - ISP Router - Main Home Lan
              192.168.0.1  - 192.168.0.0/24
                     |
              Managed Network Switch   - 192.168.0.5  My PC
                     |
              192.168.0.206 - eth0
                   ERX
              192.168.50.206 - eth2
                     |
              UnManaged Switch
                      | |
                ESxi Server
        Network servers - 192.168.50.0/24

 

I have a route on my PC that directs traffic for the 192.168.50.x network to 192.168.0.206

All the servers have a def gateway of 192.168.50.206

 

But I cannot RDP to any of the VMs.

 

One odd thing is that I CAN connect to the ESXi server using VMware's management software, and I can connect to both sides of the router from my PC.

 

Any Ideas appreciated
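A minimal EdgeOS configuration for this layout, added here as an example and not taken from the post: eth0 carries the home-LAN address and eth2 the test subnet, and one rule is added to the WAN_IN ruleset so that new RDP connections from the home LAN are forwarded into the test subnet. It assumes the ER-X was set up by the wizard with eth0 as the "WAN" side, so WAN_IN (default action drop, allowing only established/related traffic back in) is already bound inbound on eth0; the rule number 30 is an assumption, and only TCP 3389 is opened rather than the whole subnet.

```edgeos
configure

# Router addresses on both sides, as in the diagram above.
set interfaces ethernet eth0 address 192.168.0.206/24
set interfaces ethernet eth2 address 192.168.50.206/24

# WAN_IN (assumed already applied "in" on eth0 by the wizard) drops new
# connections arriving on eth0. Allow new RDP sessions from the home LAN
# into the test subnet, and nothing else.
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description "Home LAN RDP to test VMs"
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 source address 192.168.0.0/24
set firewall name WAN_IN rule 30 destination address 192.168.50.0/24
set firewall name WAN_IN rule 30 destination port 3389

commit
save
exit
```

Check the path end to end before changing anything else: `show firewall name WAN_IN statistics` shows whether rule 30 is counting packets, and `tracert 192.168.50.x` on the PC should show 192.168.0.206 as the first hop (the PC's static route is what sends the traffic there, and the VMs' default gateway of 192.168.50.206 carries the replies back). If the rule counters climb but RDP still fails, the remaining filter is inside the guest: the Windows firewall's Remote Desktop rule is scoped to the local subnet on some profiles, and 192.168.0.5 is off-subnet from the VMs' point of view.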

Realistically, what's going on with EdgeRouter4 and EdgeRouter6 availability??


Hi,

As per the subject, does anyone know honestly what is going on with the EdgeRouter 4 and EdgeRouter 6?

The ER4 was "released" months ago, yet all the retailers, in the UK at least and I believe further afield, do not have any stock. 

 

I am reluctant to "grab" a unit when retailers have like 1 in stock as it does not inspire me with confidence about the product.

 

So:

1. Is there a fundamental flaw with the products which means Ubiquiti is not manufacturing them?

2. Is there a manufacturing issue which means production volumes are incredibly low?

3. Is the distribution to retailers just incredibly slow / poor? 

 

I am loath to buy more EdgeRouter Lites currently, as the ER4 is far superior, but unless I gain confidence that the ER4 and ER6 do not have a basic issue preventing their wider availability, that is what I may well have to do.

 

We just need openness and honesty about what is going on.

 

Marcus

Ubiquiti Unifi Security Gateway (USG) to Cisco RV042 VPN


Hi,

 

I have about a dozen RV042 routers currently doing site-2-site VPN tunnels. Seeing as many internet connections are now exceeding the bandwidth these devices are capable of combined with them being EOL we are looking to upgrade.

 

Since I've started using Unifi WiFi APs and like the single dashboard we are considering using the Ubiquiti Unifi Security Gateway (USG) as a replacement. Seeing as we will not be replacing all at once I need to make sure we can integrate the 2 while we do the cutover (which may take some time as in sites where there is no real need to upgrade just yet we will be leaving as-is).

 

What are thoughts on this? Easy or hard? Can be done through the dashboard or will require CLI customizations?

 

Thanks

 

How to forward all traffic through vpn with openvpn on edgerouter x


I have tried to search and not found much that can help me solve my issue. What I am trying to do is just set up OpenVPN on my EdgeRouter X so that when I am away I can access my local network and shares behind the EdgeRouter X. I finally got OpenVPN working on the EdgeRouter after sort of combining the guide from Ubiquiti that sets it up for only certain incoming IPs and the SparkLabs tutorial that covers the masquerading. My issue is that while I can directly access IP addresses, say for my VMs, I cannot access any local network resource like my shared folders. What am I doing wrong, or what else do I need to configure? It was so easy on my old Asus... just hit export file and everything was set =p While I understand the need for all the control on the EdgeRouter X and enjoy learning, I also enjoy being able to actually get to my files when away. My searching has not found any solutions, so any ideas?

 

Dual Wan - force ip range to specific wan


I have been trying to figure this out for a few days now.  I hope someone can help.  I have an Edge Router X on 1.9.7+hotfix.4

 

I would like to configure it as follows:

Dual Wan.  Failover both ways.

 

Split LAN subnet into 2. 

DHCP 192.168.1.2 to 192.168.1.150 <-route to WAN 1 exclusive with failover to WAN 2

NON DHCP (assigned manually) 192.168.1.154 to 192.168.1.254 -< Route to WAN 2 exclusive with failover to WAN 1

 

Any help will be appreciated.  I have read and tried to manipulate some sample configurations I have found but I just can't seem to get it to work correctly.


Thanks
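The post above (pin each address range to its own WAN with failover the other way) and the earlier "Load Balance Single IP" post (keep a given kind of traffic on one WAN) both come down to policy-based routing with two load-balance groups. The following is an added example, not a configuration from either post: each group has one primary interface and the other WAN as failover-only, and a modify ruleset picks the group by source address. The syntax is the same family as the `modify balance` ruleset in the earlier post's configuration; the interface names eth0 (WAN 1), eth1 (WAN 2) and switch0 (LAN), the group names and the rule numbers are assumptions.

```edgeos
configure

# Private address space, used to keep LAN-to-LAN traffic out of the WAN groups.
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16

# Two groups, mirror images of each other: one primary WAN, the other
# used only when the primary fails its route test.
set load-balance group WAN1_PRI interface eth0
set load-balance group WAN1_PRI interface eth1 failover-only
set load-balance group WAN2_PRI interface eth1
set load-balance group WAN2_PRI interface eth0 failover-only

# Rule 10: traffic staying inside private space uses the main routing table,
# so the two address ranges can still reach each other and the router.
set firewall modify PBR rule 10 action modify
set firewall modify PBR rule 10 description "LAN to LAN stays in main table"
set firewall modify PBR rule 10 destination group network-group PRIVATE_NETS
set firewall modify PBR rule 10 modify table main

# Rule 20: the DHCP range (from the post) prefers WAN 1, fails over to WAN 2.
set firewall modify PBR rule 20 action modify
set firewall modify PBR rule 20 description "DHCP range prefers WAN 1"
set firewall modify PBR rule 20 source address 192.168.1.2-192.168.1.150
set firewall modify PBR rule 20 modify lb-group WAN1_PRI

# Rule 30: the manually assigned range prefers WAN 2, fails over to WAN 1.
set firewall modify PBR rule 30 action modify
set firewall modify PBR rule 30 description "Static range prefers WAN 2"
set firewall modify PBR rule 30 source address 192.168.1.154-192.168.1.254
set firewall modify PBR rule 30 modify lb-group WAN2_PRI

# Attach the policy inbound on the LAN interface (switch0 on an ER-X, assumed).
set interfaces switch switch0 firewall in modify PBR

commit
save
exit
```

Both WAN interfaces still need their own masquerade NAT rules (the earlier post's rules 5000 and 5002 are that part), otherwise a failover sends packets out with an address the second ISP will not route. To pin a single service to one WAN instead of a whole source range, match on `destination address` and `destination port` in a modify rule the same way. `show load-balance status` reports which interface each group currently treats as active, and `show load-balance watchdog` shows the route-test results that drive the failover decision.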


EdgeRouter behind edgerouter (X-SFP) with AP (AC-M) multiple ssid configuration help...


I posted a question previously in the UniFi forum https://community.ubnt.com/t5/UniFi-Wireless/AC-Mesh-in-a-standalone-configuration-Project-change-help/m-p/2180253 but had no configuration at the time to post for assistance (or idea how to achieve what I needed); reading/learning more, I think this might be a better place to ask as well...


I've read many similar posts/solutions such as https://community.ubnt.com/t5/EdgeMAX/DHCP-relay-setup/td-p/814988 which is almost exactly what I'm looking for, I believe: a controller on an upstream EdgeRouter with an AP behind another EdgeRouter giving an SSID on the "lan" side of it as well as one from the "wan" side. I've also read on multi-tenant setups which are "almost" applicable with each tenant on their own EdgeRouter, as well as VoIP setups which isolate the local network but allow it through based on VLAN, but I can't seem to put a working solution together for my situation/hardware properly (plus I'm a little out of my knowledge base but learning very quickly)...

I'll post my current configs below but I don't know if they'll help or hinder as I'm not sure if i'm going down the right track or going off a cliff.

 

To try and keep it concise without oversimplifying (I hope), please consider:

 

The Setup:

  • I have 3 EdgeRouter X-SFPs, 3 AP AC-Mesh devices, a ToughSwitch PoE, 3 stand-alone IP-based devices, and a PC with UNMS & UniFi controller
  • Each router, RTR0, RTR1, and RTR2, has an AC-Mesh plugged into ETH4;
  • RTR0 was initially configured as a router via wan2lan2, made VLAN aware and had all ports moved to VLANs; it gets an IP from another network on ETH0, and incoming 80,443 will get port forwarded to the PC (static IP).
  • It has a stand-alone device on eth2 with a static 10.10.10.50 IP,
  • the controller PC plugged into eth3 with a couple of static IPs (virtual UNMS/UniFi Ubuntu & a Windows web server),
  • the ToughSwitch's eth5 is plugged into eth4 and has a static IP 10.10.10.11

The other two routers have their ETH0 plugged into ETH1 and ETH2 of the toughswitch and were configured as switches initially (yep, with static ip's)

  • each has a ip based device plugged into eth2 (same as above with yep, a static ip) these stand-alone devices provide a simple web interface on 80,443.

No firewalls are required for security/privacy as this is a completely isolated network (outside the fact that it's wireless, it's basically remote data logging); there are also very few devices here, and at most maybe 2-3 clients max at the worst of times.

 

What I'm after;

  • rtr0 is essentially head/top router and provides port forwarding for 80,443 from the upstream network if its connected to the pc's web server via eth0
  • its ap on eth4 gets a ip from it and it broadcasts the ssid "ALL".
  • connecting to "ALL" puts you on the "main" network, you can connect to the pc's interfaces and to the upstream network if required.
  • rtr1,2 should be essentially switches under rtr0 connected to the toughswich via their eth0, so plugging into eth1 gets a ip from rtr0; the AP connected to eth4 also broadcasts the "ALL" ssid.

So far so good, simple and straight forward; now the 1st kink:

  • rtr1,2 have an IP device on eth3 whose IP can't be easily changed (192.168.10.15); they need ports 80,443 forwarded to this device.
  • they need to broadcast a unique ssid "LOCAL" also giving access to that device and provide DHCP for a wireless device which connects to that "LOCAL" ssid or get plugged into eth2.
  • those "clients" should also be able to connect to any other device on the "main" network.

This I've been able to get working, however, the 2nd kink:

  • rtr1,2 could be disconnected from rtr0 at any time, they still need to provide the ssid "LOCAL", dhcp for wireless devices that connect or a device that gets plugged into eth2.

The last point is what's breaking for me...

The Goal:

  • RTR1/2 should look essentially like a single device to clients on 10.10.10.0; connecting to 10.10.80.10 or .20 just gets the web interface from its 192.168.10.50 device.
  • a client connecting to SSID "ALL" from any AP gets a IP in 10.10.10.0 from rtr0, and can connect as above,
  • a client connecting to SSID "LOCAL" (the ssid LOCAL is overridden in each device to a unique name) from the AP on rtr1 get a 192.168.10.0 ip from rtr1, but can connect to any device via its 10.10.10.0 address as above, its local device via its 10.10.80.10 address, or locally directly to the local device via its 192.168.10.50.

What I've had/have working:

RTR0:

  • is setup wan/lan initially via wan2lan2, all ports were made part of the switch, vlan99 setup for the internet so eth0 set to pvid99, vif99 gets a dhcp wan ip from another network (currently 192.168.68.68/24) on ETH0 (other network).
  • vlan11 was setup incase I lock myself out, eth1 is tagged pvid11, with vif11 10.11.11.10/24 and a dchp server 10.11.11.10.
  • vlan1 was setup as the default vlan, eth2,3,4 are pvid1, with vif1 10.10.10.10/16 and dhcp 10.10.10.10.,
  • it provides DHCP for 10.10.10.0/16 .200-.240, and a SSID "ALL" which is untagged in the controller and needs to be broadcast on all 3 AP's.
  • the toughswith is configured on 10.10.10.11/16

RTR1 & RTR2 are each setup essentially the same:

  • initially configured as vlan aware switches, eth0 and eth1 vlan tagged pvid1, eth2 &3 pvid192, eth 4 pvid1 vid192 for the AP
  • vlan (vif?)1 has a static ip on each router, switch0 eth0 has pvid1, vif1 ip's 10.10.80.10/16 and 10.10.80.20/16 respectively
  • eth1 is also set pvid1 on switch0 so plugging into it gets a ip from rtr0
  • vlan192 (vif192) has ip 192.168.10.10/24, dhcp setup 192.168.10.10 w/ router 192.168.10.10. switch0 eth2,3 are set pvid 192.
  • eth3 has a simple web server on a static address 192.168.10.50, ports 80,443 on switch0.1 are forwarded to it.
  • eth4 has the AP; on switch0 it is set pvid1, vid 192, so it's broadcasting "ALL" (which would give an IP from RTR0) and "LOCAL" (which is set vlan192 in the controller), which gives clients a 192.168.10.0/24 IP from the same router.
  • clients connected to "LOCAL" with a 192.168.10.0 ip connecting to 10.10.80.10 for eg get hairpin nat redirected back to the local device interface at 192.168.10.50, but connecting to 10.10.80.20 connects to the other devices interface.

Everything is almost working with what I have:

  • I can connect to "LOCAL_1" get ip from rtr1, and access the 192.168.10.50 device via its 192. and 10. addresses, rtr0, rtr2 and its device via its 10. address, the pc, the upstream network, and the pc can see each device via its 10.10.80.x address.
  • I can connect to "ALL" and get a ip from rtr0, access upstream, the pc, and each device via its 10.10.80.x address.
  • if rtr1 eth0 gets disconnected from the switch it still works; mesh takes over and after ~60 seconds everything's back to normal via the wireless connection (this was a bonus)

However, if rtr0 loses power, the APs that got an IP from it all go offline and there is no wireless access; plugging into eth2 gets a local 192 address and I can connect to the local device, but this is the situation I need wireless access for. I believe I know why it's not working (the AP loses its IP), but I'm not sure how to fix it...

 

Any help/guidance would be greatly appreciated. I'm also open to changing everything; the only things I can't control are that each router/device (rtr1,2) needs a fixed static IP, which in the end relates to its unique ID, and that each needs to work standalone and provide wireless access without rtr0 being available.

 

current (likely greatly incorrect) configs, (i only removed the login/cert info):

rtr00:

firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description "eth0 upstream network vlan99"
duplex full
poe {
output off
}
speed 100
}
ethernet eth1 {
description "eth1 Local backup vlan11"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
description "eth2 Local vlan1"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
description "eth3 Local vlan1"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
description "eth4 AP POE Port"
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth5 {
description "eth5 SFP Port (unused)"
disable
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
description "switch0"
mtu 1500
switch-port {
interface eth0 {
vlan {
pvid 99
vid 1
}
}
interface eth1 {
vlan {
pvid 11
}
}
interface eth2 {
vlan {
pvid 1
}
}
interface eth3 {
vlan {
pvid 1
}
}
interface eth4 {
vlan {
pvid 1
}
}
vlan-aware enable
}
vif 1 {
address 10.10.10.10/16
description "vlan1 default vlan"
mtu 1500
}
vif 11 {
address 10.11.11.10/24
description "vlan11 backup access"
mtu 1500
}
vif 99 {
address dhcp
description "vlan99 upstream"
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1500
}
}
}
protocols {
static {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN1 {
authoritative disable
subnet 10.10.0.0/16 {
default-router 10.10.10.10
dns-server 10.10.10.10
lease 86400
start 10.10.10.170 {
stop 10.10.10.189
}
unifi-controller 10.10.10.102
}
}
shared-network-name LAN11 {
authoritative disable
subnet 10.11.11.0/24 {
default-router 10.11.11.10
dns-server 10.11.11.10
lease 86400
start 10.11.11.101 {
stop 10.11.11.109
}
unifi-controller 10.10.10.102
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0.1
listen-on switch0.99
listen-on switch0.11
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
log disable
outbound-interface switch0.99
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
connection wss://10.10.10.102:9443*******
}
}
system {
host-name Rtr00
name-server 127.0.0.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.4.5024279.171006.0255 */

Rtr01 and 2 are identical except for IP address/name, and apparently this backup is missing one item I added last night to get upstream traffic working: a static gateway route from 0.0.0.0/0 to next hop 10.10.10.10:

interfaces {
ethernet eth0 {
description "eth0 Local link"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth1 {
description "eth1 Local link"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
description "eth2 device Port vlan 192"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
description "eth3 device Port vlan 192"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
description "Eth4 AP POE Port"
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth5 {
description "eth5 SFP Port (unused)"
disable
duplex auto
speed auto
}
switch switch0 {
description "switch0"
mtu 1500
switch-port {
interface eth0 {
vlan {
pvid 1
}
}
interface eth1 {
vlan {
pvid 1
}
}
interface eth2 {
vlan {
pvid 192
}
}
interface eth3 {
vlan {
pvid 192
}
}
interface eth4 {
vlan {
pvid 1
vid 192
}
}
vlan-aware enable
}
vif 1 {
address 10.10.80.10/16
description "vlan1 default vlan"
mtu 1500
}
vif 192 {
address 192.168.10.10/24
description "vlan192 Device vlan"
mtu 1500
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0.192
rule 1 {
description http
forward-to {
address 192.168.10.50
port 80
}
original-port 80
protocol tcp_udp
}
rule 2 {
description https
forward-to {
address 192.168.10.50
port 443
}
original-port 443
protocol tcp_udp
}
wan-interface switch0.1
}
protocols {
static {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN192 {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.10
dns-server 192.168.10.10
dns-server 10.10.10.10
lease 86400
start 192.168.10.101 {
stop 192.168.10.109
}
unifi-controller 10.10.10.102
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0.1
listen-on switch0.192
}
}
gui {
http-port 81
https-port 444
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for WAN"
log disable
outbound-interface switch0.1
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
connection wss://10.10.10.102:9443*******
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name Rtr01
name-server 127.0.0.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.4.5024279.171006.0255 */

Thanks again, any help will be greatly appreciated.

Changing ports for VPN connection

I've configured an IPsec Route-Based (VTI) Site-to-Site VPN using the instructions provided here:

https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-IPsec-Route-Based-VTI-Site-to-Site-VPN

It says the ports and protocols required are UDP 500 IKE, UDP 4500 NAT-T, and ESP Protocol 50. The router provided by my provider allowed me to put my ER-X into a DMZ zone. However, it's become rather clear that their version of DMZ does not entirely unblock all ports as stated.

I can access the two routers' WebGUI, and I have allowed ICMP so I can ping from one ER-X to the other ER-X. So as far as being able to connect to their external IPs, this works just fine. I was also blocked using port 22 for SSH, and only after choosing a source port of, say, 30 and forwarding it to a destination port of 22 was I able to get this to work as intended.

So I would like to somehow change the default ports used for the site-to-site VPN to something other than 500, 4500, and 50.

Is this possible? I feel this is the only way I'll be able to get this working.

Thanks.

Send SSH commands via PHP

Hi guys

I'm wondering if it's possible to enable or disable a firewall rule through PHP?

I'm trying to get this to work:

<?php
// Requires the ssh2 PECL extension (php-ssh2); the SSH user needs admin level to commit.
$connection = ssh2_connect('192.168.1.1', 22);
if ($connection === false) die("Could not connect");
echo "Sanity check - SSH variable set<br>";
if (!ssh2_auth_password($connection, 'user', 'password')) die("Authentication failed");
echo "<br>Sanity check - SSH2 auth password<br>";
// ssh2_exec() runs each command in a non-interactive shell: there "set" is the bash
// builtin (it succeeds silently) and "commit" does not exist, so nothing changes.
// Run the commands through the EdgeOS config wrapper inside one session instead.
$wrapper = '/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper';
$cmd = "$wrapper begin; "
     . "$wrapper set firewall name WAN_IN rule 10 disable; "
     . "$wrapper commit; "
     . "$wrapper end";
$stream = ssh2_exec($connection, $cmd);
echo "<br>Sanity check - Set firewall rule and commit<br><br>";
// Echoing the resource only prints "Resource id #N"; read the command output instead.
stream_set_blocking($stream, true);
echo nl2br(htmlspecialchars(stream_get_contents($stream)));
fclose($stream);
echo "<br>Sanity check - end of script";
?>
Output:

Sanity check - SSH variable set
Sanity check - SSH2 auth password
Sanity check - Set firewall rule
Resource id #2
Sanity check - Commit
Resource id #3
Sanity check - end of script

The firewall rule is not disabled.

Any thoughts on making this work?

EdgeRouter Internet not Working on Certain Subnets

Hi All,

I'm quite new to Ubiquiti products and am currently in the process of setting up a network between numerous buildings, with various Wi-Fi access points and networks.

It is as follows:

Eth0: Internet WAN (IN) Fibre (150MBPS - May update to 1GB)
Eth1: Building 1 (Connected to TP-Link Switch) - 2 AC-Lites, 2 AC-Pros, wired connections, Cloud Key etc. (192.168.1.x) (DC Network)
Eth2: Building 2 (Connected to NanoBeam AC Gen2) - brings a separate network to another building 400m away. (192.168.2.x) (R Network)
Eth3: As above (Switch)
Eth4: Building 3: Wired directly to the building via 60m of Cat6 cable. A-Ac-Pros. 1 x network switch. (192.168.3.x) (TH Network)

Currently the Internet works on both Eth1/Eth2, but not on Eth3. Each network assigns IP addresses on specific subnets. I want, and believe I have, settings such that each Eth port is separate from the others and acts as a standalone network. All networks have the same DNS settings/Cloud Key.

Any advice would be greatly appreciated. I have made a video on YouTube which demonstrates my control panel. If you need more information please don't hesitate to contact me.

PS - I absolutely love UniFi/Ubiquiti products - they are brilliant!

https://www.youtube.com/watch?v=E67-8W5lYYQ&feature=youtu.be

DUAL WAN + DUAL LAN and PBR... why wouldn't it work?

Hi Everyone,

I really hate to post about a topic that has been covered before, but I have gone through every instruction I've read and still can't get it to work.

My setup is simple: I have two ISPs at home and I have a link to my office just a few blocks away.

What I want: LAN1 for home and LAN2 for work, each one served by ISP1 and ISP2 respectively (no load balancing). When at my office I need to be on LAN2, and when at home I have to jump from LAN2 to LAN1 and vice versa frequently.

Currently I'm able to achieve this using a couple of old home routers and switches. I wanted to upgrade the network hardware and simplify devices, so I got an EdgeRouter X.

I dove into the ER-X GUI and CLI. For typical setups the wizards worked fine; for DUAL WAN + DUAL LAN everyone points to Policy Based Routing (PBR), so that's what I did, but before that I started with a wizard for the basic configuration.

What I did:

1. Update firmware to v1.9.7+hotfix.4.5024279
2. Went through the Basic setup wizard
3. Leave eth0 as is for ISP1 w/DHCP
4. Set eth1 to DHCP for ISP2
5. Set eth2 to static 192.168.1.1 for LAN1
6. Set switch0 (eth3/eth4) to static 192.168.2.1 for LAN2
7. Include eth1 alongside eth0 in the firewall rules WAN_IN and WAN_LOCAL
8. Add the source subnet 192.168.1.0/24 (LAN1) to the masquerade for WAN1 NAT rule
9. Create a masquerade for WAN2 NAT rule adding source subnet 192.168.2.0/24 (LAN2)

Note: at this point, if I plug in WAN1, traffic from LAN1 goes out through ISP1, and the same for WAN2, but if I plug in both WANs then traffic slows down on either LAN to the point that nothing gets through, so I figured that's where policy based routing comes into play.

10. I followed this PBR tutorial
11. Replaced the VLANs mentioned in the tutorial with my WAN1 and WAN2 interfaces eth0 and eth1
12. Used the current ISPs' IPs for their respective next-hop static routes and defined table 1 for WAN1 and table 2 for WAN2
13. Set the source traffic from LAN1 192.168.1.0/24 to be routed to table 1 and LAN2 192.168.2.0/24 to table 2
14. Everything else is as described in the tutorial

The problem is that after applying PBR I get no internet at all, not even when plugging in only one WAN, which was working before PBR. I tried many variations including the obvious: deleting the WAN_IN and WAN_OUT firewall rules and the source address on the masquerade NAT rules. I even tried to skip the basic wizard and just configure the interfaces before applying PBR to avoid possible conflicting rules; it didn't work, exact same result.

I'd greatly appreciate any help to get me out of this hole.

Attached my configuration just after doing PBR.


Thanks
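As an added example (not the poster's attached config and not the tutorial's), the PBR pieces for the layout described above: table 1 for ISP1 on eth0, table 2 for ISP2 on eth1, LAN1 on eth2 and LAN2 on switch0. The next-hop addresses 203.0.113.1 and 198.51.100.1 are placeholders for whatever each ISP's DHCP hands out, and the rule 10 exception in each ruleset keeps LAN-to-LAN and LAN-to-router traffic on the main table, which tables 1 and 2 have no route for:

```text
configure

# Per-ISP routing tables; the next-hops are placeholders for the DHCP-learned gateways
set protocols static table 1 route 0.0.0.0/0 next-hop 203.0.113.1
set protocols static table 2 route 0.0.0.0/0 next-hop 198.51.100.1

# Destinations that must stay on the main table (both LANs, including the router's own addresses)
set firewall group network-group LOCAL_NETS network 192.168.1.0/24
set firewall group network-group LOCAL_NETS network 192.168.2.0/24

# LAN1 -> ISP1; rule 10 exempts local traffic before rule 20 steers the rest into table 1
set firewall modify PBR_LAN1 rule 10 description "keep local traffic on the main table"
set firewall modify PBR_LAN1 rule 10 destination group network-group LOCAL_NETS
set firewall modify PBR_LAN1 rule 10 modify table main
set firewall modify PBR_LAN1 rule 20 description "LAN1 to ISP1"
set firewall modify PBR_LAN1 rule 20 source address 192.168.1.0/24
set firewall modify PBR_LAN1 rule 20 modify table 1

# LAN2 -> ISP2, same shape
set firewall modify PBR_LAN2 rule 10 description "keep local traffic on the main table"
set firewall modify PBR_LAN2 rule 10 destination group network-group LOCAL_NETS
set firewall modify PBR_LAN2 rule 10 modify table main
set firewall modify PBR_LAN2 rule 20 description "LAN2 to ISP2"
set firewall modify PBR_LAN2 rule 20 source address 192.168.2.0/24
set firewall modify PBR_LAN2 rule 20 modify table 2

# Modify rulesets are applied inbound on the LAN-facing interfaces, where the traffic enters
set interfaces ethernet eth2 firewall in modify PBR_LAN1
set interfaces switch switch0 firewall in modify PBR_LAN2

# One masquerade per WAN, scoped to its LAN so a LAN is never NATed out through the wrong ISP
set service nat rule 5000 description "masquerade LAN1 via ISP1"
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5001 description "masquerade LAN2 via ISP2"
set service nat rule 5001 type masquerade
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 source address 192.168.2.0/24

commit ; save ; exit
```

After the commit, `show ip route table 1` and `show ip route table 2` should each list only the 0.0.0.0/0 route via the respective ISP; when an ISP's DHCP gateway changes, the table's next-hop has to be updated to match.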

 
