Channel: EdgeRouter topics

Routing to OpenVPN on external (to router) VM

I've successfully had openvpn running on my Edgerouter4 (and previously on my ERPro) connected to IPVanish to route certain subnets and addresses through the VPN. I basically used the instructions in this post about configuring PIA for the same purpose (policy based routing, etc etc).

I recently set up ESXi on a machine with dual Xeons and figured since it's running 24/7, why not make a VM to run OpenVPN client and route traffic through it since it's got a lot more CPU plus AES-NI instructions. This was successful too and I'm able to get clients on the VM's subnet to route through the VM (Ubuntu 16.04 server). With this setup my IPVanish openvpn speeds are in the 220/170 Mbps range (up & down respectively) instead of 32/32 with the ER4 handling the encryption.

My question is how to set up routing/NAT to go through this VM (10.0.12.2). Normally there is a static route and NAT rule set up like this:

static {
    table 1 {
        interface-route 0.0.0.0/0 {
            next-hop-interface vtun0 {
            }
        }
    }
}

rule 5000 {
    description IPVanish
    log disable
    outbound-interface vtun0
    protocol all
    source {
        group {
            address-group AG_IPVanish
        }
    }
    type masquerade
}

I tried this which doesn't work:

static {
    table 1 {
        route 0.0.0.0/0 {
            next-hop 10.0.12.2 {
            }
        }
    }
}

Plus I don't want to masquerade to 10.0.12.2 since the VM acting as a router is already masquerading. I tried some different combinations of SNAT and couldn't get it working.

Hopefully I'm just overthinking this and the solution is simple. Here's what I'm trying to accomplish:

Instead of masquerading IPVanish_address_group to vtun0, I want to route it to 10.0.12.2 located on eth3.15 without masquerade. Currently there are no firewall rules on eth3.15 except for the firewall modify:

 address 10.0.12.1/24
 description IPVanish2
 firewall {
     in {
         modify OPENVPN_ROUTE
     }
 }
 mtu 1500

I don't think it matters, but the OpenVPN connection on the VM is made through 10.0.10.1 located on eth2.

Thanks for reading.

Best vpn configuration for android client? (wake on lan, or better wake on wol) ?

Hello all!

What's the best VPN configuration for Android clients?

Sometimes I need to send a magic packet to my server.

I tried PPTP and it works fine, but it lacks security.

Also tried L2TP like this (L2TP over PPPoE)

After I apply these changes my IPsec tunnels stop working.

Does anyone know why it happens?

L2TP Settings:

configure
set firewall name INTERNET_LOCAL rule 11 action accept
set firewall name INTERNET_LOCAL rule 11 description 'permitir L2TP'
set firewall name INTERNET_LOCAL rule 11 destination port 500,1701,4500
set firewall name INTERNET_LOCAL rule 11 protocol udp
set firewall name INTERNET_LOCAL rule 12 action accept
set firewall name INTERNET_LOCAL rule 12 description 'permitir ESP'
set firewall name INTERNET_LOCAL rule 12 protocol esp
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access outside-address 0.0.0.0
set vpn l2tp remote-access client-ip-pool start 192.168.3.200 
set vpn l2tp remote-access client-ip-pool stop 192.168.3.220
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret xxxxxxx
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username xxxxxx password xxxxx
set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
commit
save

L2TP server issues

We are having some trouble with our L2TP access after swapping our old routing equipment for an ERPro8.

Users were reporting intermittent failures trying to connect. After a bit of troubleshooting I figured out that the ERPro8 is only allowing one L2TP session from any device that had NAT and more than one client trying to connect. So if one person dialed in, any subsequent users trying to connect from that network fail.

This was not an issue with our old router; is this a configuration issue?

This is really crippling our remote access. We have a few sites where:

1. I don't have any control over the network/routing equipment at the client end, so site-to-site will not work (we may be behind a NAT already)

2. It's not possible to bring in our own ISP.

Is this something that can be fixed via configuration?

Powering two devices from one ER-X-SFP port?

I can't seem to confirm this 100% from previous posts, so just want to be sure:

I would like to use one port from an ER-X-SFP (main basement switch) to power an ER-X (uplinked upstairs) and power a UAP-AC-Lite connected to that same ER-X's PoE passthrough. Both ERs would be used as switches only:

[attached image: daisylink-ERs - Page 1.png]

I just want to confirm there is enough capacity on a single ER-X-SFP PoE port to power both devices like this.

Thanks very much.

DUAL WAN FAILOVER ERX {FIRMWARE BUGGY??}

I've searched through discussion boards and visited every support forum with little to no success; this just happens to be my final attempt to get this working. I currently have dual WAN failover configured with static IP addresses on eth1 and eth2 with static routes configured, but it seems that whenever I make the connection on eth2 I lose access to the internet and have to disable the static route on eth2 to resolve it. After that I noticed there are two different routes that were not configured. Can anyone shed some light on this?

SV-Admin@cfi:~$ show configuration all
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify balance {
        rule 1 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 3 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 4 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
            }
            modify {
                table main
            }
        }
        rule 7 {
            action modify
            modify {
                lb-group LAN_NETWORKS
            }
        }
    }
    name CORPORATE_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Corporate to Corporate"
            destination {
                group {
                    address-group NETv4_eth0.2
                }
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop corporate to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    name CORPORATE_LOCAL {
        default-action drop
        rule 1 {
            action accept
            description "DHCP Server"
            destination {
                port 67
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow corporate DNS"
            destination {
                address 192.168.1.1
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name GUEST_IN {
        default-action accept
        rule 1 {
            action drop
            description "Drop guests to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action drop
        rule 1 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow guests DNS"
            destination {
                address 192.168.1.1
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 3 {
            action drop
            description "Drop guests to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    name VIDEO_IN {
        default-action accept
        rule 1 {
            action drop
            description "Drop video to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    name VIDEO_LOCAL {
        default-action drop
        rule 1 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow video DNS"
            destination {
                address 192.168.1.1
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name VOIP_IN {
        default-action accept
        rule 1 {
            action drop
            description "Drop voip to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    name VOIP_LOCAL {
        default-action drop
        rule 1 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow voip DNS"
            destination {
                address 192.168.1.1
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description Remote_to_Applianz
            destination {
                address 192.168.2.3
                port 30000-30060
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 4 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 5 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 6 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Management
        duplex auto
        mtu 1500
        speed auto
        vif 2 {
            address 192.168.2.1/24
            description Corporate
            firewall {
                in {
                    name CORPORATE_IN
                }
                local {
                    name CORPORATE_LOCAL
                }
            }
            mtu 1500
        }
        vif 3 {
            address 192.168.3.1/24
            description Guest
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
            mtu 1500
        }
        vif 4 {
            address 192.168.4.1/24
            description VOIP
            firewall {
                in {
                    name VIDEO_IN
                }
                local {
                    name VIDEO_LOCAL
                }
            }
            mtu 1500
        }
        vif 5 {
            address 192.168.5.1/24
            description Video
            firewall {
                in {
                    name VOIP_IN
                }
                local {
                    name VOIP_LOCAL
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        address xxx.xxx.xxx.xxx/xx
        description WAN_MAIN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        mtu 1500
        speed auto
    }
    ethernet eth2 {
        address xxx.xxx.xxx.xxx/xx
        description WAN_BACKUP
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        mtu 1500
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        mtu 1500
    }
}
load-balance {
    group WAN_FAILOVER {
        interface eth1 {
            route-test {
                count {
                    failure 3
                    success 3
                }
                initial-delay 10
                interval 5
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
        }
        interface eth2 {
            failover-only
        }
        lb-local disable
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop xxx.xxx.xxx.xxx {
                description "ISP [ Smartnet ]"
                disable
            }
            next-hop xxx.xxx.xxx.xxx {
                description "ISP [ Surge Broadband ]"
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Corporate {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.1.1
                lease 28800
                start 192.168.2.96 {
                    stop 192.168.2.146
                }
                static-mapping Annette_PC {
                    ip-address 192.168.2.18
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Applianz {
                    ip-address 192.168.2.3
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping BROTHER_MFC_L2740DW {
                    ip-address 192.168.2.65
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping BROTHER_MFC_L5850DW {
                    ip-address 192.168.2.66
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping BROTHER_MFC_L8900CDW {
                    ip-address 192.168.2.67
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping CC-MACHINE {
                    ip-address 192.168.2.78
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Howard_PC {
                    ip-address 192.168.2.17
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Joe_PC {
                    ip-address 192.168.2.19
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping WorkStation_1 {
                    ip-address 192.168.2.20
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping WorkStation_3 {
                    ip-address 192.168.2.21
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping WorkStation_4 {
                    ip-address 192.168.2.22
                    mac-address xx:xx:xx:xx:xx:xx
                }
                unifi-controller 192.168.1.3
            }
        }
        shared-network-name Guest {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.1.1
                lease 1800
                start 192.168.3.101 {
                    stop 192.168.3.130
                }
                unifi-controller 192.168.1.3
            }
        }
        shared-network-name VOIP {
            authoritative disable
            disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.1.1
                lease 86400
                unifi-controller 192.168.1.3
            }
        }
        shared-network-name Video {
            authoritative disable
            disable
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 192.168.1.1
                lease 86400
                unifi-controller 192.168.1.3
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 500
            listen-on eth0.2
            listen-on eth0.3
            listen-on eth0.4
            listen-on eth0.5
            name-server 8.8.8.8
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description Remote_to_Applianz
            destination {
                address xxx.xxx.xxx.xxx
                port 30000-30060
            }
            inbound-interface eth1
            inside-address {
                address 192.168.2.3
                port 30000-30060
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description Remote_to_Applianz_2
            destination {
                address xxx.xxx.xxx.xxx
                port 30000-30060
            }
            inbound-interface eth2
            inside-address {
                address 192.168.2.3
                port 30000-30060
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5002 {
            description "masquerade for WAN"
            outbound-interface eth1
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN 2"
            outbound-interface eth2
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name cfi.east.r1
    login {
        user SV-Admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "xxx"
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/St_Thomas
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth1
            interface eth2
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username xxxxxxxx {
                        password ****************
                    }
                    username xxxxxx {
                        password ****************
                        static-ip 192.168.1.13
                    }
                    username xxxxxxxxxx {
                        password ****************
                        static-ip 192.168.1.14
                    }
                }
                mode local
                require mschap-v2
            }
            client-ip-pool {
                start 192.168.2.49
                stop 192.168.2.62
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            outside-address 0.0.0.0
        }
    }
}
SV-Admin@cfi:~$

[BUG] DDNS updates only one service

Firmware 1.10.0, ER-X

I have two DDNS service providers defined as shown in the picture.

[attached image: ddns.png]

This ddclient config is written to /etc/ddclient/ddclient_pppoe0.conf, and I can see two entries there, one for each of my service providers.

However, during a DDNS update only the service provider that is in the last position in the config gets updated; the first one is ignored.

For example, with this config:

root@router-brano:~# cat /etc/ddclient/ddclient_pppoe0.conf 
#
# autogenerated by vyatta-dynamic-dns.pl on Tue Feb 13 23:29:27 EST 2018
#
daemon=1m
syslog=yes
ssl=yes
pid=/var/run/ddclient/ddclient_pppoe0.pid
cache=/var/cache/ddclient/ddclient_pppoe0.cache
use=web, web='dyndns'


server=members.dyndns.org,protocol=dyndns2
max-interval=28d
login=xxx
password=yyy
xxx.mydomain.com

server=updates.opendns.com,protocol=dyndns2
max-interval=28d
login=xxx
password=yyy
xxx.mydomain.com

Only the last entry - opendns - will get updated on IP change.
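
As an added example (not part of the post and not ddclient's own code), here is a small Python model of how ddclient binds option lines to hostnames. It rests on one assumption, which should be checked against ddclient.pl before relying on it: ddclient keeps its host table keyed by hostname, so a second definition of the same hostname replaces the first rather than adding a second update target. Under that assumption the layout in the post, where one hostname appears under both providers, collapses to a single entry carrying whichever `server=` was seen last, which is exactly the symptom described; giving each provider its own hostname yields two targets. The config strings, the hostnames, and the helper names `parse_ddclient` and `update_plan` are all constructed for this example.

```python
"""Model of how ddclient binds option lines to hostnames.

Added example, not ddclient's own code. Assumption being modelled: lines of
`key=value` accumulate into the options in force, a line carrying hostnames
creates one entry per hostname from those options, and entries are stored
in a table keyed by hostname, so a later definition of the same hostname
replaces the earlier one.
"""


def parse_ddclient(text):
    """Return {hostname: options} for a ddclient-style config string.

    Limitation of this model: quoted values containing commas or spaces are
    not handled (ddclient's real tokenizer is more forgiving).
    """
    in_force = {}   # options set by lines that carry no hostname
    hosts = {}      # hostname -> options snapshot; keyed by name, later wins
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        assignments, names = {}, []
        for part in line.split(","):
            tokens = part.split()
            if not tokens:
                continue
            if "=" in tokens[0]:
                # `key=value [host ...]`: an assignment, optionally followed
                # by hostnames on the same line
                key, value = tokens[0].split("=", 1)
                assignments[key.strip()] = value.strip().strip("'\"")
                names.extend(tokens[1:])
            else:
                names.extend(tokens)     # bare hostname(s)
        if names:
            for name in names:
                # snapshot of the options in force plus this line's own;
                # a repeated hostname overwrites the earlier entry here
                hosts[name] = {**in_force, **assignments}
        else:
            in_force.update(assignments)
    return hosts


def update_plan(hosts):
    """(server, hostname) pairs ddclient would try to update, in order."""
    return [(opts.get("server"), name) for name, opts in hosts.items()]


# Constructed copy of the layout in the post: the same hostname listed under
# two providers (credentials and the hostname are placeholders).
SAME_HOST_CONF = """\
daemon=1m
syslog=yes
ssl=yes
use=web, web='dyndns'

server=members.dyndns.org,protocol=dyndns2
max-interval=28d
login=xxx
password=yyy
xxx.mydomain.com

server=updates.opendns.com,protocol=dyndns2
max-interval=28d
login=xxx
password=yyy
xxx.mydomain.com
"""

# Constructed variant with a distinct hostname per provider.
DISTINCT_HOSTS_CONF = """\
daemon=1m
use=web, web='dyndns'

server=members.dyndns.org,protocol=dyndns2
login=xxx
password=yyy
home.example.net

server=updates.opendns.com,protocol=dyndns2
login=xxx
password=yyy
home-odns.example.net
"""


if __name__ == "__main__":
    for label, conf in (("same host", SAME_HOST_CONF),
                        ("distinct hosts", DISTINCT_HOSTS_CONF)):
        print(f"{label}: {update_plan(parse_ddclient(conf))}")
```

If the two entries in the real file really do share one hostname, a distinct hostname per provider (or a separate ddclient config per provider) is the first thing to test; if the real hostnames already differ, this model does not explain the symptom and the cause lies elsewhere.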

Edgerouter ER X SFP Vlan question

Hello all,

Very new to Ubiquiti equipment so I have a question about a possible setup. We are looking to use an ER X SFP in the following scenario:

e0 - Static public IP from ISP.

e1 - LAN with only 1 PC (hosting screenconnect so will need ports forwarded)

e2 - Unifi AP lite with internal wifi (on diff vlan from e1) and guest wifi (open wifi with limited bandwidth, on 3rd vlan)

Vlans need to be separate with no connectivity to each other, only to e0 for internet access.

Attached is a basic diagram in paint of what I envisioned. Is this doable on the ERXsfp without using an extra switch, only the ports in the ERXsfp itself?

Thanks in advance!

Voice quality issues

Hi All,

We have shifted to a hosted Mitel VoIP solution provided by our ISP, and since day 1 we have been experiencing inbound voice quality issues. This has resulted in extremely bad call quality for softphone users. Interestingly, we do have Mitel branded handsets and Cisco ATAs that don't exhibit the same call quality issues. Calls out are fine; we can work around the inbound call quality issue by putting the caller on hold and taking them off again, but this is obviously undesirable.

None of this is a problem with a cloud hosted FreePBX server and a single test DDI (hosted on VULTR). Calls in and out are absolutely fine, which is mildly amusing.

Our setup is:

Core Switch (Allied Telesis Switchblade x8100) ------ Palo Alto 5020 -------- UBNT ER-PRO --------- ISP Juniper SRX

Some notes:

1) ATAs are configured to connect to the same server address as softphone clients

2) SIP ALG is disabled on both the PA and the UBNT

3) 1Gbps bidirectional internet pipe

4) QoS is enabled on both the PA and the UBNT

5) 1.10.0 firmware with UNMS enabled

Our ISP has been helping us troubleshoot this and they have indicated that something is adding SDP information to traffic that is traversing our gear; that is creating issues with their SBCs, as they don't support the attribute, which in turn is causing a drop at every 5th packet.

So I'm now on a mission to find what's adding the SDP info, rule out the UBNT router and potentially look at the PA as the culprit.

I'm hoping the VoIP gurus in the UBNT community can assist me here. Many thanks in advance.

Site to site vpn between EdgeRouter Lite and Digital Ocean droplet

Hi guys,

I have an EdgeRouter Lite at home and I want to connect it to a Digital Ocean droplet I have, so all the traffic coming into the EdgeRouter can exit through the remote droplet. I know I just need to set up a simple site-to-site VPN between the EdgeRouter and the droplet, but what's the simplest way to do it? Should I use a simple IPsec VPN? Do you have any tutorial to install this VPN on the Digital Ocean droplet?

Best regards

Edgerouter to OpenVPN Access Server

I'm trying to set up a connection between an ER-3 and an OpenVPN Access Server I've set up. Based on the instructions I've read on this forum, it should be very easy. Download the config file from the Access Server, upload it to the router, enter this code:

set interfaces openvpn vtun0 config-file /config/client.ovpn
commit
save

I've also gone into the config file and added:

auth-user-pass auth.txt

Then I created a file auth.txt with the first line being the username, and the second line being the password. I uploaded that to the EdgeRouter and it stopped giving me the "Enter Auth Username: failed to start OpenVPN" error; however, the client still does not start. I'm getting this error:

OpenVPN configuration error: Failed to start OpenVPN tunnel

I've tested this configuration and it works in Windows to connect to the Access Server. I can't seem to find a log file or what exactly is missing to cause the client not to connect. And the original thread that had these instructions here is 4 years old with no further information.

ERLITE-3 DHCP Server "ignore unknown-clients" Option

Folks,

I used to have a Raspberry Pi as my DHCP server; now I bought a brand new ERLITE-3 and want to migrate the DHCP server to the new router. In my old settings I don't allow unregistered MACs to get an IP, by using "ignore unknown-clients" in the dhcpd.conf file. Does anyone here know how to configure this feature on the ERLITE-3?

Thanks

IPSEC VTI over ipv6 | Local-address ipv6 not used

Hi,

As a new user of UBNT products, I'm trying to set up an IPsec VPN over IPv6 using VTI. My IPsec packets will carry IPv4 unicast packets.

I have followed some tutorials on the KB, but none works with IPv6. Every configuration commit rejects the "local-address" line. Do you have any hint regarding this issue?

Please find below my VPN setup:

vpn {
     ipsec {
         auto-firewall-nat-exclude enable
         esp-group FOO0 {
             lifetime 3600
             pfs enable
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ike-group FOO0 {
             dead-peer-detection {
                 action restart
                 interval 15
                 timeout 30
             }
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
+        site-to-site {
+            peer 2a06:8bc0:XXX:XXXX:: {
+                authentication {
+                    mode pre-shared-secret
+                    pre-shared-secret XXXXXXXXX
+                }
+                connection-type initiate
+                description TEST
+                ike-group FOO0
+                local-address 2a01:e35:2e10:a3d0:f29f:c2ff:fe11:d8b0
+                vti {
+                    bind vti0
+                    esp-group FOO0
+                }
+            }
+        }
     }

When I commit, I get the following messages:

Error: an IP address is expected rather than "2a01:e35:2e10:a3d0:f29f:c2ff:fe11:d8b0"
Cannot find device "vti0"
Cannot find device "vti0"
Cannot find device "vti0"
sysctl: cannot stat /proc/sys/net/ipv4/conf/vti0/disable_policy: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv4/conf/vti0/disable_xfrm: No such file or directory

Thanks.

Voice quality issues

$
0
0

Hi All,

 

We have shifted to a hosted Mitel VOIP solution provided by our ISP, since day 1 we have been experiencing voice quality issues inbound. This has resulted in extremely bad call quality to softphone users. Interestingly, we do have Mitel branded handsets and cisco ATA's that don't exhibit the same call quality issues. Calls out are fine, we can workaround the inbound call quality issue by putting the caller on hold and taking them off again - but this is obviously undesirable.

 

None of this is a problem with a cloud hosted FreePBX server and a single test DDI (hosted on VULTR). Calls in and out are absolutely fine, which is mildly amusing.

 

Our setup is:

 

Core Switch (Allied Telesis Switchblade x8100) ------ Palo Alto 5020 -------- UBNT ER-PRO --------- ISP Juniper SRX  

 

Some notes:

 

1) ATA's are configured to connect to the same server address as softphone clients

2) SIP ALG is disabled on both the PA and the UBNT

3) 1Gbps bidirectional internet pipe

4) QOS is enabled on both the PA and the UBNT

5) 1.10.0 firmware with UNMS enabled

 

Our ISP has been helping us troubleshoot this and they have indicated that something is adding SDP information to traffic that is traversing our gear, that is creating issues with their SBC's as they don't support the attribute which in turn is causing a drop at every 5th packet.

 

So I'm now on a mission to find what's adding the SDP info, rule out the UBNT router and potentially look at the PA as the culprit.

 

I'm hoping the VoIP gurus in the UBNT community can assist me here. Many thanks in advance.

Er-X Web Page Loading Issues


New user to Ubiquiti gear and wow, it's fantastic so far. I am running Fios Gigabit via ethernet right into the ER-X along with 2x AP-AC-Lites (one on either end of the house). It's a really basic setup from a config standpoint.

I was using firmware 1.9.7 hotfix 4 and had hardware offload enabled. Speeds were fantastic, 950/950. What I did notice, though, was that certain web pages (Facebook, YouTube for example) wouldn't load fully or properly. For example on Facebook, albums with pictures would just load a black picture, and then load in on refresh. YouTube wouldn't buffer or would freeze when skipping video. To note: I never had any load issues when using my Archer C7s.

 

I updated to the latest 1.1.0 firmware yesterday and saw a post from  in the thread about offloading issues where browsing becomes slow and unresponsive / pages don't load. I figured I'd make a post to check if anyone had any suggestions.

If I disable hardware offloading - everything is snappy and responsive, loads perfect and seems to function like it should. I read into MTU and TCP MSS Clamping - both are in their default state right now (MTU = 1500 and TCP MSS is disabled).

Is this standard for having hardware offload enabled? Will post configs if needed - Any help is greatly appreciated,  thanks! 

ER-X Web Page Load Issues (slow/unresponsive)


New user to Ubiquiti gear - loving it so far. I am running an Er-X with 2x ap-ac-lites with ethernet from my fios ONT right into the er-x.

I was previously running the 1.9.7 hotfix 4 with a pretty basic setup. I noticed with hardware offload enabled that web pages elements would randomly be really slow to load. I noticed this most frequently with facebook where image albums wouldn't load or present a black box, and then all of a sudden load in on refresh or after waiting. I also noticed youtube videos wouldn't buffer properly or freeze when fast forwarding sometimes.

I upgraded to the latest 1.1.0 and the issue still persists with hardware offload enabled. If I disable hardware offload, everything seems to run flawlessly, with zero load issues on the exact same sites. Please also note that when using my Archer C7s, I had zero load issues.

Is this expected performance with hardware offload enabled? I did read about MTU and MSS Clamping, both are in their default state (MTU = 1500 and MSS Clamping = disabled). This seemed to be more of an issue when using PPPoE from what I was reading?

Will post configs if necessary (not around the cpu right now), thanks for any help or suggestions!


Destination NAT with Masquerade


I have a scenario where an EdgeRouter is deployed to a remote location, receives a DHCP address from the LAN, builds a tunnel back to the datacenter, and needs to allow a print server to print to a printer on the LAN. The issue is the LAN uses the 192.168.1.0/24 subnet, which overlaps all over the place, and I can not change this. Nor can I create a route for this subnet on the print server.

 

What I want to do is

 

Print server -> VPN server -> vtun0 on EdgeRouter -> masquerade to eth1 on EdgeRouter -> LAN

 

Destination NAT does not masquerade, and normally you don't want it to, so the printer responds by trying to route through the default gateway on the LAN subnet.

 

Is there a way to have destination NAT rules where they are masqueraded through the forwarded interface?
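An added example, not from the original post, of the pairing the question asks for. EdgeOS keeps destination NAT and source NAT as separate rules, so the answer is a DNAT rule on vtun0 plus a masquerade rule on eth1 scoped to the same flow: the printer then sees the router's eth1 address as the client and answers to it, instead of sending replies to the LAN's default gateway. Assumed addressing: the print server is 10.50.0.20 at the datacenter, it prints to 10.99.1.50 (an address routed over the VPN to this router, not the printer's real address), the printer is 192.168.1.50 on the remote LAN, and printing is raw TCP 9100.

```text
# Destination NAT (rule numbers below 5000): the print server sends to an address
# that is routed over the tunnel to this router; rewrite it to the LAN printer.
set service nat rule 10 description "Print server -> LAN printer"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface vtun0
set service nat rule 10 protocol tcp
set service nat rule 10 source address 10.50.0.20
set service nat rule 10 destination address 10.99.1.50
set service nat rule 10 destination port 9100
set service nat rule 10 inside-address address 192.168.1.50
set service nat rule 10 inside-address port 9100

# Source NAT (rule numbers 5000 and up), scoped to the same flow only: the printer
# sees eth1's LAN address as the client, so its replies come back to this router.
set service nat rule 5010 description "Masquerade print traffic toward LAN"
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol tcp
set service nat rule 5010 destination address 192.168.1.50
set service nat rule 5010 destination port 9100

# Firewall on the tunnel: only this flow may enter the LAN from the VPN.
# The interface firewall runs after DNAT, so it matches the translated address.
set firewall name VPN_IN default-action drop
set firewall name VPN_IN rule 10 action accept
set firewall name VPN_IN rule 10 description "Allow established/related"
set firewall name VPN_IN rule 10 state established enable
set firewall name VPN_IN rule 10 state related enable
set firewall name VPN_IN rule 20 action accept
set firewall name VPN_IN rule 20 description "Print server to printer only"
set firewall name VPN_IN rule 20 protocol tcp
set firewall name VPN_IN rule 20 source address 10.50.0.20
set firewall name VPN_IN rule 20 destination address 192.168.1.50
set firewall name VPN_IN rule 20 destination port 9100
set interfaces openvpn vtun0 firewall in name VPN_IN

commit
save
```

The VPN server end needs a route for 10.99.1.50/32 toward this router's tunnel address. Because the masquerade rule is limited to the printer and port, nothing else on the LAN is reached through it, and `show nat statistics` (or `sudo iptables -t nat -vnL` on the router) shows whether both rules are matching.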

ER4 - 100% cpu - acpid sshd


Hello all,

 

I have an ER-4 out in the field acting a little crazy.  The router reports disconnects (I'm assuming the IPsec tunnel is dropping) through UNMS, but the uptime on the device is 7 days.  Each time I get a message from UNMS, it states the router has disconnected and CPU is at 100%.  I just SSH'd into the router and here is what I am seeing for CPU usage:

 

[Image: ER-4 100% CPU USAGE - IPSEC TUNNEL DISCONNECTING]

 

Can't Connect to Edge after I plug in my WAN connection


I'm working on a lab network, and I'm getting stumped by this issue.

 

I have an EdgeRouter ER-X running EdgeRouter X v1.9.7+hotfix.4.  I used the WAN+2LAN wizard to set up the router.  I am able to get my device set up and running, and I can connect to it at this point.  The next step I do is connect my WAN cable to the router.  When I plug it in, I can no longer use the GUI or ping the device.  The WAN connection is a DHCP connection.  When I use my machine connected to the WAN cable, I can get to the Internet.  I'm not sure how to troubleshoot this issue.

Edgerouter X port forwarding issues


I recently purchased a domain name and am trying to get my Edgerouter X to allow me to remotely access my Zoneminder server, but port forwarding does not seem to be working at all.  I have finally been able to get into my router remotely and have the ddns working properly, however I cannot seem to get any deeper into my network.

 

- I am currently running 1.9.7+hotfix.4

- I have switched modems a few times recently, but believe I currently am using an ARRIS SURFboard SBG6580

- Port forwarding does not seem to be creating the correct rulesets in the firewall.  Unless I manually edit the rules (as I have done in the Wan_Local) the ports remain closed.  Once I apply the rules to the ports, I can then view them remotely.  This is the only way that I have been successful getting into the router

- I have tried manually setting the forwarding using DNAT and have no luck there either.

- Zoneminder can be accessed from inside my network using the specified ip address that I have pointed the ER-X to.

- A Netstat on Zoneminder shows it to be listening on 80 & 22.

 

This shouldn't be so hard to get functioning, but I have read hours of forum postings and spent a lot of time troubleshooting this setup.  At this point I am very frustrated with this Ubiquiti product and am hoping some fresh eyes may see something I have not.

 

Configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Edgerouter X"
            destination {
                port 10002,443,53
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address xxx.xxx.x.2/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description "Edgerouter X"
        forward-to {
            address xxx.xxx.x.2
            port 10002
        }
        original-port 10002
        protocol tcp_udp
    }
    rule 2 {
        description "Edgerouter X"
        forward-to {
            address xxx.xxx.x.2
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 3 {
        description "Edgerouter X"
        forward-to {
            address xxx.xxx.x.2
            port 53
        }
        original-port 53
        protocol tcp_udp
    }
    rule 4 {
        description "Zoneminder GUI"
        forward-to {
            address xxx.xxx.x.6
            port 80
        }
        original-port 10006
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet xxx.xxx.x.0/24 {
                default-router xxx.xxx.x.2
                dns-server xxx.xxx.x.2
                lease 86400
                start 1xxx.xxx.x.38 {
                    stop xxx.xxx.x.243
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-Google_Domain {
                    host-name hostname.net
                    login my login
                    password ****************
                    protocol dyndns2
                    server domains.google.com
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 10002
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "My Name"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
}
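An added example, not from the original post, covering two things a reviewer would raise about the configuration above before looking at the Zoneminder forward. First, port-forward rules 1 to 3 send WAN ports 10002, 443 and 53 to xxx.xxx.x.2, which is the router's own switch0 address; a DNAT to an address the router owns still terminates on the router and still passes through WAN_LOCAL, so those three forwards add nothing, and WAN_LOCAL rule 20 is what actually opens the web GUI (`gui http-port 10002`, `https-port 443`) and the DNS port to every address on the internet. Second, two checks before chasing rule 4: `show interfaces` should show a public address on eth0 (the SBG6580 is a modem/router combo, and in gateway mode the ER-X sits behind a second NAT where the forward has to be created as well), and `sudo iptables -t nat -vnL PREROUTING` shows whether the DNAT rule for port 10006 is matching at all. The example below keeps remote management but limits it to known source addresses (203.0.113.10 is an assumed placeholder), drops the DNS exposure, and removes the `older-ciphers` setting.

```text
# The three forwards to the router's own address are redundant: WAN_LOCAL decides
# whether the router's ports are reachable, not port-forward.
delete port-forward rule 1
delete port-forward rule 2
delete port-forward rule 3

# Remote admin only from trusted sources (placeholder address; add your own).
set firewall group address-group MGMT_SRC description "Trusted remote admin sources"
set firewall group address-group MGMT_SRC address 203.0.113.10

# Rewrite WAN_LOCAL rule 20: TCP only, GUI ports only, trusted sources only.
# Port 53 is no longer accepted from the WAN; the resolver serves switch0 clients.
set firewall name WAN_LOCAL rule 20 description "Router GUI from trusted sources only"
set firewall name WAN_LOCAL rule 20 protocol tcp
set firewall name WAN_LOCAL rule 20 destination port 443,10002
set firewall name WAN_LOCAL rule 20 source group address-group MGMT_SRC
set firewall name WAN_LOCAL rule 20 log enable

# Zoneminder is HTTP, so forward TCP only; auto-firewall adds the WAN_IN accept.
set port-forward rule 4 protocol tcp

# Modern TLS only on the GUI.
delete service gui older-ciphers

commit
save
```

Restricting the source is the minimum; the better long-term arrangement is to not expose the GUI at all and reach it over a VPN into the router. If `iptables -t nat -vnL PREROUTING` shows the port 10006 counter staying at zero while you test from outside, the packets are not arriving on eth0, which points at the modem in front of the ER-X rather than at the EdgeOS configuration.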

EdgeRouter Lite CPU Issues


Hello, I just purchased an EdgeRouter Lite and setup a very basic configuration using the Wizard. I enabled off-loading for IPv4 as well.

 

However, the CPU seems to be jumping around like crazy with not even 50% of my pipe used. Running at about 250 Mbps up and down, CPU is at 90%-ish. I randomly get drops and latency from the CPU spiking. My internet connection is 1 Gbps, so I'm worried this unit isn't designed to handle that kind of traffic?

 

Is this normal usage for this bandwidth? I haven't even configured a single VPN user yet.

 

 
