Edge Router X connecting to UNMS
Hello, I have 2 Edge Router X; 1 of them is turned into a switch. I am trying to connect them to my cloud-based UNMS server. The one Edge Router which is the main router connects with no issues. The other Edge Router, which is connected via fiber to the main Edge Router, will not connect to the UNMS controller. I have multiple APs that connect to UNMS through the switch that won't connect. Has anyone else run into this problem?
Routing port 80 to internal webserver, same URL for internal + external use
Hi, I'm a new EdgeRouter X user trying to figure out how to get up and running. I run an internal web server that I want to be visible from the outside world on port 80 as well as reachable at the same URL on the internal network.
This seems... extremely difficult to do on the EdgeRouter. The Port Forwarding tab appears to do nothing for either internal or external use; port 80 is consistently hijacked by the EdgeRouter's own software, even if I change the default port. I managed to follow some helpful advice about configuring NAT manually to force port 80 to forward for outside traffic, so that's working.
Unfortunately, I still can't get that same URL to load internally--it's hijacked by the EdgeRouter's own webserver and redirected to an https 404 page every single time. The NAT Hairpin checkbox doesn't work, nor does anything else in Port Forwarding. And I can't figure out an alternative way to get local traffic that's hitting the EdgeRouter to instead be forwarded to the webserver.
Any advice or suggestions?
Thanks.
NAT Hairpin not working, HELP
Hi, I have a problem with NAT hairpin. I am using 1:1 NAT from local IP 192.168.1.254 to public 82.119.119.xxx; I need to hairpin this IP to use the domain on the local network. My router settings:
eth0 - WAN (5 static IPs)
eth1 - reserved secondary WAN (not connected)
eth2 - VLAN 2.10, local network 192.168.1.0/24
Please HELP me.
So what happens to my IPsec VPN when my ISP goes to half-baked DS-Lite
So I have a pretty simple setup
4 sites, all EdgeRouters with VPNs and VTI tunnels and OSPF.
Now my ISP says that it will start using DS-Lite.
DS-Lite will break my VPNs and VTI tunnels.
What are my options?
IPsec over IPv6, then create VTI tunnels, then run OSPFv3?
And how does this work, seeing that each IPv6 IP is a public address?
Just trying to plan for the future with my 4 sites.
Thanks
Edgerouter GUI broken 1.10 - no CPU speed, no firewall stats, no traffic analysis
Hi folks,
One of my routers running 1.10 just pulled a similar doozy to the known problem in 1.9.0 - see previous discussion - https://community.ubnt.com/t5/EdgeMAX/1-9-0-broke-dashboard-for-me-using-Firefox/td-p/1643729/highlight/true
In my case I needed to reinstall the firmware and reboot the router to get the GUIs back working properly - which is always a bit of a terrifying experience with an EdgeRouter Lite 3 given the possibility that any given reboot might be your last with the USB problems..
M
Creating a splash page in EdgeMAX
Hello,
I have an EdgeMax router and on:
eth0: I have connected an ADSL modem
eth1 (192.168.1.1/24): switch for local network
eth2 (192.168.2.1/24): nanostation loco m2 (directed south) sending internet to other nanostation loco m2 antennas
eth3 (192.168.3.1/24): nanostation loco m2 (directed north) sending internet to other nanostation loco m2 antennas
eth4 (192.168.4.1/24): nanostation loco m2 (directed west) sending internet to other nanostation loco m2 antennas
What I want to do, without changing firmware, is to have a splash page for the guests accessing the router from any of the 3 nanostation loco m2 antennas.
Do I need to connect a UniFi Security Gateway Enterprise Gateway Router with Gigabit Ethernet (USG) on each ethernet (2,3 & 4) ?
Thanks
Check route reachability
Hello team,
I'd like to set up failover between 2 WAN connections based on reachability of the primary ISP IP (not a directly connected IP subnet). The ISP has just static configured towards our network. Is there a way to do it?
Basically I'd like to do something similar to the MikroTik command:
/ip route check-gateway=ping distance=1 gateway=a.b.c.d
Router: Edge Pro
Force POE on ER8p
Hi,
I have a situation where I need to enable PoE on a port on EdgePoint 8 while the link is on. This is prohibited by default. The point is that I am extracting power from this port and powering another device. Anyway, I figured the key is setting
/sys/module/ubnt_platform/ethX/poe
to the right value; however I am not sure what the correct value is, since it is a port capable of doing 24/48 V (eth2) and I need only 24V - 4 pair. Does anybody know what the right setting is? It would save some climbing in very cold weather...
Firewall starts to run only after reboot ?
Hello
I have 2 routers Edgerouter Pro v. 1.10.0.
I noticed that the ACCEPT and other rules on the firewall start to run only after rebooting the router.
Unfortunately, one router cannot reboot; it must work all the time. Is there any possibility to activate the firewall without rebooting the router?
Port forwarding
Hello,
Usually I read community and experiment with configuration, but this time my knowledge and practice is not enough.
The issue:
We have a small company; the main router is an EdgeRouter PoE 5 and we usually use our inner server, files.domain.com, for file exchange with other companies.
Initially I set up the router in Port Forwarding menu and everything worked fine except firewall (https://community.ubnt.com/t5/EdgeMAX/GEO-IP-Blocking/td-p/754928/page/2) and in the log files of the server I could find a lot of scanners and bruteforcers. Then I read somewhere that you should do port forwarding via NAT - so that firewall rules apply. And that worked!
It seemed that I solved the problem, but now I can't solve another one: the automatic switch of port 80 to port 443 (as it had been before, when I used Port Forwarding). Port 80 is needed for the correct functioning of Let's Encrypt.
What do I want to get in the end?
I want to do NAT hairpins for LAN1 and LAN2 and redirecting from 80 to 443 port -
http://files.domainn.com >> https://files.domainn.com
Network topology
Configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group ET-A {
        }
        network-group ET-N {
        }
        port-group CL-F {
            description "Cloud port forwarding"
            port 80
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name GUEST_IN {
        default-action accept
        description ""
        rule 20 {
            action drop
            description "block access to the resources of the company"
            destination {
                address 192.168.1.0/24
            }
            log disable
            protocol all
            source {
            }
        }
        rule 30 {
            action drop
            description "block access to the resources of the company"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description ""
        rule 10 {
            action drop
            description "drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 20 {
            action accept
            description "accept established / related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action accept
            description "accept dest udp port 53 (for DNS)"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description "accept dest udp port 67 (for DHCP)"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    name LAN_IN {
        default-action accept
        rule 10 {
            action reject
            description "Cam1 only local"
            destination {
                address !192.168.1.0/24
            }
            log disable
            source {
                address 192.168.1.6
            }
        }
        rule 20 {
            action reject
            description "Cam2 only local"
            destination {
                address !192.168.1.0/24
            }
            log disable
            source {
                address 192.168.1.7
            }
        }
        rule 30 {
            action reject
            description "ipmi pve only local"
            destination {
                address !192.168.1.0/24
            }
            log disable
            source {
                address 192.168.1.3
            }
        }
        rule 40 {
            action reject
            description "ipmi panzer only local"
            destination {
                address !192.168.1.0/24
            }
            log disable
            source {
                address 192.168.1.4
            }
        }
        rule 41 {
            action reject
            description "controller AC only local"
            destination {
                address !192.168.1.0/24
            }
            disable
            log disable
            source {
                address 192.168.1.250
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action drop
            description "Black List - A"
            log disable
            protocol all
            source {
                group {
                    address-group ET-A
                }
            }
        }
        rule 20 {
            action drop
            description "Black List - N"
            log disable
            protocol all
            source {
                group {
                    network-group ET-N
                }
            }
        }
        rule 30 {
            action accept
            description "Cloud Port Forwarding"
            destination {
                address 192.168.1.9
                group {
                    port-group CL-F
                }
            }
            log disable
            protocol tcp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action drop
            description "Black List - A"
            log disable
            protocol all
            source {
                group {
                    address-group ET-A
                }
            }
        }
        rule 20 {
            action drop
            description "Black List - N"
            log disable
            protocol all
            source {
                group {
                    network-group ET-N
                }
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 12.34.56.78/28
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            vlan-aware disable
        }
        vif 1003 {
            address 10.0.10.1/27
            description "Vader Guest"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description Panzer
        forward-to {
            address 192.168.1.254
            port 22
        }
        original-port 89326
        protocol tcp
    }
    rule 2 {
        description CCTV
        forward-to {
            address 192.168.1.5
            port 22
        }
        original-port 89327
        protocol tcp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GUEST {
            authoritative disable
            subnet 10.0.10.0/27 {
                default-router 10.0.10.1
                dns-server 10.0.10.1
                lease 86400
                start 10.0.10.6 {
                    stop 10.0.10.30
                }
                static-mapping Bar {
                    ip-address 10.0.10.4
                    mac-address f0:9f:c2:f0:97:8c
                }
                static-mapping Designers {
                    ip-address 10.0.10.3
                    mac-address 80:2a:a8:96:76:13
                }
                static-mapping Reception {
                    ip-address 10.0.10.5
                    mac-address f0:9f:c2:dc:32:c4
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name vader.local
                lease 86400
                start 192.168.1.30 {
                    stop 192.168.1.130
                }
                static-mapping AC {
                    ip-address 192.168.1.250
                    mac-address 00:0B:3A:00:08:28
                }
                static-mapping Camera1 {
                    ip-address 192.168.1.6
                    mac-address bc:ad:28:b0:e6:30
                }
                static-mapping Camera2 {
                    ip-address 192.168.1.7
                    mac-address bc:ad:28:b0:e7:b8
                }
                static-mapping Panzer {
                    ip-address 192.168.1.254
                    mac-address 40:16:7e:41:0a:38
                }
                static-mapping PowerConnect_5548 {
                    ip-address 192.168.1.2
                    mac-address d0:67:e5:98:fc:74
                }
                static-mapping cloud {
                    ip-address 192.168.1.9
                    mac-address d6:f8:2e:57:fb:96
                }
                static-mapping ipmi-panzer {
                    ip-address 192.168.1.4
                    mac-address 2c:4d:54:52:27:3f
                }
                static-mapping ipmi-pve {
                    ip-address 192.168.1.3
                    mac-address bc:5f:f4:bb:9e:c0
                }
                static-mapping pve {
                    ip-address 192.168.1.10
                    mac-address bc:5f:f4:bb:9a:f1
                }
                static-mapping unms {
                    ip-address 192.168.1.8
                    mac-address 2e:09:ee:6b:d7:3b
                }
                static-mapping ups {
                    ip-address 192.168.1.11
                    mac-address 00:20:52:e3:4d:f4
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                domain-name vader.local
                lease 86400
                start 192.168.2.30 {
                    stop 192.168.2.160
                }
                static-mapping Cloudkey {
                    ip-address 192.168.2.3
                    mac-address 78:8a:20:45:25:22
                }
                static-mapping NPI771D9C {
                    ip-address 192.168.2.8
                    mac-address 54:35:30:91:a1:bd
                }
                static-mapping NPIBD4107 {
                    ip-address 192.168.2.7
                    mac-address d8:0f:99:59:2b:45
                }
                static-mapping TOUGHSwitch-PoE-PRO {
                    ip-address 192.168.2.2
                    mac-address dc:9f:db:29:73:b0
                }
                static-mapping UniFi-AP-AC-Pro1 {
                    ip-address 192.168.2.4
                    mac-address 80:2a:a8:96:76:13
                }
                static-mapping UniFi-AP-AC-Pro2 {
                    ip-address 192.168.2.5
                    mac-address f0:9f:c2:f0:97:8c
                }
                static-mapping UniFi-AP-AC-Pro3 {
                    ip-address 192.168.2.6
                    mac-address f0:9f:c2:dc:32:c4
                }
                static-mapping VFDP1 {
                    ip-address 192.168.2.95
                    mac-address 00:26:5a:68:c3:0a
                }
                unifi-controller 192.168.2.3
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 1500
            listen-on eth1
            listen-on switch0
            listen-on switch0.1003
            name-server 12.34.56.78
            name-server 8.8.8.8
        }
    }
    nat {
        rule 5 {
            description "DNAT Hairpin"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 80,443
            }
            inbound-interface eth1
            inside-address {
                address 192.168.1.9
            }
            log disable
            protocol tcp
            source {
                address 192.168.1.0/24
            }
            type destination
        }
        rule 6 {
            description "DNAT Cloud"
            destination {
                group {
                    port-group CL-F
                }
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.9
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5030 {
            description "NAT Hairpin"
            destination {
                address 192.168.1.9
                port 80,443
            }
            log disable
            outbound-interface eth1
            protocol tcp
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    unms {
        connection wss://192.168.1.8:443+hc8HID0RHNgJIblx_j8t3SvNJxecL0OLKJLXcbmS9DIQRXG+allowSelfSignedCertificate
    }
}
system {
    domain-name vader.local
    gateway-address 12.34.56.78
    host-name router
    login {
        user drdodo {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Frusciante
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
    }
    static-host-mapping {
        host-name AC {
            alias ac.vader.local
            inet 192.168.1.250
        }
        host-name Panzer {
            alias panzer.vader.local
            inet 192.168.1.254
        }
        host-name Router {
            alias router.vader.local
            inet 192.168.1.1
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Moscow
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    advanced-queue {
        root {
            queue 1023 {
                attach-to global
                bandwidth 1000mbit
                description UBNT-BQ
            }
        }
    }
    smart-queue Qos {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 100mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 100mbit
        }
        wan-interface eth0
    }
}
Issue with OpenVPN client & internet traffic
Hi,
The last few days, I've been struggling to get PBR working on an EdgeRouter X, 1.10.1.
Situation: in a gantry, we share one internet connection, using a port per floor. For several reasons irrelevant to this question, I'm trying to get per-subnet and per-IP routing over a NordVPN/OpenVPN vtun. To achieve this I've used the forums (link, link and more) and help, to no avail.
I did manage to "enforce" it, but it is not permanent. By creating a routing table via /etc/iproute2 and ip rule add, I was able to get a different result from a "curl ifconfig.co" command. So, I'm sure that we should be able to get this working.
What I've done so far:
# set up VPN:
set interfaces openvpn vtun0 config-file /config/openvpn/nordvpn.conf   # with route-nopull
# set interfaces openvpn vtun0 description NordVPN
# set up PBR table for VPN
set protocols static table 10 description 'VPN Routing Table'
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface vtun0
# set up SNAT for interface:
set service nat rule 5000 description 'masquerade VPN'
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 type masquerade
# Set up policy for given source ip, which I hope to extend to a set of nets and ips.
set firewall modify VPN description 'Forward through VPN'
set firewall modify VPN rule 10 action modify
set firewall modify VPN rule 10 description 'Traffic from these subnets'
set firewall modify VPN rule 10 modify table 10
set firewall modify VPN rule 10 source address 10.100.3.2
To my interpretation, and based on what I've read so far, this should do the trick. But I'm sure I'm missing a big thing here. For a complete impression, I've added the config as attachment.
What I've noticed is that EdgeOS seems to apply the ip rule by using fwmark, whereas I'd rather see a subnet or IP there (I think it's because it enables you to mark multiple sources instead of having a rule per source).
Can anyone give me a nudge in the right direction?
Thanks
Bauke
Firewall Advice
I have opened ports 22 and 443 in WAN_LOCAL to allow outside access to SSH and HTTPS for the GUI.
I have a prior DROP rule with "Recent Time = 120" and "Recent Count = 4" to secure against attacks.
The SSH part works fine, but I am having trouble with the HTTPS on port 443. I get to the EdgeOS GUI logon screen, but after entering my username and password it won't connect.
Without port 443 in the DROP rule it works fine.
Any advice?
Thanks
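For the "Firewall Advice" post above: a per-source "recent" limit of 4 hits in 120 s counts every new connection from the same address towards the threshold, and a browser loading the HTTPS GUI opens several parallel TLS connections, so one admin who has just logged in over SSH can cross the limit alone. The following is an added example, not code from the post or from EdgeOS. It is a simplified Python model of the sliding-window counter (assumption: every attempt that reaches the rule, accepted or dropped, counts as a hit, and ports outside the DROP rule are simply accepted) run over constructed traffic; the source addresses are RFC 5737 documentation addresses. It also reproduces what the poster observed, that leaving 443 out of the DROP rule lets the GUI through.

```python
from collections import defaultdict, deque

RECENT_COUNT = 4    # "Recent Count = 4" in the post
RECENT_TIME = 120   # "Recent Time = 120" in the post, in seconds


class RecentLimiter:
    """Simplified model of a per-source new-connection limit
    (EdgeOS 'recent count N time T', i.e. iptables -m recent).
    Assumption: every attempt that reaches the rule, accepted or dropped,
    counts as a hit inside the window."""

    def __init__(self, count=RECENT_COUNT, time=RECENT_TIME):
        self.count = count
        self.time = time
        self.seen = defaultdict(deque)  # source -> timestamps of recent attempts

    def new_connection(self, src, ts):
        q = self.seen[src]
        # forget hits that have aged out of the window
        while q and ts - q[0] > self.time:
            q.popleft()
        decision = "DROP" if len(q) >= self.count else "ACCEPT"
        q.append(ts)
        return decision


def simulate(events, limited_ports, count=RECENT_COUNT, time=RECENT_TIME):
    """events: iterable of (timestamp, src, dst_port) for NEW connections.
    Only ports in limited_ports go through the DROP rule; connections to
    other ports are modelled as accepted and never touch the counter."""
    limiter = RecentLimiter(count, time)
    decisions = []
    for ts, src, port in events:
        if port in limited_ports:
            decisions.append(limiter.new_connection(src, ts))
        else:
            decisions.append("ACCEPT")
    return decisions


# Constructed traffic (RFC 5737 documentation addresses, not real hosts).
ADMIN = "203.0.113.10"
# one SSH login, then 30 s later the browser fetches the GUI over six
# parallel TLS connections within half a second
ADMIN_SESSION = [(0.0, ADMIN, 22)] + [(30.0 + 0.1 * i, ADMIN, 443) for i in range(6)]

SCANNER = "198.51.100.7"
# something retrying SSH once per second, which the rule is meant to stop
SCAN = [(float(i), SCANNER, 22) for i in range(10)]


def main():
    print("admin, 22 and 443 limited:", simulate(ADMIN_SESSION, {22, 443}))
    print("admin, only 22 limited:   ", simulate(ADMIN_SESSION, {22}))
    print("scanner:                  ", simulate(SCAN, {22, 443}))


if __name__ == "__main__":
    main()
```

With both ports in the DROP rule, the SSH login plus three GUI connections use up the four-hit budget and the remaining GUI connections from that address are dropped for the rest of the 120 s window, which is one way to get exactly the "logon screen loads, then nothing" symptom; with only port 22 limited, the whole session passes, while the once-per-second scanner still gets only four attempts through. The window also means an admin who trips the rule has to wait out the 120 s before the counter clears.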
Reset all BGP-Peers by modifying inbound-filter | ER-Pro8 | v.1.10.0
Hi!
I've added a new rule to an existing inbound-filter.
I have committed the changes, and issued "clear ip bgp x.x.x.x in".
After that, all peers were reset!
Your BGP implementation is so buggy.
VPN Site-to-Site help + websites not loading
Hey all,
I've read a ton of similar posts to mine, but still cannot get this ERL3 working.
Issue 1--Before even configuring the VPN, I am unable to browse to a lot of sites.
- Example: I can browse to google.com, reddit.com, imgur.com
- I CANNOT browse to ebay.com, microsoft.com.
I played with the MSS-Clamp value to try to resolve, and was able to get google.com to resolve which was not originally working, but I still cannot load most sites.
Issue 2--VPN. As soon as I configure the VPN, I lose local connectivity to the ERL
- The tunnel comes up on the remote end (Palo Alto firewall)
- I can console into the ERL and see the tunnel is up as well, but no traffic is passing
I have attached my config. Any help would be greatly appreciated.
EDIT: One more thing to add--This setup works great with a Cisco ASA, so I know the issue is isolated to the ERL.
Thank you.
Issues with Skype not connecting
I have an odd issue with a new router.
Everything works great except for connecting to Skype.
We have no rules blocking outbound connectivity.
All other internet connectivity works fine except Skype.
Has anyone seen something like this?
Advice requested on BGP router
Hello,
We are expanding our network (with about 500 clients) with multiple transit providers. We are now designing our infrastructure and are looking for advice on the most appropriate hardware, in particular for the BGP router.
We need to connect to two different providers with different AS numbers.
- Do we need two separate routers to connect to the two providers or do these routers enable connections to two other parties?
- Would EdgeMax do the job? Are there alternative cost-effective commercial solutions?
- Are there Linux systems which can be rigged up for this job? How much memory and compute power would be required for 600,000 routes? Recommendations, perhaps for make & model?
EdgeRouter work fine on GUI config upload but not after a reboot
EdgeRouter Lite 3 ports
Running v1.9.7+hotfix.4
I had the case twice now that after a power outage the router does not give users internet access, but everything that should work lights up green in the GUI.
The solution I found is to upload the same configuration file 'edgeos_ubnt_20180219.tar.gz' through the GUI to the router, reboot it, and everything works fine.
What am I missing here?
Thanks!
Time based traffic policy shaper with firewall rules?
Hello, EdgeMax community.
I am interested in setting up a time-based traffic policy shaper for a particular IP address and am at a loss at how to do it.
It seems that it is possible by using firewall modify "mark" rules, but I see no way to do that in the Web UI.
If it is not possible using the Web UI, how would I go about creating such a configuration?
(EdgeRouter X with 1.10.0 software installed)
DUAL WAN Failover Only does not fail over clients.
Currently in office:
Comcast => eth0
Level3 => eth1
eth2 => EdgeSwitch for LAN
When Comcast goes down (or interface is brought offline) the failover is nearly immediate *and* the site-to-site VPN connection re-establishes quite quickly.
When this happens, nearly all members in the office still experience "the internet being down", and it seems that they don't end up getting failed over.
I've ensured sticky connections is completely disabled so they shouldn't be "sticking" to eth0 traffic on Comcast, but it seems that this is the case.
Even when I set eth0 (Comcast to be failover) and delete the failover directive for eth1 (level3) it seems there's still a ton of traffic trying to go over eth0 (Comcast) instead of using Level3 (eth1).
set load-balance group G interface eth0 route-test count failure 3
set load-balance group G interface eth0 route-test count success 10
set load-balance group G interface eth0 route-test initial-delay 60
set load-balance group G interface eth0 route-test interval 15
set load-balance group G interface eth0 route-test type ping target 8.8.8.8
set load-balance group G interface eth1 failover-only
set load-balance group G lb-local enable
set load-balance group G lb-local-metric-change disable
Is there any reason that this is happening or somewhere else I can look for additional information on it? I'm not sure why it doesn't seem to fail over.
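The route-test settings in this post and the MikroTik check-gateway=ping question in the "Check route reachability" post above are the same mechanism: periodic probes to a target beyond the directly connected next hop, with a consecutive-failure threshold that marks a WAN down and a consecutive-success threshold that brings it back. The following is an added example, not EdgeOS code and not from either post. It models those counters in Python with the values from the config above (count failure 3, count success 10, interval 15, eth1 failover-only) under assumed semantics, stated in the code, that a WAN is marked failed after `failure` consecutive missed probes and restored after `success` consecutive good ones, and that a failover-only interface carries new flows only while no primary is healthy. The probe results are constructed; nothing is pinged.

```python
from dataclasses import dataclass


@dataclass
class RouteTest:
    """Health state of one WAN interface.

    Models the EdgeOS load-balance route-test knobs in the post
    (count failure 3, count success 10). Assumed semantics, not taken
    from EdgeOS source: the interface is marked failed after `failure`
    consecutive failed probes and restored after `success` consecutive
    good ones."""
    name: str
    failure: int = 3
    success: int = 10
    failover_only: bool = False
    up: bool = True
    streak: int = 0  # consecutive failures while up, consecutive successes while down

    def probe(self, ok):
        if self.up:
            self.streak = 0 if ok else self.streak + 1
            if self.streak >= self.failure:
                self.up, self.streak = False, 0
        else:
            self.streak = self.streak + 1 if ok else 0
            if self.streak >= self.success:
                self.up, self.streak = True, 0
        return self.up


def choose_active(wans):
    """Next hop for NEW flows: the first healthy primary; a failover-only
    interface is used only while every primary is down."""
    for w in wans:
        if w.up and not w.failover_only:
            return w.name
    for w in wans:
        if w.up and w.failover_only:
            return w.name
    return None


def run(probe_results, interval=15):
    """probe_results: list of (eth0_ok, eth1_ok) per probe round.
    Returns [(seconds_since_start, active_interface), ...]."""
    eth0 = RouteTest("eth0")                      # Comcast in the post
    eth1 = RouteTest("eth1", failover_only=True)  # Level3, failover-only
    timeline = []
    for i, (ok0, ok1) in enumerate(probe_results):
        eth0.probe(ok0)
        eth1.probe(ok1)
        timeline.append((i * interval, choose_active([eth0, eth1])))
    return timeline


def transitions(timeline):
    """Compress the timeline to the moments the active interface changes."""
    out = []
    for t, active in timeline:
        if not out or out[-1][1] != active:
            out.append((t, active))
    return out


# Constructed outage: eth0 answers twice, then misses five probes in a row,
# then answers again for twelve rounds; eth1 is healthy throughout.
OUTAGE = [(True, True)] * 2 + [(False, True)] * 5 + [(True, True)] * 12

if __name__ == "__main__":
    print(transitions(run(OUTAGE)))  # [(0, 'eth0'), (60, 'eth1'), (240, 'eth0')]
```

In this run eth1 takes over on the third consecutive miss (t=60) and eth0 only returns on the tenth consecutive good probe (t=240), so a primary that flaps stays on the backup for a while; a single missed probe never switches anything. The model decides the next hop for new flows only: what happens to sessions already established over eth0, which is what the sticky-connection setting in the post is about, is a separate question that this model does not answer.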