I am new to using Edgerouter X, and i need to setup the router to gaurantee 3.5 mbs/sec to a specfic computer so that it can stream to FB live. Our internet connection usually gives me 10 mb/s upload, so 3.5 shouln't be a problem.
I am not uber familiar with edgemax OS or how to implement this. Is there a tutorial for dummies?
thanks
Jeff
Below are the commands to setup a pppoe connection to my ISP using a Microtik RB750 router. it's the only router they support. I want to use Edgerouters to acheive this but so far have not figured out how to configure them so they work. Please help with the commands to create this in an ERX
On the cable connection, after customer plugs-in the router, it will get DHCP IP. After the IP is obtained and
able to go the internet, then customer logs into our ERX. ERX already presets the tunnel for the login ID and
Password and ERX routes the IP to the router. The tunnel IP is 172.16.1.x which the Frame IP
/interface bridge add name=Lan
/interface bridge port add interface=ether2 bridge=Lan
/interface bridge port add interface=ether3 bridge=Lan
/interface bridge port add interface=ether4 bridge=Lan
/interface bridge port add interface=ether5 bridge=Lan
!
/ip dhcp-client add interface=ether1 add-default-route=special-classless disabled=no
!
/ip address add address=208.110.114.41/30 interface=Lan disabled=no
/interface l2tp-client add name=Cable user=xxxx.vpn@pppoe.net password=xxxxxx connect-to=209.205.90.194 add-default-route=yes profile=default disabled=no
I don't enough about pppoe or the edgerouter to make this work. I have setup pppoe with a simple configuration as seen below but it doesn't work in this case
ethernet eth1 {
address dhcp
description Internet
duplex auto
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto
password ****************
user-id xxxx.vpn@pppoe.net
}
speed auto
Hi,
I have weird issue relating to usage of ER-X as openVPN client and now after a few frustrating days investigation as alone, I need your eyes as help to find out that I don't see to cause problem. Issue is that I have two ER-X routers (ouluGW and kamppiGW) with almost identical configurations (two different physical locations), both are connecting as openVPN client to same openVPN server (Linux server as third location), but LAN machines (subnet: 192.168.10.0/24) behind of second ER-X (kamppiGW) are not able to reach subnet behind of openVPN server, but LAN machines (subnet: 192.168.35.10/24) behind of "ouluGW" ER-X are able to reach that subnet via openVPN server.
Image as description of network's topolocy:
In image seen IPSEC site-to-site tunnel between ERXs is working.
Here is configuration, routing etc details as background information of setup:
- ER-X configuration of ouluGW (with that ER-X all is working correctly), please see attachment file with name: oulugw_ERX.txt
- ER-X configuration of kamppiGW (LAN machines behind of this router at 192.168.10.0/24 subnet are not able to reach 192.168.25.0/24 subnet via openVPN server), please see attachment file with name: kamppigw_ERX.txt
- Routes at ouluGW relating to vtun0 interface:
S *> 192.168.20.0/24 [1/0] via 192.168.20.13, vtun0 C *> 192.168.20.13/32 is directly connected, vtun0 C *> 192.168.20.14/32 is directly connected, vtun0 S *> 192.168.25.0/24 [1/0] via 192.168.20.13, vtun0
- Routes at kamppiGW relating to vtun0 interface:
S *> 192.168.20.0/24 [1/0] via 192.168.20.17, vtun0 C *> 192.168.20.17/32 is directly connected, vtun0 C *> 192.168.20.18/32 is directly connected, vtun0 S *> 192.168.25.0/24 [1/0] via 192.168.20.17, vtun0
- OpenVPN server (APOLLO) has "192.168.20.0/24" as subnet where from ER-Xs as VPN clients get IP-address and "192.168.25.0/24" as subnet where this "APOLLO" server is providing some network services what LAN machines behind of "ouluGW" and "kamppiGW" routers are utilizing.
-- Relating routes at APOLLO server:
192.168.20.2 dev tun0 proto kernel scope link src 192.168.20.1 192.168.10.0/24 via 192.168.20.2 dev tun0 192.168.20.0/24 via 192.168.20.2 dev tun0 192.168.35.0/24 via 192.168.20.2 dev tun0 192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.10
-- Configuration of openVPN server:
port 1194 proto udp dev tun ca ca.crt cert apollo.crt key apollo.key dh dh1024.pem server 192.168.20.0 255.255.255.0 ifconfig-pool-persist "/etc/openvpn/ipp.txt" 10 client-config-dir "/etc/openvpn/ccd" route 192.168.10.0 255.255.255.0 route 192.168.35.0 255.255.255.0 client-to-client keepalive 10 60 tls-auth ta.key cipher DES-EDE3-CBC comp-lzo max-clients 10 user nobody group nogroup persist-key persist-tun status "/etc/openvpn/openvpn-status.log" management /var/run/openvpn.mgmt unix log "/var/log/openvpn.log" log-append "/var/log/openvpn_append.log" verb 6 plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
-- Both VPN clients are using same configuration where only differences are inlined KEY and CERT details per client:
client dev tun proto udp remote x.x.x.x 1194 resolv-retry infinite remote-random nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ping 15 ping-restart 0 ping-timer-rem reneg-sec 86400 remote-cert-tls server auth-user-pass /config/openvpn/apollo_vpnauth.txt comp-lzo verb 4 route-nopull fast-io cipher DES-EDE3-CBC keysize 192<ca></ca> key-direction 1 <tls-auth></tls-auth><key></key><cert></cert>
-- OpenVPN server has CCD file per client to define IP and subnet what is existing behind of client (as information for openVPN server):
Okey, if I start from working setup (ouluGW):
- When I ping from LAN machine at "192.168.35.0/24" subnet to IP-address at "192.168.25.0/24" (for example: 192.168.25.10) at APOLLO server, I get response correctly as is able to seen from below tcpdumps, packages from LAN machine at IP-addres 192.168.35.102 to 192.168.25.10 goes correctly and return correctly:
# TCPDUMP from workstation at 192.168.35.0/24 network point of view looking for eth0 interface: 13:21:35.152225 IP 192.168.35.102 > 192.168.25.10: ICMP echo request, id 6044, seq 1, length 64 13:21:35.210125 IP 192.168.25.10 > 192.168.35.102: ICMP echo reply, id 6044, seq 1, length 64 # TCPDUMP from APOLLO's point of view looking for tun0 interface: 14:18:41.386466 IP 192.168.35.102 > 192.168.25.10: ICMP echo request, id 6031, seq 1, length 64 14:18:41.386494 IP 192.168.25.10 > 192.168.35.102: ICMP echo reply, id 6031, seq 1, length 64
- When I ping from ER-X (ouluGW with VPN IP: 192.168.20.14) to 192.168.25.10 at APOLLO, packages leave correctly via "vtun0" interface at ER-X and "tun0" at APOLLO get then in and return route is also OK:
#TCPDUMP from ouluGW point of view for vtun0 interface: 15:24:16.860084 IP 192.168.20.14 > 192.168.25.10: ICMP echo request, id 11320, seq 1, length 64 15:24:16.917294 IP 192.168.25.10 > 192.168.20.14: ICMP echo reply, id 11320, seq 1, length 64 # TCPDUMP from APOLLO's point of view looking for tun0 interface: 14:19:54.441171 IP 192.168.20.14 > 192.168.25.10: ICMP echo request, id 10983, seq 1, length 64 14:19:54.441199 IP 192.168.25.10 > 192.168.20.14: ICMP echo reply, id 10983, seq 1, length 64
- I can ping from APOLLO to "192.168.35.0/24" subnet behind of "ouluGW" ER-X as well as "ouluGW" itself:
# TCPDUMP from APOLLO's point of view looking: 18:22:58.927844 IP 192.168.20.1 > 192.168.35.102: ICMP echo request, id 10296, seq 11, length 64 18:22:58.985811 IP 192.168.35.102 > 192.168.20.1: ICMP echo reply, id 10296, seq 11, length 64 # TCPDUMP from ouluGW point of view looking: 19:25:29.870730 IP 192.168.20.1 > 192.168.35.102: ICMP echo request, id 10310, seq 1, length 64 19:25:29.871248 IP 192.168.35.102 > 192.168.20.1: ICMP echo reply, id 10310, seq 1, length 64 # TCPDUMP from 192.168.35.0/24 subnet machine point of view looking: 17:26:41.724282 IP 192.168.20.1 > 192.168.35.102: ICMP echo request, id 10311, seq 1, length 64 17:26:41.724306 IP 192.168.35.102 > 192.168.20.1: ICMP echo reply, id 10311, seq 1, length 64
Then what doesn't for some reason will works and I just cannot understand and see, why (kamppiGW):
- When I ping from LAN machine at "192.168.10.0/24" subnet to IP-address at "192.168.25.0/24" subnet at APOLLO server, I can see packages to leave via vtun0 interface of ER-X and arriving to APOLLO via tun0 interface as ICMP request, but ICMP reply won't go out from APOLLO:
# Ping from 192.168.10.51 to 192.168.25.10 from APOLLO's point of view looking: 09:30:14.871439 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 380, length 40 09:30:19.599280 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 381, length 40 # From kamppiGW point of view looking: 10:32:27.384204 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 388, length 40 10:32:32.063683 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 389, length 40
- But I am able to ping APOLLO from kamppiGW and able to ping that LAN machine at "192.168.10.0/24" subnet from APOLLO:
# ping from APOLLO to LAN machine from APOLLO's point of view: 10:06:10.769927 IP 192.168.20.1 > 192.168.10.51: ICMP echo request, id 8541, seq 14, length 64 10:06:10.828172 IP 192.168.10.51 > 192.168.20.1: ICMP echo reply, id 8541, seq 14, length 64 # ping from APOLLO to LAN machine from kamppiGW point of view: 11:04:41.121912 IP 192.168.20.1 > 192.168.10.51: ICMP echo request, id 8489, seq 17, length 64 11:04:41.123171 IP 192.168.10.51 > 192.168.20.1: ICMP echo reply, id 8489, seq 17, length 64 I was able to see packages at LAN machine with Wireshark (this one is windows 10 machine)!
# Ping from APOLLO to kamppiGW from apollo's point of view: 09:33:53.298899 IP 192.168.20.10 > 192.168.25.18: ICMP echo request, id 11629, seq 1, length 64 09:33:53.298931 IP 192.168.25.18 > 192.168.20.10: ICMP echo reply, id 11629, seq 1, length 64 # Ping from APOLLO to kamppiGW from kamppiGW's point of view: 10:35:33.842667 IP 192.168.20.10 > 192.168.25.18: ICMP echo request, id 11702, seq 1, length 64 10:35:33.897732 IP 192.168.25.18 > 192.168.20.10: ICMP echo reply, id 11702, seq 1, length 64
- There is no any firewall rules to block/reject traffic IN or OUT at APOLLO server relating to subnet 192.168.10.0/24.
So, any ideas what is reason, why LAN machine at 192.168.10.0/24 subnet is not able to reach subnet 192.168.25.0/24?
Hi,
I need to make a point-to-point connections between 2 sites.
we have already a ptp link bridge working
i have to make a layer 2 streching for making a cisc hsrp (provider equipment) working between site-a and site-b.
would a L2Bridge over Openvpn be the way to go ?
maybe a better suggestion to accomplish that router on site-a and router on site-b would be able to do a hsrp ?
any help appriciated.
I would prefer to keep the l2traffic between my equipment and the equipment of the provider to be "seperated"
Thanks
Hey Guys,
I have been looking through the forums and still having an issue. Disclaimer that I am a EdgeRouter Noob but familiar with firewalls in general. We are using firmware version 1.10.0 (most recent firmware). This is configured with an IPSEC s2s vpn without vti.
So ill say it was a heck of a time just getting the tunnel established. For whatever reason the WAN interface wasn't responding. Finally got that working.
Remote = EdgeRouter side Network = 192.168.0.0/24 GW = 192.168.0.1 coming out of eth2. eth0 is the WAN port
Local = Sonicwall side Network = 192.168.1.0/24 GW = 192.168.1.1
My pc's behind the Edgerouter are able to ping through the tunnel to where they need to be on my local network. My local network can ONLY get to the GW of the edgerouter and no further.
The check box to create local firewall and NAT rules was checked with at the creation of the VPN. I know that it has to be a firewall rule but I cannot for the life of me find where it is (there are no firewall rules listed in the GUI that would block any traffic to that interface, unless there is a hidden implicit deny somewhere).
Any pointers will be appreciated 
EdgeRouter X: 1.10.0
It seems to be a straight forward process to create a connection to a NordVPN server.
However, I receive the following error when using said instructions:
XXXXX@ubnt:~# configure [edit] XXXXX@ubnt# set interfaces openvpn vtun0 config-file /config/openvpn/us1606.nordv pn.com.tcp.ovpn [edit] XXXXX@ubnt# commit [ interfaces openvpn vtun0 ] OpenVPN configuration error: Failed to start OpenVPN tunnel. Commit failed [edit] XXXXX@ubnt#
If I edit the configuration file by using auth-user-pass nordvpnauth.txt, I receive an error stating the configuration file cannot be opened. If I use auth-user-pass /config/openvpn/nordvpnauth.txt, I receive the error above.
I have tried three different configuration files and even changed thier permissions to 777 with no resolution.
Does anyone have any suggestions?
Hi guys,
I'm struggling to get this working. It connects fine (i.e. certs fine / gives appropriate IP adress), but I can't connect to either the other side of the VPN or any of the VPN side subnet.
Any help would be MUCH appreciated. I've been playing with this for ages!!!! very frustrating!
ubnt@ubnt# show interfaces openvpn vtun0
description MainOpenVPN
encryption aes256
firewall {
in {
name VPN
}
local {
name VPN
}
out {
name VPN
}
}
hash sha256
local-port 1193
mode server
openvpn-option --tls-server
openvpn-option "--comp-lzo yes"
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
protocol udp
server {
name-server 8.8.8.8
push-route 192.168.5.0/24
subnet 10.99.99.0/24
topology subnet
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/server.pem
dh-file /config/auth/dhp.pem
key-file /config/auth/server.key
}And firewall settings:
ubnt@ubnt# show firewall
name Main {
default-action accept
description ""
rule 1 {
action accept
description OPENVPN
destination {
port 1193
}
log disable
protocol tcp
}
}
name VPN {
default-action accept
description ""
}And client settings:
client dev tun proto udp remote xxx 1193 resolv-retry infinite nobind persist-key persist-tun auth SHA256 comp-lzo verb 3
Hi all, I was reffering to the Router-on-a-stick article trying to set up with a Dell 2816 switch, CK and AC Pro.
1. I notice you can set eth1 an IP address, as well as, creating/tagging VLAN interfaces undernether/within eth1 and assigning subnets to it. Does it mean eth1 itself represents a native VLAN, aka un-tag / trunk port?
2. in case of network tagging VLAN 1 in a trunck (ie VLAN 1 not as trunk, but like a normal VLAN tagged within a trunk), does CK & AP AC Pro need to share VLAN 1 traffic? Coz I don't see a way/options that they will automatically regconised VLAN 1 traffic, if they sit on port with PVID not 1.
3. I see they exclude/forbidden VLAN 1 in trunck ports. Why forbidden? I thought VLAN 1 is neccesarry and they carry control Plane Traffic?
4. Is it correst that, for max security, VLAN should not be used as Native VLAN/Trunk and should used as tagged to isolate and carried along? How is that achivable with EdgeRouter and Unifi product?
Things I'm tyring to do, on ER4, connecting switch and AP via VLAN 10 and tag traffics accordingly.
---- VLAN 10 (Native VLAN / Trunk - eth1 10.1.10.0 /24) ----
-------- VLAN 1 (Default VLAN - eth1.1 10.1.1.0 /24) ---------
-------- VLAN 20 (Staff VLAN - eth1.20 10.1.20.0 /24) -------
-------- VLAN 30 (CCTV VLAN - eth1.30 10.1.30.0 /24) ------
-------- VLAN 88 (Guest VLAN - eth1.88 10.1.88.0 /24) ------
-------------------------------------------------------------------------------
Please feel free to correct me if anything is wrong. Much appreciated.
Hi
I'm just wondering if I can define external IP as an interface. I have an bridge sitting on the LAN side (connected via external switch) which I use for routing to another network. So instead of addressin it as IP in multiple locations I want to define it as an interface an use interface. Later I can change IP in once place and everything else will keep working.
Another advantage is to see graph with traffic on the web interface.
Thank you.
Hi
Where can I find the traffic/firewall logs for my Edgerouter Lite?
I'm noticing a lot of activity on the ETH0 LED, however no activity internally so am curious to find out what this is, or what's causingh it.
Hi guys,
I am working on a small school, but i can't seem to get the Edgerouter X running and i have the latest firmware.
I have 1 modem for my outgoing connection but it hasn't got DHCP.
I want my Edgerouter to give DHCP between 192.168.254.20 - 192.168.254.110 and my router to be @192.168.254.1 as gateway. I have no other routers in the school or products who can make conflicts. I also can't change the settings in the 'wizards' tab. If i save them and reboot they are resetted :-/ ? I see 192.168.1.1 ( even if i change it to 192.168.254.1 ) in the wizard tab. chech the following photo's.. I have an old router now working fine for the moment. Do i need to change anything on the 'switch' interface on the Edgerouter?
ETH 0 = my modem
ETH 1 = my switch
Thanks in advance.
Hello,
I've got 2 edgemax x routers, who does not have the file resolv.conf in the /etc directory. I see in ohter routers that this file is being created by vyatta.
The problem so far is that the router is unable to ping do domain name's while the can ping to the ip adress of the domains.
Now I have tried to manually edit the file, wich works, but the problem is after a reboot my modifications are gone.
Where of what do I need to adjust to make this config permanent ?
Kind regards.
Do these commands make exactly the same thing (preventing upstream providers from populating /etc/resolv.conf), but respectively for pppoe (WAN) interfaces and dhcp (WAN) ones, or do they have different purposes?
TIA.
Hey there,
i am just planing a redesign of my home network setup, which gets much more complicated by the fact that I have two flats which in the end should share the same network. Also I want to have multiple network zones, such as internal, guest, home automation and so on.
My plan is to use an EdgeRouter X on both sites as Router, Firewall and VPN Gateway. This poses a few questions, but as they seem connected to each other I try to make on thread.
1) I need some sort of VPN connection between both routers this should preferably some sort of IPSEC as the EdgeRouter has hardware acceleration for that. I am not shure if I need some sort of "VLAN" support here to accomplish question 2)
2) I need a firewall setup. I would prefer to do Zone based firewalling as this should be less of a hassle to maintain. But if I have one VPN Interface I have no clue to which network it should be assigned.
3) I would like to make an OSPF setup to propagate networks mutually. I hope that this is a solution which renders it unnecessary fo add routes mannualy for each network I add on either side. Also it would be an advantage if I had to integrate another site. I know how OSPF works, but I am unshure about the implications of the network and firewall zones and I am also not shure if OSPF needs a direct layer 2 link which in turn whould narrow the choise for question 1)
I am thankfull for every advice or any link to compareable setups.
Regards Lukas
P.S. I also had some ideas on how to solve it I will describe them here in case this is helpful for my question. (But you can safely ignore it if you have better ideas)
Use some VPN Technology which makes a layer 2 connection between the edge routers. Then make some VLANs over it for the different zones. After that the VLAN interfaces would be easy to assign a firewall zone. I assume this could work but here I am missing:
a) A possible VPN Layer 2 tunnel with IPSEC which allows VLANs over it.
b) My naive approach would be to run OSPF separately for each zone. But the edge router does not support this as I read from the internet and the Zones are not completely isolates (e.g. access from internal to guest should be possible) so this would point me to one ospf instance. I assume this whould work as they could find each other over multiple interfaces and the routing information is almost completely independent from the firewall.
Hello all.
I am new to the community and new to Ubiquiti. So this is all a bit of a learning curve for me.
Until recently, I was running Meraki network equipment at my house, an MX60 for my router and a single MR34 for wireless. And I have a 100 down / 50 up fiber link from my ISP.
I replaced the MX60 with an EdgeRouter X, and the MR34 with two Unifi AC-LR APs
After converting over to Ubiquiti, I notice that I get severely degraded performance on iPhone devices running iOS 11. Web sites will frequently take forever to load before timing out, same with speedtest.net. Ironically, youtube videos launch lightning fast. It seems like once I do get a connection to a site, it loads any subsequent links instantly. But it's werid, random slowdowns that I can't explain.
If I remove the EdgeRouter and put the MX60 back in, I do not get this issue with just the Unifi APs. So it looks like the issue is relegated to the ERX.
I did upgrade firmware on ERX to 1.10 as well. If anyone has any ideas where to start, please let me know.
Thank you!
Ever since upgrading my routers to 1.10, I've been getting this ubnt-util crash in the syslog about every 3-4 days. It doesn't seem to have any detrimental effect on operations. Here is the full message.
Process 22744 (ubnt-util) has crashed (parent 658 (ubnt-daemon) signal 11, code 0, addr 0000029200000000), coredumps disabled
Stephen
I need to agregate 2 WAN connections to improve bandwidth but also wish to guarantee a % of available bandwidth to a specific LAN when the bandwidth load is maxing out.
I have done basic shaping rules with one WAN before but how would I apply it to a ER running a 2WAN load balanance config when the WANs are on 2 seperate interfaces?
Hello,
I have a home network on an ER-Lite that is crudely configured. I have the router hosting the home's DNS (and DNS cache) - it maps itself (10.0.0.1) as 'router.', with a period. If I don't have the period, Windows doesn't seem to be able to use said name.
I am finding that when I try to connect to the router as https://router./, when I log in, it redirects itself to https://router/, which fails to connect as the period is no longer appended.
Is there any good way to fix this? Note that I am not a network engineer, but a humble software engineer.
Receiving intermittent slow speeds on WAN with DPI enabled on ERLite.
Sometimes recieving 350Mbps download, sometimes wont go higher than 100Mbps. CPU/Ram usage didnt go above ~80% while test running.
What should this unit be able to route with DPI enabled?
