Good evening, i have an Edge router lite, and i am following this guide https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

To set up a vnp, however when i connect from windows 10 i get the following

"The network connection between your computer and the VPN server could not be established becasue the remote server is not responding, this could be because one of the network devices between your computer and the remote server is not configutred to allow vpn connection."

Any ideas?  configs / logs below

Fiewall settings 

 all-ping enable
 broadcast-ping disable
 group {
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
     default-action accept
     description "WAN to internal"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 30 {
         action accept
         description "Drop invalid state"
         log disable
         state {
             invalid enable
         }
     }
 }
 name WAN_LOCAL {
     default-action accept
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 30 {
         action accept
         description IKE
         destination {
             port 500
         }
         log disable
         protocol udp
         state {
             invalid enable
         }
     }
     rule 40 {
         action accept
         description ESP
         log disable
         protocol esp
     }
     rule 50 {
         action accept
         description NAT-T
         destination {
             port 4500
         }
         log disable
         protocol udp
     }
     rule 60 {
         action accept
         description L2TP
         destination {
             port 1701
         }
         ipsec {
             match-ipsec
         }
         log disable
         protocol udp
     }
 }
 options {
     mss-clamp {
         mss 1412
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable

Result of Sudo swanctl --log  whilsttrying to connect to vpn

sudo swanctl --log
01[NET] received packet: from 82.20.171.210[500] to 192.168.0.254[500] (408 bytes)
01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
01[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
01[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
01[IKE] received NAT-T (RFC 3947) vendor ID
01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
01[IKE] received FRAGMENTATION vendor ID
01[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
01[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
01[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
01[IKE] 82.20.171.210 is initiating a Main Mode IKE_SA
01[ENC] generating ID_PROT response 0 [ SA V V V ]
01[NET] sending packet: from 192.168.0.254[500] to 82.20.171.210[500] (136 bytes)
10[NET] received packet: from 82.20.171.210[500] to 192.168.0.254[500] (228 bytes)
10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
10[NET] sending packet: from 192.168.0.254[500] to 82.20.171.210[500] (212 bytes)
01[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
01[ENC] parsed ID_PROT request 0 [ ID HASH ]
01[CFG] looking for pre-shared key peer configs matching 192.168.0.254...82.20.171.210[192.168.0.18]
01[CFG] selected peer config "remote-access"
01[IKE] IKE_SA remote-access[99] established between 192.168.0.254[192.168.0.254]...82.20.171.210[192.168.0.18]
01[IKE] DPD not supported by peer, disabled
01[ENC] generating ID_PROT response 0 [ ID HASH ]
01[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (76 bytes)
12[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (444 bytes)
12[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
12[IKE] received 3600s lifetime, configured 0s
12[IKE] received 250000000 lifebytes, configured 0
12[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
12[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (204 bytes)
03[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (60 bytes)
03[ENC] parsed QUICK_MODE request 1 [ HASH ]
03[IKE] CHILD_SA remote-access{41} established with SPIs c4859ad1_i a56ca6f6_o and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
06[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (444 bytes)
06[ENC] parsed QUICK_MODE request 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
06[IKE] received 3600s lifetime, configured 0s
06[IKE] received 250000000 lifebytes, configured 0
06[IKE] detected rekeying of CHILD_SA remote-access{41}
06[ENC] generating QUICK_MODE response 2 [ HASH SA No ID ID NAT-OA NAT-OA ]
06[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (204 bytes)
14[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (60 bytes)
14[ENC] parsed QUICK_MODE request 2 [ HASH ]
14[IKE] CHILD_SA remote-access{41} established with SPIs c8e66420_i 320340b0_o and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
05[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
05[ENC] parsed INFORMATIONAL_V1 request 4216048040 [ HASH D ]
05[IKE] received DELETE for ESP CHILD_SA with SPI a56ca6f6
05[IKE] closing CHILD_SA remote-access{41} with SPIs c4859ad1_i (0 bytes) a56ca6f6_o (0 bytes) and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
06[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (444 bytes)
06[ENC] parsed QUICK_MODE request 3 [ HASH SA No ID ID NAT-OA NAT-OA ]
06[IKE] received 3600s lifetime, configured 0s
06[IKE] received 250000000 lifebytes, configured 0
06[IKE] detected rekeying of CHILD_SA remote-access{41}
06[ENC] generating QUICK_MODE response 3 [ HASH SA No ID ID NAT-OA NAT-OA ]
06[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (204 bytes)
14[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2677374342 [ HASH D ]
14[IKE] received DELETE for ESP CHILD_SA with SPI 320340b0
14[IKE] closing CHILD_SA remote-access{41} with SPIs c8e66420_i (0 bytes) 320340b0_o (0 bytes) and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
12[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (60 bytes)
12[ENC] parsed QUICK_MODE request 3 [ HASH ]
12[IKE] CHILD_SA remote-access{41} established with SPIs c3e7331f_i 66aa53f2_o and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
16[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (444 bytes)
16[ENC] parsed QUICK_MODE request 4 [ HASH SA No ID ID NAT-OA NAT-OA ]
16[IKE] received 3600s lifetime, configured 0s
16[IKE] received 250000000 lifebytes, configured 0
16[IKE] detected rekeying of CHILD_SA remote-access{41}
16[ENC] generating QUICK_MODE response 4 [ HASH SA No ID ID NAT-OA NAT-OA ]
16[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (204 bytes)
12[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (60 bytes)
12[ENC] parsed QUICK_MODE request 4 [ HASH ]
12[IKE] CHILD_SA remote-access{41} established with SPIs c21fc119_i ba54abee_o and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
10[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
10[ENC] parsed INFORMATIONAL_V1 request 205215436 [ HASH D ]
10[IKE] received DELETE for ESP CHILD_SA with SPI 66aa53f2
10[IKE] closing CHILD_SA remote-access{41} with SPIs c3e7331f_i (0 bytes) 66aa53f2_o (0 bytes) and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
14[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (444 bytes)
14[ENC] parsed QUICK_MODE request 5 [ HASH SA No ID ID NAT-OA NAT-OA ]
14[IKE] received 3600s lifetime, configured 0s
14[IKE] received 250000000 lifebytes, configured 0
14[IKE] detected rekeying of CHILD_SA remote-access{41}
14[ENC] generating QUICK_MODE response 5 [ HASH SA No ID ID NAT-OA NAT-OA ]
14[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (204 bytes)
02[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (60 bytes)
02[ENC] parsed QUICK_MODE request 5 [ HASH ]
02[IKE] CHILD_SA remote-access{41} established with SPIs cff9d9d7_i da65ea62_o and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
03[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
03[ENC] parsed INFORMATIONAL_V1 request 4288422591 [ HASH D ]
03[IKE] received DELETE for ESP CHILD_SA with SPI ba54abee
03[IKE] closing CHILD_SA remote-access{41} with SPIs c21fc119_i (0 bytes) ba54abee_o (0 bytes) and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
02[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (444 bytes)
02[ENC] parsed QUICK_MODE request 6 [ HASH SA No ID ID NAT-OA NAT-OA ]
02[IKE] received 3600s lifetime, configured 0s
02[IKE] received 250000000 lifebytes, configured 0
02[IKE] detected rekeying of CHILD_SA remote-access{41}
02[ENC] generating QUICK_MODE response 6 [ HASH SA No ID ID NAT-OA NAT-OA ]
02[NET] sending packet: from 192.168.0.254[4500] to 82.20.171.210[4500] (204 bytes)
12[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (60 bytes)
12[ENC] parsed QUICK_MODE request 6 [ HASH ]
12[IKE] CHILD_SA remote-access{41} established with SPIs c25474ff_i 5a9dfb5e_o and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
12[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
12[ENC] parsed INFORMATIONAL_V1 request 1487839218 [ HASH D ]
12[IKE] received DELETE for ESP CHILD_SA with SPI da65ea62
12[IKE] closing CHILD_SA remote-access{41} with SPIs cff9d9d7_i (0 bytes) da65ea62_o (0 bytes) and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
14[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (76 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 975110675 [ HASH D ]
14[IKE] received DELETE for ESP CHILD_SA with SPI 5a9dfb5e
14[IKE] closing CHILD_SA remote-access{41} with SPIs c25474ff_i (0 bytes) 5a9dfb5e_o (0 bytes) and TS 192.168.0.254/32[udp/l2f] === 82.20.171.210/32[udp/l2f]
01[NET] received packet: from 82.20.171.210[4500] to 192.168.0.254[4500] (92 bytes)
01[ENC] parsed INFORMATIONAL_V1 request 533339283 [ HASH D ]
01[IKE] received DELETE for IKE_SA remote-access[99]
01[IKE] deleting IKE_SA remote-access[99] between 192.168.0.254[192.168.0.254]...82.20.171.210[192.168.0.18]

VPN config 

 ipsec {
     ipsec-interfaces {
         interface eth0
     }
 }
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username user1 {
                     password mypassword
                 }
                 username test {
                     password test
                 }
             }
             mode local
             require chap
         }
         client-ip-pool {
             start 192.168.0.20
             stop 192.168.0.30
         }
         dns-servers {
             server-1 192.168.0.2
             server-2 8.8.8.8
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret PennineManufacturing2000
             }
         }
         outside-address 0.0.0.0
     }
 }

Interface settings

 bridge br0 {
     address 192.168.0.254/24
     aging 300
     bridged-conntrack disable
     description "Local Bridge"
     hello-time 2
     max-age 20
     priority 32768
     promiscuous enable
     stp false
 }
 ethernet eth0 {
     address dhcp
     description "Internet (PPPoE)"
     duplex auto
     pppoe 0 {
         default-route auto
         firewall {
             in {
             }
             local {
                 name WAN_LOCAL
             }
         }
         mtu 1492
         name-server auto
         password 
         user-id 
     }
     speed auto
 }
 ethernet eth1 {
     bridge-group {
         bridge br0
     }
     description "Local Bridge"
     duplex auto
     speed auto
 }
 ethernet eth2 {
     bridge-group {
         bridge br0
     }
     description "Local Bridge"
     duplex auto
     speed auto
 }
 loopback lo {
 }

Hi,

I have an Edgerouter Lite configured with a 172.16.0.0/16 that is connected to Azure with a L2tp/IPSec VPN. on the other side the vnet is 172.20.0.0/16. I've added a static route with a vti, everything is up and working perfectly. traffic works in both directions

Now where it gets messy... I've deployed a PfSense router inside Azure at 172.20.16.6 I want to route all my traffic to it. For some testing purpose, I've tried to add a static route 2.2.2.2 to 172.20.16.6 but that may not be the way to go since it doesn't seem to work... 

How can I route traffic from the Edgerouter Lite, through the VPN, to the other router.

I cannot simply forward the traffic to the VPN directly because Azure will drop any traffic that is not part of the Vnet. this is why I have the PfSense router.

Thanks for the help!

One of our clients, who is on an EdgeRouter X SFP just failed their PCI compliance because a scan by their credit card processing company indicates that TLSv1.0 is available on port 443, the https port of the router.

Is there a way to disable this in favor of TLSv1.2 or something higher?

Noticed in my Pi-Hole today that I had nearly 20,000 requests from my Edgerouter 4 to my primary Pi-Hole requesting an A record for hostname "afdd87eb276b.". The DNS server responds with NODATA as that's not even a real hostname.

However, the ER4 tries again every 5 seconds, without fail. Here is a tcpdump showing the behavior:

ubnt@ubnt01:~$ sudo tcpdump -n -i eth1 host 10.0.1.1 and host 10.0.1.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:04:03.429941 IP 10.0.1.1.50794 > 10.0.1.2.53: 64868+ A? afdd87eb276b. (30)
14:04:03.430731 IP 10.0.1.2.53 > 10.0.1.1.50794: 64868 0/0/0 (30)
14:04:08.428998 IP 10.0.1.1.60695 > 10.0.1.2.53: 62151+ A? afdd87eb276b. (30)
14:04:08.429761 IP 10.0.1.2.53 > 10.0.1.1.60695: 62151 0/0/0 (30)
14:04:13.427923 IP 10.0.1.1.56978 > 10.0.1.2.53: 64408+ A? afdd87eb276b. (30)
14:04:13.428804 IP 10.0.1.2.53 > 10.0.1.1.56978: 64408 0/0/0 (30)
14:04:18.394387 IP 10.0.1.1.35541 > 10.0.1.2.53: 33180+ A? afdd87eb276b. (30)
14:04:18.395186 IP 10.0.1.2.53 > 10.0.1.1.35541: 33180 0/0/0 (30)
14:04:23.428831 IP 10.0.1.1.43798 > 10.0.1.2.53: 3387+ A? afdd87eb276b. (30)
14:04:23.429655 IP 10.0.1.2.53 > 10.0.1.1.43798: 3387 0/0/0 (30)
14:04:28.429779 IP 10.0.1.1.56497 > 10.0.1.2.53: 502+ A? afdd87eb276b. (30)
14:04:28.430532 IP 10.0.1.2.53 > 10.0.1.1.56497: 502 0/0/0 (30)
14:04:33.433121 IP 10.0.1.1.38617 > 10.0.1.2.53: 10756+ A? afdd87eb276b. (30)
14:04:33.433910 IP 10.0.1.2.53 > 10.0.1.1.38617: 10756 0/0/0 (30)
14:04:38.321460 IP 10.0.1.1.53864 > 10.0.1.2.53: 61674+ A? afdd87eb276b. (30)
14:04:38.322201 IP 10.0.1.2.53 > 10.0.1.1.53864: 61674 0/0/0 (30)
14:04:43.436188 IP 10.0.1.1.55265 > 10.0.1.2.53: 15390+ A? afdd87eb276b. (30)
14:04:43.436984 IP 10.0.1.2.53 > 10.0.1.1.55265: 15390 0/0/0 (30)
14:04:48.395567 IP 10.0.1.1.43231 > 10.0.1.2.53: 43130+ A? afdd87eb276b. (30)
14:04:48.396349 IP 10.0.1.2.53 > 10.0.1.1.43231: 43130 0/0/0 (30)
14:04:53.429579 IP 10.0.1.1.37112 > 10.0.1.2.53: 10337+ A? afdd87eb276b. (30)
14:04:53.430390 IP 10.0.1.2.53 > 10.0.1.1.37112: 10337 0/0/0 (30)
14:04:58.432012 IP 10.0.1.1.60172 > 10.0.1.2.53: 7402+ A? afdd87eb276b. (30)
14:04:58.433380 IP 10.0.1.2.53 > 10.0.1.1.60172: 7402 0/0/0 (30)
14:05:03.430920 IP 10.0.1.1.32831 > 10.0.1.2.53: 7596+ A? afdd87eb276b. (30)
14:05:03.432278 IP 10.0.1.2.53 > 10.0.1.1.32831: 7596 0/0/0 (30)
14:05:08.431120 IP 10.0.1.1.34995 > 10.0.1.2.53: 18306+ A? afdd87eb276b. (30)
14:05:08.432502 IP 10.0.1.2.53 > 10.0.1.1.34995: 18306 0/0/0 (30)
14:05:13.433487 IP 10.0.1.1.52259 > 10.0.1.2.53: 17868+ A? afdd87eb276b. (30)
14:05:13.434927 IP 10.0.1.2.53 > 10.0.1.1.52259: 17868 0/0/0 (30)
14:05:18.396560 IP 10.0.1.1.52801 > 10.0.1.2.53: 45718+ A? afdd87eb276b. (30)
14:05:18.398364 IP 10.0.1.2.53 > 10.0.1.1.52801: 45718 0/0/0 (30)
14:05:23.438731 IP 10.0.1.1.60843 > 10.0.1.2.53: 4704+ A? afdd87eb276b. (30)
14:05:23.439480 IP 10.0.1.2.53 > 10.0.1.1.60843: 4704 0/0/0 (30)
14:05:28.432912 IP 10.0.1.1.45587 > 10.0.1.2.53: 12968+ A? afdd87eb276b. (30)
14:05:28.433682 IP 10.0.1.2.53 > 10.0.1.1.45587: 12968 0/0/0 (30)

Any ideas on what could be causing these requests?

Hi all!

Currently I run dnsmasq as pure DNS caching and forwarding: now I want to use it as dhcp server as well.

To achieve this goal, according to the UBNT Support's article on Edgerouter configuration the only commands I have to pass to my ER-X are

configure
set service dhcp-server use-dnsmasq enable 
commit
save
exit

The rest of that guide is mostly versed into adjusting DNS forwarding (and static / local name resolution if needed). Even external "guides" (such as this one) do mostly the same.

But what about the basic settings to configure any dhcp server? I mean gateway, subnet and range? How may I customize those and other dhcp-related options?

I thought to add to dnsmasq.conf (editing it as su) some dnsmasq options (which I picked from dnsmasq man page, they are the last, uncommented lines in the following example) and then restarting the service:

#
# autogenerated by vyatta-dns-forwarding.pl on Wed Mar 14 15:40:02 CET 2018
#
log-facility=/var/log/dnsmasq.log
interface=switch0
cache-size=4096
server=109.239.247.98   # statically configured
server=88.149.128.12    # statically configured
server=109.239.247.99   # statically configured
server=88.149.128.22    # statically configured
server=8.8.4.4          # statically configured
server=208.67.222.222   # statically configured
server=8.8.8.8          # statically configured
server=208.67.220.220   # statically configured
server=185.121.177.177  # statically configured
server=198.251.90.143   # statically configured
server=163.172.168.171  # statically configured
server=193.183.98.66    # statically configured
server=51.255.48.78     # statically configured
server=172.104.136.243  # statically configured
server=127.0.0.1        # system
server=::1              # system
bogus-priv
domain-needed
enable-ra
expand-hosts
localise-queries
domain=home.local
all-servers
no-resolv
#dhcp-range=192.168.1.21,192.168.1.50,24h     	#set leases pool and lease time
#dhcp-option=1,255.255.255.0                    #set default netmask
#dhcp-option=3,192.168.1.3                      #set default router, '3' equals to option:router
#dhcp-option=5,192.168.1.3                      #set default name server
#dhcp-option=42,193.204.114.232                 #set default ntp server, '42' equals to option:ntp-server

First of all: are these last lines correct? But above all, I'm afraid that those modifications may not survive to a reboot: am I wrong?

In case, if those modifications were not permanent, which are the relevant 'set' commands I should use? CLI auto-completion (tab) wasn't that useful this time (or probably I wasn't enough able).

And eventually, what about the default dhcp server set by the GUI Wizard I used for setting my current load balancing setup (1 LAN 2 WAN)? Should I disable it in GUI Services/DHCP Server Tab, or the above quoted command

set service dhcp-server use-dnsmasq enable 

just do that?

Well, thanks in advance for your patience, any useful insight is really welcome!

I'm testing an ER-8 for future WISP deployments. I hand out out IP's via DHCP and authenicate the users via RADIUS. I can't seem find howto authenicate DHCP requests with a RADIUS, is this possible with EdgeOS v1.9.1.1

Thanks in advance

Jared

v1.9.1.1.4977347.170426.0359   (running image)

Avast Scan of a network

We have identified the following problem with your router or Wi-Fi hotspot device:

DnsMasq heap buffer overflow vulnerability

Severity: High

Reference: CVE-2017-14491 | Google Security Blog

Description:
The affected device's DNS service is running an outdated version of the DnsMasq software which is known to have a heap buffer overflow vulnerability. A remote attacker can gain control of your network device and your Internet connection by sending malformed DNS packets to the device. It allows the attacker to intercept connections and perform a traffic hijack, or execute arbitrary code with unrestricted privileges as well as access all important and private data stored on the device -- your device login/password combination, your Wi-Fi password, and your configuration data.

Impact:
Any device connected to your network, including computers, phones, tablets, printers, security cameras, or any other networked device in your home or office network, may have an increased risk of compromise.

Recommendation:
The issue was fixed in DnsMasq software version 2.78, released in October 2017.

To solve the vulnerability on your device, apply the firmware or system update that contains DnsMasq software version 2.78 or higher provided by your device's manufacturer.

If an update addressing the vulnerability is not yet available for your device, you can secure your router or Wi-Fi hotspot with a strong password to minimize risks imposed by the vulnerability. We also advise you not to visit suspicious websites or run software from questionable sources.

I have a couple of ER-X configured so they have two ports on the WAN and three on the LAN.  When I try to NAT the internal addresses using the external VIF as the outside-address, the NAT rule does not appear to work.

Relevant config bits:

 ethernet eth0 {
     description site-int
     duplex auto
     speed auto
 }
 ethernet eth1 {
     description site-int
     duplex auto
     speed auto
 }
 ethernet eth2 {
     description site-int
     duplex auto
     speed auto
 }
 ethernet eth3 {
     description site-ps5ac-omni
     duplex auto
     poe {
         output 24v
     }
     speed auto
 }
 ethernet eth4 {
     description site.cust
     duplex auto
     poe {
         output 24v
     }
     speed auto
 }
 ethernet eth5 {
     description site-sfp
     duplex auto
     speed auto
 }
 loopback lo {
 }
 switch switch0 {
     mtu 1500
     switch-port {
         interface eth0 {
             vlan {
                 pvid 172
             }
         }
         interface eth1 {
             vlan {
                 pvid 172
             }
         }
         interface eth2 {
             vlan {
                 pvid 172
             }
         }
         interface eth3 {
             vlan {
                 pvid 24
                 vid 88
             }
         }
         interface eth4 {
             vlan {
                 pvid 24
                 vid 88
             }
         }
         interface eth5 {
             vlan {
                 pvid 24
                 vid 88
             }
         }
         vlan-aware enable
     }
     vif 24 {
         address 100.70.24.3/24
         description site.ext
         mtu 1500
     }
     vif 88 {
         address 10.0.24.3/24
         description mgmt
         mtu 1500
     }
     vif 172 {
         address 172.23.11.1/24
         description site.int
         mtu 1500
     }
 }
[edit]

admin@site-erx# show service nat
 rule 1 {
     description "inbound SSH"
     destination {
         address 100.70.24.3
         port 22
     }
     inbound-interface switch0.24
     inside-address {
         address 172.23.11.203
         port 22
     }
     log disable
     protocol tcp
     source {
         address 100.70.24.101
     }
     type destination
 }
 rule 5000 {
     destination {
     }
     log disable
     outbound-interface switch0.24
     outside-address {
         address 100.70.24.3
     }
     protocol all
     source {
         address 172.23.11.0/24
     }
     type source
 }
[edit]

If I ping from one of the inside machines to our gateway router (through the tower router) while running tcpdump on the tower router I see the original unmodified source address in the pings:

16:34:20.762304 IP 172.23.11.203 > 10.0.11.1: ICMP echo request, id 1904, seq 1, length 64
16:34:21.777301 IP 172.23.11.203 > 10.0.11.1: ICMP echo request, id 1904, seq 2, length 64
16:34:22.777293 IP 172.23.11.203 > 10.0.11.1: ICMP echo request, id 1904, seq 3, length 64

I recently decided to move my VMWare server to something that doesn't sound like jet engines running (Dell server and Cisco 3750 switches). Having read about the hardware offload now available to the ER-X I thought it was time to dust off the ER-X and my TP-Link switch. Upgraded the ER-X to the 1.10.x firmware and configured the switch and ER-X with many vlan interfaces.

When I went to copy a file off of my VMWare hosted file server I wasn't expecting the 100 mbytes/sec I was getting with my Cisco switches but I did expect more than the 5-20 mbytes/sec that I got. My workstation NIC is doing VLAN interfaces so I put a VLAN interface with the server and downloaded the file. I got 75-80 mbyte/sec without going through the ER-X. I tried different cables to no effect. Exact same results.

What am I doing wrong?? Anything?

File copy bandwidth going through ER-X:

Interfaces (vif 192 is receive, vif 224 is send)

eth3.192@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 44:d9:e7:07:0a:05 brd ff:ff:ff:ff:ff:ff
    inet 10.0.192.1/24 brd 10.0.192.255 scope global eth3.192
       valid_lft forever preferred_lft forever
    inet6 fe80::46d9:e7ff:fe07:a05/64 scope link
       valid_lft forever preferred_lft forever
    Description: 192-it-management-users

    RX:  bytes    packets     errors    dropped    overrun      mcast
      16761724     144376          0          0          0      13727
    TX:  bytes    packets     errors    dropped    carrier collisions
      82852805     134488          0          0          0          0


eth4.224@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 44:d9:e7:07:0a:06 brd ff:ff:ff:ff:ff:ff
    inet 10.0.224.1/24 brd 10.0.224.255 scope global eth4.224
       valid_lft forever preferred_lft forever
    inet6 fe80::46d9:e7ff:fe07:a06/64 scope link
       valid_lft forever preferred_lft forever
    Description: 224-it-server

    RX:  bytes    packets     errors    dropped    overrun      mcast
       2124952      19061          0         10          0       5157
    TX:  bytes    packets     errors    dropped    carrier collisions
       2250243      19784          0          0          0          0

CPU usage on ER-X is 5-16% and that is almost entirely UBNT-UTIL and it is the same whether copying the file or not.

CPU usage on the switch sits around 4% during file copy..

Relavant config lines... I am only routing at this point. No NAT, No VPN, etc. Just routing.

interfaces {
    ethernet eth0 {
        duplex auto
        ip {
        }
        speed auto
        vif 8 {
            address 10.0.8.1/24
            description 8-user
        }
        vif 16 {
            address 10.0.16.1/24
            description 16-user
        }
        vif 24 {
            address 10.0.24.1/24
            description 24-user
        }
        vif 32 {
            address 10.0.32.1/24
            description 32-user
        }
        vif 40 {
            address 10.0.40.1/24
            description 40-user-remote
        }
        vif 48 {
            address 10.0.48.1/24
            description 48-user-guest
        }
    }
    ethernet eth1 {
        duplex auto
        speed auto
        vif 56 {
            address 10.0.56.1/24
            description 56-conference-room
        }
        vif 64 {
            address 10.0.64.1/24
            description 64-media-printer
        }
        vif 72 {
            address 10.0.72.1/24
            description 72-media-storage
        }
        vif 80 {
            address 10.0.80.1/24
            description 80-media-backup
        }
        vif 88 {
            address 10.0.88.1/24
            description 88-media-stream
        }
    }
    ethernet eth2 {
        duplex auto
        speed auto
        vif 96 {
            address 10.0.96.1/24
            description 96-security
        }
        vif 104 {
            address 10.0.104.1/24
            description 104-security
        }
        vif 112 {
            address 10.0.112.1/24
            description 112-wireless
        }
        vif 120 {
            address 10.0.120.1/24
            description 120-wireless
        }
        vif 128 {
            address 10.0.128.1/24
            description 128-deployment
        }
        vif 136 {
            address 10.0.136.1/24
            description 136-testing
        }
        vif 144 {
            address 10.0.144.1/24
            description 144-lab
        }
        vif 152 {
            address 10.0.152.1/24
            description 152-development
        }
    }
    ethernet eth3 {
        duplex auto
        speed auto
        vif 160 {
            address 10.0.160.1/24
            description 160-phone
        }
        vif 168 {
            address 10.0.168.1/24
            description 168-phone
        }
        vif 176 {
            address 10.0.176.1/24
            description 176-phone
        }
        vif 184 {
            address 10.0.184.1/24
            description 184-phone-system
        }
        vif 192 {
            address 10.0.192.1/24
            description 192-it-management-users
        }
        vif 200 {
            address 10.0.200.1/24
            description 200-it-management-remote
        }
        vif 208 {
            address 10.0.208.1/24
            description 208-it-management-equipment
        }
        vif 216 {
            address 10.0.216.1/24
            description 216-it-management-noc
        }
    }
    ethernet eth4 {
        duplex auto
        speed auto
        vif 224 {
            address 10.0.224.1/24
            description 224-it-server
        }
        vif 232 {
            address 10.0.232.1/24
            description 232-it-server
        }
        vif 240 {
            address 10.0.240.1/24
            description 240-it-server
        }
        vif 248 {
            address 10.0.248.1/24
            description 248-it-network
        }
        vif 252 {
            address 10.0.252.2/24
            description "M2loco connection"
        }
    }
    loopback lo {
        address 1.1.1.3/32
    }
    switch switch0 {
    }
}
protocols {
}
service {
    dhcp-relay {
        interface eth3.192
        interface eth2.112
        interface eth4.224
        interface eth0.16
        interface eth0.24
        interface eth0.32
        interface eth0.40
        interface eth0.48
        interface eth0.8
        interface eth1.56
        interface eth1.64
        interface eth1.72
        interface eth1.80
        interface eth1.88
        interface eth2.104
        interface eth2.120
        interface eth2.128
        interface eth2.136
        interface eth2.144
        interface eth2.152
        interface eth2.96
        interface eth3.160
        interface eth3.168
        interface eth3.176
        interface eth3.184
        interface eth3.200
        interface eth3.208
        interface eth3.216
        interface eth4.232
        interface eth4.240
        interface eth4.248
        server 10.0.224.250
    }

*

*

*

    offload {
        hwnat enable
        ipsec enable
    }

Any thoughts

So we've got some apartment complexes that we're looking to provide internet services for. We have a fiber from the provider for the main connection. Each unit has a sigle mode fiber run to it back to the central data closets. Would love to learn more about the GPON equipment from Ubiquiti and I suppose more of the fiber distribution. I see you can connect up to 128 clients to each port on the GPON unit but what hardware would be recommended for combining the fibers to connect to the OLT port is there a passive splitter by corning recommended for this? 

Basically my understanding is say we had 10 fibers to each floor to the unit those fibers would terminate into a passive splitter which then feeds up to 128 units via one fiber back to the OLT unit. 

I recently upgraded to faster cable internet and was excited to see ~95mbps/11mbps when connected directly to the new modem.

I reconnected my ER-X and saw a large performance drop across it. My test was 

time curl -o /dev/null http://speedtest.wdc01.softlayer.com/downloads/test500.zip

 and I achieved

• 72mbps from the ER-X directly
• 62mbps from a ~4 year old computer running Debian 9 via a 10/100 Netgear consumer switch
• 52mbps from a Raspberry Pi 3 Model B over the same switch

I have attached my router configuration here.

Does anyone have any thoughts on where my missing 20-30mbps are going?

I'm wondering if I can get a message (email) when a new client gets an IP from dhcpd.

Hello everyone,

I am new to the forum and in the use of a router, I have an ERX and I want to use it to get private access to the Internet (nordvpn).
I followed the instructions on this page: https://nordvpn.com/en/tutorials/edgerouter/openvpn/
But in the end I did not have access to the internet and I ended up discovering that it was necessary to pass the line "pull" by "road-nopull" ...
The vtun0 connects correctly, it seems, however, I can not redirect all the traffic directly into the vtun0.
My configuration is: eth0> wlan and eth1, eth2, eth3, eth4> switch0
Thank you for your help

So, as the title says, I am interested in how it would be possible to create an L2TP VPN (client to site) which:

1. Gives out client IP address from external DHCP server

2. Respects RADIUS Framed-IP-Address attribute for cleints which have one specified.

I am sure swan supports that using plugins for dhcp and radius, the question is how to accomplish this with vyatta config syntax?

Hi,

New to UBNT and followed the documentation for advanced queues:

https://help.ubnt.com/hc/en-us/articles/220716608-EdgeRouter-Advanced-queue-CLI-examples

Whereafter I added new leafs and made sure it matched my LAN subnet (10.1.2.0/24):

show traffic-control output:

 advanced-queue {
     branch {
         queue 100 {
             bandwidth 12mbit
             description Upload
             parent 1
         }
         queue 200 {
             bandwidth 110mbit
             description Download
             parent 1
         }
     }
     filters {
         match 100 {
             attach-to 1
             description "WAN upload"
             ip {
                 source {
                     address 10.1.2.0/24
                 }
             }
             target 100
         }
         match 101 {
             application {
                 category File-Transfer
             }
             attach-to 100
             description "Low priority server traffic - File transfer"
             ip {
                 destination {
                     address 10.1.2.50/24
                 }
             }
             target 104
         }
         match 102 {
             application {
                 category Web
             }
             attach-to 100
             description "Low priority server traffic - Web"
             ip {
                 destination {
                     address 10.1.2.50/24
                 }
             }
             target 101
         }
         match 103 {
             application {
                 category P2P
             }
             attach-to 100
             description P2P
             target 102
         }
         match 104 {
             attach-to 100
             description Usenet
             ip {
                 source {
                     port 119,563
                 }
             }
             target 103
         }
         match 105 {
             attach-to 100
             description Plex
             ip {
                 source {
                     port 32400
                 }
             }
             target 105
         }
         match 106 {
             application {
                 category Web
             }
             attach-to 100
             description HTTP
             target 101
         }
         match 107 {
             application {
                 category Remote-Access-Terminals
             }
             attach-to 100
             description "Remote access terminals"
             target 107
         }
         match 108 {
             application {
                 category Streaming-Media
             }
             attach-to 100
             description "Streaming services"
             target 107
         }
         match 109 {
             application {
                 category Security-Update
             }
             attach-to 100
             description "Windows update"
             target 104
         }
         match 110 {
             attach-to 100
             description "Telnet / SSH"
             ip {
                 source {
                     port 21-22
                 }
             }
             target 108
         }
         match 111 {
             attach-to 100
             description DNS
             ip {
                 source {
                     port 53
                 }
             }
             target 101
         }
         match 112 {
             application {
                 category Games
             }
             attach-to 100
             description Games
             target 108
         }
         match 113 {
             attach-to 100
             description "Apple TV"
             ip {
                 destination {
                     address 10.1.2.52/24
                 }
             }
             target 107
         }
         match 114 {
             attach-to 100
             description "Torrent - PR"
             ip {
                 source {
                     port 9998-9999
                 }
             }
             target 101
         }
         match 115 {
             attach-to 100
             description "Torrent - automation"
             ip {
                 source {
                     port 19898-19899
                 }
             }
             target 101
         }
         match 200 {
             attach-to 1
             description "WAN download"
             ip {
                 destination {
                     address 10.1.2.0/24
                 }
             }
             target 200
         }
         match 201 {
             application {
                 category File-Transfer
             }
             attach-to 200
             description "Low priority server traffic - File transfer"
             ip {
                 source {
                     address 10.1.2.50/24
                 }
             }
             target 204
         }
         match 202 {
             application {
                 category Web
             }
             attach-to 200
             description "Low priority server traffic - Web"
             ip {
                 source {
                     address 10.1.2.50/24
                 }
             }
             target 204
         }
         match 203 {
             application {
                 category P2P
             }
             attach-to 200
             description P2P
             target 202
         }
         match 204 {
             attach-to 200
             description Usenet
             ip {
                 destination {
                     port 119,563
                 }
             }
             target 203
         }
         match 205 {
             attach-to 200
             description Plex
             ip {
                 destination {
                     port 32400
                 }
             }
             target 205
         }
         match 206 {
             application {
                 category Web
             }
             attach-to 200
             description HTTP
             target 206
         }
         match 207 {
             application {
                 category Remote-Access-Terminals
             }
             attach-to 200
             description "Remote access terminals"
             target 207
         }
         match 208 {
             application {
                 category Streaming-Media
             }
             attach-to 200
             description "Streaming services"
             target 207
         }
         match 209 {
             application {
                 category Security-Update
             }
             attach-to 200
             description "Windows update"
             target 204
         }
         match 210 {
             attach-to 200
             description "Telnet / SSH"
             ip {
                 destination {
                     port 21-22
                 }
             }
             target 208
         }
         match 211 {
             attach-to 200
             description DNS
             ip {
                 destination {
                     port 53
                 }
             }
             target 208
         }
         match 212 {
             application {
                 category Games
             }
             attach-to 200
             description Gaming
             target 208
         }
         match 213 {
             attach-to 200
             description AppleTv
             ip {
                 source {
                     address 10.1.2.52/24
                 }
             }
             target 207
         }
         match 214 {
             attach-to 200
             description "Torrent - PR"
             ip {
                 destination {
                     port 9998-9999
                 }
             }
             target 202
         }
         match 215 {
             attach-to 200
             description "Torrent - automation"
             ip {
                 destination {
                     port 19898-19899
                 }
             }
             target 201
         }
     }
     leaf {
         queue 101 {
             bandwidth 10mbit
             ceiling 12mbit
             description "Unmatched traffic"
             parent 100
             priority 3
             queue-type FQCODEL_UP
         }
         queue 102 {
             bandwidth 8mbit
             description "Bulk / P2P traffic"
             parent 100
             priority 0
             queue-type FQCODEL_UP
         }
         queue 103 {
             bandwidth 8mbit
             description Usenet
             parent 100
             priority 2
             queue-type FQCODEL_UP
         }
         queue 104 {
             bandwidth 8mbit
             ceiling 10mbit
             description "Low priority server traffic"
             parent 100
             priority 3
             queue-type FQCODEL_UP
         }
         queue 105 {
             bandwidth 12mbit
             description "Streaming servers (Plex)"
             parent 100
             priority 6
             queue-type FQCODEL_UP
         }
         queue 106 {
             bandwidth 10mbit
             ceiling 12mbit
             description HTTP
             parent 100
             priority 4
             queue-type FQCODEL_UP
         }
         queue 107 {
             bandwidth 12mbit
             description "Priority traffic"
             parent 100
             priority 6
             queue-type FQCODEL_UP
         }
         queue 108 {
             bandwidth 12mbit
             description "Low latency traffic"
             parent 100
             priority 7
             queue-type FQCODEL_UP
         }
         queue 201 {
             bandwidth 100mbit
             ceiling 110mbit
             description "Unmatched traffic"
             parent 200
             priority 3
             queue-type FQCODEL_DOWN
         }
         queue 202 {
             bandwidth 100mbit
             description "Bulk / P2P traffic"
             parent 200
             priority 0
             queue-type FQCODEL_DOWN
         }
         queue 203 {
             bandwidth 100mbit
             description Usenet
             parent 200
             priority 2
             queue-type FQCODEL_DOWN
         }
         queue 204 {
             bandwidth 100mbit
             description "Low priority server traffic"
             parent 200
             priority 3
             queue-type FQCODEL_DOWN
         }
         queue 205 {
             bandwidth 110mbit
             description "Streaming servers (Plex)"
             parent 200
             priority 6
             queue-type FQCODEL_DOWN
         }
         queue 206 {
             bandwidth 110mbit
             description HTTP
             parent 200
             priority 5
             queue-type FQCODEL_DOWN
         }
         queue 207 {
             bandwidth 110mbit
             description "Priority traffic"
             parent 200
             priority 6
             queue-type FQCODEL_DOWN
         }
         queue 208 {
             bandwidth 110mbit
             description "Low latency traffic"
             parent 200
             priority 7
             queue-type FQCODEL_DOWN
         }
     }
     queue-type {
         fq-codel FQCODEL_DOWN {
             ecn disable
         }
         fq-codel FQCODEL_UP {
             ecn disable
         }
     }
     root {
         queue 1 {
             attach-to global
             bandwidth 132mbit
         }
     }
 }

Now the problem is that nothing seems to get into those queues, tried to set a limit of 10mbit at the download branch or leaves and line still maxed out at 120mbit.

This on a ER-6P with latest firmware (1.10) with ETH0 as WAN and ETH1-5 bridged into LAN, any idea what I'm doing wrong here?

Hi

I have a edge router lite. I have 2 lan on it non beite.

Lan1 is 1.1.1.1 and is only connected to my server wich is static on 1.1.1.200 ( not real ip )

Lan2 1.1.2.1 is all other things in the house so it runs to my manage switch

Lets say isp is 5.5.5.5

Is just defoult firewall rules on it now. 

My server runs a lot og email servers and webpages and some other stuff. If i try the web adress now i only get the router login page. The server i dont need any firewall on that lan since the server is secure. How can i det this lan in dmz, maybe 1to1 nat? Can someone show me. I did this on a mikrotik router and made it work, i dont find how to do it on ubnt. And i wish to  learn it since i bought it.

I am trying to get a new site setup, I have a brand new ERP running v1.10.0 and the ERP at our main location running v1.9.1.

I can not get the VPNs to come up. Below is the error message I am recieving when trying to establish the connection. 

I can provide any info needed.

ubnt@New Router~$ sudo ipsec up peer-PEERWAN-tunnel-1
initiating IKE_SA peer-PEER WAN-tunnel-1[14] to PEER WAN
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from LOCAL WAN[500] to PEER WAN[500] (432 bytes)
received packet: from PEERWAN[500] to LOCAL WAN[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
establishing connection 'peer-PEER WAN-tunnel-1' failed

ubnt@NewRouter# show vpn
 ipsec {
     auto-update 60
     auto-firewall-nat-exclude enable
     esp-group vpntunnel {
         compression disable
         lifetime 86400
         mode transport
         pfs dh-group19
         proposal 10 {
             encryption aes256
             hash sha256
         }
     }
     ike-group vpntunnel {
         dead-peer-detection {
             action hold
             interval 30
             timeout 120
         }
         ikev2-reauth no
         key-exchange ikev2
         lifetime 86400
         proposal 10 {
             dh-group 14
             encryption aes256
             hash sha256
         }
     }
     ipsec-interfaces {
         interface eth1
     }
     logging {
         log-level 2
         log-modes ike
         log-modes enc
         log-modes asn
         log-modes mgr
         log-modes dmn
         log-modes net
         log-modes tls
         log-modes esp
         log-modes imc
         log-modes knl
     }
     nat-networks {
         allowed-network 10.6.0.0/16 {
         }
         allowed-network 192.168.254.0/29 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer PEER WAN {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret differentsupersecretpassword
             }
             connection-type respond
             description ""
             ike-group vpntunnel
             ikev2-reauth no
             local-address WAN
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group vpntunnel
                 local {
                 }
                 protocol gre
                 remote {
                 }
             }
         }
     }
 }
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username routervpn {
                     password supersecretpassword
                 }
             }
             mode local
         }
         client-ip-pool {
             start 192.168.254.2
             stop 192.168.254.6
         }
         description Router-Acceess
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret supersecretpassword
             }
             ike-lifetime 3600
         }
         local-ip 192.168.254.1
         mtu 1492
         outside-address xxx.xxx.xxx.xxx
     }
 }

ubnt@MAINRouter-R01# show vpn
 ipsec {
     auto-firewall-nat-exclude enable
     esp-group vpntunnel {
         compression disable
         lifetime 86400
         mode transport
         pfs dh-group19
         proposal 10 {
             encryption aes256
             hash sha256
         }
     }
     ike-group vpntunnel {
         dead-peer-detection {
             action hold
             interval 30
             timeout 120
         }
         ikev2-reauth no
         key-exchange ikev2
         lifetime 86400
         proposal 10 {
             dh-group 14
             encryption aes256
             hash sha256
         }
     }
     logging {
         log-level 1
         log-modes ike
         log-modes tls
         log-modes net
         log-modes knl
         log-modes esp
         log-modes enc
         log-modes chd
         log-modes cfg
         log-modes asn
         log-modes tnc
         log-modes job
         log-modes imv
         log-modes imc
     }
     nat-networks {
         allowed-network 10.0.0.0/16 {
         }
         }
         peer PEER WAN {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret secret
             }
             connection-type respond
             ike-group vpntunnel
             ikev2-reauth no
             local-address WAN
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group vpntunnel
                 protocol gre
             }
         }
     }
 }
 }

Alright folks, got a couple questions that I know the collective should be able to help answer. Basically, I'm trying to decide between the EdgeRouter ER-8 and the USG-Pro.

Let me explain what I'm trying to do, and what I'm hoping to get out of my home network. I work in IT security and starting to get into networking, and am looking to get my hands dirty by building a robust home network. I want to be able to test something at home and have a working knowledge of it before I either put it to use at work or use that knowledge in a cert exam.

I currently have a Cisco 3750E managed PoE switch, a Checkpoint 2200 enterprise firewall, a Meraki MS220-8P, an EdgeRouter X(operating as a switch), an old Asus wireless N router(simply handling DHCP and NAT), a couple G3 cameras, and two UniFi AC-Pro WAPs. I'm looking for a router to dump that Asus so it needs to do DHCP(or point to my win server that could do DHCP/DNS/BootP), simple NAT, be able to handle a failover WAN(getting a Netgear 6100D with FreedomPop), and run LACP or port channel to my Checkpoint and possibly the Cisco if I put the Checkpoint as my edge device. Because my home is my test lab, in the near future I plan on getting a Nexus 5010 and a Checkpoint 4800(with a dual SFP+ expansion card) so I can convert everything possible to 10G fiber, which means speed and throughput are extremely important at this step.

Obviously the ER-8 will ultimately give me more flexibility and configuration options, but I also like the added options available in the UniFi suite(I have an Ubuntu box handling my UniFi WAP and NVR). I also wouldn't object to putting the ER-8 in place, then getting a small USG to put in front of my WAPs so they can report back more information than I'm currently getting from my UniFi implementation. My home internet is 300/20, not gig fiber but also not dirt slow like DSL, so whatever I get should not have any performance impact and let my devices use the full throughput my ISP provides. I welcome all suggestions and ideas, so thank you much in advance!

-X

As you see i have two lans, on lan1 i have just a server wich has dns becouse its runs mail and web services. I want this to be in DMZ so the server handels its own security. I have have hairpin nat enable but i get the router if i try my webpages. Can someone help me configure this so it runs smooth.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Dmz {
        default-action accept
        description ""
        rule 1 {
            action accept
            destination {
                address 192.168.1.200
            }
            log disable
            protocol all
            source {
                group {
                    address-group NETv4_eth1
                }
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth0
    lan-interface eth2
    wan-interface eth1
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.200
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.1.200
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}

        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    static-host-mapping {
        host-name MOLLER2 {
            inet 192.168.1.200
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.1.5067571.180305.1750 */