Channel: EdgeRouter topics

Dual WAN load balance failover + VLAN policy based routing


Hello.

 

I have a working setup with dual WAN (both providers on PPPoE) after I followed this article: https://help.ubnt.com/hc/en-us/articles/205145990-EdgeRouter-Dual-WAN-Load-Balance-Feature

 

I also followed this article: https://help.ubnt.com/hc/en-us/articles/204952134-EdgeRouter-NAT-Hairpin-Nat-Inside-to-Inside-Loopback-Reflection-

 

Everything works great, when the first ISP on pppoe0 fails it switches in a couple of seconds to pppoe1 on the second ISP.

 

I have found myself in the need of one particular computer to always use the internet from the second ISP, on pppoe1.

 

How does this affect my load balance with failover setup?

 

I am thinking of adding two vifs with different VLANs on switch0, one for everybody else and one for the special computer.

 

Or just a vif with a VLAN on eth3, the port to which this special-needs computer is connected.

 

I am having trouble understanding vif on switch0 vs. vif on a particular port, and how to set different routes for different VLANs.

 

I also wonder how this affects my load balance with failover setup.

 

Please share your similar setup or suggestions, thank you.


ER-X Router and PowerBeam M5, PPPoE, VLAN


Hi,

I am asking for help with a config.

I have an ER-X and on port eth0 a PowerBeam M5 is connected. At the ER-X I am dialing a PPPoE connection through the PB-M5. The PB-M5 is set up as a bridge. This works fine for me, but I am not able to manage the PB-M5. Can anybody help me with configuring VLANs on both devices?

EdgeRouter Slow


I've got an EdgeRouter which seems to work fine, however every few days I have to restart it because it starts going horribly slow. Like less than 1 Mbps slow. I've set system offload for everything, which has not helped. The only thing that I can figure is that the issue seems to happen more frequently when I re-dock my laptop after taking it somewhere. Docked, the laptop is using an ethernet connection; undocked, it is wireless. No idea if there's a correlation there, but it's all I've got. Any ideas?

New User with EdgeMax ER-4 out of the box - Port forward issue


Hey there.  New to the forum, new to EdgeRouter 4 platform.  New out of the box last night, applied 1.10 firmware.  Ran the Wan-2Lan wizard for my PPPoE FTTH gigabit connection.  All is well there.  I can connect.

 

Tried to add in the port forward rule for my internal Plex server.  Been running well for the last 2 years on my Sophos Home UTM 9 box.  TCP port 32401 outside to inside server IP and port 32400.  I have the box checked to make appropriate firewall rules - but no dice.

 

Up late working on it and finally threw in the towel.  Tried firewall rules and couldn't see straight so deleted all of them.  The port forward never created rules I could see.  Testing port 32401 from the outside doesn't work and Plex shows it's not reachable out of my network.

 

Please advise.

 

Thanks!

Installing SSL kills GUI and won't restart

Access restriction by group of MAC addresses


Greetings. I am new to the EdgeRouter Lite (still in the process of setting it up) and came over from a consumer grade router running AdvancedTomato. One feature set that I'm looking for the best possible way to mimic / replace is the access restriction functionality of Tomato. I have a few different access restrictions set up based on day of the week / time (disable Internet access after a particular time, re-enable the next morning for a subset of devices on the network) and then have several MAC addresses assigned to each access restriction group. It's easy to enable / disable and adjust times / days as needed (which I occasionally have to do) at the group level rather than on a per-rule, per-MAC level one at a time.

 

I've read enough to see that setting up such rules is possible on a single-MAC-per-rule basis, but that would be a cumbersome mess to manage when this would easily turn into something like 30 or so rules (about 10 or so MAC addresses spread across 3+ rules right now on Tomato). Is there still no support for groups of MAC addresses for rules? If not, is there potentially some other creative way I could put in place date / time based access restrictions for several MAC addresses that would prevent me from having to touch each rule per MAC when I want to make adjustments? It looks like it's possible to do something like this at the IP address level, but someone could easily change to a static IP and get around this (though I know someone could spoof a MAC as well, though I see this as far less likely with my audience).

 

I have a few half baked ideas to potentially try out, but wanted to feel out where the status was on this matter and if it's still not really possible.

Bug Report: interface config gets deleted on reboot when using dhcpv6-pd for a dot1q/vlan if


Hello.

 

I found a pretty serious bug...

If you configure dhcpv6-pd for a vlan interface on eth0, the complete eth0 config gets deleted on a reboot. See the attached config for details. This happens on multiple ER-X running v1.10.0.

 

From other bug threads I've read, I believe this happens because eth2.10 doesn't exist yet when the eth0 config tries referencing it.

 

interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :8
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :9
                    service slaac
                }
                interface eth2.10 {
                    host-address ::1
                    prefix-id :10
                    service slaac
                }
                prefix-length 56
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name IPV6_WAN_IN
                name IPV4_WAN_IN
            }
            local {
                ipv6-name IPV6_WAN_LOCAL
                name IPV4_WAN_LOCAL
            }
            out {
                ipv6-name IPV6_WAN_OUT
                name IPV4_WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.8.1/24
        description LAN
        duplex auto
        firewall {
            out {
                ipv6-name IPV6_LAN_OUT
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag true
                max-interval 600
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.9.1/24
        description WLAN
        duplex auto
        firewall {
            in {
                ipv6-modify IPV6_MARK_WLAN
                ipv6-name IPV6_WLAN_IN
                name IPV4_WLAN_IN
            }
            local {
                ipv6-name IPV6_WLAN_LOCAL
                name IPV4_WLAN_LOCAL
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag true
                max-interval 600
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description Guest-WLAN
            firewall {
                in {
                    ipv6-modify IPV6_MARK_WLAN
                    ipv6-name IPV6_GUESTWLAN_IN
                    name IPV4_GUESTWLAN_IN
                }
                local {
                    ipv6-name IPV6_GUESTWLAN_LOCAL
                    name IPV4_GUESTWLAN_LOCAL
                }
            }
            ipv6 {
                dup-addr-detect-transmits 1
                router-advert {
                    cur-hop-limit 64
                    link-mtu 0
                    managed-flag true
                    max-interval 600
                    other-config-flag false
                    prefix ::/64 {
                        autonomous-flag true
                        on-link-flag true
                        valid-lifetime 2592000
                    }
                    reachable-time 0
                    retrans-timer 0
                    send-advert true
                }
            }
        }
    }
}

Troubleshooting Logs from ER8 for LPD Print Job


Greetings, I'm having a bit of a time troubleshooting the logs for a print job via port 515 LPD. We've got a printer (IP 172.16.200.201) that is set to print on that port from WAN IP 75.125.100.100, but print jobs coming in essentially time out and eventually die in the ether somewhere. The logs are the following:

 

Mar 15 15:36:54	ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 MAC=24:a4:3c:3c:60:5b:84:3d:c6:68:cb:9c:08:00 src=75.125.100.100 DST=172.16.200.201 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=7314 PROTO=TCP SPT=62354 DPT=515 WINDOW=8192 RES=0x00 ACK URGP=0
Mar 15 15:36:54	ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 MAC=24:a4:3c:3c:60:5b:84:3d:c6:68:cb:9c:08:00 src=75.125.100.100 DST=172.16.200.201 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=7306 PROTO=TCP SPT=62354 DPT=515 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 15 15:34:24	ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 MAC=24:a4:3c:3c:60:5b:84:3d:c6:68:cb:9c:08:00 src=75.125.100.100 DST=172.16.200.201 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=52016 PROTO=TCP SPT=61363 DPT=515 WINDOW=8192 RES=0x00 ACK URGP=0
Mar 15 15:34:24	ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 MAC=24:a4:3c:3c:60:5b:84:3d:c6:68:cb:9c:08:00 src=75.125.100.100 DST=172.16.200.201 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=52001 PROTO=TCP SPT=61363 DPT=515 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 15 15:31:59	ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 MAC=24:a4:3c:3c:60:5b:84:3d:c6:68:cb:9c:08:00 src=75.125.100.100 DST=172.16.200.201 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=31503 PROTO=TCP SPT=60370 DPT=515 WINDOW=8192 RES=0x00 ACK URGP=0
Mar 15 15:31:59	ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 MAC=24:a4:3c:3c:60:5b:84:3d:c6:68:cb:9c:08:00 src=75.125.100.100 DST=172.16.200.201 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=31500 PROTO=TCP SPT=60370 DPT=515 WINDOW=65535 RES=0x00 SYN URGP=0

15:36:54.327912	IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [R], seq 433725005, win 0, length 0
15:36:54.268678	IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [F.], seq 4:5, ack 139, win 1, length 1
15:36:54.115112	IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [P.], seq 1:2, ack 11, win 31000, length 1
15:36:54.104819	IP 75.125.100.100.62354 > 172.16.200.201.515: Flags [.], ack 1, win 8192, length 0
15:36:54.032360	IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [S.], seq 433724999, ack 1862725210, win 30, options [mss 1460,wscale 0,eol], length 0
15:36:54.031532	IP 75.125.100.100.62354 > 172.16.200.201.515: Flags [S], seq 1862725209, win 65535, options [mss 536,nop,wscale 5,TS val 577707606 ecr 0,nop,nop], length 0
15:34:24.603340	IP 172.16.200.201.515 > 75.125.100.100.61363: Flags [R], seq 492270011, win 0, length 0
15:34:24.540865	IP 172.16.200.201.515 > 75.125.100.100.61363: Flags [F.], seq 4:5, ack 139, win 1, length 1
15:34:24.389447	IP 172.16.200.201.515 > 75.125.100.100.61363: Flags [P.], seq 1:2, ack 11, win 31000, length 1
15:34:24.378957	IP 75.125.100.100.61363 > 172.16.200.201.515: Flags [.], ack 1, win 8192, length 0
15:34:24.309175	IP 172.16.200.201.515 > 75.125.100.100.61363: Flags [S.], seq 492270005, ack 2972176430, win 30, options [mss 1460,wscale 0,eol], length 0
15:34:24.308559	IP 75.125.100.100.61363 > 172.16.200.201.515: Flags [S], seq 2972176429, win 65535, options [mss 536,nop,wscale 5,TS val 577561392 ecr 0,nop,nop], length 0
15:31:59.573134	IP 172.16.200.201.515 > 75.125.100.100.60370: Flags [R], seq 484273385, win 0, length 0
15:31:59.509479	IP 172.16.200.201.515 > 75.125.100.100.60370: Flags [F.], seq 4:5, ack 139, win 1, length 1
15:31:59.344574	IP 172.16.200.201.515 > 75.125.100.100.60370: Flags [P.], seq 1:2, ack 11, win 31000, length 1
15:31:59.279078	IP 75.125.100.100.60370 > 172.16.200.201.515: Flags [.], ack 1, win 8192, length 0
15:31:59.219283	IP 172.16.200.201.515 > 75.125.100.100.60370: Flags [S.], seq 484273379, ack 3783209056, win 30, options [mss 1460,wscale 0,eol], length 0
15:31:59.197709	IP 172.16.200.201.515 > 75.125.100.100.60370: Flags [S.], seq 484273379, ack 3783209056, win 30, options [mss 1460,wscale 0,eol], length 0
15:31:59.196807	IP 75.125.100.100.60370 > 172.16.200.201.515: Flags [S], seq 3783209055, win 65535, options [mss 536,nop,wscale 5,TS val 577419681 ecr 0,nop,nop], length 0

 

    name WAN_IN {
        default-action drop
        description ""
        enable-default-log
        rule 10 {
            action accept
            description "Allow ICMP Ping"
            log disable
            protocol icmp
            source {
                group {
                }
            }
        }
        rule 20 {
            action accept
            description "Allow print jobs"
            destination {
                group {
                    port-group Print-Queue
                }
            }
            log enable
            protocol all
            source {
                group {
                }
            }
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
        port-group Print-Queue {
            description "Allow printer to receive print jobs"
            port 515
        }

Is the printer just not acknowledging or what? Thanks in advance for your help. (And if there is a good tutorial site about reading firewall logs, I'd appreciate a heads up and link for it. My Google-fu was not working well today.)
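As an added diagnostic for the thread above (not code from the post or from Ubiquiti): this Python script parses the EdgeOS firewall-log prefix of the form [ruleset-rule-verdict] and the tcpdump lines, groups both by client port, and reports whether the router dropped a session or one of the endpoints closed it. The sample lines reuse the post's port-62354 session (trimmed) and add one constructed default-drop line from 203.0.113.9; the "default-D" naming of an enable-default-log entry is an assumption about the EdgeOS log format.

```python
"""Correlate EdgeOS firewall log lines with a tcpdump capture of the same
TCP sessions, to tell a firewall drop apart from an application-level close.

Added example for the LPD thread above; not code from the original post.
Sample lines reproduce the post's 62354 session (fields trimmed) plus one
constructed dropped SYN from 203.0.113.9.
"""
import re
from collections import defaultdict

FW_LOG = """\
Mar 15 15:36:54 ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 SRC=75.125.100.100 DST=172.16.200.201 LEN=40 TTL=59 ID=7314 PROTO=TCP SPT=62354 DPT=515 WINDOW=8192 RES=0x00 ACK URGP=0
Mar 15 15:36:54 ERL kernel: [WAN_IN-20-A]IN=eth2 OUT=eth7 SRC=75.125.100.100 DST=172.16.200.201 LEN=60 TTL=59 ID=7306 PROTO=TCP SPT=62354 DPT=515 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 15 15:36:50 ERL kernel: [WAN_IN-default-D]IN=eth2 OUT=eth7 SRC=203.0.113.9 DST=172.16.200.201 LEN=60 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=515 WINDOW=1024 RES=0x00 SYN URGP=0
"""

TCPDUMP = """\
15:36:54.327912 IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [R], seq 433725005, win 0, length 0
15:36:54.268678 IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [F.], seq 4:5, ack 139, win 1, length 1
15:36:54.115112 IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [P.], seq 1:2, ack 11, win 31000, length 1
15:36:54.104819 IP 75.125.100.100.62354 > 172.16.200.201.515: Flags [.], ack 1, win 8192, length 0
15:36:54.032360 IP 172.16.200.201.515 > 75.125.100.100.62354: Flags [S.], seq 433724999, ack 1862725210, win 30, options [mss 1460,wscale 0,eol], length 0
15:36:54.031532 IP 75.125.100.100.62354 > 172.16.200.201.515: Flags [S], seq 1862725209, win 65535, options [mss 536,nop,wscale 5,TS val 577707606 ecr 0,nop,nop], length 0
"""

# Log prefix is [RULESET-RULE-VERDICT]; VERDICT is A(ccept), D(rop) or R(eject).
# "default" as the rule id for enable-default-log entries is an assumption.
FW_RE = re.compile(r"\[(?P<chain>[A-Za-z0-9_]+)-(?P<rule>\w+)-(?P<verdict>[ADR])\](?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
TD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\].*?length\s+(?P<len>\d+)"
)


def parse_fw_line(line):
    """Return verdict and addressing fields of one firewall log line, or None."""
    m = FW_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    if "SPT" not in kv:  # ICMP and other port-less lines are not sessions
        return None
    return {"chain": m.group("chain"), "rule": m.group("rule"), "verdict": m.group("verdict"),
            "src": kv["SRC"], "spt": int(kv["SPT"]), "dst": kv["DST"], "dpt": int(kv["DPT"]),
            "flags": [t for t in m.group("rest").split() if t in TCP_FLAGS]}


def parse_td_line(line):
    """Return timestamp, endpoints, flags and payload length of one tcpdump line."""
    m = TD_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"], d["len"] = int(d["sport"]), int(d["dport"]), int(d["len"])
    return d


def correlate(fw_text, td_text, server_port=515):
    """Group firewall verdicts and captured packets by (client IP, client port)."""
    sessions = defaultdict(lambda: {"fw": [], "pkts": []})
    for line in fw_text.splitlines():
        rec = parse_fw_line(line)
        if rec and rec["dpt"] == server_port:
            sessions[(rec["src"], rec["spt"])]["fw"].append(rec)
    for line in td_text.splitlines():
        pkt = parse_td_line(line)
        if pkt is None:
            continue
        if pkt["dport"] == server_port:
            key, pkt["dir"] = (pkt["src"], pkt["sport"]), "client->server"
        elif pkt["sport"] == server_port:
            key, pkt["dir"] = (pkt["dst"], pkt["dport"]), "server->client"
        else:
            continue
        sessions[key]["pkts"].append(pkt)
    for sess in sessions.values():
        sess["pkts"].sort(key=lambda p: p["ts"])  # the capture was pasted newest-first
    return dict(sessions)


def diagnose(sess):
    """Say whether the router dropped the session or an endpoint tore it down."""
    dropped = [r for r in sess["fw"] if r["verdict"] != "A"]
    if dropped:
        r = dropped[0]
        return f"dropped by firewall {r['chain']} rule {r['rule']}"
    for p in sess["pkts"]:
        if "F" in p["flags"] or "R" in p["flags"]:
            who = "server" if p["dir"] == "server->client" else "client"
            return f"firewall accepted; {who} closed the session with [{p['flags']}]"
    return "firewall accepted; no close observed"


if __name__ == "__main__":
    for key, sess in correlate(FW_LOG, TCPDUMP).items():
        print(key, [p["flags"] for p in sess["pkts"]], "->", diagnose(sess))
```

For the post's capture it reports that rule 20 accepted every logged packet and that the printer itself ended the session with FIN and then RST after sending one byte, which points the investigation at the LPD daemon rather than the router.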


OpenVPN's vtun0 is bypassing firewall when connecting to devices on switch0


I've set up OpenVPN on my EdgeRouter X, following the instructions at https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server. My network is set up on 192.168.1.0/24, with the VPN clients on 192.168.2.0/24 via vtun0. All my local network devices are on switch0, and eth0 is connected via PPPoE to my DSL modem.

 

While the VPN works great, it seems that I cannot control the interactions between vtun0 and switch0 using the firewall. I tried making a simple ruleset on interface vtun0/in, with the default action set as "drop". While the firewall did a great job blocking internet access (via pppoe0) to VPN users, it did not stop me from connecting to devices on switch0, such as my wireless AP on IP 192.168.1.11. I also noticed that when I tried pinging the AP, the "stats" for the firewall rule didn't even move at all. However, if I tried pinging an internet server, the stats started incrementing and the pings were blocked. It appears that when I try connecting to local devices, the firewall rules are completely bypassed. I activated logging, which showed all requests through pppoe0, but nothing through switch0 despite constant pinging.

Of course, I've tried setting rules for vtun0 blocking all access to 192.168.1.0/24, or to interface switch0, without any success. Like the above, the stats didn't even move as well and those rules didn't even seem to exist (at least to the vpn client).

 

Is there a way to get the firewall to actually handle all requests coming from vtun0, so I can treat them accordingly? My goal is to let vpn users access the internet and a specific device on my LAN (my server on 192.168.1.2), and nothing else.

I can provide my config file if necessary.

Thanks!

Routing based on destination IP(range)


I have a unique situation, and haven't found the right solution. I could use some help.

 

I have access to two WANs. 

 

Wan1 - Satellite based 10x4mbps with ~700-800ms of latency, no data cap. I can stream 1080p content on this network just fine. 

Wan2 - Microwave 3x1mbps with very low latency, 15GB data cap. Very fast (for me) for non-streaming content. 

 

My available routers are a USG or an EdgeRouter PoE. My AP is a UAP-Lite.

 

What I'd like to do - Have all non-streaming content load over Wan2, and streaming content load over Wan1. And yes, the latency that comes with Wan1 does make a big enough difference to want to use Wan2 for the day to day.

 

Can anyone point me in the right direction? 

Vlan configuration for internal networks


Hi,

I'm trying to set up a separate subnet and wifi network within our primary network, but I'm a bit over my head. Under our primary network, I have a separate subnet for public devices. This was running off of an Asus router to an unmanaged switch as well as several access points strewn about the building. This network was impossible to manage. Separate access points were used for the corporate network as well. This made the wifi slow and unreliable.

I am replacing this with an edgerouter lite and UNIFI access points and a separate wan IP for client devices.

Here's what I need to have happen:

  • HP Procurve switches take lan and public internet vlan from upstairs to a single port downstairs.
  • Building lan and public access vlan come into eth0
  • A nat'd subnet fed from the public internet vlan exits eth1 to a switch to feed wired public devices
  • The internal lan and a public network vlan exit eth2 to feed devices on a POE switch
  • The cameras and UniFi APs have ip addresses on the internal lan, and are managed by a controller on the internal lan
  • The UniFi APs broadcast an internal wifi network as well as a guest network, fed from a public network vlan
  • Devices on the internal wifi must be able to communicate with the internal network and the rest of the domain.
  • Devices on the public wifi must be able to communicate with other devices on the public lan
  • Devices on the public network must not be able to communicate with the internal networks.

I know this is a bit of a noob question, but I'm at a loss for how to configure this. I've tried quite a few things from the community but have had no success. If I need to get a different piece of hardware such as an EdgeRouter X or change the topology, I will.

Attached is a crude mspaint diagram of what I'm hoping to accomplish. Any help would be greatly appreciated.

v1.10.0 flow-accounting-ipt issues


It would appear that the new flow-accounting-ipt feature in v1.10.0 (still) doesn't enable IPv6 flow export, even with version 9 or 10 configured.  Is there a reason for this, other than missing ip6tables rule generation?  ipt_NETFLOW has full support for v6, so I'm somewhat surprised to see this left out.

 

Also, a relatively minor issue: when deleting the flow-accounting-ipt config, the kernel module remains loaded with whatever config was set prior, resulting in continued Netflow traffic until the module is unloaded by hand (or the router rebooted).

 

-Rob

ERL vnc issue over VPN


I've set up a few servers on my network along with a VPN. I have a separate machine on vtun0 that I would like to connect to via VNC when I VPN in to my network on the ERL3. The problem is, I can't connect to it when I VPN in, but I can connect to it and my other machines on the network fine when I'm on the actual LAN (not VPN'ed in). This particular machine sends all external traffic over vtun0, but has access to local machines as well. Everything is running fine, except for the VNC ability while connected to my ERL3 VPN. I just can't figure out what's wrong. I also had no luck with my OPENVPN_PORTS settings for forwarding certain traffic using certain ports to vtun0. I've gone over this thing 1000 times, can someone help?

 

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.0.5056246.180125.1007 */

----------------
Running configuration
----------------
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group OPENVPN_HOSTS {
            address 192.168.2.0/24
            address 192.168.8.8
            description "OpenVPN Hosts"
        }
        port-group OPENVPN_PORTS {
            description "OpenVPN Ports"
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OPENVPN_ROUTE {
        rule 1 {
            action modify
            description "LAN traffic to vtun"
            modify {
                table 1
            }
            source {
                group {
                    address-group OPENVPN_HOSTS
                }
            }
        }
        rule 2 {
            action modify
            description "LAN traffic to vtun ports"
            modify {
                table 1
            }
            source {
                group {
                    port-group OPENVPN_PORTS
                }
            }
        }
    }
    name LAN_IN {
        default-action accept
        description "LAN to other networks"
    }
    name LAN_LOCAL {
        default-action accept
        description "LAN to router"
    }
    name OPENVPN_IN {
        default-action drop
        description "internal to WAN"
        enable-default-log
        rule 20 {
            action accept
            description "allow established/related/new"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 40 {
            action drop
            description "deny all"
            log disable
            protocol all
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    name OPENVPN_LOCAL {
        default-action accept
        description "traffic from VPN to router"
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            destination {
            }
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description plex
            destination {
                address 192.168.8.7
                port 32400
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.8.1/24
        description Local
        duplex auto
        firewall {
            in {
                modify OPENVPN_ROUTE
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
            out {
                modify OPENVPN_ROUTE
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        firewall {
            in {
                modify OPENVPN_ROUTE
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
            out {
            }
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/vpn-client1.ovpn
        firewall {
            in {
                name OPENVPN_IN
            }
            local {
                name OPENVPN_LOCAL
            }
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    rule 1 {
        description plex
        forward-to {
            address 192.168.8.7
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 200
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.8.0/24 {
                default-router 192.168.8.1
                dns-server 192.168.8.1
                lease 3600
                start 192.168.8.101 {
                    stop 192.168.8.253
                }
                static-mapping Asus {
                    ip-address 192.168.8.2
                    mac-address ac:22:0b:ce:f6:a0
                }
                static-mapping DCS-5020L {
                    ip-address 192.168.8.4
                    mac-address 28:10:7b:0a:47:9e
                }
                static-mapping DNR-202L {
                    ip-address 192.168.8.12
                    mac-address 28:10:7b:1e:f1:08
                }
                static-mapping dev {
                    ip-address 192.168.8.10
                    mac-address 00:0C:29:7A:32:6D
                }
                static-mapping freenas {
                    ip-address 192.168.8.9
                    mac-address 00:01:2e:35:48:1d
                }
                static-mapping jakc3-PC {
                    ip-address 192.168.8.174
                    mac-address ec:08:6b:4a:14:79
                }
                static-mapping media {
                    ip-address 192.168.8.7
                    mac-address 4c:cc:6a:0e:61:00
                }
                static-mapping raspberrypi {
                    ip-address 192.168.8.6
                    mac-address b8:27:eb:ed:d4:88
                }
                static-mapping roku-dev {
                    ip-address 192.168.8.5
                    mac-address d0:4d:2c:1e:3d:df
                }
                static-mapping torrent {
                    ip-address 192.168.8.8
                    mac-address 00:50:56:2f:4a:59
                }
            }
        }
        shared-network-name Local {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 3600
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
                static-mapping rt-n66u {
                    ip-address 192.168.2.2
                    mac-address 10:c3:7b:e1:52:90
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 1024
            listen-on eth1
            listen-on eth2
            listen-on eth0
            name-server 8.8.8.8
            name-server 8.8.4.4
            name-server 2001:4860:4860::8888
            options listen-address=192.168.8.1
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.8.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface vtun0
            protocol all
            source {
                group {
                    port-group OPENVPN_PORTS
                }
            }
            type masquerade
        }
        rule 6000 {
            description "masquerade for WAN"
            log disable
            outbound-interface vtun0
            protocol all
            source {
                group {
                    address-group OPENVPN_HOSTS
                }
            }
            type masquerade
        }
        rule 7000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            source {
                address 192.168.8.0/24
            }
            type masquerade
        }
        rule 8000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.8.1
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    host-name ubnt
    login {
        user ryan {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ****************
            url http://http.us.debian.org/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ****************
            url http://security.debian.org
            username ""
        }
    }
    static-host-mapping {
        host-name asus {
            inet 192.168.8.2
        }
        host-name dcs-5020l {
            inet 192.168.8.4
        }
        host-name dev {
            inet 192.168.8.10
        }
        host-name dnr-202l {
            inet 192.168.8.3
        }
        host-name freenas {
            inet 192.168.8.9
        }
        host-name jakc3 {
            inet 192.168.8.174
        }
        host-name jakc3-pc {
            inet 192.168.8.174
        }
        host-name media {
            inet 192.168.8.7
        }
        host-name raspberrypi {
            inet 192.168.8.5
        }
        host-name roku-dev {
            inet 192.168.8.5
        }
        host-name torrent {
            inet 192.168.8.8
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal disable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username bob {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.8.201
                stop 192.168.8.253
            }
            dhcp-interface eth0
            dns-servers {
                server-1 192.168.8.1
                server-2 8.8.8.8
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}

I can't get started...


Hi everyone,

 

I bought an ER-Lite and, even with the help of user guides, forums and YouTube, it won't work properly. I just would like to plug in to the router my WAN (eth0) and 2 switches (eth1 and eth2) and use an IP range in the 10.0.0.x, without bridging. I thought the WAN+2LAN would do the work but that's not the case. Neither does WAN+2LAN2.

 

Is there a config file or a clear step by step for dummies? I'm at the point of buying a new router... and I don't consider myself a dummy in networking.

 

Thank you!

Really slow at 100Mb on "WAN:eth0" port or fast but with error at 1Gb


Hi,

 

I sometimes get errors on my cable when it is set to 1Gb, so I tried 100Mb, but when I do it is slow: less than 5Mb, sometimes more like 1-2Mb. I am not sure what to do; I did reset the settings and just went with the basic setup with the wizard.

 

I have a 60Mb connection so I don't need 1Gb between the cable modem and the Ubiquiti EdgeRouter X v1.10.0.

I tried different things like changing the port speed to 100Mb full duplex or half duplex, a different Ethernet card, changing the speed setting on the cards themselves, etc.

 

I ran some diagnostics between the router and the Ethernet card and there is no interference, so it must be something between the router and the cable modem.

 

My main cable is about 25 feet and sometimes runs along electrical wire, which is probably why I have the interference.

Before I do something drastic, like rerunning cable and other complicated diagnostics to find the real source of the interference, does anybody have a suggestion?

 

Thank you


Traffic Log

I own an ERLite-3 and I need to save the browsing history of each client for further inquiries in the case of a court order.

The files must contain information such as the exact date and time of the websites visited, identifying the Complete URL, source IP, destination IP, port and protocol used.

I guess I can dump this information to a NAS, but I do not know how to do it. Could someone tell me how to do it?


Thanks!!
 

L2TP Issues with Android


Hello, I recently replaced my aging Cisco 2811 with an ERL-3 and it's been great. I get ~950Mbps down and 400Mbps up. That said, I've been having a hell of a time with the L2TP setup. My Android can connect just fine, but cannot access the internet or my internal resources. Strangely enough, my W10 tablet can connect to SOME internal resources and access the web.

 

WAN -> eth0 

eth1 - LAN switch (192.168.128.0/25)

eth2 - LAN switch (192.168.128.128/25)

 

Config

 

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
    }
    options {
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.128.1/25
        description MS225-24P
        duplex auto
        mtu 9000
        speed auto
    }
    ethernet eth2 {
        address 192.168.128.129/25
        description MS220-8P
        duplex auto
        mtu 9000
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface eth1
    lan-interface eth2
    rule 1 {
        description SIP
        forward-to {
            address 192.168.128.7
        }
        original-port 5060
        protocol tcp_udp
    }
    rule 2 {
        description Minecraft
        forward-to {
            address 192.168.128.11
        }
        original-port 25565-25568
        protocol tcp
    }
    rule 3 {
        description Plex
        forward-to {
            address 192.168.128.9
        }
        original-port 32400
        protocol tcp
    }
    rule 4 {
        description RTP
        forward-to {
            address 192.168.128.7
        }
        original-port 19000-21000
        protocol udp
    }
    rule 5 {
        description OVPN
        forward-to {
            address 192.168.128.9
        }
        original-port 1194
        protocol udp
    }
    wan-interface eth0
}
protocols {
    static {
        route 192.168.3.0/25 {
            next-hop 192.168.128.10 {
                description OpenVPN
                distance 1
            }
        }
    }
}
service {
    dhcp-relay {
        interface eth2
        interface eth1
        server 192.168.128.10
    }
    dns {
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers disable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    snmp {
        v3 {
            engineid 0x80001f888005689aeb5a6ba636
            group defaultgroup {
                mode ro
                seclevel auth
                view defaultview
            }
            user defaultuser {
                auth {
                    encrypted-key ****************
                    type sha
                }
                engineid 0x80001f888005689aeb5a6ba636
                group defaultgroup
                mode ro
                privacy {
                    encrypted-key ****************
                    type aes
                }
            }
            view defaultview {
                oid 1 {
                }
            }
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name router
    login {
        user r00t {
            authentication {
                encrypted-password ****************
                public-keys imported-openssh-key {
                    key ****************
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server 192.168.128.10
    ntp {
        server 192.168.128.10 {
            prefer
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe disable
            vlan enable
        }
        ipv6 {
            forwarding disable
            pppoe disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi disable
        export disable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username user1 {
                        password ****************
                    }
                    username user2 {
                        password ****************
                    }
                }
                mode local
                require mschap-v2
            }
            client-ip-pool {
                start 192.168.3.129
                stop 192.168.3.254
            }
            dhcp-interface eth0
            dns-servers {
                server-1 192.168.128.10
                server-2 192.168.128.8
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
                lifetime 3600
            }
        }
    }
}

 

Debugging Stuff

 

 

Active remote access VPN sessions:

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- -----   --------------- ------ ------ ------ ------
user1      00h00m05s L2TP  l2tp0   192.168.3.129      21   1.7K     22   2.8K

Total sessions: 1
IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Inactive - Not applied to any interfaces or zones.

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    2686        681193      ACCEPT  Allow established/related
20    227         11100       DROP    Drop invalid state
30    6           4512        ACCEPT  IKE
40    0           0           ACCEPT  ESP
50    5           780         ACCEPT  NAT-T
60    9           873         ACCEPT  L2TP
10000 851         103813      DROP    DEFAULT ACTION
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:00:24.282209 IP <Cell Phone LTE IP>.48962 > <ERL-3 Public IP>.4500: UDP-encap: ESP(spi=0xc4662ebc,seq=0x28), length 132
09:00:24.296760 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x2b), length 260
09:00:24.392393 IP <Cell Phone LTE IP>.48962 > <ERL-3 Public IP>.4500: UDP-encap: ESP(spi=0xc4662ebc,seq=0x29), length 116
09:00:24.403188 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x2c), length 116
09:00:24.449406 IP <Cell Phone LTE IP>.48962 > <ERL-3 Public IP>.4500: UDP-encap: ESP(spi=0xc4662ebc,seq=0x2a), length 116
09:00:24.472116 IP <Cell Phone LTE IP>.48962 > <ERL-3 Public IP>.4500: UDP-encap: ESP(spi=0xc4662ebc,seq=0x2b), length 308
09:00:24.483460 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x2d), length 116
09:00:24.484509 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x2e), length 1460
09:00:24.484748 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x2f), length 1188
09:00:24.545410 IP <Cell Phone LTE IP>.48962 > <ERL-3 Public IP>.4500: UDP-encap: ESP(spi=0xc4662ebc,seq=0x2c), length 132
09:00:24.573727 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x30), length 1460
09:00:24.832759 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x31), length 1460
09:00:25.350661 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x32), length 1460
09:00:26.386690 IP <ERL-3 Public IP>.4500 > <Cell Phone LTE IP>.48962: UDP-encap: ESP(spi=0x04e702d2,seq=0x33), length 1460
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel

sudo swanctl --log
14[NET] received packet: from <Cell Phone LTE IP>[27948] to <ERL-3 Public IP>[500] (724 bytes)
14[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
14[IKE] received NAT-T (RFC 3947) vendor ID
14[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
14[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
14[IKE] received FRAGMENTATION vendor ID
14[IKE] received DPD vendor ID
14[IKE] <Cell Phone LTE IP> is initiating a Main Mode IKE_SA
14[ENC] generating ID_PROT response 0 [ SA V V V ]
14[NET] sending packet: from <ERL-3 Public IP>[500] to <Cell Phone LTE IP>[27948] (136 bytes)
02[NET] received packet: from <Cell Phone LTE IP>[27948] to <ERL-3 Public IP>[500] (284 bytes)
02[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
02[IKE] remote host is behind NAT
02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
02[NET] sending packet: from <ERL-3 Public IP>[500] to <Cell Phone LTE IP>[27948] (300 bytes)
16[NET] received packet: from <Cell Phone LTE IP>[48962] to <ERL-3 Public IP>[4500] (124 bytes)
16[ENC] parsed ID_PROT request 0 [ ID HASH ]
16[CFG] looking for pre-shared key peer configs matching <ERL-3 Public IP>...<Cell Phone LTE IP>[192.0.0.4]
16[CFG] selected peer config "remote-access"
16[IKE] IKE_SA remote-access[4] established between <ERL-3 Public IP>[<ERL-3 Public IP>]...<Cell Phone LTE IP>[192.0.0.4]
16[ENC] generating ID_PROT response 0 [ ID HASH ]
16[NET] sending packet: from <ERL-3 Public IP>[4500] to <Cell Phone LTE IP>[48962] (108 bytes)
06[NET] received packet: from <Cell Phone LTE IP>[48962] to <ERL-3 Public IP>[4500] (140 bytes)
06[ENC] parsed INFORMATIONAL_V1 request 4261891639 [ HASH N(INITIAL_CONTACT) ]
04[NET] received packet: from <Cell Phone LTE IP>[48962] to <ERL-3 Public IP>[4500] (700 bytes)
04[ENC] parsed QUICK_MODE request 3051463582 [ HASH SA No ID ID ]
04[IKE] received 28800s lifetime, configured 0s
04[ENC] generating QUICK_MODE response 3051463582 [ HASH SA No ID ID NAT-OA NAT-OA ]
04[NET] sending packet: from <ERL-3 Public IP>[4500] to <Cell Phone LTE IP>[48962] (220 bytes)
14[NET] received packet: from <Cell Phone LTE IP>[48962] to <ERL-3 Public IP>[4500] (108 bytes)
14[ENC] parsed QUICK_MODE request 3051463582 [ HASH ]
14[IKE] CHILD_SA remote-access{3} established with SPIs c0b6b3de_i 01479628_o and TS <ERL-3 Public IP>/32[udp/l2f] === <Cell Phone LTE IP>/32[udp]
08[KNL] 10.255.255.0 appeared on ppp0
02[KNL] 10.255.255.0 disappeared from ppp0
01[KNL] 10.255.255.0 appeared on ppp0
16[KNL] interface l2tp0 activated
show log | match 'xl2tpd|pppd'

Mar 16 09:01:58 router xl2tpd[9522]: Connection established to <Cell Phone LTE IP>, 42875.  Local: 5992, Remote: 29026 (ref=0/0).  LNS session is 'default'
Mar 16 09:01:58 router xl2tpd[9522]: Call established with <Cell Phone LTE IP>, PID: 16295, Local: 62979, Remote: 35822, Serial: -239984349
Mar 16 09:01:58 router pppd[16295]: pppd 2.4.4 started by root, uid 0
Mar 16 09:01:58 router pppd[16295]: Connect: ppp0 <-->
Mar 16 09:01:59 router pppd[16295]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Mar 16 09:01:59 router pppd[16295]: Cannot determine ethernet address for proxy ARP
Mar 16 09:01:59 router pppd[16295]: local  IP address 10.255.255.0
Mar 16 09:01:59 router pppd[16295]: remote IP address 192.168.3.130
Mar 16 09:02:23 router xl2tpd[9522]: Maximum retries exceeded for tunnel 37301.  Closing.
sudo cat /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN Begin ###
conn remote-access
  authby=secret
  type=transport
  keyexchange=ikev1
  left=<ERL-3 Public IP>
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  rekey=no
  ikelifetime=3600
  keylife=3600
### Vyatta L2TP VPN End ###
I thought the local ip (source ip in ip rou) was pretty strange here...
sudo cat /etc/xl2tpd/xl2tpd.conf
;### Vyatta L2TP VPN Begin ###
[global]
listen-addr = <ERL-3 Public IP>

[lns default]
ip range = 192.168.3.129-192.168.3.254
local ip = 10.255.255.0
refuse pap = yes
require authentication = yes
name = VyattaL2TPServer
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
;### Vyatta L2TP VPN End ###
sudo cat /etc/ppp/options.xl2tpd
### Vyatta L2TP VPN Begin ###
name xl2tpd
linkname l2tp
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.128.10
ms-dns 192.168.128.8
noccp
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
require-mschap-v2
idle 1800
### Vyatta L2TP VPN End ###

Basically, when trying to browse the internet, I get a message like "A network change was detected" and it never loads a page. Same for internal resources. SOME things appear to work though: if I Google whatsmyip, Google will show me my IP (which is correct, through the VPN), but if I try to go to the whatsmyip site, it fails.

 

In some of my troubleshooting, I MSS-clamped and set the MTU on the VPN down to 1412; it had no effect. It's a little crazy to me that the W10 tablet works "somewhat" but the phone just doesn't work. I know I need to refine my MTU and MSS clamping, but hell.. something should work here. Any help would be greatly appreciated, but my issue isn't critical as I have an OpenVPN server I can connect to from all devices in the interim.

 

Thanks!
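The post's own debugging output shows WAN_LOCAL as "Inactive - Not applied to any interfaces or zones", and the eth0 block in the config carries only an `in` ruleset, so nothing filters traffic addressed to the router itself on the WAN side. That is the kind of gap worth catching mechanically rather than by eye. The following is an added example, not code from the post or from Ubiquiti: a small parser for the brace-delimited EdgeOS config format plus an audit that lists rulesets defined under `firewall name` but applied to no interface `in`, `out` or `local`. The sample config inside it is constructed to mirror the post's layout (WAN_IN applied on eth0, WAN_LOCAL defined but never applied).

```python
"""Audit an EdgeOS (Vyatta-style) config dump: which firewall rulesets are
defined but applied to no interface direction (in / out / local)?

Added example, not code from the forum post or from Ubiquiti. SAMPLE_CONFIG is
constructed to mirror the post: WAN_IN is applied on eth0 `in`, WAN_LOCAL is
defined but never applied, which EdgeOS shows as "Inactive - Not applied".
"""
import shlex

SAMPLE_CONFIG = """\
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        firewall {
            in {
                name WAN_IN
            }
        }
    }
    ethernet eth1 {
        address 192.168.128.1/25
    }
}
"""


def parse_config(text):
    """Brace-delimited config -> nested dicts: "ethernet eth0 {" becomes the key
    "ethernet eth0" holding a dict, "key value" becomes {key: value}, a bare
    leaf like "disable" maps to True, repeated leaves become a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):      # blank or comment line
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][" ".join(shlex.split(line[:-1]))] = child
            stack.append(child)
        else:
            tokens = shlex.split(line)
            key = tokens[0]
            value = " ".join(tokens[1:]) if len(tokens) > 1 else True
            node = stack[-1]
            if key in node:                          # repeated leaf -> list
                if not isinstance(node[key], list):
                    node[key] = [node[key]]
                node[key].append(value)
            else:
                node[key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config dump")
    return root


def attached_rulesets(cfg):
    """Map ruleset name -> sorted list of 'iface/direction' it is applied on.
    Walks the interfaces tree recursively so vif and switch sub-blocks count."""
    attached = {}

    def walk(node, path):
        for key, child in node.items():
            if not isinstance(child, dict):
                continue
            if key == "firewall":
                for direction in ("in", "out", "local"):
                    sub = child.get(direction)
                    if isinstance(sub, dict) and isinstance(sub.get("name"), str):
                        attached.setdefault(sub["name"], []).append(
                            "/".join(path + [direction]))
            else:
                walk(child, path + [key.split()[-1]])

    walk(cfg.get("interfaces", {}), [])
    return {name: sorted(p) for name, p in attached.items()}


def audit_firewall(text):
    """Return which defined rulesets are applied where, and which never are."""
    cfg = parse_config(text)
    fw = cfg.get("firewall", {})
    defined = {k.split(" ", 1)[1] for k, v in fw.items()
               if isinstance(v, dict) and k.startswith("name ")}
    attached = attached_rulesets(cfg)
    return {"attached": attached,
            "unattached": sorted(defined - set(attached))}  # defined, never applied


if __name__ == "__main__":
    print(audit_firewall(SAMPLE_CONFIG))
```

Feed it the output of `show configuration` (the form pasted in the post) and anything listed under `unattached` is a ruleset the router is not enforcing anywhere; for a WAN-facing interface that has only `in` applied, the `local` direction, which is the one that protects the router's own services such as the L2TP/IPsec listener, is the usual omission.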

 

 

Finding a botnet


Recently we've had our public IP address blacklisted and someone within our network has a botnet. The way our EdgeRouter was set up, it doesn't appear I have the ability, through the traffic analysis tab, to search destination IPs to find the culprit. Is there a feature that I can add or some way I can configure the EdgeRouter to be able to log the source and destination IPs in our network?

IPv6 for L2TP on ER-X


Hi.

 

I have an ER-X with native IPv6 connectivity (dual stack) which works fine for clients on the LAN, discussed here: https://community.ubnt.com/t5/EdgeRouter/IPV6-on-Edgerouter-X/m-p/2118406#M183425. But I would like to also get IPv6 when I am connected via VPN: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server. Now when I connect to the VPN I get only an IPv4 address. How can I also get an IPv6 address with IPv6 connectivity? I would like to use the VPN server also as an IPv6 tunnel, because usually when I work remotely I don't have native IPv6 connectivity.

Force DNS Settings


Hello,

 

I would like to make a rule on an ERX to force the use of OpenDNS.

If possible, all requests made to other DNS servers should be blocked (or, if possible, intercepted and redirected to OpenDNS).

(DHCP is provided by a server, not the ERX.)

 

Thanks in advance.

 

Here are the settings of the ERX (nothing fancy XD):

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group remote {
            address ***.***.***.***
            description ""
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description remote
            destination {
                port 80,443
            }
            log disable
            protocol tcp_udp
            source {
                group {
                    address-group remote
                }
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.10.60/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on LISTENONPORT
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection ********************************************************************************
    }
}
system {
    host-name ******************
    login {
        user ubnt {
            authentication {
                encrypted-password ********************************************************************************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.0.5056246.180125.0954 */
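Three of the threads above come down to the same data source: the Traffic Log and Finding a botnet posts want a per-client record of which destinations were contacted, and this Force DNS post wants to know which clients talk to a resolver other than the intended one. Both can be read out of the firewall log once a LAN-facing rule has `log enable`. The following is an added example, not code from any of the posts or from Ubiquiti: a parser for EdgeOS firewall log lines and two checks over the parsed records. The log lines are constructed in the shape EdgeOS writes to syslog for a logged rule (an iptables LOG prefix `[<ruleset>-<rule>-<action>]` followed by `KEY=VALUE` fields); the ruleset name `LAN_OUT`, the hosts, addresses and timestamps are made up, and the approved-resolver set is an assumption (OpenDNS's public resolvers).

```python
"""Parse EdgeOS firewall log lines and answer two questions from the threads:
which destinations did each LAN client talk to, and which clients use a
resolver other than the approved one?

Added example, not code from the forum posts or from Ubiquiti. SAMPLE_LOG is
constructed in the iptables LOG shape EdgeOS writes for a rule with
`log enable`; hosts, addresses and times are made up. APPROVED_DNS is an
assumption (OpenDNS's public resolvers).
"""
import re
from collections import defaultdict

APPROVED_DNS = {"208.67.222.222", "208.67.220.220"}  # assumption: OpenDNS

# Constructed sample: a LAN_OUT ruleset logging its default accept, plus one
# unrelated syslog line the parser must ignore.
SAMPLE_LOG = """\
Mar 16 09:01:58 router kernel: [LAN_OUT-default-A]IN=switch0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.23 DST=208.67.222.222 LEN=60 TTL=63 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Mar 16 09:01:59 router kernel: [LAN_OUT-default-A]IN=switch0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.23 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=51235 DPT=443 SYN URGP=0
Mar 16 09:02:03 router kernel: [LAN_OUT-default-A]IN=switch0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.42 DST=8.8.8.8 LEN=60 TTL=63 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Mar 16 09:02:04 router kernel: [LAN_OUT-default-A]IN=switch0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.42 DST=1.1.1.1 LEN=60 TTL=63 DF PROTO=TCP SPT=40001 DPT=853 SYN URGP=0
Mar 16 09:02:05 router xl2tpd[9522]: Connection established to 203.0.113.5, 42875.
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<tag>[^\]]+)\](?P<fields>.*)$"
)


def parse_line(line):
    """Flow record for one firewall log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m["tag"].rsplit("-", 2)            # "LAN_OUT-default-A"
    if len(parts) != 3:
        return None
    # KEY=VALUE tokens only; flag-style tokens such as DF or SYN are skipped.
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {
        "ts": m["ts"], "ruleset": parts[0], "rule": parts[1], "action": parts[2],
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields["SRC"], "dst": fields["DST"], "proto": fields.get("PROTO", "?"),
        "sport": int(fields.get("SPT", 0)), "dport": int(fields.get("DPT", 0)),
    }


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def client_destinations(records):
    """src -> sorted (dst, proto, dport) tuples: the per-client history the
    Traffic Log and Finding a botnet posts ask for."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src"]].add((r["dst"], r["proto"], r["dport"]))
    return {src: sorted(d) for src, d in seen.items()}


def rogue_dns(records, approved=APPROVED_DNS):
    """Flows that escape a 'force DNS' policy: plain DNS to a non-approved
    resolver, and DNS over TLS (853), which a port-53 redirect never sees."""
    hits = []
    for r in records:
        if r["dport"] == 53 and r["dst"] not in approved:
            hits.append({**r, "reason": "plain DNS to unapproved resolver"})
        elif r["dport"] == 853:
            hits.append({**r, "reason": "DNS over TLS bypasses a port-53 redirect"})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dests in client_destinations(recs).items():
        print(src, dests)
    for h in rogue_dns(recs):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['reason']})")
```

EdgeOS only writes these lines for rules that have `log enable` (most rules in the posted configs have `log disable`), so the cheapest way to get a per-client history is a logged default action on the LAN-facing ruleset, with the lines shipped off-box to the NAS through a remote syslog host (`system syslog host` in EdgeOS) rather than kept on the router's flash. Note what the log does not contain: no URLs, only addresses, ports and protocols, which is also why the Traffic Log post's requirement for complete URLs cannot be met from the firewall alone. The port-853 check is there because a destination NAT rule redirecting port 53 to the approved resolver, the usual way to force DNS on EdgeOS, never sees DNS over TLS or DNS over HTTPS; those have to be blocked separately or accepted as a known gap.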