Channel: EdgeRouter topics

Inconsistent Stateless DHCPv6 Name Server Replies


Hi everyone!

 

I just got IPv6 all set up on my EdgeRouter Lite. Everything seems to be working pretty well, but stateless DHCPv6 isn't consistently providing DNS servers to my clients.

 

I have the link-local addresses of my LAN and WLAN interfaces listed as subnets so dhcpd will respond to requests on both interfaces. As a result, it looks like I sometimes get two replies to the information request: one with DNS servers and one without. As you can see below, the server identifier is different between the two responses.

 

Frame 11: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Ubiquiti_9e:36:83 (44:d9:e7:9e:36:83), Dst: Apple_39:a7:52 (00:56:cd:39:a7:52)
Internet Protocol Version 6, Src: fe80::46d9:e7ff:fe9e:3683, Dst: fe80::c0a:ba4e:e3be:c283
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x3b3e27
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 0001000121c9bf4c0056cd39a752
        DUID: 0001000121c9bf4c0056cd39a752
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Dec 17, 2017 17:50:36.000000000 Central Standard Time
        Link-layer address: 00:56:cd:39:a7:52
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 00010001224015df44d9e79e3683
        DUID: 00010001224015df44d9e79e3683
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 17, 2018 13:07:27.000000000 Central Daylight Time
        Link-layer address: 44:d9:e7:9e:36:83
Frame 12: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)
Ethernet II, Src: Ubiquiti_9e:36:83 (44:d9:e7:9e:36:83), Dst: Apple_39:a7:52 (00:56:cd:39:a7:52)
Internet Protocol Version 6, Src: fe80::46d9:e7ff:fe9e:3683, Dst: fe80::c0a:ba4e:e3be:c283
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x3b3e27
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 0001000121c9bf4c0056cd39a752
        DUID: 0001000121c9bf4c0056cd39a752
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Dec 17, 2017 17:50:36.000000000 Central Standard Time
        Link-layer address: 00:56:cd:39:a7:52
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 00010001223e067e44d9e79e3682
        DUID: 00010001223e067e44d9e79e3682
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 15, 2018 23:37:18.000000000 Central Daylight Time
        Link-layer address: 44:d9:e7:9e:36:82
    DNS recursive name server
        Option: DNS recursive name server (23)
        Length: 32
        Value: 200148604860000000000000000088882001486048600000...
         1 DNS server address: 2001:4860:4860::8888
         2 DNS server address: 2001:4860:4860::8844

Any idea how to correct this?

 

Thanks!


VPN setup advice


I have a remote location and need access to the equipment there. It's on a cellular connection and behind a Mikrotik router.

I have set up a VPN server on my server that's hosted in a data center. The Tic is connected to the VPN.

My home connection is an EdgeRouter. I have tried to connect the EdgeRouter to the VPN and it will connect.

I have also tried to connect just the laptop to the VPN, but I just cannot access the equipment on the other side.

How would I set this up so I can access the remote site without having a computer there running TeamViewer?

For info: my home internet is behind NAT, so I cannot have a VPN here, and the remote location is cellular behind NAT, so no VPN server there either.

routing


Having trouble connecting to voice devices and DMZ servers on different eth ports on an ERPro-8. I think I need to set up routing but I'm not sure.

Secured LAN is 172.16.0.1/19 on eth0

DMZ servers on 172.16.1.1/23 on eth2

Voice devices on 172.16.2.1/22 on eth3

Internet input is on eth1

I tried to set the voice device to ip=172.16.2.2 gateway=172.16.0.1 dns=172.16.2.1 subnet=255.255.240.0

That did not open the web GUI.

I'm trying to connect to the voice device through the secured network (172.16.0.1/19).

The device connects to the internet with the following: ip=172.16.2.2 gateway=172.16.2.1 dns=172.16.2.1 subnet=255.255.240.0. However, I cannot connect to the web GUI through the secured network.
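As an added illustration, not part of the poster's message, the following Python checks the three interface prefixes quoted above against each other and the voice device's static settings against the interface it sits on. 172.16.0.1/19 spans 172.16.0.0 to 172.16.31.255, so both 172.16.1.1/23 and 172.16.2.1/22 lie inside the eth0 network, and the device's 255.255.240.0 mask (/20) matches none of the three prefixes. Interface names and addresses are taken from the post; the checks themselves are the example's own.

```python
"""Check interface prefixes for overlap and a static host's addressing against the
interface it sits on (added example; addresses below come from the post)."""
from ipaddress import ip_address, ip_interface
from itertools import combinations

# Interface assignments as described in the post (address/prefix on each port).
ASSIGNMENTS = {
    "eth0": "172.16.0.1/19",   # secured LAN
    "eth2": "172.16.1.1/23",   # DMZ servers
    "eth3": "172.16.2.1/22",   # voice devices
}


def interface_networks(assignments):
    """Map interface name -> the network each address/prefix belongs to."""
    return {name: ip_interface(cidr).network for name, cidr in assignments.items()}


def overlapping_pairs(assignments):
    """Every pair of interfaces whose networks overlap, with the networks spelled out.
    A router cannot keep overlapping connected routes apart: longest prefix wins,
    so hosts in the shorter prefix may be reached via the wrong port."""
    nets = interface_networks(assignments)
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def host_fits_interface(host_ip, host_mask, gateway_ip, iface_cidr):
    """Compare a statically addressed host with the router interface it is plugged
    into: is the host inside the interface network, does its mask agree with the
    interface prefix, and is its gateway inside its own subnet?"""
    host = ip_interface(f"{host_ip}/{host_mask}")
    iface = ip_interface(iface_cidr)
    return {
        "host_net": str(host.network),
        "iface_net": str(iface.network),
        "host_in_iface_net": host.ip in iface.network,
        "mask_matches": host.network == iface.network,
        "gateway_in_host_net": ip_address(gateway_ip) in host.network,
    }


if __name__ == "__main__":
    for a, b, na, nb in overlapping_pairs(ASSIGNMENTS):
        print(f"{a} ({na}) overlaps {b} ({nb})")
    # The voice device settings quoted in the post.
    print(host_fits_interface("172.16.2.2", "255.255.240.0", "172.16.0.1", ASSIGNMENTS["eth3"]))
```

Run as-is it reports all three interface pairs as overlapping and shows that the device's /20 mask disagrees with the /22 configured on eth3; swap in your own prefixes to audit a different layout.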

Inconsistent Stateless DHCPv6 Name Server Replies


Hi everyone!

 

I just got IPv6 all set up on my EdgeRouter Lite running v1.10.0. Everything seems to be working pretty well, but stateless DHCPv6 isn't consistently providing DNS servers to my clients.

 

Here's how I have dhcpv6-server configured:

 

ubnt@ubnt# show service dhcpv6-server 
 shared-network-name LANv6 {
     name-server 2001:4860:4860::8888
     name-server 2001:4860:4860::8844
     subnet fe80::46d9:e7ff:fe9e:3682/128 {
     }
 }
 shared-network-name WLANv6 {
     name-server 2001:4860:4860::8888
     name-server 2001:4860:4860::8844
     subnet fe80::46d9:e7ff:fe9e:3683/128 {
     }
 }
[edit]

 

When a Windows client connects via my LAN interface, this is what I see. MAC addresses and Client/Server Identifiers appear to be consistent. If the reply that contains the DNS server addresses is sent/received first, all is well. If it is received last, the DNS server addresses are not configured as expected.

 

Frame 1: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Ubiquiti_9e:36:82 (44:d9:e7:9e:36:82), Dst: Microsof_01:6e:b0 (00:15:5d:01:6e:b0)
Internet Protocol Version 6, Src: fe80::46d9:e7ff:fe9e:3682, Dst: fe80::2502:a82:4ce7:486c
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x21d76b
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 00010001223f557900155d016eb0
        DUID: 00010001223f557900155d016eb0
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 16, 2018 23:26:33.000000000 Central Daylight Time
        Link-layer address: 00:15:5d:01:6e:b0
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 00010001224015dd44d9e79e3682
        DUID: 00010001224015dd44d9e79e3682
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 17, 2018 13:07:25.000000000 Central Daylight Time
        Link-layer address: 44:d9:e7:9e:36:82
Frame 2: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)
Ethernet II, Src: Ubiquiti_9e:36:82 (44:d9:e7:9e:36:82), Dst: Microsof_01:6e:b0 (00:15:5d:01:6e:b0)
Internet Protocol Version 6, Src: fe80::46d9:e7ff:fe9e:3682, Dst: fe80::2502:a82:4ce7:486c
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x21d76b
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 00010001223f557900155d016eb0
        DUID: 00010001223f557900155d016eb0
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 16, 2018 23:26:33.000000000 Central Daylight Time
        Link-layer address: 00:15:5d:01:6e:b0
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 00010001223e067e44d9e79e3682
        DUID: 00010001223e067e44d9e79e3682
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 15, 2018 23:37:18.000000000 Central Daylight Time
        Link-layer address: 44:d9:e7:9e:36:82
    DNS recursive name server
        Option: DNS recursive name server (23)
        Length: 32
        Value: 200148604860000000000000000088882001486048600000...
         1 DNS server address: 2001:4860:4860::8888
         2 DNS server address: 2001:4860:4860::8844

 

When a Windows client connects via my WLAN interface, this is what I see. MAC addresses and Client/Server Identifiers appear to be inconsistent. If the reply that contains the DNS server addresses is sent/received first, all is well. If it is received last, the DNS server addresses are not configured as expected.

 

Frame 1: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Ubiquiti_9e:36:83 (44:d9:e7:9e:36:83), Dst: Microsof_1c:2b:1b (c4:9d:ed:1c:2b:1b)
Internet Protocol Version 6, Src: fe80::46d9:e7ff:fe9e:3683, Dst: fe80::fdc2:401e:22d9:2949
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0xbb0393
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 000100012228f373c49ded1c2b1b
        DUID: 000100012228f373c49ded1c2b1b
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Feb 27, 2018 22:58:27.000000000 Central Standard Time
        Link-layer address: c4:9d:ed:1c:2b:1b
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 00010001224015df44d9e79e3683
        DUID: 00010001224015df44d9e79e3683
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 17, 2018 13:07:27.000000000 Central Daylight Time
        Link-layer address: 44:d9:e7:9e:36:83
Frame 2: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)
Ethernet II, Src: Ubiquiti_9e:36:83 (44:d9:e7:9e:36:83), Dst: Microsof_1c:2b:1b (c4:9d:ed:1c:2b:1b)
Internet Protocol Version 6, Src: fe80::46d9:e7ff:fe9e:3683, Dst: fe80::fdc2:401e:22d9:2949
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0xbb0393
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 000100012228f373c49ded1c2b1b
        DUID: 000100012228f373c49ded1c2b1b
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Feb 27, 2018 22:58:27.000000000 Central Standard Time
        Link-layer address: c4:9d:ed:1c:2b:1b
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 00010001223e067e44d9e79e3682 [Why isn't this 44d9e79e3683?]
        DUID: 00010001223e067e44d9e79e3682 [Why isn't this 44d9e79e3683?]
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Mar 15, 2018 23:37:18.000000000 Central Daylight Time
        Link-layer address: 44:d9:e7:9e:36:82 [Why isn't this 44:d9:e7:9e:36:83?]
    DNS recursive name server
        Option: DNS recursive name server (23)
        Length: 32
        Value: 200148604860000000000000000088882001486048600000...
         1 DNS server address: 2001:4860:4860::8888
         2 DNS server address: 2001:4860:4860::8844

 

Anybody have any idea what's going on or how to correct this?

 

Thanks!
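Both DHCPv6 posts above show two Reply messages for a single transaction-id that differ only in the Server Identifier DUID and in whether option 23 (DNS recursive name server) is present. The script below is an added example, not code from the poster or from Ubiquiti: it parses DHCPv6 Reply bodies option by option, decodes DUID-LLT (type 1) server identifiers including their 2000-based timestamp, and groups replies by transaction-id to flag any transaction answered from more than one server DUID, which is the check a practitioner would run over such a capture. The sample messages are constructed from the option values printed for Frames 11 and 12 in the first post, not copied packet bytes.

```python
"""Parse DHCPv6 Reply messages and flag replies to one transaction that carry
different Server Identifier DUIDs (added example; sample messages are constructed
from the option values shown in the captures, not captured bytes)."""
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import IPv6Address

MSG_REPLY = 7
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS = 1, 2, 23
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base (RFC 8415)


def build_reply(xid, client_duid, server_duid, dns=()):
    """Assemble a DHCPv6 Reply body: 1-byte msg-type, 3-byte transaction-id, then
    options as (code, length, value) TLVs. Constructed for the example only."""
    body = bytes([MSG_REPLY]) + xid.to_bytes(3, "big")
    for code, val in ((OPT_CLIENTID, client_duid), (OPT_SERVERID, server_duid)):
        body += struct.pack("!HH", code, len(val)) + val
    if dns:
        val = b"".join(IPv6Address(a).packed for a in dns)
        body += struct.pack("!HH", OPT_DNS_SERVERS, len(val)) + val
    return body


def parse_duid_llt(duid):
    """Decode a DUID-LLT (type 1): type, hardware type, 32-bit time, link-layer address."""
    duid_type, hw_type, t = struct.unpack("!HHI", duid[:8])
    if duid_type != 1:
        return {"type": duid_type, "raw": duid.hex()}
    return {
        "type": duid_type,
        "hw_type": hw_type,
        "time_utc": (DUID_EPOCH + timedelta(seconds=t)).isoformat(),
        "lladdr": ":".join(f"{b:02x}" for b in duid[8:]),
    }


def parse_reply(body):
    """Walk the option TLVs of a DHCPv6 message; reject truncated options."""
    msg_type, xid = body[0], int.from_bytes(body[1:4], "big")
    opts, pos = {}, 4
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", body[pos:pos + 4])
        val = body[pos + 4:pos + 4 + length]
        if len(val) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = val
        pos += 4 + length
    out = {"msg_type": msg_type, "xid": xid}
    if OPT_SERVERID in opts:
        out["server_duid"] = parse_duid_llt(opts[OPT_SERVERID])
    if OPT_DNS_SERVERS in opts:
        val = opts[OPT_DNS_SERVERS]
        if len(val) % 16:
            raise ValueError("option 23 length is not a multiple of 16")
        out["dns"] = [str(IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
    return out


def find_conflicting_replies(bodies):
    """Group parsed Replies by transaction-id and report every transaction that was
    answered by more than one server DUID, noting which of those replies carried DNS."""
    by_xid = defaultdict(list)
    for b in bodies:
        r = parse_reply(b)
        if r["msg_type"] == MSG_REPLY:
            by_xid[r["xid"]].append(r)
    findings = []
    for xid, replies in by_xid.items():
        servers = {r.get("server_duid", {}).get("lladdr", "?") for r in replies}
        if len(servers) > 1:
            findings.append({
                "xid": xid,
                "servers": sorted(servers),
                "with_dns": sorted(r["server_duid"]["lladdr"] for r in replies if "dns" in r),
            })
    return findings


# Option values from Frames 11 and 12 of the first post (transaction 0x3b3e27).
CLIENT_DUID = bytes.fromhex("0001000121c9bf4c0056cd39a752")
SERVER_DUID_3683 = bytes.fromhex("00010001224015df44d9e79e3683")
SERVER_DUID_3682 = bytes.fromhex("00010001223e067e44d9e79e3682")
SAMPLE_REPLIES = [
    build_reply(0x3B3E27, CLIENT_DUID, SERVER_DUID_3683),
    build_reply(0x3B3E27, CLIENT_DUID, SERVER_DUID_3682,
                dns=("2001:4860:4860::8888", "2001:4860:4860::8844")),
]

if __name__ == "__main__":
    for f in find_conflicting_replies(SAMPLE_REPLIES):
        print(f"xid {f['xid']:#x}: replies from {f['servers']}, DNS only from {f['with_dns']}")
```

The constructed bodies come out at 40 and 76 bytes, matching the DHCPv6 payload sizes implied by the 102- and 138-byte frames, and the decoded DUID time of the 3683 identifier (2018-03-17 18:07:27 UTC) agrees with the 13:07:27 CDT that the dissector printed.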

How to set different DNS by interface ?


Hello, I have 3 main interfaces:

eth0: LAN

eth1: WAN

switch0: TV interface (eth2 + eth3 + eth4)

 

I have configured OpenDNS as the system DNS.

Firmware 1.10.0

 

 

-----------------------------------------------
   Nameservers configured for DNS forwarding
-----------------------------------------------
208.67.222.222 available via 'system'
208.67.220.220 available via 'system'
80.10.246.3 available via 'dhcp eth1.832'
81.253.149.10 available via 'dhcp eth1.832'

 

How could I configure eth0 to use only the system DNS and switch0 to use only "dhcp eth1.832"?

 

Thank you and have a good day.

 

VLAN routing to specific WAN

Anyone have an idea?

I followed the tutorial below:
https://help.ubnt.com/hc/en-us/articles/204952274-EdgeMAX-Policy-based-routing-source-address-based

My aim is to route one specific VLAN to ISP1 and another specific VLAN to ISP2. I now have two ISPs (Dutch Ziggo and KPN Fiber). This works so far: if both ISPs have a connection, the traffic from the VLANs goes via the right ISPs. If I disconnect the KPN fiber connection then, as defined, no WAN traffic is possible anymore from that VLAN (as desired). If I break the Ziggo connection (KPN connected), then all traffic goes over the KPN connection, including the VLAN that should actually go to Ziggo. Anyone have an idea what I am overlooking? The "LAN to LAN Traffic" item in the tutorial was not applied; it does not apply here.

ETH0 - Ziggo
ETH1 - LAN (with VLANs)
ETH2 - KPN Glass

 

Edgerouter X not reacheable after reboot


Hi guys,

 

I restarted the router today and after that I cannot reach it on the LAN. It is reachable over the internet.

I did a firmware and bootloader update but it did not help. What is interesting: I also have an AP which is available upon a restart, but I cannot connect to it with my Mac; after some time it disappears. I do not have much experience with this router, so I do not know how to troubleshoot. I would like to try to solve the problem without a factory restart. Any suggestions what to do?

 

Thanks in advance...

process 724 crash, release v1.10.0, ERPro-8


My ERPro-8 has been occasionally showing: "Process 724 (ubnt-util) has crashed (parent 579 (ubnt-daemon) signal 11, code 0, addr 0000024300000000), coredumps disabled".

It has been previously stated by Ubiquiti that the process 749 crash will be fixed in a future release. My question is: will the process 724 crash be part of the future release that fixes the process 749 crash?


Question about Wizards


Why can I only see 1 wizard? I see videos of other people using their devices and can't work out why I can't see more than 1 wizard. I have two internet connections and I want to do load balancing between them.

 

Equipment:

 

EdgeMAX 8 Pro

 

Be kind to your ISP - prevent RFC1918 egress


I've been trying to tidy up my firewall logs and eliminate noise. I was seeing a lot of ICMP type 3 messages cluttering up the log, and some investigation showed that packets to any RFC1918 destinations which weren't in my LAN were being forwarded out of the ER-Lite's WAN port to my ISP. Such are the joys of having default routes in place.

 

The ISP, of course, was correctly sending back ICMP type 3 messages, effectively telling me to stop it and go away. This noise was filling up my firewall's logs unnecessarily. And, of course, if my equipment was configured properly in the first place, it wouldn't be sending RFC1918 packets to my ISP and causing my ISP to do extra work.

 

So I figured, why not just stop the RFC1918 traffic at the door? So I put a WAN_OUT firewall rule in place, configured to allow everything outbound except RFC1918 destinations:

 

 firewall {
     group {
         network-group RFC1918 {
             description RFC1918
             network 10.0.0.0/8
             network 172.16.0.0/12
             network 192.168.0.0/16
         }
     }
     name WAN_OUT {
         default-action accept
         description "WAN traffic outbound"
         rule 1 {
             action drop
             description "Prevent outbound RFC1918 traffic"
             destination {
                 group {
                     network-group RFC1918
                 }
             }
         }
     }
 interfaces {
     ethernet eth0 {
         pppoe 0 {
             firewall {
                 in {
                     name WAN_IN
                 }
                 local {
                     name WAN_LOCAL
                 }
                 out {
                     name WAN_OUT
                 }
             }
         }

Now my firewall's logs are much less cluttered and more relevant, and my ISP doesn't have to deal with the detritus escaping my network.
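Added example (not the poster's configuration or any EdgeOS code): a small evaluator for an ordered ruleset shaped like WAN_OUT above, with a default action and numbered rules that match a destination network-group, run over a handful of sample destinations. It goes one step beyond the post by also listing destinations the rule would still forward although Python's ipaddress module does not consider them globally routable (link-local 169.254.0.0/16 and the shared address space 100.64.0.0/10 in the sample), which is how you would decide whether the group needs extending. The sample destinations are constructed.

```python
"""Evaluate an ordered, EdgeOS-style firewall ruleset against sample destinations
(added example; the WAN_OUT ruleset mirrors the one in the post)."""
from ipaddress import ip_address, ip_network

NETWORK_GROUPS = {
    "RFC1918": [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

# Same shape as the post's config: accept by default, rule 1 drops RFC1918 destinations.
WAN_OUT = {
    "default-action": "accept",
    "rules": [
        {"number": 1, "action": "drop", "destination-group": "RFC1918",
         "description": "Prevent outbound RFC1918 traffic"},
    ],
}


def in_group(addr, group_name):
    """True when addr falls in any network of the named group."""
    return any(addr in net for net in NETWORK_GROUPS[group_name])


def evaluate(ruleset, destination):
    """First matching rule (by number) decides; otherwise the default action.
    Returns (action, rule_number) with rule_number None for the default."""
    dst = ip_address(destination)
    for rule in sorted(ruleset["rules"], key=lambda r: r["number"]):
        group = rule.get("destination-group")
        if group is None or in_group(dst, group):
            return rule["action"], rule["number"]
    return ruleset["default-action"], None


def escaping_non_global(ruleset, destinations):
    """Destinations the ruleset would forward out of the WAN even though the
    ipaddress module does not consider them globally routable. An empty list
    means the drop rule covers every non-global destination in the sample."""
    return [d for d in destinations
            if evaluate(ruleset, d)[0] == "accept" and not ip_address(d).is_global]


# Constructed sample: public resolvers, three RFC1918 hosts, one address just
# outside 172.16/12, and two non-RFC1918 ranges that are also not internet-routable.
SAMPLE_DESTINATIONS = ["8.8.8.8", "1.1.1.1", "10.1.2.3", "172.31.255.255",
                       "192.168.0.1", "172.32.0.1", "169.254.1.1", "100.64.1.1"]

if __name__ == "__main__":
    for d in SAMPLE_DESTINATIONS:
        print(d, *evaluate(WAN_OUT, d))
    print("still escaping:", escaping_non_global(WAN_OUT, SAMPLE_DESTINATIONS))
```

The evaluator only models destination network-group matches, which is all WAN_OUT uses; 172.32.0.1 is included to show that the /12 boundary is honoured.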

SFP Module


What do I need to connect a single mode duplex fiber optic cable (LC to LC) between the SFP ports on an EdgeRouter 4 and a UniFi Switch 8-150W? None of the SFP modules on the Ubiquiti website seem to be the right fit from what I can tell. Thanks in advance for help.

OpenVPN clients can't connect to LAN


Hi all,

 

I am new to Ubiquiti routers. I bought mine yesterday and have managed to get everything working except OpenVPN clients can't reach anything on the LAN. I followed this guide:

 

https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

 

Originally I couldn't even access the router after connecting to the server but the following post made me look at my ciphering and compression.

 

https://community.ubnt.com/t5/EdgeRouter/Can-t-ping-LAN-via-OpenVPN/m-p/1651300#M124050

 

I was missing the following configuration steps:

 

set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 hash md5

So now I am able to connect to my router but still can't reach anything on the LAN. 

 

Firewall configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

vtun0 configuration:

    openvpn vtun0 {
        encryption aes128
        hash md5
        mode server
        replace-default-route {
        }
        server {
            name-server 208.67.222.222
            push-route 10.0.20.0/24
            subnet 10.0.25.0/24
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/server.pem
            dh-file /config/auth/dh.pem
            key-file /config/auth/server.key
        }
    }

I added a static route as well (suggested in some posts):

protocols {
    static {
        route 10.0.25.0/24 {
            next-hop 10.0.20.1 {
                description VPN-to-LAN
            }
        }
    }
}

NAT configuration:

    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }

Route table:

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 70.113.144.1, eth0
C    *> 0.0.0.0/24 is directly connected, vtun0
C    *> 10.0.20.0/24 is directly connected, switch0
C    *> 10.0.25.0/24 is directly connected, vtun0
C    *> 70.113.144.0/21 is directly connected, eth0
C    *> 127.0.0.0/8 is directly connected, lo

Any help would be appreciated.

Edge router Lite slow speedtest


Hello folks, 

I have an EdgeRouter Lite; I posted the config below. Behind either LAN1 or LAN2, when I run the Google speedtest I get less than 1Gbps down and 1Gbps up. If I plug my computer into the internet directly I get 4 down and 2 up. Any idea what to try to figure out where the bottleneck is? I embarrassedly found this out when I called the ISP complaining about slow speeds and went through online troubleshooting with them.

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex full
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed 100
    }
    ethernet eth1 {
        address 172.16.31.1/24
        description Local
        duplex full
        speed 100
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex full
        speed 100
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 172.16.31.0/24 {
                default-router 172.16.31.1
                dns-server 172.16.31.1
                lease 86400
                start 172.16.31.38 {
                    stop 172.16.31.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
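As an added example, independent of the poster's router and of EdgeOS itself, the following Python parses the brace-delimited configuration format shown above into nested dictionaries and lints it for two settings that appear in the posted configuration: Ethernet interfaces whose speed and duplex are forced rather than auto-negotiated, and the web GUI's older-ciphers option. The embedded sample is a trimmed copy of the interfaces and service blocks from the post; the check list is the example's own.

```python
"""Parse EdgeOS 'show configuration' brace syntax and lint a few settings
(added example; the sample is a trimmed copy of the post's interfaces/service blocks)."""


def parse_config(text):
    """Turn 'key value' leaves and 'key {' ... '}' blocks into nested dicts.
    Block keys keep their full name ('ethernet eth0'); a leaf that repeats
    ('listen-on') becomes a list of values. Raises on unbalanced braces."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected closing brace")
            node = stack.pop()
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            value = value.strip('"')
            if key in node:
                prev = node[key] if isinstance(node[key], list) else [node[key]]
                node[key] = prev + [value]
            else:
                node[key] = value
    if stack:
        raise ValueError("unclosed block")
    return root


def lint(cfg):
    """Findings worth a second look: forced link speed/duplex on Ethernet ports
    (auto-negotiation off) and the web GUI accepting older cipher suites."""
    findings = []
    for name, block in cfg.get("interfaces", {}).items():
        if name.startswith("ethernet ") and isinstance(block, dict):
            speed, duplex = block.get("speed", "auto"), block.get("duplex", "auto")
            if speed != "auto" or duplex != "auto":
                findings.append(f"{name}: link forced to speed {speed}, duplex {duplex}")
    if cfg.get("service", {}).get("gui", {}).get("older-ciphers") == "enable":
        findings.append("service gui: older-ciphers enable")
    return findings


# Trimmed from the configuration in the post.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex full
        speed 100
    }
    ethernet eth1 {
        address 172.16.31.1/24
        description Local
        duplex full
        speed 100
    }
    loopback lo {
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
}
"""

if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the output of `show configuration` saved to a file and the same two checks apply to a full config; extend `lint` with further keys as needed.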
 

 

Block internal WiFi IP from internal IP


In my setup I have an EdgeRouter providing DHCP to a UniFi AP connected to it, as well as an EdgeSwitch. Everything is on the same internal network subnet. There are 3 devices on the WiFi connection that I wish to block from accessing several that are on the EdgeSwitch. Other devices on the WiFi are fine, I just want to block the specific 3 devices. They are currently statically mapped on the EdgeRouter if that helps any.

 

Is there some way to do this?

EdgeRouter4 Port 1 Status LED won't come on?


Hi,

 

I recently bought an EdgeRouter 4 and apparently the status LED for Port 1 refuses to turn on.

I can see that the link is actually UP with 'show interface ethernet eth1 physical' and from the opposite side.

I can also ping the machine on the other end, so the link is definitely up, just no LED light.

 

I seriously doubt this, but is this something I can fix via a firmware update or something?

Or... should I just request a replacement?

 

Thanks


how to get an app added to a DPI category?


I cannot find Discord in the category list, and have tried the instant-messaging category (in case it matched with IRC).

 

How can we get it added to a DPI category?

L2TP remote-access connected but unable to connect to internet with Android phone


Hello, I have configured an L2TP remote-access vpn following the tutorial HERE

Using Android 8.1 I can connect to the tunnel without errors and I can access LAN resources.

I cannot, however, access the internet via the tunnel while it is connected.

Expanding on the tutorial linked above, I have tried setting a DNS server and setting route to 0.0.0.0/0 within the Android VPN settings to no avail.

I believe this is a DNS issue as I can go to 69.162.69.150 in my browser (icanhazip.com) but any site that requires DNS fails (such as using google's IP address)

 

Confusingly, using Termux, I can also ping 8.8.8.8 and google.com while the tunnel is up, but any other application relying on the internet fails.

 

I have a dynamic IP and have configured the L2TP DNS settings. Please see the relevant info below:

remote-access {
     authentication {
         local-users {
             username testuser {
                 password testpassword
             }
         }
         mode local
     }
     client-ip-pool {
         start 192.168.10.201
         stop 192.168.10.250
     }
     dhcp-interface eth0
     dns-servers {
         server-1 8.8.8.8
         server-2 8.8.4.4
     }
     ipsec-settings {
         authentication {
             mode pre-shared-secret
             pre-shared-secret testsecret
         }
     }
 }
default-action drop
 description "Inbound WAN to EdgeRouter"
 rule 10 {
     action accept
     description "Allow established/related"
     log disable
     protocol all
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action accept
     description "Remote WebUI Management"
     destination {
         port 444
     }
     log disable
     protocol tcp
     source {
     }
     state {
         established enable
         invalid disable
         new enable
         related enable
     }
 }
 rule 30 {
     action accept
     description IKE
     destination {
         port 500
     }
     log disable
     protocol udp
 }
 rule 40 {
     action accept
     description ESP
     log disable
     protocol esp
 }
 rule 50 {
     action accept
     description NAT-T
     destination {
         port 4500
     }
     log disable
     protocol udp
 }
 rule 60 {
     action accept
     description L2TP
     destination {
         port 1701
     }
     ipsec {
         match-ipsec
     }
     log disable
     protocol udp
 }
 rule 70 {
     action accept
     description "rate limit ICMP 50/m"
     limit {
         burst 1
         rate 50/minute
     }
     log enable
     protocol icmp
 }
 rule 80 {
     action drop
     description "Drop invalid state"
     log disable
     protocol all
     state {
         invalid enable
     }
 }

 

AmpliFi Teleport and EdgeRouter


Has anyone successfully set up and used a Teleport when the AmpliFi base is behind an EdgeRouter? If so, how?

 

Thanks.

Ping success on a disconnected interface


Hi

 

I have an ER-X with 3 WANs (eth0, pppoe1, pppoe2) and 1 LAN. When eth0 is physically disconnected, the ping via that interface is still a success (hence the load-balance check succeeds even though it should have failed). Any idea why?

 

When eth0 is connected ping returns

$ sudo ping -I eth0  8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.50 eth0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=48 time=42.8 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=48 time=43.1 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.849/43.013/43.177/0.164 ms

But with eth0 disconnected (10.42.0.1 is the router IP):

 

sudo ping -I eth0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.42.0.1 eth0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=48 time=50.0 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=48 time=43.2 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 43.209/46.626/50.043/3.417 ms

The only observable change is that the "PING 8.8.8.8 from <address>" line changes, which I think is the source of the problem. I am using the standard load-balancing wizard to set it up. Any guide please.

 

Route table when eth0 is disconnected:

admin@ERX:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
K    *> 0.0.0.0/0 [0/0] via pppoe1
S       0.0.0.0/0 [1/0] is directly connected, pppoe1
                  [1/0] is directly connected, pppoe2
C    *> 0.0.0.0/23 is directly connected, vtun0
C    *> 10.42.0.0/24 is directly connected, switch0
C    *> 10.111.44.0/23 is directly connected, vtun0
C    *> 10.242.0.1/32 is directly connected, pppoe2
C    *> 10.242.58.4/32 is directly connected, pppoe2
C    *> 100.72.0.1/32 is directly connected, pppoe1
C    *> 100.72.115.236/32 is directly connected, pppoe1
C    *> 127.0.0.0/8 is directly connected, lo
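An added example, not from the poster's router: the two ping runs above differ only in the address after "from". The function below parses that header line together with the statistics line and treats a probe as healthy only when its source address lies inside the prefix expected for the interface, so a reply to a probe that was sourced from the LAN address is reported as a failed check rather than a success. The sample outputs are the two runs quoted in the post; the expected WAN prefix 192.168.1.0/24 is an assumption, since the post shows only the address 192.168.1.50.

```python
"""Verify that a ping used as an interface health probe actually went out from
the address expected on that interface (added example; sample outputs are the
two runs quoted in the post)."""
import re
from ipaddress import ip_address, ip_network

PING_HEADER = re.compile(r"^PING \S+ \((?P<target>[^)]+)\) from (?P<src>\S+) (?P<iface>\S+): ")
PING_STATS = re.compile(r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) received")


def parse_ping(output):
    """Pull target, source address, interface and transmitted/received counts
    out of Linux ping output; raise if either line is missing."""
    header = stats = None
    for line in output.splitlines():
        header = header or PING_HEADER.match(line)
        stats = stats or PING_STATS.search(line)
    if header is None or stats is None:
        raise ValueError("unrecognised ping output")
    return {"target": header["target"], "src": header["src"], "iface": header["iface"],
            "tx": int(stats["tx"]), "rx": int(stats["rx"])}


def wan_probe_verdict(output, iface, expected_prefix):
    """Health verdict for a load-balance style probe: healthy only when replies
    came back AND the probe was sourced from an address inside the prefix the
    interface is expected to hold. A reply to a probe sourced elsewhere (for
    example from the LAN address) is reported as unhealthy."""
    info = parse_ping(output)
    src_ok = ip_address(info["src"]) in ip_network(expected_prefix)
    return {
        "iface": info["iface"],
        "src": info["src"],
        "src_on_iface": src_ok,
        "replies": info["rx"],
        "healthy": info["iface"] == iface and src_ok and info["rx"] > 0,
    }


# The two runs quoted in the post.
CONNECTED = """PING 8.8.8.8 (8.8.8.8) from 192.168.1.50 eth0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=48 time=42.8 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=48 time=43.1 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.849/43.013/43.177/0.164 ms
"""

DISCONNECTED = """PING 8.8.8.8 (8.8.8.8) from 10.42.0.1 eth0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=48 time=50.0 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=48 time=43.2 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 43.209/46.626/50.043/3.417 ms
"""

# Assumed WAN prefix for eth0; the post only shows the address 192.168.1.50.
EXPECTED_ETH0_PREFIX = "192.168.1.0/24"

if __name__ == "__main__":
    for name, out in (("connected", CONNECTED), ("disconnected", DISCONNECTED)):
        print(name, wan_probe_verdict(out, "eth0", EXPECTED_ETH0_PREFIX))
```

The second run still shows 2 of 2 replies, so a check that looks only at packet loss passes; the source-address condition is what turns it into a failure.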

 
