Channel: EdgeRouter topics

EdgeRouter Content filtering


Hello,

 

We recently went through and changed some settings on our router to better solve a separate issue, but now we ran into the issue that when the "Auto Firewall" checkbox is unchecked it disables our DPI filtering entirely (we block Facebook and other social media sites).

 

To clarify, it worked previously when that checkbox was checked, but now nothing is being blocked. Running v1.10.3 (Have yet to update it)

 

If anyone has any advice please let me know.

 

Thank you,

Justin Smith


allow dmz AP to internal cloudkey


hi guys. i need help allowing my cloudkey (sitting on LAN) to adopt an AP (sitting on DMZ).

i have a zone based firewall setup, and so far i have done the following, but something is not working.

 

traffic from DMZ --> LAN

accept established

allow 80,8543,11143 tcp

allow 3478 udp

 

traffic from LAN --> DMZ 

accept established

 

i assume the ap is the client, and the cloudkey is the "server"..

also, i am plugging in a ap lite straight into eth2 on my edgerouter if that matters.

 

could someone guide me what i could be doing wrong? 

 

i got the port numbers from here:

https://help.ubnt.com/hc/en-us/articles/115000169007-UniFi-Port-Requirements-for-Cloud-Key

 

thank you

Use public IP to access multiple devices on separate internal ports


I am trying to setup access to internal devices using just one of my public IPs as most of them are already in use.

 

currently i have public IPs A.x.x.90, B.x.x.92, and C.x.x.93 on WAN interface eth0.  A.x.x.90 is for a vendor to have their own network access to their provided leased managed product.  B.x.x.92 for general Web Access. C.x.x.93 for a private secured LAN.

 

i am trying to setup multiple port forwards for RDP access. I.E. 3389 for PC1, 3390 for PC2, 3391 for PC3 etc.....

also ports 4770,4880 for a NVR on Public IP D.x.x.94. 

 

i have setup successful forward to single internal IPs but that accepts all incoming ports to a single internal IP.  i know i am missing something on the forums here, but i can't seem to find the instructions on how to do this.

 

if anyone can help, it is greatly appreciated!

 

thanks,

Load Balancing - Policies Firewall or Routing


Hi All,

 

I am very new to the EdgeRouter X SFP, with which I replaced our TP-Link LoadBalancer router.

 

I setup with 2 Interface WAN LB with one LAN Network 

eth0 --> PPPoE  WAN1

eth1 --> DHCP WAN2

 

eth2/eth3/eth4 LAN 192.168.50.0/24 DHCP RANGE 192.168.50.51-245

All works perfectly well. But when I access our webmail service in a browser, while logging in to the page I see
[ Your IP address has changed. Please log in again.]

 

This is because, with LB, the request frequently goes via either WAN1 or WAN2.

 

I was able to resolve this issue in TP Link by policy Firewall.

Source 192.168.50.0/24  Destination 143.36.145.1xx  Port 1-65535 WAN1

 

How could I perform the same in Edge Router in UI or CLI.

 

I tried the command below, which they said would resolve it, but I was still not able to achieve this even after I set it on the router

configure
set load-balance group G sticky source-addr enable
set load-balance group G sticky dest-addr enable
set load-balance group G sticky dest-port enable
commit
save

Whoever from my LAN tries to access this 143.36.145.1xx has to go via eth1

 

Thanks,

Keerthi

L2TP/IPSec VPN working from home/office but not from other customer sites


So, I have a client with 5 sites, A-E, that are interconnected with IPSec tunnels.  All of them currently utilize the ERPro-8, firmware 1.10.3.

 

Using the guide to setup L2TP/IPSec VPN on the Edgerouter and client I previously setup a VPN to an isolated network used by a vendor, on Site C.  Recently someone internally asked to use the same process to connect to those vendor systems there rather than drive over to the other site.  So, I created a new internal user name and password and tested the VPN.  Not a problem, or so I thought. 

 

I tried to configure it for him, remotely and it wouldn't work.  He works at Site B.  So, I tried to configure a spare computer at another site (Site A) and it wouldn't connect.  I configured a separate machine at my office and it had no problem.  So, at my next onsite to Site B I tried to connect to the L2TP/IPSec VPN at Site C with my laptop (which worked from my office and home) and like previous attempts from company sites it failed to even establish the connection. It never got to the authentication part.

 

Is it possible this has something to do with the L2TP and IPSec offloading?  IPSec offloading is currently enabled.

Help with L2TP DNS


I'm losing my mind trying to get DNS up and running properly on my VPN. I want to connect to the VPN using my Android phone and view a page served by octopi.local, which is 192.168.2.134 on the LAN. At this point when I connect I get the following behavior:

 

Phone- connects to VPN, can ping the IP, but does not load the web page using the IP or domain name

Laptop- connects to VPN, can ping the IP, will load the web page using the IP but not the domain name

 

I originally had the vpn on 192.168.3.x, but have moved the client pool into the LAN subnet with no change in behavior.

 

This is on an ERL running 1.10.3. LAN is eth0, WAN is pppoe. Any insight would be greatly appreciated!

 

Sanitized config:

firewall {
all-ping enable
broadcast-ping disable
group {
address-group Trusted {
address 108.59.4.79
address 96.246.158.84
address 192.168.2.0/24
address 192.168.5.0/24
address 207.38.86.27
address 192.168.3.0/24
description "Trusted networks"
}
network-group BOGONS {
description BOGONS
network 10.0.0.0/8
network 100.64.0.0/10
network 127.0.0.0/8
network 169.254.0.0/16
network 172.16.0.0/12
network 192.0.0.0/24
network 192.0.2.0/24
network 192.168.0.0/16
network 198.18.0.0/15
network 198.51.100.0/24
network 203.0.113.0/24
network 224.0.0.0/4
network 240.0.0.0/4
}
}
ipv6-name Internet-To-LAN {
default-action drop
description "Internet to LAN"
rule 1 {
action accept
description "Drop Incoming IPv6 unless related"
state {
established enable
related enable
}
}
rule 2 {
action drop
state {
invalid enable
}
}
rule 3 {
action accept
description "allow ICMPv6"
protocol icmpv6
}
}
ipv6-name LAN-To-Internet {
default-action accept
description "LAN to Internet"
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
state {
invalid enable
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name GDD_Guest {
default-action accept
description "Isolate eth2"
rule 20 {
action drop
description "Block eth0"
destination {
group {
address-group NETv4_eth0
}
}
log disable
protocol all
source {
group {
}
}
}
rule 30 {
action drop
description "Block eth 0.5"
destination {
group {
address-group ADDRv4_eth0.5
}
}
log disable
protocol all
}
}
name VIDEO {
default-action drop
description "Video VLAN blocking"
rule 1 {
action drop
description "Block eth0"
destination {
group {
address-group NETv4_eth0
}
}
log disable
protocol all
source {
group {
}
}
state {
established enable
invalid disable
new enable
related enable
}
}
}
name WAN_IN {
default-action drop
description "WAN Inbound"
rule 10 {
action accept
description "Accept Related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action accept
description "Accept established"
log disable
protocol all
state {
established enable
invalid disable
new disable
related disable
}
}
rule 30 {
action accept
description "Accept FTP"
destination {
address 192.168.2.2
port 21
}
log disable
protocol tcp
source {
group {
address-group Trusted
}
}
}
rule 50 {
action drop
description "Drop Invalid"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "Internet to router"
rule 10 {
action accept
description "Accept Related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action accept
description "Allow L2TP"
destination {
port 500,1701,4500
}
log disable
protocol udp
}
rule 30 {
action accept
description "Allow ESP"
log disable
protocol 50
}
rule 40 {
action accept
description "HE ICMP allow"
log disable
protocol icmp
source {
address 66.220.2.74
}
}
rule 60 {
action drop
description "Drop Invalid"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 70 {
action drop
description "drop bogon source"
log disable
protocol all
source {
group {
network-group BOGONS
}
}
}
}
name WAN_OUT {
default-action accept
description ""
}
options {
mss-clamp {
interface-type pppoe
mss 1452
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.2.1/24
address 2001:470:b:146::1/64
description Local
duplex auto
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 600
other-config-flag false
prefix 2001:470:b:146::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
speed auto
vif 5 {
address 192.168.5.1/24
description "Video VLAN"
firewall {
in {
name VIDEO
}
}
}
}
ethernet eth1 {
description Internet
duplex auto
speed auto
vif 201 {
description "Centurylink VLAN"
firewall {
in {
}
}
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
out {
name WAN_OUT
}
}
mtu 1492
name-server auto
password <SNIP>
user-id <SNIP>
}
}
}
ethernet eth2 {
address 192.168.10.1/24
description "GDD Guest"
duplex auto
firewall {
in {
name GDD_Guest
}
}
speed auto
}
loopback lo {
}
tunnel tun0 {
address 2001:470:a:146::2/64
description "HE.NET IPv6 Tunnel"
disable
encapsulation sit
firewall {
in {
ipv6-name Internet-To-LAN
}
local {
ipv6-name Internet-To-LAN
}
}
local-ip <SNIP>
multicast disable
remote-ip 216.218.226.238
ttl 255
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth0
rule 1 {
description "Synology admin"
forward-to {
address 192.168.2.2
port 5001
}
original-port 5001
protocol tcp
}
rule 2 {
description Cloudprint
forward-to {
address 192.168.2.32
port 5222
}
original-port 5222
protocol tcp_udp
}
rule 3 {
description Cloudstation
forward-to {
address 192.168.2.2
port 6690
}
original-port 6690
protocol tcp_udp
}
rule 4 {
description "Synology HTTPS"
forward-to {
address 192.168.2.2
port 443
}
original-port 443
protocol tcp
}
rule 5 {
description "Syno WebDAV"
forward-to {
address 192.168.2.2
port 5006
}
original-port 5006
protocol tcp_udp
}
rule 6 {
description Simplehelp
forward-to {
address 192.168.2.5
port 8008
}
original-port 8008
protocol tcp_udp
}
rule 7 {
description "Synology HTTP"
forward-to {
address 192.168.2.2
port 80
}
original-port 80
protocol tcp
}
rule 8 {
description "Syno FTP"
forward-to {
address 192.168.2.2
port 21
}
original-port 21
protocol tcp_udp
}
rule 9 {
description "Syno SSH"
forward-to {
address 192.168.2.2
port 6001
}
original-port 6001
protocol tcp_udp
}
rule 10 {
description "UNMS HTTP"
forward-to {
address 192.168.2.5
port 9080
}
original-port 9080
protocol tcp
}
rule 11 {
description "UNMS HTTPS"
forward-to {
address 192.168.2.5
port 9443
}
original-port 9443
protocol tcp
}
rule 12 {
description "UNMS WS"
forward-to {
address 192.168.2.5
port 9444
}
original-port 9444
protocol tcp
}
wan-interface pppoe0
}
protocols {
static {
interface-route6 ::/0 {
next-hop-interface tun0 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name GDD-DHCP {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.10.5 {
stop 192.168.10.10
}
}
}
shared-network-name LAN-DHCP {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 3600
start 192.168.2.100 {
stop 192.168.2.199
}
static-mapping AERBook-Pro {
ip-address 192.168.2.78
mac-address
}
static-mapping AERBook-Pro_DOCK {
ip-address 192.168.2.80
mac-address
}
static-mapping Airport_Express {
ip-address 192.168.2.64
mac-address
}
static-mapping Allens_Pixel {
ip-address 192.168.2.14
mac-address
}
static-mapping BluRay {
ip-address 192.168.2.45
mac-address
}
static-mapping Chromecast_ETH {
ip-address 192.168.2.36
mac-address
}
static-mapping Chromecast_WIFI {
ip-address 192.168.2.35
mac-address
}
static-mapping DS1517_VM {
ip-address 192.168.2.6
mac-address
}
static-mapping DVR {
ip-address 192.168.2.61
mac-address
}
static-mapping Ecobee {
ip-address 192.168.2.15
mac-address
}
static-mapping Edgeswitch {
ip-address 192.168.2.200
mac-address
}
static-mapping ElPerroGrande {
ip-address 192.168.2.192
mac-address
}
static-mapping HarmonyHub {
ip-address 192.168.2.48
mac-address
}
static-mapping KaliPi3 {
ip-address 192.168.2.134
mac-address
}
static-mapping Kerrys-iMac {
ip-address 192.168.2.4
mac-address
}
static-mapping Kerrys_MacBook {
ip-address 192.168.2.43
mac-address
}
static-mapping Kerrys_Pixel {
ip-address 192.168.2.42
mac-address
}
static-mapping Kerrys_iMac {
ip-address 192.168.2.50
mac-address
}
static-mapping MX922 {
ip-address 192.168.2.32
mac-address
}
static-mapping Nixon_Mission {
ip-address 192.168.2.196
mac-address
}
static-mapping Nvidia_tablet {
ip-address 192.168.2.7
mac-address
}
static-mapping Roku {
ip-address 192.168.2.31
mac-address
}
static-mapping SPA112 {
ip-address 192.168.2.52
mac-address
}
static-mapping SebNetPro {
ip-address 192.168.2.109
mac-address
}
static-mapping Simplehelp_VM {
ip-address 192.168.2.5
mac-address
}
static-mapping Stereo {
ip-address 192.168.2.17
mac-address
}
static-mapping UNMS {
ip-address 192.168.2.113
mac-address
}
static-mapping Unifi {
ip-address 192.168.2.38
mac-address
}
static-mapping kali_wifi {
ip-address 192.168.2.135
mac-address
}
}
}
shared-network-name Video-DHCP {
authoritative disable
subnet 192.168.5.0/24 {
default-router 192.168.5.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.5.1 {
stop 192.168.5.254
}
static-mapping Back_camera {
ip-address 192.168.5.4
mac-address
}
static-mapping Front_camera {
ip-address 192.168.5.3
mac-address
}
static-mapping MacBook_Pro {
ip-address 192.168.5.200
mac-address
}
static-mapping Synology_2 {
ip-address 192.168.5.2
mac-address
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
dynamic {
interface pppoe0 {
service dyndns {
host-name <SNIP>
login <SNIP>
password <SNIP>
server <SNIP>
}
}
}
forwarding {
cache-size 150
listen-on eth0
listen-on eth0.5
listen-on "l2tp*"
options listen-address=192.168.2.1
}
}
gui {
http-port 80
https-port 443
older-ciphers disable
}
mdns {
reflector
}
nat {
rule 2 {
description FTP
destination {
port 21
}
inbound-interface pppoe0
inside-address {
address 192.168.2.2
port 21
}
log disable
protocol tcp
type destination
}
rule 5000 {
description "NAT Exclude"
destination {
address 192.168.3.0/24
}
exclude
log disable
outbound-interface pppoe0
protocol all
source {
group {
address-group ADDRv4_eth0
}
}
type masquerade
}
rule 5001 {
description PPPoE
log disable
outbound-interface pppoe0
protocol all
type masquerade
}
}
ssh {
listen-address 192.168.2.1
port 22
protocol-version v2
}
unms {
connection wss://<SNIP>
}
upnp {
}
}
system {
conntrack {
expect-table-size 2048
hash-size 32768
modules {
sip {
disable
}
}
table-size 262144
}
host-name aerouter.local
login {
banner {
post-login "Welcome to EdgeMAX"
pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
}
user <SNIP> {
authentication {
encrypted-password <SNIP>
plaintext-password ""
}
full-name Allen
level admin
}
user <SNIP> {
authentication {
encrypted-password <SNIP>
plaintext-password ""
}
full-name "Allen Rowand"
level operator
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
gre enable
pppoe enable
vlan enable
}
ipv6 {
forwarding enable
pppoe enable
}
}
static-host-mapping {
host-name aerouter.local {
inet 192.168.2.1
}
host-name <SNIP> {
inet 192.168.2.200
}
host-name <SNIP> {
inet 192.168.2.2
}
host-name <SNIP> {
inet 192.168.2.5
}
host-name octopi.local {
inet 192.168.2.134
}
host-name unifi.local {
inet 192.168.2.5
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
task-scheduler {
task update_dpi {
executable {
path /usr/sbin/ubnt-update-dpi
}
interval 24h
}
}
time-zone America/Los_Angeles
traffic-analysis {
dpi enable
export enable
}
}
traffic-control {
advanced-queue {
root {
}
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
ipsec-interfaces {
interface pppoe0
}
nat-networks {
allowed-network 192.168.0.0/16 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
local-users {
username <SNIP> {
password <SNIP>
}
}
mode local
}
client-ip-pool {
start 192.168.2.240
stop 192.168.2.249
}
idle 1800
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret <SNIP>
}
ike-lifetime 3600
lifetime 3600
}
mtu 1400
outside-address 0.0.0.0
}
}
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.3.5082526.180426.1554 */

Setting up my first fail over network!


Good Afternoon Everyone! 

I just got my new Edge Router X in the mail today. I started to set it up and felt a little overwhelmed for some reason. So I thought I would post my config here before implementing it and see what everyone thought.

 

Please see attachment. 

"Leaky NAT" with zone based firewall policy


It seems that all rfc1918 addresses that do not belong on my LAN are being routed through my default gateway and actually quite a few hops due to how my ISP seems to (not) handle rfc1918:

 

$ traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 64 hops max
  1   192.168.0.1  0.184ms  0.101ms  0.073ms
  2   <isp default gw>  1.705ms  0.473ms  8.484ms
  3   <isp router>  19.848ms  21.455ms  20.527ms
  4   <isp router>  21.082ms  20.942ms  21.058ms
  5   <isp router>  18.696ms  18.613ms  19.373ms
  6   <isp router>  21.509ms  22.091ms  21.628ms
  7   <isp router>  18.668ms  18.471ms  18.469ms

While reading through some VyOS documentation this appears to be quite common and the solution is to drop invalid packages in the firewall (https://wiki.vyos.net/wiki/User_Guide#NAT).

 

I assume they are suggesting a rule like this:

 

     rule 2 {
         action drop
         state {
             invalid enable
         }
     }


The thing is, my firewall is zone-based and I actually have a rule like that for each zone and in all directions.

 

I wonder if someone can shed some light on this?


EdgeRouter Content Filtering


Hi Experts!

 

I did some firewall rules on my EdgeRouter Lite for website filtering using DPI and seems perfectly working on clients using desktop and laptops.

 

Blocked Social Media Sites and Top Adult Sites if they are using web browser but when they use facebook app, twitter app, IG app, it bypasses the firewall and continue to load contents. 

 

My question is, is it possible to block those applications on the firewall of Edge Router Lite?

 

TIA,

 

IPv6 Prefix Delegation on second router?


Curious if this is even possible at the moment. I have 2 Edgerouters, an Edgerouter 4 acting as my Edge to the internet, and I have another edgerouter lite behind that segmenting my VMs. Is there a way to use prefix delegation to get a couple /64s for my Edgerouter lite?

 

ATT -->   Edgerouter 4 -----> Edgerouter lite ---> VMs
                       ^
                       |
Comcast---

Port forwarding - firewall rules for multiple IP's


Hello group

 

How would this best be done with Edge OS.  Trying to duplicate some rules in a Sonicwall which has a different approach.  In SW you specify the service (define port to a name, like RDP to 3389), then in access rules you can specify both sides IP's ranges.

 

So for example: source 65.123.321.12 , destination 192.168.1.5, service name RDP (which was set to 3389 in prev step), then set to allow.  'so only allows a certain public IP to access machine via RDP, all other requests dropped'.

 

I'm used to how Sonicwall sets these rules up but need to duplicate with EdgeOS on an ER4 (with eth0 WAN and eth1 LAN).

 

 

Edge series real reset to get license agreement message back


Greetings!

I need to reset EdgeRouter X to defaults. But the usual ways do not reset it to a brand new factory state. I don't see the license agreement message at first connect to the device.

I know there are some ways to get it back with two resets in a row. But I don't know the correct sequence.

This concerns all Edge family.

I will try all your suggestions.
Thank you.

 

Internet drop after 1 hour if cold boot/firmware update


If I do a firmware update (currently 1.10.5) or a cold boot, my internet connection drops after one hour.

If I then reboot my EdgeRouter Lite (3p) everything works as should be.

 

I've got this problem over the past firmwares.

In the (external) syslog nothing is shown about why the internet connection dropped.

 

Relevant information:

EdgeRouter Lite currently running 1.10.5

eth0: LAN1

eth1: Internet interface

eth1 VIF 34: Internet VLAN. IP by DHCP

eth2: LAN2

How can I block a mac address from getting to the internet - EdgeRouter Lite


I need help blocking 4 specific MAC addresses from accessing internet while on my network. I can't seem to figure out how to do this basic task on the EdgeRouter Lite. 

Strange issues with DNS resolver/forwarder


Has anyone else experienced strange issues when using the Edgerouter as the DNS resolver/forwarder? Recently, we have had some Edgerouters spontaneously stop forwarding DNS. The fix is we had to login and explicitly define:

 

“DNS Forwarding DHCP Eth0“
 

Yesterday I upgraded my home ER-X-SFP to 1.10.5. When I did this, DNS resolution broke in a similar manner except in that case I had to explicitly define the name-servers for forwarding even though the output from DNS statistics showed the nameservers were being inherited from the system config.


PSA: Please delete ubnt/ubnt user


 

It really should go without saying but setting up a good user with a strong password is not enough, you MUST remove the default user.  An unprotected ubnt account and someone could wipe your settings or worse, redirect all your traffic over a VPN for inspection.  It's trivial to get a connection to the ER which is not logged with a remote IP, you'll have no way to trace it down unless you catch them in the act.

 

delete system login users ubnt

This is an example of a normal ssh login. IP tracked

 

Username        Type    Tty      From                Last login
me        vyatta  pts/0    192.168.X.Y      Wed Jun 27 21:51:22 2018
monitor         vyatta                               never logged in

This is an example of another remote login... over the internet, that is not tracked.  I've changed the name but have not removed the IP, it's not there.  SSH need not be enabled for this to work.

 

Username        Type    Tty      From                Last login
me        vyatta  pts/1                        Thu Jun 28 10:45:51 2018
monitor         vyatta                               never logged in
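
The check the PSA describes, as an added example that is not part of the original post: it flags sessions in the login table that have a tty and a login time but no source address, and reports whether a default `ubnt` account still exists in a configuration dump. The function names are hypothetical, the sample inputs are constructed from the tables above and from the brace-style config layout shown elsewhere on this page, and the column handling assumes exactly the layout shown in the post.

```python
import re

# Constructed sample: the two login tables shown in the post, concatenated.
SAMPLE_LOGINS = """\
Username        Type    Tty      From                Last login
me        vyatta  pts/0    192.168.X.Y      Wed Jun 27 21:51:22 2018
monitor         vyatta                               never logged in
Username        Type    Tty      From                Last login
me        vyatta  pts/1                        Thu Jun 28 10:45:51 2018
monitor         vyatta                               never logged in
"""

# Constructed sample: a minimal config dump in the brace format used on this page.
SAMPLE_CONFIG = """\
system {
login {
user ubnt {
level admin
}
user me {
level admin
}
}
}
"""

NEVER = "never logged in"
# Timestamp at the end of a row, e.g. "Wed Jun 27 21:51:22 2018".
DATE_RE = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}$"
)


def parse_logins(text):
    """Parse the login table into dicts; missing columns become ''."""
    rows = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Username"):
            continue
        if line.endswith(NEVER):
            head, last = line[: -len(NEVER)].split(), None
        else:
            match = DATE_RE.search(line)
            if match is None:
                continue  # not a row in the layout this example assumes
            head, last = line[: match.start()].split(), match.group(0)
        # Columns before the timestamp: Username, Type, Tty, From.
        # Assumption: when only three are present, the missing one is From.
        head += [""] * (4 - len(head))
        user, kind, tty, source = head[:4]
        rows.append({"user": user, "type": kind, "tty": tty,
                     "from": source, "last_login": last})
    return rows


def untraced_sessions(text):
    """Rows that logged in on a tty but recorded no source address."""
    return [r for r in parse_logins(text)
            if r["last_login"] and r["tty"] and not r["from"]]


def stanza_paths(config):
    """Return the nesting path of every '{ ... }' stanza in a config dump."""
    stack, paths = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            paths.append(tuple(stack))
        elif line == "}" and stack:
            stack.pop()
    return paths


def default_user_present(config, name="ubnt"):
    """True if 'system { login { user <name> {' exists in the dump."""
    return ("system", "login", f"user {name}") in stanza_paths(config)


if __name__ == "__main__":
    for row in untraced_sessions(SAMPLE_LOGINS):
        print(f"no source address: {row['user']} on {row['tty']} at {row['last_login']}")
    print("default ubnt account present:", default_user_present(SAMPLE_CONFIG))
```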

 

EdgeMax New Setup - Dual WAN with balance and one IP excluded


Hi there,

 

I'm very new to the Edgemax but can see great potential as I learn it. I have a very simple setup with a PPPOE connection on eth0 and a static IP connection on eth1 (4G backup/balancing) which is for the most part installed and working, however I have one client which streams video all day which I would like to force to use eth0 and not use the 4g on eth1.

 

I've found and tried to follow this guide: https://community.ubnt.com/t5/EdgeRouter/Dual-WAN-with-some-hosts-using-only-one-WAN/m-p/703493#M22093 which is very much what I want, but as a day 1 user I'm not sure how to interpret this and enter via the CLI.

 

I have DHCP running and statically assigned IPs where needed. Local network is all on 192.168.100.X and it's 192.168.100.6 that I need to use exclusively eth0 for its connection.

 

Separately, can someone advise on how best to change the balance of the split (I'd like 70/30 between eth0 and eth1 for all other traffic)

 

Thanks in advance.

Feature Request : Enable POE on EP-R6 during switch mode wizard


hi all

 

it would be great if during the Configuration wizard for switch mode on the EP-R6

 

we can also enable POE using a check box per port.

 

right now we can define vlans, management IP but we can't enable POE.

 

i have a EP-R6 in production with vlans added to the switch0 instead of using the advanced switch mode but i will have to go on site cause when the EP-R6 will reboot it will not have POE enabled anymore on its ports...

 

thx

Few things...


I have a new ER infinity 8 port router that I am setting up.  So far, pretty unimpressed.  I need to do a few things that I cannot find documentation for:

 

1. How do I create a NEW loopback interface?  I am wanting to have a loopback (or bridge or whatever) to use as a place to hang NAT IPs, management IPs and such.  I know I can use the existing loopback, but I want a new loopback.

 

2. Is there a way to dump the config in a format that is easier to read?  Like, for example, the commands I used to add the config would be nice.

 

3.  Still working with DHCP, but a bit more documentation would be nice.  If it exists, Google hasn't found it.

 

I have seen stories about BGP being flakey....I hope this is resolved in recent firmwares....

Troubleshoot Defective EdgeRouter X


I purchased an EdgeRouter X six months ago. I am new to Ubiquiti level of products as I have only used consumer grade in the past. No problems setting it up after watching a few YouTube videos. 

 

All was working fine until all internet traffic stopped today. I think the EdgeRouter X is defective but can someone review what I have done so far and recommend anything further before I try to return it under warranty?

 

So far:

1. I have contacted cable company and reset Motorola modem to factory defaults. A single laptop connects fine to the modem and is able to access internet.

 

2. I unplugged EdgeRouter and modem several times and waited up to 30 minutes. Still no access to internet. 

 

3. I reset the EdgeRouter using the reset button, changed my laptop IP to 192.168.1.11, plugged laptop into the eth0 port and was able to connect to router. I was prompted for the basic setup wizard which I ran with the firewall option checked. I applied changes and the router rebooted.

 

4. I plugged my computer into eth1 port, modem into eth0, changed laptop IP to obtain IP address automatically and restarted computer. Still no connection to internet. 

 

5. I ran windows connection diagnostic and the results were "Ethernet does not have a valid IP configuration".  I tried to connect to 192.168.1.1 with laptop using dynamic IP and static of 192.168.11.

 

6. I restarted everything several times by unplugging. I waited 30 minutes for anything to become stable. Still no internet connection using laptop and dynamic IP plugged directly into eth1 port. 

 

Plugging the laptop directly into cable modem still works fine.

 

What else can I try before sending it back as defective? 

 

Thank you for helping...
