Hello to all.

My network look like:

Internet -> eth0 (static ip) -> eth2 -> switch (internal ips).

I'd installed in my router (ERL-3) a server (nginx) what listening the 80 and 443 ports. That server act like a reverse proxy for another 2s servers from internal network (mail and file server).

My issue it's about acces from internet those 2 router ports - 80 and 443. The router reverse proxy working good from internal network but nothing happens from internet and I don't know how/where should do for oppening those ports from internet accesing.

TIA to all.

My dhcp-server config is in an inconsistent state resulting in the configuration aborting during the commit attempt.   Taking the offending static mapping out, committing and saving and then adding them back and committing again doesn't clear the error.   The commit with the items back give exactly the same error.  There is some state that I can't seem to clear.   Hints?

root@gw# load /tmp/config.boot
Loading configuration from '/tmp/config.boot'...

Load complete. Use 'commit' to make changes active.
[edit]
root@gw# commit added wifi static mappins for spi*
[ service dhcp-server ]
Static DHCP lease IP '192.168.33.68' under static mapping 'spi0.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.69' under static mapping 'spi1.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.73' under static mapping 'spi2.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.74' under static mapping 'spi3.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.75' under static mapping 'spi5.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.67' under static mapping 'spi6.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.70' under static mapping 'spi7.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.71' under static mapping 'spi8.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
Static DHCP lease IP '192.168.33.72' under static mapping 'spi9.wsrcc.com'
under shared network name 'WIFI' is already is in by static-mapping ''.
DHCP server configuration commit aborted due to error(s).

[edit]

Hello,

I just bought an Edgerouter 6P to handel all the Internet traffic.

My first setup was:

1 Netgear R7800 as router (ground floor)

1 Netgear R7000 as accesspoint (1st floor)

1 Netgear switch (2nd floor)

On this setup the R7800 handled the DHCP requests and did the port forwarding.

New Setup

1 Edgerouter 6p as router with ETH1 / ETH2 / ETH3 bridged and as DHCP server, port forwarding

1 R7800 (did an factory reset) act as accesspoint

1 R7000 as accesspoint

1 Netgear switch

After 1 day the R7800 was up and running but the clients did not recive any DHCP any more, after an reset of the Edgerouter all was working again.

After day 2 R7000 the clients did not recive any DHCP any more, after an reset of the Edgerouter all was working again.

What is going on here?

Good morning, I have an edgerouter PoE with a load balcance of two different isp, internet works normally, but the voip peripherals are disconnected continuously, how can I tell edgerouter PoE to run a single ip or ip range on a single isp (wan)?

Hey guys,

I've searched the forums, read documentation, searched Google, etc etc. But I can not find the answers I'm looking for.

I have a test-ip-range from ExtraIP and I want to use that range through my Edgerouter Lite 3. They have given me these commands:

configure
edit interfaces tunnel tun0
set encapsulation gre
set local-ip <my current ip>

set remote-ip 87.233.64.250

set description "Extra-IP" 

set interfaces ethernet eth1 address 37.148.196.33/29

set protocols static route 87.233.64.250/32 <GATEWAY PROVIDER>
set protocols static interface-route 0.0.0.0/0 next-hop-interface tun0

exit
commit

What I don't understand is the following:

1. How should I see this configuration? Do the extra ip's connect to my WAN port? Or are they all on my tun0 interface?

2. Do I treat the tun0 interface as an extra internet connection, that needs extra setup for NAT and routing?

3. In above example, do I use ETH0 or ETH1? My WAN port is ETH0. My LAN is ETH1. Above configuration doesn't make sense to me. But I might be wrong!

The first few steps work perfectly. When I exit and commit, I have a tun0 interface added and it SAYS connected. But I have no way of testing if it works, since I struggle with the routing and/or firewalling.

The problems arise at SET INTERFACES ETHERNET 

From there on I get errors and I'm starting to get confused.

Any help would be appreciated here. 

Thank you in advance!

Morning folks,

I think this is pretty basic, but I'll ask anyway... I notice when I run a tracert, hostnames are often resolved.  How does that process work?  I assume that's rDNS or something?  would like to see my private router's names show up when I do a tracert, but a lot of them are private until they hit my public border.

I'm using the ubiqiti router as the DNS for my internal network. As I provision hosts, I'd like to add static host mappings for them since they are on a subnet with it's own DHCP server. (lab subnet).

Is there any way to add entries into the hosts file or UI remotely via api or script? Currently the way I've found was to dump the entry into the /etc/hosts file via ssh and restart dnsmasq which is less than optimal.

Hi everyone, hoping someone can help, point me in the right direction, or tell me this is absolutely not possible.

I have the EdgeRouter X. eth2, eth3, and eth4 are all configured to be part of switch0.

I'd like to have a LAN_LOCAL firewall rule that only allows full local access (SSH, GUI, etc.) to a device plugged into eth2, but not eth3 or eth4. Seems like no rules based on those interfaces are processed since they're all part of the switch0 interface.

I otherwise do want all 3 interfaces to be on the same LAN/subnet.

I'm clear on how to otherwise write the rule to do this on a single interface, already blocking everything except DHCP on eth1.

I considered having a rule for switch0 that only allows based on MAC address but seems like a surefire way to lock myself out when/if that particular device fails.

Any help is appreciated!

Edge Router POE 5 and Xfinity using a Motorola SB8600 Docsis 3.1. 

Hi all, I have a Edgerouter POE 5 and it was set by a third party and i cannot access the online gui

(following the instruction and setup the nic card) so it appears i have to do a reset.

Q) Once I reset the Edge router, how hard is it to get it up and running with Xfinity and SB8600?

Q) Do i have the modem MB8600 do the DHSCP and QOS or do I have Edge router do it?

Q) I have gig service with Xfinity but have heard some respots the Edge router doesnt get the speeds

it should (1000 mbps down and 35 up)? Is this a known deal?

Q) The modem SB8600 is also new to me (I had the XB6 technicolor version) but I like the idea dn features of the SB8600. Since I do alot of VoIP, Audio Video live streaming I am hoping this will be an improvement.

I am a bit nervous to wipe the router and start over but no other choice since the third party had configured it so they could remotely manage the device and that basically locks me out.

I have downloaded the latest firmware for edgerouter in anticipation of  getting thsi working as expected

Anyone have thoughts or experience with this setup please let me know the gotchas and prereq before i move forward

Thanks

Hi all,

Working on setting up IKEv2 on my ER4 and have been through the existing threads on the subject on this forum, and haven't been able to figure it out. I have OpenVPN working fine, but wanted to get IKEv2 running as well as a secondary option / something that might be able to take advantage of HW offloading.

First off: my setup is a home environment, not a corporate setup with many users. My use-case is remote client (i.e. me and my laptop) wishing to VPN back to my apartment to access local resources (#1) and perhaps also route all Internet traffic (#2). I've set up two OpenVPN profiles to achieve that effect, but haven't gotten IKEv2 working.

So far I have managed to get to the point where my remote machine (Windows 10) can authenticate using a machine certificate against the ER4's StrongSwan server. However, I think something is wrong in my firewall or configuration at this point as I think the wrong routes are being installed and/or there is a firewall mistake.

My network setup is currently pretty "dumb", it is just a single 172.16.1.1/24 on eth3 as LAN and DHCP on eth0 as WAN. OpenVPN uses 172.16.1.50/24 and pushes a route to 172.16.1.0/24 and seems to behave itself. Optimally, for this basic configuration, I'd like to get my IKEv2 tunnel either doing a similar setup where it's 172.16.x.0/24 and pushes a route to LAN, or as I have seen some configs here do, it simply allocates IP addresses out of DHCP range to the VPN clients from the 172.16.1.1/24 space.

My StrongSwan config is currently as follows, placed in ipsec.conf:

root@ubnt:/home/ubnt# cat /config/auth/ipsec/ipsec.conf
# Custom StrongSwan IPSec Configuration File
#
# Resources:
# Digital Ocean IKEv2 VPN Ubuntu 16.04 Guide

# General Setup
config setup
 # Configure Logging
 charondebug="ike 2, cfg 2, dmn 2, knl 1"
 uniqueids=no

ca myCA
 cacert=/config/auth/ipsec/ca.crt
 auto=add

conn split

 # Generic Parameters
 auto=add
 compress=no
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev2
 type=tunnel
 fragmentation=yes
 ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
 esp=aes256-sha256,aes256-sha1!
 mobike=yes

 # Dead-Peer / Cleanup
 dpdaction=clear
 dpddelay=90s
 rekey=no

 # Left (Local Settings)
 left=%any
 leftid=@apt.xxxxxxxxx.yyy
 leftsubnet=172.16.1.0/24
 leftcert=/config/auth/ipsec/edgerouter4.crt
 leftsendcert=ifasked
 leftfirewall=yes

 # Right (Remote Settings)
 # Allow access from any IP address. 
 right=%any
 rightid=%any
 rightsourceip=172.16.40.0/24
# rightsourceip=172.16.1.201-172.16.1.219
# rightsubnet=172.16.1.0/24
 rightdns=172.16.1.1
# rightauth=eap-mschapv2
 rightsendcert=never

 eap_identity=%identity

You can see I was playing with various rightsourciep/rightsubnet options...

And (I think) the relevant UBNT configs:

ubnt@ubnt# show vpn
 ipsec {
     auto-firewall-nat-exclude disable
     include-ipsec-conf /config/auth/ipsec/ipsec.conf
     include-ipsec-secrets /config/auth/ipsec/ipsec.secrets
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
 }

ubnt@ubnt# show firewall
 all-ping enable
 broadcast-ping disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
     default-action drop
     description "WAN to internal"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
 }
 name WAN_LOCAL {
     default-action drop
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         description OpenVPN
         destination {
             port 1194
         }
         protocol udp
     }
     rule 40 {
         action accept
         description ike
         destination {
             port 500
         }
         log disable
         protocol udp
     }
     rule 50 {
         action accept
         description esp
         log disable
         protocol esp
     }
     rule 60 {
         action accept
         description nat-t
         destination {
             port 4500
         }
         log disable
         protocol udp
     }
     rule 70 {
         action accept
         description l2tp
         destination {
             port 1701
         }
         ipsec {
             match-ipsec
         }
         log disable
         protocol udp
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable

I feel like it's something on the strongswan side; several forum posts have had users set a global iptables command to allow for ipv4 forwarding or similar; I'm not sure how to do that / if that's a good idea in the context of the Ubiquiti routing platform.

And a log of a IKEv2 connection from swanctl:

root@ubnt:/home/ubnt# swanctl --log
09[NET] received packet: from client.ip.address[500] to edgerouter.ip.address[500] (632 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
09[ENC] received unknown vendor ID: [redacted]
09[ENC] received unknown vendor ID: [redacted]
09[ENC] received unknown vendor ID: [redacted]
09[ENC] received unknown vendor ID: [redacted]
09[IKE] client.ip.address is initiating an IKE_SA
09[IKE] remote host is behind NAT
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
09[NET] sending packet: from edgerouter.ip.address[500] to client.ip.address[500] (448 bytes)
11[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (580 bytes)
11[ENC] parsed IKE_AUTH request 1 [ EF ]
11[ENC] received fragment #1 of 6, waiting for complete IKE message
10[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (580 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF ]
10[ENC] received fragment #2 of 6, waiting for complete IKE message
13[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (580 bytes)
13[ENC] parsed IKE_AUTH request 1 [ EF ]
13[ENC] received fragment #3 of 6, waiting for complete IKE message
07[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (580 bytes)
07[ENC] parsed IKE_AUTH request 1 [ EF ]
07[ENC] received fragment #4 of 6, waiting for complete IKE message
16[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (580 bytes)
16[ENC] parsed IKE_AUTH request 1 [ EF ]
16[ENC] received fragment #5 of 6, waiting for complete IKE message
06[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (468 bytes)
06[ENC] parsed IKE_AUTH request 1 [ EF ]
06[ENC] received fragment #6 of 6, reassembling fragmented IKE message
06[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
06[IKE] received cert request for "C[redacted]"
06[IKE] received 46 cert requests for an unknown ca
06[IKE] received end entity cert [redacted]"
06[CFG] looking for peer configs matching edgerouter.ip.address[%any]...client.ip.address[[redacted]]
06[CFG] selected peer config 'split'
06[CFG]   using certificate "[redacted]"
06[CFG]   using trusted ca certificate "[redacted]"
06[CFG] checking certificate status of "[redacted]"
06[CFG] certificate status is not available
06[CFG]   reached self-signed root ca with a path length of 0
06[IKE] authentication of '[redacted]' with RSA signature successful
06[IKE] peer supports MOBIKE
06[IKE] authentication of 'edgerouter.domain.name' (myself) with RSA signature successful
06[IKE] IKE_SA split[2] established between edgerouter.ip.address[edgerouter.domain.name]...client.ip.address[[redacted]]
06[IKE] sending end entity cert "[redacted]"
06[IKE] peer requested virtual IP %any
06[CFG] reassigning offline lease to '[redacted]'
06[IKE] assigning virtual IP 172.16.40.1 to peer '[redacted]'
06[IKE] peer requested virtual IP %any6
06[IKE] no virtual IP found for %any6 requested by '[redacted]'
06[IKE] CHILD_SA split{2} established with SPIs c1afb32a_i aa230b1e_o and TS 172.16.1.0/24 === 172.16.40.1/32
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
06[ENC] splitting IKE message with length of 1776 bytes into 4 fragments
06[ENC] generating IKE_AUTH response 1 [ EF ]
06[ENC] generating IKE_AUTH response 1 [ EF ]
06[ENC] generating IKE_AUTH response 1 [ EF ]
06[ENC] generating IKE_AUTH response 1 [ EF ]
06[NET] sending packet: from edgerouter.ip.address[4500] to client.ip.address[62939] (532 bytes)
06[NET] sending packet: from edgerouter.ip.address[4500] to client.ip.address[62939] (532 bytes)
06[NET] sending packet: from edgerouter.ip.address[4500] to client.ip.address[62939] (532 bytes)
06[NET] sending packet: from edgerouter.ip.address[4500] to client.ip.address[62939] (388 bytes)
08[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (80 bytes)
08[ENC] parsed INFORMATIONAL request 2 [ D ]
08[IKE] received DELETE for ESP CHILD_SA with SPI aa230b1e
08[IKE] closing CHILD_SA split{2} with SPIs c1afb32a_i (335 bytes) aa230b1e_o (0 bytes) and TS 172.16.1.0/24 === 172.16.40.1/32
08[IKE] sending DELETE for ESP CHILD_SA with SPI c1afb32a
08[IKE] CHILD_SA closed
08[ENC] generating INFORMATIONAL response 2 [ D ]
08[NET] sending packet: from edgerouter.ip.address[4500] to client.ip.address[62939] (80 bytes)
13[NET] received packet: from client.ip.address[62939] to edgerouter.ip.address[4500] (80 bytes)
13[ENC] parsed INFORMATIONAL request 3 [ D ]
13[IKE] received DELETE for IKE_SA split[2]
13[IKE] deleting IKE_SA split[2] between edgerouter.ip.address[edgerouter.domain.name]...client.ip.address[[redacted]]
13[IKE] IKE_SA deleted
13[ENC] generating INFORMATIONAL response 3 [ ]
13[NET] sending packet: from edgerouter.ip.address[4500] to client.ip.address[62939] (80 bytes)
13[CFG] lease 172.16.40.1 by '[redacted]' went offline

 Windows route with IKEv2:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.12     50
     edgerouter.wan.ip  255.255.255.255      192.168.0.1     192.168.0.12     51
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.16.0.0      255.255.0.0         On-link       172.16.40.1     36
      172.16.40.1  255.255.255.255         On-link       172.16.40.1    291
   172.16.255.255  255.255.255.255         On-link       172.16.40.1    291
      192.168.0.0    255.255.255.0         On-link      192.168.0.12    306
     192.168.0.12  255.255.255.255         On-link      192.168.0.12    306
    192.168.0.255  255.255.255.255         On-link      192.168.0.12    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.0.12    306
        224.0.0.0        240.0.0.0         On-link       172.16.40.1    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.0.12    306
  255.255.255.255  255.255.255.255         On-link       172.16.40.1    291
===========================================================================

Edge Router POE 5 and Xfinity using a Motorola SB8600 Docsis 3.1. 

Hi all, I have a Edgerouter POE 5 and it was set by a third party and i cannot access the online gui

(following the instruction and setup the nic card) so it appears i have to do a reset.

Q) Once I reset the Edge router, how hard is it to get it up and running with Xfinity and SB8600?

Q) Do i have the modem MB8600 do the DHCP and QOS or do I have Edge router do it?

Q) I have gig service with Xfinity but have heard some respots the Edge router doesnt get the speeds

it should (1000 mbps down and 35 up)? Is this a known deal?

Q) The modem SB8600 is also new to me (I had the XB6 technicolor version) but I like the idea and features of the SB8600. Since I do alot of VoIP, Audio Video live streaming I am hoping this will be an improvement.

I am a bit nervous to wipe the router and start over but no other choice since the third party had configured it so they could remotely manage the device and that basically locks me out.

I have downloaded the latest firmware for edgerouter in anticipation of  getting this working as expected

Anyone have thoughts or experience with this setup please let me know the gotchas and prereq before i move forward

Thanks

Hello all,

I've been tasked by my employer to diagnose the slow LAN speeds we're getting when using the EdgeRouter.  Here's the original description I was given:

Hi ,

I thought I'd bump this thread, as I'm currently running an EdgeRouter Pro 8 on 1.10.3. Since deploying it in production on Friday, July 6, it has rebooted twice, once on Friday morning and again today, Monday, July 9, in the morning.

The first occurrence I believed was a result of me having the Web UI open. However, I was not logged onto the Web UI during the second occurrence; rather, I was using UNMS instead.

Unfortunately, I don't have any logs to provide, as they are wiped when the router reboots. I just enabled coredumps, and will provide these to you when the router reboots itself again.

Did you have any insights regarding this? I know this was supposedly fixed in 1.10.x, but it appears a few of us are still having issues. Please let me know if there's any additonal information I can provide or logging I should configure.

Appoligies if this has been answered before. I've searched a number of different ways and haven't found an answer (that helps).

I have an ERL connected to a UVerse Pace 5268ac GW. I've configured IP Passthrough/DMZ+ for IPv4, which is working fine, however, IPv6 is being a huge pain.

It appears AT&T is giving a /60 out to the GW which then issues /64 addresses to clients connected directly to it. Both the GW GUI and ERL interfaces confirm this. I can use SLAAC to issue addresses to my LAN but there are issues. Clients from the LAN can get out just fine. However, "unsolicited" inbound connections have a couple issues. 

1.) The GW will block all inbound IPv6 traffic by default. I can get around this by adding a very permissive firewall rule.

2.) Since the GW issued the /64 through SLAAC, it is assuming all addresses within that scope are local, not routed. In bound connections cause an ARP request which get no response since the WAN interface is routed on the ERL.

I tried adding an RA on the WAN interface back to the GW. This actually worked, except the ERL then returns an ICMP no route to host. I tried adding an interface route back to the LAN, but this didn't work since the /64 is already on the WAN interface as a route. 

I'm out of ideas and would appreciate any thoughts... AT&T made this super dumb.

Hello again Community.

I just setup successfully PPTP Server on my UBNT. I'm using Local-Users mode.
VPN Clients are getting IP's from this range: 172.16.44.100-110

Production LAN is: 192.168.1.0/24

Tunel is UP, I have acces to LAN devices and i'm able to browse web but ... this Internet traffic is going over VPN tunel ... How I can exclude it ?

I found this post: https://community.ubnt.com/t5/EdgeRouter/Routing-internet-traffic-outside-PPTP-VPN/m-p/1498170#M100688

When I disabled above option, I'm able to establish VPN but then I don't have access to any LAN devices.

Please advise.

Waiting for your feedback.

Thank you in advance

Maciej

New Ubiquiti customer here, having a quetison about the follwoing scenario, maybe I'm missing the terminology, but couldn't find any solution for it: 

I would like to dedicate one SSID to about 5 clients and reserve 10Mb only for them. The Other SSID could use the remaining bandwidth. This way I want to make sure that the 5 clients have always a stable speed when connected to their SSID.

It would be easier to set up with two AP's and asign 2 ports with different bantwidths, but is it also possible with one AP?

About 20-30 clients in one room

1x AC AP PRO

1x EdgeRouter X, 5-Port

Internet connection: 20-40Mb download 4-8Mb upload

I hope it's clear, thank you for your feedback!

I have EdgeRouter X SFP v1.10.5 and Unifi Ap-AC Lite for Wireless.

My house is more than often facing the problem when there is a new device connected to Wifi, the entire house would drop internet connection for several minutes or until I restart the router, Unifi or disable/enable DHCP in EdgeRouter. At first, I thought it was the Android and Chromecast but then the same issues happen with our latest iPhone X connecting. For example, when my wife entering the garage, her iphone X would pick up the Wifi and the house would have no internet. Once she leaves the garage, within seconds, I have internet again. Each time, I have to restart router/wifi just to fix.

Now I am thinking it has something to do with DHCP!! 

 Below is my router setting

So I see some devices connected with DHCP from the router:

Well at the same time I also see "some" devices in the same range 192.168.1.x in the Unifi Wireless. Is that that problem???

Here is the rest of the Router configs:

Here is the rest of the Unifi AP AC Lite configs:

If I have to disable one DHCP, which one?

Any other advise? Thanks

It looks like BFD is not properly marking a static route inactive when the peer bfd session state is down on my ER-4

I found a post from two years ago that describes my problem.  The resolution on that post was that a bug was opened.  Has this really been an unsolved problem for two years? (Post here)

Here is the relevent config:

set protocols static bfd interface eth0 ipv4
set protocols static route 0.0.0.0/0 next-hop XXX.YYY.ZZZ.1 distance 1
set protocols static route 0.0.0.0/0 next-hop XXX.YYY.ZZZ.2 distance 10

set protocols bfd echo
set protocols bfd interface eth0 echo interval 10
set protocols bfd interface eth0 enable
set protocols bfd interface eth0 interval 50 minrx 50 multiplier 5
set protocols static bfd interface eth0 ipv4

In that config I have tried all the options, global BFD config, interface BFD config, and route specific BFD config.  None of them seem to work as expected.  I used an old 1.8.0 as a starting point for BFD config and worked with some of the options from there (LINK HERE)

The BFD peers on the other side of the interface are Cisco ASR-1002X routers.  It's not a BFD session problem.  I can get the session state to go up and down as often as I would like.  The problem I see is that when the session goes down on the ER-4 it doesn't "withdraw" the static route.

Below is show when the session is down and the route is still active in the FIB.  You can see that the BFD session to the .1 router is down, but the route table show .1 as the FIB route.

show bfd session
Sess-Idx   Remote-Disc  Lower-Layer  Sess-Type   Sess-State  UP-Time   Remote-Addr
1          4109         IPv4         Single-Hop  Down        00:00:00  XXX.YYY.ZZZ.1/32
2          4100         IPv4         Single-Hop  Up          00:30:08  XXX.YYY.ZZZ.2/32
Number of Sessions:    2

show ip route static
IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [1/0] via XXX.YYY.ZZZ.1, eth0
S       0.0.0.0/0 [10/0] via XXX.YYY.ZZZ.2, eth0

Hi All,

I have a customer with an edgerouter X running FW 1.10.5 with 2 Wans in a load balance setup with WAN 2 setup as failover only.

When I unblock WAN 2 one of the Vlans looses the abilitity to resolve addresses. It can still ping to an internet ip address ie 1.1.1.1 but cant resolve google.com. However the main Lan can still resolve domains.

Please note that while Wan 2 is enabled it is not active and is still in failover only mode.

Sugestions would be much apprecicated