Channel: EdgeRouter topics

Why is EdgeOS Complaining About DHCP Leases Not In Pool That Are in the Subnet?

Why is EdgeOS complaining with one of these lines:

Warning: leased IP address [##########] not in any of the pools

for every lease issued to a reservation that falls outside the dynamic pool (but is obviously within the subnet)?

It's a pretty common practice to define static reservations outside the dynamic pool.

I think this started when I switched the DHCP server from ISC to dnsmasq, but it's growing to be more of an annoyance as the list of static reservations increases for various reasons.


Unable to connect to the internet on VLANs

I just bought an EdgeRouter X and followed this guide: https://help.ubnt.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch0-with-Inter-VLAN-Firewall-Limiting

After completing the guide, the issue I am having is that any device that connects to the 10.0.10.X, 10.0.20.X, or 172.16.1.X network is unable to connect to the internet. Only the 192.168.1.X network is able to connect and display websites.

My configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            description ""
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "Drop traffic to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
        }
    }
    name LAN_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow client DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow client DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
                vlan {
                    pvid 1
                }
            }
            interface eth3 {
                vlan {
                    pvid 20
                }
            }
            interface eth4 {
                vlan {
                    pvid 1
                    vid 10
                }
            }
            vlan-aware enable
        }
        vif 1 {
            address 192.168.1.1/24
            mtu 1500
        }
        vif 10 {
            address 10.0.10.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 20 {
            address 10.0.20.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.11 {
                    stop 192.168.1.150
                }
                static-mapping unifi_ap_ac_pro {
                    ip-address 192.168.1.2
                    mac-address XX:XX:XX:XX:XX
                }
                unifi-controller 192.168.1.3
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 10.0.10.0/24 {
                default-router 10.0.10.1
                dns-server 10.0.20.11
                lease 86400
                start 10.0.10.11 {
                    stop 10.0.10.150
                }
            }
        }
        shared-network-name VLAN20 {
            authoritative disable
            subnet 10.0.20.0/24 {
                default-router 10.0.20.1
                dns-server 10.0.20.11
                lease 86400
                start 10.0.20.11 {
                    stop 10.0.20.150
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0.1
            listen-on switch0.10
            listen-on switch0.20
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

NAT translation for a server with two routers

My setup is a Ubiquiti EdgeRouter. I have the WAN on port 0 with a static IP. I have four addresses assigned statically to PowerBeams (one AP and one remote station for each of two locations). On port one I have a PowerBeam that is set up as an access point going to a remote location. On the other port is another PowerBeam set up as an AP going to another location. I have them set up in bridge mode, and I have a router at each separate location to do the local networking. At each separate location is a server for cameras. Everything is working fine except I am not able to view the cameras from the outside network. My local network for location A is 192.168.10.1, location B is 192.168.20.1. From what I've gathered I need to set up NAT but I'm not sure how to do it. Any help would be appreciated. My web server is 192.168.10.100

and 192.168.20.100

Connection Reset rapidly from ERP-8 Load Balancing 5 WAN

I have 5 routers connected to the internet and I use an ERP-8 to create load balancing across these 5 internet connections together.

Every client gets the problem "The connection was reset" rapidly in Google Chrome or any other browser. But when I disable all the other 4 ports the problem is solved.

How can I fix this problem?

AP with guest network

Hi, I need some help to find the best way to create a guest network isolated from my home network.

This is the map of my current network. As you can see I have an ER-X acting as a router.
I was thinking about creating a VLAN on the ports I know I will use for my home network and a VLAN on the ports I know will be used for the guest network.
In this map there is a future change in the network, but it should not be a problem.
At the moment, if someone on the guest network sets a custom IP address on his device, he will be able to access all of my home network (and this is not good).

[image: ReteCasa.jpg]

Can you help me with which configuration is needed on the ER-X and the AirCube AC?
Thank you

DNS no longer working after enabling local ruleset

Hi,

I have had DNS forwarding working properly for a while. Today I added a ruleset to lock down communication towards the ER itself (so that SSH and the GUI are not publicly available). After that, DNS forwarding stopped working.

I have added a rule to accept NTP & DNS traffic TO the router (from local devices to the router) and FROM the router (from the ER to the internet). Unfortunately it's still not working.

WAN_local:

name WAN_Telenet_LOCAL {
    default-action drop
    description ""
    rule 10 {
        action accept
        description "OpenVPN 4444"
        destination {
            port 4444
        }
        log disable
        protocol udp
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
    rule 20 {
        action accept
        description "OpenVPN 1197"
        destination {
            port 1197
        }
        log disable
        protocol udp
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
    rule 30 {
        action accept
        description "OpenVPN 11941"
        destination {
            port 11941
        }
        log disable
        protocol udp
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
    rule 40 {
        action accept
        description "Allow firewall ping"
        log disable
        protocol icmp
    }
    rule 41 {
        action accept
        description "Allow DNS & NTP traffic FROM router "
        log disable
        protocol tcp_udp
        source {
            port 53,ntp
        }
    }
    rule 44 {
        action drop
        description "Block SSH"
        destination {
            port 22
        }
        log disable
        protocol tcp
    }
    rule 45 {
        action accept
        description "Allow DNS & NTP traffic TO router "
        destination {
            port 53,ntp
        }
        log disable
        protocol tcp_udp
        source {
        }
    }
}

Out:

name WAN_Telenet_OUT {
    default-action accept
    description ""
}

DNS forwarding:

dns {
    forwarding {
        cache-size 150
        listen-on eth2
        listen-on eth2.100
        listen-on vtun0
        listen-on vtun1
        listen-on vtun4
        name-server 8.8.8.8
        name-server 8.8.4.4
        system
    }
}

Interface:

interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN - Telenet"
        duplex auto
        firewall {
            in {
                name WAN_Telenet_IN
            }
            local {
                name WAN_Telenet_LOCAL
            }
            out {
                name WAN_Telenet_OUT
            }
        }
        poe {
            output off
        }
        speed auto
    }

Any ideas?

Thanks!
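An added example, not code from any of the posts on this page: a small Python model of how EdgeOS evaluates a firewall ruleset (the lowest-numbered matching rule wins, otherwise the default-action applies), loaded with two rulesets posted on this page so they can be exercised against concrete flows before they are committed. For the VLAN question earlier on this page it shows that a VLAN10 client sending a query to the dns-server it was handed, 10.0.20.11, is dropped by LAN_IN rule 1 because the destination falls inside PRIVATE_NETS, while a query to the router's own address passes LAN_LOCAL rule 2 and a query to 8.8.8.8 is forwarded; that same drop is what keeps a guest who hand-sets an address on a separate VLAN from reaching another VLAN, which is the guest-network question's concern. For the DNS-forwarding question just above it shows that rule 41 matches on the source port, so a new TCP connection to port 22 sent from source port 53 is accepted by rule 41 before the SSH drop at rule 44 is reached; it also shows that replies from 8.8.8.8 to the router's own queries match rule 41 in this model, so the model alone does not explain the forwarding failure. The WAN_LOCAL_STATEFUL ruleset is my suggested alternative (connection-tracking state instead of a source-port match) and is not part of the post; the addresses 203.0.113.9, 198.51.100.1 and 10.0.10.50 are assumed placeholders.

```python
"""Added example, not code from any post on this page: a model of EdgeOS/Vyatta
firewall evaluation (first matching rule by number wins, else default-action)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    number: int
    action: str                                     # "accept" or "drop"
    protocol: str = "all"                           # all, tcp, udp, tcp_udp, icmp
    dst_nets: list = field(default_factory=list)    # destination network-group members
    dst_ports: set = field(default_factory=set)
    src_ports: set = field(default_factory=set)
    states: set = field(default_factory=set)        # empty = no state match (any state)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int = 0
    sport: int = 0
    state: str = "new"      # conntrack state as the kernel would have classified it


def _proto_ok(rule_proto, pkt_proto):
    return rule_proto in ("all", pkt_proto) or (
        rule_proto == "tcp_udp" and pkt_proto in ("tcp", "udp"))


def matches(rule, pkt):
    """Every configured criterion of the rule must hold; unset criteria match anything."""
    if not _proto_ok(rule.protocol, pkt.protocol):
        return False
    if rule.dst_nets and not any(
            ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(n) for n in rule.dst_nets):
        return False
    if rule.dst_ports and pkt.dport not in rule.dst_ports:
        return False
    if rule.src_ports and pkt.sport not in rule.src_ports:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def verdict(rules, default_action, pkt):
    """Rules are tried in ascending number; the first match decides, else default-action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return default_action, None


PRIVATE_NETS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# LAN_IN (default accept) and LAN_LOCAL (default drop) as posted in the VLAN question.
LAN_IN = [Rule(1, "drop", "all", dst_nets=PRIVATE_NETS)]
LAN_LOCAL = [Rule(1, "accept", "udp", dst_ports={67}),
             Rule(2, "accept", "tcp_udp", dst_ports={53})]

# WAN_Telenet_LOCAL (default drop) as posted in the DNS-forwarding question.
VPN_STATES = {"established", "new", "related"}
WAN_LOCAL_POSTED = [
    Rule(10, "accept", "udp", dst_ports={4444}, states=VPN_STATES),
    Rule(20, "accept", "udp", dst_ports={1197}, states=VPN_STATES),
    Rule(30, "accept", "udp", dst_ports={11941}, states=VPN_STATES),
    Rule(40, "accept", "icmp"),
    Rule(41, "accept", "tcp_udp", src_ports={53, 123}),  # "FROM router": a *source*-port match
    Rule(44, "drop", "tcp", dst_ports={22}),
    Rule(45, "accept", "tcp_udp", dst_ports={53, 123}),
]

# Suggested alternative (mine, not from the post): let conntrack admit replies to the
# router's own DNS/NTP queries instead of trusting whatever source port the peer chose.
WAN_LOCAL_STATEFUL = [
    Rule(10, "accept", "all", states={"established", "related"}),
    Rule(20, "drop", "all", states={"invalid"}),
    Rule(30, "accept", "udp", dst_ports={4444, 1197, 11941}),
    Rule(40, "accept", "icmp"),
]


def vlan_client_dns(client_ip, client_subnet, router_ip, dns_ip):
    """Fate of a VLAN client's DNS query. Same-subnet traffic is switched inside the
    VLAN and never reaches the router's rulesets at all."""
    pkt = Packet(client_ip, dns_ip, "udp", dport=53)
    if dns_ip == router_ip:
        return verdict(LAN_LOCAL, "drop", pkt)[0]
    if ipaddress.ip_address(dns_ip) in ipaddress.ip_network(client_subnet):
        return "switched"
    return verdict(LAN_IN, "accept", pkt)[0]


def ssh_from_internet(rules, sport):
    """A new TCP connection to the router's SSH port from an internet host (placeholder IPs)."""
    pkt = Packet("203.0.113.9", "198.51.100.1", "tcp", dport=22, sport=sport)
    return verdict(rules, "drop", pkt)


def dns_reply_to_router(rules):
    """A reply from 8.8.8.8 to a query the router sent itself (conntrack: established)."""
    pkt = Packet("8.8.8.8", "198.51.100.1", "udp", dport=40000, sport=53, state="established")
    return verdict(rules, "drop", pkt)


if __name__ == "__main__":
    print(vlan_client_dns("10.0.10.50", "10.0.10.0/24", "10.0.10.1", "10.0.20.11"))
    print(ssh_from_internet(WAN_LOCAL_POSTED, 40000), ssh_from_internet(WAN_LOCAL_POSTED, 53))
    print(ssh_from_internet(WAN_LOCAL_STATEFUL, 53), dns_reply_to_router(WAN_LOCAL_STATEFUL))
```

The model takes the conntrack state as an input rather than computing it; on the router the kernel assigns it, which is exactly why a state match is a stronger guard than a source-port match: a remote host can choose its source port freely, but cannot make an unsolicited packet "established".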

DHCP renew not working with Netgear LB1110 in bridge mode

I have set up a temporary network using a Netgear LB1110 LTE modem in bridge mode.
My problem is that the connection is dropped and the DHCP renewal is not working, so the network loses its connection to the Internet.
I need to power-cycle the LB1110 to get access again.

I'm not sure it's the EdgeRouter, but nevertheless I need help with troubleshooting. Is it the EdgeRouter, the LB1110 or the LTE mobile data connection causing the problems?

I can see that I get a lease for 30 hours...

ubnt@gw-internet:~$ show dhcp client leases
interface  : eth2
ip address : XX.YYY.39.96       [Active]
subnet mask: 255.255.255.255
router     : XX.YYY.39.1
name server: XX.YYY.39.1
dhcp server: XX.YYY.39.1
lease time : 108000
last update: Tue Jul 10 11:19:37 CEST 2018
expiry     : Wed Jul 11 17:19:36 CEST 2018
reason     : BOUND

I'm using eth2 as the Internet interface.

Here's the log from the EdgeRouter:

Jul 8 00:11:01 gw-internet kernel: eth2: Link down
Jul 8 00:11:01 gw-internet dhclient: send_packet: Network is unreachable
Jul 8 00:11:01 gw-internet dhclient: send_packet: please consult README file regarding broadcast address.
Jul 8 00:11:01 gw-internet dhclient: dhclient.c:2257: Failed to send 300 byte long packet over fallback interface.
Jul 8 00:11:02 gw-internet ntpd[7791]: ntpd exiting on signal 15
Jul 8 00:11:04 gw-internet ntpd[26972]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 8 00:11:04 gw-internet ntpd[26973]: proto: precision = 0.525 usec
Jul 8 00:11:05 gw-internet kernel: eth2: 1000 Mbps Full duplex, port 3
Jul 8 00:11:06 gw-internet ntpd_intres[26974]: host name not found: 0.dk.pool.ntp.org
Jul 8 00:11:06 gw-internet ntpd_intres[26974]: host name not found: 1.dk.pool.ntp.org
Jul 8 00:11:09 gw-internet ntpd[26973]: ntpd exiting on signal 15
Jul 8 00:11:11 gw-internet ntpd[27106]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 8 00:11:11 gw-internet ntpd[27107]: proto: precision = 0.531 usec
Jul 8 00:22:57 gw-internet kernel: eth2: Link down
Jul 8 00:22:57 gw-internet dhclient: send_packet: Network is unreachable
Jul 8 00:22:57 gw-internet dhclient: send_packet: please consult README file regarding broadcast address.
Jul 8 00:22:57 gw-internet dhclient: dhclient.c:2257: Failed to send 300 byte long packet over fallback interface.
Jul 8 00:22:58 gw-internet ntpd[27107]: ntpd exiting on signal 15
Jul 8 00:23:00 gw-internet ntpd[28054]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 8 00:23:00 gw-internet ntpd[28055]: proto: precision = 0.531 usec
Jul 8 00:23:01 gw-internet kernel: eth2: 1000 Mbps Full duplex, port 3
Jul 8 00:23:02 gw-internet ntpd_intres[28056]: host name not found: 0.dk.pool.ntp.org
Jul 8 00:23:02 gw-internet ntpd_intres[28056]: host name not found: 1.dk.pool.ntp.org
Jul 8 00:23:05 gw-internet ntpd[28055]: ntpd exiting on signal 15
Jul 8 00:23:07 gw-internet ntpd[28199]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 8 00:23:07 gw-internet ntpd[28200]: proto: precision = 0.531 usec
Jul 9 00:02:20 gw-internet kernel: eth2: Link down
Jul 9 00:02:20 gw-internet dhclient: send_packet: Network is unreachable
Jul 9 00:02:20 gw-internet dhclient: send_packet: please consult README file regarding broadcast address.
Jul 9 00:02:20 gw-internet dhclient: dhclient.c:2257: Failed to send 300 byte long packet over fallback interface.
Jul 9 00:02:21 gw-internet ntpd[28200]: ntpd exiting on signal 15
Jul 9 00:02:23 gw-internet ntpd[6027]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 9 00:02:23 gw-internet ntpd[6028]: proto: precision = 0.525 usec
Jul 9 00:02:24 gw-internet kernel: eth2: 1000 Mbps Full duplex, port 3
Jul 9 00:02:25 gw-internet ntpd_intres[6029]: host name not found: 0.dk.pool.ntp.org
Jul 9 00:02:25 gw-internet ntpd_intres[6029]: host name not found: 1.dk.pool.ntp.org
Jul 9 00:02:28 gw-internet ntpd[6028]: ntpd exiting on signal 15
Jul 9 00:02:30 gw-internet ntpd[6171]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 9 00:02:30 gw-internet ntpd[6172]: proto: precision = 0.531 usec
Jul 9 00:14:12 gw-internet kernel: eth2: Link down
Jul 9 00:14:12 gw-internet dhclient: send_packet: Network is unreachable
Jul 9 00:14:12 gw-internet dhclient: send_packet: please consult README file regarding broadcast address.
Jul 9 00:14:12 gw-internet dhclient: dhclient.c:2257: Failed to send 300 byte long packet over fallback interface.
Jul 9 00:14:13 gw-internet ntpd[6172]: ntpd exiting on signal 15
Jul 9 00:14:15 gw-internet ntpd[7144]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 9 00:14:15 gw-internet ntpd[7145]: proto: precision = 0.525 usec
Jul 9 00:14:17 gw-internet kernel: eth2: 1000 Mbps Full duplex, port 3
Jul 9 00:14:17 gw-internet ntpd_intres[7146]: host name not found: 0.dk.pool.ntp.org
Jul 9 00:14:17 gw-internet ntpd_intres[7146]: host name not found: 1.dk.pool.ntp.org
Jul 9 00:14:21 gw-internet ntpd[7145]: ntpd exiting on signal 15
Jul 9 00:14:23 gw-internet ntpd[7276]: ntpd 4.2.6p2@1.2194-o Fri Jun 22 15:05:27 UTC 2018 (1)
Jul 9 00:14:23 gw-internet ntpd[7277]: proto: precision = 0.531 usec
Jul 9 12:21:09 gw-internet kernel: eth2: Link down


If I renew from the router interface, everything works again. It's like the EdgeRouter is not automatically renewing the IP address.

Any help is appreciated. It should just work; I don't like solutions like turn off/on clock etc.
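
The log above shows the same pattern at every event: eth2 goes down, dhclient fails to transmit while the link is gone, the link comes back a few seconds later, and no new lease is ever bound. The script below is an added example (it is not from the post and not EdgeOS code) that groups each link-down event with what follows it and flags events after which dhclient did not re-bind. The sample log is constructed: the first two events are copied from the post, and the final "bound to" line is an assumed ISC dhclient message added so that one event shows a successful re-bind and one does not. The 300-second re-bind window and the year 2018 are assumptions.

```python
"""Correlate eth2 link-down events with dhclient activity in an EdgeOS syslog.

Added example (not from the original post, not EdgeOS code). It groups each
"Link down" event with the lines that follow it and flags events after which
dhclient never reported a re-bound lease.
"""
import re
from datetime import datetime

# syslog line: "<Mon> <d> <HH:MM:SS> <host> <program>[pid]: <message>"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$"
)

# Constructed sample: the first two events are copied from the post; the
# final "bound to" line is an assumed ISC dhclient message added so that
# one event shows a successful re-bind and one does not.
SAMPLE_LOG = """\
Jul 8 00:11:01 gw-internet kernel: eth2: Link down
Jul 8 00:11:01 gw-internet dhclient: send_packet: Network is unreachable
Jul 8 00:11:01 gw-internet dhclient: send_packet: please consult README file regarding broadcast address.
Jul 8 00:11:01 gw-internet dhclient: dhclient.c:2257: Failed to send 300 byte long packet over fallback interface.
Jul 8 00:11:05 gw-internet kernel: eth2: 1000 Mbps Full duplex, port 3
Jul 8 00:22:57 gw-internet kernel: eth2: Link down
Jul 8 00:22:57 gw-internet dhclient: send_packet: Network is unreachable
Jul 8 00:23:01 gw-internet kernel: eth2: 1000 Mbps Full duplex, port 3
Jul 8 00:23:40 gw-internet dhclient: bound to XX.YYY.39.96 -- renewal in 54000 seconds.
"""


def parse_line(line, year=2018):
    """Split one syslog line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    # syslog omits the year; it is supplied by the caller (assumed 2018 here)
    when = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": when, "host": host, "prog": prog, "msg": msg}


def analyse(log_text, iface="eth2", rebind_window_s=300):
    """Return one record per link-down event on iface.

    Each record carries the time the link came back, how many dhclient
    send failures occurred while it was gone, and the time of the next
    dhclient "bound to" message if one arrived within rebind_window_s.
    """
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    down_msg = f"{iface}: Link down"
    events = []
    for i, rec in enumerate(records):
        if not (rec["prog"] == "kernel" and rec["msg"] == down_msg):
            continue
        ev = {"down": rec["ts"], "up": None, "send_failures": 0, "rebound": None}
        for later in records[i + 1:]:
            if later["prog"] == "kernel" and later["msg"] == down_msg:
                break  # next flap starts; stop attributing lines to this one
            if later["prog"] == "kernel" and later["msg"].startswith(f"{iface}: "):
                if ev["up"] is None:
                    ev["up"] = later["ts"]  # first link message after the drop
            elif later["prog"] == "dhclient":
                if "send_packet" in later["msg"]:
                    ev["send_failures"] += 1
                elif later["msg"].startswith("bound to") and ev["rebound"] is None:
                    if (later["ts"] - rec["ts"]).total_seconds() <= rebind_window_s:
                        ev["rebound"] = later["ts"]
        events.append(ev)
    return events


def flaps_without_rebind(events):
    """Events where the link returned but dhclient never re-bound a lease."""
    return [ev for ev in events if ev["up"] is not None and ev["rebound"] is None]


if __name__ == "__main__":
    for ev in analyse(SAMPLE_LOG):
        outage = (ev["up"] - ev["down"]).total_seconds() if ev["up"] else None
        print(f"down {ev['down']:%b %d %H:%M:%S}  link back after {outage}s  "
              f"dhclient send failures {ev['send_failures']}  "
              f"rebound {'yes' if ev['rebound'] else 'NO'}")
```

Feeding the full `show log` output into `analyse()` separates the two questions in the post: whether the link on eth2 is being dropped by the LB1110 (the kernel "Link down" lines) and whether dhclient recovers afterwards (a "bound to" line within the window). In the log quoted above, every event would be reported with no re-bind, which matches the observation that a manual renew from the router is needed.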

ER-X SFP / Windows Server 2016 VPN RRaS

Hello friends,

I have been trying for some time to configure the network for VPN on Windows Server 2016, but sometimes it's working, sometimes not. Below are attachments with screenshots of my network and current configuration. Can you tell me if the setup is correct, or if it needs updates/changes?

Network devices:

TPLINK MR200 (for LTE internet)
EdgeRouter ER-X SFP
UAP-AC-PRO
UAP-AC-LR

Config:

Attached screenshots:

  • 01-network_diagram (NETWORK_SETUP)
  • 02-erx_config_dhcp (ERX_DHCP)
  • 02-erx_config_fw_wan_in (ERX_FW_WAN_IN)
  • 02-erx_config_fw_wan_local (ERX_FW_WAN_LOCAL)
  • 02-erx_config_nat (ERX_NAT)
  • 02-erx_config_pf (ERX_PF)
  • 02-erx_config_routing (ERX_ROUTING)
  • 03-mr200_config (TPL_MR200_NAT)

Dual WAN (eth + pppoe) + IPSEC + OSPF w/ many routes breaks ubnt-add-connected.pl script

Hey Folks

we have set up a router in the following scenario on our EdgeRouter-4:

  • Dual WAN (eth0 via Cable Router and eth1/pppoe0 via VDSL modem - both public static IPs)
  • Failover with primary usage of the cable line
  • Dual IPSEC tunnels to different remote gateways (each remote gateway is bound to one connection with static routes)
  • IPSEC is configured with GRE tunnel interfaces on top with OSPF on top of that
  • several internal subnets (eth2) which reach other internal systems via IPSEC but forward all other traffic directly through the local internet connections

Every once in a while the internal subnets are offline because traffic reaches the EdgeRouter via VPN but gets then forwarded to the internet instead of the eth2 (or its vlan sub interfaces).

What we have observed: at some point, all "connected" routes vanish from the additional routing tables 201/202 and therefore all traffic is routed via the default route directly to the internet.

From what I have learned, the router triggers the script /usr/sbin/ubnt-add-connected.pl periodically - this script fails in our scenario:

/usr/sbin/ubnt-add-connected.pl
Error no prefix found

I took a look at the code and it calls vtysh to get a list of routes:

vtysh -c "show ip route json"

In our scenario, this returns a list of prefix objects (in that case a lot, because it lists all the internal OSPF routes received via IPSEC). However, it also contains an additional list item, which fails the script's sanity check (as there is no 'pfx' item):

[...]

   {
      "pfx" : "1.2.3.0/30",
      "nh" : [
         {
            "up" : "00:10:23",
            "via" : "10.0.0.2",
            "intf" : "tun1",
            "metric" : "110/2010",
            "t" : "O>*"
         }
      ]
   },
   {
      "pfx" : "1.2.4.0/30",
      "nh" : [
         {
            "t" : "O>*",
            "metric" : "110/2010",
            "intf" : "tun1",
            "via" : "10.0.0.2",
            "up" : "00:10:23"
         }
      ]
   },
   {
      "too_many_routes" : "1"
   }
]

It seems to be related to this part of the code:

    foreach my $r (@routes) {
        my $pfx = $r->{pfx};
        if (!defined $pfx) {
            print "Error no prefix found\n";
            exit 1;
        }

Does anyone know a sensible quick fix for this?

For completeness, this is our current config and we are running 1.10.5 as of today:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group Other-Workstations-Nets {
            network 1.2.3.128/25
            network 4.5.6.0/23
        }
        network-group Our-Prefixes {
            description "All of our public Networks"
            network 1.2.0.0/20
            network 4.5.6.0/20
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify WAN_POLICY {
        rule 10 {
            action modify
            destination {
                group {
                    network-group !Our-Prefixes
                }
            }
            modify {
                lb-group WAN_FAILOVER
            }
        }
        rule 20 {
            action modify
            destination {
                group {
                    network-group Our-Prefixes
                }
            }
            modify {
                lb-group WAN_FAILOVER
            }
            source {
                address 192.168.0.0/24
            }
        }
    }
    name VPN_IN {
        default-action drop
        description "VPN to local workstation network"
        rule 05 {
            action accept
            description "Allow OSPF on GRE tunnel"
            protocol ospf
        }
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow Traffic from other Workstation networks"
            source {
                group {
                    network-group Other-Workstations-Nets
                }
            }
        }
        rule 40 {
            action accept
            description "Allow incoming ICMP via tunnel"
            protocol icmp
        }
    }
    name VPN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 05 {
            action accept
            description "Allow OSPF on tunnel interface"
            protocol ospf
        }
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow Management SSH access"
            destination {
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group Other-Workstations-Nets
                }
            }
        }
        rule 40 {
            action accept
            description "Allow incoming ICMP via tunnel"
            protocol icmp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow Management SSH access"
            destination {
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group Other-Workstations-Nets
                }
            }
        }
        rule 40 {
            action accept
            description "Allow sipgate VPN"
            source {
                address 1.2.0.10
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 7.7.5.6/30
        description Cable-Connection
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description VDSL-Connection
        duplex auto
        speed auto
        vif 7 {
            description VDSL-Vlan
            pppoe 0 {
                default-route none
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server none
                password SECRET
                user-id SECRET@SECRET.COM
            }
        }
    }
    ethernet eth2 {
        address 192.168.1.1/24
        description LAN
        duplex auto
        speed auto
        vif 100 {
            address 1.2.5.129/25
            description Workstations
            firewall {
                in {
                    modify WAN_POLICY
                }
            }
        }
        vif 408 {
            address 192.168.0.1/24
            description Guests
            firewall {
                in {
                    modify WAN_POLICY
                }
            }
        }
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
        address 1.2.0.5/32
    }
    tunnel tun0 {
        address 10.0.0.2/30
        encapsulation gre
        firewall {
            in {
                name VPN_IN
            }
            local {
                name VPN_LOCAL
            }
        }
        ip {
            ospf {
                cost 10
                dead-interval 4
                hello-interval 1
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 7.7.5.5
        mtu 1300
        multicast disable
        remote-ip 1.2.0.11
        ttl 255
    }
    tunnel tun1 {
        address 10.0.0.6/30
        encapsulation gre
        firewall {
            in {
                name VPN_IN
            }
            local {
                name VPN_LOCAL
            }
        }
        ip {
            ospf {
                cost 1000
                dead-interval 4
                hello-interval 1
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 8.8.9.9
        mtu 1300
        multicast disable
        remote-ip 1.2.0.10
        ttl 255
    }
}
load-balance {
    group WAN_FAILOVER {
        interface eth0 {
        }
        interface pppoe0 {
            failover-only
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            network 10.0.0.0/30
            network 10.0.0.4/30
        }
        area 0.0.0.12 {
            network 1.2.5.128/25
            network 192.168.1.0/24
            network 11.2.0.5/32
        }
        parameters {
            abr-type standard
            router-id 11.2.0.5
        }
        passive-interface eth2.100
        passive-interface eth2
        passive-interface eth2.408
        passive-interface lo
    }
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface pppoe0 {
            }
        }
        interface-route 1.2.0.10/32 {
            next-hop-interface pppoe0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 7.7.5.5 {
            }
        }
        route 1.2.0.11/32 {
            next-hop 7.7.5.5 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest-WLAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                domain-name localdomain.com
                lease 86400
                start 192.168.0.2 {
                    stop 192.168.0.254
                }
            }
        }
        shared-network-name Management {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name localdomain.com
                lease 86400
                start 192.168.1.5 {
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name Workstations {
            authoritative enable
            subnet 1.2.5.128/25 {
                default-router 1.2.5.129
                dns-server 1.2.5.129
                domain-name localdomain.com
                lease 86400
                start 1.2.5.131 {
                    stop 1.2.5.254
                }
            }
        }
        static-arp enable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth2
            listen-on eth2.408
            listen-on eth2.100
        }
    }
    nat {
        rule 5001 {
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name localdomain.com
    host-name router-office
    login {
        user admin {
            authentication {
                encrypted-password SECRET
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Berlin
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group office-provider-1-esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group office-provider-2-esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group office-provider-1-ike {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes256
                hash sha1
            }
        }
        ike-group office-provider-2-ike {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes256
                hash sha1
            }
        }
        site-to-site {
            peer 1.2.0.11 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret SECRET
                }
                connection-type initiate
                default-esp-group office-provider-2-esp
                ike-group office-provider-2-ike
                ikev2-reauth inherit
                local-address 7.7.5.6
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    protocol gre
                }
            }
            peer 1.2.0.10 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret SECRET
                }
                connection-type initiate
                default-esp-group office-provider-1-esp
                ike-group office-provider-1-ike
                ikev2-reauth inherit
                local-address 8.8.9.9
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    protocol gre
                }
            }
        }
    }
}
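
The failure described in this post has a security-relevant consequence: once the connected routes are gone from tables 201/202, traffic that should stay on eth2 falls through to the default route and leaves via the Internet. The script below is an added example, not EdgeOS code and not the ubnt-add-connected.pl script itself. It parses the same `vtysh -c "show ip route json"` output tolerantly, treating a list item without a "pfx" key as a marker rather than a fatal error, records that the listing was truncated, and extracts only the connected prefixes. The sample JSON is constructed from the fragment in the post; the "C>*" type code on the connected entries follows Quagga's route-code convention (C = connected, > = selected, * = installed), the other field values are assumed, and the `ip route replace ... table N` command shape is assumed rather than taken from the EdgeOS script.

```python
"""Tolerant handling of `vtysh -c "show ip route json"` output.

Added example, not EdgeOS code. The excerpt quoted in the post aborts on
any list item without a "pfx" key, so the trailing {"too_many_routes": "1"}
marker stops every connected route from being re-added to the policy
routing tables. This version skips marker objects, reports truncation, and
extracts only the connected prefixes.
"""
import json

# Constructed sample modelled on the fragment in the post. Field values on
# the connected entries are assumed; "C>*" follows Quagga's route codes.
SAMPLE_ROUTE_JSON = """
[
   {
      "pfx" : "192.168.1.0/24",
      "nh" : [
         { "up" : "3d02h", "via" : "", "intf" : "eth2", "metric" : "0/0", "t" : "C>*" }
      ]
   },
   {
      "pfx" : "1.2.5.128/25",
      "nh" : [
         { "up" : "3d02h", "via" : "", "intf" : "eth2.100", "metric" : "0/0", "t" : "C>*" }
      ]
   },
   {
      "pfx" : "1.2.3.0/30",
      "nh" : [
         { "up" : "00:10:23", "via" : "10.0.0.2", "intf" : "tun1", "metric" : "110/2010", "t" : "O>*" }
      ]
   },
   {
      "too_many_routes" : "1"
   }
]
"""


def parse_routes(text):
    """Return (routes, truncated).

    routes is a list of (prefix, next_hops). Any list item without a "pfx"
    key is treated as a marker object, not as a reason to abort.
    """
    routes = []
    truncated = False
    for item in json.loads(text):
        pfx = item.get("pfx")
        if pfx is None:
            if str(item.get("too_many_routes", "0")) == "1":
                truncated = True
            continue  # skip marker / unknown objects instead of exit 1
        routes.append((pfx, item.get("nh", [])))
    return routes, truncated


def connected_routes(routes):
    """Prefixes whose selected, installed next hop is a connected interface."""
    found = []
    for pfx, next_hops in routes:
        for nh in next_hops:
            code = nh.get("t", "")
            if code.startswith("C") and "*" in code:
                found.append((pfx, nh.get("intf")))
                break
    return found


def table_commands(connected, tables=(201, 202)):
    """Build `ip route replace` commands that re-add each connected prefix to
    the policy tables. The command shape is assumed, not taken from EdgeOS."""
    cmds = []
    for table in tables:
        for pfx, intf in connected:
            cmds.append(f"ip route replace {pfx} dev {intf} table {table}")
    return cmds


if __name__ == "__main__":
    routes, truncated = parse_routes(SAMPLE_ROUTE_JSON)
    conn = connected_routes(routes)
    if truncated:
        print("warning: vtysh truncated the listing; connected routes may be incomplete")
    for cmd in table_commands(conn):
        print(cmd)
```

One caveat worth keeping in mind: when vtysh reports `too_many_routes`, the connected entries themselves may be among the ones it left out, so skipping the marker only avoids the crash. A more robust repopulation would take the connected prefixes from the interface addresses directly rather than from the routing-table listing.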

EdgeRouter X question

I currently have a very generic setup with a single provider based router/modem fibre setup. I've started introducing a few IOT devices and already have a host of others (laptops, games consoles, phones etc.) and I am looking to segment the network. I have decided the edge router x may be my best choice, would any of you advise differently?

I would ideally be looking to leave my current router/modem in place to provide Wi-Fi and use the EdgeRouter to segregate my IoT devices on a VLAN. It has been a long time since I've worked with managed switches and VLANs etc., but I'm fairly confident I'll pick it up again when I get started. My main question would be: as my current generic router/modem will be providing Wi-Fi for now (I may introduce APs later) and my IoT devices are wirelessly connected, will I be able to VLAN them in the way I need to keep them separate?

WAN Load Balancing by destination IP

Hello ER Community, I am new to EdgeRouters. I own an ER-X model which is connected to two WAN connections with load balancing. While I want the load balancing to function as it is, I would also like all outbound traffic to a specific IP to be routed via only one of the WANs. Can anyone from the gurus here help? Much obliged.

Things that break offload - is there a list?

Is there a definitive list somewhere of things that will disable, break or otherwise prevent offloading on Ubiquiti EdgeRouters?

Thank you.

Network Icon indicates limited connectivity

Hey,

For a few weeks, I've been having a weird issue.

I'm running ERLite3 and have 2 systems (w10/w2016) hooked up via unifi switch.

I have normal connectivity via wired and Wi-Fi (UniFi) and am able to max out my line (200 Mbps).

However, I get the little "!" on my network icon on both of my boxes and Windows reports that I have no connectivity.

I have nothing fancy... 1 computer is via DHCP and the other using static IP (with several vms).

I've tried to reset my network and upgraded to 1.10.5 firmware but to no avail.

Please assist me :)

Thanks!

EDGE ROUTER POE

Hi. I need help hooking up the EdgeRouter PoE.

Which port does the modem connect to?

I want to have everything under one network. But I think eth1 is 192.168.1.1 whereas eth2 onwards is 192.168.2.1.

I have 2 unifi AP to connect via POE.

Also 8 IP cameras that will need an additional POE switch.

Sorry, I'm not very tech savvy. I was given this gear and my friend helped set it up.

Please advise on how to configure. Thanks.

TCPdump to catch SMB auth packets

Is it possible to run tcpdump on switch0 on an ER-X to catch SMB authentication packets between two hosts?

I have an issue that may be related to Symantec Endpoint Firewall preventing two computers from sharing files over SMB, and I wanted to use an ER-X to troubleshoot.

However, I don't seem to catch any packets when running TCPdump on switch0 when monitoring on the SMB port.

CLI configure command asking password

Hello!

When I type the "configure" command on my ERLite, the system starts asking for a password. The current user's password and the default password "ubnt" do not work. It happened right after I upgraded the firmware from 1.10.3 to 1.10.5. HTTP(S) access works just fine; I can change parameters in the config tree.

Can someone help me with this?

Thank you.

Cannot see other windows machines after upgrading to edge router x

So I recently ditched my old asus combo router/wifi and went to unifi ap and an edge router x.  While I am trying to learn I am still fairly noobish with networking protocols.  The problem I have is now none of my windows machines can see each other via the network explorer tab.  I can still see various devices and printers but not any of the computers.  I also cannot remote desktop or map any network drives by the computer names.  I can still access them via IP address but not their names.  They are all in the same workgroup.

When I set up the router I did the WAN+2LAN wizard. WAN is currently coming into eth0 and LAN is eth1, which goes to a switch which then connects to everything else. Is there a config or service I need to implement to get Windows machines to see each other by name/workgroup?

EdgeRouter and QoS

Hello,

We have our main site, with data and VoIP phones. Currently we have two ISPs, but we are getting ready to upgrade one and we will launch peering with the EdgeRouter. We currently have the USG and we are putting all data traffic through one ISP and voice traffic through the other.

After we get our new ISP and peering setup, traffic will all flow through the Edgerouter. 

My concern is QoS. Does anyone have any recommendations on how we should set the network up to account for QoS and our VoIP phones? My local IT engineer is not suggesting we put QoS on the EdgeRouter, but that's the only way QoS will work: it has to be on the router where all traffic will pass.

Thank You

Edge Router inter subnet routing

I'm trying to learn my way around EdgeOS by using the ER-X. I used the wizard to set up eth0 as the WAN, eth1 as the 192.168.1.1 network and S0 as the 192.168.2.1 network. My understanding is that the ER-X should by default route between the two networks with no further configuration, but it doesn't work for me. I cannot ping from one network to the other. I connected both hosts to a dumb switch to make sure I didn't have any Windows firewall issues or other config issues; the hosts can ping each other just fine on the dumb switch.

What am I missing?

A little help would be appreciated.

Solved missing /opt/vyatta/etc/dhcpd.conf

I have an EdgeRouter Lite (ERLite-3). We bought it in the field and powered it up, but Safari would not let us log in to it due to an untrusted certificate. We did not have an RJ45/DB9 cable at the lab, so we were forced to unplug the router (rfs is mounted rw, not ideal), which apparently clobbered something. I was able to get in through the serial console back in the office, but dhcpd cannot run, as described here:

https://community.ubnt.com/t5/EdgeRouter/DHCPD-Service-Fail-configfile-interface-failed/td-p/1910538

I solved it by setting a static IP on my MacBook, and then using Firefox (which still allows Security Exceptions).  Once I added a DHCP Server, /opt/vyatta/etc/dhcpd.conf was restored and functionality was returned.
