Is it possible to upgrade/replace the memory on the Edgerouter 6P like the Edgerouter Pro?
Edgerouter 6P memory upgrade/replacement
Creating a configuration template for edgerouter
I am still new to Edge coming from Unifi, I do see the advantage of the Edge in some ways. And one way could be setting up a new edgerouter quickly by just pasting a bunch of commands into the "configuration".
I see that there are several examples of this like:
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
......
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
...........
Is it possible to create a template with several commands like this for the whole edgerouter?
If so, when creating it, is there a sorting order one should follow, or will it sort itself?
edgerouter lite dead? or screwed up OS
Hi guys, so last night I got notified that my EdgeRouter had gone down, and 10 min later a phone call from the wife saying the internet is down.... Once I got home I checked a few things, lights on network ports etc.... All looks good. I used a console cable and this is what it does when it boots up... I don't think the USB is dead, but I can assume my config is gone. Any information to help
L2TP VPN Setup Issues
Edgerouter-X, attempting to setup L2TP VPN, followed the instructions exactly, see below. Windows client and phone, both don't connect. Enabled MS-CHAP v2 on L2TP adapter.
Any suggestions? -thanks
configure
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <HIDDEN>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <HIDDEN> password <HIDDEN>
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access dhcp-interface eth0
set vpn ipsec ipsec-interfaces interface eth0
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description ike
set firewall name WAN_LOCAL rule 50 destination port 500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description esp
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol esp
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description nat-t
set firewall name WAN_LOCAL rule 70 destination port 4500
set firewall name WAN_LOCAL rule 70 log disable
set firewall name WAN_LOCAL rule 70 protocol udp
set firewall name WAN_LOCAL rule 80 action accept
set firewall name WAN_LOCAL rule 80 description l2tp
set firewall name WAN_LOCAL rule 80 destination port 1701
set firewall name WAN_LOCAL rule 80 ipsec match-ipsec
set firewall name WAN_LOCAL rule 80 log disable
set firewall name WAN_LOCAL rule 80 protocol udp
commit
save
Load balance with Huawei 4G router
Hi all
I have a relatively well functioning EdgeRouter X SFP that load balances as follows:
1. Fiber internet on WAN1 50%
2. Huawei 4G router on WAN2 50%
When WAN1 goes down, WAN2 takes 100% load and all is well. Link is also restored correctly.
When WAN2 goes down, WAN1 attempts to take over, but the Huawei router has a habit of attempting to auto redirect to 192.168.8.1, which causes the load balancing to fail and the internet to go down. I cannot change any setting in the Huawei router to change this behaviour.
How can I configure WAN2 load balance settings to ignore these redirects upon WAN2 failure and continue sending traffic down WAN1 as expected? I also want 50/50 link restoration once WAN2 comes back online (i.e. stops redirecting to 192.168.8.1).
Any thoughts highly welcome. Thanks!
Script to monitor/limit VLAN usage
I'm looking to limit a user to a certain number of hours of network usage per day. That user has their own VLAN. I'm imagining (fantasizing?) that it would be possible to write a script (Python?) running on my ER-X that would check their VLAN traffic every 5 min to see if they're using the Internet, by checking for activity above a certain threshold. As the time accumulates, I'd send a warning email or text message when certain milestones are hit (e.g., one hour of time left today). Then after they've used the network allotment, the VLAN gets shut down until the next morning.
I'm primarily looking for any pointers to how I can check traffic from a script running on the ER-X. Any other thoughts appreciated, too. And if there's a better way to do this, e.g., with something like Nagios running external to the ER-X, that's even better, but I haven't figured out how to do that.
Thanks!
Edgerouter Azure VPN
Tried to setup a connection between my on-premises environment and Azure but it somehow fails to connect. Followed this link to configure the VPN device: https://help.ubnt.com/hc/en-us/articles/115012305347
But I can't figure out what is wrong.
On-premises setup:
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
04[IKE] no IKE config found for 184.47.132.109...52.232.118.119, sending NO_PROPOSAL_CHOSEN
04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
04[NET] sending packet: from 185.47.132.109[500] to 52.232.118.119[500] (36 bytes)
config setup

conn %default
        keyexchange=ikev1

conn peer-52.232.118.119-tunnel-1
        left=184.47.132.109
        right=52.232.118.119
        leftsubnet=192.168.2.0/24
        rightsubnet=192.168.1.0/24
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-52.232.118.119-tunnel-1

vti vti0 {
}

protocols {
    static {
        interface-route 192.168.1.0/24 {
            next-hop-interface vti0 {
            }
        }
    }

ipsec {
    auto-firewall-nat-exclude enable
    esp-group FOO0 {
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group FOO0 {
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    site-to-site {
        peer 52.232.118.119 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            connection-type initiate
            description ipsec
            ike-group FOO0
            local-address 184.47.132.109
            tunnel 1 {
                esp-group FOO0
                local {
                    prefix 192.168.2.0/24
                }
                remote {
                    prefix 192.168.1.0/24
                }
            }
        }
    }
}
}
Bug EdgeRouter Lite v1.10.5: use 2x same domain name in two DHCP zones
So I have several DHCP zones with individual domains.
I went on to create two zones with the same domain. So far so good until I rebooted.
Then DHCP started to fail and no longer provided a lease.
It was instantly fixed the moment I renamed the domain to something else.
This was the weirdest thing I've seen in a while:
My Mac kept receiving and losing a lease, some Windows here seemed fine, but my Chromebook could not get any lease (on wired, wifi, any vlan, etc.).
Config (with diff domain names):
yeri@sg-erl:~$ show configuration firewall { all-ping enable broadcast-ping disable group { network-group LAN_NETWORKS { description "LAN Networks" network 192.168.0.0/16 network 172.16.0.0/12 network 10.0.0.0/8 } } ipv6-name WAN6_IN { default-action drop rule 10 { action accept description "allow established" protocol all state { established enable related enable } } rule 20 { action drop description "drop invalid packets" protocol all state { invalid enable } } rule 30 { action accept description "allow ICMPv6" protocol icmpv6 } } ipv6-name WAN6_LOCAL { default-action drop rule 10 { action accept description "allow established" protocol all state { established enable related enable } } rule 20 { action drop description "drop invalid packets" protocol all state { invalid enable } } rule 30 { action accept description "allow ICMPv6" protocol icmpv6 } rule 40 { action accept description "allow DHCPv6 client/server" destination { port 546 } protocol udp source { port 547 } } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name PROTECT_IN { default-action accept description "Protect LAN from Guest and IoT" rule 10 { action accept description "Accept Established/Related" protocol all state { established enable related enable } } rule 20 { action drop description "Drop LAN_NETWORKS" destination { group { network-group LAN_NETWORKS } } protocol all } } name PROTECT_LOCAL { default-action drop description "Protect LAN from Guest and IoT" rule 10 { action accept description "Accept DNS" destination { port 53 } protocol udp } rule 20 { action accept description "Accept DHCP" destination { port 67 } protocol udp } } name WAN_IN { default-action drop description "WAN to Internal" enable-default-log rule 10 { action accept description "Allow established/related" log disable state { established enable related enable } } rule 20 { action drop description "Drop invalid state" log enable state { invalid enable } } } name WAN_LOCAL { 
default-action drop description "WAN to Router" enable-default-log rule 10 { action accept description "Allow established/related" log disable state { established enable invalid enable related enable } } rule 20 { action accept description "Allow ICMP" limit { burst 1 rate 120/minute } log disable protocol icmp state { established enable invalid disable new enable related enable } } rule 30 { action accept description "Allow SSH" destination { port 1337 } log disable protocol tcp } rule 40 { action drop description "Drop invalid state" log enable state { invalid enable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp description Internet dhcpv6-pd { no-dns pd 0 { interface eth1 { host-address ::1 no-dns prefix-id :0 service slaac } interface eth1.10 { host-address ::10 no-dns } interface eth1.50 { host-address ::50 no-dns } interface eth1.99 { host-address ::99 no-dns } interface eth2 { host-address ::2 no-dns } prefix-length /64 } rapid-commit enable } duplex auto firewall { in { ipv6-name WAN6_IN name WAN_IN } local { ipv6-name WAN6_LOCAL name WAN_LOCAL } } speed auto } ethernet eth1 { address 10.60.111.1/24 description "Lan 1" duplex auto speed auto vif 10 { address 10.60.222.1/24 description YeAgy firewall { in { name PROTECT_IN } local { name PROTECT_LOCAL } } } vif 50 { address 10.33.128.1/24 description Guest firewall { in { name PROTECT_IN } local { name PROTECT_LOCAL } } } vif 99 { address 10.60.99.1/24 description IoT firewall { in { name PROTECT_IN } local { name PROTECT_LOCAL } } } } ethernet eth2 { address 10.19.88.1/24 description "Lan 2" duplex auto speed auto } loopback lo { } } port-forward { auto-firewall enable hairpin-nat enable lan-interface eth2 lan-interface eth1 lan-interface eth1.10 lan-interface eth1.50 lan-interface eth1.99 rule 1 { description "HTTP for Synology" forward-to { address 10.60.111.160 port 80 } original-port 80 protocol tcp } rule 2 
{ description "HTTP for Synology" forward-to { address 10.60.111.160 port 5001 } original-port 5001 protocol tcp } rule 3 { description "HTTP for Synology" forward-to { address 10.60.111.160 port 5000 } original-port 5000 protocol tcp } rule 4 { description "HTTPS for UNMS" forward-to { address 10.19.88.9 port 433 } original-port 8443 protocol tcp } rule 5 { description UNMS forward-to { address 10.19.88.9 port 8444 } original-port 8444 protocol tcp } wan-interface eth0 } service { dhcp-server { disabled false hostfile-update enable shared-network-name Guest { authoritative disable subnet 10.33.128.0/24 { default-router 10.33.128.1 dns-server 10.33.128.1 dns-server 8.8.8.8 domain-name guest.yeri.industries lease 86400 start 10.33.128.2 { stop 10.33.128.254 } } } shared-network-name IoT { authoritative disable subnet 10.60.99.0/24 { default-router 10.60.99.1 dns-server 10.60.99.1 dns-server 8.8.8.8 domain-name iot.0x04.com lease 2678400 start 10.60.99.2 { stop 10.60.99.254 } } } shared-network-name LAN1 { authoritative enable subnet 10.60.111.0/24 { default-router 10.60.111.1 dns-server 10.60.111.1 dns-server 8.8.8.8 domain-name sg.yeri.be lease 2678400 start 10.60.111.2 { stop 10.60.111.254 } static-mapping Sennett-Pro { ip-address 10.60.111.111 mac-address 80:2a:a8:c3:7b:e1 } static-mapping SennettSwitch { ip-address 10.60.111.122 mac-address 78:8a:20:df:f9:83 } static-mapping Sinup { ip-address 10.60.111.160 mac-address 00:11:32:74:cf:24 } static-mapping arwen { ip-address 10.60.111.200 mac-address 98:10:e8:f2:e5:3a } static-mapping nazgul { ip-address 10.60.111.250 mac-address f4:0f:24:09:30:41 } static-mapping r06-WSAP38 { ip-address 10.60.111.222 mac-address 74:f0:6d:49:e5:cb } } } shared-network-name LAN2 { authoritative disable subnet 10.19.88.0/24 { default-router 10.19.88.1 dns-server 10.19.88.1 dns-server 8.8.8.8 domain-name sg2.yeri.be lease 2678400 start 10.19.88.2 { stop 10.19.88.254 } static-mapping Sinup { ip-address 10.19.88.160 mac-address 
00:11:32:74:cf:24 } static-mapping liana { ip-address 10.19.88.100 mac-address 94:c6:91:1a:ae:a2 } } } shared-network-name YeAgy { authoritative disable subnet 10.60.222.0/24 { default-router 10.60.222.1 dns-server 10.60.222.1 dns-server 8.8.8.8 domain-name agy.yeri.be lease 2678400 start 10.60.222.2 { stop 10.60.222.254 } } } static-arp disable use-dnsmasq disable } dns { dynamic { interface eth0 { service afraid { host-name sgyeri.mooo.com login yeri password **************** server freedns.afraid.org } web dyndns } } forwarding { cache-size 10000 listen-on eth1 listen-on eth2 listen-on eth1.10 listen-on eth1.50 listen-on eth1.99 system } } gui { http-port 80 https-port 443 older-ciphers disable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 1337 protocol-version v2 } unms { connection wss://10.19.88.9:8444+Y7mk32x42nvdPNr3abd9ofs3yo-U-pxKSu2Z-TeXnaAAAAAA+allowUntrustedCertificate } upnp { listen-on eth1 { outbound-interface eth0 } listen-on eth1.10 { outbound-interface eth0 } listen-on eth2 { outbound-interface eth0 } } upnp2 { listen-on eth1 listen-on eth2 listen-on eth0 nat-pmp disable secure-mode disable wan eth0 } } system { domain-name yeri.be host-name sg-erl login { banner { post-login "\n\tsg.yeri.be greets you! Welcome to Singapore.\n" pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED!\n\nI will murder you. 
\nYeri Tiete.\n\n\n" } user yeri { authentication { encrypted-password **************** plaintext-password **************** public-keys yeri@google.com { key **************** type ssh-rsa } public-keys yeri@nazgul.lan { key **************** type ssh-rsa } } full-name "Yeri Tiete" level admin } } name-server 2001:4860:4860::8888 name-server 8.8.8.8 name-server 2001:4860:4860::8844 name-server 8.8.4.4 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipsec enable ipv4 { forwarding enable gre enable pppoe enable vlan enable } ipv6 { forwarding enable vlan enable } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone Asia/Singapore traffic-analysis { dpi enable export enable signature-update { update-hour 4 } } } vpn { ipsec { auto-update 60 auto-firewall-nat-exclude enable esp-group FOO0 { compression disable lifetime 3600 mode tunnel pfs enable proposal 1 { encryption aes256 hash sha1 } } ike-group FOO0 { dead-peer-detection { action restart interval 60 timeout 60 } ikev2-reauth no key-exchange ikev1 lifetime 3600 proposal 1 { dh-group 2 encryption aes256 hash sha1 } } ipsec-interfaces { interface eth0 } nat-networks { allowed-network 0.0.0.0/0 { } } nat-traversal enable site-to-site { peer be.yeri.be { authentication { mode pre-shared-secret pre-shared-secret **************** } connection-type initiate description "VPN to be.yeri.be" ike-group FOO0 ikev2-reauth inherit local-address sg.yeri.be tunnel 1 { allow-nat-networks disable allow-public-networks disable esp-group FOO0 local { prefix 10.0.0.0/8 } remote { prefix 192.168.1.0/24 } } } } } }
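The post above reports DHCP failing after a reboot once two zones shared one domain-name. As an added example (not the poster's or the vendor's code), this Python check scans `show configuration` output, flattened or multi-line, and lists every domain-name used by more than one DHCP shared-network-name; the function names and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# One token per quoted string, brace, or bare word. Quoted strings stay whole,
# so a description that merely mentions "domain-name" is never read as a key.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{}]|[^\s{}"]+')


def dhcp_domains(config_text):
    """Return [(zone, subnet, domain)] for each DHCP shared-network-name block."""
    tokens = TOKEN.findall(config_text)
    found = []
    depth = 0            # current brace nesting level
    zone = None          # shared-network-name currently being read
    zone_depth = None    # depth of that zone's own block
    subnet = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if zone is not None and depth < zone_depth:
                zone = subnet = None          # left the zone block
        elif tok == "shared-network-name" and tokens[i + 2:i + 3] == ["{"]:
            zone, zone_depth = tokens[i + 1], depth + 1
            i += 1                            # skip the zone name
        elif zone and tok == "subnet" and tokens[i + 2:i + 3] == ["{"]:
            subnet = tokens[i + 1]
            i += 1
        elif zone and tok == "domain-name" and i + 1 < len(tokens):
            # DNS names are case-insensitive, so compare in lower case.
            found.append((zone, subnet, tokens[i + 1].strip('"').lower()))
            i += 1
        i += 1
    return found


def duplicate_domains(config_text):
    """Map each domain-name shared by two or more DHCP zones to those zones."""
    zones_by_domain = defaultdict(list)
    for zone, _subnet, domain in dhcp_domains(config_text):
        zones_by_domain[domain].append(zone)
    return {d: z for d, z in zones_by_domain.items() if len(z) > 1}


# Constructed sample, flattened onto one line the way the forum paste is.
SAMPLE = (
    'service { dhcp-server { disabled false '
    'shared-network-name Guest { authoritative disable '
    'subnet 10.0.50.0/24 { default-router 10.0.50.1 '
    'domain-name guest.example.net lease 86400 '
    'start 10.0.50.2 { stop 10.0.50.254 } } } '
    'shared-network-name IoT { authoritative disable '
    'subnet 10.0.99.0/24 { default-router 10.0.99.1 '
    'domain-name lan.example.net lease 86400 } } '
    'shared-network-name LAN1 { authoritative enable '
    'description "same domain-name as IoT" '
    'subnet 10.0.1.0/24 { default-router 10.0.1.1 '
    'domain-name LAN.example.net lease 86400 } } } } '
    'system { domain-name example.net host-name router }'
)

if __name__ == "__main__":
    for domain, zones in duplicate_domains(SAMPLE).items():
        print(f"domain-name {domain} is shared by zones: {', '.join(zones)}")
```

The system-level `domain-name` is ignored because it sits outside any shared-network-name block.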
Bug ERL: keep losing VPN config
For many many versions now (never got around to bug report this) whenever I reboot my ERL I lose all saved VPN config:
vpn {
    ipsec {
        auto-update 60
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 60
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer be.yeri.be {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "VPN to be.yeri.be"
                ike-group FOO0
                ikev2-reauth inherit
                local-address sg.yeri.be
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.0.0.0/8
                    }
                    remote {
                        prefix 192.168.1.0/24
                    }
                }
            }
        }
    }
}
So basically, at reboot, even though the config is saved, that part is entirely missing from my config.
What could be the cause?
Can't log into GUI over IPSEC VPN - Grey Screen Only
I've seen older posts that mention this and the solution seemed to be to upgrade firmware. They were talking about much older versions though. Via SSH, mine reports, EdgeRouter.ER-e50.v1.10.1.5067582.180305.1832
I know there is a slightly newer version but I'm hesitant to attempt a remote upgrade. Are there any other suggestions to be able to log into the GUI over IPSEC VPN?
Multi-WAN setup with the 2nd WAN used for inbound connections only?
Our ISP assigned multiple static IPs to our office line. There's basically a small DHCP pool which our EdgeRouter gets the IP from, usually the same one, assigned to eth0. We have a public DNS record assigned to that IP which we use for VPN/SSHproxy purposes when working from home.
So, eth0 is WAN, eth1 is LAN and two other ethernet ports are disabled. Life is good.
Now we need to add a couple of publicly reachable services that compete for TCP ports and SNI is not a solution. What I would like to do is to connect two other ethernet ports to the ISP and get two more public IPs assigned to them, so I'll set up port forwarding from those WAN interfaces to corresponding VMs on our internal network.
Again, I don't need to load-balance or failover these WAN interfaces, they're all on the same cable after all. I only want the inbound connections to hit different LAN endpoints and I want all new outbound connections to go via eth0.
Here's what I've tried so far:
- I have enabled eth2 with DHCP.
- It successfully received an IP from the ISP, say 67.5.5.5. This resulted in a new static route to be created 0.0.0.0 -> 67.5.5.5
But the internet connection became barely usable, the web pages would take forever to load, etc. I suspect this happens because the two WAN routes aren't separated properly and the packets are getting dropped somewhere?
I've tried searching for answers, but all community material is focused on load-balancing WANs which is not what I need.
Thanks for the help!
EdgeOS Site to Site VPN Question
I am replacing a firewall with the ERPoE-5 and I currently have a site to site VPN on the firewall. The issue is the remote subnet. The remote subnet needs to be set to 0.0.0.0/0 as this is a work VPN and I am required to tunnel all work traffic over it. Is this possible?
ER-X: Smart Queue causing bufferbloat on Download?
I recently got my hands on the ER-X, and a lovely UniFi UAP-AC-LITE which is seemingly working flawlessly most of the time, that is, until I start downloading from steam etc. then my ping spikes up a ton. In search of a solution I came across Smart Queue which gave me hope, but instead of helping it actually made the situation worse. My bufferbloat scores go from A/B -> C on dslreports when I setup Smart Queue on the Download side. (SQ on Upload only makes it go back to A/B)
I was wondering if there were any tweaks, or suggestions I could try to limit my bufferbloat? So far the temporary solution has been to only use Smart Queue on the upload, but that doesn't help me out a lot when someone on my network is downloading.
Speed (average, tested multiple times) is:
- 101 mbit/s Download // 95 in SQ
- 51 mbit/s Upload // 47 in SQ
Running over a Coaxial Line to my ISP Modem (In bridge mode) > PoE Injector > ER-X etc.
OpenVPN Site to Site + L2TP Possible?
Good day everyone, I apologize in advance for the lengthy read. I'm moderately inclined technically and this is my first time using Edgerouter HW/SW. I was recruited by a friend to complete a somewhat complicated setup with 2 Edgerouters, one being a Pro 8 and the other an X-SFP. I myself need some help with this. I've done well so far with getting things up and running by reading the guides, but this part here has stumped me. The setup is as follows:
Main Site:
ERP-8 w/ 2x Static IP WAN Purely for Failover (eth4/5)
1x LAN Network Bridged to eth0 through 2
OpenVPN Site to Site Tunnel to/from Satellite Site
Port Forwarding and Some DNAT Rules for machines that needed to use a 192.168.1.0/24 network
Satellite Site:
ERX-SFP w/ 2x Static IP WAN Purely for Failover (eth3/4)
1x LAN Network (switch0 which includes eth0-2)
OpenVPN Site to Site Tunnel to/from Main Site
After many hours, I got this setup working just fine, but now my friend is leaving state for a while and wants a personal VPN tunnel to at least the main site from his iPhone and or Laptop so I tried to setup L2TP on the Main Site router using the support guide, even tinkering with it a bit. Furthest I've gotten is that it would work if I was on the same network as the router, but would never connect from the outside. I've tried messing with the trusted network and the in interfaces with no luck in addition to firewall rules. The bulk of the stuff I can understand and work with even though it's a little difficult for me, but VPNs stump me greatly on top of that. So what I want to know is is it possible to have both OpenVPN and L2TP running at the same time properly or is there a way to setup a second instance of OpenVPN just in server mode? Any info/config needed just let me know how to give it to you and I will as I have access to both routers at all times. Thanks in advance for your help.
Edgerouter with failover
Hi,
I install the Edgerouter X all the time and it works great for me. I have an office that wants a failover option on their router so if their DSL goes down, the Verizon USB mobile device will take over the WAN connection. I was looking at the Edgerouter 4 and see that it has a USB port on the front of it. Will this work well for a failover WAN connection? Thanks in advance for your help!
VPN Firewall
Hi Community.
I have an EdgeMax POE.
I created a site-to-site VPN to a Cisco ASA5515.
I want to create a firewall rule, so I can control what the ASA-end can access.
Can someone help me?
Edgerouter X and VoIP
Hi,
I setup an Edgerouter X the other day and needed to set it up for QoS for the VoIP phones. When I initially set it up, I used the Basic Wizard so I could change the LAN IP as all of their devices were setup for 192.168.0.x and I could easily put 192.168.0.1 as the LAN IP to the router. After that, I went into the CLI and input the following:
configure
set system conntrack modules sip disable
commit
save
exit
configure
# Set-up the details of the DownStream Policy
set traffic-policy shaper DownStream description "DownStream QoS policy"
set traffic-policy shaper DownStream bandwidth 52000kbit
set traffic-policy shaper DownStream class 10 description "RTP"
set traffic-policy shaper DownStream class 10 bandwidth 25%
set traffic-policy shaper DownStream class 10 ceiling 100%
set traffic-policy shaper DownStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper DownStream class 20 description "SIP"
set traffic-policy shaper DownStream class 20 bandwidth 5%
set traffic-policy shaper DownStream class 20 ceiling 100%
set traffic-policy shaper DownStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper DownStream default bandwidth 70%
set traffic-policy shaper DownStream default ceiling 100%
# Set-up the details of the UpStream Policy
set traffic-policy shaper UpStream description "UpStream QoS policy"
set traffic-policy shaper UpStream bandwidth 11000kbit
set traffic-policy shaper UpStream class 10 description "RTP"
set traffic-policy shaper UpStream class 10 bandwidth 50%
set traffic-policy shaper UpStream class 10 ceiling 100%
set traffic-policy shaper UpStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper UpStream class 20 description "SIP"
set traffic-policy shaper UpStream class 20 bandwidth 5%
set traffic-policy shaper UpStream class 20 ceiling 100%
set traffic-policy shaper UpStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper UpStream default bandwidth 45%
set traffic-policy shaper UpStream default ceiling 100%
# Apply the policies to the interfaces (this example has eth0 is WAN, eth2 LAN)
set interfaces ethernet eth0 traffic-policy out DownStream
set interfaces ethernet eth2 traffic-policy out UpStream
# Commit, Save, and Exit
commit
save
exit
The modem is plugged into eth0 and the network switch is plugged into eth2.
After I reboot the router, I can't connect back to the device and DHCP is no longer working. I have to reset the Edgerouter and go through the basic wizard again. I know that I'm doing something wrong here. Can you please tell me where I'm wrong? Thanks in advance for your help!
Matt
CA.sh -newca does not seem to do anything anymore
Was following guide for OpenVPN when I entered the wrong thing for the challenge passphrase and ctrl-C out.
Went to try again and now when I enter
./CA.sh -newca
I just get a return carriage.
root@ubnt:/usr/lib/ssl/misc# ./CA.sh -newca
root@ubnt:/usr/lib/ssl/misc#
Currently running EdgeOS v1.10.3
ERX with Telekom Magenta zu Hause Start
At the moment I'm running the ERX behind a Vigor130 at a regular Telekom VDSL 50 line.
We just bought a house where we can get a 100 MBit fiber from innogy that is rented by Telekom. Authentication, SIP etcetera is handled by Telekom but in a special way. Does anybody use the ERX with a Telekom Magenta Zu Hause Start plan and have a working config?
Best regards
Chris
How to protect LAN1 LAN2
Hi,
I have an ER-X, which today I've upgraded to 1.10.5 and run a full reset + Basic wizard for 2 LAN. It is working well, but I cannot figure out how to put LAN2 into a "guest network" mode.
I'd like to make sure that:
- LAN2 cannot reach the NAS device on LAN1
- LAN2 cannot access the router's GUI
Is there anything else I need to do to make LAN2 a guest network?
Here is my full config (99% identical to a Basic Wizard):
firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 21 { action accept description "remote GUI" destination { port 33399 } log disable protocol tcp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp description Internet duplex auto firewall { in { name WAN_IN } local { name WAN_LOCAL } } speed auto } ethernet eth1 { address 192.168.0.1/24 description "Local 2" duplex auto speed auto } ethernet eth2 { description Local duplex auto speed auto } ethernet eth3 { description Local duplex auto speed auto } ethernet eth4 { description Local duplex auto speed auto } loopback lo { } switch switch0 { address 192.168.1.1/24 description Local mtu 1500 switch-port { interface eth2 { } interface eth3 { } interface eth4 { } vlan-aware disable } } } port-forward { auto-firewall enable hairpin-nat enable lan-interface eth1 rule 1 { description Synology forward-to { address 192.168.0.2 port 5001 } original-port 39876 protocol tcp } wan-interface eth0 } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN1 { authoritative enable subnet 192.168.0.0/24 { default-router 192.168.0.1 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start 192.168.0.38 { stop 192.168.0.243 } } } shared-network-name LAN2 { authoritative enable subnet 192.168.1.0/24 { default-router 
192.168.1.1 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start 192.168.1.38 { stop 192.168.1.243 } } } static-arp disable use-dnsmasq disable } dns { } gui { http-port 80 https-port 33399 older-ciphers enable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ubnt-discover { disable } unms { disable } } system { host-name ubnt login { user ubnt { authentication { encrypted-password ... } level admin } } ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC }