Channel: EdgeRouter topics

Internet -> Cable Modem/Firewall -> EdgeRouter VPN setup = DNS not working


Had my internet service upgraded by my local cable provider. This required them to install their cable modem. This cable modem has a built-in firewall, so I have to set up port forwards in order to make my VPN on the EdgeRouter X work again. Got the VPN working. But for some reason my DNS name resolution on my local area network behind the EdgeRouter X is not working. In the doc for the L2TP VPN setup, it mentions that you have to set up a rule for ESP. But I can't find out if I need to set up a port forward in the cable modem firewall as well. Do I need to, in order to get DNS name resolution to work? If so, how do I configure the port forwarding setup?

 

NOTE: My L2TP VPN setup was working flawlessly, before getting my internet service upgraded by my cable provider.

 


EdgeRouter 4, simple config, DHCP not working with macOS


New EdgeRouter 4 running 1.10.5, took the default configuration of eth0 WAN, eth1 LAN1, eth2 LAN2. Unmanaged switch connected to LAN1 with a macOS machine connected to the switch. Able to communicate with the router fine if manually configuring the IP. Router is successfully routing WAN to LAN, works great.

 

DHCP servers enabled for LAN1 and LAN2. Have tried resetting the router, restarting DHCP services, and connecting directly from the Mac to the router instead of through the switch. No matter what, I am not able to get a DHCP lease for the Mac, automatically or by forcing a renew. DHCP authoritative is enabled (which was the default). Haven't changed any settings on the router from defaults. Any ideas why this might not be working? Thanks.

 

L2TP Connection Problems


I'm really trying to get some type of VPN going for a road warrior on an ERP-8, either with this or OpenVPN, but this seems simpler. Either way, I'm running into issues; in this specific case, when attempting to connect to the L2TP connection on my Windows laptop, it just hangs until it fails. Any assistance is appreciated; a copy of the config is below.

 


firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 60 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth4
}
}
modify {
table main
}
}
rule 70 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth5
}
}
modify {
table main
}
}
rule 80 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth6
}
}
modify {
table main
}
}
rule 90 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth7
}
}
modify {
table main
}
}
rule 110 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 21 {
action accept
description Tesla2
destination {
address 192.168.1.2
port 443
}
log disable
protocol tcp_udp
}
rule 22 {
action accept
description Tesla3
destination {
address 192.168.1.3
port 80
}
log disable
protocol tcp_udp
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 50 {
action accept
description ike
destination {
port 500
}
log disable
protocol udp
}
rule 60 {
action accept
description esp
log disable
protocol esp
}
rule 70 {
action accept
description nat-t
destination {
port 4500
}
log disable
protocol udp
}
rule 80 {
action accept
description l2tp
destination {
port 1701
}
ipsec {
match-ipsec
}
log disable
protocol udp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
bridge br0 {
address 10.0.0.253/24
aging 300
bridged-conntrack disable
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
vif 1 {
}
}
ethernet eth0 {
bridge-group {
bridge br0
}
description LAN1
dhcp-options {
default-route update
default-route-distance 1
name-server update
}
duplex auto
firewall {
in {
modify balance
}
}
speed auto
}
ethernet eth1 {
bridge-group {
bridge br0
}
description LAN2
duplex auto
speed auto
}
ethernet eth2 {
bridge-group {
bridge br0
}
description LAN3
duplex auto
speed auto
}
ethernet eth3 {
address 192.168.0.1/24
description Admin
duplex auto
speed auto
}
ethernet eth4 {
address MY STATIC WAN IP/28
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth5 {
address MY STATIC WAN2 IP/27
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth6 {
address dhcp
description "WAN 3"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth7 {
address dhcp
description "WAN 4"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
loopback lo {
}
openvpn vtun0 {
ip {
ospf {
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-address 10.99.99.1 {
}
local-address 10.255.12.1 {
}
local-port 1194
mode site-to-site
openvpn-option --comp-lzo
openvpn-option --float
openvpn-option "--ping 10"
openvpn-option "--ping-restart 20"
openvpn-option --ping-timer-rem
openvpn-option --persist-tun
openvpn-option --persist-key
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
remote-address 10.99.99.2
remote-host 192.0.2.1
remote-host 208.50.124.215
remote-port 1194
shared-secret-key-file /config/auth/secret
}
openvpn vtun1 {
local-port 1195
mode server
openvpn-option "--keepalive 10 120"
openvpn-option "--comp-lzo yes"
openvpn-option "--user nobody"
openvpn-option --persist-key
openvpn-option "--verb 3"
openvpn-option "--mute 10"
openvpn-option "--port 1195"
openvpn-option --client-to-client
openvpn-option "--group nogroup"
openvpn-option --persist-tun
protocol udp
server {
name-server 8.8.8.8
push-route 10.0.0.0/24
subnet 10.8.0.0/24
}
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/server.crt
dh-file /config/auth/dh.pem
key-file /config/auth/server.key
}
}
}
load-balance {
group G {
interface eth4 {
route {
default
}
route-test {
count {
failure 2
success 1
}
initial-delay 15
interval 2
type {
ping {
target 8.8.8.8
}
}
}
weight 99
}
interface eth5 {
failover-only
route {
}
route-test {
count {
failure 2
success 2
}
initial-delay 60
interval 2
type {
ping {
target 8.8.8.8
}
}
}
weight 1
}
lb-local enable
lb-local-metric-change enable
sticky {
dest-addr enable
dest-port enable
source-addr enable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface br0
lan-interface br0.1
lan-interface eth0
lan-interface eth1
rule 1 {
description PZEDVR1
forward-to {
address 10.0.0.58
}
original-port 50100
protocol tcp_udp
}
rule 2 {
description PZEDVR1
forward-to {
address 10.0.0.58
}
original-port 8080
protocol tcp_udp
}
rule 3 {
description PZEDVR1
forward-to {
address 10.0.0.58
}
original-port 51000
protocol tcp_udp
}
rule 4 {
description PZEDVR2
forward-to {
address 10.0.0.59
}
original-port 50200
protocol tcp_udp
}
rule 5 {
description PZEDVR2
forward-to {
address 10.0.0.59
}
original-port 8081
protocol tcp_udp
}
rule 6 {
description PZEDVR2
forward-to {
address 10.0.0.59
}
original-port 52000
protocol tcp_udp
}
rule 7 {
description PZEDVR3
forward-to {
address 10.0.0.62
}
original-port 50300
protocol tcp_udp
}
rule 8 {
description PZEDVR3
forward-to {
address 10.0.0.62
}
original-port 8082
protocol tcp_udp
}
rule 9 {
description PZEDVR3
forward-to {
address 10.0.0.62
}
original-port 53000
protocol tcp_udp
}
rule 10 {
description PZEDVR4
forward-to {
address 10.0.0.63
}
original-port 50400
protocol tcp_udp
}
rule 11 {
description PZEDVR4
forward-to {
address 10.0.0.63
}
original-port 8083
protocol tcp_udp
}
rule 12 {
description PZEDVR4
forward-to {
address 10.0.0.63
}
original-port 54000
protocol tcp_udp
}
rule 13 {
description PZEDVR5
forward-to {
address 10.0.0.64
}
original-port 50500
protocol tcp_udp
}
rule 14 {
description PZEDVR5
forward-to {
address 10.0.0.64
}
original-port 8084
protocol tcp_udp
}
rule 15 {
description PZEDVR5
forward-to {
address 10.0.0.64
}
original-port 55000
protocol tcp_udp
}
rule 16 {
description MACENG1
forward-to {
address 10.0.0.199
}
original-port 18571
protocol tcp
}
rule 17 {
description MACENG1
forward-to {
address 10.0.0.199
}
original-port 18572
protocol udp
}
rule 18 {
description EastServerVNC
forward-to {
address 10.0.0.53
}
original-port 5300
protocol tcp_udp
}
rule 19 {
description TalentedHPVNC
forward-to {
address 10.0.0.44
}
original-port 5900
protocol tcp_udp
}
rule 20 {
description PZECardPC
forward-to {
address 10.0.0.5
}
original-port 5000
protocol tcp_udp
}
rule 21 {
description EastServerOLDVNC
forward-to {
address 10.0.0.51
}
original-port 5100
protocol tcp_udp
}
rule 22 {
description Tesla2
forward-to {
address 192.168.1.2
port 4343
}
original-port 443
protocol tcp_udp
}
rule 23 {
description Tesla3
forward-to {
address 192.168.1.3
port 8800
}
original-port 80
protocol tcp_udp
}
rule 24 {
description PZEDVR6
forward-to {
address 10.0.0.65
}
original-port 56000
protocol tcp_udp
}
rule 25 {
description PZEDVR6
forward-to {
address 10.0.0.65
}
original-port 8085
protocol tcp_udp
}
rule 26 {
description PZEDVR6
forward-to {
address 10.0.0.65
}
original-port 50600
protocol tcp_udp
}
rule 27 {
description PCRoom1VNC
forward-to {
address 10.0.0.91
}
original-port 901
protocol tcp_udp
}
rule 28 {
description PCRoom2VNC
forward-to {
address 10.0.0.92
}
original-port 902
protocol tcp_udp
}
rule 29 {
description PCRoom3VNC
forward-to {
address 10.0.0.93
}
original-port 903
protocol tcp_udp
}
wan-interface eth4
}
protocols {
ospf {
area 0 {
network 10.255.12.1/32
network 192.168.1.0/24
}
parameters {
abr-type cisco
router-id 0.0.0.1
}
passive-interface default
passive-interface-exclude vtun0
}
static {
interface-route 10.0.0.0/24 {
next-hop-interface vtun1 {
}
}
interface-route 10.0.1.0/24 {
next-hop-interface vtun0 {
}
next-hop-interface vtun1 {
}
}
interface-route 172.16.1.0/24 {
next-hop-interface vtun0 {
}
}
interface-route 192.168.1.0/24 {
next-hop-interface br0 {
description Tesla
distance 1
}
}
interface-route 192.168.9.0/24 {
next-hop-interface vtun0 {
}
}
route 0.0.0.0/0 {
next-hop 199.76.14.238 {
}
next-hop 208.50.124.129 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name PZE {
authoritative disable
subnet 10.0.0.0/24 {
default-router 10.0.0.253
dns-server 8.8.8.8
dns-server 10.0.0.253
lease 86400
start 10.0.0.150 {
stop 10.0.0.250
}
static-mapping YusufPC {
ip-address 10.0.0.44
mac-address D0:BF:9C:86:FB:B4
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
dynamic {
interface eth4 {
service custom-noip {
host-name plazaeaststx.ddns.net
login plazaeaststx@gmail.com
password ****************
protocol noip
}
}
}
forwarding {
cache-size 150
listen-on eth0
options listen-address=10.0.0.253
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 1 {
description Tesla3
destination {
}
inbound-interface eth4
inside-address {
address 192.168.1.3
port 80
}
log disable
protocol tcp_udp
source {
}
type destination
}
rule 2 {
description Tesla2
destination {
}
inbound-interface eth4
inside-address {
address 192.168.1.2
port 443
}
log disable
protocol tcp_udp
source {
}
type destination
}
rule 5008 {
description "masquerade for WAN"
outbound-interface eth4
type masquerade
}
rule 5010 {
description "masquerade for WAN 2"
outbound-interface eth5
type masquerade
}
rule 5012 {
description "masquerade for WAN 3"
outbound-interface eth6
type masquerade
}
rule 5014 {
description "masquerade for WAN 4"
outbound-interface eth7
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
telnet {
port 23
}
unms {
disable
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name PZEROUTER
login {
user admin {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
user root {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
user ubnt {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 1.1.1.1
name-server 10.0.0.253
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/St_Thomas
traffic-analysis {
dpi enable
export enable
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
ipsec-interfaces {
}
nat-networks {
}
}
l2tp {
remote-access {
authentication {
local-users {
username joseph {
}
username yusuf {
password ****************
}
}
mode local
require mschap-v2
}
client-ip-pool {
start 192.168.200.200
stop 192.168.200.210
}
dns-servers {
server-1 8.8.8.8
server-2 10.0.0.253
}
idle 1800
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
ike-lifetime 3600
lifetime 3600
}
mtu 1492
outside-address MY STATIC WAN IP
outside-nexthop MY GATEWAY
}
}
}

No DHCP from google fiber


Continued from https://community.ubnt.com/t5/EdgeRouter/Updated-Google-Fiber-EdgeRouter-Lite-PoE-IPv4-amp-IPv6-config/m-p/2379855/highlight/false#M211128 

 

My purpose is to segregate my main home network from my home lab. After the fiber jack I have a GS748T set up like in oh so many guides on the internet, but this one is what I used (both parts 1 and 2):

https://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-1-vlans/

 

I'm getting Google Fiber (albeit not that fast, it seems, so I'll try to get QoS fixed), but I'm not even getting a DHCP address for the "lab leg".

 

Fiber Jack -> GS748t

 

GS748T -> ERL -> (port 2) C7000 / (port 3) DD-WRT

GS748T -> GFNB+ -> all other devices

 

I'm able to get to all LAN devices on the Ubiquiti.

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-name WANv6_OUT {
        default-action accept
        description "WAN outbound traffic"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "LAN to Internal"
        rule 10 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 100 {
            action drop
            description "Drop invalid state"
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Port Forward - Router SSH"
            destination {
                address 192.168.1.1
                port 22
            }
            protocol tcp
        }
        rule 30 {
            action accept
            description "Port Forward - Router HTTPS"
            destination {
                address 192.168.1.1
                port 443
            }
            protocol tcp
        }
        rule 40 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 100 {
            action drop
            description "Drop invalid state"
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Google Fiber Jack"
        duplex auto
        speed auto
        vif 2 {
            address dhcp
            description "Google Fiber WAN"
            dhcpv6-pd {
                pd 0 {
                    interface eth1 {
                        host-address ::1
                        prefix-id :0
                        service slaac
                    }
                    interface eth2 {
                        host-address ::1
                        prefix-id :1
                        service slaac
                    }
                    prefix-length /56
                }
                rapid-commit enable
            }
            egress-qos "0:3 1:3 2:3 3:3 4:3 5:3 6:3 7:3"
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
                out {
                    ipv6-name WANv6_OUT
                    name WAN_OUT
                }
            }
        }
    }
    ethernet eth1 {
        address 192.168.99.1/24
        description "Local Config Port"
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.1.1/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 10 {
        description "Router SSH"
        forward-to {
            address 192.168.1.1
            port 22
        }
        original-port 2222
        protocol tcp_udp
    }
    rule 20 {
        description "Router HTTPS"
        forward-to {
            address 192.168.1.1
            port 443
        }
        original-port 8080
        protocol tcp_udp
    }
    wan-interface eth0.2
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name Config {
            authoritative disable
            subnet 192.168.99.0/24 {
                default-router 192.168.99.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.99.101 {
                    stop 192.168.99.254
                }
            }
        }
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name lab.example.com
                lease 86400
                start 192.168.1.101 {
                    stop 192.168.1.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 500
            listen-on eth2
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "Masquerade for WAN"
            log disable
            outbound-interface eth0.2
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name example.com
    host-name lab-gateway
    login {
        user ubnt {
            authentication {
                encrypted-password 
                plaintext-password "showmewhatyougot"
            }
            level admin
        }
    }
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.1.5067571.180305.1750 */

Guide to have a reverse-proxy based to NGINX in EdgeRouter part 1/2

Purpose

To have a reverse proxy that takes internet traffic arriving on ports 80/443 and hands it to different servers on the internal network, selected by DNS name.

Materials

- EdgeRouter Lite 3 (3 GbE ports)
- Management switch (TP-Link, 5 GbE ports)
- Server 1 (Celeron machine)
- Server 2 (ODROID HC1)

Software

Router:
- EdgeOS 1.10.5 (latest release at the time of writing)
- Lighttpd (built in, serves the EdgeOS GUI)
- Nginx 1.10.3

Server 1:
- Mail server (Kerio)
- Web server (Apache)

Server 2:
- Cloud server (DietPi / ownCloud 10)

The network

- Public static IP via DHCP - router eth2 - 192.168.23.x
- Server 1 - switch port 1 - static internal IP 192.168.23.15
- Server 2 - switch port 2 - static internal IP 192.168.23.16

The network diagram is below:

[image: schema retea.jpg]

Step 1

Move the GUI to non-standard ports so that 80 and 443 are free for nginx. I use 8080 and 8443. You can do this in the web interface or in the CLI:

configure
set service gui http-port 8080
set service gui https-port 8443
commit
save
exit

Ports 80 and 443 are now free for another web server, nginx. Test the router web interface on the new port to make sure it is still working:

https://192.168.23.1:8443

Step 2

Give EdgeOS the repositories needed to install nginx. I took this script from the internet and it did everything I needed. I put it in /config/scripts/post-config.d/ so that it runs again after an EdgeOS update (packages installed with apt-get live outside /config and do not survive a firmware upgrade; the script re-installs them at boot).

####------------------- BEGIN OF THE SCRIPT -------------------
#!/bin/bash
vcfg=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

echo Updating package repositories ...
echo
$vcfg begin
$vcfg delete system package
$vcfg set system package repository jessie url http://ftp.us.debian.org/debian
$vcfg set system package repository jessie components "main contrib non-free"
$vcfg set system package repository jessie distribution jessie
$vcfg set system package repository jessie-backports url http://ftp.us.debian.org/debian
$vcfg set system package repository jessie-backports components "main contrib non-free"
$vcfg set system package repository jessie-backports distribution jessie-backports
$vcfg commit
$vcfg end
apt-get update

echo
echo Setting repository priorities ...
echo
echo "Package: *
Pin: release a=jessie
Pin-Priority: 900

Package: *
Pin: release a=jessie-backports
Pin-Priority: 910" > /etc/apt/preferences.d/jessie

echo
echo Temporarily stopping the current web interface ...
echo
kill -SIGTERM $(cat /var/run/lighttpd.pid)

echo
echo Installing nginx-light ...
echo
# nginx needs its log directory at every boot, so create it from post-config.d as well
echo "#!/bin/bash
[ -d /var/log/nginx ] || mkdir /var/log/nginx" > /config/scripts/post-config.d/create_nginx_log_dir
chmod a+x /config/scripts/post-config.d/create_nginx_log_dir
[ -d /var/log/nginx ] || mkdir /var/log/nginx
apt-get install nginx-light -V -y

echo
echo Restarting the old web interface ...
echo
service nginx stop
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

#echo
#echo Updating the nginx default site to listen on non-standard ports ...
#echo
#sed -i -E 's/^(\s*)(listen\s+(:|\[|\])*)([0-9]+)(;|\s)/\1\2\4\4\5/g' /etc/nginx/sites-enabled/default
## I removed this because I don't need non-standard ports for nginx

#echo
#echo Making symlink for site
#echo
#ln -s /etc/nginx/sites-available/your-domain.conf /etc/nginx/sites-enabled/

echo
echo Starting the nginx service ...
echo
service nginx start

echo
echo Installation complete.
####------------------- END OF THE SCRIPT -------------------

Now you have nginx in your system, running and ready to serve you. To check whether nginx is listening on ports 80/443 you can use one of the commands below (all give you the same information):

netstat -tuwanp4
netstat -lnptu
lsof -iTCP -sTCP:LISTEN

Step 3

Test your new web server (nginx) from the local network:

http://your-router-internal-ip
http://your-static-ip/
http://your-domain/

You should see the standard nginx welcome page. If you do not see it from the internal network, check that:

- nginx is running
- nginx is listening on port 80
- your domain resolves to your IP
- you typed the right IP address

Step 4

To make the server visible from the internet you have to open 80 and 443 on the WAN interface. Because nginx runs on the router itself, this traffic is evaluated by the ruleset attached to the WAN interface as "local" (WAN_LOCAL in the default configuration), not by WAN_IN, which only sees traffic forwarded through the router to LAN hosts. Check with "show firewall name WAN_LOCAL" that rule numbers 30 and 40 are free (the default config uses 10 and 20), then in the CLI:

configure
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description web-80
set firewall name WAN_LOCAL rule 30 destination port 80
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description web-443
set firewall name WAN_LOCAL rule 40 destination port 443
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol tcp
commit
save

Do not add rules for 8080/8443: with WAN_LOCAL's default-action drop the EdgeOS GUI stays reachable only from the LAN, which is what you want. Now your web server (nginx) is visible from the internet and you should be able to open the standard nginx page from outside.
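The check a practitioner wants after Steps 1 and 2 is not "does nginx answer" but "who owns which port": lighttpd must have left 80/443 for 8080/8443, nginx must hold 80/443, and nothing unexpected should be listening on the router at all. The script below is an added example, not part of the original guide; it parses netstat -lnpt style output (the sample here is constructed, including a deliberately planted telnetd on port 23) and reports the owner of each port. Run it with --live on the router to check the real listener table.

```shell
#!/bin/sh
# Added example: verify the lighttpd/nginx port split described in Steps 1-2.
# SAMPLE_* are constructed netstat outputs, not captured from a real EdgeRouter.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2413/nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2413/nginx
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1190/lighttpd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1190/lighttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1033/telnetd'

# Same router before Step 1: the GUI still sits on 80/443 and nginx is not installed.
SAMPLE_STALE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1190/lighttpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1190/lighttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd'

# port_owner NETSTAT_OUTPUT PORT -> program name listening on TCP PORT (any address), or "none"
port_owner() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF != "-" {
            n = split($4, a, ":")              # last field after ":" is the port (works for ::: too)
            if (a[n] == port) { sub(/^[0-9]+\//, "", $NF); print $NF; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# check_web_split NETSTAT_OUTPUT -> 0 when nginx owns 80/443 and lighttpd owns 8080/8443
check_web_split() {
    rc=0
    for spec in 80:nginx 443:nginx 8080:lighttpd 8443:lighttpd; do
        port=${spec%%:*}; want=${spec##*:}
        got=$(port_owner "$1" "$port")
        if [ "$got" != "$want" ]; then
            echo "port $port: expected $want, found $got" >&2
            rc=1
        fi
    done
    return $rc
}

# list_unexpected NETSTAT_OUTPUT -> TCP listeners other than the web ports and ssh, e.g. a forgotten telnetd
list_unexpected() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ {
            n = split($4, a, ":"); p = a[n]
            if (p != 80 && p != 443 && p != 8080 && p != 8443 && p != 22) print p, $NF
        }'
}

# --live: run against this host instead of the constructed samples (netstat from net-tools)
if [ "${1:-}" = "--live" ]; then
    live=$(netstat -lnpt 2>/dev/null)
    check_web_split "$live" && echo "web port split OK"
    list_unexpected "$live"
fi
```

list_unexpected deliberately treats anything but the four web ports and SSH as suspicious; on the sample it flags the telnetd, which is exactly the kind of service that should not be on a router that is about to receive unsolicited traffic from the internet.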

 

Guide to have a reverse-proxy based to NGINX in EdgeRouter part 2/2

Step 5

At this point NGINX, with its standard configuration, listens only on port 80. You have to define rules for it to act as a reverse proxy, including for SSL connections to your internal servers.

Make a new file in /etc/nginx/sites-available/ or override the default configuration (your choice). I prefer to have one new file and keep the standard config file for emergencies.

touch /etc/nginx/sites-available/your-domain.conf

Open your-domain.conf:

nano /etc/nginx/sites-available/your-domain.conf

Write/adapt the text below to your needs.

######--------------BEGIN of the script
server {
    listen 80;
    server_name your-domain;
    # redirect http to https
    return 301 https://$server_name$request_uri;
    # the directives below are never reached because of the return above;
    # they are kept as posted
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://192.168.23.15;
    }
}
server {
    listen 80;
    server_name subdomain.your-domain;
    # redirect http to https
    return 301 https://$server_name$request_uri;
    # the directives below are never reached because of the return above;
    # they are kept as posted
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://192.168.23.16;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name your-domain;
    ssl_certificate /config/.acme.sh/your-domain/fullchain.cer;
    ssl_certificate_key /config/.acme.sh/your-domain/your-domain.key;
    access_log /var/log/nginx/your-domain.access.log;
    error_log /var/log/nginx/your-domain.error.log;
    ssl_session_timeout 1d;
    # TLSv1 and TLSv1.1 are deprecated; drop them unless a legacy client needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # the cipher list is cut off in the original post (the trailing $ is nano's
    # line-wrap marker); complete it before use
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-S$
    ssl_prefer_server_ciphers on;
    # listed twice in the original post; nginx rejects a duplicate directive,
    # so it appears once here
    ssl_session_cache shared:SSL:10m;
    # dh params
    ssl_dhparam /config/ssl/dhparam.pem;
    # Enable HTTP Strict-Transport-Security
    # If you have a subdomain of your site,
    # be careful with the 'includeSubdomains' option
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # XSS Protection for Nginx web server
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag none;
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass https://192.168.23.15;
    }
}
server {
    listen 443 ssl;
    server_name subdomain.your-domain;
    # the first server block uses fullchain.cer; a leaf-only .cer sends no
    # intermediate and can fail chain validation on some clients
    ssl_certificate /config/.acme.sh/subdomain.your-domain/subdomain.your-domain.cer;
    ssl_certificate_key /config/.acme.sh/subdomain.your-domain/subdomain.your-domain.key;
    access_log /var/log/nginx/subdomain.your-domain.access.log;
    error_log /var/log/nginx/subdomain.your-domain.error.log;
    ssl_session_timeout 1d;
    # TLSv1 and TLSv1.1 are deprecated; drop them unless a legacy client needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # cipher list cut off in the original post (see above); complete it before use
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SH$
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # dh params
    ssl_dhparam /config/ssl/dhparam.pem;
    # Enable HTTP Strict-Transport-Security
    # If you have a subdomain of your site,
    # be careful with the 'includeSubdomains' option
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # XSS Protection for Nginx web server
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag none;
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass https://192.168.23.16;
    }
}
#######-----------------end of script----------------------------

Save the file (Ctrl-O, Ctrl-X).

Make a symbolic link to this file in /etc/nginx/sites-enabled with

ln -s /etc/nginx/sites-available/your-domain.conf /etc/nginx/sites-enabled/

Test your configuration:

service nginx configtest

You should receive one error; it is about the missing SSL certificate and dhparam.pem.

Step 6

Install the SSL/HTTPS certificate for using the secure connection. I use in this case Let's Encrypt and, after a lot of testing scripts, all the credit goes to this guy: https://github.com/j-c-m/ubnt-letsencrypt

Follow the guide below:

curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh | sudo bash
. /config/scripts/renew.acme.sh -d your-domain -d subdomain.your-domain 4096

If everything is good, you now have the Let's Encrypt certificate for serving your domain/subdomain ready to go. Create a scheduled task to automatically renew the certificate. Use the CLI commands below:

configure
set system task-scheduler task renew.acme executable path /config/scripts/renew.acme.sh
set system task-scheduler task renew.acme interval 1d
set system task-scheduler task renew.acme executable arguments '-d your-domain -d subdomain.your-domain 4096'
commit
save

Now you have completed the steps for having a working HTTPS connection. Test the NGINX configuration again:

service nginx configtest

You will receive one error related to dhparam.pem. To solve this error you have to build your DH parameters yourself. Use this command:

openssl dhparam -dsaparam -out /config/ssl/dhparam.pem 4096

Test NGINX again and you shouldn't receive any error.

Start/restart NGINX with

service nginx start

and access your servers from the internet:

https://your-domain
https://subdomain.your-domain

Now you have a working reverse proxy installed in your EdgeRouter, based on NGINX, which redirects traffic from the internet, based on DNS name, to different IP addresses in your internal network.

Final words

The reason to choose an additional web server instead of the default one, lighttpd, is the missing capability of lighttpd to serve SSL connections. For your network/data safety you should consider using another, separate device to act as reverse proxy for your network and let the router be only a router. For small networks a Raspberry Pi 3B+ can be used with success (this would be my next move). Do not forget to use an intrusion alert system or blocker. I prefer to use fail2ban/csf for blocking IP access to my network based on the NGINX access.log and error.log. Enjoy the surfing.
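
As an added example that is not part of the post above and not code from the j-c-m project, the Python below audits an nginx reverse-proxy config for the pitfalls a reviewer would check in a block like the one in the guide before exposing it to the internet: TLS versions below 1.2, a directive repeated in one context (nginx refuses to start), the X-Forward-For typo, HSTS with includeSubDomains, and a backend proxied without X-Forwarded-Proto. Both config texts are constructed: POSTED_CONF is a trimmed variant of the posted block and HARDENED_CONF the corrected settings side by side with it. The list of directives nginx allows more than once per context is a partial list and an assumption of this example.

```python
# Added example (not from the post or the j-c-m project): audit an nginx
# reverse-proxy config for the pitfalls discussed above. The two configs are
# constructed: a trimmed variant of the posted block, and a hardened version.
import re
from collections import Counter

POSTED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_cache shared:SSL:10m;   # repeated by accident
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    proxy_set_header Host $host;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass https://192.168.23.15;
    }
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000" always;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / {
        proxy_pass https://192.168.23.15;
    }
}
"""

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
_WEAK = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
# Simple directives nginx accepts more than once in one context (partial list,
# an assumption of this example; extend it for your own configs).
_REPEATABLE = {'add_header', 'listen', 'server_name', 'proxy_set_header',
               'include', 'error_page', 'access_log', 'error_log'}


def parse(text):
    """Parse nginx syntax into nested lists of (name, args, children); children
    is None for simple directives. '#' comments run to end of line."""
    root, current = [], []
    stack = [root]
    for line in text.splitlines():
        for tok in _TOKEN.findall(line.split('#', 1)[0]):
            if tok == ';' and current:
                stack[-1].append((current[0], current[1:], None))
                current = []
            elif tok == '{' and current:
                child = []
                stack[-1].append((current[0], current[1:], child))
                stack.append(child)
                current = []
            elif tok == '}':
                stack.pop()
            elif tok not in ';{}':
                current.append(tok.strip('"\''))
    return root


def _blocks(block, path):
    """Yield (path, block) for a block and every block nested in it."""
    yield path, block
    for name, _, children in block:
        if children is not None:
            yield from _blocks(children, f'{path}/{name}')


def audit(text):
    """Return human-readable findings for every server block in text."""
    findings = []
    for path, server in _blocks(parse(text), 'root'):
        if not path.endswith('/server'):
            continue
        for ctx_path, ctx in _blocks(server, path):
            for name, n in Counter(d[0] for d in ctx if d[2] is None).items():
                if n > 1 and name not in _REPEATABLE:
                    findings.append(f'{ctx_path}: "{name}" appears {n} times; nginx rejects duplicates')
        directives = [d for _, b in _blocks(server, path) for d in b]
        headers = {a[0].lower() for n, a, _ in directives if n == 'proxy_set_header' and a}
        for name, args, _ in directives:
            if name == 'ssl_protocols' and _WEAK & set(args):
                findings.append(f'{path}: deprecated protocols enabled: {" ".join(sorted(_WEAK & set(args)))}')
            if name == 'add_header' and len(args) > 1 and args[0].lower() == 'strict-transport-security' \
                    and 'includesubdomains' in args[1].lower():
                findings.append(f'{path}: HSTS includeSubDomains covers every subdomain; all of them must serve TLS')
        if 'x-forward-for' in headers:
            findings.append(f'{path}: "X-Forward-For" is a typo for X-Forwarded-For')
        if any(n == 'proxy_pass' for n, _, _ in directives) and 'x-forwarded-proto' not in headers:
            findings.append(f'{path}: proxied without X-Forwarded-Proto; the backend cannot tell http from https')
    return findings
```

Run audit() on the text of your sites-available file: the posted variant yields five findings and the hardened one none. The check list is deliberately narrow; it does not validate the cipher string, and it says nothing about the install step, where piping a remote script into sudo bash means trusting that repository and the TLS connection to it.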

Add IPv6 address to US-XG

I manually added an IPv6 address network configuration to the Unifi XG server so I can 

ssh ubnt@unifi-server.ad.local

ubnt@unifi-server.ad.local's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Thu Jul 12 13:30:43 2018 from 10.0.1.222
ubnt@unifi-server:~$

sudo nano /etc/network/interfaces.d/eno3

Then add a valid IPv6 configuration:

iface eno3 inet6 static
    # The post wrote these addresses as 2001:db8::1::51 and so on; an IPv6
    # address may contain "::" only once, so 2001:db8:0:1::/64 is assumed here.
    address 2001:db8:0:1::51
    netmask 64
    gateway 2001:db8:0:1::1
    dns-nameservers 2001:db8:0:1::222 2001:db8:0:1::100

Make sure that the server DNS name resolves to both an A and an AAAA record:

ubnt@unifi-server:~$ host unifi-server.ad.local
Using domain server:
Name: ns.local
Address: 2001:db8:0:1::222#53
Aliases:

unifi-server.ad.local has address 192.168.27.51
unifi-server.ad.local has IPv6 address 2001:db8:0:1::51

You should now be able to reach various Unifi services on the appliance over IPv6 (UNMS, Unifi Video).

There currently is no other way to add IPv6 addresses to the Unifi Server appliance version (0.5.1 | GUI 1.1.1).

Redirect DNS with DNAT. Care for return traffic?

Hello!

I want to redirect all DNS requests to OpenDNS with DNAT. So I have to create a DNAT rule for switch0 which translates all packets with destination port 53 to the OpenDNS IP.

My question is now: do I have to care for the return traffic? Because if a client computer on switch0 sends a DNS request to the Google DNS server, it expects an answer from 8.8.8.8 and not from the OpenDNS IP.

Do I have to create an additional SNAT rule on switch0 which translates all packets which have port 53 on the source side to the original (for example Google) IP?


ER-X firewall

Just installed an ER-X and used the wizard to configure it. It looks like it added firewall protection during the setup. Is this adequate or is more protection needed?

If so, what is recommended?

Blocking URLs

Hi

I would like to block specific URLs on my network. Is there an easy, quick way to do this?

Thank You

VPN Not working after creating vtun's

Hi

Can anyone help with the following?

I have an L2TP VPN, but after configuring vtuns on my router I can no longer connect to my VPN from outside my LAN.

Please see my config attached.

Thank you

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN_NETWORK {
            description "LAN NETWORK IP ADDRESSES"
            network 192.168.1.0/24
            network 192.168.2.0/24
            network 10.0.1.0/24
            network 10.0.2.0/24
            network 10.0.3.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OpenVPN_Route {
        rule 10 {
            action modify
            description "Traffic from ETH0.50 to IPVanish"
            modify {
                table 1
            }
            source {
                address 10.0.3.0/24
            }
        }
    }
    modify SOURCE_ROUTE {
        rule 10 {
            action modify
            description "Traffic from VLAN 50 to IPVANISH"
            modify {
                table 1
            }
            source {
                address 10.0.3.0/24
            }
        }
        rule 60 {
            action modify
            description "Traffic from VLAN 60 to IPVANISH UK"
            modify {
                table 2
            }
            source {
                address 10.0.6.0/24
            }
        }
    }
    name VLAN10_IN {
        default-action accept
        description "VLAN10 Firewall"
        rule 20 {
            action accept
            description "ALLOW WiFi Access to Unifi Controller"
            destination {
                address 10.0.1.50
                port 8080,8443,8880
            }
            log enable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "ALLOW WiFi Access to Office Printer"
            destination {
                address 192.168.1.30
            }
            log enable
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "Drop LAN-Networks"
            destination {
                group {
                    network-group LAN_NETWORK
                }
            }
            log enable
            protocol all
        }
        rule 50 {
            action accept
            description "Accept Established / Related"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 60 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name VLAN10_LOCAL {
        default-action drop
        description "VLAN10 Firewall"
        rule 1 {
            action accept
            description "Accept Established / Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log enable
            protocol udp
        }
        rule 3 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            log enable
            protocol udp
        }
        rule 4 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name VLAN50_IN {
        default-action accept
        description "VLAN10 Firewall"
        rule 1 {
            action accept
            description "ALLOW WiFi Access to Unifi Controller"
            destination {
                address 10.0.1.50
                port 8080,8443,8880
            }
            log enable
            protocol tcp_udp
        }
        rule 11 {
            action drop
            description "Drop LAN-Networks"
            destination {
                group {
                    network-group LAN_NETWORK
                }
            }
            log enable
            protocol all
        }
        rule 12 {
            action accept
            description "Accept Established / Related"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 13 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name VLAN50_LOCAL {
        default-action drop
        description "VLAN10 Firewall"
        rule 1 {
            action accept
            description "Accept Established / Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log enable
            protocol udp
        }
        rule 3 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            log enable
            protocol udp
        }
        rule 4 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Catrinas Internal Site"
            destination {
                port 8081
            }
            disable
            log enable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            description "PLEX WEB"
            destination {
                port 32400
            }
            log enable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "3389 Paul Laptop"
            destination {
                port 3389
            }
            log enable
            protocol tcp_udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "L2TP/IPSEC IKEv2"
            destination {
                port 500,1701,4500
            }
            log enable
            protocol udp
        }
        rule 3 {
            action accept
            description ESP
            log enable
            protocol esp
        }
        rule 4 {
            action accept
            description GRE
            log enable
            protocol gre
        }
        rule 5 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.1.1/24
        description LAN1
        duplex auto
        speed auto
        vif 10 {
            address 192.168.2.1/24
            description "VLAN10 GUEST"
            firewall {
                in {
                    name VLAN10_IN
                }
                local {
                    name VLAN10_LOCAL
                }
            }
            mtu 1500
        }
        vif 20 {
            address 192.168.1.1/24
            description "VLAN20 PRIVATE"
        }
        vif 50 {
            address 10.0.3.1/24
            description BFT_USA
            firewall {
                in {
                    modify SOURCE_ROUTE
                    name VLAN50_IN
                }
                local {
                    name VLAN50_LOCAL
                }
            }
        }
        vif 60 {
            address 10.0.6.1/24
            description "IPVanish _BFT_UK"
            firewall {
                in {
                    modify SOURCE_ROUTE
                }
            }
            mtu 1500
        }
    }
    ethernet eth2 {
        address 10.0.2.1/24
        description LAN2
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/ipvanish-US-Chicago-chi-a01.ovpn
    }
    openvpn vtun1 {
        config-file /config/ipvanish-UK-London-lon-c11.ovpn
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1.10
    lan-interface eth1.20
    wan-interface eth0
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                    distance 2
                }
                next-hop-interface vtun1 {
                    distance 2
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 100
                }
            }
        }
        table 2 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun1 {
                    distance 2
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 100
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name BFT_UK {
            authoritative disable
            subnet 10.0.6.0/24 {
                default-router 10.0.6.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.0.6.2 {
                    stop 10.0.6.30
                }
                unifi-controller 10.0.1.50
            }
        }
        shared-network-name BFT_USA {
            authoritative disable
            subnet 10.0.3.0/24 {
                default-router 10.0.3.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.0.3.2 {
                    stop 10.0.3.6
                }
                unifi-controller 10.0.1.50
            }
        }
        shared-network-name LAN1 {
            authoritative disable
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 8.8.8.8
                lease 86400
                start 10.0.1.38 {
                    stop 10.0.1.243
                }
                static-mapping NAS_NIC3_FOR_VMS {
                    ip-address 10.0.1.56
                    mac-address 24:5e:be:18:03:16
                }
                static-mapping WAP_BACK_HALLWAY {
                    ip-address 10.0.1.41
                    mac-address 44:d9:e7:fc:13:a3
                }
                static-mapping WAP_LIVINGROOM {
                    ip-address 10.0.1.40
                    mac-address 44:d9:e7:fc:13:ec
                }
                unifi-controller 10.0.1.50
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 10.0.2.0/24 {
                default-router 10.0.2.1
                dns-server 8.8.8.8
                lease 86400
                start 10.0.2.38 {
                    stop 10.0.2.45
                }
                unifi-controller 10.0.1.46
            }
        }
        shared-network-name VLAN10_GUEST_DHCP {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.2 {
                    stop 192.168.2.254
                }
                static-mapping Catrinas_Phone {
                    ip-address 192.168.2.4
                    mac-address 14:9a:10:36:8c:e8
                }
                static-mapping Pauls_Phone {
                    ip-address 192.168.2.2
                    mac-address d4:37:d7:3e:34:93
                }
                unifi-controller 10.0.1.46
            }
        }
        shared-network-name VLAN20_PRIVATE_DHCP {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.2 {
                    stop 192.168.1.254
                }
                static-mapping CatrinaLaptop {
                    ip-address 192.168.1.96
                    mac-address ac:d1:b8:13:68:71
                }
                static-mapping Chromecast {
                    ip-address 192.168.1.98
                    mac-address a4:77:33:22:81:8f
                }
                static-mapping HP-ILO-Server-NIC {
                    ip-address 192.168.1.119
                    mac-address 1c:98:ec:0f:49:c2
                }
                static-mapping NAS1 {
                    ip-address 192.168.1.155
                    mac-address 24:5e:be:18:03:14
                }
                static-mapping One_Lan_RDP_Box {
                    ip-address 192.168.1.154
                    mac-address 38:60:77:df:c7:33
                }
                static-mapping PaulMC-IPhone-5S {
                    ip-address 192.168.1.123
                    mac-address 68:fb:7e:6b:3e:39
                }
                static-mapping WNS_Pauls_Laptop {
                    ip-address 192.168.1.140
                    mac-address 5c:51:4f:a0:ce:18
                }
                unifi-controller 10.0.1.46
            }
        }
        shared-network-name VLAN100_USA_WIFI {
            authoritative disable
            subnet 10.0.4.0/24 {
                default-router 10.0.4.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.0.4.1 {
                    stop 10.0.4.5
                }
                unifi-controller 10.0.1.50
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description PLEX
            destination {
                port 32400
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.165
                port 32400
            }
            log enable
            protocol tcp
            type destination
        }
        rule 2 {
            description "3389 One Lan RDP Box"
            destination {
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.140
                port 3389
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 3 {
            description "Catrinas Internal Site"
            destination {
                port 8081
            }
            disable
            inbound-interface eth0
            inside-address {
                address 192.168.1.155
                port 8081
            }
            log enable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description "IPVANISH USA"
            log disable
            outbound-interface vtun0
            protocol all
            source {
                address 10.0.3.0/24
                group {
                }
            }
            type masquerade
        }
        rule 5012 {
            description "IPVANISH UK"
            log enable
            outbound-interface vtun1
            protocol all
            source {
                address 10.0.6.0/24
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name EDLFirewall
    login {
        banner {
            post-login "Authorised users only "
            pre-login "Welcome Paul "
        }
        radius-server 192.168.1.14 {
            port 1812
            secret xxxxxxxxxxxxxxxx
            timeout 2
        }
        user sysadmin {
            authentication {
                encrypted-password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                plaintext-password ""
            }
            full-name "Paul"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
    traffic-analysis {
        custom-category PORN {
        }
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username xxxxxxxxx {
                        password xxxxxxxxxxxxxx
                    }
                    username xxxxxxxx {
                        password xxxxxxxxxxxxx
                    }
                }
                mode local
                radius-server 192.168.1.14 {
                    key xxxxxxxxxxxxxxxx
                }
                require mschap-v2
            }
            client-ip-pool {
                start 192.168.1.200
                stop 192.168.1.210
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxxxxxxxxx
                }
                ike-lifetime 3600
                lifetime 3600
            }
            mtu 1500
            outside-address xxxxxxxxxxxxxxxxxxx
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.0.5056246.180125.1007 */
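
As an added example that is not part of the post above and not Ubiquiti's own tooling, the Python below parses the brace-delimited EdgeOS config.boot format into nested dicts and then answers two questions a reviewer asks first when a VPN stops working after tunnels were added: which interfaces carry no firewall rule set at all (a `modify` policy on its own filters nothing), and which source networks a `modify` rule steers into a routing table whose default route points at the tunnels. CONFIG is a constructed excerpt of the posted configuration, trimmed to the parts the two checks use; on the full posted config the same functions report more interfaces.

```python
# Added example, not from the post or from Ubiquiti: parse EdgeOS config.boot
# syntax and report what the tunnel setup changed. CONFIG is a constructed
# excerpt of the posted configuration, trimmed to what the two checks use.
import shlex

CONFIG = """\
firewall {
    modify SOURCE_ROUTE {
        rule 10 {
            modify {
                table 1
            }
            source {
                address 10.0.3.0/24
            }
        }
    }
}
interfaces {
    ethernet eth1 {
        vif 60 {
            firewall {
                in {
                    modify SOURCE_ROUTE
                }
            }
        }
    }
    openvpn vtun0 {
        config-file /config/ipvanish-US-Chicago-chi-a01.ovpn
    }
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
                next-hop-interface vtun1 {
                }
            }
        }
    }
}
"""


def parse_config(text):
    """EdgeOS config.boot -> nested dicts; a leaf key that repeats becomes a list."""
    root, stack = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('/*'):          # blank or version comment
            continue
        node = stack[-1] if stack else root
        if line.endswith('{'):                          # block header, e.g. "vif 60 {"
            stack.append(node.setdefault(line[:-1].strip(), {}))
        elif line == '}':
            stack.pop()
        else:                                           # leaf, e.g. 'description "x y"'
            key, *rest = shlex.split(line)
            old, value = node.get(key), ' '.join(rest)
            node[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
    return root


def unfiltered_interfaces(cfg):
    """Interfaces and vifs with no firewall rule set ('name') attached; 'modify' alone filters nothing."""
    def filtered(body):
        fw = body.get('firewall', {})
        return any('name' in fw.get(d, {}) for d in ('in', 'local', 'out'))
    found = []
    for header, body in cfg.get('interfaces', {}).items():
        kind, name = header.split()
        if kind != 'loopback' and not filtered(body):
            found.append(name)
        found += [f'{name}.{k.split()[1]}' for k, v in body.items()
                  if k.startswith('vif ') and not filtered(v)]
    return sorted(found)


def policy_routes(cfg):
    """Source network steered by a firewall 'modify' rule -> interfaces its table's default route uses."""
    tables = {}
    for header, body in cfg.get('protocols', {}).get('static', {}).items():
        if header.startswith('table '):
            hops = body.get('interface-route 0.0.0.0/0', {})
            tables[header.split()[1]] = sorted(h.split()[1] for h in hops
                                               if h.startswith('next-hop-interface '))
    routes = {}
    for header, body in cfg.get('firewall', {}).items():
        if not header.startswith('modify '):
            continue
        for k, rule in body.items():
            if k.startswith('rule ') and 'modify' in rule and 'source' in rule:
                table, src = rule['modify'].get('table'), rule['source'].get('address')
                if table and src:
                    routes[src] = tables.get(table, [])
    return routes
```

Feed parse_config() the text of /config/config.boot and the two reports fall out: on the excerpt, eth1, eth1.60 and vtun0 have no rule set, and 10.0.3.0/24 is steered into table 1, whose default route names both vtun0 and vtun1.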

Site-to-Site VPN Azure

Hi everyone, I wanted to see if you could help out with an issue my team and I are having right now. We use Azure Site-to-Site VPN and we're having an issue with getting our EdgeRouter to connect to the Azure S2S. Right now our Azure S2S VPN is connecting with RRAS as route-based; any help would be great. I can add the config if needed; any help or feedback on this would be great. Right now the EdgeRouter has a local LAN connection of 192.168.x.x, but all our in-house network items, servers, etc. will run on a 10.x.x.x network when everything goes live; we're just trying to get it tested to see if it will work right, etc. The VPN type is Site-to-site (IPsec). We tried to follow the steps listed in the UBNT help file but with no luck.

EdgeRouter VPN number of users

What determines how many remote users can connect to an EdgeRouter VPN at the same time?

Wouldn't these settings suggest 40?

remote-access client-ip-pool start 192.168.1.200
remote-access client-ip-pool stop 192.168.1.240

I can only get one to connect at a time.

Static Host-Mapping not working after upgrade to FW 1.10.3 on Edgerouter X

Hi,

I'm pretty new to Edgerouters but so far have managed to configure the device to work as expected.

This implies the use of static host mapping, which used to work just fine.

After updating the Edgerouter X to FW 1.10.3 the static host mapping no longer works.

I've checked config.boot.

The host-mapping section looks like this:

    static-host-mapping {
        host-name et9x00.local {
            alias sat.local
            inet 192.168.1.82
        }
        host-name hm.local {
            inet 192.168.1.140
        }
    }

The dns section in "service":

    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }

Restarting does not help.

Thanks for any advice

 

Best regards TomTom54

OpenVPN Site to Site + L2TP Possible?

Good day everyone, I apologize in advance for the lengthy read. I'm moderately inclined technically and this is my first time using EdgeRouter HW/SW. I was recruited by a friend to complete a somewhat complicated setup with 2 EdgeRouters, one being a Pro 8 and the other an X-SFP. I myself need some help with this. I've done well so far with getting things up and running by reading the guides, but this part here has stumped me. The setup is as follows:

 

Main Site:

ERP-8 w/ 2x Static IP WAN Purely for Failover (eth4/5)

1x LAN Network Bridged to eth0 through 2

OpenVPN Site to Site Tunnel to/from Satellite Site

Port Forwarding and Some DNAT Rules for machines that needed to use a 192.168.1.0/24 network

 

Satellite Site:

ERX-SFP w/ 2x Static IP WAN Purely for Failover (eth3/4)

1x LAN Network (switch0 which includes eth0-2)

OpenVPN Site to SIte Tunnel to/from Main Site

 

After many hours, I got this setup working just fine, but now my friend is leaving the state for a while and wants a personal VPN tunnel to at least the main site from his iPhone and/or laptop, so I tried to set up L2TP on the Main Site router using the support guide, even tinkering with it a bit. The furthest I've gotten is that it would work if I was on the same network as the router, but it would never connect from the outside. I've tried messing with the trusted network and the in interfaces with no luck, in addition to firewall rules. The bulk of the stuff I can understand and work with even though it's a little difficult for me, but VPNs stump me greatly on top of that. So what I want to know is: is it possible to have both OpenVPN and L2TP running at the same time properly, or is there a way to set up a second instance of OpenVPN just in server mode? Any info/config needed, just let me know how to give it to you and I will, as I have access to both routers at all times. Thanks in advance for your help.


Restrict subnet from accessing the rest of the network, but allow within its own subnet.

L2TP VPN and RDP on ER8 Not seeing eth2 from VPN


 

Hi folks, I have been impressed with this forum and am seeking its help.

 

I have been reading various docs and searching these forums for the past few days looking for a parallel answer that would illuminate me, but I am too dense, so now I am turning to you all.

I have two WAN connections (eth0 and eth1), but I am only using one (eth0) at this moment while getting these things configured. I expect to bring up the other one (eth1) and direct some particular traffic (subnet) through it in the future, but it is disabled for now.

 

My LAN is eth2 (192.168.1.0).

I have two point to point IPSEC VPNs connecting successfully to the ER8. 

I am now looking to configure an L2TP VPN connection to allow me to connect via RDP to a couple of machines on the primary network (192.168.1.0).

The L2TP connection is up and working; I am able to ping and see www services through it to both the Pt-to-Pt VPNs (192.168.0.0 & 192.168.7.0 respectively), and I can also see the ER8 host (192.168.1.1).

I cannot ping machines on 192.168.1.0...

The two machines that I am seeking RDP with (192.168.1.14 and .7) reply with request timed out.

I tried to ping a couple of printers (192.168.1.99 and 192.168.1.9) on that interface (192.168.1.0, eth2) and they provide destination host unreachable.

 

I assume this is a FW and/or routing issue, but I do not know what to open up and where in the config to place the rule(s) to do so. As a relative newbie (I have successfully worked with Zywall USG50), I am inexperienced with the CLI and EdgeOS, and my knowledge of routing is self taught by necessity and therefore spotty and suspect. Managing routing and firewall configuration is not my primary day job, but it is part of my duty, so I am hoping you all will be able to point me to success.

TIA-

C

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description RemAcER8
            destination {
                port 80,443,22
            }
            log enable
            protocol tcp
        }
        rule 30 {
            action accept
            description ike
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description esp
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description nat-t
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description l2tp
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
    }
    name Watch {
        default-action accept
        description "NAT for ******"
        rule 1 {
            action accept
            description "***** NAT"
            destination {
                address *******
            }
            log disable
            protocol tcp_udp
            source {
                group {
                    address-group ADDRv4_eth0
                }
                port ******
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 216.173.****
        description WAN
        duplex auto
        firewall {
            in {
                name Watch
            }
            local {
                name WAN_LOCAL
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 50.0.*****
        description "WAN 2"
        disable
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.1.1/24
        description Local
        duplex auto
        firewall {
            local {
                name Watch
            }
        }
        speed auto
    }
    ethernet eth3 {
        address 192.168.1.220/24
        description "local 2"
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        address 192.168.100.1/24
        address 192.168.200.1/24
        description wifi-Guest-snowcrash
        duplex auto
        speed auto
    }
    ethernet eth7 {
        address 192.168.50.2/24
        description phones
        duplex auto
        firewall {
            in {
            }
            out {
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description Frankie
        forward-to {
            address ********
            port 80
        }
        original-port *******
        protocol tcp_udp
    }
    rule 2 {
        description Main
        forward-to {
            address *******
            port 80
        }
        original-port *******
        protocol tcp_udp
    }
    rule 3 {
        description Comp
        forward-to {
            address *******
            port *******
        }
        original-port *******
        protocol tcp_udp
    }
    rule 4 {
        description Batch
        forward-to {
            address *******
            port *******
        }
        original-port *******
        protocol tcp_udp
    }
    rule 5 {
        description comp.2
        forward-to {
            address *******
            port *******
        }
        original-port *******
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 50.0.******* {
            }
            next-hop 216.173******* {
                description GWonPOE
                distance 1
            }
            next-hop 216.173.******* {
                disable
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name MICPHdhcp {
            authoritative disable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.2
                dns-server 208.*******
                dns-server 208.*******
                lease 86400
                start 192.168.50.10 {
                    stop 192.168.50.60
                }<bunch of phones>
                }
            }
        }
        shared-network-name MNETDHCP {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 208.*******
                dns-server 192.168.1.1
                domain-name mnet
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.179
                }<bunch of hosts>
                }
            }
        }
        shared-network-name Snowcrash {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.1.1
                dns-server 208.201.224.11
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.149
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 750
            listen-on eth2
            listen-on eth3
            listen-on eth4
            listen-on eth5
            listen-on eth6
            listen-on eth7
            name-server 192.168.1.7
            name-server 208.*******
            name-server 208.*******
            name-server 208.*******
            name-server 208.*******
            name-server 8.8.8.8
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
        timeout {
            udp {
                other 30
                stream 300
            }
        }
    }
    host-name ubntER8
    login {
        user ******* {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 208.67.222.222
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        esp-group FOO1 {
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ike-group FOO1 {
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 63.249.70.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description 1020OCEAN
                ike-group FOO0
                local-address 216.173.*******
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.1.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
            peer 67.180.160.57 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Seacliff_PH2
                ike-group FOO1
                local-address 216.173.*******
                tunnel 1 {
                    esp-group FOO1
                    local {
                        prefix 192.168.1.0/24
                    }
                    remote {
                        prefix 192.168.7.0/24
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username ******* {
                        password ****************
                    }
                    username ******* {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.1.250
                stop 192.168.1.251
            }
            dns-servers {
                server-1 192.168.1.1
                server-2 192.168.1.7
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
            }
            mtu 1450
            outside-address 216.173.*******
        }
    }
}
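Before tracing the routing problem, it is worth noticing what the config as posted tells a reviewer at a glance: both IKE and ESP groups negotiate 3DES/SHA1 with DH group 2, the GUI has older-ciphers enabled, and WAN_LOCAL rule 21 accepts 22/80/443 from any source. The following script is an added example and not code from the forum post, from Ubiquiti or from EdgeOS. It parses the brace syntax that `show configuration` prints and reports those three classes of finding. The excerpt embedded in SAMPLE_CONFIG is constructed; it only borrows the group names, rule numbers and values shown above, and the parser skips the `<bunch of hosts>` elisions the poster left in place.

```python
import ipaddress  # unused here but left for readers extending the checks to prefixes

# Constructed excerpt in the shape of the config posted above (no real
# addresses or secrets; only the group names and rule numbers mirror the post).
SAMPLE_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 21 {
            action accept
            destination {
                port 80,443,22
            }
            protocol tcp
        }
    }
}
service {
    gui {
        https-port 443
        older-ciphers enable
    }
}
vpn {
    ipsec {
        esp-group FOO0 {
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
    }
}
"""

# Algorithms a current deployment should not still be negotiating.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh-group": {"1", "2", "5"}}
MGMT_PORTS = {"22", "80", "443"}


def parse_config(text):
    """EdgeOS brace syntax -> nested dicts: 'name {' opens a block, 'key value'
    stores a string, a bare 'key' stores True, a repeated key becomes a list.
    A line like '}<bunch of hosts>' counts as a plain closing brace."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        if line.startswith("}"):
            stack.pop()
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
            continue
        key, _, value = line.partition(" ")
        value = value.strip() or True
        node = stack[-1]
        if key in node:
            prev = node[key]
            node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            node[key] = value
    return root


def audit(cfg):
    """Return human-readable findings for a parsed config."""
    findings = []
    # 1. Weak IKE/ESP proposals.
    for gname, group in cfg.get("vpn", {}).get("ipsec", {}).items():
        if not gname.startswith(("esp-group", "ike-group")):
            continue
        for pname, prop in group.items():
            if not pname.startswith("proposal"):
                continue
            for key, bad in WEAK.items():
                if str(prop.get(key)) in bad:
                    findings.append(f"{gname} {pname}: {key} {prop[key]} is weak")
    # 2. Legacy TLS cipher suites re-enabled on the management GUI.
    if cfg.get("service", {}).get("gui", {}).get("older-ciphers") == "enable":
        findings.append("service gui: older-ciphers enable re-allows legacy TLS ciphers")
    # 3. Accept rules that expose management ports with no source restriction.
    for fname, fw in cfg.get("firewall", {}).items():
        if not fname.startswith("name "):
            continue
        for rname, rule in fw.items():
            if not (rname.startswith("rule ") and rule.get("action") == "accept"):
                continue
            ports = set(str(rule.get("destination", {}).get("port", "")).split(","))
            exposed = sorted(MGMT_PORTS & ports)
            if exposed and "source" not in rule:
                findings.append(f"{fname} {rname}: accepts {','.join(exposed)} from any source")
    return findings
```

Run `audit(parse_config(open("config.boot").read()))` against a full saved config; the parser tolerates the redacted `*******` values because it never interprets them.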

 

Trouble accessing online banking since update to 1.10.5?


I'm not 100% certain of the timing, but let's say 95%. I updated about a week ago, and early this week, we tried accessing our bank's online banking system (firstib.com) from their iPhone app. It wasn't working. It gave an error message that the service was unavailable. Of course, we didn't think much of it. Thought maybe my wife's phone needed an updated app. So the next day, I tried from my phone, which is up to date. Same thing. Seemed pretty distressing that their service could be down like 3 days at that point. Then tried the web site. After entering credentials, just a blank screen came up. Called the bank, expecting them to be very apologetic, but no, they seemed to not know anything about a system-wide outage. So, at that point it seemed like maybe something was wrong with my account somehow. They were looking into it.

 

Well, this morning, I was at a cafe and tried accessing my account. And it worked! Both via the web site and the mobile app! I was relieved. But then when I got home, and tried to do the mobile deposit I was trying to do, it was broken again! Slowly, I began to put 2+2 together. I tested by turning off WiFi on my phone, and was then able to use the mobile app just fine. Turn wifi back on, and now I can't. So it seems to be a problem with my network, and the most interesting thing that has happened here since the last time we successfully used the banking app was the firmware update on the router.

 

I seem to recall reading issues in this forum about unusual problems accessing certain web sites. Perhaps related to MTU? But my recollection is fuzzy. My MTU is at the default (1500) setting.

 

Anyone know what could be going on? Thanks in advance!

IPv6 dhcp-pd shorter prefix than /64


Hi,

A search in the forum didn't help.

Plan: delegate part of a dynamic allocation (assigned /56) to another router (planned delegation /60).

 

environment:

pppoe0 as uplink interface

eth2 as the interface to the 2nd router

 

snippet from config:

dhcpv6-pd {
    pd 0 {
        interface eth2 {
            prefix-ID 8
            service dhcpv6-stateless
        }
    }
    prefix-length 56
}

Any tips and comments on where to set the delegated prefix (/60)?
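To see what the numbers in that snippet mean, the following added example (not from the post and not EdgeOS code) carves a delegated /56 into the /60 and /64 blocks that a `prefix-id` selects and rejects plans where a /64 kept for a local interface falls inside the /60 handed on to the second router. The /56 is a constructed documentation prefix, and treating the prefix-id as a plain integer index is an assumption of this example, not something the post confirms about the device.

```python
import ipaddress


def carve(delegated, prefix_id, sub_len):
    """Return sub-prefix number `prefix_id` of length `sub_len` inside `delegated`.
    A /56 holds 16 /60 slots or 256 /64 slots; ids outside that range are rejected."""
    net = ipaddress.IPv6Network(delegated)
    if not net.prefixlen <= sub_len <= 64:
        raise ValueError(f"sub-prefix /{sub_len} must lie between /{net.prefixlen} and /64")
    slots = 2 ** (sub_len - net.prefixlen)
    if not 0 <= prefix_id < slots:
        raise ValueError(f"prefix-id {prefix_id} out of range 0..{slots - 1} for /{sub_len}")
    block = 2 ** (128 - sub_len)  # address span of one slot
    return ipaddress.IPv6Network((int(net.network_address) + prefix_id * block, sub_len))


def plan(delegated, wanted):
    """Map {interface: (prefix_id, sub_len)} to concrete prefixes and fail on
    overlap, e.g. a local /64 that sits inside the /60 re-delegated to the
    downstream router (assumed integer prefix-ids, see lead-in)."""
    result = {iface: carve(delegated, pid, length) for iface, (pid, length) in wanted.items()}
    names = list(result)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if result[a].overlaps(result[b]):
                raise ValueError(f"{a} {result[a]} overlaps {b} {result[b]}")
    return result


if __name__ == "__main__":
    # Constructed plan: /60 slot 8 to the second router on eth2, two local /64s.
    for iface, prefix in plan("2001:db8:1200::/56",
                              {"eth2": (8, 60), "eth1": (0, 64), "eth3": (1, 64)}).items():
        print(iface, prefix)
```

With a /56 the sixteen /60 slots are numbered 0 to 15, so slot 8 starts at the fourth hextet value 0x80; the overlap check is the part worth keeping around, since nothing on the router stops you from delegating a /60 that already contains one of your own /64s.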

EP-R6 not accessible after FW upgrade


Hope someone can help. We have a large camp site using quite a few EP-R6 devices as managed outdoor switches. No fancy configs, just to forward (tagged VLAN) traffic and powering Unifi accesspoints. We started using them earlier this year with FW 1.9.7Hotfix4, monitored with UNMS beta (latest). I upgraded all of them to 1.10.3 some time ago via UNMS. So far so good. Everything is working as expected.

 

Unboxed a new EP-R6 today. It was running old firmware. First upgraded the device to 1.9.7Hotfix4 using the GUI. No problem. Rebooted and put in the switch config as we need using the import function in the GUI. No problem. Rebooted the device. Added the device to UNMS. Reloaded the GUI as asked by the GUI after authorizing the device in UNMS. Still working well.

 

UNMS gave me the option to upgrade FW to 1.10.5. Since it was not in production use yet, I immediately started the upgrade. Upgrade started according to UNMS, device rebooted, but is now no longer accessible. Left it for over an hour on my desk before unplugging it and rebooting it. Nothing. Tried the "soft" reset, no effect. Tried the power on reset. Lights blink as documented, but still not accessible. If a network cable is plugged in, the link light comes up and blinks on activity. Ran Wireshark to see if there's any data sent by the EP-R6. Nothing captured.

 

Any good advice, or should I just grab a new one? Thanks!
