Channel: EdgeRouter topics

Edge Router X firewall


Dear all,

 

I have an issue with remote access to my ER-X.

The situation is the following: before, I had a wireless internet breakout and had no issue with remote management of the router. I set the firewall settings to allow any type of connection.

Three weeks ago we swapped the wireless internet connection for fiber. The router settings are still the same, and I can ping the router remotely, but if I try to access the GUI I get a timeout.

I have some DVRs behind the router, and I set up port forwarding to see them remotely; that is working fine.

By the way, the router also has a port forward from inside port 80 to outside port 80.

If someone has had a similar situation and found a solution for it, please let me know.

 

Thank you.


Temporary disable internet by MAC address


Hi all, I just set up a new EdgeRouter X and I'm trying to set up an on-demand internet kill switch of sorts to temporarily disable internet access for a specific MAC address for about 5 seconds and then have it re-enable access. It doesn't need to be automatic, just something I can do at will.

 

This is something I could do on my old linksys using restrictions.

 

Thanks!
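One way to do this from the EdgeRouter's own CLI, as an added example that is not part of the post above: a small Python script (EdgeOS ships Python, so it can run on the router, though nothing in it requires that) which inserts a drop rule keyed on the client's source MAC into the LAN-side ruleset, commits, waits, and removes the rule again. The ruleset name LAN_IN, the rule number 5 and the path of the Vyatta config wrapper are assumptions. Two things have to hold for the cut to bite: the ruleset must be attached `in` on the interface the client is directly connected to (a source MAC is only visible on the first hop), and the drop rule's number must be lower than any "accept established/related" rule in that ruleset, because EdgeOS evaluates rules in numeric order and an existing flow would otherwise keep passing.

```python
#!/usr/bin/env python
"""Timed per-MAC internet kill switch for EdgeOS (added example; names and paths are assumptions)."""
import re
import shlex
import subprocess
import sys
import time

WRAPPER = '/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper'  # assumption: EdgeOS config-mode wrapper
RULESET = 'LAN_IN'   # assumption: ruleset applied 'in' on the client's LAN interface
RULE = 5             # assumption: lower than the ruleset's accept-established rule
MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    if len(digits) != 12:
        raise ValueError('not a MAC address: %r' % mac)
    mac = ':'.join(digits[i:i + 2] for i in range(0, 12, 2))
    assert MAC_RE.match(mac)
    return mac


def kill_switch_commands(mac, ruleset=RULESET, rule=RULE):
    """Config-mode commands that drop every packet the MAC sends through the router."""
    mac = normalize_mac(mac)
    base = 'firewall name %s rule %d' % (ruleset, rule)
    return [
        'set %s action drop' % base,
        'set %s description "kill switch %s"' % (base, mac),
        'set %s source mac-address %s' % (base, mac),
        'set %s log disable' % base,
    ]


def restore_commands(ruleset=RULESET, rule=RULE):
    """Remove only the temporary rule; the rest of the ruleset is untouched."""
    return ['delete firewall name %s rule %d' % (ruleset, rule)]


def apply_commands(commands):
    """One config transaction through the wrapper: begin, set/delete..., commit, end."""
    subprocess.check_call([WRAPPER, 'begin'])
    try:
        for cmd in commands:
            # shlex keeps the quoted description as a single argument
            subprocess.check_call([WRAPPER] + shlex.split(cmd))
        subprocess.check_call([WRAPPER, 'commit'])
    finally:
        subprocess.check_call([WRAPPER, 'end'])


def cut(mac, seconds=5):
    """Drop the client for `seconds`, then restore even if the sleep is interrupted."""
    apply_commands(kill_switch_commands(mac))
    try:
        time.sleep(seconds)
    finally:
        apply_commands(restore_commands())


if __name__ == '__main__':
    if len(sys.argv) < 2:
        sys.exit('usage: %s <mac> [seconds]' % sys.argv[0])
    cut(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5)
```

Run it as an admin-level user (`python killswitch.py aa:bb:cc:dd:ee:01 5`). If hardware offload is enabled, verify on the device that a flow which was already established is actually interrupted, since offloaded flows do not take the same path as the first packets of a connection; if it is not, the five-second cut needs offload off for the duration or a longer window.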

Issues with Client Isolation - /32 via DHCP


Hello all,

 

As a part of our network design, we push a /32 to the client's router.  We do this by adding the following to our DHCP config:

 

shared-network-parameters 'option subnet-mask 255.255.255.255;'

 

This works well with airGateway, airCube and many other non-Ubiquiti devices. Unfortunately, we have run across many consumer routers that do not like the subnet mask being /32. We have many Netgear routers on our network, but some work and some don't. Same issue with other brands.

 

Has anyone else experienced similar issues?  It's very frustrating.  We don't want to push our WiFi solution, but we also can't spend countless hours trying to get the customer's router to work.

 

Please let me know your suggestions.  Thank you!

 

- Jason
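One workaround worth testing on the CPEs that reject a /32 lease, as an added example that is not part of the post above: keep the /32 but hand the client an explicit host route to the gateway plus a default route through it via DHCP option 121 (RFC 3442 classless static routes), which is how a client with no on-link subnet can still reach its router. The encoder below builds the option bytes and the matching ISC dhcpd parameter strings; the gateway 100.64.0.1 is a constructed value, the option name `rfc3442-classless-static-routes` is the conventional one and has to be declared before it is used, a router of 0.0.0.0 in a route entry is the usual way to express "on-link", and the assumption that EdgeOS passes `global-parameters` and `shared-network-parameters` to dhcpd verbatim is exactly that. Whether a given consumer router honours option 121 is what needs testing; note that RFC 3442 requires a client that understands option 121 to ignore option 3 (routers), so the default route must be carried inside option 121 as well.

```python
"""DHCP option 121 (RFC 3442) encoder/decoder for /32 client leases (added example; values are constructed)."""


def _ip_bytes(ip):
    parts = [int(p) for p in ip.split('.')]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError('bad IPv4 address: %r' % ip)
    return bytes(bytearray(parts))


def encode_classless_routes(routes):
    """routes: [(destination 'a.b.c.d/len', router 'a.b.c.d'), ...].
    Each entry is encoded as: prefix length, only the significant destination
    octets (ceil(len/8) of them), then the 4-octet router."""
    out = bytearray()
    for dest, router in routes:
        net, plen = dest.split('/')
        plen = int(plen)
        if not 0 <= plen <= 32:
            raise ValueError('bad prefix length in %r' % dest)
        significant = (plen + 7) // 8
        out.append(plen)
        out += _ip_bytes(net)[:significant]
        out += _ip_bytes(router)
    return bytes(out)


def decode_classless_routes(blob):
    """Inverse of encode_classless_routes; shows what a client will install."""
    blob = bytearray(blob)
    routes, i = [], 0
    while i < len(blob):
        plen = blob[i]
        i += 1
        n = (plen + 7) // 8
        dest = list(blob[i:i + n]) + [0] * (4 - n)
        i += n
        router = list(blob[i:i + 4])
        i += 4
        if len(router) != 4:
            raise ValueError('truncated option 121 data')
        routes.append(('%d.%d.%d.%d/%d' % (tuple(dest) + (plen,)),
                       '%d.%d.%d.%d' % tuple(router)))
    return routes


def slash32_routes(gateway):
    """For a /32 lease: host route to the gateway on-link (router 0.0.0.0), then default via it."""
    return [(gateway + '/32', '0.0.0.0'), ('0.0.0.0/0', gateway)]


def dhcpd_parameters(gateway):
    """ISC dhcpd lines for EdgeOS: the option definition goes in 'global-parameters',
    the value and the /32 mask in the network's 'shared-network-parameters' (assumption)."""
    data = encode_classless_routes(slash32_routes(gateway))
    octets = ','.join(str(b) for b in bytearray(data))
    return {
        'global-parameters': [
            'option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;',
        ],
        'shared-network-parameters': [
            'option rfc3442-classless-static-routes %s;' % octets,
            'option subnet-mask 255.255.255.255;',
        ],
    }


if __name__ == '__main__':
    for scope, lines in sorted(dhcpd_parameters('100.64.0.1').items()):
        for line in lines:
            print('%s: %s' % (scope, line))
```

Older Windows clients look for the same encoding under Microsoft's option code 249 rather than 121, so a second definition with `code 249` carrying identical data covers them; a client that supports neither code is still stuck with the bare /32 and is the case the post describes.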

ER4 with ERX/SFP for POE


I am upgrading from an EdgeRouter X SFP to an EdgeRouter 4 and want to know if this is possible or not. I think I know the answer, but would like a sanity check.

 

On the ERX, I had 3 ports going to Unifi APs (for POE) and the other to a 16 port TP Link switch. 

 

 

I would like to use the ER-X to continue powering the APs if possible, to avoid the additional adapters. I can't buy another dedicated PoE switch at the moment either. I know I can set up the ER-X-SFP as a switch pretty easily, so this part shouldn't be a problem. The question is, is it possible to connect the ER4 to the ER-X via the SFP ports to do this AND use the VLANs/subnets that are in use on the port going to the TP-Link switch? I believe that since the ER4 does not have an internal switch, this would only be possible if I bridged ports. I'm assuming this is the case and that I would have to connect the ER-X behind the TP-Link switch if I want to avoid bridging on the ER4.

 

Are these assumptions correct?

ER-X-SFP WAN Gigabit Performance


I recently replaced a USG and UniFi Switch 8 with an ER-X-SFP in my network panel. I configured the ER-X-SFP using the WAN+2LAN2 wizard to create the WAN on eth5 and the LAN on switch0. I added a single TCP port forwarding rule and changed the default subnet to 10.0.1.0/24. The SFP port (eth5) has a 10Gtek 1000Mbps SFP module (Ubiquiti 10/100/1000 module on order). Firmware upgraded to 1.10.5.

 

I'm currently on the Comcast Gigabit tier plan (1000/35Mbps). Previously, with the USG and UniFi Switch 8, I was able to consistently speed test in the 900Mbps / 39Mbps range. Now with the ER-X-SFP I'm only able to achieve 512Mbps on the download, while the upload is the same.

 

I read through all the related posts and followed the troubleshooting below.  There is something that is still capping my download speed at 500Mbps.

 

Troubleshooting:

  • Reboot SURFboard SB8200 DOCSIS Cable Modem
  • Reboot ER-X-SFP
  • Enabled hwnat in CLI, Commit, Save, Reboot
  • QoS and DPI do not appear to be enabled in the UI

 

 

Side comment: Does hwnat need to be enabled to achieve Gigabit download speeds?  Given the reported problems with hwnat enabled and IPv6 on Comcast, I would prefer to leave it disabled.  I did not see a speed increase enabling it.

EdgeRouter VPN restrictions per client


I'm going to post what I would like to achieve. If anyone has suggestions on how to set this up, please let me know.

There is an office complex with several different businesses.  Each business is segmented by their own VLAN.

A few businesses also have remote locations, which need access to their VLAN resources, i.e. servers.

 

Both remote locations and the main building will have edgerouters.

Is there a way to let Client A remotely access their resources, but not Client B's resources, and vice versa?

 

I know how to setup VPN connections, but all clients get an Address from the same DHCP pool.

I need to somehow setup different VPN connections, so the only resources a client has access to is their internal VLAN.

I have looked over the forum, but not found anything directly covering this issue.

 

 

Can't seem to get port forwarding to work ER-X


I've tried just about everything I can think of... My setup is: eth0 is my WAN, and I have eth1 plugged into another switch. The IP assigned to eth1 is 192.168.77.252. I'm trying to forward port 7510 to 192.168.77.131. I can ping .131 from my ER-X, no problem. I thought that maybe my ISP was the issue, so I enabled ICMP just to see if I could ping the ER-X, and I can do that without issue. When I try to connect to port 7510 via my WAN interface, however, nothing happens. I'm including a pic of my port forwarding config. I've tried switching all the options to see if maybe that would help, but it hasn't. Anyone have any idea what I'm doing wrong?

 


Script for QOS


Hello, I have an idea but I don't know if it is possible.

I have already set up Smart Queue and I have good results, but I am wondering whether we can have a script that will do the following tasks:

1. Disable the Smart Queue function (or something similar).

2. Run a speed test via speedtest-cli (or something similar) against a specific server.

3. Take the values from the speed test and apply them in Smart Queue.

4. Enable Smart Queue again with the new values from the speed test.

And finally run this script via crontab every hour, for example.

I think this is the "holy grail" for gamers like me, to have the best connection at all times and prevent bufferbloat.

Any help will be appreciated.

Sorry for my English; it is not my native language.

 

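The four-step loop described above, as an added example that is not part of the post: a Python script meant to run on the router from the task scheduler. It removes the Smart Queue policy so the measurement is not capped by the shaper, runs `speedtest-cli --json` (whose `download` and `upload` fields are in bits per second), shapes to a fraction of the result so the router's queue rather than the modem owns the bottleneck, clamps the result into a sane band so one congested test server cannot shape the line to a crawl, and re-applies the previous rates if the test fails so the shaper never stays off. The policy name SQ, the interface eth0, the plan ceiling, the 85% headroom, the state-file path and the vbash script-template pattern for applying configuration are assumptions; the sample speedtest output is constructed.

```python
#!/usr/bin/env python
"""Re-measure the WAN and re-shape Smart Queue on a schedule (added example; names are assumptions)."""
import json
import os
import subprocess
import sys

POLICY = 'SQ'          # assumption: the existing smart-queue policy name
WAN_IF = 'eth0'        # assumption: the policy's wan-interface
PLAN = (100, 10)       # assumption: subscribed down/up in Mbit/s, used as the hard ceiling
HEADROOM = 0.85        # shape to 85% of the measurement so the router's queue is the bottleneck
FLOOR = 0.4            # never shape below 40% of plan on the strength of one bad measurement
STATE = '/config/user-data/sq-rates.json'   # assumption: /config persists across firmware upgrades
VBASH = '/bin/vbash'
# Constructed sample of what `speedtest-cli --json` prints (bits per second); used by --dry-run.
SAMPLE_SPEEDTEST = ('{"download": 95123456.7, "upload": 9876543.2, "ping": 12.3, '
                    '"server": {"name": "constructed"}}')


def rates_from_speedtest(json_text, headroom=HEADROOM):
    """Measured bits/s -> whole Mbit/s per direction with headroom applied."""
    data = json.loads(json_text)
    return (int(data['download'] * headroom / 1e6), int(data['upload'] * headroom / 1e6))


def clamp(rates, plan=PLAN, floor=FLOOR):
    """Keep each direction inside [floor*plan, plan]: a congested test server cannot
    drag the rate down to nothing and a fluke cannot lift it above what the line can do."""
    out = []
    for measured, ceiling in zip(rates, plan):
        low = max(1, int(ceiling * floor))
        out.append(min(ceiling, max(low, measured)))
    return tuple(out)


def smart_queue_commands(rates, policy=POLICY, wan=WAN_IF):
    """Config-mode commands that (re)create the policy with the given rates."""
    down, up = rates
    base = 'set traffic-control smart-queue %s' % policy
    return ['%s wan-interface %s' % (base, wan),
            '%s download rate %dmbit' % (base, down),
            '%s upload rate %dmbit' % (base, up)]


def run_config(commands):
    """Apply commands in one EdgeOS config session via the vbash script template
    (assumption: /opt/vyatta/etc/functions/script-template, run as an admin user)."""
    script = '\n'.join(['source /opt/vyatta/etc/functions/script-template', 'configure']
                       + commands + ['commit', 'save', 'exit'])
    subprocess.check_call([VBASH, '-c', script])


def main(dry_run=False):
    if dry_run:
        return smart_queue_commands(clamp(rates_from_speedtest(SAMPLE_SPEEDTEST)))
    previous = None
    if os.path.exists(STATE):
        with open(STATE) as fh:
            previous = tuple(json.load(fh))
    # 1. take the shaper off so the measurement sees the raw line, not the current cap
    run_config(['delete traffic-control smart-queue %s' % POLICY])
    try:
        # 2. measure (speedtest-cli is assumed to be installed on the router)
        out = subprocess.check_output(['speedtest-cli', '--json'])
        # 3. derive rates with headroom, then sanity-band them
        rates = clamp(rates_from_speedtest(out.decode('utf-8') if isinstance(out, bytes) else out))
    except Exception as exc:
        # the test failed: do not leave the shaper off, fall back to the last good rates
        sys.stderr.write('speedtest failed (%s); restoring previous rates\n' % exc)
        rates = previous or clamp((0, 0))   # clamp lifts (0, 0) to the floor
    # 4. re-create the policy with the new values and remember them for next time
    run_config(smart_queue_commands(rates))
    with open(STATE, 'w') as fh:
        json.dump(list(rates), fh)
    return smart_queue_commands(rates)


if __name__ == '__main__':
    for cmd in main(dry_run='--dry-run' in sys.argv):
        print(cmd)
```

Schedule it with EdgeOS's own scheduler rather than a hand-edited crontab, for example `set system task-scheduler task sq-retune interval 1h executable path /config/scripts/sq-retune.py`. Because the script deletes and re-creates the policy, anything else configured on it (ECN, burst, fq options) must be added to `smart_queue_commands` or it is lost on the first run. Each run also takes the shaper off for the length of the speed test, so the gaming session running at that moment sees unshaped latency for that window.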


Stumped


Hello again.
I have finished configuring my networks via Mr. Pott's guide. As far as I can tell, everything looks good, save for one huge thing: I cannot seem to get internet access anywhere. eth0 looks connected, with an IP address, but that is about it. All of the networks seem to work fine; I can ping them and get IP addresses on all of them. The computer is set to obtain DHCP & DNS automatically. I unplug the modem before changing routers. The only thing I have spotted so far is that the old router is using dnsmasq for DHCP & DNS, whereas the ER-X configuration is not. Any ideas?


firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group GUEST_GROUP {
            address 192.168.6.0/24
            description "Guest WiFi Net"
        }
        address-group MOJO_GROUP {
            address 192.168.3.0/24
            description "Home Network"
        }
        address-group MULTIPLE_GROUP {
            address 192.168.3.0/24
            address 192.168.4.0/24
            address 192.168.6.0/24
            address 192.168.7.0/24
            description "Multiple Networks excluding Private"
        }
        address-group OPENDNS_SERVERS_GROUP {
            address 208.67.222.222
            address 208.67.220.220
            description "OpenDNS Servers"
        }
        address-group PRIVATE_GROUP {
            address 192.168.5.0/24
            description "Private Network"
        }
        address-group WFIOT_GROUP {
            address 192.168.7.0/24
            description "WiFi IOT Net"
        }
        address-group WIOT_GROUP {
            address 192.168.4.0/24
            description "Wired IOT Net"
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_LOCAL {
        default-action drop
        description "Guest WiFi Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name MOJO_OUT {
        default-action accept
        description "Home Out"
        rule 1 {
            action accept
            description "Allow WIot Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIOT_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Rest-Of WIot Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group WIOT_GROUP
                }
            }
        }
        rule 3 {
            action accept
            description "Allow Guest WiFi Replies"
            log disable
            protocol all
            source {
                group {
                    address-group GUEST_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 4 {
            action drop
            description "Drop rest/of Guest Wifi Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group GUEST_GROUP
                }
            }
        }
        rule 5 {
            action accept
            description "Allow WFIOT Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WFIOT_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 6 {
            action drop
            description "Drop rest/of WFIOT Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group WFIOT_GROUP
                }
            }
        }
    }
    name PRIVATE_IN {
        default-action accept
        description "Private In"
        rule 1 {
            action drop
            description "Block Multiple Networks"
            destination {
                group {
                    address-group MULTIPLE_GROUP
                }
            }
            log disable
            protocol all
        }
    }
    name PRIVATE_LOCAL {
        default-action drop
        description "Private Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name PRIVATE_OUT {
        default-action accept
        description "Private Out"
        rule 1 {
            action drop
            description "Drop MoJo to Private"
            log disable
            protocol all
            source {
                group {
                    address-group MOJO_GROUP
                }
            }
        }
        rule 2 {
            action drop
            description "Drop WIOT to Private"
            log disable
            protocol all
            source {
                group {
                    address-group WIOT_GROUP
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WFIOT_LOCAL {
        default-action drop
        description "WFIOT Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                group {
                    address-group WFIOT_GROUP
                }
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow Only OpenDNS"
            destination {
                group {
                    address-group OPENDNS_SERVERS_GROUP
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WIOT_LOCAL {
        default-action drop
        description "WIOT Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                group {
                    address-group WIOT_GROUP
                }
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow Only OpenDNS"
            destination {
                group {
                    address-group OPENDNS_SERVERS_GROUP
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.4.1/24
        description "MoJo WIOT Net"
        duplex auto
        firewall {
            local {
                name WIOT_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.5.1/24
        description "MoJo Private Net"
        duplex auto
        firewall {
            in {
                name PRIVATE_IN
            }
            local {
                name PRIVATE_LOCAL
            }
            out {
                name PRIVATE_OUT
            }
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.3.1/24
        description "MoJo Home Net"
        firewall {
            out {
                name MOJO_OUT
            }
        }
        mtu 1500
        switch-port {
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 6 {
            address 192.168.6.1/24
            description "MoJo Guest WiFi Net"
            firewall {
                local {
                    name GUEST_LOCAL
                }
            }
            mtu 1500
        }
        vif 7 {
            address 192.168.7.1/24
            description "MoJo WFIOT Net"
            firewall {
                local {
                    name WFIOT_LOCAL
                }
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GuestDHCP {
            authoritative enable
            subnet 192.168.6.0/24 {
                default-router 192.168.6.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                domain-name GuestNet
                lease 86400
                start 192.168.6.38 {
                    stop 192.168.6.243
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                domain-name WIOTNet
                lease 86400
                start 192.168.4.38 {
                    stop 192.168.4.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                domain-name MoJoNet
                lease 86400
                start 192.168.3.38 {
                    stop 192.168.3.243
                }
            }
        }
        shared-network-name PrivateDHCP {
            authoritative enable
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                domain-name PrivateNet
                lease 86400
                start 192.168.5.38 {
                    stop 192.168.5.243
                }
            }
        }
        shared-network-name WFIOTDHCP {
            authoritative enable
            subnet 192.168.7.0/24 {
                default-router 192.168.7.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                domain-name WFIOTNet
                lease 86400
                start 192.168.7.38 {
                    stop 192.168.7.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on eth2
            listen-on eth1
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "Exclude OpenDNS Guest WiFi"
            destination {
                group {
                    address-group OPENDNS_SERVERS_GROUP
                }
                port 53
            }
            exclude
            inbound-interface switch0.6
            inside-address {
                port 53
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 2 {
            description "Force OpenDNS Guest WiFi"
            destination {
                port 53
            }
            inbound-interface switch0.6
            inside-address {
                address 208.67.220.220
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth11
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name ubnt
    login {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 1.1.1.1
    name-server 1.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable

Port Forwarding on Edge Router x


Hello, 

 

I am currently facing an issue with port forwarding on the Edge Router X. 

 

For context, my Internet provider is BT fibre, meaning my connection type is PPPoE, which is currently configured over eth0.

 

i am trying to create two port forwarding rules

1) To my web server, i.e. forwarding port 80 -> 80

2) To my Plex server, i.e. forwarding port 32400 -> 32400

 

I am doing this using the automatic port forwarding wizard using the following settings: 

 


 

 

However, this does not appear to be working. Any advice would be greatly appreciated.

 

Thank you! 
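A check that covers the three port-forwarding posts above and the "Stumped" configuration, as an added example that is not part of any of the posts: a small Python linter for an EdgeOS configuration dump (the brace format that `show configuration` prints) which flags three things a practitioner looks at first. A masquerade rule whose `outbound-interface` is not a configured interface means no LAN traffic is ever source-NATed (the posted "Stumped" config masquerades on eth11 while its WAN is eth0, and an ER-X has no eth11). A port-forward rule whose original port equals the GUI's HTTP or HTTPS port takes remote management on that port away from the router, because DNAT is applied before a packet can be delivered locally (the first post forwards 80 and then times out on the GUI, which makes this the first thing to check there). And a port-forward `wan-interface` pointing at the physical port that carries a PPPoE session never sees the public address; on a PPPoE WAN the forward belongs on `pppoe0`, which matters for the BT post. The configuration below is constructed to trigger all three; the parser is deliberately minimal and handles only the syntax shown.

```python
"""Minimal linter for an EdgeOS 'show configuration' dump (added example; the config is constructed)."""
import sys

SAMPLE_CONFIG = '''
interfaces {
    ethernet eth0 {
        pppoe 0 {
            user-id "bt-user@btbroadband.com"
        }
    }
    switch switch0 {
        address 192.168.3.1/24
    }
}
port-forward {
    wan-interface eth0
    rule 1 {
        forward-to {
            address 192.168.3.10
            port 80
        }
        original-port 80
        protocol tcp
    }
}
service {
    gui {
        http-port 80
        https-port 443
    }
    nat {
        rule 5010 {
            outbound-interface eth11
            type masquerade
        }
    }
}
'''


def parse_edgeos(text):
    """Nested dicts: 'ethernet eth0 {' -> cfg['interfaces']['ethernet']['eth0'];
    'key value' -> string (a list when repeated); a bare 'key' -> None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == '}':
            stack.pop()
        elif line.endswith('{'):
            node = stack[-1]
            for token in line[:-1].split():
                node = node.setdefault(token, {})
            stack.append(node)
        else:
            key, _, value = line.partition(' ')
            value = value.strip().strip('"') if value else None
            node = stack[-1]
            if key in node:
                node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [value]
            else:
                node[key] = value
    if len(stack) != 1:
        raise ValueError('unbalanced braces in configuration')
    return root


def interface_names(cfg):
    """Names a rule may legally reference: ports, VLAN sub-interfaces and PPPoE units."""
    names = set()
    for kind in ('ethernet', 'switch'):
        for name, body in cfg.get('interfaces', {}).get(kind, {}).items():
            names.add(name)
            for vid in body.get('vif', {}):
                names.add('%s.%s' % (name, vid))
            for unit in body.get('pppoe', {}):
                names.add('pppoe%s' % unit)
    return names


def lint(cfg):
    findings = []
    names = interface_names(cfg)
    svc = cfg.get('service', {})
    # 1. masquerade bound to an interface that does not exist: nothing is ever source-NATed
    for rid, rule in svc.get('nat', {}).get('rule', {}).items():
        oif = rule.get('outbound-interface')
        if rule.get('type') == 'masquerade' and oif not in names:
            findings.append('nat rule %s: masquerade on %s, which is not a configured '
                            'interface; LAN traffic leaves without source NAT' % (rid, oif))
    # 2. port-forward on the physical port while the public address lives on pppoeN
    pf = cfg.get('port-forward', {})
    wan = pf.get('wan-interface')
    eth = cfg.get('interfaces', {}).get('ethernet', {})
    if wan in eth and 'pppoe' in eth[wan]:
        unit = sorted(eth[wan]['pppoe'])[0]
        findings.append('port-forward: wan-interface %s carries a PPPoE session; use '
                        'pppoe%s, the interface that holds the public address' % (wan, unit))
    # 3. forwarding a GUI port to a LAN host: DNAT precedes local delivery, so remote
    #    management on that port lands on the LAN host instead of the router
    gui = svc.get('gui', {})
    gui_ports = {gui.get('http-port'), gui.get('https-port')} - {None}
    for rid, rule in pf.get('rule', {}).items():
        if rule.get('protocol', 'tcp_udp') in ('tcp', 'tcp_udp') and rule.get('original-port') in gui_ports:
            findings.append('port-forward rule %s: original-port %s is also a GUI port, so remote '
                            'management on it is hijacked' % (rid, rule['original-port']))
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in lint(parse_edgeos(text)):
        print(finding)
```

Run it against a saved dump with `python edgeos_lint.py config.txt`. The fix for the third finding is not to stop forwarding port 80 but to stop exposing management on the same port at all: move the GUI to HTTPS on a non-forwarded port and restrict WAN_LOCAL to a management source address, rather than the "allow any type of connection" setting the first post describes.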

EdgeRouter QOS - hardware required?


Apologies if I should know this more intuitively--I'm new to ubiquiti.

 

I'm hoping to set up fairly extensive QOS covering an 8 apartment network... Any guesses what kind of hardware I'm going to need? I'm guessing an EdgeRouterX won't cut it, but what might?

 

On a related question, could I look at the UniFi security gateway lineup for QOS instead?

 

thanks!

Help VLANs ER-4 and UniFi Switch


Hi, so I had an ER-X and had no problem configuring vlans and using unifi switches. But I upgraded to an ER-4 and it is not quite working out now.


 

These are the vlans I have set now on eth2. eth0 and eth1 are WAN interfaces. 

Now on my UniFi controller I have set up the same networks and tagged VLAN 10 on port 4 of the UniFi 16-port switch, but when I connect to port 4 my PC doesn't pick up any IP. If I connect to any other port that is set to ALL, I get an IP from 172.17.1.0/24. The same thing happens if I set any port to another VLAN (20, 30 and 40).

 

I can't find what I missed in my configuration.

IP-Forwarding in EdgeRouter


Sorry this is a semi-complex question and I will try my best to explain:

 

AT&T Business Fiber coming into my office. They have a really crappy NGV595 router that has a NAT limit of 2000 sessions (even if you don't use NAT, it's actually connection tracking). If you go over that, the connection slows/dies.

 

So, I have an EdgeRouter Pro in front of my AT&T router, and I forward all the auth packets to the AT&T router and all the normal traffic with static IPs (a /26) out over eth5 to a particular MAC address. See line 108:

https://pastebin.com/1XvhQs40

 

Line 108: 

ebtables -t nat -A PREROUTING -p IPv4 -i eth7.2 --ip-dst $OUR_PUB_IP_RANGE -j dnat --to-dst $MAC_INTERNALFW --dnat-target ACCEPT

 

So all this works 

 

Hanging off Eth5 of the ER Pro, I have an ER-4 EdgeRouter into Eth1.  This has a static IP and I am able to get to it no problem from the outside world and it can connect to the outside world.

 

Since all the Traffic is routed to a particular mac address on the ER-4, I need it to pass the rest of the public IP space to other devices on the network, such as other routers, public servers. 

 

I've tried removing the ER-4 from the picture and putting in a switch and set the mac address of the switch, the switch will answer on the public IP space, but nothing behind it.

 

So I need a way of forwarding Public IPs to other devices through the edge router. I think something like Proxy-ARP would do this but I am not sure how to configure.

 

Thanks so much. I will pay for a solution! Seriously. Maybe there is a way to modify line 108 to forward the packets a different way. I MUST HAVE public IPs on my LAN. These run public servers and they can't have private IPs in them.

 

 

 

 

 

 

 

IPSEC setup for fixed IP head office and remote users (dynamic home user) using hardware


Hello,

I am struggling to find help for setting up a secure (IPSEC) VPN from head office for remote home office users (using hardware).

Setup is:

Head Office has an Edgerouter Lite v10.5 with a fixed public IP address for eth0 (WAN) with a server connected to eth1.

Remote offices have an EdgeRouter X 10.5 with a dynamic public IP address, with eth0 plugged into the existing router (BT/Sky etc.) for which we have no configuration options. Eth1 is plugged into a laptop.

Can anyone assist with setup so that remote users can connect their laptop to eth1 on X and communicate with server.

This will be for multiple remote users (all supplied with an EdgeRouter X), although I need to ensure that remote users have no method of interactive communication with each other.

 

Thanks,

T
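One design that answers both the "VPN restrictions per client" post and the head-office IPsec post above, as an added example that is not part of either post: give each remote location its own site-to-site IPsec peer instead of a shared remote-access pool, and let two independent controls enforce tenancy. The tunnel's traffic selectors (`local prefix` / `remote prefix`) already bound what a remote LAN can reach to its own office VLAN, and a WAN_IN firewall rule that accepts decrypted traffic only from that remote LAN into that VLAN, matched with `ipsec match-ipsec`, is the second control; remote-to-remote traffic matches neither a selector nor an accept rule and falls to the ruleset's default drop, which is the "no interactive communication with each other" requirement. The script below generates the EdgeOS `set` commands from a constructed tenant table and refuses overlapping networks, since the exclusivity of both controls depends on disjoint prefixes. The head-office address, the ruleset name WAN_IN (assumed applied `in` on eth0 with `default-action drop`) and the placeholder pre-shared secrets are assumptions; remote peers are assumed to have static addresses, so the dynamic-address case from the IPsec post, where the peer has to be keyed on an identity rather than an address, is not exercised here.

```python
"""Per-tenant site-to-site IPsec on EdgeOS: generated 'set' commands (added example; data is constructed)."""
import ipaddress

# Constructed tenant table: (name, office VLAN subnet, remote site LAN, remote WAN address, PSK placeholder)
TENANTS = [
    ('acme',   '10.10.10.0/24', '192.168.10.0/24', '203.0.113.10', 'REPLACE-ME-ACME'),
    ('globex', '10.10.20.0/24', '192.168.20.0/24', '203.0.113.20', 'REPLACE-ME-GLOBEX'),
]
LOCAL_WAN = '198.51.100.1'   # assumption: head-office public address on eth0
WAN_IF = 'eth0'
WAN_IN = 'WAN_IN'            # assumption: ruleset applied 'in' on eth0, default-action drop


def validate(tenants):
    """Selectors and firewall rules are only exclusive if no office VLAN or remote LAN
    overlaps another and every peer address is unique."""
    nets = [ipaddress.ip_network(t[1]) for t in tenants] + [ipaddress.ip_network(t[2]) for t in tenants]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError('overlapping networks: %s and %s' % (a, b))
    peers = [t[3] for t in tenants]
    if len(set(peers)) != len(peers):
        raise ValueError('duplicate peer address')


def ipsec_commands(tenants, local_wan=LOCAL_WAN, wan_if=WAN_IF):
    """One peer per tenant; the tunnel selector names only that tenant's VLAN."""
    validate(tenants)
    cmds = [
        'set vpn ipsec ipsec-interfaces interface %s' % wan_if,
        'set vpn ipsec ike-group IKE-TENANT proposal 1 encryption aes256',
        'set vpn ipsec ike-group IKE-TENANT proposal 1 hash sha256',
        'set vpn ipsec ike-group IKE-TENANT proposal 1 dh-group 14',
        'set vpn ipsec esp-group ESP-TENANT pfs enable',
        'set vpn ipsec esp-group ESP-TENANT proposal 1 encryption aes256',
        'set vpn ipsec esp-group ESP-TENANT proposal 1 hash sha256',
    ]
    for name, vlan, remote_lan, peer, psk in tenants:
        p = 'set vpn ipsec site-to-site peer %s' % peer
        cmds += [
            '%s description %s' % (p, name),
            '%s authentication mode pre-shared-secret' % p,
            '%s authentication pre-shared-secret %s' % (p, psk),
            '%s ike-group IKE-TENANT' % p,
            '%s local-address %s' % (p, local_wan),
            '%s tunnel 1 esp-group ESP-TENANT' % p,
            '%s tunnel 1 local prefix %s' % (p, vlan),        # first control: only this VLAN
            '%s tunnel 1 remote prefix %s' % (p, remote_lan),
        ]
    return cmds


def firewall_commands(tenants, ruleset=WAN_IN, first_rule=100):
    """Decrypted tunnel traffic re-enters through the WAN ruleset. Accept each remote LAN
    into its own VLAN only, and only when it arrived through IPsec, so a clear-text packet
    with a forged source does not qualify. Everything else hits the default drop."""
    cmds = []
    for i, (name, vlan, remote_lan, _peer, _psk) in enumerate(tenants):
        r = 'set firewall name %s rule %d' % (ruleset, first_rule + i * 10)
        cmds += [
            '%s description "ipsec %s to own VLAN"' % (r, name),
            '%s action accept' % r,
            '%s ipsec match-ipsec' % r,
            '%s source address %s' % (r, remote_lan),
            '%s destination address %s' % (r, vlan),
        ]
    return cmds


if __name__ == '__main__':
    for cmd in ipsec_commands(TENANTS) + firewall_commands(TENANTS):
        print(cmd)
```

The rule numbers start at 100 on the assumption that the ruleset's usual rules 10 and 20 (accept established/related, drop invalid) come first; the tenant rules must still sit above any broad accept. The remote EdgeRouters mirror the peer with the prefixes swapped, and their own LAN-side rulesets decide which laptops may use the tunnel.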

 

ER-X : PBR , firewall modify, load-balance effect on offload?


Does anyone know if Policy-Based Routing disables offload on the ER-X?  The article doesn't really say (https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading). I remember the progression seemed to be:

 

1. recommended to disable offload if you use PBR as it will mess things up

2. you can enable offload, the router will not offload PBR traffic but will at least offload other traffic

3. PBR traffic using "table" or "lb-group" will be offloaded, but not other PBR traffic

 

The only thing is, most of this discussion was around the Cavium routers but I just have ER-Xs.  I remember UBNT-ancheng saying that the Cavium offload did less "out of the box" but was more flexible/programmable, where the MediaTek offload did more as soon as we got it, but was very difficult to fine-tune or adjust. 

 

At most sites I have 2 WAN connections that I load balance, sometimes I want to put certain traffic on one WAN or the other, and also I use a transparent squid proxy.  My lan-in modify firewall looks like this

 

    modify LAN_IN_MOD {
        description "modify for squid proxy and load balance"
        rule 10 {
            action modify
            description "send packets to squid proxy"
            destination {
                port 80
            }
            modify {
                table 1 # route 0.0.0.0/0 next-hop squid proxy server IP
            }
            protocol tcp
            source {
                group {
                    address-group SQUID_CLIENTS # includes everybody but the squid proxy itself
                }
            }
        }
        rule 20 {
            action modify
            description "do not load balance local traffic"
            destination {
                address 192.168.0.0/16
            }
            modify {
                table main
            }
        }
        rule 25 {
            action modify
            description "do not load balance port forwarded traffic"
            destination {
                address [WAN1 public IP]
            }
            modify {
                table main
            }
        }
        rule 27 {
            action modify
            description "put squid HTTP traffic on WAN1"
            destination {
                port 80
            }
            modify {
                table main
            }
            protocol tcp
            source {
                address 192.168.1.40
            }
        }
        rule 28 {
            action modify
            description "put IPTV traffic on WAN2"
            modify {
                lb-group IPTV # I use this rather than a table b/c the IPTV WAN is DHCP
            }
            source {
                address 192.168.25.0/24
            }
        }
        rule 30 {
            action modify
            description "load balancer"
            modify {
                lb-group WLB
            }
        }
    }

Do you think it breaks offload?  I noticed traffic (specifically iPhone updates which are a few gigs) moving at about 300Mbps from the squid proxy to clients on my LAN.  At first I figured the squid proxy was just a bit slow, it's on a mechanical hard drive that is also used for video recording, but then I thought that 300Mbps is in the ball park for the ER-X operating without offload. 

 

If nobody knows I will set up a couple of laptops and a spare ER-X and run some tests with iperf.


Question on bridge-groups, PPPoE and hardware offload.


Hello community experts!

 

I have a curiosity specifically related to the EP-R8 platform.  When I look online at the hardware offload capabilities it mentions that bridged interfaces are not offloaded.  It mentions PPPoE interfaces are offloaded.

 

Quick version:

  Setup:

             EP-R8 latest firmware

             NS-5AC-Gen2-US latest firmware

             Customer router doing PPPoE

  Question:

  If a set of ethernet interfaces participate in a bridge-group and the PPPoE server is bound to that bridge group are the PPPoE sessions hardware offloaded even though the bridge-group traffic is not?

 

Longer Version:

I've thus far been trying to keep my bridge interfaces constrained to VLANs on the ethernet interfaces of the EP-R8 for management-related traffic (not really performance heavy or needing offload performance). This leaves the native interface for all of my client traffic (and presumably all the hardware-offloaded goodness that comes from having no bridge).

 

I have come across an interesting by-design behavior with the airMAX CPE devices where, if you put the device in routed mode and have a management interface on a VLAN, the expectation is that there is also a valid WAN IP configuration (IP/DNS/default gateway etc.) present. With the PPPoE proxy feature and PPPoE configured from the customer router there is really no requirement for any WAN IP configuration on the device to function and still provide internet connectivity. This is desirable for me as I can leave the device in a "routed" configuration (protecting my network from all sorts of customer misconfiguration) while not needing to configure any static routes on the EP-R8 to provide connectivity to that customer (via PPPoE + PPPoE relay).

 

All of this portion works as expected, but when I do this, UNMS and all reachability to the management IP of the device stops. What I have found is that the airMAX devices, in this configuration, issue a DHCP request without the default-gateway or domain-name-server options set. The DHCP server on the EP-R8 happily replies to the request with just the IP and subnet.

 

Without any routes or DNS configured as a result of no WAN configuration and only getting back an IP address on the management interface, the airMAX device is sitting there with no ability to respond to any inbound off-subnet IP traffic and no ability to resolve names.  This leaves the device kind of broken from a management perspective.

 

After a quick and helpful discussion on the airMax forums this appears to be a by-design behavior as proper IP configuration on the WAN interface was always presumed and the MGMT vlan was intended to route through the WAN interface for DNS and any off-link routes (I've still got an ongoing sort of discussion here, but this will likely turn into a feature request as it does not appear to be a bug).

 

The purpose behind the bridge interface on the EP-R8 was to get efficient usage of my management IP space for all of the devices by using a single /24 for all the management interfaces across the 4 ethernet ports which will have customer radios attached.  I knew that per the EP-R8 specifications bridged traffic would not be hardware offloaded.  Now that I have to move to an untagged interface configuration I have what I think are a few options:

  • Assign the physical interfaces to a bridge group and run both the mgmt DHCP and client PPPoE server on the bridge group.
    • I'll go this route if I learn that PPPoE sessions established over bridge interfaces are still offloaded (not holding my breath here).
  • Assign the physical interfaces to a bridge group and run the mgmt DHCP server on the bridge group, but keep the PPPoE server bound to the physical interface.
    • Not even sure this option will work.  Going to do some testing on this today when I get home, but I'd expect that the broadcast packets will be intercepted by the bridge before making it to the PPPoE server bound on the physical interface, and this will result in no PPPoE connection for the customer device.
  • Move to a unique management DHCP subnet per interface, not use bridge groups, and keep the PPPoE server bound to each individual interface.
    • This will be sure to work, but then I'm running way more DHCP servers than I actually need (4) and wasting a tiny bit of address space (basically breaking the /24 up into 4 /26s at the cost of losing 6 usable IPs).

 

Looking to learn from the community on this one.  I am thinking I'm just going to need to bite the bullet and split my /24 up into 4 /26's and just allocate per interface but I figured I would exhaust all my options if nothing more than for education on my part.

 

I am also going to be messing around with all of this in my lab and will report back my findings as well.  Are there any tools to dump the offloaded sessions or connections currently from the hardware so I can tell if a PPPoE session is being offloaded without doing a "performance" based tests?

 

Thanks to anyone who's taking a look at this.  I've been enjoying the Ubiquiti equipment and configurations, and the community forums and help resources have been invaluable towards me getting this far.
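A way to test the DHCP side of this from the EP-R8, added here as an example and not taken from the post: EdgeOS runs ISC dhcpd, and dhcpd only returns the options a client names in its parameter request list (option 55). If the CPE leaves out 3 (router) and 6 (DNS), the lease comes back with just an address and mask, exactly as described above. Setting `option dhcp-parameter-request-list` through `subnet-parameters` makes the server disregard the client's list and always send the listed options, which separates "the server never offered a gateway" from "the radio ignored the gateway it was offered". The network name MGMT and the 10.99.0.0/24 addressing are placeholders.

```text
service {
    dhcp-server {
        shared-network-name MGMT {
            authoritative enable
            subnet 10.99.0.0/24 {
                default-router 10.99.0.1
                dns-server 10.99.0.1
                lease 86400
                start 10.99.0.10 {
                    stop 10.99.0.250
                }
                subnet-parameters "option dhcp-parameter-request-list 1, 3, 6, 28;"
            }
        }
    }
}
```

The list is raw dhcpd.conf syntax (1 subnet mask, 3 router, 6 DNS, 28 broadcast), the same passthrough mechanism as the `shared-network-parameters` line used elsewhere on this page. Confirm the effect with a capture on the port facing the radio, for example `sudo tcpdump -ni eth1 -vv 'udp port 67 or udp port 68'`: the ACK should now carry Default-Gateway and Domain-Name-Server options. If the radio still has no default route after that, the airMAX firmware is discarding the options on its management VLAN, which is consistent with the by-design answer from the airMAX forum.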

 

Router Outbound VPN NAT Issue


Hello, All.

 

I recently configured OpenVPN on my EdgeRouter X SFP to connect to the "Private Internet Access" VPN (vtun1) for specific hosts on my LAN.  All is working well for those specific hosts except when they attempt to access a port-forwarded port.  If I'm using a host that is being routed through the VPN, I'm not able to access any of the forwarded ports on my router.  It's as if the hairpin NAT isn't working.

 

Example: if I'm on my laptop, which is being routed out the VPN (vtun1), I cannot access an IP camera via my router's external IP (non-VPN) that has a forwarded port.

 

Scenario: Laptop (192.168.1.10) > VPN (vtun1) (172.15.15.15) > Router external IP from ISP (65.5.5.5) > Camera (192.168.1.15 port 3000).  I cannot access 65.5.5.5:3000 while on a host that's routed out of the VPN.  If I remove the "Laptop" from the VPN firewall group, I can access 65.5.5.5:3000.

 

I would rather not have to define two separate connections: External IP/Host:Port and Internal IP:Port (to be used when on VPN).

 

Any ideas?  Thanks!

 

My config is included below:

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group PIA_VPN_COMPUTERS {
             address 10.24.75.206
             description "PIA Hosts"
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     modify PIA_VPN_ROUTE {
         rule 1 {
             action modify
             description "traffic from Devices to vtun1 (PIA)"
             modify {
                 table 1
             }
             source {
                 group {
                     address-group PIA_VPN_COMPUTERS
                 }
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 5 {
             action accept
             description "Allow OpenVPN"
             destination {
                 port 1194
             }
             log disable
             protocol tcp_udp
         }
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         poe {
             output off
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth5 {
         duplex auto
         speed auto
     }
     loopback lo {
     }
     openvpn vtun0 {
         local-port 1194
         mode server
         openvpn-option --tls-server
         openvpn-option --comp-lzo
         openvpn-option "--user nobody --group nogroup"
         openvpn-option --persist-key
         openvpn-option --persist-tun
         openvpn-option --persist-local-ip
         openvpn-option --persist-remote-ip
         openvpn-option "--keepalive 8 30"
         openvpn-option "--verb 3"
         openvpn-option --client-to-client
         openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun0-ipp.txt"
         openvpn-option "--push redirect-gateway def1"
         openvpn-option "--push dhcp-option DNS 10.24.75.1"
         openvpn-option "--push route 10.24.75.0 255.255.255.0"
         openvpn-option "--tls-auth /config/auth/openvpn/keys/ta.key 0"
         openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
         openvpn-option "--cipher AES-256-CBC"
         openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
         openvpn-option --float
         protocol tcp-passive
         server {
             subnet 10.7.95.0/24
         }
         tls {
             ca-cert-file /config/auth/openvpn/keys/ca.crt
             cert-file /config/auth/openvpn/keys/server.crt
             dh-file /config/auth/openvpn/keys/dh2048.pem
             key-file /config/auth/openvpn/keys/server.key
         }
     }
     openvpn vtun1 {
         config-file /config/auth/pia.ovpn
         description "Private Internet Access VPN"
     }
     switch switch0 {
         address 10.24.75.1/24
         description Local
         firewall {
             in {
                 modify PIA_VPN_ROUTE
             }
         }
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
         vif 2001 {
             address 192.168.11.1/24
             description "Guest VLAN"
             mtu 1500
         }
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface switch0
     rule 6 {
         description "OpenVPN TCP"
         forward-to {
             address 10.24.75.1
             port 1194
         }
         original-port 443
         protocol tcp
     }
     rule 7 {
         description "OpenVPN UDP"
         forward-to {
             address 10.24.75.1
             port 1194
         }
         original-port 1194
         protocol udp
     }
     wan-interface eth0
 }
 protocols {
     static {
         table 1 {
             interface-route 0.0.0.0/0 {
                 next-hop-interface vtun1 {
                 }
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         global-parameters "log-facility local2;"
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 10.24.75.0/24 {
                 default-router 10.24.75.1
                 dns-server 10.24.75.1
                 domain-name zzzz.com
                 lease 3600
                 start 10.24.75.200 {
                     stop 10.24.75.239
                 }
             }
         }
         use-dnsmasq enable
     }
     dns {
         dynamic {
             interface eth0 {
                 service dyndns {
                     host-name blahblahblah.dyndns.zzz
                     login ZZZZZZZZ
                     password ZZZZZZZZ
                     protocol dyndns1
                 }
             }
         }
         forwarding {
             cache-size 150
             listen-on switch0
             listen-on vtun0
             listen-on vtun1
             name-server 1.1.1.1
             name-server 1.0.0.1
         }
     }
     gui {
         http-port 80
         https-port 81
         older-ciphers enable
     }
     nat {
         rule 5001 {
             description openvpn
             log disable
             outbound-interface vtun1
             protocol all
             type masquerade
         }
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     unms {
         disable
     }
     upnp {
     }
 }
 system {
     config-management {
         commit-revisions 50
     }
     domain-name zzzzz.com
     domain-search {
     }
     host-name zzzz
     name-server 127.0.0.1
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     package {
         repository wheezy {
             components "main contrib non-free"
             distribution wheezy
             password ""
             url http://http.us.debian.org/debian
             username ""
         }
         repository wheezy-backports {
             components "main contrib non-free"
             distribution wheezy-backports
             password ""
             url http://ftp.ch.debian.org/debian
             username ""
         }
         repository wheezy-updates {
             components "main contrib"
             distribution wheezy/updates
             password ""
             url http://security.debian.org/
             username ""
         }
     }
     syslog {
         file dhcpd {
             archive {
                 files 5
                 size 3000
             }
             facility local2 {
                 level debug
             }
         }
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
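A fix for the hairpin case, added as an example and not part of the original post. The `modify` ruleset attached to switch0 runs in the mangle PREROUTING chain, which is evaluated before the hairpin DNAT in nat PREROUTING, so when the laptop's packet is marked its destination is still 65.5.5.5, the WAN address, not the camera. The mark sends the packet to table 1, whose only route is the default via vtun1, so the packet for the camera goes into the tunnel and the reply never comes back. The exemption therefore has to match the WAN address, and it has to sort before the catch-all rule. ADDRv4_eth0 is assumed to be the address group EdgeOS maintains for the addresses on eth0 (useful because eth0 is on DHCP); check it exists with `sudo ipset list ADDRv4_eth0` and substitute a static address if your firmware rejects the reference. The LOCAL_NETS group and the blackhole route in table 1 are additions too.

```text
firewall {
    group {
        address-group PIA_VPN_COMPUTERS {
            address 10.24.75.206
            description "PIA Hosts"
        }
        address-group LOCAL_NETS {
            address 10.24.75.0/24
            address 192.168.11.0/24
            description "Subnets that must never be sent into the tunnel"
        }
    }
    modify PIA_VPN_ROUTE {
        rule 10 {
            action modify
            description "Hairpin: traffic to our own WAN address stays on the main table"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 15 {
            action modify
            description "Inter-VLAN traffic stays on the main table"
            destination {
                group {
                    address-group LOCAL_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "Everything else from PIA hosts goes to vtun1"
            modify {
                table 1
            }
            source {
                group {
                    address-group PIA_VPN_COMPUTERS
                }
            }
        }
    }
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun1 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 254
                }
            }
        }
    }
}
```

The original rule 1 becomes rule 20 so the two `table main` exemptions are evaluated first. The blackhole is the kill switch for the hosts in PIA_VPN_COMPUTERS: when vtun1 goes down its interface-route disappears, and without another route in table 1 the fwmark lookup falls through to the main table and those hosts would leave via eth0 unencrypted; with the blackhole they simply lose connectivity until the tunnel returns. Check with `sudo ip route show table 1`, then from a PIA host compare `traceroute 65.5.5.5` (should stay local) with a traceroute to a public address (should enter the tunnel).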

 

 

 

Firewall setting to control traffic


Hi everyone, I run a small network for a homeless shelter. Right now I am running an EdgeRouter X with an open WiFi and I need some serious help. I am a cut-and-paste coder, be warned; I am more of a hardware and network cable puller by trade.

 

Our network consists of eth4 on a Comcast Business 25 Mbps connection.

Our LAN is 192.168.10.0/24 and the VLAN is 10.0.10.0/24.

 

I have begun routing all guest WiFi through our VLAN using 4 donated TP-Link EAP225 access points.

 

Now the problem is we are housing 11 families that have nearly 50 wireless devices, which is pegging our network to the max, making it impossible for the staff to get any work done during the day. Today was so bad we couldn't do our weekly Skype video conference.

 

I need to set the VLAN so it blocks all BitTorrent activity and throttles Netflix, YouTube, Hulu, Amazon Video and so on. I think this is done through QoS.

 

I just set up this router this week. As of now I have the PTP VPN set up from my house and some basic firewall settings for ping and remote access.

 

Thanks for any help.
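An added example, not from the post: what the EdgeRouter can do reliably here is cap the guest VLAN and keep it away from the staff LAN and the router itself. Newer EdgeOS firmware has deep packet inspection that can classify some of this traffic, but most streaming and a lot of BitTorrent traffic is encrypted, so a bandwidth cap is the control that holds regardless of what the applications do. The config assumes the guest VLAN is VLAN 10 on switch0 with the router at 10.0.10.1/24, the staff LAN on 192.168.10.0/24, and that the rates leave headroom for staff on a 25 Mbps line; adjust all of those to the real setup.

```text
interfaces {
    switch switch0 {
        vif 10 {
            address 10.0.10.1/24
            description "Guest VLAN"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
}
firewall {
    name GUEST_IN {
        default-action accept
        description "Guest VLAN to anywhere else"
        rule 10 {
            action drop
            description "No guest access to the staff LAN"
            destination {
                address 192.168.10.0/24
            }
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description "Guest VLAN to the router itself"
        rule 10 {
            action accept
            description "DHCP"
            destination {
                port 67
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
    }
}
traffic-control {
    smart-queue GUEST {
        download {
            rate 3mbit
        }
        upload {
            rate 12mbit
        }
        wan-interface switch0.10
    }
}
```

Two things to watch. GUEST_LOCAL is the security part: with an open SSID, anything on the guest VLAN can otherwise reach the router's GUI (ports 80/81 in the config shown earlier on this page) and SSH, so the default drop with only DHCP and DNS allowed is deliberate. Smart-queue names its directions from the router's side of the interface it is applied to: on a LAN-facing VLAN, `download` shapes what arrives from the guests (their uploads) and `upload` shapes what is sent to them (their downloads), which is why the larger number sits under `upload` above. Verify the direction with a speed test from a guest device after committing, and look at `show traffic-control` for the counters.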

DHCPv6 weird behaviour


Switch0 has 2 addresses, one auto-configured fe80:: and a second, public 2001::. IPv6 connectivity works if I configure client addresses/gateways manually. However, in stateful mode:

 

At first I've configured dhcp like this:

 

     subnet 2001:...::/64 {
         address-range {
             start 2001:...::2:1 {
                 stop 2001:...::2:ffff
             }
         }
         name-server 2001:470:20::2
     }

It didn't work, dhcpv6 exited with "No subnet6 declaration for switch0 (fe80::....).", so I configured it like this:

 

     subnet fe80::.../128 {
         address-range {
             start 2001:...::2:1 {
                 stop 2001:...::2:ffff
             }
         }
         name-server 2001:470:20::2
     }

This almost worked, almost because now dhcp starts correctly, and it even replies to solicit/request messages; however, the sequence looks like this:

C: Solicit
S: Advertise; SomeNewAddressIn2001Network

C: Request SomeNewAddressIn2001Network

S: Reply with status code 4, NotOnLink

 

The server rejects the request to bind to the address which it has offered in the Advertise message...

 

Sooo, tried this:

 

     subnet 2001:...::/64 {
         address-range {
             start 2001:..::2:1 {
                 stop 2001:...::2:ffff
             }
         }
         name-server 2001:470:20::2
     }
     subnet fe80::.../128 {
         address-range {
             start 2001:...::2:1 {
                 stop 2001:...::2:ffff
             }
         }
         name-server 2001:470:20::2
     }

The configuration must be in this order; if the subnets are swapped the reply will contain code 4. And this almost works, clients can get addresses (the reply now has status code 0). They see the gateway at its correct fe80:: address but IPv6 doesn't work. Wireshark example for ping:

 

[Image: Screenshot 2018-08-15 09.05.26.png]
The packet is sent to the correct destination address (ipv6/google) and gateway MAC address, but there is no response. Then again, if this is configured manually, everything works. It also worked flawlessly when I used radvd/wide-dhcpv6 on a Linux box. So, what am I missing here?
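One piece a stateful DHCPv6 deployment always needs, given here as an added example and not as part of the post: DHCPv6 hands out addresses and DNS but carries no default route and no on-link prefix; clients only learn those from Router Advertisements. Without an RA the client has an address and nothing useful to do with it, and with an RA whose prefix is not flagged on-link a neighbour on the same /64 is unreachable too. The EdgeOS fragment below assumes a static 2001:db8:1::/64 on switch0 (the documentation prefix stands in for the real one) and the `router-advert` tree of EdgeOS 1.x; the M and O flags tell clients to use DHCPv6, and `autonomous-flag false` keeps them from also making a SLAAC address.

```text
interfaces {
    switch switch0 {
        address 2001:db8:1::1/64
        ipv6 {
            router-advert {
                managed-flag true
                other-config-flag true
                prefix 2001:db8:1::/64 {
                    autonomous-flag false
                    on-link-flag true
                }
                send-advert true
            }
        }
    }
}
service {
    dhcpv6-server {
        shared-network-name LAN6 {
            subnet 2001:db8:1::/64 {
                address-range {
                    start 2001:db8:1::2:1 {
                        stop 2001:db8:1::2:ffff
                    }
                }
                name-server 2001:470:20::2
            }
        }
    }
}
```

The single `subnet` is the global /64, declared exactly as the prefix configured on switch0; a range that lies outside the declared subnet, as in the fe80::/128 variant above, is what a NotOnLink status code describes. After committing, a client's `ip -6 route` should show the /64 as on-link and a default via the router's fe80:: address learned from the RA, and `show interfaces switch switch0` on the router should list the global address the dhcpd6 subnet refers to.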

certificates for remote-cert-tls


I successfully set up a VPN connection to my router using these instructions.

 

The connection was working but the OpenVPN log shows the warning: No server certificate verification method has been enabled.

The link says that a man-in-the-middle attack is possible.

I added to client.ovpn line:

remote-cert-tls server

I also created tls-auth.key file

openvpn --genkey --secret tls-auth.key

 

tls-auth tls-auth.key 0 # - to server options

tls-auth tls-auth.key 1 # - to client config

 

Now I have connection error: Certificate does not have key usage extension.

 

According to the HOWTO I should use the easy-rsa scripts. I used CA.sh for certificate creation. Can CA.sh do this for me? How should the certificate extension be added?
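A way to issue a server certificate that satisfies `remote-cert-tls server`, added as an example rather than taken from the post or the linked instructions. The client-side check looks for a keyUsage extension (digitalSignature, plus keyEncipherment for RSA keys) and an extendedKeyUsage of serverAuth on the server's certificate; a certificate signed with a plain `openssl x509 -req` gets neither, which produces exactly the "does not have key usage extension" error. With easy-rsa the same extensions come from `build-key-server` (easy-rsa 2) or `./easyrsa build-server-full <name> nopass` (easy-rsa 3). The script below uses openssl directly (1.1.1 or later assumed); the CA name, the server name and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: mint a throwaway CA and a server
# certificate carrying the extensions that "remote-cert-tls server" checks,
# then verify the extensions are actually present in the result.
set -eu

make_server_cert() {
  # $1 = output directory, $2 = server common name (placeholders)
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  # X.509 v3 extensions a server cert needs for OpenVPN's remote-cert-tls
  cat > "$dir/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  # Self-signed test CA (short lifetime: this is a demonstration CA)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 2 -subj "/CN=Test VPN CA" >/dev/null 2>&1
  # Server key and CSR
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$cn" >/dev/null 2>&1
  # Sign with the extension file applied. Leave out -extfile and the
  # certificate has no keyUsage/EKU, which is the failure from the post.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1
}

has_server_usage() {
  # Succeeds only if the certificate in $1 carries both extensions.
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'TLS Web Server Authentication' &&
  echo "$txt" | grep -q 'Digital Signature, Key Encipherment'
}

# Run directly as: sh mkcert.sh /tmp/vpnpki vpn.example.invalid
if [ $# -eq 2 ]; then
  make_server_cert "$1" "$2"
  has_server_usage "$1/server.crt" && echo "server.crt carries keyUsage and serverAuth EKU"
fi
```

If the original CA came from CA.sh without any server-certificate policy, regenerate it alongside the server certificate and install ca.crt, server.crt and server.key under /config/auth/openvpn/keys/, matching the paths in the router configuration shown earlier on this page; `openssl x509 -in server.crt -noout -text` on the router confirms the extensions survived the copy. tls-auth is worth keeping, but it only rejects handshakes that lack the shared key; certificate verification is what actually addresses the MITM warning. The mirror-image check on the server side, `openvpn-option "--remote-cert-tls client"`, requires client certificates issued with extendedKeyUsage clientAuth, so add that when reissuing client certificates.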
