Channel: EdgeRouter topics

OpenVPN over DUAL WAN ER-Poe5


Hi, I've been working on replacing my Raspberry Pi, which is currently my OpenVPN server.

I'd like to have my ER-Poe5 as OpenVPN Server.

It has been a week of completely resetting the device, because I made incorrect settings and destroyed my working configuration...

Here is the topology of my network:

 

ETH0 (WAN1) => 4G Modem (yes I know, I've got 3Mo of ADSL...) can't BRIDGE the modem

ETH1 (WAN2) => ADSL can't BRIDGE the modem

ETH2 => IP CCTV

ETH3 => Ubiquiti UAC Pro

ETH4 => LAN

Switch => ETH2 + ETH3 + ETH4

LAN for ETH0 is 192.168.8.0/24 subnet

LAN for ETH1 is 192.168.1.0/24 subnet

LAN for SWITCH is 192.168.10.0/24 subnet

 

The current setup is that ETH1 is the failover for ETH0, so when I lose my 4G connection I still have the ADSL connection: that works nicely!

Now what I want is the following: I want the OpenVPN server to keep working as it does today with WAN failover, and when I connect to it from outside, it should use the ADSL connection to reach my LAN.

 

I hope you'll understand my problem and have an idea why it is not working today.

I think my problem is a NAT thing, but I can't figure it out...

 

Here's a dump of my config:

root@FW-UBNT:~# show configuration | cat
firewall {
all-ping enable
broadcast-ping disable
group {
address-group RaspberryPi {
address 192.168.10.20
description "Raspberry Pi 2 B / OpenVPN"
}
address-group Synology {
address 192.168.10.19
description "NAS Synology DS415+"
}
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 70 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description Allow_OpenVPN
destination {
group {
address-group RaspberryPi
}
port 443
}
log disable
protocol tcp
}
rule 20 {
action accept
description Allow_NASHTTPS
destination {
group {
address-group Synology
}
port 5001
}
log disable
protocol tcp
source {
}
}
rule 30 {
action accept
description Allow_NASHTTP
destination {
group {
address-group Synology
}
port 5000
}
log disable
protocol tcp
}
rule 40 {
action accept
description Allow_HTTP
destination {
group {
address-group Synology
}
port 80
}
log disable
protocol tcp
}
rule 50 {
action accept
description Allow_Webdav
destination {
group {
address-group Synology
}
port 5006
}
log disable
protocol tcp
}
rule 60 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 70 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow OpenVPN UBNT"
destination {
port 1194
}
log disable
protocol udp
}
rule 20 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
ethernet eth1 {
address dhcp
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
ethernet eth2 {
description Foscam
duplex auto
mtu 1500
poe {
output 48v
}
speed auto
}
ethernet eth3 {
description Wifi
duplex auto
mtu 1500
poe {
output 48v
}
speed auto
}
ethernet eth4 {
description Lan
duplex auto
mtu 1500
poe {
output off
}
speed auto
}
loopback lo {
}
openvpn vtun0 {
description OpenVPN
encryption aes256
hash sha256
mode server
openvpn-option "--port 1194"
openvpn-option --tls-server
openvpn-option "--comp-lzo yes"
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
server {
name-server 8.8.8.8
push-route 192.168.10.0/24
subnet 172.16.1.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/host.pem
dh-file /config/auth/dh2048.pem
key-file /config/auth/host-decrypted.key
}
}
switch switch0 {
address 192.168.10.253/24
description Local
firewall {
in {
modify balance
}
}
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
load-balance {
group G {
interface eth0 {
}
interface eth1 {
failover-only
}
lb-local enable
lb-local-metric-change disable
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth4
rule 1 {
description LetsEncrypt
forward-to {
address 192.168.10.19
port 80
}
original-port 80
protocol tcp
}
rule 2 {
description NAS-WebDav
forward-to {
address 192.168.10.19
port 5006
}
original-port 5006
protocol tcp_udp
}
rule 3 {
description NAS_HTTPS
forward-to {
address 192.168.10.19
port 5001
}
original-port 5001
protocol tcp
}
wan-interface eth1
}
protocols {
static {
route 172.16.1.0/24 {
next-hop 192.168.10.253 {
}
}
route 192.168.10.0/24 {
next-hop 172.16.1.1 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.10.0/24 {
default-router 192.168.10.253
dns-server 1.1.1.1
dns-server 8.8.8.8
lease 86400
start 192.168.10.100 {
stop 192.168.10.200
}
unifi-controller 192.168.10.251
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0
listen-on vtun0
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 1 {
description Allow_OpenVPN
inbound-interface eth1
inside-address {
address 192.168.10.20
port 443
}
log disable
protocol tcp
type destination
}
rule 2 {
description Allow_NAStoHTTPS
destination {
group {
}
}
inbound-interface eth1
inside-address {
address 192.168.10.19
}
log disable
protocol all
type destination
}
rule 5000 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
ssh {
port 522
protocol-version v2
}
unms {
disable
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name FW-UBNT
login {
user jessy {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name jessy
level admin
}
user ubnt {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}

 

THANK YOU for having a look at it!

Sorry for any mistakes, I'm French.

Regards

 


Fritzbox and EdgeRouter ER-X


Hello,

 

my Fritzbox 7590 is connected to eth0 of my EdgeRouter ER-X. I used the wan2eth0 wizard.

 

The Fritzbox is used for dect, VPN and WLAN.

 

The EdgeRouter is used for connecting PCs, etc.

 

The Fritzbox is 192.168.155.220 and the EdgeRouter's eth0 is 192.168.155.55. I added a static route on the Fritzbox: 192.168.154.0, mask 255.255.255.0, gateway 192.168.154.55.

 

I think something is missing, because it is impossible to reach a PC from WLAN, for example from 192.168.155.50 to 192.168.154.26, or the EdgeRouter at 192.168.155.55 or 192.168.154.1.

 

Can you help me?

 

Thank you in advance.

Error during: Install bcast-relay: Couldn't resolve host ...

Can't ping to WAN IP from Outside world


Hi team.

I have an EdgeRouter Pro 8. At the moment I have it configured with 2 WANs (load balancing) on eth0 and eth1.

Today I tried disabling WAN 1 (FPT - eth0) to test failover, but I can't ping the WAN 1 IP from the outside network, although internet still works.

After that, I tried disabling WAN 2 (VNPT - eth1). I can't ping the WAN 2 IP from the outside network either, and internet still works.

Can you help me with this case? Everything is only OK when both WANs are connected.

I have attached the support file.

Thank you

NEWBIE QUESTION: HOW CAN I REGISTER MY EDGEROUTERS with Ubiquiti?


I've been configuring and flashing and configuring, so now it is stable enough for me to register the products with Ubiquiti. But I can't for the life of me find where to. Does anyone know how to register Ubiquiti products?

Which EdgeRouter is best suited to replace the router/switch features of my ASUS AC68U?


Hi there,

 

I have a 1Gbps/200Mbps fiber connection at home and I'm currently using an ASUS AC68U router for it, but I've been thinking of replacing it with an EdgeRouter; I'm just not sure which one.

 

However, I don't want to fully replace it for now... I mean, I still would like to use the AC68U for WiFi, because I can't really afford to upgrade my whole network to Ubiquiti hardware, although that's the goal. For now I just want to upgrade to an EdgeRouter and in the future install UniFi APs to fully replace the AC68U.

 

But what exactly is the best router for me? Here are my hardware requirements:

 

  • I'd like something that could support the 1Gbps downlink from my ISP as best as possible.
  • I currently have 4 devices (PC, Synology NAS, SHIELD Android TV and my ISP Set-top box) connected by ethernet directly to the AC68U (no switch in between). I'd like to keep this configuration with an EdgeRouter. I don't think I'll need more than 4 ethernet ports and if I do, I don't mind using a switch if needed. In other words, I don't need a more expensive router with more than 4 ethernet ports.
  • My ISP fiber connection is provided through an ONT device which connects to the WAN port on the AC68U through an ethernet cable. I believe I need to do the same with an EdgeRouter without forgetting the previous point. In other words, this excludes the EdgeRouter Lite and the EdgeRouter 4, correct?

I believe I have a few choices but I'm still not sure because there's a few things I don't understand. The way I see it, I have these choices:

 

  • EdgeRouter X (least expensive)
  • EdgeRouter X SFP
  • EdgeRouter PoE
  • EdgeRouter 6P (most expensive)

Besides having you guys help me decide on the best EdgeRouter for me, I'd also like to understand a few things:

 

  1. The ER-X and the ER-X-SFP feel very similar, but their design confuses me:
    1. What exactly is the PoE IN port for and why the ER-X-SFP doesn't have one?
    2. Can I use the single PoE IN port on the ER-X and the five PoE IN ports on the ER-X-SFP to power UniFi devices or is PoE only required for airMAX devices? Can these ports be used to power other types of devices or are they designed for Ubiquiti hardware only?
    3. What exactly is the SFP port for on the ER-X-SFP? Is this where I connect the ethernet cable from the ONT device like the WAN port on my AC68U? Why is the port smaller? Does it really fit a typical ethernet cable tip or does it need a different type of tip/cable?
    4. What about the ER-X, where do I connect the ethernet cable from the ONT device? Does it need to be connected to the PoE IN port or does it work on any ethernet port?
    5. The comparison table between these 2 models show that the ER-X has "Passive PoE Passthrough" while the ER-X-SFP has "24V Passive PoE". What exactly are the differences? What does this mean?
  2. Now let's compare the ER-X-SFP and the ERPoe-5:
    1. For starters, the page for the ERPoe-5 states a performance of 1 million pps, but the page for the ER-X-SFP doesn't say anything. What's the ER-X-SFP performance and which one is required to power my 1Gbps ISP connection?
    2. The ERPoe-5 supports 5 ethernet ports, just like the ER-X-SFP, but doesn't come with an SFP port. Where do I connect the ethernet cable from the ONT device on the ERPoe-5? To the console port? To any of the other ethernet ports?
    3. What exactly is the console port for on the ERPoe-5?
    4. Why is there a connecting line drawn on the back of the ERPoe-5 router between the eth2 and eth4 ports? What does this represent?
  3. To finish, let's compare the ER-6P with everything else. This feels like an ERPoe-5 but with an SFP port like the ER-X-SFP, correct? If I get answers to all my questions above, I believe I don't have much else to ask here because the answers will also apply to this model. But I do have a few others:
    1. This model comes with a USB3 port. What could this be used for?
    2. The ER-6P is also much more performant than the others, with 3.4 million pps. Do I need this for my ISP's 1Gbps connection or is this overkill? In what scenario would such performance be needed?

To finish, I have one other question not related to which model I should pick (I think), but about how easy it would be to connect my ONT to an EdgeRouter, configure the EdgeRouter to provide Internet to all my ethernet devices, and then connect the EdgeRouter to the ASUS AC68U and use that device only to provide a WiFi network to my mobile devices, allowing every device (wired or wireless) to reach any other device on the same network; in other words, have all devices in a 192.168.0.0/24 subnet. Is this setup feasible as described? How easy or how hard is it to set up?

 

Sorry for the big post, but I have so many questions and I need to understand everything to make an informed choice and purchase.

EdgeRouter PoE and Google Fiber San Antonio


Thought it would be worth remarking on the forums here: the EdgeRouter PoE works out of the box as a replacement for the Google Wifi mesh device provided by Google Fiber in the San Antonio market. The Fiber Jack model that was provided was GLFT300. Some of the config.boots I found here that worked in other markets do not work here (the vlan2 vif will not be assigned an IP address), but the default eth0 does in fact get an address assigned, and right away, for both IPv4 and IPv6.

EdgeRouter Infinity seeing dropped packets


We have an EdgeRouter Infinity here, with 3 UF-RJ45-1G modules in ports 1-4. Those ports are set to 1000 full duplex, as intended.

 

However, we see quite a few dropped packets on our internet link, which is 500 Mbit. Due to the nature of the Infinity and the use of SFP modules to connect to Ethernet, we can't see the connection speed or duplex setting of the Gig-E SFP.

 

I replaced the patch cables twice with new ones, but no luck. We are running it as a BGP router with full tables and no firewall rules.

 

RX: bytes packets errors dropped overrun mcast
743073581722 1424744638 0 19707 0 0
TX: bytes packets errors dropped carrier collisions
1266942580171 1565496981 0 0 0 0

 

show interfaces ethernet eth2 sfp
connector=Unknown
vendor=UBNT
oui=00-00-00
part=UF-RJ45-1G
rev=1.0
serial=X18042804524
date=180330

 

show interfaces ethernet eth2 physical
Settings for eth2:
Auto-negotiation: off
Speed: 1000Mb/s
Duplex: Full
Link detected: yes


EdgeMax Router Lite to EdgeMax router Pro


Hello, 

 

I have an EdgeMax Router Lite which now needs to be replaced with an EdgeRouter Pro. How can I do that? I have the config file from the Lite. But is it as simple as uploading the config file and everything will start working? I am not sure if that is the way to do it.

Please advise.

Error by using "tar"


Hi

 

I have tried to follow this step from a manual:

 

"Untar the tarball ubnt-bcast-relay.tgz in a directory on your Edge Router with space: e.g. cd /tmp; sudo tar zxvf ubnt-bcast-relay.tgz"

 

My input in CLI: cd /tmp; sudo tar bcast ubnt-bcast-relay.tgz

But I get this error: "tar: invalid option -- 'b'"

 

What did I do wrong?

No reset


I hooked up a new EdgeRouter X today. I plugged my computer directly into it, set my IP to 192.168.1.100, logged in to the web GUI, updated the firmware, and configured everything. After all that was complete, I moved the router to replace my other one and nothing worked. I don't think I had everything configured right. So I unhooked all the ethernet cables and plugged my computer directly into it. I tried everything and cannot get connected again.

 

I tried to reset it. With it powered on, I held in the reset button. It never flashed like the directions say. So I tried unplugging it and holding the reset button in as I powered it back on. This time it flashed as described. But I am still unable to log in. I tried everything the same way I did the first time. I get no response from the router.

 

Is there something else I can do to reset it?

 

 

Thanks

EdgeRouter PoE IPv6 assigned to WAN but not to clients


I've got a strange problem. I'm trying to get IPv6 working on my EdgeRouter PoE with Google Fiber service. I have read that it needs a /56 prefix. It's assigning a full /128 address to eth0 (WAN), but no other v6 address is being configured. I've tried every which way with this and I've run into a wall. It's probably misconfigured, but I am stuck. Here is my current configuration (minus a few irrelevant params like timezone).

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LANv6_IN {
        default-action accept
        description "LAN to Internal"
        enable-default-log
        rule 10 {
            action drop
            description "drop invalid state"
            state {
                invalid enable
            }
        }
        rule 20 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
    }
    name LAN_IN {
        default-action accept
        description "LAN to Internal"
        enable-default-log
        rule 10 {
            action drop
            description "drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to Internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to Router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1460
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface switch0 {
                    host-address ::1
                    prefix-id :0
                    service slaac
                }
                prefix-length 56
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        poe {
            output 48v
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.99.1/24
        description "ETH Console"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Cabinet LAN"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Living Room LAN"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.10.0.1/24
        description "LAN Switch"
        firewall {
            in {
                name LAN_IN
            }
        }
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
            router-advert {
                managed-flag true
                prefix ::/56 {
                }
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.10.99.0/24 {
                default-router 10.10.99.1
                dns-server 10.10.99.1
                lease 86400
                start 10.10.99.38 {
                    stop 10.10.99.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.10.0.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                domain-name local
                lease 86400
                start 10.10.0.38 {
                    stop 10.10.0.243
                }
                unifi-controller 10.10.0.10
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 3000
            listen-on eth1
            listen-on switch0
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on switch0
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
}

Anything look out of the ordinary here?

Hairpin NAT and Dynamic DNS


First, let me say that I tried the solution from this thread:

https://community.ubnt.com/t5/EdgeRouter/Dynamic-DNS-and-hairpin/m-p/2398143#M212817

which was to use a static mapping for the hostname, but it did not work for me.

 

I have a Synology DiskStation which I recently set up with dynamic DNS (domain registered with Namecheap, using their FreeDNS dynamic DNS service). Let's just say the domain is example.com.

I can access the DiskStation from outside the LAN by navigating to https://example.com or https://www.example.com. If I try from WITHIN the LAN, the connection times out. This leads me to believe it's an issue with hairpin NAT, which should be a simple matter of checking a box in the web GUI to enable. Unfortunately, this doesn't work. I have two other VLANs besides my main VLAN: one for IoT devices and one as a guest network.

Please note there is mention of a "Pi-Hole DNS Server" at 10.10.10.20, and some firewall rules to allow DNS, but this server has been outright replaced (at the same IP address) with a RADIUS server (for my L2TP/IPsec VPN), and DNS is now being handled by Google's 8.8.8.8 server.

Here's my configuration as-is, with only the passwords blanked out. Please let me know how to fix it!

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group DNS_SERVER {
            address 10.10.10.20
            description "Pi-Hole DNS Server"
        }
        network-group LOCAL_LANS {
            description "Subnet addresses of other LANs and VLANs to block traffic coming from IoT"
            network 10.10.10.0/24
            network 10.10.30.0/24
        }
        network-group TRUSTED {
            description "Trusted Network"
            network 10.10.10.0/24
        }
        port-group VideoStation {
            description "Synology Video Station"
            port 9025-9040
            port 1900
            port 5000
            port 5001
            port 5002
            port 5004
            port 65001
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IOT_TO_LAN {
        default-action accept
        description "Guest network to other LAN networks"
        rule 10 {
            action accept
            description "Allow regular LAN clients to access isolated clients, and allow isolated clients to respond"
            destination {
                group {
                    network-group TRUSTED
                }
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow IoT to access Video Station on Synology NAS"
            destination {
                address 10.10.10.10
                group {
                    port-group VideoStation
                }
            }
            log disable
            protocol tcp_udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            description DNS
            destination {
                group {
                    address-group DNS_SERVER
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "Drop all packets from IoT to other LANs"
            destination {
                group {
                    network-group LOCAL_LANS
                }
            }
            log disable
            protocol all
        }
    }
    name IOT_TO_LOCAL {
        default-action drop
        description "IoT to EdgeRouter"
        rule 2 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 3 {
            action accept
            description "Allow Router to ping IoT clients"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 50 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 60 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* eth0 is the only WAN; it is the only interface carrying WAN_IN/WAN_LOCAL. */
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* VLAN-aware switch: eth1 is an access port on VLAN 40 (IoT), eth2/eth3 are
       access ports on VLAN 10, and eth4 carries VLAN 10 untagged plus 30/40
       tagged (a trunk, presumably to an AP). Anything plugged into eth1 lands
       on the IoT VLAN. */
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 40
                }
            }
            interface eth2 {
                vlan {
                    pvid 10
                }
            }
            interface eth3 {
                vlan {
                    pvid 10
                }
            }
            interface eth4 {
                vlan {
                    pvid 10
                    vid 30
                    vid 40
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 10.10.10.1/24
            description Regular
            mtu 1500
        }
        /* Guest has no firewall attached. Unlike vif 40 below, nothing in this
           config stops 10.10.30.0/24 from reaching the 10.10.10.0/24 LAN or the
           router's own services (SSH, GUI). Give it "in"/"local" policies like
           the IoT VLAN unless isolation is enforced elsewhere (e.g. on the AP). */
        vif 30 {
            address 10.10.30.1/24
            description Guest
            mtu 1500
        }
        /* IoT: both forwarded ("in") and router-bound ("local") traffic are
           filtered by dedicated rule sets. */
        vif 40 {
            address 10.10.40.1/24
            description SKYNET-IoT
            firewall {
                in {
                    name IOT_TO_LAN
                }
                local {
                    name IOT_TO_LOCAL
                }
            }
            mtu 1500
        }
    }
}
/* Destination NAT from eth0 to the NAS at 10.10.10.10. auto-firewall adds the
   matching WAN_IN accepts; hairpin-nat lets LAN hosts use the public address.
   All three rules use tcp_udp, which also opens the UDP side of each port; if
   these are TCP-only services, "protocol tcp" is the tighter choice. Exposing
   the DSM management port directly to the internet enlarges the NAS's attack
   surface — reaching it through the L2TP/IPsec VPN defined below avoids that.
   DNAT is applied before the router's own listeners, so WAN port 80/443 reach
   the NAS rather than the GUI (http-port 80 / https-port 443 in service gui). */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description HTTP
        forward-to {
            address 10.10.10.10
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    rule 2 {
        description "Synology DSM"
        forward-to {
            address 10.10.10.10
            port 5373
        }
        original-port 5373
        protocol tcp_udp
    }
    rule 3 {
        description SSL
        forward-to {
            address 10.10.10.10
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    /* Every scope hands clients 8.8.8.8 directly, although a host with a
       static lease labelled "pi-hole" (10.10.10.200) exists; if it is meant to
       filter DNS, clients bypass it unless the scopes point at it. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DHCP {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.10.10 {
                    stop 10.10.10.244
                }
                static-mapping SKYNET {
                    ip-address 10.10.10.15
                    mac-address 78:8a:20:5c:10:5a
                }
                static-mapping pi-hole {
                    ip-address 10.10.10.200
                    mac-address b8:27:eb:8d:07:a3
                }
                static-mapping pizero {
                    ip-address 10.10.10.20
                    mac-address b8:27:eb:63:67:90
                }
                static-mapping example.com {
                    ip-address 10.10.10.10
                    mac-address 00:11:32:52:52:a2
                }
            }
        }
        shared-network-name Guest {
            authoritative disable
            subnet 10.10.30.0/24 {
                default-router 10.10.30.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.30.2 {
                    stop 10.10.30.254
                }
            }
        }
        shared-network-name IoT {
            authoritative disable
            subnet 10.10.40.0/24 {
                default-router 10.10.40.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.40.2 {
                    stop 10.10.40.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        /* Dynamic-DNS credentials are stored in the configuration (redacted
           here); anyone who can read config.boot or a backup obtains them. */
        dynamic {
            interface eth0 {
                service namecheap {
                    host-name @
                    login example.com
                    password [PASSWORD]
                    protocol namecheap
                    server dynamicdns.park-your-domain.com
                }
                web https://dynamicdns.park-your-domain.com/update
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    /* older-ciphers enable re-enables weak TLS cipher suites on the web UI;
       keep it disabled unless a legacy browser genuinely needs it. The GUI is
       blocked from eth0 by WAN_LOCAL but reachable from any VLAN that has no
       "local" policy (Guest). */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    /* SSH on 22 with password authentication left enabled (no
       disable-password-authentication). Blocked from eth0 by WAN_LOCAL; open
       to VLANs without a "local" policy. */
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name ubnt
    /* Single admin-level account, password only (no public-keys entries). */
    login {
        user motionnt {
            authentication {
                encrypted-password [PASSWORD]
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    static-host-mapping {
    }
    /* Logs stay on the router only (no "syslog host"), so they are lost on
       reboot and cannot be trusted after a compromise; ship them to a
       collector on the LAN. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    /* DPI is on and its statistics are exported; confirm where "export" sends
       them before relying on it. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    /* auto-firewall-nat-exclude is off, so the IKE/ESP/NAT-T/L2TP accepts were
       added manually as WAN_LOCAL rules 30-60. */
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
    }
    /* L2TP/IPsec remote access. The pre-shared secret is the outer gate — it
       should be long and random — and MS-CHAPv2 inside is weak on its own, so
       it depends entirely on the IPsec layer. Users are checked against the
       RADIUS server at 10.10.10.20 (shared key redacted). The client pool
       .245-.250 sits just above the LAN DHCP range (which ends at .244) in the
       same /24, so there is no overlap. */
    l2tp {
        remote-access {
            authentication {
                local-users {
                }
                mode radius
                radius-server 10.10.10.20 {
                    key [PASSWORD]
                }
                require mschap-v2
            }
            client-ip-pool {
                start 10.10.10.245
                stop 10.10.10.250
            }
            dhcp-interface eth0
            dns-servers {
                server-1 10.10.10.20
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret [PASSWORD]
                }
                ike-lifetime 3600
                lifetime 3600
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.5.5098943.180622.1555 */

openvpn no rx traffic


Hi

I had my edgemax connected to an isp router via eth0, and openvpn client was working.

I then moved pppoe to the edgemax on eth0 and now I get TX traffic when I enable vtun0 but no RX traffic, and I am unable to ping the vpn gateway (external ip and vpn ip)

 

I see the following errors in the logs.

Any advice would be appreciated

 

Aug 15 19:49:36 ubnt openvpn[2305]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2018
Aug 15 19:49:36 ubnt openvpn[2305]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 15 19:49:36 ubnt openvpn[2305]: Socket Buffers: R=[180224->131072] S=[180224->131072]
Aug 15 19:49:36 ubnt openvpn[2306]: UDPv4 link local: [undef]
Aug 15 19:49:36 ubnt openvpn[2306]: UDPv4 link remote: [AF_INET]104.131.49.146:1194
Aug 15 19:49:36 ubnt openvpn[2306]: TLS: Initial packet from [AF_INET]104.131.49.146:1194, sid=c87eafbe 6794467a
Aug 15 19:49:36 ubnt openvpn[2306]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, emailAddress=me@myhost.mydomain
Aug 15 19:49:36 ubnt openvpn[2306]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
Aug 15 19:49:39 ubnt openvpn[2306]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 15 19:49:39 ubnt openvpn[2306]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 15 19:49:39 ubnt openvpn[2306]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 15 19:49:39 ubnt openvpn[2306]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 15 19:49:39 ubnt openvpn[2306]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Aug 15 19:49:39 ubnt openvpn[2306]: [server] Peer Connection Initiated with [AF_INET]104.131.49.146:1194
Aug 15 19:49:41 ubnt openvpn[2306]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Aug 15 19:49:41 ubnt openvpn[2306]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 172.16.200.1,topology net30,ping 20,ping-restart 60,ifconfig 172.16.200.6 172.16.200.5'
Aug 15 19:49:41 ubnt openvpn[2306]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 15 19:49:41 ubnt openvpn[2306]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 15 19:49:41 ubnt openvpn[2306]: OPTIONS IMPORT: route options modified
Aug 15 19:49:41 ubnt openvpn[2306]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 15 19:49:41 ubnt openvpn[2306]: ROUTE_GATEWAY ON_LINK IFACE=pppoe0 HWADDR=00:00:00:00:00:00
Aug 15 19:49:41 ubnt openvpn[2306]: TUN/TAP device vtun0 opened
Aug 15 19:49:41 ubnt openvpn[2306]: TUN/TAP TX queue length set to 100
Aug 15 19:49:41 ubnt openvpn[2306]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip link set dev vtun0 up mtu 1500
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip addr add dev vtun0 local 172.16.200.6 peer 172.16.200.5
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip route add 104.131.49.146/32 via 0.0.0.0
Aug 15 19:49:41 ubnt openvpn[2306]: ERROR: Linux route add command failed: external program exited with error status: 2
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip route add 0.0.0.0/1 via 172.16.200.5
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip route add 128.0.0.0/1 via 172.16.200.5
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip route add 192.168.1.0/24 via 172.16.200.5
Aug 15 19:49:41 ubnt openvpn[2306]: ERROR: Linux route add command failed: external program exited with error status: 2
Aug 15 19:49:41 ubnt openvpn[2306]: /sbin/ip route add 172.16.200.1/32 via 172.16.200.5
Aug 15 19:49:41 ubnt openvpn[2306]: Initialization Sequence Completed
Aug 15 19:50:32 ubnt openvpn[2306]: /sbin/ip route del 172.16.200.1/32
Aug 15 19:50:32 ubnt openvpn[2306]: /sbin/ip route del 154.131.49.146/32
Aug 15 19:50:32 ubnt openvpn[2306]: ERROR: Linux route delete command failed: external program exited with error status: 2
Aug 15 19:50:32 ubnt openvpn[2306]: /sbin/ip route del 0.0.0.0/1
Aug 15 19:50:32 ubnt openvpn[2306]: /sbin/ip route del 128.0.0.0/1
Aug 15 19:50:32 ubnt openvpn[2306]: Closing TUN/TAP interface
Aug 15 19:50:32 ubnt openvpn[2306]: /sbin/ip addr del dev vtun0 local 172.16.200.6 peer 172.16.200.5
Aug 15 19:50:32 ubnt openvpn[2306]: SIGTERM[hard,] received, process exiting

My config is as follows

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* WAN_IN/WAN_LOCAL are attached to pppoe0 only (see interfaces). No rule
       set references vtun0, so traffic arriving from the VPN server side is
       not filtered at all once the tunnel is up. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* MSS clamp for the PPPoE link (mtu 1492); traffic inside vtun0 will have
       even less room once the tunnel overhead is added. */
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        /* PPPoE is the WAN; the WAN rule sets live on the pppoe0 sub-interface,
           not on eth0 itself. */
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password ******
            user-id **********
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* vtun0 carries no firewall policy, unlike pppoe0. The server pushes
       "redirect-gateway def1", so when the tunnel is up the default route moves
       into it and the far side can reach the router and the LAN through vtun0
       unfiltered — attach WAN_IN/WAN_LOCAL (or a dedicated pair) here.
       The "TX but no RX" symptom most likely follows from the log: on PPPoE the
       gateway is on-link, so OpenVPN 2.3's "ip route add <server>/32 via
       0.0.0.0" fails, and the 0.0.0.0/1 + 128.0.0.0/1 routes it then installs
       via the tunnel swallow the encrypted packets to the server itself. Pin
       the server to the WAN with a static host route:
         set protocols static interface-route <server-ip>/32 next-hop-interface pppoe0
       The server also pushes "route 192.168.1.0/24", which is this LAN
       (switch0 below); that route add fails too, and the remote subnet stays
       unreachable until one side is renumbered. */
    openvpn vtun0 {
        config-file /config/openvpn/client.conf
        disable
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                /* Clients resolve via the router's forwarder (listen-on switch0). */
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    /* older-ciphers enable re-enables weak TLS cipher suites on the web UI;
       keep it disabled unless a legacy browser genuinely needs it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Masquerade exists for pppoe0 only. There is no rule for vtun0, so once the
       pushed redirect-gateway moves the default route into the tunnel, LAN
       hosts' 192.168.1.x source addresses go into it untranslated; add a
       masquerade rule with outbound-interface vtun0 if the LAN is meant to use
       the VPN. */
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    /* SSH on 22, password authentication enabled; blocked from pppoe0 by
       WAN_LOCAL, reachable from the LAN and from vtun0. */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    /* The admin account still uses the factory-default name "ubnt", which is
       the first username any scanner tries; create a differently named
       admin user and delete this one. */
    login {
        user ubnt {
            authentication {
                encrypted-password *******
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Local logging only (no "syslog host"); the OpenVPN log quoted in the post
       is lost on reboot unless it is sent to a collector. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.5.5098943.180622.1555 */

My vpn config (client.conf) is as follows

 

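client
dev tun
proto udp

# Server IP and port. NB: the log quoted above shows 104.131.49.146 for the
# same peer, so one of the two values was altered before posting.
remote 154.131.49.146 1194

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings

# Server-certificate check: the peer must present a cert with
# nsCertType=server, so another client cert from the same CA cannot pose as
# the server. The log still prints "No server certificate verification method
# has been enabled", which suggests the instance that produced it ran without
# this line. On OpenVPN 2.4+ prefer "remote-cert-tls server" (ns-cert-type is
# deprecated there) after confirming the server cert carries EKU serverAuth.
ns-cert-type server

# LZO compression has to match the server. Compression on the VPN is exposed
# to the VORACLE compression-oracle attack; remove it on both ends if you can.
comp-lzo

# Key material. The earlier relative "ca.crt"/"client.crt"/"client.key" lines
# were dropped: OpenVPN keeps the last occurrence of each option, so only
# these absolute paths were ever in effect.
ca /config/openvpn/certs/ca.crt
cert /config/openvpn/certs/home.crt
key /config/openvpn/certs/home.key

# The data channel is running the defaults shown in the log (BF-CBC / SHA1).
# Blowfish has a 64-bit block (SWEET32); set "cipher AES-256-CBC" and
# "auth SHA256" here AND on the server — on 2.3.x both sides must agree.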

 

Setting up ER-X vlan for work-from-home, unsuccessfully


I'm new-ish to the world of EdgeOS and have been running an EdgeRouter-X for more than a year with literally zero issues that I couldn't search and find the answers to. So far, my network has been working with the following kind of layout:

 

eth0 - WAN
switch0 192.168.1.1/24
eth1 - multi-role PC (plex/file server etc.)
eth2 - 8 port unmanaged switch (xboxes/printer/tv etc.)
eth3 - WAP
eth4 - unused

 

Now, I've been asked to set eth4 up as a vlan that would:

  1. Completely separate the network for work-from-home
  2. have its own DHCP scope & firewall
  3. allow no traffic to or from the other LAN and ideally,
  4. have qos or something set up to prevent choking out that vlan's traffic

Essentially they want her to have her own isolated, dedicated connection. I've been trying to set it up to do that, but I don't think I'm making any progress toward my goal. I've searched for a few weeks now and it seems like all the tutorials and solutions I'm finding are based on using a managed switch, but alas, that's not an option right now. I've tried to adapt as much of the instructions as I can to my specific needs, but I think I'm definitely missing something, right? Can this be done without a managed switch? Any help is greatly appreciated!


Apply two shaper to two WAN load balance


I have two WANs: WAN1 on eth0 and WAN2 on eth1, where WAN2 is failover-only. My LAN is on eth2. WAN1 is 15/5 Mbps and WAN2 is 1024/512 kbps. I have been told shapers can only be applied in the out direction of an interface, so download shaping should go on the out direction of the LAN (eth2) and upload shaping on the out direction of eth0. But I would like a separate download shaper for when WAN2 is in use. As I understand it, a shaper on the out direction of eth2 will affect traffic from both WAN1 and WAN2.

So how can I link shaper to eth0 and eth1? (both have static IP)

 

to set shaper to my vlans I did

 

set traffic-policy shaper client-down class 10 match ADDR ip destination address 172.17.10.0/24

 

If I do next would it link the shaper to each WAN?

 

set traffic-policy shaper client-down class 10 match ADDR ip source address "WAN ip"

 

Thanks

Route existing private network (VPN) over WAN2


Hi all :-)

 

I'm looking for a way to route an existing network (a VPN reachable via WAN2) from my LAN, and back :-).

WAN1 (172.16.25.2/27 GW=.1)   eth0   Internet

WAN2 (172.16.25.34/27 GW=.33)   eth1   Internet and 172.16.28.0/24 Network (VPN)

switch0   local network 172.16.30.1/24

 

- Load balancing works fine, with IPv6 too

- Route from the VPN-Network to the internal Network is set

- The balance modify rule is also set, so that traffic for the VPN network goes out eth1 via the 172.16.25.33 gateway

 

I have tried several scenarios (static routes, opening the firewall, many how-tos) but I cannot get the router to forward a ping or anything else from the internal network out via WAN2.

Test with Traceroute only shows the EdgeRouter (172.16.30.1) as first hop and then nothing.

 

What needs to be set? Does anyone have good links, or an idea of what I'm overlooking?

 

THX - Meik

Upgrading firmware on EdgeRouter X


Downloaded firmware ER-e50.v1.10.5.5098943.tar today.

After uploading the firmware via the GUI and waiting for the firmware to be installed I performed a reboot when prompted.

After rebooting it's no longer possible to connect to the router via the GUI or CLI interface.

What to do???

 

Forcing DNS to PiHole w/ DNAT + Allowing for Backup DNS server


I have a PiHole running on an Ubuntu server in my house that I use for network-wide ad blocking -- I have 4 VLANs (Home, Utilities, IOT, Guest), and I've set up 4 DNAT rules so that devices with hardcoded/manually configured DNS servers cannot get around the PiHole.

 

DNS servers distributed by the DHCP of my router:

Primary - PiHole: 192.168.10.7

Secondary (Quad9) - 9.9.9.9

 

I want to make sure that if my Ubuntu server crashes/loses power/etc, the secondary DNS distributed by my router will still function.  This is purely for belt & suspenders redundancy, b/c my spouse works at home, and if for some reason the PiHole crashed when I was at work, I would get some frantic calls.

 

One thing I struggled with was in the DNAT field for destination, I'd like to be able to list two not (!) IP addresses to allow for devices to use the backup DNS if for some odd reason my Ubuntu server crashes/loses power/etc...  

 

After researching this, I found this thread describing exactly what I wanted -- and the answer says to put an exclude rule first in the DNAT rule list. I set this up and tested it -- and I think I've got it working.

 

Does this look right?  One thing that threw me for a loop is that when I set up the exclude rules, I had to enter a translation address, which didn't really make sense to me since the purpose of the rule is to not apply NAT.

 

Also - can anyone explain why I need the SNAT masquerade rule on the switch.10 interface?  I copied from this thread and it seems to work, but I don't understand why it's only needed for the VLAN that the pi-hole is on.

  

ubnt@ubnt# show service nat
 /* Rules run in number order, so the "exclude" rules 2-5 must precede the
    catch-all DNAT rules 6-9. An exclude rule matches but translates nothing;
    the inside-address port on it is only what the validator insists on and is
    never applied. Only queries addressed to 9.9.9.9:53 pass untouched; any
    other port-53 traffic is redirected to the pi-hole. Caveat: this catches
    plain DNS only — clients using DoH (443) or DoT (853) bypass it entirely. */
 rule 2 {
     description "Home - Allow Quad9"
     destination {
         address 9.9.9.9
         port 53
     }
     exclude
     inbound-interface switch0.10
     inside-address {
         port 53
     }
     log disable
     protocol tcp_udp
     type destination
 }
 rule 3 {
     description "Utils - Allow Quad9"
     destination {
         address 9.9.9.9
         port 53
     }
     exclude
     inbound-interface switch0.20
     inside-address {
         port 53
     }
     log disable
     protocol tcp_udp
     type destination
 }
 rule 4 {
     description "IOT - Allow Quad9"
     destination {
         address 9.9.9.9
         port 53
     }
     exclude
     inbound-interface switch0.30
     inside-address {
         port 53
     }
     log disable
     protocol tcp_udp
     type destination
 }
 rule 5 {
     description "Guest - Allow Quad9"
     destination {
         address 9.9.9.9
         port 53
     }
     exclude
     inbound-interface switch0.40
     inside-address {
         port 53
     }
     log disable
     protocol tcp_udp
     type destination
 }
 /* The pi-hole's own upstream queries must not be bounced back to itself,
    hence the negated source. Rules 7-9 need no such exception because the
    pi-hole is not on those VLANs. */
 rule 6 {
     description "Home - Force PiHole DNS"
     destination {
         port 53
     }
     inbound-interface switch0.10
     inside-address {
         address 192.168.10.7
         port 53
     }
     log disable
     protocol tcp_udp
     source {
         address !192.168.10.7
     }
     type destination
 }
 rule 7 {
     description "Utils - Force PiHole DNS"
     destination {
         port 53
     }
     inbound-interface switch0.20
     inside-address {
         address 192.168.10.7
         port 53
     }
     log disable
     protocol tcp_udp
     source {
     }
     type destination
 }
 rule 8 {
     description "IOT - Force PiHole DNS"
     destination {
         port 53
     }
     inbound-interface switch0.30
     inside-address {
         address 192.168.10.7
         port 53
     }
     log disable
     protocol tcp_udp
     source {
     }
     type destination
 }
 rule 9 {
     description "Guest - Force PiHole DNS"
     destination {
         port 53
     }
     inbound-interface switch0.40
     inside-address {
         address 192.168.10.7
         port 53
     }
     log disable
     protocol tcp_udp
     source {
     }
     type destination
 }
 rule 5010 {
     description "masquerade for WAN"
     outbound-interface eth0
     type masquerade
 }
 /* Why this SNAT is needed only on switch0.10: a Home client's redirected
    query is delivered to a host on the client's own subnet, so the pi-hole
    would answer it directly from 192.168.10.7 and the client would discard a
    reply from an address it never queried. Masquerading the source forces the
    reply back through the router, where the DNAT is undone. Clients on the
    other VLANs reach the pi-hole through the router anyway, so their replies
    already return that way. Side effect: the pi-hole query log shows the
    router's address, not the client, for Home-VLAN lookups. */
 rule 5011 {
     description "masquerade for DNS"
     destination {
         address 192.168.10.7
         port 53
     }
     log disable
     outbound-interface switch0.10
     protocol tcp_udp
     source {
         address 192.168.10.0/24
     }
     type masquerade
 }

 

cli equivalent to "Basic Setup" wizard?


I've had my edgerouter a few days and I have been able to build a configuration that I like including a couple vlans.  All is working well.

 

To rebuild, I can run the "Basic Setup" wizard (one lan, enable firewall), and then run several cli commands to complete the configuration.

 

I would like to have everything done via the CLI. I found the directory where the validation JSON for the wizard is stored, but what are the CLI commands the wizard is running, including the ones that blow away the prior configuration?

 

Thanks.
