
Basic Setup Wizard v1.9 - PPPoE working but showing disconnected and no IPv6


I have a new ERL, upgraded to v1.9.0 and used the Basic Setup Wizard to attempt to configure as PPPoE router for my ISP (Andrews & Arnold / AAISP in the UK) that delegates a /64 block of IPv6s.

 

Unfortunately, this doesn't seem to be working correctly. On the Dashboard, the PPPoE connection is showing as Disconnected when I do have a network connection over the PPPoE link. Could this be indicative of a bigger problem?

 

Also, no IPv6 address has been allocated to my system.

 

Below is my config, and comparing this with some of the guides / other IPv6 configs, I can see that some of the prefix delegation commands seem to be missing, but I would welcome your feedback on what the problem could be.

 

Please see my config below.

 

/* Running configuration as posted by the author (ERL on v1.9.0, generated by the Basic Setup Wizard for PPPoE). Review notes are marked NOTE(review). */
firewall {
    all-ping enable
    broadcast-ping disable
    /* IPv6 traffic forwarded from the WAN: default drop, only established/related flows (rule 10) are accepted, invalid state is dropped, and the default drop is logged. */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        /* DHCPv6 replies from the ISP (source port 547 -> destination port 546) must reach the router itself for prefix delegation to work. NOTE(review): no dhcpv6-pd stanza appears under "pppoe 0" below, which fits the author's observation that the prefix delegation commands are missing — compare with a known-good PPPoE + DHCPv6-PD example. */
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* NOTE(review): mss-clamp 1412 — confirm it matches the pppoe0 mtu of 1500 set below; a clamp lower than necessary only costs a little throughput, one that is too high breaks large transfers. */
    options {
        mss-clamp {
            mss 1412
        }
    }
    /* NOTE(review): source-validation is disabled and send-redirects is enabled; these look like wizard defaults — decide deliberately whether a WAN-facing router should keep them. */
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* WAN: eth0 mtu 1508 leaves 8 bytes for the PPPoE header so pppoe0 can carry a full 1500-byte MTU — assumes the ISP supports this (RFC 4638 style); TODO confirm, otherwise the usual PPPoE MTU is 1492. */
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        mtu 1508
        pppoe 0 {
            default-route auto
            /* Both the IPv4 and IPv6 rule sets are bound to pppoe0 rather than eth0: WAN traffic arrives on the PPP link. */
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
            }
            mtu 1500
            name-server auto
            password ****************
            user-id ********
        }
        speed auto
    }
    /* LAN interfaces carry no firewall stanza, so ssh (22) and the GUI (80/443) are reachable from both LANs; from the WAN side WAN_LOCAL's default-action drop blocks them. */
    ethernet eth1 {
        address 10.0.0.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 10.10.0.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.38 {
                    stop 10.0.0.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.10.0.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.0.38 {
                    stop 10.10.0.243
                }
            }
        }
        use-dnsmasq disable
    }
    /* DNS forwarder listens only on the two LAN interfaces. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    /* NOTE(review): older-ciphers enable presumably lets the web GUI negotiate legacy TLS cipher suites; only LAN clients can reach the GUI with this config, but disable it unless an old browser needs it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Outbound masquerade on pppoe0 for both LANs. */
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name mydomain.org
    host-name ubnt
    login {
        user ** {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    /* Local syslog at notice; the protocols facility (PPP, routing) at debug is useful while chasing the "Disconnected" PPPoE status. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
    traffic-analysis {
        dpi enable
        export enable
    }
}

Thanks in advance, 

 

 

Matt


ERLite-3 - ISP VLAN configuration


Hello,

 

I got my first 2 Ubiquiti devices yesterday and I've sat for a good number of hours playing around, but there is one thing I cannot wrap my head around how to do; I'm hoping someone here can explain how it's done.

 

From my ISP I got a media converter which converts from fiber to CAT6, and then connects to the Modem/Router combo box. The Modem/Router box is basically trash, has problems functioning normally when in Bridged mode, and has too few features in "Router mode" to be useful to me. So it needs to go.

 

So I got my hands on an ERLite-3, a beautiful product overall, but some things are new to me and I'm probably just not ticking the right boxes. My ISP supplies the media converter with several VLANs, but there are only two I wish to use.

VLAN 101 for TV

VLAN 102 for Internet

 

But I have problems setting it up on the ERLite-3. What I've managed to do is lock myself out entirely and had to factory reset the whole box, several times... So I'm pretty familiar with the factory reset procedure. So here's another question: can I access the Web Interface from within VLAN 102?

 

There's an attached picture of how I want it. I'm not sure if it's even possible with the ERLite-3, but if someone can tell me how, or why not, I'd be over the moon.

Can I redirect URL to new URL with EdgeRouter X?


I have an EdgeRouter X that I'd like to redirect one URL to a different URL. Can this be done and if so how? I've looked through the GUI but don't see an option to do so. Am I overlooking the setup?

IPv6 processes using 100% CPU


Hi,

 

I had enabled IPv6 in my ER-X, all seemed to work well until I had to reboot it this morning. Now I see that these processes are using up lots of CPU:

 

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10822 root 20 0 13024 7256 3520 S 30.5 2.8 0:00.93 dhcpv6-pd-respo
10827 root 20 0 12564 6324 3140 R 29.2 2.5 0:00.89 dhcpv6-pd-respo
10829 root 20 0 11208 5260 2872 R 20.3 2.1 0:00.62 vyatta_gen_radv

 

And this shows up in the log files repeatedly:

 

Aug 14 10:30:43 172.16.26.1 <27>Aug 14 10:30:43 ERXCORE01 radvd[9374]: Exiting, privsep_read_loop is complete.
Aug 14 10:30:47 172.16.26.1 <28>Aug 14 10:30:47 ERXCORE01 radvd[9399]: exiting, 1 sigterm(s) received
Aug 14 10:30:47 172.16.26.1 <27>Aug 14 10:30:47 ERXCORE01 radvd[9400]: Exiting, privsep_read_loop had readn return 0 bytes
Aug 14 10:30:47 172.16.26.1 <27>Aug 14 10:30:47 ERXCORE01 radvd[9400]: Exiting, privsep_read_loop is complete.
Aug 14 10:30:49 172.16.26.1 <28>Aug 14 10:30:49 ERXCORE01 radvd[9427]: exiting, 1 sigterm(s) received
Aug 14 10:30:49 172.16.26.1 <27>Aug 14 10:30:49 ERXCORE01 radvd[9428]: Exiting, privsep_read_loop had readn return 0 bytes
Aug 14 10:30:49 172.16.26.1 <27>Aug 14 10:30:49 ERXCORE01 radvd[9428]: Exiting, privsep_read_loop is complete.
Aug 14 10:30:53 172.16.26.1 <28>Aug 14 10:30:53 ERXCORE01 radvd[9451]: exiting, 1 sigterm(s) received
Aug 14 10:30:53 172.16.26.1 <27>Aug 14 10:30:53 ERXCORE01 radvd[9452]: Exiting, privsep_read_loop had readn return 0 bytes
Aug 14 10:30:53 172.16.26.1 <27>Aug 14 10:30:53 ERXCORE01 radvd[9452]: Exiting, privsep_read_loop is complete.
Aug 14 10:30:55 172.16.26.1 <28>Aug 14 10:30:55 ERXCORE01 radvd[9479]: exiting, 1 sigterm(s) received
Aug 14 10:30:55 172.16.26.1 <27>Aug 14 10:30:55 ERXCORE01 radvd[9480]: Exiting, privsep_read_loop had readn return 0 bytes
Aug 14 10:30:55 172.16.26.1 <27>Aug 14 10:30:55 ERXCORE01 radvd[9480]: Exiting, privsep_read_loop is complete.

 

Any ideas ?

 

FWIW, here is my config.

 

# Configuration of ERXCORE01 in "set" command form, as posted; review notes are marked NOTE(review).
set firewall all-ping enable
set firewall broadcast-ping disable
# insidev6 / inside (LAN-facing, applied "in" on eth0 and eth0.94): default accept, rule 10 only logs new flows.
set firewall ipv6-name insidev6 default-action accept
set firewall ipv6-name insidev6 rule 10 action accept
set firewall ipv6-name insidev6 rule 10 description 'Log New'
set firewall ipv6-name insidev6 rule 10 log enable
set firewall ipv6-name insidev6 rule 10 protocol all
set firewall ipv6-name insidev6 rule 10 state established disable
set firewall ipv6-name insidev6 rule 10 state invalid disable
set firewall ipv6-name insidev6 rule 10 state new enable
set firewall ipv6-name insidev6 rule 10 state related disable
# outsidev6 (WAN-facing, eth1 in + local): default drop with logging; established/related, ICMPv6 and DHCPv6 server->client replies (547 -> 546) are accepted.
set firewall ipv6-name outsidev6 default-action drop
set firewall ipv6-name outsidev6 enable-default-log
set firewall ipv6-name outsidev6 rule 10 action drop
set firewall ipv6-name outsidev6 rule 10 description 'Drop invalid state'
set firewall ipv6-name outsidev6 rule 10 state invalid enable
set firewall ipv6-name outsidev6 rule 20 action accept
set firewall ipv6-name outsidev6 rule 20 description 'Allow established/related sessions'
set firewall ipv6-name outsidev6 rule 20 state established enable
set firewall ipv6-name outsidev6 rule 20 state related enable
set firewall ipv6-name outsidev6 rule 30 action accept
set firewall ipv6-name outsidev6 rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name outsidev6 rule 30 protocol ipv6-icmp
set firewall ipv6-name outsidev6 rule 40 action accept
set firewall ipv6-name outsidev6 rule 40 description 'allow dhcpv6'
set firewall ipv6-name outsidev6 rule 40 destination port 546
set firewall ipv6-name outsidev6 rule 40 protocol udp
set firewall ipv6-name outsidev6 rule 40 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name inside default-action accept
set firewall name inside rule 10 action accept
set firewall name inside rule 10 description 'Log New'
set firewall name inside rule 10 log enable
set firewall name inside rule 10 protocol all
set firewall name inside rule 10 state established disable
set firewall name inside rule 10 state invalid disable
set firewall name inside rule 10 state new enable
set firewall name inside rule 10 state related disable
# outside (IPv4 WAN, eth1 in + local): default drop with logging; rule 30 accepts and logs inbound echo-request.
set firewall name outside default-action drop
set firewall name outside enable-default-log
set firewall name outside rule 10 action drop
set firewall name outside rule 10 description 'Drop invalid'
set firewall name outside rule 10 log enable
set firewall name outside rule 10 state established disable
set firewall name outside rule 10 state invalid enable
set firewall name outside rule 10 state new disable
set firewall name outside rule 10 state related disable
set firewall name outside rule 20 action accept
set firewall name outside rule 20 description 'Related, established'
set firewall name outside rule 20 log disable
set firewall name outside rule 20 state established enable
set firewall name outside rule 20 state related enable
set firewall name outside rule 30 action accept
set firewall name outside rule 30 description 'Permit ping'
set firewall name outside rule 30 icmp type-name echo-request
set firewall name outside rule 30 log enable
set firewall name outside rule 30 protocol icmp
set firewall name outside rule 30 state new enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address 172.16.26.1/24
set interfaces ethernet eth0 description inside
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name insidev6
set interfaces ethernet eth0 firewall in name inside
# Router advertisements on eth0 and eth0.94 use the placeholder prefix '::/64'; presumably the /64s delegated by dhcpv6-pd below (prefix-id 1 and 2) fill it in — TODO confirm.
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth0 ipv6 router-advert link-mtu 0
set interfaces ethernet eth0 ipv6 router-advert managed-flag false
set interfaces ethernet eth0 ipv6 router-advert max-interval 600
set interfaces ethernet eth0 ipv6 router-advert other-config-flag false
set interfaces ethernet eth0 ipv6 router-advert prefix '::/64' autonomous-flag true
set interfaces ethernet eth0 ipv6 router-advert prefix '::/64' on-link-flag true
set interfaces ethernet eth0 ipv6 router-advert prefix '::/64' valid-lifetime 2592000
set interfaces ethernet eth0 ipv6 router-advert reachable-time 0
set interfaces ethernet eth0 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth0 ipv6 router-advert send-advert true
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 94 address 10.0.24.1/22
set interfaces ethernet eth0 vif 94 description lan
set interfaces ethernet eth0 vif 94 firewall in ipv6-name insidev6
set interfaces ethernet eth0 vif 94 firewall in name inside
set interfaces ethernet eth0 vif 94 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 vif 94 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth0 vif 94 ipv6 router-advert link-mtu 0
set interfaces ethernet eth0 vif 94 ipv6 router-advert managed-flag false
set interfaces ethernet eth0 vif 94 ipv6 router-advert max-interval 600
set interfaces ethernet eth0 vif 94 ipv6 router-advert other-config-flag false
set interfaces ethernet eth0 vif 94 ipv6 router-advert prefix '::/64' autonomous-flag true
set interfaces ethernet eth0 vif 94 ipv6 router-advert prefix '::/64' on-link-flag true
set interfaces ethernet eth0 vif 94 ipv6 router-advert prefix '::/64' valid-lifetime 2592000
set interfaces ethernet eth0 vif 94 ipv6 router-advert reachable-time 0
set interfaces ethernet eth0 vif 94 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth0 vif 94 ipv6 router-advert send-advert true
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description outside
# NOTE(review): DHCPv6-PD on eth1 (WAN) requests a /56 and hands a /64 to eth0 (prefix-id 1) and eth0.94 (prefix-id 2) via slaac. The log excerpt above shows radvd being started and sent SIGTERM every few seconds with ever-increasing PIDs, which matches the busy dhcpv6-pd-respo / vyatta_gen_radv processes; worth checking whether the eth1 DHCP/PD lease is flapping since the reboot.
set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth0 host-address '::1'
set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth0 prefix-id 1
set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth0 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth0.94 host-address '::1'
set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth0.94 prefix-id 2
set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth0.94 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 1 prefix-length /56
set interfaces ethernet eth1 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 firewall in ipv6-name outsidev6
set interfaces ethernet eth1 firewall in name outside
set interfaces ethernet eth1 firewall local ipv6-name outsidev6
set interfaces ethernet eth1 firewall local name outside
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
set interfaces switch switch0 mtu 1500
# Port forwarding with auto-firewall and hairpin NAT; no individual port-forward rules appear in this dump.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth0
set port-forward lan-interface eth0.94
set port-forward wan-interface eth1
# Static routes for the other internal ranges via 172.16.26.2.
set protocols static route 10.0.0.0/8 next-hop 172.16.26.2
set protocols static route 192.168.88.0/24 next-hop 172.16.26.2
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name inside authoritative disable
set service dhcp-server shared-network-name inside subnet 172.16.26.0/24 default-router 172.16.26.1
set service dhcp-server shared-network-name inside subnet 172.16.26.0/24 dns-server 10.0.32.10
set service dhcp-server shared-network-name inside subnet 172.16.26.0/24 dns-server 10.0.32.4
set service dhcp-server shared-network-name inside subnet 172.16.26.0/24 lease 3600
set service dhcp-server shared-network-name inside subnet 172.16.26.0/24 start 172.16.26.100 stop 172.16.26.200
set service dhcp-server shared-network-name lan authoritative disable
set service dhcp-server shared-network-name lan subnet 10.0.24.0/22 default-router 10.0.24.1
set service dhcp-server shared-network-name lan subnet 10.0.24.0/22 dns-server 10.0.32.10
set service dhcp-server shared-network-name lan subnet 10.0.24.0/22 dns-server 10.0.32.4
set service dhcp-server shared-network-name lan subnet 10.0.24.0/22 lease 3600
set service dhcp-server shared-network-name lan subnet 10.0.24.0/22 start 10.0.26.1 stop 10.0.26.254
set service dhcp-server use-dnsmasq disable
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
# Outbound masquerade on eth1 for both LAN ranges; rule 5000 logs, 5001 does not.
set service nat rule 5000 log enable
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 protocol all
set service nat rule 5000 source address 172.16.26.0/24
set service nat rule 5000 type masquerade
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 protocol all
set service nat rule 5001 source address 10.0.24.0/22
set service nat rule 5001 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
# Web proxy on both LAN addresses (port 3128) with squidguard filtering, default-action allow; the local-ok entries appear to exempt the listed hosts from filtering.
set service webproxy cache-size 0
set service webproxy default-port 3128
set service webproxy enable-access-log
set service webproxy listen-address 10.0.24.1
set service webproxy listen-address 172.16.26.1
set service webproxy mem-cache-size 5
set service webproxy url-filtering squidguard allow-ipaddr-url
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category malware
set service webproxy url-filtering squidguard block-category phishing
set service webproxy url-filtering squidguard block-category publicite
set service webproxy url-filtering squidguard block-category marketingware
set service webproxy url-filtering squidguard block-category ddos
set service webproxy url-filtering squidguard block-category dangerous_material
set service webproxy url-filtering squidguard block-category bitcoin
set service webproxy url-filtering squidguard block-category proxy
set service webproxy url-filtering squidguard block-category redirector
set service webproxy url-filtering squidguard block-category strict_redirector
set service webproxy url-filtering squidguard block-category strong_redirector
set service webproxy url-filtering squidguard default-action allow
set service webproxy url-filtering squidguard local-ok 10.0.32.10
set service webproxy url-filtering squidguard local-ok 10.0.32.4
set service webproxy url-filtering squidguard local-ok 10.92.24.5
set service webproxy url-filtering squidguard local-ok 10.92.25.56
set service webproxy url-filtering squidguard local-ok 10.92.25.55
set service webproxy url-filtering squidguard local-ok 10.92.25.54
set service webproxy url-filtering squidguard local-ok 10.92.25.57
set service webproxy url-filtering squidguard local-ok 10.92.25.58
set service webproxy url-filtering squidguard local-ok 10.0.34.6
set service webproxy url-filtering squidguard local-ok 10.92.24.4
set service webproxy url-filtering squidguard local-ok 10.92.25.4
set service webproxy url-filtering squidguard log all
set service webproxy url-filtering squidguard redirect-url 'http://10.0.32.10/blocked.html'
set system host-name ERXCORE01
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system offload hwnat enable
set system offload ipsec enable
# NOTE(review): extra Debian wheezy package repositories are enabled (plain http, empty credentials); anything installed from them lives outside the EdgeOS image and should be re-checked after each firmware upgrade.
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy password ''
set system package repository wheezy url 'http://http.us.debian.org/debian'
set system package repository wheezy username ''
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security password ''
set system package repository wheezy-security url 'http://security.debian.org'
set system package repository wheezy-security username ''
# Local syslog at notice (protocols facility at debug); a copy at warning and above goes to the remote syslog host.
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system syslog host 10.0.32.8 facility all level warning
set system time-zone America/Montreal
set system traffic-analysis dpi enable
set system traffic-analysis export enable
set system traffic-analysis signature-update update-hour 3

ER-X Provide SSL Certificate Instead of Certificate from IIS


Hello all,

 

I have configured a Microsoft Remote Desktop Services server and deployed it with a certificate signed by my domain's CA. When I connect from inside the network it works perfectly, but for some reason when I connect externally, clients are presented with the self-signed ER-X certificate instead of the expected web server certificate from DOMYNYK (RDS).

What could the reason be for this happening?

Dynamic WAN IP address


I checked the knowledge base on this, but didn't see anything...

 

I have small business service from my ISP for the sole purpose of getting a static IP address so I can run email/web/DNS from my home network.

 

My ISP now wants to raise my rate by 35% plus charge me an additional $10/mo for a static IP.  (They are trying to BS me into telling me that there are fewer static IPs than dynamic IPs available...LOL )

 

 

Since I don't really run a small business, I am considering going back to residential service because of the rate increase, which will be less than half the new rate.

 

The only catch is, I can't get a static IP with residential service.

 

How well does the ERL work with dynamic WAN IPs?  I use the Firewall, NAT, and hairpin NAT features.

 

I know I won't be able to run a DNS server on my home system anymore.  What other kinds of issues can I expect moving from a static to dynamic WAN address?  SSL cert issues?

 

Thanks..

 

 

How to repeatedly crash an ERX


I have encountered a situation whereby I can consistently crash an ERX, well several of them at the same time actually.

 

By crash I mean that the ERX does not respond on any port to ping or other probes. The link lights continue to flash, but nothing short of power cycling the devices will bring them back.

 

The crash happens when hwnat offloading is enabled and does not happen when it is disabled.

 

Only tested with V1.9. (Note, all ERXs have the updated bootloader.)

 

The rest of this post provides context, details and instructions to recreate.

 

However since I don't want to redact my configs, I am not posting them. If someone from Ubnt wants them, please let me know where to send them.

 

- - - -

 

Before making some major upgrades to my tower config I wanted to recreate it on the bench so I could test the planned changes.

 

ERX bench.jpg

 

 ERX bench closeup.jpg

 

 

The following image shows the test set up. While technically a logical network map, the only difference from the physical network map is that there is only one physical switch using untagged vlans to keep things separate. OSPF is used to manage the routes between all of the devices.

 

Test PWTW01 Network Diagram.jpg

The large, dark gray box represents the equipment at the tower. The two iperf3 boxes are linux servers.

 

For the ERXs, the IP address inside the blue box is assigned to switch0. Other IPs are assigned to the indicated ports.

 

iperf3 servers are started on each end with:

 

    iperf3 -s -i 1

 

iperf3 clients are started with:

 

    On 10.0.0.10:  iperf3 -c 10.1.0.10 -i 1 -P 4

    On 10.1.0.10:  iperf3 -c 10.0.0.10 -i 1 -P 4

 

With hwnat offloading disabled, iperf3 clients can be started at each end and all is fine. Total traffic is around 650 Mbps with minor retransmissions.

 

When hwnat offloading is enabled:

 

An iperf3 client running on only one end (doesn't matter which end), can run unthrottled without crashing the ERXs. Total bandwidth is over 800 Mbps.

 

However, when iperf3 clients are started at each end and are not throttled, then the ERXs will crash after a short period of time, typically well less than 5 minutes.

 

To test if the crashing was due to the amount of traffic I tried a number of tests, starting with fairly low bandwidth and increasing until a crash occurred.

 

    iperf3 -c 10.0.0.10 -i 1 -P 4 -b 50M

    iperf3 -c 10.1.0.10 -i 1 -P 4 -b 50M

 

I started at 50 Mbps from each end and increased the bandwidth in 50 Mbps steps until things crashed.

 

Note, the “-P 4” means 4 parallel streams. So 4 x 50 Mbps => 200 Mbps from one client.

 

So with two clients running with “-b 50M” a total of 400 Mbps is generated.

 

Things are fine with both clients using “-b 150M”.

 

But the ERXs crash when “-b 200M” is used on both clients, i.e. when there is 800 Mbps in total. Anything higher, or the two iperf clients unthrottled, causes the ERXs to crash.

 

A single unthrottled iperf3 client can generate over 800 Mbps and not crash the ERXs.

 

It is only when a) hwnat offloading is enabled, and b) there are two iperf3 clients running with sufficient traffic that the ERXs crash.

 

Let me know if someone at Ubnt wants the configs to create this set up.

 

Cheers

Mark

 

 

 

 

 

 

 

Setting L2TP VPN


I'm trying to setup a VPN connection in my EdgeMAX Lite router with this tutorial: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-L2TP-Server

 

I have an FTTH router from my ISP and next to it the EdgeMAX router, and I have no idea what IP I have to put in the outside-address command.

 

Can you help me? this is my schema:

 

ISP Router

WAN: Dynamic IP

LAN: 10.10.10.1/24

DMZ: 10.10.10.2/24

 

EdgeMAX

WAN: 10.10.10.2/24

 

Thanks!

 


DNS forwarding


So I've been searching for an hour, but nothing seems to apply to my issue. I've set up DNS forwarding on my ERLite (1.9.0) and the correct servers are listed on "show dns forwarding nameservers". When I query with dig, I just get a timeout. If I query for a name in the hosts file, I get a perfectly fine reply. If I query for a name in the hosts file with nslookup, I get "DNS request timed out.
timeout was 2 seconds." once and then a reply. Obviously this means nothing works in production.

Help me choose, which EdgeRouter is best for me . . .


Help me choose, which EdgeRouter is best for me . . .

It's long overdue that I upgrade my home router. I have 4 Windows 10 desktops, two Windows 10 laptops, one good (HP) network printer, an Xbox One, a few network drives and a Wi-Fi hot-spot, all wired and operating through a 24-port gigabit switch. I have plans to add a network TV tuner. My current router is a Linksys DGL-4100. The DGL-4100 has what is called "gamefuel" - a method of setting highest priority to the Xbox. That's why it's called "a gaming router".
I want to replace that old router with an EdgeRouter. I am considering one of three choices:
1. Ubiquiti ERLite-3 Edgemax EdgeRouter 3-Port
2. Ubiquiti ERPOE-5 EdgeRouter PoE Advanced 5-Port Router
3. Ubiquiti ER-8 EdgeRouter (rack mount) 8-port

My questions;
1. Are the underlying engines in these three routers identical? Can I expect the same firmware/performance?
2. If not, can someone say something about performance?
3. Which router would you choose if you were me?

You see, I feel I should base my choice on performance alone, and am only considering the ER-8 because my 24-port switch is already rack mountable.

Thanks all,

- Stan

Reseller / Dealer Support


Might I make a suggestion? There really should be a Dealer / Reseller support section. I work for an AV/IT company and we install Ubiquiti routers and WAPs in over 50% of the homes we do. The only thing keeping us from completely moving away from Pakedge is the support (or lack of dealer support) that's offered by Ubiquiti.

 

A forum section at least would be a move in the right direction, I would think, and I hope that most dealers / resellers would feel the same about this.

 

Commit Fails on MAC Address change


I'm trying to change my MAC address, but getting a failure every time I try to commit:

 

admin@ERPOE:~$ configure
[edit]
admin@ERPOE# set interfaces ethernet eth4 mac 01:23:45:67:89:10
[edit]
admin@ERPOE# commit
[ interfaces ethernet eth4 ]
Failed to set MAC address

Commit failed
[edit]
admin@ERPOE#

Happens whether interface is enabled or disabled. I tried upgrade to 1.9 and rebooting.

 

Any ideas?

ER-X v1.9.0 GUI does not show all leases


Folks,

 

Recently acquired a new ER-X, updated to v1.9.0

 

The GUI when viewing the DHCP Server and selecting the Leased tab, does not show all of the leases.

 

Yet if I go to the CLI and use SHOW ARP it will show the leases.

 

How do you refresh the GUI to display all of the currently assigned and active leases?

 

It would also be nice if the GUI were also to show all currently attached devices with statically assigned IPs.

 

Thanks

DJ

ER-X v1.9.0 ARP table very slow to depopulate


Folks,

 

When turning off/disconnecting a device from the network the CLI SHOW ARP is very slow to depopulate.

 

IMO when the command SHOW ARP is issued from the CLI it should query for devices and not rely on some static stale data table for display.

 

How is one to determine what devices are or are not connected in near real time? This should be doable particularly in an enterprise situation.

 

Thanks

DJ

 

Policy-based routing (source address based) not working in EdgeMAX 1.9.0 on EdgeRouter X?


I've set up a simple policy-based route on an EdgeRouter X. I can get this configuration to work just fine in 1.7.0, but it fails to work on 1.9.0.

 

I want to have a set of IP addresses forced through an OpenVPN tunnel where all the other LAN devices will go through the default route advertised from the WAN port.

 

Two configurations were attempted: one where I started from the factory fresh 1.7.0 install, and another where I started after upgrading to 1.9.0. Each configuration was tested on 1.7.0, 1.8.5 and 1.9.0. I'll summarize my results below:

 

 

  1. I had a working configuration on 1.7.0. This was generated by the WAN+2LAN wizard then adding the OpenVPN and policy-based routing sections. I upgraded to 1.9.0 and the EdgeRouter X became unresponsive and requires a reset in order to regain access. I then uploaded the configuration and the EdgeRouter X again became unresponsive after a reboot.
  2. I then started over on 1.9.0 using the wizard there and again added the OpenVPN and policy-based routing sections. This configuration on 1.9.0 successfully established the OpenVPN tunnel but the policy-based routing never came into effect - that is, when I set a machine to the IP address 192.168.254.10, it still went out the WAN default route and *not* the OpenVPN tunnel.
  3. Then I took the 1.9.0 configuration and downgraded to 1.8.5. The policy-based routing was still inoperative.
  4. Then I took the 1.9.0 configuration and downgraded to 1.7.0. The 1.9.0 configuration worked perfectly.

I'd really like to get this working on 1.9.0, any thoughts?

 

The 1.9.0 configuration is below:

 

/* NOTE(review): EdgeOS 1.9.0 config as posted; the VPN endpoint and password hash were redacted by the poster. Comments mark the security-relevant settings only; nothing else was changed. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* PBR: packets sourced from 192.168.254.10 are looked up in routing table 1 (the OpenVPN default route below). Fail-open by design: if table 1 holds no usable route (vtun0 down) the lookup presumably falls back to the main table and this host exits via eth0 in the clear -- TODO confirm with "show ip route table 1"; add a blackhole default to table 1 if that leakage is unacceptable. */
    modify SOURCE_ROUTE {
        rule 10 {
            action modify
            modify {
                table 1
            }
            source {
                address 192.168.254.10/32
            }
        }
    }
    /* Forwarded traffic arriving from the WAN: default drop, only established/related sessions admitted. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Traffic addressed to the router itself from the WAN: same default drop. This is what keeps the gui/ssh services below unreachable from eth0. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    /* Router emits ICMP redirects toward the LAN; benign on a single-subnet LAN. */
    send-redirects enable
    /* Reverse-path (anti-spoof) filtering is off. With PBR returning replies asymmetrically through vtun0, strict mode could drop legitimate traffic; test "loose" before enabling -- TODO confirm. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* WAN: DHCP-addressed, with WAN_IN applied to forwarded traffic and WAN_LOCAL to traffic for the router. */
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* OpenVPN client to the (redacted) endpoint over UDP/443, AES-128, certificate authentication. No tls-auth/HMAC key or server-certificate-type check is visible here -- NOTE(review): confirm the server enforces them; they can be added via openvpn-option if this release supports it. */
    openvpn vtun0 {
        encryption aes128
        mode client
        protocol udp
        remote-host vpn.endpoint.dns.name
        remote-port 443
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/vpn.crt
            key-file /config/auth/vpn.key
        }
    }
    switch switch0 {
        address 192.168.254.1/24
        description Local
        /* Apply the PBR modify ruleset to traffic entering from the LAN ports. */
        firewall {
            in {
                modify SOURCE_ROUTE
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
protocols {
    static {
        /* Routing table used by SOURCE_ROUTE: default via the OpenVPN peer address. Only resolvable while vtun0 is up and 10.8.254.1 is the peer; for a point-to-point tunnel an interface-route via vtun0 may be more robust than a fixed peer IP -- TODO verify on 1.9.0 with "show ip route table 1". */
        table 1 {
            route 0.0.0.0/0 {
                next-hop 10.8.254.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.254.0/24 {
                default-router 192.168.254.1
                dns-server 192.168.254.1
                lease 86400
                start 192.168.254.20 {
                    stop 192.168.254.200
                }
            }
        }
        use-dnsmasq disable
    }
    /* Resolver listens on the LAN switch only, not on eth0. */
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    /* Management UI: plaintext HTTP on 80 alongside HTTPS, plus "older-ciphers enable" (by its name, legacy TLS cipher suites). Neither is needed for the PBR being debugged. No listen-address is set, so presumably all interfaces; LAN-only in practice because WAN_LOCAL drops unsolicited eth0 traffic. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* Source NAT for traffic leaving through the tunnel (the PBR'd host). */
        rule 5001 {
            outbound-interface vtun0
            type masquerade
        }
        /* Source NAT for ordinary LAN traffic leaving via the WAN. */
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    /* SSH on the default port, protocol v2 only; no listen-address, so presumably all interfaces, shielded from the WAN by WAN_LOCAL. */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        /* Factory-default admin account name retained; hash redacted by the poster. */
        user ubnt {
            authentication {
                encrypted-password $6$passwordhash
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

FYI, the diff between the 1.9.0 configuration (boots on both 1.7 and 1.9, though the policy-based route only takes effect on 1.7) and the 1.7.0 configuration (works on 1.7 but keeps the router from booting in 1.9) is below (note this isn't a true diff, as I erased lines that contained sensitive information):

 

--- config.old/config.boot	2016-08-11 00:50:51.000000000 -0400
+++ config.works/config.boot	2016-08-11 23:13:03.000000000 -0400
@@ -5,15 +5,16 @@
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     modify SOURCE_ROUTE {
         rule 10 {
             action modify
-            description "default route through OpenVPN connection"
             modify {
                 table 1
             }
             source {
-                address 192.168.254.254/32
+                address 192.168.254.10/32
             }
         }
     }
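Review bot: Rule 10 loses its `description "default route through OpenVPN connection"` on the new side while only the matched address changes from .254 to .10; that description is the only place the intent of `modify { table 1 }` is recorded, so keep one, e.g. `description "Route this host via OpenVPN (table 1)"`. It is also worth noting in that description that the rule is fail-open: if table 1 has no usable route (vtun0 down) the lookup presumably falls back to the main table and the host leaves via eth0 unencrypted, which a blackhole default in table 1 would prevent. The enclosing `firewall` block starts and ends outside this hunk.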
@@ -93,10 +94,6 @@
     ethernet eth4 {
         description Local
         duplex auto
-        firewall {
-            in {
-            }
-        }
         speed auto
     }
     loopback lo {
@@ -123,10 +120,15 @@
         }
         mtu 1500
         switch-port {
-            interface eth1
-            interface eth2
-            interface eth3
-            interface eth4
+            interface eth1 {
+            }
+            interface eth2 {
+            }
+            interface eth3 {
+            }
+            interface eth4 {
+            }
+            vlan-aware disable
         }
     }
 }
@@ -145,20 +147,17 @@
         disabled false
         hostfile-update disable
         shared-network-name LAN {
-            authoritative disable
+            authoritative enable
             subnet 192.168.254.0/24 {
                 default-router 192.168.254.1
                 dns-server 192.168.254.1
                 lease 86400
-                start 192.168.254.38 {
-                    stop 192.168.254.243
-                }
+                start 192.168.254.20 {
+                    stop 192.168.254.200
                 }
             }
         }
+        use-dnsmasq disable
     }
     dns {
         forwarding {
@@ -167,10 +166,12 @@
         }
     }
     gui {
+        http-port 80
         https-port 443
+        older-ciphers enable
     }
     nat {
-        rule 5000 {
+        rule 5001 {
             outbound-interface vtun0
             type masquerade
         }
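Review bot: `http-port 80` and `older-ciphers enable` under `service gui` add a plaintext-HTTP management listener and, by the option's name, re-enable legacy TLS cipher suites; neither is needed for the policy-based routing being debugged, and the old side got by with `https-port 443` alone. Drop `http-port 80` and leave the cipher setting at its default (`delete service gui older-ciphers`, or `set service gui older-ciphers disable`), so the UI is HTTPS-only with current ciphers even though WAN_LOCAL keeps it off eth0. The renumbering of the vtun0 masquerade from 5000 to 5001 is harmless since it matches on outbound interface. The `nat` node continues past the end of this hunk.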

Thanks for any help!


ER-X v1.9.0 Some devices get IP others don't


Folks,

 

Attempting to replace an old NetGear router with an ER-X.

 

I was making good progress with the setup, using my laptop to talk to the ER-X through the GUI and CLI and reading many of the forum posts; then I put it into my network...

 

Unfortunately some of my devices would not get an IP from the ER-X while others do. Reinstalling the NetGear makes everything fine again. This leads to only one conclusion: the ER-X is at fault in some fashion.

 

I did try using new network cables that work with the devices that get an IP to those that don't and still those devices will not get an IP.

 

Powered down and up the devices to ensure that networking was restarted, and still no IP given.

 

Put the cable back to the working device and it gets an IP and works. This rules out network cables.

 

I did a hard reset of the ER-X and chose the Basic setup from the wizard again and went through the above steps and still the same behavior. Did not restore my saved config. This rules out a config error I may have made.

 

The ER-X at times says it has issued an IP to a device, but the device says it does not have an IP. This occurs with Linux boxes, Windows boxes, Rokus, Raspberry Pis and other devices, and it is always the same devices that will not get an IP.

 

Though again, the NetGear router gives everything an IP without fail and everything works!

 

I may have gotten a dud ER-X and if so, so be it. It is easily returned and I will look for other alternatives, most likely build a PfSense box.

 

Thanks, Take Care & Enjoy

DJ

Isolate various clients including guest wifi, with switch in the way


Hello all,

 

I'm trying to set up an EdgeRouter POE with an isolated guest wifi, the closest that I've found on these forums is about a guest wireless on an Airport. My setup is a little different:

 

Untitled.png

 

This is how it would look. The EdgeRouter will have some devices connected to it, and a SOHO router running DD-WRT configured in switch/wireless AP mode will be connected to one of the EdgeRouter's ports. The DD-WRT will have devices physically connected to it and will also run two wireless networks.

 

I would like to isolate the following:

 

1. Everybody that connects to the guest network can get DHCP & internet but not access any part of the local network

 

2. some of the devices directly connected to the EdgeRouter will be isolated in the same way.

 

Number 2 is easy, based on what I've gathered I can just put arbitrary ports on the EdgeRouter into a separate guest VLAN and then configure the firewall rules accordingly. Since the EdgeRouter POE has 3 switchable ports grouped as switch0, would I even be able to just do that and put switch0 into an isolated VLAN?

 

Number 1 is what I'm really confused by. Since the DD-WRT router will have physically connected devices as well as two sets of wireless radios. I want the physically connected devices, the own wireless network, and any non-isolated devices attached directly to the EdgeRouter to all be able to access the local network. So I don't think I can just isolate the DD-WRT's port altogether.

 

I imagine setting up guest isolation on the DD-WRT would be useless since it won't be the one actually controlling traffic when it's acting as a switch for the EdgeRouter.

 

So how would I isolate just the guest network on the DD-WRT?

 

Thanks!

 

 

Enable root in edgerouter lite


I found this CLI command, but it doesn't seem to work.

# NOTE(review): "plaintext-password" is converted to an encrypted-password hash
# on commit (saved configs show only the hash), but the cleartext may remain in
# this session's shell history; prefer "encrypted-password" with a hash
# generated elsewhere. Whether EdgeOS accepts "root" as a login user at all is
# not established here -- the poster reports the command does not take effect.
set system login user root authentication plaintext-password "passwordGoesHere"

Nor does creating the user root in the GUI.

Is it possible?

Load Balancing


Hi all,

 

I have purchased an EdgeRouter PoE and I would like to check whether it is possible to set up 4 WANs and 2 LANs on the router.

 

If yes, any guides to configure load balancing for the 4 WANS?

 

Regards,

Nicholas Ubnt Banana

Package Repository for 1.9.0


Hello All...

 

Please be so kind as to confirm what package repository I should use to add a few bits and pieces to the new 1.9.0 version for the ER-8.

 

Thanks..!!!!
