Channel: EdgeRouter topics

Cannot re-arrange firewall rules in GUI - Error: Unable to allocate new dpi mark.

ERPro with an interface with a lot of firewall rules on it.  Some are DPI, and DPI is enabled.  I can change and modify rules but I cannot re-arrange the order.  When I try I get an error: "Error: Unable to allocate new dpi mark".

 

I have disabled all my DPI rules but I hate to delete them.

 

Any thoughts on what I should look for as a cause for this error?

 

TIA


How to manage router over ipv6 remotely if ISP only gives PD and not dhcpv6

My ISP, BT residential, only gives IPv6 via DHCPv6-PD. It doesn't give a DHCPv6 address so the WAN interface (pppoe0) only gets a link-local address.

 

Any ideas how I can manage it remotely (ssh) over IPv6?

 

Many thanks

Force SFP to 100Mbit on ER-X-SFP

I have a functional SFP RJ45 module (Cisco-AGILENT) plugged into an ER-XFP-X.

The speed seems to be fixed at 1000Mbps...but it is connected to a 10/100 router.

 

When I try to alter the 1000 speed, it shows the following:

 

configure

set interfaces ethernet eth5 speed 100

   100 is not valid for SFP port

   Value validation failed  
   Set failed 

 

The module has 10/100/1000 capacity, but it seems if I try to change the speed of the module to 100, it just won't work. If I set everything to auto, it doesn't work either... the speed is fixed on 1000.

 

 

show interfaces ethernet eth5 sfp

 

connector=LC
vendor=CISCO-AGILENT
oui=00-00-00
part=HBCU 5710R
rev=2.1
serial=AGM1652213L
date=130430

 

 

show interfaces ethernet eth5 physical

 

 Settings for eth5: 
    Auto-negotiation: on
    Speed: 1000Mb/s
    Duplex: Half
    Link detected: yes

 

 

 

EdgeRouter POE setup

I have an edge router, a unifi 8 port switch and unifi AP Pro in my network.  The router was configured with the basic wizard and has been working fine. I was in the router interface looking at possibly reconfiguring it using a different wizard and just cancelled out of it and closed the interface. When I tried to connect to the router later I could not get into the router.  I kept getting the message, “The connection was reset”, “the connection to the router was reset while page was loading”. I tried everything, rebooting the router, trying a different browser, but nothing worked. So I decided to reset it to factory settings. I followed the instructions in the Edge QS guide and still can’t get in to the router.  The green console light is on and when I connect my Mac to eth0, the green light comes on and flashes like it is communicating but I still can’t access the interface. The Router IP is 192.168.1.1 and I have the Ethernet port on my Mac set to 192.168.1.10.   I will admit I am a novice and have had to watch a lot of YouTube videos to get to this point.   Can someone give me some idea what is happening?

Edge Router X and Huawei B593 modem problem

I'm having issues with my Edge Router, and my 4G modem.

The setup wizards went fine, everything seems good.

But when I connect the Router to my modem, at eth0 as it's configured for internet.

The router just stops responding to anything in 5 seconds, cannot even access the maintenance page on it.

I unplug the ethernet cable, then I can connect to it normally.

 

In the modem it sees the edgerouter at 192.168.1.1 as active, so it seems normal for the modem.

The modem's IP is 192.168.1.254, and it has DHCP on. Tried to have DHCP turned on and off on the router.

Tried that the router is the only device connected to the modem, but nothing seems to be working.

All other devices can connect to the internet through this modem, except the Edge Router.

 

How to configure ER-X with vlan for WiFi router + desktop PC's

I'm trying to find an example for the following:

 

Port 1 - 2 - 3 are desktop PC's

 

Port 4 is the WiFi router 

 

Last port is my internet uplink 

 

I'd like to put the wifi router on its own vlan to have it 'isolated' from the desktop computers (for security reasons)

 

Are there any examples of this?

 

 

Invisible Static Ip’s

Hello. Is there any way to see static IPs on the UNMS app or in the GUI besides using the cli command?

It would be handy when assigning a static address to additional cameras.

Just curious. I have looked all over the place but the only way to see the static IP addresses is with another network scanning app.

Fine if not. It just drove me a bit crazy wondering why they don’t show automatically.

 

Thanks. 

forward /28 IP to internal server

I can't seem to get a forwarded /28 IP to my internal apache2/unms server.  Does anyone see anything wrong with my config?  My ISP gave me a /30 (192.168.27.254/30)  with a /28 block (192.168.0.144/28) and I want one of those IP's to forward to my internal server.

 

 Sorry I'm a networking noob!  Hurray


Er-X-SFP Slow on 1Gb FTTH - will Er-6p work?

I've been running an Er-X-SFP on my symmetric 1Gbit connection, and I do not get more than ~800 Mbps with hwnat enabled. Apparently this is a hardware limitation, which is understandable given the relatively low cost of the Er-X series.

 

I'd like to get the full speed that I'm paying for.

 

Will the ER-6P be able to handle symmetric 1 Gbps? I want the 6p because of the SFP port - it's one less thing to worry about if I can plug my SFP module directly into the 6p.

 

Thanks.

EdgeRouter X slow download/packet loss but upload fine?

Hey all, 

 

Over the course of the last two days I was experiencing some weird issues with my EdgeRouter X where the download speeds would drop to under 1 MBit/s with some packet loss to the point where it became unusable from previously up to 100 MBit/s. The upload speeds stayed fine as they were before.

 

This happened yesterday and today. In both cases a reboot seemed to have fixed the issue.  CPU/memory load looked fine in both cases. I already tried disabling the QoS, but that didn't change anything. I also updated to the newest firmware after the first occurrence, but that apparently also didn't work. The setup didn't change for maybe the last half year and was completely fine before.

 

I'm on a DSL PPPoE 100/20 connection and am using the v1.10.7 firmware. This is my config (it's a little big).

 

At the moment I have no idea what could've caused this or where to look for issues. I'd appreciate any input on this.

 

Cheers

EdgeRouter X - Upgrade firmware failed from v1.10.6 to v1.10.7

Hi experts

I tried to upgrade my EdgeRouter X 5-Port firmware today via GUI and it failed stating unknown error. I tried 2 times but it still failed. However, this is the message I get via cli; I am not sure if I should reboot.

 

admin@erx:/var/log$ show system image
The system currently has the following image(s) installed:

v1.10.7.5127989.181001.1227 (default boot)
v1.10.6.5112725.180809.1227 (running image)

A reboot is needed to boot default image

 

admin@erx:/var/log$ show system image storage
Image name Read-Only Read-Write Total
------------------------------ ------------ ------------ ------------
v1.10.7.5127989.181001.1227 78500 108 78608
v1.10.6.5112725.180809.1227 78108 560 78668

 

admin@erx:/var/log$ show version
Version: v1.10.6
Build ID: 5112725
Build on: 08/09/18 12:27
Copyright: 2012-2018 Ubiquiti Networks, Inc.
HW model: EdgeRouter X 5-Port
HW S/N: xxxxxx
Uptime: 11:48:08 up 1:02, 2 users, load average: 1.63, 1.45, 1.35

 

What are my options? I just don't want a bricked device and start this all over again. Is there a way to set default image to running image?

 

 

openvpn and zone-policy firewall

I have a question. 

 

I have 2 ER-Lite's in my lab. These will be directly connected to the internet when this is working. 

 

ERL1 and ERL2 

 

ERL1 

 

eth0 = WAN = 192.168.178.220 (internet-facing will have a public ip when done)

eth1 = LAN - 192.168.1.1 with 192.168.1.0/24 subnet

eth1.1003 = guest wifi with 172.16.1.1/24 is only internet access

openvpn tunnel ip = 10.255.12.1

 

ERL2

 

eth0 = WAN = 192.168.178.227 (interfacing will have a public ip when done)

eth1 = LAN - 192.168.2.1 with 192.168.2.0/24 subnet

eth1.1003 = guest wifi with 172.16.2.1/24 is only internet access

openvpn tunnel ip = 10.255.12.2

 

What I want is that both routers have internet access for their subnets and the guest vlan, and a vpn tunnel with each other over the internet that will route all traffic from and to 192.168.x.x so that I can reach servers and clients on both locations.

It is openvpn now. And probably needs to be more secure than it is now (advice is welcome) but vpn method can be ipsec or something else if need be.

 

Tunnel is up. 

 

ubnt@gw# run show openvpn status site-to-site

OpenVPN client status on vtun0 [OpenVPN]

 

Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since

--------------- --------------- --------------- ------- ------- ------------------------

None (PSK)      192.168.178.227 10.255.12.2      564.2K  552.0K N/A

 

[edit]

ubnt@gw#

 

And traffic flows through them. From the erl1 side I am able to ping the erl2 tunnel ip (10.255.12.2) and eth1 ip (192.168.2.1).

From the erl2 side the same. But I am unable to ping or connect to the lan networks (the 192.168.2.0/24 and 192.168.1.0/24 subnets).

I think it is because I miss something in the firewall policies but I cannot find what.

The config is attached, the other side has the same config but with ip addresses adapted.

Any advice? Other advice to make it as secure as possible is welcome.

Any help is welcome,

thank you and much appreciated.

 


EdgeRouter Lite 3 stops responding to ARP/ping/etc on eth0 after firmware updated to 1.10.5+

Hey,

I've an ER-Lite3 running. Until today, it has been running on 1.10.0, without any change or any trouble for a few months.

Today I updated it to 1.10.7, and after a reboot I was briefly able to access the Internet, but after SSH server and GUI became available, connectivity died.

 

My setup is pretty easy: ISP VDSL modem (FritzBox 7580) connected to eth0 (in router mode, so it does DHCP, NAT etc.).

Its LAN 1 is connected to the ER's eth0. eth1 is empty, eth2 is LAN (with one untagged and 3 tagged VLANs, only untagged in use ATM). ER's IP on eth0 is fixed, but I also tried DHCP, no difference.

 

So - update applied, rebooting ER. Internet works for ~1 minute, but when GUI + SSH become available, the ER turns dead on eth0.

It can still be accessed via eth2 without any issue.

 

I tried the following:

Connecting a laptop to LAN2 of FritzBox. Starting a ping to the IP of ER's eth0 interface.

It works for the first minute, but at some point the ER stops responding to ping. When the ARP entry on the laptop times out, it stops pinging, sends ARP requests. I can see all of that via 

tcpdump -i eth0 -nn -B4096

ARP requests hit the ER, but it doesn't send out anything, it also does not respond to ping (on that interface). It just seems to be completely dead.

Did also check iptables, no DROP or REJECT matches, and all those entries have counters of 0. 

 

I did not change any config before or after the update, and I rebooted the box multiple times, the behavior was consistent. I figured it had to do with the update, but couldn't find anything on the forums or in the release notes that seems to fit.

Therefore, I started to downgrade version by version. 1.10.7, .6 and .5 show the same behavior. After downgrade to .3, everything went back to normal, and it works again.

 

Before I sanitize my config, my question to the regulars here: Is any such behavior known or documented for those versions, or do you have any idea where to look?

IPTV multicast with DHCP over IPsec or GRE tunnel

I have read https://community.ubnt.com/t5/EdgeRouter/IPTV-IGMP-Multicast-Solution-for-Edgemax-Router/td-p/1253350 and many other related topics but none go with my setup. I have a need to allow local and remote users to see IPTV, receive DHCP from it and separately - be able to access local hosts from the remote location. I did not go the complex route for IPTV.

 

I am doing no routing at all. On a local router I simply separated IPTV traffic which comes on VLAN6 from internet traffic by bridging eth0 to eth1 on VLAN 6 as you can see in the image. I then simply use EdgeSwitch to distribute IPTV traffic and untag VLAN 6 so IPTV boxes can take the traffic. So all works locally.

 

For remote router - I already have setup IPsec site-to-site VPN and remote users can access local hosts on 192.168.0.x subnet and all works fine. I just cannot figure out how can I bridge ETH1.6 on local router to ETH2 on a remote router (or should it be eth2.6 as well?) I tried setting up GRE tunnel based on https://help.ubnt.com/hc/en-us/articles/204961754-EdgeMAX-Layer-2-bridge-over-GRE-tunnel but it did not work for me nor I could see if a tunnel exists (is up) as a command "show vpn ipsec status" was showing just 1 active tunnel which is for the 192.168.0.x subnet. 

 

Would appreciate if someone could guide me how to get ETH1.6 interface multicast IPTV traffic with DHCP bridged to the remote ETH2 interface.

Looking for Ethernet installer in Portland, OR

Hi, I currently own an ER-Lite3 and one of the UAP-AC-PRO devices. So far I've been pretty happy with their setup. I'd like to add some of their wired cameras to monitor my home.

 

However, I need some Ethernet runs to make this happen. Reliable contractors in my area seem to be hard to pin down since they make more money from commercial installs. I had one guy come out and give me a quote for a Vivotech camera system, but I tried to follow-up with him to consider a bid with Ubiquiti gear and haven't heard back. I'm guessing he's not that interested.

 

I've contacted our local Ubnt dealer here in Oregon, but they aren't open until Monday. Suggestions welcome.


Edgerouter pro blocking communications between two LANs in one direction.

Hi all, the first thing I would like to say is I am very new to all of this. The edgerouter is in my homelab so it is not in some big corporation. With that said, I have set up two LANs, one for servers, one for home network. I am trying to make it so that all communication from LAN 2 (server lan) is blocked and cannot enter LAN 1 (home). However, I want to be able to access the servers from only my computer on the home network. Obviously I need the servers to be able to connect to the internet but I don't want them to be able to access the router login (192.168.1.1 or 192.168.2.1). LAN 1 has an address of 192.168.1.1 and LAN 2 an address of 192.168.2.1. Finally please keep any instructions to the GUI as I am not totally confident in the CLI yet. Any help is greatly appreciated. Thanks!

Nest Hello Doorbell / IP address / Edgerouter

I live near the border of Illinois / Indiana, in Indiana.  There is a feature called "Familiar Faces" with Nest cams and doorbells, but it isn't allowed in the state of Illinois.  Nest tells me that my IP may be pulling from Illinois not Indiana.

 

When I called Xfinity, they told me this isn't true, and that I need to set my Nest Hello Doorbell IP to DMZ on either my CM1000 Netgear router or my Router.  I looked in the modem and there is no way to add that ip to a DMZ.

 

Could someone tell me where I would make this change on the Edgerouter?  The support guy said once I add it to the DMZ that it will always pull an Indiana IP.

 

 

Edgerouter 4 slow 1Gbit FTTH. What am I doing wrong?

I just bought an ER-4 to try and maximize the speed I get out of my 1 Gbit FTTH connection. With the ISP's modem (Bell Fibe), I can easily get 940/940 Mbps on dslreports.com/speedtest, and the same kinds of speeds via iperf3 to a server in a datacenter behind a 1 Gbit connection (my personal server).

 

I had a ER-X-SFP, but was never able to get more than ~800 Mbps, no matter what.

 

I just plugged in the ER 4, but I'm still not getting faster speeds than with my ER-X. I'm plugged directly into the ER-4, and have tried dslreports, speedtest.net, and iperf3 to the same server. It's consistently slow. Shouldn't I be getting faster speeds out of the ER-4? At least faster than the ER-X?

 

offload is enabled.

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : disabled
  pppoe     : enabled
  gre       : disabled
IPv6
  forwarding: disabled
  vlan      : disabled
  pppoe     : disabled

IPSec offload module: loaded

Traffic Analysis    :
  export    : disabled
  dpi       : disabled
    version       : 1.422

FW is updated -> 1.10.7

 

 

My config is pasted below.

 

It's a very basic config - all I'm doing is connecting to the net.

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.5.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        mtu 1508
        speed auto
        vif 35 {
            description "Internet (PPPoE)"
            mtu 1508
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1500
                name-server auto
                password SNIP
                user-id SNIP
            }
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name SNIP
    host-name edgerouter
    login {
        user SNIP {
            authentication {
                encrypted-password SNIP
            }
            level admin
        }
    }
    name-server 1.1.1.1
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

 

Three Subnet - Cannot See Each Other

So I am running into an issue. To me it's something new and can't really find the answer. I have 3 subnets:

192.168.0.1 - Desktop Connection

192.168.1.1 - 16 Port PoE

192.168.2.1 - 24 Port

 

I am trying to make it so all the computers on each subnet can talk to each other and having a hard time figuring it out. I have never dabbled in firewall rules all too much.

 

 

EdgeRouter 4 and OpenVPN server and LAN non-discovery

ETH0: Static IP over PPPoE
ETH1: LAN network (192.168.3.1)

 

I have a problem that when I connect via OpenVPN I cannot see the network (computers and other devices on the network).

 

OpenVPN is made based on web instructions:

https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

 

I can ping every device, I can connect to a specific IP address in case the firewall is set correctly, but I cannot connect to the NAS (QNAP). Also, if I'm on OpenVPN with my Android phone, in that case Google Play service download is not working, etc. But web pages open normally.

 

So I need somehow to resolve NAT forwarding etc... Can anybody help me?

If you need how I have configured firewall etc.. please give me instructions how to get this from router..

 

Also, I give some screenshots about OpenVPN and what was solution so that I can connect to Windows network share PC - this is not longway solution.

 

So is the problem somehow firewall or NAT forwarding?

 

 
