I've setup my ERX using one of the wizards, but at some point, I'd like to be able to setup an edgerouter on the command line from scratch. So I'm reading through my config to understand what the wizard did.
Could someone explain the following firewall rules:
ip-src-route disable
send-redirects enable
source-validation disable
syn-cookies enable
Thank you!
I have a new Edge Router 4 running 1.10.8.
I am trying to setup multiple external IPs with DNAT and I am not able to get more than 1 of them to work.
I have followed all of the documentation on both UBNT.com as well as other resources online.
I first tried setting just the x.x.x.221/29 interface address with proxy-arp turned on. The .221 address DNATs work – but none of the other IPs work. I then added all of the other IPs as secondary addresses as I read some people suggest (see my configuration below). The other IPs still do not work.
As I mentioned, the DNAT entries I create for the first entry x.x.x.221 work just fine (I see the NAT count incrementing). The other addresses never increment the DNAT counter. When I tcpdump on the EdgeRouter I do see the traffic for the secondary address .220/.219/.218/.217 addresses come into the EdgeRouter – but they never hit the DNAT rule.
I hear others talk about this same issue from years ago and that code 1.8 broke this. I see many people say this should work.
This is my interface config:
ethernet eth0 {
address x.x.x.221/29
address x.x.x.220/29
address x.x.x.219/29
address x.x.x.218/29
address x.x.x.217/29
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
ip {
enable-proxy-arp
}
speed auto
}This is my DNAT config:
nat {
rule 1 {
description "UXWEBx - HTTP" (This one never increments DNAT counter)
destination {
address x.x.x.217
port 80
}
inbound-interface eth0
inside-address {
address 192.168.1.71
port 80
}
log enable
protocol tcp
type destination
}
rule 3 {
description "1.70 HTTP" (This one works fine)
destination {
address x.x.x.221
port 80
}
inbound-interface eth0
inside-address {
address 192.168.1.70
port 80
}
log enable
protocol tcp
type destination
}Any suggestions?
Thanks!
Hi,
I have a 75/6 Internet package. When connected behind the ER-4, both my MacBook Air and Windows 10 PC max out at ~50mbps down. If I bypass the ER-4, both max out at 70+ mbps. Disabling Smart Que makes no difference. Do I need to upgrade routers?
Thanks,
->g.
Hi Guys
Im looking for a way so i can load and enable de unms option on mi edgerouters i have version 1.10.7, i can only access them on ssh
any help is welcome
thanks
Ernesto
Hi,
I got an EdgeRouter X setup with DHCPV6-PD and firewall rules setup as documented here. Problem is that the firewall rules don't seem to be blocking external traffic as expected. Checking for open ports from an IPv6 Port Scanner on other network shows ports that are open on the routher and other internal devices.
My firewall rules are follows
ipv6-name V6_WAN_IN {
default-action drop
description "IPv6 WAN to Network"
rule 10 {
action accept
description "Accept Related"
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Drop Invalid"
state {
established disable
invalid enable
new disable
related disable
}
}
rule 30 {
action accept
description "Accept ICMP v6"
icmpv6 {
}
}
}
ipv6-name V6_WAN_LOCAL {
default-action drop
description "IPv6 WAN to Router"
rule 10 {
action accept
description "Accept Related"
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Drop Invalid"
state {
established disable
invalid enable
new disable
related disable
}
}
rule 30 {
action accept
description "Accept ICMP v6"
icmpv6 {
}
}
}These has have been applied eth4 (WAN Interface) as follows
firewall {
in {
ipv6-name V6_WAN_IN
name V4_WAN_IN
}
local {
ipv6-name V6_WAN_LOCAL
name V4_WAN_LOCAL
}
}Have I missed something in the setup?
Cheers,
Craig
Hi there,
i got a Vodafone DSL 500 Mbit with DS-Lite.
It is connected via a Router from Vodafone with very less settings to adjust. (dont know the model or manufacturer right now)
Behind that router i have a EdgeRouter X for one Building and a Unify Security Gateway for the other (each with AP AC Lite)
Dont want to change that setup.
So i set the Vodafone-Router in Bridge-Mode and set another EdgeRouter X via Setup Wizard to get its IP via DHCP and IPv6 with DHCPv6 on eht0. The Router also sends it own DHCP on all 4 remaining Interfaces.
After that i couldn't get anything through - no website and no ping directly to an IP etc.
Probably its a firewall isue - but i read that the wan-out traffic should all be accepted by default.
I also tested with my laptop directly on the Bridge-Moded Router and that worked fine. So i think no error on that side.
Any ideas how to solve this?
I am having an issue with 1 way audio and dropped calls. This is very intermittent and does not happen all the time. I have worked extensivly with the VOIP provider (Coredial Hosted PBX) and they see our phone constantly flapping between there 2 data centers which uses DNS SRV to direct to redundant datacenters. They have not been able to find any issues on there side and are pointing at the Edgemax POE router as being the problem.
The router connects via ETH0 directly the ISP Router which is bridged and no firewall and ETH1 to the local lan which has between 20-30 phones per site across 3 diffrent sites with all sites having the same issues. I have a firewall rule allowing ALL traffic and also have tried with FW completely off. I have Hairpin NAT enabled, SIP module disabled, indirect media and indirect signalling both turned on. Please see config below and let me know what I may need to do to get this working. We are at risk of losing a very large customer if we cant get this fully resolved asap
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name fw {
default-action accept
description ""
rule 1 {
action accept
description fw
log disable
protocol all
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address x.x.x.x/29
description Internet
duplex auto
firewall {
in {
name fw
}
out {
name fw
}
}
poe {
output off
}
speed auto
}
ethernet eth1 {
address 10.10.11.1/24
description Local
duplex auto
firewall {
in {
name fw
}
out {
name fw
}
}
poe {
output off
}
speed auto
}
ethernet eth2 {
description "Local 2"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
description "Local 2"
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
description "Local 2"
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
switch switch0 {
address 192.168.2.1/24
description "Local 2"
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
wan-interface eth0
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 97.68.84.185 {
}
}
}
}
service {
dhcp-server {
disabled false
global-parameters "option option-66 code 66 = string;"
hostfile-update disable
shared-network-name LAN1 {
authoritative disable
subnet 10.10.11.0/24 {
default-router 10.10.11.1
dns-server 8.8.8.8
dns-server 1.1.1.1
lease 86400
start 10.10.11.2 {
stop 10.10.11.200
}
subnet-parameters "option option-66 "ftp://atalabeca:xxxxxxxxxx@sipregistration.com";"
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on switch0
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
connection wss://x.x.x.x:8444+cxUJehowsadMwsf0RPFTpBVA96mmHNNYis4o8s5K3joAAAAA+allowUntrustedCertificate
}
}
system {
conntrack {
expect-table-size 2048
hash-size 32768
modules {
sip {
disable
enable-indirect-media
enable-indirect-signalling
}
}
table-size 262144
timeout {
icmp 30
other 600
udp {
other 360
stream 360
}
}
}
domain-name ubnt
flow-accounting {
disable-memory-table
ingress-capture post-dnat
interface eth0
netflow {
enable-egress {
engine-id 1
}
engine-id 0
server 71.43.198.50 {
port 2055
}
timeout {
expiry-interval 60
flow-generic 60
icmp 60
max-active-life 60
tcp-fin 10
tcp-generic 60
tcp-rst 10
udp 60
}
version 9
}
syslog-facility daemon
}
host-name Suntree-BEC
login {
user ubnt {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 1.1.1.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipv4 {
forwarding disable
pppoe disable
vlan disable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi disable
export disable
}
}
traffic-control {
smart-queue Voip {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 100mbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 10mbit
}
wan-interface eth0
}
}
hi, i've been trying to ping between two different subnet to no avail, need help on how to configure a static route?
my current connection:
internet -> Edgeroute eth0 -> eth1 (192.168.1.0/24) TV, Android box
-> eth2 (192.168.2.0/24) PC, Nas
eth1 and eth2 is connected to two different rounter in AP mode, DHCP supply by eth0
i can't seems to communicate from my PC to TV, or vice versa.
i'm trying to access my NAS by using android box to no avail, need help here. i'm new to networking
regards,
Keith
I've got a few of these and I'm updating to fiber.
On the latest firmware, when I go to get the unit setup. I go to the config, setup the unit as a switch with the wizard, add my vlans. Get it working fine.
When I go into the switch config and add eth5 to the switch, it stalls out and I have to factory reset to recover.
Not sure what the issue is.
Hi, I have an EdgeRouter 4 as a DHCP server and a AmplifiHD as wifi bridge. How can I block/ kick/ban a mac adress from my network?
P.S. - AmplifiHD have an option to block wifi users but doesnt work while in a bridge mode.
Thank you.
Hi Guys,
Really hoping someone has some ideas about what is going on with this IPSec tunnel I am trying to get working.
First off, this is the topology:
The AWS bit is largely negligible as this is just there to show that we are connected to AWS with an IPSec tunnel and are running BGP through it. We are then redistributing the BGP routes into OSPF. As it is a small network, everything is running in area0.
What we currently have is an OpenVPN tunnel between the 'Remote site' and the 'Colo' site. The Colo ER-8 router is also acting as an OpenVPN server for client VPN access. We have been seeing very high latency and CPU usage on the Colo ER-8, so to alleviate this, we are changing the tunnel to the remote site to be an IPSec tunnel, to make use of the hardware offloading for IPSec and lighten the load on the CPU.
The remote site is located in a shared office and sits behind a managed router for internet access. It's outside interface is using DHCP for the IP and default route, so we are using NAT-T to establish the VPN between the Colo and remote sites and use hardware IPSec offloading at both ends.
My plan to move over to the IPSec tunnel is to establish the IPSec tunnel first and configure OSPF with higher costs than are on the OpenVPN tunnel. Then it is just a case of shutting down the OpenVPN vtun interface (or raise the cost) and allow traffic to flow over the IPSec tunnel.
Before doing this, I ensured the tunnel is up and both ends are talking OSPF over it. I did this and all looks good, the OSPF timers are behaving as they should and could see 0% packet loss after sending a few thousand large pings down the tunnel.
So, the time came that I am moving the traffic over to the IPSec tunnel and I did so by shutting the OpenVPN vtun interface. This is where the problems begin. As soon as traffic starts flowing over the IPSec tunnel, we see major packet loss (50%+). The OSPF dead timer frequently expires, breaking the OSPF neighborship. Thinking the issue may just be to do with OSPF, I removed that from the equation and just statically routed traffic over the IPSec tunnel, but this did not help, we still see huge packet loss.
I have tried debugging the VPN, but I just can't seem to find any detailed enough info. I have tried the following:
show vpn debug sudo swanctl --log show vpn log
...and there is no info of real use in any of those. The main bit I have got from these commands is that the remote site is frequently re-initiating the connection fort no apparent reason:
xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
The IKE lifetime is 28800, the ESP lifetime is 3600 and the above log entry is appearing way more frequently than every hour.
On the remote site (on the Unifi GW4) I am seeing very frequent re-key and delete events in the log:
Dec 19 08:18:00 04[IKE] <peer-1.1.1.1-tunnel-vti|6> CHILD_SA peer-1.1.1.1-tunnel-vti{1} established with SPIs c0908a3e_i c1f57195_o and TS 0.0.0.0/0 === 0.0.0.0/0
Dec 19 08:19:43 05[KNL] creating rekey job for ESP CHILD_SA with SPI c5ae299b and reqid {1}
Dec 19 08:22:51 14[KNL] creating rekey job for ESP CHILD_SA with SPI c1f79cb6 and reqid {1}
Dec 19 08:35:33 07[KNL] creating delete job for ESP CHILD_SA with SPI c5ae299b and reqid {1}
Dec 19 08:35:33 07[IKE] <peer-1.1.1.1-tunnel-vti|6> closing expired CHILD_SA peer-1.1.1.1-tunnel-vti{1} with SPIs c5ae299b_i c1f79cb6_o and TS 0.0.0.0/0 === 0.0.0.0/0
Dec 19 08:35:33 02[KNL] creating delete job for ESP CHILD_SA with SPI c1f79cb6 and reqid {1}
Dec 19 08:45:01 12[IKE] <peer-1.1.1.1-tunnel-vti|6> reauthenticating IKE_SA peer-1.1.1.1-tunnel-vti[6]
Dec 19 08:45:01 12[IKE] <peer-1.1.1.1-tunnel-vti|6> initiating Main Mode IKE_SA peer-1.1.1.1-tunnel-vti[7] to 1.1.1.1
Dec 19 08:45:02 05[IKE] <peer-1.1.1.1-tunnel-vti|7> IKE_SA peer-1.1.1.1-tunnel-vti[7] established between 10.80.125.63[10.80.125.63]...1.1.1.1[1.1.1.1]
Dec 19 09:01:11 14[KNL] creating rekey job for ESP CHILD_SA with SPI c0908a3e and reqid {1}
Dec 19 09:01:11 07[IKE] <peer-1.1.1.1-tunnel-vti|7> CHILD_SA peer-1.1.1.1-tunnel-vti{1} established with SPIs ccc201f1_i c2b5449c_o and TS 0.0.0.0/0 === 0.0.0.0/0
Dec 19 09:08:56 14[KNL] creating rekey job for ESP CHILD_SA with SPI c1f57195 and reqid {1}(1.1.1.1 is the public IP of the Colo router)
I am thinking this is a bug or an issue with IPSec offloading as I can't think of any reason why it would work fine before routing traffic over it and then fall to pieces as soon as it is commissioned, so I'd really like some input from UBNT on this as I feel the solution is out of my hands.
Help me Ubnt, you're my only hope!
Configs are attached
Hello UBNT community!
So I've bought myself an Edgerouter Pro and an Edgeswitch (24 250w).
Router firmware version: 1.10.8
Switch firmware version: 1.8.1
I have my WAN_IN on eth7 (SFP) and then I've connected the router (eth6) to the switch (port 25) where I have a few vlans.
On one of these vlans (vlan50) I've built an ubuntu VM which I am now trying to allow SSH externally (yes it works locally).
So I first tried the simple port forwarding in the router via the port-forward tab, this didn't work. I've made sure the router can ping the ubuntu server on vlan50 which it can, so the basics is at least sorted.
I then tried setting it up a bit more manually by using DNAT as instructed by this video:
https://www.youtube.com/watch?v=7QSRNwFo6os
No luck there either.
Any idea how I can successfully add this port forward?
Hello,
I have been working on configuring my new ER-4, and I have a general question about the firewall that I haven't been able to google a definitive answer for.
I have a setup with a WAN IP and a routed /29, all traffic is going into eth0, I have the WAN IP used in a NAT configuration for a LAN on eth2, and the /29 is routed to eth1 where I have a couple of servers.
All this is working is it should, traffic is flowing as expected.
Then I moved onto the firewall part, and after a couple of hours and a lot of trial and error I have gotten it to work, but I am not 100% certain its the "right way" to do it.
My question boils down to, are rulesets bound to the in part of an interface checked when traffic is moving between ports, internally in the router, or is it only when entering or leaving the port, so to speak.
Case is, I have a ruleset allowing traffic for the /29 on eth0/in (this is allow all, as I wanted to have the server specific ruleset separate, if possible)
So, I did a second ruleset which I bound to eth1/in, but it did not seem to have any effect on traffic going to the port. When I moved it to eth1/out and adjusted destination accordingly, it seems to work as it should.
I might have solved my own problem, but, if someone can confirm that this is indeed the case, it would help me a lot, its pretty hard debugging and testing this for real, and I would hate to expose services not intended for the internet without my knowledge 
Thanks a lot in advance,
Peter
Will it be possible to use DNAT for Lets Encrypt so more local login,
Edgerouter, Edgeswitch, Unifi, unms, nextcloud, and more local pages
can use https without you spending so much time entering your username
and password in Chrome.
It seems that its possible manually with DNAT and point port 80 and 443 into
more on several local ip or host names. It seems
Willie Howe is around and about DNAT in this video
https://www.youtube.com/watch?v=7QSRNwFo6os
All advice is welcome, maybe another way..
I know use Firefox No I like use Chrome
Hello all, I have a Edgerouter 6P that I set up around a two weeks ago and installed onsite in my companys server room, without power, since that time. I went in today to test everything prior to the company opening and brought my laptop. I connected to the wifi network previously set up with no issue, and then went to the edgemax portal page but it wouldn't accept my credentials to log in.
I tried the default login info, doublechecked that I was inputing the password correctly but still could not get in. Is there any reason it would have forgotten the setup due to it being without power for so long? It seems doubtful given the DHCP server was functioning correctly but I'm at a loss as to why this happened. My laptop doesn't have an ethernet port either so I couldn't direcly connect, is there a way via USB or over the wifi that I can log into this thing?
Hi
I have been working on some remote edgerouters, there a some of them that have errors when entering commands
Linux ubnt 3.10.107-UBNT #1 SMP Mon Oct 1 12:41:38 UTC 2018 mips
Welcome to EdgeOS
conectaless@Conectaless:~$ condfigure
-vbash: condfigure: command not found
conectaless@Conectaless:~$
any help thanks
elucero
I'm wondering if someone can direct me here.
Is there a way to create two "switched" port groups on the ER-X without huge latency issues? I tried bridging eth1 & eth2, while using eth3 & eth4 on the switch chip, but latency jumped from 20-50ms to 200-400ms (both for devices on the new bridge, as well as devices on switch0).
Could I somehow have screwed up a setting, or will latency take that much of a hit on the ER-X, just by bridging two ports?
I know it's time to purchase a switch & do some VLAN tagging, but is there any other creative way I can create two "switched" port groups & not take a huge hit on latency?
thanks!
Hi,
I'm pretty new to this stuff, but I have made a setup where I have an EdgeRouter (lite) and an EdgeSwitch (250W PoE, 24Ports).
I have an unmanaged small switch connected to a port on the EdgeSwitch. I have access to the normal/standard netowork and the VLANs on this port on the EdgeSwitch and thereby as well on the unmanaged switch. That is all fine.
The main part of the devices on the unmanged switch are to get assigned DHCP adresses from the standard network, that is all fine - and I can do the DHCP reservation I will here, all good so far. However for a particular device on the unmanaged switch I would like to make a DHCP reservation to VLAN20. Is that possible to do? (at least I cannot get it working, I have tried doing a DHCP reserveration for the given MAC adress pointing at the VLAN on the DHCP service for as well the VLAN as for the standard LAN)
Thanks in advance.
KR
Torben
We have stable OpenVPN tunnel (tcp on port 443) with ~700mbit throughput on a 1000mbit connection. Currently using Synology DS918+ as VPN endpoints. But we need to roll out more endpoints, and the Synology units are pricey, and we don't really need or want NAS units at every location. It would be less expensive and cleaner to consolodate everything onto EdgeRouters.
Can the new EdgeRouters with 4 cores handle routing for gigabit connection and the OpenVPN tunnel at, at least, 500mbit?
Hi all, have decided to upgrade my home network, house is a new build, cat 6 wired throughout all coming to a cabinet in the utility.
I have fibre broadband so first port of call was to ditch the modem and replace with an ER.
equipment i have is:
ER POE5
Unifi Switch 8
3 APs (Unifi)
Cloud Key
Currently the ER has wan on eth 0, eth 1 empty, cloud key eth 2 and a netgear switch on eth 3.
My plan is to tidy everything up, ditch the netgear switch, install the unifi one.
Currently i have everything set up via the cloud key.
Questions i have are:
For a relative newbie like me, is there any benefit in having a USG instead of the ER so that all are unifi products? or is the only downside using two different apps to login to them?
I will have enough devices to use all of my ethernet ports:
ER POE - eth 0 wan, eth 2 - AP1, eth 3 - AP2, eth 4 - Unifi switch
Unifi switch
Port 1 - ER, Port 2 - Sky Q, Port 3 - NAS, Port 4 - HD Anywhere matrix, Port 5 - Hue, Port 6 - AP, Port 7 - Cloud Key, Port 8 - Netgear Arlo
I understand bridging eth1 isnt advisable, also i have already set the cloud key up in eth 2 so assume it would be pain to move it to eth 1 (and probably beyond my rudimentary capabilities), is there anything else i could utilise it for, sky box perhaps as it doesnt matter if its on the same network just need it to have a good solid internet connection.
sorry if the queries are a bit foolish, thanks in advance for help
