I've read many times about how turning on QoS stops hardware acceleration from working and therefore limits throughput performance. Is this a hardware limitation of the Cavium processor, or is it possible to have some/any QoS support in hardware?
Hardware accelerated qos
t-mobile cellspot
Anyone have a t-mobile cellspot at home working with ubiquiti. (https://support.t-mobile.com/community/coverage/personal-cellspot/4g-lte-cellspot)
I've tried forwarding UDP 4500, 500 and 123, yet it still sits there blinking the Internet light. I'm 100% sure it's Ubiquiti breaking something, since if I plug it in directly to my modem it works just fine.
I'm hoping someone else also had this issue.
ERL v1.9.0 - Flaky 'connection' - Packet loss mostly
I just upgraded my router a few days ago to v1.9.0 (from v1.8.5) and seem to randomly have some packet loss.
Pinging a few domains (and using mtr) all seem to point at my ERL being the issue. I started debugging this today and when connected directly to the modem (Surfboard SB6141) everything is perfect. Connected directly to eth1 (or eth2) and I get a decent amount of packet loss.
Network config:
- Comcast ISP
- Surfboard SB6141
- ERL:
- eth0: WAN
- eth1: Wired LAN 172.16.0.1/24
- eth2: Wireless LAN 172.16.1.1/24
- eth1 is connected to a Trendnet 8 port Gigabit switch
- eth2 is connected to a Ubiquiti AC access point
I just swapped the ERL out with this old Netgear WNDR3700-v2 router I have running OpenWRT and there's no packet loss when connected directly via ethernet or over the same access point, which I connected to one of the 4 LAN ports. I also tried restoring the factory config on the ERL by holding the reset button until the light was solid on eth2, and set it up again via the Basic Config Wizard with the same setup listed above.
Even with only my computer plugged into the eth1 port and the eth0 connected directly to the Surfboard modem, the packet loss resumed.
Thoughts on what I should debug from here?
Perhaps rolling back to v1.8.5 to verify that version isn't seeing the issue would work?
(Not sure if that's as easy as uploading that firmware or if there's a specific procedure).
Of course, happy to provide any other info that might help someone out there.
DynDns problems
I have DynDns set up on my ER-X and for some reason it does not update the ip address when it changes.
Here are my dynamic dns settings:
Interface: Eth0
Web: DynDns
Web-Skip: This box is blank
Service: DynDns
Hostname: my hostname here as set in dyndns panel
Login: My username (username, not email address)
password: my password
Protocol: -
Server: http://members.dyndns.org
Are these settings correct? If not, what are the correct settings?
I can reset my modem and get a new IP and go to the ER-X GUI and "Force-Update" it, and when I log in and check in my dyndns panel it still isn't changed. I have the dyndns update time set for a very short amount of time, too. TTL in dyndns panel under the host is set for 20s.
L2TP over IPSEC
Is it possible to set up VPN with a dynamic IP and dynamic dns hostname instead of ip address in client settings?
System log server
Does anyone have any recommendations on a System log server? And some pointers on how to set it up?
EdgeRouter setup for Swiss FTTH providers
I've had two EdgeRouter types connected to different Swiss FTTH ISPs and I was recently asked to share my experience. I still consider myself very much a beginner in managing these devices so feel free to improve upon my solution.
My devices are: EdgeRouter Lite, EdgeRouter-X SFP. First things first - both can handle your Gigabit connection. The ER-Lite out of the box, the ER-X (SFP) once you enable hardware offload. You can enable this by SSH'ing into your box, type "configure", then type "set system offload hwnat enable", commit the change by typing "commit", followed by "save" to save the config (use that same procedure to make other CLI related changes later on).
So, which device you may want depends largely on your needs.. a device with a few switch ports and SFP allows for a smaller build, and it can even drive some UAPs (no idea why they still do 24V passive POE though.. everybody else does 802.11af).
Fiber7 Setup
Fiber7 is imho your best fiber option in Switzerland. If you need telephony, just add any IPTSP, and they now have TV without recompression (visibly better than some of the competing TV offers by DSL providers). And, they let you connect any router you like, and provide an IPv6 subnet on top.
The setup for Fiber7 is straightforward. Go through your wizard, pick the right interface for WAN (for Fiber7 you obviously want eth5, the SFP port on an ER-X SFP, for the ER-Lite it doesn't matter), enable IPv6, and you're ready to go. If you are coming from another router, make sure to release the WAN IP address before making the switch, as Fiber7 only hands out one IP per customer, and they stick with a device for a certain time.
Here's the wizard on an ER-Lite. On the ER-X SFP, simply select eth5 as the WAN port.
Unfortunately, the Wizard does not cover the subnet size (/48) that Fiber7 offers. So, after the device has rebooted, SSH into it and set the proper prefix length. On an ER-X SFP, that would be
"set interfaces ethernet eth5 dhcpv6-pd pd 0 prefix-length 48". On the ER-Lite, replace eth5 with your chosen WAN interface (I'm using eth0 on mine).
Fiber7.tv
For a few months, Fiber7 also has their own TV offering. It is based on multicast, so we need to set up igmp on our router. This is once again a job for the CLI. Here's how to do it for an ER-X:
configure
edit protocols igmp-proxy
set interface switch0 alt-subnet 0.0.0.0/0
set interface switch0 role downstream
set interface switch0 threshold 1
set interface eth5 alt-subnet 0.0.0.0/0
set interface eth5 role upstream
set interface eth5 threshold 1
commit
save
This marks switch0 (the switch on the device) a downstream port for IGMP, and eth5 the upstream port. On an ER-Lite, you'd swap out switch0 with the physical lan interface, and WAN is eth0. If you have different subnets on different physical ports, you can add multiple downstream ports just fine.
You should see a message "Starting IGMP proxy" when you commit.
Your config should now contain a block like this
protocols {
    igmp-proxy {
        interface eth5 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface switch0 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
}
That takes care of IGMP, but of course, your network also has to support it, so turn on IGMP on every switch, or get switches that support it out of the box.
Next, we need to allow multicast traffic to enter our network. So far I don't have a list of addresses where the multicast streams originate from, so I'm allowing multicast from everywhere. If you can get those addresses, feel free to share so I can update my instructions.
And, we can do this using the GUI
Go to Firewall/NAT, then Firewall/Nat Groups.
Create a new Address group and call it IPTV-Multicast
Add the following: 239.0.0.0/8
And save.
Then go to Firewall Policies, and edit the ruleset.
Add a new rule, call it "Allow IPTV Multicast UDP", with source being 0.0.0.0/0, and destination being the address-group IPTV Multicast, action: allow, and protocol: UDP
Add another rule, call it "Allow IGMP", action: allow, protocol: igmp.
Then repeat this process for the WAN_LOCAL firewall policy.
Your config should now show these rules in both WAN_IN and WAN_LOCAL. The rule number doesn't match
rule 10 {
    action accept
    description "Allow IPTV Multicast UDP"
    destination {
        group {
            address-group IPTV-Multicast
        }
    }
    log disable
    protocol udp
    source {
        address 0.0.0.0/0
    }
}
rule 30 {
    action accept
    description "Allow IGMP"
    log disable
    protocol igmp
}
and the address group definition is also inside the firewall
group {
    address-group IPTV-Multicast {
        address 239.0.0.0/8
    }
}
And that's it folks. If you get no picture, try doing a "restart igmp-proxy".. and if you get a warning that the igmp-proxy was not running, cat /var/log/messages to see if anything in your igmp-proxy config was off.
Sunrise
While Sunrise does not actively try to block you from using your own hardware, they make it rather difficult to replace their own router. In addition, there's two types of Sunrise FTTH connection. They have their own hardware in local telephony central offices in major cities (Zurich, Basel, Berne, Geneva, Fribourg, Winterthur, St.Gallen), but rely on Swisscom's BBCS reseller service for other locations. On top, their own hardware only goes to 100mbit so far, so if you order Gigabit in one of the cities mentioned, you'll get a Swisscom service again. My instructions are for Sunrise on BBCS as this is what I have access to. I'll try to find the config items for the other setup later on.
To get started, run the Wizard. Sunrise on BBCS uses VLAN 10 so make sure you enable VLAN on the WAN (shown here for an ER-Lite)
Basic Setup Wizard on ER-Lite
Once the wizard has run and the device rebooted, we need to fix a bug in the wizard of firmware 1.9:
Go to Firewall/Nat, then click the NAT tab.
Note the masquerade to eth0. That is wrong.. your WAN interface on the ER-Lite is eth0.10 (VLAN 10), or eth5.10 on the ER-X SFP. Adapt that rule, otherwise none of your connected devices will be able to access the Internet.
But that's not all. Other than using VLANs, Sunrise uses DHCP Option 60 to "get to the right network". If you don't set that value properly, you'll end up in the Swisscom network, where they won't let you go further since you're no Swisscom customer after all. So to add DHCP option 60, we need the CLI again.
configure
edit interfaces ethernet eth5 vif 10 dhcp-options
set client-option "send dhcp-client-identifier "dslforum.org,Fast5360-sunrise";"
commit
save
This will restart the DHCP client on your WAN interface and you should now see an IP address on the Internet Interface in the Dashboard (or if you like cli.. "sudo ifconfig eth5.10"). Again, replace eth5.10 with eth0.10 if you're on an ER-Lite.
And that's the Internet folks. For customers who have the non gig variety at Sunrise, and got an AVM Fritzbox, their DHCP option is "AVM dhcpdiscover 1.0 dslforum.org", so the command would be
set client-option "send dhcp-client-identifier "AVM dhcpdiscover 1.0 dslforum.org";"
However, since Sunrise now also ships the Sunrise Internet Box for their non gig offers, it may be that the first string always works.
Here's the config that you should have
interfaces {
    ethernet eth5 {
        duplex auto
        speed auto
        vif 10 {
            address dhcp
            description "Internet Sunrise"
            dhcp-options {
                client-option "send dhcp-client-identifier "dslforum.org,Fast5360-sunrise";"
                default-route update
                default-route-distance 210
                name-server update
            }
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
        }
    }
}
Sunrise TV
Sunrise has different TV boxes - a "big" one, one that still has a harddisk in it, and the smaller box without a harddisk (and there's supposed to be a new 4K box coming soon). I've done this with the "big" box, also called Amulet. I can't say whether it is different for smaller boxes.
Once again, Sunrise also uses multicast for their IPTV solution. So we need to enable the igmp-proxy. Follow the instructions for Fiber7.tv on how to turn on multicast and how to configure the firewall.
In addition to the TV channels that are multicast in the 239. address range, Sunrise uses multicast DNS on the 224. network. So, add this address range to the IPTV-Multicast address group: 224.0.0.0/4
So, your firewall config should now contain this address-group
group {
    address-group IPTV-Multicast {
        address 224.0.0.0/4
        address 239.0.0.0/8
    }
}
The firewall rules themselves are the same as for Fiber7.tv. If somebody gets a list of sources for those streams, please share so we can make the firewall more restrictive.
And now if you boot your Sunrise TV box, you'll be asked to contact customer support. Sunrise likes to make things a bit more difficult, but don't despair.. there's a solution.
First off, you need to figure out the IP/MAC of your Sunrise TV Box. So look for leases on your DHCP Server (Services - DHCP Server, then LAN1). The box I used to set this up was made by Entone, so the MAC address begins with 00:03:e6. If you have another box - if you're willing to dive into the CLI depths of ubnt hardware, I'm sure you'll figure out which is your TV box.
Now add a static lease for your TV box. Why? Because the TV box needs custom DHCP parameters, and we want to only send them to the TV box, not our entire network.
Then, fire up the cli again.
configure
set service dhcp-server global-parameters "option unifi-address code 43 = string;"
edit service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24
set static-mapping sunrisetv static-mapping-parameters "option domain-name-servers 212.98.37.128, 194.230.55.99;"
set static-mapping sunrisetv static-mapping-parameters "option unifi-address 8d:0e:54:56:53:30:30:30:31:31:35:34:35:32:30:30:6a:6c:68:74:74:70:73:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:2f:3f:63:6f:6e:66:69:67:3d:33:32:26:6d:6c:70:63:3d:24:50:52:4f:56:49:53:49:4f:4e:49:4e:47:5f:43:4f:44:45:26:6d:61:63:3d:24:4d:41:43:3b:68:74:74:70:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:2f:3f:63:6f:6e:66:69:67:3d:33:30:26:6d:61:63:3d:24:4d:41:43;"
commit
save
In the above, replace subnet 192.168.1.0/24 with the subnet you've chosen for your lan, and "sunrisetv" with the name you gave the static DHCP assignment for your Sunrise TV Box.
Now, what does this do: First off, it defines DHCP option 43, gives it a name "unifi-address", and makes it a string.
Then, we assign two public DNS servers to the sunrisetv static DHCP assignment. For whatever reason, Sunrise does not seem to trust its own hardware to proxy DNS for the TV box. Your PC will get the address of the Sunrise Internet Box as DNS, but not your TV box. And then, we set the value for DHCP Option 43 to hex. Why.. perhaps @ubnt can tell us why.. but all instructions for option 43 contain this bit about string to hex conversion. In case you're wondering what's in that string, here's the string representation:
TVS00011545200jlhttps://webacs.iptv.ch/?config=32&mlpc=$PROVISIONING_CODE&mac=$MAC;http://webacs.iptv.ch/?config=30&mac=$MAC
So it seems to tell the box where to get its config from. And I hope the start of the string is not something that identifies the customer... (they're not using your phone number as identifier.. if you look at the SIP registration, they're using some other string there, too). In case this shouldn't work for you, here's how I got that information: put a switch with sniffing capabilities between your Sunrise router and the TV box, and then boot up the TV box and look for DHCP traffic.
And that's it.. reboot your TV box, and after the eternity it takes to boot up, you should be ready to go.
Swisscom
First off, I don't have access to a Swisscom line, so the instructions are based on what Swisscom publishes themselves about using third party routers, and the config posted here.
The Internet setup is exactly the same as for Sunrise. The only difference is that the DHCP option 60 string is 100008,0001.
So, after running the wizard, you'd ssh into your router and do this
configure
edit interfaces ethernet eth5 vif 10 dhcp-options
set client-option "send dhcp-client-identifier "100008,0001";"
commit
save
Also, don't forget to correct the error that the wizard creates in the NAT rule (see Sunrise instructions).
At the end, you should have this config
interfaces {
    ethernet eth5 {
        duplex auto
        speed auto
        vif 10 {
            address dhcp
            description "Internet Swisscom"
            dhcp-options {
                client-option "send dhcp-client-identifier "100008,0001";"
                default-route update
                default-route-distance 210
                name-server update
            }
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
        }
    }
}
Swisscom TV
Just like other providers, Swisscom uses Multicast, so you have to create an address group that holds those multicast addresses. Swisscom uses the 239. range for their TV channels, and I suspect uses multicast DNS in the 224. range as well. In addition, a previous poster opened up a unicast address range - I'm not sure if those are the addresses where unicast traffic (replay TV) comes from. Feel free to test this out and report back.
Refer to the Sunrise TV instructions on how to build your address-group. But for Swisscom TV, we know where their multicast streams come from, so we can add another address-group called SCTV-MC-Source:
group {
    address-group IPTV-Multicast {
        address 224.0.0.0/4
        address 239.0.0.0/8
        address 195.186.0.0/16
    }
    address-group SCTV-MC-SOURCE {
        address 213.3.72.0/24
        description "SWISSCOM MULTICAST SOURCE"
    }
}
Thanks to @XDan for posting his config.
Then, use those address groups to build two new firewall rules that allow traffic from the Swisscom Multicast Source to the IPTV-Multicast destination as well as allowing the igmp protocol.
rule 10 {
    action accept
    description "Allow IPTV Multicast UDP"
    destination {
        group {
            address-group IPTV-Multicast
        }
    }
    log disable
    protocol udp
    source {
        group {
            address-group SCTV-MC-SOURCE
        }
    }
}
rule 30 {
    action accept
    description "Allow IGMP"
    log disable
    protocol igmp
}
These rules need to be in both WAN_IN and WAN_LOCAL.
And that should be it. Swisscom does not write anything else about other DHCP option for the SCTV box, so hopefully your box will boot up and you can watch TV.
Final words:
As I wrote before, I'm by no means an expert, so feel free to point out where I can improve. And if you figure out the address range for those multicast streams from Fiber7 or Sunrise, please share so I can update this post.
Many thanks to @nooleech whose post here allowed me to get my TV box going, and @XDan for the configuration for Swisscom.
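The option 43 value in the Sunrise TV section is nothing more than the readable string quoted there with every byte written as two hex digits, colon separated, which is the form the DHCP server's "string" option accepts. The following Python helper is an added example, not code from the post: it converts text to that hex form, parses the hex back, and splits off the two non-printable leading bytes (8d:0e) so the remainder can be compared byte for byte with the string representation in the post. The string and hex values are copied from the post; the function names (text_to_hex, hex_to_bytes, split_option43) are my own.

```python
"""Round-trip a DHCP option 43 value between the colon-separated hex form used
in the EdgeRouter static-mapping-parameters line and its readable string form.

Added example; the option value and its string representation are the ones
quoted in the forum post, nothing about the TV box's parser is assumed.
"""

# String representation quoted in the post.
OPTION43_TEXT = (
    "TVS00011545200jlhttps://webacs.iptv.ch/?config=32"
    "&mlpc=$PROVISIONING_CODE&mac=$MAC;http://webacs.iptv.ch/?config=30&mac=$MAC"
)

# Hex representation from the post's "set static-mapping ..." line.
OPTION43_HEX = (
    "8d:0e:54:56:53:30:30:30:31:31:35:34:35:32:30:30:6a:6c:68:74:74:70:73:3a:2f:2f:"
    "77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:2f:3f:63:6f:6e:66:69:67:3d:33:32:26:"
    "6d:6c:70:63:3d:24:50:52:4f:56:49:53:49:4f:4e:49:4e:47:5f:43:4f:44:45:26:6d:61:"
    "63:3d:24:4d:41:43:3b:68:74:74:70:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:"
    "63:68:2f:3f:63:6f:6e:66:69:67:3d:33:30:26:6d:61:63:3d:24:4d:41:43"
)

_HEX_DIGITS = set("0123456789abcdefABCDEF")


def text_to_hex(text: str) -> str:
    """Encode an ASCII string as lowercase, colon-separated hex octets."""
    return ":".join(f"{b:02x}" for b in text.encode("ascii"))


def hex_to_bytes(hex_value: str) -> bytes:
    """Parse colon-separated hex octets, rejecting anything malformed so a
    typo in the config line is caught before it reaches the router."""
    octets = hex_value.split(":")
    for octet in octets:
        if len(octet) != 2 or any(c not in _HEX_DIGITS for c in octet):
            raise ValueError(f"malformed octet {octet!r} in option value")
    return bytes(int(octet, 16) for octet in octets)


def split_option43(hex_value: str):
    """Return (leading_bytes, text): the run of non-printable bytes at the start
    of the option (8d:0e in the post's value) and the printable ASCII after it."""
    raw = hex_to_bytes(hex_value)
    i = 0
    while i < len(raw) and not 0x20 <= raw[i] < 0x7F:
        i += 1
    return raw[:i], raw[i:].decode("ascii")


if __name__ == "__main__":
    prefix, text = split_option43(OPTION43_HEX)
    print("leading bytes:", prefix.hex(":"))
    print("decoded text :", text)
    print("matches post :", text == OPTION43_TEXT)
    print("re-encoded   :", text_to_hex(text) == OPTION43_HEX[6:])
```

Run this on a workstation, not on the router; the hex it produces is what goes into the "option unifi-address ...;" string. Decoding the post's value gives exactly the quoted string after the two leading bytes. One thing worth noticing when you read the bytes: 0x0e is 14, the length of "TVS00011545200", and the "l" (0x6c, 108) before the URLs equals the length of the text that follows "jl"; whether the box really parses the option as length-prefixed fields is not something the post establishes, so treat that as an observation, not a spec.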
Is something wrong with my Cron/VPN check script?
Hi
I have a bit of a randomly dodgy DSL line. It behaves itself mostly, but, it can randomly (very recently twice per day) drop the VPN and not come back.
I never got DPD working and instead I used the method I found on the forum:
#!/bin/bash
/bin/ping -c 1 -W 2 lan-ip-of-remote-end 1>/dev/null 2>&1
if [ $? -ne 0 ]; then
    echo "Failed"
    /bin/vbash -ic 'clear vpn ipsec-peer public-ip-of-remote-end'
fi
along with adding the following config to the system:
task-scheduler {
    task vpncheck {
        executable {
            path /config/vpncheck.sh
        }
        interval 1m
    }
}
This always seemed to work fine in the past, but recently it doesn't seem to fire.
My VPN just dropped and logging on to the remote end, I could see an inbound trying to reestablish every 20 seconds, but failing.
I usually log on to my edgerouter and I run "restart vpn" which works, but, this time I tried calling "/config/vpncheck.sh" (just in case the script broke) which also immediately started working.
I can only assume the cron/task isn't firing and before I try loads of things, I was wondering if anyone has seen this before and can recommend anything?
FYI:
Version:      v1.7.0
Build ID:     4783374
Build on:     06/22/15 15:34
Copyright:    2012-2015 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Lite 3-Port
Another Plex thread, Edge Router X v 1.8.0 -- port forwarding. (Solved, user is a user, lol.)
Config dump below, login section redacted for reasons.
When testing if the ports are opened, all of em fail. Can't figure out why, am networking nub.
CLI instructions appreciated, I'm less comfortable with GUI. CLI leaves no room to mess up.
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
load-balance {
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description HFS
        forward-to {
            address 192.168.1.136
            port 8123
        }
        original-port 8123
        protocol tcp_udp
    }
    rule 2 {
        description Starcraft
        forward-to {
            address 192.168.1.136
            port 6112
        }
        original-port 6112
        protocol tcp_udp
    }
    rule 3 {
        description Plex
        forward-to {
            address 192.168.1.136
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            name-server 8.8.8.8
            name-server 4.2.2.1
        }
    }
    gui {
        https-port 8443
    }
    nat {
        rule 5010 {
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 8022
        protocol-version v2
    }
    telnet {
        listen-address 192.168.1.1
        port 23
    }
}
system {
    host-name ubnt
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-control {
    advanced-queue {
        branch {
        }
        root {
        }
    }
}
zone-policy {
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.0.4853089.160219.1607 */
ipv6 dhcpv6-pd no-dns
Under what circumstances would I need to use no-dns when using SET commands?:
For example when I
set interfaces ethernet eth0 dhcpv6-pd 'no-dns'
or if I leave no-dns out like
set interfaces ethernet eth0 dhcpv6-pd
The result for me is the same --- my ISP provides me with an IPv6 /128 address.
So what are the circumstances in which a no-dns directive must be used?
Dual WAN Failover with OpenVPN Client
I've got an ERPOE-5 with dual WAN setup in failover mode working perfectly... it's been working without hitch for years, but now I want to tunnel network traffic through a VPN and I can't seem to get it to work. I've followed all guides online, but for whatever reason it won't work.
The VPN link is up and the Edge Router gets assigned an IP and all, but traffic will not flow through. The only thing I can think of is that everything I've found refers to single WAN and the dual WAN needs something else configured??
Looking for some help to get this setup. Thanks!
EdgeRouter PoE - Multiple WAN IPs Port Forwarding v1.9
Hey Gang,
I have been running this OS as a newbie for about a year. I have learned a lot but can't seem to bust through this one. I have multiple static WAN IP addresses. I want to split traffic INCOMING to my WAN (eth0) to different LANs (eth1-eth4) based on the external IP used. I have configured DNAT, SNAT (ensuring the rule is before masq) and created firewall rules. As far as I can tell I have it right but it won't work. I could use a hand.
Site-To-Site VPN not running on one end (both ERL with highly similar configs)
This is a bit frustrating. I had this briefly working and went to switch to using Dynamic DNS names instead of IP addresses; it took the tunnel down (expected) and never came back up (not expected). In particular, these are two EdgeRouter Lite units that have both been updated to the latest firmware, v1.9.0, and this is the relevant config and output from both devices. You can see the "ubnt" ERL is clearly making attempts to reach the "apartment" ERL and that's ending up in the logs. For some reason, though, it looks like the "apartment" ERL is NOT attempting to reach the "ubnt" ERL nor is it responding to the packets it's receiving beyond logging the attempt. WTF?
First, the apartment ERL:
jamesb2147@apartment:~$ show configuration all
[snipped down to vpn section]
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer parents.embaucha.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "Parents house"
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.254.0/24
                    }
                    remote {
                        prefix 192.168.2.0/24
                    }
                }
            }
        }
    }
}
jamesb2147@apartment:~$
Now, the ubnt ERL config:
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer apartment.embaucha.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ApartmentComcastConnection
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.2.0/24
                    }
                    remote {
                        prefix 192.168.254.0/24
                    }
                }
            }
        }
    }
}
jamesb2147@ubnt:~$
Apartment ERL VPN logs, state, and status (notice the "state" has no result):
jamesb2147@apartment:~$ show vpn log tail
Aug 25 13:15:13 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:16:11 08[KNL] interface ifb_eth0 deactivated
Aug 25 13:16:11 06[KNL] fe80::e092:26ff:fe33:9b9e disappeared from ifb_eth0
Aug 25 13:16:11 04[KNL] interface ifb_eth0 deleted
Aug 25 13:17:55 00[DMN] signal of type SIGINT received. Shutting down
Aug 25 13:17:58 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Aug 25 13:18:03 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:18:25 00[DMN] signal of type SIGINT received. Shutting down
Aug 25 13:18:28 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Aug 25 13:21:13 12[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
^C
jamesb2147@apartment:~$ show vpn ipsec state
jamesb2147@apartment:~$ show vpn ipsec status
IPSec Process Running PID: 3866

0 Active IPsec Tunnels

IPsec Interfaces :
jamesb2147@apartment:~$
Ubnt ERL VPN logs, state, and status:
jamesb2147@ubnt:~$ show vpn log tail
Aug 25 13:09:29 06[KNL] creating acquire job for policy 192.168.2.145/32[tcp/46141] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:09:30 16[IKE] <peer-apartment.embaucha.com-tunnel-1|3> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[3] to 73.210.40.85
Aug 25 13:12:14 12[KNL] creating acquire job for policy 192.168.2.145/32[tcp/46147] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:12:15 13[IKE] <peer-apartment.embaucha.com-tunnel-1|4> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[4] to 73.210.40.85
Aug 25 13:15:12 10[KNL] creating acquire job for policy 192.168.2.145/32[tcp/55534] === 192.168.254.31/32[tcp/http-alt] with reqid {1}
Aug 25 13:15:13 11[IKE] <peer-apartment.embaucha.com-tunnel-1|5> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[5] to 73.210.40.85
Aug 25 13:17:57 06[KNL] creating acquire job for policy 192.168.2.145/32[tcp/43752] === 192.168.254.31/32[tcp/http-alt] with reqid {1}
Aug 25 13:17:58 16[IKE] <peer-apartment.embaucha.com-tunnel-1|6> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[6] to 73.210.40.85
Aug 25 13:21:12 11[KNL] creating acquire job for policy 192.168.2.145/32[tcp/44190] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:21:13 12[IKE] <peer-apartment.embaucha.com-tunnel-1|7> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[7] to 73.210.40.85
^C
jamesb2147@ubnt:~$ show vpn ipsec state
src 98.223.90.74 dst 73.210.40.85
    proto esp spi 0x00000000 reqid 1 mode tunnel
    replay-window 0
    sel src 192.168.2.145/32 dst 192.168.254.65/32 proto tcp sport 44190 dport 8080
jamesb2147@ubnt:~$ show vpn ipsec status
IPSec Process Running PID: 6359

0 Active IPsec Tunnels

IPsec Interfaces :
jamesb2147@ubnt:~$
Any help would be much appreciated. I don't know where to go from here. Is there any code outside of the VPN section that *might* conflict with a VPN config? It just boggles my mind that I had this working perfectly fine yesterday, and that switching to DNS peers (instead of explicit IP peers) somehow messed that up.
Thanks for any help and have a great day!
EdgeRouter with Avaya H.323 VPN remote phones
I have an Avaya 5610SW Remote VPN H.323 IP phone that I have not been able to get working with a new EdgeRouter PoE 5 in a home office. The EdgeRouter is quite a step up from the consumer router we had been using. We are running EdgeMax v1.9.0. The phone appears to establish to the IPSec tunnel with the server, but gets stuck at "Discover x.x.x.x". The consumer routers had a VPN Passthrough option that was enabled, but I have not been able to replicate this option with the EdgeRouter. The issue does not appear to be port related because I do not see any dropped packets in the syslog after enabling logging for all rules and default actions. I also tried setting the default action to accept on the default firewall rules created by the wizards. The sip and h323 modules have also been disabled as suggested in other posts and I am now wondering if the issue could be NAT related, but not sure what the proper configuration should be. I tried creating a source nat exclude rule for traffic between the phone's IP and the server, but then the VPN stopped working on the phone. I have tried both the Basic Setup and WAN+2LAN2 wizards for the initial setup. Does anyone have Avaya H.323 VPN phones working with an EdgeRouter at a remote site?
When I view the tcpdump traffic using wireshark I see the following:
Source Destination Protocol Info
<Eth0IP>:2070 <ServerIP>:500 ISAKMP Aggressive
<ServerIP>:500 <Eth0IP>:2070 ISAKMP Aggressive
<Eth0IP>:4500 <ServerIP>:4500 ISAKMP Aggressive
<ServerIP>:4500 <Eth0IP>:4500 ESP ESP (SPI=0xb14f9f64)
<Eth0IP>:4500 <ServerIP>:4500 UDPENCAP NAT-keepalive
<ServerIP>:4500 <Eth0IP>:4500 ESP ESP (SPI=0xb14f9f64)
<Eth0IP>:4500 <ServerIP>:4500 UDPENCAP NAT-keepalive
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<ServerIP>:4500 <Eth0IP>:4500 UDPENCAP NAT-keepalive
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<ServerIP>:4500 <Eth0IP>:4500 UDPENCAP NAT-keepalive
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<ServerIP>:4500 <Eth0IP>:4500 UDPENCAP NAT-keepalive
<Eth0IP> is 192.168.x.x, obtained via DHCP from the ISP (with the source NAT exclude rule enabled this IP is the phone's IP from eth2)
<ServerIP> is the public IP address of the server
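The capture above mixes three things on UDP 4500, and telling them apart is the first step in reading it: RFC 3948 says IKE on port 4500 carries a four-byte zero "non-ESP marker", a NAT keepalive is a single 0xFF byte, and anything else is UDP-encapsulated ESP whose first four bytes are the (never-zero) SPI. The following is an added example, not code from the post or from Ubiquiti, that classifies such payloads and summarises a constructed packet list shaped like the capture (one SPI per direction, with one side falling back to keepalives only). The direction labels, sample SPIs and packet bodies are made up for the example.

```python
"""Classify UDP/4500 (IKE NAT-Traversal) payloads per RFC 3948 and summarise a capture."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on port 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: a single 0xFF byte
IKE_HEADER_LEN = 28

# ISAKMP exchange types (RFC 2408/2409) that show up in a phase 1/phase 2 negotiation.
IKE_EXCHANGE_NAMES = {2: "identity protection (main mode)", 4: "aggressive",
                      5: "informational", 32: "quick mode"}


@dataclass
class NatTRecord:
    kind: str                        # "ike", "esp", "nat-keepalive" or "unknown"
    spi: Optional[int] = None        # ESP Security Parameter Index
    seq: Optional[int] = None        # ESP sequence number
    ike_exchange: Optional[str] = None


def classify_udp4500_payload(payload: bytes) -> NatTRecord:
    """Decide what a UDP/4500 datagram body is (port 500 IKE has no marker; do not use this for it)."""
    if payload == NAT_KEEPALIVE:
        return NatTRecord("nat-keepalive")
    if len(payload) >= 4 + IKE_HEADER_LEN and payload[:4] == NON_ESP_MARKER:
        # ISAKMP header after the marker: iSPI(8) rSPI(8) next(1) version(1) exchange(1) flags(1) msgid(4) len(4)
        exchange_type = payload[4 + 18]
        return NatTRecord("ike", ike_exchange=IKE_EXCHANGE_NAMES.get(exchange_type, f"type {exchange_type}"))
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:  # SPI 0 is reserved, which is what makes the non-ESP marker unambiguous
            return NatTRecord("esp", spi=spi, seq=seq)
    return NatTRecord("unknown")


def summarize(records: List[Tuple[str, bytes]]) -> Dict[str, dict]:
    """Per direction: how many of each kind, which ESP SPIs, and the index of the last ESP packet."""
    summary: Dict[str, dict] = {}
    for index, (direction, payload) in enumerate(records):
        rec = classify_udp4500_payload(payload)
        entry = summary.setdefault(direction, {"counts": Counter(), "esp_spis": set(), "last_esp_index": None})
        entry["counts"][rec.kind] += 1
        if rec.kind == "esp":
            entry["esp_spis"].add(rec.spi)
            entry["last_esp_index"] = index
    return summary


def stalled_directions(summary: Dict[str, dict], total: int, tail: int = 5) -> List[str]:
    """Directions that sent no ESP within the last `tail` records: only keepalives/IKE, as in the capture."""
    return [d for d, e in summary.items()
            if e["last_esp_index"] is None or e["last_esp_index"] < total - tail]


# Helpers to build constructed packets (fixed bodies; no real IKE/ESP payload is produced).
def ikev1_header(exchange_type: int, initiator_spi: bytes = b"\x11" * 8, responder_spi: bytes = b"\x00" * 8) -> bytes:
    return struct.pack("!8s8sBBBBII", initiator_spi, responder_spi, 1, 0x10, exchange_type, 0, 0, IKE_HEADER_LEN)


def esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    return struct.pack("!II", spi, seq) + body


# Constructed records shaped like the capture in the post (not real traffic; SPIs borrowed as labels only).
SAMPLE_RECORDS: List[Tuple[str, bytes]] = [
    ("phone->server", NON_ESP_MARKER + ikev1_header(4)),   # Aggressive mode over 4500
    ("server->phone", esp_packet(0xB14F9F64, 1)),
    ("phone->server", NAT_KEEPALIVE),
    ("server->phone", esp_packet(0xB14F9F64, 2)),
    ("phone->server", esp_packet(0x651F84DD, 1)),
    ("phone->server", esp_packet(0x651F84DD, 2)),
    ("server->phone", NAT_KEEPALIVE),
    ("phone->server", esp_packet(0x651F84DD, 3)),
    ("phone->server", esp_packet(0x651F84DD, 4)),
    ("server->phone", NAT_KEEPALIVE),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    for direction, entry in result.items():
        print(direction, dict(entry["counts"]), [hex(s) for s in entry["esp_spis"]])
    print("no recent ESP from:", stalled_directions(result, len(SAMPLE_RECORDS)))
```

Run against a real capture by feeding it (direction, UDP payload) pairs, for example from a pcap reader; what to look for is the pattern the post shows: each side has its own SPI, and when one side keeps sending ESP while the other answers with keepalives only, the tunnel is up but the return traffic is not arriving (or is not being decrypted), which points at NAT/return-path handling rather than at the IKE exchange itself.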
ERL v1.9.0 Slow WAN
On a 300/60 Mbit connection I can max out the bandwidth on a speed test with v1.8.5; however, after upgrading to v1.9.0 I only get half of this.
I have had to restore the original configuration as it's a business day tomorrow, so I cannot test again yet. Anyone had similar issues?
IPSEC v1.9.0 won't come up
OK, so I previously had an issue with v1.8.5 where I couldn't connect L2TP/IPSEC, so I was hoping that 1.9.0 would fix this. Which it did; however, now straight IPSEC tunnels do not work. You can see my previous thread and configs over at: http://community.ubnt.com/t5/EdgeMAX/Ipsec-L2tp-wont-connect/m-p/1615966#M118159
When I try to connect using IPSEC the only difference I see when I do a show vpn debug is this:
V1.9.0: peer-haven2.ignorelist.com-tunnel-1[1]: CONNECTING, 1.2.3.4[1.2.3.4]...5.6.7.8[%any]
V1.8.5: peer-haven2.ignorelist.com-tunnel-1[1]: CONNECTING, 1.2.3.4[1.2.3.4]...5.6.7.8[5.6.7.8]
There seems to be something in 1.9.0 that is not resolving and is doing %any, causing the connection to hang up?
Here is my IPSEC config; it is exactly the same as on the 1.8.5 version. If I revert to the old 1.8.5 system image the ipsec connection comes up no problem.
ch@ubnt# show vpn ipsec
 auto-update 600
 auto-firewall-nat-exclude disable
 esp-group FOO0 {
     compression disable
     lifetime 3600
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes128
         hash sha1
     }
 }
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 30
         timeout 120
     }
     ikev2-reauth no
     key-exchange ikev1
     lifetime 7800
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer haven2.ignorelist.com {
         authentication {
             mode pre-shared-secret
             pre-shared-secret *******
         }
         connection-type respond
         ike-group FOO0
         ikev2-reauth inherit
         local-address any
         tunnel 1 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO0
             local {
                 prefix 192.168.11.0/24
             }
             remote {
                 prefix 192.168.1.0/24
             }
         }
         tunnel 2 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO0
             local {
                 prefix 192.168.11.0/24
             }
             remote {
                 prefix 192.168.0.0/24
             }
         }
     }
 }
Did something change in IPSEC between 1.8.5 and 1.9.0 that causes my config not to work?
Also if it helps here is what the initiating side log is saying to the 1.9.0 ERL:
2016:08:25-18:33:30 sophos pluto[6183]: packet from 1.2.3.4:500: Main Mode message is part of an unknown exchange
2016:08:25-18:34:46 sophos pluto[6183]: "S_Townhouse" #2621: next payload type of ISAKMP Identification Payload has an unknown value: 104
2016:08:25-18:34:46 sophos pluto[6183]: "S_Townhouse" #2621: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2016:08:25-18:34:46 sophos pluto[6183]: "S_Townhouse" #2621: sending encrypted notification PAYLOAD_MALFORMED to 1.2.3.4:500
I know the password is correct. I even changed it on both ends in case the ERL corrupted the entry or something stupid; no luck.
Thanks,
Chris
Zone based firewall with IPSEC
If you are doing a zone-based firewall, is there a way to capture IPsec traffic in a zone?
Unlike OpenVPN, there is no interface to apply the rules to.
I found that internet-local will catch IPsec packets going from the remote subnet to the router, but I can't seem to catch the rest of the packets that are going to the local network (internet being the WAN interface).
Thanks,
Magnus
Tools for firewall log analysis?
New ER-X user here. I was kind of bummed to see that there isn't any web representation of drops/rejects when you log them.
Before I start thinking about a remote syslog host + something like LogStash, I wanted to check in and see what other folks are using to parse and analyze firewall logs.
Thanks!
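Before standing up a syslog host and a log pipeline, it helps to know how little parsing the EdgeOS firewall log actually needs: each logged packet is a kernel line carrying a `[RULESET-RULE-ACTION]` prefix (action letter A, D or R) followed by the usual iptables LOG fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= and flag words such as SYN). The following is an added example, not from the post or from Ubiquiti, that parses such lines and summarises drops by source and destination port. The log lines are constructed for the example; the ruleset names, addresses and MACs in them are made up, and the exact prefix shape is an assumption to check against your own `show log` output.

```python
"""Parse EdgeOS firewall log lines (iptables LOG output with a [ruleset-rule-action] prefix) and summarise drops."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines (assumed EdgeOS shape; addresses from RFC 5737 test ranges, MACs invented).
SAMPLE_LOG = """\
Aug 26 10:12:01 ubnt kernel: [WAN_IN-default-D]IN=eth0 OUT=switch0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=172.16.1.50 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 26 10:12:03 ubnt kernel: [WAN_IN-default-D]IN=eth0 OUT=switch0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=172.16.1.50 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 26 10:12:07 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4321 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 26 10:12:09 ubnt kernel: [WAN_IN-10-A]IN=eth0 OUT=switch0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=172.16.1.50 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=443 DPT=50322 WINDOW=235 RES=0x00 ACK URGP=0
Aug 26 10:12:11 ubnt sshd[1234]: Accepted publickey for ubnt from 172.16.1.50 port 50400 ssh2
Aug 26 10:12:14 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=77 PROTO=UDP SPT=5060 DPT=5060 LEN=44
"""

# [<ruleset>-<rule>-<action>]: ruleset names may themselves contain hyphens, so match lazily
# and let the "default|digits" rule token and the action letter anchor the end.
PREFIX_RE = re.compile(r"\[(?P<ruleset>.+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")
FLAG_RE = re.compile(r"\b(DF|SYN|ACK|FIN|RST|PSH|URG)\b")
ACTION_NAMES = {"A": "accept", "D": "drop", "R": "reject"}


def _port(fields: Dict[str, str], key: str) -> Optional[int]:
    value = fields.get(key, "")
    return int(value) if value.isdigit() else None


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a normalised event for a firewall log line, or None for any other syslog line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields: Dict[str, str] = {}
    for f in FIELD_RE.finditer(rest):
        fields.setdefault(f.group("key"), f.group("value"))  # keep the IP-layer LEN, not the UDP one
    return {
        "ruleset": m.group("ruleset"),
        "rule": m.group("rule"),
        "action": ACTION_NAMES.get(m.group("action"), m.group("action")),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": _port(fields, "SPT"),
        "dpt": _port(fields, "DPT"),
        "flags": FLAG_RE.findall(rest),
    }


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Counts a firewall admin actually wants: hits per rule, and drops per source and per proto/port."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    drops = [e for e in events if e["action"] in ("drop", "reject")]
    return {
        "by_rule": Counter(f'{e["ruleset"]}-{e["rule"]}-{e["action"]}' for e in events),
        "drops_by_src": Counter(e["src"] for e in drops),
        "drops_by_dport": Counter(f'{e["proto"]}/{e["dpt"]}' for e in drops),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for name, counter in summary.items():
        print(name, counter.most_common(5))
```

Pointing the same parser at `/var/log/messages` on the router, or at the files a remote syslog host writes, gives the drop/reject overview the Web UI lacks; the Counter output is also the natural input for a simple alert such as "more than N distinct destination ports dropped from one source in a minute".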
ER-X - 1.9.0 throughput peaks at 40MB/s
I have an ER-X in a home environment. My network is laid out as follows:
eth0 - wan
eth1~4 - switched lan
If I host an iperf3 server on the LAN and use the built-in bandwidth tool to test it, I get around 200 Mbps. If I increase the TCP window to 1024, I can get to 300 Mbps. The throughput is very stable, but capped far below what I would expect. Others report speeds of 600 Mbps, even 800 Mbps+, on the ER-X, so I would expect a lot better.
I have hwnat on, and whether deep packet inspection is enabled or disabled makes no difference. Can anyone figure out what is wrong here?
My config:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Inside-to-Outside {
        default-action drop
        description "LAN to WAN"
        rule 1 {
            action accept
            description All
            destination {
                address 0.0.0.0/0
                group {
                }
            }
            log disable
            protocol all
            source {
                address 172.16.1.1/24
                group {
                }
            }
        }
    }
    name Outside-to-Inside {
        default-action drop
        description out-in
        rule 1 {
            action accept
            description Established
            destination {
                address 172.16.1.0/24
            }
            log disable
            protocol all
            source {
                address 0.0.0.0/24
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        firewall {
            out {
                name Inside-to-Outside
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.16.1.1/24
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description Optivault_80
        forward-to {
            address 172.16.1.101
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    rule 2 {
        description Optivault_443
        forward-to {
            address 172.16.1.101
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 3 {
        description Optivault_32400
        forward-to {
            address 172.16.1.101
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN-DHCP {
            authoritative disable
            subnet 172.16.1.0/24 {
                default-router 172.16.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.16.1.100 {
                    stop 172.16.1.200
                }
                static-mapping BD-S7e {
                    ip-address 172.16.1.111
                    mac-address a4:08:ea:15:7e:e0
                }
                static-mapping BD-ShieldTV {
                    ip-address 172.16.1.102
                    mac-address 00:04:4b:53:a6:11
                }
                static-mapping BD-Surface {
                    ip-address 172.16.1.110
                    mac-address c0:33:5e:17:2c:bf
                }
                static-mapping OptiVault {
                    ip-address 172.16.1.101
                    mac-address 00:11:32:50:83:5d
                }
                static-mapping UAP-AC-Pro {
                    ip-address 172.16.1.100
                    mac-address 44:d9:e7:f9:7b:b2
                }
                unifi-controller 172.16.1.101
            }
        }
        use-dnsmasq disable
    }
    gui {
        http-port 80
        https-port 443
        listen-address 172.16.1.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "LAN~WAN masquerade"
            destination {
            }
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 172.16.1.0/24
            }
            type masquerade
        }
    }
    ssh {
        listen-address 172.16.1.1
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        [snip]
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */
ERL: Slow Internet
I'm having issues with slow internet speeds on my ERL. I'm on a 100x6 cable line. If I connect directly to the cable modem, I can get around 90-110 down and a constant 6 up. Once I have the cable modem connected to the ERL, speeds vary from 20 to 60 down.
Any ideas?
Config is below:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipv4 {
            gre enable
            pppoe enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}