
Hardware accelerated qos


I've read many times about how turning on qos stops hardware acceleration working and therefore limiting throughput performance. Is this a hardware limitation of the cavium processor, or is it possible for some/any qos support in hardware?


t-mobile cellspot

ERL v1.9.0 - Flaky 'connection' - Packet loss mostly


I just upgraded my router a few days ago to v1.9.0 (from v1.8.5) and seem to randomly have some packet loss.

 

Pinging a few domains (and using mtr) seem to all point at my ERL being the issue. I started debugging this today and when connected directly to the modem (Surfboard SB6141) everything is perfect. Connected directly to eth1 (or eth2) and I get a decent amount of packet loss.

 

Network config:

  • Comcast ISP
  • Surfboard SB6141
  • ERL:
    • eth0: WAN
    • eth1: Wired LAN 172.16.0.1/24
    • eth2: Wireless LAN 172.16.1.1/24
  • eth1 is connected to a Trendnet 8 port Gigabit switch
  • eth2 is connected to a Ubiquiti AC access point

 

I just swapped the ERL out with this old Netgear WNDR3700-v2 router I have running OpenWRT and there's no packet loss when connected directly via ethernet or over the same access point which I connected to one of the 4 LAN ports. I also tried to restore to the factory config on the ERL by holding the reset button until the light was solid on eth2 and reset up via the Basic Config Wizard the same setup listed above.

Even with only my computer plugged into the eth1 port and the eth0 connected directly to the Surfboard modem, the packet loss resumed.

 

Thoughts on what I should debug from here?

Perhaps rolling back to v1.8.5 to verify that version isn't seeing the issue would work?

(Not sure if that's as easy as uploading that firmware or if there's a specific procedure).

 

Of course, happy to provide any other info that might help someone out there.

DynDns problems


I have DynDns set up on my ER-X and for some reason it does not update the ip address when it changes.

 

Here are my dynamic dns settings:

 

Interface: Eth0

Web: DynDns

Web-Skip: This box is blank

 

Service: DynDns

Hostname: my hostname here as set in dyndns panel

Login: My username (username, not email address)

password: my password

Protocol: -

Server: http://members.dyndns.org

 

 

Are these settings correct? If not, what are the correct settings? 

 

I can reset my modem and get a new IP and go to the ER-X GUI and "Force-Update" it, and when I log in and check in my dyndns panel it still isn't changed. I have the dyndns update time set for a very short amount of time, too. TTL in dyndns panel under the host is set for 20s.

L2TP over IPSEC


Is it possible to set up VPN with a dynamic IP and dynamic dns hostname instead of ip address in client settings?

System log server


Does anyone have any recommendations on a System log server? And some pointers on how to set it up?

EdgeRouter setup for Swiss FTTH providers


I've had two EdgeRouter types connected to different Swiss FTTH ISPs and I was recently asked to share my experience. I still consider myself very much a beginner in managing these devices so feel free to improve upon my solution.

 

My devices are: EdgeRouter Lite, EdgeRouter-X SFP. First things first - both can handle your Gigabit connection. The ER-Lite out of the box, the ER-X (SFP) once you enable hardware offload. You can enable this by SSH'ing into your box, type "configure", then type "set system offload hwnat enable", commit the change by typing "commit", followed by "save" to save the config (use that same procedure to make other CLI related changes later on).

 

So, which device you may want depends largely on your needs.. a device with a few switch ports and SFP allows for a smaller build, and it can even drive some UAPs (no idea why they still do 24V passive POE though.. everybody else does 802.11af).

 

Fiber7 Setup

Fiber7 is imho your best fiber option in Switzerland. If you need telephony, just add any IPTSP, and they now have TV without recompression (visibly better than some of the competing TV offers by DSL providers). And, they let you connect any router you like, and provide an IPv6 subnet on top.

 

The setup for Fiber7 is straightforward. Go through your wizard, pick the right interface for WAN (for Fiber7 you obviously want eth5, the SFP port on an ER-X SFP, for the ER-Lite it doesn't matter), enable IPv6, and you're ready to go. If you are coming from another router, make sure to release the WAN IP address before making the switch, as Fiber7 only hands out one IP per customer, and they stick with a device for a certain time.

 

Here's the wizard on an ER-Lite. On the ER-X SFP, simply select eth5 as the WAN port.

 

(Screenshot: erlite-wizard-fiber7.PNG)

 

Unfortunately, the Wizard does not cover the subnet size (/48) that Fiber7 offers. So, after the device has rebooted, SSH into it and set the proper prefix length. On an ER-X SFP, that would be

"set interfaces ethernet eth5 dhcpv6-pd pd 0 prefix-length 48". On the ER-Lite, replace eth5 with your chosen WAN interface (I'm using eth0 on mine).

 

Fiber7.tv

For a few months, Fiber7 also has their own TV offering. It is based on multicast, so we need to set up igmp on our router. This is once again a job for the CLI. Here's how to do it for an ER-X:

 

 

 

configure
edit protocols igmp-proxy
set interface switch0 alt-subnet 0.0.0.0/0
set interface switch0 role downstream
set interface switch0 threshold 1
set interface eth5 alt-subnet 0.0.0.0/0
set interface eth5 role upstream
set interface eth5 threshold 1
commit
save

 

This marks switch0 (the switch on the device) a downstream port for IGMP, and eth5 the upstream port. On an ER-Lite, you'd swap out switch0 with the physical lan interface, and WAN is eth0. If you have different subnets on different physical ports, you can add multiple downstream ports just fine.

 

You should see a message "Starting IGMP proxy" when you commit.

 

Your config should now contain a block like this

 

protocols {
    igmp-proxy {
        interface eth5 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface switch0 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
}

 

That takes care of IGMP, but of course, your network also has to support it, so turn on IGMP on every switch, or get switches that support it out of the box.

 

Next, we need to allow multicast traffic to enter our network. So far I don't have a list of addresses where the multicast streams originate from, so I'm allowing multicast from everywhere. If you can get those addresses, feel free to share so I can update my instructions.

 

And, we can do this using the GUI.

 

Go to Firewall/NAT, then Firewall/Nat Groups.

Create a new Address group and call it IPTV-Multicast

Add the following: 239.0.0.0/8

And save.

 

Then go to Firewall Policies, and edit the ruleset.

Add a new rule, call it "Allow IPTV Multicast UDP", with source being 0.0.0.0/0, and destination being the address-group IPTV Multicast, action: allow, and protocol: UDP

Add another rule, call it "Allow IGMP", action: allow, protocol: igmp.

 

Then repeat this process for the WAN_LOCAL firewall policy.

 

Your config should now show these rules in both WAN_IN and WAN_LOCAL. The rule number doesn't match

 

 

rule 10 {
    action accept
    description "Allow IPTV Multicast UDP"
    destination {
        group {
            address-group IPTV-Multicast
        }
    }
    log disable
    protocol udp
    source {
        address 0.0.0.0/0
    }
}
rule 30 {
    action accept
    description "Allow IGMP"
    log disable
    protocol igmp
}

 

and the address group definition is also inside the firewall

 

 

group {
    address-group IPTV-Multicast {
        address 239.0.0.0/8
    }
}

 

 

And that's it folks. If you get no picture, try doing a "restart igmp-proxy".. and if you get a warning that the igmp-proxy was not running, cat /var/log/messages to see if anything in your igmp-proxy config was off.

 

 

Sunrise

While Sunrise does not actively try to block you from using your own hardware, they make it rather difficult to replace their own router. In addition, there are two types of Sunrise FTTH connection. They have their own hardware in local telephony central offices in major cities (Zurich, Basel, Berne, Geneva, Fribourg, Winterthur, St. Gallen), but rely on Swisscom's BBCS reseller service for other locations. On top, their own hardware only goes to 100mbit so far, so if you order Gigabit in one of the cities mentioned, you'll get a Swisscom service again. My instructions are for Sunrise on BBCS as this is what I have access to. I'll try to find the config items for the other setup later on.

 

To get started, run the Wizard. Sunrise on BBCS uses VLAN 10 so make sure you enable VLAN on the WAN (shown here for an ER-Lite)

 

(Screenshot: Basic Setup Wizard on ER-Lite)

Once the wizard has run and the device rebooted, we need to fix a bug in the wizard of firmware 1.9:

Go to Firewall/Nat, then click the NAT tab.

(Screenshot: erlite-nat-rule.PNG)

Note the masquerade to eth0. That is wrong.. your WAN interface on the ER-Lite is eth0.10 (VLAN 10), or eth5.10 on the ER-X SFP. Adapt that rule, otherwise none of your connected devices will be able to access the Internet.

 

 

But that's not all. Other than using VLANs, Sunrise uses DHCP Option 60 to "get to the right network". If you don't set that value properly, you'll end up in the Swisscom network, where they won't let you go further since you're no Swisscom customer after all. So to add DHCP option 60, we need the CLI again.

 

 

 

configure
edit interfaces ethernet eth5 vif 10 dhcp-options
set client-option "send dhcp-client-identifier "dslforum.org,Fast5360-sunrise";"
commit
save

 

This will restart the DHCP client on your WAN interface and you should now see an IP address on the Internet Interface in the Dashboard (or if you like cli.. "sudo ifconfig eth5.10"). Again, replace eth5.10 with eth0.10 if you're on an ER-Lite.

 

 

And that's the Internet folks. For customers who have the non gig variety at Sunrise, and got an AVM Fritzbox, their DHCP option is "AVM dhcpdiscover 1.0 dslforum.org", so the command would be

 

set client-option "send dhcp-client-identifier "AVM dhcpdiscover 1.0 dslforum.org";"

 

However, since Sunrise now also ships the Sunrise Internet Box for their non gig offers, it may be that the first string always works. 

 

Here's the config that you should have

 

 

interfaces {
    ethernet eth5 {
        duplex auto
        speed auto
        vif 10 {
            address dhcp
            description "Internet Sunrise"
            dhcp-options {
                client-option "send dhcp-client-identifier "dslforum.org,Fast5360-sunrise";"
                default-route update
                default-route-distance 210
                name-server update
            }
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
        }
    }
}

 

 

Sunrise TV

Sunrise has different TV boxes - a "big" one, one that still has a harddisk in it, and the smaller box without a harddisk (and there's supposed to be a new 4K box coming soon). I've done this with the "big" box, also called Amulet. I can't say whether it is different for smaller boxes.

 

Once again, Sunrise also uses multicast for their IPTV solution. So we need to enable the igmp-proxy. Follow the instructions for Fiber7.tv on how to turn on multicast and how to configure the firewall.

 

In addition to the TV channels that are multicast in the 239. address range, Sunrise uses multicast DNS on the 224. network. So, add this address range to the IPTV-Multicast address group: 224.0.0.0/4

 

So, your firewall config should now contain this address-group

 

 

group {
    address-group IPTV-Multicast {
        address 224.0.0.0/4
        address 239.0.0.0/8
    }
}

 

 

The firewall rules themselves are the same as for Fiber7.tv. If somebody gets a list of sources for those streams, please share so we can make the firewall more restrictive.

 

 

And now if you boot your Sunrise TV box, you'll be asked to contact customer support. Sunrise likes to make things a bit more difficult, but don't despair.. there's a solution.

 

First off, you need to figure out the IP/MAC of your Sunrise TV Box. So look for leases on your DHCP Server (Services - DHCP Server, then LAN1). The box I used to set this up was made by Entone, so the MAC address begins with 00:03:e6. If you have another box - if you're willing to dive into the CLI depths of ubnt hardware, I'm sure you'll figure out which is your TV box.

 

Now add a static lease for your TV box. Why? Because the TV box needs custom DHCP parameters, and we want to only send them for the TV box, not our entire network.

 

Then, fire up the cli again.

 

 

 

configure
set service dhcp-server global-parameters "option unifi-address code 43 = string;"
edit service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24
set static-mapping sunrisetv static-mapping-parameters "option domain-name-servers 212.98.37.128, 194.230.55.99;"
set static-mapping sunrisetv static-mapping-parameters "option unifi-address 8d:0e:54:56:53:30:30:30:31:31:35:34:35:32:30:30:6a:6c:68:74:74:70:73:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:2f:3f:63:6f:6e:66:69:67:3d:33:32:26:6d:6c:70:63:3d:24:50:52:4f:56:49:53:49:4f:4e:49:4e:47:5f:43:4f:44:45:26:6d:61:63:3d:24:4d:41:43:3b:68:74:74:70:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:2f:3f:63:6f:6e:66:69:67:3d:33:30:26:6d:61:63:3d:24:4d:41:43;"
commit
save

 

In the above, replace subnet 192.168.1.0/24 with the subnet you've chosen for your lan, and "sunrisetv" with the name you gave the static DHCP assignment for your Sunrise TV Box.

Now, what does this do: First off, it defines DHCP option 43, gives it a name "unifi-address", and makes it a string.

 

Then, we assign two public DNS servers to the sunrisetv static DHCP assignment. For whatever reason, Sunrise does not seem to trust its own hardware to proxy DNS for the TV box. Your PC will get the address of the Sunrise Internet Box as DNS, but not your TV box. And then, we set the value for DHCP Option 43 to hex. Why.. perhaps @ubnt can tell us why.. but all instructions for option 43 contain this bit about string to hex conversion. In case you're wondering what's in that string, here's the string representation:

 

TVS00011545200jlhttps://webacs.iptv.ch/?config=32&mlpc=$PROVISIONING_CODE&mac=$MAC;http://webacs.iptv.ch/?config=30&mac=$MAC

 

So it seems to tell the box where to get its config from. And I hope the start of the string is not something that identifies the customer... (they're not using your phone number as identifier.. if you look at the SIP registration, they're using some other string there, too). In case this shouldn't work for you, here's how I got that information: put a switch with sniffing capabilities between your Sunrise router and the TV box, and then boot up the TV box and look for DHCP traffic.

 

And that's it.. reboot your TV box, and after the eternity it takes to boot up, you should be ready to go.

 

Swisscom

First off, I don't have access to a Swisscom line, so the instructions are based on what Swisscom publishes themselves about using third party routers, and the config posted here.

 

The Internet setup is exactly the same as for Sunrise. The only difference is that the DHCP option 60 string is 100008,0001. 

 

 

So, after running the wizard, you'd ssh into your router and do this

 

configure
edit interfaces ethernet eth5 vif 10 dhcp-options
set client-option "send dhcp-client-identifier "100008,0001";"
commit
save

Also, don't forget to correct the error that the wizard creates in the NAT rule (see Sunrise instructions).

 

At the end, you should have this config

 

interfaces {
    ethernet eth5 {
        duplex auto
        speed auto
        vif 10 {
            address dhcp
            description "Internet Swisscom"
            dhcp-options {
                client-option "send dhcp-client-identifier "100008,0001";"
                default-route update
                default-route-distance 210
                name-server update
            }
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
        }
    }
}

 

Swisscom TV

 

Just like other providers, Swisscom uses Multicast, so you have to create an address group that holds those multicast addresses. Swisscom uses the 239. range for their TV channels, and I suspect uses multicast DNS in the 224. range as well. In addition, a previous poster opened up a unicast address range - I'm not sure if those are the addresses where unicast traffic (replay TV) comes from. Feel free to test this out and report back.

 

Refer to the Sunrise TV instructions on how to build your address-group. But for Swisscom TV, we know where their multicast streams come from, so we can add another address-group called SCTV-MC-Source: 

 

group {
    address-group IPTV-Multicast {
        address 224.0.0.0/4
        address 239.0.0.0/8
        address 195.186.0.0/16
    }
    address-group SCTV-MC-SOURCE {
        address 213.3.72.0/24
        description "SWISSCOM MULTICAST SOURCE"
    }
}

 

Thanks to @XDan for posting his config.

 

Then, use those address groups to build two new firewall rules that allow traffic from the Swisscom Multicast Source to the IPTV-Multicast destination as well as allowing the igmp protocol.

 

 

rule 10 {
    action accept
    description "Allow IPTV Multicast UDP"
    destination {
        group {
            address-group IPTV-Multicast
        }
    }
    log disable
    protocol udp
    source {
        address-group SCTV-MC-SOURCE
    }
}
rule 30 {
    action accept
    description "Allow IGMP"
    log disable
    protocol igmp
}

These rules need to be in both WAN_IN and WAN_LOCAL.

 

 

And that should be it. Swisscom does not write anything else about other DHCP option for the SCTV box, so hopefully your box will boot up and you can watch TV.

 

 

 

Final words:

As I wrote before, I'm by no means an expert, so feel free to point out where I can improve. And if you figure out the address range for those multicast streams from Fiber7 or Sunrise, please share so I can update this post.

Many thanks to @nooleech whose post here allowed me to get my TV box going, and @XDan for the configuration for Swisscom.
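As an added example (not part of the post above), here is a small Python decoder/encoder that treats the DHCP option 43 value from the Sunrise TV section as RFC 2132 encapsulated vendor sub-options (one-byte tag, one-byte length, value, repeated). Run against the blob exactly as posted, it separates the leading bytes and the "jl" from the two text fields; the blob itself is copied from the post, everything else here is assumed.

```python
"""Decode and re-encode the colon-separated hex DHCP option 43 value from the
Sunrise TV post, interpreting it as RFC 2132 vendor-specific sub-options."""
from typing import List, Tuple

# Copied verbatim from the post's "set static-mapping-parameters" command.
SUNRISE_OPTION43_HEX = (
    "8d:0e:54:56:53:30:30:30:31:31:35:34:35:32:30:30:"
    "6a:6c:"
    "68:74:74:70:73:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:"
    "2f:3f:63:6f:6e:66:69:67:3d:33:32:26:6d:6c:70:63:3d:"
    "24:50:52:4f:56:49:53:49:4f:4e:49:4e:47:5f:43:4f:44:45:"
    "26:6d:61:63:3d:24:4d:41:43:3b:"
    "68:74:74:70:3a:2f:2f:77:65:62:61:63:73:2e:69:70:74:76:2e:63:68:"
    "2f:3f:63:6f:6e:66:69:67:3d:33:30:26:6d:61:63:3d:24:4d:41:43"
)

SubOptions = List[Tuple[int, bytes]]


def hex_colon_to_bytes(text: str) -> bytes:
    """Turn ISC dhcpd style colon-separated hex ("8d:0e:...") into raw bytes."""
    return bytes(int(part, 16) for part in text.strip().split(":"))


def bytes_to_hex_colon(data: bytes) -> str:
    """Inverse of hex_colon_to_bytes; lowercase, two digits per octet."""
    return ":".join(f"{b:02x}" for b in data)


def decode_suboptions(data: bytes) -> SubOptions:
    """Walk tag/length/value records until the buffer ends.

    Tag 0 is a pad byte and tag 255 ends the list (RFC 2132). A record whose
    length runs past the buffer raises instead of being silently truncated.
    """
    out: SubOptions = []
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255:
            break
        if i + 1 >= len(data):
            raise ValueError(f"tag {tag} at offset {i} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"tag {tag} at offset {i} claims {length} bytes, "
                f"only {len(value)} present")
        out.append((tag, value))
        i += 2 + length
    return out


def encode_suboptions(subopts: SubOptions) -> bytes:
    """Build the option 43 payload for a list of (tag, value) pairs."""
    parts = []
    for tag, value in subopts:
        if not 1 <= tag <= 254:
            raise ValueError(f"sub-option tag {tag} out of range 1..254")
        if len(value) > 255:
            raise ValueError(f"sub-option {tag} value longer than 255 bytes")
        parts.append(bytes([tag, len(value)]) + value)
    return b"".join(parts)


def decode_sunrise_blob() -> SubOptions:
    """Decode the value posted for the Sunrise TV box."""
    return decode_suboptions(hex_colon_to_bytes(SUNRISE_OPTION43_HEX))


if __name__ == "__main__":
    for tag, value in decode_sunrise_blob():
        print(f"sub-option {tag:3d}, {len(value):3d} bytes: {value.decode('ascii')}")
```

The printable "string representation" quoted in the post is the two values concatenated; the bytes the post could not account for are the tag and length of each record.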

 

Is something wrong with my Cron/VPN check script?


Hi

 

I have a bit of a randomly dodgy DSL line. It behaves itself mostly, but, it can randomly (very recently twice per day) drop the VPN and not come back. 

 

I never got DPD working and instead I used the method I found on the forum:

 

#!/bin/bash
# Probe the LAN address on the far side of the tunnel: one packet, 2 s timeout.
/bin/ping -c 1 -W 2 lan-ip-of-remote-end 1>/dev/null 2>&1

if [ $? -ne 0 ]; then
    echo "Failed"
    # Tear down the IPsec peer so the tunnel is renegotiated.
    /bin/vbash -ic 'clear vpn ipsec-peer public-ip-of-remote-end'
fi

along with adding the following config to the system:

 task-scheduler {
     task vpncheck {
         executable {
             path /config/vpncheck.sh
         }
         interval 1m
     }
 }

This always seemed to work fine in the past, but recently it doesn't seem to fire.

 

My VPN just dropped and logging on to the remote end, I could see an inbound trying to reestablish every 20 seconds, but failing.

 

I usually log on to my edgerouter and I run "restart vpn" which works, but, this time I tried calling "/config/vpncheck.sh" (just in case the script broke) which also immediately started working.

 

I can only assume the cron/task isn't firing and before I try loads of things, I was wondering if anyone has seen this before and can recommend anything?

 

 

 FYI:

Version:      v1.7.0
Build ID:     4783374
Build on:     06/22/15 15:34
Copyright:    2012-2015 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Lite 3-Port

 


Another Plex thread, Edge Router X v 1.8.0 -- port forwarding. (Solved, user is a user, lol.)


Config dump below, login section redacted for reasons.

 

When testing if the ports are opened, all of em fail. Can't figure out why, am networking nub.

 

CLI instructions appreciated, I'm less comfortable with GUI. CLI leaves no room to mess up.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
load-balance {
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description HFS
        forward-to {
            address 192.168.1.136
            port 8123
        }
        original-port 8123
        protocol tcp_udp
    }
    rule 2 {
        description Starcraft
        forward-to {
            address 192.168.1.136
            port 6112
        }
        original-port 6112
        protocol tcp_udp
    }
    rule 3 {
        description Plex
        forward-to {
            address 192.168.1.136
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            name-server 8.8.8.8
            name-server 4.2.2.1
        }
    }
    gui {
        https-port 8443
    }
    nat {
        rule 5010 {
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 8022
        protocol-version v2
    }
    telnet {
        listen-address 192.168.1.1
        port 23
    }
}
system {
    host-name ubnt
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-control {
    advanced-queue {
        branch {
        }
        root {
        }
    }
}
zone-policy {
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.0.4853089.160219.1607 */

 

ipv6 dhcpv6-pd no-dns


Under what circumstances would I need to use no-dns when using SET commands?:

 

For example when I

set interfaces ethernet eth0 dhcpv6-pd 'no-dns'

 

or if I leave no-dns out like

 

set interfaces ethernet eth0 dhcpv6-pd

 

The result for me is the same --- my ISP provides me with an ipv6/128 address

 

So what are the circumstances that a no-dns directive must be used?

Dual WAN Failover with OpenVPN Client


I've got an ERPOE-5 with dual WAN setup in failover mode working perfectly... it's been working without hitch for years, but now I want to tunnel network traffic through a VPN and I can't seem to get it to work.  I've followed all guides online, but for whatever reason it won't work.

 

The VPN link is up and the Edge Router gets assigned an IP and all, but traffic will not flow through.  The only thing I can think of is that everything I've found refers to single WAN and the dual WAN needs something else configured?

 

Looking for some help to get this setup.  Thanks!

EdgeRouter PoE - Multiple WAN IPs Port Forwarding v1.9


Hey Gang,

 

I have been running this OS as a nubie for about a year. I have learned a lot but can't seem to bust through this one. I have multiple static WAN ip addresses. I want to split traffic INCOMING to my WAN (eth0) to different LANs (eth1-eth4) based on external IP used. I have configured DNAT, SNAT (ensuring rule before masq) and created firewall rules. As far as I can tell I have it right but it won't work. I could use a hand.

 

 

Site-To-Site VPN not running on one end (both ERL with highly similar configs)


This is a bit frustrating. I had this briefly working and went to switch to using Dynamic DNS names instead of IP addresses, it took the tunnel down (expected) and never came back up (not expected). In particular, these are two EdgeRouter Lite units that have both been updated to the latest firmware, v1.9.0, and this is the relevant config and output from both devices. You can see the "ubnt" ERL is clearly making attempts to reach the "apartment" ERL and that's ending up in the logs. For some reason, though, it looks like the "apartment" ERL is NOT attempting to reach the "ubnt" ERL nor is it responding to the packets its receiving beyond logging the attempt. WTF?

 

First, the apartment ERL: 

jamesb2147@apartment:~$ show configuration all [snipped down to vpn section]
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer parents.embaucha.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "Parents house"
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.254.0/24
                    }
                    remote {
                        prefix 192.168.2.0/24
                    }
                }
            }
        }
    }
}
jamesb2147@apartment:~$

Now, the ubnt ERL config:

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer apartment.embaucha.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ApartmentComcastConnection
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.2.0/24
                    }
                    remote {
                        prefix 192.168.254.0/24
                    }
                }
            }
        }
    }
}
jamesb2147@ubnt:~$

 

Apartment ERL VPN logs, state, and status (notice the "state" has no result):

jamesb2147@apartment:~$ show vpn log tail
Aug 25 13:15:13 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:16:11 08[KNL] interface ifb_eth0 deactivated
Aug 25 13:16:11 06[KNL] fe80::e092:26ff:fe33:9b9e disappeared from ifb_eth0
Aug 25 13:16:11 04[KNL] interface ifb_eth0 deleted
Aug 25 13:17:55 00[DMN] signal of type SIGINT received. Shutting down
Aug 25 13:17:58 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Aug 25 13:18:03 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:18:25 00[DMN] signal of type SIGINT received. Shutting down
Aug 25 13:18:28 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Aug 25 13:21:13 12[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
^C
jamesb2147@apartment:~$ show vpn ipsec state
jamesb2147@apartment:~$ show vpn ipsec status
IPSec Process Running PID: 3866

0 Active IPsec Tunnels

IPsec Interfaces :
jamesb2147@apartment:~$

Ubnt ERL VPN logs, state, and status:

jamesb2147@ubnt:~$ show vpn log tail
Aug 25 13:09:29 06[KNL] creating acquire job for policy 192.168.2.145/32[tcp/46141] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:09:30 16[IKE] <peer-apartment.embaucha.com-tunnel-1|3> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[3] to 73.210.40.85
Aug 25 13:12:14 12[KNL] creating acquire job for policy 192.168.2.145/32[tcp/46147] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:12:15 13[IKE] <peer-apartment.embaucha.com-tunnel-1|4> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[4] to 73.210.40.85
Aug 25 13:15:12 10[KNL] creating acquire job for policy 192.168.2.145/32[tcp/55534] === 192.168.254.31/32[tcp/http-alt] with reqid {1}
Aug 25 13:15:13 11[IKE] <peer-apartment.embaucha.com-tunnel-1|5> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[5] to 73.210.40.85
Aug 25 13:17:57 06[KNL] creating acquire job for policy 192.168.2.145/32[tcp/43752] === 192.168.254.31/32[tcp/http-alt] with reqid {1}
Aug 25 13:17:58 16[IKE] <peer-apartment.embaucha.com-tunnel-1|6> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[6] to 73.210.40.85
Aug 25 13:21:12 11[KNL] creating acquire job for policy 192.168.2.145/32[tcp/44190] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:21:13 12[IKE] <peer-apartment.embaucha.com-tunnel-1|7> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[7] to 73.210.40.85
^C
jamesb2147@ubnt:~$ show vpn ipsec state
src 98.223.90.74 dst 73.210.40.85
        proto esp spi 0x00000000 reqid 1 mode tunnel
        replay-window 0
        sel src 192.168.2.145/32 dst 192.168.254.65/32 proto tcp sport 44190 dport 8080
jamesb2147@ubnt:~$ show vpn ipsec status
IPSec Process Running PID: 6359

0 Active IPsec Tunnels

IPsec Interfaces :
jamesb2147@ubnt:~$

Any help would be much appreciated. I don't know where to go from here. Is there any code outside of the VPN section that *might* conflict with a VPN config? It just boggles my mind that I had this working perfectly fine yesterday, and that switching to DNS peers (instead of explicit IP peers) somehow messed that up.


Thanks for any help and have a great day!

EdgeRouter with Avaya H.323 VPN remote phones


I have an Avaya 5610SW Remote VPN H.323 IP phone that I have not been able to get working with a new EdgeRouter PoE 5 in a home office. The EdgeRouter is quite a step up from the consumer router we had been using. We are running EdgeMax v1.9.0. The phone appears to establish the IPSec tunnel with the server, but gets stuck at "Discover x.x.x.x". The consumer routers had a VPN Passthrough option that was enabled, but I have not been able to replicate this option with the EdgeRouter. The issue does not appear to be port related, because I do not see any dropped packets in the syslog after enabling logging for all rules and default actions. I also tried setting the default action to accept on the default firewall rules created by the wizards. The sip and h323 modules have also been disabled as suggested in other posts, and I am now wondering if the issue could be NAT related, but I am not sure what the proper configuration should be. I tried creating a source NAT exclude rule for traffic between the phone's IP and the server, but then the VPN stopped working on the phone. I have tried both the Basic Setup and WAN+2LAN2 wizards for the initial setup. Does anyone have Avaya H.323 VPN phones working with an EdgeRouter at a remote site?


When I view the tcpdump traffic using wireshark I see the following:


Source Destination Protocol Info
<Eth0IP>:2070 <ServerIP>:500 ISAKMP Aggressive
<ServerIP>:500 <Eth0IP>:2070 ISAKMP Aggressive
<Eth0IP>:4500 <ServerIP>:4500 ISAKMP Aggressive
<ServerIP>:4500 <Eth0IP>:4500 ESP ESP (SPI=0xb14f9f64)
<Eth0IP>:4500 <ServerIP>:4500 UDPENCAP NAT-keepalive
<ServerIP>:4500 <Eth0IP>:4500 ESP ESP (SPI=0xb14f9f64)
<Eth0IP>:4500 <ServerIP>:4500 UDPENCAP NAT-keepalive
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<ServerIP>:4500 <Eth0IP>:4500 UDPENCAP NAT-keepalive
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<ServerIP>:4500 <Eth0IP>:4500 UDPENCAP NAT-keepalive
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<Eth0IP>:4500 <ServerIP>:4500 ESP ESP (SPI=0x651f84dd)
<ServerIP>:4500 <Eth0IP>:4500 UDPENCAP NAT-keepalive


<Eth0> is 192.168.x.x obtained via DHCP from the ISP (with the source nat exclude rule enabled this IP is the phone's IP from Eth2)
<ServerIP> is a public IP address of the server

ERL v1.9.0 Slow WAN


On a 300/60 Mbit connection I can max out the bandwidth on a speed test with v1.8.5; however, after upgrading to v1.9.0 I only get half of this.


I have had to restore the original configuration as it's a business day tomorrow, so I cannot test again yet. Has anyone had similar issues?


IPSEC v1.9.0 won't come up


Ok, so I previously had an issue with v1.8.5 where I couldn't connect L2TP/IPSEC, so I was hoping that 1.9.0 would fix this. Which it did; however, now straight IPSEC tunnels do not work. You can see my previous thread and configs over at: http://community.ubnt.com/t5/EdgeMAX/Ipsec-L2tp-wont-connect/m-p/1615966#M118159


When I try to connect using IPSEC the only difference I see when I do a show vpn debug is this:


V1.9.0: peer-haven2.ignorelist.com-tunnel-1[1]: CONNECTING, 1.2.3.4[1.2.3.4]...5.6.7.8[%any]

V1.8.5: peer-haven2.ignorelist.com-tunnel-1[1]: CONNECTING, 1.2.3.4[1.2.3.4]...5.6.7.8[5.6.7.8]


There seems to be something in 1.9.0 that is not resolving and is doing %any, causing the connection to hang up?


Here is my IPSEC config; they are both exactly the same as in the 1.8.5 version. If I revert to the old 1.8.5 system image, the IPsec connection comes up with no problem.


ch@ubnt# show vpn ipsec
 auto-update 600
 auto-firewall-nat-exclude disable
 esp-group FOO0 {
     compression disable
     lifetime 3600
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes128
         hash sha1
     }
 }
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 30
         timeout 120
     }
     ikev2-reauth no
     key-exchange ikev1
     lifetime 7800
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer haven2.ignorelist.com {
         authentication {
             mode pre-shared-secret
             pre-shared-secret *******
         }
         connection-type respond
         ike-group FOO0
         ikev2-reauth inherit
         local-address any
         tunnel 1 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO0
             local {
                 prefix 192.168.11.0/24
             }
             remote {
                 prefix 192.168.1.0/24
             }
         }
         tunnel 2 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO0
             local {
                 prefix 192.168.11.0/24
             }
             remote {
                 prefix 192.168.0.0/24
             }
         }
     }
 }

Did something change in IPSEC between 1.8.5 and 1.9.0 that causes my config not to work?


Also, if it helps, here is what the initiating side's log is saying to the 1.9.0 ERL:

2016:08:25-18:33:30 sophos pluto[6183]: packet from 1.2.3.4:500: Main Mode message is part of an unknown exchange

2016:08:25-18:34:46 sophos pluto[6183]: "S_Townhouse" #2621: next payload type of ISAKMP Identification Payload has an unknown value: 104
2016:08:25-18:34:46 sophos pluto[6183]: "S_Townhouse" #2621: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2016:08:25-18:34:46 sophos pluto[6183]: "S_Townhouse" #2621: sending encrypted notification PAYLOAD_MALFORMED to 1.2.3.4:500

I know the password is correct. I even changed it on both ends in case the ERL corrupted the entry or something stupid; no luck.


Thanks,
Chris

Zone based firewall with IPSEC


If you are doing a zone based firewall, is there a way to capture ipsec traffic in a zone?


Unlike OpenVPN there is no interface to apply the rules to.


I found that internet-local will catch ipsec packets going from the remote subnet to the router but I can't seem to catch the rest of the packets that are going to the local network. (internet being the WAN interface)


Thanks,

Magnus


Tools for firewall log analysis?


New ER-X user here. I was kind of bummed to see that there isn't any web representation of drops/rejects when you log them.


Before I start thinking about a remote syslog host + something like LogStash, I wanted to check in and see what other folks are using to parse and analyze firewall logs.


Thanks!
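As an added example (not from the post above or from Ubiquiti), a small parser for the kind of firewall log lines EdgeOS writes to syslog when a rule has logging enabled, aggregating drops by rule, destination port and source. It assumes the usual netfilter LOG layout with an EdgeOS prefix of the form `[RULESET-RULE-ACTION]` (e.g. `[WAN_LOCAL-default-D]`); the sample lines and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example (not from a real router).
# Each firewall hit is logged by the kernel LOG target as
# [RULESET-RULE-ACTION] followed by netfilter key=value fields.
SAMPLE_LOG = """\
Aug 25 13:15:13 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 25 13:15:14 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 25 13:15:20 ubnt kernel: [WAN_IN-default-D]IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 25 13:15:31 ubnt kernel: [WAN_LOCAL-20-D]IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=TCP SPT=443 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 13:15:40 ubnt kernel: [WAN_LOCAL-10-A]IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=8 DF PROTO=TCP SPT=443 DPT=51002 WINDOW=229 RES=0x00 ACK URGP=0
Aug 25 13:15:41 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP SPT=5060 DPT=5060 LEN=8
Aug 25 13:15:42 ubnt sshd[1234]: Accepted publickey for ubnt from 192.168.1.20 port 50000 ssh2
"""

PREFIX_RE = re.compile(r"kernel: \[(?P<prefix>[^\]]+)\](?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}


def parse_line(line):
    """Return a dict for a firewall log line, or None for any other syslog line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    # Ruleset names may contain hyphens (e.g. Inside-to-Outside), so split from
    # the right: the last two fields of the prefix are the rule and the action.
    parts = m.group("prefix").rsplit("-", 2)
    if len(parts) != 3 or parts[2] not in ACTIONS:
        return None
    ruleset, rule, action = parts
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "ruleset": ruleset,
        "rule": rule,
        "action": ACTIONS[action],
        "in": fields.get("IN", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarise(log_text, top=5):
    """Count dropped/rejected packets by rule, destination port and source."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    blocked = [e for e in events if e["action"] != "accept"]
    by_rule = Counter(f"{e['ruleset']}-{e['rule']}" for e in blocked)
    by_port = Counter(f"{e['proto']}/{e['dport']}" for e in blocked if e["dport"] is not None)
    by_src = Counter(e["src"] for e in blocked)
    return {
        "total": len(events),
        "blocked": len(blocked),
        "by_rule": by_rule.most_common(top),
        "by_port": by_port.most_common(top),
        "by_src": by_src.most_common(top),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointed at a file pulled from `/var/log/messages` or a remote syslog host, the same functions give a quick per-rule and per-source view without standing up a full log stack.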


ER-X - 1.9.0 throughput peaks at 40MB/s


I have an ER-X in a home environment.  My network is laid out as follows:


eth0 - wan

eth1~4 - switched lan


If I host an iperf3 server on the LAN and use the built-in bandwidth tool to test it, I get around 200 Mbps. If I increase the TCP window to 1024, I can get to 300 Mbps. The throughput is very stable, but capped far below what I would expect. Others report speeds of 600 Mbps, even 800 Mbps+, on the ER-X, so I would expect a lot better.


I have hwnat on, and whether deep packet inspection is enabled or disabled makes no difference.  Can anyone figure out what is wrong here?


My config:


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Inside-to-Outside {
        default-action drop
        description "LAN to WAN"
        rule 1 {
            action accept
            description All
            destination {
                address 0.0.0.0/0
                group {
                }
            }
            log disable
            protocol all
            source {
                address 172.16.1.1/24
                group {
                }
            }
        }
    }
    name Outside-to-Inside {
        default-action drop
        description out-in
        rule 1 {
            action accept
            description Established
            destination {
                address 172.16.1.0/24
            }
            log disable
            protocol all
            source {
                address 0.0.0.0/24
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        firewall {
            out {
                name Inside-to-Outside
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.16.1.1/24
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description Optivault_80
        forward-to {
            address 172.16.1.101
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    rule 2 {
        description Optivault_443
        forward-to {
            address 172.16.1.101
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 3 {
        description Optivault_32400
        forward-to {
            address 172.16.1.101
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN-DHCP {
            authoritative disable
            subnet 172.16.1.0/24 {
                default-router 172.16.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.16.1.100 {
                    stop 172.16.1.200
                }
                static-mapping BD-S7e {
                    ip-address 172.16.1.111
                    mac-address a4:08:ea:15:7e:e0
                }
                static-mapping BD-ShieldTV {
                    ip-address 172.16.1.102
                    mac-address 00:04:4b:53:a6:11
                }
                static-mapping BD-Surface {
                    ip-address 172.16.1.110
                    mac-address c0:33:5e:17:2c:bf
                }
                static-mapping OptiVault {
                    ip-address 172.16.1.101
                    mac-address 00:11:32:50:83:5d
                }
                static-mapping UAP-AC-Pro {
                    ip-address 172.16.1.100
                    mac-address 44:d9:e7:f9:7b:b2
                }
                unifi-controller 172.16.1.101
            }
        }
        use-dnsmasq disable
    }
    gui {
        http-port 80
        https-port 443
        listen-address 172.16.1.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "LAN~WAN masquerade"
            destination {
            }
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 172.16.1.0/24
            }
            type masquerade
        }
    }
    ssh {
        listen-address 172.16.1.1
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        [snip]
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */


ERL: Slow Internet


I'm having issues with slow internet speeds on my ERL. I'm on a 100x6 cable line. If I connect directly to the cable modem, I can get around 90-110 down, constantly 6 up. Once I have the cable modem connected to the ERL, speeds vary from 20 to 60 down.


Any ideas?


Config is below:


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipv4 {
            gre enable
            pppoe enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}