
OpenVPN with destination IP routing


So I have my ER set up and working with my VPN connection, but what I am trying to do is route anything going to a specific IP or port over the VPN, not all traffic. So from any host on my LAN I want to route anything to a specific IP or set of IPs on the internet over the VPN; the rest should just use standard eth0.

Let me know if you need any config info; I'm more just wondering if it's possible and, if so, how I would go about it.

Authenticate edge router and E400 wifi router using freeradius


Hi,

I want to authenticate an EdgeRouter and an E400 Wi-Fi router using FreeRADIUS. Can anyone tell me the process to do this?

Thanks

Mohit Bakshi

Load balance and 2 lans

Good day. I would like to configure an EdgeRouter PoE with load balancing / failover.

eth0 and eth1 for the dual ISPs.

But I need 2 LANs: a /23 on eth2 for UniFi access points, and eth3 and eth4 for the workstations. But I need both LAN subnets to be able to communicate with each other. I can't do VLANs because we currently don't have managed switches.

thank you in advance..

Block Web URL


I would like to know how to block a URL from being accessed via my LAN.

I would like to block adult sites. Can anyone post the settings to enable me to do this?

Thank You

Edge Router Lite

v1.9.0 IPv6, DHCPv6 PD and PPPoE problem


I've been attempting to configure IPv6 via PPPoE since v1.7 and have been seeing the same issue; now with v1.9 I thought it was time to ask for assistance, as I'm not having any luck getting it working.

I have used the suggestions I've found in this forum and duplicated others' working configuration, but I still have the same issue of PPP flapping if I enable IPv6 on the pppoe0 interface. The PPPoE connection comes up for 5 seconds, IPv4 works fine, and then pppd is terminated and restarted.

My ISP has allocated a /48 prefix and I'm attempting to allocate a /64 to the LAN.

Here are the IPv6 details from my configuration.

edit interfaces ethernet eth0 pppoe 0
set dhcpv6-pd pd 0 interface switch0 host-address '::1'
set dhcpv6-pd pd 0 interface switch0 prefix-id ':0'
set dhcpv6-pd pd 0 interface switch0 service slaac
set dhcpv6-pd pd 0 prefix-length /48
set dhcpv6-pd prefix-only
set dhcpv6-pd rapid-commit enable
set firewall in ipv6-name IPv6-OUTSIDE-IN
set firewall local ipv6-name IPv6-OUTSIDE-LOCAL
set ipv6 address autoconf
set ipv6 dup-addr-detect-transmits 1
set ipv6 enable
edit interfaces switch switch0
set address 172.25.0.1/24
set firewall in modify ROUTE-INSIDE-IN
set firewall in name INSIDE-IN
set firewall out name INSIDE-OUT
set ipv6 dup-addr-detect-transmits 1
set ipv6 router-advert cur-hop-limit 64
set ipv6 router-advert link-mtu 0
set ipv6 router-advert managed-flag true
set ipv6 router-advert max-interval 600
set ipv6 router-advert other-config-flag false
set ipv6 router-advert prefix '::/64' autonomous-flag true
set ipv6 router-advert prefix '::/64' on-link-flag true
set ipv6 router-advert prefix '::/64' valid-lifetime 2592000
set ipv6 router-advert reachable-time 0
set ipv6 router-advert retrans-timer 0
set ipv6 router-advert send-advert true
set mtu 1500
set switch-port interface eth2
set switch-port interface eth3
set switch-port interface eth4
set switch-port vlan-aware disable

Just allowing all IPv6 for now in case that was the problem:

set ipv6-name IPv6-OUTSIDE-IN default-action accept
set ipv6-name IPv6-OUTSIDE-IN rule 10 action accept
set ipv6-name IPv6-OUTSIDE-IN rule 10 description Established/Related
set ipv6-name IPv6-OUTSIDE-IN rule 10 log disable
set ipv6-name IPv6-OUTSIDE-IN rule 10 state established enable
set ipv6-name IPv6-OUTSIDE-IN rule 10 state related enable
set ipv6-name IPv6-OUTSIDE-LOCAL default-action accept
set ipv6-name IPv6-OUTSIDE-LOCAL rule 10 action accept
set ipv6-name IPv6-OUTSIDE-LOCAL rule 10 state established enable
set ipv6-name IPv6-OUTSIDE-LOCAL rule 10 state related enable
set ipv6-receive-redirects disable
set ipv6-src-route disable

I'm pretty sure I'm doing something wrong, but I just can't figure out where.

If there is any additional information I can provide to assist in diagnosing this issue, please let me know.

Kind Regards,

Mark

3 Wans(2Vlan), 3 Lans


Hi guys! First time around here.

I recently got a job at a school as an IT Manager and found out they have an ERP-8 in their main rack. They requested me to do something I honestly don't know how to do, or whether it is possible to do; let me explain it to you.

We have 2 ISPs:

ISP A = 1 cable, 2 VLANs with internet.

ISP B = 1 cable with internet.

Right now we are not using ISP B; we are using a switch to separate the VLANs and redirect to a couple of routers, and then to clients. They would like to do something totally different:

Connect ISP A, let's say, to eth0 (VLAN 1 would be WAN1, VLAN 2 would be WAN2)

Connect ISP B, let's say, to eth1 (it would be WAN3)

Connect eth2 to a Windows Server with NAT

Connect eth3 to the surveillance system

Connect eth4 to a Linux Server

So, I really don't know if it is possible. I tried yesterday, for like 4 hours, to make it work, but I failed.

Thanks in advance for your time!

After update to 1.9 not able to send email with MacBooks

Hi, after the update customers are complaining that they are not able to email over SSL.
Apple Mail can't connect to iCloud or their personal mail host. The settings on the MacBooks are correct. If I connect them directly to the provider's router, email is working ;-(

Add interface to zone-policy


Hi,

Adding an interface to a zone-policy takes forever. Sometimes I have to wait about 10-15 minutes. Could you fix it?

Version:

EdgeRouter Pro v1.8.5

New ER8-Pro, v1.9.0., and Random Reboots


I bought two ER8-Pro routers, configured them to use VRRP, installed v1.9.0, and the system is stable. It has been running on one switch for 10 days. When I switch routers to run on the secondary router, everything works, but usually within 1 or 2 days the switch randomly reboots.

To verify v1.9.0 is solid, I also have had it running for 5+ days on an internal firewall. v1.9.0 is working well on the ER8-Pros I am using, except for the one router. I don't think it is the version causing the problem.

For the failing router, I am convinced the configuration is okay because it has now been running for 10+ days. Since I count on DPI and the routers are working, I can only test the bad router with offline diagnostics. This sounds like a hardware problem. Are there hardware diagnostics that can be run, or is this an RMA?

Apple TV latency between subnets


Not sure if this can be fixed, but I figured it's worth a shot.

My Apple TVs are currently on one subnet (10.0.0.0/21) and users are on another (10.0.8.0/21).

Whenever I stream content from the users' subnet to the Apple TVs, it's a bit choppy and the audio skips. Does anyone know what could possibly be causing this? Possible latency issue?

I do not have QoS enabled, only some DPI firewall rules on the users' subnet.

Thanks in advance.

I forgot to mention, our network is currently on an EdgeMax Pro.

Non-responding GUI on ER-8 Pro 1.8.5


Hi,

I had an OSPF session go down and shortly after some BGP sessions fell as well.

Since then, when I log in to the web GUI it is non-responsive: no traffic graphs, 0 prefixes shown, and so on.

The traffic is flowing as it should, but I would like to get normal operation back on the GUI.

Any ideas on how to do that without rebooting the box?

Kind Regards

M

Can I protect 2 types of customers with this simple vlan idea ?

My network:

core MikroTik >> PPPoE Edge Router A and B >> managed switch NOC >> Distant POP (managed switch >> unmanaged switch >> customers)

I have 2 types of customers: A is wireless customers and B is fibre wired customers.
So I have 2 PPPoE routers.

Both PPPoE routers have 1 port configured for PPPoE with a unique service name.
And both routers connect to the same managed switch in the NOC, and then a fiber is connected from the NOC managed switch to the POP managed switch.

Now the problem is, the whole traffic of both types of customers passes through the same switches at the POP and NOC with no VLAN or anything.
It's just one flat network, and for that reason lately I'm facing a very, very high broadcast storm issue, which is taking down my network every minute.

So I finally thought to make the traffic of the 2nd type of customers (2nd PPPoE router) a specific VLAN, so that wired customers and wireless customers will finally be separate and no broadcast will happen.

So, can this be done?

If yes, how should it be planned, and can it be done immediately, or does it need some kind of downtime for the NOC and POP?

I was thinking to simply do this, considering this is my current network design:
core MikroTik >> PPPoE Router A and B >> managed switch NOC >> Distant POP (managed switch >> unmanaged switch >> customers)

Make vlan100 in Router B (wired fibre customers).
Then define vlan100 in the managed switch at the NOC, and then define vlan100 again in the distant POP managed switch.

So let's say there are 20 customers (10 wireless and 10 wired fibre customers) connected to the unmanaged switch at the distant POP. When their PPPoE requests start, the fibre customers' PPPoE requests take the vlan100 path and reach Router B in the NOC directly to authenticate.

And the wireless customers, since they have no VLAN defined, simply take the normal path and reach Router A.

That way, both types of customers' traffic is segregated too, isn't it?

broadcast storm in PPPoE ISP network, help


Hello from India, a big-time UBNT user.
I have 2200 customers now and all are on PPPoE only.
My network design: Core MikroTik Router CCR1036 >> UBNT EdgeSwitch >> Unmanaged and Managed switches mixed >> Customers on PPPoE.

For the last few days, my customers have been complaining that they get a lot of packet loss and random disconnections every 5-10 minutes. In all the managed switches I have RSTP off, loop protection on, and broadcast storm control for broadcast, multicast and unicast on at 1M in each switch.

And all day, the log of each of those managed switches keeps showing BROADCAST STORM APPEARS ON PORT X, MULTICAST STORM APPEARS ON PORT X.

I guess, since the whole network is facing a heavy broadcast storm, maybe that's the reason I'm losing packets and facing random ping cuts to our devices, wireless access points, all managed switches and whatever, and that's the reason the customers are dying.

Is there a way to completely stop or kill the whole broadcast storm?

What is the reason why it's happening?

Help understanding the load-balance watchdog behavior


Hi,

First I'd like to apologize; I'm not a native English speaker. Please tell me if my post is hard to understand.

I own an ERLite-3 running the 1.9.0 firmware. I'm running a dual WAN configuration, one on a broadband connection and another on a DSL one. I've defined two load-balance groups, one defaulting to the broadband for devices needing mostly download or upload speed, and one defaulting to the DSL for devices needing a lower average latency.

I was running the default ping test for the watchdog until I ran into issues with the broadband provider. Ping would still work, but TCP connections were slow as hell and randomly crashing.

I tried to experiment with a custom script, fetching the google.com homepage with curl.

Now here is the weird issue. I'm seeing conflicting situations between "show load-balance status", which shows that both of my Internet connections are up, and "show load-balance watchdog", which says one of my connections is failing the watchdog test.

show load-balance status

Group LB-LAN
  interface   : eth1
  carrier     : up
  status      : active
  gateway     : 
  route table : 201
  weight      : 100%
  flows
      WAN Out : 31557
      WAN In  : 39
    Local Out : 33456

  interface   : eth2
  carrier     : up
  status      : failover
  gateway     : 
  route table : 202
  weight      : 0%
  flows
      WAN Out : 0
      WAN In  : 35
    Local Out : 0

Group LB-LowPing
  interface   : eth2
  carrier     : up
  status      : failover
  gateway     : 
  route table : 204
  weight      : 0%
  flows
      WAN Out : 0
      WAN In  : 0
    Local Out : 0

  interface   : eth1
  carrier     : up
  status      : active
  gateway     : 
  route table : 203
  weight      : 100%
  flows
      WAN Out : 0
      WAN In  : 0
    Local Out : 0

show load-balance watchdog
Group LB-LAN
  eth1
  status: Running
  pings: 7466
  fails: 8
  run fails: 0/3
  route drops: 0
  test script : /config/scripts/connectivity.sh - OK

  eth2
  status: Waiting on recovery (0/5)
  failover-only mode
  pings: 3
  fails: 3
  run fails: 3/3
  route drops: 1
  test script : /config/scripts/connectivity.sh - FAIL
  last route drop   : Thu Aug 25 10:12:01 2016

Group LB-LowPing
  eth1
  status: Running
  failover-only mode
  pings: 5983
  fails: 12
  run fails: 0/3
  route drops: 1
  test script : /config/scripts/connectivity.sh - OK
  last route drop   : Thu Aug 25 16:27:07 2016
  last route recover: Thu Aug 25 16:28:10 2016

  eth2
  status: Waiting on recovery (0/5)
  pings: 3
  fails: 3
  run fails: 3/3
  route drops: 1
  test script : /config/scripts/connectivity.sh - FAIL
  last route drop   : Thu Aug 25 10:12:03 2016

Here's my load-balance configuration:

load-balance {
     group LB-LAN {
         interface eth1 {
             route-test {
                 count {
                     failure 3
                     success 5
                 }
                 initial-delay 60
                 interval 15
                 type {
                     script /config/scripts/connectivity.sh
                 }
             }
         }
         interface eth2 {
             failover-only
             route-test {
                 count {
                     failure 3
                     success 5
                 }
                 initial-delay 60
                 interval 15
                 type {
                     script /config/scripts/connectivity.sh
                 }
             }
         }
         lb-local enable
     }
     group LB-LowPing {
         interface eth1 {
             failover-only
             route-test {
                 count {
                     failure 3
                     success 5
                 }
                 initial-delay 60
                 interval 15
                 type {
                     script /config/scripts/connectivity.sh
                 }
             }
         }
         interface eth2 {
             route-test {
                 count {
                     failure 3
                     success 5
                 }
                 initial-delay 60
                 interval 15
                 type {
                     script /config/scripts/connectivity.sh
                 }
             }
         }
         lb-local enable
     }
}

Here's the connectivity.sh script source:

#!/bin/bash
# The load-balance watchdog invokes the script as: script GROUP INTF STATUS
GROUP=$1
INTF=$2
STATUS=$3
CHECKDOMAIN="http://google.com"

# Fetch only the headers through the interface under test and keep the first
# digit of the status code on the first line (e.g. "HTTP/1.1 301 ..." -> 3).
# If curl times out it prints nothing, so the case falls through to "*".
case "$(curl -s --max-time 2 --interface "${INTF}" -I "${CHECKDOMAIN}" | sed 's/^[^ ]*  *\([0-9]\).*/\1/; 1q')" in
  [23]) echo "HTTP connectivity is up"; exit 0;;
  5)    echo "The web proxy won't let us through"; exit 1;;
  *)    echo "Something is wrong with HTTP connections. Go check it."; exit 1;;
esac
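
An added example, not the poster's connectivity.sh or anything shipped with EdgeOS: the same route-test logic with the status-line parsing split into functions so every case (a 301 redirect, an HTTP/2 status line, a 5xx, and the empty output curl produces on a timeout) can be checked offline. CHECKDOMAIN, the GROUP INTF STATUS calling convention and the 2 s / 15 s timings come from the post; the header dumps are constructed samples, and treating a 4xx as a reachable path is this example's choice, not the poster's.

```shell
#!/bin/sh
# Added example (not the poster's connectivity.sh). The watchdog calls the
# route-test script as: <script> GROUP INTF STATUS and acts only on the exit
# code: 0 = this interface passes the test, non-zero = it fails.

CHECKDOMAIN="http://google.com"

# Print the first digit of the HTTP status code from a curl -I header dump
# passed as $1, or "none" when no status line is present (curl timed out,
# the interface had no route, or whatever answered was not speaking HTTP).
# Matches both "HTTP/1.1 301 Moved Permanently" and "HTTP/2 200".
http_status_class() {
    cls=$(printf '%s\n' "$1" |
          sed -n 's|^HTTP/[0-9.]*  *\([0-9]\)[0-9][0-9].*|\1|p; 1q')
    if [ -n "$cls" ]; then echo "$cls"; else echo none; fi
}

# Map the status class to the watchdog verdict. A 2xx/3xx (google.com answers
# with a 301) proves the path end to end; a 5xx means an intermediary such as
# a captive proxy answered instead of the target; a 4xx still proves the path
# is up (this example's choice, the poster's script fails it); no status line
# at all is the usual shape of a dead link.
judge_connectivity() {
    case "$(http_status_class "$1")" in
        [23]) echo "HTTP connectivity is up"; return 0 ;;
        5)    echo "5xx received: something in the path answers, the target does not"; return 1 ;;
        4)    echo "4xx received: path is up, request was refused"; return 0 ;;
        *)    echo "No HTTP status line: timeout or no route on this interface"; return 1 ;;
    esac
}

# Header fetch kept separate so it can be swapped for canned output when
# exercising the logic offline. --interface binds the probe to the WAN under
# test; --max-time stops a stalled link from outliving the 15 s test interval.
fetch_headers() {
    curl -s --max-time 2 --interface "$1" -I "$CHECKDOMAIN"
}

# Entry point with the watchdog's calling convention: GROUP INTF STATUS.
route_test() {
    headers=$(fetch_headers "$2") || headers=""
    if msg=$(judge_connectivity "$headers"); then rc=0; else rc=1; fi
    echo "$1/$2 (was: $3): $msg"
    return $rc
}

# Constructed header dumps standing in for curl output (not captured traffic).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/'
SAMPLE_H2_OK='HTTP/2 200
content-type: text/html; charset=UTF-8'
SAMPLE_PROXY_ERR='HTTP/1.1 503 Service Unavailable
Via: 1.1 upstream-proxy'
SAMPLE_TIMEOUT=''

if [ $# -eq 3 ]; then
    # Invoked by the watchdog: run the real probe and hand back its verdict.
    route_test "$@"
    exit $?
else
    # Run by hand: walk the constructed samples instead of touching the network.
    for s in "$SAMPLE_REDIRECT" "$SAMPLE_H2_OK" "$SAMPLE_PROXY_ERR" "$SAMPLE_TIMEOUT"; do
        judge_connectivity "$s" || true
    done
fi
```

Installed under /config/scripts and referenced from route-test type script, it behaves like the original; run with no arguments it only prints the verdict for each sample.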

ERL / ERX / USG - transparent proxy / filtering / bandwidth shaping


Just wondering if anyone uses an ERL (or an ERX, or a USG) in transparent bridge type mode, where the unit acts as:

- a filter and/or

- traffic shaping type of box.

I'm tired of pfSense. Their latest version has been frustrating.

It's inline as a transparent filter, basically, but I'd also like to do some basic traffic shaping, which is where I'm frustrated with it.

I have an ERL. I worry that it won't handle a full gigabit internet connection if/when that happens (next year). Are there higher-end models that'd be better suited to these tasks? A UniFi Gateway? I'm sure this little unit (ERL) could handle our current connections (much less than a gigabit...)

Basically, the pfSense box is doing

- pfBlockerNG - a few sets of filter lists... I've seen that ERLs can do this...

- DNS (after the internal AD servers - it's set to use OpenDNS servers...)

- ...I wish it did shaping...

- ...I wish it did Squidguard... which seems to fail in transparent mode.

Any suggestions on using Ubiquiti hardware for this kind of job? Any others doing this in a medium-sized environment? (just under 1k users, several web servers, etc.)

All I want is for it to be "inline" and to be able to help with some shaping, a little filtering, and it'd be really nice if I could set rules per VLAN, per IP, per user, or something. We used to have a Cymphonix for this (which got bought by Untangle). In a nutshell, I'm curious if Ubiquiti can do anything similar.

Edgerouter X VLAN No Internet XBOX One


Oops, I posted this in the wrong forum.

WAN is set up as eth1 and I have a UniFi AC LR plugged into eth2. I've set up two SSIDs, one just for my Xbox Ones with a vlan2 tag. I set up a DHCP server with the 192.168.3.0/24 subnet and then set up switch0.2 to point to that DHCP server. The Xbox One pulls a 192.168.3.0/24 subnet IP address just fine, but it can't get out to the internet. The same goes for any device that connects to that wifi network. My plan was to put the two Xbox Ones on the same VLAN and allow UPnP on that VLAN so both Xbox Ones can communicate with Xbox Live. I've attached a few screenshots of my version, interfaces and configuration. This is my first Ubiquiti device. Any help would be appreciated.

EdgeRouter in Switch Mode... Need VLANs


Hello,

My setup currently consists of an EdgeRouter-X (Standard) to handle my routing, VLANs, etc. From there I have an ethernet cable which runs to the other end of the room. I connect that to a Dell PowerConnect 2708, which then connects to my EdgeRouter-X-SFP. Because of how long the fiber run is, I use SFP from the EdgeRouter-X-SFP to a secondary EdgeRouter-X-SFP in the far basement. Both units work great; I can connect out to the internet. However, the primary purpose of this was to be able to connect a camera and have it get an IP straight from the Security VLAN.

I tried setting VLAN-Aware and adding the PVID; I also added the VLAN on the homepage for the switch. Nothing is working. I'm sure I'm just missing something small. The VLAN is tagged on the PowerConnect 2708, and I know that's working because the AP outputs the VLAN for the UVC-Micros without an issue. The issue is between the 2 EdgeRouters. Any and all help would be appreciated as to how I should configure these EdgeRouter-X-SFPs. Otherwise I'll have to figure out an alternative.

Anyone got ER-X-SFP working on IPv6 with Start Communications?


I just replaced my ERL with the ER-X-SFP and cannot get IPv6 to work at all. Has anyone been able to get it done?

Tried migrating the old config in with no success. Tried to configure from scratch with no luck either.

Attached my config with some sanitized portions.

Any help is greatly appreciated.

ipsec site-to-site tunnel no longer working after upgrade from 1.8.5 to 1.9.0

$ sudo ipsec up peer-sombody.no-ip.org-tunnel-1
initiating Main Mode IKE_SA peer-sombody.no-ip.org-tunnel-1[5] to their.ip.xx
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my.ip.xx[500] to their.ip.xx[500] (156 bytes)
received packet: from their.ip.xx[500] to my.ip.xx[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from my.ip.xx[500] to their.ip.xx[500] (244 bytes)
received packet: from their.ip.xx[500] to my.ip.xx[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 2b:42:2c:c0:f1:cf:e0:d2:1b:b4:ae:5f:e3:1c:82:0b
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
generating INFORMATIONAL_V1 request 1953053623 [ N(INVAL_KE) ]
sending packet: from my.ip.xx[500] to their.ip.xx[500] (56 bytes)
establishing connection 'peer-sombody.no-ip.org-tunnel-1' failed

ubnt@ubnt# show vpn
 ipsec {
     auto-firewall-nat-exclude disable
     esp-group FOO0 {
         compression disable
         lifetime 28800
         mode tunnel
         pfs disable
         proposal 1 {
             encryption aes256
             hash sha1
         }
     }
     ike-group FOO0 {
         ikev2-reauth no
         key-exchange ikev1
         lifetime 28800
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer sombody.no-ip.org {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret somekey
             }
             connection-type initiate
             description "sombody Network"
             ike-group FOO0
             ikev2-reauth inherit
             local-address any
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group FOO0
                 local {
                     prefix 192.168.0.0/24
                 }
                 remote {
                     prefix 172.16.1.3/32
                 }
             }
         }
     }
 }

Any ideas?

router can't ping hosts by name and hosts can't ping each other by name.

Let's start with: I'm new to this router, but I did RTFM and the forums, and I can't figure out what should be a simple thing.

I have an EdgeRouter X and I updated it to the new v1.9 firmware.

I ran the WAN+2LAN2 wizard.

I plugged my Internet connection into lan0

I plugged some Raspberry Pis into the other ports

I set the name of each Pi in its respective /etc/hostname and /etc/hosts files

All of the Pis got addresses and I can see the IP leases along with their names in the ubnt control panel

All of the Pis can get out to the Internet

All of the Pis can ping each other by their IP addresses

The router can ping the Pis by their IP addresses

What doesn't work is that none of the Pis can ping each other by host name, and the router can't ping them by hostname either.

If I manually add all of the Pis to each Pi's /etc/hosts file then that will work, but that seems silly to me since I have this fancy router that should, you know, route stuff. I feel like there is probably one setting that I need to change, but I can't find it. Any help would be appreciated. Thanks.
