I'm new to Ubiquiti hardware and really any sort of networking beyond basic typical consumer router config and recently installed an Edgerouter Lite X on my network for routing purposes. I've basically left all configuration as default except for:

• Made my name server under settings the internal IP of my rasberry pi (w/ pi-hole)
• Made the DHCP DNS also the IP of my pi

What I'm seeing is that certain sites will fail to load with either an dns_probe_finished_nxdomain or a connection refused. If the nxdomain message, using other browsers or devices on the network often gets it to load, or just refreshing after waiting a few minutes. For the connection refused, it won't load no matter what I do. Github is an example of the latter, I can't load it on my network. 

I'm expecting there's some simple firewall config at play here, but am not sure the best way to resolve. I've tried reverting above changes just to make sure it wasn't something w/ the pi config, but the same behavior happens. 

Any ideas for what I've gotten wrong here? 

Dear all,

I have the following setup :

2 load balance groups : 

• LBgroup 1 :
  • WAN eth0 (gateway 192.168.88.1) + WAN failover eth1 (gateway 192.168.89.1) 
  • LAN 1 on eth2 (offices networks) is using it
• LBgroup 2 :
  • WAN eth3 (gateway192.168.90.1) + WAN failover eth4 (192.168.202.1)
  • LAN 2 on eth5 (public access) is using it

Firewall rules prevent access between LAN 2 and LAN 1

My problem is that gateways 192.168.88.1 and 192.168.90.1 are on the same layer 2. Please have a look on the drawing below.

With the actual configuration, it seems that I end up with a brodcast storm. 

Please can you tell me what is the simplest way to prevent that ?  I guess I have to do something with VLANs, but I would like to avoid having to setup vlans all the way till the 2 gateways (there are several Powerbeam links, unmanaged switch etc).

Hi there,

This is my first post and my first ubiquiti device so bear with me please ,

I am trying to configure my brand new ER-4 to work with my cable modem (Thomson DCM475). Basically, I plugged my laptop into eth0, started up the web ui and upgraded the firmware to 1.10.9. So far so good. My cable internet settings are currently set as dynamic on my TPLink router.

I ran the basic config wizard to have my cable modem connected to eth0 while the laptop would be connected to eth1. Once all that would be running, I'd plug in eth1 to my switch. The ER-4 is set to manage DHCP as well. I applied changes, swapped my laptop on eth1 and went back into the ui so the config appears to be applied.

My issue is that eth0, which is now connected to the cable modem, stays off on the device and shows as down on edgeOS. I've tried several cables, I've tried to reset the router, reset the cable modem, restart both in various orders but to no avail. So I'm a bit stumped. Is there something that I am missing that needs to be done from the wizard to get eth0 to work? It's set on the wizard as the interface that will have the internet connection so I think it's all good.

I've also tried using the WAN2LAN wizard just to see and I get the same result (no light on eth1 since that's the interface for internet for that connection).

Unless there's some manual setting that I need to update from the config?

Any help would be greatly appreciated, otherwise I just won't be able to keep this device which is a shame because it took me a while to make up my mind to get it.

Thanks a lot!

Hi All,

I can't figre it out.  

I've read a million threads and I'm just trying to forward a few ports.  I've set it up to automatically configure the firewall, the computer(s) are plugged in through Eth4 through an AP but I've also tried using switch0.  I've tried just one and currently I've just added them all.  I'm sure this is something stupid but I can't figure it out.  

Canyouseeme says everything is still closed off.  

Please advise config posted below.  

Thanks 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.0.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface switch0
    lan-interface eth4
    lan-interface eth1
    lan-interface eth2
    lan-interface eth3
    rule 1 {
        description emby
        forward-to {
            address 192.168.0.69
        }
        original-port 8096
        protocol tcp_udp
    }
    rule 2 {
        description Radarr
        forward-to {
            address 192.168.0.69
        }
        original-port 7878
        protocol tcp_udp
    }
    rule 3 {
        description Sonarr
        forward-to {
            address 192.168.0.69
        }
        original-port 8989
        protocol tcp_udp
    }
    rule 4 {
        description Transmission
        forward-to {
            address 192.168.0.69
        }
        original-port 9093
        protocol tcp_udp
    }
    rule 5 {
        description NzbGet
        forward-to {
            address 192.168.0.69
        }
        original-port 6789
        protocol tcp_udp
    }
    rule 6 {
        description TEST
        forward-to {
            address 192.168.0.43
        }
        original-port 8898
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.228
                lease 86400
                start 192.168.0.70 {
                    stop 192.168.0.243
                }
                static-mapping MAC_Server {
                    ip-address 192.168.0.69
                    mac-address 70:73:CB:C4:00:C9
                }
                static-mapping raspberrypi {
                    ip-address 192.168.0.228
                    mac-address b8:27:eb:f2:a6:98
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-noip {
                    host-name 1041holly.ddns.net
                    login mcasey6747@comcast.net
                    password matt6747
                    protocol noip
                }
                web dyndns
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name ubnt
    login {
        user mcasey {
            authentication {
                encrypted-password $6$0Pw2pvRW9esllAcD$tbn06Bos7khc.E/CEmYetlnVrHi1myavirbw/UAX8KOi1sEquv3yP0/ZE3N1IocD5qH6RFAkhkA5ygKzO/8gM0
            }
            full-name "***"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Denver
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue All {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 60mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 5mbit
        }
        wan-interface eth0
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.9.5166958.190213.1952 */

I have a dual-wan setup on my Edgerouter.  One WAN connection is to the internet.  The other WAN connection is to my internal network which can also provide limited fallback internet access.  Upon boot of the ER-X the static routes highlighted in the image below do not function.  If I toggle them by disabling them and then enabling them then they work fine.  I have to repeat this procedure whenever the Edgerouter reboots or loses power.  Is there a fix?

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 20
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description RSD
        dhcp-options {
            default-route no-update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 192.168.2.1/24
        description Isolated
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
}
protocols {
    static {
        interface-route 10.10.0.0/16 {
            next-hop-interface eth1 {
                description "Corporate Servers"
                distance 1
            }
        }
        interface-route 172.16.0.0/16 {
            next-hop-interface eth1 {
                description VOIP
                distance 1
            }
        }
        interface-route 192.168.0.0/16 {
            next-hop-interface eth1 {
                description Branches
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DHCPserver {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 10.10.0.75
                dns-server 1.1.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.200
                }
            }
        }
        shared-network-name DHCPserver2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 10.10.0.75
                dns-server 1.1.1.1
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.200
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5011 {
            description "Masquerade to WAN1"
            destination {
                group {
                }
            }
            log disable
            outbound-interface eth1
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
traffic-control {
    smart-queue Limit {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 3mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 3mbit
        }
        wan-interface eth1
    }
}

We have one of this hosting 3 WAN links. On the 15th of this month it stop working and only way to fix was to reboot the router itself. Attach is the latest downloaded supprt file. 

This is the second time this has happened. Last it happen in December last year, and I didnt get a chance to download the support file as I did the upgarde  to the lates version of edge OS that day 

Apprecaite anyhelp to determine the issue so we can sort it out

Regards

Ive been trying to configure QoS with advanced-queue using the global root. It does not appear that my DOWN rules are being hit at all. I'm not sure why. The Up rules have many hits and they are basically configured the same. I am using eth0 for wan and switch0 for LAN, where switch0 is all ports but eth0.

admin@router:~$ show traffic-control advanced-queue statistics global queue
qdisc parent type bytes packets dropped overlimits requeues
----- ------ ---- ----- ------- ------- ---------- --------
28672 root htb 5991248283 6146505 0 436084 0
28673 101 fq_codel 0 0 0 0 0
28674 102 fq_codel 0 0 0 0 0
28675 103 fq_codel 0 0 0 0 0
28676 104 fq_codel 0 0 0 0 0
28677 105 fq_codel 0 0 0 0 0
28678 110 fq_codel 0 0 0 0 0
28679 120 fq_codel 0 0 0 0 0
28680 199 fq_codel 0 0 0 0 0
28681 210 fq_codel 10676827 112547 14 0 0
28682 220 fq_codel 11005 78 0 0 0
28683 290 fq_codel 4850845 59361 0 0 0
28684 299 fq_codel 342433881 1843846 5888 0 0

config

Hi,

I have a Unifi network with a cloud key that use the 192.168.2.x subnet and connects to port eth1 (192.168.2.1/24) on the EdgeRouter.

I use a Source Nat Rule with a souce addr of 192.168.2.1/24 to 23.228.XXX.XXX (a fixed ip) on eth7 

This works fine and give internet access inside the business.

I need to add a second SSID to Unifi that connects to my internal LAN network. 

I have set this up in the cloud key.

The internal Lan can access the internet seperately.

The Internal Lan connects to port eth4 (10.0.0.201/24) 

Source Nat Rule with a souce addr of 10.0.0.201/24 to 23.228.XXX.XXX (a different fixed ip) on eth7 

Ok so here is where the problem happens.

The workstations on the new SSID need to use fixed IPs in the 10.0.0.x range.

When I add an additional address to eth1 (10.0.0.1/24) an unused IP on the subnet....

Everything goes down until I log in from the console and remove it.

I am not sure why I can't connect the two subnets together.

Thanks

John

I'm having repeated problems with my Edgerouter-X. It will just stop working for no apparent reason (DHCP servers not working especially). I have 2 vlans set up on this router, eth1 and eth3 on vlan10 (10.0.1.1/24), eth2 and eth4 on vlan 20 (192.168.2.1/24). eth0 is ppoe. 

When this behavior occurs, I have to perform a reset of the router and it comes back up with the default config. From there I attempt to upload a known good (recent) saved config, and everything looks good in the GUI (green box below upload with file name). Reboot prompt to which I say yes. The router reboots but the config doesn't load properly and nothing I do resolves - no DHCP servers and setting static IP on my management box doesn't gain me access on any of the ports using either of the vlan subnets or the default 192.168.1.1/24, either on LAN ports or eth0 - so it appears it loads the boot config, brings the box up but something prevents the config from properly loading.

The frustrating thing is that I have opened and verified my backup config and it looks good. And I have created fresh backup configs when the router is working well and tried with those configs as well. Nothing seems to allow me to successfully restore from a saved config. 

What makes this even more troubling is that the Edgerouter-X simply stops working randomly leaving me to manually set it up from default again. This has happened 4 times in the past week. I'm running the latest 1.10.9 firmware, but the problems occured on a prior release as well. 

I was able to CLI into my edgerouter via com2, but now it won't prompt me for credentials. Its just the green cursor and it repeats whatever I type. It does not respond to exit, or ? command. 

Does Ubiquiti have any plans or even ideas of providing EdgeOS as a standalone product to implement on other hardware? 

Ubiquiti has a bunch of hardware options, but the don't cover every need out there. 

Not a demand, or a request but just wondering if something along these lines was ever planned. 

Hello,

Our Internet provider is proving a fiber and a radio (for backup) connection.

We own a /24 public class and we have a bgp connection with the provider.

The problem that I am facing now is that our existent equipment does not support 2 peers with the same AS number.

It can only work with only one peer at a time. (is a known issue for that device)

I plan to do this on a Edge router, but I haven't found any wiki or quide to see if this is possable.

Is anyone that has done this?

Hi,

Trying to do a little split tunneling.

All traffic from VLAN1 goes out the regual IPS way. All traffic from VLAN 2 should go out the OpenVPN tunnel (vtun1) to my VPN provider. 

My config is mostally all good, but I can't figure out how to make the OpenVPN connection, receive the routes push the push, but NOT be set as the default gateway for the entire router, which is what happens.

I need to be able to establish vtun1, but only route my select traffic over that link. My understanding is that I somehow need to disable the push-reply of "redirect-gateway def1", but I can't figure out where how. I could just do a no-route, but then each time I connect vtun1 i would have to update my routing table with whatever the route is on the other side, which can change between connections.

Thoughts?

Thanks!

Hi, I  have a Ubiquiti router - ER-4 and a HPE OfficeConnect 1820 switch.  The setup is straightforward.  Last year I created 3 VLANs with no problem.  They are all independent/private from each other and all have Internet access.  Each PC is connected to the switch, with the router providing DHCP & Internet access.  Now I wish to create a 4th VLAN.  I believe I am doing exactly the same as last time (kept detailed instructions) and visually the configuration of the new VLAN in the switch and router looks identical to the working VLANs.  I cannot find any difference at all, but the new 4th VLAN won't work.  I must be missing something simple but I've recreated it 3 times now and am at a loss as to what could be different or where to look next.

Before any configuration the PCs connected to the switch have DHCP assigned addresses and Internet access through the ER.  As soon as I assign a switch port to a new VLAN and setup a new VLAN interface in the router with DHCP & DNS services - no DHCP address is given out / no Internet.  I've tried this before and after setting up any firewall rules - no change?? 

The switch is a layer 2 and requires a VLAN to be created and the ports to be associated with the vlan (untagged).  There is not a lot to setup in here.  On the ER I setup the VLAN interface and DHCP & DNS services.

I like to work GUI so have attached images of the ER.  My new VLAN is eth1.60

I'm trying to write two scripts which enables [ena1] and disables [dis1] a firewall policy. But I can't get it to work.

If I change the wrapper to /opt/vyatta/bin/vyatta-op-cmd-wrapper the configure command works, but the scripts stalls.

ubnt@ubnt# ./dis1
Invalid command "configure" for vyatta-cfg-cmd-wrapper
calling validateSetPath() without config session
Failed to generate committed config
Saving configuration to '/config/config.boot'...
Done
[edit]

[ena1]

#!/bin/vbash
run="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"
$run configure
$run delete firewall name ChildBlock rule 3 disable
$run commit
$run save

[dis01]

#!/bin/vbash
run="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"
$run configure
$run set firewall name ChildBlock rule 3 disable
$run commit
$run save

Hi,
I'm trying to setup (what I thought should be) a pretty simple policy based route for a single LAN address to route to either an interface or IP address, which ever works.
Our ER is on  10.4.1.1, it's gateway for the internet is 123.51.113.61

The single IP address is 10.4.1.255

I want traffic from this IP address to be routed to either ETH5 or 172.27.2.2

I've already got some PBR's in place and they are working an absolute treat, no problems at all.   This is my current setup:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group SITE_NETS {
            network 192.168.9.0/24
            network 10.4.40.0/24
            network 10.4.0.0/22
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify SITE_PBR {
        rule 5 {
            action modify
            modify {
                table 13
            }
            source {
                address 10.4.1.255
            }
        }
        rule 10 {
            action modify
            description "Inter-site traffic"
            destination {
                group {
                    network-group SITE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "Site 2 to local ISP"
            modify {
                table 11
            }
            source {
                address 10.4.0.0/22
            }
        }
        rule 30 {
            action modify
            description "Site 3 to Site 1 ISP"
            modify {
                table 12
            }
            source {
                address 10.4.40.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action drop
            description "Block DHCP"
            destination {
                address 0.0.0.0/0
                group {
                    port-group DHCP_Ports
                }
            }
            log disable
            protocol udp
            source {
                address 0.0.0.0/0
                group {
                    port-group DHCP_Ports
                }
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_Out {
        default-action accept
        description ""
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 10.4.1.1/22
        address 172.16.8.1/24
        aging 300
        bridged-conntrack disable
        description "Local Bridge"
        hello-time 2
        max-age 20
        priority 32768
        promiscuous enable
        stp false
    }
    ethernet eth0 {
        address 123.51.113.62/30
        address 123.51.125.225/28
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_Out
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description "Derrimut Drive LAN"
        duplex auto
        firewall {
            in {
                modify SITE_PBR
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        address 172.27.2.1/24
        description "Miles Radio (Mimosa)"
        duplex auto
        speed auto
    }
    ethernet eth6 {
        bridge-group {
            bridge br0
        }
        description "WMS WiFi"
        duplex auto
        speed auto
    }
    ethernet eth7 {
        address 172.27.1.1/24
        description "Stanford Radio (UBNT)"
        duplex auto
        firewall {
            in {
                modify SITE_PBR
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface br0
    wan-interface eth0
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 123.51.113.61 {
                distance 10
            }
            next-hop 172.27.2.2 {
                distance 200
            }
        }
        route 10.4.1.94/32 {
            next-hop 10.4.1.2 {
                description "Mark NG"
            }
        }
        route 10.4.1.100/32 {
            next-hop 10.4.1.2 {
                description "Amanda NG"
            }
        }
        route 10.4.40.0/24 {
            next-hop 172.27.1.2 {
                description "Stanford Street"
            }
        }
        route 10.4.40.254/32 {
            next-hop 172.27.2.2 {
                description "Stanford Internet"
            }
        }
        route 192.168.9.0/24 {
            next-hop 172.27.1.1 {
                disable
            }
            next-hop 172.27.2.2 {
                description "Miles Street"
            }
        }
        route 192.168.100.0/24 {
            next-hop 10.4.1.2 {
                description "Barracuda Firewall"
            }
        }
        table 11 {
            route 0.0.0.0/0 {
                next-hop 123.51.113.61 {
                    distance 10
                }
            }
        }
        table 12 {
            route 0.0.0.0/0 {
                next-hop 172.27.2.2 {
                }
            }
        }
        table 13 {
            interface-route 0.0.0.0/0 {
                next-hop-interface eth5 {
                }
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on br0
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 10.4.1.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description NGFW-NAT-Out
            log disable
            outbound-interface eth0
            outside-address {
                address 123.51.125.225
            }
            protocol all
            source {
                address 10.4.1.2
            }
            type source
        }
        rule 5001 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5002 {
            description "MASQ for Hairpin"
            destination {
                address 10.4.0.0/22
            }
            log disable
            outbound-interface br0
            protocol all
            source {
                address 10.4.0.0/22
            }
            type masquerade
        }
        rule 5003 {
            description "MASQ for Hairpin 2"
            destination {
                address 172.16.8.0/24
            }
            log enable
            outbound-interface br0
            protocol all
            source {
                address 172.16.8.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection wss://10.4.0.10:443+QKjdFpHEclF_PG4QQrrL78_wEuctHjphN5j0OmqMBXUAAAAA+allowUntrustedCertificate
    }
}
system {
    conntrack {
        expect-table-size 393216
        hash-size 3145728
        table-size 3145728
    }
    flow-accounting {
        disable-memory-table
        ingress-capture post-dnat
        interface eth0
        netflow {
            enable-egress {
                engine-id 1
            }
            engine-id 0
            server 10.4.0.10 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 60
                icmp 60
                max-active-life 60
                tcp-fin 10
                tcp-generic 60
                tcp-rst 10
                udp 60
            }
            version 9
        }
        syslog-facility daemon
    }
    host-name ubnt
    login {
        user UbiquitiUser {
            authentication {
                encrypted-password $6$GuYsGLQEG$6TtjDFI.mbaHOOXI8MKhWB.qOOEavT4yyHwruTHMRmDkOIHATCVcX.lBTDJRe/AwTbOliFeS/moqcL182FZkB1
                plaintext-password ""
            }
            full-name UbiquitiUser
            level admin
        }
        user admin {
            authentication {
                encrypted-password $6$Alet2Ce3$7QuymyIa7CWwQCr8j/XaZ2I6IF02bx3aSQQGHi0BmqsaVA/4q903gE6aFIG97/BbY89ZrfWtLOMv5nidaeY9t1
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe disable
            vlan disable
        }
    }
    syslog {
        global {
            facility all {
                level debug
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Australia/Melbourne
    traffic-analysis {
        custom-category Web_File_Transfer {
            name "Web File Transfer"
        }
        custom-category Windows_Updates {
            name "Microsoft Windows Update"
        }
        dpi disable
        export enable
    }
}
traffic-control {
    advanced-queue {
        root {
            queue 1023 {
                attach-to global
                bandwidth 1000mbit
                description UBNT-BQ
            }
        }
    }
    smart-queue Shaper {
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 20mbit
        }
        wan-interface eth0
    }
}
vpn {
    }
}

I hope I didn't strip too much out of this config file.  Thank you in advance for any help you can provide.

Regards,

-Warren

Hi,

I have been away from home for a year, returned 2 weeks ago and now since a few days I noticed slow download speeds. I have a 500/500 connection and I was only getting about 90-120 mbit download speed.

After some investigating I came to the conclusion that all traffic over IPv6 is normal, I get around 450-500 mbit but over IPv4 I max. get 120 mbit.

Offloading is on for both IPv4 & IPv6. If logged in over SSH the connection lags 3-5 seconds (SSH very slow) when downloading over IPv4 but not over v6. If I disable IPv6 offloading then it behaves the same as v4, slow as hell.

Any ideas? Running firmware 1.10.9

Config:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group IPTV {
            address 217.166.0.0/16
            address 10.16.0.0/16
            address 213.75.0.0/16
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 50 {
            action accept
            description OpenVPN
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IPTV_IN {
        default-action drop
        description ""
        rule 1 {
            action accept
            log disable
            protocol udp
            source {
                group {
                    address-group IPTV
                }
            }
        }
    }
    name LAN_WAN {
        default-action accept
        description "LAN naar Internet"
    }
    name WAN_IN {
        default-action drop
        description "WAN to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to Edgerouter"
        enable-default-log
        rule 20 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 40 {
            action accept
            description ICMP
            destination {
                group {
                    address-group ADDRv4_pppoe0
                }
            }
            log disable
            protocol icmp
        }
        rule 50 {
            action accept
            description OpenVPN
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        description "eth0 - FTTH"
        duplex auto
        mtu 1512
        poe {
            output off
        }
        speed auto
        vif 4 {
            address dhcp
            description "eth0.4 - IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            ip {
                source-validation loose
            }
        }
        vif 6 {
            description "eth0.6 - Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface switch0 {
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit disable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password ****************
                user-id REMOVED@internet
            }
        }
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth0.7 - VOIP"
            mtu 1500
        }
    }
    ethernet eth1 {
        description "eth1 - ExperiaBox"
        duplex auto
        poe {
            output off
        }
        speed auto
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth1.7 - ExperiaBox VOIP"
            mtu 1500
        }
    }
    ethernet eth2 {
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-port 443
        mode server
        protocol tcp6-passive
        server {
            push-route 10.20.30.0/24
            subnet 10.100.100.0/24
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/server.pem
            dh-file /config/auth/dhp.pem
            key-file /config/auth/server.key
        }
    }
    switch switch0 {
        address 10.20.30.254/24
        description "switch0 - LAN"
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2001:4860:4860::8888
                name-server 2001:4860:4860::8844
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description "Reverse Proxy"
        forward-to {
            address 10.20.30.30
            port 80
        }
        original-port 80
        protocol tcp
    }
    rule 2 {
        description Mumble
        forward-to {
            address 10.20.30.30
            port 64738
        }
        original-port 64738
        protocol tcp_udp
    }
    wan-interface pppoe0
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface switch0 {
            role downstream
            threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
        route 213.75.112.0/21 {
            next-hop 10.84.192.1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update enable
        shared-network-name LAN {
            authoritative enable
            subnet 10.20.30.0/24 {
                default-router 10.20.30.254
                dns-server 10.20.30.254
                dns-server 208.67.222.222
                dns-server 8.8.8.8
                domain-name REMOVED.lan
                lease 86400
                start 10.20.30.100 {
                    stop 10.20.30.200
                }
                static-mapping Playstation4 {
                    ip-address 10.20.30.90
                    mac-address 00:d9:d1:f0:35:64
                }
                static-mapping Printer {
                    ip-address 10.20.30.105
                    mac-address e4:11:5b:77:91:a9
                }
                unifi-controller 10.20.30.30
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service dyndns {
                    host-name removed.ddns.net
                    login REMOVED
                    password ****************
                    server dynupdate.no-ip.com
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on vtun0
            listen-on switch0
            name-server 208.67.222.222
            name-server 208.67.220.220
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 8443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
        rule 5001 {
            description IPTV
            destination {
                address 10.16.0.0/16
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
        rule 5010 {
            description "KPN Internet"
            log disable
            outbound-interface pppoe0
            protocol all
            source {
                address 10.20.30.0/24
            }
            type masquerade
        }
        rule 5020 {
            description "OpenVPN to Internet"
            log disable
            outbound-interface pppoe0
            protocol all
            source {
                address 10.100.100.0/24
            }
            type masquerade
        }
    }
    snmp {
        community public {
            authorization ro
        }
        location Thuis
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on switch0
        nat-pmp enable
        secure-mode disable
        wan pppoe0
    }
}
system {
    domain-name REMOVED.lan
    flow-accounting {
        disable-memory-table
        ingress-capture post-dnat
        interface eth0
        interface switch0
        interface eth1
        netflow {
            enable-egress {
                engine-id 1
            }
            engine-id 0
            server 10.20.30.30 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 60
                icmp 60
                max-active-life 60
                tcp-fin 10
                tcp-generic 60
                tcp-rst 10
                udp 60
            }
            version 9
        }
        syslog-facility daemon
    }
    host-name router
    login {
        user REMOVED {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys REMOVED {
                    key ****************
                    type ssh-rsa
                }
                public-keys root@server {
                    key ****************
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 208.67.222.222
    name-server 208.67.220.220
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    name-server 2620:0:ccc::2
    name-server 2620:0:ccd::2
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            url http://http.us.debian.org/debian
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi enable
        export enable
    }
}

Everyone greetings:

  I set up a 802.1q Vlans on EG-X router, following the help KB for router on a stick.

  the router config is the 'basic config'.

 The vlans are set up and I can have client connecting to the vlan port and get IP address of that vlan successfully.

 However, the clients on the vlan can not connect to Internet nor the management plane (192.168.1.1). Per the default config, the outbound traffic is allowed and I am able to get to internet using other open ports on the same router.

attached is the config file.

 will appreciate if someone can share thoughts.

 thanks.

Hi,

i'm relatively new to edge router and i can't figure out how to complete this special setup.

Let me explain.

1. ( WORKING ) i have a edge router lite setup as a plain router, no NAT, to route a public IPv4 subnet in ETH1 that is bought to my ISP..They give me a static IP (not in my IPv4 subnet) for ETH0 to give to my router and then i route my IPv4 subnet.

It is working flawlessly right now.

2. ( WORKING ) Attached to the Edge router lite on ETH1 is a set of airmax gear to distribute the IPv4 subnet to remote plants (there is actualy 2 plants in service and more upcoming). Airmax gear are connected between plants router and the edge router lite ETH1. They are configured in a private subnet network (192.168.200.0/24) so i can configure all airmax gear when connected directly to one of them. However, since there is no gateway configured in the same subnet anywhere, they can't access internet and can't be remotely managed or monitored. It is also inconvenient when configuration is needed but it is working for the moment.

3. ( TO DO ) I want to create a VLAN on the edge router lite ETH1 where all airmax gear will use it as a gateway and can get internet access for update and management (i planned to use UNMS). Of course, i want to use the existing private subnet of the airmax gear to be able to manage/monitore them, NAT included, so they are not publicly visible to the internet. I know and tested where to go to change the management VLAN on the airmax gear.

4.( TO DO ) Also, i want to create a openvpn server config on the edge router lite to remotely manage the airmax gear securely. I can find some tutorial online but with the incomplete point 3, i can't figure out how to configure the edge router lite the way i need.

eth0 - connected to ISP

eth1 - IPv4 public bloc AND private airmax subnet

Does anyone have an idea (or some part of) ?

Here's the setup:

eth0- WAN: 5 available IPs: A.B.C.114~118

eth1- LAN: switch with 192.168.1.0/24 network

I currently have the router working so that LAN users can access the Internet. But I'm having problems setting up inbound rules.

Issue 1:

I have several web servers on the LAN that need to be accessed from the Internet. Here's a small sample:

A.B.C.114 -> 192.168.1.100 (HTTP)

A.B.C.115 -> 192.168.1.10 (HTTP)

A.B.C.114 -> 192.168.1.10 (HTTPS)

A.B.C.115 -> 192.168.1.10 (HTTPS)

Firewall rules:

NAT rules (I added some for other services, but took them out for this discussion)

Issue 2:

I have several IPs and networks that I want to block from accessing. What is the best/most efficient way to do this? I started a network group (BadNetworks) where I am adding the networks to block. Should I use a firewall rule or a NAT rule to block?

Thanks in advance!