Hi Guys, I've got an Edgerouter Lite running v1.7.0.
For the last year or so it's been working fine with a single WAN connection. This past week we ordered a second WAN through another ISP for failover or load-balancing, either way.
I backed up my config, then ran the Load Balacing wizard, logged in and configured my DHCP servers, vlans, etc.
Now, whenever a client connects to one of my "vlans", they get random DNS errors, or SSL errors whenever accessing the internet. Sometimes the connection just fails all together. If I disable one of the WANs, the clients work as intended.
I was hoping someone could look at my config and clue me in. Ideally, I'd like to have eth0 as my primary WAN, and eth1 as my failover WAN, and eth2 as my LAN/WLAN.
Currently eth2 is plugged into a 24 port dumb switch, all hardwired clients plug into the dumb switch including 3 UniFi ap's. The UniFi ap's server up three different SSID's (ERVFC vlan 20, ERVFC-GUEST vlan 30, ERVFC-INTERNAL, untagged).
Thanks in advance!
Jason
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 1 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Comcast
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address dhcp
description CenturyLink
disable
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 192.168.1.1/24
description LAN
duplex auto
firewall {
in {
modify balance
}
}
speed auto
vif 20 {
address 192.168.20.1/24
description STAFF_WIFI
mtu 1500
}
vif 30 {
address 192.168.30.1/24
description GUEST_WIFI
mtu 1500
}
}
loopback lo {
}
}
load-balance {
group G {
interface eth0 {
}
interface eth1 {
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth2
lan-interface eth2.20
lan-interface eth2.30
rule 1 {
description HTTP
forward-to {
address 192.168.1.25
port 80
}
original-port 80
protocol tcp
}
rule 2 {
description DVR1
forward-to {
address 192.168.1.58
port 37777
}
original-port 37777
protocol tcp
}
rule 3 {
description DVR2
forward-to {
address 192.168.1.58
port 37778
}
original-port 37778
protocol tcp
}
rule 4 {
description RDP
forward-to {
address 192.168.1.201
port 3389
}
original-port 3389
protocol tcp
}
rule 5 {
description UniFi
forward-to {
address 192.168.1.24
port 8443
}
original-port 8443
protocol tcp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name GUEST_WIFI {
subnet 192.168.30.0/24 {
default-router 192.168.30.1
dns-server 192.168.30.1
dns-server 192.168.1.1
start 192.168.30.2 {
stop 192.168.30.253
}
unifi-controller 192.168.1.24
}
}
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.20
dns-server 192.168.1.21
domain-name <removed>
lease 86400
start 192.168.1.101 {
stop 192.168.1.243
}
}
}
shared-network-name STAFF_WIFI {
subnet 192.168.20.0/24 {
default-router 192.168.20.1
dns-server 192.168.20.1
dns-server 192.168.1.1
start 192.168.20.2 {
stop 192.168.20.253
}
unifi-controller 192.168.1.24
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth2
listen-on eth2.20
listen-on eth2.30
}
}
gui {
https-port 443
}
nat {
rule 5000 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
login {
user jtetterton {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name "removed"
level admin
}
user ubnt {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name ""
level admin
}
}
name-server 8.8.8.8
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}