Hello folks,
I'm fairly new to Ubiquiti (having previously worked with MikroTik), and I'm trying to replace a god-awful Draytek 300B that currently acts as a load balancer on my network with an Edgerouter X. I'm also self-taught, so it's quite likely I overlooked something.
The ER-X runs EdgeOS 1.9.0.
I'm working bit by bit from the KB articles and forums. The network is fairly simple:
WAN: I get 3 PPPoE 80/20Mbps links in that I'm trying to balance. My ISP provides the same DNS server on all 3 links.
LAN: 10.10.10.0/24 is my management subnet where the ER-X, Cloud Key, and UAP Pro units will be eventually.
My clients will connect to the UAP Pro units on two VLANs, 28 & 34, with addresses at 10.10.28.0/24 and 10.10.34.0/24, respectively. There will also be a guest VLAN 50, which isn't in use yet.
This is the configuration I've put together so far:
firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 40 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_pppoe2
}
}
modify {
table main
}
}
rule 50 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_pppoe3
}
}
modify {
table main
}
}
rule 60 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_pppoe4
}
}
modify {
table main
}
}
rule 70 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to LAN"
rule 10 {
action accept
description "Allow established/related"
log enable
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log enable
protocol all
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
log enable
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log enable
protocol all
state {
invalid enable
}
}
}
}
interfaces {
ethernet eth0 {
address 10.10.10.1/24
description "management LAN"
firewall {
in {
modify balance
}
}
duplex auto
speed auto
vif 28 {
address 10.10.28.1/24
description "VLAN 28"
mtu 1500
}
vif 34 {
address 10.10.34.1/24
description "VLAN 34"
mtu 1500
}
vif 50 {
address 192.168.1.1/24
description "VLAN GUEST"
mtu 1500
}
}
ethernet eth1 {
description "management LAN 2"
duplex auto
speed auto
}
ethernet eth2 {
description "WAN 1"
duplex auto
pppoe 2 {
default-route none
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server none
password ***********
user-id ***********
}
speed auto
}
ethernet eth3 {
description "WAN 2"
duplex auto
pppoe 3 {
default-route none
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server none
password ***********
user-id ***********
}
speed auto
}
ethernet eth4 {
description "WAN 3"
duplex auto
pppoe 4 {
default-route none
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server none
password ***********
user-id ***********
}
speed auto
}
switch switch0 {
address 10.10.1.1/24
description Local
firewall {
in {
modify balance
}
}
mtu 1500
switch-port {
interface eth1 {
}
vlan-aware disable
}
}
loopback lo {
}
}
load-balance {
group G {
interface pppoe2 {
}
interface pppoe3 {
}
interface pppoe4 {
}
lb-local enable
sticky {
dest-addr enable
dest-port enable
source-addr enable
}
}
}
protocols {
static {
interface-route 0.0.0.0/0 {
next-hop-interface pppoe2 {
}
next-hop-interface pppoe3 {
}
next-hop-interface pppoe4 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name guest-dhcp {
authoritative disable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.6 {
stop 192.168.1.243
}
unifi-controller 10.10.10.10
}
}
shared-network-name LAN {
authoritative disable
subnet 10.10.10.0/24 {
default-router 10.10.10.1
dns-server 10.10.10.1
lease 86400
start 10.10.10.38 {
stop 10.10.10.243
}
unifi-controller 10.10.10.10
}
}
shared-network-name WLAN-28 {
authoritative disable
subnet 10.10.28.0/24 {
default-router 10.10.28.1
dns-server 10.10.28.1
lease 86400
start 10.10.28.6 {
stop 10.10.28.243
}
unifi-controller 10.10.10.10
}
}
shared-network-name WLAN-34 {
authoritative disable
subnet 10.10.34.0/24 {
default-router 10.10.34.1
dns-server 10.10.34.1
lease 86400
start 10.10.34.6 {
stop 10.10.34.243
}
unifi-controller 10.10.10.10
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 300
listen-on eth0
listen-on eth1
listen-on eth0.28
listen-on eth0.34
listen-on eth0.50
}
}
gui {
https-port 443
}
nat {
rule 5004 {
description "masquerade for WAN 1"
outbound-interface pppoe2
type masquerade
}
rule 5006 {
description "masquerade for WAN 2"
outbound-interface pppoe3
type masquerade
}
rule 5008 {
description "masquerade for WAN 3"
outbound-interface pppoe4
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name EDGEROUTERX
login {
user *********** {
authentication {
encrypted-password ***********
plaintext-password ***********
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
name-server *ISP.DNS.1*
name-server *ISP.DNS.2*
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/London
traffic-analysis {
dpi enable
export enable
}
}
traffic-control {
smart-queue WAN2_queue {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 64mbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 16mbit
}
wan-interface pppoe2
}
smart-queue WAN3_queue {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 64mbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 16mbit
}
wan-interface pppoe3
}
smart-queue WAN4_queue {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 64mbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 16mbit
}
wan-interface pppoe4
}
}The problem is that clients can't reach the internet. They get assigned an address by their respective DHCP server, and DNS seems to work fine - I can ping a website from the client, the address succesfully resolves, but I get no replies. Disabling the smart queues doesn't help, and CPU & memory use are fairly low on the Dashboard.
Note: I'm not intending to use the switch0 interface, and eth1 also isn't in use, so I just assigned eth1 to switch0 and gave it a dummy address. I couldn't delete the switch0 interface, that's why i left it in.
Is there anything obvious that I've missed from the configuration? I'd appreciate any assistance.