I'm brand new to Ubiquiti products... I have owned the ER Lite for 3 weeks and am impressed, but...
I'm having a problem.
I have a dual-WAN setup, with one fast connection WAN0 (data capped) and a slow connection WAN1 (no caps).
In most situations, I want to load balance between the two, and that works using the examples here.
However, for certain traffic, like backups, I want it to go only via the uncapped WAN1 route. I have tried adding a specific "modify" rule before the main load-balance rule, and one of two things happens:
1. If I list WAN1 (EN1) as an interface in the new load-balance group, even with "failover-only", all traffic is still split between the two interfaces. It seems to ignore my rule.
2. If I remove WAN1 (EN1), leaving only pppoe0 (WAN0), it stops load balancing altogether, and all traffic goes via that one interface only.
I've tried many workarounds. I'm not sure what I'm missing, but I could use some guidance to get this working right.
I've attached the config, and a screenshot of the traffic with scenario #2 running.
firewall { all-ping enable broadcast-ping disable group { address-group mgservers { address xx.xx.xx.xx address xx.xx.xx.xx description "MG servers backup etc" } network-group PRIVATE_NETS { network 192.168.0.0/16 network 172.16.0.0/12 network 10.0.0.0/8 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians disable modify balance { rule 10 { action modify description "do NOT load balance lan to lan" destination { group { network-group PRIVATE_NETS } } modify { table main } } rule 20 { action modify description "do NOT load balance destination public address" destination { group { address-group ADDRv4_pppoe0 } } modify { table main } } rule 30 { action modify description "do NOT load balance destination public address" destination { group { address-group ADDRv4_eth1 } } modify { table main } } rule 40 { action modify description "send server traffic frontier" destination { group { address-group mgservers } } modify { lb-group FRT_ONLY } } rule 100 { action modify modify { lb-group G } } } name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } options { mss-clamp { interface-type pppoe mss 1412 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 192.168.0.3/24 description WAN dhcp-options { default-route update default-route-distance 210 name-server no-update } duplex auto firewall { in { } } mac xx:xx:xx:xx:xx:xx pppoe 0 { default-route none firewall { in { modify balance name WAN_IN } local { 
name WAN_LOCAL } } mtu 1492 name-server none password **************** user-id ******@connect.frontier.com } speed auto } ethernet eth1 { address dhcp description "WAN 2" dhcp-options { default-route update default-route-distance 210 name-server no-update } duplex auto firewall { in { modify balance name WAN_IN } local { name WAN_LOCAL } } speed auto } ethernet eth2 { address 192.168.2.1/24 description Local duplex auto firewall { in { modify balance } } speed auto } loopback lo { } } load-balance { group FRT_ONLY { interface pppoe0 { route-test { initial-delay 60 interval 10 type { ping { target xx.xx.xx.xx } } } weight 100 } lb-local enable } group G { interface eth1 { route-test { initial-delay 60 interval 10 type { ping { target xx.xx.xx.xx } } } weight 35 } interface pppoe0 { route-test { initial-delay 60 interval 10 type { ping { target xx.xx.xx.xx } } } weight 65 } lb-local enable } } protocols { static { interface-route 0.0.0.0/0 { next-hop-interface pppoe0 { } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN { authoritative enable subnet 192.168.2.0/24 { default-router 192.168.2.1 dns-server 192.168.2.1 lease 86400 start 192.168.2.38 { stop 192.168.2.243 } } } use-dnsmasq disable } dns { forwarding { cache-size 5000 listen-on eth2 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5000 { description "masquerade for WAN" outbound-interface pppoe0 type masquerade } rule 5002 { description "masquerade for WAN 2" outbound-interface eth1 type masquerade } rule 5003 { description "masqerade for actiontek" destination { address 192.168.0.1 } log disable outbound-interface eth0 protocol all type masquerade } } ssh { port 22 protocol-version v2 } } system { conntrack { expect-table-size 4096 hash-size 4096 table-size 32768 tcp { half-open-connections 512 loose enable max-retrans 3 } } host-name ubnt login { user xxx { authentication { encrypted-password **************** } level admin } } name-server 
8.8.8.8 name-server 8.8.4.4 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipv4 { forwarding enable pppoe enable } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone America/Boise traffic-analysis { dpi enable export enable } } traffic-control { advanced-queue { filters { match 1 { attach-to 1023 ip { destination { address 192.168.2.0/24 } } target 1 } } leaf { queue 1 { bandwidth 20mbit parent 1023 queue-type UBNT_BQ_FQ_CODEL } } queue-type { fq-codel UBNT_BQ_FQ_CODEL { } } root { queue 1023 { attach-to global bandwidth 1000mbit description UBNT-BQ } } } }
Thanks in advance for your help getting this working right.
M