Hello everyone,
First post here, I've been lurking for a while.
I generally recommend Ubiquiti products to clients, as they function very well, before and after elbow grease.
I am still getting used to the CLI formatting, being raised on a Cisco-based degree, but it is still quite a relief.
Here is my current issue:
I have a client that utilized an edgemax router at the top of their tree.
Everything works great, but I am experiencing a strange issue.
1.7 FW
I have configured a dual wan failover, weighted appropriately, all routes are proper, NAT is (90% confidence) proper, firewall rules are proper. I have excellent results on layer 2 and 3; my simple settings are functioning seemingly well as reported by various print commands in CLI. I did this using a ton of information from various posts on this forum, and I really appreciate the effort put in from the mods and community, it's been very helpful.
ANYWAYS, here's my current problem: upon loss of link, brought on in any form on the primary WAN, the watchdog functions correctly and switches over to the secondary WAN. The secondary gateway is, and honestly, it's most likely the problem, a moFi LTE router/gateway combo I have set for IP pass-through. I have tested each WAN link separately after setting up static routes, rules, every single thing I could think of. The hardwired WAN link works perfectly, but when I'm swapped over to the other WAN as a singular unit, or through the failover process, my link to WAN is limited in strange ways. I have tried setting up a static address translation, using masquerade to LAN (which is what I use on the primary WAN link), but no matter what, I will time out on almost every response. ICMP gets through with great performance and a proper route, but I can only access Google searches from any machine, switched or directly attached/addressed to a primary interface on the router. This is very bizarre to me, and any ideas would be greatly appreciated.
I will include my configuration with appropriate redacts. I am a bit suspicious this could be a NAT problem that I haven't seen before, or something I'm not familiarized with in the Ubiquiti system quite yet.
I have operated with multiple DNS options for testing, disabled all firewalls for testing, and dropped back to a pretty barebones config for testing as well. My hops are correct, but I can't include that information online, for obvious reasons. Some of the command strings I used were provided by community members here.
I don't want my client wasting any more money or time on this mess. At this point, I'm basically asking if it's appropriate to blame the moFi router with its near-disenfranchised OpenWrt source; it will maintain a layer 2 link, and seemingly a layer 3 link, but I am seeing strange behavior with this hardware. I just want to know if anything seems blatantly wrong with this configuration at a glance; my eyes are tired from beating on the same problem in different ways at this point. I will be worrying about all the 802.1q work and VLSM after this is sorted out. Again, the moFi model is a 4500 model, and it really does seem that printing commands are showing the router is functioning as intended.
Thank you in advance!
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN {
            description "Leave this alone"
            network 192.168.3.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify WAN_WLB {
        rule 10 {
            action modify
            destination {
                group {
                    network-group LAN
                }
            }
            modify {
                table 25
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address (redacted)/30
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description LTE
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        mtu 1400
        speed auto
    }
    ethernet eth3 {
        address 192.168.3.1/24
        description (redacted)
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group FO {
        interface eth1 {
            route {
                default
            }
        }
        interface eth2 {
            failover-only
        }
    }
}
port-forward {
    (redacted)
    wan-interface eth1
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop (redacted) {
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name FMP {
            authoritative disable
            subnet 192.168.3.0/24 {
                lease 86400
                start 192.168.3.50 {
                    stop 192.168.3.50
                }
                static-mapping FMPS {
                    ip-address 192.168.3.50
                    mac-address bc:5f:f4:fe:76:05
                }
            }
        }
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
                (redacted)
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth3
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            log disable
            outbound-interface eth2
            outside-address {
            }
            protocol all
            type masquerade
        }
        rule 5001 {
            log disable
            outbound-interface eth1
            type masquerade
        }
    }
    ubnt-discover {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user (redacted) {
            authentication {
                (redacted)
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi disable
        export disable
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.0.4783374.150622.1540 */
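Two structural checks a reviewer would run over a config like the one posted, as an added example that is not part of the original post or of EdgeOS: it parses the brace-delimited config format into nested dicts, then reports modify rulesets that no interface attaches (EdgeOS applies them with `firewall in modify <name>` on the LAN-side interface) and load-balance member interfaces whose `in`/`local` firewall blocks name no ruleset. The embedded excerpt is constructed from the posted config (same names and values), and the parser is my own, assuming each leaf statement ends at a newline or a brace.

```python
import re

# Constructed excerpt of the EdgeOS config posted above, cut down to the blocks the checks read.
SAMPLE_CONFIG = """
firewall {
  modify WAN_WLB { rule 10 { action modify
                             modify { table 25 } } }
  name WAN_IN { default-action drop }
}
interfaces {
  ethernet eth1 { firewall { in { name WAN_IN } local { name WAN_LOCAL } } }
  ethernet eth2 { address dhcp
                  firewall { in { } local { } } }
}
load-balance { group FO { interface eth1 { route { default } }
                          interface eth2 { failover-only } } }
"""

def parse(text):
    """Parse Vyatta/EdgeOS 'key value { ... }' text into nested dicts (a leaf ends at a newline or brace)."""
    root = cur = {}
    stack, buf = [], []
    for tok in re.findall(r'"[^"]*"|\{|\}|\n|[^\s{}]+', text):
        if tok == "{":                       # open a block named by the buffered tokens
            stack.append(cur)
            cur = cur.setdefault(" ".join(buf), {})
            buf = []
        elif tok in ("}", "\n"):             # flush a pending leaf; '}' also closes the block
            if buf:
                cur[buf[0]], buf = " ".join(buf[1:]), []
            if tok == "}":
                cur = stack.pop()
        else:
            buf.append(tok)
    return root

def unapplied_modify_rulesets(cfg):
    """Modify rulesets defined under firewall that no interface attaches via 'firewall in modify'."""
    defined = {k.split()[1] for k in cfg.get("firewall", {}) if k.startswith("modify ")}
    applied = {i.get("firewall", {}).get("in", {}).get("modify")
               for i in cfg.get("interfaces", {}).values()}
    return sorted(defined - applied)

def unfiltered_lb_interfaces(cfg):
    """Load-balance member interfaces whose 'in' or 'local' firewall names no ruleset."""
    members = {k.split()[1] for g in cfg.get("load-balance", {}).values()
               for k in g if k.startswith("interface ")}
    ifaces = {k.split()[1]: v for k, v in cfg.get("interfaces", {}).items()}
    return [(n, d) for n in sorted(members) for d in ("in", "local")
            if "name" not in ifaces.get(n, {}).get("firewall", {}).get(d, {})]
```

On the excerpt this reports WAN_WLB as unattached and eth2 as having no `in` or `local` ruleset, which is exactly what the posted config shows for the failover WAN.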