ER-X Masquerade issue with pure switching configured

Hello, fellow Ubiquiti guys.

This is the first time I post into this forum, so please don't be mad if anything is wrong.

I come from the Mikrotik world, trying to get accustomed to the UBNT way of doing things. Needless to say, I expect the ER-X which I bought this week to sing and dance the Mikrotik way, unfortunately. :)

So the question I have has arisen based on the extensive trial and error method.

Basically my ISP provides a plain connection and IP address via DHCP without a VLAN tag. On top of that I get VLAN6 for IPTV STBs and VLAN5 for VOIP. I want to set up the ER-X to act as a router with some VLANs, without using any software bridges. The requirements are:

a) to carry VLAN5 and VLAN6 over from the ISP trunk on the WAN side (eth4) to the VLAN trunk on the LAN side (eth0) for further consumption by the STBs and VOIP phones connected to the switches further down the line;

b) To create some local VLANs on the LAN side trunk (VLAN10, VLAN15, VLAN20, VLAN21, VLAN99);

c) To create access ports for VLAN10 on eth1;

d) To create access port for VLAN15 on eth2;

e) To create access port for VLAN6 on eth3.

I have managed to implement all the required steps using the internal switch0 interface without utilizing any firewall rules yet, BUT one big issue occurred: the traffic will not pass the ER-X on the access ports eth1 / eth2. If I hook up the DNS listener to switch0.10 (eth1 access port) or switch0.15 (eth2 access port) I am able to resolve DNS addresses by issuing nslookup, dig and similar tools. The STB hooked up to eth3, which is an access port to the ISP-supplied VLAN6, works fine.

The question is: have I stumbled upon a bug or a limitation of the ER-X SoC? I have all this set up on a Mikrotik RB850GX2 without using bridges, a pure switch configuration, and it works OK, but I need the hardware NAT capabilities provided by the ER-X. Also I am reluctant to use a software bridge based on my experience with the RB850GX2, where the TV channels start to stutter heavily if there is heavy NATing happening when soft-bridges are utilized. If anyone has a similar configuration implemented I would love to get some help.

Configuration:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.55.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Internet
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address dhcp
        description "Master Switch IF"
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 10
                    vid 5
                    vid 6
                    vid 15
                    vid 20
                    vid 21
                    vid 99
                }
            }
            interface eth2 {
                vlan {
                    pvid 15
                    vid 5
                    vid 6
                    vid 10
                    vid 20
                    vid 21
                    vid 99
                }
            }
            interface eth3 {
                vlan {
                    pvid 6
                    vid 5
                    vid 10
                    vid 15
                    vid 20
                    vid 21
                    vid 99
                }
            }
            interface eth4 {
                vlan {
                    vid 5
                    vid 6
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 10.10.10.1/24
            description "VLAN10 Native"
            mtu 1500
        }
        vif 15 {
            address 10.10.15.1/24
            description "VLAN15 Storage"
            mtu 1500
        }
        vif 20 {
            address 10.20.20.1/24
            description "VLAN20 Management"
            disable
            mtu 1500
        }
        vif 21 {
            address 10.21.21.1/24
            description "VLAN21 Reserved"
            mtu 1500
        }
        vif 99 {
            address 172.25.5.1/24
            description "VLAN99 VPN"
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0.10
    lan-interface switch0.15
    lan-interface switch0.20
    lan-interface switch0.21
    lan-interface switch0.99
    wan-interface switch0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name dhcp_vlan10 {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 10.10.10.1
                dns-server 212.59.2.2
                lease 86400
                start 10.10.10.20 {
                    stop 10.10.10.39
                }
            }
        }
        shared-network-name dhcp_vlan15 {
            authoritative disable
            subnet 10.10.15.0/24 {
                default-router 10.10.15.1
                dns-server 10.10.15.1
                lease 86400
                start 10.10.15.20 {
                    stop 10.10.15.39
                }
            }
        }
        shared-network-name dhcp_vlan20 {
            authoritative disable
            disable
            subnet 10.20.20.0/24 {
                default-router 10.20.20.1
                dns-server 10.20.20.1
                lease 86400
                start 10.20.20.20 {
                    stop 10.20.20.39
                }
            }
        }
        shared-network-name dhcp_vlan21 {
            authoritative disable
            subnet 10.21.21.0/24 {
                default-router 10.21.21.1
                dns-server 10.21.21.1
                lease 86400
                start 10.21.21.20 {
                    stop 10.21.21.39
                }
            }
        }
        shared-network-name dhcp_vlan99 {
            authoritative disable
            subnet 172.25.5.0/24 {
                default-router 172.25.5.1
                dns-server 172.25.5.1
                lease 86400
                start 172.25.5.10 {
                    stop 172.25.5.19
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0.10
            listen-on switch0.15
            listen-on switch0.21
            listen-on switch0.99
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface switch0
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user darius {
            authentication {
                encrypted-password *removed*
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


Thanks!
Darius.
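An added example, not code from the original post or from Ubiquiti: a small Python audit that parses the EdgeOS brace config format shown above and checks two things worth confirming in a setup like this one, namely that every interface named under port-forward is actually defined, and that the interface the masquerade rule is bound to (the WAN side) also has 'in' and 'local' firewall rulesets attached. The parse(), defined_interfaces() and audit() functions and the SAMPLE config are constructed for this example and are not part of any EdgeOS tooling.

```python
# Added audit example (not from the post, not Ubiquiti code): parse the EdgeOS brace
# config format and check that port-forward interfaces exist and that the masquerade
# (WAN) interface also carries 'in' and 'local' firewall rulesets, as in the post.
def parse(text):
    """'key value {' opens a child dict; 'key value' becomes a leaf list, so repeated
    keys such as 'vid 5' / 'vid 6' or several 'lan-interface' lines are all kept."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line:
            key, _, val = line.partition(" ")
            stack[-1].setdefault(key, []).append(val.strip().strip('"'))
    return stack[0]

def defined_interfaces(cfg):
    """Interface names plus VLAN sub-interfaces: switch0 with 'vif 10' yields switch0.10."""
    names = set()
    for blk, node in cfg["interfaces"].items():
        name = blk.split()[1]
        names.add(name)
        names |= {f"{name}.{v.split()[1]}" for v in node if v.startswith("vif ")}
    return names

def audit(text):
    cfg, findings = parse(text), []
    defined, pf = defined_interfaces(cfg), cfg.get("port-forward", {})
    refs = pf.get("lan-interface", []) + pf.get("wan-interface", [])
    findings += [f"undefined interface referenced: {r}" for r in refs if r not in defined]
    for rname, rule in cfg.get("service", {}).get("nat", {}).items():
        if rule.get("type") == ["masquerade"]:
            wan = rule["outbound-interface"][0]
            blk = next(n for b, n in cfg["interfaces"].items() if b.split()[1] == wan)
            for hook in ("in", "local"):
                if hook not in blk.get("firewall", {}):
                    findings.append(f"{rname}: masquerade on {wan} but no '{hook}' firewall ruleset")
    return findings

# Constructed sample in the post's layout; switch0.30 and the 'local' hook are left out on purpose.
SAMPLE = "\n".join([
    "firewall {", " name WAN_IN {", "  default-action drop", " }", "}",
    "interfaces {", " switch switch0 {", "  address dhcp", "  firewall {", "   in {", "    name WAN_IN",
    "   }", "  }", "  vif 10 {", "   address 10.10.10.1/24", "  }", " }", "}",
    "port-forward {", " lan-interface switch0.10", " lan-interface switch0.30", " wan-interface switch0", "}",
    "service {", " nat {", "  rule 5010 {", "   outbound-interface switch0", "   type masquerade", "  }", " }", "}",
])
```

Running audit() on the full configuration from the post (pasted into a string) reports nothing for either check, since switch0 carries both WAN_IN and WAN_LOCAL and every lan-interface has a matching vif.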
