I'm fairly new to UBNT hardware, but I've managed to set up my basic network with only a couple of problems. I fixed everything but one issue, and I couldn't find anything on the Internet that worked for me. I have an EdgeRouter X with eth0 set to WAN and eth1 to eth4 set to switch0. I have a UniFi AP AC Lite plugged into eth4, with PoE passthrough. On the AP there are 2 WLANs: one is for my home devices and the other is a guest WLAN. I created a VLAN on the ER-X with ID 2 and assigned it to switch0 on eth4. I also created 2 DHCP servers, for 192.168.1.0/24 and 192.168.2.0/24, and set up DNS forwarding on both switch0 and switch0.2. The AP correctly sees the VLAN and assigns devices to the right LAN, with my home devices on 192.168.1.x and guest devices on 192.168.2.x. My goal is to block all traffic from the guest VLAN to my home LAN but allow traffic to a few specific devices on the LAN (e.g. the printer). From what I have learned, by default the ER-X should allow traffic between VLANs, but that doesn't seem to be the case for me. I have my desktop PC on the LAN and I can ping all devices on the LAN. However, once I move one of these devices to the guest VLAN I cannot ping it anymore from my PC, unless I connect the PC to the guest VLAN as well. Here's my router config:
/* Firewall: only the two WAN rulesets below are defined, and neither is attached to switch0 or switch0.2 (see the interfaces section), so guest-VLAN to LAN traffic is not filtered by this section at all. */
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Internet to internal hosts: accept established/related, drop invalid, everything else dropped by default. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Internet to the router itself: same stateful pattern with default drop, so no router service (GUI, SSH, DNS) answers on the WAN side while this stays attached to pppoe 0. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
/* TCP MSS clamped to 1412 to go with the 1492 PPPoE MTU set under interfaces. */
mss-clamp {
mss 1412
}
}
receive-redirects disable
/* NOTE(review): the router will emit ICMP redirects; confirm this is intended rather than a wizard default. */
send-redirects enable
/* NOTE(review): reverse-path source validation is off; with two internal subnets it is worth confirming this is deliberate. */
source-validation disable
syn-cookies enable
}
/* Interfaces: eth0 is the PPPoE uplink; eth1-eth4 are switched into switch0 (LAN, 192.168.1.0/24); VLAN 2 (guest, 192.168.2.0/24) is carried on eth4 only. */
interfaces {
/* Physical WAN port. The 192.168.0.2/24 address is only for reaching the modem (see NAT rule 5011); Internet traffic rides the PPPoE session. */
ethernet eth0 {
address 192.168.0.2/24
description "Internet (PPPoE)"
duplex auto
/* Both WAN firewall rulesets are bound to the PPPoE session, not to eth0 itself. */
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto
/* ISP credentials, redacted in this paste. */
password XXXX
user-id XXXX
}
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
/* eth4 feeds the access point and passes PoE through to it. */
ethernet eth4 {
description Local
duplex auto
poe {
output pthru
}
speed auto
}
loopback lo {
}
/* LAN switch. No "firewall" node is attached here or under vif 2, so traffic between switch0 and switch0.2 is routed with no filtering in either direction. */
switch switch0 {
address 192.168.1.1/24
description Local
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
/* eth4 is the only port carrying VLAN 2 (presumably tagged toward the AP's guest WLAN). */
interface eth4 {
vlan {
vid 2
}
}
vlan-aware enable
}
/* Router-side interface for VLAN 2 (switch0.2); guest clients use 192.168.2.1 as gateway and DNS server. */
vif 2 {
address 192.168.2.1/24
description "Guest Network"
mtu 1500
}
}
}
/* Services: DHCP for both subnets, DNS forwarding on LAN and guest, web GUI, NAT and SSH. */
service {
dhcp-server {
disabled false
hostfile-update disable
/* Guest pool. NOTE(review): "authoritative disable" here versus "enable" on the LAN scope looks like an unintended inconsistency. */
shared-network-name Guests {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.50 {
stop 192.168.2.200
}
}
}
/* LAN pool with fixed addresses for the desktop, printer and AP (MACs redacted). */
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.50 {
stop 192.168.1.200
}
static-mapping Desktop {
ip-address 192.168.1.20
mac-address XXXX
}
/* The host the poster wants to stay reachable from the guest VLAN once guest-to-LAN traffic is restricted. */
static-mapping Printer {
ip-address 192.168.1.30
mac-address XXXX
}
static-mapping Unifi-AP-AC-Lite {
ip-address 192.168.1.10
mac-address XXXX
}
}
}
use-dnsmasq disable
}
/* DNS forwarder answers on both the LAN and the guest VLAN interfaces. */
dns {
forwarding {
cache-size 150
listen-on switch0
listen-on switch0.2
}
}
/* Web GUI on 80/443. NOTE(review): nothing filters switch0.2 local traffic, so guest clients can reach this too; "older-ciphers enable" re-enables legacy TLS cipher suites, which weakens the GUI's TLS -- confirm it is still needed. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
/* Source NAT for everything leaving the PPPoE session (no source filter, so both 192.168.1.0/24 and 192.168.2.0/24 are covered). */
rule 5010 {
description "masquerade for WAN"
outbound-interface pppoe0
type masquerade
}
/* Lets LAN hosts reach the modem's own 192.168.0.0/24 network via eth0; only 192.168.1.0/24 is matched, so guest hosts are not NATed toward the modem. */
rule 5011 {
description modem
destination {
address 192.168.0.0/24
}
log disable
outbound-interface eth0
protocol all
source {
address 192.168.1.0/24
}
type masquerade
}
}
/* SSH on the default port; like the GUI it is reachable from the guest VLAN as configured. */
ssh {
port 22
protocol-version v2
}
}
/* System: host name, the single admin account (hash redacted), upstream resolvers (redacted), NTP against the ubnt pool, syslog levels and time zone. */
system {
host-name Edgerouter
login {
/* Admin-level account; the only local user shown in the paste. */
user XXXX {
authentication {
encrypted-password XXXX.
}
level admin
}
}
name-server XXXX
name-server XXXX
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
/* Protocol messages at debug, everything else at notice. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone XXXX
}
/* Smart-queue QoS shaping the DSL link to 16 Mbit down / 1 Mbit up. NOTE(review): wan-interface is eth0 while the Internet session is pppoe 0 -- confirm the shaper is applied where intended. */
traffic-control {
smart-queue DSL {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 16mbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 1mbit
}
wan-interface eth0
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */
I'm not sure if I'm encountering a bug or there's something I misunderstood. I followed the basic wizard and didn't really mess with the router much other than enabling QoS. What can I do to fix this?