
Re: ERX Wifi vlan routed to VPN connection


You should use something like

set interfaces switch switch0 vif XX firewall in modify express_vpn_route

Once the firewall modify ruleset has been correctly created ..

Cheers,

jonatha

 


Re: EdgeRouter X/X-SFP check bootloader version


That's correct, the units that ship with the updated bootloader from the factory show:

828a6788a539809103bd42d121634211  /dev/mtdblock2

 

I have updated the bootloader blog post with more details to include this information.

 

In the future, rather than using the old script to update the bootloader, we will release a new bootloader version for devices and you will be able to use:

add system boot-image ...

Then using show system boot-image will show the active bootloader version rather than "UNKNOWN".

Re: Hairpin NAT issues


 wrote:

For the NAT rules, switch0 isn't your LAN interface, switch0.1 is


So, if your theory is correct, then this should work:

NAT_hairpin.png

I just changed that, and asked the client to test again.
Makes sense, since VLAN1 is the default... but then that should be incorporated in the WebUI!

Re: VOIP issues


 wrote:

ER-PoE5 won't be able to do QoS at 100Mb/s

If you end up with 100% CPU, you might be better off without QoS

 

I normally set QoS bandwidth at 85...90% of link speed.


Thanks, I'll give this a try now.

Re: Question about OpenVPN instructions in UBNT help


By default, it is in routed mode, with its own address space, but, what you ask... yes, it is possible (even if personally I hate the software bridges ...)

Take a look here.

Cheers,

jonatha

Re: ER8Pro dropping SIP packets


Thank you very much!

 

What is the purpose of the SIP conntrack helper?  If it is needed to keep track of the ports in use so that the firewall doesn't get in the way, I might need it.

 

I'll try it tomorrow and see what happens ...

 

Route based site-to-site vpn edgerouter 8pro x2 not able to establish


Scenario:

Edgerouter 8pro <-> Edgerouter 8pro

route based site-to-site ipsec vpn

multiple outside IPs on both sides

 

 

Unable to establish vti connection.

always wants to use the 'default' outbound IP instead of the one specified in the site-to-site configuration.

 

 

Testing environment:

(Configurations from the Edgerouter 8Pros have been adapted to the Edgerouter 4s below)

Edgerouter 4 (eth0 - site A) <-> Edgerouter Lite (eth0) <> (eth2) <-> Edgerouter 4 (eth0 - site B)

 

SITE A                                 Internet                                   SITE B

12.x.x.234/30   ISP        <------->   12.x.x.233/30 (eth0) <> (eth2) 157.x.x.1/24   <->   157.x.x.63/24   ISP
12.x.x.226/27   primary outbound                                                           157.x.x.227     primary outbound
12.x.x.227/27                                                                              157.x.x.228
12.x.x.229/27   site-to-site                                                               157.x.x.229     site-to-site
10.254.254.1/30 (vti0)                                                                     10.254.254.2/30 (vti0)

 

 

SITE A:  tcpdump =  IP 12.x.x.226.500 > 157.x.x.139.500: isakmp: parent_sa ikev2_init[I]

SITE B:  tcpdump = IP 157.x.x.137.500 > 12.x.x.229.500: isakmp: parent_sa ikev2_init[1]

 

This is all I get. It's supposed to go out 12.x.x.229 but it is not. How can I force this to go out the .229 and .139 (respective) interface?

 

The Edgerouter Lite has very little config (to let all traffic flow between interfaces... aka the internet).

 

I've followed: 

https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN

but that's a single outside address <-> single outside address

 

I can include the relevant configs (sanitized) if needed... (it would take a ton of effort as there are >2300 lines)

 

 

Re: VOIP issues

Try disabling SIP helper module as well.

Re: Hairpin NAT issues


switch0 is hardware, bridge0 is software. So use switch0.1 for VLAN 1.

I normally use CLI, and checked GUI: all my VLANs on switch0 are available on both the port forward and NAT tab.

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish


Add /32 routes for ipsec peer IP, to force VPN to use proper WAN link

Re: ER8Pro dropping SIP packets


SIP helper aims at allowing SIP (and RTP) through NAT...but for most devices it isn't needed, and the helper only makes matters worse

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish


So...

peer IP/32 {
    local address IP/32
?

commit failed.

 

Re: Hairpin NAT issues


 wrote:

switch0 is hardware, bridge0 is software. So use switch0.1 for VLAN 1.

I normally use CLI, and checked GUI: all my VLANs on switch0 are available on both the port forward and NAT tab.


Well, I have to use br0, because I have eth1 + switch0 for the LAN (eth1 downlinked to a non-PoE switch, 3 switch ports for APs).

I know this isn't ideal... but it happened historically. Already told the client to invest in a 24 or 48p PoE switch, so everything can be connected to that one, and the need for bridging in software on the router will disappear.

Also, that client doesn't have any VLANs, because they didn't need a guest network or other segment/subnet.

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish


 

Use:

set vpn ipsec site-to-site peer REMOTE_WAN_IP local-address DESIRED_LOCAL_WAN_IP

 

Like this:

 

set vpn ipsec site-to-site peer 176.103.28.141 local-address 73.93.218.40

 

 

 

 

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish


At site A:

set protocols static route 157.x.x.63/32 next-hop 12.x.x.233

Re: NAT Reflection between eth1 and eth3


I don't have a dNAT rule for eth0, how are these supposed to be configured between source/destination/translation?

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish


I do have that (Peer and Local). But also... I'm not using a policy-based configuration but rather route-based.

 

My first objective is to get the site-to-site connection before I even bother with the routes.

 

example:

 

set protocols static interface-route x.x.x.x/16 next-hop-interface vti0

 

so... anything going to x.x.x.x/16 would go out the S2S VPN.
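As an added diagnostic, not part of the thread, the following Python script checks a capture against the config the way the replies above suggest: IKE traffic to each peer should leave from the configured local-address, and a /32 route for the peer should pin it to the right WAN link. The config lines, tcpdump lines and addresses are constructed (documentation ranges) since the thread's real ones are sanitized.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed EdgeOS-style config: peer set with local-address but only a default
# route (the thread's starting point), and the same config after adding the /32.
CONFIG_BEFORE = """
set vpn ipsec site-to-site peer 198.51.100.63 local-address 192.0.2.229
set protocols static route 0.0.0.0/0 next-hop 192.0.2.233
"""
CONFIG_AFTER = CONFIG_BEFORE + "set protocols static route 198.51.100.63/32 next-hop 192.0.2.233\n"

# Constructed tcpdump lines in the shape quoted in the thread.
CAPTURE_BAD = "IP 192.0.2.226.500 > 198.51.100.63.500: isakmp: parent_sa ikev2_init[I]\n"
CAPTURE_OK = "IP 192.0.2.229.500 > 198.51.100.63.500: isakmp: parent_sa ikev2_init[I]\n"

IKE_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.500 > (\d+(?:\.\d+){3})\.500: isakmp")


def parse_peers(config):
    """Map each site-to-site peer to its configured local-address."""
    return dict(re.findall(r"site-to-site peer (\S+) local-address (\S+)", config))


def parse_routes(config):
    """Static routes as (network, next-hop) pairs."""
    return [(ip_network(n), nh) for n, nh in re.findall(r"static route (\S+) next-hop (\S+)", config)]


def best_route(routes, dst):
    """Longest-prefix match, as the kernel chooses: a /32 for the peer beats the default."""
    hits = [r for r in routes if ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def check_ike(config, capture):
    """Return findings; an empty list means IKE leaves as configured."""
    peers, routes, findings = parse_peers(config), parse_routes(config), []
    for src, dst in IKE_RE.findall(capture):
        want = peers.get(dst)
        if want is None:
            continue  # not one of our configured peers
        if src != want:
            findings.append(f"IKE to {dst} left from {src}, configured local-address is {want}")
        route = best_route(routes, dst)
        if route is None or route[0].prefixlen != 32:
            findings.append(f"no /32 route for peer {dst}: set protocols static route {dst}/32 next-hop <WAN next-hop>")
    return findings


if __name__ == "__main__":
    for line in check_ike(CONFIG_BEFORE, CAPTURE_BAD):
        print(line)
```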

 

 

Re: Support for g.fast SPF


Well binwalk tells me that it is basically a big endian JFFS2 file system. So that suggests unsurprisingly that it's a MIPS device. Had to install Jefferson to extract the JFFS2 file system.

 

Poking around in there I find the following

 

 

/usr/lib/dsl_sfp/drivers/libmetanoia.so
/usr/lib/package/setup/metanoia_fw.sh
/usr/lib/metanoia
/usr/lib/metanoia/metanoia-definitions.odl
/usr/lib/metanoia/metanoia.odl
/usr/lib/metanoia/firmware_package.b
/usr/lib/metanoia/metanoia-defaults.odl
/etc/init.d/metanoia
/etc/rc6.d/K20metanoia
/lib/modules/3.4.11-rt19/extra/metanoia_dyinggasp.ko

 

 

So we have a kernel module for handling dying gasp. A quick check with strings shows that it's GPL licensed so if it is not submitted upstream to the kernel we can ask for it. However you don't have to have dying gasp to make it work.

 

Poking about a bit more and firmware_package.b is the firmware but binwalk tells me nothing, and it seems oddly small at only 860KB, but maybe I am just being ignorant here about how large the firmware file should be.

 

The whole lot is written by a firm called SoftAtHome that specializes in writing middleware for internet devices. They have this application called pcb_app (I think) that is called by /etc/init.d/dsl_sfp on entering runlevel 2 and that loads libmetanoia.so as a driver into the app. After taking a punt and installing the binutils-mips-linux-gnu package on my laptop, that is apparently an elf32-tradbigmips binary. Running objdump with -T would suggest that this is a program that communicates via the fabled Ethernet Boot Management protocol with a Metanoia SFP. At least there is a whole bunch of routines called things like

 

 

mt_ebm_boot
ebm_task_cancel
mt_ebm_get_value_by_addr
ebm_get_value_by_mib
mt_ebm_get_value_by_mib
ebm_set_value_by_mib
mt_ebm_set_value_by_mib
ebm_get_type_from_str
mt_ebm_set_value_by_addr
ebm_get_type_from_str
mt_ebm_access_oid

 

 

There is also a routine called handle_downloadfw_metabin_withpacktool. A bit of Googling on packtool suggests the firmware might be XOR encrypted. There is a likely list of OIDs in there too; it seems the EBM might well be using SNMP.

 

Anyway, at this point my MIPS assembler is somewhat lacking to understand the disassembly.

 

I would suggest the next step would be to ask for the source code for the metanoia_dyinggasp Linux kernel module.

 

Re: NAT Reflection between eth1 and eth3


Something like:

 

set service nat rule 10 description Reflection
set service nat rule 10 destination address 98.x.x.x
set service nat rule 10 destination port 80
set service nat rule 10 inbound-interface eth1
set service nat rule 10 inside-address address 192.168.2.1
set service nat rule 10 log disable
set service nat rule 10 protocol tcp
set service nat rule 10 type destination

As you don't have a dNAT rule on WAN (eth0), you're using the port forward tab. First try on that tab to add both eth1 and eth3 as LAN interfaces.

Re: NAT Reflection between eth1 and eth3


Ah okay, that is correct, I already added them as LAN interfaces.
