You should use something like
set interfaces switch switch0 vif XX firewall in modify express_vpn_route
Once the firewall modify ruleset has been correctly created ..
Cheers,
jonatha
828a6788a539809103bd42d121634211 /dev/mtdblock2
I have updated the bootloader blog post with more details to include this information.
In the future, rather than using the old script to update the bootloader, we will release a new bootloader version for devices and you will be able to use:
add system boot-image ...
Then using show system boot-image will show the active bootloader version rather than "UNKNOWN".
wrote: For the NAT rules, switch0 isn't your LAN interface, switch0.1 is
So, if your theory is correct, then this should work:
I just changed that, and asked the client to test again.
Makes sense, since VLAN 1 is the default... but then that should be incorporated in the WebUI!
wrote: ER-PoE5 won't be able to do QoS at 100Mb/s
If you end up with 100% CPU, you might be better off without QoS
I normally set QoS bandwidth at 85...90% of link speed.
Thanks, I'll give this a try now.
By default, it is in routed mode, with its own address space, but what you ask... yes, it is possible (even if personally I hate software bridges...).
Take a look here.
Cheers,
jonatha
Thank you very much!
What is the purpose of the SIP conntrack helper? If it is needed to keep track of the ports in use so that the firewall doesn't get in the way, I might need it.
I'll try it tomorrow and see what happens ...
Scenario:
Edgerouter 8pro <-> Edgerouter 8pro
Route-based site-to-site IPsec VPN.
Multiple outside IPs on both sides.
Unable to establish the VTI connection.
It always wants to use the 'default' outbound IP instead of the one specified in the site-to-site configuration.
Testing environment:
(Configurations from the Edgerouter 8Pros have been adapted to the Edgerouter 4s below.)
Edgerouter 4 (eth0 - site A) <-> Edgerouter Lite (eth0) <> (eth2) <-> Edgerouter 4 (eth0 - site B)

SITE A:
  ISP link:        12.x.x.234/30 <-------> 12.x.x.233/30 (Edgerouter Lite eth0)
  12.x.x.226/27    primary outbound
  12.x.x.227/27
  12.x.x.229/27    site-to-site
  10.254.254.1/30  (vti0)

Internet: Edgerouter Lite (eth0) <> (eth2)

SITE B:
  ISP link:        (Edgerouter Lite eth2) 157.x.x.1/24 <-> 157.x.x.63/24
  157.x.x.227      primary outbound
  157.x.x.228
  157.x.x.229      site-to-site
  10.254.254.2/30  (vti0)

SITE A: tcpdump = IP 12.x.x.226.500 > 157.x.x.139.500: isakmp: parent_sa ikev2_init[I]
SITE B: tcpdump = IP 157.x.x.137.500 > 12.x.x.229.500: isakmp: parent_sa ikev2_init[1]
This is all I get. It's supposed to go out 12.x.x.229 but it is not. How can I force this to go out the .229 and .139 (respective) interfaces?
The Edgerouter Lite has very little config (to let all traffic flow between interfaces... aka the internet).
I've followed:
https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN
but that's a single outside address <-> single outside address
I can include the relevant configs (sanitized) if needed... (it would take a ton of effort as there are >2300 lines).
switch0 is hardware, bridge0 is software, so use switch0.1 for VLAN 1.
I normally use CLI, and checked GUI: All my VLANs on switch0 are available on both port forward and nat tab
Add /32 routes for ipsec peer IP, to force VPN to use proper WAN link
The SIP helper aims at allowing SIP (and RTP) through NAT... but for most devices it isn't needed, and the helper only makes matters worse.
So...
peer IP/32 {
local address IP/32
?
commit failed.
wrote: switch0 is hardware, bridge0 is software, so use switch0.1 for VLAN 1.
I normally use CLI, and checked GUI: All my VLANs on switch0 are available on both port forward and nat tab
Well, I have to use br0, because I have eth1 + switch0 for the LAN (eth1 downlinked to a non-PoE switch, 3 switch ports for APs).
I know this isn't ideal... but it happened historically. I already told the client to invest in a 24 or 48-port PoE switch, so everything can be connected to that one, and the need for bridging in software on the router will disappear.
Also, that client doesn't have any VLANs, because they didn't need a guest network or other segment/subnet.
Use:
set vpn ipsec site-to-site peer REMOTE_WAN_IP local-address DESIRED_LOCAL_WAN_IP
Like this:
At site A:
I don't have a dNAT rule for eth0. How are these supposed to be configured between source/destination/translation?
I do have that (Peer and Local). But also... I'm not using a policy-based configuration but rather route-based.
My first objective is to get the site-to-site connection up before I even bother with the routes.
Example:
set protocols static interface-route x.x.x.x/16 next-hop-interface vti0
So... anything going to x.x.x.x/16 would go out the S2S VPN.
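Pulling together the pieces suggested in this thread (a /32 route to the peer to pin the WAN link, local-address on the peer so IKE binds to the intended WAN address, and the interface-route via vti0), the following is an added example of a site A configuration; it is not a config anyone posted in the thread. It uses the thread's sanitized addresses (12.x.x.229 as the local site-to-site address, 157.x.x.229 as the peer, 12.x.x.233 as the ISP next hop) plus assumed names and values that must be replaced: group name FOO0, a placeholder pre-shared key, a remote LAN of 192.168.2.0/24 and the IKEv2/AES/SHA-256/DH-14 proposals. Two things worth checking before blaming the VPN config: 12.x.x.229/27 must actually be configured on eth0 (local-address has to be one of eth0's addresses), and the WAN_LOCAL firewall ruleset must accept UDP 500/4500 and ESP to that address, not only to the primary one. The /32 route only chooses the link; it is local-address that chooses the source address the tcpdump shows.

```text
# Site A (Edgerouter 4, eth0 = WAN). Site B is the mirror image with the
# addresses swapped (peer 12.x.x.229, local-address 157.x.x.229, vti0 10.254.254.2/30).
# ASSUMED: FOO0, the PSK placeholder, 192.168.2.0/24 and the proposals are not from the thread.
configure

# Pin the path to the peer to the eth0 link (the /32 route suggested above).
set protocols static route 157.x.x.229/32 next-hop 12.x.x.233

# IKEv2 (the tcpdump above shows ikev2_init) and ESP policy.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha256

# Peer: local-address selects which of the eth0 addresses IKE/ESP are sourced from.
set vpn ipsec site-to-site peer 157.x.x.229 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 157.x.x.229 authentication pre-shared-secret REPLACE_WITH_LONG_RANDOM_PSK
set vpn ipsec site-to-site peer 157.x.x.229 connection-type initiate
set vpn ipsec site-to-site peer 157.x.x.229 ike-group FOO0
set vpn ipsec site-to-site peer 157.x.x.229 local-address 12.x.x.229
set vpn ipsec site-to-site peer 157.x.x.229 vti bind vti0
set vpn ipsec site-to-site peer 157.x.x.229 vti esp-group FOO0

# Route-based: the VTI carries the inner /30, static routes decide what enters the tunnel.
set interfaces vti vti0 address 10.254.254.1/30
set protocols static interface-route 192.168.2.0/24 next-hop-interface vti0

commit
save
exit

# Checks (operational mode)
show ip route 157.x.x.229                              # must resolve via eth0 / 12.x.x.233
show vpn ipsec sa                                      # expect an SA for the peer bound to vti0
sudo tcpdump -ni eth0 udp port 500 or udp port 4500    # source must now read 12.x.x.229, not .226
```

If the tcpdump still shows .226 as the source after this, the next thing to compare is `show vpn ipsec status` and `show vpn log` against the peer's view, since a mismatched local-address on either end will make each side reject the other's IKE_SA_INIT as coming from an unexpected address.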
Well binwalk tells me that it is basically a big endian JFFS2 file system. So that suggests unsurprisingly that it's a MIPS device. Had to install Jefferson to extract the JFFS2 file system.
Poking around in there I find the following
/usr/lib/dsl_sfp/drivers/libmetanoia.so
/usr/lib/package/setup/metanoia_fw.sh
/usr/lib/metanoia
/usr/lib/metanoia/metanoia-definitions.odl
/usr/lib/metanoia/metanoia.odl
/usr/lib/metanoia/firmware_package.b
/usr/lib/metanoia/metanoia-defaults.odl
/etc/init.d/metanoia
/etc/rc6.d/K20metanoia
/lib/modules/3.4.11-rt19/extra/metanoia_dyinggasp.ko
So we have a kernel module for handling dying gasp. A quick check with strings shows that it's GPL licensed so if it is not submitted upstream to the kernel we can ask for it. However you don't have to have dying gasp to make it work.
Poking about a bit more, firmware_package.b is the firmware, but binwalk tells me nothing, and it seems oddly small at only 860KB; but maybe I am just being ignorant here about how large the firmware file should be.
The whole lot is written by a firm called SoftAtHome that specializes in writing middleware for internet devices. They have this application called pcb_app (I think) that is called by /etc/init.d/dsl_sfp on entering runlevel 2 and that loads libmetanoia.so as a driver into the app. After taking a punt and installing the binutils-mips-linux-gnu package on my laptop, that is apparently an elf32-tradbigmips binary. Running objdump with -T would suggest that this is a program that communicates via the fabled Ethernet Boot Management protocol with a Metanoia SFP. At least there is a whole bunch of routines called things like:
mt_ebm_boot
ebm_task_cancel
mt_ebm_get_value_by_addr
ebm_get_value_by_mib
mt_ebm_get_value_by_mib
ebm_set_value_by_mib
mt_ebm_set_value_by_mib
ebm_get_type_from_str
mt_ebm_set_value_by_addr
ebm_get_type_from_str
mt_ebm_access_oid
There is also a routine called handle_downloadfw_metabin_withpacktool. A bit of Googling on packtool suggests the firmware might be XOR encrypted. There is a likely list of OIDs in there too; it seems the EBM might well be using SNMP.
Anyway, at this point my MIPS assembler knowledge is somewhat lacking for understanding the disassembly.
I would suggest the next step would be to ask for the source code for the metanoia_dyinggasp Linux kernel module.
Something like:
As you don't have a dNAT rule on WAN (eth0), you're using the port forward tab. First, try on that tab to add both eth1 and eth3 as LAN interfaces.
Ah okay, that is correct, I already added them as LAN interfaces.