You should use something like
set interfaces switch switch0 vif XX firewall in modify express_vpn_route
Once the firewall modify ruleset has been correctly created ..
Cheers,
jonatha
↧
Re: ERX Wifi vlan routed to VPN connection
↧
Re: EdgeRouter X/X-SFP check bootloader version
828a6788a539809103bd42d121634211 /dev/mtdblock2
I have updated the bootloader blog post with more details to include this information.
In the future, rather than using the old script to update the bootloader, we will release a new bootloader version for devices and you will be able to use:
add system boot-image ...
Then using show system boot-image will show the active bootloader version rather than "UNKNOWN".
↧
↧
Re: Hairpin NAT issues
wrote: For the NAT rules, switch0 isn't your LAN interface , switch0.1 is
So, if your theory is correct, then this should work:
I just changed that, and asked the client to test again.
Makes sense, since VLAN1 is the default.. but then that should be incorporated in the WebUI!
↧
Re: VOIP issues
wrote: ER-PoE5 won't be able to do QoS at 100Mb/s
If you end up with 100% CPU, you might be better off without QoS
I normally set QoS bandwidth at 85...90% of link speed.
Thanks, I'll give this a try now.
↧
Re: Question about OpenVPN instructions in UBNT help
By default, is in routed mode, with its own address space, but, what you ask...yes, it is possible (even if personally I hate the software bridges ... 
)
Take a look here.
Cheers,
jonatha
↧
↧
Re: ER8Pro dropping SIP packets
Thank you very much!
What is the purpose of the SIP conntrack helper? If it is needed to keep track of the ports in use so that the firewall doesn't get in the way, I might need it.
I'll try it tomorrow and see what happens ...
↧
Route based site-to-site vpn edgerouter 8pro x2 not able to establish
Scenario:
Edgerouter 8pro <-> Edgerouter 8pro
route based site-to-site ipsec vpn
multiple ourside IPs on both sides
Unable to establish vti connection.
always wants to use the 'default' outbound IP instead of the one specified in the site-to-site configuration.
Testing environment:
Configurations from the Edgerouter 8Pros have been adapted to the Edgerouter 4s below)
Edgerouter 4 (eth0 - site A) <-> Edgerouter Lite (eth0) <> (eth2) <-> Edgerouter 4 (eth0 - site B)
SITE A Internet SITE B
12.x.x.234/30 ISP <-------> 12.x.x.233/30 (eth0) <> (eth2) 157.x.x.1/24 <-> 157.x.x.63/24 ISP
12.x.x.226/27 primary outbound 157.x.x.227 primary outbound
12.x.x.227/27 157.x.x.228
12.x.x.229/27 site-to-site 157.x.x.229 site-to-site
10.254.254.1/30 (vti0) 10.254.254.2/30 (vti0)
SITE A: tcpdump = IP 12.x.x.226.500 > 157.x.x.139.500: isakmp: parent_sa ikev2_init[I]
SITE B: tcpdump = IP 157.x.x.137.500 > 12.x.x.229.500: isakmp: parent_sa ikev2_init[1]
This is all I get. It's suppose to go out 12.x.x.229 but it is not. how can I force this to go our .229 and .139 (respective) interface?
The Edgerouter lite has very little config (to let all traffic flow between interfaces...(aka the internet)
I've followed:
https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN
but that's a single outside address <-> single outside address
I can include the relevant configs (sanitized) if needed...(it would take a ton of effort as there >2300 lines)
↧
Re: VOIP issues
Try disabling SIP helper module as well.
↧
Re: Hairpin NAT issues
switch0 is hardware , bridge0 is software. so use switch0.1 for vlan1
I normally use CLI, and checked GUI: All my VLANs on switch0 are available on both port forward and nat tab
↧
↧
Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish
Add /32 routes for ipsec peer IP, to force VPN to use proper WAN link
↧
Re: ER8Pro dropping SIP packets
SIP helper aims at allowing SIP (and RTP) through NAT...but for most devices it isn't needed, and the helper only makes matters worse
↧
Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish
So...
peer IP/32 {
local address IP/32
?
commit failed.
↧
Re: Hairpin NAT issues
wrote: switch0 is hardware , bridge0 is software. so use switch0.1 for vlan1
I normally use CLI, and checked GUI: All my VLANs on switch0 are available on both port forward and nat tab
Well, I have to use br0, bc I have eth1 + switch0 for the LAN (eth1 downlinked to non-PoE switch, 3 switch ports for APs).
I know this isn't ideal... but it happened historically. Already told the client to invest in a 24 or 48p PoE switch, so everything can be connected to that one, and the need for bridging in software on the router will disappear.
Also that client doesn't have any VLANs, bc they didn't need a guest-network or other segment/subnet.
↧
↧
Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish
Use:
set vpn ipsec site-to-site peer REMOTE_WAN_IP local-address DESIRED_LOCAL_WAN_IP
Like this:
↧
Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish
At site A:
↧
Re: NAT Reflection between eth1 and eth3
I don't have a dNAT rule for eth0, how are these supposed to be configured between source/destination/translation?
↧
Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish
I do have that (Peer and Local). But also..I'm not using a policy based configuration but rather route based.
My first objective is to get the site-to-site connection before I even bother with the routes.
example:
set protocols static interface-route x.x.x.x/16 next-hop-interface vti0
so..anyting going to x.x.x.x/16 would go out the S2S VPN.
↧
↧
Re: Support for g.fast SPF
Well binwalk tells me that it is basically a big endian JFFS2 file system. So that suggests unsurprisingly that it's a MIPS device. Had to install Jefferson to extract the JFFS2 file system.
Poking around in there I find the following
/usr/lib/dsl_sfp/drivers/libmetanoia.so /usr/lib/package/setup/metanoia_fw.sh /usr/lib/metanoia /usr/lib/metanoia/metanoia-definitions.odl /usr/lib/metanoia/metanoia.odl /usr/lib/metanoia/firmware_package.b /usr/lib/metanoia/metanoia-defaults.odl /etc/init.d/metanoia /etc/rc6.d/K20metanoia /lib/modules/3.4.11-rt19/extra/metanoia_dyinggasp.ko
So we have a kernel module for handling dying gasp. A quick check with strings shows that it's GPL licensed so if it is not submitted upstream to the kernel we can ask for it. However you don't have to have dying gasp to make it work.
Poking about a bit more and firmware_package.b is the firmware but binwalk tells me nothing, and it seems oddly small at only 860KB, but maybe I am just being ignorant here about how large the firmware file should be.
The whole lot is written by a firm called SoftAtHome that specializes in writing middleware for internet devices. They have this application called pcb_app (I think) that is called by /etc/init.d/dsl_sfp on entering runlevel 2 that loads libmetanoia.so as a driver into the app. After taking a punt and installing the binutils-mips-linux-gnu package on my laptop that is apparently a elf32-tradbigmips binary. Runing objdump with -T would suggest that this a a program that communicates via the fabled Ethernet Boot Management protocol with a Metanoia SFP. At least there is a whole bunch of routines called things like
mt_ebm_boot ebm_task_cancel mt_ebm_get_value_by_addr ebm_get_value_by_mib mt_ebm_get_value_by_mib ebm_set_value_by_mib mt_ebm_set_value_by_mib ebm_get_type_from_str mt_ebm_set_value_by_addr ebm_get_type_from_str mt_ebm_access_oid
There is also a routine called handle_downloadfw_metabin_withpacktool. A bit of Googling on packtool suggests the firmware might be XOR encrypted. There is a likely list of OID's in there too, seems the EBM might well be using SNMP.
Anyway at this point my MIPS assembler is some lacking to understand the disassembly.
I would suggest the next step would be to ask for the source code for the metanoia_dyinggasp Linux kernel module.
↧
Re: NAT Reflection between eth1 and eth3
Something like:
set service nat rule 10 destination address 98.x.x.x.
set service nat rule 10 destination port 80
set service nat rule 10 inbound-interface eth1
set service nat rule 10 inside-address address 192.168.2.1
set service nat rule 10 log disable
set service nat rule 10 protocol tcp
set service nat rule 10 type destination
As you don't have a dNAT rule on WAN (eth0), you're using port forward tab. First try on that tab to add both eth1 and eth3 as LAN interfaces
↧
Re: NAT Reflection between eth1 and eth3
Ah okay, that is correct, I already added them as LAN interfaces.
↧