If eth4 is disconnected, the ETH4 interface is down, and its IP address might become unreachable as a result.
If you can't route between VLANs, look into issue #10
https://community.ubnt.com/t5/EdgeMAX/Known-Issues-of-EdgeMax-Series/td-p/1805816
Did I technically create VLANs by using a switch and different subnets? I didn't define any explicitly within the switch config...
sudo apt-get update; sudo apt-get upgrade edgeos-dnsmasq-blacklist
These IP addresses (172.16.99.3 and 172.16.99.4) overlap; you cannot use the same network space on two different routed interfaces.
Cheers,
jonatha
The default-route seems via 192.168.2.1 ...
No, you did not create proper VLANs -- you've put multiple addresses onto a single interface (switch0), but this does not constitute a VLAN configuration.
Is your intention to set up VLANs? If so, you should do the following:
- Before you begin the process, make sure you can use eth1 or eth4 for the purpose of configuration... If using eth4, set it to a unique network scope (say 10.1.1.0/24 or something you're not setting up as a VLAN on switch0) and be sure to set up a DHCP server, too (actually not required, but makes it much easier). Connect your computer to eth4, and assuming it is allowing access to the router, continue the process...
- delete all addresses from switch0.
- add VLANs under switch0 for those network scopes deleted previously and any others you want to add
- change the switch configuration to enable VLAN aware mode
- assign the PVID and VID port assignments as desired to eth2 and eth3.
- check eth2 and/or eth3 to make sure you've got the VLANs working as expected based on your PVID and VID assignments.
- if desired, now you can add eth4 to the vlan aware switch by first removing the address from eth4 and then adding it to the switchports for switch0.
Also, is it really your intent to have such large network scopes? Specifically, your network assignment of 10.10.0.75/16 creates a huge network (65k hosts), and it overlaps your 10.10.97.0/24 subnet.
Your computer also doesn't benefit from the larger range from the subnet mask of 255.255.0.0 (also 65k hosts) when that network is defined as a /24 (255.255.255.0).
Unless you're working with a really big network, it is usually easiest to use /24 networks, especially in SOHO type setups. This way, you have aaa.bbb.ccc.xxx where xxx is the only variable (handling up to 254 hosts) within any given subnet/VLAN.
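A way to catch this kind of overlap before committing a configuration, as an added example that is not part of the original post: it reads `show configuration commands`-style lines and reports networks that overlap across different interfaces. The sample lines and interface assignments are constructed; only the 10.10.0.75/16 and 10.10.97.0/24 prefixes come from the post.

```python
import ipaddress
import itertools
import re

# Constructed sample input (interface names and most addresses are assumptions).
SAMPLE = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth4 address 10.10.0.75/16
set interfaces switch switch0 address 10.10.97.1/24
set interfaces switch switch0 address 192.168.1.1/24
set interfaces switch switch0 vif 20 address 192.168.20.1/24
"""

ADDR_RE = re.compile(r"^set interfaces \S+ (\S+)(?: vif (\d+))? address (\S+)$")


def routed_networks(config_text):
    """Return (interface, network) for every static address in the config."""
    nets = []
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        ifname, vif, addr = m.groups()
        try:
            network = ipaddress.ip_interface(addr).network
        except ValueError:  # "dhcp" and similar keywords carry no prefix
            continue
        nets.append((f"{ifname}.{vif}" if vif else ifname, network))
    return nets


def find_overlaps(config_text):
    """Return pairs of different interfaces whose networks overlap."""
    hits = []
    pairs = itertools.combinations(routed_networks(config_text), 2)
    for (if_a, net_a), (if_b, net_b) in pairs:
        # overlaps() raises TypeError on mixed IPv4/IPv6, so compare versions first
        if if_a != if_b and net_a.version == net_b.version and net_a.overlaps(net_b):
            hits.append((if_a, str(net_a), if_b, str(net_b)))
    return hits


if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE):
        print("overlap: %s %s <-> %s %s" % hit)
```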
Huh. I... don't know what to make of this. Same guy who announced that he has abandoned the project, releases a V2 and continues on as if nothing's happened. He'd pulled all the DNSCRYPT stuff down from dnscrypt.info and started flogging DNS over SSL with the site. Now the DNSCRYPT stuff is back.
Seems rather schizophrenic behavior to me. Guess he changed his mind? That's fine, I suppose. Glad he did, because the small amount of research I did into the current state of DNS over SSL was it's currently not ready to replace DNSCRYPT, even if it's ultimately a better protocol.
Nevertheless, it appears to be legit, insofar as it appears to be the same guy and same project. Looks like there's been some bugfixes, so I can't see why not?
I agree it is confusing and even suspicious. But maybe the author wanted to hand over just the dnscrypt-proxy v1 project to someone else - to create a new project in its place.
Here is one of the links I found that might shed more light: https://github.com/privacytoolsIO/privacytools.io/issues/384
Specifically, this comment confirms my assumption above:
"Denis has created a new repository under the same name as before, and is writing "a new implementation [of DNSCrypt] that sucks less."
As an EdgeRouter X user, I am pleased to see that MIPS little endian 32-bit binaries are provided on the official web site for the V2:
https://github.com/jedisct1/dnscrypt-proxy/releases
No need to compile them myself anymore. I will have to play with the new version.
Hi Everybody,
I'm setting up an ER-8 for a client who has two ISPs, each with static addresses. I'm trying to get failover-only to work from eth0 (primary) to eth1 (the failover), but I'm running up against a problem.
I've got eth0 connected to a switch, which is connected to a router interface configured with eth0's next-hop address. I'm getting traffic from the LAN side of the ER-8 to the internet with no problem. When I disconnect the ethernet cable from eth0, it fails over to eth1 as expected.
However, when I keep eth0 connected to the switch, but disconnect the switch from the next-hop router, failover doesn't happen.
The load-balance watchdog shows that ping.ubnt.com is PINGABLE from eth0, so I have to assume that the ping from eth0 is being routed via eth1 to its next-hop and out. This is a complete no-brainer with load-balancing two DHCP connections or one static/one DHCP, but the two statics have me stumped.
I'm obviously missing something here. Can somebody nudge me in the right direction?
EDIT: I'm on v1.10.0
My config . . .
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 190 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 200 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 180 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 190 {
            action accept
            description "Allow PING"
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 200 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 210 {
            action drop
            description Drop_All_Inbound
            log disable
            protocol all
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 6x.xxx.xx.97/24
        description "WAN 1 - Fiber"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        mac 00:17:c5:51:59:56
        speed auto
    }
    ethernet eth1 {
        address 5y.yyy.yyy.129/30
        description "WAN 2 - Cable"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.1.1/24
        description "Primary LAN"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        address 10.149.0.1/23
        description "Guest Wifi"
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description UNCONFIGURED/DISABLED
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        description UNCONFIGURED/DISABLED
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        description UNCONFIGURED/DISABLED
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        description UNCONFIGURED/DISABLED
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
            failover-only
        }
        lb-local disable
        lb-local-metric-change disable
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 5y.yyy.yyy.130 {
                description "Cable Gateway"
                distance 2
            }
            next-hop 6x.xxx.xx.1 {
                description "Fiber Gateway"
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled true
        hostfile-update disable
        shared-network-name LAN_Subnet {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.101 {
                    stop 192.168.1.200
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on br0
        }
    }
    gui {
        http-port 80
        https-port 4443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5020 {
            description "masquerade for WAN2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22222
        protocol-version v2
    }
    unms {
        connection redacted
        disable
    }
}
system {
    config-management {
        commit-archive {
            location ftp://redacted
        }
        commit-revisions 100
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name fsi-ER8
    login {
        user admin {
            authentication {
                encrypted-password yup-redacted
            }
            level admin
        }
    }
    name-server 10.10.250.2
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
Load-balance watchdog when the eth0 next-hop is disconnected from the switch.
admin@fsi-ER8:~$ show load-balance watchdog
Group G
  eth0
  status: Running
  pings: 115
  fails: 3
  run fails: 0/3
  route drops: 1
  ping gateway: ping.ubnt.com - REACHABLE
  last route drop   : Sun Feb 25 15:00:20 2018
  last route recover: Sun Feb 25 15:01:01 2018

  eth1
  status: Running
  failover-only mode
  pings: 149
  fails: 2
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE
Hi,
I have purchased a Ubiquiti EdgeRouter Lite and upgraded to firmware ER-e100.v1.10.0.5056246 immediately and I have 2 issues with it.
1.
When I use the wizards Basic Setup or WAN+2LAN2 and set the LAN subnet to 192.168.50.0/24, then the LAN subnet stays 192.168.1.0/24.
Isn't that odd?
2.
When I click on wizard WAN+2LAN, then I get the message:
This template is currently unavailable because the router's configuration has been changed. Please reset the configuration back to the default settings if you wish to use a setup wizard.
Even when I revert to factory settings, I still get this message.
Am I the only one?
I have tried firmwares ER-e100.v1.9.7.5001798 and ER-e100.v1.9.7+hotfix.4.5024004 too with the same result.
Greetings.
Yup, did both and router still didn't come back to life via conf eth0.
wrote:
It's a shame that new dnscrypt-resolver is encrypted.
The one on dyne not updated/checked.
It's not encrypted but encoded. You can use https://dnscrypt.info/stamps and decode it to see all the details of a particular DNS provider.
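What decoding a stamp involves, as an added example that is not part of the original post or of dnscrypt-proxy: a stamp is base64url over a protocol byte, a little-endian 64-bit flags field and length-prefixed fields, so the resolver address and the provider key you are trusting can be read directly. The layout follows the published DNS stamps specification; the function names and both sample stamps (documentation addresses, dummy key and hash, made-up names) are constructed.

```python
import base64
import struct

PROPS = {1: "dnssec", 2: "no-logs", 4: "no-filter"}  # bits of the props field

def _field(buf, pos, mask=0xFF):
    """Read a length byte, then that many bytes: (data, next_pos, length_byte)."""
    if pos >= len(buf) or pos + 1 + (buf[pos] & mask) > len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + (buf[pos] & mask)
    return buf[pos + 1:end], end, buf[pos]

def decode_stamp(stamp):
    """Decode a DNSCrypt (0x01) or DoH (0x02) sdns:// stamp into a dict."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 9 or raw[0] not in (0x01, 0x02):
        raise ValueError("short or unsupported stamp")
    props = struct.unpack_from("<Q", raw, 1)[0]  # little-endian 64-bit flags
    addr, pos, _ = _field(raw, 9)
    out = {"protocol": "DNSCrypt" if raw[0] == 0x01 else "DoH",
           "addr": addr.decode(),
           "props": sorted(n for bit, n in PROPS.items() if props & bit)}
    if raw[0] == 0x01:  # DNSCrypt: provider public key, then provider name
        pk, pos, _ = _field(raw, pos)
        name, pos, _ = _field(raw, pos)
        out.update(public_key=pk.hex(), provider=name.decode())
    else:  # DoH: list of cert hashes (bit 0x80 = more follow), hostname, path
        hashes, more = [], True
        while more:
            item, pos, length_byte = _field(raw, pos, 0x7F)
            hashes += [item.hex()] if item else []
            more = bool(length_byte & 0x80)
        host, pos, _ = _field(raw, pos)
        path, pos, _ = _field(raw, pos)
        out.update(cert_hashes=hashes, hostname=host.decode(), path=path.decode())
    return out

def build_stamp(proto, props, *fields):
    """Encode a stamp from raw fields (here only to make constructed samples)."""
    body = bytes([proto]) + struct.pack("<Q", props)
    body += b"".join(bytes([len(f)]) + f for f in fields)
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

# Constructed samples: documentation addresses, dummy key/hash, made-up names.
DNSCRYPT = build_stamp(0x01, 0b011, b"192.0.2.53:8443", bytes(range(32)),
                       b"2.dnscrypt-cert.example.test")
DOH = build_stamp(0x02, 1, b"192.0.2.54", bytes(32), b"doh.example.test", b"/dns-query")
```

Calling `decode_stamp()` on an entry from a resolver list shows which address, provider name and public key that entry pins, which is the part worth checking before trusting a list fetched from a new source.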
There has been nothing patched with this yet. I had tried all the v1.8 and v1.9 codes with the same exact results. Today I tried the v1.10 code; same thing. You need to manually add a route into the 220 table for the local networks every time you reboot the router or else you need to stay on v1.7 code. It appears that a lot of talk happened with Ubiquiti techs and then they just dropped it a year ago.
This is really upsetting my clients as I have quite a few with VPNs with 0.0.0.0/0 on one end and the local subnet at the other and they don't like the fact that they are running on code that's almost three years old.
Hi,
I am a complete novice with this but I would like to VPN from my home network to another network. I have been reading up on the cloud key but I am not sure if that is the correct device to use. My goal is to be able to VPN to this remote LAN and access various device webservers and access various equipment using their software which would be located on my PC.
Please help.
wrote:
It's a shame that new dnscrypt-resolver is encrypted.
The one on dyne not updated/checked.
To be fair, Dyne stated up-front they were just going to keep it running, they didn't intend to make any changes.
wrote: No need to compile them myself anymore. I will have to play with the new version.
Yeah, since the new one is written in Go, I'm grateful that he's providing MIPS64 binaries, because I'd really rather not figure out a new cross-compile toolchain in a build environment and language I've never used.
I've posted a new tarfile in the new thread on v2. I've included the binaries (as well as drill) as a convenience (unarchive and go), but the new version is a lot easier to self-install from scratch, if folks wish to.
Thank you so much for sharing this!
I've noticed you have SoftEther VPN releases in your dropbox files. Can you please share some posts about SoftEther VPN configuration? I've been searching solutions for uk-cn vpn workaround on my erlite-3 for a while, but the results are very limited.
Currently I'm using Raspberry Pi (shadowsocks + dnscrypt-proxy + dnsmasq) as my gateway to get it working, but the efficiency is quite awful... Slows down my whole network since it only has 100M port and the package processing rate is slow.
Thanks in advance.
wrote: Thank you so much for sharing this!
I've noticed you have SoftEther VPN releases in your dropbox files. Can you please share some posts about SoftEther VPN configuration? I've been searching solutions for uk-cn vpn workaround on my erlite-3 for a while, but the results are very limited.
I'm afraid you're in the wrong thread, friend. There are no Dropbox links in this post, and no discussion of VPN. I think you're confusing any number of things, I have no idea what you're referring to.
It's very frustrating to spend hours writing up a procedure and have the first response be a non sequitur. The discussion at-hand is DNSCrypt-Proxy 2, please be respectful and start a new topic if you wish to discuss something else.
I have an Edge Router Pro.
I just got a heck of a deal on an EdgeSwitch ES24-500. Now I can upgrade from my two 8 port POE switches!
I want to connect the ERP to the ES24 via SFP.
Will this transceiver and cable below work for the connection?
Transceiver Amazon Link: https://www.amazon.com/gp/product/B01MY5498F/ref=od_aui_detailpages00?ie=UTF8&psc=1
Cable Amazon Link: https://www.amazon.com/gp/product/B00552PLMK/ref=oh_aui_search_detailpage?ie=UTF8&psc=1
Thanks for the help!
John
I'm truly sorry for ruining your mood and for commenting in the wrong thread. I thought you maybe know these things because I read the topic https://community.ubnt.com/t5/EdgeMAX/dnscrypt-proxy-DNSSEC-and-dnsmasq-on-Edgerouter-Lite which you recently created.
I should have found a more polite and respectful way to do this. Starting a new topic and asking around may be the better way.
But... I didn't discuss it there either. I don't have a Dropbox. Or use a VPN.
Unfortunately, the only discussion of VPN on the other thread was off-topic comments as well. Either way, your best path forward for getting the answers you want is by starting a new topic and attracting responses there.