
Re: Use EdgeRouter 4 SFP for main LAN


Yes, it's perfectly possible. Note that it is generally cheaper, both in outlay and running costs (fibre SFPs consume less power), to link the two with multimode SFPs than with RJ45 SFPs. However, if the two are close together, then even though they are only SFPs running at 1Gbps, direct attach SFP+ cables designed for 10Gbps Ethernet "just work", and this option is generally even cheaper than the fibre optic solution.


Re: VLAN only on the edgerouter and then to the trunk


firewall {
all-ping enable
broadcast-ping disable
group {
address-group MGMT_Trusted {
address xxx.xxx.xxx.xxx
address xxx.xxx.xxx.xxx
address xxx.xxx.xxx.xxx
description ""
}
network-group LAN-MNGMT {
description ""
network 192.168.4.0/24
}
network-group LAN-Trusted {
description ""
network 192.168.2.0/24
}
network-group LAN-Untrusted {
description ""
network 192.168.3.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name LAN-Depreter_IN {
default-action drop
description ""
rule 10 {
action accept
description "allow any any"
log disable
protocol all
}
rule 20 {
action accept
description "allow HTTP"
destination {
port 80
}
log disable
protocol tcp
}
rule 30 {
action accept
description "allow HTTPS"
destination {
port 443
}
log disable
protocol tcp
}
rule 40 {
action accept
description "allow SMTP SSL /TCP465"
destination {
port 465
}
log disable
protocol tcp
}
rule 50 {
action accept
description "allow IMAP SSL /tcp993"
destination {
port 993
}
log disable
protocol tcp
}
rule 60 {
action accept
description "allow POP SSL /tcp995"
destination {
port 995
}
log disable
protocol tcp
}
rule 70 {
action accept
description "allow RDP"
destination {
port 3389
}
log disable
protocol tcp
}
rule 80 {
action accept
description "allow TeamSpeak UDP"
destination {
port 9987
}
log disable
protocol udp
}
rule 90 {
action accept
description "allow TeamSpeak TCP"
destination {
port 30033,10011,41144
}
log disable
protocol tcp
}
rule 100 {
action accept
description "allow Discord"
destination {
port 50000-65535
}
log disable
protocol udp
}
rule 110 {
action accept
description "allow NTP"
destination {
port 123
}
log disable
protocol udp
}
rule 120 {
action accept
description "allow UniFi server"
destination {
port 8443
}
log disable
protocol tcp
}
}
name LAN-Depreter_LOCAL {
default-action drop
description ""
rule 20 {
action accept
description "Allow DNS to firewall"
destination {
port 53
}
log disable
protocol tcp_udp
}
rule 30 {
action accept
description ICMP
log disable
protocol icmp
}
rule 40 {
action accept
description MNGMT-BartPC&extra
destination {
port 80,443
}
log disable
protocol tcp
source {
address 192.168.2.xxx-192.168.2.xxx
}
}
}
name LAN-MNGMT {
default-action accept
description ""
}
name LAN-Zonnepanelen_IN {
default-action drop
description ""
rule 10 {
action accept
description "Allow HTTP"
destination {
port 80
}
log disable
protocol tcp
}
rule 20 {
action accept
description "Allow HTTPS"
destination {
port 443
}
log disable
protocol tcp
}
rule 21 {
action accept
description "allow NTP"
destination {
port 123
}
log disable
protocol udp
}
}
name LAN-Zonnepanelen_LOCAL {
default-action drop
description "Guest to router"
rule 1 {
action accept
description "allow DNS"
destination {
port 53
}
log disable
protocol tcp_udp
}
rule 2 {
action accept
description "allow ICMP"
log disable
protocol icmp
source {
address !192.168.3.0/24
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description MGMT_SSH/22
destination {
port 22
}
log disable
protocol tcp
source {
group {
address-group MGMT_Trusted
}
}
}
rule 20 {
action accept
description MGMT_HTTPS/80&443
destination {
port 80,443
}
log disable
protocol tcp
source {
group {
address-group MGMT_Trusted
}
}
}
rule 30 {
action accept
description "Allow ICMPv4"
log disable
protocol icmp
}
rule 40 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 50 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.4.1/24
description LAN-MNGMT
duplex auto
firewall {
in {
name LAN-MNGMT
}
}
speed auto
vif 2 {
address 192.168.2.1/24
description LAN-Depreter
firewall {
in {
name LAN-Depreter_IN
}
local {
name LAN-Depreter_LOCAL
}
}
mtu 1500
}
vif 999 {
description OUTSIDE
mtu 1500
}
}
ethernet eth1 {
duplex auto
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
address 192.168.0.240/24
description WAN-Depreter
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth4 {
address 192.168.3.1/24
description LAN-Zonnepanelen
duplex auto
firewall {
in {
name LAN-Zonnepanelen_IN
}
local {
name LAN-Zonnepanelen_LOCAL
}
}
poe {
output off
}
speed auto
}
loopback lo {
}
switch switch0 {
mtu 1500
switch-port {
interface eth1 {
vlan {
vid 999
}
}
interface eth2 {
vlan {
vid 999
}
}
vlan-aware enable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth0
lan-interface eth4
lan-interface eth0.2
wan-interface eth3
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name DHCP_LAN-Depreter {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
domain-name xxxx.xxxxx
lease 86400
start 192.168.2.100 {
stop 192.168.2.199
}
static-mapping 192.168.2.103 {
ip-address 192.168.2.40
mac-address FC:AA:14:2E:E4:57
}
static-mapping BRW2C337A31B549 {
ip-address 192.168.2.129
mac-address EC:59:E7:EA:2E:B4
}
static-mapping CI00041493 {
ip-address 192.168.2.145
mac-address a0:88:69:e5:3f:e4
}
static-mapping Canon-Pixma {
ip-address 192.168.2.127
mac-address 2C:9E:FC:8C:AD:57
}
static-mapping Chromecast {
ip-address 192.168.2.122
mac-address C8:02:10:5D:59:89
}
static-mapping DESKTOP-PHB41R9 {
ip-address 192.168.2.106
mac-address 60:F6:77:DA:68:4E
}
static-mapping xxxxx-PC {
ip-address 192.168.2.136
mac-address 4C:CC:6A:6B:E6:15
}
static-mapping xxxx-Ubuntu {
ip-address 192.168.2.107
mac-address 48:5a:b6:bb:87:59
}
static-mapping XBIAN {
ip-address 192.168.2.142
mac-address B8:27:EB:D8:D1:05
}
}
}
shared-network-name DHCP_LAN-Zonnepanelen {
authoritative disable
subnet 192.168.3.0/24 {
default-router 192.168.3.1
dns-server 192.168.3.1
lease 86400
start 192.168.3.100 {
stop 192.168.3.120
}
}
}
shared-network-name DHCP_MNGMT {
authoritative disable
subnet 192.168.4.0/24 {
default-router 192.168.4.1
dns-server 192.168.4.1
domain-name xxxxx.xxxxx
lease 86400
start 192.168.4.100 {
stop 192.168.4.199
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth0
listen-on eth4
listen-on eth0.2
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 1 {
description "DNS destination NAT redirect eth0.2"
destination {
port 53
}
inbound-interface eth0.2
inside-address {
address 192.168.2.1
}
log disable
protocol tcp_udp
type destination
}
rule 2 {
description "DNS destination NAT redirect eth4"
destination {
port 53
}
inbound-interface eth4
inside-address {
address 192.168.3.1
}
log disable
protocol tcp_udp
type destination
}
rule 3 {
description "DNS destination NAT redirect eth0"
destination {
port 53
}
inbound-interface eth0
inside-address {
address 192.168.4.1
}
log disable
protocol tcp_udp
type destination
}
rule 5000 {
description "masquerade for WAN"
log disable
outbound-interface eth3
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
domain-name xxxx.xxxxx
gateway-address 192.168.0.1
host-name XXXXXXXXXX
login {
user xxxxxxxxxxx {
authentication {
encrypted-password
plaintext-password
}
full-name "xxxxxxx"
level admin
}
user xxxxxxxxxx {
authentication {
encrypted-password
plaintext-password
}
full-name "xxxxxxxxxxxxx"
level admin
}
}
name-server 208.67.222.222
name-server 208.67.220.220
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
ipsec enable
}
static-host-mapping {
host-name firewall.xxxxxxxx.xxxxx {
alias firewall
inet 192.168.2.1
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/Brussels
}




Masked some sensitive information with XXXXX

Re: Edge Router Site to Site


Hi,

 

Either another ER-4 or a USG would work perfectly for this type of setup. Both the USG and the ER-4 are capable of Site-to-Site VPNs (also to each other). We have an article on the subject here.

 

Ben

Re: Edge Router Site to Site


Yes, perfect. I did a test using my personal EdgeRouter Lite and my work's EdgeRouter 4. The VPN status says up on both, but I can only ping to one side and not the other.

Re: Edge Router Site to Site


Do you have the 'Automatic NAT/firewall' feature enabled on both EdgeRouters? Are the clients themselves also allowing ICMPv4 (ping) packets in their local firewall (Windows blocks this by default)?

 

Ben

Re: Edge Router Site to Site


Yes, the checkmark for "Automatically open firewall and exclude from NAT" is checked on both EdgeRouters. I am remoted into my home desktop PC using AnyDesk, and from my home desktop I can ping all the devices, servers, and so on at my workplace, but on the work PC side I can't ping anything on my home network.

Re: Support for g.fast SPF


Reading through that (albeit in Google translation), the driver for the Cisco is twofold. Firstly, it is possibly the Ethernet Boot Management so you can read the status of the device, and secondly so that the Cisco device does not reject the SFP as being "unknown". The first is not actually needed to get a working link; the second obviously is.

 

So if the EdgeRouter recognises the g.fast SFP, then you are good to go at the link layer. The issue then becomes that you need to send the magic DHCP option 60 responses to get things working, though not if you are using PPPoE.

 

 

Setting up RDP via Dashboard on EdgeRouter X


The title says it all. I have very little experience with networking. I have an EdgeRouter X that is currently being used for a LAN. I want other computers on the network to be able to RDP into the server. All computers are running Linux Ubuntu 16.04. Currently I can only ssh into the server (using either openssh, Apache Guacamole and/or Remmina). Trying RDP using Guacamole and Remmina fails and I have come to the conclusion that it has to be the router. I imagine there is a setting in the dashboard that will allow this? Any pointers would be appreciated.


Transitioning from Single Wan to Dual Wan (Failover Only)


Hey, I've been reading a bunch of posts on creating a dual WAN in failover-only mode, where you use the wizard and start from scratch. I'm wondering if anyone knows of a way to add a second WAN to an already functioning setup. We have site-to-site as well as L2TP VPNs set up, plus our APs and DHCP all running off of this router with a single fiber connection. Now we want to add a DSL line for redundancy, so it would be awesome to simply add the second connection without having to re-configure everything all over again.

Re: VPN Best Practice? iOS devices, site-to-site, dual wan?


Excellent, ok, so that is half of my issue.  If I understand you correctly anyway.  I have not been able to get it to work yet but I'll keep trying.

 

The other half is: how do you recommend I offer VPN connectivity to my mobile devices? If the L2TP ports are used up by the site-to-site, what is the solution to get the mobile users in? Specifically, iOS devices do not natively support PPTP.

Re: Support for g.fast SPF


With the g.fast module in, this is the output

 

connector=Unknown
vendor=METANOIA        
oui=00-00-00
part=MT5321          
rev=0001
serial=                
date=

 

With the previously working unit, when I have FTTH, the output is

 

connector=LC
vendor=OEM             
oui=00-00-00
part=1000BX-S34-10DI 
rev=2.0 
serial=ED602139909     
date=160222  
temp=30.687 C
voltage=3.33 V
current=20.32 mA
tx_power=0.33 mW
rx_power=0.00 mW
tx_fault=no
rx_los=yes 

 

Clearly there is some difference at the OS support level. Sending DHCP option 60 isn't an issue if I even get to that part.

 

Do you think something can be loaded to support this? 

Re: Setting up RDP via Dashboard on EdgeRouter X

Are you trying to RDP from outside your network into a server on your LAN? If so, you need to open up port 3389 for TCP traffic on the Firewall/NAT tab, click Advanced options, and enable the Auto Firewall rule.

Re: Setting up RDP via Dashboard on EdgeRouter X


That's what I am seeing here:

 

https://help.ubnt.com/hc/en-us/articles/217367937-EdgeRouter-Port-Forwarding

 

Everything I have tried so far since finding this has failed. The forward-to address should be the static IP of the server, correct? Also, I'm not sure what I should select for WAN and LAN. I am not using WAN (I think that is eth5 on the EdgeRouter), and the LAN is set up using switch0. Using port 3389 and these settings isn't working.

Re: Setting up RDP via Dashboard on EdgeRouter X

Post your sanitized config here (output of the following command):

show configuration | cat

If you are not using WAN, how is your router connected to the internet?

Re: Setting up RDP via Dashboard on EdgeRouter X


Screenshot of settings is attached.


Re: Setting up RDP via Dashboard on EdgeRouter X


The network is connected to the internet via a USB modem/hotspot that is being shared. Don't ask, lol. Where do I find the config file?

Re: EdgeRouter PoE v1.10.3 allows 22 inbound thought this was blocked by default


I figured out that one of the VPNs I use was supposed to be restricted but was not (and was reconfigured correctly after finding this out), and so this was causing the access I was not expecting. I should have checked the other VPNs before making an assumption.

 

Mike

Re: Setting up RDP via Dashboard on EdgeRouter X

interfaces {
ethernet eth0 {
description "Switch Port"
duplex auto
speed auto
}
ethernet eth1 {
description "Switch Port"
duplex auto
speed auto
}
ethernet eth2 {
description "Switch Port"
duplex auto
speed auto
}
ethernet eth3 {
description "Switch Port"
duplex auto
speed auto
}
ethernet eth4 {
description "Switch Port"
duplex auto
speed auto
}
ethernet eth5 {
description "Switch Port"
duplex auto
speed auto
}
switch switch0 {
address 192.168.1.1/24
switch-port {
interface eth0 {
}
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
interface eth5 {
}
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
rule 1 {
description RDP
forward-to {
address 192.168.1.2
port 3389
}
original-port 3389
protocol tcp
}
wan-interface eth5
}
service {
gui {
https-port 443
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
login {
user username {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}

Re: Setting up RDP via Dashboard on EdgeRouter X

Your ER-X is acting as a switch and not doing any routing, so you do not need any firewall rules or port-forwarding rules there.
Where is the USB modem connected? That device is your router, and that is where you need to do port forwarding if you want to allow outside access. I do not recommend doing it that way; it is better to use a VPN for accessing your local LAN from the internet.

Re: Setting up RDP via Dashboard on EdgeRouter X


The USB modem is connected to the computer acting as the server and being shared via that computer. Ideally, I only want to RDP into the server from the machines connected to the LAN, not necessarily any computer from anywhere. Obviously I am dealing with a less than ideal situation here with having to use the USB modem, but it is what it is.
