
Re: ER-X installation problem

Thank you so much, redfive!
I did exactly as you said and now everything works! I even plugged the D-Link router into eth2 of the ER-X and now it is providing the Wi-Fi for my laptop.


Re: NAT Reflection between eth1 and eth3


All it takes is a DNAT rule, inbound on eth1. It should mimic the DNAT rule present on eth0.

Re: EdgeRouter X Skype for Business desktop sharing does not work


Well, it solved your problem. And if your WAN speed allows it, this is fine.

But it shows something might be broken in hwnat, probably causing out-of-order packets and confusing your Skype connection.

How do I setup PAT on EdgeMax / EdgeRouter 4


I have set up port address translation in the GUI, but it is not working. I would like to check whether it is OK using the CLI, but I cannot find documentation on this site. I have experience with Cisco products and no problem setting up PAT there.

Please point me in the right direction.

Update using CLI


Now that the new F/W is out, I would like to upgrade using the CLI. Is that described somewhere?

Firewall not blocking traffic when asked...


Hi all, 

 

Eth0 = internet

Eth1 = LAN 1

Eth2 = completely separate LAN that needs to be completely separate from LAN 1. Both LANs need to access eth0, which they can.

 

My problem is that I can't seem to block traffic from eth2 to eth1.

I've created a default rule to accept all traffic in from eth2, but with a drop rule for invalid traffic and for traffic that connects to the subnet used for LAN 1... but traffic still gets through.

 

I'm configuring through the GUI, but here's an extract from the configuration file:

 

name eth2_in {
    default-action accept
    description ""
    rule 1 {
        action drop
        log disable
        protocol all
        state {
            established disable
            invalid enable
            new disable
            related disable
        }
    }
    rule 2 {
        action drop
        destination {
            address 172.16.1.0/24
        }
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
}

 

I'm doing this all through the GUI, so my suspicion is that there's something somewhere that I've overlooked, but I've no idea what or where.

According to the logging from the interface, it appears as though traffic to an IP in 172.16.1.0/24 doesn't match the rule I've created, and just goes under the default accept all.

ERL-3 unreachable after reboot or power off


Hi,

This issue is driving me crazy:

I hard reset my ERL-3 and configured it through SSH (PuTTY).

It works perfectly with WAN on eth0 and LAN on eth1 (10.10.10.x), eth2 unused.

Synology NAS on 10.10.10.111.

But as soon as I reboot it, or when I power it OFF then ON, it becomes completely unreachable. I tried to reach it on eth1 and eth0. I tried 192.168.1.1 and 10.10.10.1, no success.

The only solution is to hard reset it again and upload a saved config.

I was running firmware 1.10.6 and tried 2.00 beta3 with the same results.

I read tons of posts concerning similar problems and could not find the solution. It seems to be related to some error in my config file. As I am far from being an expert, I am now asking for your help.

Thank you.

So here is my config.boot:

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description Drop
        rule 1 {
            action accept
            description Enable
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description ""
        enable-default-log
        rule 10 {
            action accept
            description "Permet acces au router"
            destination {
                port 80,443
            }
            disable
            log enable
            protocol tcp
        }
        rule 20 {
            action accept
            description "Accepte established et related"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            protocol tcp
        }
        rule 40 {
            action accept
            description GRE
            log disable
            protocol gre
        }
        rule 50 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.10.1/24
        description "Local 2"
        duplex auto
        ipv6 {
            disable-forwarding
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        speed auto
    }
    ethernet eth2 {
        description Local
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description ""
        forward-to {
            address 10.10.10.1
            port 443
        }
        original-port 81
        protocol tcp_udp
    }
    rule 2 {
        description "ServeurCave FTP"
        forward-to {
            address 10.10.10.111
            port 21
        }
        original-port 2021
        protocol tcp_udp
    }
    rule 3 {
        description "ServeurCave Transmission"
        forward-to {
            address 10.10.10.111
        }
        original-port 9091
        protocol tcp_udp
    }
    rule 4 {
        description "ServeurCave pyLoad"
        forward-to {
            address 10.10.10.111
        }
        original-port 7272
        protocol tcp_udp
    }
    rule 5 {
        description "NUC TV Backend"
        forward-to {
            address 10.10.10.105
        }
        original-port 9981
        protocol tcp_udp
    }
    rule 6 {
        description "Imprimante Laser"
        forward-to {
            address 10.10.10.156
            port 80
        }
        original-port 1100
        protocol tcp_udp
    }
    rule 7 {
        description "Synology http"
        forward-to {
            address 10.10.10.111
        }
        original-port 5000,5001
        protocol tcp_udp
    }
    rule 8 {
        description "FTP Synology"
        forward-to {
            address 10.10.10.111
            port 21
        }
        original-port 5021
        protocol tcp_udp
    }
    rule 9 {
        description "Plex sur Synology"
        forward-to {
            address 10.10.10.111
        }
        original-port 32400
        protocol tcp
    }
    rule 10 {
        description "Synology Portail des applications"
        forward-to {
            address 10.10.10.111
        }
        original-port 10002,10003,7000,7001,8000,8001,6690,55536-55567
        protocol tcp
    }
    rule 11 {
        description ""
        forward-to {
            address 10.10.10.111
        }
        original-port ftp
        protocol tcp
    }
    rule 12 {
        description ""
        forward-to {
            address 10.10.10.111
            port 5001
        }
        original-port 443
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name truanLAN {
            authoritative disable
            subnet 10.10.10.0/24 {
                bootfile-name Rescue.iso
                bootfile-server 10.10.10.111
                default-router 10.10.10.1
                dns-server 10.10.10.1
                domain-name truan.lan
                lease 120
                start 10.10.10.200 {
                    stop 10.10.10.243
                }
                static-mapping Ampli-Onkyo {
                    ip-address 10.10.10.153
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Blu-Ray {
                    ip-address 10.10.10.157
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Chromecast-Ampli {
                    ip-address 10.10.10.154
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Chromecast-TV {
                    ip-address 10.10.10.155
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping David-PC {
                    ip-address 10.10.10.115
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping David-PC-2 {
                    ip-address 10.10.10.116
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Four-Samsung {
                    ip-address 10.10.10.160
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Garmin-Edge-1000 {
                    ip-address 10.10.10.108
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Google-Home {
                    ip-address 10.10.10.163
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Google-Home-Mini {
                    ip-address 10.10.10.162
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Honor-V10 {
                    ip-address 10.10.10.109
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping IKEA-Bridge {
                    ip-address 10.10.10.161
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Imprimante-Laser-Brother {
                    ip-address 10.10.10.156
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Justicier {
                    ip-address 10.10.10.159
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping LG-G4-Kubiak {
                    ip-address 10.10.10.107
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping MacBookPro-Eva {
                    ip-address 10.10.10.104
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Moto-David {
                    ip-address 10.10.10.113
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping NUC {
                    ip-address 10.10.10.105
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Philips-Hue {
                    ip-address 10.10.10.158
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping RockNRoll2-Cable {
                    ip-address 10.10.10.100
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping RockNRoll2-Wifi {
                    ip-address 10.10.10.101
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping RocknRoll3-Cable {
                    ip-address 10.10.10.102
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping RocknRoll3-WiFi {
                    ip-address 10.10.10.103
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping ServeurCave {
                    ip-address 10.10.10.110
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Sonoff-interrupteur {
                    ip-address 10.10.10.180
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Sonoff-4Ch-Pro {
                    ip-address 10.10.10.181
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Sonoff-4Ch-Pro-1 {
                    ip-address 10.10.10.182
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Sonoff-4Ch-Pro-2 {
                    ip-address 10.10.10.183
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Sonos-Cuisine {
                    ip-address 10.10.10.151
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Sonos-SDB {
                    ip-address 10.10.10.152
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Synology_LAN1 {
                    ip-address 10.10.10.111
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Tablette-Samsung-Pascal {
                    ip-address 10.10.10.106
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Unifi-Cave {
                    ip-address 10.10.10.12
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Unifi-Julien {
                    ip-address 10.10.10.11
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping Unifi-Salon {
                    ip-address 10.10.10.10
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping iPhone-Eva {
                    ip-address 10.10.10.114
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping iPhonedePauline {
                    ip-address 10.10.10.112
                    mac-address xx:xx:xx:xx:xx:xx
                }
                tftp-server-name 10.10.10.111
                unifi-controller 10.10.10.103
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 400
            listen-on eth1
            name-server 8.8.8.8
            name-server 8.8.4.4
            options listen-address=10.10.10.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        disable-host-validation
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    domain-name truan.lan
    host-name EdgeRouter
    ipv6 {
        blacklist
        disable
        disable-forwarding
    }
    login {
        user admin {
            authentication {
                encrypted-password xxxxxxxxxxx$YLc6T7OcWteoctiZNdw1NikzQ0aANk6NaRN6uFg.4RbxEiY4n8dzR29ovyJekeN0e1VtKNQSuq9floUV3uCJA0
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    static-host-mapping {
        host-name imprimante.truan.lan {
            alias print.truan.lan
            inet 10.10.10.156
        }
        host-name kodi.truan.lan {
            alias k.truan.lan
            alias kodi
            inet 10.10.10.105
        }
        host-name pascal.truan.lan {
            alias p.truan.lan
            inet 10.10.10.103
        }
        host-name routeur.truan.lan {
            alias r.truan.lan
            alias router.truan.lan
            inet 10.10.10.1
        }
        host-name serveurcave.truan.lan {
            alias sc.truan.lan
            alias cave.truan.lan
            alias serveurcave
            inet 10.10.10.111
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Zurich
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username xxxx {
                        password xxxxxxx
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.10.100.250
                stop 10.10.100.255
            }
            dhcp-interface eth0
            dns-servers {
                server-1 10.10.10.1
            }
            mtu 1492
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.0-alpha.3.5121962.180910.1410 */

Edgerouter Lite with 2 WANs pppoe with vlan


Hi

 

I am new to this and would appreciate it if someone could help me create a config file that I can use.

 

ETH0 = WAN1 = pppoe . 100/30 connection

username: nb482euc3u@3bbfttx

password: tJps4mck

 

ETH1 = WAN2 = pppoe .  100/30 connection

VLAN ID = 10

username: 8801178790

password: 8801178790

 

ETH2 = LAN = 192.168.1.1/24

 

I have tried all possible ways to add the VLAN to eth1, but I am not getting internet.

 

Prefer to do load balance with WAN2 as failover

 

Your help is appreciated.

Re: Firewall not blocking traffic when asked...


Rule 1: action accept, established enable, related enable and nothing more. Rule 2: action drop, destination address <eth1 network address>. Try this.

ER-X SFP Site-to-Site IPSEC through PPPoE, No traffic


I am trying to configure a Site-to-Site VPN. I have gotten to the point where my tunnel is up, but I cannot pass any traffic through the tunnel. I believe this is down to a firewall rule not being applied, but I'm new to this product and don't know exactly what's going on. I would very much appreciate some help getting this set up.

 

Here's my setup.

 

1. I'm connected via the SFP port to my ISP (Bell Fiber). I have to create a PPPoE connection over VLAN 35 to connect. I get a public IP once I connect.

2. Local network is 192.168.5.0/24. Remote network is 192.168.6.0/24.

3. The internet connection works perfectly.

4. The remote router is running pfSense. The configuration listed at the bottom of the post gets the tunnel up and running.

 

Output from various debug commands

----

show vpn ike status
IKE Process Running

PID: 4465

----

show vpn ipsec sa
peer-REDACTED-tunnel-1: #1, ESTABLISHED, IKEv1, 16ee1b9fc41c62f0:431069d5607b4f42
  local  '76.XX.XX.XX' @ 76.XX.XX.XX
  remote '38.XX.XX.XX' @ 38.XX.XX.XX
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1700s ago, reauth in 26140s

----

show vpn ipsec status
IPSec Process Running PID: 4465

0 Active IPsec Tunnels

IPsec Interfaces :

----

show vpn ipsec policy
src 192.168.6.0/24 dst 192.168.5.0/24
        dir fwd priority 5955
        tmpl src 38.XX.XX.XX dst 76.XX.XX.XX
                proto esp reqid 1 mode tunnel
src 192.168.6.0/24 dst 192.168.5.0/24
        dir in priority 5955
        tmpl src 38.XX.XX.XX dst 76.XX.XX.XX
                proto esp reqid 1 mode tunnel
src 192.168.5.0/24 dst 192.168.6.0/24
        dir out priority 5955
        tmpl src 76.XX.XX.XX dst 38.XX.XX.XX
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

 

-----------------

Configuration File

----------------

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
        vif 35 {
            description "Internet (PPPoE)"
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
                password REDACTED
                user-id REDACTED
            }
        }
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.5.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dns {
        dynamic {
            interface pppoe0 {
                service afraid {
                    host-name REDACTED
                    login REDACTED
                    password REDACTED
                    server freedns.afraid.org
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on LISTENONPORT
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name REDACTED
    host-name edgerouter
    login {
        user REDACTED {
            authentication {
                encrypted-password REDACTED
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Toronto
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        site-to-site {
            peer REDACTED {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret REDACTED
                }
                connection-type initiate
                description Colo
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.5.0/24
                    }
                    remote {
                        prefix 192.168.6.0/24
                    }
                }
            }
        }
    }
}


Re: Firewall not blocking traffic when asked...


Unfortunately that wasn't successful.

I tried what you suggested, and then retried it with the order below, and it still didn't work.

 

name eth2_in {
    default-action accept
    description ""
    rule 10 {
        action drop
        destination {
            address 172.16.1.0/24
        }
        log disable
        protocol all
    }
    rule 20 {
        action accept
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
}

Re: How do I setup PAT on EdgeMax / EdgeRouter 4


First of all: that's no PAT. PAT stands for Port Address Translation. In your case the port remains as it is and thus doesn't get translated at all. If you forwarded external tcp 2222 to internal tcp 22, that would be PAT. However, it's just a name.

How did you test your setup? Did you test the DNAT from eth0 (I guess that's your WAN) or did you test it from eth1+? To test DNAT it's recommended to do a real-life test. That includes testing from a separate WAN connection. Did you test ssh with an ssh client or with a port "tester"? Did you check the target device at 192.168.111.2? Be sure to open the device's firewall to allow incoming connections on tcp 22 from public IP addresses.

You might want to test the DNAT by running a tcpdump on the ssh device to see if there are packets incoming. If so, the ER works as intended and it's probably the ssh server not responding to the incoming connection.

Re: Firewall not blocking traffic when asked...


Did you assign the firewall ruleset to eth2_in? Check the ruleset's interfaces tab and assign it to eth2 + direction in.

 

Please post your current configuration (cli -> show configuration | cat).


Re: Firewall not blocking traffic when asked...


Yes, it's assigned to an interface.

 

Config attached.

Re: Edgerouter ER-6P configuration problem


I am glad that you make such an effort to help me, so of course it's not an issue if you don't respond for a couple of days.

Anyway. I did read most of the posts you mentioned and it seems a bit weird that this bug is still present in the latest version (v1.10.5; although .6 is released, it looks like it has no fixes for the 6P).

I removed the lb-local-metric on both groups and let it run for about an hour. My co-worker mentioned that the internet started lagging again, so I quickly did a status and watchdog check. Both are the same as before. It does not show WAN1 as being online even though it works fine (I was connected with Wi-Fi directly to the modem). The weird thing that I did notice, though, was that I cannot ping the modem itself when this happens.

I will downgrade the firmware later tonight when the connections aren't used. People are starting to dislike me for rebooting every hour or so.

Since I removed WAN2 from the firewall, it's maybe easier to stick to the WAN0 and WAN1 that are present, like you mentioned before. It maybe makes it easier to spot the problems.

Re: VLAN only on the edgerouter and then to the trunk


eth0.999 won't be able to access anything on switch0.999, as eth0 is not part of switch0 and thus it's not the same VLAN. Re-add eth0 to switch0, configure eth0@switch0 as a trunk, and it should work.

Limit bandwidth to a specific destination IP / IP's


Hi all.

 

Due to login-issues with League of Legends through my new ISP, I have to investigate a possible solution in throttling the bandwidth to their network.

What info do you need from me to set this up?

Re: Firewall not blocking traffic when asked...


It looks like you need to apply the firewall rule to the vif 10 interface under eth0.

 

ethernet eth0 {
    description "eth0 - Internet"
    duplex auto
    speed auto
    vif 10 {
        address dhcp
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_Local
            }
        }
    }
}
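The eth2_in thread above ends with the hint that a ruleset has to be bound to the sub-interface that actually carries the traffic; otherwise the packets never meet it and fall through to whatever the path applies by default. The script below is an added example, not code from the posts or from Ubiquiti: it parses a config.boot dump in the brace syntax quoted throughout this page and reports, for every firewall ruleset, where it is bound, flagging rulesets that are defined but bound nowhere, bound but never defined (names are case-sensitive), and rulesets whose default-action is accept. SAMPLE_CONFIG is a constructed fragment, not a real device's configuration.

```python
"""Report where each EdgeOS firewall ruleset is bound, from a config.boot dump.
Added example (not code from the posts or from Ubiquiti); assumes the brace
syntax the posts quote: 'key [value] {' opens a node, 'key value' is a leaf."""
import shlex

# Constructed sample in the posted format, not a real device's configuration:
# eth2_in is defined but bound to no interface, so it can never drop anything.
SAMPLE_CONFIG = """\
firewall {
    name eth2_in {
        default-action accept
    }
    name WAN_IN {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        vif 10 {
            address dhcp
            firewall {
                in {
                    name WAN_IN
                }
            }
        }
    }
    ethernet eth2 {
        address 172.16.2.1/24
    }
}
"""


def parse_config(text):
    """Nodes keyed by tuple(words before '{'); leaves keyed by first word -> list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue                      # blank line or version comment
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            stack[-1][tuple(shlex.split(line[:-1]))] = node = {}
            stack.append(node)
            continue
        words = shlex.split(line)         # shlex keeps "quoted descriptions" whole
        value = " ".join(words[1:]) if len(words) > 1 else True  # bare flag -> True
        stack[-1].setdefault(words[0], []).append(value)
    return root


def defined_rulesets(cfg):
    """Map ruleset name -> node for every 'firewall { name X { ... } }'."""
    fw = cfg.get(("firewall",), {})
    return {k[1]: v for k, v in fw.items() if isinstance(k, tuple) and k[0] == "name"}


def _bindings(ifname, node, out):
    # Direct bindings: firewall { in|out|local { name X } } on this interface.
    for direction, dnode in node.get(("firewall",), {}).items():
        for ruleset in dnode.get("name", []):
            out.append((ruleset, ifname, direction[0]))
    # vif and pppoe children carry their own firewall block; a ruleset bound
    # only to the parent never sees traffic that arrives on the child.
    for k, child in node.items():
        if isinstance(k, tuple) and k[0] == "vif":
            _bindings(f"{ifname}.{k[1]}", child, out)
        elif isinstance(k, tuple) and k[0] == "pppoe":
            _bindings(f"pppoe{k[1]}", child, out)


def attachments(cfg):
    out = []
    for k, node in cfg.get(("interfaces",), {}).items():
        if isinstance(k, tuple) and len(k) == 2:  # e.g. ('ethernet', 'eth0')
            _bindings(k[1], node, out)
    return out


def audit(text):
    cfg = parse_config(text)
    defined = defined_rulesets(cfg)
    bound = attachments(cfg)
    bound_names = {rs for rs, _, _ in bound}
    return {
        "bound": bound,
        "unbound": sorted(n for n in defined if n not in bound_names),
        "undefined": sorted(n for n in bound_names if n not in defined),
        "accept_default": sorted(n for n, v in defined.items()
                                 if v.get("default-action", [None])[0] == "accept"),
    }
```

Run `audit()` over the output of `show configuration | cat` to get the same report for a real device.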