Channel: All EdgeRouter posts
Re: Firewall Rule Accessing VLAN ETH2.100 TO WAN1 Port Forward


As soon as you try to connect to your public IP address from inside your network, you need NAT loopback / NAT hairpin. I recommend against doing so, as this would actually route the traffic from within your network to the WAN port and turn it around just before it gets sent to the provider. In the next step the traffic has to pass the port forward / NAT / firewall engine, and finally the packets get routed to the local(!) destination. This is a huge detour and can be a bottleneck.

 

I'd rather create a simple DNAT rule that redirects traffic coming from the client's subnet, targeted at the WAN IP, to the server on eth2.100 directly. Unfortunately this won't work with a dynamic WAN IP + DDNS. If that's the case, you could add a custom DNS entry that links the DDNS address to the server's local IP, and thus there'd be no need for NAT whatsoever.
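As an added example (not from the original post), here are the two alternatives in EdgeOS configuration syntax; the WAN address 203.0.113.10, the client subnet 192.168.1.0/24 on eth1, the server 10.100.0.20 on eth2.100 and the host name www.example.com are constructed placeholders:

```edgeos
configure

# Option A: a plain DNAT rule for clients on eth1 that address the WAN IP.
# The packet is rewritten on the way in, so it never touches the WAN port
# or the hairpin path. Requires a static WAN IP (203.0.113.10 is a placeholder).
set service nat rule 20 description 'eth1 clients -> server on eth2.100, no hairpin'
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth1
set service nat rule 20 protocol tcp
set service nat rule 20 source address 192.168.1.0/24
set service nat rule 20 destination address 203.0.113.10
set service nat rule 20 destination port 443
set service nat rule 20 inside-address address 10.100.0.20
set service nat rule 20 inside-address port 443
# Any eth1 -> eth2.100 firewall ruleset must still allow tcp/443 to 10.100.0.20,
# because the firewall sees the packet after DNAT has rewritten it.

# Option B: split DNS. Internal clients resolve the public name to the LAN
# address, so no NAT rule is needed at all; this also works with a dynamic
# WAN IP + DDNS.
set service dns forwarding listen-on eth1
set system static-host-mapping host-name www.example.com inet 10.100.0.20

commit ; save
```

With option B the clients must use the router as their resolver, otherwise the override is never seen.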


Re: Firewall not blocking traffic when asked...


From eth2, are you able to access the router at 172.16.1.1, or are you able to access devices in the 172.16.1.0/24 network? These are different things: access to the IP address 172.16.1.1 can be denied through an eth2_local ruleset (local direction), while access to devices in 172.16.1.0/24 should already be denied. In case of issues, run on the router

sudo conntrack -F

and try again. For clarifications, take a look here.

Cheers,

jonatha
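Added example (not jonatha's own configuration) of the two rulesets described above, assuming 172.16.1.0/24 lives behind eth1 and eth2 is the interface to be restricted:

```edgeos
configure

# 'local' direction: packets addressed to the router itself, e.g. its
# 172.16.1.1 address. A rule in an 'in' ruleset never sees this traffic.
set firewall name eth2_local default-action accept
set firewall name eth2_local rule 10 action drop
set firewall name eth2_local rule 10 description 'no access to the router at 172.16.1.1 from eth2'
set firewall name eth2_local rule 10 destination address 172.16.1.1
set firewall name eth2_local rule 10 log enable
set interfaces ethernet eth2 firewall local name eth2_local

# 'in' direction: packets entering eth2 that are forwarded to other hosts
# (here the 172.16.1.0/24 network behind eth1). The ruleset stays
# default-accept, so only the cross-subnet traffic is dropped.
set firewall name eth2_in default-action accept
set firewall name eth2_in rule 10 action drop
set firewall name eth2_in rule 10 description 'eth2 clients may not reach 172.16.1.0/24'
set firewall name eth2_in rule 10 destination address 172.16.1.0/24
set firewall name eth2_in rule 10 log enable
set interfaces ethernet eth2 firewall in name eth2_in

commit ; save
exit

# Flows already in the connection-tracking table bypass new rules until they
# expire; flush the table, then watch the rule counters while testing.
sudo conntrack -F
show firewall name eth2_in statistics
show firewall name eth2_local statistics
```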

Re: How do I setup PAT on EdgeMax / EdgeRouter 4


Hi, welcome to the UBNT forums!

 

PAT is generally referred to as 'Masquerade' on the EdgeMAX platform. 

 

To configure something similar to ip nat inside source list <acl> interface <if> overload, run:

 

configure
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
commit ; save

 

We also have an article on the subject here.

 

Ben

Re: Update using CLI


add system image <url to firmware.tar>

 

Get the proper URL for your router model HERE

Re: Firewall not blocking traffic when asked...


Thanks for your replies. It seems that it's only http and https that I'm able to access on 172.16.1.0/24, but it's all hosts that serve web pages on that subnet, including the router at 172.16.1.1.

 

I'll take a look a bit further when I get the next chance. 

 

Bstchris: why would the rule need to be applied to eth0? I'm trying to block traffic from eth2 to eth1.

Re: Limit bandwidth to a specific destination IP / IP's


 wrote:

Hi all.

 

Due to login-issues with League of Legends through my new ISP, I have to investigate a possible solution in throttling the bandwidth to their network.

What info do you need from me to set this up?


How about adding pertinent information? I'll give some examples:

 

1. What login issues?

2. What the heck is League of Legends?

3. What's your bandwidth?

4. What router do you have?

5. What firmware are you using?

Etc., etc.

Re: Dual networks with bordered internet via UAP-AC

Is that router enough? I didn't want to spend too much more!

ERL vs ER4 - Performance and Network Services


Quick question here: is there any reason to choose the ER4 over the ERL if I don't need the SFP port?

 

I'm planning an upgrade/install in a coffee shop which sees pretty high foot traffic. The ER will be running DHCP/DNS Proxy. I figure I'll have a pretty big DHCP pool /22 for wifi clients with 4 hour leases so I want to make sure either can handle that.

 

Also, what should I be setting the DNS cache size to in this instance? And can either device handle DNS proxy with approx. 200 concurrent users?

 

 


Re: Limit bandwidth to a specific destination IP / IP's


2. What the heck is League of Legends

    It's a game. leagueoflegends.com

1. What login-issues?

    Since I switched from Ziggo to T-Mobile fiber, I have trouble logging into the game. 50/50 chance.

3. What's your bandwidth

    750 Mb up/down

4. What Router do you have

    ER X-SFP

5. What firmware are you using

    EdgeOS 1.10.6

 

Attached 2 files. Support tickets at Riot Games. All is explained in there.

 

I've requested support at T-Mobile (Dutch) a while ago.

https://community.t-mobile.nl/t-mobile-thuis-internet-492/lol-client-op-macos-via-glasvezel-draytek-2132-fvn-probleem-304020/index1.html#post1466189

 

TL;DR

Traceroute prod.euw1.lol.riotgames.com:

31.201.4.1
10.10.80.149
80.249.211.66
104.160.141.52
104.160.141.101
104.160.141.105
185.40.64.65

 

Apparently there might be a router along the way with a NIDS running (might be 80.249.211.66). As my login procedure is "happening" too fast, it could block me for 5 minutes each time I log in.

 

I'm not looking for a perfect solution right away, only how to set up bandwidth limiting to one or more IPs.

 

Re: EdgeRouter X/X-SFP check bootloader version


 wrote:

The test date is only on the shipping box, however, you could also use the date code which is on the unit itself before the MAC ID. Anything on or after the date codes below for each model includes the new bootloader from the factory:

ER-X - 1818G

ER-X-SFP - 1820G

EP-R6 - 1830G


 

Based on what is said above:

 

ER-X code of 1821G with a Test Date of 05/28/18:

sudo md5sum /dev/mtdblock2
828a6788a539809103bd42d121634211  /dev/mtdblock2

 

That md5 should be the new bootloader....

VPN Issues - can anyone here help?


This was initially posted in the UniFi Routing & Switching forum as it's relating to a USG-XG, but I've had no luck there. Given the USG is really just an EdgeRouter (it runs EdgeOS) without the GUI, I'm going to try posting it here in the hope someone has seen a similar issue and can point me in the right direction to get it fixed...

 

Background: The client needs to create an IKEv2 IPsec VPN to a Cisco ASA using certificate-based authentication. I've figured out most of the necessary config and largely got it set up, with one major hurdle: I cannot, no matter what I try, get it to accept the other side's certificate. I know Cisco had an issue with one version of IOS, but I've checked with the remote side and they are not running an affected version. They've also confirmed they have this particular cert in use already with other clients.

 

I did send this to UBNT support but got directed back to the forums. Any help would be appreciated.

 

Jim.

 

When connecting, we get the following (sanitised):

 

07[KNL] creating acquire job for policy 185.**.**.**/32[ipencap] === 217.**.**.**/32[ipencap] with reqid {7}
16[IKE] initiating IKE_SA peer-217.**.**.**-tunnel-vti[4] to 217.**.**.**
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
16[NET] sending packet: from 185.**.**.**[500] to 217.**.**.**[500] (308 bytes)
13[NET] received packet: from 217.**.**.**[500] to 185.**.**.**[500] (44 bytes)
13[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
13[IKE] initiating IKE_SA peer-217.**.**.**-tunnel-vti[4] to 217.**.**.**
13[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 185.**.**.**[500] to 217.**.**.**[500] (324 bytes)
15[NET] received packet: from 217.**.**.**[500] to 185.**.**.**[500] (1187 bytes)
15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
15[IKE] received cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA"
15[IKE] received cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
15[IKE] received cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
15[IKE] received 34 cert requests for an unknown ca
15[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA"
15[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
15[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
15[IKE] authentication of 'OU=Domain Control Validated, OU=PositiveSSL, CN=gateway.THIS_ROUTER.co.uk' (myself) with RSA signature successful
15[IKE] sending end entity cert "OU=Domain Control Validated, OU=PositiveSSL, CN=gateway.THIS_ROUTER.co.uk"
15[IKE] establishing CHILD_SA peer-217.**.**.**-tunnel-vti
15[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
15[NET] sending packet: from 185.**.**.**[4500] to 217.**.**.**[4500] (2552 bytes)
07[NET] received packet: from 217.**.**.**[4500] to 185.**.**.**[4500] (1816 bytes)
07[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH N(NO_PROP) ]
07[IKE] received end entity cert "OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com"
07[CFG] using certificate "OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com"
07[CFG] using trusted intermediate ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
07[CFG] checking certificate status of "OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com"
07[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy Inc., CN=Go Daddy Validation Authority - G2"
07[CFG] ocsp response is valid: until Sep 12 10:13:13 2018
07[CFG] using cached ocsp response
07[CFG] certificate status is good
07[CFG] using trusted ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
07[CFG] checking certificate status of "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
07[CFG] ocsp response verification failed, no signer certificate 'C=US, ST=Arizona, L=Scottsdale, O=GoDaddy Inc., CN=Go Daddy Validation Authority - G2' found
07[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
07[CFG] ocsp response is valid: until Sep 12 19:18:44 2018
07[CFG] using cached ocsp response
07[CFG] certificate status is good
07[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com' not allowed by trustchain, ignored
07[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com' not allowed by trustchain, ignored
07[CFG] reached self-signed root ca with a path length of 1
07[IKE] signature validation failed, looking for another key
07[CFG] using certificate "OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com"
07[CFG] using trusted intermediate ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
07[CFG] checking certificate status of "OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com"
07[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy Inc., CN=Go Daddy Validation Authority - G2"
07[CFG] ocsp response is valid: until Sep 12 10:13:13 2018
07[CFG] using cached ocsp response
07[CFG] certificate status is good
07[CFG] using trusted ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
07[CFG] checking certificate status of "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
07[CFG] ocsp response verification failed, no signer certificate 'C=US, ST=Arizona, L=Scottsdale, O=GoDaddy Inc., CN=Go Daddy Validation Authority - G2' found
07[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
07[CFG] ocsp response is valid: until Sep 12 19:18:44 2018
07[CFG] using cached ocsp response
07[CFG] certificate status is good
07[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com' not allowed by trustchain, ignored
07[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com' not allowed by trustchain, ignored
07[CFG] reached self-signed root ca with a path length of 1
07[IKE] signature validation failed, looking for another key
07[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
07[NET] sending packet: from 185.**.**.**[4500] to 217.**.**.**[4500] (88 bytes)

 

I've added the GoDaddy intermediate & root certificates manually as needed (copied to /etc/ipsec.d/cacerts) and can verify they are loaded correctly:

 

root@ubnt:/home/admin# ipsec listcacerts

List of X.509 CA Certificates:

subject: "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
issuer: "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
serial: 07
validity: not before May 03 08:00:00 2011, ok
not after May 03 08:00:00 2031, ok 
pubkey: RSA 2048 bits
keyid: b4:55:50:14:83:45:1f:ee:8c:a0:a1:0c:f5:af:de:3a:4c:5e:11:59
subjkey: 40:c2:bd:27:8e:cc:34:83:30:a2:33:d7:fb:6c:b3:f0:b4:2c:80:ce
authkey: 3a:9a:85:07:10:67:28:b6:ef:f6:bd:05:41:6e:20:c1:94:da:0f:de

subject: "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
issuer: "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
serial: 00
validity: not before Sep 01 01:00:00 2009, ok
not after Dec 31 23:59:59 2037, ok 
pubkey: RSA 2048 bits
keyid: 21:0f:2c:89:f7:c4:cd:5d:1b:82:5e:38:d6:c6:59:3b:a6:93:75:ae
subjkey: 3a:9a:85:07:10:67:28:b6:ef:f6:bd:05:41:6e:20:c1:94:da:0f:de

subject: "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA"
issuer: "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
serial: 2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07
validity: not before Feb 12 00:00:00 2014, ok
not after Feb 11 23:59:59 2029, ok 
pubkey: RSA 2048 bits
keyid: 49:7c:68:68:e4:84:cc:f0:ba:06:01:a6:c4:0b:7f:10:07:2c:6a:3c
subjkey: 90:af:6a:3a:94:5a:0b:d8:90:ea:12:56:73:df:43:b4:3a:28:da:e7
authkey: bb:af:7e:02:3d:fa:a6:f1:3c:84:8e:ad:ee:38:98:ec:d9:32:32:d4
pathlen: 0

 

Google is of little help identifying this problem, so I'm somewhat stuck. It doesn't matter what I try (I've even tried manually editing the ipsec.conf to specify a rightca; it defaults to the same), with no improvement.

 

If it helps, the remote side is a Cisco ASA which is not under my control and they have verified the certificate is in use with other clients for VPN with no issues.

 

 

ER-X Plusnet UK DNS Failing Problem


Since last Friday, I am experiencing DNS resolving issues.

 

bnt@ubnt:~$ show dns forwarding nameservers 
-----------------------------------------------
   Nameservers configured for DNS forwarding
-----------------------------------------------
208.67.220.220 available via 'statically configured'
8.8.4.4 available via 'statically configured'
208.67.222.222 available via 'statically configured'
8.8.8.8 available via 'statically configured'

ubnt@ubnt:~$ show dns forwarding statistics  
----------------
Cache statistics
----------------
Cache size: 150
Queries forwarded: 2870
Queries answered locally: 7043
Total DNS entries inserted into cache: 2935
DNS entries removed from cache before expiry: 853

---------------------
Nameserver statistics
---------------------
Server: 8.8.8.8
Queries sent: 1655
Queries retried or failed: 167

Server: 208.67.222.222
Queries sent: 1698
Queries retried or failed: 182

Server: 8.8.4.4
Queries sent: 1273
Queries retried or failed: 45

Server: 208.67.220.220
Queries sent: 1553
Queries retried or failed: 235

 

I am using a BT Openreach Fibre (white) modem connected to the ER-X with PPPoE.

 

It has been fine for 6 months.

 

To debug the problem, I have changed cables, changed the BT modem, flashed the ER-X firmware, reset it both ways (runtime and on power), changed the setup of the ER-X to use PoE, etc., tried MSS clamping and hwoffload tweaks, changed system DNS servers, and changed it to not use dnsmasq, but it makes no difference... the resolving, both on the ER-X and from a network PC, is very, very patchy and inconsistent.

 

Can anyone help?

 

Paully

 

Re: Bug ERL: keep losing VPN config


Took me a while to get it... but I finally have a serial cable and all. But sadly that's pretty uneventful.

 

This is the output:

 

INIT: Switching to runlevel: 6
INIT: Sending processes the TERM signal
Stopping DHCP server daemon...
Stopping network plug daemon: netplugd.
[ ok ] Stopping routing services...imi...done.
[ ok ] Removing all routes.
[ ok ] Stopping DNS forwarder and DHCP server: dnsmasq.
[ ok ] Stopping EdgeOS router: rl-system.
[ ok ] Asking all remaining processes to terminate...done.
[ ok ] All processes ended within 3 seconds...done.
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Mounting root read-only...done.
[ ok ] Mounting root dev read-only...done.
[info] Will now restart.
reboot: Restarting system

        UNAUTHORIZED USE OF THIS SYSTEM
        IS STRICTLY PROHIBITED!

 SSHing into the machine

yeri@sg-erl:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms

yeri@sg-erl:~$ show vpn ipsec sa 
IPSec Process NOT Running

yeri@sg-erl:~$ configure 
[edit]
yeri@sg-erl# load /config/config.boot
Loading configuration from '/config/config.boot'...
Load complete.  Use 'commit' to make changes active.
[edit]
yeri@sg-erl# commit 
[ vpn ]
conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.
[edit]

yeri@sg-erl# exit
Warning: configuration changes have not been saved.
exit
yeri@sg-erl:~$ show vpn ipsec sa 
peer-be.yeri.be-tunnel-1: #1, ESTABLISHED, IKEv1, etc etc etc

Re: Firewall Rule Accessing VLAN ETH2.100 TO WAN1 Port Forward


Hi jonatha,

 

thanks for the hint - I've chosen only eth2.

 

Now everything works fine.


Regards Mark

Re: Firewall Rule Accessing VLAN ETH2.100 TO WAN1 Port Forward


Thanks for the explanation about hairpin.

 

Now everything works fine.

 

Regards Mark


Re: OpenVPN Site-to-Site VPN Not Working Anymore


It doesn't appear that it was explicitly blocking that port, as I had the same problem a few days later with 1193. I moved it to a higher-numbered port and it's been working for a few days, but if the traffic starts being dropped again, I will have to dig in further and see what is going on. Interestingly, my client/server OpenVPN instance on 1194 has remained unaffected. At any rate, it does not appear to be an issue with the EdgeRouter or my configuration.

Re: ER-X SFP Site-to-Site IPSEC through PPPoE, No traffic


After more research I'm quite sure my tunnel is working fine. However, even though the auto-firewall rule should be setting up the firewall correctly, it appears to be doing nothing. Can someone tell me the firewall rules so that I can pass traffic?

Question about OpenVPN instructions in UBNT help


The OpenVPN instructions (https://help.ubnt.com/hc/en-us/articles/115015971688) contain, in steps 18 and 19, the use of IP addresses in the 172.16.1.xxx range. What do these mean? The inside LAN is 192.168.1.xxx.

 

In the standard L2TP the clients get an internal IP address via DHCP in the 192.168.1.xxx range. Am I correct in concluding that the OpenVPN has its own range and the clients get addresses in that range (e.g. could be 192.168.5.xxx too)? Would it be possible to let OpenVPN end up with addresses for the clients in the 192.168.1 range just like with the standard L2TP VPN?

 

Re: A simple question

Thank you so much. This is terrific! Very clear, very easy to follow.

I have one question: Since physical access to the radios is so difficult, the only risk I see here is the possible need to perform a physical hardware reset of the radios.

How does this procedure impact the use of the "IP alias" address to access the radios? (The IP alias address is assigned algorithmically by the radio itself using 169.254.X.Y where the X.Y octets are last two octets of the MAC address)

If I screw this up, would the device still respond to its 189.254.X.Y address? It seems like it should since it responds to that address no matter the Network settings of IP address, mask or gateway. (It's 169.154.0.0/16)

Re: Firewall not blocking traffic when asked...


Sorry I didn't read which interfaces you specified properly.

 

It's late and I'm having trouble working out how exactly the hairpin nat and port forwards could be the cause, but that configuration does create automatic firewall iptables rules. I would look at disabling that and you might need to create your DNAT/SNAT/firewall rules for them manually.
