
Re: VPN Issues - can anyone here help?


Looks like you need to explicitly import and trust the CA cert that was used to sign mercury.THEIR_ROUTER.com 

07[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com' not allowed by trustchain, ignored
07[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=mercury.THEIR_ROUTER.com' not allowed by trustchain, ignored
07[CFG] reached self-signed root ca with a path length of 1
07[IKE] signature validation failed, looking for another key

 


Re: Router blocking websites


Some items were removed (and marked with /// Info removed ///) for security.

But I have also wiped the config clean and installed the Basic Setup Wizard with no additional changes,

and it still acts the same.

The VPN interface is not being used and is disabled.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify pia_route {
        rule 10 {
            action modify
            description PIA
            modify {
                table 1
            }
            source {
                address 192.168.1.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 192.168.1.1/24
        aging 300
        bridged-conntrack disable
        description "Local Bridge"
        firewall {
            in {
                modify pia_route
            }
        }
        hello-time 2
        max-age 20
        priority 32768
        promiscuous enable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description MediaServer
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        description LivingRmSwitch
        duplex auto
        speed auto
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        description MacMini
        duplex auto
        speed auto
    }
    ethernet eth4 {
        bridge-group {
            bridge br0
        }
        description WinPC
        duplex auto
        speed auto
    }
    ethernet eth5 {
        bridge-group {
            bridge br0
        }
        description WiFi
        duplex auto
        speed auto
    }
    ethernet eth6 {
        bridge-group {
            bridge br0
        }
        description NAS
        duplex auto
        speed auto
    }
    ethernet eth7 {
        bridge-group {
            bridge br0
        }
        description Switch
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/auth/udp-chi2_udp.ovpn
        description "Private Internet Access"
        disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface br0
    rule 1 {
   /// Rule Info Removed ///
    }

    wan-interface eth0
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN_BR {
            authoritative enable
            subnet 192.168.1.0/24 {
                bootfile-name pxelinux.0
                bootfile-server 192.168.1.54
                default-router 192.168.1.1
                dns-server 8.8.4.4
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
		/// DYNDNS Info Removed ///
                }
                web dyndns
            }
        }
        forwarding {
            cache-size 150
            listen-on br0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description PIA
            log disable
            outbound-interface vtun0
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
        rule 5001 {
            description default
            log disable
            outbound-interface eth0
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name Router
    login {
    /// Login info removed ///
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        custom-category SNews {
            name snews
        }
        dpi enable
        export enable
    }
}
traffic-control {
}

 

Re: I bought the EdgeRouter X, can the power supply deliver 24v PoE or need different adapter?


thank you.  I did not realize I could use the PoE adapter to power the ERX also.  Good to know for backup

Re: VPN Issues - can anyone here help?


Just to expand on what was said:

 

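# Install the remote gateway's CA certificate into the system trust store so
# that the IKE daemon can build a trust chain to the certificate the peer
# presents. Before trusting the file, confirm out-of-band that ca.crt really is
# the CA the peer uses (e.g. compare its fingerprint with the peer's admin):
# everything signed by this CA becomes trusted system-wide.
# NOTE(review): /usr/share is not under /config on EdgeOS, so this copy may
# not survive a firmware upgrade — confirm before relying on it.
sudo mkdir -p /usr/share/ca-certificates/mercury.router.com

# The original recipe had no space between source and destination and named
# the file ca.cert here but ca.crt in the config entry; the two must match.
sudo cp /location/to/ca.crt /usr/share/ca-certificates/mercury.router.com/ca.crt

# Register the certificate (path relative to /usr/share/ca-certificates) in
# /etc/ca-certificates.conf (not "ca-certificares.conf"). Done non-interactively
# instead of via vi, and guarded so re-running does not add a duplicate entry.
grep -qxF 'mercury.router.com/ca.crt' /etc/ca-certificates.conf \
    || echo 'mercury.router.com/ca.crt' | sudo tee -a /etc/ca-certificates.conf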

Last step

# Rebuild the consolidated trust bundle so the newly registered CA takes effect.
sudo update-ca-certificates

 

Re: Limit bandwidth to a specific destination IP / IP's


You can't do QoS at 750Mb/s link speed.

Can you try with hwnat disabled?

It will limit all download speeds, as it makes the CPU do all the routing.

Hairpin NAT issues


Hi guys,

having trouble with my hairpin NAT settings.

 

ETH0 = WAN

SWITCH0 = LAN (192.168.100.0/24)

 

My config here

 

name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description ELO
            destination {
                port 8080
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description RDP
            destination {
                port 3389
            }
            log disable
            protocol tcp_udp
        }
        rule 60 {
            action accept
            description SQL
            destination {
                port 1433
            }
            log disable
            protocol tcp_udp
        }

interfaces {
    ethernet eth0 {
        address dhcp
        description INET1
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        address dhcp
        description INET2
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        disable
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 1
                    vid 10
                    vid 11
                }
            }
            interface eth2 {
                vlan {
                    pvid 1
                    vid 10
                    vid 11
                }
            }
            interface eth3 {
                vlan {
                    pvid 1
                    vid 10
                    vid 11
                }
            }
            interface eth4 {
                vlan {
                    pvid 1
                    vid 10
                    vid 11
                }
            }
            vlan-aware enable
        }
        vif 1 {
            address 192.168.100.1/24
            description DefaultVlan
            mtu 1500
        }
        vif 10 {
            address 192.168.101.1/24
            description WiFi
            mtu 1500
        }
        vif 11 {
            address 192.168.102.1/24
            description WiFiGuests
            firewall {
                in {
                    name GUESTS_IN
                }
                local {
                    name GUESTS_LOCAL
                }
            }
            mtu 1500
        }
    }
}

nat {
        rule 10 {
            description ELO
            destination {
                address (WAN)
                port 8080
            }
            inbound-interface eth0
            inside-address {
                address 192.168.100.240
                port 8080
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 21 {
            description hairpinELO
            destination {
                address (WAN)
                port 8080
            }
            inbound-interface switch0
            inside-address {
                address 192.168.100.240
                port 8080
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5000 {
            description hairpinMASQ
            destination {
                address 192.168.100.240
                port 8080
            }
            log disable
            outbound-interface switch0
            protocol tcp_udp
            source {
                address 192.168.100.0/24
            }
            type masquerade
        }
        rule 5010 {
            description "masquerade for INET1"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5011 {
            description "masquerade for INET2"
            disable
            log disable
            outbound-interface eth5
            protocol all
            type masquerade
        }
    }

 

If I try to go from the outside, no problem (firewall works ok, destination NAT rule 10 ok)

If I try to open from LAN using LAN address, no problem (inside routing ok, server FW ok)

If I try to open from LAN using the (WAN) address, it doesn't open.

 

Any advice would be highly appreciated.

 

 

Re: Edge Point as Switch


Yup, either the UniFi or EdgeMAX switches should do fine in that situation.

The UniFi switches might be nice since it's easier to see the switch temperatures through the UniFi control panel.

EdgeMAX can do the same using UNMS, but that's still in beta.

Re: A simple question


Thanks for the reply.  It's very intriguing in its simplicity, but your writing style has raised many questions.  I am an engineer, so I take every word literally.

 

Please let me ask some questions to clarify your idea:

 

  • "Assign static to new spare port for 192.168.3.0/24 network on ERX"

Assume I use eth4 as the "spare port".  Do you mean assign IP address 192.168.3.100 (or other convenient 192.168.3.X subnet IP address) to ERX interface eth4?

 

  • Put new port + eth0 from EXR into switch with your radios.

This is very confusing: does this mean plug a patch cable from eth0 into the switch, plug a patch cable from eth4 into the switch, and plug the radio cable into the switch?

 

  • Make sure switch is set to static IP

If this refers to an unmanaged switch, I don't know what it means.  If it refers to a managed switch, I understand it but I don't have one of those.

 

OR, do you mean that I should reconfigure the ERX internal switch and bring the radio cable into an external switch and then use patch cables into eth0 AND eth4 (where eth4 is set to 192.168.3.0/24)?


Re: VPN Issues - can anyone here help?


To do it via EdgeOS commands you can use

set vpn ipsec site-to-site peer your_peer authentication x509 ca-cert-file /config/auth/CA.PEM

ER-8 to ER-8pro config


Can I load a config from an ER-8 to a ER-8pro without any issues? 

Re: EdgeRouter X - IMAP & SMTP problem only on Samsung Android tablet


GoDaddy is the mail service provider. Do you feel the problem may be at their end?

 

Perhaps there's a deeper level of debugging information which might reveal what actually changes in the er-x between its okay and problem states?

 

ER8Pro dropping SIP packets


 

Hi,

 

I'm seeing messages like these in the log:

 

Sep 17 14:53:43 ubnt kernel: nf_ct_sip: dropping packet: cannot add expectation IN= OUT= src=192.168.250.63 DST=192.168.220.196 LEN=652 TOS=0x00 PREC=0x00 TTL=63 ID=25357 DF PROTO=TCP SPT=39108 DPT=5060 SEQ=3353979728 ACK=2582592983 WINDOW=229 RES=0x00 ACK PSH URGP=0 OPT (0101080A002BC8443703FD68)

 

I understand that apparently (some) SIP packets are being dropped rather than routed, and I don't understand why.  What is "cannot add expectation" supposed to tell me?

 

Should I disable conntrack for SIP, and if so, how?

 

Re: Hairpin NAT issues


I got exactly what you describe recently on a client's site ER-PoE (maybe after upgrading to 1.10.6?).

Accessing a service over cellular works, and accessing the same service over internal IPs does too... but when accessing it with the working DynDNS FQDN from within the local LAN (wired or WiFi), it doesn't.

Are there any outstanding bugs regarding hairpin NAT/loopback?

Re: A simple question

I've been doing something quite similar (I think) by bringing the IP cable from the modems & radio leg into an unmanaged switch then patching the switch to eth0 and an open ERX port configured to connect (internal to ERX) to the ERX switch chip.

I've thought of this as dangerous since it exposes my LAN to the WAN. Or am I wrong?

Re: Support for g.fast SPF


Hmm, digging a bit deeper I found this on the Metanoia website:

 

MT-G5321 SFP is one of the Metanoia PHY SFP product series complying with the ITU-T G.9701/ G.9700 G.Fast standard which can provide  up to 1Gbps data rate. This G.fast SFP can be easily plugged into any CPE Gateway which has an SFP cage on board. In order to Identify G.Fast SFP after insert to SFP slot, MT5321 G.Fast SFP will follow SFF-8472 first 128 byte format let Host to read these 128 bytes information prior to loading the program into SFP device through 2-wire I2C interface.

 

Which suggests that the host needs to upload firmware into the SFP once it has been inserted. That might well explain the need for OS updates on the Cisco, and as I understand it is a departure from the VDSL version of the device, which has no such firmware-upload requirement.

 

So to support this on a Ubiquiti we would need to extract the firmware from somewhere and write a program to upload it to the SFP. Some digging around and I have found what I think is a download for the firmware used by the Swisscom box. Time to do some digging around in that and see what we can find out.

 

https://www.swisscom.ch/en/residential/help/internet/firmware-aktualisierungen-fuer-ihre-internet-box.html#tab=2

 

How easy it is to write a program to upload the firmware on a Ubiquiti router is another question altogether.


combined eth2/3/4


Hi,

I see that on the EdgeRouter, ports eth2/3/4 are combined into the same switch0 when the Wizard is run. While I can manually remove, say, eth4 from this switch (and assign a specific LAN to it), I wonder why these ports are combined. They are also marked as grouped on the switch.

 

Is this because they are on the same internal fabric/chip?

 

If I remove one of the interfaces, would it degrade performance?

 

thanks

 

ERX Wifi vlan routed to VPN connection


Looking for a bit of assistance on this as I am struggling to get the routing to work.

 

I have a ERX-SFP with a few different networks. One network is configured into eth1 for DMZ/IOT devices, while the rest are configured in Switch0. The default network is switch0 10.20.255.1/24 with 3 different vlans created. One for production network(vlan 66), one for guest wifi(vlan 200) and the other I just created for the wifi VPN(vlan 94).

 

Basically what I am trying to do is forward all traffic on the wifi_VPN group over the wireless. I am able to get the tunnel up, I am seeing the NAT masquerade get hits but it doesn't seem to get any traffic to go over the tunnel. If I had to guess it has to do with the route.

 

Here is the configuration I did for the VPN. I think my problem is the `set interfaces` line, but I am not sure.

 

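# OpenVPN client tunnel to the provider; the .ovpn profile lives under
# /config/auth so it is kept across firmware upgrades.
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_australia_-_brisbane_udp.ovpn
set interfaces openvpn vtun0 description 'ExpressVPN'

# Source NAT for the VPN-wifi subnet when it leaves through the tunnel.
set service nat rule 5000 description ExpressVPN
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 10.94.66.0/24
set service nat rule 5000 type masquerade

# Fallback masquerade out the WAN for the same subnet.
# NOTE(review): with this rule present, whenever vtun0 is down (or a packet
# misses the policy route) clients on 10.94.66.0/24 egress eth0 in the clear.
# If that subnet must only ever use the VPN, consider removing this rule
# (rule 5010 in the listed config already masquerades eth0 with no source
# restriction) and adding a firewall rule that drops 10.94.66.0/24 on eth0 out.
set service nat rule 5001 description default
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 source address 10.94.66.0/24
set service nat rule 5001 type masquerade

# Alternate routing table used by the policy route: default route via the tunnel.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

# Policy-based routing: traffic sourced from the VPN-wifi subnet is sent to table 1.
set firewall modify express_vpn_route rule 10 description 'ExpressVPN'
set firewall modify express_vpn_route rule 10 source address 10.94.66.0/24
set firewall modify express_vpn_route rule 10 modify table 1

# Attach the modify ruleset to the interface the 10.94.66.0/24 clients actually
# arrive on. The original line targeted "vti 94" (an IPsec virtual tunnel
# interface, not a VLAN) and repeated the word "modify"; the VLAN-94
# subinterface of switch0 is the intended target. Assumes switch0 vif 94
# (10.94.66.1/24) exists — it is not present in the listed config.
set interfaces switch switch0 vif 94 firewall in modify express_vpn_route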
(also tried as set interfaces switch switch0 firewall in modify express_vpn_route with no luck)

 

Below is my config minus what you see above. I have reverted to a prior config to make sure anything I did incorrect is not there.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ_Local {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    name Guest_Local {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    name PROD_IN {
        default-action drop
        description ""
    }
    name PROD_OUT {
        default-action drop
        description ""
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description DMZ_IOT
        duplex auto
        firewall {
            in {
            }
            local {
                name DMZ_Local
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.20.255.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 66 {
            address 10.66.94.1/24
            description Prod_Home
            mtu 1500
        }
        vif 200 {
            address 172.16.200.1/24
            description Guest_Wifi
            firewall {
                local {
                    name Guest_Local
                }
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest_Wifi {
            authoritative disable
            subnet 172.16.200.0/24 {
                default-router 172.16.200.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.16.200.100 {
                    stop 172.16.200.120
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.20.255.0/24 {
                default-router 10.20.255.1
                dns-server 10.20.255.1
                lease 86400
                start 10.20.255.38 {
                    stop 10.20.255.243
                }
                unifi-controller 10.66.94.252
            }
        }
        shared-network-name Prod_Home {
            authoritative disable
            subnet 10.66.94.0/24 {
                default-router 10.66.94.1
                dns-server 10.66.94.252
                lease 86400
                start 10.66.94.10 {
                    stop 10.66.94.200
                }
                unifi-controller 10.66.94.252
            }
        }
        shared-network-name VPN_Wifi {
            authoritative disable
            subnet 10.94.66.0/24 {
                default-router 10.94.66.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.94.66.100 {
                    stop 10.94.66.120
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}

Re: VOIP issues


ER-PoE5 won't be able to do QoS at 100Mb/s

If you end up with 100% CPU, you might be better off without QoS

 

I normally set QoS bandwidth at 85...90% of link speed.

need to bridge a ER-x to a mikrotik to bridge Public IP's for client


Right now we are doing 1:1 NAT and we have Proxy ARP on, with the Mikrotik Cloud Core being our core router.

 

 

Currently, our clients use a Mikrotik and we bridge it to our Cloud Core and can do 1:1 NAT and bridge the public IPs so the client uses the actual public IPs.

 

 

We would like to move to using the ER-X for the clients. How can I bridge 2 public IPs into an ER-X?

 

This client wants to see the actual public IPs on the servers, not the 1:1 NAT IPs.

 

 

 

Re: combined eth2/3/4


The ER-X has an internal switch chip.  Eth2/3/4 are included on the switch chip by the wizard, so you can operate a small network without needing a separate switch.

 

Yes, you can remove one or more interfaces from the switch chip.  There will be no performance penalty.  To use an interface that you remove from the switch chip, you will need to assign a new distinct subnet to that interface.

 
