
Re: Can't get DPI Social-Network firewall rule to work

 Could you post your sanitized configuration so we can take a look at what may be causing this? 


Re: PPPoE connection doesn't recover after drop

ubnt@ubnt:~$ show interfaces ethernet eth0 physical
Settings for eth0:
   Auto-negotiation: on
   Speed: 10Mb/s
   Duplex: Half
   Link detected: no
ubnt@ubnt:~$

 

This is my port for PPPoE; what the heck is going on? There was a storm last weekend and since then there has been no internet on the PPPoE. A Ubnt mesh antenna working as a client is connected to this port.

 

The log keeps saying this:

 

 ubnt pppd[1970]: Timeout waiting for PADO packets

Please help me with how to troubleshoot this further.

Re: Support for g.fast SPF

Wow, impressive.

 

I had literally fired up my Windows machine, installed Linux services and Ubuntu 18.04 LTS. Got binwalk up and running, hit the jefferson missing part and then installed the full set of dependencies for binwalk.

 

Extracted the filesystem and just at that moment thought I would check the thread to see if there was an update. :0)

 

When you say ask them for the source, would that be SoftAtHome or some other party?

 

This all looks potentially possible considering the basic moving parts seem to be identified. However, I am definitely now well outside of my comfort zone knowledge wise and really appreciate your efforts so far. Do you think you can take this any further?

Re: Limit bandwidth to a specific destination IP / IP's

Re: Support for g.fast SPF

Quick question: which file did you download to examine? I pulled the one for the Internet Box 2 and it doesn't seem to have quite the same layout of files.

 

This device supports the g.fast protocol out of the box with no need for the SFP device, which is why it might not have the driver and firmware files of the version 1 device...

Re: Support for g.fast SPF

Probably Swisscom in the first instance. Ask for all the GPL source code in the product they shipped to you. I checked the latest stable Linux kernel and could find no mention of the Metanoia dying gasp driver. See what you get back. I guess you could ask SoftAtHome, but I really have zero experience in requesting GPL software source code.

Re: Support for g.fast SPF


 wrote:

Quick question: which file did you download to examine? I pulled the one for the Internet Box 2 and it doesn't seem to have quite the same layout of files.

 

This device supports the g.fast protocol out of the box with no need for the SFP device, which is why it might not have the driver and firmware files of the version 1 device...


Internet Box plus as that appears to be the only one with an SFP cage. My interest is potentially understanding the EBM protocol so one can communicate with a Metanoia VDSL SFP. No access to g.Fast where I am in the UK.

Re: Firewall Rule Accessing VLAN ETH2.100 TO WAN1 Port Forward


 wrote:

I'd rather create a simple DNAT rule that redirects traffic coming from the client's subnet targeted at the WAN IP to the server at eth2.100 directly. Unfortunately this won't work with a dynamic WAN IP + DDNS. If that's the case, you could add a custom DNS entry that links the DDNS address to the server's local IP and thus there'd be no need for NAT whatsoever.


Yes, you can use DNAT to redirect a dest WAN IP to the internal server even with a dynamic WAN IP. In the DNAT rule, just use

 

destination group address-group ADDRv4_ethX

where X is adjusted to the eth port used for WAN.


Re: Support for g.fast SPF

Ok thanks.


The Internet Box 2 also has an SFP cage but supports g.fast over vdsl directly without using the SFP unit. I just happened to be sent one through a mistake by Swisscom.

 

I am assuming that getting the device recognised, firmware injected etc. by the Edgerouter would be enough to have it act like a standard SFP and the g.fast side of things is handled transparently. Does that sound reasonable?

Re: Support for g.fast SPF

Request to Swisscom made, and I also have contacted SoftAtHome to see whether they are willing to help explain the full end to end picture of getting the unit up and running.

 

Fingers crossed.

Re: when to use destination port vs source port?

Hi, 16 again. So I've made attempts on this and I still can't get it to work. I added both a source and a destination rule on each zone, and even port forwarding. I get no hits. Could you help me out, please?

 

dnat rules:

nat {
        rule 5000 {
            description "masquerade to eth0"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5001 {
            description "masquearade to vtun0"
            log enable
            outbound-interface vtun0
            protocol all
            type masquerade
        }
    }

Traffic from LAN to WAN:

name LAN-WAN {
        default-action drop
        description "LAN to WAN"
        enable-default-log
        rule 10 {
            action accept
            description "Established/Related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid"
            log enable
            state {
                invalid enable
            }
            protocol tcp
        }
        rule 300 {
            action accept
            description "FTP,SFTP"
            destination {
                port 20,21,22
            }
            log enable
            protocol tcp
        }
        rule 301 {
            action accept
            description "SFTP ports"
            log enable
            protocol tcp
            source {
                port 1559-1700
            }
        }
        rule 3200 {
            action accept
            description "SFTP ports"
            destination {
                port 1559-1700
            }
            log enable
            protocol tcp_udp
        }
    }

From WAN to LAN:

name WAN-LAN {
        default-action drop
        description "WAN to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Established/Related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "SFTP ports"
            destination {
                port 1559-1700
            }
            log enable
            protocol tcp_udp
        }
        rule 35 {
            action accept
            description "SFTP ports"
            log enable
            protocol tcp_udp
            source {
                port 1559-1700
            }
        }
    }

 

Extra:

port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description "Sftp"
        forward-to {
            address 10.0.0.108
            port 1559-1700
        }
        original-port 1559-1700
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN-ISP"
        duplex auto
        speed auto
    }
}

please help
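As an added illustration (not part of the original post) of why destination-port and source-port rules behave so differently, the following Python models first-match rule evaluation over a simplified, hypothetical reconstruction of the WAN-LAN ruleset above; rule numbers and port ranges are taken from the post, the packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    state: str       # conntrack state: "new", "established", "related" or "invalid"

@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str = "all"        # "tcp", "udp", "tcp_udp" or "all"
    src_ports: tuple = ()     # inclusive (low, high) range on the *source* port, () = any
    dst_ports: tuple = ()     # inclusive (low, high) range on the *destination* port
    states: tuple = ()        # conntrack states the rule matches, () = any

    def matches(self, p):
        if self.proto == "tcp_udp":
            if p.proto not in ("tcp", "udp"):
                return False
        elif self.proto != "all" and self.proto != p.proto:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.src_ports and not self.src_ports[0] <= p.src_port <= self.src_ports[1]:
            return False
        if self.dst_ports and not self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]:
            return False
        return True

def evaluate(rules, p, default_action="drop"):
    """First matching rule wins, as in an EdgeOS ruleset; returns (rule number, action)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return None, default_action

# Hypothetical reconstruction of the WAN-LAN ruleset from the post, reduced to the
# fields that matter here (protocol, ports, conntrack state).
WAN_LAN = [
    Rule(10, "accept", states=("established", "related")),
    Rule(20, "drop", states=("invalid",)),
    Rule(30, "accept", proto="tcp_udp", dst_ports=(1559, 1700)),  # server port is the destination
    Rule(35, "accept", proto="tcp_udp", src_ports=(1559, 1700)),  # only hits if the client uses these
]

# Constructed inbound SFTP connection attempt: the client picks an ephemeral source port
# and targets the forwarded server port, so only the destination-port rule can match it.
INBOUND_SYN = Packet("tcp", src_port=51234, dst_port=1600, state="new")
```

Dropping rule 30 from the list leaves the connection attempt hitting the default drop, because rule 35 inspects the client's ephemeral source port rather than the server port.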

OSPF opaque-lsa - yea or nay

Our core routers are CentOS 7 boxes running BGP and OSPF while all of our other routers are various EdgeRouter models.

 

We recently added a new site and started seeing some OSPF oddness. (Log file below)

 

It looks like the EdgeRouters have opaque-lsa enabled by default while OSPF on the CentOS servers has it disabled by default.

 

So it makes sense that I'm seeing "Opaque capability mismatch?" in the OSPF log file.

 

Googling I found this thread: https://community.ubnt.com/t5/EdgeRouter/OSPF-Why-is-opaque-lsa-enabled/m-p/2123558

 

After reading about opaque-lsa, superficially at least, it seems like having opaque-lsa enabled is a good thing. However I believe the mismatch between the EdgeRouters and the CentOS servers is causing problems.

 

So big picture questions first:

 

  1. Should opaque-lsa be enabled everywhere or nowhere?
  2. What are the pros & cons of having it enabled or disabled?
  3. Am I correct that having some routers with it enabled while others have it disabled will cause problems?

Tactical question:

 

  1. Is there a way to disable opaque-lsa on EdgeRouters that will persist after a reboot? (I can't find it.)

 

Some details:

 

Quagga OSPF on the CentOS servers is: 0.99.22.4

The EdgeRouters are running 1.10.4

 

OSPF log file from a CentOS server.

 

 

2018/09/16 16:18:36 OSPF: LSA[Type10:1.0.0.12]: Opaque capability mismatch?
2018/09/16 16:18:46 OSPF: LSA[Type10:1.0.0.1]: Opaque capability mismatch?
2018/09/16 16:18:46 OSPF: LSA[Type10:1.0.0.1]: Opaque capability mismatch?
2018/09/16 16:21:16 OSPF: LSA[Type10:1.0.0.6]: Opaque capability mismatch?
2018/09/16 16:21:16 OSPF: LSA[Type10:1.0.0.6]: Opaque capability mismatch?
2018/09/16 16:23:36 OSPF: LSA[Type10:1.0.0.10]: Opaque capability mismatch?
2018/09/16 16:23:36 OSPF: LSA[Type10:1.0.0.10]: Opaque capability mismatch?
2018/09/16 16:26:16 OSPF: LSA[Type10:1.0.0.10]: Opaque capability mismatch?
2018/09/16 16:26:16 OSPF: LSA[Type10:1.0.0.10]: Opaque capability mismatch?
2018/09/16 16:26:26 OSPF: LSA[Type10:1.0.0.6]: Opaque capability mismatch?
2018/09/16 16:26:26 OSPF: LSA[Type10:1.0.0.6]: Opaque capability mismatch?
2018/09/16 16:27:26 OSPF: LSA[Type10:1.0.0.8]: Opaque capability mismatch?
2018/09/16 16:27:26 OSPF: LSA[Type10:1.0.0.8]: Opaque capability mismatch?
2018/09/16 16:32:36 OSPF: LSA[Type10:1.0.0.1]: Opaque capability mismatch?
2018/09/16 16:32:36 OSPF: LSA[Type10:1.0.0.1]: Opaque capability mismatch?
2018/09/16 16:37:34 OSPF: nsm_change_state(10.6.0.2, Full -> Deleted): scheduling new router-LSA origination
2018/09/16 16:37:34 OSPF: DR-Election[1st]: Backup 10.0.15.3
2018/09/16 16:37:34 OSPF: DR-Election[1st]: DR     10.0.15.7
2018/09/16 16:37:34 OSPF: DR-Election[2nd]: Backup 10.0.15.3
2018/09/16 16:37:34 OSPF: DR-Election[2nd]: DR     10.0.15.7
2018/09/16 16:37:34 OSPF: ospfTrapIfStateChange trap sent: 10.0.15.3 now Backup
2018/09/16 16:37:34 OSPF: interface 10.0.15.3 [8] join AllDRouters Multicast group.
2018/09/16 16:37:35 OSPF: nsm_change_state(10.6.0.3, Full -> Deleted): scheduling new router-LSA origination
2018/09/16 16:37:35 OSPF: DR-Election[1st]: Backup 10.0.15.3
2018/09/16 16:37:35 OSPF: DR-Election[1st]: DR     10.0.15.3
2018/09/16 16:37:35 OSPF: DR-Election[2nd]: Backup 0.0.0.0
2018/09/16 16:37:35 OSPF: DR-Election[2nd]: DR     10.0.15.3
2018/09/16 16:37:35 OSPF: ospfTrapIfStateChange trap sent: 10.0.15.3 now DR
2018/09/16 16:38:36 OSPF: LSA[Type10:1.0.0.8]: Opaque capability mismatch?
2018/09/16 16:38:49 OSPF: Link State Update: Unknown Neighbor 10.6.0.3 on int: enp13s0f0:10.0.15.3
2018/09/16 16:38:49 OSPF: Link State Update: Unknown Neighbor 10.6.0.2 on int: enp13s0f0:10.0.15.3
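An added example, not from the original post: parsing Quagga OSPF log lines in the format above to count rejected opaque LSAs per link-state ID and pick out the neighbor events, so the capability mismatch can be confirmed from logs before any configuration is changed. The sample lines are a constructed subset in the same shape as the log above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Quagga OSPF log lines shown above, same format.
SAMPLE_LOG = """\
2018/09/16 16:18:36 OSPF: LSA[Type10:1.0.0.12]: Opaque capability mismatch?
2018/09/16 16:18:46 OSPF: LSA[Type10:1.0.0.1]: Opaque capability mismatch?
2018/09/16 16:18:46 OSPF: LSA[Type10:1.0.0.1]: Opaque capability mismatch?
2018/09/16 16:37:34 OSPF: nsm_change_state(10.6.0.2, Full -> Deleted): scheduling new router-LSA origination
2018/09/16 16:37:35 OSPF: nsm_change_state(10.6.0.3, Full -> Deleted): scheduling new router-LSA origination
2018/09/16 16:38:36 OSPF: LSA[Type10:1.0.0.8]: Opaque capability mismatch?
2018/09/16 16:38:49 OSPF: Link State Update: Unknown Neighbor 10.6.0.3 on int: enp13s0f0:10.0.15.3
"""

# Quagga prints LSA[Type<n>:<link-state id>]; for opaque LSAs (types 9, 10, 11) the first
# octet of the link-state ID is the opaque type and the remaining three are the opaque ID.
MISMATCH_RE = re.compile(r"^(\S+ \S+) OSPF: LSA\[Type(\d+):([\d.]+)\]: Opaque capability mismatch\?")
NSM_RE = re.compile(r"^(\S+ \S+) OSPF: nsm_change_state\(([\d.]+), (\w+) -> (\w+)\)")
UNKNOWN_RE = re.compile(r"^(\S+ \S+) OSPF: Link State Update: Unknown Neighbor ([\d.]+) on int: (\S+)")

OPAQUE_TYPES = (9, 10, 11)

def summarize_ospf_log(text):
    """Count rejected opaque LSAs per link-state ID and collect neighbor events."""
    mismatches = Counter()   # link-state ID -> number of "Opaque capability mismatch?" lines
    lsa_types = set()        # LSA types seen on mismatch lines
    drops = []               # (timestamp, neighbor router ID) for Full -> Deleted transitions
    unknown = []             # (timestamp, neighbor router ID, interface) for unknown-neighbor LSUs
    for line in text.splitlines():
        if m := MISMATCH_RE.match(line):
            lsa_types.add(int(m.group(2)))
            mismatches[m.group(3)] += 1
        elif m := NSM_RE.match(line):
            if (m.group(3), m.group(4)) == ("Full", "Deleted"):
                drops.append((m.group(1), m.group(2)))
        elif m := UNKNOWN_RE.match(line):
            unknown.append((m.group(1), m.group(2), m.group(3)))
    return {"mismatches": dict(mismatches), "lsa_types": sorted(lsa_types),
            "drops": drops, "unknown_neighbors": unknown}

def opaque_capability_mismatch(summary):
    """True when every rejected LSA is an opaque type, i.e. the opaque (O-bit) capability
    differs between this router and the routers flooding those LSAs."""
    return bool(summary["mismatches"]) and all(t in OPAQUE_TYPES for t in summary["lsa_types"])
```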

 

 

 

Re: VPN Issues - can anyone here help?

That's what I thought, but their cert is signed by GoDaddy and I've already got the GoDaddy root & intermediate CA certs loaded.

 

That's what's puzzling me - I can't see any reason it won't work, but it doesn't!

 

Thanks for the idea though, good to know I'm not going totally nuts!

 

Jim

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish

Assuming here that you have multiple routes at SITE A that can reach the SITE B destination IPs, or perhaps just a single summary route.  There's always going to be a priority assigned in that scenario and it seems that .226/27 is winning.

 

The proposed solution is to apply a next-hop-interface static route at SITE A that forces traffic destined for SITE B (157.x.x.229/32) to go out the 12.x.x.229/27 interface.  The inverse would also need to exist such that SITE B traffic destined for SITE A (12.x.x.229/32) would need to take next-hop-interface of 157.x.x.229/27.

 

Once that's in place, the IKE's should actually flow along the desired x.x.x.229/27 paths to establish the tunnel.

Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish

 

 

I'm not sure what you are saying. The local-address command I posted is used in both route-based and policy-based configurations.  I'm using policy-based with 5 IPs on the WAN interface, and I use local-address to specify which IP to use for each IPSEC peer configuration.

 

It's not clear to me what problem you are trying to solve at the moment.  Is it the fact that your tunnels don't come up?  Or is it the fact that they are not using the WAN IP you want them to use?

 

You wrote, "My first objective is to get the site-to-site connection before I even bother with the routes." Note that the IPSEC tunnel won't come up until you pass "interesting traffic" so I'm not sure your plan to get the tunnel working before setting up the routing is possible.

 

Maybe it would be easier for you to get a simple policy-based IPSEC vpn working, then add VTI after you have that working.

 


Re: NAT Reflection between eth1 and eth3

Still getting ERR_CONNECTION_REFUSED, could this be a firewall issue as well?

Re: Update using CLI

Hi,

 

We also have an article on upgrading EdgeOS here. It is possible to update the firmware from a local file (uploaded earlier), remote server or directly from the UBNT download page.

 

Ben

Re: ER-X SFP Site-to-Site IPSEC through PPPoE, No traffic

Hi, welcome to the UBNT forums!

 

It appears that phase 2 (ESP) is not establishing correctly. Can you also attach the pfSense settings so that we can compare the VPN configs?

 

The 'Automatic NAT/Firewall' feature will automatically open the necessary ports and allow the relevant IPsec traffic through the firewall.

 

To verify the firewall and NAT rules, please run:

sudo iptables -L -v -n

sudo iptables -t nat -L -v -n

 

Ben

Re: VPN Issues - can anyone here help?

Well, you have the trust chain broken / incomplete. Either you're missing the correct CA or you have it incorrectly installed.

Post the cert in question here for inspection (it's safe, it's the public portion).

Re: A simple question

Yes, eth4 will get an IP of 192.168.3.100 or whatever is free.

 

Yes, eth0, eth4 and the radio will go into the switch together.

 

Yes, for a managed switch only. You do not want something else on DHCP taking the address meant for eth0.

 

No, do not reconfigure or use switch0 on the ERX.
