Channel: All EdgeRouter posts

Re: A simple question

Thanks so much for this guidance. I had no trouble adding the '3' network, but I'll have to wait until I return to VT to implement the host part.

This needs to be rolled into the setup for AirMax devices since they are marketed as a way to 'bridge' routers to WAN interfaces.

Re: A simple question

You can set up your firewall rules on eth4 for security, blocking anything coming in but allowing LAN access out so you can still connect to the radios.

Re: A simple question

  • Now this is an excellent point. The concern that drives me is that I can 'bypass' the ERX by cabling from modem to bridge to unmanaged switch to eth0 and from switch to eth4 and access my devices directly. The danger is that connecting the WAN to eth4 exposes my LAN to the Internet.

I can simply firewall (block) all inbound traffic on eth4 except traffic from devices in the bridge (my radios).

Thanks

No internet with new modem

I upgraded my service and had to install a new cable modem. I can access the internet by connecting a laptop directly to the Ethernet port on the modem so I know that I do have service. When I connect eth0 to the modem I get no internet service on my network. My network has been running stable for a little over 2 years and all I have done is swapped out my cable modem. My router is an EdgeRouter X with v1.9.7+hot fix.3 firmware. Can someone please point me in the right direction? I'm totally lost.

Re: A simple question

You can also take it 1 step further and also block all LAN access to eth4 but only allow your PC's IP out.

Re: when to use destination port vs source port?

Have you assigned the firewall rules to your interfaces?

Something like below.

    ethernet eth1 {
        address dhcp
        description WAN1
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }

Re: ERX Wifi vlan routed to VPN connection

Redfive, I assume in this case I would basically need to be doing the following below.

    set interfaces switch switch0 vif 94 firewall in modify express_vpn_route

The firewall in rule for express_vpn_route is still the one as before that I had posted, with the source IP and static route configured, correct? Or should I be creating another new firewall rule for vtun0 to only allow the 10.94.66.0/24 network in/out?

Also thank you for your response!

Re: No internet with new modem

You need to power cycle your modem after it has been connected to your ERX.


EdgeRouter Lite 3-port - multiple power supplies "on the blink".

For my clients I usually deploy EdgeRouter Lite 3 port routers. Sadly, over time I have had to replace all of them due to bad memory modules or some just brick (including the one I use for my home). They are cheap enough the customers normally don’t complain when I have had to buy new ones and I have learned to keep spares on hand. But, I’ve never had issues with the power supplies…until now.

In the last 2 weeks 2 different clients reported issues which indicated the routers were dead (I thought). Long story short they both had bad-blinking power supplies. The routers themselves were fine.

No doubt, for the money, the performance and features of the EdgeRouter are awesome. But I’d be willing to pay a few dollars more for routers that don’t require memory module replacements seemingly annually (in my case) and power supplies that don’t literally go on the blink out of nowhere.

Anyway… I love you Ubiquiti. I just hope future improvements can be made on your products to stop me from wondering in the back of my mind if I need to give up on the EdgeRouter stuff and go with another vendor ☹.

Re: No internet with new modem

That fixed it. Thank you. I thought I had already tried that but apparently I had not. I was powering on the modem before powering the router up.

1 of 9 sites can't connect to my locally hosted unifi controller behind ER-8

I know this is the Edgemax section, please read on to understand why I'm posting here. So I host a Unifi controller for 9 sites at my home. 1 of those 9 recently started showing all devices were offline. So I stop by the site to investigate and sure enough internet is up however issuing set-inform on any device does nothing. Open a browser and I can't load any of my internally hosted sites. Unifi or otherwise. So now I'm scratching my head. Check from my mobile on LTE and I can access everything just fine.

Comcast Cable modem is in Bridge mode so I connect modem directly to my laptop and I can access my domain/Unifi controller No problem. Fine. Factory reset the USG and even update to latest firmware via SSH. Nothing. USG refuses to load my site.

Go home and provision a spare USG as a replacement using my Secondary WAN (also Comcast cable) and I notice that the site devices come online within Unifi. What!?

So the issue appears to be with my ER-8 at home and this 1 site. Soon as I plug in Wan2 (which is set as failover) that 1 site goes offline. Unplugging WAN2 allows that site to report in to unifi again...

I haven't changed anything that I can remember in the ER-8. Everything was initially set up using the wizard if that helps.

Anyone have any idea why this 1 site can't connect while I have WAN 2 plugged in?

Re: Edge Router - Eth0 Disappeared

Hi

Getting error: Can not assign network address as IP address

Re: L2TP Vpn Routing All Traffic?

Just wanted to add that on Windows 10, I was able to create a split tunnel by setting up the VPN:

    Add-VpnConnection -Name "YourVpnName" -ServerAddress example.com -TunnelType L2tp -EncryptionLevel required -AuthenticationMethod MsChapv2 -SplitTunneling -RememberCredential -L2tpPsk yoursecret

... and then specifying routes with Add-VpnConnectionRoute

    Add-VpnConnectionRoute -ConnectionName "YourVpnName" -DestinationPrefix "192.168.0.0/16"

This appears to persist between connections.

Sources:

https://docs.microsoft.com/en-us/powershell/module/vpnclient/Add-VpnConnection?view=win10-ps

https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnectionroute?view=win10-ps

Re: Edge Router - Eth0 Disappeared

Ok, fixed it.

It seems the ISP didn't give the usable IP address directly but gave the network address. Had to calculate the usable host and use one of the IPs as the WAN IP.

Advertising full routing table to peer

I have an iBGP session set up between a UBNT and a Mikrotik. The UBNT is bringing in a couple of full routing tables. I want to pass these along to my iBGP peer. So far I have not been able to do this. Routes show up in the routing table, but a prefix list with a 0.0.0.0/0 permit doesn't appear to re-advertise them to my peer. The Mikrotik peer is able to advertise prefixes to the UBNT.

What am I doing wrong?


Re: when to use destination port vs source port?

is creating zone based firewall, so you don't assign firewall rules to an interface.

Normally, you allow traffic from zone1 -> zone2, and return traffic is automatically allowed (with established/related rule).

So you only need to allow the initial packet.

I see FTP is involved; this really complicates matters.

http://slacksite.com/other/ftp.html

Note: in active mode, the connection on port 20 is set up from server to client!!

For standard FTP, the ER listens in on the port 21 conversation and automatically opens the required ports (for active and passive mode).

However, for secure FTP, the ER can't, and you have to make messy manual rules yourself. Per flow, you only need to allow the initial packet.
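
What "listening in" on the port 21 conversation amounts to, as an added Python illustration (not part of the original post and not EdgeOS code): it reads cleartext `PORT` commands and `227` replies to learn which data connection to expect and who initiates it, and learns nothing once the control channel switches to TLS. The function names, addresses and sample sessions are constructed for this example.

```python
import re

SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"   # h1,h2,h3,h4,p1,p2 as in RFC 959

def expectation(line, client, server):
    """Data connection implied by one cleartext control line:
    (mode, initiator_ip, destination_ip, destination_port), or None."""
    m = re.match(r"PORT " + SIX, line)
    if m:   # active: the server connects out (from port 20) to the address the client sent
        f = m.groups()
        return ("active", server, ".".join(f[:4]), int(f[4]) * 256 + int(f[5]))
    m = re.match(r"227 .*\(" + SIX + r"\)", line)
    if m:   # passive: the client connects to the address the server sent
        f = m.groups()
        return ("passive", client, ".".join(f[:4]), int(f[4]) * 256 + int(f[5]))
    return None

def track(control_lines, client, server):
    """Expectations a helper watching port 21 can derive; it goes blind once TLS starts."""
    expected = []
    for line in control_lines:
        if line.startswith("234"):      # server accepted AUTH TLS: the rest is ciphertext
            break
        hit = expectation(line, client, server)
        if hit:
            expected.append(hit)
    return expected

# Constructed sample sessions (private and documentation address ranges).
PLAIN = ["USER demo", "331 Password required",
         "PORT 192,168,1,50,195,80", "200 PORT command successful",
         "PASV", "227 Entering Passive Mode (203,0,113,10,234,96)"]
FTPS = ["AUTH TLS", "234 Proceed with negotiation",
        "<TLS record>", "<TLS record>"]
```

For the FTPS session the result is empty, which is why the data ports then have to be pinned to a fixed range on the server and allowed by hand.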

 

Re: ERX Wifi vlan routed to VPN connection

Double check the VIFs and IP addresses.

Cheers,

jonatha

Re: when to use destination port vs source port?

Ah thanks. I misled myself by not seeing the firewall rule applied anywhere. Guessing these are applied in the zone policy that was not shown then.

Re: Hairpin NAT issues

Re: EdgeRouter X SFP and EdgeSwitch ES‑8XP, can't get an IP for my switch and my devices

Hi,

All my devices get an IP and they can communicate together, but I can't get access to internet from my devices.

What am I missing?

My ISP is eth0 and my router is eth1.

    firewall {
        all-ping enable
        broadcast-ping disable
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name WAN_IN {
            default-action drop
            description "WAN to internal"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        name WAN_LOCAL {
            default-action drop
            description "WAN to router"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        name WAN_OUT {
            default-action accept
            description ""
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            address dhcp
            description Internet
            duplex auto
            firewall {
                in {
                    name WAN_OUT
                }
                local {
                    name WAN_LOCAL
                }
                out {
                    name WAN_OUT
                }
            }
            speed auto
            vif 101 {
                address dhcp
                description Hiper
                firewall {
                    in {
                        name WAN_OUT
                    }
                    out {
                        name WAN_OUT
                    }
                }
            }
        }
        ethernet eth1 {
            description Local
            duplex auto
            poe {
                output off
            }
            speed auto
        }
        ethernet eth2 {
            description Local
            duplex auto
            poe {
                output off
            }
            speed auto
        }
        ethernet eth3 {
            description Local
            duplex auto
            speed auto
        }
        ethernet eth4 {
            description Local
            duplex auto
            speed auto
        }
        ethernet eth5 {
            duplex auto
            speed auto
        }
        loopback lo {
        }
        switch switch0 {
            address 192.168.1.1/24
            description Local
            mtu 1500
            switch-port {
                interface eth1 {
                }
                interface eth2 {
                }
                interface eth3 {
                }
                interface eth4 {
                }
                vlan-aware disable
            }
        }
    }
    port-forward {
        auto-firewall enable
        hairpin-nat enable
        lan-interface eth1
        lan-interface eth2
        lan-interface eth3
        lan-interface eth4
        lan-interface eth5
        wan-interface eth0.101
    }
    service {
        dhcp-server {
            disabled false
            hostfile-update disable
            shared-network-name LAN {
                authoritative disable
                subnet 192.168.1.0/24 {
                    default-router 192.168.1.1
                    dns-server 192.168.1.1
                    lease 86400
                    start 192.168.1.38 {
                        stop 192.168.1.243
                    }
                    static-mapping Switch-UBNT-5p {
                        ip-address 192.168.1.11
                        mac-address 78:8a:20:47:eb:49
                    }
                }
            }
            static-arp disable
            use-dnsmasq disable
        }
        dns {
            forwarding {
                cache-size 150
                listen-on switch0
                listen-on eth1
                listen-on eth2
                listen-on eth3
                listen-on eth4
                listen-on eth5
            }
        }
        gui {
            http-port 80
            https-port 443
            older-ciphers enable
        }
        nat {
            rule 5010 {
                description "masquerade for WAN"
                outbound-interface eth0
                type masquerade
            }
        }
        ssh {
            port 22
            protocol-version v2
        }
    }
    system {
        host-name ubnt
        login {
            user ubnt {
                authentication {
                    encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
                }
                level admin
            }
        }
        ntp {
            server 0.ubnt.pool.ntp.org {
            }
            server 1.ubnt.pool.ntp.org {
            }
            server 2.ubnt.pool.ntp.org {
            }
            server 3.ubnt.pool.ntp.org {
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone Europe/Copenhagen
    }


    /* Warning: Do not remove the following line. */
    /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
    /* Release version: v1.10.6.5112725.180809.1227 */

Thanks,

Nenad
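
As an added example (not part of the original post and not Ubiquiti tooling), the Python code below parses a brace-style EdgeOS configuration and reports WAN-facing interfaces whose `in` or `local` ruleset is missing or has `default-action accept`, plus a masquerade rule bound to a different interface than the port-forward `wan-interface`. `parse`, `audit` and `SAMPLE` are illustrative names, the sample is constructed by abridging the stanzas posted above, and treating the port-forward and NAT interfaces as the WAN side is an assumption.

```python
import re
# Constructed sample: firewall, interface and NAT stanzas abridged from the post above.
SAMPLE = """
firewall {
    name WAN_LOCAL { default-action drop }
    name WAN_OUT { default-action accept }
}
interfaces { ethernet eth0 {
    firewall { in { name WAN_OUT } local { name WAN_LOCAL } }
    vif 101 { firewall { in { name WAN_OUT } } }
} }
port-forward { wan-interface eth0.101 }
service { nat { rule 5010 { outbound-interface eth0 } } }
"""

def parse(text):
    """Brace-style config -> nested dicts; every leaf key maps to a list of values."""
    stack = [{}]
    for tok in map(str.strip, re.findall(r"[^{}\n]+\{|\}|[^{}\n]+", text)):
        if tok == "}":
            stack.pop()
        elif tok.endswith("{"):
            stack.append(stack[-1].setdefault(tok[:-1].strip(), {}))
        elif tok and not tok.startswith("/*"):
            key, _, val = tok.partition(" ")
            stack[-1].setdefault(key, []).append(val.strip('" '))
    return stack[0]

def audit(cfg):
    """Return (interface, check, detail) findings for the assumed WAN side."""
    default = {k.split()[1]: v.get("default-action", ["drop"])[0]  # unset means drop
               for k, v in cfg.get("firewall", {}).items() if k.startswith("name ")}
    ifaces = {}
    for key, node in cfg.get("interfaces", {}).items():
        ifaces[key.split()[-1]] = node
        for sub, vnode in node.items():
            if sub.startswith("vif "):      # VLAN sub-interface, e.g. eth0.101
                ifaces[key.split()[-1] + "." + sub.split()[1]] = vnode
    wan_pf = cfg.get("port-forward", {}).get("wan-interface", [])
    nat_out = [r["outbound-interface"][0]
               for r in cfg.get("service", {}).get("nat", {}).values() if "outbound-interface" in r]
    findings = []
    for wan in sorted(set(wan_pf + nat_out)):
        applied = ifaces.get(wan, {}).get("firewall", {})
        for direction in ("in", "local"):   # in = forwarded traffic, local = traffic to the router
            ruleset = applied.get(direction, {}).get("name", [None])[0]
            if ruleset is None or default.get(ruleset) == "accept":
                findings.append((wan, direction, ruleset))
    findings += [(out, "nat", wan_pf[0]) for out in nat_out if wan_pf and out not in wan_pf]
    return findings
```

On the sample, `audit(parse(SAMPLE))` reports `WAN_OUT` applied in the `in` direction on eth0 and eth0.101, no `local` ruleset on eth0.101, and masquerade on eth0 while the port-forward WAN interface is eth0.101.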
