
Re: Support for g.fast SPF


No expectations at all my side. Pleased to have someone looking at this in the first place.

 

I will keep on asking Swisscom for their GPL code.


Re: Two Edgerouters


The basic answer is:

 

Remove er2 masquerade

 

Make sure er2 subnets don't overlap er1 subnets

 

Make sure er1 has static routes for er2 subnets

Re: VPN L2TP: Can I have multiple local-users with different settings?


Hi,

 

It is possible to associate each local user with their own custom IP address (under the username section). Afterwards, you can create firewall rules that match on these source addresses.

 

Hope that helps!

 

Ben

OpenVPN - unable to create longer-lasting certificates


I have been wrestling for hours to get OpenVPN (1.9.7+hotfix4) to create server and client certificates that last longer than one year (working from the instructions at https://help.ubnt.com/hc/en-us/articles/115015971688).

 

At one point, I think I had this working by exporting "-days 1095" for the DAYS environment variable. But on later tries it never worked, so now I am in doubt if it ever did.

 

So, how can I create a setup with a bit more longer lasting certificates? What am I doing wrong?

Re: Another port forwarding post


Thanks for the reply! I could've continued with the port forwarding thing :-)

 

In the meantime I've followed the link you mentioned to the letter but no result. Still getting closed port. I also tested it with my phone via 4G and tested it with an incognito Chrome tab.

I did not add hairpin because I'm testing externally, not from within my network.

 

here's the config:

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description test
            destination {
                port 8888
            }
            log enable
            protocol tcp_udp
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description "Remote access"
            destination {
                port 8081,443,22
            }
            log enable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.0.0.1/24
        description Local
        firewall {
            in {
                modify balance
            }
        }
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description test
        forward-to {
            address 10.0.0.6
            port 80
        }
        original-port 8888
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.50 {
                    stop 10.0.0.243
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        https-port 8081
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user tom {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
tom@ubnt:~$ packet_write_wait: Connection to 81.82.224.38 port 22: Broken pipe
bauwt@Toms-MacBook-Pro ~ ssh tom@home.pgnc.eu (-127) ↵ 803 16:22:11
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

tom@home.pgnc.eu's password:
Linux ubnt 3.10.107-UBNT #1 SMP Thu Aug 9 06:45:26 UTC 2018 mips64
Welcome to EdgeOS
Last login: Wed Sep 19 14:32:31 2018
tom@ubnt:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 31 {
            action accept
            description http
            destination {
                port 80
            }
            log disable
            protocol tcp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description "Remote access"
            destination {
                port 8081,443,22,80
            }
            log enable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.0.0.1/24
        description Local
        firewall {
            in {
                modify balance
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.50 {
                    stop 10.0.0.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 8081
        older-ciphers enable
    }
    nat {
        rule 1 {
            description http80
            destination {
                port 80
            }
            inbound-interface eth0
            inside-address {
                address 10.0.0.4
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description http8888
            destination {
                port 8888
            }
            inbound-interface eth0
            inside-address {
                address 10.0.0.4
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user tom {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
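Both configs above accept traffic to the router itself on the management ports (ssh on 22, the GUI on 80 and 8081) from any WAN source in WAN_LOCAL rule 40, and the second one also enables older-ciphers on the GUI. The WAN_LOCAL rule 10 for port 8888 in the first config is not what makes the forward work: the port-forward is a DNAT applied before the firewall decision, so forwarded traffic is evaluated by WAN_IN (which auto-firewall populates), not WAN_LOCAL. As an added example, not part of the post and not EdgeOS code, the Python below parses the brace-delimited "show configuration" format and reports such exposures. The sample config is constructed from the shape of the poster's, and the fallback defaults used when the config is silent (ssh 22, https 443) are assumptions.

```python
# Constructed sample shaped like the second config in the post above.
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 40 {
            action accept
            destination {
                port 8081,443,22,80
            }
            protocol tcp
        }
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    gui {
        http-port 80
        https-port 8081
        older-ciphers enable
    }
}
"""

def _store(parent, key, value):
    # Repeated keys (e.g. several 'network' entries in a group) become a list.
    if key in parent:
        old = parent[key]
        parent[key] = old + [value] if isinstance(old, list) else [old, value]
    else:
        parent[key] = value

def parse_edgeos(text: str) -> dict:
    """Parse 'show configuration' output into nested dicts: 'rule 40 {' opens a
    block keyed by its whole header, 'port 22' is a leaf, quotes are stripped."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            _store(stack[-1], line[:-1].strip(), child)
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            _store(stack[-1], key, value.strip().strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return stack[0]

def expand_ports(spec: str) -> set:
    """'8081,443,22,80' or '6000-6010' -> set of port numbers."""
    ports = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def management_ports(cfg: dict) -> dict:
    """Ports the router itself answers on for administration. The fallbacks
    (ssh 22, https 443) are assumed defaults used when the config is silent."""
    svc, gui = cfg.get("service", {}), cfg.get("service", {}).get("gui", {})
    ports = {int(svc.get("ssh", {}).get("port", 22)): "ssh",
             int(gui.get("https-port", 443)): "gui-https"}
    if "http-port" in gui:
        ports[int(gui["http-port"])] = "gui-http"
    return ports

def audit_local_exposure(cfg: dict) -> list:
    """Flag accept rules in an interface's 'local' ruleset (traffic addressed to
    the router itself) that admit management ports, plus weak GUI TLS settings."""
    findings, mgmt, fw = [], management_ports(cfg), cfg.get("firewall", {})
    for iface_key, iface in cfg.get("interfaces", {}).items():
        local = iface.get("firewall", {}).get("local", {}) if isinstance(iface, dict) else {}
        name = local.get("name")
        if not name:
            continue
        for rule_key, rule in fw.get("name " + name, {}).items():
            if not rule_key.startswith("rule ") or rule.get("action") != "accept":
                continue
            spec = rule.get("destination", {}).get("port") or ""
            scope = "from the configured source" if "source" in rule else "from any source"
            for port in sorted(expand_ports(spec) & set(mgmt)):
                findings.append(f"{iface_key}: {name} {rule_key} accepts "
                                f"{mgmt[port]} (tcp/{port}) {scope}")
    if cfg.get("service", {}).get("gui", {}).get("older-ciphers") == "enable":
        findings.append("service gui: older-ciphers enable weakens TLS on the web UI")
    return findings
```

Running audit_local_exposure(parse_edgeos(SAMPLE_CONFIG)) yields one finding per exposed management port plus one for older-ciphers. The usual remediation is to restrict the accept rule with a source address or group, or to reach the router over the VPN instead; the parser is generic enough to run over the full configs pasted above.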

Re: EdgeRouter no longer forwards port


This is very odd--and I don't know why: the ER-X refused to port-forward for a whole day. I went on to other things and tried it a day later [with no other changes or updates], and it now works perfectly. I even changed the inbound port, and it still works.

Maybe there's a background daemon that cleans up something--maybe in a late-night stupor I did something wrong. But there's not much to goof up on port-forwarding: you set the port and you use it to access a device on the LAN; I do it all the time.

I do wish the upgrade / downgrade didn't issue that bogus error message, but that's minor.

Thanks for all your helpful tips!   Dave

 

Re: OpenVPN - unable to create longer-lasting certificates


One solution is to set the period in /usr/lib/ssl/openssl.cnf but that doesn't explain why CA.sh doesn't use the DAYS environment variable.


Re: Route based site-to-site vpn edgerouter 8pro x2 not able to establish


Yes.. the problem is a) the tunnel is not being established because of b) the wrong WAN IP that it is trying to use.

 

It was my understanding that a route based (vti) vpn would come up automatically...but the same thing with the policy based vpn is that you first need to send traffic to the 'far' end to force it to establish?

 

I will try to get this working today in my lab environment.

 

Thank you all for your comments.

 

 

Re: Set a static IP for one computer?


 wrote:

If I set up a DHCP static IP per the User Guide's instructions, how is the client configured?  Does the client just see a normal DHCP server (that happens to give it the same IP address every time it renews its lease)?

 



For my devices (iPads mostly) I have them set to obtain an IP address and DNS information automatically. When the device connects the EdgeRouter detects the MAC address and assigns the statically assigned IP. 

BGP announcement fails with smaller inside subnet


Hi all,

I have a small challenge and I hope you can help.

 

Our ISP in the Netherlands offers failover over 2 different fiber carriers as redundancy. This is done with BGP. Currently we have one router setup with BGP to the ISP and we are announcing the 2 prefixes assigned by the ISP: x.x.x.x/27 & y.y.y.y/29.

 

The /27 subnet will be split into multiple /30 subnets for our customers in this building.

 

Now I am facing the problem that everything works fine when the whole /27 is used in the inside but as soon as I split the /27 in smaller subnets on the inside my routes are not announced any more through BGP to our ISP.

 

I am probably doing something wrong as this is the first time using BGP with UBNT.

 

Thanks for the help.

 

See hereby the BGP config:

 

policy {
    prefix-list BGP-SIGNETv4-From {
        rule 10 {
            action permit
            le 24
            prefix 0.0.0.0/0
        }
    }
    prefix-list BGP-SIGNETv4-To {
        rule 10 {
            action permit
            prefix x.x.x.x/27
        }
        rule 20 {
            action permit
            prefix y.y.y.y/29
        }
    }
}

protocols {
    bgp 65010 {
        neighbor x.x.x.x {
            prefix-list {
                export BGP-SIGNETv4-To
                import BGP-SIGNETv4-From
            }
            remote-as xxxxxx
            soft-reconfiguration {
                inbound
            }
            update-source x.x.x.x
        }
        network x.x.x.x/27 {
        }
        network y.y.y.y/29 {
        }
        parameters {
            router-id x.x.x.x
        }
    }
}

 

BGP neighbor is x.x.x.213, remote AS xxxxx, local AS 65010, external link
  BGP version 4, remote router ID x.x.x.x
  BGP state = Established, up for 00:01:48
  Last read 00:01:48, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    4-Octet ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
  Received 268 messages, 0 notifications, 0 in queue
  Sent 231 messages, 9 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds
  Update source is x.x.x.x
 For address family: IPv4 Unicast
  BGP table version 3, neighbor version 3
  Index 1, Offset 0, Mask 0x2
    Graceful restart: received
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor (both)
  Inbound path policy configured
  Outbound path policy configured
  Incoming update prefix filter list is *BGP-SIGNETv4-From
  Outgoing update prefix filter list is *BGP-SIGNETv4-To
  1 accepted prefixes
  1 announced prefixes

 Connections established 10; dropped 9
Local host: x.x.x.213, Local port: 43543
Foreign host: x.x.x.214, Foreign port: 179
Nexthop: x.x.x.213
Nexthop global: fe80::feec:daff:fe45:54d4
Nexthop local: ::
BGP connection: non shared network
Last Reset: 00:01:53, due to BGP Notification sent
Notification Error Message: (Cease/Other Configuration Change.)

[edit]

Is there a way to make the openvpn setup restart and reread its configuration (certs and all)?


Subject says it all. I am trying to set up openvpn, and when I change things, like certs/keys/etc. my test client can't connect so I suspect openvpn is still using old certs. It was able to connect when I first set it up.

Re: ERL Power supplies failing


On testing we see:

"the regulators on your power supplies are shot, they measure ok just looking at them with the meter but as soon as you put them under load and try to draw any current the voltage drops through the floor."

 

Q: SO, would a 12v 2.5Amp be a better option when looking to replace these, vs. just getting another 12v 1 AMP?

Q: On the router CLI will I find any info leading to a pending failure, is there a command that will tell me about the power the board is seeing and that it may fail?

 

Please let us know. I've had 5 power supply failures in the last two months.

 

Dan

 

 

 

Re: Is there a way to make the openvpn setup restart and reread its configuration (certs and all)?


Sigh. One always finds the answer shortly after having given up on looking.

 

The command is 

 

reset openvpn interface vtun0

Re: VPN L2TP: Can I have multiple local-users with different settings?


Ha! Thanks! So that means I can probably give up on all the trouble I went through today in getting OpenVPN to work. It does work, by the way, but using L2TP is a better solution for me.

 

Should these IP addresses be inside or outside the pool?


Re: VPN L2TP: Can I have multiple local-users with different settings?


And I assume the firewall rules will be in the WAN-IN set, right?

Re: ER8Pro dropping SIP packets


Thanks, I've set it to 4 hours.

 

Re: BGP announcement fails with smaller inside subnet


Your ISP simply blocks your announcements for the /30 networks.

The idea behind this is not to increase the number of BGP routes worldwide too much.

 

Add a /27 blackhole route, and advertise that /27 network.

And connect the /30 subnets at will towards your customers.

did I make a mistake by buying this ?


Hey all, sorry for wasting everybody's time... now with that out of the way, if you have read this far please give me your opinion... I have a Netgear DGN2200v3 that is connected to an ADSL telephone line [South Africa, for whoever cares..]. From there I wanted to connect the internet to the EdgeMAX and then the rest of my network using this magnificent device to secure my network. Stupidly only realizing once unpacking this wonder of routing magic that ALL the wireless devices would be at the mercy of the evil internet... now in my mind I wanted to take a cable from my Netgear to the X and then from the X to my other switch, connecting all my networked devices to the protected magic from the X, but then that was not to be. So any ideas how I can look less like an idiot and more like a half decent network engineer even though I've been in the biz for almost 20 yrs!!!!! So go ahead, all ridicule away... I absolutely deserve it... TL;DR [I bought the device for the wrong reason, any suggestion on what I can use it for..] and no you can't have it, go buy your own.

Re: VPN L2TP: Can I have multiple local-users with different settings?
