Channel: All EdgeRouter posts

Re: Route traffic to 4G

The firewall policy should be applied to the vif 50, not on the wan interface. What exactly are your needs?


Re: Help with routing

How is R2 connected to R1 (what IP, etc)?  Unless you have a requirement for the 2nd router, you could simply connect your 2nd switch into a different port on R1 and simplify things.

Re: Route traffic to 4G

To be able to control on the 172.16.50.0/24 network what traffic is allowed and not allowed back into the other networks.

 

For example I want to block ICMP. But I might want to allow access to a media server on 172.16.10.3 (ports 3400 only)....

 

That's why I thought I needed a f/w policy for guest.

Write Darkstat log to /var/log/darkstat

So I've been toying around, and trying to get darkstat.db on tmpfs rather than the onboard flash.

tmpfs is essentially ramdrive, right?

 

For some reason though, darkstat service isn't, or is unable, to create the darkstat.db in /var/log/darkstat/ when launched from a startup script.

If I manually run the script, after startup, darkstat.db does get generated.

I can't figure it out.

 

/config/scripts/post-config.d/startdark.sh

#!/bin/bash

echo $(date +"%h %e %T") 'running startdark.sh' >> /var/log/startdark.log
sudo service darkstat stop |& tee -a /var/log/startdark.log
sudo mkdir /var/log/darkstat |& tee -a /var/log/startdark.log
sudo chmod -R 777 /var/log/darkstat |& tee -a /var/log/startdark.log
sudo chown -R nobody:nogroup /var/log/darkstat |& tee -a /var/log/startdark.log
sleep 10 |& tee -a /var/log/startdark.log
sudo service darkstat start |& tee -a /var/log/startdark.log

exit 0 |& tee -a /var/log/startdark.log

Trying to output to a log file to see if there's any errors.

 

/var/log/startdark.log

Feb 24 12:45:15 running startdark.sh
Stopping darkstat network daemon : darkstat...  not running.
Starting darkstat network daemon : darkstat done.
.

I've tried different owners and perms on the /var/log/darkstat folder, but nothing seems to work.

 

ubnt@edgerouter:~$ ls -al /var/log/darkstat
total 0
drwxrwxrwx    2 nobody   nogroup         40 Feb 24 12:45 .
drwxr-xr-x   12 root     root           400 Feb 24 12:45 ..
ubnt@edgerouter:~$ ls -al /var/log/darkstat
total 0
drwxrwxrwx    2 root     root            40 Feb 24 12:53 .
drwxr-xr-x   12 root     root           400 Feb 24 12:53 ..
ubnt@edgerouter:~$ sudo /config/scripts/post-config.d/startdark.sh
Stopping darkstat network daemon : darkstat... stopped.
.
mkdir: can't create directory '/var/log/darkstat': File exists
Starting darkstat network daemon : darkstat done.
.
ubnt@edgerouter:~$ ls -al /var/log/darkstat
total 8
drwxrwxrwx    2 root     root            60 Feb 24 12:55 .
drwxr-xr-x   12 root     root           400 Feb 24 12:53 ..
-rwxrwxrwx    1 root     nogroup       6156 Feb 24 12:55 darkstat.db

Also, the monthly script that renames the db seemingly fails to rename the db.

Manually running script from SSH is successful though.

I know scripts are running, as they are writing to log files in /var/log

 

/config/scripts/darkstatsmonthly.sh

#!/bin/bash

echo $(date +"%h %e %T") 'running darkstatsmonthly.sh' >> /var/log/dakstatsmonthly.log
sudo service darkstat stop  |& tee -a /var/log/dakstatsmonthly.log
sudo mv /var/log/darkstat/darkstat.db /var/log/darkstat/darkstat.$(date +"%m_%d_%Y").db  |& tee -a /var/log/dakstatsmonthly.log
sleep 10  |& tee -a /var/log/dakstatsmonthly.log
sudo service darkstat start  |& tee -a /var/log/dakstatsmonthly.log
exit

 

/config/scripts/darkstatsrestart.sh

#!/bin/bash

echo $(date +"%h %e %T") 'running darkstatsrestart.sh' >> /var/log/dakstatsrestart.log
sudo service darkstat restart  |& tee -a /var/log/dakstatsrestart.log
exit

So, scripts run from SSH are successful.

Same scripts run from schedule are unable to mv db file, and starting darkstat from script causes db to not get created.

 

    task-scheduler {
        task dailydarkstat {
            crontab-spec "0 0 * * *"
            executable {
                path /config/scripts/darkstatsrestart.sh
            }
        }
        task monthlydarkstat {
            crontab-spec "0 0 1 * *"
            executable {
                path /config/scripts/darkstatsmonthly.sh
            }
        }
    }

 

Any thoughts?

Re: I want to put an Edge Router and an Edge Switch in my lab

Thank you for this comprehensive answer!

 

It appears that the ER-X is the way to go, as its performance seems to be better than the ER-Light, especially with encrypted loads.

 

I understand what a serial console port is for, but what exactly would I be missing without a serial console port on the ER-X other than the conveniences of getting into the router out of band if I’m locked out of SSH? Is there a specific feature that I would be missing if I went with the ER-X because it’s lacking a console port?

 

The router would mostly be used for lab purposes, but I may repurpose it in the future for a relative or something like this. 

 

Thank you again. 

Re: Help with OSPF

Strange - I must be missing something.  I have both Site B and Site C with OSPF enabled. switch0 interface added, no authentication, redistribute connected and static selected, normal area 0.0.0.0 with the local networks defined in the area. Yet, nothing seems to be happening. I even tried specifying the ip of the router as the Router ID.

 

Is there anywhere that I can see potential ospf errors?

 

Do I have to have 'Announce Default route' enabled on one of the sites for ospf to work?

 

I should be able to do this using the switch0 interface added to OSPF interfaces only, right?

 

Thank you.

Re: Edgerouter Lite 3 High CPU Usage

That looks very likely, thanks! 

Re: Are there open or documented dynamic DNS protocols?

 wrote:

 

I am currently looking at among others NoIP (one of the providers prominently documenting their protocol) and integrating that into my existing change-ip-at-registrar-via-their-api.py code.


I honestly can't figure out what you are trying to do here. FWIW EdgeOS supports NoIP as one of the many options already (if your provider supports NoIP then you can simply use that configuration). The docs I referenced list these. You can even create a custom solution that does not specifically match one of those existing already.

 

DDNS is a generic term and not itself a specific service.  EdgeOS doesn't have its own "protocol" for this - it leverages the APIs provided and supported by the various services already.


Re: Help with routing

r1 192.168.100.1

r2 192.168.100.2

Re: Edge Router Lite Newbie IpV6

Unless someone here already knows what Zen do, then yes.

 

For example, do they use prefix delegation, what size prefix do they send, or do they just give you a single /64 subnet ? You could contact Zen support and ask them what they provide to the CPE.

Re: Disable a physical port via GUI

Hi,

 

Does anyone have any ideas of how to physically disable an Eth port from the routing engine? The GUI disable does nothing?

 

Thanks in advance

Re: Some VLAN considerations

Hello

 

Right: I want to separate the admin interface from the rest.

I'm going to do what you ask and I'll post it here after. Don't worry if I make some time to answer. Kids at home!

 

Regards

 

Charles

Re: Are there open or documented dynamic DNS protocols?

 wrote:

I think you are confusing the two.  EdgeOS is not providing any form of "notification" itself.

 

DDNS is a generic "dynamic DNS" - it is not any one particular solution.  EdgeOS works with many APIs already and provides an option for you to use any custom API that is not one of those pre-defined.

 

EdgeOS configuration gives you the ability to use whatever API or service you want.  Yes ddclient is underneath but that shouldn't really be relevant.  There are many options for custom API usage with EdgeOS and there are even some already documented in this forum that should be readily found with some searching.

 

Really - Take a look at the KB articles I referenced since they should provide some insight on doing exactly what you are looking to do.  You don't need to look to invent the wheel here.


Let me start with the fact that I really appreciate the help you are providing, I really do.

 

I believe however that there is some misunderstanding about my problem.

  • I know that DDNS is a generic term. DDNS service providers have various protocols to send them updates.
  • EdgeOS implements (via ddclient, but as you mention it is not relevant) several of these protocols and provides a bridge to these services.
  • my DNS provider does not implement any DDNS protocols
  • my DNS provider implements a proprietary (and documented) REST API
  • my external IP changes from time to time

These facts give me two possible solutions to have a fixed name (external.example.com if example.com is my domain) when the IP is not stable:

  1. using a DDNS service such as dyndns, noip or others - I would then directly set this up on my EdgeRouter. For some reasons (including that I do not want to rely on an external service such as this one) this is not the solution I want to use
  2. writing my own code which will 
    1. check if the external IP changed
    2. update my DNS registrar with that information

Today I have the solution 2 working. What I do not like in that solution is that point 2.1 (checking if the external IP changed) is done via regular calls to an external service (namely ipify (https://www.ipify.org/)).

 

The fact that the EdgeRouter can detect the IP change and send it to a DDNS provider would be useful: I would have him send this information to me and not to a preestablished DDNS service. I just need to know what is being sent so that I can make use of it in my code.

 

Now, if you think that I am reinventing the wheel or making a mistake I would be genuinely interested in how you would do that, taken the constraints at the top of this comment (seriously - I may be completely missing something as I have not worked with dynamic DNS services so far (despite 25+ years of IT and dev)).

And BTW I read the links you provided with great care, it is just that they do not answer my problem.

 

EDIT: to my comment that "I just need to know what is being sent so that I can make use of it in my code", I found descriptions of the protocols used for some DDNS providers, will use it in my code. This said, if you have a more straightforward solution, I will take it with joy.

Re: Disable a physical port via GUI

Always best to post your config

 

I would guess that eth3 is part of switch0 - remove it from the switch0 interface and it should stop passing traffic.  When you have these ports as members of the switch0 interface, I don't think you can configure them directly anymore because they are no longer independent interfaces.

 

edit: this is also why you don't see traffic counters incrementing on these ports - they are really a part of switch0, for which you should be seeing the traffic go through.

How to block internet, but allow Dropbox?

So I've learned in the Unifi section, that the USG isn't able to do this. Is the EdgeMAX router able to block the internet, but allow Dropbox to a VLAN?

 

In short, I'm trying to create a dedicated VLAN for some workbench computers that will have its own Wifi network (ie. the "guest" network). Would I be able to configure an EdgeMAX router to block the internet for this VLAN but still allow Dropbox to work? (Also it would be nice to allow Avast and Teamviewer to work).

 


Re: Prefer BGP route over connected route?

Re: Installed wrong OS package 'Illegal instruction'

Hard reset worked, after being able to browse in the gui again I restored a backup. Thanks a lot!

Re: Route traffic to 4G

Currently, unless some kind of 'Guest policy' maybe on APs (if there), you should be able to access all the VLANs from the 172.16.50.0/27 network, since the firewall policy isn't correctly applied. You should use something like

configure
set firewall name Guest_In rule 20 action accept
set firewall name Guest_In rule 20 destination address 172.16.10.3
set firewall name Guest_In rule 20 destination port 3400
set firewall name Guest_In rule 20 protocol tcp_udp
set firewall name WAN3_IN default-action drop
set firewall name WAN3_IN rule 10 action accept
set firewall name WAN3_IN rule 10 state established enable
set firewall name WAN3_IN rule 10 state related enable
set firewall name WAN3_LOCAL default-action drop
set firewall name WAN3_LOCAL rule 10 action accept
set firewall name WAN3_LOCAL rule 10 state established enable
set firewall name WAN3_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall in name WAN3_IN
set interfaces ethernet eth0 firewall local name WAN3_LOCAL
set interfaces ethernet eth3 vif 50 firewall in name Guest_In
set interfaces ethernet eth3 vif 50 firewall local name Guest_Local
commit

Do you want to access that host using its private ip address (172.16.10.3), or using your FQDN/public ip address, from the guest network? In the second case, a DNAT rule is needed.

 

Re: Are there open or documented dynamic DNS protocols?

Could you simply replace ddclient with your own program named ddclient?  Since EdgeOS is invoking ddclient when it thinks the IP address has changed, it would instead invoke your program which would then do what it's doing now via timer.  I would think that you could easily determine the IP address assigned to the WAN port from inside your program (unless your WAN port is a private IP address and packets are SNAT'ed by some other piece of equipment between the EdgeOS router and the internet), and all you really need is the router to trigger your program.  

 

 

Just some thoughts.
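
The idea in the post above (the router-triggered program reads the WAN address locally instead of polling an external service, and must notice when that address is private because something upstream does the SNAT), as an added Python example that is not part of any post in this thread. The interface name `eth0`, the function names and the sample `ip` output are assumptions; the registrar update stays in the poster's own code and is only called when the action is `update`.

```python
import ipaddress
import re
import subprocess

# Ranges that must not end up in a public DNS record: RFC 1918, CGNAT (RFC 6598),
# link-local, loopback. One of these on the WAN port means upstream SNAT.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]
INET_RE = re.compile(r"\binet (\d{1,3}(?:\.\d{1,3}){3})/\d{1,2}\b")

def parse_ipv4(ip_output):
    """Extract IPv4 addresses from `ip -4 -o addr show dev <if>` output."""
    addrs = []
    for text in INET_RE.findall(ip_output):
        try:
            addrs.append(ipaddress.IPv4Address(text))
        except ipaddress.AddressValueError:
            continue  # matched the pattern but is not a valid address
    return addrs

def decide(ip_output, last_published):
    """Return (action, address); action is one of
    'update', 'unchanged', 'behind_nat', 'no_address'."""
    addrs = parse_ipv4(ip_output)
    if not addrs:
        return ("no_address", None)
    public = [a for a in addrs if not any(a in n for n in NON_ROUTABLE)]
    if not public:
        return ("behind_nat", str(addrs[0]))  # local view is not the public IP
    current = str(public[0])
    if current == last_published:
        return ("unchanged", current)
    return ("update", current)

def read_interface(ifname="eth0"):  # interface name is an assumption
    """Ask the kernel for the WAN port's addresses; no external service involved."""
    return subprocess.run(["ip", "-4", "-o", "addr", "show", "dev", ifname],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample outputs (not taken from the thread).
SAMPLE_PUBLIC = ("2: eth0    inet 203.0.113.27/24 brd 203.0.113.255 "
                 "scope global eth0\\       valid_lft forever preferred_lft forever\n")
SAMPLE_CGNAT = "2: eth0    inet 100.72.4.9/20 scope global eth0\\       valid_lft forever\n"

if __name__ == "__main__":
    print(decide(SAMPLE_PUBLIC, "203.0.113.5"))
    print(decide(SAMPLE_CGNAT, "203.0.113.5"))
```

On `behind_nat` the program has to fall back to an external lookup, since the address seen on the interface is not the one the internet sees.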

Re: Help with routing

Start with setting static routes for your networks on each router:

 

On R1, you need a route for 192.168.2.0/24 through 192.168.100.2

On R2, you need a route for 192.168.1.0/24 through 192.168.100.1
