
Re: ER-X How to Create a static route for multicast IP address of 234.46.30.7


Re: VPN Help


Please, there is no info on how to configure this command to run at startup:

sudo openvpn --config /config/openvpn.ovpn

Thank you

Re: ER-12 not routing between interfaces 0-7 (removed from switch)

All internal hosts are Ubuntu 18.04 (without a firewall enabled).

I do not understand "gateway on hosts not able to be pinned", but recall that I cannot ping 192.168.110.254 (the eth1 IP) from any 192.168.100.0/24 host (but these hosts can ping 192.168.100.254, so I know they can get to the router).

Re: ER-12 not routing between interfaces 0-7 (removed from switch)


If a host isn't pingable, check the DG (default gateway) setting on that host; it should point to the ER's IP address.

While trying to ping 192.168.100.x from a 192.168.110.y host, run a sniffer on the ER to see where the packets end up:

sudo tcpdump -i eth1 -n -v host 192.168.100.x

sudo tcpdump -i eth0 -n -v host 192.168.100.x

As you have all Linux hosts, use a similar command on the hosts.

As you can't even ping 192.168.100.254 (= the ER), check the local route table of the 192.168.110.y host. Maybe it has an invalid route for 192.168.100.0/24.


Help in configuring EdgeRouter inter VLAN communication


The main network is on eth1 and then there are VLANs for everything else. Currently no VLAN can access the server on eth1, and the guest network can't find or manually access the printers. What is wrong with my setup? Most of it was set up using the GUI; I have tried redoing many things and following the Ubiquiti tutorials (like the guest network for printers), but it's still not working. Can anyone figure out why? I would really like not to have to factory reset again; I've done it multiple times, but the network is now being used heavily every day and I'm trying to fix these 2 bugs.

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group LAN_Networks {
            address 10.1.1.0/24
            address 10.2.2.0/24
            address 10.3.3.0/24
            address 10.10.10.0/24
            description "Local LAN"
        }
        address-group Printers {
            address 10.10.10.11
            address 10.3.3.12
            address 10.1.1.48
            description Printers
        }
        port-group OMV {
            description "Server Port Forwarding"
            port 8181
        }
        port-group Printer_Ports {
            description "Printer Ports"
            port 80
            port 443
            port 9100
            port 515
            port 161
            port 162
            port 631
            port 9200
            port 9700
            port 5353
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description " guest to lan/wan"
        rule 1 {
            action drop
            description "drop guest to lan"
            destination {
                group {
                    address-group LAN_Networks
                }
            }
            log disable
            protocol all
        }
        rule 2 {
            action accept
            description Printing
            destination {
                group {
                    address-group Printers
                    port-group Printer_Ports
                }
            }
            log disable
            protocol tcp_udp
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description "guest to router"
        rule 1 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 2 {
            action accept
            description "allow DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    name VLan_in {
        default-action accept
        description "Inter-vlan communication"
        rule 1 {
            action accept
            description Server_Local_Connect
            destination {
                address 10.1.1.10
                group {
                    port-group OMV
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group LAN_Networks
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Server Forwarding"
            destination {
                address 10.1.1.10
                group {
                    port-group OMV
                }
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length /48
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.1.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                name VLan_in
            }
            out {
            }
        }
        speed auto
        vif 20 {
            address 10.3.3.1/24
            description Children
        }
        vif 50 {
            address 10.10.10.1/24
            description IoT
        }
        vif 60 {
            address 10.2.2.1/24
            description Games
        }
        vif 90 {
            address 10.0.0.1/24
            description Guest
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth1.20
    lan-interface eth1.50
    lan-interface eth1.60
    lan-interface eth1.90
    rule 1 {
        description Server
        forward-to {
            address 10.1.1.10
            port 8181
        }
        original-port 8181
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    igmp-proxy {
        interface eth0 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
        interface eth1.20 {
            role downstream
            threshold 1
        }
        interface eth1.50 {
            role downstream
            threshold 1
        }
        interface eth1.60 {
            role downstream
            threshold 1
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Games {
            authoritative enable
            subnet 10.2.2.0/24 {
                default-router 10.2.2.1
                dns-server 156.154.70.2
                dns-server 156.154.71.2
                domain-name XXXXXXX
                lease 86400
                start 10.2.2.2 {
                    stop 10.2.2.10
                }
                unifi-controller 10.1.1.10
            }
        }
        shared-network-name IoT {
            authoritative enable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 156.154.70.2
                dns-server 156.154.71.2
                domain-name IoT
                lease 86400
                start 10.10.10.10 {
                    stop 10.10.10.100
                }
                static-mapping EPSON40D09B {
                    ip-address 10.10.10.11
                    mac-address XX:XX:XX:XX:XX:XX
                }
                static-mapping Smartthings {
                    ip-address 10.10.10.2
                    mac-address XX:XX:XX:XX:XX:XX
                }
                unifi-controller 10.1.1.10
            }
        }
        shared-network-name LAN {
            authoritative enable
            subnet 10.1.1.0/24 {
                default-router 10.1.1.1
                dns-server 176.103.130.131
                dns-server 1.0.0.1
                domain-name XXXXXXX
                lease 86400
                start 10.1.1.2 {
                    stop 10.1.1.200
                }
                static-mapping Switch {
                    ip-address 10.1.1.3
                    mac-address XX:XX:XX:XX:XX:XX
                }
                static-mapping server {
                    ip-address 10.1.1.10
                    mac-address XX:XX:XX:XX:XX:XX
                }
                unifi-controller 10.1.1.10
            }
        }
        shared-network-name Children {
            authoritative enable
            subnet 10.3.3.0/24 {
                default-router 10.3.3.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                domain-name Madi
                lease 86400
                start 10.3.3.10 {
                    stop 10.3.3.50
                }
                unifi-controller 10.1.1.10
            }
        }
        shared-network-name WiFi {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 156.154.70.4
                dns-server 156.154.71.4
                domain-name Guest
                lease 86400
                start 10.0.0.2 {
                    stop 10.0.0.254
                }
                unifi-controller 10.1.1.10
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name all.dnsomatic.com
                    login ****************
                    password ****************
                    server updates.dnsomatic.com
                }
            }
        }
        forwarding {
            cache-size 300
            listen-on eth1
            listen-on eth1.50
            listen-on eth1.60
            listen-on eth1.20
            listen-on eth1.90
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    mdns {
        repeater {
            interface eth1
            interface eth1.20
            interface eth1.50
            interface eth1.60
        }
    }
    nat {
        rule 5000 {
            description internet
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    snmp {
        community XXXXXXX {
            authorization ro
        }
        contact Haka
        location "The Room"
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name XXXXXXX
    host-name XXXXXXX
    login {
        user ********* {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-control {
    smart-queue Guest {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 3mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 20mbit
        }
        wan-interface eth1.90
    }
    smart-queue QOS {
        download {
            burst 10mb
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 72.02mbit
        }
        upload {
            burst 100kb
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 5.7mbit
        }
        wan-interface eth0
    }
}
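Added illustration, not part of the original post: a minimal first-match evaluator for an EdgeOS-style ruleset, loaded with the GUEST_IN rules and the address/port groups from the config above. EdgeOS evaluates numbered rules in ascending order and the first match decides, so this shows which rule a guest packet to a printer inside 10.10.10.0/24 actually hits; the evaluator models only the destination address-group, port-group and protocol criteria used by these two rules, and "moving a rule first" stands in for giving it a lower rule number on the router.

```python
import ipaddress

# Address and port groups copied from the posted EdgeRouter config.
ADDRESS_GROUPS = {
    "LAN_Networks": ["10.1.1.0/24", "10.2.2.0/24", "10.3.3.0/24", "10.10.10.0/24"],
    "Printers": ["10.10.10.11", "10.3.3.12", "10.1.1.48"],
}
PORT_GROUPS = {
    "Printer_Ports": [80, 443, 9100, 515, 161, 162, 631, 9200, 9700, 5353],
    "OMV": [8181],
}

# The GUEST_IN ruleset as posted: rules are numbered, evaluated in ascending
# order, the first match decides, and default-action applies when nothing matches.
GUEST_IN = {
    "default_action": "accept",
    "rules": [
        {"number": 1, "action": "drop", "description": "drop guest to lan",
         "dst_address_group": "LAN_Networks"},          # protocol all
        {"number": 2, "action": "accept", "description": "Printing",
         "dst_address_group": "Printers", "dst_port_group": "Printer_Ports",
         "protocols": ("tcp", "udp")},                   # protocol tcp_udp
    ],
}


def in_address_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ADDRESS_GROUPS[group])


def rule_matches(rule, proto, dst_ip, dst_port):
    # Every criterion present on the rule must match; absent criteria match anything.
    if "protocols" in rule and proto not in rule["protocols"]:
        return False
    if "dst_address_group" in rule and not in_address_group(dst_ip, rule["dst_address_group"]):
        return False
    if "dst_port_group" in rule and dst_port not in PORT_GROUPS[rule["dst_port_group"]]:
        return False
    return True


def evaluate(ruleset, proto, dst_ip, dst_port):
    """First-match evaluation: returns (action, rule number), or (default action, None)."""
    for rule in ruleset["rules"]:
        if rule_matches(rule, proto, dst_ip, dst_port):
            return rule["action"], rule["number"]
    return ruleset["default_action"], None


def with_rule_first(ruleset, number):
    """Copy of the ruleset with the given rule evaluated before all others
    (on the router this means giving the specific accept a lower number than the broad drop)."""
    front = [r for r in ruleset["rules"] if r["number"] == number]
    rest = [r for r in ruleset["rules"] if r["number"] != number]
    return {"default_action": ruleset["default_action"], "rules": front + rest}


if __name__ == "__main__":
    # Guest client printing to the Epson at 10.10.10.11 (static mapping in the IoT subnet).
    printer = ("tcp", "10.10.10.11", 9100)
    print("as posted :", evaluate(GUEST_IN, *printer))                     # hits rule 1
    print("reordered :", evaluate(with_rule_first(GUEST_IN, 2), *printer))  # hits rule 2
```

Because every printer address also lies inside an address in LAN_Networks, rule 1 matches first and the printing accept in rule 2 is never reached; after reordering, guest traffic to the server 10.1.1.10 is still dropped by the broad rule.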

Re: EdgeRouter OpenVPN client

Sorry, I'm not good at English.
The ERL can act as both an OpenVPN server and an OpenVPN client. You can also let the traffic go through the tunnel, or let it go through the WAN; it is your choice... if I understand you correctly...

Re: ER-12 not routing between interfaces 0-7 (removed from switch)


The complication:

From the ER-12 command line I can ping hosts in both 192.168.110.0/24 and 192.168.100.0/24.

From hosts in 192.168.110.0/24 I can ping other hosts in 192.168.110.2/24, 192.168.110.254, 192.168.99.1 (eth8), and my public IP address, BUT I cannot ping 192.168.100.254; nor can I ping any other host on 192.168.100.0/24 (Destination Host Unreachable error).

You may want to check if the host on 192.168.100.0/24 has a reverse route to 192.168.110.0/24, or it won't reply to requests coming from 192.168.110.0/24.


Re: Module ftdi_sio ER4


I tried to prepare my ER4 for compiling these modules from the GPL source.

The missing piece is the "Module.symvers"; any chance to get or extract this?

If I rebuild the entire kernel, does the new "Module.symvers" match the actual kernel, or do I need to replace the entire kernel with the new one?


Re: ER-12 not routing between interfaces 0-7 (removed from switch)


From host 192.168.100.2 I cannot get a response from the ER-12 on interface eth1 (192.168.110.254).

host 192.168.100.2> route -n

Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.254  0.0.0.0          UG    0      0        0 brmntg
192.168.100.0   0.0.0.0          255.255.255.0    U     0      0        0 brmntg
192.168.110.0   0.0.0.0          255.255.255.0    U     0      0        0 vdata
192.168.120.0   0.0.0.0          255.255.255.0    U     0      0        0 vvoip
192.168.122.0   0.0.0.0          255.255.255.0    U     0      0        0 virbr0
192.168.130.0   0.0.0.0          255.255.255.0    U     0      0        0 vguest
192.168.140.0   0.0.0.0          255.255.255.0    U     0      0        0 vapp

ping 192.168.100.254 works fine

ping 192.168.110.254 fails -- Destination Host Unreachable

Does the tcpdump below help?

On the ER-12, tcpdump -i eth0 -n -v host 192.168.110.254 sees no packets (?)

tcpdump -i eth1 -n -v host 192.168.110.254 sees:

07:56:01.806005 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46
07:56:02.811053 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46
07:56:03.835045 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46
07:56:05.837730 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46
07:56:06.842997 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46
07:56:07.866975 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46


Re: ER-12 not routing between interfaces 0-7 (removed from switch)


Seems like your 192.168.100.2 host already has lots of those networks locally attached (VMware bridge interfaces?).

Then it won't route those packets to the ER.

ARP requests being sourced from 192.168.100.0 is weird too.

That's a subnet address, and shouldn't be in use.
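Added illustration (Python, not from the thread) of the two points made in this reply, run over a constructed copy of the route table and ARP lines posted earlier: a longest-prefix lookup shows that 192.168.110.254 is reached through the host's locally attached vdata route rather than via the ER's gateway address, and an ARP sender check flags a request whose sender is the network address of a connected subnet. The second ARP line is constructed as a normally addressed comparison case.

```python
import ipaddress
import re

# Constructed copy of the host's `route -n` output from the earlier post
# (net-tools format), trimmed to the routes that matter for the lookup.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 brmntg
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 brmntg
192.168.110.0   0.0.0.0         255.255.255.0   U     0      0        0 vdata
"""

# Constructed ARP lines in the tcpdump format quoted above: the first copies
# the sender seen on the ER, the second is what a normally addressed host sends.
ARP_LINES = [
    "07:56:01.806005 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.110.254 tell 192.168.110.0, length 46",
    "07:56:09.100000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.254 tell 192.168.100.2, length 46",
]
ARP_RE = re.compile(r"Request who-has (\S+) tell (\S+),")


def parse_routes(text):
    """Parse net-tools `route -n` lines into (network, gateway or None, iface) records."""
    routes = []
    for line in text.splitlines()[2:]:            # skip the two header lines
        dst, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append({"net": net, "gateway": None if gw == "0.0.0.0" else gw, "iface": iface})
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match as the kernel does it: returns (iface, gateway or None)."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r["net"].prefixlen)
    return best["iface"], best["gateway"]


def check_arp_sender(line, routes):
    """Flag an ARP request whose sender is the network (host-bits-zero) address
    of a directly connected subnet, which no host should be using."""
    m = ARP_RE.search(line)
    if not m:
        return None
    target, sender = m.groups()
    sender_ip = ipaddress.ip_address(sender)
    for r in routes:
        if r["gateway"] is None and r["net"].prefixlen < 31 and sender_ip == r["net"].network_address:
            return {"target": target, "sender": sender,
                    "problem": f"sender is the network address of {r['net']}"}
    return {"target": target, "sender": sender, "problem": None}


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # 192.168.110.254 matches the connected vdata route, so the host ARPs for it
    # directly instead of handing the packet to the ER at 192.168.100.254.
    print(lookup(routes, "192.168.110.254"))
    print(lookup(routes, "203.0.113.10"))
    for line in ARP_LINES:
        print(check_arp_sender(line, routes))
```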

 

 

Re: Map Static IP outside DHCP range?


Thanks to all for the quick responses. Yeah, the OP wants to map the static IP outside the DHCP range by assigning an IP other than that given by the EdgeMax DHCP server. So, thanks for the clarifying comments.

 

Good to know it is a best practice that makes the router's life easier rather than a whim. I do wish I'd asked a couple of years ago. 

Edgerouter: Why bridge?


I’ve purchased the EdgeRouter 6P and am studying its setup before it arrives.

I’ll be using it with an EdgeSwitch.

 

I’m confused about the use of bridging router ports. 

Why would one bridge ports?

I thought that the function of the router was to route between ports anyway. 

 

If I have 2 separate networks that I need to communicate with each other, doesn’t the router already do this? (I.e. route them together)

 

or am I misunderstanding something?

Tim

[ER-POE5] - Url resolves to an IPv6 IP while I have no IPv6 address on the router


Hello

 

Lately I have problems resolving Google domains like fonts.googleapis.com. Given that a lot of websites use this for hosting fonts, my browsing experience is not so great.

 

I figured out the probable cause of not resolving this domain but I don't know how to fix it.

 

When I curl a stylesheet on fonts.googleapis.com I see that it resolves to an IPv6 address, but my router does not get an IPv6 address from my cable provider's router (Ubee modem). This is fine for me; I tried to get IPv6 working within my LAN once, but my provider Ziggo (Netherlands) is quite silent on the details, so I gave up. I have a dual connection on both IPv4 and IPv6 on my Ubee modem.

 

But how come my EdgeRouter is resolving this domain to an IPv6 address?

 

My DNS providers configured on the router are:

1) a local one on the LAN, running on a NAS, which forwards to Cloudflare's 1.1.1.1

2) the one provided by my ISP, 84.116.46.21

Neither is IPv6.

 

Included are my config and a screenshot from the router with the curl command.

 

Many thanks!

 

Maarten

Re: Edgerouter: Why bridge?


Hi Tim

 

You will use the bridge function on the router if you want multiple ports on the router to behave like a switch.

So without bridging:

- Eth0: Internet
- Eth1: LAN1 (192.168.1.0/24)
- Eth2: LAN2 (192.168.2.0/24)
- ...

With bridging:

- Eth0: Internet
- Switch0: LAN1 (192.168.1.0/24)
  - Eth1
  - Eth2

This means that with bridging you will be able to connect devices to Eth1 and Eth2 and they will be on the same LAN.

Since you will have a separate switch, my guess is you will not need to bridge ports.

- Maarten

Re: ER-12 not routing between interfaces 0-7 (removed from switch)


OK.

Good and Bad.

 

If I remove the bridge that carried the 192.168.110.0/24 subnet (VLAN 110), then everything works.

So that makes the question: how can I

- connect the NIC on the host PC to a trunk line with multiple VLANs (100, 110),
- make VLAN 100 only accessible to the host (management VLAN),
- make VLAN 110 only accessible to the LXD containers (this was the bridge that was causing the routing errors)?

Below is my original netplan file. If I comment out all the vdata and brdata sections, then from the host PC I can ping to/from everywhere, but then how do I access vdata (110) in my LXD containers?

P.S. Thank you for all the time / help so far.

 

network:
  version: 2
  renderer: networkd
  ethernets:
    lan:
      match:
        macaddress: 00:e0:4c:68:99:fd
      set-name: lan
      dhcp4: no

  vlans:
    vmngt:
      id: 100
      link: lan
      addresses: [ 192.168.100.0/24 ]

    vdata:
      id: 110
      link: lan
      addresses: [ 192.168.110.0/24 ]

  bridges:
    brmntg:
      interfaces: [ vmngt ]
      addresses: [ 192.168.100.2/24 ]
      gateway4: 192.168.100.254
      nameservers:
        addresses: [ 192.168.110.20 ]
        search: [ rosses.net ]
      parameters:
        stp: false
        forward-delay: 0

    brdata:
      interfaces: [ vdata ]
      gateway4: 192.168.110.254
      nameservers:
        addresses: [ 192.168.110.20 ]
        search: [ rosses.net ]
      parameters:
        stp: false
        forward-delay: 0


Edgerouter X - Cant connect At all


Morning All

 

I bought an EdgeRouter X last Thursday, 23-5-19. All was going well and I had internet until I had a power cut. Now I just can't log in to the web interface at all. I have held the reset button in until the eth4 port shows green, plugged eth0 into my PC with a static IP of 192.168.1.5, and opened 192.168.1.1 in the web browser, and I simply cannot connect to it. I have tried to ping 192.168.1.1 and it says no connection.

Any ideas?

Regards, John

Re: L2TP server on edge router not working


Hello,

I configured the same L2TP VPN.

I have no connection.

In the router I run: sudo swanctl --log

I'm trying to connect from two devices, but can't.

The output of sudo swanctl --log is empty.

I run in the router terminal:

sudo tcpdump -ni eth0 port 1701 or port 4500 or port 500

Response:

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:57:57.303455 IP 213.101.xx.xx.500 > 81.7.xx.xx.500: isakmp: phase 1 I ident
09:57:58.303108 IP 213.101.xx.xx.500 > 81.7.xx.xx.500: isakmp: phase 1 I ident
09:57:59.304103 IP 213.101.xx.xx.500 > 81.7.xx.xx.500: isakmp: phase 1 I ident

How can I debug this problem?

Re: [ER-POE5] - Url resolves to an IPv6 IP while I have no IPv6 address on the router


You don't need to be accessing DNS via IPv6 to get an IPv6 response (an AAAA record).  curl is presumably asking for both the A and AAAA records, and picking the AAAA in preference. 

 

Usually the "happy eyeballs" algorithm would ensure that IPv6 isn't used if it's not available, but maybe this isn't implemented in the version of curl on the Edgerouter.

 

You can force curl to use IPv4 only by adding --ipv4.

 

If you're having problems accessing fonts.googleapis.com from behind your router, I suspect it's a different problem. 

 

Re: IPv6 setting : what wrong


kpfleming is correct, you need more subnets. A single /64 is not sufficient if you want to put your own router behind the ISP's box.

 

In this case, the ISP's router expects the entire /64 to be available on the link between itself and your ER4 (it is sending an NS, expecting a direct response from ....:150). So the path back to your client cannot work in this configuration.

 

 

Re: ER-12 not routing between interfaces 0-7 (removed from switch)


You can have all those bridged VLANs on your hosts.

But don't assign local IP addresses to your bridge interfaces on the host. This way the host will use its default gateway, and the ER will take care of routing between VLANs.

 
