afaik, dnsmasq doesn't support DNS-TLS but it should be able to do DNSSEC.
Even if dnsmasq can, it will take testing to see if the version on the ER is up to date and the options are compiled in.
Greetings,
I'm attempting to block outbound ping replies of "Destination host unreachable" and instead simply show "request timed out" for all of our public ranges, as well as do a small rate limit on ICMP echo requests. This is on an ER-8-XG running 1.10.9.
I have the following firewall config:
name WAN_IN {
    default-action drop
    description "ICMP_rate_drop_host"
    rule 4 {
        action drop
        description DROP_HOST_UNREACHABLE
        icmp {
            type-name host-unreachable
        }
        protocol icmp
    }
    rule 5 {
        action accept
        description RATE_LIMIT_PING
        icmp {
            code 0
            type 8
        }
        limit {
            burst 200
            rate 100/second
        }
        protocol icmp
    }
    rule 10 {
        action accept
        description ALLOW_ALL_ELSE
    }
}
And then have the following for the upstream interfaces:
ethernet eth1 {
    address xxx.xxx.xxx/30
    address yyy:yyy:yyy/127
    description UPSTREAM_PEER
    duplex auto
    firewall {
        out {
            name WAN_IN
        }
    }
    speed auto
}
However, it does not appear to have any effect.
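As an added illustration (written for this page, not code from the thread or from EdgeOS itself), the following Python model applies first-match semantics to the WAN_IN rules above. It assumes the EdgeOS `limit` keyword behaves like the iptables `limit` match: a packet that exceeds the rate simply fails to match that rule and is evaluated by the next one. The constructed flood of 300 echo requests shows why the rate limit has no visible effect on its own: the 100 requests over the burst fall through to rule 10, ALLOW_ALL_ELSE, and are accepted anyway. Only a ruleset without a catch-all accept (or with an explicit drop for echo requests after rule 5) actually drops the excess.

```python
from dataclasses import dataclass, field
from typing import Optional

# ICMP type/code values used by the rules (RFC 792)
ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACHABLE = 3
ICMP_HOST_UNREACHABLE_CODE = 1   # "host-unreachable" is type 3, code 1


@dataclass
class TokenBucket:
    """Models `limit { rate R/second burst B }`: a packet matches only while a
    token is available; tokens refill at R per second up to B (assumed to mirror
    the iptables limit match)."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)
        self.last = 0.0

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    number: int
    action: str                       # "accept" or "drop"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    limit: Optional[TokenBucket] = None

    def matches(self, pkt: dict, now: float) -> bool:
        if self.icmp_type is not None and pkt["type"] != self.icmp_type:
            return False
        if self.icmp_code is not None and pkt["code"] != self.icmp_code:
            return False
        # A limited rule matches only while the bucket has tokens; packets over
        # the limit do NOT match and continue to the next rule.
        if self.limit is not None and not self.limit.take(now):
            return False
        return True


def evaluate(rules, default_action, pkt, now):
    """First-match evaluation, as in an iptables chain; returns (rule, action)."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.number, rule.action
    return None, default_action


def build_wan_in(with_allow_all_else: bool = True):
    """Re-creates the WAN_IN ruleset from the post as Python objects."""
    rules = [
        Rule(4, "drop", icmp_type=ICMP_DEST_UNREACHABLE,
             icmp_code=ICMP_HOST_UNREACHABLE_CODE),
        Rule(5, "accept", icmp_type=ICMP_ECHO_REQUEST, icmp_code=0,
             limit=TokenBucket(rate=100, burst=200)),
    ]
    if with_allow_all_else:
        rules.append(Rule(10, "accept"))   # ALLOW_ALL_ELSE
    return rules


def flood(rules, count: int = 300):
    """Constructed traffic: `count` echo requests at the same instant.
    Returns a tally of which (rule, action) handled each packet."""
    tally = {}
    for _ in range(count):
        key = evaluate(rules, "drop", {"type": ICMP_ECHO_REQUEST, "code": 0}, now=0.0)
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    print("with rule 10:   ", flood(build_wan_in(True)))
    print("without rule 10:", flood(build_wan_in(False)))
```

The model also confirms that rule 4 catches a host-unreachable message (type 3, code 1) before anything else is consulted; what it cannot show is direction, and a policy attached under `firewall { out { ... } }` on eth1 only sees traffic the router sends toward the upstream peer.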
Hi
Welcome to the Community!
There is a mistake in your LAN_NETWORKS network group. It should be 192.168.0.0/16 , not 192.168.0.0/24.
Best regards,
Turns out I had the LAN interface set to eth01 and not switch0. Works great now. Thanks for the help.
Just installed a new EdgeRouter and am experiencing DDoS attacks on port 5060. Very new to this product, and I need to restrict 5060 to specific IP addresses; not sure how to go about this process. Any sort of assistance would be fantastic, thanks.
Could you post a full sanitized config? Partial configs, particularly with firewall policies, often miss important details that might not be expected.
You show a policy 'ICMP_IN', then identify a policy WAN_IN applied to the 'out' direction of an interface. That isn't very clear.
I have created an IPv6 prefix-list containing, among others, the following config:
set policy prefix-list6 bogon-prefixes-v6 rule 5 action 'permit'
set policy prefix-list6 bogon-prefixes-v6 rule 5 description RFC7526
set policy prefix-list6 bogon-prefixes-v6 rule 5 le '128'
set policy prefix-list6 bogon-prefixes-v6 rule 5 prefix '2002::/16'
I have also created a route-map to filter BGP updates with this prefix-list:
set policy route-map iBGP-Import rule 12 action permit
set policy route-map iBGP-Import rule 12 description 'Drop IPv6 bogons'
set policy route-map iBGP-Import rule 12 match ipv6 address prefix-list bogon-prefixes-v6
By enabling and disabling other rules in the prefix-list and the route-map, I have found that this rule in the prefix-list is wrongly matching an IPv4 prefix, 32.2.128.0/18.
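An added example, written for this page rather than taken from the thread or from EdgeOS: the false match reported above is consistent with (though the thread does not confirm) a matcher that compares raw leading address bits without checking the address family, because the first two bytes of 2002::/16 are 0x20 0x02, which read as IPv4 octets are 32.2. The script contrasts that hypothetical family-blind comparison with a correct family-aware one built on Python's ipaddress module, so a prefix-list entry can be audited for cross-family matches before it is attached to a route-map.

```python
import ipaddress


def _leading_bits(net, nbits):
    """First `nbits` bits of the network address as an integer, or None when
    the address is shorter than `nbits`."""
    packed = net.network_address.packed
    total = len(packed) * 8
    if nbits > total:
        return None
    return int.from_bytes(packed, "big") >> (total - nbits)


def family_aware_match(entry_prefix, le, candidate):
    """Correct semantics for `prefix P le L`: the candidate must be in the same
    address family, lie inside P, and have a length between P's length and L."""
    entry = ipaddress.ip_network(entry_prefix)
    cand = ipaddress.ip_network(candidate)
    if entry.version != cand.version:
        return False
    return cand.subnet_of(entry) and entry.prefixlen <= cand.prefixlen <= le


def family_blind_match(entry_prefix, le, candidate):
    """Hypothetical faulty matcher (NOT EdgeOS code): compares raw leading bits
    and ignores whether the two addresses are IPv4 or IPv6."""
    entry = ipaddress.ip_network(entry_prefix)
    cand = ipaddress.ip_network(candidate)
    if not (entry.prefixlen <= cand.prefixlen <= le):
        return False
    return _leading_bits(entry, entry.prefixlen) == _leading_bits(cand, entry.prefixlen)


def audit(entry_prefix, le, candidates):
    """Return the candidates that a family-blind comparison would accept but a
    family-aware one rejects, i.e. the cross-family false positives."""
    return [
        c for c in candidates
        if family_blind_match(entry_prefix, le, c)
        and not family_aware_match(entry_prefix, le, c)
    ]


# Constructed sample of prefixes as they might appear in a BGP feed.
SAMPLE_PREFIXES = ["32.2.128.0/18", "2002:a00::/24", "10.0.0.0/8", "2001:db8::/32"]

if __name__ == "__main__":
    for c in SAMPLE_PREFIXES:
        print(f"{c:16} aware={family_aware_match('2002::/16', 128, c)} "
              f"blind={family_blind_match('2002::/16', 128, c)}")
    print("false positives:", audit("2002::/16", 128, SAMPLE_PREFIXES))
```

Any IPv4 prefix inside 32.2.0.0/16 with a length of at least 16 produces the same false positive under the blind comparison; the family check is what rules it out, and `cand.subnet_of(entry)` is only evaluated once both addresses are known to be the same version.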
I just updated my ERLite-3 from 1.10.9 to 2.0.3 with no problems. IPv6 with prefix delegation works, VLAN tagging works, and my speed tests haven't changed (I'm on gigabit fiber and get 940 Mbps in both directions). eap_proxy also still works fine for authenticating to my ISP.
Thanks UBNT for continuing to support your older products!
I have updated three ER-X units from 1.10.9 to 2.0.3, and one update failed with the file system corruption (when hwnat offloading is enabled) that the release notes mention as fixed. It seems that it is NOT FIXED... we have to RMA the unit and set up a new one.
wrote:
The two certificates don't have to be created by the same CA.
I thought they did; everything makes much more sense now.
My bad, that was a typo from a quick sanitization I did on those config blocks.
See attached for a fully sanitized config
Thanks!
We have a NAT configuration that utilizes a destination net-to-net nat inbound from ETH1 like so:
NAT Net-to-Net destination rule: 10.0.0.0/27 -> 192.168.0.0/27
192.168.0.1/27 is on ETH2
We need this ER-X to additionally masquerade the source IP from 172.16.0.1 to 192.168.0.1 when arriving on ETH1 destined for 10.0.0.0/27 (thus outbound to ETH2).
So, with one source rule and one destination rule, this scheme works for about 5 minutes, then stops working.
I realize this is somewhat unorthodox (we're trying to carefully replace an existing default gateway on 192.168.0.0/27), but can anyone think of a reason why this would work for a short time, then fail after a few minutes?
Thanks!
William Middleton
wrote:
The two certificates don't have to be created by the same CA.
I thought they did; everything makes much more sense now.
Please note that my statement was about client certificate use in general. As long as OpenVPN can be configured with a client certificate trust list, it should be doable. I didn't get a chance to play with this today, but I'll try to make some time next week.
I haven't seen this issue anywhere on the boards. I've been having issues getting DHCP leases from my EdgeRouter, working mostly in the GUI and the config tree. Using the CLI, I've discovered that the DHCP service cannot be found. Can't start, stop or find the service. I've already tried a factory reset and installed the latest firmware today, to no avail.
I'm new to the EdgeRouter X family and trying to set up the home/work network below.
cable modem - EdgeRouter X (static IP WAN) - 3 LANs
WAN port 0: business-class static IP from ISP
LAN port 1: 192.168.?.? (secure work network with domain and email server)
LAN port 2: 10.?.?.? (home network with shared printers, web server and Plex server)
LAN port 3: home wireless router (home wireless access, needs access to printers on home network)
LAN port 4: unused / future use
Here is my issue/desire:
1. How to set up the EdgeRouter X to service the domain/email (certs from Certify The Web free SSL) on port 1:
   a. domain with web/email SSL certs
   b. access the shared printers on LAN port 2
   c. email server, serves 3 email domains:
      1. all domains use a single IP address from the ISP
      2. Exchange 2016 email server requires HTTPS
2. Home network provides internet access for (port 2):
   a. TV
   b. shared printers for home/work
   c. web server: internal access from all networks plus external (internet) access as well
   d. Plex media streaming server, internal and external access
3. Home wireless access (phones/computers), port 3.
I would like to use DNS on the router to pass inbound requests to the correct network?
I'm not familiar with firewall rules.
Any idea or suggestion would be good.
Thank you
Hi
Welcome to the Community! Your WAN_IN Rule 20 destination address is 192.168.178.1/24. Try setting it to the network address 192.168.178.0/24. This also appears in your NAT rule 5010, though a source address is not needed for your masquerade.
Best regards,
Is there an EdgeRouter that will support Gigabit WAN while using Smart QOS?
Hi
I've cleaned up this thread and removed its duplicate.
If I understand correctly, I think what you'd like your end result to be is best achieved by configuring your Fortigate 60D in Transparent Mode.
Best regards,
OK, for testing I set up the router with static IPs on ETH0:
192.168.1.100
192.168.1.101
192.168.1.102
192.168.1.103
I removed eth1, eth2 and eth3 from switch0 and added IPs:
ETH1 Static IP 10.0.1.1/24
ETH2 Static IP 10.0.2.1/24
ETH3 Static IP 10.0.3.1/24
ETH4 DHCP 10.0.0.1/24
and tried to set up Source NAT (SNAT) for ETH1, but when I plug in my laptop I get no internet?
I attach my config; what is going wrong here?
Greetings Remco