Channel: All EdgeRouter posts

Re: Struggling with ER firewall for network segregation


Thanks, Blake!

I corrected that error and it seems to be correctly blocking access to all LAN, however there is still no WAN access.

Further digging has uncovered that it's my PiHole that my guest network doesn't seem to be able to communicate with, despite the rule to allow DNS traffic locally.

AHA! PROBLEM SOLVED!

As I was looking through my firewall rules, I realized it was my PiHole that was not providing DNS: if I manually changed my DNS to Cloudflare, for example, I had internet again. So there was a communication issue with the PiHole.

Which is when I realized that the firewall rule I set for DNS was for LOCAL traffic, but my DHCP server was configured to issue the PiHole's IP address as DNS instead of my router's IP.

To correct this (for anyone else who might have this issue):

  • I changed my guest DHCP server to use 192.168.6.1 for DNS so it would contact my router for DNS
  • My router's system name servers were already set to my PiHole's IP
  • I changed the firewall rule on WIFI_GUEST_LOCAL for DNS to be port 53 only to 192.168.6.1 and removed the PiHole address group (since we were now going to ask the EdgeRouter to forward the traffic to the DNS servers it is configured with)
  • Finally, made sure that under Services -> DNS the ER was set to forward DNS traffic to VLAN 6 and VLAN 7

Now my guest and IoT networks have internet connectivity and they still use my PiHole for DNS by way of the ER, and their local traffic is blocked to their own network.

Thanks again for helping me get there, Blake!


Re: Blocking ICMP host-unreachable


That's much better (thank you), and answers some questions I would have had.

The naming 'WAN_IN' is a little misleading since it is applied in the "out" direction of your two WAN ports, but otherwise looks OK to start.

From external, you likely are seeing 'host unreachable' being sent by your router (ICMP Type 3 Codes 0, 1, 4, 5 would originate at a router). Traffic sourced at an ER can't be filtered using firewall rules (at least not using traditional interface ACLs). The first step would be to capture a few packets that are getting through that you are trying to block, preferably at an external host, but a tcpdump on the ER should work as well. This would confirm the source of the 'host unreachable' to be your ER.

I suspect your intent is to protect against probes/scans.

  1. You'd ideally need a separate firewall between your two WAN ports and the respective upstream providers to do this reliably.
  2. While far beyond overkill here, you may be able to use a zone-based firewall configuration that will allow you to filter traffic sourced at the ER, but you'd need to add all interfaces to zones, even if just to have a single 'allow all' rule for all directional zone-pairings.
  3. You could perhaps create iptables rules directly (i.e., not part of your EdgeOS configuration), which might be the best option if you really want to do this. You'd need to add a script to /config/scripts/post-config.d to apply those on boot.

There was a similar post not too long ago seeking to do similar.

Moving to the rate-limiting: you ideally want to do this on the inbound direction with ICMP Type 8 Code 0 (echo request). For the outbound direction instead you would want ICMP Type 0 Code 0 (echo reply). This is assuming you are similarly looking to protect against probes/scans from external (WAN/upstream side).

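The reply above suggests capturing the offending packets and checking their ICMP type and code to confirm that the router is the source. The following decoder is an added example for this thread (not code from the post or from EdgeOS): it parses a raw ICMP message as tcpdump would hand it over, labels type 3 codes using the router-originated list given above (codes 0, 1, 4 and 5), and, because a destination-unreachable message quotes the original IPv4 header plus the first 8 bytes of its payload, it also recovers which destination address and port the original datagram was aimed at (the same kind of message, UDP port 5060 unreachable, comes up later in this digest). The function names `parse_icmp`, `build_icmp` and `icmp_checksum` and the sample addresses (198.51.100.7, 203.0.113.5, documentation ranges) are my own constructions.

```python
import struct

# RFC 792 "destination unreachable" (type 3) codes. The flag records which codes,
# per the reply above, would normally originate at a router rather than at the
# end host the probe was aimed at.
DEST_UNREACH_CODES = {
    0: ("net unreachable", True),
    1: ("host unreachable", True),
    2: ("protocol unreachable", False),
    3: ("port unreachable", False),
    4: ("fragmentation needed and DF set", True),
    5: ("source route failed", True),
}
ECHO_TYPES = {8: "echo request", 0: "echo reply"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message.
    Over a message whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used for the constructed samples).
    'rest' is bytes 4..7 of the header (unused for type 3, id/seq for echo)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", itype, code, 0) + body)
    return struct.pack("!BBH", itype, code, csum) + body


def parse_icmp(msg: bytes) -> dict:
    """Decode type/code and, for type 3, the quoted original datagram's destination.

    A destination-unreachable message carries the original IPv4 header plus at
    least 8 bytes of its payload, which is enough to recover the destination
    address and (for TCP/UDP) the destination port that was refused.
    """
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    itype, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": itype, "code": code, "checksum_ok": icmp_checksum(msg) == 0}
    if itype == 3:
        name, from_router = DEST_UNREACH_CODES.get(code, ("unassigned", False))
        info.update(name=name, router_originated=from_router)
        inner = msg[8:]
        if len(inner) >= 20:
            ihl = (inner[0] & 0x0F) * 4          # inner IPv4 header length in bytes
            proto = inner[9]                     # inner protocol: 6 = TCP, 17 = UDP
            info["orig_dst"] = ".".join(str(b) for b in inner[16:20])
            info["orig_proto"] = proto
            if proto in (6, 17) and len(inner) >= ihl + 4:
                # destination port is bytes 2..3 of both the TCP and UDP header
                info["orig_dport"] = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    elif itype in ECHO_TYPES:
        ident, seq = struct.unpack("!HH", msg[4:8])
        info.update(name=ECHO_TYPES[itype], id=ident, seq=seq)
    else:
        info["name"] = "other"
    return info


def sample_port_unreachable() -> bytes:
    """Constructed sample: port unreachable quoting a UDP/5060 datagram to 203.0.113.5."""
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0,
        bytes([198, 51, 100, 7]), bytes([203, 0, 113, 5]),
    )
    inner_udp = struct.pack("!HHHH", 5060, 5060, 16, 0)
    return build_icmp(3, 3, payload=inner_ip + inner_udp)


if __name__ == "__main__":
    samples = (
        sample_port_unreachable(),
        build_icmp(3, 1),                              # host unreachable, router-originated
        build_icmp(8, 0, rest=b"\x00\x01\x00\x01"),    # echo request id=1 seq=1
    )
    for sample in samples:
        print(parse_icmp(sample))
```

To use it on a real capture, feed it the ICMP payload of each packet (for example what `tcpdump -w` plus a pcap reader gives you after the outer IP header); a steady stream of type 3 code 1 messages with `checksum_ok` true and the router's address as the outer source is the confirmation the reply asks for.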

Re: Blocking ICMP host-unreachable


Hi Waterside,

Yes, the idea is that I want to protect against probes/scans. The source of the host-unreachable replies is the ER; I have confirmed that externally.

That's interesting that the ER essentially can't create a "router-protect" rule, as that's really what this is (as I'm used to doing with JunOS). Definitely would prefer to simply have this up and working.

One thing to note is that this for some reason works on ONE router (the one I posted the config of here), however it does not work on two other routers. Identical configs and firmware, just changed IP addresses.

Do you think the zone-based configuration would add much overhead?

Re: Windows 10 will not connect to L2TP IPSec VPN


 wrote:

"I recommend to disconnect your other client sessions when testing the Windows client." I have to confess I don't know what you mean. I don't have any other devices (iPhone, Android etc.) connected to the VPN at this time. Is that what you meant?

You can connect with multiple devices at the same time, but they have to be coming from different locations.

One thing I have been a little confused about is that I set a pre-shared key for the VPN during the setup process for the EdgeRouter according to the instructions in the Ubiquiti article I linked in my first post. However, I never get asked to enter that key anywhere in the Windows VPN connection setup or VPN connection process where I enter the username and password. Is there something missing related to the pre-shared key?

There are two options when adding the L2TP VPN settings to the Windows client:

  • L2TP/IPsec with certificate
  • L2TP/IPsec with pre-shared key

The second option needs to be selected here and will show a 'Pre-shared key' box in addition to the username + password. Looking at your last logs, I suspect that the 'certificate' option was selected.

-Ben

OK, I made an error in an earlier statement. I did have the pre-shared key entered for the Android and the iOS device. I did not provide it to my remote guy in another state for his attempt. I'm fixing that now and will post the log when he tries again. I would still like to stress that my iOS device hotspot is connected only to LTE and providing WiFi only to the laptop, which then tries to connect to the remote (through the WAN) VPN server on the ERX. But I'll post the logs from the next attempt from one state over.

 

Re: UDP port 5060 no longer working in port-forward


Update - I had another EdgeRouter 8 I could use and swapped it for the non-working one. I applied (nearly) the same config and guess what - that other router is now working fine with VoIP and allowing it in! The only difference in the configs are the IP addresses - no changes to the firewall rules, port-forward rules, etc. above. The "old" router which is now in production is also running an older version of the code - v1.9.7+hotfix.4

So that confirms what I thought was the case all along - I don't think this is a config issue.

Back to my original question: why would the EdgeRouter issue ICMP UDP port 5060 unreachable?

 

Re: Help With Multiple WAN IP Intermittent in my edgerouter pro


Hi. Sorry for the mind-boggling post. I have an EdgeRouter Pro and the firmware version is 1.10.9, with 2 load-balanced WAN connections (all are fiber connections). The first WAN is configured as PPPoE and the 2nd WAN is configured as static (3 usable public IPs). The problem is the 2nd WAN is intermittent.

ERPOE-5 usb fan powered by poe?


Hey, I'm ready to get rid of a bunch of wall warts and upgrade my ER Lite to an ERPOE-5 so I can power 2 AP Lite access points. I'm worried about the temperature issues though, as it will be in my entertainment system with the front closed the majority of the time. I've seen people use USB-powered fans to cool the device and increase air flow, but wouldn't that just mean you have to have more wires and a brick to power them? The whole point of PoE is to cut down on power supplies and wires.

Is it possible to use a PoE to USB adapter to run the fan with something like this?

Thanks for any input or ideas!

Re: DHCP not being renewed automatically on WAN

Tell us more about the ISP. Do they serve public IPs? Are they P2P links (/32)? Firmware? Config?

Re: EdgeMAX EdgeRouter software version v2.0.3 has been released!


It would be nice if we could fix this:

Jun  1 02:16:10 ubnt kernel: net_ratelimit: 205 callbacks suppressed
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0
Jun  1 02:16:10 ubnt kernel: protocol 0800 is buggy, dev switch0

Router:

Version:      v2.0.3
Build ID:     5189356
Build on:     05/02/19 14:20
Copyright:    2012-2018 Ubiquiti Networks, Inc.
HW model:     EdgeRouter 12
HW S/N:       0418D6A0E43B
Uptime:       02:21:48 up 1 day,  6:46,  1 user,  load average: 0.04, 0.08, 0.08

(This happened on 2.0.1 as well)

Offload:

smyers@ubnt:/config/scripts$ show ubnt offload

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : enabled
  pppoe     : disabled
  gre       : disabled
  bonding   : disabled
IPv6
  forwarding: enabled
  vlan      : enabled
  pppoe     : disabled
  bonding   : disabled

IPSec offload module: loaded

Traffic Analysis    :
  export    : disabled
  dpi       : disabled
    version       : 1.480

Kernel Source: (net/core/dev.c)

void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
{
	struct packet_type *ptype;
	struct sk_buff *skb2 = NULL;
	struct packet_type *pt_prev = NULL;
	struct list_head *ptype_list = &ptype_all;

	rcu_read_lock();
again:
	list_for_each_entry_rcu(ptype, ptype_list, list) {
		/* Never send packets back to the socket
		 * they originated from - MvS (miquels@drinkel.ow.org)
		 */
		if (skb_loop_sk(ptype, skb))
			continue;

		if (pt_prev) {
			deliver_skb(skb2, pt_prev, skb->dev);
			pt_prev = ptype;
			continue;
		}

		/* need to clone skb, done only once */
		skb2 = skb_clone(skb, GFP_ATOMIC);
		if (!skb2)
			goto out_unlock;

		net_timestamp_set(skb2);

		/* skb->nh should be correctly
		 * set by sender, so that the second statement is
		 * just protection against buggy protocols.
		 */
		skb_reset_mac_header(skb2);

		if (skb_network_header(skb2) < skb2->data ||
		    skb_network_header(skb2) > skb_tail_pointer(skb2)) {
			net_crit_ratelimited("protocol %04x is buggy, dev %s\n",
					     ntohs(skb2->protocol),
					     dev->name);
			skb_reset_network_header(skb2);
		}

		skb2->transport_header = skb2->network_header;
		skb2->pkt_type = PACKET_OUTGOING;
		pt_prev = ptype;
	}

	if (ptype_list == &ptype_all) {
		ptype_list = &dev->ptype_all;
		goto again;
	}
out_unlock:
	if (pt_prev)
		pt_prev->func(skb2, skb->dev, pt_prev, skb->dev);
	rcu_read_unlock();
}

(I have found this problem going back to ~2015)

Re: ER-X using Lets Encrypt Certificate for OpenVPN


Hello,

What you mentioned is why I raised this question. I have quite some experience with enterprise CAs, as well as the functionality of certificate templates and purposes...

But this is the first time for me to use Let's Encrypt.....

And admittedly I didn't do my homework (checking) before asking. While now I believe it is not possible.

Re: Can't access GUi on Edge Router Lite, "Lighttpd" errors

user@ERL# sudo ls /var/log
apt              charon.log       dhcpd.status     fsck             lighttpd         mgetty           squid            ubnt-daemon.log  vyatta
btmp             dhcp6c.log       dmesg            lastlog          messages         ntpstats         squid3           user             wtmp

"lighttpd" is a folder, and inside are 2 files, "error.log" and "ubnt-rtr-ui.log". Here is the output of error.log:

user@ERL# sudo cat /var/log/lighttpd/error.log
2019-05-31 04:01:08: (server.c.1423) server started (lighttpd/1.4.49)

The ubnt-rtr-ui.log file is empty.

Group interfaces


Hi, friends. I have a ER-12 configured as 3 ways balancer with 1 failover interface. Anyway to group WAN interfaces for UNMS traffic shaping on all 3 balanced interfaces? 

LAN cannot access WAN


I am setting this up from scratch. Here is my configuration; I cannot get to the WAN and nothing stands out as to what I did incorrectly:

Thank you!!


ubnt@ubnt:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description WAN_OUT
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.190.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
ubnt@ubnt:~$
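A dump like the one above is easier to review with a small script than by eye, so here is an added example (my own code, not an EdgeOS tool) that reads the brace-indented `show configuration` format and runs one consistency check a practitioner would want on a fresh setup: every DHCP scope must have a router interface address inside its subnet, and its `default-router` and `dns-server` values must lie inside that subnet. The parser only understands the layout shown in the post (`key [value] {` opens a block, `}` closes it, other lines are `key value` leaves); `SAMPLE_CONFIG` is an excerpt of the interfaces and DHCP sections copied from the dump above. On that excerpt it reports that scope LAN1 (192.168.1.0/24) has no interface address in it, since eth1 is 10.10.190.1/24 while the scope hands out 192.168.1.1 as the gateway.

```python
import ipaddress

# Constructed excerpt of the 'show configuration' output above (interfaces and
# DHCP scopes only); the full dump parses the same way.
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
    }
    ethernet eth1 {
        address 10.10.190.1/24
        description Local
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        shared-network-name LAN1 {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
            }
        }
        shared-network-name LAN2 {
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
            }
        }
    }
    dns {
        forwarding {
            listen-on eth1
            listen-on eth2
        }
    }
}
"""


def parse_config(text: str) -> dict:
    """Minimal reader for the brace layout above. Repeated leaf keys (listen-on,
    address) are collected into a list; shell prompt lines are skipped."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("$") or " show configuration" in line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            node = stack[-1]
            if key in node:
                node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [value]
            else:
                node[key] = value
    return root


def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])


def interface_addresses(cfg: dict) -> dict:
    """Map each ethernet interface to its static IPv4 addresses ('dhcp' is skipped)."""
    out = {}
    for key, node in cfg.get("interfaces", {}).items():
        if key.startswith("ethernet "):
            out[key.split()[1]] = [
                ipaddress.ip_interface(a) for a in _as_list(node.get("address")) if a != "dhcp"
            ]
    return out


def check_dhcp_scopes(cfg: dict) -> list:
    """Flag DHCP scopes the router cannot serve or route for: no router interface
    address inside the scope's subnet, or a gateway/DNS value outside it."""
    findings = []
    addrs = [a for lst in interface_addresses(cfg).values() for a in lst]
    dhcp = cfg.get("service", {}).get("dhcp-server", {})
    for sn_key, sn in dhcp.items():
        if not sn_key.startswith("shared-network-name "):
            continue
        sn_name = sn_key.split()[1]
        for sub_key, sub in sn.items():
            if not sub_key.startswith("subnet "):
                continue
            subnet = ipaddress.ip_network(sub_key.split()[1])
            if not any(a.ip in subnet for a in addrs):
                findings.append(f"{sn_name}: no interface address inside {subnet}")
            for field in ("default-router", "dns-server"):
                for value in _as_list(sub.get(field)):
                    if ipaddress.ip_address(value) not in subnet:
                        findings.append(f"{sn_name}: {field} {value} is outside {subnet}")
    return findings


if __name__ == "__main__":
    for finding in check_dhcp_scopes(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Paste the whole `show configuration` output into the string (or read it from a file) to run the same check on a live box; other checks, such as confirming that the DNS forwarder's `listen-on` list covers every LAN interface, follow the same pattern over the parsed tree.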

Multi-WAN PBR question


Hello! My device is an ER-X, firmware 1.10.9.

I have two questions.

1. The ER-X default route is WAN1. External access via WAN1 is working, but access via WAN2 is not working. How can I configure the ER-X to achieve WAN2 external access?

2. In the internal network, I configured the ER-X to route the UCK-G2 via WAN2 through policy routing, and I configured ER-X port forwarding to allow WAN1 to forward to the UCK-G2, but the port-forward is not working. How can I configure the ER-X so that WAN1 external access reaches the UCK-G2?

Firewall modify rule question


Hello! My device is an ER-X, firmware 1.10.9.

I configured the ER-X firewall modify ruleset. The rules are as follows.

1 destination ADDRv4_pppoe1 accept
2 destination ADDRv4_pppoe2 accept
3 destination ADDRv4_switch0 accept
11 source ADDRv4_group1 modify table 1
12 source ADDRv4_group2 modify table 2
20 drop

I configured static routes and address groups, and the rules are working.

But when I change "modify table" to "modify lb-group", the rules are not working.

Only deleting the drop rule makes it work.

I don't understand the modify rule order: when a packet matches a rule with action "modify", is firewall processing over, or does it continue matching the next rule?

Re: EdgeMAX EdgeRouter software version v2.0.3 has been released!


I just got back from lunch and the first thing I realized is that the ERX was down unexpectedly.

Wow.. it seems unstable now after upgrading to 2.0.3.

I have been using the ER-X for a month. This never happened when using 1.10.9.

Re: Firewall modify rule question


Processing of the firewall modify ruleset did indeed raise some eyebrows over here.

Processing continues on some matching rules!

Understandable for setting DSCP or marking a packet.

Weirdest thing:

Processing of the ruleset stops on a matching "modify table x" rule......

but continues on a matching "modify lb-group" rule.

If you have multiple modify lb-group statements, add accept rules in between:

On match 1 action modify LB_Group 1

On match 1 action accept (extra inserted rule)

On match 2 action modify LB_Group 2

On match 2 action accept (extra inserted rule)

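To make the ordering behaviour described in the reply above concrete, here is an added example (my own code, not EdgeOS internals) that walks the ruleset from the question under exactly the semantics the reply states: `accept`, `drop` and `modify table` end processing, while `modify lb-group` sets the mark and lets processing continue. Running it over the original ruleset, the lb-group variant, the lb-group variant with the drop rule deleted, and the lb-group variant with the recommended accept rules inserted shows why only the last two let the packet through. The address-group memberships, the lb-group names `G1`/`G2`, the sample source 192.168.1.10 and destination 192.0.2.50, and the assumption that the ruleset's default action is accept are all constructed for the example.

```python
import ipaddress

# Constructed membership for the address groups named in the question; the
# real groups' contents are not in the thread.
ADDRESS_GROUPS = {
    "ADDRv4_pppoe1": ["198.51.100.1/32"],
    "ADDRv4_pppoe2": ["203.0.113.1/32"],
    "ADDRv4_switch0": ["192.168.1.0/24"],
    "ADDRv4_group1": ["192.168.1.10/32"],
    "ADDRv4_group2": ["192.168.1.20/32"],
}

# Actions that end the walk through the ruleset, per the reply above:
# 'modify table' stops, 'modify lb-group' does not.
TERMINATING = {"accept", "drop", "modify table"}

# Rules are (number, match_field, address_group, action, argument).
RULES_TABLE = [                      # the ruleset from the question
    (1, "destination", "ADDRv4_pppoe1", "accept", None),
    (2, "destination", "ADDRv4_pppoe2", "accept", None),
    (3, "destination", "ADDRv4_switch0", "accept", None),
    (11, "source", "ADDRv4_group1", "modify table", 1),
    (12, "source", "ADDRv4_group2", "modify table", 2),
    (20, None, None, "drop", None),
]
RULES_LB = [                         # same, with 'modify lb-group' (names constructed)
    (1, "destination", "ADDRv4_pppoe1", "accept", None),
    (2, "destination", "ADDRv4_pppoe2", "accept", None),
    (3, "destination", "ADDRv4_switch0", "accept", None),
    (11, "source", "ADDRv4_group1", "modify lb-group", "G1"),
    (12, "source", "ADDRv4_group2", "modify lb-group", "G2"),
    (20, None, None, "drop", None),
]
RULES_LB_FIXED = [                   # the reply's fix: accept rule after each lb-group rule
    (1, "destination", "ADDRv4_pppoe1", "accept", None),
    (2, "destination", "ADDRv4_pppoe2", "accept", None),
    (3, "destination", "ADDRv4_switch0", "accept", None),
    (11, "source", "ADDRv4_group1", "modify lb-group", "G1"),
    (12, "source", "ADDRv4_group1", "accept", None),
    (13, "source", "ADDRv4_group2", "modify lb-group", "G2"),
    (14, "source", "ADDRv4_group2", "accept", None),
    (20, None, None, "drop", None),
]


def in_group(addr: str, group: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ADDRESS_GROUPS[group])


def evaluate(rules, src: str, dst: str) -> dict:
    """Walk the rules in number order and return the verdict, the routing table
    or lb-group mark left on the packet, and the numbers of the rules that
    matched. The ruleset's default action is taken as accept (assumption)."""
    state = {"verdict": "accept", "table": None, "lb_group": None, "matched": []}
    for number, field, group, action, arg in sorted(rules, key=lambda r: r[0]):
        if field == "source" and not in_group(src, group):
            continue
        if field == "destination" and not in_group(dst, group):
            continue
        state["matched"].append(number)
        if action == "modify table":
            state["table"] = arg
        elif action == "modify lb-group":
            state["lb_group"] = arg
        elif action == "drop":
            state["verdict"] = "drop"
        if action in TERMINATING:
            return state
    return state


def scenarios(src: str = "192.168.1.10", dst: str = "192.0.2.50") -> dict:
    """A host in ADDRv4_group1 sending to an Internet address that is in no
    destination group, evaluated against each variant of the ruleset."""
    return {
        "modify table": evaluate(RULES_TABLE, src, dst),
        "modify lb-group": evaluate(RULES_LB, src, dst),
        "modify lb-group, drop rule deleted": evaluate([r for r in RULES_LB if r[3] != "drop"], src, dst),
        "modify lb-group with accept rules": evaluate(RULES_LB_FIXED, src, dst),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:38s} verdict={result['verdict']:6s} table={result['table']} "
              f"lb_group={result['lb_group']} matched={result['matched']}")
```

The second scenario is the question's symptom in miniature: the lb-group mark is set by rule 11, the walk continues, nothing else matches, and rule 20 drops the packet. Inserting an accept rule after each lb-group rule (fourth scenario) ends the walk right after the mark is applied while keeping the final drop for everything else.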

Re: Multi-WAN PBR question


Try adding a load-balance group for both WANs, even if you do not use it in firewall modify rules.

(No need to enable lb-local or lb-local-metric-change, so the route table stays as it is now.)

Merely the presence of an LB group makes DNAT rules sort of more clever: they will automatically be answered on the correct interface.

The same (probably) goes for WAN traffic destined for the ER itself.
