Thank you for the answer.
I will try this configuration.
Is this a SIP helper thingy? I always disable it, as I don't like its so-called "help":
set system conntrack modules sip disable
Start using WAN_LOCAL rulesets! Now that the ER is exposed, it will reply with ICMP unreachable for every non-listening port.
And make sure to allow BGP on WAN_LOCAL
Hi, first question: you mean I just configure a load-balance group and add all WAN interfaces, with no need to enable lb-local or lb-local-metric-change? I tried it, yes.
Second question: I don't know the specific configuration method.
Configure one load-balance group and set switch0 firewall modify lb-group to use that group? Can you tell me the details?
Just for information, I noticed that the official download page for firmware was updated yesterday (5/31) with new firmware version 2.0.3. I updated to this firmware using the same method as before (running "add system image <URL>" and rebooting). The problem still exists ☹
Not feeling too good about this... I have somewhat extensive experience with Cisco, Fortinet, and other vendors' command lines, so I'm not completely dead in the water without the GUI, but if there are firmware problems serious enough to cause a nonfunctional HTTP service, what other problems might exist, or could in the future?
I am sure that is not what is happening. I am tagging matching prefixes with a community, so that rule has to match and I can check the prefix for that community.
Not being able to turn off IPv4 prefix exchange over an IPv6 BGP session is a bug in itself, but not related to this issue.
Hi RokaKen,
Thank you very much for your feedback!
Interesting lessons to learn.
All tests passed; I'm thinking all the settings are right now.
With kind regards,
Remco
KB for LB setup:
https://help.ubnt.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing
To create an unused group, all it takes is:
6. Create a Load-Balance group that includes the two WAN interfaces.
set load-balance group G interface eth0
set load-balance group G interface eth1
# and make sure LB group doesn't alter routing tables:
set load-balance group G lb-local disable
set load-balance group G lb-local-metric-change disable
So by putting part of the error message listed in my original post on Google, I get exactly 2 results on this entire site. One link is to this post, and the other is to the post regarding the release of firmware 2.0.0: https://community.ubnt.com/t5/EdgeRouter/EdgeMAX-EdgeRouter-software-version-v2-0-0-has-been-released/td-p/2622433/page/7
In it, a forum mod posts the following:
@ildicoeu
> Lighttpd will not come up when upgrading to 2.0
> 2019-01-08 01:01:34: (plugin.c.229) dlopen() failed for: /usr/lib/lighttpd/mod_websocket.so /usr/lib/lighttpd/mod_websocket.so: cannot open shared object file: No such file or directory

The mod_websocket.so was substituted with mod_wstunnel.so in lighttpd v1.4.46 as described here. There should be no reference to "mod_websocket" in /etc/lighttpd/lighttpd.conf. Please show the output of the following shell command:
sudo cat /etc/lighttpd/lighttpd.conf
But I can find no response to this in the rest of that thread. I apologize if I missed it, seeing as the thread is 30 pages long.
In any case, here is the output of the command the mod listed to run (sudo cat /etc/lighttpd/lighttpd.conf):
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_redirect",
    "mod_fastcgi",
    "mod_rewrite",
    "mod_openssl",
    "mod_wstunnel",
)
server.document-root = "/var/www/htdocs"
server.upload-dirs = ( "/tmp" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.tag = "Server"
index-file.names = ( "index.php", "index.html", "index.htm", "default.htm", " index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".py" )
server.dir-listing = "disable"
include "mime.conf"
include "conf-enabled/10-ssl.conf"
include "conf-enabled/15-fastcgi-python.conf"
wstunnel.ping-interval = 30
$HTTP["url"] =~ "^/ws/stats" {
    wstunnel.server = ( "" => ( ( "socket" => "/tmp/ubnt.socket.statsd" ) ) )
    wstunnel.frame-type = "text"
    server.max-read-idle = 600
    server.stream-request-body = 2
    server.stream-response-body = 2
}
$HTTP["url"] =~ "^/ws/cli" {
    wstunnel.server = ( "" => ( ( "socket" => "/tmp/ubnt.socket.cli" ) ) )
    wstunnel.frame-type = "binary"
    server.max-read-idle = 600
    server.stream-request-body = 2
    server.stream-response-body = 2
}
Ideas?
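The mod's diagnosis above boils down to one check: every module named in server.modules must exist as a .so in lighttpd's module directory, and mod_websocket was renamed to mod_wstunnel in 1.4.46. The script below is an added example (not from the post or from the EdgeOS firmware) that parses the server.modules list from a conf file and reports which listed modules would make dlopen() fail; the module directory listing it runs against is constructed inline, not read from a router.

```python
import os
import re

# server.modules excerpt of the lighttpd.conf posted above (constructed input for this example).
CONF = '''
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_redirect",
    "mod_fastcgi",
    "mod_rewrite",
    "mod_openssl",
    "mod_wstunnel",
)
server.document-root = "/var/www/htdocs"
'''

# Matches 'server.modules = ( ... )' and 'server.modules += ( ... )', list body in group 2.
MODULE_RE = re.compile(r'server\.modules\s*(\+?=)\s*\((.*?)\)', re.S)

def parse_modules(conf: str) -> list:
    """Return the module names listed in server.modules, in load order."""
    names = []
    for _op, body in MODULE_RE.findall(conf):
        body = re.sub(r'#[^\n]*', '', body)  # drop '#' comments inside the list
        names.extend(re.findall(r'"([^"]+)"', body))
    return names

def missing_modules(modules, present_files, renamed=None):
    """(module, reason) for each listed module whose .so is not in present_files.

    renamed maps an old module name to its replacement; mod_websocket -> mod_wstunnel
    is the rename from lighttpd 1.4.46 referenced in the thread."""
    renamed = renamed or {"mod_websocket": "mod_wstunnel"}
    problems = []
    for m in modules:
        if m + ".so" not in present_files:
            hint = renamed.get(m)
            problems.append((m, f"renamed to {hint} in 1.4.46" if hint else "not installed"))
    return problems

def installed_modules(moddir="/usr/lib/lighttpd"):
    """Set of files in the real module directory (empty when run off the router)."""
    return set(os.listdir(moddir)) if os.path.isdir(moddir) else set()

if __name__ == "__main__":
    # Constructed listing standing in for /usr/lib/lighttpd; use installed_modules() on a router.
    present = {"mod_access.so", "mod_alias.so", "mod_redirect.so", "mod_fastcgi.so",
               "mod_rewrite.so", "mod_openssl.so", "mod_wstunnel.so"}
    for mod, why in missing_modules(parse_modules(CONF), present):
        print(f"dlopen would fail for {mod}.so: {why}")
```

For the conf as posted the report is empty, which is why the mod's check does not explain this failure; a conf still naming mod_websocket would be flagged with the rename hint.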
I have a customer that has 2 PPPoE fibre connections with a /29 subnet attached to each.
Currently, these are connected via switches to an HA pair of firewalls. My main issue is that when it does an HA failover, the PPPoE connections drop, and they have to be re-established.
I want to put an ER-4 on each connection in front of the HA firewalls to do the PPPoE connection, and have the first public IP on the LAN side of the ER. I can then put one of the other IPs onto the HA firewalls.
Can anyone point me in the right direction for this?
I've looked at the article below, but it doesn't give enough information to set this up with a PPPoE connection.
I haven't bought these yet, but would appreciate some assistance before I do to ensure this is possible.
Thanks
Rise uses the UBNT MAC internally, so your device gets their private IP range.
The fix is to change the MAC of the ETHx port connected to Rise to your computer's or old router's MAC.
Once done and rebooted, the service will work.
The IPs are public dynamic addresses assigned via DHCP. All modems are in bridge mode.
Hi. Trying to diagnose a situation here, where IPs and ranges which are listed in the Blacklist don't appear to be blocked.
I have an EdgeRouter-X and have added the scripts, black lists, etc. and the supporting rules for the firewall. I also have a web server behind the firewall with port forwarding rules. This works, as the web server is accessible from the Internet, as designed. However, the web server is logging accesses from IP addresses which appear in the banned list, so I'm trying to diagnose why this would be.
Here are the config statements specific to the IPv4 firewall rules.
name wan-dmz-4 {
    default-action drop
    rule 1 {
        action drop
        protocol all
        source {
            group {
                network-group Nets4-BlackList
            }
        }
    }
}
name wan-lan-4 {
    default-action drop
    rule 1 {
        action drop
        protocol all
        source {
            group {
                network-group Nets4-BlackList
            }
        }
    }
}
name wan-self-4 {
    default-action drop
    rule 1 {
        action drop
        protocol all
        source {
            group {
                network-group Nets4-BlackList
            }
        }
    }
}
So those appear to be in there correctly. I also have the following in the LocalBlackList.txt file:
add Nets4-BlackList 178.19.0.0/16
add Nets4-BlackList 178.19.108.0/16
add Nets4-BlackList 178.19.108.0/24
add Nets4-BlackList 178.19.108.0/8
add Nets4-BlackList 178.19.108.178
If I grep the fw rules file, I see it present:
# grep 178.19.0 fw-IPSET-4.txt
add Nets4-BlackList 108.178.19.0/24
On the web server machine, grepping the access log:
178.19.108.178 - - [01/Jun/2019:08:11:02 -0400] "POST / HTTP/1.1\n" 400 226
I'm not understanding why 178.19.108.178 isn't blocked at the firewall with add Nets4-BlackList 108.178.19.0/24. Can someone help me understand why this IP is getting through the firewall?
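When a blocklist entry "should" cover an address, the quickest check is to ask the prefix arithmetic directly rather than eyeballing the octets. The script below is an added example (not from the post or from the blacklist scripts) that uses Python's ipaddress module on the LocalBlackList.txt lines and the single grep hit quoted above: it reports which entries contain 178.19.108.178, and flags entries written with host bits set beyond their prefix length, whose normalized form is shown beside them.

```python
import ipaddress

# The LocalBlackList.txt lines and the fw-IPSET-4.txt grep hit quoted above (constructed input).
LOCAL_BLACKLIST = """\
add Nets4-BlackList 178.19.0.0/16
add Nets4-BlackList 178.19.108.0/16
add Nets4-BlackList 178.19.108.0/24
add Nets4-BlackList 178.19.108.0/8
add Nets4-BlackList 178.19.108.178
"""
IPSET_FILE = "add Nets4-BlackList 108.178.19.0/24\n"

def parse_set_lines(text, setname="Nets4-BlackList"):
    """Return (as_written, normalized_network, host_bits_set) per 'add <set> <cidr>' line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "add" or parts[1] != setname:
            continue
        cidr = parts[2]
        # strict=True would raise on 178.19.108.0/16; strict=False masks it to 178.19.0.0/16
        net = ipaddress.ip_network(cidr, strict=False)
        host_bits_set = "/" in cidr and str(net) != cidr
        out.append((cidr, net, host_bits_set))
    return out

def matching_entries(text, ip):
    """Entries whose network contains ip, i.e. the ones that would drop it once loaded."""
    addr = ipaddress.ip_address(ip)
    return [cidr for cidr, net, _ in parse_set_lines(text) if addr in net]

def sloppy_entries(text):
    """(as_written, normalized) for entries whose address has bits set past the prefix length."""
    return [(cidr, str(net)) for cidr, net, sloppy in parse_set_lines(text) if sloppy]

if __name__ == "__main__":
    ip = "178.19.108.178"
    print("entries in LocalBlackList.txt covering", ip, ":", matching_entries(LOCAL_BLACKLIST, ip))
    print("entries with host bits set:", sloppy_entries(LOCAL_BLACKLIST))
    print("entries in fw-IPSET-4.txt covering", ip, ":", matching_entries(IPSET_FILE, ip))
```

Run against the quoted text, every LocalBlackList.txt entry contains the address while the one line grep found in fw-IPSET-4.txt does not, so the question to chase is what ends up in the generated set file rather than the firewall rule itself.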
The release notes include this statement:
[IPv6] - Fix regression in v2.0.0 when radvd did not work correctly when multiple router-advert were configured. Discussed here
I can't follow the 'here' link as I don't have access to the beta forum, so I'm reporting here that this is *not* fixed on my router. I upgraded to 2.0.3, and as in previous releases 'journalctl -u radvd' shows that radvd was started (and then stopped) multiple times, until systemd gave up trying to start it. /etc/radvd.conf is present and has the proper contents, and the journal shows that radvd reported 'syntax ok' when it parsed the file. Issuing a 'systemctl start radvd' results in radvd running properly, and RAs are sent out on my LANs.
It appears that radvd is being restarted as each LAN is added to /etc/radvd.conf, and because I have so many (6) systemd decides that radvd is being restarted too quickly and it must be failing, even though it's not.
I used 'systemctl edit radvd.service' to set 'StartLimitIntervalSec=0' to disable start-limit checking completely, and now when I reboot the router radvd is running as it should be. I assume this is the exact scenario which was supposed to be addressed in 2.0.3 based on the line from the release notes, but I can't be certain... in any case, whatever fix was put in place was not sufficient.
That took care of it! Thanks for your help!
I am currently running an EdgeRouter Lite on v2.0.3 and notice every 5 minutes 6 multicast packets (224.0.0.251:5353), which looks like mDNS, seemingly generated from the EdgeRouter. The curious thing is that on that network only sits the internal interface of the EdgeRouter and the WAN interface of a pfSense router.
There is no mDNS traffic coming from the pfSense router. Any idea why the EdgeRouter is generating mDNS traffic (which is being dropped by the pfSense router)?
UBNT discovery is turned off, and no VLANs have been defined on the EdgeRouter.
Anyone know how I can stop it generating this mDNS traffic (assuming that's what it is)?
Thanks
wrote:
> The release notes include this statement:
> [IPv6] - Fix regression in v2.0.0 when radvd did not work correctly when multiple router-advert were configured. Discussed here
> I can't follow the 'here' link as I don't have access to the beta forum, so I'm reporting here that this is *not* fixed on my router.
The issue referenced was actually a different one, but the fix for that appears to have perhaps introduced a new problem. Your feedback is very helpful to identify the difference as well as identify a possible mitigation. Thank you for the detail.
Yes, /etc/radvd.conf will get re-generated for each interface with router advertisements configured, so you'll see radvd get restarted repeatedly. That has always been the case, but the difference now with 2.x is that systemd is in the mix. Since systemd is actually being used to restart radvd, it shouldn't count against restart rate or limits, but apparently it does (I'll leave my opinions on systemd aside here).
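The two radvd posts above describe the same mechanism: one restart per configured interface, and systemd's start rate limit (by default 5 starts within 10 seconds, the DefaultStartLimitBurst and DefaultStartLimitIntervalSec values) treating the sixth as a failing unit. The script below is an added example (not from either post or from EdgeOS) that pulls "Started radvd" timestamps out of journalctl short-format lines and applies that sliding-window rule, so you can see the limit trip with six LANs and stay clear with five or with the StartLimitIntervalSec=0 drop-in the first poster used. The journal lines are constructed for the example, not a real router's journal.

```python
from datetime import datetime, timedelta

# Constructed journalctl -u radvd output (default short format): radvd restarted once per LAN
# as /etc/radvd.conf is regenerated for six interfaces, all within a few seconds of boot.
JOURNAL = """\
Jun 01 08:10:00 er-lite systemd[1]: Started radvd.
Jun 01 08:10:01 er-lite systemd[1]: Started radvd.
Jun 01 08:10:02 er-lite systemd[1]: Started radvd.
Jun 01 08:10:03 er-lite systemd[1]: Started radvd.
Jun 01 08:10:04 er-lite systemd[1]: Started radvd.
Jun 01 08:10:05 er-lite systemd[1]: Started radvd.
"""

def start_times(journal, unit="radvd", year=2019):
    """Timestamps of 'systemd[1]: Started <unit>' lines; the short format carries no year."""
    times = []
    for line in journal.splitlines():
        if f"systemd[1]: Started {unit}" not in line:
            continue
        stamp = " ".join(line.split()[:3])  # e.g. "Jun 01 08:10:00"
        times.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return times

def start_limit_hit(times, interval_sec=10, burst=5):
    """True when more than `burst` starts fall inside any `interval_sec` window.

    Defaults mirror systemd's DefaultStartLimitIntervalSec=10s / DefaultStartLimitBurst=5;
    interval_sec=0 disables the check, which is what a StartLimitIntervalSec=0 drop-in does."""
    if interval_sec == 0:
        return False
    times = sorted(times)
    window = timedelta(seconds=interval_sec)
    for i, first in enumerate(times):
        in_window = sum(1 for t in times[i:] if t - first < window)
        if in_window > burst:
            return True
    return False

if __name__ == "__main__":
    starts = start_times(JOURNAL)
    print(len(starts), "starts; default limit hit:", start_limit_hit(starts))         # 6 True
    print("5 LANs:", start_limit_hit(starts[:5]))                                       # False
    print("with StartLimitIntervalSec=0:", start_limit_hit(starts, interval_sec=0))    # False
```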