Channel: All EdgeRouter posts
Viewing all 60861 articles

config.boot file limitations? Rule limitations?


Say I was creating a DNAT rule, or firewall rule and added 7000 or so lines to it.  Is this beyond what the ER-POE is designed to handle?

 

My specific situation is one of trying to block 7700 DNS servers.  I did it by creating a NAT group, but I haven't applied that rule to anything.  I used a current config file and edited it in Notepad++ to add all those lines to the rule that already had 6 entries.  Now the router is stuck at

 [....] Starting EdgeOS router: migrate rl-system configure

 

Did I overwhelm it?

 

This wasn't a seriously implemented production solution.  All the same, I'm wondering if there are hard limits or functional limits to the length of rules like that or firewall rules.

 

On my 2800s in my lab, the functional length of an ACL or list has to be less than 30-50 entries or the performance really suffers.


Fix me up edgerouter / lite / poe / x


Hi all, FYI,

 

We've been struggling with several 'freeze' failures on the:

 

Edgerouter Lite

Edgerouter Poe

 

and recently, Edgerouter X

 

I'm talking about a dozen devices failing... I have a stack of them at my desk right now. They were all running 1.7.x and above....

 

We are real supporters of the ubnt edgemax product line, but this really needs to be fixed. 

 

From what I have read on the forum the bootloader might be causing these problems. If I may believe the previous posts it's like waiting for a sh*tstorm that is going to happen eventually and most likely after a power failure....

 

I'm not in the mood/possibility to upload new bootloaders to all my client devices. But on the other hand I believe I have no choice. I suspect they will fail eventually...

 

How are they failing ? 

 

Unable to boot. Devices become totally dumb. The reset feature doesn't do anything. All the lights respond as explained in the reset tutorial, but nothing really happens. 

 

So you are kinda stuck...

 

How to repair by the official rules (safe option) - ER-Lite, ER-Poe

 

If you are uncomfortable opening up the device you should request an RMA. 

 

 

How to repair by yourself without the official hassle (quick fix and reliable).

 

On the ER-lite and ER-Poe we have noticed corrupted usb devices, the usb device goes corrupt, don't ask me why, but it does happen.

 

Get a new USB stick, use one you can depend on. We are using a 4GB SanDisk Cruzer. (Use any reliable USB disk*.)

Open up the device and change the stick. (You will need to remove the USB stick from its case.)

 

*What is reliable? Something you have used before.... (In my opinion, anything that you have mounted lots of times without any problems.)

 

Get a console cable and follow this guide.

 

https://help.ubnt.com/hc/en-us/articles/204959514-EdgeMAX-Last-resort-recovery-of-failed-EdgeOS-device

 

I've repaired a lot of Edgerouters thanks to this tutorial. Credits go out to  and Cheers2

Thank god....

 

What about the ER-X? We have had several failures of the device going into 'dumb' state or switch mode. This was always after a power failure. Same as the other Edgerouters.

 

Unfortunately we were not able to repair them. After trying several serial options we only got gibberish output. As the price is much lower than the ER-Lite or ER-Poe, we ceased efforts... (unfortunately we threw them away, as decided by the admin)

 

Maybe this has already been fixed with the 1.9 firmware

 

Any helpful responses to this topic are welcome; I'm sure lots of others have experienced these issues.

Re: help with edgerouter-x L2TP VPN


I'm seeing similar issues. My VPN clients can reach the internet no problem, but for whatever reason can't reach any of the clients hanging off the switch0 interface. I tried with addresses both within the same subnet as switch0 as well as a different subnet.

 

Don't worry about not seeing a DHCP lease for the PPTP/IPSEC clients. PPTP does not rely on DHCP, it will manage IPs on its own and these addresses won't be visible on the DHCP leases.

 

But I am also going a bit crazy as to which routing table the packets coming from the tunnel are hitting... it's weird.

 

ER-X - Secondary Network Via Separate Interface or VLAN?


I have a device that I'd like to set up on its own isolated network on my ER-X.  Is there any reason to use a VLAN rather than splitting off a port onto a separate interface?  I looked around a bit but couldn't find information regarding performance penalties or other issues one way or the other.

Re: Update to 1.9 broke my l2tp/ipsec


Thanks for the tip. Indeed, I was seeing that the incoming packets were basically following the default route back out to the internet (it took quite a while to troubleshoot, but adding a raw iptables rule with the TRACE target let me see that the packets were being sent out to eth0):

 

iptables -t raw -I  PREROUTING -p icmp -j TRACE

(you can find the traces in /var/log/messages).. and you can delete the trace with this rule:

 

iptables -t raw -D PREROUTING -p icmp -j TRACE

(in my case, I was tracing only ICMP packets to make my life easier)

 

Regardless, is there any chance of getting this solved in a maintenance release? 

 

Also, I have 6 routing tables as I have different load-balance groups (a general LB group, one which is client-IP-sticky for HTTPS, and a third one which is active/standby for SIP traffic). I basically run the probes 3 times over the same WAN interfaces... is there an alternative to this?

 

In my case, this is the output of your command:

 

root@router:/var/log# /usr/sbin/ubnt-add-connected.pl
Connected routes found = 7
Route tables found = 6
Adding routes to table 201
Adding routes to table 202
Adding routes to table 203
Adding routes to table 204
Adding routes to table 205
Adding routes to table 206

load-balance member [Sticky-LB-eth1]
  status = active
  route table 206
    default via 192.168.100.1 dev eth1
    blackhole default  metric 256
    10.255.255.0 dev l2tp0  scope link
    127.0.0.0/8 dev lo  scope link
    190.111.238.0/24 dev eth0  scope link
    192.168.1.0/24 dev switch0  scope link
    192.168.2.10 dev l2tp0  scope link
    192.168.100.0/24 dev eth1  scope link
    192.168.129.0/24 dev eth2.1000  scope link

load-balance member [SIP-eth1]
  status = failover
  route table 204
    default via 192.168.100.1 dev eth1
    blackhole default  metric 256
    10.255.255.0 dev l2tp0  scope link
    127.0.0.0/8 dev lo  scope link
    190.111.238.0/24 dev eth0  scope link
    192.168.1.0/24 dev switch0  scope link
    192.168.2.10 dev l2tp0  scope link
    192.168.100.0/24 dev eth1  scope link
    192.168.129.0/24 dev eth2.1000  scope link

load-balance member [G-eth1]
  status = active
  route table 202
    default via 192.168.100.1 dev eth1
    blackhole default  metric 256
    10.255.255.0 dev l2tp0  scope link
    127.0.0.0/8 dev lo  scope link
    190.111.238.0/24 dev eth0  scope link
    192.168.1.0/24 dev switch0  scope link
    192.168.2.10 dev l2tp0  scope link
    192.168.100.0/24 dev eth1  scope link
    192.168.129.0/24 dev eth2.1000  scope link

load-balance member [SIP-eth0]
  status = active
  route table 203
    default via 190.111.238.1 dev eth0
    blackhole default  metric 256
    10.255.255.0 dev l2tp0  scope link
    127.0.0.0/8 dev lo  scope link
    190.111.238.0/24 dev eth0  scope link
    192.168.1.0/24 dev switch0  scope link
    192.168.2.10 dev l2tp0  scope link
    192.168.100.0/24 dev eth1  scope link
    192.168.129.0/24 dev eth2.1000  scope link

load-balance member [Sticky-LB-eth0]
  status = active
  route table 205
    default via 190.111.238.1 dev eth0
    blackhole default  metric 256
    10.255.255.0 dev l2tp0  scope link
    127.0.0.0/8 dev lo  scope link
    190.111.238.0/24 dev eth0  scope link
    192.168.1.0/24 dev switch0  scope link
    192.168.2.10 dev l2tp0  scope link
    192.168.100.0/24 dev eth1  scope link
    192.168.129.0/24 dev eth2.1000  scope link

load-balance member [G-eth0]
  status = active
  route table 201
    default via 190.111.238.1 dev eth0
    blackhole default  metric 256
    10.255.255.0 dev l2tp0  scope link
    127.0.0.0/8 dev lo  scope link
    190.111.238.0/24 dev eth0  scope link
    192.168.1.0/24 dev switch0  scope link
    192.168.2.10 dev l2tp0  scope link
    192.168.100.0/24 dev eth1  scope link
    192.168.129.0/24 dev eth2.1000  scope link

 

 

 

And I have some static routes defined in the base routing table so that I can reach some devices behind other routers. In this case, would I have to manually create the static routes on the 3 eth0 routing tables, 201, 203 and 205? Can we know which one of the three routing tables is taken? Would there be a cleaner way to get the l2tp/ipsec tunnel to just terminate its packets on the main routing table instead (so that I could use dynamic routing protocols instead of static, for example)?

 

Thanks!
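A small checker for the question above about which policy tables need the static routes. This is an added example, not code from the post or from Ubiquiti: it parses the per-member dump format that `ubnt-add-connected.pl` prints (as shown in the post), groups the tables by the WAN interface their default route uses, and lists the tables that lack a given prefix. The sample dump is constructed from the post's output, shortened to four members with a few routes each; the `172.16.5.0/24` static route is a made-up entry standing in for the poster's "static routes defined in the base routing table".

```python
"""Parse the per-member route-table dump printed by ubnt-add-connected.pl and
check which policy tables carry (or lack) a given prefix.

Added example; not part of the original post or of EdgeOS.  SAMPLE_DUMP is
constructed from the post above, shortened to four load-balance members with
only a handful of routes each.  172.16.5.0/24 is an invented static route."""
import re
from dataclasses import dataclass, field

SAMPLE_DUMP = """\
load-balance member [Sticky-LB-eth1]
  status = active
  route table 206
    default via 192.168.100.1 dev eth1
    blackhole default  metric 256
    192.168.1.0/24 dev switch0  scope link
    192.168.100.0/24 dev eth1  scope link

load-balance member [SIP-eth1]
  status = failover
  route table 204
    default via 192.168.100.1 dev eth1
    blackhole default  metric 256
    192.168.1.0/24 dev switch0  scope link

load-balance member [SIP-eth0]
  status = active
  route table 203
    default via 190.111.238.1 dev eth0
    blackhole default  metric 256
    192.168.1.0/24 dev switch0  scope link
    190.111.238.0/24 dev eth0  scope link

load-balance member [G-eth0]
  status = active
  route table 201
    default via 190.111.238.1 dev eth0
    blackhole default  metric 256
    192.168.1.0/24 dev switch0  scope link
    172.16.5.0/24 via 192.168.1.254 dev switch0
"""


@dataclass
class LbMember:
    name: str
    status: str = ""
    table: int = 0
    routes: list = field(default_factory=list)  # raw "ip route" lines

    def default_dev(self):
        """Interface used by this table's default route (None if absent)."""
        for r in self.routes:
            m = re.match(r"default via \S+ dev (\S+)", r)
            if m:
                return m.group(1)
        return None

    def has_prefix(self, prefix):
        """True if a route for exactly this prefix is in the table."""
        return any(r.split()[0] == prefix for r in self.routes)


def parse_lb_tables(text):
    """Turn the dump into a list of LbMember, in the order printed."""
    members, cur = [], None
    for line in text.splitlines():
        m = re.match(r"load-balance member \[(.+?)\]", line)
        if m:
            cur = LbMember(m.group(1))
            members.append(cur)
            continue
        s = line.strip()
        if cur is None or not s:
            continue
        if s.startswith("status ="):
            cur.status = s.split("=", 1)[1].strip()
        elif s.startswith("route table "):
            cur.table = int(s.split()[-1])
        else:
            cur.routes.append(s)
    return members


def tables_by_wan(members):
    """Map WAN interface -> sorted table numbers whose default route uses it."""
    out = {}
    for m in members:
        out.setdefault(m.default_dev(), []).append(m.table)
    return {k: sorted(v) for k, v in out.items()}


def tables_missing_prefix(members, prefix):
    """Sorted table numbers that have no route for the given prefix."""
    return sorted(m.table for m in members if not m.has_prefix(prefix))


if __name__ == "__main__":
    ms = parse_lb_tables(SAMPLE_DUMP)
    print("tables per WAN:", tables_by_wan(ms))
    print("tables lacking 172.16.5.0/24:", tables_missing_prefix(ms, "172.16.5.0/24"))
```

Feed it the real output (`/usr/sbin/ubnt-add-connected.pl > dump.txt`, then `parse_lb_tables(open("dump.txt").read())`) and `tables_missing_prefix` tells you exactly which of the 201/203/205 tables still need a static route copied in; `tables_by_wan` makes the eth0/eth1 split visible without reading six route lists by hand.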

[ER-X] IPsec VPN Performance


I've been using an ER-X at home for a few weeks. It's my first Edgerouter. Very happy with it so far.

 

With EdgeOS v1.9.0, we know ER-X supports HW crypto. I've seen impressive numbers from earlier tests e.g. this thread in Beta forum. This time around I put it under my own tests and the results excite me.

 

Test setup:

 

    Macbook Pro <--->  ER-X <---> iMac
    [on WAN side]                [on LAN side]

 

ER-X was configured as an IKEv2 IPsec server. HWNAT, IPsec offload, firewall and NAT were turned on. No QoS applied in either direction. The MacBook Pro was the IKEv2 client on the WAN side. For the IPsec tunnel, I used AES-128/SHA1 for ESP and AES-256/SHA256 for IKEv2 keying. The tests used iperf3 (in TCP mode) to send multiple concurrent (i.e. -P option) streams between the MBP and the iMac. 

 

Here are the results of four concurrent streams:

[Image: IPsec-Four-Streams]

(Note that the latency between WAN and LAN <5ms. YMMV)

 

The packet sizes are in MSS. Download means transferring from iMac to MBP. Upload means from MBP to iMac.

  

Even though I was told of good numbers before, I was very much surprised to see 377Mbit/s! Not only that, but it was consistently reproducible. As a comparison, for a single iperf3 stream at 1460 bytes, download and upload were 244Mbit/s and 128Mbit/s respectively.

 

I saw concurrent streams bring out further performance in the download direction. But in the upload direction it didn't change at all. Looking a bit further, I could see in the ER-X processes that in download tests all four ksoftirqd were working (with one or two near full load), but in upload tests only one or two ksoftirqd were working (only one near full load IIRC).

 

I also notice in v1.9.0 both the switch and HW crypto are configured to interrupt in CPU0. I wonder if putting HW crypto on a different CPU will make a difference. Frankly I'm not sure if that's changeable.

Re: ER-X - Secondary Network Via Separate Interface or VLAN?


Using a new VLAN on switch0 or splitting off a port from the switch are both functionally and performance-wise the same.

 

Re: Port forward did not work when IP is behind PIA OpenVPN


The port-forward tab you're using is only for simple setups, when only a single WAN/single IP address is involved.

 

Because of the VPN, you sort of have 2 WAN interfaces.

 

The extra port forward you created has opened up your Synology on the WAN, not on the OpenVPN link!

Replace the Synology port forward with a dNAT rule.  (I'd prefer to convert all port forwards to dNAT.)


Re: config.boot file limitations? Rule limitations?


Address/network groups can hold that many objects.

 

Why block that many DNS servers?  I'd make a rule to allow the DNS servers in use, and block port 53 altogether.

Re: config.boot file limitations? Rule limitations?


I didn't see a way with a DNAT rule to do that.  Am I missing some of the config?

Re: config.boot file limitations? Rule limitations?


You can use a NAT rule to redirect any DNS queries to your DNS server of choice.

Re: Port forward did not work when IP is behind PIA OpenVPN


Can you point me to steps to setup dNAT? Thanks in advance.

Re: Port forward did not work when IP is behind PIA OpenVPN


[Screenshot: Screen Shot 2016-10-09 at 1.34.06 AM.png]

 

Is Destination NAT what you are referring to?  I have added the above settings, but I still can't hit my Synology drive using the WAN's external IP.

Re: Using Edge Equipment to split a Leased line for 5 Company's - Challenge!!!




 

Correct me if I am wrong... but can't you use an ER product and stack the IPs on one port, then NAT between the subnets? I did this from a single private IP at a customer's house, then to 3 different customers via buried line, as they were all close to each other.  So from the multiple 10.60.x.x (eth1) to multiple different 192.x.x.x respectively on eth2, eth3, eth4.  

 

Wouldn't this be allowed on the public domain as well? Each "user" would get an address, then NAT to eth0 (let's say) and out to the net?  

Re: Using Edge Equipment to split a Leased line for 5 Company's - Challenge!!!

I think you're right, it can be done like that. I was going to do this originally. If we're on the same page, we're talking about 1-to-1 NAT from the ER and then creating DNAT and SNAT rules?

But I've been told that unless I present their router with a public-facing IP they will run into problems with VoIP and other applications, as they would do NAT on their firewall and then create a double-NAT situation :/

And how would you suggest rate-limiting the companies?

Thanks, Dave

Re: ATT IPv6 6rd with Pace 5268AC and ER X: Help needed for 6rd IPv6 setup


I'm missing the following in your config:

set system ipv6

Did you set this?

My experience was that it's always best to reboot the ER-X after setting this command.

 

What's the output of

show ipv6 forwarding

before and after setting "set system ipv6"?

 

So far I can see the rest of your config looks OK...

EdgePoint


I have an EdgePoint which I want to set up. I'm running PoE from an injector which then goes to my home wifi router. However, my internet connection comes in via a wireless link bridge (PB400 5AC) which I want to power from the EdgePoint router. However, in the basic settings the internet connection only allows for the internet connection on Eth0 or Eth0. If I connect it to Eth5 then I need to separately PoE the PowerBeam, thus running one more shielded cable to the PowerBeam and then connect the. If I want to connect it to Eth0 then I will have to bring power separately to the EdgePoint.

 

Any advice

 

Re: config.boot file limitations? Rule limitations?


For allowing and blocking stuff (like DNS), firewall rules are the way to go.

 

Filtering on NAT rules is hardly ever needed.

Re: Port forward did not work when IP is behind PIA OpenVPN


The dNAT rule looks fine; as destination address you could specify the VTUN interface address.

 

However, on 2nd reading, I believe the Synology should still be reachable on port 5000 on the WAN, not from VTUN.

This means you don't need dNAT, but the PBR rule needs an exclusion:

    modify OPENVPN_ROUTE {
        rule 5 {
            action accept
            description "ReturnTrafficPortMappingSynology"
            source {
                address 192.168.2.21/32
                port 5000
            }
            protocol tcp_udp
        }
    }

Re: config.boot file limitations? Rule limitations?


If you want to enforce a set of DNS servers, I think it's much more elegant to use a simple NAT rule to redirect any DNS traffic to the DNS server of your choice, which might be the router itself, so it will use whatever DNS servers you have configured on the router. The advantage of this is that DNS queries always get an answer, and an answer from your preferred DNS servers, instead of just dropping the traffic.

 

I'm using this to enforce OpenDNS for specific user groups, and to prevent some devices from using public DNS servers. Works very well and is fully transparent.

 

I could not do the same by using firewall rules, but of course I could just block the traffic in the firewall, but in my case that is not what I want to do.
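Both approaches discussed in this thread written out as EdgeOS CLI configuration: the NAT redirect described in this reply and in the earlier one ("You can use a NAT rule to redirect any DNS queries to your DNS server of choice"), and the firewall alternative from the reply that suggested allowing the resolvers in use and blocking port 53 otherwise. This is an added example, not configuration posted by anyone in the thread or shipped by Ubiquiti. The LAN interface `switch0`, the router address `192.168.1.1`, the ruleset name `LAN_IN` and the rule numbers are assumptions; the two OpenDNS addresses are the public ones. Apply option A or option B, not both.

```text
configure

# --- Option A: transparently redirect every client DNS query to the router ---

# Rule 5 (lowest number, evaluated first): queries already aimed at the
# router need no rewriting, so exclude them from NAT.
set service nat rule 5 description "DNS already sent to the router: leave alone"
set service nat rule 5 type destination
set service nat rule 5 inbound-interface switch0
set service nat rule 5 protocol tcp_udp
set service nat rule 5 destination address 192.168.1.1
set service nat rule 5 destination port 53
set service nat rule 5 exclude

# Rule 10: any other port-53 traffic arriving on the LAN is rewritten to the
# router's own resolver, whatever server the client asked for.
set service nat rule 10 description "Force all client DNS through the router"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface switch0
set service nat rule 10 protocol tcp_udp
set service nat rule 10 destination port 53
set service nat rule 10 inside-address address 192.168.1.1
set service nat rule 10 inside-address port 53

# --- Option B: allow only chosen resolvers, drop every other port-53 flow ---

set firewall group address-group ALLOWED_DNS description "Resolvers clients may use"
set firewall group address-group ALLOWED_DNS address 208.67.222.222
set firewall group address-group ALLOWED_DNS address 208.67.220.220

set firewall name LAN_IN default-action accept
set firewall name LAN_IN rule 10 action accept
set firewall name LAN_IN rule 10 description "DNS to the allowed resolvers"
set firewall name LAN_IN rule 10 protocol tcp_udp
set firewall name LAN_IN rule 10 destination group address-group ALLOWED_DNS
set firewall name LAN_IN rule 10 destination port 53
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 description "Any other DNS server"
set firewall name LAN_IN rule 20 protocol tcp_udp
set firewall name LAN_IN rule 20 destination port 53

# "in" covers traffic forwarded through the router; queries to the router's
# own resolver are "local" and are not touched by this ruleset.
set interfaces switch0 firewall in name LAN_IN

commit
save
```

Option A only rewrites packets that arrive on `switch0`, so the router's own upstream queries (which leave via the WAN) are not looped back to itself. After committing, `show nat statistics` shows whether rule 10 is actually matching; a client running `dig @8.8.8.8 example.com` should still get an answer, but from the router's configured forwarders. Option B silently drops instead of answering, which is the behaviour the poster above wanted to avoid.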
