Someone??? Can help me please...
Re: Problems with PPTP and pop port 110
Re: Createing a QOS rule to lower priority
Alright I tried the following:
traffic-policy {
    shaper Limit_DBox {
        bandwidth 35mbit
        class 10 {
            bandwidth 1%
            burst 15k
            ceiling 100%
            description "Lowest priority"
            match ADDR {
                ip {
                    source {
                        address *.*.*.10/1
                    }
                }
            }
            priority 1
            queue-limit 10
            queue-type fair-queue
        }
        default {
            bandwidth 100%
            burst 15k
            ceiling 100%
            priority 7
            queue-limit 10
            queue-type fair-queue
        }
        description WAN
    }
}
But I don't think it's actually doing anything. It's a bit hard to test, but I basically have that machine and another machine downloading at the same time from a source I know can max out my internet connection. I would expect the .10 above to come to an almost complete halt, but it doesn't. It acts as any other machine, with both ending up at anywhere from 30%-70% of bandwidth, with no apparent priority.
Any ideas what I'm doing wrong?
Thanks again! Sounds like this could work but I'm missing something!
Re: EdgeMax unable to block StreamingMedia
You could create a reservation for the device so it always gets a specific IP. Then you can create a SOURCE_GROUP with that. Then you can use that in an ACL. Here is a good example I ran across applying some rules to students and different ones to teachers.
ubnt@ubnt# show service webproxy
listen-address 172.16.3.52 {
}
url-filtering {
    squidguard {
        rule 1 {
            local-block www.youtube.com
            local-block www.facebook.com
            source-group STUDENTS
        }
        rule 2 {
            local-block match.com
            local-block eharmony.com
            source-group TEACHERS
        }
        source-group STUDENTS {
            address 172.16.1.0/24
        }
        source-group TEACHERS {
            address 172.16.10.1-172.16.10.20
        }
    }
}
Re: edgerouter X(FW v1.9) Unifi Controller(v5.2.9) and VLAN
Might need to post your config, but a few things to check. Are your vlan interfaces based off your native lan interface? ie... eth1 (lan)... eth1.30 (vlan30) and eth1.40 (vlan40)
Also unrelated but you know you can give your vlans local dns if you add them to the dns forwarding under the services tab. ie... vlan30 dns 192.168.30.1
Re: Bridging an ASDL router to an X-SFP and setting up PPPoE
jndfx22 wrote: The router will automatically create the firewall rules it needs. I would recommend upgrading it to EdgeOS 1.9.0 for best performance/features.
Great, thanks. Router is all up to date
I guess the only thing I need to watch is because the router is currently set up for my connection at home, I should connect it to my laptop, log in, backup my config, wipe it, and set it up from scratch again for the new connection. Just need to remember how to do that
From memory, laptop into eth0 with a static IP set, go through wizard in router and set it up for the new connection on eth0, laptop moved to eth1 and Netcomm plugged into eth0, cross fingers and hope for the best...
Can I backup the config of an EdgeRouter Lite and restore into an EdgeRouter X (POE) for my lab
I found a related post from 2014 which indicated a reasonably successful transfer of settings between the two devices, but I was curious if anyone has given this a try more recently with no surprises?
Thanks in advance!
mike
Re: Can I backup the config of an EdgeRouter Lite and restore into an EdgeRouter X (POE) for my lab
Yes you can, BUT: You will lose eth3, eth4, and eth5 in the GUI. You would manually have to add the ports in CLI. So far it seems everything else works, and I have done this in production for 3 clients so far that outgrew the ER-X. It's been working fine for a few weeks, traffic shaping rules and everything went over fine. I made sure both were on the same firmware (1.9.0) when I did the config swap.
USG to ERL IPSec trouble
This is my first time trying to setup IPSec with one site behind NAT.
I've got a USG at home and an ERL at work behind NAT with a 1:1 port mapping to it.
After a couple of weeks of trial and error and many hours of googling I've got IKE to stand up but can't get any further.
The main issue I had was getting NAT-T to work which I managed to fix by issuing the following command on the USG.
set remote-id NATTED_IP_OF_DESTINATION_SIDE
I'm aware the USG config will get overwritten each time I make a change via the UI so I'm trying to do everything via the CLI for now.
Any help is welcome from the experts out there, I'm out of ideas!
Here is the config of the devices:
USG
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group ESP_ERL WAN IP {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE_ERL WAN IP {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface pppoe2
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer ERL WAN IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 10.200.185.1
                }
                connection-type initiate
                ike-group IKE_ERL WAN IP
                local-address USG WAN IP
                vti {
                    bind vti64
                    esp-group ESP_ERL WAN IP
                }
            }
        }
    }
}
ERL
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha1
            }
        }
        nat-traversal enable
        site-to-site {
            peer USG WAN IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type respond
                description USG2ERL
                ike-group FOO0
                local-address 10.200.185.1
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 172.16.20.0/24
                    }
                    remote {
                        prefix 172.16.2.0/24
                    }
                }
            }
        }
    }
}
Errors from the USG
Oct 12 17:05:05 NMDC-USG-01 pluto[19474]: added connection description "peer-ERL-WAN-IP-tunnel-vti"
Oct 12 17:05:06 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: initiating Main Mode
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [XAUTH]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [Dead Peer Detection]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [RFC 3947]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: enabling possible NAT-traversal with method 3
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: Peer ID is ID_IPV4_ADDR: '10.200.185.1'
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ISAKMP SA established
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
admin@NMDC-USG-01:~$ show vpn ipsec sa detail
------------------------------------------------------------------
Peer IP: ERL-WAN-IP
Peer ID: 10.200.185.1
Local IP: USG-WAN-IP
Local ID: USG-WAN-IP
NAT Traversal: yes
NAT Source Port: 4500
NAT Dest Port: 4500
Tunnel vti:
State: down
Inbound SPI: n/a
Outbound SPI: n/a
Encryption: n/a
Hash: n/a
PFS Group: n/a
Local Net: 0.0.0.0/0
Local Protocol: all
Local Port: all
Remote Net: 0.0.0.0/0
Remote Protocol: all
Remote Port: all
Inbound Bytes: 0.0
Outbound Bytes: 0.0
Active Time (s): 0
Lifetime (s): 3600
------------------------------------------------------------------
Currently it is stuck in an endless loop of initiating Quick Mode and ignoring the payload due to no proposal chosen.
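The pluto lines quoted in the post show where the negotiation stalls: Main Mode (the ISAKMP SA) completes, NAT-T is detected, and then every Quick Mode attempt is answered with NO_PROPOSAL_CHOSEN, which means the responder refused the phase 2 (IPsec SA) proposal. The following triage routine, added here as an example and not code from the post or from Ubiquiti, folds those log lines into a per-connection state and names the failed phase. The message text for the success case ('IPsec SA established') is assumed; the page only shows the failing exchange.

```python
"""Added example (not code from the post): a triage routine for the pluto
IKEv1 log lines quoted above. It tracks, per connection name, how far the
negotiation got: Main Mode / ISAKMP SA, NAT-T detection, peer ID, and whether
Quick Mode (the IPsec SA) completed or was refused with NO_PROPOSAL_CHOSEN.
The success message text ('IPsec SA established') is assumed, not on the page."""
import re
from dataclasses import dataclass, field

# One pluto line that carries a connection name and an SA number, e.g.
#   pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ISAKMP SA established
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


@dataclass
class IkeState:
    vendor_ids: list = field(default_factory=list)
    peer_nated: bool = False
    peer_id: str = ''
    isakmp_established: bool = False
    quick_mode_attempts: int = 0
    no_proposal_chosen: int = 0
    ipsec_established: bool = False


def triage(lines):
    """Fold log lines into one IkeState per connection name."""
    states = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                      # e.g. 'added connection description ...'
            continue
        st = states.setdefault(m['conn'], IkeState())
        msg = m['msg']
        if msg.startswith('received Vendor ID payload ['):
            st.vendor_ids.append(msg.split('[', 1)[1].rstrip(']'))
        elif 'peer is NATed' in msg:
            st.peer_nated = True
        elif msg.startswith('Peer ID is') and "'" in msg:
            st.peer_id = msg.split("'")[1]
        elif msg.startswith('ISAKMP SA established'):
            st.isakmp_established = True
        elif msg.startswith('initiating Quick Mode'):
            st.quick_mode_attempts += 1
        elif 'NO_PROPOSAL_CHOSEN' in msg:
            st.no_proposal_chosen += 1
        elif 'IPsec SA established' in msg:   # assumed success text
            st.ipsec_established = True
    return states


# What each verdict means for the person reading the log.
HINTS = {
    'phase1-failed': 'Main Mode never completed: check IKE proposal, PSK and peer/local IDs',
    'phase2-rejected': ('responder refused the IPsec SA proposal: compare ESP cipher/hash, '
                        'PFS on both ends, and the traffic selectors each side offers'),
    'phase2-pending': 'Quick Mode started but no answer yet',
    'up': 'tunnel negotiated',
}


def diagnose(st):
    """Short verdict for one connection; look it up in HINTS for the reading."""
    if not st.isakmp_established:
        return 'phase1-failed'
    if st.ipsec_established:
        return 'up'
    if st.no_proposal_chosen:
        return 'phase2-rejected'
    return 'phase2-pending'


# Sample input: the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Oct 12 17:05:05 NMDC-USG-01 pluto[19474]: added connection description "peer-ERL-WAN-IP-tunnel-vti"
Oct 12 17:05:06 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: initiating Main Mode
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [XAUTH]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [Dead Peer Detection]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [RFC 3947]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: enabling possible NAT-traversal with method 3
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: Peer ID is ID_IPV4_ADDR: '10.200.185.1'
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ISAKMP SA established
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
""".splitlines()

if __name__ == '__main__':
    for conn, st in triage(SAMPLE_LOG).items():
        verdict = diagnose(st)
        print(conn, verdict, '-', HINTS[verdict])
```

On the quoted log the verdict is `phase2-rejected`: phase 1 is fine (so the PSK, IKE proposal and the `remote-id` fix are not the problem), and the thing to compare next is what each side offers in Quick Mode. In the configs above that is the ESP proposal, `pfs disable` on the USG versus the ERL default, and the selectors: the VTI side negotiates 0.0.0.0/0 (as the `show vpn ipsec sa detail` output shows) while the ERL's policy-based `tunnel 1` offers 172.16.20.0/24 and 172.16.2.0/24.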
Re: Block Google's Data Saver(Web Acceleration) Protocol
Creating a custom category for QUIC results in blocking other Google services even when the Data Saver extension is not enabled. This includes simple Google searches. Blocking UDP ports 80 and 443 seems to work as expected on an ERPOE, but I see no change on an ERLite. Is it possible that setting a bridge on eth1 and eth2 could affect that? That is really the only difference I can think of on the test units in my lab. I will try removing the bridge configuration and run some more tests. My guess is that the Data Saver extension points to specific Google servers. Early on Google was testing the SPDY protocol to compress data from their servers and it wasn't broadly used except for the web acceleration feature. I may try some extended Wireshark captures to see if there is a trend.
Re: [ER-X] random internet dropouts - 1 ER-x + 1 Unifi ACAP-pro
Hi
Thank you for the reply.
I've confirmed that it is either the router or the ISP.
I actually phoned the ISP yesterday to see what they say...
he checked what their equipment was reporting and told me that..strangely.. their fiber optics box reported that a SONOS ZP was connected to the box... not my edgerouter.
So he thought there might be something misconfigured in the router..
He said he could see that the edgerouter had been connected before but not anymore..
I have no idea what could cause this.. for the eth0 to somehow be transparent?
Anyone have an idea what I might try to fix this?
EdgeRouter-X as PPTP VPN server in existing network
I'm having some trouble incorporating an EdgeRouter-X into a client's existing network. I'm not a network specialist, so assume I know nothing...
They're currently connecting to the internet via a consumer grade DSL modem/router that also acts as their WAP. They need VPN connectivity and I'm trying to set up the ER-X as the VPN server while changing as little as possible on the existing network.
Is this possible? Can the ER-X act solely as a VPN server on an existing network?
Thanks in advance!
Re: Createing a QOS rule to lower priority
Since you're testing on download, the queue should be applied on LAN interface.
set interfaces ethernet eth1 traffic-policy out Limit_DBox
Since it's a download policy, you should filter on destination address, not source.
The sum of all bandwidth percentages should be 100% or less, so set the default bandwidth % to a lower value.
These commands will show what queues are built, and if traffic is hitting them:
sudo tc -s qdisc show dev <LAN-INTERFACE>
sudo tc -s class show dev <LAN-INTERFACE>
sudo tc -s filter show dev <LAN-INTERFACE>
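The reply above boils down to three checks on the poster's shaper: the class bandwidth percentages must total 100% or less, a download policy applied on the LAN interface's `out` direction should match on destination rather than source address, and the policy has to be attached to an interface at all. Added here as an example (not code from the thread or from EdgeOS) is a small parser for the brace-style `show configuration` text plus those three checks, run against a trimmed reconstruction of the poster's policy and against the same policy with the corrections applied. The masked address is replaced by the documentation address 192.0.2.10/32.

```python
"""Added example (not code from the thread): a line-oriented parser for
EdgeOS brace-style configuration plus the three checks from the QoS reply
above. Sample configs are constructed from the thread, trimmed to the
settings that matter here, with the masked address replaced by 192.0.2.10/32."""
import re

PCT_RE = re.compile(r'^(\d+(?:\.\d+)?)%$')


def parse_config(text):
    """Parse `show configuration` style text into nested dicts; a block
    header keeps all its words as the key, e.g. 'class 10'."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == '}':
            stack.pop()
        elif line.endswith('{'):                  # open a nested block
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:                                     # leaf: key value
            key, _, value = line.partition(' ')
            stack[-1][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError('unbalanced braces in configuration')
    return root


def bandwidth_percent_total(shaper):
    """Sum of the bandwidth percentages of `default` and every `class N`;
    None if any of them is an absolute rate rather than a percentage."""
    total = 0.0
    for key, body in shaper.items():
        if key == 'default' or key.startswith('class '):
            m = PCT_RE.match(str(body.get('bandwidth', '')))
            if not m:
                return None
            total += float(m.group(1))
    return total


def attached_out_interfaces(config, policy):
    """Names of interfaces that apply the policy in the `out` direction."""
    found = []
    for key, body in config.get('interfaces', {}).items():
        tp = body.get('traffic-policy', {}) if isinstance(body, dict) else {}
        if tp.get('out') == policy:
            found.append(key.split()[-1])         # 'ethernet eth1' -> 'eth1'
    return found


def lint_download_policy(config, policy):
    """Run the reply's three checks on one shaper; returns the findings."""
    shaper = config['traffic-policy']['shaper ' + policy]
    findings = []
    total = bandwidth_percent_total(shaper)
    if total is not None and total > 100:
        findings.append(f'bandwidth percentages total {total:g}%, must be 100% or less')
    for key, body in shaper.items():
        if not key.startswith('class '):
            continue
        for mkey, match in body.items():
            if not (mkey.startswith('match ') and isinstance(match, dict)):
                continue
            ip = match.get('ip', {})
            if 'source' in ip and 'destination' not in ip:
                findings.append(f'{key} {mkey} filters on source; a download policy should filter on destination')
    if not attached_out_interfaces(config, policy):
        findings.append(f'{policy} is not applied with `traffic-policy out` on any interface')
    return findings


# Constructed sample: the poster's policy, trimmed to the settings that matter here.
SAMPLE_ORIGINAL = """
traffic-policy {
    shaper Limit_DBox {
        bandwidth 35mbit
        class 10 {
            bandwidth 1%
            match ADDR {
                ip {
                    source {
                        address 192.0.2.10/32
                    }
                }
            }
        }
        default {
            bandwidth 100%
        }
    }
}
"""

# The same policy with the reply's corrections applied (constructed).
SAMPLE_FIXED = (SAMPLE_ORIGINAL.replace('source {', 'destination {')
                .replace('bandwidth 100%', 'bandwidth 99%')) + """
interfaces {
    ethernet eth1 {
        traffic-policy {
            out Limit_DBox
        }
    }
}
"""
```

Running `lint_download_policy(parse_config(SAMPLE_ORIGINAL), 'Limit_DBox')` reports all three problems the reply points out (101% total, source match, no interface); the fixed sample reports none. The parser is generic, so the same function reads the webproxy and VPN configs pasted elsewhere in this thread once they are laid out one statement per line.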
RADIUS Configuration Problem on edgerouter
I'm trying to set my local logins to be radius authenticated. I have a working freeradius 3 and freeradius 4 server linked to a mysql database and EAP+TLS optionally.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
I'm getting this error when trying to authenticate a user. Is there a vendor specific attribute I should be setting for this? I double checked the radius config from the CLI and its all how I think it should be with the correct IP, port and secret.
Re: Problem accessing website and servers from inside
Created those duplicate DNAT rules and changed the interface to eth0.
But the problem is still there; when I try to access the website I still end up on the router interface.
Re: Problems with PPTP and pop port 110
Please show your config.
Re: Problem accessing website and servers from inside
post your current config
Re: L2TP VPN - Multiple connections from same NAT'd location
Is there any information when this will work for windows users?
Re: Problem accessing website and servers from inside
Actually it works now! I was connected from a VPN when I tested before.
But when I got to the office all worked perfectly.
Many thanks for all help!
Re: Need help setting L2TP over IPSEC
Thank you very much
Re: overwhelmed to say the least
With the assumption that the Loadbalanced and Standalone WANs are separate (and pointing to separate LANs) I would have two sets of rules, if for nothing more than long-term sanity -- it's easier to troubleshoot when something goes sideways if you've got a focus point (i.e. the different ruleset names).
set 1 -> "WAN_IN" for the loadbalanced WAN. This can be applied to all WAN interfaces that're part of the loadbalancer.
set 2 -> "OTHERWAN_IN" for the standalone WAN connection.
But then again -- that's me. If you want to just toss everything into "WAN_IN" and call it a day ... it'll work too.