16again wrote: Post your ER config.
If the ES does the routing between all internal subnets, I'd simply use an untagged port in the correct VLAN on the ES, and you don't have to work with VLANs on the ER.
ubnt@ubnt:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length /56
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.142.0.1/16
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 10.153.0.1/16
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.149.0.0/16 {
                default-router 10.149.0.1
                dns-server 10.149.0.1
                lease 86400
                start 10.149.38.102 {
                    stop 10.149.243.51
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.143.0.0/16 {
                default-router 10.143.0.1
                dns-server 10.143.0.1
                lease 86400
                start 10.143.38.102 {
                    stop 10.143.243.51
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
ubnt@ubnt:~$
There is a discrepancy in the DHCP servers currently enabled on the EdgeRouter because I had to reconfigure the ports on the LAN to the ones reserved for the EdgeSwitch and the currently not placed Unifi Switch (I tend to call these service nets since they provide service and not much more). The EdgeRouter's LAN1 is set to 10.142.0.1/16, which is the same subnet as the EdgeSwitch's 0/7, which has the VLAN manually assigned 10.142.0.3/16 (untagged and everything needed so that the ES knows that for anything on 0.0.0.0 to use 10.142.0.3).
dpurgert wrote: The error is pretty simple - you're apparently telling the router that its nexthop for a given target is itself. You need to tell it the IP address of the next device (i.e. your switch, assuming the switch is routing for you too).
As I recall though, the ES cannot do routing for more than like 5 VLANs (it can handle several hundred different VLAN tags -- but it needs something else to do the routing if you need more than 5 VLANs). So you should really be having the ER do all the routing, and then just trunking it across to the switch ... or perhaps I'm misunderstanding your comment about "routing for the 24 locations".
I don't know why I do that so often; you are correct in that I was for some reason putting the router as the next hop when the switch needs to be the next device.
You are correct in your understanding that the switch is currently handling L3 for all 24 ports as each endpoint currently uses "dumb switches" except for 0/7 (VLAN 1121) which has the ER. Now with that said, only VLAN1121 (WAN Uplink), VLAN2000-VLAN2500 are active (+100 for each VLAN so that's technically 7; 1121 is 1 and 2000-2500 are 2-6 plus the default VLAN (VLAN0001) is active but not configured in any way).
As it stands, this is the route table from ER (just added after the config I copied):
Additional Note: Until I can get the ES and ER communicating with each other I removed the ER's connection to the internet and directly connected a Linksys EA9500 to the Arris Modem in case you all note that the ER has no internet connection.
Second Additional Note: It seems the EA9500 learns the route to the modem's configuration as described at http://arris.force.com/consumers/articles/General_FAQs/SB6183-GUI-Access but the ER cannot. I am guessing this is because the ER needs to be specifically told how to get to the address 192.168.100.1.
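As an added example (not code from the thread or from Ubiquiti), a small Python audit of an EdgeOS "show configuration" dump for the two problems discussed above: a DHCP pool whose default-router is not an address the ER actually holds (the discrepancy noted after the config), and a static route whose next-hop is the router itself instead of the switch (dpurgert's point). The sample config is constructed: eth1/eth2 and the LAN1 pool mirror the dump above, LAN2 is adjusted to match eth2 so one pool passes, and the two static routes are assumed.

```python
import ipaddress

# Constructed EdgeOS "show configuration" excerpt, one statement per line
# (the forum flattened the page's dump onto one line; this is the real layout).
SAMPLE = "\n".join([
    "interfaces {", "ethernet eth1 {", "address 10.142.0.1/16", "}",
    "ethernet eth2 {", "address 10.153.0.1/16", "}", "}",
    "protocols {", "static {", "route 10.160.0.0/16 {", "next-hop 10.142.0.1 {",
    "}", "}", "route 10.170.0.0/16 {", "next-hop 10.142.0.3 {", "}", "}", "}", "}",
    "service {", "dhcp-server {", "shared-network-name LAN1 {",
    "subnet 10.149.0.0/16 {", "default-router 10.149.0.1", "}", "}",
    "shared-network-name LAN2 {", "subnet 10.153.0.0/16 {",
    "default-router 10.153.0.1", "}", "}", "}", "}",
])

def parse(text):  # yield (path, value); block headers carry value None
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
            yield tuple(stack), None
        else:
            key, _, value = line.partition(" ")
            yield tuple(stack) + (key,), value

def _ip(text):  # address or prefix, or None for words such as "dhcp"
    try:
        return ipaddress.ip_interface(text)
    except ValueError:
        return None

def audit(text):
    """Flag DHCP gateways that are not ER addresses and bad static next-hops."""
    entries = list(parse(text))
    local = [a for p, v in entries
             if p[0] == "interfaces" and p[-1] == "address" and (a := _ip(v))]
    findings = []
    for p, v in entries:
        if p[:2] == ("service", "dhcp-server") and p[-1] == "default-router":
            gw = _ip(v)
            if gw and all(gw.ip != a.ip for a in local):
                findings.append(f"{p[2]}: default-router {v} is not an ER address")
        elif p[:2] == ("protocols", "static") and len(p) == 4 and p[3].startswith("next-hop "):
            nh = _ip(p[3].split()[1])
            if nh and any(nh.ip == a.ip for a in local):
                findings.append(f"{p[2]}: next-hop {nh.ip} is the router itself")
            elif nh and all(nh.ip not in a.network for a in local):
                findings.append(f"{p[2]}: next-hop {nh.ip} is not on a connected subnet")
    return findings
```

Paste the real dump in place of SAMPLE (one statement per line, as the CLI prints it) and `audit()` reports the pools the ER can never serve and the routes it would refuse to install.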