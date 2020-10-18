The ER-X set up is:

eth0 WAN

eth1 Main network reticulated via un-managed switches and cat 6

eth2 Recovery interface set to static IP 172.16.1.1 to deal with inadvertent lock-outs

eth3 Spare

eth4 UAP AC Lite with VLAN ID 3 for IoT and 4 for security cameras

The problems I'm experiencing are:

1. unable to static map an IP address on the ER-X to VLAN ID 3 on 192.168.30.1/24 or VLAN ID 4 on 192.168.40.1/24

2. the UAP AC Lite IP address on eth4 is killed-off for dynamic or static IP addressing as soon as VLANs are enabled with Edge OS alerts saying that IP addressing not possible on switched ports

Otherwise the system is working fine i.e. stable internet connection and eth 0, 1 & 2 working fine.

One thing that I could well have got wrong when configuring the firewall settings was the denial of traffic from VLAN3 & 4 to the main network with the exception of internet access - for which I set the Destination Address as the router 192.168.10.1 and Destination Port 443 when setting https / accept / TCP....are these settings correct?

Attached are the current config.boot and I've been using this UI advisory article as my guide:https://help.ui.com/hc/en-us/articles/115012700976

I'm getting to the limits of my understanding on this, so any help would be really very much appreciated

Thanks & regards,

Updates:

UI advisory correct URL: https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch

Config.boot (which I couldn't upload for some reason)

firewall {

all-ping enable

broadcast-ping disable

ipv6-name WANv6_IN {

default-action drop

description "WAN inbound traffic forwarded to LAN"

enable-default-log

rule 10 {

action accept

description "Allow established/related sessions"

state {

established enable

related enable

}

}

rule 20 {

action drop

description "Drop invalid state"

state {

invalid enable

}

}

}

ipv6-name WANv6_LOCAL {

default-action drop

description "WAN inbound traffic to the router"

enable-default-log

rule 10 {

action accept

description "Allow established/related sessions"

state {

established enable

related enable

}

}

rule 20 {

action drop

description "Drop invalid state"

state {

invalid enable

}

}

rule 30 {

action accept

description "Allow IPv6 icmp"

protocol ipv6-icmp

}

rule 40 {

action accept

description "allow dhcpv6"

destination {

port 546

}

protocol udp

source {

port 547

}

}

}

ipv6-receive-redirects disable

ipv6-src-route disable

ip-src-route disable

log-martians enable

name CamerasNet-in {

default-action accept

description ""

rule 1 {

action accept

description https

destination {

address 192.168.10.1

port 443

}

log disable

protocol tcp

}

rule 2 {

action drop

description other

destination {

address 192.168.10.1/24

}

log disable

protocol tcp

}

}

name CamerasNet-local {

default-action drop

description ""

}

name IoTNet-in {

default-action accept

description ""

rule 1 {

action accept

description https

destination {

address 192.168.10.1

port 443

}

log disable

protocol tcp

}

rule 2 {

action drop

description 0ther

destination {

address 192.168.10.1/24

}

log disable

protocol all

}

}

name IoTNet-local {

default-action drop

description ""

}

name WAN_IN {

default-action drop

description "WAN to internal"

rule 10 {

action accept

description "Allow established/related"

state {

established enable

related enable

}

}

rule 20 {

action drop

description "Drop invalid state"

state {

invalid enable

}

}

}

name WAN_LOCAL {

default-action drop

description "WAN to router"

rule 10 {

action accept

description "Allow established/related"

state {

established enable

related enable

}

}

rule 20 {

action drop

description "Drop invalid state"

state {

invalid enable

}

}

}

options {

mss-clamp {

interface-type all

mss 1452

}

}

receive-redirects disable

send-redirects enable

source-validation disable

syn-cookies enable

}

interfaces {

ethernet eth0 {

address 192.168.1.20/24

description Internet

duplex auto

firewall {

in {

ipv6-name WANv6_IN

name WAN_IN

}

local {

ipv6-name WANv6_LOCAL

name WAN_LOCAL

}

}

speed auto

}

ethernet eth1 {

description "Main Net"

duplex auto

speed auto

}

ethernet eth2 {

address 172.16.1.1/24

description "Recovery Interface"

duplex auto

speed auto

}

ethernet eth3 {

description Local

duplex auto

speed auto

}

ethernet eth4 {

description "Ubiquiti UAP AC Lite"

duplex auto

poe {

output pthru

}

speed auto

}

loopback lo {

}

switch switch0 {

address 192.168.10.1/24

description "Main Net - Switch"

mtu 1500

switch-port {

interface eth1 {

}

interface eth3 {

}

interface eth4 {

vlan {

pvid 1

vid 3

vid 4

}

}

vlan-aware enable

}

vif 3 {

address 192.168.30.1/24

description "IoT Net"

firewall {

in {

name IoTNet-in

}

local {

name IoTNet-local

}

}

mtu 1500

}

vif 4 {

address 192.168.40.1/24

description "Cameras Net"

firewall {

in {

name CamerasNet-in

}

local {

name CamerasNet-local

}

}

mtu 1500

}

}

}

service {

dhcp-server {

disabled false

hostfile-update disable

shared-network-name CamerasNetDHCP {

authoritative enable

subnet 192.168.40.0/24 {

default-router 192.168.40.1

dns-server 122.56.237.1

dns-server 8.8.8.8

domain-name CamerasNet

lease 86400

start 192.168.40.100 {

stop 192.168.40.250

}

unifi-controller 192.168.10.90

}

}

shared-network-name IoTNetDHCP {

authoritative enable

subnet 192.168.30.0/24 {

default-router 192.168.30.1

dns-server 122.56.237.1

dns-server 8.8.8.8

domain-name IoTNet

lease 86400

start 192.168.30.100 {

stop 192.168.30.250

}

unifi-controller 192.168.10.90

}

}

shared-network-name LAN {

authoritative enable

subnet 192.168.1.0/24 {

default-router 192.168.1.1

dns-server 192.168.1.1

lease 86400

start 192.168.1.38 {

stop 192.168.1.243

}

}

}

shared-network-name LAN-2 {

authoritative enable

subnet 192.168.10.0/24 {

default-router 192.168.10.1

dns-server 122.56.237.1

dns-server 8.8.8.8

domain-name MainNet

lease 86400

start 192.168.10.100 {

stop 192.168.10.250

}

unifi-controller 192.168.10.90

}

}

static-arp disable

use-dnsmasq disable

}

dns {

forwarding {

cache-size 150

listen-on switch0

listen-on switch0.3

listen-on switch0.4

}

}

gui {

http-port 80

https-port 443

older-ciphers enable

}

nat {

rule 5010 {

description "masquerade for WAN"

outbound-interface eth0

type masquerade

}

}

ssh {

port 22

protocol-version v2

}

}

system {

gateway-address 192.168.1.254

host-name ubnt

login {

user ubnt {

authentication {

encrypted-password xxxxxxxxx

}

level admin

}

}

name-server 122.56.237.1

ntp {

server 0.ubnt.pool.ntp.org {

}

server 1.ubnt.pool.ntp.org {

}

server 2.ubnt.pool.ntp.org {

}

server 3.ubnt.pool.ntp.org {

}

}

offload {

hwnat enable

ipsec enable

}

syslog {

global {

facility all {

level notice

}

facility protocols {

level debug

}

}

}

time-zone UTC

}





/* Warning: Do not remove the following line. */

/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */

/* Release version: v1.10.11.5274269.200221.1028 */

