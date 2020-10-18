The ER-X setup is:
eth0 WAN
eth1 Main network, distributed via unmanaged switches and Cat 6 cabling
eth2 Recovery interface with static IP 172.16.1.1, to recover from accidental lock-outs
eth3 Spare
eth4 UAP AC Lite with VLAN ID 3 for IoT and 4 for security cameras
The problems I'm experiencing are:
1. I am unable to statically map an IP address on the ER-X to VLAN ID 3 (192.168.30.1/24) or VLAN ID 4 (192.168.40.1/24)
2. as soon as VLANs are enabled, the UAP AC Lite on eth4 loses its IP address (for both dynamic and static addressing), and EdgeOS alerts that IP addressing is not possible on switched ports
Otherwise the system is working fine, i.e. the internet connection is stable and eth0, eth1 and eth2 work as expected.
One thing I could well have got wrong when configuring the firewall was denying traffic from VLAN 3 and VLAN 4 to the main network while still allowing internet access: for that I set the Destination Address to the router, 192.168.10.1, and the Destination Port to 443 (https / accept / TCP). Are these settings correct?
Attached is the current config.boot; I have been using this UI advisory article as my guide: https://help.ui.com/hc/en-us/articles/115012700976
I'm getting to the limits of my understanding on this, so any help would be very much appreciated.
Thanks & regards,
Updates:
UI advisory correct URL: https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch
Config.boot (which I could not upload, for some reason):
/* Firewall rulesets. Each set is attached to an interface under "interfaces": */
/* WAN_IN / WAN_LOCAL and WANv6_IN / WANv6_LOCAL on eth0, IoTNet-* on switch0 vif 3, */
/* CamerasNet-* on switch0 vif 4. "-in" sets filter traffic forwarded through the */
/* router, "-local" sets filter traffic addressed to the router itself. */
firewall {
all-ping enable
broadcast-ping disable
/* IPv6 forwarded traffic from the WAN: accept established/related, drop invalid, */
/* log and drop everything else. */
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* IPv6 traffic from the WAN to the router itself: as above, plus ICMPv6 and */
/* DHCPv6 replies (server port 547 -> client port 546). */
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Cameras VLAN (switch0 vif 4, 192.168.40.0/24) -> forwarded traffic. The default */
/* action is accept, so internet egress is already allowed without rule 1. */
name CamerasNet-in {
default-action accept
description ""
/* NOTE(review): 192.168.10.1 is switch0's own address and 443 is the GUI https-port, */
/* so this rule permits cameras to reach the router's web UI, not "the internet". */
rule 1 {
action accept
description https
destination {
address 192.168.10.1
port 443
}
log disable
protocol tcp
}
/* NOTE(review): no established/related accept precedes this drop, so replies from */
/* cameras to sessions opened from 192.168.10.0/24 (e.g. the unifi-controller at */
/* 192.168.10.90) are dropped as well - confirm whether main-net -> camera access is wanted. */
/* Only TCP is dropped here; the IoTNet-in counterpart uses "protocol all". */
rule 2 {
action drop
description other
destination {
address 192.168.10.1/24
}
log disable
protocol tcp
}
}
/* Cameras VLAN -> router itself. Default drop with no rules; the DHCP scope for */
/* 192.168.40.0/24 and the DNS forwarder listening on switch0.4 are router-local */
/* services, so client DHCP/DNS requests are likely blocked here - TODO confirm. */
name CamerasNet-local {
default-action drop
description ""
}
/* IoT VLAN (switch0 vif 3, 192.168.30.0/24) -> forwarded traffic. Same structure */
/* and the same NOTE(review) points as CamerasNet-in. */
name IoTNet-in {
default-action accept
description ""
/* NOTE(review): allows IoT devices to reach the router's web UI on 192.168.10.1:443. */
rule 1 {
action accept
description https
destination {
address 192.168.10.1
port 443
}
log disable
protocol tcp
}
/* Drops all protocols to 192.168.10.0/24, including replies to sessions opened */
/* from the main net. The description reads "0ther" (zero) - presumably "other". */
rule 2 {
action drop
description 0ther
destination {
address 192.168.10.1/24
}
log disable
protocol all
}
}
/* IoT VLAN -> router itself. Default drop with no rules; see CamerasNet-local. */
name IoTNet-local {
default-action drop
description ""
}
/* IPv4 forwarded traffic from the WAN: only established/related is accepted. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* IPv4 traffic from the WAN to the router itself (covers GUI 80/443 and SSH 22 */
/* under "service"): only established/related is accepted. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
mss-clamp {
interface-type all
mss 1452
}
}
receive-redirects disable
/* NOTE(review): ICMP redirects are sent and reverse-path source validation is */
/* off; both are hardening options worth revisiting if not deliberately chosen. */
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
/* WAN. Static private address; with system gateway-address 192.168.1.254 the */
/* ER-X presumably sits behind another router (double NAT) - confirm. */
ethernet eth0 {
address 192.168.1.20/24
description Internet
duplex auto
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
speed auto
}
/* Member of switch0 (see switch-port below); carries no L3 address of its own. */
ethernet eth1 {
description "Main Net"
duplex auto
speed auto
}
/* Out-of-band recovery address. No firewall ruleset is attached here. */
ethernet eth2 {
address 172.16.1.1/24
description "Recovery Interface"
duplex auto
speed auto
}
/* Also a switch0 member (described as spare in the post). */
ethernet eth3 {
description Local
duplex auto
speed auto
}
/* Feeds the UAP AC Lite with PoE passthrough. eth4 is a switch0 member, so its */
/* IP addressing comes from switch0 and its vifs, not from eth4 itself - this */
/* appears to match the EdgeOS "switched ports" alert described in the post. */
ethernet eth4 {
description "Ubiquiti UAP AC Lite"
duplex auto
poe {
output pthru
}
speed auto
}
loopback lo {
}
/* Main network. Untagged (pvid 1) traffic on eth4 lands here, so the UAP's */
/* management address is expected in 192.168.10.0/24. VLANs 3 and 4 are */
/* tagged on eth4 only. */
switch switch0 {
address 192.168.10.1/24
description "Main Net - Switch"
mtu 1500
switch-port {
interface eth1 {
}
interface eth3 {
}
interface eth4 {
vlan {
pvid 1
vid 3
vid 4
}
}
vlan-aware enable
}
/* IoT VLAN; rulesets IoTNet-in / IoTNet-local are defined under "firewall". */
vif 3 {
address 192.168.30.1/24
description "IoT Net"
firewall {
in {
name IoTNet-in
}
local {
name IoTNet-local
}
}
mtu 1500
}
/* Cameras VLAN; rulesets CamerasNet-in / CamerasNet-local are defined under "firewall". */
vif 4 {
address 192.168.40.1/24
description "Cameras Net"
firewall {
in {
name CamerasNet-in
}
local {
name CamerasNet-local
}
}
mtu 1500
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
/* Cameras VLAN scope. Clients are handed the ISP and Google resolvers directly, */
/* so the router's DNS forwarder on switch0.4 is not used by them. */
shared-network-name CamerasNetDHCP {
authoritative enable
subnet 192.168.40.0/24 {
default-router 192.168.40.1
dns-server 122.56.237.1
dns-server 8.8.8.8
domain-name CamerasNet
lease 86400
start 192.168.40.100 {
stop 192.168.40.250
}
/* NOTE(review): points into 192.168.10.0/24, which CamerasNet-in rule 2 drops */
/* TCP to, so devices in this VLAN cannot reach the controller. */
unifi-controller 192.168.10.90
}
}
/* IoT VLAN scope; same resolver and unifi-controller remarks as CamerasNetDHCP */
/* (IoTNet-in rule 2 drops all protocols to 192.168.10.0/24). */
shared-network-name IoTNetDHCP {
authoritative enable
subnet 192.168.30.0/24 {
default-router 192.168.30.1
dns-server 122.56.237.1
dns-server 8.8.8.8
domain-name IoTNet
lease 86400
start 192.168.30.100 {
stop 192.168.30.250
}
unifi-controller 192.168.10.90
}
}
/* NOTE(review): 192.168.1.0/24 is eth0's (WAN) subnet, not a LAN interface, and */
/* its default-router 192.168.1.1 differs from the system gateway 192.168.1.254. */
/* This looks like a leftover default scope - confirm and remove if unused. */
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.38 {
stop 192.168.1.243
}
}
}
/* Main network scope on switch0. */
shared-network-name LAN-2 {
authoritative enable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 122.56.237.1
dns-server 8.8.8.8
domain-name MainNet
lease 86400
start 192.168.10.100 {
stop 192.168.10.250
}
unifi-controller 192.168.10.90
}
}
static-arp disable
use-dnsmasq disable
}
/* DNS forwarder listens on all three LAN interfaces, but no DHCP scope hands */
/* it out as a resolver, so clients bypass it. */
dns {
forwarding {
cache-size 150
listen-on switch0
listen-on switch0.3
listen-on switch0.4
}
}
/* Management UI on 80/443. older-ciphers enable permits legacy TLS cipher suites; */
/* WAN_LOCAL keeps this off the WAN, but IoTNet-in / CamerasNet-in rule 1 allow */
/* 443 to it from the VLANs. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
/* Source NAT for all traffic leaving eth0. */
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
/* SSH on all interfaces; from the WAN it is subject to WAN_LOCAL's default drop. */
ssh {
port 22
protocol-version v2
}
}
system {
/* Upstream gateway on the eth0 subnet. */
gateway-address 192.168.1.254
/* Default hostname and default "ubnt" admin user name are still in use */
/* (password hash redacted in the post). */
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password xxxxxxxxx
}
level admin
}
}
/* Resolver used by the router itself (and by the DNS forwarder under "service"). */
name-server 122.56.237.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
ipsec enable
}
/* Everything at notice, routing protocols at debug. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1028 */