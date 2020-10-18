The ER-X setup is:

 

   eth0   WAN

 

   eth1  Main network, reticulated via unmanaged switches and Cat 6

 

   eth2  Recovery interface set to static IP 172.16.1.1 to deal with inadvertent lock-outs

 

   eth3  Spare

 

   eth4  UAP AC Lite with VLAN ID 3 for IoT and 4 for security cameras

 

The problems I'm experiencing are:

 

  1. unable to statically map an IP address on the ER-X to VLAN ID 3 on 192.168.30.1/24 or VLAN ID 4 on 192.168.40.1/24

 

  2. the UAP AC Lite IP address on eth4 is lost, for both dynamic and static IP addressing, as soon as VLANs are enabled, with EdgeOS alerts saying that IP addressing is not possible on switched ports

 

Otherwise the system is working fine, i.e. a stable internet connection, and eth0, eth1 and eth2 are working fine.

 

One thing that I could well have got wrong when configuring the firewall settings was the denial of traffic from VLAN 3 and 4 to the main network, with the exception of internet access - for which I set the Destination Address as the router 192.168.10.1 and Destination Port 443 when setting https / accept / TCP. Are these settings correct?

 

Attached is the current config.boot, and I've been using this UI advisory article as my guide: https://help.ui.com/hc/en-us/articles/115012700976

 

I'm getting to the limits of my understanding on this, so any help would be really very much appreciated.

 

 

 

Thanks & regards,

 

 

 

Updates:

 

 

 

UI advisory correct URL: https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch

 

Config.boot (which I couldn't upload for some reason)

 

 

 

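firewall {
    all-ping enable
    broadcast-ping disable
    /* IPv6 counterpart of WAN_IN: forwarded traffic from the internet is limited to replies of sessions opened from inside. */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv6 counterpart of WAN_LOCAL: only replies, ICMPv6 and DHCPv6 (server 547 -> client 546) may reach the router from eth0. */
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Applied as "in" on switch0 vif 4 (Cameras Net): filters traffic from VLAN 4 that is forwarded THROUGH the router. Traffic addressed to the router itself is evaluated by CamerasNet-local instead. */
    name CamerasNet-in {
        default-action accept
        description ""
        /* NOTE(review): internet-bound traffic from the cameras is not addressed to 192.168.10.1, so this rule does not govern internet access - forwarded traffic to the WAN is already allowed by default-action accept. */
        /* NOTE(review): packets whose destination is the router's own address go through the "local" ruleset, so this rule is expected to match nothing; it is harmless to keep. */
        rule 1 {
            action accept
            description https
            destination {
                address 192.168.10.1
                port 443
            }
            log disable
            protocol tcp
        }
        /* Drops forwarded traffic from VLAN 4 to the main network (192.168.10.1/24 is evaluated as the 192.168.10.0/24 network). */
        /* Changed from "protocol tcp" to "protocol all" to match IoTNet-in rule 2: with tcp only, UDP and ICMP from the camera VLAN still reached the main network. */
        /* NOTE(review): only 192.168.10.0/24 is blocked. Traffic from this VLAN to VLAN 3 (192.168.30.0/24), to the recovery net 172.16.1.0/24 on eth2 and to the 192.168.1.0/24 net on eth0 is accepted by the default action; add drop rules for those destinations if the intent is "internet only". */
        rule 2 {
            action drop
            description other
            destination {
                address 192.168.10.1/24
            }
            log disable
            protocol all
        }
    }
    /* Applied as "local" on switch0 vif 4: no accept rules, so everything VLAN 4 clients send to the router itself is dropped. */
    /* NOTE(review): this also drops DNS (53) to the forwarder listening on switch0.4 and DHCP (67) renewals/requests to the router. Add accept rules for udp/tcp 53 and udp 67 if the router is meant to serve this VLAN; ISC dhcpd may still answer broadcast discovers via raw sockets - verify with a client. */
    name CamerasNet-local {
        default-action drop
        description ""
    }
    /* Applied as "in" on switch0 vif 3 (IoT Net): same structure as CamerasNet-in; the notes there apply here too. */
    name IoTNet-in {
        default-action accept
        description ""
        /* NOTE(review): as with CamerasNet-in rule 1, this does not control internet access and is expected to match nothing for forwarded traffic. */
        rule 1 {
            action accept
            description https
            destination {
                address 192.168.10.1
                port 443
            }
            log disable
            protocol tcp
        }
        /* Drops all forwarded traffic from VLAN 3 to the main network 192.168.10.0/24; other destinations (VLAN 4, 172.16.1.0/24, 192.168.1.0/24) remain accepted. */
        rule 2 {
            action drop
            description 0ther
            destination {
                address 192.168.10.1/24
            }
            log disable
            protocol all
        }
    }
    /* Applied as "local" on switch0 vif 3: drops everything VLAN 3 clients send to the router itself, including DNS to the switch0.3 forwarder listener and DHCP unicast traffic (see CamerasNet-local). */
    name IoTNet-local {
        default-action drop
        description ""
    }
    /* Forwarded IPv4 traffic arriving on eth0: only replies to sessions opened from inside. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv4 traffic from eth0 to the router itself: default drop, so GUI (80/443) and SSH (22) are not reachable from the WAN side. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Clamps TCP MSS to 1452 on all interfaces (1492 - 40, a PPPoE-sized value) - TODO confirm the upstream path actually needs it, eth0 is plain Ethernet here. */
    options {
        mss-clamp {
            interface-type all
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path (source) validation is off; "loose" or "strict" would drop packets whose source address could not have arrived on that interface. */
    source-validation disable
    syn-cookies enable
}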
interfaces {
    /* WAN: static 192.168.1.20/24 on the upstream router's LAN (system gateway-address 192.168.1.254); with NAT rule 5010 this presumably means double NAT - confirm the upstream device. */
    /* Both IPv4 and IPv6 "in"/"local" rulesets are attached here; this is the only interface with a firewall assignment. */
    ethernet eth0 {
        address 192.168.1.20/24
        description Internet
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* No address here: eth1 is a switch0 member and carries switch0's 192.168.10.1/24. */
    ethernet eth1 {
        description "Main Net"
        duplex auto
        speed auto
    }
    /* Out-of-band recovery path: addressed directly and with no firewall assignment, so anything plugged into eth2 reaches the router unfiltered - keep the port physically controlled. */
    ethernet eth2 {
        address 172.16.1.1/24
        description "Recovery Interface"
        duplex auto
        speed auto
    }
    /* Spare; also a switch0 member (untagged main net). */
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    /* Uplink to the UAP AC Lite with PoE passthrough. eth4 is a switch0 member, so it cannot carry an IP of its own (this is the "IP addressing not possible on switched ports" alert); the AP's untagged management traffic lands on switch0's 192.168.10.0/24 via pvid 1 - confirm the AP appears in the LAN-2 DHCP scope. */
    ethernet eth4 {
        description "Ubiquiti UAP AC Lite"
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    /* VLAN-aware switch: untagged main net 192.168.10.1/24, with vif 3/4 below as the router's addresses on the tagged VLANs. switch0 itself has no firewall assignment, so main-net hosts reach the router unfiltered. */
    switch switch0 {
        address 192.168.10.1/24
        description "Main Net - Switch"
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth3 {
            }
            /* Trunk to the AP: untagged frames map to VLAN 1 (pvid), VLANs 3 (IoT) and 4 (cameras) are tagged. */
            interface eth4 {
                vlan {
                    pvid 1
                    vid 3
                    vid 4
                }
            }
            vlan-aware enable
        }
        /* Router address on VLAN 3 (IoT). Forwarded traffic is filtered by IoTNet-in, traffic to the router by IoTNet-local. */
        vif 3 {
            address 192.168.30.1/24
            description "IoT Net"
            firewall {
                in {
                    name IoTNet-in
                }
                local {
                    name IoTNet-local
                }
            }
            mtu 1500
        }
        /* Router address on VLAN 4 (cameras). Forwarded traffic is filtered by CamerasNet-in, traffic to the router by CamerasNet-local. */
        vif 4 {
            address 192.168.40.1/24
            description "Cameras Net"
            firewall {
                in {
                    name CamerasNet-in
                }
                local {
                    name CamerasNet-local
                }
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* DHCP scope for VLAN 4 (switch0 vif 4). No static-mapping entries are present; a fixed address is a "static-mapping <name>" node (ip-address + mac-address) inside this subnet block - TODO confirm that is the mapping that was attempted. */
        shared-network-name CamerasNetDHCP {
            authoritative enable
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                /* Clients resolve via external resolvers directly, not via the router's forwarder. */
                dns-server 122.56.237.1
                dns-server 8.8.8.8
                domain-name CamerasNet
                lease 86400
                start 192.168.40.100 {
                    stop 192.168.40.250
                }
                /* DHCP option 43: tells UniFi devices on this VLAN where the controller is (on the main net). */
                unifi-controller 192.168.10.90
            }
        }
        /* DHCP scope for VLAN 3 (switch0 vif 3); same notes as CamerasNetDHCP. */
        shared-network-name IoTNetDHCP {
            authoritative enable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 122.56.237.1
                dns-server 8.8.8.8
                domain-name IoTNet
                lease 86400
                start 192.168.30.100 {
                    stop 192.168.30.250
                }
                unifi-controller 192.168.10.90
            }
        }
        /* NOTE(review): 192.168.1.0/24 is the network on eth0 (WAN), and 192.168.1.1 is not an address of this router. This scope looks like a leftover from the factory default and would make the ER-X answer DHCP on the WAN side alongside the upstream router - consider deleting it. */
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        /* DHCP scope for the untagged main net on switch0; the AP on eth4 (pvid 1) should get its address from here. */
        shared-network-name LAN-2 {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 122.56.237.1
                dns-server 8.8.8.8
                domain-name MainNet
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.250
                }
                unifi-controller 192.168.10.90
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* DNS forwarder on the main net and both VLAN interfaces. The VLAN scopes hand out external resolvers and the IoTNet-local / CamerasNet-local rulesets drop port 53, so the switch0.3 / switch0.4 listeners are currently unreachable from VLAN clients. */
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on switch0.3
            listen-on switch0.4
        }
    }
    /* Web UI on 80/443. older-ciphers enable re-enables legacy TLS cipher suites; disable it unless an old browser genuinely needs them. */
    /* Reachable unfiltered from switch0 (main net) and eth2; WAN_LOCAL drops it from eth0. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Source NAT for everything leaving eth0. */
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    /* SSH on the default port; exposure follows the same interface rules as the GUI (dropped from eth0 by WAN_LOCAL, open from switch0 and eth2). */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    /* Upstream router on the eth0 network (192.168.1.0/24). */
    gateway-address 192.168.1.254
    host-name ubnt
    /* Single admin-level account using the factory default username "ubnt"; the password hash was redacted in the post. A non-default username reduces credential-guessing noise on the management services. */
    login {
        user ubnt {
            authentication {
                encrypted-password xxxxxxxxx
            }
            level admin
        }
    }
    /* Resolver used by the router itself and by its DNS forwarder. */
    name-server 122.56.237.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Hardware offload for NAT/forwarding and IPsec on the ER-X. */
    offload {
        hwnat enable
        ipsec enable
    }
    /* Local syslog only: notice for everything, debug for routing protocols (verbose; presumably left over from troubleshooting). */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1028 */
 