Ubiquiti Edgerouter Tutorial

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Ubiquiti Edgerouter Tutorial

1 | ... | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | ... | 57

4800 posts

Uber Geek
+1 received by user: 3660

#2034738 13-Jun-2018 02:08

Alpha s/w on a productive system?

There's no reason (except for tests in a related environment) to use anything else for a productive system earlier than (bold): pre-Alpha → Alpha → Beta → Release Candidate → Release.

Qui nihil scit, omnia credere debet.
Firewalls do NOT stop dragons.
In effect we have everything to hide from someone, and no idea who someone is.

GeekRay

134 posts

Master Geek
+1 received by user: 12

Trusted

#2039135 17-Jun-2018 15:12

After upgraded to the latest firmware, V1.10.3, I tried to connect through both eth1 and eth2 ports (Fibre comes into eth0). It works through eth1 but not eth2. Configuration is as the pic below.

Yes, I did change my IP address accordingly when switching to different subnet. What could be the problem? Thanks

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2039143 17-Jun-2018 15:44

@GeekRay Have you got a DHCP server listening on the 192.168.2.1/24 range?

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

GeekRay

134 posts

Master Geek
+1 received by user: 12

Trusted

#2039218 17-Jun-2018 19:28

Bang on, Michael. I changed the IP range for 2nd subnet without updating associated DHCP sever.

Thanks for the advice and it's working now.

By the way, is that possible for Plex client app to access Plex serve on different subnet? I did a bit research online but couldn't find much info (not a common case I reckon)

GeekRay

134 posts

Master Geek
+1 received by user: 12

Trusted

#2039221 17-Jun-2018 19:35

Also, regarding hardware offloading, I have three "enabled" under ipv4 but it says "disabled" under "system". Does it mean there is something I need to do there?

System level:

IPv4

Thanks heaps.

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2039310 17-Jun-2018 23:13

@GeekRay For Plex it "just works" - it'll detect your Plex server as nearby assuming it is not firewalled off. It is not wise to use the 2nd port of the Edgerouter to extend your network unless if you were wanting to create a guest network or something.

For the likes of hardware offloading it is best to do it in the CLI - "show ubnt offload" to get a proper answer. Don't set it in both places as this is often a double-up caused by Ubiquiti using the same software across all their routers.

Dyson

Shop now for Dyson appliances (affiliate link).

freakngeek

356 posts

Ultimate Geek
+1 received by user: 123

#2040784 19-Jun-2018 22:20

EdgeMAX EdgeRouter software hotfix version v1.10.4 has been released! [ New ] Options 19 hours ago

New firmware release 1.10.4 is available here:

ER-X, ER-X-SFP, and EP-R6: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e50.v1.10.4.5096013.tar
(SHA256:e6e7b2cd78c7783b6a4a401b59de71be204bb75308620f3e0bcc98b69a9b766f)
ERLite-3 and ERPoe-5: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e100.v1.10.4.5095949.tar
(SHA256:d8b5fb424f86ea2b476251f88cf8b5abebea745f2f26216eeb3d08627ff8f892)

ER-8, ERPro-8, and EP-R8: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e200.v1.10.4.5095956.tar
(SHA256:719f80273fc8be8364a6bb3e54e5629bf0d4df3ba63358c47084b607cbcd6e0b)

ER-4, ER-6P and ER-12: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e300.v1.10.4.5095961.tar
(SHA256:5824363ac9704e2aeb66419f2865eed441237354e4bd06c8e28b4ade9e504037)

ER-8-XG: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e1000.v1.10.4.5095951.tar
(SHA256:c700369b9105e6286af2e80317feeb90c9dfe95d03a4015536825893d9f168fa)

!!! IMPORTANT NOTICE for ER-12 users !!!

ER-12 supports only 1.10.4 and 2.0.0-alpha.1 firmwares.

Do not downgrade ER-12 to any older firmware as this will brick ER-12 for good. Firmware compatibility check for ER-12 will be added in upcoming 1.10.5 and 2.0.0-alpha.2 firmwares

Note: The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

[Release Notes v1.10.4]

Changelog

Changes since v1.10.3

New features:

Offloading - Added CLI commands to resize flow table on Octeon-based routes. Discussed hereset system offload ipv4 table-size 65536Prior to 1.10.4 firmware, table-size was hardcoded to 8192 for all platforms. Default table size of 8192 buckets was ok for ER-lite (that has 512Mb of RAM) but totally not ok for ER-Infinity (that has 16GB of RAM). Now admins can tune offload ipv4 table-size to improve forwarding performance.General recommendation is following - if you see that coutner ipv4_create_flow_not_found_replaced_non_expired is constantly growing then it means that table-size is too small for your traffic profile and you are advised to increase it past default 8192 value:
$ show ubnt offload statistics |grep replaced_non_expired ipv4_create_flow_not_found_replaced_non_expired 357345 <------------ !!!! ipv6_create_flow_not_found_replaced_non_expired 0Right now the only limitation for table-size is that it should be power of 2 (8192, 16384, 32768, 65536...)

Enhancements and bug fixes:

PoE - Keep POE status during reset for ER-X-SFP/EP-R6/EP-R8/ER-12 devices
DHCP - Fixed DHCPv6 failure with VIF-0 interface. Discussed here
SSH - Disable weak ARCFOUR ciphers
SSH - Disable SSH port forwarding for operator user
Interface - Fixed bug when SFP interface link was down after upgrade on ER-X-SFP
BGP - Fixed bug when commit failed when setting inactive BGP peer. Discussed here
DNS - Upgraded Dynamic DNS client to support cloudflare API v4. Discussed here
Interface - Fixed random bug when interface stopped passing traffic after changing speed/duplex
Interface - Fixed bug when eth0 speed/duplex could not be changed on ER-Infinity
System - Fixed bug when processes randomly crashed with SIGBUG on ER-X
System - Fixed bug when PoE status was not reset when doing "factory-reset"
System - Fixed bug when "ubnt-util" crashes with SIGFPE if smart-queue rate was less than 1kbps. Discussed here

Updated software components:

none

Known issues:

Bug with corrupted downloads via PPPoE interface is not fixed for ER-8-XG (it is fixed on all other ER models). Workaround - disable PPPoE offloading on ER-8-XG:configure set system offload ipv4 pppoe disable
set system offload ipv6 pppoe disable commit sa

NOTE: We will publish this 1.10.4 firmware in main EdgeMAX forum, download site and UNMS on Monday June 25th 2018

freakngeek

356 posts

Ultimate Geek
+1 received by user: 123

#2045832 29-Jun-2018 07:24

New firmware release 1.10.5 is available here:

ER-X, ER-X-SFP, and EP-R6: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e50.v1.10.5.5098943.tar
(SHA256:9451ffa55f5c15704f11911f100c0f499090365201d56ee65bec1a7b7f369231)
ERLite-3 and ERPoe-5: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e100.v1.10.5.5098915.tar
(SHA256:afed53916429e55cae0e4563ea64a2b0e811517a3a37d66c52565d36a9217870)

ER-8, ERPro-8, and EP-R8: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e200.v1.10.5.5098915.tar
(SHA256:4bf95525ce7abb76874aad732f0e19138457d7b52627609396a07cef5a7db53d)

ER-4, ER-6P and ER-12: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e300.v1.10.5.5098942.tar
(SHA256:cba6e1f776a524a7d56d3366e477bfc14e6589a9553c5552038f9cdce3144563)

ER-8-XG: https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e1000.v1.10.5.5098915.tar
(SHA256:9675be5d66c531beed8ee5ad0cab9bcd2e8ebe799d7832e8e5b9b363accfa339)

[Release Notes v1.10.5]

Changelog

Changes since v1.10.3

New features:

Offloading - Added CLI commands to resize flow table on Octeon-based routes. Discussed hereset system offload ipv4 table-size 65536Prior to 1.10.5 firmware, table-size was hardcoded to 8192 for all platforms. Default table size of 8192 buckets was ok for ER-lite (which has 512Mb of RAM) but totally not ok for ER-Infinity (which has 16GB of RAM). Now admins can tune offload ipv4 table-size to improve forwarding performance. General recommendation is following - if you see that coutner ipv4_create_flow_not_found_replaced_non_expired is constantly growing then it means that table-size is too small for your traffic profile and you are advised to increase it past default 8192 value:
$ show ubnt offload statistics |grep replaced_non_expired ipv4_create_flow_not_found_replaced_non_expired 357345 <------------ !!!! ipv6_create_flow_not_found_replaced_non_expired 0Right now the only limitation for table-size is that it should be power of 2 (8192, 16384, 32768, 65536...)

Enhancements and bug fixes:

PoE - Keep POE status during reset for ER-X-SFP/EP-R6/EP-R8/ER-12 devices
DHCP - Fixed DHCPv6 failure with VIF-0 interface. Discussed here
SSH - Disable weak ARCFOUR ciphers
SSH - Disable SSH port forwarding for operator user
Interface - Fixed bug when SFP interface link was down after upgrade on ER-X-SFP
BGP - Fixed bug when commit failed when setting inactive BGP peer. Discussed here
DNS - Upgraded Dynamic DNS client to support cloudflare API v4. Discussed here
- Following DDNS providers require manual configuration changes:
  - Cloudflare - server www.cloudflare.com should be removed from config:delete service dns dynamic interface eth0 service custom-cloudflare server www.cloudflare.com
  - Namecheap - config entry host-name should not contain second level domain name. For instance for eatmyshorts.bart.com you should remove the bart.com suffix from host-name and leave only eatmyshorts:
    delete service dns dynamic interface eth0 service namecheap host-name eatmyshorts.bart.com set service dns dynamic interface eth0 service namecheap host-name eatmyshorts

Interface - Fixed random bug when interface stopped passing traffic after changing speed/duplex
Interface - Fixed bug when eth0 speed/duplex could not be changed on ER-Infinity
System - Fixed bug when processes randomly crashed with SIGBUG on ER-X
System - Fixed bug when PoE status was not reset when doing "factory-reset"
System - Fixed bug when "ubnt-util" crashes with SIGFPE if smart-queue rate was less than 1kbps. Discussed here
UNMS - downgraded ubnt-udapi bridge to v0.3.13 to get rid of bug when UNMS connection freezed

Updated software components:

none

Known issues:

Bug with corrupted downloads via PPPoE interface is not fixed for ER-8-XG (it is fixed on all other ER models). Workaround - disable PPPoE offloading on ER-8-XG:configure set system offload ipv4 pppoe disable
set system offload ipv6 pppoe disable commit save

mentalinc

3384 posts

Uber Geek
+1 received by user: 1023

Trusted

#2048228 3-Jul-2018 12:37

So I seem to be making progress.

I can now receive IPv6 address on my devices (windows and linux)

I can't ping v6 on the internet, i.e. ping -6 google.com fails. but it does resolve the ipv6 address

I'm on 2degrees and looking at the fritz!box it showed a /48 was allocated so trying with that...

set interfaces ethernet eth0 vif 10 pppoe 0 ipv6 enable
edit interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 1
set prefix-length /48

set interface eth2 host-address ::1
set interface eth2 prefix-id :2
set interface eth2 service slaac
set ipv6 address autoconf
top
commit

set protocols static interface-route6 ::/0 next-hop-interface pppoe0
commit
save

edit firewall ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 description "allow established"
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "drop invalid packets"
set rule 20 protocol all
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
top
edit firewall ipv6-name WAN6_LOCAL
set default-action drop
set rule 10 action accept
set rule 10 description "allow established"
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "drop invalid packets"
set rule 20 protocol all
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 description "allow DHCPv6 client/server"
set rule 40 destination port 546
set rule 40 source port 547
set rule 40 protocol udp
top
set interfaces ethernet eth0 vif 10 pppoe 0 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth0 vif 10 pppoe 0 firewall local ipv6-name WAN6_LOCAL
commit
save
exit
reboot now

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2048241 3-Jul-2018 13:02

Here is my configuration snippit for IPv6 on 2degrees (working) - setting "prefix-only" is important on 2degrees also. This configuration is literally taken from my OP.

# show interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd
pd 0 {
interface eth1 {
host-address ::1
no-dns
prefix-id :1
service slaac
}
prefix-length /56
}
prefix-only
rapid-commit enable
[edit]

# show firewall ipv6-name WAN6_IN
default-action drop
rule 10 {
action accept
description "allow established"
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "drop invalid packets"
protocol all
state {
invalid enable
}
}
rule 30 {
action accept
description "allow ICMPv6"
protocol icmpv6
}
[edit]

# show firewall ipv6-name WAN6_LOCAL
default-action drop
rule 10 {
action accept
description "allow established"
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "drop invalid packets"
protocol all
state {
invalid enable
}
}
rule 30 {
action accept
description "allow ICMPv6"
protocol icmpv6
}
rule 40 {
action accept
description "allow DHCPv6 client/server"
destination {
port 546
}
protocol udp
source {
port 547
}
}
[edit]

BlackHand

135 posts

Master Geek
+1 received by user: 19

#2048559 3-Jul-2018 20:50

I have the exact same settings about but it doesn't work for me, is there anything else I need to do?

New World

Shop on-line at New World now for your groceries (affiliate link).

mentalinc

3384 posts

Uber Geek
+1 received by user: 1023

Trusted

#2048617 3-Jul-2018 21:38

@michaelmurfy

I've updated my config to align to your output, but still having issues.

So when I have prefix-length /48 all my devices are given IPv6 addresses but can't reach the outside world. I cant even ping6 google.com from the edgerouter lite.

If I have prefix-length /56 I can ping6 google.com from the edgerouter lite but devices are not provided with a ipv6 address at all.

can you please share the output from or ssh the file to your local device to share it...

[code]cat /config/config.boot[/code[

Of course remove your passwords from user account at the bottom and pppoe password and user-id

The prefix-only for example isn't in OP so I'm wondering if there is other config you've made along the way without noticing?

Also if I run show firewall ipv6-name WAN6_LOCAL or WAN6_IN from the normal command line (not within configure)

the below line is included in the input...

Inactive - Not applied to any interfaces, zones or for content-inspection.

if I try and run the below again i get the warning it's already configured...

set interfaces ethernet eth0 vif 10 pppoe 0 firewall in ipv6-name WAN6_IN

set interfaces ethernet eth0 vif 10 pppoe 0 firewall local ipv6-name WAN6_LOCAL

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2048654 3-Jul-2018 22:23

@BlackHand @mentalinc Here you go - this is very heavily sanitized but I've left the configuration there for my internet connection / firewall / IPv6 settings. Afraid my configuration is far too big (and sensitive) to fully post and you likely don't need to know about my site to site VPN's etc :) - https://files.murfy.nz/config.boot.sanitized.txt

This configuration gives me the following (tested on a Chromebook - same goes for Windows / Linux and any other device on the network):

Sidenote - the no-dns is not needed. I've got that as I run my own resolver on this network. You may want to leave that one out.

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2048667 3-Jul-2018 23:42

I also found I had MSS clamping enabled;

This is not needed on 2degrees UFB if you're using a MTU of 1500 on the PPPoE side and a MTU of 1508 on the underlying interface like I have on my configuration. Not sure why I had this enabled in the first place as it would have been limiting things for me so thanks @mentalinc for getting me to dump my configuration and look through it!

BlackHand

135 posts

Master Geek
+1 received by user: 19

#2048692 4-Jul-2018 07:23

What's the benefit/use of ip { enable-proxy-arp }, I couldn't find a proper answer on the ubiquiti forums?

1 | ... | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | ... | 57