Ubiquiti Edgerouter Tutorial

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Ubiquiti Edgerouter Tutorial

1 | ... | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | ... | 56

142 posts

Master Geek

#2319565 18-Sep-2019 07:19

@No4 The only difference between the settings you have listed and mine are that I'm using 1500/1492 MTU size instead of 1508/1500. I'm only running IPV4 so, as per the comments from @fe31nz above, it isn't an issue, however his comments suggest either should work on the Edgerouter. I'm getting full speed (950Mbps/450Mbps) from my fibre so pretty happy.

Sharesies

Affiliate link

Affiliate link: Trade NZ and US shares and funds with Sharesies.

No4

15 posts

Geek

#2320066 19-Sep-2019 07:56

Found the problem - it was more hardware related I think, although I did correct the location of the ipv6 firewall.

Turns out the ethernet cable to the old laptop (running Mint) was dodgy so it had connected via wireless instead. So very old laptop plus wireless at reasonable range was the issue for speedtest. Once I changed the cable, speeds were 80/9 or so, compared to 100/18 for my standard windows 8 pc on the HG659 (I'm only on basic fibre which is 100/20). I then tried my work laptop on the ERX/UAP Lite and got 100/19 wired and 80/18 wireless, so any limitations are not in the config.

On to the next step of commissioning - checking voip. Almost there.

chrislaing

41 posts

Geek

#2327299 30-Sep-2019 20:39

Hello friends,

I am having some (quite odd) problems with my ipsec/L2TP vpn on my ERX (firmware version 1.10).

I have been through literally every post on the topic on the Ubiquiti forums, and I'm wondering if I need to upgrade to 2.x firmware for this to work.

Firstly, the relevant part of my config:

ipsec {
auto-firewall-nat-exclude enable
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
local-users {
username <redacted> {
password <redacted>
}
}
mode local
}
client-ip-pool {
start 192.168.100.244
stop 192.168.100.249
}
dns-servers {
server-1 1.1.1.1
server-2 1.0.0.1
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret <redacted>
}
ike-lifetime 3600
}
mtu 1492
outside-address xxx.xxx.xxx.xxx
outside-nexthop xxx.xxx.xxx.xxx
}
}

I am able to connect to the vpn from my Mac, inside my WLAN, when specifying outside-address to be my external ip (set via a cronjob, as is outside-nexthop).

I am unable to connect from my iphone inside my WLAN.

I am unable to connect when I replace outside-address with 0.0.0.0. (This is the recommended solution from the Ubiquiti forums).

I am unable to connect using my dynamic dns (which resolves correctly with nslookup).

I have tried various combinations of specifying/removing nat-traversal, nat-networks, ipsec-interfaces, auto-firewall-nat-exclude.

Any suggestions at all, from anyone, or do I just have to try the 2.x firmware?

As always, many thanks for your help!

dklong

142 posts

Master Geek

#2328765 3-Oct-2019 09:04

@chrislaing

Your config looks pretty good based on my limited knowledge but you don't mention updating your firewall rules as well to allow L2TP/IPSec traffic through? I found the article below and some of it's links quite useful when setting up something similar.

https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server#3

Cheers

chrislaing

41 posts

Geek

#2331561 6-Oct-2019 21:00

Hey, thanks for the link. That article is where I started my long trudge through the Ubiquiti forums.

Firewall should be fine, but I'll nuke it anyway and start from scratch.

It's a funny old problem.

wratterus

1501 posts

Uber Geek

#2333186 9-Oct-2019 09:02

Bit of a basic question here sorry - setting up an ER-X for a Vodafone connection (will be bridged VDSL). Just sorting out firewall & want to setup upnp2 as well- should the WAN interface be set to eth0 or eth0.10?

I know on a pppoe connection with vlan10 the WAN interface needs to be set to pppoe0, but am not sure with a DHCP/IPoE connection. Thanks.

corksta

2340 posts

Uber Geek

Trusted

Subscriber

#2359232 22-Nov-2019 10:48

Apologies this could be a stupid question... I don’t have a PC or Mac at home, only iOS devices. I’m looking at getting an ER-X, can I still set this up through an iPad by connecting it to my existing network first or does it need a direct connection to a computer?

Sony 65" A8F OLED TV | Sony 65" X850F LED TV | Sony 55" X900F LED TV

wratterus

1501 posts

Uber Geek

#2359241 22-Nov-2019 11:05

@corksta you're really going to need a computer to set it up initially.

corksta

2340 posts

Uber Geek

Trusted

Subscriber

#2359252 22-Nov-2019 11:22

I thought that would be the answer, thanks.

Sony 65" A8F OLED TV | Sony 65" X850F LED TV | Sony 55" X900F LED TV

michaelmurfy

/dev/ttys0
11027 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2359262 22-Nov-2019 11:36

@corksta Pick up a cheap Chromebook - I've successfully configured Edgerouters on Chromebooks :)

But I don't see any issues with configuring it from an iPad either - sure, it'll be a challenge, but it should work with those challenges.

Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation.

wratterus

1501 posts

Uber Geek

#2359276 22-Nov-2019 11:52

How would one actually do that? Connect a wireless AP to eth0, connect iPad to that and hard set the IP on iPad? I guess that's not really that hard.

Edit - assuming that a lightning/ethernet adapter wasn't handy.

ezero

6 posts

Wannabe Geek

#2369555 6-Dec-2019 12:46

eong:

eong:

Thanks for the tutorial.

I'm using the Edgerouter X with Orcon Fibre. I tried to follow the wizard to setup the eth0.10 interface as Internet, with dhcp. But the router cannot obtain an IP address from ISP. Is it an Orcon specific issue? Or a configuration issue?

Just to confirm that Orcon limit mac address, so you have to copy the mac address from the router they gave to you. It's not the one at the bottom of the router but based on it. You can telnet into it to find it out.

Okay, I dont post on forums that often, forgive me if I violate any rules.

I just switched from 2degrees Fiber to Orcon Fiber today. I backed up my configuration of EdgeMax Router X. Then I updated the firmware to 1.9.10 from 1.9.7. After upgrading I reuploaded my saved backup.

Speaking to Orcon technical support, MAC address spoofing is not really required. I did it anyway :(.. The way you do that is by going in to the CLI and typing in configure, then type

set interfaces ethernet eth0 mac <mac-address-of-your-router-given-by-orcon-see-below-the-router>

example: ubnt@ubnt:~$ set interfaces ethernet eth0 mac 00:00:00:00:00:01

Then you type commit and save.

I still didn't seem to get an IP address. I called the Orcon technical support, and they said they had some issue with IP address conflicts. He cleared all my sessions on their end and it just connected and gave me an IP address.

It is true that you do not have to enter the username and password anywhere. If you do not have the option of IPoE dont worry about it, just use DHCP.

I had todo some other reconfiguration of WAN interfaces as they were listening on pppoe0 interface. Changing WAN masqurading configuration also helped get the internet to my devices. Port forwarding configuration also needed to be adjusted.

The MTU it uses is 1500, it won't let me change to ISP's recommended MTU 1492.

My speedtest gave me speed of 300/300 even tho I am on 700-900/500 Mbps connection / plan. I will connect their provided modem and do another speedtest just to see if its my Edge router thats limiting the speed.

I am also reluctant to update the firmware to 2.x

I hope this info helps others, and I will post screenshots of my configuration.

ezero

6 posts

Wannabe Geek

#2369730 6-Dec-2019 17:31

Managed to fix my speed issue by enabling offloading on hwnat and ipsec. However (as seen in screenshot), it says offload for IPSec module has not been loaded. When I try to load it, it says its already loaded... oh well, maybe as others said - newer version of firmware has addressed this bug.

configure
set system offload hwnat enable
set system offload ipsec enable
commit
save

Here are changes to port forwarding screen.

Here are changes to interfaces under Firewall Policies

And NAT changes configuration for masquerade to eth0.10

Following are the two configs you need for eth0 and eth0.10 vlan 10

This is all that was needed for switching over to Orcon Fiber from 2degrees Fiber. You may not need all these changes as above, but I mucked around with these settings - therefore could not remember if they were original as such.

eong

52 posts

Master Geek

#2369733 6-Dec-2019 17:43

ezero:

Managed to fix my speed issue by enabling offloading on hwnat and ipsec. However (as seen in screenshot), it says offload for IPSec module has not been loaded. When I try to load it, it says its already loaded... oh well, maybe as others said - newer version of firmware has addressed this bug.

configure
set system offload hwnat enable
set system offload ipsec enable
commit
save

Here are changes to port forwarding screen.

Here are changes to interfaces under Firewall Policies

And NAT changes configuration for masquerade to eth0.10

Following are the two configs you need for eth0 and eth0.10 vlan 10

This is all that was needed for switching over to Orcon Fiber from 2degrees Fiber. You may not need all these changes as above, but I mucked around with these settings - therefore could not remember if they were originally as such.

Why do you leave 2degrees and choose Orcon?

I never get full 1Gbps speed when I use Orcon. It was only around 700Mbps at most. The speed connection to overseas service is awful except Australia (400-500Mbps. So I paid the pricy termination fee and switched to 2degrees. I'm happy with the speed of 990Mbps now. And the connection to east coast of America is really fast.

ezero

6 posts

Wannabe Geek

#2369738 6-Dec-2019 17:59

eong:

Why do you leave 2degrees and choose Orcon?

I never get full 1Gbps speed when I use Orcon. It was only around 700Mbps at most. The speed connection to overseas service is awful except Australia (400-500Mbps. So I paid the pricy termination fee and switched to 2degrees. I'm happy with the speed of 990Mbps now. And the connection to east coast of America is really fast.

Yeah good question, I've been with 2degrees for a while now ~2 years. I actually never signed up with 2degrees, they acquired Snap (from Christchurch). They were not really coming to the table with a better upgrade plan for me in this competitive market. Same nonsense, oh these plans are for our "new customers". Although, to answer your question, my parents are with Orcon and my brother and I play FPS game (Ring of Elysium). For some reason my brother (on Orcon) seems to get better latency (~150ms) to Asian servers and me (on 2Degrees) got 300ms+ latency.

Now when I switched over to Orcon, sure enough, my latency has also dropped to ~150ms. I agree with you that overseas bandwidth is always going to be bottleneck and keeping things on topic, my speed tests are averaging 300 Mbps for Sydney.

and domestic speed tests look something like this

So for some, peering (latency) is the selling point and for some its bandwidth. At the end of the day, they are all the same really, when it comes to international peering and bandwidth.

I still cannot explain my gaming latency improvement with Orcon in comparison to 2degrees.

1 | ... | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | ... | 56