Geekzone: technology news, blogs, forums
882 posts

Ultimate Geek


  #2467022 21-Apr-2020 12:30

michaelmurfy:

... this won't be an issue for most people assuming they first set it up using their existing router.

Sorry for this dumb question, but do you do this by sticking a cable into the WAN port on the DreamMachine from a LAN port on the EdgeRouter?





BlinkyBill


3 posts

Wannabe Geek


  #2470820 25-Apr-2020 10:13

Recent ER3-Lite Set up

With gratefully received guidance I have done this. The speed is fine, getting 5/104/19 through a floor, a wall and about 2.5 metres from the AP. Everything appears to work well. But I've raised FUD in my own mind.

Question 1: If all the ShieldsUp! tests are totally clean, does it mean the front line of defense is OK?

Question 2: Firewall - it's running the basic, baked-in rules; I've done nothing. Should I look at additional hardening/checking/something..?

As always, TIA


11 posts

Geek


  #2470880 25-Apr-2020 11:59

michaelmurfy:

@axlback I'm not going to provide the full answer as I want you to look for it.

Hint - your interface is in the wrong format. I pretty much provided you the answer in my post.

Thanks again @michaelmurfy

I eventually got around to sorting this yesterday and now have IPv6 on all appropriate interfaces. What I didn't understand and am still a little unclear on is the difference between (interface) vif (number) and (interface).(number) - is this to do with hierarchy?


mdf

2563 posts

Uber Geek

Trusted
Subscriber

  #2481392 11-May-2020 17:18

I'm following along this tutorial.

For some reason, the web interface of my EdgeRouter Lite periodically drops the connection ("Unable to connect to the device. Please check your network connection.") and then sits on the "Please wait while this application loads" screen for ~30-60 seconds. It doesn't obviously have anything to do with CPU load. It didn't seem to happen when I started the tutorial, so something I've done along the way has caused it.

Firmware 2.0.8-hotfix.1 (which seems to be the latest version).

Any ideas?


Go Hawks!
1011 posts

Uber Geek

Trusted
Subscriber

  #2481431 11-May-2020 18:01

Thanks Michaelmurphy for this guide!

I've managed to now get my router going along with IPv6 - however, as my DNS servers sit inside my LAN (forwarding to the outside world & caching the answers), I'd like to have the DNS server IP addresses sent out - I haven't figured this one out yet. If anyone has an idea where to start, I'd be grateful (and will share back once I figure it out!)

Thanks again


544 posts

Ultimate Geek


  #2481605 12-May-2020 00:20

wazzageek:

Thanks Michaelmurphy for this guide!

I've managed to now get my router going along with IPv6 - however, as my DNS servers sit inside my LAN (forwarding to the outside world & caching the answers), I'd like to have the DNS server IP addresses sent out - I haven't figured this one out yet. If anyone has an idea where to start, I'd be grateful (and will share back once I figure it out!)

Thanks again

There are several places to set DNS servers for different reasons in an EdgeRouter config. The DNS servers that the ER itself will use are set like this:

set system name-server 10.0.2.2
set system name-server 10.0.2.4

Then for IPv4 in your DHCP setup, you tell the ER to send DNS settings with DHCP when requested:

set service dhcp-server shared-network-name OUTER subnet 10.0.1.0/24 dns-server 10.0.1.2
set service dhcp-server shared-network-name OUTER subnet 10.0.1.0/24 dns-server 10.0.2.4
set service dhcp-server shared-network-name OUTER subnet 10.0.1.0/24 domain-name jsw.gen.nz

And for IPv6 the DNS servers are sent in router advertisements:

set interfaces ethernet eth1 ipv6 router-advert name-server '2406:e001:1:2801::2'
set interfaces ethernet eth1 ipv6 router-advert name-server '2406:e001:1:2802::4'

And also, like DHCPv4, in DHCPv6 replies:

set service dhcpv6-server shared-network-name OUTER-v6 subnet '2406:E001:1:2801::/64' domain-search 6.jsw.gen.nz
set service dhcpv6-server shared-network-name OUTER-v6 subnet '2406:E001:1:2801::/64' name-server '2406:E001:1:2801::2'
set service dhcpv6-server shared-network-name OUTER-v6 subnet '2406:E001:1:2801::/64' name-server '2406:E001:1:2802::4'

There are other things that can be sent in DHCP, such as SNTP servers:

set service dhcpv6-server shared-network-name OUTER-v6 subnet '2406:E001:1:2801::/64' sntp-server '2406:E001:1:2801::2'
set service dhcpv6-server shared-network-name OUTER-v6 subnet '2406:E001:1:2801::/64' sntp-server '2406:E001:1:2802::4'

Or your setup for bootp/PXE booting:

set service dhcp-server shared-network-name INNER subnet 10.0.2.0/24 bootfile-server 10.0.2.4
set service dhcp-server shared-network-name INNER subnet 10.0.2.0/24 subnet-parameters 'allow booting;'
set service dhcp-server shared-network-name INNER subnet 10.0.2.0/24 subnet-parameters 'allow bootp;'
set service dhcp-server shared-network-name INNER subnet 10.0.2.0/24 subnet-parameters 'option log-servers 10.0.2.4;'
set service dhcp-server shared-network-name INNER subnet 10.0.2.0/24 subnet-parameters 'if exists user-class and option user-class = "iPXE" {filename "http://pxe.jsw.gen.nz/pxe.cfg";} else {filename "undionly.kpxe";}'

 


132 posts

Master Geek


  #2481662 12-May-2020 09:05

Possibly a silly/noob question, but does IPv6 affect UPnP? The problem is that since enabling IPv6 (which to be fair I only ever did because it seemed like a good idea....) the boys' Xboxes (2 of them) now show a moderate NAT type, and for some games it needs to be open. I can disable IPv6, but thought I would reach out to smarter minds than mine.

Cheers

Nic.


544 posts

Ultimate Geek


  #2482301 13-May-2020 00:41

nicmair:

Possibly a silly/noob question, but does IPv6 affect UPnP? The problem is that since enabling IPv6 (which to be fair I only ever did because it seemed like a good idea....) the boys' Xboxes (2 of them) now show a moderate NAT type, and for some games it needs to be open. I can disable IPv6, but thought I would reach out to smarter minds than mine.

Cheers

Nic.

Personally, I do not allow UPnP on my network as it is a security risk - any software can open a port without you knowing. I prefer to open any ports I need manually. With IPv6, NAT is not used and each device has its own global unicast IPv6 address, so there is no problem with multiple different devices wanting to use the same ports. So I have never actually used UPnP with IPv6 - I presume it does work. I am not sure exactly what you mean by "now show a moderate NAT type". You are clearly having some sort of problem connecting. I am guessing that the connections are slow, which is something that happens when the IPv6 setup has not been configured the same way as the IPv4 setup. Devices that have a global unicast IPv6 address will prefer to use that over their IPv4 address, so they will try to connect first with IPv6. Only when IPv6 fails to connect (usually after one or more timeouts and retries) will they try to use IPv4 instead. So the effect of having no open port in IPv6 when the port is open in IPv4 is that it will take a very long time to connect, sometimes a minute or two. And sometimes the software has an overall connection timeout that happens before it can even try to use IPv4 instead of IPv6, so it fails to connect at all.

I have seen setups where the IPv6 firewall was misconfigured so that outbound connections failed also, not just inbound ones. The standard setup for both IPv4 and IPv6 should be to "permit all established and related traffic". What that means is that if an outbound packet that starts a connection is sent through the firewall and that packet is permitted by the firewall, then the firewall should be set up to log that as an existing connection and permit inbound packets that are part of that connection, or are information about that connection (e.g. ICMPv6 packets). If you do not have the "related" and "established" rules, connections will not work. And in IPv6, if you do not allow the mandatory ICMPv6 packets inbound through the firewall, connections will also fail. This is different to IPv4, where it will work even if you block all ICMPv4 packets. This latter problem is one that beginner users of IPv6 run up against frequently.

Also, due to the bug that seems to be present in all the implementations of PPPoE that I have encountered, if you do not have the maximum packet sizes configured properly, large IPv6 packets will be dropped both inbound and outbound over the PPPoE connection to your ISP. The problem here is that IPv6 does not permit fragmentation of packets when a packet meets an interface where the packet is larger than the maximum size the interface can send. So if you are able to send IPv6 packets larger than your PPPoE connection can handle, they will be dropped. IPv6 requires that when a packet is dropped because it is too large, an ICMPv6 reply is sent back to the sender telling the sender what happened. But all the PPPoE software I have seen does not do this and just silently drops over-long packets. This breaks IPv6, and is a serious bug. The common symptom of this problem is that connections to Facebook's front page fail when IPv6 is enabled, as that page requires full-size packets to work. Or if you are lucky and your browser retries with an IPv4 connection, it will take a minute or so for Facebook to connect correctly. In IPv4, if the PPPoE interface is configured with too small a maximum packet size, the packets just get fragmented into two packets and sent on, so all that happens is a slight slowdown of the traffic with long packets. In IPv6, if the PPPoE maximum packet size is too small, the protocol is broken and things go wrong whenever long packets are sent in either direction. The normal maximum packet size (including headers) is 1500 bytes. In IPv4 that allows a maximum data size (with the headers subtracted) of 1492 bytes (8 byte overhead for the headers). But PPPoE adds its own headers on top of the existing headers - I think it is an extra 6 bytes.

So if your network is using a maximum packet size of 1500 (and it would be very rare that it would not be), then if the PPPoE interface is set to a maximum packet size of 1500 also, any packets in the range 1493-1500 will be too big for the PPPoE interface. So the PPPoE interface really needs to be set to a maximum packet size of 1506. And on top of that, PPPoE connections to ISPs usually are also using VLAN 10, so you have another 2 bytes of overhead for the VLAN header. So then the PPPoE interface needs to have a maximum packet size of 1508 bytes. Fortunately in NZ, the ISPs and network providers like Chorus understand this and allow the extra 8 bytes on the PPPoE connection. Unfortunately, not all routers will do > 1500 bytes on PPPoE connections, and even with the ones that do, they do not necessarily try to use a 1508 byte size unless specifically told to do so. EdgeRouters can do > 1500 bytes on PPPoE connections, but need to be told to do it. Their PPPoE interfaces will default to 1500 bytes unless the maximum size is specified to be something else.
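As an added example (not code from this thread or from fe31nz), here is a small Python checker that reads the output of the EdgeOS `show configuration commands` command and flags the IPv6 firewall mistakes described in the post above: a default-drop ruleset with no established/related accept, no ICMPv6 accept, or a ruleset that is defined but never attached to an interface. The ruleset names, interface and sample config are constructed for this example.

```python
"""Lint an EdgeOS 'show configuration commands' dump for the IPv6 firewall
mistakes discussed above. Added example; names below are constructed."""
import re
from collections import defaultdict

# Constructed sample config: WANv6_IN lacks the ICMPv6 accept rule and
# WANv6_LOCAL is complete but is never bound to an interface.
SAMPLE_CONFIG = """
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 protocol icmpv6
set interfaces ethernet eth0 vif 10 pppoe 0 firewall in ipv6-name WANv6_IN
"""

DEFAULT_RE = re.compile(r"^set firewall ipv6-name (\S+) default-action (\S+)$")
RULE_RE = re.compile(r"^set firewall ipv6-name (\S+) rule (\d+) (.+)$")
BIND_RE = re.compile(r"^set interfaces .+ firewall (?:in|out|local) ipv6-name (\S+)$")


def parse(config_text):
    """Return (rulesets, bound): rulesets maps name -> {'default': str|None,
    'rules': {number: set of attribute strings}}; bound holds the names of
    rulesets that are attached to some interface."""
    rulesets = defaultdict(lambda: {"default": None, "rules": defaultdict(set)})
    bound = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := DEFAULT_RE.match(line):
            rulesets[m.group(1)]["default"] = m.group(2)
        elif m := RULE_RE.match(line):
            name, number, attr = m.groups()
            rulesets[name]["rules"][int(number)].add(attr)
        elif m := BIND_RE.match(line):
            bound.add(m.group(1))
    return rulesets, bound


def lint(config_text):
    """Return a list of findings; an empty list means the dump passed."""
    rulesets, bound = parse(config_text)
    findings = []
    for name, rs in rulesets.items():
        accepts = [attrs for attrs in rs["rules"].values() if "action accept" in attrs]
        # One accept rule must carry both state flags for return traffic.
        has_state = any({"state established enable", "state related enable"} <= attrs
                        for attrs in accepts)
        # EdgeOS accepts either spelling of the ICMPv6 protocol name.
        has_icmp = any("protocol icmpv6" in attrs or "protocol ipv6-icmp" in attrs
                       for attrs in accepts)
        if rs["default"] == "drop" and not has_state:
            findings.append(f"{name}: no accept rule for established/related traffic")
        if rs["default"] == "drop" and not has_icmp:
            findings.append(f"{name}: no accept rule for ICMPv6 (breaks ND and PMTUD)")
        if name not in bound:
            findings.append(f"{name}: ruleset defined but not attached to any interface")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["clean"]:
        print(finding)
```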


132 posts

Master Geek


  #2482553 13-May-2020 09:54

fe31nz:

nicmair:

Possibly a silly/noob question, but does IPv6 affect UPnP? The problem is that since enabling IPv6 (which to be fair I only ever did because it seemed like a good idea....) the boys' Xboxes (2 of them) now show a moderate NAT type, and for some games it needs to be open. I can disable IPv6, but thought I would reach out to smarter minds than mine.

Cheers

Nic.

Personally, I do not allow UPnP on my network as it is a security risk - any software can open a port without you knowing. I prefer to open any ports I need manually. With IPv6, NAT is not used and each device has its own global unicast IPv6 address, so there is no problem with multiple different devices wanting to use the same ports. So I have never actually used UPnP with IPv6 - I presume it does work. I am not sure exactly what you mean by "now show a moderate NAT type". You are clearly having some sort of problem connecting. I am guessing that the connections are slow, which is something that happens when the IPv6 setup has not been configured the same way as the IPv4 setup. Devices that have a global unicast IPv6 address will prefer to use that over their IPv4 address, so they will try to connect first with IPv6. Only when IPv6 fails to connect (usually after one or more timeouts and retries) will they try to use IPv4 instead. So the effect of having no open port in IPv6 when the port is open in IPv4 is that it will take a very long time to connect, sometimes a minute or two. And sometimes the software has an overall connection timeout that happens before it can even try to use IPv4 instead of IPv6, so it fails to connect at all.

I have seen setups where the IPv6 firewall was misconfigured so that outbound connections failed also, not just inbound ones. The standard setup for both IPv4 and IPv6 should be to "permit all established and related traffic". What that means is that if an outbound packet that starts a connection is sent through the firewall and that packet is permitted by the firewall, then the firewall should be set up to log that as an existing connection and permit inbound packets that are part of that connection, or are information about that connection (e.g. ICMPv6 packets). If you do not have the "related" and "established" rules, connections will not work. And in IPv6, if you do not allow the mandatory ICMPv6 packets inbound through the firewall, connections will also fail. This is different to IPv4, where it will work even if you block all ICMPv4 packets. This latter problem is one that beginner users of IPv6 run up against frequently.

Also, due to the bug that seems to be present in all the implementations of PPPoE that I have encountered, if you do not have the maximum packet sizes configured properly, large IPv6 packets will be dropped both inbound and outbound over the PPPoE connection to your ISP. The problem here is that IPv6 does not permit fragmentation of packets when a packet meets an interface where the packet is larger than the maximum size the interface can send. So if you are able to send IPv6 packets larger than your PPPoE connection can handle, they will be dropped. IPv6 requires that when a packet is dropped because it is too large, an ICMPv6 reply is sent back to the sender telling the sender what happened. But all the PPPoE software I have seen does not do this and just silently drops over-long packets. This breaks IPv6, and is a serious bug. The common symptom of this problem is that connections to Facebook's front page fail when IPv6 is enabled, as that page requires full-size packets to work. Or if you are lucky and your browser retries with an IPv4 connection, it will take a minute or so for Facebook to connect correctly. In IPv4, if the PPPoE interface is configured with too small a maximum packet size, the packets just get fragmented into two packets and sent on, so all that happens is a slight slowdown of the traffic with long packets. In IPv6, if the PPPoE maximum packet size is too small, the protocol is broken and things go wrong whenever long packets are sent in either direction. The normal maximum packet size (including headers) is 1500 bytes. In IPv4 that allows a maximum data size (with the headers subtracted) of 1492 bytes (8 byte overhead for the headers). But PPPoE adds its own headers on top of the existing headers - I think it is an extra 6 bytes.

So if your network is using a maximum packet size of 1500 (and it would be very rare that it would not be), then if the PPPoE interface is set to a maximum packet size of 1500 also, any packets in the range 1493-1500 will be too big for the PPPoE interface. So the PPPoE interface really needs to be set to a maximum packet size of 1506. And on top of that, PPPoE connections to ISPs usually are also using VLAN 10, so you have another 2 bytes of overhead for the VLAN header. So then the PPPoE interface needs to have a maximum packet size of 1508 bytes. Fortunately in NZ, the ISPs and network providers like Chorus understand this and allow the extra 8 bytes on the PPPoE connection. Unfortunately, not all routers will do > 1500 bytes on PPPoE connections, and even with the ones that do, they do not necessarily try to use a 1508 byte size unless specifically told to do so. EdgeRouters can do > 1500 bytes on PPPoE connections, but need to be told to do it. Their PPPoE interfaces will default to 1500 bytes unless the maximum size is specified to be something else.

Thank you so much for the detailed reply, I'm sure not just me found this insightful!

In answering your question, the Xbox has a pretty simple network configuration page, you can't really change much, and once the settings are applied and you test the NAT type, the Xbox will tell you what it sees the NAT type as (I think restricted, moderate and open are the options). Restricted and Moderate will cause some games to not work, so unless you can get the Xbox to see an open NAT type (by making network/router config changes), these games will not work, and large voluminous noises emanate from teenagers.

I suspect you are correct in that my IPv6 implementation was the cause, as during mucking around yesterday I managed to kill the PPPoE interface and it would not connect, so I had to do a full reset and reconfiguration of the EdgeRouter X, at which time I did not configure IPv6, and the Xboxes both now report an Open NAT type and I am no longer getting large voluminous noises emanating from teenagers.

Once lockdown is over and the teenagers aren't so reliant on the Internet, I will have another crack at IPv6.


1 post

Wannabe Geek


  #2489760 22-May-2020 18:18

Hi Michael,

Thank you for putting together this guide - I used it as a template when configuring my EdgeRouter 4.

I have configured mine with eth1 and eth2 bonded and connected to a port-channel on my 2960X (ROAT). Everything works great so far, VLANs and HW offloading all working perfectly. Only managing 600 Mbps down - but this is actually not bad for where I live. I have never gotten close to 1000 with any of the routers I have played around with.

Really a great little unit with tons of features. One that I plan on using professionally too. We are a Fortigate shop but this really is a compelling alternative for customers who are not a fan of the high ticket prices and licensing involved.

Ta!


mdf

2563 posts

Uber Geek

Trusted
Subscriber

  #2497049 2-Jun-2020 20:48

When I make changes in the config tree of the EdgeRouter GUI, it very helpfully shows me a preview of the CLI commands it will run ("commit" may be the correct verb?).

Is there any way of showing what CLI commands were run, after the event? If - and this is purely hypothetical, you understand - I was futzing around in the GUI or Wizard sections and did something, is there any way of showing what commands were actually run?

