Geekzone: technology news, blogs, forums
121 posts

Master Geek

Lifetime subscriber

#265753 9-Feb-2020 14:34

I've been running an EdgeRouter Lite for some time with no issues, so thought it's time to do some tinkering. Have 3x UniFi AP-AC-Pro with original CloudKey and using UniFi Controller.

Would like to set up 3 VLANs - 1 standard using Vorco's DNS (my ISP), 1x family with this free family DNS filter https://cleanbrowsing.org/filters#family and VLAN30 to move all my IoT onto and keep separate from the network.

Then have 2 (or possibly 3) wifi networks - i.e. standard, family, and IoT so that each VLAN has a separate wifi SSID that then routes to the correct VLAN.

Have managed to set up the 3x VLANs and 2x wifi so far (left IoT for now). Set up the CleanBrowsing family DNS on "family"/VLAN20, connect to that wifi on my iPhone, but it says no internet connection. However I can browse to web pages. I tried the DNS Leak Test but it's still showing my ISP DNS (103.*.*.*) and the IP on my phone is 169.254.115.***

I've also noticed internet speed has slowed down substantially on my main wifi network and PC on ethernet. Disabled VLAN20 and the kids' wifi and it's back up to normal speed?

I can post my config file in the next post - note I had 2x VPNs set up by the company who installed & manages my Home Theatre/Control4 system so that will show in the config file too. As such, I would prefer not to start from scratch but can do as last resort.

Hopefully it's something obvious I've missed? My experience/skill level with ER is very low, I've tried reading all the relevant posts on Geekzone and the Ubiquiti Community support page but still struggling. Is there perhaps a limitation of the ER-Lite preventing me from taking this route?

Thanks in advance for any assistance, and for your patience :)




121 posts

Master Geek

Lifetime subscriber

  #2415073 9-Feb-2020 14:36

Here's my Dashboard, and config (hopefully the right info in the correct format?)

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Torrent {
        default-action accept
        description Torrent
        rule 1 {
            action accept
            description 45100
            destination {
            }
            log disable
            p2p {
                all
            }
            protocol tcp_udp
            source {
                address 192.168.10.72
                port 45100
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action accept
        description "WAN to internal"
        rule 10 {
            action accept
            description "PPTP Allow"
            destination {
                port 1723
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 20 {
            action accept
            description GRE
            log disable
            protocol gre
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "PPTP Allow"
            destination {
                port 1723
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allow GRE"
            log disable
            protocol 47
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        firewall {
            out {
                name Torrent
            }
        }
        speed auto
        vif 10 {
            description "Internet (PPPoE)"
            firewall {
                in {
                    name WAN_IN
                }
            }
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                    out {
                        name Torrent
                    }
                }
                mtu 1492
                name-server auto
                password ****************
                user-id **@**.vorco.net.nz
            }
        }
        vif 20 {
            description "VLAN20 Family"
            firewall {
                local {
                    name WAN_LOCAL
                }
            }
        }
        vif 30 {
            description "VLAN30 IoT"
            disable
            mtu 1500
        }
    }
    ethernet eth1 {
        address 192.168.10.1/24
        description Local
        duplex auto
        firewall {
            local {
                name Torrent
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface eth1
    lan-interface eth0.20
    rule 1 {
        description torrent
        forward-to {
            address 192.168.10.72
            port 45100
        }
        original-port 45100
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 103.14.68.2
                dns-server 103.14.68.3
                domain-name **.nextav.co.nz
                lease 86400
                start 192.168.10.20 {
                    stop 192.168.10.100
                }
                unifi-controller 192.168.10.253
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service dyndns {
                    host-name **.nextav.co.nz
                    login ***
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on pppoe0
            listen-on eth0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
    upnp {
        listen-on eth1 {
            outbound-interface pppoe0
        }
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    host-name *****
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
        user *** {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "** **"
            level admin
        }
        user ** {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ***
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Pacific/Auckland
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username *** {
                        password ****************
                    }
                    username *** {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.11.100
                stop 192.168.11.110
            }
            mtu 1492
        }
    }
}


1164 posts

Uber Geek

Lifetime subscriber

  #2415121 9-Feb-2020 15:17

To start with, your VLAN is on the wrong interface. It should be on either eth1 or eth2, as eth0 is your WAN interface.

It has no IP address and no DHCP configuration for that VLAN/subnet either, so it's never going to get an address.

Is your AP capable of VLAN tagging? Do you have a switch capable of VLAN tagging? Without either of these things you're not going to be successful with this endeavour.


121 posts

Master Geek

Lifetime subscriber

  #2415167 9-Feb-2020 15:59

dfnt:

To start with, your VLAN is on the wrong interface. It should be on either eth1 or eth2, as eth0 is your WAN interface.

It has no IP address and no DHCP configuration for that VLAN/subnet either, so it's never going to get an address.

Cool, thanks for pointing that out. I think I've sorted that out by deleting VLAN20 then recreating under eth1, assigning it a subnet, then sorting DHCP as per 2 screenshots below?

dfnt:

Is your AP capable of VLAN tagging? Do you have a switch capable of VLAN tagging? Without either of these things you're not going to be successful with this endeavour.

I have a UniFi CloudKey and use the UniFi management system for the UniFi APs via that. It has an option to use a VLAN, so I have used the VLAN ID of 20 for the "skullduggery_kids" network.

Having done all this, I can now connect to the skullduggery_kids wifi, and it assigns an IP of 192.168.20.20 - albeit it takes ages to assign? But then I can't reach any webpages, so I must be missing something with DHCP or configured that incorrectly?

Thanks, appreciate the help.


1164 posts

Uber Geek

Lifetime subscriber

  #2415209 9-Feb-2020 16:12

Excellent :)

Yep, you just need to make the DHCP server authoritative for that subnet.

SSH to your EdgeRouter, or you can do it in the config tree view:

configure
set service dhcp-server shared-network-name FAMILY authoritative enable
commit
save

If your kids are smart enough, they can manually change their DNS server to whatever they like.

You can create a NAT rule which will redirect any DNS query within that VLAN's subnet to the CleanBrowsing DNS servers.


2502 posts

Uber Geek

Lifetime subscriber

  #2415213 9-Feb-2020 16:18

Router address should be 192.168.20.1.





Spark FibreMAX using Mikrotik CCR1009-8G-1S-1S+. UAP, UAP AC Pro, UAP AC Pro Mesh, Apple TV 4, Apple TV 4K, iPad Air 1, iPhone 6s, VodaTV Gen 2. If it doesn't move then it's data cabled.




121 posts

Master Geek

Lifetime subscriber

  #2415257 9-Feb-2020 16:52

dfnt:

Excellent :)

Yep, you just need to make the DHCP server authoritative for that subnet.

If your kids are smart enough, they can manually change their DNS server to whatever they like.

You can create a NAT rule which will redirect any DNS query within that VLAN's subnet to the CleanBrowsing DNS servers.

He's only 9 but probably not far off being able to do that :O  I figured I'd get the basics working first, then move on to creating a suitable NAT rule.

OK, ran those commands via SSH, but still can't load any internet pages? So then I tried changing the router address as below?

Spyware:

Router address should be 192.168.20.1.

When I updated the router to 192.168.20.1, I got the following error:

Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.20.0/24
Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.20.1/24
Conflicting subnet ranges: 192.168.20.1/24 overlaps 192.168.20.0/24
Conflicting subnet ranges: 192.168.20.0/24 overlaps 192.168.20.1/24
DHCP server configuration commit aborted due to error(s).

service dhcp-server




121 posts

Master Geek

Lifetime subscriber

  #2415263 9-Feb-2020 17:02

Doh, solved it - a mess of my own making.

Had to go back into the DHCP Server detail for the Family network and re-enter the range start & stop after I'd deleted and recreated the DHCP server for that Family network.

DNS Leak test is getting stuck on the "Waiting for Results" page on my phone but not on my PC. Fix one thing, break another...

Thanks for all your help. Now on to creating that NAT rule, once I confirm the CleanBrowsing DNS is working as intended.

Cheers
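As an added example (written for this page, not code from the thread or from Ubiquiti), here is a small Python linter that reads a config dump in the brace format posted above and reports the mistakes the replies and the later commit error pointed out: a VLAN vif hung off the WAN port, a vif with no address, and a DHCP shared network with no matching subnet or no start/stop range. The SAMPLE config is constructed and cut down (its interface and subnet names are assumptions); a one-statement-per-line dump straight from the router parses the same way.

```python
import ipaddress
import re

def flatten(text):
    """Turn a brace-structured EdgeOS config dump into (path, value) pairs.
    A statement ends at '{', '}', ';' or a newline, so compact one-line
    fragments and the router's own indented dump both parse."""
    entries, path = [], []
    for m in re.findall(r"[^{};\n]*[{}]?", text):
        brace = m[-1] if m.endswith(("{", "}")) else ""
        stmt = m.rstrip("{}").strip()
        if stmt and brace != "{":                  # leaf: "key value" or a bare flag
            key, _, val = stmt.partition(" ")
            entries.append((tuple(path + [key]), val))
        if brace == "{":
            path.append(stmt)
            entries.append((tuple(path), None))
        elif brace == "}":
            path.pop()
    return entries

def lint(text):
    """Flag the VLAN/DHCP mistakes diagnosed in the thread, one string each."""
    vals = dict(flatten(text))                     # last value wins for repeated keys
    paths = set(vals)
    def kids(p, prefix):                           # direct children of p named prefix*
        return sorted(q for q in paths if q[:-1] == p and q[-1].startswith(prefix))
    dhcp = {q[-1].split()[1]: q for q in paths if len(q) == 4
            and q[:2] == ("service", "dhcp-server") and q[-1].startswith("subnet ")}
    out = []
    for eth in kids(("interfaces",), "ethernet "):
        vifs = kids(eth, "vif ")
        wan = any(kids(v, "pppoe ") for v in vifs)  # PPPoE session on a vif of this port
        for vif in vifs:
            if kids(vif, "pppoe "):
                continue                            # the PPPoE vif is the WAN itself
            name = f"{eth[-1].split()[1]}.{vif[-1].split()[1]}"
            if wan:
                out.append(f"{name}: VLAN defined on the WAN port")
            addr = vals.get(vif + ("address",))
            net = addr and str(ipaddress.ip_interface(addr).network)
            if not addr:
                out.append(f"{name}: no address, so no gateway for clients")
            elif net not in dhcp:
                out.append(f"{name}: no DHCP subnet for {net}")
            elif not any(kids(s, "stop") for s in kids(dhcp[net], "start ")):
                out.append(f"{name}: DHCP subnet {net} has no start/stop range")
    return out

# Constructed fragment in the shape of the posted config, not the real dump.
SAMPLE = """
interfaces { ethernet eth0 { vif 10 { pppoe 0 { mtu 1492 } } ; vif 20 { description "VLAN20 Family" } }
             ethernet eth1 { vif 30 { address 192.168.30.1/24 } ; vif 40 { address 192.168.40.1/24 } } }
service { dhcp-server { shared-network-name IOT { subnet 192.168.30.0/24 { default-router 192.168.30.1 } }
          shared-network-name GUEST { subnet 192.168.40.0/24 { start 192.168.40.20 { stop 192.168.40.100 } } } } }
"""
```

Running `lint(SAMPLE)` reports eth0.20 twice (on the WAN port, no address) and eth1.30 once (no start/stop range), while eth1.40, which has an address and a complete DHCP range, comes back clean.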

