Geekzone: technology news, blogs, forums


AndyT (Master Geek, 58 posts)
#278466 18-Oct-2020 12:41

The ER-X set up is:

   eth0   WAN
   eth1   Main network reticulated via un-managed switches and cat 6
   eth2   Recovery interface set to static IP 172.16.1.1 to deal with inadvertent lock-outs
   eth3   Spare
   eth4   UAP AC Lite with VLAN ID 3 for IoT and 4 for security cameras

The problems I'm experiencing are:

  1. unable to static map an IP address on the ER-X to VLAN ID 3 on 192.168.30.1/24 or VLAN ID 4 on 192.168.40.1/24
  2. the UAP AC Lite IP address on eth4 is killed off for dynamic or static IP addressing as soon as VLANs are enabled, with Edge OS alerts saying that IP addressing is not possible on switched ports

Otherwise the system is working fine, i.e. stable internet connection and eth 0, 1 & 2 working fine.

 

One thing that I could well have got wrong when configuring the firewall settings was the denial of traffic from VLAN3 & 4 to the main network with the exception of internet access, for which I set the Destination Address as the router 192.168.10.1 and Destination Port 443 when setting https / accept / TCP. Are these settings correct?

 

Attached is the current config.boot, and I've been using this UI advisory article as my guide: https://help.ui.com/hc/en-us/articles/115012700976

I'm getting to the limits of my understanding on this, so any help would be really very much appreciated.

Thanks & regards,

Updates:

UI advisory correct URL: https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch

Config.boot (which I couldn't upload for some reason):

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name CamerasNet-in {
        default-action accept
        description ""
        rule 1 {
            action accept
            description https
            destination {
                address 192.168.10.1
                port 443
            }
            log disable
            protocol tcp
        }
        rule 2 {
            action drop
            description other
            destination {
                address 192.168.10.1/24
            }
            log disable
            protocol tcp
        }
    }
    name CamerasNet-local {
        default-action drop
        description ""
    }
    name IoTNet-in {
        default-action accept
        description ""
        rule 1 {
            action accept
            description https
            destination {
                address 192.168.10.1
                port 443
            }
            log disable
            protocol tcp
        }
        rule 2 {
            action drop
            description other
            destination {
                address 192.168.10.1/24
            }
            log disable
            protocol all
        }
    }
    name IoTNet-local {
        default-action drop
        description ""
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.20/24
        description Internet
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description "Main Net"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 172.16.1.1/24
        description "Recovery Interface"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description "Ubiquiti UAP AC Lite"
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.10.1/24
        description "Main Net - Switch"
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth3 {
            }
            interface eth4 {
                vlan {
                    pvid 1
                    vid 3
                    vid 4
                }
            }
            vlan-aware enable
        }
        vif 3 {
            address 192.168.30.1/24
            description "IoT Net"
            firewall {
                in {
                    name IoTNet-in
                }
                local {
                    name IoTNet-local
                }
            }
            mtu 1500
        }
        vif 4 {
            address 192.168.40.1/24
            description "Cameras Net"
            firewall {
                in {
                    name CamerasNet-in
                }
                local {
                    name CamerasNet-local
                }
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name CamerasNetDHCP {
            authoritative enable
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                dns-server 122.56.237.1
                dns-server 8.8.8.8
                domain-name CamerasNet
                lease 86400
                start 192.168.40.100 {
                    stop 192.168.40.250
                }
                unifi-controller 192.168.10.90
            }
        }
        shared-network-name IoTNetDHCP {
            authoritative enable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 122.56.237.1
                dns-server 8.8.8.8
                domain-name IoTNet
                lease 86400
                start 192.168.30.100 {
                    stop 192.168.30.250
                }
                unifi-controller 192.168.10.90
            }
        }
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN-2 {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 122.56.237.1
                dns-server 8.8.8.8
                domain-name MainNet
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.250
                }
                unifi-controller 192.168.10.90
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on switch0.3
            listen-on switch0.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 192.168.1.254
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password xxxxxxxxx
            }
            level admin
        }
    }
    name-server 122.56.237.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1028 */
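
A tightened version of the two VLAN isolation rulesets from the config.boot above, written as EdgeOS configure-mode commands. This is an added example, not the poster's configuration and not taken from the Ubiquiti article; the subnets, interface and ruleset names come from the posted config, while the network-group name PRIVATE_NETS and the rule numbers are my own assumptions.

```edgeos
# Added example: EdgeOS configure-mode commands that tighten the VLAN
# isolation in the posted config.boot. PRIVATE_NETS and the rule numbers
# are assumptions; subnets and ruleset names come from the posted config.
configure

# Posted CamerasNet-in rule 2 drops only "protocol tcp", so UDP and ICMP
# from the camera VLAN to 192.168.10.0/24 still pass under the default
# accept. Rule 1 targets 192.168.10.1:443, the router's own web GUI; that
# is "local" traffic, never matched by an "in" ruleset, and internet-bound
# traffic needs no rule that mentions the LAN at all.
delete firewall name CamerasNet-in rule 1
delete firewall name CamerasNet-in rule 2

# Every locally routed network, so VLAN 4 is also cut off from VLAN 3 and
# from the 172.16.1.0/24 recovery interface, not only from Main Net.
set firewall group network-group PRIVATE_NETS network 192.168.10.0/24
set firewall group network-group PRIVATE_NETS network 192.168.30.0/24
set firewall group network-group PRIVATE_NETS network 192.168.40.0/24
set firewall group network-group PRIVATE_NETS network 172.16.1.0/24

# Replies to sessions opened from Main Net (a viewer on 192.168.10.x
# streaming from a camera) must still get back in; anything the cameras
# start toward a private network is dropped and logged. Default-action
# accept stays so traffic routed onward to eth0 (the internet) passes.
set firewall name CamerasNet-in rule 10 action accept
set firewall name CamerasNet-in rule 10 description "established/related"
set firewall name CamerasNet-in rule 10 state established enable
set firewall name CamerasNet-in rule 10 state related enable
set firewall name CamerasNet-in rule 20 action drop
set firewall name CamerasNet-in rule 20 description "camera-initiated to private nets"
set firewall name CamerasNet-in rule 20 destination group network-group PRIVATE_NETS
set firewall name CamerasNet-in rule 20 protocol all
set firewall name CamerasNet-in rule 20 log enable

# CamerasNet-local is default drop, so the "listen-on switch0.4" DNS
# forwarder in the posted config cannot be reached from the VLAN; allow
# only DNS and DHCP to the router itself, nothing else (no GUI, no SSH).
set firewall name CamerasNet-local rule 10 action accept
set firewall name CamerasNet-local rule 10 description "DNS to router"
set firewall name CamerasNet-local rule 10 destination port 53
set firewall name CamerasNet-local rule 10 protocol tcp_udp
set firewall name CamerasNet-local rule 20 action accept
set firewall name CamerasNet-local rule 20 description "DHCP to router"
set firewall name CamerasNet-local rule 20 destination port 67
set firewall name CamerasNet-local rule 20 protocol udp

# Repeat the same rules for IoTNet-in and IoTNet-local, then apply:
commit
save
exit
```

Run `show firewall name CamerasNet-in statistics` afterwards to confirm the drop counter on rule 20 moves when a camera probes the main subnet.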

AndyT (Master Geek, 58 posts)
#2587218 18-Oct-2020 19:43

Resolved!

 

On audit of config.boot, I removed the "1" pvid value from eth4 VLAN interface and all is now well.