Occasional Visitor
Kennocha
Posts: 7
Registered: 07-11-2013

Re: Basic SOHO/Home Config

I had time today to run through this trying it. Here I have directly attached two PCs to port 0 and port 1, removing the wireless aspects. The devices cannot ping each other, but can ping the router's opposite interface. Really baffled here. A packet capture shows nothing making it through the EdgeMax; the captures should be attached in a txt file. Config:
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name eth0_in {
        default-action accept
        description "Wired network to other networks."
    }
    name eth0_local {
        default-action accept
        description "Wired network to router."
    }
    name eth1_in {
        default-action accept
        description "Wireless network to other networks"
    }
    name eth1_local {
        default-action accept
        description "Wireless network to router."
    }
    name eth2_in {
        default-action drop
        description "Internet to internal networks"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name eth2_local {
        default-action drop
        description "Internet to router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            description "ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        firewall {
            in {
                name eth0_in
            }
            local {
                name eth0_local
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.1/24
        firewall {
            in {
                name eth1_in
            }
            local {
                name eth1_local
            }
        }
    }
    ethernet eth2 {
        address dhcp
        firewall {
            in {
                name eth2_in
            }
            local {
                name eth2_local
            }
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name wired-eth0 {
            authoritative disable
            description "Wired Network - Eth1"
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                ntp-server 192.168.1.1
                start 192.168.1.10 {
                    stop 192.168.1.100
                }
                time-server 192.168.1.1
            }
        }
        shared-network-name wireless-eth1 {
            authoritative disable
            description "Wireless Network - Eth2"
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.100
                }
                time-server 192.168.2.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            outbound-interface eth2
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth2
        }
        listen-on eth1 {
            outbound-interface eth2
        }
    }
}
system {
    host-name ubnt
    ipv6 {
        disable
    }
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

 

Ubiquiti Employee
UBNT-ancheng
Posts: 6493
Kudos: 1975
Solutions: 781
Contributions: 2
Registered: 06-10-2011

Re: Basic SOHO/Home Config

From the capture, it looks like you are testing by pinging 192.168.2.12 from 192.168.1.10? If we look at the relevant packets in the eth1 capture (i.e., the capture on the 192.168.2.12 side), we can see the following:

23:22:42.795655 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 29, length 40
23:22:46.016492 ARP, Request who-has 192.168.2.12 tell 192.168.2.1, length 28
23:22:46.016582 ARP, Reply 192.168.2.12 is-at d4:3d:7e:4d:e1:10, length 46
23:22:47.477197 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 30, length 40
23:22:52.505243 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 31, length 40
23:22:57.477706 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 32, length 40
...

Since this is captured on the 192.168.2 subnet, it seems to indicate the router did indeed forward the ping request (ICMP echo request) from the 192.168.1 subnet and send it out to the 192.168.2 subnet. However, the 192.168.2.12 host does not seem to be responding to the ping request (even though it is responding to the ARP request from the router). Could you confirm if there isn't a firewall or something on the 192.168.2.12 host that is blocking ICMP pings?
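
The reasoning in the reply above, as an added Python example that is not part of the original post: it pairs ICMP echo requests with echo replies in tcpdump text output and notes whether a silent host still answered ARP. The sample input is the capture excerpt quoted in the post; the function names are hypothetical.

```python
import re

# Sample input: the eth1 capture lines quoted in the post above.
CAPTURE = """\
23:22:42.795655 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 29, length 40
23:22:46.016492 ARP, Request who-has 192.168.2.12 tell 192.168.2.1, length 28
23:22:46.016582 ARP, Reply 192.168.2.12 is-at d4:3d:7e:4d:e1:10, length 46
23:22:47.477197 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 30, length 40
23:22:52.505243 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 31, length 40
23:22:57.477706 IP 192.168.1.10 > 192.168.2.12: ICMP echo request, id 1, seq 32, length 40
"""

ICMP = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at (\S+),")

def analyse(capture):
    """Return (unanswered echo requests, hosts that answered ARP) for one capture."""
    pending, arp_alive = {}, {}
    for line in capture.splitlines():
        m = ICMP.search(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            if kind == "request":
                pending[(src, dst, ident, seq)] = line.split()[0]  # keep the timestamp
            else:
                # A reply travels dst -> src, so swap the addresses to find its request.
                pending.pop((dst, src, ident, seq), None)
            continue
        m = ARP_REPLY.search(line)
        if m:
            arp_alive[m.group(1)] = m.group(2)
    return pending, arp_alive

def diagnose(capture):
    """Map each destination with unanswered echo requests to a likely cause."""
    pending, arp_alive = analyse(capture)
    counts = {}
    for _src, dst, _ident, _seq in pending:
        counts[dst] = counts.get(dst, 0) + 1
    return {
        dst: (f"{n} unanswered; host answers ARP, so check its own firewall"
              if dst in arp_alive
              else f"{n} unanswered; no ARP reply, check link and addressing")
        for dst, n in counts.items()
    }

if __name__ == "__main__":
    for host, finding in diagnose(CAPTURE).items():
        print(host, "->", finding)
```

Run against a capture taken on the destination subnet, unanswered requests there mean the router forwarded the traffic and the problem lies at or beyond the destination host.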

Occasional Visitor
Kennocha
Posts: 7
Registered: 07-11-2013

Re: Basic SOHO/Home Config

I will double check in a bit, but I am near positive there isn't.

 

If they are on the same subnet they can ping each other all day long.

New Member
JPoldo
Posts: 18
Kudos: 1
Solutions: 1
Registered: 10-19-2009

Re: Basic SOHO/Home Config

Thank you Stig for config upload as I was about to return the 3 EdgeMax just purchased.  These are a "bear" to configure vs. Cisco small biz routers.  I'll have to learn a lot at this forum and knowledgebase to handle it.  Am I forced to keep eth0 at 192.168.1.0/24 because management address is not adjustable?  If I change to 10.x.x.x subnet, management capability is lost. I think eth0 is the only management port.  The console port is useless and a waste because today's laptops don't have serial ports and all our company's networking is done via laptops or netbooks.  More configuration examples would help users considerably because the manual is more like a reference guide.

Ubiquiti Employee
UBNT-stig
Posts: 4945
Kudos: 1478
Solutions: 445
Contributions: 14
Registered: 06-09-2011

Re: Basic SOHO/Home Config


JPoldo wrote:

Thank you Stig for config upload as I was about to return the 3 EdgeMax just purchased.  These are a "bear" to configure vs. Cisco small biz routers.  I'll have to learn a lot at this forum and knowledgebase to handle it.  Am I forced to keep eth0 at 192.168.1.0/24 because management address is not adjustable?  If I change to 10.x.x.x subnet, management capability is lost. I think eth0 is the only management port.  The console port is useless and a waste because today's laptops don't have serial ports and all our company's networking is done via laptops or netbooks.  More configuration examples would help users considerably because the manual is more like a reference guide.


There is nothing that requires any address or address space on any interface.  The main issue is that if you log in via 192.168.0.1 on eth0, then you can't delete that address without losing connectivity.  So you log in from a different interface and delete/add the address you want on eth0.

 

We're sorry you found it so difficult, but we're working on ideas for wizards and other ways to lessen the learning curve.

Member
Djursland01
Posts: 176
Kudos: 27
Solutions: 3
Registered: 03-12-2013

Re: Basic SOHO/Home Config

 

hello to you all 

 

I have an ERL and have put this basic_soho_config2.tar 2 KB in

I have eth0 as wired and eth1 as wireless and eth2 as WAN

I have a Windows Home Server 2011 at eth1 and I have airControl on but cannot see outside the network, which consists of a lot of NanoStation and Rocket etc

I need a little help to get airControl for monitoring

 

--- airControl 2 server diagnostics snapshot generated on 2013.07.21 12:01:58 ---
Server version : v2.0-BETA7.890.130705.1535
Database verson: [V0.015]
Server up-time : 8 days 8 hours
OS Name : Windows Server 2008 R2
OS Version : 6.1
OS Arch. : amd64
Java version : 1.7.0_21
Java classpath : ac.jar;jogl.jar;gluegen-rt.jar;jsch-0.1.48.jar;commons-codec-1.4.jar;commons-logging-1.1.1.jar;smtpmail.jar;json-simple-1.1.1.jar;

 

Best regards Flemming

aricontrol dump.png
Member
shortcut3d
Posts: 245
Kudos: 38
Solutions: 3
Registered: 07-17-2013

Re: Basic SOHO/Home Config

I came across a thread that stated IPv6 was not handled in the GUI config example, which I followed and have been modifying.

 

I would like to handle basic IPv6 from a firewall standpoint.  I understand the SOHO config simply disables IPv6 and I wanted to add this to my existing config.  Can I simply do this from the CLI:

 

set 'firewall' 'ipv6-receive-redirects' 'disable'
set 'firewall' 'ipv6-src-route' 'disable'
set 'system' ipv6 disable
commit
save
exit
SuperUser
mrjester
Posts: 1115
Kudos: 827
Solutions: 79
Contributions: 9
Registered: 06-14-2012

Re: Basic SOHO/Home Config

[ Edited ]

Just need the system ipv6 disable, commit and save.

Contact me @UBNT-Bane
Frequent Visitor
minvey
Posts: 3
Registered: 08-14-2013

Re: Basic SOHO/Home Config

Hi,

I have just started using the ERL with the basic SOHO config from Tim Higgins (http://www.smallnetbuilder.com/lanwan/lanwan-howto/32014-how-to-configure-your-ubiquiti-edgerouter-l...).

Can anyone advise how I can connect the WAN link to a PPTP/L2TP VPN? I have an account with ASTRILL. The purpose is to enable VPN without having to set up each device.

The GUI only has settings for making the ERL as PPTP VPN Server.

Your advice will be greatly appreciated. Thank you.

Ubiquiti Employee
UBNT-stig
Posts: 4945
Kudos: 1478
Solutions: 445
Contributions: 14
Registered: 06-09-2011

Re: Basic SOHO/Home Config

Setting up a pptp client can be as easy as:

configure
set interfaces pptp-client pptpc0 user-id <name>
set interfaces pptp-client pptpc0 password <password>
set interfaces pptp-client pptpc0 require-mppe
set interfaces pptp-client pptpc0 server-ip <pptp server IP>
commit
save
exit

 

Frequent Visitor
minvey
Posts: 3
Registered: 08-14-2013

Re: Basic SOHO/Home Config

Oh, Thank you stig. How can I disable VPN once I do not need it? Sorry, I really don't have CLI or Linux knowledge.
Ubiquiti Employee
UBNT-stig
Posts: 4945
Kudos: 1478
Solutions: 445
Contributions: 14
Registered: 06-09-2011

Re: Basic SOHO/Home Config

[ Edited ]

minvey wrote:
Oh, Thank you stig. How can I disable VPN once I do not need it? Sorry, I really don't have CLI or Linux knowledge.

From op mode:

disconnect interface pptpc0

 EDIT: and when you want the VPN connection up again you do:

connect interface pptpc0

 

Frequent Visitor
minvey
Posts: 3
Registered: 08-14-2013

Re: Basic SOHO/Home Config

I was able to get pptpc0 Connected but there doesn't seem to be any traffic. 

Here's a screen cap :

ERL error.jpg

Ubiquiti Employee
UBNT-stig
Posts: 4945
Kudos: 1478
Solutions: 445
Contributions: 14
Registered: 06-09-2011

Re: Basic SOHO/Home Config for EdgeRouter PoE 5-port

[ Edited ]

Now that people are starting to get the EdgeRouter PoE 5-port, I thought I'd modify the SOHO example config from the ER-Lite to work on the 5-port.  Since the 5-port has a hardware switch for the last 3 ports, I changed the config such that the WAN is now on eth1, and eth2, eth3 and eth4 are configured in "switch mode".

eth0 - LAN1  192.168.1.1/24

eth1 - WAN dhcp

switch0 - LAN (eth2, eth3, eth4) 192.168.2.1/24

The config has a dhcp server configured on eth0 and switch0.

See this post for step-by-step how to apply the attached config file.

Occasional Visitor
StrangeObject
Posts: 1
Registered: 09-13-2013

Re: Basic SOHO/Home Config

[ Edited ]

I USED THIS http://wiki.ubnt.com/SOHO_Edgemax_Example CONFIG TO SET UP MY EDGEMAX LITE--

I COULD REMOTE ACCESS TILL I SHUT IT OFF --NOW IT IS LOCKED UP, WON'T RESET, CAN'T ACCESS, NO DATA

ALL I WANT IT TO DO IS INTERNET IN FROM CABLE MODEM TO IT AND FROM IT TO ROCKET M. AND ONE TO COMPUTER BASICALLY JUST AS ROUTER

IS THIS PASSABLE? I HAVE HIT A LEARNING CURVE FROM HELL. I'LL PAY SOMEONE FOR A CONFIG(-LOL) IF I CAN GET ACCESS TO IT

Ubiquiti Employee
UBNT-ancheng
Posts: 6493
Kudos: 1975
Solutions: 781
Contributions: 2
Registered: 06-10-2011

Re: Basic SOHO/Home Config


StrangeObject wrote:

I COULD REMOTE ACCESS TILL I SHUT IT OFF --NOW IT IS LOCKED UP, WON'T RESET, CAN'T ACCESS, NO DATA

 

If the reset procedures described here don't work, it may be related to the memory issue discussed before. Please contact support@ubnt.com and we can help you verify and RMA if necessary. Thanks.

New Member
jojocruz24
Posts: 13
Kudos: 7
Registered: 09-25-2013

Re: Basic SOHO/Home Config

Hi,

Can someone please help me modify my config below. I've used the basic config found on the internet and I am using port 0 -WAN- (DHCP), port 1- LAN (192.168.33.1), port 2- LAN2 (192.168.32.1).

I want to have the WAN side use

IP 125.127.108.5 
SN Mask 255.255.255.0 
Gateway 125.127.108.254
DNS1 124.106.6.2
DNS2 124.106.5.2

If I use a different DNS ( no browsing ).

I want to access the ERL-GUI from WAN Side via TCP port 5555 (http://125.127.108.5:5555) and also on
LAN side via http://192.168.33.1

DNS from LAN side's DHCP should also use the provider IPs ( DNS1 124.106.6.2, DNS2 124.106.5.2 )


Please, please help.  Thanks.


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "packets from Internet to LAN & WLAN"
        enable-default-log
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established session to the router"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        address 192.168.33.1/24
        description LAN
    }
    ethernet eth2 {
        address 192.168.32.1/24
        description LAN2
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.33.0/24 {
                default-router 192.168.33.1
                dns-server 192.168.33.1
                lease 86400
                start 192.168.33.2 {
                    stop 192.168.33.254
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.32.0/24 {
                lease 86400
                start 192.168.32.100 {
                    stop 192.168.32.150
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.0.2.4507738.121107.1250 */

 

 

 

 

Ubiquiti Employee
UBNT-Arthur
Posts: 1314
Kudos: 162
Solutions: 141
Registered: 02-04-2013

Re: Basic SOHO/Home Config


jojocruz24 wrote:

Hi,

Can someone please help me modify my config below. I've used the basic config found on the internet and I am using port 0 -WAN- (DHCP), port 1- LAN (192.168.33.1), port 2- LAN2 (192.168.32.1).

I want to have the WAN side use

IP 125.127.108.5 
SN Mask 255.255.255.0 
Gateway 125.127.108.254
DNS1 124.106.6.2
DNS2 124.106.5.2

If I use a different DNS ( no browsing ).

I want to access the ERL-GUI from WAN Side via TCP port 5555 (http://125.127.108.5:5555) and also on
LAN side via http://192.168.33.1

DNS from LAN side's DHCP should also use the provider IPs ( DNS1 124.106.6.2, DNS2 124.106.5.2 )

...


Do you get those IP/Gateway/DNS settings from eth0 DHCP, or do you want to assign them statically?

 

 

New Member
jojocruz24
Posts: 13
Registered: ‎09-25-2013
Posts: 13
Kudos: 7
Registered: 09-25-2013

Re: Basic SOHO/Home Config

Statically. Also please help modify config I want to access the ERL-GUI from WAN Side via TCP port 5555 (http://125.127.108.5:5555) and also on LAN side via http://192.168.33.1. DNS from LAN side's DHCP should also use the provider IPs ( DNS1 124.106.6.2, DNS2 124.106.5.2 )
Ubiquiti Employee
UBNT-Arthur
Posts: 1,314
Registered: ‎02-04-2013
Posts: 1314
Kudos: 162
Solutions: 141
Registered: 02-04-2013

Re: Basic SOHO/Home Config


jojocruz24 wrote:
Statically. Also please help modify config I want to access the ERL-GUI from WAN Side via TCP port 5555 (http://125.127.108.5:5555) and also on LAN side via http://192.168.33.1. DNS from LAN side's DHCP should also use the provider IPs ( DNS1 124.106.6.2, DNS2 124.106.5.2 )

Under configuration mode -

ubnt@ERL# delete interfaces ethernet eth0 address dhcp
[edit]
ubnt@ERL# set interfaces ethernet eth0 address 125.127.108.5/24
[edit]
ubnt@ERL# set system gateway-address 125.127.108.254
[edit]
ubnt@ERL# set system name-server 124.106.6.2
[edit]
ubnt@ERL# set system name-server 124.106.5.2
[edit]
ubnt@ERL# set service gui listen-address 125.127.108.5
[edit]
ubnt@ERL# set service gui listen-address 192.168.33.1 
[edit]
ubnt@ERL# set service gui https-port 5555            
[edit]
ubnt@ERL# set service dns forwarding system 
[edit]
ubnt@ERL# commit
[edit]
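
An added example, not part of the reply above and not Ubiquiti's code: this Python code checks whether the `local` ruleset bound to an interface would accept a new TCP connection to the router on a given port, using the WAN_LOCAL ruleset and eth0 binding from the config posted earlier in the thread. The matching model is an assumption that looks only at state, protocol and destination port, and the function names are hypothetical.

```python
# Constructed sample: WAN-facing parts of the config posted in this thread.
CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
"""

def parse(text):
    """Parse brace-delimited EdgeOS config text into nested dicts; leaves are value lists."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip().strip('"'))
    return stack[0]

def verdict(ruleset, port):
    """Action for a NEW TCP connection to `port` (assumed model: source is ignored)."""
    rules = [(int(k.split()[1]), r) for k, r in ruleset.items() if k.startswith("rule ")]
    for _, rule in sorted(rules, key=lambda pair: pair[0]):
        state = rule.get("state")
        if state and state.get("new") != ["enable"]:
            continue  # rule matches only established/related/invalid packets
        if rule.get("protocol", ["all"])[0] not in ("all", "tcp", "tcp_udp"):
            continue
        dport = rule.get("destination", {}).get("port")
        if dport and str(port) not in dport[0].split(","):
            continue
        return rule["action"][0]
    return ruleset["default-action"][0]

def exposure(cfg, iface, port):
    local = cfg["interfaces"]["ethernet " + iface].get("firewall", {}).get("local")
    # No local ruleset bound to the interface: nothing filters traffic to the router.
    return verdict(cfg["firewall"]["name " + local["name"][0]], port) if local else "accept"
```

With the posted WAN_LOCAL ruleset, `exposure(parse(CONFIG), "eth0", 5555)` returns `drop`, so the GUI port stays closed on the WAN side until an accept rule is added; scoping such a rule to a known source address keeps the management interface off the open Internet.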