New Idea

SECURITY ISSUE: Support iptables -m policy --dir out --pol ipsec

Submitted by - 2 weeks ago
Status: New Idea

The firewall rule "ipsec match-ipsec" command allows matching ipsec traffic inbound-only via "-m policy --dir in --pol ipsec". There does not appear to be any way to filter traffic in the outbound direction.


This is a security issue because it means that there is (apparently) no way to prevent outbound IPSec traffic leakage when tunnels have gone down.


Current EdgeMax customers may, right now, be unwittingly sending unencrypted traffic which was meant to be encrypted.


Unless I am mistaken, this isn't just a feature request, this is an ongoing security threat to Ubiquiti customers.


References:

https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Tunnel-Shunting

https://community.ubnt.com/t5/EdgeMAX/How-to-protect-from-ipsec-outbound-leakage/m-p/1865143
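The "tunnel shunting" the strongSwan page recommends, written out with raw iptables as an added example (this is not EdgeOS or strongSwan code, and the LAN subnets and peer address are hypothetical placeholders). The outbound rule is the one EdgeOS cannot express: traffic for the remote LAN is accepted only when the kernel holds an IPsec policy that will wrap it in ESP to the peer, and anything else addressed to that LAN is dropped rather than forwarded in clear. The inbound pair mirrors it so that cleartext packets claiming the remote LAN as their source are rejected too.

```shell
#!/bin/sh
# Added example (not EdgeOS or strongSwan code): IPsec tunnel shunting with xt_policy.
# All addresses are hypothetical placeholders; override them via the environment.
LOCAL_NET=${LOCAL_NET:-10.0.1.0/24}      # LAN behind this router
REMOTE_NET=${REMOTE_NET:-10.0.2.0/24}    # LAN behind the IPsec peer
PEER=${PEER:-203.0.113.10}               # peer's tunnel endpoint address
IPT=${IPT:-iptables}                     # set IPT=echo to preview instead of applying

ipsec_shunt_rules() {
    # Outbound: forward LAN -> remote LAN only if an IPsec SP (ESP, tunnel mode,
    # tunnel destination = peer) will apply to the packet on the way out.
    "$IPT" -I FORWARD 1 -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst "$PEER" -j ACCEPT
    # Anything else for the remote LAN (tunnel down, SA expired, SP missing) is dropped,
    # so it never leaves the WAN side unencrypted.
    "$IPT" -I FORWARD 2 -s "$LOCAL_NET" -d "$REMOTE_NET" -j DROP
    # Inbound mirror: packets from the remote LAN must have arrived inside ESP from the peer.
    "$IPT" -I FORWARD 3 -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src "$PEER" -j ACCEPT
    "$IPT" -I FORWARD 4 -s "$REMOTE_NET" -d "$LOCAL_NET" -j DROP
}

# Print the rules that would be applied without touching the kernel.
preview_rules() {
    ( IPT=echo; ipsec_shunt_rules )
}

case "${1:-preview}" in
    apply) ipsec_shunt_rules ;;   # needs root: sh script.sh apply
    *)     preview_rules ;;
esac
```

The rules are inserted at the top of FORWARD (`-I ... 1` to `4`) so that they take effect ahead of any blanket ACCEPT already in the chain; `--dir out` is evaluated on the plaintext packet before ESP encapsulation, which is exactly why an inbound-only match cannot provide leak protection.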


Send DPI statistics to UniFi controller.

Submitted by -
Status: New Idea

Please allow for DPI data to be sent to the UniFi controller. I do not need to be able to make any changes from UniFi. I would just like to populate DPI statistics.

Ability to configure SSH security parameters

Submitted by - 3 weeks ago
Status: New Idea

Currently EdgeOS still allows HMAC (message authentication code) algorithms that are considered weak and obsolete, including 'hmac-md5'. Similarly, CBC encryption ciphers are still allowed and are also considered weak and obsolete. While there may be environments where these are required, there should be the ability to disable these as appropriate.


As a more complete request, the EdgeOS UI (BUI and CLI) should provide the ability to configure:

  • Authentication methods
  • Encryption Cipher algorithms
  • Message Authentication Code (HMAC) algorithms

There is limited support for specifically disabling password-encryption, but this request seeks a more encompassing ability.
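To see what "weak and obsolete" means in practice, here is an added example (not EdgeOS code) that audits the algorithm lists an OpenSSH server offers and prints a hardened sshd_config fragment beside them. The input format is that of `sshd -T` (lowercase keyword followed by a comma-separated list); the sample embedded below is constructed to look like a permissive default and is not captured from a real router.

```shell
#!/bin/sh
# Added example (not EdgeOS code): flag weak SSH algorithms in `sshd -T` output and
# show the hardened replacement. SAMPLE_SSHD_T is constructed, not captured.
SAMPLE_SSHD_T='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5-96
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256@libssh.org'

# weak_algos TEXT: print one "keyword algorithm" line per weak entry.
# Flagged: CBC ciphers, 3DES and RC4, MD5 or truncated (-96) MACs, plain hmac-sha1,
# and SHA-1 based Diffie-Hellman key exchange (group1 is also only 1024 bits).
weak_algos() {
    printf '%s\n' "$1" | while read -r kw list; do
        case "$kw" in
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;
        esac
        printf '%s\n' "$list" | tr ',' '\n' | while read -r algo; do
            case "$kw $algo" in
                "ciphers "*-cbc|"ciphers "3des*|"ciphers "arcfour*) echo "$kw $algo" ;;
                "macs "hmac-md5*|"macs "*-96|"macs hmac-sha1")       echo "$kw $algo" ;;
                "kexalgorithms "*-sha1)                            echo "$kw $algo" ;;
            esac
        done
    done
}

# Hardened sshd_config lines: AEAD/CTR ciphers only, SHA-2 MACs with encrypt-then-MAC
# preferred, and modern key exchange. Append to sshd_config and reload sshd.
hardened_sshd_config() {
    cat <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
}

# audit_sshd TEXT: succeed only when nothing weak is offered, so it can gate a config push.
audit_sshd() {
    [ -z "$(weak_algos "$1")" ]
}

# On a router: weak_algos "$(sshd -T)"; here the constructed sample is used.
weak_algos "$SAMPLE_SSHD_T"
```

Keep a second session open while changing these lists: if the client you are on only speaks the algorithms you just removed, the next connection will fail before you can undo the change.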


Please publish SNMP MIBs

Submitted by -
Status: Accepted

EdgeSwitches currently support/use several standard MIBs, however there are some OIDs that are unique/proprietary to EdgeSwitches and are not defined elsewhere.


Observium and others apparently have obtained a set of EdgeSwitch MIBs, included as part of their (3rd-party) monitoring solution distributions but not otherwise available from UBNT directly. The last count has almost 40 separate MIB files for EdgeSwitches.


There are now a pair of UniFi MIBs available and referenced in the release notes for current releases, but there do not seem to be any other MIBs available.


It seems most are searching for and using these 3rd-party references, but ideally UBNT should be providing these directly. Perhaps another section on the product download pages for "SNMP MIBs", in addition to the existing "Firmware" and "Documentation" sections, could be added with this content?


SSL certs from https://letsencrypt.org

Submitted by -
Status: New Idea

I really would like to see the end of self-signed certs and the implementation of https://letsencrypt.org for EdgeOS.

This would be a great move in the right direction for out-of-the-box SSL.


Share bandwidth evenly per IP address

Submitted by - a month ago
Status: New Idea

As mentioned in post https://community.ubnt.com/t5/EdgeMAX/Share-bandwidth-evenly-per-IP-address/m-p/1844147.


For example if my total download limit is 1000 kbit/s and I have two hosts on the network (host A and host B).

If host A is downloading a single file and host B is downloading a single file, each host should get 500 kbit/s.

If host A is downloading two files and host B is downloading a single file, each host should get 500 kbit/s, host A will get 250 kbit/s for each file download and host B will get 500 kbit/s for the download.

If only a single host is downloading, it should get the full 1000 kbit/s.


It can be easily configured on pfSense: https://www.gridstorm.net/pfsense-traffic-limiting-fair-share/


Using tc on Linux, it can be done using the following to limit outgoing traffic on eth0 to 1000 kbit/s and fairly share the allocated 1000 kbit/s per host regardless of number of connections opened by each host:

# Root HTB qdisc; class 1:1 caps total egress on eth0 at 1000 kbit/s
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit
# SFQ under 1:1 round-robins between flows; perturb 10 re-seeds the hash every 10 s
tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
# Catch-all u32 filter: every IPv4 packet goes into class 1:1
tc filter add dev eth0 parent 1: protocol ip u32 match u32 0 0 flowid 1:1
# Replace SFQ's default 5-tuple hash: bucket on the conntrack destination address only,
# so all of one host's connections share a single SFQ slot (divisor must match SFQ's, default 1024)
tc filter add dev eth0 parent 10: protocol ip handle 10 flow hash keys nfct-dst divisor 1024


Essentially it is the SFQ queue type with the flow classifier set to assign packets to different flows based only on IP address (the destination IP address in the above example) rather than on source IP + source port + destination IP + destination port. This helps to avoid a single computer opening multiple connections to hog more bandwidth.


In comparison to HFQ, this works on subnets larger than /22.

IP address spoofing security = IP Source guard + DHCP Option 82

Submitted by -
Status: New Idea

Can you please add the IP Source Guard feature to EdgeSwitches? Also DHCP spoofing with DHCP Option 82 (DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources).

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host.

Update to OpenVPN 2.4.0 on Edgerouter

Submitted by -
Status: Accepted

Please update the OpenVPN version, as the current server only supports TLS 1.0.


Thanks

OSPF on EdgeSwitch

Submitted by -
Status: New Idea

Need OSPF on Edgeswitches for use in campus networks...

Edgerouter Centralized Management Console

Submitted by -
Status: Accepted

It would be nice to see something like AirControl or UniFi for managing / viewing multiple edge routers (centralized configuration backups, mass firmware updates, etc). Anything like this in the works? Maybe call it EdgeControl and mimic the functionality of AirControl?

Redundant power supply on EdgeRouter Pro series

Submitted by -
Status: New Idea

Hi,

EdgeRouter Pro routers can be, and often are, used as mission-critical routers in networks. It is a nice piece of hardware, and the software makes it a very viable alternative. It would be great to make the next generation of the EdgeRouter Pro series power-redundant, so they can be connected to two power feeds at the same time.

This will help in designing fully redundant networks, with tolerance of a single internal PSU failure as well as redundant feeds, avoiding a SPoF from a power perspective.


Many thanks and keep up the good work!

EdgeRouter DPI host nicknames

Submitted by -
Status: New Idea

Please enable an option to rename hosts and give them Nicknames when using DPI.


I can do this using my UniFi AC LR, but not when using my EdgeRouter X.

Let's Encrypt for Web UI

Submitted by -
Status: Duplicate

I'd love it if:


    1) The router has a valid hostname and

    2) $hostname:{80|443} reaches the device


the device would (automatically) reach out and obtain a Let's Encrypt certificate for the Web UI. (Note: Let's Encrypt is 100% free, so it would not cost the operator anything.)


DNS mode (manual) would be a handy backup as well

Intrusion Prevention/Detection

Submitted by -
Status: New Idea

It would be nice if we had an IDS system for EdgeMax ...

Hardware Offloading on ER-X(-SFP)

Submitted by -
Status: Implemented

To increase the throughput, add hardware offload support to the ER-X(-SFP) for NAT, PPPoE and VLAN. I think the SoC supports this and only a driver is needed.

Command Abbreviation

Submitted by -
Status: New Idea

This seems to be something that VyOS already has


For example, I would like to be able to run stuff like this:

conf

ed int eth eth1

set add 192.168.1.1/24

PPPoE Server IPV6 support

Submitted by -
Status: New Idea

Support for the IPv6-related RADIUS attributes in the EdgeMax PPPoE Server service.


See also EdgeMAX/PPPoE-server-IPV6

PPPoE uptime

Submitted by -
Status: New Idea

Would be nice to be able to see the PPPoE connection uptime. My old router running OpenWRT/LEDE firmware had this implemented. Any word on when we could see this on the EdgeOS platform?


New to this forum and I believe I posted in the wrong place originally.


HERE is my original post with some progress on a simple PPPoE uptime script.


Support for IPv6-RD with a dynamic IP address

Submitted by - 4 weeks ago
Status: New Idea

I'd like to request that the 6rd functionality be extended to operate properly with a dynamic IP address. The current solution is to use a cron script to rewrite the configuration every 5 minutes, which isn't really that great. A forum member suggested some syntax that might work well. The best solution would be to have an ISP with dual-stack support, but that isn't always possible, sadly.

GUI for OpenVPN

Submitted by -
Status: New Idea

A GUI for simple setup of OpenVPN server mode would be great. Nothing fancy, just similar to what DD-WRT supports today. Ideally L2TP, PPTP and SSTP with local user support as well. This would be great for SOHO.