IP-MAC binding for EdgeSwitch

Submitted by -
Status: Duplicate

It'd be great to have these switches support IP-MAC bindings to prevent ARP poisoning attacks. Placing it in combination with Dynamic ARP Inspection (DAI) would make for a powerful combo in the next major point release.


We're looking to do a large deployment and the lack of DAI and static bindings is holding us up from doing more EdgeSwitches.

Enable Dynamic ARP Inspection in Edgeswitch

Submitted by -
Status: New Idea

If the Edgeswitch is based on Broadcom's FASTPATH, then it hopefully isn't too hard to add/enable Dynamic ARP Inspection (DAI).


I would be happy with just CLI commands, but it would probably be pretty easy to add it to the WebGUI too.

ER-X (EdgeOS - EdgeRouter) - Support for TACACS

Submitted by -
Status: New Idea

I could see this being really useful as an 'edge device' for P2P links. However, it would need to support TACACS.


I work for an ISP, and we provide our customers with P2P links at times. In order for us to maintain our management network, we end up providing a Cisco 2950 (or variant) as an edge device which we address on our management network and configure for TACACS. 


If the ER-X could do TACACS, it would be the perfect solution at an astounding price point ($49 router with a $80 bullet)! We would be able to build it out as such:


Core Network<->Bullet Link to CX<->EdgeRouterX<->Customer's Gateway


rather than:


Core Network<->Bullet Link to CX<->Cisco2950<->Customer's Gateway


Let's face it, a 4 port router/switch with VLAN, PoE Passthrough, and TACACS would be a perfect fit for us.



IPv6 Wizard

Submitted by -
Status: New Idea

It would be nice to include an IPv6 wizard with your next EdgeRouter Lite firmware release. I could sell a boatload of these to my customers if I didn’t have to spend forever trying to figure out IPv6 per installation. Let's face it, it’s a check mark on most SoHo routers now and it would be much appreciated.

An OpenVPN GUI or wizard would be nice too. EdgeRouter is an excellent product!


directed broadcast forwarding (equivalent of IOS 'ip directed-broadcast')

Submitted by -
Status: New Idea

We have an application that uses subnet-directed broadcast for distributing data. We currently use Cisco equipment, with the 'ip directed-broadcast' option enabled, but it appears that EdgeOS has no such option. Given that we can't easily redesign the application (multicast would be the preferred alternative, but too much of our WAN doesn't support it and the folks who designed it aren't interested in changing it) this precludes us from using EdgeRouter for most of our sites. 


Looking around, I see https://community.ubnt.com/t5/EdgeMAX/Multicast-Sonos-Phorus-amp-Play-Fi-Broadcast-255-255-255-255-lt/m-p/1268559#M67208, which is almost what we need. Key differences:


* The packets in question are destined to a subnet broadcast address, not the all-ones address. 

* The broadcasts sent to a given subnet's broadcast address are specific to that subnet, and each subnet receives its own broadcast data. As such, the current implementation (which simply replicates to all interfaces) won't work. The egress interface would need to be chosen based on the input destination address.


It strikes me that some minor modifications to the udp-daemon code to route broadcasts based on the original destination address might make something very close to 'ip directed-broadcast' possible on EdgeOS.

Firewall Modify for VPN Remote Access

Submitted by -
Status: New Idea

I set up policy-based routing with firewall modify, using:

set interfaces ethernet eth2 firewall in modify AUTO_VPN 

But such rules cannot be added to VPN interfaces, like l2tp remote-access.


In my case, I do: 

# iptables-save |grep AUTO_VPN
:AUTO_VPN - [0:0]
-A AUTO_VPN -m comment --comment AUTO_VPN-10 -m set --match-set FORBIDDEN_ZONE dst -j UBNT_WLB_VLB
-A AUTO_VPN -m comment --comment "AUTO_VPN-10000 default-action accept" -j RETURN

# iptables-save > iptables.save 

# vim iptables.save
## add
##  -A VYATTA_FW_IN_HOOK -i l2tp0 -j AUTO_VPN
## after -A VYATTA_FW_IN_HOOK -i eth0 -j AUTO_VPN
## save

# iptables-restore < iptables.save 


I hope such firewall rules become available in set vpn pptp/l2tp remote-access, not only for this scenario but also to limit the behavior of VPN remote-access clients.
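
The manual edit described in the post above (adding the l2tp0 hook after the eth0 hook in a saved ruleset), scripted as an added example that is not part of the original post. The function name add_hook and the sample dump are assumptions constructed for illustration; the chain and interface names are the ones shown in the post.

```shell
#!/bin/sh
# add_hook SRC_IF NEW_IF CHAIN
# Reads an iptables-save dump on stdin and writes it to stdout with
#   -A VYATTA_FW_IN_HOOK -i NEW_IF -j CHAIN
# inserted right after the existing hook for SRC_IF.
# Idempotent: an already-present hook is not added twice.
# Exits 1 and prints nothing if the SRC_IF hook is missing.
add_hook() {
    awk -v src="$1" -v new="$2" -v chain="$3" '
        BEGIN {
            anchor = "-A VYATTA_FW_IN_HOOK -i " src " -j " chain
            wanted = "-A VYATTA_FW_IN_HOOK -i " new " -j " chain
        }
        { lines[NR] = $0 }
        $0 == anchor { found = 1 }
        $0 == wanted { present = 1 }
        END {
            if (!found) exit 1   # no anchor rule: refuse to guess a position
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (lines[i] == anchor && !present) print wanted
            }
        }'
}

# Constructed sample dump (not captured from a real router).
SAMPLE_DUMP='*mangle
:VYATTA_FW_IN_HOOK - [0:0]
:AUTO_VPN - [0:0]
-A VYATTA_FW_IN_HOOK -i eth0 -j AUTO_VPN
-A AUTO_VPN -m comment --comment "AUTO_VPN-10000 default-action accept" -j RETURN
COMMIT'

# Show the edited ruleset; on a router this would be written to a file,
# reviewed, and then loaded with iptables-restore as in the post.
printf '%s\n' "$SAMPLE_DUMP" | add_hook eth0 l2tp0 AUTO_VPN
```

Because the function refuses to emit anything when the anchor rule is absent, a failed run cannot produce a truncated file that would then be fed to iptables-restore.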



EdgeRouter Lite - Memory RAM slot

Submitted by -
Status: Won't Implement



Please add, in the new build of the Lite, a slot for memory, to extend up to 1-2 GB of RAM.


512 MB DDR at the moment is not enough.


This will be a great feature!

Edgerouter ideas

Submitted by - 4 weeks ago
Status: New Idea

On Edgerouter it would be great to have:

1) definition for NTP&SYSLOG source interface (IP address)

2) ping with source defined address should work with "ip source-validation strict" command

3) lldp-med option (for IP phones to learn voice VLAN through lldp message)

4) vrf support... I am still waiting for the next software

5) mac filtering based on mac + wildcard mask (or OUI prefix)

6) support for more than one loopback

System Software Update Option

Submitted by -
Status: New Idea

I would like to see a software update check through the System --> Upgrade System Image section. The router could check say each week to see if there is a new version of either the beta releases or the stable releases. The router could then just display a message on the admin login page for the administrator or email the administrator that a firmware update is available. This would help for people who don't frequent the ubnt.com site or the forums.

It would be nice to select auto download through the router setup menu, however at least notifying the administrator there is an update would be very handy.

Thank you.

SIP ALG per NAT Rule - connection-tracking module sip

Submitted by -
Status: New Idea

Hi Friends,


I have run into a number of occasions where it would be very helpful to be able to apply the SIP header transformations per nat rule instead of system-wide.


Our specific use case is when we want to utilize both SIP trunks (sip module enabled) and SIP endpoints (sip module disabled) behind one EdgeRouter. If we could do this per nat rule, I could disable for the masq rule that the endpoints use and enable it for the manual nat config for the SIP trunk.


The less awesome way may be to be able to enable/disable per interface somehow, but this sounds like it would get confusing and be less effective.





Add tagged bridge to another bridge-group ( EdgeRouter ER-8 )

Submitted by -
Status: New Idea



Could you please add support for adding a bridge VLAN subinterface to another bridge (bridge-group)?


Example, how it should look:


set interfaces bridge br5000
set interfaces bridge br5000 vif 777
set interfaces bridge br6000
set interfaces bridge br5000 vif 777 bridge-group bridge br6000


As a result, we must see the following line in the Linux CLI output:


brctl show | grep br6000
br6000		8000.24a43c3c39ee	no		br5000.777

Right now, the only way to achieve the same result is via the Linux CLI:


brctl addif br6000 br5000.777


Please add the same functionality to the Vyatta CLI and web UI of the EdgeRouter ER-8.



Best regards, Yuri


Edgeswitch backup and restore configuration gui request

Submitted by -
Status: Implemented

It would be really handy to have a GUI option for an easy backup to file and restore config procedure for the EdgeSwitches, instead of the FTP method.

EdgeRouter: Display status of Static DHCP leases

Submitted by -
Status: New Idea

On the Static MAC/IP Mapping tab please add a column that shows if a particular mapping is online/offline (up or down).

Throttling as an alternative to drop, reject or accept.

Submitted by -
Status: Implemented

Would it be possible to add throttling or QoS as an alternative in the firewall's basic tab and then make it able to throttle certain applications based on state, source, destination or time / date?

Please more wizards...and fix the wizards you have

Submitted by -
Status: New Idea

Here's the review I just posted at Amazon


I bought this because I have AT&T static IP and wanted to make use of it. And I wanted a VPN that would work with Microsoft Windows built-in VPN as well as the Apple iPhone built-in VPN. This router does this. And you can even create local username/passwords so no RADIUS server is needed. But you have to know the tricks to do this and Ubiquiti makes this very standard config very hard to figure out. I spent about 8 hours and finally figured it out, so hopefully this will save you boatloads of time.

1) Start with the wizard #2. That gets most things set up for you, mainly it sets switch0 to be eth1 thru eth4 and eth0 you connect to the WAN (in this case, the LAN port on my 2wire/att router). I set the IP address to the first static IP address in my range and set the EdgeRouter to use the 2wire att router to route out to the internet using the last static IP that AT&T gave me.
2) NOTE that when they ask for an IP address, you should type in the IP address you want the router to be at, not the base IP address for the network. So if you want your router to be at, then put in for the address, not and hoping to configure the router address somewhere else
3) To have VPN accessible from the outside, you MUST add a new firewall rule (#3) to accept new connections to TCP port 1723 in the WAN_LOCAL firewall rules (this is WAN to the router firewall ... the WAN_IN is the WAN to your internal ports). Without this rule, your VPN will only connect from inside the firewall (sort of useless but good for testing)
4) To configure your VPN, you MUST either use the command line tool, or use the Config tree. I think the Config tree was the easiest to use. You make the changes (it will show your changes in red) and commit them. By drilling down in the VPN menus, you can set local username,password, and the type of VPN you want. I chose PPTP since that works with default VPN clients easily (windows and iphone).

The documentation is really pretty bad. For example, in the tooltips and the manual (which is out of date), if you have a field asking for an IP address, the "tip" you get says "Enter IP address in form" or something like that. So completely not helpful.

So most of the features of the router you can only get via CLI or the Config tree.

Use the System tab to save your work as you configure in case you badly screw up and have to go back.

Once set up, it works like a charm.

They REALLY should have wizards for the most common cases like my case of a home router with one WAN, the rest of the ports on my LAN, and a VPN server. That would have saved a LOT of time. And it should have configured around my choice for router address (see next pgf).

Also, I tried to setup my network with gateway of and the wizard failed with an error message that was pretty lame saying I wasn't allowed to use that address. Addresses must in the range ... to .... Well that's because the wizard sets up a DHCP server for you and doesn't think to do that based on the router address you want to use. So you use the wizard, then change the DHCP range to what you want, then change the router address to what you want. The wizard sets up basic firewalls for you so a useful way to get started.

Tablet-Compatible GUI for Edge Switches and Routers

Submitted by -
Status: New Idea

The existing EdgeOS for EdgeRouters and Edge Switches is not 100% compatible with mobile devices such as iPad.


Example: Menu of Edge Switches with 1.3.0 are unable to scroll down in several menus like the port summary page.


In current era of transition/transformation of computing, it is in my humble opinion, an essential step forward to be ready for the time where administrators, technicians, engineers may be using mobile devices like tablets, iPads to troubleshoot, fix configurations, etc.


Having this built into the development process now will enable UBNT to lead the future.

EdgeRouter PRO 6 Additional Features

Submitted by -
Status: Invalid

Additional Software Features besides the hardware improvements EX:


  • Gateway Anti-Malware, Intrusion Prevention, Application Intelligence and Control
  • Content Filtering Service
  • Enforced Client Anti-Virus and Anti-Spyware service via 3rd party service
  • Comprehensive Anti-Spam Service



Custom DHCP options in GUI

Submitted by -
Status: New Idea


Don't know if this was mentioned before, but it would be nice to have a place to enter dhcp options in the dhcp server gui.

Active-Standby Failover Router Pair

Submitted by -
Status: Implemented

I've seen this done with two Cisco ASA5510 units and I know it can be done with Linux. Ideally, things like VPN connections would failover as well.

ssh keys by user, not global

Submitted by -
Status: Implemented

As it says, allow login by ssh key by user. Currently, it is a global setting and we'd like the ability to have some users log in via an ssh key (for system services like rancid or monitoring) and passwords (AAA) for regular users.