It'd be great to have these switches support IP-MAC bindings to prevent ARP poisoning attacks. Combined with Dynamic ARP Inspection (DAI), this would make for a powerful combo in the next major point release.
We're looking to do a large deployment and the lack of DAI and static bindings is holding us up from doing more EdgeSwitches.
If the EdgeSwitch is based on Broadcom's FASTPATH, then it hopefully isn't too hard to add/enable Dynamic ARP Inspection (DAI).
I would be happy with just CLI commands, but it would probably be pretty easy to add it to the WebGUI too.
I could see this being really useful as an 'edge device' for P2P links. However, it would need to support TACACS.
I work for an ISP, and we provide our customers with P2P links at times. In order for us to maintain our management network, we end up providing a Cisco 2950 (or variant) as an edge device which we address on our management network and configure for TACACS.
If the ER-X could do TACACS, it would be the perfect solution at an astounding price point ($49 router with a $80 bullet)! We would be able to build it out as such:
Core Network<->Bullet Link to CX<->EdgeRouterX<->Customer's Gateway
Core Network<->Bullet Link to CX<->Cisco2950<->Customer's Gateway
Let's face it, a 4 port router/switch with VLAN, PoE Passthrough, and TACACS would be a perfect fit for us.
It would be nice to include an IPv6 wizard with your next EdgeRouter Lite firmware release. I could sell a boatload of these to my customers if I didn't have to spend forever trying to figure out IPv6 on a per-installation basis. Let's face it, it's a check mark on most SoHo routers now and it would be much appreciated.
An OpenVPN GUI or wizard would be nice too. EdgeRouter is an excellent product!
We have an application that uses subnet-directed broadcast for distributing data. We currently use Cisco equipment, with the 'ip directed-broadcast' option enabled, but it appears that EdgeOS has no such option. Given that we can't easily redesign the application (multicast would be the preferred alternative, but too much of our WAN doesn't support it and the folks who designed it aren't interested in changing it) this precludes us from using EdgeRouter for most of our sites.
Looking around, I see https://community.ubnt.com/t5/EdgeMAX/Multicast-Sonos-Phorus-amp-Play-Fi-Broadcast-255-255-255-255-lt/m-p/1268559#M67208, which is almost what we need. Key differences:
* The packets in question are destined to a subnet broadcast address, not the all-ones address.
* The broadcasts sent to a given subnet's broadcast address are specific to that subnet, and each subnet receives its own broadcast data. As such, the current implementation (which simply replicates to all interfaces) won't work. The egress interface would need to be chosen based on the input destination address.
It strikes me that some minor modifications to the udp-daemon code to route broadcasts based on the original destination address might make something very close to 'ip directed-broadcast' possible on EdgeOS.
I set up policy-based routing using firewall modify:
set interfaces ethernet eth2 firewall in modify AUTO_VPN
But such rules cannot be added to VPN interfaces, like l2tp remote-access.
In my case, I do:
# iptables-save | grep AUTO_VPN
:AUTO_VPN - [0:0]
-A AUTO_VPN -m comment --comment AUTO_VPN-10 -m set --match-set FORBIDDEN_ZONE dst -j UBNT_WLB_VLB
-A AUTO_VPN -m comment --comment "AUTO_VPN-10000 default-action accept" -j RETURN
-A VYATTA_FW_IN_HOOK -i eth2 -j AUTO_VPN
-A VYATTA_FW_IN_HOOK -i eth0 -j AUTO_VPN
# iptables-save > iptables.save
# vim iptables.save
## add
## -A VYATTA_FW_IN_HOOK -i l2tp0 -j AUTO_VPN
## after
## -A VYATTA_FW_IN_HOOK -i eth0 -j AUTO_VPN
## save
# iptables-restore < iptables.save
I hope such firewall rules become available under set vpn pptp/l2tp remote-access, not only for this scenario but also to limit the behaviour of VPN remote-access clients.
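A scripted version of the hand edit described in that post, added here as an example (it is not code from the original post or from EdgeOS): it takes an iptables-save dump, inserts the l2tp0 jump into VYATTA_FW_IN_HOOK directly after the eth0 jump, refuses to touch a dump in which the target chain is not defined, and does nothing if the jump is already present. Chain and interface names come from the post; the sample dump is constructed to mirror the post's output, and placing the hook in the mangle table is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from EdgeOS.
# Inserts an extra interface jump into the VYATTA_FW_IN_HOOK chain of an
# iptables-save dump so the manual vim edit can be repeated safely.

# make_sample_dump FILE: write a constructed iptables-save fragment that
# mirrors the post's output (the *mangle table placement is an assumption).
make_sample_dump() {
  cat > "$1" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:AUTO_VPN - [0:0]
:VYATTA_FW_IN_HOOK - [0:0]
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A AUTO_VPN -m comment --comment AUTO_VPN-10 -m set --match-set FORBIDDEN_ZONE dst -j UBNT_WLB_VLB
-A AUTO_VPN -m comment --comment "AUTO_VPN-10000 default-action accept" -j RETURN
-A VYATTA_FW_IN_HOOK -i eth2 -j AUTO_VPN
-A VYATTA_FW_IN_HOOK -i eth0 -j AUTO_VPN
COMMIT
EOF
}

# add_hook_jump DUMP IFACE [CHAIN]
# Insert "-A VYATTA_FW_IN_HOOK -i IFACE -j CHAIN" right after the eth0 jump.
# Exit status: 0 on success or if the jump already exists, 1 if CHAIN is not
# defined in the dump, non-zero if no eth0 jump was found to anchor on.
add_hook_jump() {
  dump="$1"; iface="$2"; chain="${3:-AUTO_VPN}"
  grep -q "^:$chain " "$dump" || { echo "chain $chain not defined in $dump" >&2; return 1; }
  # Idempotent: a second run must not duplicate the jump.
  grep -q "^-A VYATTA_FW_IN_HOOK -i $iface -j $chain\$" "$dump" && return 0
  awk -v iface="$iface" -v chain="$chain" '
    { print }
    $0 == "-A VYATTA_FW_IN_HOOK -i eth0 -j " chain {
      print "-A VYATTA_FW_IN_HOOK -i " iface " -j " chain
    }' "$dump" > "$dump.new" && mv "$dump.new" "$dump"
  # Fails if the eth0 anchor line was absent and nothing was inserted.
  grep -q "^-A VYATTA_FW_IN_HOOK -i $iface -j $chain\$" "$dump"
}

# hook_jump_count DUMP CHAIN: how many interface jumps into CHAIN the hook has.
hook_jump_count() {
  grep -c "^-A VYATTA_FW_IN_HOOK -i [^ ]* -j $2\$" "$1"
}

# Demo on the constructed dump: prints the three hook jumps (eth2, eth0, l2tp0).
demo=$(mktemp)
make_sample_dump "$demo"
add_hook_jump "$demo" l2tp0
grep '^-A VYATTA_FW_IN_HOOK' "$demo"
rm -f "$demo"
```

On the router the sequence is `iptables-save > iptables.save`, `add_hook_jump iptables.save l2tp0`, then `iptables-restore < iptables.save`. The restored rule lives only in the kernel, not in the EdgeOS configuration, so it is lost whenever the firewall rules are regenerated (for example after a reboot), which is the reason the post asks for native support.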
On EdgeRouter it would be great to have:
1) definition of the NTP & syslog source interface (IP address)
2) ping with a defined source address should work with the "ip source-validation strict" command
3) lldp-med option (for IP phones to learn the voice VLAN through LLDP messages)
4) VRF support... I am still waiting for the next software
5) MAC filtering based on MAC + wildcard mask (or OUI prefix)
6) support for more than one loopback
I would like to see a software update check through the System --> Upgrade System Image section. The router could check, say, each week to see if there is a new version of either the beta releases or the stable releases. The router could then just display a message on the admin login page for the administrator or email the administrator that a firmware update is available. This would help people who don't frequent the ubnt.com site or the forums.
It would be nice to select auto download through the router setup menu, however at least notifying the administrator there is an update would be very handy.
I have come across a number of occasions where it would be very helpful to be able to apply the SIP header transformations per NAT rule instead of system-wide.
Our specific use case is when we want to utilize both SIP trunks (SIP module enabled) and SIP endpoints (SIP module disabled) behind one EdgeRouter. If we could do this per NAT rule, I could disable it for the masquerade rule that the endpoints use and enable it for the manual NAT config for the SIP trunk.
The less awesome way may be to be able to enable/disable per interface somehow, but this sounds like it would get confusing and be less effective.
Could you please add support for adding a bridge VLAN subinterface to another bridge (bridge-group)?
Example, how it should look:
set interfaces bridge br5000
set interfaces bridge br5000 vif 777
set interfaces bridge br6000
set interfaces bridge br5000 vif 777 bridge-group bridge br6000
As a result, we should see the following line in the Linux CLI output:
brctl show | grep br6000
br6000 8000.24a43c3c39ee no br5000.777
Right now, the only way to achieve the same result is via the Linux CLI:
brctl addif br6000 br5000.777
Please add the same functionality to the Vyatta CLI and web UI of the EdgeRouter ER-8.
Best regards, Yuri
It would be really handy to have a GUI option for an easy backup-to-file and restore-config procedure for the EdgeSwitches, instead of the FTP method.
Would it be possible to add throttling or QoS as an alternative in the firewall's basic tab and then make it able to throttle certain applications based on state, source, destination or time/date?
Here's the review I just posted at Amazon
I bought this because I have an AT&T static IP and wanted to make use of it. And I wanted a VPN that would work with the Microsoft Windows built-in VPN as well as the Apple iPhone built-in VPN. This router does this. And you can even create local usernames/passwords so no RADIUS server is needed. But you have to know the tricks to do this and Ubiquiti makes this very standard config very hard to figure out. I spent about 8 hours and finally figured it out, so hopefully this will save you boatloads of time.
1) Start with wizard #2. That gets most things set up for you; mainly it sets switch0 to be eth1 through eth4, and eth0 you connect to the WAN (in this case, the LAN port on my 2Wire/AT&T router). I set the IP address to the first static IP address in my range and set the EdgeRouter to use the 2Wire AT&T router to route out to the internet using the last static IP that AT&T gave me.
2) NOTE that when they ask for an IP address, you should type in the IP address you want the router to be at, not the base IP address for the network. So if you want your router to be at 192.168.2.193, then put in 192.168.2.193/24 for the address, not 192.168.2.0/24 while hoping to configure the router address somewhere else.
3) To have the VPN accessible from the outside, you MUST add a new firewall rule (#3) to accept new connections to TCP port 1723 in the WAN_LOCAL firewall rules (this is WAN to the router firewall ... the WAN_IN is the WAN to your internal ports). Without this rule, your VPN will only connect from inside the firewall (sort of useless but good for testing).
4) To configure your VPN, you MUST either use the command line tool or use the Config tree. I think the Config tree was the easiest to use. You make the changes (it will show your changes in red) and commit them. By drilling down in the VPN menus, you can set the local username, password, and the type of VPN you want. I chose PPTP since that works with default VPN clients easily (Windows and iPhone).
The documentation is really pretty bad. For example, in the tooltips and the manual (which is out of date), if you have a field asking for an IP address, the "tip" you get says "Enter IP address in form 188.8.131.52/24" or something like that. So completely not helpful.
So most of the features of the router you can only get via CLI or the Config tree.
Use the System tab to save your work as you configure in case you badly screw up and have to go back.
Once set up, it works like a charm.
They REALLY should have wizards for the most common cases like my case of a home router with one WAN, the rest of the ports on my LAN, and a VPN server. That would have saved a LOT of time. And it should have configured around my choice of router address (see next paragraph).
Also, I tried to set up my network with a gateway of 192.168.1.1 and the wizard failed with an error message that was pretty lame, saying I wasn't allowed to use that address. "Addresses must be in the range ... to ...." Well, that's because the wizard sets up a DHCP server for you and doesn't think to do that based on the router address you want to use. So you use the wizard, then change the DHCP range to what you want, then change the router address to what you want. The wizard sets up basic firewalls for you, so it's a useful way to get started.
The existing EdgeOS for EdgeRouters and EdgeSwitches is not 100% compatible with mobile devices such as the iPad.
Example: the menus of EdgeSwitches on 1.3.0 are unable to scroll down in several pages, like the port summary page.
In the current era of transition/transformation of computing, it is, in my humble opinion, an essential step forward to be ready for the time when administrators, technicians and engineers may be using mobile devices like tablets and iPads to troubleshoot, fix configurations, etc.
Having this built into the development process now will enable UBNT to lead the future.
Additional software features besides the hardware improvements, e.g.:
- Gateway Anti-Malware, Intrusion Prevention, Application Intelligence and Control
- Content Filtering Service
- Enforced Client Anti-Virus and Anti-Spyware service via 3rd party service
- Comprehensive Anti-Spam Service
As it says, allow login by SSH key per user. Currently, it is a global setting and we'd like the ability to have some users log in via an SSH key (for system services like RANCID or monitoring) and passwords (AAA) for regular users.