Hardware Offloading on ER-X(-SFP)

Submitted by -
Status: Implemented

To increase throughput, add hardware offload support to the ER-X(-SFP) for NAT, PPPoE and VLAN. I think the SoC supports this and only a driver is needed.

QOS/Shaping GUI

Submitted by -
Status: Implemented

Would be nice to see some sort of GUI for the QOS and shaping.

Wizards for VPN, Firewall, NAT, etc

Submitted by -
Status: Implemented

Right now, there is a basic Setup wizard. What is required are basically wizards to set up site-to-site VPN and also remote-access VPN; this can be just a script that assumes there is no VPN etc. in place at the moment. But it should also take care of firewall, MTU, MSS, etc.

Prohibit use of unwanted DNS servers, crazy default behavior!

Submitted by -
Status: Implemented

I just learned the EdgeMax software auto-adds my ISP's DNS servers to the resolv.conf file EVEN IF I have specified my own OpenDNS servers. Check your resolv.conf file.  SURPRISE!!!  Unwanted DNS servers!

agd@curtain:/etc$ cat resolv.conf
nameserver 208.67.222.222  # OPEN DNS Server 1
nameserver 208.67.220.220  # OPEN DNS Server 2
nameserver 24.247.24.53 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
nameserver 66.189.0.100 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
nameserver 24.178.162.3 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl

Here is a thread and "working as designed" confirmation from UBNT.  I doubt many people know this is happening, as it is not desired behavior for many of us.  If we specify DNS servers to use, that means we probably don't want to use other ones!

Please add a GUI and/or CLI option to prohibit use of upstream DHCP DNS settings.

http://community.ubnt.com/t5/EdgeMAX/Resisting-DNS-Hijacking/m-p/669579

Please address ASAP UBNT.

Thanks!
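A small audit script for the behaviour described above, added here as an example and not part of the original post or of EdgeOS: it parses a resolv.conf, compares the nameservers against the ones the administrator intended, and flags any extra entries, noting whether the comment shows they were written by vyatta_update_resolv.pl. The sample file content and the expected-resolver set are constructed from the post.

```python
from ipaddress import ip_address

# Constructed sample, modelled on the resolv.conf quoted in the post above.
SAMPLE_RESOLV_CONF = """\
nameserver 208.67.222.222  # OPEN DNS Server 1
nameserver 208.67.220.220  # OPEN DNS Server 2
nameserver 24.247.24.53 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
nameserver 66.189.0.100 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
"""

# Resolvers the administrator actually configured (the OpenDNS pair from the post).
EXPECTED = {"208.67.222.222", "208.67.220.220"}

# Marker the DHCP hook leaves in the trailing comment of lines it appends.
AUTO_MARKER = "vyatta_update_resolv.pl"


def parse_resolv_conf(text):
    """Return a list of (address, comment) tuples, one per valid nameserver line."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        parts = body.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue  # options, search, blank lines, etc.
        try:
            addr = str(ip_address(parts[1]))  # normalise, drop unparsable junk
        except ValueError:
            continue
        entries.append((addr, comment.strip()))
    return entries


def audit(text, expected=EXPECTED):
    """Return the nameservers present in the file that are not in the expected set.

    Each finding records whether the line carries the DHCP hook's comment, so the
    operator can tell ISP-injected resolvers from ones added by hand.
    """
    findings = []
    for addr, comment in parse_resolv_conf(text):
        if addr not in expected:
            findings.append({"address": addr, "dhcp_injected": AUTO_MARKER in comment})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOLV_CONF):
        print(f"unexpected resolver {f['address']} (dhcp_injected={f['dhcp_injected']})")
```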

Update Strongswan to Version 5.x, change to charon instead of pluto and enable eap-mschapv2 auth

Submitted by -
Status: Implemented

Forum discussion

+ ikev2 is better for mobile devices

+ ikev2 / eap-mschapv2 works out of the box with Windows, Windows Phone 8.1

+ Strongswan App on Linux, iOS and Android can be used

MPLS Support in EdgeRouter

Submitted by -
Status: Implemented

It would be fantastic to enjoy MPLS in EdgeRouter products.
I think a lot of people refuse to deploy EdgeRouter in the network core because of this and choose Mikrotik instead.

easy way to turn an existing DHCP lease into a static assignment in the GUI

Submitted by -
Status: Implemented

I was looking at the GUI today to see what IP addresses some of my devices were given. When looking at the leases in the GUI, it would be very useful to see a device that should have a static IP address and be able to click on it (or some other GUI affordance) to convert it to a static assignment.

By doing this, the GUI would pre-fill out the MAC address so I don't have to copy and paste it. The GUI would pre-fill out the device name. The GUI would pre-fill out the IP address that is already assigned (well this part might not work since you don't want to statically allocate an address from the dynamic pool).

Anyway, this would be a useful, helpful feature.

Thanks

Greg

6RD / DHCPv6-PD support

Submitted by -
Status: Implemented

A large number of ISPs deliver IPv6 access via 6RD / DHCPv6-PD.

I really would like support for both these protocols.

12-port EdgeSwitch

Submitted by -
Status: Implemented

I would like to see a 12-port EdgeSwitch (250W/125W range). Sometimes 24 ports is overkill, and 8 ports doesn't leave enough room for expansion.

IKEv2

Submitted by -
Status: Implemented

I would like to see IKEv2 implemented among the other VPN options.  It is a built-in client in Windows 7/8, and strongswan also came out with a very capable client for Android.

http://wiki.strongswan.org/projects/strongswan/wiki/Windows7

http://wiki.strongswan.org/projects/strongswan/wiki/Win7MultipleConfig

http://wiki.strongswan.org/projects/1/wiki/EapTls

Since Strongswan 4.5.2 was incorporated, it should provide robust configuration options.  Additionally, IKEv2 configured for remote access should easily run alongside existing site-to-site and IKEv1-based RA settings.

Firewall/NAT - Group handling compared to Cisco

Submitted by -
Status: Implemented

There are a couple of issues I have with the way EdgeOS handles groups. My company uses both EdgeRouters and Cisco ASA devices. Cisco seems way more advanced in group handling compared to EdgeOS. You can specify single host devices, subnets and ranges. Whenever something in the network changes, be it subnets, host IPs or whatever, I almost never touch the firewall / NAT rules manually on Cisco devices. The only thing I do is modify a subnet object or a host object; rules where these objects are used will be updated automatically. Sometimes I edit a rule and simply add or remove a new/old object with very few clicks because Cisco allows multiple selections. EdgeOS is different, and groups in EdgeOS are not quite the same as network objects in Cisco environments.

First and foremost, there is nothing like a single host object in EdgeOS. Address groups are .. well, groups, and can't be entered as the translation target in a NAT rule or similar, even if the address group contains only a single IP. As soon as a server is moved in the network, one would have to modify each and every rule where the server is used, manually, because the translation address is an IP, not a variable like a Cisco host object.

Second is that it's not allowed to select multiple groups (e.g. network groups). It's a single drop down list and as soon as a rule has to match more than one group, the rule has to be copied and modified to match every network group. Cisco can have several network groups in one rule. Yes, I could create a big network group containing all subnets in the other groups, but then it's unwanted redundancy again. As soon as one subnet changes, one would have to modify both the original network group and every other group where this subnet is being used. Nesting groups could be a solution, like a parent group containing several network groups - one change would be adopted by all groups where this specific sub-group is used.

Third: When doing a DNAT with subnets (e.g. 192.168.2.0/24 to 192.168.1.0/24) I can't select a network group as translation target, as discussed above. But I can't even use a network group (with a single subnet in it) as the destination match either. EdgeOS tells me to explicitly use destination subnets when translating to another subnet. Again, hardcoded IP addresses/subnets, contrary to Cisco simply using a subnet object.

Most of the time it's no big deal to do the changes manually. But there is always the risk of a typo or simply missed rules. When firewall and nat rules are configured with subnet and host objects like Cisco does, then it's just a matter to change this object ONCE. In EdgeOS you might have to touch each and every rule as "groups" aren't allowed or can't be used in some situations.

Even though Cisco isn't beyond all doubt either, there's a lot Ubiquiti can learn from it.

Using EdgeRouters in my company was my idea because they are affordable and highly reliable. My colleagues at our headquarters were suspicious when I introduced them to the ER. The HQ uses Cisco only (money doesn't matter), but they were quite impressed by the capabilities of this nice piece of hardware and started to use it in small applications as well. Anyway, the GUI seems underwhelming and lacks lots of advanced functions that make things easier to handle. Unfortunately the above issues can't be solved via CLI either; same restrictions.

Well, at least Ubiquiti added the group names to the NAT overview since v1.7 or v1.8 I think, in v1.6 nothing was shown in the rule header when a group was used and that was a real pain in the ..... with lots of NAT rules without any source/destination shown..

Maybe Ubiquiti reconsiders the groups and gets some inspiration from my request.

Routing to IPSec vpn

Submitted by -
Status: Implemented

The major problem that we've encountered with these devices is the impossibility of routing several subnets, or even the default route, to an IPsec VPN. I suppose it wouldn't be too difficult to create a virtual interface similar to "tun", let's say "st", which could be bound by the user to a specific IPsec VPN; static routes could then be configured to it, e.g.:

"set protocols static interface-route 0.0.0.0/0 next-hop-interface st0" or

"set protocols static route 0.0.0.0/0 next-hop x.x.x.x" where x.x.x.x is an address from subnet configured on st0 interface

enhanced uPnP support

Submitted by -
Status: Implemented

Based on the post here, enhance the uPnP support.

1) Provide in the CLI the ability to see the current mappings activated by uPnP and the device that configured those rules.

2) Provide the ability to reset all the uPnP rules and/or selectively delete them.

3) Provide an option for the router to automatically delete them on reboot or retain them.

Nice to have would be all this in the GUI as well as turning on / off uPnP in the GUI.

I would also recommend adding a warning when activating uPnP that it presents a security risk and is not recommended.

DynDNS GUI

Submitted by -
Status: Implemented

Allow DynDNS configuration from the GUI.

The CLI setup for DynDNS is simple enough. But it seems simple enough that it could be included in the GUI for those uneasy about the CLI.

NAT rule creation option to "Create an associated 'accept' Firewall rule"

Submitted by -
Status: Implemented

It would be great if there was an option when creating a NAT rule (a checkbox perhaps, with the ability to choose the protocol or a default of tcp) that, on saving the NAT rule, creates a basic associated firewall rule, so that in cases where someone simply wants to open port 80 to the public they don't have to create both a NAT and a firewall rule.

If one has something more complex in mind... don't check the box, or modify the associated firewall rule after it is created.

Example:
Create a standard NAT rule:
Destination port: 80
Translation: to 192.168.1.10
port 80

One would check the "create an associated 'accept' firewall rule"
The option to type in the protocol would appear (or be editable when the box is checked) and save the NAT rule which would create the associated firewall rule below:

Destination: address 192.168.1.10
port 80
protocol: tcp
Action: accept 

GUI for VPN client

Submitted by -
Status: Implemented

Would be nice to be able to set up a site-to-site (IPSEC or OPENVPN) vpn within the GUI.

New Port Forwarding wizard changes should appear in the Firewall and NAT pages under the security tab.

Submitted by -
Status: Implemented

I think it is inconvenient that firewall and NAT rules created by the port forwarding wizard do not appear in the associated GUI pages.

PPPoE offload

Submitted by -
Status: Implemented

Currently PPPoE throughput maxes out at ~220Mbps, at which point the router becomes unresponsive due to high CPU load.

With more ISPs pushing out gigabit fiber plans on PPPoE and a lack of consumer/prosumer grade routers being able to route that, I think this feature could be a great selling point for the ERL.

Change the initial "confirm" acknowledgement at commit-confirm

Submitted by -
Status: Implemented

This has come up a few times now, particularly with junior admins who are unfamiliar with the behavior.  A typical commit-confirm scenario resembles:

admin@route# commit-confirm
commit-confirm will automatically reboot in 10 minutes unless confirmed
Proceed? [confirm]

So far, every single new admin I've ever trained assumes that acknowledging the [confirm] prompt satisfies the requirement to prevent a reboot.  Ten minutes later, the router reboots.  Not only do we then eat an unanticipated outage, but the change is gone.  Spanky then comes to me looking confused and says "I don't know why it didn't work, I even confirmed it!!"

All I can do is bury my face in my hands and sigh.

Can we change "Proceed? [confirm]" to something more like "Proceed? [yes]" to make this less confusing?