I know this is currently available in the Vyatta fork. I'd love to have it implemented here. Instead of constantly repeating firewall policies for each rule or ruleset (like stateful packet inspection), you could have them set once, etc.
I was and I am a big fan of the idea "keep it simple".
Coming from Linux and BSD based router-firewalls, I would like to see as a feature of an EdgeMax router a bit simpler configuration and support for a transparent Squid which will be able to handle both HTTP and HTTPS configurations. To do this on a pfSense router-firewall is easy. On this note, it is also very easy to install and configure SpamAssassin.
However, if this makes things complicated then I prefer to have my Squid with SpamAssassin elsewhere.
Currently, to enable rp_filter (Unicast Reverse Path Forwarding) there is only a system-wide option under the firewall configuration section:
set firewall source-validation strict
This all-or-nothing approach is basically unusable in a non-trivial network (e.g. multiple paths), as applying rp_filter on uplink interfaces would break forwarding.
rp_filter should be a per-interface configuration option, e.g.
set interfaces ethernet eth1 ip source-validation strict
set interfaces ethernet eth1 ipv6 source-validation strict
This could be implemented leaving the global option in place for the firewall, but adding the interface-level configuration as an option (to avoid breaking configurations).
On the kernel side, this would be implemented as:
# Default Values
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# Enable rp_filter for eth1:
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
This is a pretty quick change that would be VERY helpful for those of us making use of public IP addressing with the ER.
With the recent NTP reflection attacks, we really find the use of uRPF to be mandatory. More information on the need for uRPF and BCP38 is available at: http://www.bcp38.info/index.php/Main_Page
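An added example (not from the post above, and not EdgeOS code) that shows the detail the per-interface proposal relies on: the Linux kernel enforces max(conf/all/rp_filter, conf/<iface>/rp_filter) on each interface, so the only layout that keeps uplinks forwarding is all=0 with strict set per interface, and a global "strict" cannot be undone on an uplink by writing 0 to the interface. The interface names are made up, the functions run against a scratch directory so nothing here touches /proc unless you pass the real root, and it is IPv4 only because the rp_filter sysctl has no IPv6 counterpart.

```python
"""Per-interface rp_filter, evaluated the way the Linux kernel evaluates it.

Added example (not from the forum post). Documentation/networking/ip-sysctl.txt
says the value used for an interface is max(conf/all/rp_filter,
conf/<iface>/rp_filter), which is what makes the global knob unusable for
multipath uplinks. IPv4 only: rp_filter has no IPv6 sysctl.
"""
import tempfile
from pathlib import Path

RP_OFF, RP_STRICT, RP_LOOSE = 0, 1, 2          # values accepted by rp_filter
PROC_ROOT = Path("/proc/sys/net/ipv4/conf")    # real location; dry_run() uses a temp dir


def read_rp(iface: str, root: Path = PROC_ROOT) -> int:
    return int((root / iface / "rp_filter").read_text().strip())


def write_rp(iface: str, value: int, root: Path = PROC_ROOT) -> None:
    if value not in (RP_OFF, RP_STRICT, RP_LOOSE):
        raise ValueError(f"invalid rp_filter value {value}")
    path = root / iface / "rp_filter"
    path.parent.mkdir(parents=True, exist_ok=True)  # no-op under /proc, needed for dry runs
    path.write_text(f"{value}\n")


def effective_rp(iface: str, root: Path = PROC_ROOT) -> int:
    """What the kernel enforces on iface: the max of 'all' and the interface value."""
    return max(read_rp("all", root), read_rp(iface, root))


def apply_layout(uplinks, edge_ifaces, root: Path = PROC_ROOT) -> dict:
    """Global off, strict only on interfaces facing single-homed networks."""
    write_rp("default", RP_OFF, root)
    write_rp("all", RP_OFF, root)
    for iface in uplinks:
        write_rp(iface, RP_OFF, root)
    for iface in edge_ifaces:
        write_rp(iface, RP_STRICT, root)
    return {iface: effective_rp(iface, root) for iface in [*uplinks, *edge_ifaces]}


def dry_run() -> dict:
    """Exercise the logic against a scratch directory instead of /proc (made-up iface names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        per_iface = apply_layout(["eth0", "eth2"], ["eth1", "eth3"], root)
        # Why the current all-or-nothing knob breaks multipath uplinks:
        write_rp("all", RP_STRICT, root)
        write_rp("eth0", RP_OFF, root)          # per-interface 0 cannot win against all=1
        global_strict = {iface: effective_rp(iface, root) for iface in ["eth0", "eth1"]}
    return {"per_interface": per_iface, "global_strict": global_strict}


if __name__ == "__main__":
    print(dry_run())
```

Run it as root with `root=PROC_ROOT` to apply the layout for real; the dry run prints that eth0 stays at 0 only while `all` is 0.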
That's all I'm asking for. Just a nice little checkbox on the web GUI for Authoritative DHCP. After changing that setting through the CLI, my router was handing out DHCP in under 5 seconds. Beforehand it was handing it out in around a minute. Please? Add that? I don't ask for much.
I'd love to see the EdgeMax series of routers have an SD or MicroSD slot for booting from instead of internal flash.
- backups of your whole router become really really easy
- hardware platform can be used for testing other software
- a larger SD card means you can log more data if need be
- expands what you can do with the router
- UBNT doesn't have to support anything but their "approved" SD cards (ship 2 with the router)
- bad flash problems on the router don't leave you high and dry
- 4G SD cards are <$5 retail packaged
What do folks think?
On some platforms, application and DPI rules can be made manually with regular expressions where DPI has extracted content that can be filtered.
For example, during an SSL connection the site will pass down the certificate in a readable form before the encryption is established. This can be very useful to create rules around, since proxy-based blocking of only unencrypted content is useless for sites that use SSL by default now.
The same can be said for a number of other handshakes, such as the SMTP HELO message, etc., that can contain plain text that is easy to match on.
On the web GUI there should be an option to change settings without committing and saving. Then a separate commit, confirm, and save step so you can safely make changes to a remote router without risking losing access. It would also make changing multiple settings much quicker. One of the few things I prefer the GUI over the CLI for is changing NAT and firewall rules; these are one of the more risky changes and take forever to do for many rules because of the time taken to commit each time. If I could create all the rules, then do a commit-confirm and confirm/save only if I still have access, it would be great.
Some providers supply NTP servers via DHCP, and those are used by EdgeMax regardless of the NTP configuration. This is the case with my Internet/IPTV/VoIP provider: it uses three VLANs, one for each service, and it supplies an NTP server via the VoIP VLAN, which is not suitable for reliable time synchronization.
This same issue was tackled in this thread. Apparently a solution is on the TODO list, but it has not been implemented yet. My proposal is a new client dhcp-option "ntp-server" with possible settings "update" (default) and "no-update". In this way the DHCP-supplied NTP server could be ignored using
set dhcp-options ntp-server no-update
in a similar way as name servers and default route.
Basically, clone MikroTik's dynamic DNS service. It's a simple checkbox in the UI and you get a consistent DNS record you can access, and add a CNAME in your own domain to match. They just call it 'cloud'. It's based on the hardware serial number so the DDNS name survives factory resets, etc.
It's a really fantastic little add-on.
Currently (EdgeOS v1.7), the dynamic DNS clients are looking at the WAN address and sending that to the dynamic DNS service. This is OK a lot of the time, but when something is double NAT'd, which is becoming more and more popular, this causes the dynamic DNS service to be updated with a private IP address.
I'd like to see src-address based polling, like a STUN server, where the dynamic DNS client update would ping a UBNT service to get the actual public IP address to update the dynamic DNS service with.
This is also a simpler method when multiple WAN interfaces are in use. Pulling in the active public IP address for an update is better than being stuck with a single interface's public IP. I know the current dynamic DNS client can be configured with separate sessions per interface, which is OK, but even modifying that to reach out on the selected interface's gateway to update would improve the client.
I have to use my own update script sometimes to do dynamic DNS.
Also note, 'Tik's cloud DNS service does this right. Replacing RB951 units with EdgeRouters is something I've been working on for a bit, but I don't like the 'hack' of a script to do what the system should do 'natively'.
Can we make the GUI update scripts order the firewall and NAT rules by 10s rather than 1s? I have a large team of technicians that are GUI guys that typically do the basics on my routers. I also have a small team of engineers that fix the stuff they break. The engineers all use the CLI. It's very difficult to re-order firewall and NAT rules from the CLI. If the GUI ordered the rules like 10, 20, 30 rather than 1, 2, 3, us CLI guys could go insert rules at, say, 11, 12, 13 to put them in between 10 and 20. The next time a firewall was saved or updated in the GUI, of course I would expect 11 to become 20, 12 to become 30, 13 to become 40, but I think this would happen already.
If there is a concern about the number of rules, even spacing them by 5 would be great.
Was just thinking if this was possible on the EdgeSwitch PoE line and as far as I can see it is not.
So my idea was to have the switch shut down some/all PoE devices automatically when it senses power loss from a UPS.
I was thinking to shut down some non-essential stuff during a power outage before the switch gets killed when the UPS batteries fully die (since it can't shut down itself). This may help save devices from bricking as well.
This could help prolong the battery runtime if not so many PoE devices are running and therefore continue providing protection.
So for example, it could kill the outside cameras and all but 1 or 2 UAPs inside for people to still have access to the network from wireless devices or be able to make wifi calls if needed.
EDIT - Just thought of a security use there too: say some robbers cut the power outside (and even smash the cameras outside); the inside ones could capture some data before they get smashed/powered down as well in the event of a break-in! If the outside PoE devices get shut down, then the cameras inside could hopefully get all the info the police would need.
I'm always having to move static DHCP definitions from one interface to a different one.
Would be nice to be able to quickly move the device to a different interface and DHCP server in the GUI.
Currently it requires copying the MAC address somewhere so you don't forget it, deleting it from the old server along with the name, then adding it all back on the new server on the new interface.
In an office environment, this occurs when someone moves to a different location, etc.
I created a mod to incorporate OpenSSH's AuthorizedKeysCommand into router config here:
This allows the use of a central SSH public key store when logging into an EdgeOS device.
It would be great if this (or a better implementation of it) could make it into the core product.
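An added example, not the poster's mod and not part of EdgeOS: the shape of script sshd calls through `AuthorizedKeysCommand`, with the two sshd_config directives it assumes being `AuthorizedKeysCommand /usr/local/sbin/fetch-keys %u` and `AuthorizedKeysCommandUser nobody` (the path and the unprivileged account are placeholders). The central store is a constructed in-memory dict standing in for the directory the post refers to, the key material and login names are made up, and the two checks shown (a strict login-name pattern before the lookup, and dropping any line that is not a well-formed key) are what keep a compromised or misbehaving store from feeding sshd arbitrary text.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: serve public keys for a user from a central store.

Added example, not the forum poster's mod. sshd invokes this with the
login name (%u) and reads one authorized_keys line per line of stdout.
The store below is constructed; fetch_from_store() is the part to replace.
"""
import re
import sys

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")                # POSIX-style login names only
KEY_LINE_RE = re.compile(r"^(ssh-ed25519|ecdsa-sha2-nistp256|ssh-rsa) [A-Za-z0-9+/=]+( \S+)?$")

# Constructed sample store: login name -> authorized_keys lines (key material is fake)
CENTRAL_STORE = {
    "ubnt": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisExample ubnt@laptop",
        "not-a-key-type garbage",                                    # must be dropped, never echoed to sshd
    ],
    "ops": [
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExampleOnly ops@jump",
    ],
}


def fetch_from_store(user: str, store=CENTRAL_STORE):
    """Stand-in for the central lookup (LDAP or HTTPS in a real deployment)."""
    return store.get(user, [])


def keys_for(user: str, store=CENTRAL_STORE):
    """Validate the login name, then return only well-formed key lines."""
    if not USERNAME_RE.match(user):
        return []                                                    # refuse odd input rather than pass it on
    return [ln.strip() for ln in fetch_from_store(user, store) if KEY_LINE_RE.match(ln.strip())]


def main(argv):
    if len(argv) != 2:
        return 2                                                     # sshd always passes exactly one argument
    for line in keys_for(argv[1]):
        print(line)
    return 0                                                         # empty stdout means "no keys here"


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exiting 0 with no output is the right failure mode for an unknown user; returning an error status instead would make sshd log the command as failed on every such login attempt.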
Sometimes I want to check some basic stats on my ERL without making any config changes.
It would be nice to have the option of a simple stats page that displays some basic information without having to log in. E.g. the DD-WRT Sys Info page https://www.dd-wrt.com/demo/Info.htm
DD-WRT lets you choose whether to let that be accessed without login, or whether to require a login first.
I'd really love to see an NTP server built into the EdgeMax router software. I currently synchronise my router to a Stratum 1 server and would like the ability to create a "local" Stratum 2 server for all client devices.
In addition, I'd love the option of a RADIUS server built into the router to handle 802.1X authentication without having to rely on a Windows server for such a basic task.