New Idea

snmp for EdgePower

Submitted by - yesterday
Status: New Idea

Would be really useful to be able to monitor battery voltage on an EdgePower with DC PSU.  The system log displays this info every minute.  

 

All you need is to add SNMP and some OIDs for voltage, temperature, standby, live state, etc.

SECURITY ISSUE: Support iptables -m policy --dir out --pol ipsec

Submitted by - 2 weeks ago
Status: New Idea

The firewall rule "ipsec match-ipsec" command allows matching ipsec traffic inbound-only via "-m policy --dir in --pol ipsec". There does not appear to be any way to filter traffic in the outbound direction.

 

This is a security issue because it means that there is (apparently) no way to prevent outbound IPSec traffic leakage when tunnels have gone down.

 

Current EdgeMax customers may, right now, be unwittingly sending unencrypted traffic which was meant to be encrypted.

 

Unless I am mistaken, this isn't just a feature request, this is an ongoing security threat to Ubiquiti customers.

 

References:

https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Tunnel-Shunting

https://community.ubnt.com/t5/EdgeMAX/How-to-protect-from-ipsec-outbound-leakage/m-p/1865143

 

Ability to configure SSH security parameters

Submitted by - 3 weeks ago
Status: New Idea

Currently EdgeOS still allows HMAC (message authentication code) algorithms that are considered weak and obsolete, including 'hmac-md5'.  Similarly CBC encryption ciphers are still allowed and are also considered weak and obsolete.  While there may be environments where these are required there should be the ability to disable these as appropriate.

 

As a more proper complete request the EdgeOS UI (BUI and CLI) should provide for the ability to configure:

  • Authentication methods
  • Encryption Cipher algorithms
  • Message Authentication Code (HMAC) algorithms

There is limited support for specifically disabling password-encryption but this request seeks more encompassing ability.
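An audit for the algorithms this request names, as an added example that is not part of the original post or EdgeOS code. It assumes the effective configuration is available in the format printed by OpenSSH's `sshd -T`; the sample input is constructed, and the weak-algorithm rules cover only what the post lists (MD5-based MACs and CBC-mode ciphers).

```python
# Added example: flag the weak SSH algorithms named in the request above
# (MD5-based MACs, CBC-mode ciphers) in `sshd -T` style output.

# Constructed sample, not taken from a real device.
SAMPLE_SSHD_T = """\
port 22
ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se,aes256-gcm@openssh.com
macs hmac-sha2-256,hmac-md5,hmac-md5-96,hmac-sha2-512-etm@openssh.com
kexalgorithms curve25519-sha256
"""

def parse_algorithms(text):
    """Return {'ciphers': [...], 'macs': [...]} from `sshd -T` style lines."""
    found = {"ciphers": [], "macs": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # tolerate comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in found:
            found[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def is_weak(kind, name):
    base = name.split("@", 1)[0]                  # drop vendor suffix such as @openssh.com
    if kind == "macs":
        return "md5" in base                      # hmac-md5, hmac-md5-96, hmac-md5-etm
    return base.endswith("-cbc")                  # aes128-cbc, 3des-cbc, rijndael-cbc

def audit(text):
    """Split each algorithm list into weak entries and entries to keep."""
    report = {}
    for kind, names in parse_algorithms(text).items():
        weak = [n for n in names if is_weak(kind, n)]
        report[kind] = {"weak": weak, "keep": [n for n in names if n not in weak]}
    return report

def hardened_lines(report):
    """sshd_config lines keeping only non-weak algorithms; empty lists are skipped."""
    keywords = {"ciphers": "Ciphers", "macs": "MACs"}
    return [f"{keywords[k]} {','.join(report[k]['keep'])}"
            for k in ("ciphers", "macs") if report[k]["keep"]]

if __name__ == "__main__":
    rep = audit(SAMPLE_SSHD_T)
    for kind in ("ciphers", "macs"):
        print(kind, "weak:", ", ".join(rep[kind]["weak"]) or "none")
    print("\n".join(hardened_lines(rep)))
```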

 

Send DPI statistics to UniFi controller.

Submitted by -
Status: New Idea

Please allow for DPI data to be sent to the UniFi controller. I do not need to be able to make any changes from UniFi. I would just like to populate DPI statistics.

Share bandwidth evenly per IP address

Submitted by -
Status: New Idea

As mentioned in post https://community.ubnt.com/t5/EdgeMAX/Share-bandwidth-evenly-per-IP-address/m-p/1844147.

 

For example if my total download limit is 1000 kbit/s and I have two hosts on the network (host A and host B).

If host A is downloading a single file and host B is downloading a single file, each host should get 500 kbit/s.

If host A is downloading two files and host B is downloading a single file, each host should get 500 kbit/s, host A will get 250 kbit/s for each file download and host B will get 500 kbit/s for the download.

If only a single host is downloading, it should get the full 1000 kbit/s.

 

It can be easily configured on pfSense: https://www.gridstorm.net/pfsense-traffic-limiting-fair-share/

 

Using tc on Linux, it can be done using the following to limit outgoing traffic on eth0 to 1000 kbit/s and fairly share the allocated 1000 kbit/s per host regardless of number of connections opened by each host:

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit
tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
tc filter add dev eth0 parent 1: protocol ip u32 match u32 0 0 flowid 1:1
tc filter add dev eth0 parent 10: protocol ip handle 10 flow hash keys nfct-dst divisor 1024

 

Essentially it is SFQ queue type with flow classifier set to assign packets to different flows based only on IP address (destination IP address in the above example) rather than source IP + source port + destination IP + destination port. This helps to avoid a single computer opening multiple connections to hog more bandwidth.

 

In comparison to HFQ, this works on subnets larger than /22.

SSL certs from https://letsencrypt.org

Submitted by -
Status: New Idea

I really would like to see the end of self-signed certs and implementation of https://letsencrypt.org for EdgeOS.

This would be a great move in the right direction for out of the box SSL.

 

IP address spoofing security = IP Source guard + DHCP Option 82

Submitted by -
Status: New Idea

Can you please add the IP source guard feature to EdgeSwitches? Also DHCP spoofing with DHCP Option 82 (DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources).

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host.

OSPF on EdgeSwitch

Submitted by -
Status: New Idea

Need OSPF on Edgeswitches for use in campus networks...

Redundant power supply on EdgeRouter Pro series

Submitted by -
Status: New Idea

Hi,

EdgeRouter Pro units can be, and often are, used as mission-critical routers in networks. It is a nice piece of hardware and the software makes it a very viable alternative. It would be great to make the next generation of EdgeRouter Pro series power-redundant, so they can be connected to two power feeds at the same time.

This will help design fully-redundant networks, with both failure tolerance in case of one internal PSU failure as well as redundant and avoid SPoF design from a power perspective.

 

Many thanks and keep up the good work!

EdgeRouter DPI host nicknames

Submitted by -
Status: New Idea

Please enable an option to rename hosts and give them Nicknames when using DPI.

 

I can do this using my Unifi AC LR, but not when using my EdgeRouter x

Intrusion Prevention/Detection

Submitted by -
Status: New Idea

It would be nice if we had an IDS system for EdgeMax ...

Command Abbreviation

Submitted by -
Status: New Idea

This seems to be something that VyOS already has

 

For example, I would like to be able to run stuff like this:

conf

ed int eth eth1

set add 192.168.1.1/24

PPPoE Server IPV6 support

Submitted by -
Status: New Idea

Support for the IPv6-related RADIUS attributes in the EdgeMax PPPoE Server service.

 

See also EdgeMAX/PPPoE-server-IPV6

PPPoE uptime

Submitted by -
Status: New Idea

Would be nice to be able to see the PPPoE connection uptime.  My old router running OpenWRT/LEDE firmware had this implemented.  Any word on when we could see this on the EdgeOS platform?

 

New to this forum and I believe I posted in the wrong place originally.

 

HERE is my original post with some progress on a simple PPPoE uptime script.

 

 

GUI for OpenVpn

Submitted by -
Status: New Idea

GUI for simple setup of OpenVPN Server mode would be great. Nothing fancy, just similar to what DD-WRT supports today. Ideally, L2TP, PPTP and SSTP with local users support. This will be great for SOHO.

Support for IPv6-RD with a dynamic IP address

Submitted by - a month ago
Status: New Idea

I'd like to request that the 6rd functionality be extended to operate properly with a dynamic IP address. The current solution is to use a cron script to rewrite the configuration every 5 minutes, which isn't really that great. A forum member suggested some syntax that might work well. The best solution would be to have an ISP with dual-stack support, but that isn't always possible, sadly.

10, 30, 60 minute graphs

Submitted by -
Status: New Idea

For cpu and RAM, and interfaces

IPv6 Support in Management GUI Interface

Submitted by -
Status: New Idea

In 2013, there has been an increase in IPv6 deployments by ISPs globally. In the country where I reside, all FTTH (Fiber-to-the-Home) ISPs/RSPs have deployed IPv6.

I believe it is becoming more and more important for routers to support IPv6, and likely to be essential in 2014. I would like to strongly suggest and request Ubiquiti team to look into having IPv6 Support in GUI as part of the 2014 roadmap.


EdgeMax Router Lite and POE are great routers in terms of performance and affordability. It is a pity that the shortfalls in the GUI are keeping some not-as-savvy (knowledgeable but not good with CLIs) consumers away.

ER-X switch IGMP Snooping

Submitted by -
Status: New Idea

IGMP Snooping would be nice in EdgeMAX (ER-X-SFP) since it's mandatory for many IPTV implementations to work (for example Sweden's biggest ISP / IPTV provider, Bredbandsbolaget).

Network Health of edgemax router in Unifi controller

Submitted by -
Status: New Idea

For a lot of customers we use the security gateway for some basic network setup. The main reason we choose for the SGW is because we can easily monitor the connection with a remote hosted unifi controller.

 

Now that the ER-X-SFP is here we would love to use that device to power the AP's at our customers.

Is it possible to add the possibility to register an EdgeMAX router with the UniFi controller to show up in the Network Health of the UniFi controller? Preferably with the speedtest function.