
Global Firewall Policy Options

Submitted by -
Status: New Idea

I know this is currently available in the Vyatta fork.  I'd love to have it implemented here.  Instead of constantly repeating firewall policies for each rule or ruleset (like stateful packet inspection), you could have them set once etc.


Spam Filtering + Better squid transparent configuration

Submitted by -
Status: New Idea

I was and I am a big fan of the idea "keep it simple".

Coming from Linux and BSD based router-firewalls, I would like to see as a feature of an EdgeMax router a bit simpler configuration and support of a transparent squid which will be able to handle both HTTP and HTTPS configurations. To do this on a pfSense router-firewall is easy as. On this note it is also very easy to install and configure SpamAssassin.

However, if this makes things complicated then I prefer to have my squid with SpamAssassin elsewhere.

Change source-validation (uRPF, rp_filter) to be interface specific

Submitted by -
Status: New Idea

Currently, to enable rp_filter (Unicast Reverse Path Forwarding) there is only a system-wide option under the firewall configuration section:

set firewall source-validation strict

This all-or-nothing approach is basically unusable in a non-trivial network (e.g. multiple paths), as applying rp_filter on uplink interfaces would break forwarding.

rp_filter should be a per-interface configuration option, e.g.

set interfaces ethernet eth1 ip source-validation strict
set interfaces ethernet eth1 ipv6 source-validation strict

This could be implemented leaving the global option in place for the firewall, but adding the interface-level configuration as an option (to avoid breaking configurations).

On the kernel side, this would be implemented as:

# Default Values
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# Enable rp_filter for eth1:
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter

This is a pretty quick change that would be VERY helpful for those of us making use of public IP addressing with the ER.

With recent NTP reflection attacks, we really find the use of uRPF to be mandatory.  More information on the need for uRPF and BCP38 is available at: http://www.bcp38.info/index.php/Main_Page
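To make the "global strict breaks multi-path forwarding" point concrete, here is an added Python model (not EdgeOS or Vyatta code) of how Linux evaluates rp_filter per interface, including the kernel's max(conf/all, conf/interface) rule, run over a constructed two-uplink routing table; the interface names, prefixes and sample packets are assumptions.

```python
import ipaddress

# Constructed FIB: (prefix, egress interface). Two uplinks (eth0, eth1), one customer
# LAN (eth2); routing is asymmetric, so replies from 203.0.113.0/24 may arrive on eth1.
FIB = [
    ("0.0.0.0/0", "eth0"),         # default route via uplink A
    ("203.0.113.0/24", "eth0"),    # peer prefix, best path via uplink A
    ("198.51.100.0/24", "eth1"),   # peer prefix via uplink B
    ("192.0.2.0/24", "eth2"),      # our customer LAN
]

def best_route_iface(src):
    """Longest-prefix match of the source address against FIB; None if no route."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def effective_mode(conf, iface):
    """Linux uses max(conf/all/rp_filter, conf/<iface>/rp_filter), which is why
    a global '1' cannot be relaxed for one uplink; conf/default is omitted here."""
    return max(conf.get("all", 0), conf.get(iface, 0))

def rp_filter_accepts(src, in_iface, mode):
    """mode 0 = off; 1 = strict (best route must point back out in_iface);
    2 = loose (any route to src is enough, so it will not catch spoofed prefixes)."""
    out = best_route_iface(src)
    if mode == 0:
        return True
    if mode == 2:
        return out is not None
    return out == in_iface

def filter_packets(conf, packets):
    """Map each (src, in_iface) to 'accept' or 'drop' under one rp_filter config."""
    return {(s, i): ("accept" if rp_filter_accepts(s, i, effective_mode(conf, i)) else "drop")
            for s, i in packets}

PACKETS = [                         # constructed test traffic
    ("203.0.113.10", "eth1"),       # legitimate reply taking the asymmetric path in
    ("192.0.2.5", "eth0"),          # our own LAN prefix arriving from the Internet: spoofed
    ("10.0.0.1", "eth2"),           # LAN host using a source it does not own (BCP38 case)
]
GLOBAL_STRICT = {"all": 1}                    # today's 'set firewall source-validation strict'
PER_IFACE = {"all": 0, "eth2": 1, "eth0": 2}  # proposed: strict on LAN, loose on uplink A
```

Under GLOBAL_STRICT all three packets are dropped, including the legitimate asymmetric reply; under PER_IFACE only the LAN spoof is dropped, while the loose setting on eth0 shows that mode 2 alone does not stop a spoofed 192.0.2.5 from outside.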


Time based traffic policy

Submitted by -
Status: New Idea

Time-of-day based traffic/QoS policy.

Checkbox for Authoritative DHCP

Submitted by -
Status: New Idea

That's all I'm asking for. Just a nice little checkbox on the web GUI for Authoritative DHCP. After changing that setting through the CLI, my router was handing out DHCP in under 5 seconds. Beforehand it was handing it out in around a minute. Please? Add that? I don't ask for much.

Hardware change for EdgeMax routers - bootable SD cards!

Submitted by -
Status: New Idea

I'd love to see the EdgeMax series of routers have an SD or MicroSD slot for booting from instead of internal flash.


Pros:

 - backups of your whole router become really really easy
 - hardware platform can be used for testing other software
 - a larger SD card means you can log more data if need be
 - expands what you can do with the router
 - UBNT doesn't have to support anything but their "approved" SD cards (ship 2 with the router)
 - bad flash problems on the router don't leave you high and dry
 - 4G SD cards are <$5 retail packaged

What do folks think?


Custom DPI applications

Submitted by -
Status: New Idea

On some platforms Application and DPI rules can be made manually with regular expressions where DPI has extracted content that can be filtered.

For example, during an SSL connection the site will pass down the certificate in a readable form before the encryption is established. This can be very useful to create rules around, since proxy based blocking of only unencrypted content is useless for sites that use SSL by default now.

The same can be said for a number of other handshakes, such as the SMTP HELO message etc., that can contain plain text that is easy to match on.

Multicast Support (PIM-SM, SSM, PIM over GRE tunnel)

Submitted by -
Status: New Idea

I would need PIM-SM/SSM support in ERL, and also PIM over GRE tunnel. Is it planned?

Web GUI edit commit confirm save like CLI

Submitted by -
Status: New Idea

On the Web GUI there should be an option to change settings without committing and saving. Then a separate commit, confirm, and save step so you can safely make changes to a remote router without risking losing access. It would also make changing multiple settings much quicker. One of the few things I prefer the GUI over the CLI for is changing NAT and firewall rules; these are one of the more risky changes and take forever to do for many rules because of the time taken to commit each time. If I could create all the rules, then do a commit-confirm and confirm/save only if I still have access, it would be great.

Support DNSSEC

Submitted by -
Status: New Idea

Most likely the best support and codebase to base it on would be unbound or powerdns-recursor, not dnsmasq.

Add DHCP client option to ignore NTP name servers

Submitted by -
Status: New Idea

Some providers supply NTP servers via DHCP, and those are used by EdgeMax regardless of the NTP configuration. This is the case with my Internet/IPTV/VoIP provider: it uses three VLANs, one for each service, and it supplies an NTP server via the VoIP VLAN, which is not suitable for reliable time synchronization.

This same issue was tackled in this thread. Apparently a solution is in the TODO list, but it has not been implemented yet. My proposal is a new client dhcp-option "ntp-server" with possible settings "update" (default) and "no-update". In this way the DHCP-supplied NTP server could be ignored using

  set dhcp-options ntp-server no-update

in a similar way as name servers and default route.

Free UBNT-provided dynamic DNS service built in (EdgeOS and USG)

Submitted by -
Status: New Idea

Basically, clone MikroTik's dynamic DNS service.  It's a simple check box in the UI and you get a consistent DNS record you can access, and add a CNAME in your own domain to match.  They just call it 'cloud'.  It's based on the hardware serial number so the DDNS name survives factory resets etc etc.

It's a really fantastic little add-on.

change dynamic DNS address discovery method

Submitted by -
Status: New Idea

Currently (EdgeOS v1.7), the dynamic DNS clients are looking at the WAN address and sending that to the dynamic DNS service.  This is OK a lot of the time, but when something is double NAT'd, which is becoming more and more popular, this causes the dynamic DNS service to be updated to a private IP address.

I'd like to see a src-address based polling, like a STUN server, where the dynamic DNS client update would ping a UBNT service to get the actual public IP address to update the dynamic DNS service with.

This is also a simpler method when multiple WAN interfaces are in use.  Pulling in the active public IP address for an update is better than being stuck with a single interface public IP.  I know the current dynamic DNS client can be configured with separate sessions per interface, which is OK, but even modifying that to reach out on the selected interface's gateway to update would improve the client.

I have to use my own update script sometimes to do dynamic DNS.

Also note, 'Tik's cloud DNS service does this right.  Replacing RB951 units with EdgeRouters is something I've been working on for a bit, but I don't like the 'hack' of a script to do what the system should do 'natively'.

Thanks.

Firewall Rule numbering by 10s or 5s

Submitted by -
Status: New Idea

Can we make the GUI update scripts order the firewall and NAT rules by 10s rather than 1s?  I have a large team of technicians that are GUI guys that typically do the basics on my routers.  I also have a small team of engineers that fix the stuff they break. The engineers all use the CLI.  It's very difficult to re-order firewall and NAT rules from the CLI.  If the GUI ordered the rules like 10,20,30 rather than 1,2,3, us CLI guys could go insert rules at like 11,12,13 to put them in between 10 and 20.  The next time a firewall was saved or updated in the GUI, of course I would expect 11 to become 20, 12 to become 30, 13 to become 40, but I think this would happen already.

If there is a concern about the number of rules, even spacing them by 5 would be great.

POE Switch with SNMP UPS Monitoring

Submitted by -
Status: New Idea

Was just thinking if this was possible on the EdgeSwitch POE line, and as far as I can see it's not.

So my idea was to have the switch shut down some/all POE devices automatically when it senses power lost from a UPS.

I was thinking to shut down some non-essential stuff during a power outage before the switch gets killed when the UPS batteries fully die (since it can't shut down itself). This may help save devices from bricking as well.

This could help prolong the battery runtime if not so many POE devices are running, and therefore continue providing protection.

So for example, it could kill the outside cameras and all but 1 or 2 UAPs inside for people to still have access to the network from wireless devices, or be able to make wifi calls if needed.

EDIT - Just thought of a security use there too: say some robbers cut the power outside (and even smash cameras outside), the inside one could capture some data before it gets smashed/powered down as well in the event of a break-in! If the outside POE devices get shut down, then the cameras inside could hopefully get all the info the police would need.

Being able to move a static DHCP definition from one DHCP server to another in the GUI

Submitted by -
Status: New Idea

I'm always having to move static DHCP definitions from one interface to a different one.

Would be nice to be able to quickly move the device to a different interface and DHCP server with the GUI.

Currently it requires copying the MAC address somewhere so you don't forget it. Deleting from the old server along with the name.  Then adding it all back to the new server on the new interface.

In an office environment, this occurs when someone moves to a different location, etc.

Centralised SSH key management via AuthorizedKeysCommand

Submitted by -
Status: New Idea

Hi,

I created a mod to incorporate OpenSSH's AuthorizedKeysCommand into router config here:

http://community.ubnt.com/t5/EdgeMAX/Mod-Centralised-SSH-key-management-via-AuthorizedKeysCommand/m-p/1669112#U1669112

This allows the use of a central SSH public key store when logging into an EdgeOS device.

It would be great if this (or a better implementation of it) could make it into the core product.

Info Page without login

Submitted by -
Status: New Idea

Sometimes I want to check some basic stats on my ERL without making any config changes.

It would be nice to have the option of a simple stats page that displays some basic information without having to log in. E.g. the DD-WRT Sys Info page https://www.dd-wrt.com/demo/Info.htm

DD-WRT lets you choose whether to let that be accessed without login, or whether to require a login first.

Add NTP server

Submitted by -
Status: New Idea

I'd really love to see an NTP server built into the EdgeMax router software. I currently synchronise my router to a Stratum 1 server and would like the ability to create a "local" Stratum 2 server for all client devices.

In addition, I'd love the option of a RADIUS server built into the router to handle 802.1X authentication without having to rely on a Windows server for such a basic task.