Member
Posts: 199
Registered: ‎04-14-2013
Kudos: 78
Solutions: 5

Re: Basic SOHO/Home Config

[ Edited ]

You're right! My rule added exactly the same as the default action seems to be. A CLI issue then in the show command.

 

root@ubnt:/home/ubnt# sudo iptables -t mangle -L pppoe0-out -vn
Chain pppoe0-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  424 26408 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           /* pppoe0-out-1 */ tcp flags:0x02/0x02 TCPMSS set 1452 
4043K  257M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* pppoe0-out-1000 */ 
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* pppoe0-out-10000 default-action accept */ 
root@ubnt:/home/ubnt# 
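As an added example, not part of bjck's post or of the EdgeOS software itself: a small Python check that reads the same `iptables -t mangle -L <chain> -vn` output and confirms the clamp matches what the link needs. A PPPoE session rides inside Ethernet with an 8-byte PPPoE/PPP header, so the usual link MTU is 1492; with 20-byte IPv4 and TCP headers and no options that leaves an MSS of 1452, which is the value the chain above carries. The sample output below is the chain from the post, embedded as a constant (constructed test input) so the script runs offline; the function names are chosen here.

```python
import re

# Sample `iptables -t mangle -L pppoe0-out -vn` output, copied from the post above
# (constructed test input for this example; only the TCPMSS line matters).
SAMPLE_OUTPUT = """\
Chain pppoe0-out (1 references)
 pkts bytes target     prot opt in     out     source               destination
  424 26408 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           /* pppoe0-out-1 */ tcp flags:0x02/0x02 TCPMSS set 1452
4043K  257M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* pppoe0-out-1000 */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* pppoe0-out-10000 default-action accept */
"""

IPV4_HEADER = 20   # bytes, no options
TCP_HEADER = 20    # bytes, no options
TCP_SYN = 0x02


def expected_mss(link_mtu):
    """Largest TCP payload that fits in one packet on a link with this MTU."""
    return link_mtu - IPV4_HEADER - TCP_HEADER


def parse_tcpmss_rules(output):
    """Pull the TCPMSS rules out of `iptables -L <chain> -vn` output."""
    rules = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] != "TCPMSS":
            continue
        comment = re.search(r"/\*\s*(.*?)\s*\*/", line)
        # iptables prints "flags:<mask>/<comp>"; the rule matches SYN when both carry it
        flags = re.search(r"flags:0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)", line)
        mask, comp = (int(flags.group(1), 16), int(flags.group(2), 16)) if flags else (0, 0)
        mss = re.search(r"TCPMSS set (\d+)", line)
        rules.append({
            "comment": comment.group(1) if comment else "",
            "syn_only": bool(mask & TCP_SYN and comp & TCP_SYN),
            "mss": int(mss.group(1)) if mss else None,   # None means "clamp to PMTU"
        })
    return rules


def check_mss_clamp(output, link_mtu):
    """Return findings; an empty list means a clamp is present and matches link_mtu."""
    rules = parse_tcpmss_rules(output)
    if not rules:
        return ["no TCPMSS rule in chain: oversized segments will depend on PMTUD working"]
    want = expected_mss(link_mtu)
    findings = []
    for r in rules:
        tag = r["comment"] or "TCPMSS rule"
        if r["mss"] is None:
            continue   # "clamp to PMTU" follows the discovered path MTU; nothing to compare
        if r["mss"] > want:
            findings.append(f"{tag}: MSS {r['mss']} is above {want} for an MTU of {link_mtu}")
        elif r["mss"] < want:
            findings.append(f"{tag}: MSS {r['mss']} is below {want}; segments are smaller than the link allows")
    return findings


if __name__ == "__main__":
    for line in check_mss_clamp(SAMPLE_OUTPUT, 1492) or ["MSS clamp OK for MTU 1492"]:
        print(line)
```

Run it against `sudo iptables -t mangle -L pppoe0-out -vn` output from the router and pass the MTU shown by `ip link show pppoe0`; a clamp higher than the link allows means large SYN-negotiated segments still get fragmented or black-holed, a clamp far below it just costs throughput.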

 

New Member
Posts: 2
Registered: ‎05-05-2013

Re: Basic SOHO/Home Config

[ Edited ]

Hi

 

I was wondering if it would be possible to set up VPN behind PPPoE? In other words:

Eth0 = WAN

WAN is PPPoE (username/password combo as usual)

Eth1 = LAN

Eth2 = LAN (same subnet as Eth1, but different VLAN)

 

Eth1 = normal WAN access

Eth2 = access via PPTP or SSL VPN (e.g. StrongVPN, BTGuard, etc.). Automatic login.

 

 

Thanks!

 

RL

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config


bjck wrote:

You're right! My rule added exactly the same as the default action seems to be. A CLI issue then in the show command.

By the way this issue has been fixed in the v1.2.0alpha2 release. Thanks for reporting it.
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config


rkflum wrote:

I was wondering if it would be possible to set up VPN behind PPPoE? In other words:

Eth0 = WAN

WAN is PPPoE (username/password combo as usual)

Eth1 = LAN

Eth2 = LAN (same subnet as Eth1, but different VLAN)

 

Eth1 = normal WAN access

Eth2 = access via PPTP or SSL VPN (e.g. StrongVPN, BTGuard, etc.). Automatic login.

Maybe policy-based routing can be used (the Wiki has more information) to define different routes so that packets from the eth1 subnet use the PPPoE interface and packets from the eth2 subnet use the VPN interface?

New Member
Posts: 2
Registered: ‎05-05-2013

Re: Basic SOHO/Home Config

Hi

Thanks for your reply.

I should clarify my setup a little bit. My internet connection is PPPoE,
and I plug my ISP's modem into eth0. I would set up the ERL to connect WAN
using PPPoE.

As for the VPN, I normally would set up my home computer to connect to the
VPN provider (e.g. StrongVPN) using PPTP or SSL VPN. That still has to be
done over my PPPoE WAN connection. I can only connect on a device basis
and each device has to be set up with the same VPN credentials.

What I want to do is set up the ERL so that it can be the VPN client,
still connecting through the PPPoE WAN link on eth0, and acting as the
gateway for LAN (or part/VLAN thereof) so that LAN/VLAN devices/clients
also get internet access through the VPN (i.e., the ERL) without having to
be set up themselves.

Thanks!

RL
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config


rkflum wrote:
What I want to do is set up the ERL so that it can be the VPN client,
still connecting through the PPPoE WAN link on eth0, and acting as the
gateway for LAN (or part/VLAN thereof) so that LAN/VLAN devices/clients
also get internet access through the VPN (i.e., the ERL) without having to
be set up themselves.

Yes, so the policy-based routing approach mentioned above might work?
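One way to build what rkflum describes, as an added example that is not from this thread or from Ubiquiti: EdgeOS CLI commands that bring up an OpenVPN client (the "SSL VPN" case) and policy-route one LAN through it while the other LAN keeps using the PPPoE link. Assumptions made here: eth0 carries the PPPoE WAN, eth1 stays on the normal path, and eth2 is given its own subnet 192.168.2.0/24 (policy routing by source needs the two LANs on distinct subnets, so the "same subnet, different VLAN" layout in the question is replaced by two subnets); the provider's OpenVPN profile, including whatever it needs for the automatic login, has been copied to /config/auth/provider.ovpn (a path chosen here, under the directory EdgeOS keeps for keys and certificates); the names vtun0, VPN_LAN, table 10 and NAT rule 5020 are also chosen here, and the blackhole route in a static table is assumed to be accepted by the reader's release.

```text
configure

# OpenVPN client to the provider; the profile path is an assumption of this example
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 config-file /config/auth/provider.ovpn
set interfaces openvpn vtun0 description "VPN provider"

# Traffic entering the router from eth2 is marked to be looked up in routing table 10
set firewall modify VPN_LAN rule 10 description "eth2 LAN via VPN"
set firewall modify VPN_LAN rule 10 source address 192.168.2.0/24
set firewall modify VPN_LAN rule 10 modify table 10
set interfaces ethernet eth2 firewall in modify VPN_LAN

# Table 10: default route over the tunnel. The blackhole route takes over when vtun0 is
# down, so eth2 loses connectivity instead of silently falling back to the PPPoE link.
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface vtun0
set protocols static table 10 route 0.0.0.0/0 blackhole distance 255

# Source NAT behind the tunnel address (the existing rule only masquerades on the PPPoE side)
set service nat rule 5020 description "VPN MASQ"
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 type masquerade

commit
save
```

The blackhole is the part worth keeping even if everything else is adapted: without it, a Linux policy-rule lookup that finds no route in table 10 simply continues to the main table, and eth2 clients would go out unencrypted over pppoe0 whenever the tunnel drops.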

New Member
Posts: 6
Registered: ‎05-09-2013

Re: Basic SOHO/Home Config

Is the release with this fix available for download?

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

If you mean the fix for the "show" command above, it is in the current alpha release. You can participate in the beta program if you want to test it.

New Member
Posts: 16
Registered: ‎01-04-2010

Re: Basic SOHO/Home Config

Hey guys,

 

I am new to the EdgeRouter and I have been working my way through the forum posts and various examples for a day now. I am getting frustrated at the lack of documentation, but hopefully I just haven't found all the resources yet.

 

There is something really simple I need your feedback on so that I can complete my basic set-up. I have used the basic SOHO configuration as a starting point but had to change the interface eth0 static IP to 192.168.42.1 (I also changed the DHCP server on this interface). I would now like to log on to the web GUI on eth0, but access to the web GUI is not available on eth0 via that new IP address (which was previously configured as 192.168.1.1, and web GUI access worked). I tried deleting the listen-address for 192.168.1.1 and setting a new one

delete service gui listen-address 192.168.1.1

set service gui listen-address 192.168.42.1

but this did not work either. Can someone please explain how web gui access logic works, which commands are needed and what I have to do to enable web gui access on eth0 for a specific ip address?

 

In addition, I noticed that with the basic SOHO configuration, traffic between eth0 and eth1 is not separated. I can ping ip addresses connected on eth1 when I am connected to eth0 and vice versa. How do I have to change the Firewall rules to separate the interfaces completely?

 

Last but not least, I need to have a certain port on a certain server on eth1 accessible from the WAN interface eth2. Do I have to enable port forwarding on eth2 to make this happen? Please point me to an example I can play with.

 

Thanks a lot in advance!

 

Alex

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

Could you post your current configuration so that people can take a look?

New Member
Posts: 16
Registered: ‎01-04-2010

Re: Basic SOHO/Home Config

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    name WLAN_IN {
        default-action accept
        description "Wireless network to other networks"
    }
    name WLAN_LOCAL {
        default-action accept
        description "Wireless network to router."
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.42.1/24
        description LAN1
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description LAN2
        firewall {
            in {
                name WLAN_IN
            }
            local {
                name WLAN_LOCAL
            }
        }
    }
    ethernet eth2 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name wired-eth0 {
            authoritative disable
            subnet 192.168.42.0/24 {
                default-router 192.168.42.1
                dns-server 192.168.42.1
                lease 86400
                start 192.168.42.250 {
                    stop 192.168.42.254
                }
            }
        }
        shared-network-name wireless-eth1 {
            authoritative enable
            description "Wireless Network - Eth1"
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.100
                }
                time-server 192.168.2.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth2
        }
        listen-on eth1 {
            outbound-interface eth2
        }
    }
}
system {
    host-name EIM-Router-1
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user Admin {
            authentication {
                encrypted-password $6$9uxcyTZy/IXZ3p6$zfwMbYQ0kt5nKAQvr2f0quD.f5uzdaoT9JGZK1fx2yaWpb/BAyGwXjYhV18YGJoKcuI9bGMJtPy3X6EouxAXe1
                plaintext-password ""
            }
            full-name "EIM Admin"
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.0.2.4507738.121107.1250 */

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

(Reposting LXD's config with correct indentation and using the "Insert Code" function.)

 

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    name WLAN_IN {
        default-action accept
        description "Wireless network to other networks"
    }
    name WLAN_LOCAL {
        default-action accept
        description "Wireless network to router."
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.42.1/24
        description LAN1
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description LAN2
        firewall {
            in {
                name WLAN_IN
            }
            local {
                name WLAN_LOCAL
            }
        }
    }
    ethernet eth2 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name wired-eth0 {
            authoritative disable
            subnet 192.168.42.0/24 {
                default-router 192.168.42.1
                dns-server 192.168.42.1
                lease 86400
                start 192.168.42.250 {
                    stop 192.168.42.254
                }
            }
        }
        shared-network-name wireless-eth1 {
            authoritative enable
            description "Wireless Network - Eth1"
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                ntp-server 192.168.2.1
                start 192.168.2.10 {
                    stop 192.168.2.100
                }
                time-server 192.168.2.1
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            system
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth2
        }
        listen-on eth1 {
            outbound-interface eth2
        }
    }
}
system {
    host-name EIM-Router-1
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user Admin {
            authentication {
                encrypted-password $6$9uxcyTZy/IXZ3p6$zfwMbYQ0kt5nKAQvr2f0quD.f5uzdaoT9JGZK1fx2yaWpb/BAyGwXjYhV18YGJoKcuI9bGMJtPy3X6EouxAXe1
                plaintext-password ""
            }
            full-name "EIM Admin"
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.0.2.4507738.121107.1250 */

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

 

service {
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    } 

Looks like the GUI listen address does not include 192.168.42.1? When you say the delete/set did not work, what is the error you got and/or what happens after the delete/set? The Wiki also has some basic information about using the CLI.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3059
Solutions: 945
Contributions: 16

Re: Basic SOHO/Home Config


LXD wrote:

 

In addition, I noticed that with the basic SOHO configuration, traffic between eth0 and eth1 is not separated. I can ping ip addresses connected on eth1 when I am connected to eth0 and vice versa. How do I have to change the Firewall rules to separate the interfaces completely?

This should should help: How to keep public and private LANs separate

 

 

Last but not least, I need to have a certain port on a certain server on eth1 accessible from the WAN interface eth2. Do I have to enable port forwarding on eth2 to make this happen? Please point me to an example I can play with.

See:EdgeMAX port forwarding.

EdgeMAX Router Software Development
New Member
Posts: 16
Registered: ‎01-04-2010

Re: Basic SOHO/Home Config

Hi, the config I posted is the version before I deleted/set the listen-address. When I did this, I could not log on to the GUI anymore on either eth0 or eth1. I submitted the commands while I was logged on via eth1. Does it make a difference which interface you are connected on when changing the GUI listen settings? Do I have to power cycle the router manually after such changes?

 

What are the commands to enable/disable web gui access on an interface and assign an ip address?

What if no listen addresses are assigned at all?

 

Sorry but the CLI documentation I reviewed does not speak to this at all.

 

Based on the config I posted, what commands would you use to change the listen address for eth0?

Alex

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config

No, a power cycle is not needed for the config change.

 

If the listen-address is not set, then it will allow access on all interfaces. So it might be simpler to not set it and make sure the Web UI access works first. Then you can set the listen-address to restrict the access.

New Member
Posts: 16
Registered: ‎01-04-2010

Re: Basic SOHO/Home Config

[ Edited ]

Any chance to get a comprehensive reply since no documentation is provided for this? Is it possible to set a listen-address for a specific interface only?

 

Revision:

I tried this again as suggested:

configure

delete service gui listen-address 192.168.1.1

set service gui listen-address 192.168.42.1

commit

 

After the commit, the router reboots, but I can't connect to the GUI anymore, so I also can't submit a save to change the boot configuration.

 

I am making those changes via the CLI editor which is accessible from the webgui. I am using a MacBook Pro.

 

Alex

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5401
Solutions: 1656
Contributions: 2

Re: Basic SOHO/Home Config


LXD wrote:

I tried this again as suggested:

configure

delete service gui listen-address 192.168.1.1

set service gui listen-address 192.168.42.1

commit

 

After the commit, the router reboots, but I can't connect to the GUI anymore, so I also can't submit a save to change the boot configuration.

 

I am making those changes via the CLI editor which is accessible from the webgui.

 

OK, so you are making this change through the CLI window in the GUI. I just tried this and it looks like there is actually a problem with this. The CLI in the GUI is still part of the GUI session. When a change to the GUI service is made there, it restarts the Web server, which terminates the GUI session (including the CLI within it). This causes problems such that the config change is not saved and the Web server is not started either.

 

We will need to look into this problem (changing the GUI setting from a GUI session). For now, one alternative is to use, for example, SSH to access the CLI and change the GUI settings. Another is to manually edit the config file to change the listen-address, load the file from the GUI, and reboot.

Regular Member
Posts: 333
Registered: ‎03-31-2013
Kudos: 213
Solutions: 20

Re: Basic SOHO/Home Config

I believe you should either remove (or disable) rule 3 from WAN_LOCAL or remove network 192.168.0.0/16 from the BOGONS network-group in the firewall.


Marcos
New Member
Posts: 16
Registered: ‎01-04-2010

Re: Basic SOHO/Home Config

Hey guys, 

 

I have one more question regarding the config I posted. I don't seem to be able to ping the WAN port of my router from the WAN side. It is not returning any ping echoes. How can I enable this?

 

Thanks Alex
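The three things this thread trips over in LXD's config can all be read off the config itself, so here is an added example (not from the thread, not Ubiquiti's code) of a Python lint that does exactly that: it checks that every `service gui` / `service ssh` listen-address is an address the router actually holds (the 192.168.1.1 problem), that a DHCP-addressed WAN does not have a `local` rule dropping RFC1918 sources (Marcos's point about rule 3 and the BOGONS group, which also silences pings from the WAN side if the modem hands the router a private address), and that two LANs whose `in` rulesets accept by default also carry a drop for each other's subnet (the eth0/eth1 separation question). It assumes the config is given in the `set ...` form that `show configuration commands` prints; the sample embedded below is a constructed, cut-down rendering of the config posted above, and the function names are chosen here.

```python
import ipaddress
import shlex

# Constructed sample: a cut-down `show configuration commands` rendering of the
# config posted above (only the statements the checks look at are kept).
SAMPLE_COMMANDS = """\
set firewall group network-group BOGONS network 10.0.0.0/8
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall name LAN_IN default-action accept
set firewall name WLAN_IN default-action accept
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 3 action drop
set firewall name WAN_LOCAL rule 3 source group network-group BOGONS
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 protocol icmp
set interfaces ethernet eth0 address 192.168.42.1/24
set interfaces ethernet eth0 firewall in name LAN_IN
set interfaces ethernet eth1 address 192.168.2.1/24
set interfaces ethernet eth1 firewall in name WLAN_IN
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 firewall local name WAN_LOCAL
set service gui listen-address 192.168.1.1
set service gui listen-address 192.168.2.1
set service ssh listen-address 192.168.1.1
set service ssh listen-address 192.168.2.1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_set_commands(text):
    """Turn `set a b c ...` lines into a tree of dicts; every token becomes a key."""
    root = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps a quoted description as one token
        if len(tokens) > 1 and tokens[0] == "set":
            node = root
            for tok in tokens[1:]:
                node = node.setdefault(tok, {})
    return root


def get(node, *path):
    """Walk a path of keys; a missing key yields {} so callers can iterate safely."""
    for key in path:
        node = node.get(key, {})
    return node


def denies(rule):
    return "drop" in get(rule, "action") or "reject" in get(rule, "action")


def lint(cfg):
    """Findings for the three problems raised in the thread; an empty list means clean."""
    findings = []
    ifaces = get(cfg, "interfaces", "ethernet")
    static_ips, subnets, dhcp_ifaces = {}, {}, []
    for name, node in ifaces.items():
        for addr in get(node, "address"):
            if addr == "dhcp":
                dhcp_ifaces.append(name)
            else:
                ip = ipaddress.ip_interface(addr)
                static_ips[str(ip.ip)] = name
                subnets[name] = ip.network
    # 1. gui/ssh listen-address must be an address the router actually holds
    for svc in ("gui", "ssh"):
        for addr in get(cfg, "service", svc, "listen-address"):
            if addr not in static_ips:
                findings.append(f"service {svc}: listen-address {addr} is not assigned to any interface")
    # 2. a DHCP-addressed WAN may sit behind a modem that hands out an RFC1918 address;
    #    a 'local' rule dropping RFC1918 sources then also drops pings from that side
    groups = get(cfg, "firewall", "group", "network-group")
    for name in dhcp_ifaces:
        for chain in get(ifaces[name], "firewall", "local", "name"):
            for num, rule in get(cfg, "firewall", "name", chain, "rule").items():
                for grp in (get(rule, "source", "group", "network-group") if denies(rule) else {}):
                    nets = [ipaddress.ip_network(n) for n in get(groups, grp, "network")]
                    hit = [str(n) for n in nets if any(n.overlaps(p) for p in RFC1918)]
                    if hit:
                        findings.append(f"{name}: {chain} rule {num} drops RFC1918 sources "
                                        f"({', '.join(hit)}) but {name} is DHCP-addressed")
    # 3. two LANs are only separated if each 'in' ruleset drops traffic to the other subnet
    for name in subnets:
        for chain in get(ifaces[name], "firewall", "in", "name"):
            if "accept" not in get(cfg, "firewall", "name", chain, "default-action"):
                continue
            rules = get(cfg, "firewall", "name", chain, "rule").values()
            blocked = {d for r in rules if denies(r) for d in get(r, "destination", "address")}
            for other, onet in subnets.items():
                if other != name and str(onet) not in blocked:
                    findings.append(f"{name}: {chain} accepts by default and never drops {onet} "
                                    f"({other}); the LANs are not separated")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(parse_set_commands(SAMPLE_COMMANDS))) or "no findings")
```

On the posted config it reports five lines: the stale 192.168.1.1 listen-address for both gui and ssh, WAN_LOCAL rule 3 dropping the private ranges on the DHCP-addressed eth2, and the missing drop in each direction between eth0 and eth1. Feed it the real `show configuration commands` output over SSH (not from the GUI's CLI window, for the reason explained above) and re-run after each change; the check for the third item only recognises a plain `destination address <subnet>` drop, not drops expressed through address groups.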
