New Member
Posts: 4
Registered: 3 weeks ago

ER-8 config.boot attempt

So a little background: I have CenturyLink FTTH 1 Gb symmetric for internet and have been reading guides on how to get my ER-8 up and running with 2 UAP-AC-PROs. I have a functional configuration right now, but it's very basic. It's really just the wizard for PPPoE and VLAN tagging the WAN traffic. I am having trouble segmenting my network and getting port forwarding to work properly. Could someone take a look and see where the mistakes in my config are?

 

/* Firewall rulesets for the PPPoE WAN. WAN_IN, WAN_LOCAL and WAN_OUT are
   bound to pppoe 0 in the interfaces section. No ruleset named LAN_IN is
   defined in this listing although every LAN interface references one. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Martian logging is off: packets with impossible source addresses that
       arrive on the WAN leave no syslog trace. */
    log-martians disable
    /* WAN -> LAN (forwarded traffic). Default drop; only replies to
       outbound connections, ICMP and IGMP are admitted. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            /* log enable on the accept-replies rule emits one syslog line per
               matching packet; on a 1 Gb link this buries the drop entries
               that are actually worth reading. */
            log enable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Rule 10 already accepts established/related for every protocol, so
           this ICMP rule with the same state filter cannot match anything
           rule 10 did not; unsolicited ICMP from the WAN still hits the
           default drop. */
        rule 20 {
            action accept
            description "Allow ICMP"
            log enable
            protocol icmp
            state {
                established enable
                related enable
            }
        }
        /* No state filter here: new IGMP from the WAN is admitted. */
        rule 30 {
            action accept
            description "Allow IGMP"
            log enable
            protocol igmp
        }
        /* Invalid-state packets would hit default-action drop anyway; the
           explicit rule exists so that they are logged. */
        rule 100 {
            action drop
            description "Drop invalid state"
            log enable
			protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
	}
    /* WAN -> router itself. Rules 20 and 30 admit new TCP from any Internet
       source to the router's own SSH (22) and web UI (443); the port-forward
       section rewrites 2222->22 and 8080->443 before this filter runs. This
       exposes the management plane. Restrict by source address or, better,
       remove the rules and reach the router over a VPN; if SSH must stay
       reachable, allow key-based authentication only. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Port Forward - Router SSH"
            log enable
			destination {
                address 192.168.1.1
                port 22
            }
            protocol tcp
        }
        rule 30 {
            action accept
            description "Port Forward - Router HTTPS"
			log enable
            destination {
                address 192.168.1.1
                port 443
            }
            protocol tcp
        }
        /* No state filter: the router answers ICMP (including echo requests)
           from any WAN source. */
        rule 40 {
            action accept
            description "Allow ICMP"
            log enable
            protocol icmp
        }
		/* 192.168.2.201 is a LAN host (static-mapping "prime" in the DHCP
		   section), not a router address. Traffic to it is forwarded and
		   evaluated by WAN_IN, never by this local ruleset, so this rule
		   cannot match; port-forward auto-firewall is what should admit it. */
		rule 50 {
            action accept
            description "Port Forward - Plex"
			log enable
            destination {
                address 192.168.2.201
                port 32400
            }
            protocol tcp
        }
        rule 100 {
            action drop
            description "Drop invalid state"
			log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
	/* Bound to pppoe 0 "out". With default-action accept, rule 10 changes
	   nothing and only rule 20 (reject + log invalid) has any effect, at the
	   cost of one log line per packet on rule 10. */
	name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
			log enable
            state {
                invalid enable
            }
        }
    }
    options {
        /* pppoe 0 is configured with mtu 1492, which leaves room for a TCP
           MSS of 1452 (1492 minus 40 bytes of IP+TCP headers); 1460 is
           8 bytes too high to clamp anything on that link. */
        mss-clamp {
            interface-type all
            mss 1460
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path checking is off, so nothing drops packets whose source
       address could not have arrived on the receiving interface.
       NOTE(review): with a single WAN and no asymmetric routing this could
       be enabled -- confirm before changing. */
    source-validation disable
    syn-cookies enable
}
/* Physical ports of the ER-8. eth0.201 carries the PPPoE session; eth1-eth7
   are separate /24 LAN segments. Every LAN port references a firewall
   ruleset LAN_IN that is not defined anywhere in this listing. */
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
        vif 201 {
            description "Centurylink 1G FTTH"
            pppoe 0 {
                default-route auto
                /* The WAN rulesets attach to the PPPoE session, not to
                   eth0 or eth0.201. */
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
					out {
                    name WAN_OUT
					}
                }
                mtu 1492
                name-server auto
                /* Credentials blanked for posting. */
                password 
                user-id 
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
        duplex auto
		/* LAN_IN does not exist in the firewall section; a reference to an
		   undefined ruleset is expected to fail at commit. */
		firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
		/* Guest VLAN. No firewall block here, so nothing in this listing
		   restricts guest hosts from reaching the 192.168.x.0/24 segments
		   or the router's management services on 172.16.0.1. */
		vif 302 {
            address 172.16.0.1/24
            description "Guest Network VLAN"
            mtu 1500
        }
    }
    /* Hosts 192.168.2.200-.210 (DHCP static mappings) live here, including
       the Plex target 192.168.2.201 used by port-forward rule 30. */
    ethernet eth2 {
        address 192.168.2.1/24
        description "Server Home"
        duplex auto
		firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    ethernet eth3 {
		address 192.168.3.1/24
		description "IoT"
        duplex auto
		firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    ethernet eth4 {
		address 192.168.4.1/24
		description "Media Devices"
        duplex auto
		firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    ethernet eth5 {
		address 192.168.5.1/24
		description "Quarantine w/ Internet"
        duplex auto
		firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    /* Addressed and routed although marked UNUSED; a port left up with an
       address is reachable from any device plugged into it. */
    ethernet eth6 {
		address 192.168.6.1/24
		description "UNUSED"
        duplex auto
		firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    ethernet eth7 {
        address 192.168.99.1/24
        description "Local Config Port"
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    loopback lo {
    }
}
/* Destination NAT from the WAN. Only eth1 is listed as a LAN interface, so
   rule 30 (target on eth2) is outside the scope of this section. The WAN is
   named eth0.201 here while the NAT masquerade rule and upnp2 use pppoe0,
   which is where the public address actually lives. NOTE(review): confirm
   whether DNAT on eth0.201 ever sees the PPPoE-encapsulated traffic. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
/* Rules 10 and 20 publish the router's own SSH and web UI to the Internet.
   tcp_udp is wider than needed (both services are TCP only), and exposing
   the management plane this way is not recommended; prefer VPN access. */
rule 10 {
        description "Router SSH"
        forward-to {
            address 192.168.1.1
            port 22
        }
        original-port 2222
        protocol tcp_udp
    }
    rule 20 {
        description "Router HTTPS"
        forward-to {
            address 192.168.1.1
            port 443
        }
        original-port 8080
        protocol tcp_udp
    }
	/* Target host is on eth2, which is not in lan-interface above. */
	rule 30 {
		description "Plex Remote Access"
		forward-to {
			address 192.168.2.201
			port 32400
		}
		original-port 32400
		protocol tcp_udp
	}
    wan-interface eth0.201
}
/* DHCP, DNS forwarding, web UI, NAT, SSH and UPnP. */
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        /* Scopes that list the router address first use its DNS forwarder;
           GUEST, CONFIG and QUARANTINE hand out only Google resolvers. */
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
				dns-server 8.8.8.8
                dns-server 8.8.4.4
				lease 86400
                start 192.168.1.10 {
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name GUEST {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.16.0.10 {
                    stop 172.16.0.254
                }
            }
        }
		shared-network-name CONFIG {
            authoritative disable
            subnet 192.168.99.0/24 {
                default-router 192.168.99.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.99.101 {
                    stop 192.168.99.254
                }
            }
        }
        shared-network-name SERVER {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
				dns-server 8.8.8.8
                dns-server 8.8.4.4
				lease 86400
                start 192.168.2.10 {
                    stop 192.168.2.254
                }
                /* Static mappings expose real hardware addresses of the
                   server hosts; worth redacting when the config is posted
                   publicly. The .200-.210 reservations sit inside the
                   dynamic .10-.254 pool, which is allowed but easy to
                   trip over. */
                static-mapping pve0 {
                    ip-address 192.168.2.200
                    mac-address 1c:c1:de:06:48:a4
                }
				static-mapping prime {
                    ip-address 192.168.2.201
                    mac-address f2:ba:7f:97:1a:c2
                }
				static-mapping bumblebee {
                    ip-address 192.168.2.203
                    mac-address 7a:be:8f:23:90:89
                }
                static-mapping wheeljack {
                    ip-address 192.168.2.202
                    mac-address 96:a1:85:cc:c7:df
                }               
                static-mapping pve1 {
                    ip-address 192.168.2.210
                    mac-address d8:9d:67:79:01:ac
                }
                
            }
        }
		shared-network-name IOT {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.3.10 {
                    stop 192.168.3.254
                }
            }
        }
		shared-network-name MEDIA {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.4.10 {
                    stop 192.168.4.254
                }
            }
        }
		shared-network-name QUARANTINE {
            authoritative disable
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.5.10 {
                    stop 192.168.5.254
                }
            }
        }
		use-dnsmasq disable
    }
    dns {
        /* Forwarder listens on eth1-eth6 only; eth7 and the guest VLAN
           eth1.302 are not served, which matches the DHCP scopes above. */
        forwarding {
            cache-size 500
			listen-on eth1
            listen-on eth2
			listen-on eth3
			listen-on eth4
			listen-on eth5
			listen-on eth6
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    /* older-ciphers enable weakens the TLS configuration of the web UI, and
       WAN_LOCAL rule 30 plus port-forward rule 20 make that UI reachable
       from the Internet on port 8080. Keep the UI LAN/VPN-only and disable
       older ciphers unless a specific legacy client needs them. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* log enable here writes a syslog line for every translated packet
           in every protocol -- far noisier than useful. */
        rule 5000 {
            description "masquerade for WAN"
			log enable
            outbound-interface pppoe0
			protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    /* Hosts on eth1-eth4 (LAN, servers, IoT, media) may request inbound
       port mappings through UPnP. IoT devices in particular are a common
       reason to keep UPnP off a segment; secure-mode at least limits a
       client to mapping its own address. */
    upnp2 {
        listen-on eth1
		listen-on eth2
		listen-on eth3
		listen-on eth4
        nat-pmp disable
        secure-mode enable
        wan pppoe0
    }
}
/* Host identity, accounts, time, offload and logging. */
system {
    host-name CYBERTRON
    login {
        /* Password hashes blanked for posting. */
        user someone {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            full-name ""
            level admin
        }
        /* The factory default admin account is still present; once the
           custom admin login is verified, remove it so the well-known
           username is not a valid target. */
        user ubnt {
            authentication {
                encrypted-password 
            }
            level admin
        }
    }
 	name-server 8.8.8.8
    name-server 8.8.4.4
	ntp {
        server time1.google.com {
        }
        server time2.google.com {
        }
        server time3.google.com {
        }
        server time4.google.com {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
    }
    /* Plain-http mirror; apt's signature check covers package integrity
       but not the privacy of what is fetched. */
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    /* Local syslog only; with the many "log enable" rules above, no
       remote host is configured to retain what the ring buffer drops. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
	traffic-analysis {
        dpi disable
        export enable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.1.4977353.170426.0429 */

Thanks in advance for your help!

Established Member
Posts: 1,137
Registered: 08-06-2015
Kudos: 449
Solutions: 58

Re: ER-8 config.boot attempt

Specifically what types of problems are you experiencing?  You haven't provided any details on the issues you are seeing.

 

IE: specifically what are you trying to accomplish, what are you configuring to do this, and what are you seeing as the results?

 

New Member
Posts: 4
Registered: 3 weeks ago

Re: ER-8 config.boot attempt

waterside, the issues I am having are that port forwards and UPnP don't seem to work. Also, I was looking for suggestions on what to change/fix in my config. I have reused someone else's configuration file. It was for an ERL, not an ER-8, and I had to change settings since he was using a different ISP. As this is my first attempt at a semi-custom configuration, I assumed there would be glaring errors.
SuperUser
Posts: 18,390
Registered: 09-17-2013
Kudos: 4594
Solutions: 1286

Re: ER-8 config.boot attempt

Checking your port forwards:

 

These are outright wrong.  Remove them.  

rule 10 {
        description "Router SSH"
        forward-to {
            address 192.168.1.1
            port 22
        }
        original-port 2222
        protocol tcp_udp
    }
    rule 20 {
        description "Router HTTPS"
        forward-to {
            address 192.168.1.1
            port 443
        }
        original-port 8080
        protocol tcp_udp
    }

If you want to remotely access the router, ssh with key-based auth ONLY is okay (but you need a WAN_LOCAL firewall rule), remote access to the web UI should only really be allowed via a VPN.

 

The plex can't be reached because you've not set its interface as a LAN Interface:

port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    ethernet eth2 {
        address 192.168.2.1/24

Adding 'eth2' to your list of LAN interfaces in the port forward should sort that out. 

 

 

This is entirely unnecessary

	name WAN_OUT {
        default-action accept
        description "Internal to WAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action reject
            description "Reject invalid state"
			log enable
            state {
                invalid enable
            }
        }
    }

 

I don't see a LAN_IN firewall anywhere... 

New Member
Posts: 4
Registered: 3 weeks ago

Re: ER-8 config.boot attempt

I simplified my config to troubleshoot my issue.

Auto firewall on Hairpin On

Tried port 2222 eth0 -> eth1 dest 192.168.1.1 port 22 

Tried port 2222 eth0.201 -> eth1 dest 192.168.1.1 port 22 

Tried port 2222 pppoe0  -> eth1 dest 192.168.1.1 port 22 

 

Auto firewall on Hairpin Off

Tried port 2222 eth0 -> eth1 dest 192.168.1.1 port 22 

Tried port 2222 eth0.201 -> eth1 dest 192.168.1.1 port 22 

Tried port 2222 pppoe0  -> eth1 dest 192.168.1.1 port 22 

 

Config: the only thing changed between attempts was port forwarding.

/* Simplified WAN rulesets used for troubleshooting. WAN_LOCAL has no rule
   admitting new TCP to port 22, yet port-forward rule 1 below targets the
   router's own address 192.168.1.1; after DNAT that packet is local traffic
   and is evaluated here, not in WAN_IN. NOTE(review): whether auto-firewall
   also hooks the local chain is not visible in this listing -- if it does
   not, default-action drop is what is eating the forwarded SSH. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Accept Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    options {
        /* Clamped to 1412 on PPPoE only, comfortably under the 1452 that
           the 1492 MTU allows. */
        mss-clamp {
            interface-type pppoe
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
/* Simplified interface layout: only eth1 is active as a LAN. eth2 keeps an
   address but is disabled, so the LAN2 DHCP scope and the eth2 DNS
   listener in the service section are currently unreachable. */
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
        vif 201 {
            description "Internet (PPPoE)"
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
                /* Credentials blanked for posting. */
                password 
                user-id 
            }
        }
    }
    /* No inbound ruleset on the LAN side; LAN hosts have unrestricted
       access to the router's management services. */
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* Single test forward, correctly bound to pppoe0 this time (matches the
   NAT masquerade rule). The target is the router's own SSH, so the packet
   is filtered by WAN_LOCAL after DNAT; see the note on the firewall section.
   tcp_udp is wider than SSH needs. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description SSH
        forward-to {
            address 192.168.1.1
            port 22
        }
        original-port 2222
        protocol tcp_udp
    }
    wan-interface pppoe0
}
/* Services for the simplified layout. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                /* Reservations moved from 192.168.2.x into this scope; they
                   still publish the hosts' hardware addresses. */
                static-mapping bumblebee {
                    ip-address 192.168.1.203
                    mac-address 7a:be:8f:23:90:89
                }
                static-mapping prime {
                    ip-address 192.168.1.201
                    mac-address f2:ba:7f:97:1a:c2
                }
                static-mapping pve0 {
                    ip-address 192.168.1.200
                    mac-address 1c:c1:de:06:48:a4
                }
                static-mapping pve1 {
                    ip-address 192.168.1.210
                    mac-address d8:9d:67:79:01:ac
                }
                static-mapping wheeljack {
                    ip-address 192.168.1.202
                    mac-address 96:a1:85:cc:c7:df
                }
            }
        }
        /* Scope for eth2, which is disabled in the interfaces section. */
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        /* No name-server entries here; resolution relies on the servers
           learned from the PPPoE session (name-server auto). */
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    /* Reachable from the LAN only in this layout (no WAN_LOCAL rule for
       80/443), but older-ciphers enable still weakens its TLS. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    /* Empty legacy upnp node left next to upnp2 -- presumably a leftover;
       confirm it is intended. */
    upnp {
    }
    /* wan eth0 does not match the interface the public address is on
       (pppoe0, as used by port-forward and the NAT rule); this mismatch is
       the most likely reason UPnP mappings do not work. NAT-PMP is also
       enabled here, unlike the first config. */
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
/* System settings for the simplified layout. */
system {
    host-name ubnt
    login {
        /* Username and password hash blanked for posting; as written the
           node has no name, so this is not a loadable snippet. */
        user  {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            full-name ""
            level admin
        }
        /* Factory default admin account still present; remove it once the
           custom admin login is verified. */
        user ubnt {
            authentication {
                encrypted-password 
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    /* Local syslog only; no remote host configured. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.1.4977353.170426.0429 */

I don't know how the PPPoE service with a VLAN affects port forwarding. Any help would be really great.
