Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

All LAN ports on same DHCP/DNS

Hello all,

I have ETH1 as Internet (WAN) and that works, and by default it puts ETH0 as LAN with DHCP 192.168.1.1/24 and so on. What I need, basically, is another LAN port to be part of the same LAN as ETH0. How can I do this?

The reason I need this is because I have my switch on ETH7 (SFP) and all clients are behind that.

The wizard only allowed me to set DHCP/DNS on LAN0, but I need LAN0 and 7 basically to be the same.

Of course I also need all traffic between ETH0 and 7 to be open, as they both should become the same LAN.

Can anyone please help?


Thank you.



UniFi solutions for everyone!
Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Thanks to wifihouse.nl I found out how to do it.

Simply delete the 192.168.1.1/24 address from ETH0 and set up a bridge:

set interfaces bridge br0
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth7 bridge-group bridge br0
commit

After that, put the 192.168.1.1/24 back on br0 (the bridge) in the GUI, and you can access the GUI through all ETH ports that are part of the bridge, in my case ETH0 and ETH7.


Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Actually, it seems this is not the most ideal solution, as bridging removes hardware acceleration on NAT. Wondering if there is any alternative from Ubiquiti to do this, then?



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

Just set up a DHCP server for eth7.

Go to the Services tab and click on the '+ Add DHCP Server' button in the upper left corner.

If you need more help from there, just ask.

Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Then I guess I can use eth1 to connect my laptop and configure all that, right?

And concerning DNS, that's also just enabled for ETH7? (Local DNS with forwarding to the external ISP's DNS.)



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

Correct on all counts.

interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.50.1/24
        description "Local 1"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-address xx.xx.xx.xx {
        }
        local-port xxxx
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address xx.xx.xx.xx
        remote-host xxxxxxx.xxx
        remote-port xxxx
        shared-secret-key-file /config/auth/secret
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 172.16.50.0/24 {
                default-router 172.16.50.1
                dns-server 172.16.50.1
                lease 86400
                start 172.16.50.151 {
                    stop 172.16.50.200
                }
                static-mapping Avigilon {
                    ip-address 172.16.50.76
                    mac-address 00:18:85:06:98:33
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
}

This is a portion of the configuration from my remote network.  It is on an ERL (EdgeRouter Lite) with 2 networks configured.  Each has its own DHCP server.

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

This is the interfaces portion of the configuration for my main networks.  Also on an ERL, which is why I stated on your other post that the ER Pro was more than you needed.

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "DMZ SUBNETS"
        duplex auto
        speed auto
        vif 130 {
            address 10.112.130.1/24
            description Public_Servers
            mtu 1500
        }
        vif 160 {
            address 10.112.160.1/24
            description BCF_Guest
            mtu 1500
        }
    }
    ethernet eth2 {
        description "LAN SUBNETS"
        duplex auto
        speed auto
        vif 20 {
            address 10.10.20.1/24
            description BCF_Home
            mtu 1500
        }
        vif 30 {
            address 10.10.30.1/24
            description BCF_Servers
            mtu 1500
        }
        vif 40 {
            address 10.10.40.1/24
            description BCF_VOIP
            mtu 1500
        }
        vif 50 {
            address 10.10.50.1/24
            description BCF_CCTV
            mtu 1500
        }
        vif 60 {
            address 10.10.60.1/24
            description BCF_Wrls
            mtu 1500
        }
        vif 99 {
            address 10.10.99.1/24
            description BCF_Mgmt
            mtu 1500
        }
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-address xx.xx.xx.xx {
        }
        local-port xxxx
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address xx.xx.xx.xx
        remote-host xxxxxxxxx.xxx
        remote-port xxxx
        shared-secret-key-file /config/auth/secret
    }
}

 

Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Yeah, hopefully I can do that in the GUI; I'd prefer to do as much as possible in there before touching the CLI.



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

Simple to do in the GUI.

Start on the Dashboard page.  On the right side of the line for eth7, click on the 'Actions' button.  Then click 'Config'.  This will take you to picture-1.

Under Description, give your new network a name.  Then select the bullet for 'Manually define IP address(es)'.  Give the new network an address such as 192.168.7.1/24 and click 'Save'.

You now have a usable network on eth7.

Lan Configuration.png
Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Yeah, though I need that on 192.168.1.x (since all devices in the LAN are already on there), so I probably need to change ETH0 to 192.168.2.x or something first and then put ETH7 on the 192.168.1.1 range.

I also see you moved the internet to ETH0; doesn't the wizard put the internet on ETH1 by itself? Did you manually change that?

Thx for the info!



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

Now that you have a network, let's setup your DHCP server......

Go to the Services tab.  In the upper left corner, click on the '+ Add DHCP Server' button.  This will take you to picture-2.

First, give the server a name (DHCP Name).  Maybe 'LAN-Port-7'?  You can always delete it and create it again to change the name.

Next, tell it the subnet.  Using the above network example, this would be 192.168.7.0/24.

Pick an address for the starting point of your dynamic addresses.  Say, 192.168.7.101.

Next is the last address.  Say, 192.168.7.200.

The router will be 192.168.7.1.  This is the address we defined on the Dashboard tab on the previous post.

DNS1 & DNS2 are how you define your DNS for the host clients on this network.  If you want to use your ER Pro for the DNS, then you will use the same address as you used for the router, 192.168.7.1.

You can supplement or replace this as you choose.  OpenDNS has 4 public addresses that can be used:

208.67.222.222

208.67.220.220

208.67.222.220

208.67.220.222

Google has 8.8.8.8 & 8.8.4.4

Typically you use your router for DNS1 and a supplement (if desired) for DNS2, DNS3, DNS4, etc.  Note that anything after DNS2 has to be done via the CLI.

If you are creating a Guest network, you may choose to omit the router from the DNS settings for that network so the hosts are forced to go to the internet for DNS resolution.

DHCP Server Setup.png
Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

@mbnn wrote:

Yeah, though I need that on 192.168.1.x (since all devices in the LAN are already on there), so I probably need to change ETH0 to 192.168.2.x or something first and then put ETH7 on the 192.168.1.1 range.

I also see you moved the internet to ETH0; doesn't the wizard put the internet on ETH1 by itself? Did you manually change that?

Thx for the info!


Yes, I moved them to the location which works best for me.

You say all devices on lan are already on 192.168.1.0/24.  Are they setup by static IP or are they getting addresses from your DHCP server?  Just something to think about.

Here is my recommendation for setting up your eth7.  Set up eth2 first with a DHCP server.  Move your computer to eth2.  Log back into the router on the network address for eth2 (192.168.2.1/24?).  Change the network settings for eth0.  Give network address 192.168.1.1/24 to eth7.  Note that networks 192.168.1.0/24 & 192.168.2.0/24 (eth2) already have DHCP servers if you used the WAN+2LAN Wizard.  If not, use the instructions above to create the server.

Questions?

Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Heya, I have about 15 devices with a static IP (cameras, Mac mini server, Synology, etc.); the rest is dynamic.

So basically, when I get the router tomorrow I will not use the wizard and just configure ETH2 with DHCP on 192.168.2.x or whatever, just to configure it, then plug in WAN (Internet) on ETH0 and change that to become the internet port or something in the GUI, and then set ETH7 to the .1 range and enable DHCP on that range. Correct? So no use of wizards?

Cause I also need some ports from WAN > LAN devices open.



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

You have the correct idea.  As I said, if you have any issues, just ask. 

You will need to build a firewall for your WAN interface, as there is no default firewall.  Again, not difficult from the GUI.  That might be a good area to get your feet wet with the CLI though.  Build the firewall in the GUI, then clean it up in the CLI.  In my opinion, the GUI adds a bunch of unnecessary code that just clutters the configuration.  I don't like code that doesn't have a specific purpose.  I go out of my way to keep my code clean.  It avoids some issues and makes it much easier to troubleshoot if necessary.

The basics of the firewall will be 2 rulesets with 2 rules each, a default action of drop and default logging.

Rule 1: allow established and related traffic

Rule 2: drop invalid packets

See below:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 1 {
            action accept
            description "Accept Established and Related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid State"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Accept Established and Related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid State"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

Compare the above WAN_LOCAL to the below WAN_LOCAL to see what I mean about clutter.  Both do the exact same thing.

    name WAN_LOCAL {
        default-action drop
        description "Packets from Internet to Router"
        enable-default-log
        rule 1 {
            action accept
            description "Allow Established Sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid State"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }

Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

All cool, but how does it know what to NAT by default? When you set up the internet interface as 'wan', I guess? Then how will it know it needs to serve ETH7? Will it just know that, or?

And opening ports from WAN > ETH7 local devices?



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

That's what routers do.  They route traffic between networks.  Unless there is a firewall set up or something is configured incorrectly, any directly connected network will talk to another directly connected network.  For traffic to talk to a network which is not directly connected, the router needs to know the route.  I.e., the gateway address is simply an instruction that says: if you don't know where any given address is, then send traffic to this router.

For purposes of masquerade, etc., I still recommend starting with the WAN+2LAN Wizard available in the current firmware.  It makes a great starting point and helps to make sure you don't miss something important.

Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

I have the basics working:

- Internet is on ETH0 now with DHCP,
- LAN is on ETH7 (Fiber/SFP) now with its own DHCP and DNS, all working.

I can already browse the net from LAN devices, so that's good, and I added port forwards under FIREWALL/NAT: Port forwarding to internal devices (WAN eth0, LAN eth7) and enabled hairpin.

By default it put two firewall rules in there and I have no clue how to make this work.
When I try to go to my external IP from the outside now with a port number behind it, nothing happens, so it looks like it's not allowing the port forwards to come in to the LAN device as I assigned in the port forwarding rules.

Any idea?

(Under firewall policies it has set WAN_IN (interfaces eth0/in) Drop and WAN_LOCAL (eth0/local) Drop, with Order 1 * Accept and Order 2 * drop.)  No idea wtf this means.

I just need my port forwards to work from the outside to my LAN devices, and UPnP (but I think I have that set correctly).



Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

Actually, the port forwards seem to work now, yay!



Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: All LAN ports on same DHCP/DNS

Sounds like you took my advice and started from the WAN+2LAN Wizard. 

Firewall explanation......

firewall {
    name WAN_IN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Accept established / related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
    }

name WAN_LOCAL {

There are two rulesets, WAN_IN & WAN_LOCAL.

     WAN_IN is traffic into the router and headed to other ports.

     WAN_LOCAL is traffic into the router which is actually headed to the router itself.

Rule 1:  Allow established / related.

     This rule allows traffic back into the router which is already established by outbound traffic or is related to outbound traffic.

Rule 2:  Drop invalid.

     This rule is used to drop packets which became corrupted along the way.  Not uncommon.  They are automatically resent as part of the normal TCP/IP protocol.

Default action drop.

     This default action drops any traffic which has not matched a defined rule in the ruleset.

enable-default-log

     This creates a log of any traffic which did not match the defined rules and was dropped.

These are what make your firewall effective and safe.  No traffic which did not start on your network is allowed through the firewall.  The only traffic which is allowed through is traffic which is in response to something you initiated.

Regular Member
Posts: 579
Registered: 04-01-2014
Kudos: 129
Solutions: 8

Re: All LAN ports on same DHCP/DNS

This is what I have; can you tell me if this is good?

 firewall {
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             state {
                 invalid enable
             }
         }
     }
 }

 

 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
     }
     ethernet eth1 {
         address dhcp
         description eth1
         firewall {
             in {
             }
             local {
             }
         }
     }
     ethernet eth2 {
         address 192.168.4.1/24
         description "Local 2"
     }
     ethernet eth3 {
     }
     ethernet eth4 {
     }
     ethernet eth5 {
     }
     ethernet eth6 {
     }
     ethernet eth7 {
         address 192.168.1.1/24
         description Lan1
     }
     loopback lo {
     }
 }



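The firewall explanation earlier in the thread gives a checkable baseline (default drop, default log, accept established/related, drop invalid); the block below is an added example, not code from the thread or from Ubiquiti, that parses EdgeOS-style config text like the dumps posted here and audits one ruleset against that baseline. The sample ruleset is constructed to match the shape of the WAN_IN just posted, which has no enable-default-log, and normalize() strips the defaults (log disable, protocol all, descriptions) that the earlier post called clutter so they do not affect the comparison.

```python
# Added example (not from the thread): parse EdgeOS config text and audit a WAN ruleset.
import shlex

def parse(text):
    """'name WAN_IN {' opens a dict under key 'name WAN_IN'; 'action accept' is the
    leaf {'action': 'accept'}; a bare leaf such as 'enable-default-log' maps to True."""
    stack = [{}]
    for raw in (ln.strip() for ln in text.splitlines() if ln.strip()):
        tokens = shlex.split(raw)
        if tokens == ["}"]:
            stack.pop()
        elif tokens[-1] == "{":
            stack.append(stack[-1].setdefault(" ".join(tokens[:-1]), {}))
        elif len(tokens) == 1:
            stack[-1][tokens[0]] = True
        else:
            stack[-1][tokens[0]] = " ".join(tokens[1:])
    return stack[0]

def normalize(ruleset):
    """Keep only what affects matching; descriptions, 'log disable', 'protocol all' and 'xxx disable' are defaults."""
    rules = sorted((int(k.split()[1]), r) for k, r in ruleset.items() if k.startswith("rule "))
    return (ruleset.get("default-action"), ruleset.get("enable-default-log") is True,
            tuple((r.get("action"), r.get("protocol", "all"),
                   frozenset(s for s, v in r.get("state", {}).items() if v == "enable"))
                  for _, r in rules))

def audit(ruleset, name):
    """Findings against the baseline described in the thread; an empty list means the ruleset matches."""
    action, logged, rules = normalize(ruleset)
    findings = []
    if action != "drop":
        findings.append(f"{name}: default-action must be drop")
    if not logged:
        findings.append(f"{name}: enable-default-log missing, dropped traffic is not logged")
    if ("accept", "all", frozenset({"established", "related"})) not in rules:
        findings.append(f"{name}: no accept rule for established/related")
    if ("drop", "all", frozenset({"invalid"})) not in rules:
        findings.append(f"{name}: no drop rule for invalid state")
    return findings

# Constructed sample shaped like the WAN_IN posted at the end of the thread:
# the two rules are right, but the ruleset has no enable-default-log.
SAMPLE = """name WAN_IN {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
}"""
```

Running audit(parse(SAMPLE)["name WAN_IN"], "WAN_IN") reports only the missing enable-default-log; pasting the terse and verbose WAN_LOCAL variants from earlier in the thread into parse() and comparing normalize() of each shows which differences are cosmetic.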