Emerging Member
Posts: 54
Registered: ‎11-10-2014
Kudos: 20
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@teckdan

I am fairly sure you can disable NAT (masquerade) on the ERX.
However, the other router must allow IP addresses not in its LAN subnet and you may need a static route in the other router.

New Member
Posts: 22
Registered: ‎02-08-2016
Kudos: 11
Solutions: 2

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

Apologies if there are multiple responses. I'm not seeing my replies show up, so making multiple posts...

 

I've attached a log file of the debug output requested for the loss of BGP routes to the AWS VPN. The first session is the correct operation under 1.9.7+hotfix 4. The second session is the same debug output under V1.10.0. Not getting VPN connectivity under V1.10.0.

 

 

 

New Member
Posts: 19
Registered: ‎11-01-2016
Kudos: 2
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

Upgrade ER-X from 1.9.7HF3 to 1.10.0 went fine using GUI, but a couple days later, I found this message in the log.  Aside from the message itself, I haven't seen any issues.  No reboots.

 

kernel: Process 558 (ubnt-util) has crashed (parent 500 (ubnt-daemon) signal 11, code 0, addr 000001f4), coredumps disabled

New Member
Posts: 8
Registered: ‎09-26-2015

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@jea-jea Thanks for your message, I'll look into this option also.

SuperUser
Posts: 3,595
Registered: ‎10-12-2010
Kudos: 1984
Solutions: 28

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

So far I have my (7) ER-XG running without issue and the reboot issue seems to be solved. Also a mix of 20 er-8/er-x-sfp are upgraded as well. I lost an ERL, however I believe it's due to a flash issue and will dig deeper when I get a chance.

 


UBRSS, UBWA, UEWA - Ubiquiti Certified Trainer
New Member
Posts: 6
Registered: ‎10-04-2015
Kudos: 1
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

hi @UBNT-afomins

 

here is L2TPv3 on one peer (ERPoE-5).

 

set interfaces l2tpv3 l2tpeth0 destination-port 5xxxx
set interfaces l2tpv3 l2tpeth0 encapsulation udp
set interfaces l2tpv3 l2tpeth0 local-ip 240b:XXXX::XXXX
set interfaces l2tpv3 l2tpeth0 peer-session-id 100
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id 100
set interfaces l2tpv3 l2tpeth0 remote-ip 2001:XXXX::XXXX
set interfaces l2tpv3 l2tpeth0 session-id 200
set interfaces l2tpv3 l2tpeth0 source-port 5xxxx
set interfaces l2tpv3 l2tpeth0 tunnel-id 200

 

 

and here is cat /var/log/vyatta/vyatta-commit.log

 

[ service nat rule 5002 outbound-interface pppoe0 ]
NAT configuration warning: interface pppoe0 does not exist on this system

[ service nat rule 5003 outbound-interface tun0 ]
NAT configuration warning: interface tun0 does not exist on this system

[ service nat rule 5004 outbound-interface v6tun0 ]
NAT configuration warning: interface v6tun0 does not exist on this system

[ system ntp ]
Stopping NTP server: ntpd.
Starting NTP server: ntpd.

[ interfaces ethernet eth0 ipv6 address autoconf ]
Enabling address auto-configuration for eth0

[ interfaces l2tpv3 l2tpeth0 local-ip 240b:XXXX::XXXX ]
Warning! IP address 240b:XXXX::XXXX doesn't exist on this system

[ interfaces l2tpv3 l2tpeth0 ]
RTNETLINK answers: Cannot assign requested address

[ service ssh ]
The SSH service will be started after commit. Check /var/log/messages.

[ vpn ]
Warning: Local address 240b:XXXX::XXXX specified for peer "2001:XXXX::XXXX"
is not configured on any interfaces.
IPsec must be re-started after address
has been configured.

conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.

[ service gui ]
The GUI service will be started after commit. Check /var/log/messages.

[ service dhcp-server ]
Starting DHCP server daemon...

[ service upnp2 ]
The UPNP2 service will be started after commit. Check /var/log/messages.

Commit failed

 

It seems it is related to the process of establishing an IPsec tunnel using the same IPv6 addresses (it is actually transport mode) that I have been using with L2TPv3, but I cannot tell for sure. These IPv6 addresses were assigned by "interfaces / ethernet / eth0 / ipv6 / address / autoconf", so it might take time for the system to detect the address though.

Member
Posts: 128
Registered: ‎01-30-2014
Kudos: 71
Solutions: 2

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!


wrote:

@UBNT-afomins,

 

see attached. Anyways, all devices under UNMS have the same problem, they all publish LAN IPs instead of real external IPs, no way to access the web pages of each device.

 

LAN IPs :10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

 

The ER-X SFP router is behind another router, no choice, because the residential Fibe provider, to my actual knowledge doesn't offer a gateway that allows to pass on the external IP to the ER-X router. I have yet 2 tests to perform. PPPOE passthrough if option is available inside the Fibe router, and the other option is to remove the Fibe router and connect directly into the Fibe-to-Ethernet converter and use PPPOE. I'm not sure that I'm going to succeed.


Are you on Bell Fibe FTTH ?

New Member
Posts: 1
Registered: ‎06-20-2013

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@UBNT-afomins We have discovered what, for us, is a critical flaw in the 1.10 firmware, and anyone using RIP on an Edgemax device should beware of this. The 1.10 firmware does not properly parse the RIP split-horizon poison-reverse configuration command. This results in any router using this configuration failing after the 1.10 upgrade, as uplink interfaces go unconfigured, leaving the devices unreachable. Furthermore (though less serious), the router will accept but cannot commit a configuration including RIP split-horizon poison-reverse. Here are the results of such an attempt:

 set interfaces ethernet eth6 vif 2 ip rip split-horizon poison-reverse
[edit]
# commit
[ interfaces ethernet eth6 vif 2 ip rip split-horizon poison-reverse ]
Params not configured

Commit failed

Here is the output of the vyatta-commit.log file on a router where an upgrade to 1.10 was attempted:

[ policy ]
Starting routing daemon: ripd ripngd ospfd ospf6d bgpd.

[ interfaces ethernet eth6 vif 3 ip rip split-horizon poison-reverse ]
Params not configured

[ interfaces ethernet eth6 vif 2 ip rip split-horizon poison-reverse ]
Params not configured

[ system ntp ]
Stopping NTP server: ntpd.
Starting NTP server: ntpd.

[ system ip arp base-reachable-time 30 ]
sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/2/base_reachable_time_ms: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/3/base_reachable_time_ms: No such file or directory

[ system ip arp stale-time 60 ]
sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/2/gc_stale_time: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/3/gc_stale_time: No such file or directory

[ service ssh ]
The SSH service will be started after commit. Check /var/log/messages.

[ protocols rip passive-interface default ]
Warning: default value is deprecated

[ service dhcp-relay ]
Stopping dhcrelay:  OK
Starting dhcrelay:  OK

Commit failed

So, beware if you use RIP at all, and if you specifically make use of RIP split-horizon poison-reverse *DO NOT UPGRADE TO 1.10*.  1.9.7 does not suffer from this issue.

 

This is trivial to reproduce.  Hoping for a quick fix.

 

Thank you.

Regular Member
Posts: 553
Registered: ‎01-16-2011
Kudos: 355
Solutions: 12

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@awhenry41 Last time I checked around.... 2001 or so, RIP was a pretty bad security risk and a disaster waiting to happen... Any particular reason why you've not moved to a more modern routing protocol?
New Member
Posts: 6
Registered: ‎12-02-2017
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

========================================

Please add "zone-policy" to "show" commands in CLI

========================================

 

~$ show version

Version:      v1.9.7+hotfix.4
Build ID:     5024004
Build on:     10/05/17 04:03
Copyright:    2012-2017 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Lite 3-Port
~$ show zone-policy
Invalid command

~$ show zone-policy zone DMZ
Invalid command

===============================================

 

These commands are present and functional in VyOS 1.1.8

===============================================

 

~$ show version
Version:      VyOS 1.1.8
Description:  VyOS 1.1.8 (helium)
Copyright:    2017 VyOS maintainers and contributors
Built by:     maintainers@vyos.net
Built on:     Sat Nov 11 13:44:36 UTC 2017
Build ID:     1711111344-b483efc
System type:  x86 64-bit
Boot via:     image
Hypervisor:   KVM
HW model:     Standard PC (i440FX + PIIX, 1996)
HW S/N:       Not Specified
HW UUID:      632559E8-81D3-7544-A4AE-B6C224481355
Uptime:       09:43:04 up 6 min,  1 user,  load average: 0.00, 0.03, 0.04
~$ show zone-policy
-------------------
Name: DMZ

Interfaces: eth1

From Zone:
  name                                    firewall
  ----                                    --------
  LAN                                     LAN_DMZ
  LOCAL                                   LOCAL_DMZ
  WAN                                     WAN_DMZ

-------------------
Name: LAN

Interfaces: eth0

From Zone:
  name                                    firewall
  ----                                    --------
  DMZ                                     DMZ_LAN
  LOCAL                                   LOCAL_LAN
  WAN                                     WAN_LAN

-------------------
Name: LOCAL

Interfaces: local-zone

From Zone:
  name                                    firewall
  ----                                    --------
  DMZ                                     DMZ_LOCAL
  LAN                                     LAN_LOCAL
  WAN                                     WAN_LOCAL

-------------------
Name: WAN

Interfaces: eth2

From Zone:
  name                                    firewall
  ----                                    --------
  DMZ                                     DMZ_WAN
  LAN                                     LAN_WAN
  LOCAL                                   LOCAL_WAN



~$ show zone-policy zone DMZ
-------------------
Name: DMZ

Interfaces: eth1

From Zone:
  name                                    firewall
  ----                                    --------
  LAN                                     LAN_DMZ
  LOCAL                                   LOCAL_DMZ
  WAN                                     WAN_DMZ
Member
Posts: 194
Registered: ‎12-11-2013
Kudos: 220
Solutions: 7

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

[ EDIT: This is a reply to @brielle ]

 

Not sure what you're talking about here, but routing protocols have nothing to do with security. Different routing protocols have different strengths, and RIP can be a good lightweight solution when you need something very simple vs. OSPF (which has very high overhead) or BGP (which has limited private AS space and isn't well suited for use as an IGP).

@awhenry41 is reporting a bug so that UBNT can track down why it broke and get a fix uploaded before others are impacted. If I'm reading what he posted correctly, it will brick a box when doing an upgrade, which is a huge problem for remote sites.

He also seems to have found another bug:

sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/2/base_reachable_time_ms: No such file or directory

Should be referencing:

/proc/sys/net/ipv4/neigh/eth6.2/base_reachable_time_ms

So for some reason the "." is being converted to a "/" when it generates the path for a VLAN interface.

This might be causing problems in other areas, so nice catch.
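
A triage sketch for the commit logs quoted in this thread, added here as an example (not code from the thread's posters or from Ubiquiti): it parses the vyatta-commit.log sections, lists the config nodes whose output carries the error strings seen above, and rebuilds the /proc/sys path for a VLAN sub-interface whose name was split at the dot. The function names, the error-marker list and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the vyatta-commit.log layout quoted in the thread.
SAMPLE_LOG = """\
[ policy ]
Starting routing daemon: ripd ripngd ospfd ospf6d bgpd.

[ interfaces ethernet eth6 vif 2 ip rip split-horizon poison-reverse ]
Params not configured

[ system ip arp base-reachable-time 30 ]
sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/2/base_reachable_time_ms: No such file or directory

[ protocols rip passive-interface default ]
Warning: default value is deprecated

Commit failed
"""

SECTION = re.compile(r"^\[ (.+) \]$")
# Assumed error markers: the strings that accompany failed nodes in the thread's logs.
ERROR_MARKERS = ("Params not configured", "RTNETLINK answers:", "cannot stat")
# A /proc/sys path in which "<dev>.<vid>" was emitted as "<dev>/<vid>".
SPLIT_VLAN = re.compile(
    r"(/proc/sys/net/ipv[46]/(?:neigh|conf)/)([a-z]+\d+)/(\d+)/([\w-]+):")


def parse_commit_log(text):
    """Return (commit_failed, [(config_node, [error lines])]) for one commit run."""
    failed, sections, current = False, [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION.match(line)
        if match:
            current = (match.group(1), [])
            sections.append(current)
        elif line == "Commit failed":
            failed = True
        elif current and any(marker in line for marker in ERROR_MARKERS):
            current[1].append(line)
    return failed, [(node, errs) for node, errs in sections if errs]


def repair_vlan_path(error_line):
    """Rejoin a split VLAN interface name (eth6/2 -> eth6.2); None if not applicable."""
    match = SPLIT_VLAN.search(error_line)
    if not match:
        return None
    prefix, dev, vid, leaf = match.groups()
    return f"{prefix}{dev}.{vid}/{leaf}"


def triage(text):
    """Flatten the findings into one record per failed line, for review after an upgrade."""
    failed, findings = parse_commit_log(text)
    report = [
        {"node": node, "error": err, "expected_path": repair_vlan_path(err)}
        for node, errs in findings for err in errs
    ]
    return failed, report


if __name__ == "__main__":
    failed, report = triage(SAMPLE_LOG)
    print("commit failed:", failed)
    for item in report:
        print(item["node"], "->", item["expected_path"] or item["error"])
```

sysctl(8) also accepts "/" as the key separator, so a key written as net/ipv4/neigh/eth6.2/base_reachable_time_ms addresses the VLAN interface without the dot being read as a separator.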

Regular Member
Posts: 553
Registered: ‎01-16-2011
Kudos: 355
Solutions: 12

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!


wrote:

[ EDIT: This is a reply to @brielle ]

 

Not sure what you're talking about here, but routing protocols have nothing to do with security. Different routing protocols have different strengths, and RIP can be a good lightweight solution when you need something very simple vs. OSPF (which has very high overhead) or BGP (which has limited private AS space and isn't well suited for use as an IGP).

@awhenry41 is reporting a bug so that UBNT can track down why it broke and get a fix uploaded before others are impacted. If I'm reading what he posted correctly, it will brick a box when doing an upgrade, which is a huge problem for remote sites.


Maybe it's because I've been a network admin since the mid 90s, but... I beg to differ about routing protocols having nothing to do with security. I'll leave it up to your imagination what an unauthenticated routing protocol that has historically been used to cause havoc on networks when misconfigured or left wide open has to do with security. And yes, I'm aware of RIPv2 and its md5 auth, just as I'm sure you are aware of the dangers of any of the routing protocols when not properly secured even with authentication.

 

Regardless, it was a valid question regardless of what undertones you may have thought I had behind it.

Member
Posts: 121
Registered: ‎12-26-2015
Kudos: 50
Solutions: 3

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!


wrote:

Just upgraded to v1.10.0 on ER-X. Compared to v1.9.1.1, quick observations

 

Not so good:

- DPI loses "ntp" in custom app categories (why..?)


root:~$ /usr/sbin/ubnt-dpi-util search-app time
                    Applications   Category
                    ============   ========
           network-time-protocol - Network-protocols

The name has been changed from "ntp" to "network-time-protocol"

 

New Member
Posts: 2
Registered: ‎07-06-2017

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

fail to upgrade ER X

Regular Member
Posts: 474
Registered: ‎11-19-2012
Kudos: 220
Solutions: 6

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

EP-R6 Managed via openVPN.

 

Upgrading from 1.9.1 broke the vpn which meant I lost access to the router.

 

Fortunately I was able to use your you beaut new ssh-recovery from another router in the same switch domain that I still had management to.. as these routers are thousands of miles away

 

The root cause was that the upgrade reset the clock in the router to January 1, year zero, which meant the SSL certificates were 'not yet valid', which meant the vpn tunnel couldn't come up which meant NTP couldn't be used to make the time valid.

 

Trap for young players - watch out.

Regular Member
Posts: 474
Registered: ‎11-19-2012
Kudos: 220
Solutions: 6

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

Please also note that upgrading from 1.9.1 to this version on the edgepoint R6 also removed all the physical interfaces from my switch group - I needed to go in and re-enable them.

Ubiquiti Employee
Posts: 1,021
Registered: ‎07-20-2015
Kudos: 947
Solutions: 71

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@ryanm

> On the EP-R6, where are VLANS managed on switch0? I can no longer locate those.

> I can no longer locate the GUI function to control VLAN untagging/tagging since the upgrade to 1.10

I don't have EP-R6 at the moment, that's why I cannot check what's wrong with EP-R6 GUI right now.

  1. What was the previous f/w version where this functionality was present in WebGUI?
  2. Can you please make WebGUI screenshots (in 1.10.0 and in previous good version) showing what exactly is missing.

 

@n0dyjeff
> I've attached a log file of the debug output requested for the loss of BGP routes to the AWS VPN.
> Feb 12 08:17:32 EdgeRouter ubnt-protocols-cfg[1849]: /usr/bin/vtysh-set -c configure terminal -c router bgp 65001 -c neighbor 169.254.12.57 timers 30 30 failed: 10752
Looks like "bgpd" configuration failed. Maybe timer values are incorrect? Please post full BGP configuration.

 

@gpb500
> kernel: Process 558 (ubnt-util) has crashed (parent 500 (ubnt-daemon) signal 11, code 0, addr 000001f4), coredumps disabled
This will soon be fixed. You may ignore this message.

 

@osayb
> set interfaces l2tpv3 l2tpeth0 local-ip 240b:XXXX::XXXX
> [ interfaces l2tpv3 l2tpeth0 ]
> RTNETLINK answers: Cannot assign requested address
> Commit failed
Looks like the reason for the failure is that 240b:XXXX::XXXX is not present at the moment when l2tpeth0 and VPN are configured during boot. This is a known issue and we are working on it.
Until then you can use the following workaround from CLI to restore missing configuration after boot:

configure
load
commit
restart vpn


@awhenry41:
> The 1.10 firmware does not properly parse the RIP split-horizon poison-reverse configuration command.
> set interfaces ethernet eth6 vif 2 ip rip split-horizon poison-reverse
> [edit]
> # commit
> [ interfaces ethernet eth6 vif 2 ip rip split-horizon poison-reverse ]
> Params not configured
>
> Commit failed
We will fix this in the next hotfix release 1.10.1

 

> [ system ip arp base-reachable-time 30 ]
> sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/2/base_reachable_time_ms: No such file or directory
> sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/3/base_reachable_time_ms: No such file or directory
>
> [ system ip arp stale-time 60 ]
> sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/2/gc_stale_time: No such file or directory
> sysctl: cannot stat /proc/sys/net/ipv4/neigh/eth6/3/gc_stale_time: No such file or directory
Looks like base_reachable_time_ms fails for VLAN interfaces. We're fixing this as well.

 

@tpovilaitis
> Please add "zone-policy" to "show" commands in CLI
I create an enhancement request to add "show zone-policy" CLI commands

 

@polz
> Still not enough free space for root file system

Try deleting old coredumps and apt-get cache and then try again:
sudo rm -rf /var/lib/apt/*
sudo rm -rf /var/cache/apt/*
sudo rm -rf /var/core/*
df -h


@doc_karl
> Upgrading from 1.9.1 broke the vpn which meant I lost access to the router.
> The root cause was that the upgrade reset the clock in the router to January 1, year zero, which meant the SSL certificates were 'not yet valid',
This happened because in 1.9.1 there was no functionality that would preserve time between upgrades. This functionality was added only in 1.9.7

 

> upgrading from 1.9.1 to this version on the edgepoint R6 also removed all the physical interfaces from my switch group - I needed to go in a reenable them.
Do physical interfaces disappear from switch group after doing reboot in 1.10.0?

Regular Member
Posts: 474
Registered: ‎11-19-2012
Kudos: 220
Solutions: 6

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

No, once I re-add the physical interfaces to the switch group within 1.10 they seem to persist - but during the upgrade process from 1.9.1 they disappeared...

Member
Posts: 116
Registered: ‎10-17-2013
Kudos: 20
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@UBNT-afomins
1.9.7hf4 works fine. That's what I downgraded back to. I just upgraded it again to get you the screenshots.

1.9.7hf4:
[Screenshot: 1.9.7hf4 switch0 config]
[Screenshot: 1.9.7hf4 switch0 vlan config tab]

[Screenshot: 1.10 switch0 config page, no VLAN tab]


@UBNT-afomins wrote:

@ryanm

> On the EP-R6, where are VLANS managed on switch0? I can no longer locate those.

> I can no longer locate the GUI function to control VLAN untagging/tagging since the upgrade to 1.10

I don't have EP-R6 at the moment, that's why I cannot check what's wrong with EP-R6 GUI right now.

  1. What was the previous f/w version where this functionality was present in WebGUI?
  2. Can you please make WebGUI screenshots (in 1.10.0 and in previous good version) showing what exactly is missing.

 

 

Ubiquiti Employee
Posts: 1,406
Registered: ‎09-08-2017
Kudos: 560
Solutions: 101

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!

@teckdan  Hello Dany. In the UNMS team, we are aware that the situation, with showing correct IP address for devices, is not ideal for some more complex network architectures. We are trying to improve the ability of UNMS to recognize the correct IP but we are facing some nontrivial obstacles in the way. One of the features we plan for a near future is to allow our users to set the correct IP manually. 

The current plan is to offer you all IPs detected for the device and you can simply choose the correct one from a list.

Also, I would like to encourage you to share any issues you have with UNMS directly in our section of the forum.
