12-19-2018 05:56 PM
I'm finding the Hairpin (loopback or reflection) NAT stopped working in my configuration after updating from 1.9.1 to the 1.10.7.
Multiple vlans configured in my setup. After the upgrade, a client on the same vlan as the hairpin NAT resource is not able to access it, but from another vlan the hairpin NAT was working.
I re-installed the 1.9.1 firmware and things recovered without any other changes.
Are there any functionality changes in the hairpin NAT that require additional config in this fw release? The most I've done to set up all my rules is check the box to enable hairpin NAT and create all the DNAT rules with "other, +" as the inbound interface.
12-21-2018 01:19 PM
I added snat/masq rules for all the destination addresses and that allowed the configuration to work with the new firmware. Rather annoying.
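Why a same-VLAN client needs source NAT on top of DNAT, as an added illustration that is not part of the thread and is not EdgeOS code. It is a simplified model of routing and connection tracking, and every address in it is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of these values come from the thread.
WAN_IP = "203.0.113.10"                      # public address the DNAT rule matches
VLANS = {"10.0.10.0/24": "10.0.10.1",        # VLAN 10: router address on that VLAN
         "10.0.20.0/24": "10.0.20.1"}        # VLAN 20
SERVER = "10.0.10.50"                        # DNAT target, lives on VLAN 10


def vlan_of(addr):
    """Return the VLAN prefix that contains addr."""
    return next(n for n in VLANS if ip_address(addr) in ip_network(n))


def hairpin(client, masquerade):
    """Trace client -> WAN_IP -> SERVER and the reply.

    Returns (works, source address the client sees on the reply).
    """
    # Forward path: the router rewrites dst WAN_IP -> SERVER (DNAT). With a
    # masquerade/SNAT rule it also rewrites src to its own address on the
    # server's VLAN.
    src_seen_by_server = VLANS[vlan_of(SERVER)] if masquerade else client

    # Return path: the server answers whatever source address it saw.
    reply_dst = src_seen_by_server
    if reply_dst == client and vlan_of(client) == vlan_of(SERVER):
        # Same VLAN, no SNAT: the reply is delivered directly at layer 2 and
        # never crosses the router, so the DNAT is not reversed.
        reply_src = SERVER
    else:
        # The reply passes through the router, whose connection tracking
        # restores the original addresses.
        reply_src = WAN_IP

    # The client opened the connection to WAN_IP and discards replies that
    # arrive from any other address.
    return reply_src == WAN_IP, reply_src


if __name__ == "__main__":
    for client, masq in [("10.0.10.20", False), ("10.0.20.20", False), ("10.0.10.20", True)]:
        print(client, "masquerade" if masq else "dnat-only", hairpin(client, masq))
```

The three cases are: same VLAN without SNAT (fails), another VLAN without SNAT (works), same VLAN with masquerade (works).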
12-27-2018 08:06 AM
1.10.8 runs unnecessary daemons for services that aren't configured; example: https://community.ubnt.com/t5/EdgeRouter/v1-10-8-bug-ldpd-running-without-ldp-configured-or-enabled/...
12-27-2018 02:10 PM
Do you have UNMS enabled? If so - LLDP will start. See 2.0.0-b2 release notes about "set service unms lldp disable"
This is not that. Label Distribution Protocol (LDP) is implemented in ldpd. This has nothing to do with Link-Layer Discovery Protocol (LLDP). Also, no, these devices are not talking to UNMS.
12-28-2018 04:23 AM - edited 01-11-2019 03:28 AM
I've returned to 1.10.7. With this 1.10.8 the router (Edgerouter Lite) seems to lose its IPv6 every few days.
Edit: Problem also seems to be present in 1.10.7.
12-28-2018 12:03 PM
Positive report here. 1.10.8 works fine for me with Erlite-3.
The below story tells about a problem that possibly was fixed by 1.10.8 (but it is not possible to prove it).
I recently switched to 100/100 fiber from DOCSIS 100/20. The new ISP was nice enough to bridge a port for free (without taking a monthly fee like some UK ISPs!) in the combined triple-play router/fiber converter (and they promised IPv6 being deployed in 2019).
I had an older firmware version installed, can't remember which. After a few days on fiber, the WAN interface suddenly lost its IP address. It has never happened before, as long as I can recall. Toggling WAN off and on again in the Erlite-3 restored the IP address. There was nothing in the logs that showed what the problem had been. Ran tcpdump to wireshark for DHCP for a day, but couldn't find anything odd.
Now I do have an IPv6 tunnel. Release notes for 1.10.8 say:
[DHCP] - Fix bug when DHCP client failed to restore IPv4 address after interface link flap if IPv6 address was configured on same interface
So I upgraded to 1.10.8 and it hasn't happened again (for about a month). Either it was a coincidence or the above fix in 1.10.8 solved the problem.
12-28-2018 03:32 PM
Could you explain what the new fan stuff is? The notes didn't reference anything.
- [System] - Add support for new fan HW introduced in new ER-8-XG hardware revision
- [FAN] - Improve fan control on ER-8-XG model (requires bootloader upgrade)
I imagine my er-8-xg isn't one of the new ones but I can provide my SN if that'd help.
Is it auto throttling or something else?
12-29-2018 05:23 AM
Updated a new out of box ER-X last night to v1.10.8. Received an "Update Complete.. must Reboot" message, then the ER-X could not be connected to.
Here is my complete description: https://community.ubnt.com/t5/EdgeRouter/Bricked-Edgerouter-X-updating-to-v1-10-8-Please-help/td-p/2...
Any ideas before I return it?
12-29-2018 06:35 AM
Let's go through the basics. Can you ping the router? If so, then you should be able to open an ssh connection to the router. This means either using a Unix/Linux machine OR using PuTTY or installing the Windows Optional Component OpenSSH.
12-29-2018 06:49 AM
Thanks for following up iposner.
See my results in image below for ipconfig
This is with the router connected to my PC and port eth0
This is the same way it was connected when I was in the GUI.
12-29-2018 07:25 AM
Update is working fine for me both for Edgerouter X and Edgerouter Lite.
I wanted to do some offline pentesting and actually found both devices vulnerable.
It is "The Moon" exploit, which Linksys has a guide for fixing here: https://www.linksys.com/us/support-article?articleNum=136147
However, in an attempt to manually fix this issue, the router refuses to let me remove the http port for the gui (maybe that won't even fix the issue?)
Any plans on closing this exploit?
12-29-2018 07:53 AM
How do you know your ER is "vulnerable"? "The Moon" is unique and specific to old Linksys routers and has nothing to do with EdgeRouters.
Scanner software produces reports that should then be used as guidance for further investigation and evaluation. They should not be taken as a golden definitive. In this case you'll need more details from your pentest to understand why it reports the ER as vulnerable, from which you can then investigate further to see if additional action is required or if this is a false-positive.
You would use the native firewall capabilities to protect your router, especially on any external-facing (untrusted) interfaces.
Did you use any of the wizards as a starting point for your configuration? You can (and should) enable a default firewall configuration using those which will protect your router, and you can build upon that configuration further as needed.
12-29-2018 07:54 AM - edited 12-29-2018 08:00 AM
I will reconnect and try this when I get home from work today. I found a forum thread where 3 people bricked their ER-x after the firmware update and they all were able to reconnect after leaving it unplugged for a day. They said it had to "rest" lol.
That thread is here: https://community.ubnt.com/t5/EdgeRouter/EdgeRouter-X-bricked/td-p/1593241