New Member

EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Hi!

Setting up an EdgeMax Pro and everything is fine so far. Networking, VPN-Access… But…

That's what we try to do

- ToughSwitch Pro which is tagging some port as VLAN 20

- EdgeMax should drop everything that is initially sent *from* VLAN 20 but forward everything *to* VLAN 20

 

Tried different things to no avail, I bet I'm overlooking something… Don't know… So I reverted everything and decided to ask… Let's start over…

 

What I currently have:

- ToughSwitch VLAN tagging (20) is active for some ports

- A VLAN 0.20 was added to the Router

 

What next? And thanks in advance :-)

Ubiquiti Employee

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Probably best if you post a sanitized config. I would suggest taking a look at THIS guide for the proper method.

Thanks,
Mike

New Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Hi Mike,

as I wrote, I reverted everything, except the VLAN-0.20-Setting in ERP.

But, here we go (I removed some parts – static DHCP leases and such stuff)…

/* Global firewall settings plus two named rulesets. Both rulesets are attached only to pppoe0 (see interfaces); nothing is attached to eth0, eth2 or the vif 20 sub-interface, so traffic from VLAN 20 is forwarded without any filtering. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Clamps the TCP MSS on outbound SYNs to fit the 1492-byte MTU configured on pppoe0. */
    modify pppoe-out {
        rule 10 {
            action modify
            modify {
                tcp-mss 1412
            }
            protocol tcp
            tcp {
                flags SYN
            }
        }
    }
    /* Stateful default-drop for traffic forwarded in from the WAN: only replies to existing connections pass, invalid state is dropped. This is the exact shape a one-way VLAN policy needs (drop new, accept established/related). */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Traffic addressed to the router itself from the WAN. Rules 2-3 expose PPTP (tcp/1723 plus GRE) to any source address; PPTP's authentication is generally considered weak today, so a stronger remote-access VPN is worth considering. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            log disable
            protocol tcp
        }
        rule 3 {
            action accept
            description GRE
            log disable
            protocol 47
        }
        rule 4 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* No reverse-path check on incoming packets; enabling source-validation adds basic anti-spoofing between the LAN segments. */
    source-validation disable
    syn-cookies enable
}
/* eth0 (192.168.1.0/24) and eth2 (192.168.2.0/24) are plain LAN ports; the only firewall attachments in the file are on pppoe0. */
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        /* 802.1Q sub-interface for VLAN 20. "address dhcp" makes the router a DHCP *client* on this VLAN, and no dhcp-server scope exists for VLAN 20, so VLAN hosts get neither a gateway address nor leases. No firewall node is attached here, so nothing from VLAN 20 is filtered. */
        vif 20 {
            address dhcp
            description "Separation"
            mtu 1500
        }
    }
    ethernet eth1 {
        description "Internet (PPPoE)"
        duplex auto
        /* WAN uplink; WAN_IN filters forwarded traffic, WAN_LOCAL filters traffic to the router itself. Credentials were blanked by the poster. */
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
                out {
                    modify pppoe-out
                }
            }
            mtu 1492
            name-server auto
            password 
            user-id
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* LAN-side services. Only pppoe0 carries a "local" ruleset, so nothing in this config restricts which LAN interface (including the VLAN sub-interface) may reach the GUI (tcp/443), SSH (tcp/22) or SNMP. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        /* Dynamic DNS credentials were blanked by the poster. */
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name 
                    login 
                    password 
                }
            }
            interface pppoe0 {
                service dyndns {
                    host-name 
                    login 
                    password 
                    server 
                }
            }
        }
        /* The forwarder answers only on eth0 and eth2. A VLAN sub-interface has to be added here (e.g. listen-on eth0.20) before its clients can use the router as their DNS server. */
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5001 {
            outbound-interface pppoe0
            type masquerade
        }
    }
    /* "public" is the well-known default community string. Read-only, but it still exposes the device's MIB to anyone who can reach it, and no listen restriction or firewall rule limits that here. */
    snmp {
        community public {
            authorization ro
        }
        contact ""
        location 
    }
    ssh {
        port 22
        protocol-version v2
    }
}
/* Host-level settings. Account names and password hashes were blanked by the poster; both accounts are level admin. */
system {
    /* Connection-tracking table sizing; any "established/related only" ruleset (WAN_IN, or a future VLAN ruleset) relies on this table. */
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name 
    host-name ubnt
    login {
        user x {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            full-name ""
            level admin
        }
        user y {
            authentication {
                encrypted-password 
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Debug-level protocol logging is useful while troubleshooting the VLAN issue but noisy in steady state. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone 
}
/* PPTP remote access with locally defined users. Client addresses come from 172.20.44.100-110; no ruleset in this config references those addresses or the PPTP sessions, so as far as this file shows connected VPN users reach the LANs unfiltered. PPTP itself is widely regarded as weak; a stronger VPN type is worth considering. */
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username x {
                    }
                    username y {
                    }
                    username z {
                    }
                }
                mode local
            }
            client-ip-pool {
                start 172.20.44.100
                stop 172.20.44.110
            }
            mtu 1024
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648311.140310.1616 */

 

Regular Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

What do you mean by "drop everything that is initially sent from VLAN 20 but forward everything to VLAN 20"?  Do you want to allow only established/related connections?

Is VLAN 20 destination for traffic or source of it? Public or private? What exactly are you trying to do?

New Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Hi!

Network -> VLAN 20

Devices from outside VLAN 20 should be able to access devices in VLAN 20. But the other direction should be prohibited. Or only be allowed if initiated by devices outside VLAN 20 (as NAT does).

There are sensors attached to these ports. If someone manages to gain access to the Ethernet cable, they shouldn't get access to the network outside VLAN 20.

 

Thanks,

    jk

Ubiquiti Employee

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


james_k wrote:Network -> VLAN 20

Devices from outside VLAN 20 should be able to access devices in VLAN 20. But the other direction should be prohibited. Or only be allowed if initiated by devices outside VLAN 20 (as NAT does).

There are sensors attached to these ports. If someone manages it to access the ethernet cable, they shouldn't get access to the network outside VLAN20.


Sorry, I realize you said you reverted it. Thanks for the dump of the config. Stig actually wrote a very detailed post about preventing inter-VLAN communication HERE. The same premise can be used for LAN>VLAN, VLAN>VLAN, etc. You can also block interface>interface communication, say in only one direction or both directions (which could be done that way or another way).

Obviously you will need to adjust as required, but that would be the method to use. I'm not sure of the details of your desired subnet, hence why I'm simply pointing out that post. I think it should be detailed enough to figure it out, but if you have any questions feel free to respond. Maybe @ mention me so it emails me, in case I miss your response again. It's done like this @UBNT-MikeD 

Thanks,
Mike

New Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Hi @UBNT-MikeD

I tried some things but – sorry to say – this whole stuff sucks. I'm no CLI-guy and it was not my decision to use this hardware, so I have to deal with it… Hopefully we get it to work – somehow.

First… There is some kind of communication – but even with VLAN tagging active it's the same as before. Nothing is blocked, everything can talk to everything.

Here's the config (and it's VLAN 10 for testing purposes now)

/* Adds the ROUTER_IP group and the VLAN_IN ruleset for the VLAN experiment. As written, VLAN_IN blocks nothing (see the note on it below), which matches the "everything can talk to everything" observation in the post. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Router-side addresses of the two LANs; referenced by VLAN_IN rule 1. */
        address-group ROUTER_IP {
            address 192.168.1.1
            address 192.168.2.1
            description ""
        }
        /* Empty and referenced by nothing; harmless, but dead entries like this make troubleshooting harder. */
        network-group VLAN_NETS {
            description ""
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify pppoe-out {
        rule 10 {
            action modify
            modify {
                tcp-mss 1412
            }
            protocol tcp
            tcp {
                flags SYN
            }
        }
    }
    /* Attached as "in" on eth0 vif 10. Two problems: (1) default-action is accept, so traffic from VLAN 10 to 192.168.1.0/24 and 192.168.2.0/24 is never dropped; (2) an "in" ruleset filters traffic forwarded *through* the router, while packets addressed to the router's own IPs (ROUTER_IP, and ADDRv4_eth0.10, presumably the auto-maintained group for eth0.10's address) take the "local" path, so rules 1 and 2 are unlikely to match anything - TODO confirm against the EdgeOS docs. The one-way policy the poster wants is the WAN_IN shape: default-action drop, accept established/related, drop invalid. */
    name VLAN_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description Router-Comm
            destination {
                group {
                    address-group ROUTER_IP
                }
            }
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description VLAN-Comm
            destination {
                group {
                    address-group ADDRv4_eth0.10
                }
            }
            log disable
            protocol all
        }
    }
    /* Stateful default-drop for traffic forwarded in from the WAN; the same three-rule shape is what VLAN_IN should look like. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Traffic to the router itself from the WAN; PPTP (tcp/1723 + GRE) is open to any source. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            log disable
            protocol tcp
        }
        rule 3 {
            action accept
            description GRE
            log disable
            protocol 47
        }
        rule 5 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
/* Same layout as the first posted config, now with VLAN 10 on eth0 and VLAN_IN attached to it. */
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        vif 10 {
            /* Still "address dhcp": the router is a DHCP client on VLAN 10, and no VLAN 10 scope exists under service dhcp-server, so VLAN hosts have no gateway and get no leases from this router. */
            address dhcp
            description "VLAN"
            /* Only "in" (forwarded traffic) is filtered. Without a "local" ruleset, hosts on VLAN 10 can still reach the router's own services (SSH 22, HTTPS 443, SNMP) regardless of VLAN_IN. The lines below are indented with tabs, unlike the rest of the file. */
            firewall {
            	in {
            		name VLAN_IN
            		}
            	}
        }
    }
    ethernet eth1 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
                out {
                    modify pppoe-out
                }
            }
            mtu 1492
            name-server auto
            password *************
            user-id ************
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        /* Empty in/local/out nodes name no ruleset and therefore do nothing; worth deleting so the intended policy is obvious. */
        firewall {
            in {
            }
            local {
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* LAN-side services. No "local" ruleset exists on any LAN interface, so the GUI (tcp/443), SSH (tcp/22) and SNMP are reachable from VLAN 10 as well. There is still no DHCP scope for VLAN 10. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        /* Forwarder listens on eth0 and eth2 only; eth0.10 would need its own listen-on entry to serve VLAN clients. */
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5001 {
            outbound-interface pppoe0
            type masquerade
        }
    }
    /* Default "public" community, read-only; reachable from every LAN segment under this config. */
    snmp {
        community public {
            authorization ro
        }
        contact "********"
        location ************
    }
    ssh {
        port 22
        protocol-version v2
    }
}
/* Host-level settings; names, hashes and time zone were masked by the poster. Both accounts are level admin. */
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name *************
    host-name Router
    login {
        user ********** {
            authentication {
                encrypted-password ****************
                plaintext-password ""
            }
            full-name "***********"
            level admin
        }
        user ********** {
            authentication {
                encrypted-password *****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Debug-level protocol logging; useful while troubleshooting, noisy afterwards. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone *****************
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648311.140310.1616 */

 

And here is what's configured in the tough switch pro

                               Trunk Ports       [X]      [ ]      [ ]

Enabled   Management  VLAN ID      Comment    Port 1   Port 2   Port 3
    [X]          [X]  1         Management         U        U        U
    [X]          [ ]  10        Separated          T        T        T

 

I don't get it.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 387
Solutions: 40

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


Two major issues jump out at me.  The first is that you have the address on vlan10 set to dhcp.  This means that the port is looking for a DHCP server to get an address from.  Unless there is a separate DHCP server on vlan10, you need to define an address for that network.

Second is with the firewall you created on the vlan interface.  For what you described, just do a simple accept established/related and drop invalid ruleset.  Basically, just copy the WAN_IN ruleset for this interface and name it VLAN_IN.  Nothing will be able to start new traffic from the vlan, but anything on the vlan can respond to traffic sent to it.

Ubiquiti Employee

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

I just got a number of notifications this morning. Sorry for the delay. Yes, this is very correct. Ideally you'll want to manually define an IP range for your VLAN (vif) and then have a corresponding DHCP server.

Very good point for the rule, I was over complicating it, which was unnecessary. The good (and I suppose bad for some) thing is that there are so many ways to achieve the same thing. Man Happy

You can add/copy the firewall rule via the config.boot in a text editor too, if you aren't as familiar/comfortable with CLI. Just make sure to use the same formatting.

Best regards,
Mike

Established Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


@UBNT-MikeD wrote:

Very good point for the rule, I was over complicating it, which was unnecessary. The good (and I suppose bad for some) thing is that there are so many ways to achieve the same thing. Man Happy

Best regards,
Mike


I try hard to keep my code as simple as possible.  No unnecessary clutter.  I've learned over the years that empty or undefined code can cause issues, plus it can really make it much more difficult to troubleshoot issues.

For example the two code sections below.  The first is much easier to see what it is doing even though both have the same result.

/* Match only packets belonging to an already tracked connection (or one related to it); new and invalid are simply not listed. */
state {
    established enable
    related enable
}



---------------------------------------


/* Same match as the shorter form above: the explicit "disable" lines for invalid and new add nothing, since an unlisted state is not matched anyway. */
state {
    established enable
    invalid disable
    new disable
    related enable
}

 

New Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


OK… @UBNT-MikeD and @CowboyJed Let's try… First, we need a new DHCP for the VLAN

I added an IP to vif10

interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        /* VLAN 10 now has a static gateway address, which the VLAN10 DHCP scope hands out as default-router. VLAN_IN is still attached as "in" only; traffic to the router itself (DHCP, DNS, SSH, GUI, SNMP) is not covered by it. */
        vif 10 {
            address 192.168.10.1/24
            description "VLAN"
            firewall {
                in {
                    name VLAN_IN
                }
            }
        }
    }

 

And this is the DHCP

        /* DHCP scope for VLAN 10. It advertises 192.168.10.1 as DNS server, but the posted dns forwarding block only lists listen-on eth0 and eth2, so a matching listen-on eth0.10 entry is needed for VLAN clients to resolve names. Any future "local" ruleset on vif 10 must also permit DHCP (udp/67) and DNS (53) from the VLAN for this scope to keep working. */
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.100
                }
            }
        }

 

And I added the new DHCP to the Group ROUTER_IP.

 

But… Devices plugged into the tagged ports of the switch are still leasing an IP from the main eth0 DHCP. The VLAN10 DHCP has no active leases :-(

Ubiquiti Employee

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


The client devices' interface (computer NIC, mobile, etc.) needs to be tagged for VLAN ID 10. Just like normal, otherwise they won't pick up IP from VLAN 10 subnet. Or in the case of an AP then the SSID needs to be set to VLAN 10 so devices that connect to it automatically use VLAN 10 (at least that is typical scenario).

I need to test something else but I'll post an example of firewall side shortly..

Best regards,
Mike

Established Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

You need to adjust the settings on your tough switch to assign the vif 10 port to vlan 10.  Port 1 looks good as a trunk port, but both ports 2 & 3 are untagged on vlan1 and tagged on vlan20 (early attachment).  The port you are going to use for vlan 10 needs to be untagged for vlan 10 and (I'm guessing here as I've never used a ToughSwitch) disabled for vlan 1.

@UBNT-MikeD , would you care to help with this part?

Ubiquiti Employee

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


@CowboyJed wrote:

You need to adjust the settings on your tough switch to assign the vif 10 port to vlan 10.  Port 1 looks good as a trunk port, but both ports 2 & 3 are untagged on vlan1 and tagged on vlan20 (early attachment).  The port you are going to use for vlan 10 needs to be untagged for vlan 10 and (I'm guessing here as I've never used a ToughSwitch) disabled for vlan 1.

@UBNT-MikeD , would you care to help with this part?


Yes of course. it can be untagged to the port too. I was going by the word tagged.

So, I've attached an image. I have tagged a few ports, but then port 4 I untagged VLAN 10. You can only have 1 untagged VLAN per port (obviously) so first you need to click on symbol for the management VLAN and either tag it (T) or exclude it (E) from that port (in my example, port 4 excludes VLAN 1, the management VLAN). Then I can click on the symbol and get U for untagged on VLAN 10.

Hopefully that made sense. See attached.

Thanks,
Mike

Screenshot from 2014-06-18 11:17:32.png
New Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Hi UBNT-MikeD

OK… New Port-config on the switch…

TS VLAN config

The VLAN10 devices should connect to Port 2, 3 and 4.

This config results in no communication with the router, no DHCP available to those machines.

Established Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Your configuration for both the switch and router look correct.  For troubleshooting purposes, let's remove the firewall name VLAN_IN from vif 10 and then repost your current config.  We will look at getting everything talking first and then start controlling traffic from the VLAN.

New Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

OK… This is the current conf without the VIF10 fw-rule

Still no IP leases for devices connected to the VLAN-Ports

/* Troubleshooting revision: VLAN_IN is still defined but is no longer attached to any interface (see interfaces, vif 10), so at this point nothing filters VLAN 10 at all. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Router-side addresses of all three LAN segments, now including the VLAN 10 gateway. */
        address-group ROUTER_IP {
            address 192.168.1.1
            address 192.168.2.1
            address 192.168.10.1
            description ""
        }
        /* Empty and unreferenced. */
        network-group VLAN_NETS {
            description ""
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify pppoe-out {
        rule 10 {
            action modify
            modify {
                tcp-mss 1412
            }
            protocol tcp
            tcp {
                flags SYN
            }
        }
    }
    /* Unchanged apart from rule 1 losing its description: default-action accept means VLAN-to-LAN traffic is never dropped, and both rules target router addresses that an "in" (forwarded-traffic) ruleset is unlikely to see - TODO confirm. When this is re-attached, the WAN_IN shape (default drop, accept established/related, drop invalid) is the one that gives the requested one-way access. */
    name VLAN_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            destination {
                group {
                    address-group ROUTER_IP
                }
            }
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description VLAN-Comm
            destination {
                group {
                    address-group ADDRv4_eth0.10
                }
            }
            log disable
            protocol all
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* PPTP (tcp/1723 + GRE) remains open to any WAN source. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            log disable
            protocol tcp
        }
        rule 3 {
            action accept
            description GRE
            log disable
            protocol 47
        }
        rule 5 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
/* VLAN 10 now has a static gateway address and, for troubleshooting, no firewall attached. Once leases work, both an "in" ruleset (forwarded traffic) and a "local" ruleset (traffic to the router: allow DHCP/DNS, drop the rest) should be re-attached here. */
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description "VLAN"
        }
    }
    ethernet eth1 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
                out {
                    modify pppoe-out
                }
            }
            mtu 1492
            name-server auto
            password **************
            user-id *************
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        /* Empty firewall nodes; no effect. */
        firewall {
            in {
            }
            local {
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* LAN-side services, now with a DHCP scope for VLAN 10. GUI, SSH and SNMP remain reachable from every LAN segment because no LAN interface carries a "local" ruleset. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.21 {
                    stop 192.168.1.240
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
        /* Hands out 192.168.10.1 as DNS server, but the forwarder below does not listen on eth0.10, so VLAN clients will get leases yet fail to resolve names until listen-on eth0.10 is added. */
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.100
                }
            }
        }
    }
    dns {
        /* Missing: listen-on eth0.10 (see the VLAN10 scope above). */
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5001 {
            outbound-interface pppoe0
            type masquerade
        }
    }
    /* Default "public" community string, read-only, reachable from VLAN 10 as well under this config. */
    snmp {
        community public {
            authorization ro
        }
        contact "***********"
        location *************
    }
    ssh {
        port 22
        protocol-version v2
    }
}
/* Host-level settings; names, hashes and time zone masked by the poster. Both accounts are level admin. */
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name ************
    host-name Router
    login {
        user *********** {
            authentication {
                encrypted-password *************
                plaintext-password ""
            }
            full-name "***********"
            level admin
        }
        user *********** {
            authentication {
                encrypted-password ************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Debug-level protocol logging; useful while troubleshooting, noisy afterwards. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone **************
}
/* PPTP remote access, one local user (masked). Clients get 172.16.44.100-110; no ruleset in this config references those addresses, so as far as this file shows VPN users reach all LAN segments, including the sensor VLAN, unfiltered. */
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username ************* {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 172.16.44.100
                stop 172.16.44.110
            }
            mtu 1024
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648311.140310.1616 */

 

Established Member

Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


I do not see anything which should stop hosts from receiving ip addresses from the dhcp server.  Everything looks as it should.

Anyone else have any ideas?  My configuration is identical other than my domain controller hands out the address leases via dhcp-relay.  I guess I do have MTU 1500 defined as well as a description.  I wouldn't think those would make a difference.

This is my working config for my interfaces:

/* Reference config from another poster: one /24 per VLAN, each with a static gateway address and explicit MTU, which is the working counterpart of the "address dhcp" problem discussed above. */
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "DMZ SUBNETS"
        duplex auto
        speed auto
        vif 130 {
            address 10.112.130.1/24
            description Public_Servers
            mtu 1500
        }
        vif 160 {
            address 10.112.160.1/24
            description BCF_Guest
            mtu 1500
        }
    }
    ethernet eth2 {
        description "LAN SUBNETS"
        duplex auto
        speed auto
        vif 20 {
            address 10.10.20.1/24
            description BCF_Home
            mtu 1500
        }
        vif 30 {
            address 10.10.30.1/24
            description BCF_Servers
            mtu 1500
        }
        vif 40 {
            address 10.10.40.1/24
            description BCF_VOIP
            mtu 1500
        }
        vif 50 {
            address 10.10.50.1/24
            description BCF_CCTV
            mtu 1500
        }
        vif 60 {
            address 10.10.60.1/24
            description BCF_Wrls
            mtu 1500
        }
        vif 99 {
            address 10.10.99.1/24
            description BCF_Mgmt
            mtu 1500
        }
    }
    loopback lo {
    }
    /* Site-to-site OpenVPN using a pre-shared static key file rather than certificates; static-key mode has no per-session key agreement, so the key file's confidentiality is the whole secret. Addresses and ports are masked by the poster. Compression inside an encrypted tunnel (--comp-lzo) is nowadays generally discouraged. */
    openvpn vtun0 {
        local-address xx.xx.xx.xx {
        }
        local-port xxxx
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address xx.xx.xx.xx
        remote-host xxxxxxxxx.xxx
        remote-port xxxx
        shared-secret-key-file /config/auth/secret
    }
}
 

 


Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation

Hmmm, James, sorry for the delay. I'm going to subscribe to this thread so I get notified on every post. Alternatively, you can type my name with an @ in front, like @UBNT-MikeD; it's easiest to type M or Mi and then click on my name. That will "page" me like the "bat symbol". Man Wink

Anyway, I'm about to test out a similar configuration without the firewall rule in place first. TOUGHSwitch 1.3. The only difference is that I only have an ERL and an ER-POE, but that doesn't matter; they function the same.

Oh, what port goes between your ER (or ERP) and TS8-Pro? Is it 1(the Trunk port)? 

First, I'll post the relevant config info below. The firewall LAN_x rules that are in place are currently set to accept by default, so I shouldn't need to list them.

 

Interface:

    /* Test trunk port toward the TOUGHSwitch: the untagged parent carries 172.16.0.0/24, with two tagged VLANs on top. */
    /* Every interface and vif gets the same three rulesets: in (traffic entering the router on that interface), local (traffic addressed to the router itself) and out (traffic leaving via that interface). */
    /* With accept-by-default rules (see the post above) this isolates nothing yet; per-VLAN separation has to come from the rule contents, e.g. dropping VLAN 20 sources in the in ruleset of that vif. */
    ethernet eth1 {
        address 172.16.0.1/24
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
            out {
                name LAN_OUT
            }
        }
        /* Main WLAN VLAN. */
        vif 2 {
            address 192.168.1.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* Private WLAN VLAN, a /28 (14 usable hosts). */
        vif 10 {
            address 10.0.42.1/28
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
    }

 DHCP:

    /* One DHCP scope per interface/vif above; each hands out the router's own address as default gateway and DNS server, so the router is presumably also running a DNS forwarder -- confirm. */
    /* authoritative disable means the server will not NAK clients asking to renew leases it does not know about (standard ISC DHCP semantics). */
    /* hostfile-update enable publishes lease hostnames into the router's hosts file, as I read the EdgeOS option -- verify. */
    dhcp-server {
        disabled false
        hostfile-update enable
        /* Untagged parent network, eth1. */
        shared-network-name LAN_172.16.0.0-24 {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 172.16.0.1
                lease 86400
                start 172.16.0.2 {
                    stop 172.16.0.254
                }
            }
        }
        /* VLAN 2, eth1 vif 2. */
        shared-network-name MainWLAN_192.168.1.0-24 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.2 {
                    stop 192.168.1.254
                }
            }
        }
        /* VLAN 10, eth1 vif 10; the pool covers the whole usable /28 range (.2-.14). */
        shared-network-name PrivWLAN_10.0.42.0-28 {
            authoritative disable
            subnet 10.0.42.0/28 {
                default-router 10.0.42.1
                dns-server 10.0.42.1
                lease 86400
                start 10.0.42.2 {
                    stop 10.0.42.14
                }
            }
        }
    }

 I'll post a quick video of this test momentarily...

Thanks,
Mike


Re: EdgeMax Pro, ToughSwitch VLAN-Tagging and Separation


Oh, what port goes between your ER (or ERP) and TS8-Pro? Is it 1(the Trunk port)? 

 

Yep. Port 1