New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1
Accepted Solution

EdgeRouter Lite - VLANs with UniFi internet access

Greetings,


I have a small setup in my company - I have a Linksys router with address 192.168.0.1 which grants internet access and DHCP to computers in network 192.168.0.0/24. I also bought an Edge Router (LITE) to employ some basic VLAN separation so that my UniFi serves two different LANs, 192.168.0.0/24 and 192.168.100.0/24 (VLAN100) - I can successfully connect to either of my UniFi wireless SSIDs with correct addresses being assigned from each DHCP, but VLAN100 has no internet access (it should have it via the Linksys router). PCs in 192.168.100.0/24 can successfully ping 192.168.0.1, but it seems that my Linksys won't pass 192.168.100.* to the internet. I have already put a static route on the Linksys router. Do I need some additional configuration, i.e. some additional NAT or port mapping?


Internet ----- (Public IP) Linksys (192.168.0.1) ------LAN1------- (192.168.0.254) Edge Router (VLAN100 192.168.100.1) ----- LAN2

PCs in VLAN100 use 192.168.100.1 as default router, EdgeOS has 192.168.0.1 configured as default static route and DNS 8.8.8.8.

Kr,

Tomasz


Accepted Solutions
Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

What are the wireless devices you are logged into the wireless with?  If Windows based, how is the Windows firewall configured?  Will it accept ping?  Most of my Win7 machines will not reply to a ping request, but my SBS 2011 will.



All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: EdgeRouter Lite - VLANs with UniFi internet access

You should post your router configuration so that people can take a look.

Regular Member
Posts: 569
Registered: ‎04-18-2013
Kudos: 338
Solutions: 45

Re: EdgeRouter Lite - VLANs with UniFi internet access

It sounds like you need a masquerade rule on the ERL to masq the traffic using the ERL address.  Post your config and we should be able to help you out.

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

Please let me know if this is enough (I have edited out some account data):

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.0.254/24
        duplex auto
        firewall {
            in {
            }
        }
        speed auto
        vif 100 {
            address 192.168.100.1/24
            firewall {
                in {
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name VLAN100 {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.100.10 {
                    stop 192.168.100.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth0.100
        }
    }
    gui {
        https-port 443
    }
    nat {
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 192.168.0.1
    host-name router
    login {
        user *** {
            authentication {
                encrypted-password ***
                plaintext-password ""
            }
            full-name "***"
            level admin
        }
        user *** {
            authentication {
                encrypted-password ***
                plaintext-password ""
            }
            full-name ***
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648309.140310.1607 */

I would also be grateful if you could guide me through the WebGUI rather than the CLI. Thanks!

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: EdgeRouter Lite - VLANs with UniFi internet access

The Linksys doesn't have a route to 192.168.100.0/24, so either you need to add a static route on the Linksys or you need NAT (unfortunately that will make it double NAT).

EdgeMAX Router Software Development
New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

The Linksys has the static route - I can ping my 192.168.100.* addresses from it, and the PCs in 192.168.100.0/24 can ping it back. I have manually added it to my routing table.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: EdgeRouter Lite - VLANs with UniFi internet access

Is this Linksys set up to NAT every subnet or just 192.168.0.0/24?

EdgeMAX Router Software Development
New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

Well... I think that's the problem... because it's a basic setup and it had never been used to serve the Internet to other networks, I guess it does not NAT the VLAN100. I need to check how to add a second network to my NAT and I guess I'll be done.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

What model of Linksys router?

I also did not see a static route on the ERL for 0.0.0.0/0

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

I don't know why it is not in the config I posted earlier, but I can see the 0.0.0.0/0 static route in the WebGUI on my ERL - when I go to the toolbox and ping e.g. google.com, it pings successfully.

I have an old WRT54G router, but I also have a Lancom DSL/I-1611 Office if the Linksys won't do.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

I'm familiar with the Linksys.  It's one of the routers I used to use before I got my ERLs.  Not familiar with the Lancom.  The WRT54G is definitely not made for handling subnets.

Do you have any reason not to replace it with the ERL?

The basic idea is that you would use the ERL for your internet connection, your wireless connection, and then for connection to one of the switch ports in the WRT54G.  You would no longer use the WAN port on the WRT54G.  It would just be used as a switch.

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

@CowboyJed - replacing the old router with the ERL is an option I take into account, and probably it will be the least painful thing to do; I just wanted to know, out of curiosity, if there is a way to access the Internet from behind a second router without being double-NAT'd. As suggested earlier - it is possible, but I would need to adjust the NAT on the first router to accept the VLAN100 subnet.

BTW, can the ERL do IPsec VPN for site-to-site or client-to-site via an application, e.g. Shrew?

Emerging Member
Posts: 56
Registered: ‎07-29-2013
Kudos: 76
Solutions: 4

Re: EdgeRouter Lite - VLANs with UniFi internet access

You might get away with fooling the Linksys router and letting it see LAN1 and LAN2 as a single big subnet.

That is, configure on the Linksys for LAN1 = 192.168.0.1/23

Configure on the ERL for LAN1 = 192.168.0.254/24

Configure on the ERL for LAN2 = 192.168.1.1/24

Though I won't recommend such a setup; double NATting is a better approach and won't hurt you as long as communication originates from the LAN side.

Even better, put the ERL as your internet router.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

Yes the ERL can do IPsec VPN.

Regular Member
Posts: 413
Registered: ‎12-25-2013
Kudos: 419
Solutions: 11

Re: EdgeRouter Lite - VLANs with UniFi internet access

I second the idea of replacing the Linksys; what is the point of getting an ERL when you are still using that?

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: EdgeRouter Lite - VLANs with UniFi internet access

Using two routers is a really really bad idea. You introduce all kinds of issues. Dump the Linksys because you now have a real business class router.

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

Ok, so I'm trying to replace my current router with the EdgeRouter Lite - the config stayed the same with one exception - I configured eth2 as my WAN and put NAT/WAN_IN/WAN_LOCAL rules according to some simple tutorial. LAN and VLAN100 can access the internet - VLAN100 can ping LAN, however LAN cannot ping hosts in VLAN100. Do I need some additional rule? When I do tracert 192.168.100.* from any host in LAN (192.168.0.0/24) I can see that it goes to the ERL, but the ERL routes it to the Internet (default route 0.0.0.0/0) instead of to the connected route (port eth0.100). The port on my switch is configured as GENERAL and both VLAN100 and the default VLAN are configured to be untagged. To be honest I do not know if the problem is the ERL configuration or the switch configuration.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

Post both with make and model of switch.  Sanitize config as needed to protect passwords, etc.  We will take a look.

Regular Member
Posts: 569
Registered: ‎04-18-2013
Kudos: 338
Solutions: 45

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

> Port on my switch is configured as GENERAL and both VLAN100 and default vlan is configured to be untagged.


This is not possible.  A port can only be untagged in a single VLAN.  On many low-end managed switches, when you set untagged 100, untagged 1 automatically goes away.  In order for this to work, what you are probably looking for is untagged 1 and tagged 100, then set your UniFi to have the guest SSID as tagged 100 (the default SSID would be untagged, i.e. VLAN 1).

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access


You are correct - my bad - the ports are tagged; nevertheless the problem is not that UniFi doesn't serve the LAN and VLAN100 addresses on separate SSIDs - it does! The problem is that from my *main* LAN I cannot access computers on VLAN100, but at the same time computers in VLAN100 can access PCs in the LAN.

Here's config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description ""
        rule 1 {
            action accept
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.0.254/24
        duplex auto
        firewall {
            in {
            }
            local {
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth1 {
        address *.*.*.*/29
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
        vif 100 {
            address 192.168.100.254/24
            description ***
            mtu 1500
        }
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name ** {
            authoritative enable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.254
                dns-server 192.168.0.9
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.200
                }
                unifi-controller 192.168.0.9
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
            listen-on eth2.10
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description WAN
            log disable
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address *.*.*.*
    host-name R1
    login {
        user ** {
            authentication {
                encrypted-password **
                plaintext-password **
            }
            full-name **
            level admin
        }
        user ** {
            authentication {
                encrypted-password **
                plaintext-password **
            }
            full-name **
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

The switch model is TP-LINK TL-SG2424 - ERL eth0 is connected to a port in mode Access (default VLAN 1), eth2 with VLAN100 is connected to a port in mode General (default VLAN 1 and VLAN100 - both TAG), and the UniFi AP is connected to a port in mode General (default VLAN 1 and VLAN100 - both TAG). The effect is this - when I log into the Guest WiFi I get a DHCP lease from the ERL, e.g. 192.168.100.100 (that is correct) - I have access to the Internet and I can ping my UniFi controller (or even access the web admin at address 192.168.0.9, or even RDP to it). HOWEVER, from my UniFi controller (Windows 2008 R2) I cannot ping 192.168.100.100 or any host in VLAN100 at the same time.
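The two configuration dumps in this thread carry the checks the replies ask for by hand: whether the VLAN subnet is masqueraded anywhere (the first dump has an empty `nat {}` block, so the upstream Linksys had to route and NAT 192.168.100.0/24 itself), whether the DNS forwarder's `listen-on` names a sub-interface that actually exists (the second dump lists `eth2.10` while the VLAN is `vif 100`, i.e. `eth2.100`), which addressed interfaces have no firewall ruleset attached, and which route the ERL would pick for a VLAN host (longest-prefix match always prefers the connected `eth2.100` route over `0.0.0.0/0`, so a traceroute that leaves via the default route means the connected route was absent, i.e. the VLAN sub-interface was not up). The script below is an added example, not the poster's file or any Ubiquiti tooling: it parses the EdgeOS/Vyatta `key value { ... }` text into nested dicts and runs those checks against a constructed sample modelled on the second dump (public addresses drawn from the 203.0.113.0/24 documentation range).

```python
"""Lint an EdgeOS/Vyatta-style configuration dump for the issues discussed in the thread."""
import ipaddress

# Constructed sample modelled on the second configuration in the thread (not the poster's file);
# the public side uses the documentation range 203.0.113.0/24.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        address 192.168.0.254/24
    }
    ethernet eth1 {
        address 203.0.113.2/29
        firewall {
            in {
                name WAN_IN
            }
        }
    }
    ethernet eth2 {
        vif 100 {
            address 192.168.100.254/24
        }
    }
}
service {
    dns {
        forwarding {
            listen-on eth0
            listen-on eth2.10
        }
    }
    nat {
        rule 5000 {
            outbound-interface eth1
            type masquerade
        }
    }
}
system {
    gateway-address 203.0.113.1
}
"""


def parse_config(text):
    """Turn 'key value {' / '}' / 'key value' lines into nested dicts; leaf values become lists."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):       # skip blanks and the trailer comments
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip().strip('"'))
    return root


def interfaces(cfg):
    """Map interface name -> node, listing VLAN sub-interfaces as ethX.VID like EdgeOS does."""
    result = {}
    for name, node in cfg.get("interfaces", {}).items():
        if name.startswith("ethernet "):
            eth = name.split()[1]
            result[eth] = node
            for sub, subnode in node.items():
                if sub.startswith("vif "):
                    result[f"{eth}.{sub.split()[1]}"] = subnode
    return result


def dangling_dns_listeners(cfg):
    """listen-on entries that name no configured interface (typo or missing vif)."""
    fwd = cfg.get("service", {}).get("dns", {}).get("forwarding", {})
    return [name for name in fwd.get("listen-on", []) if name not in interfaces(cfg)]


def unfiltered_interfaces(cfg):
    """Addressed interfaces with no named ruleset in the 'in' direction."""
    return [name for name, node in interfaces(cfg).items()
            if "address" in node and not node.get("firewall", {}).get("in", {}).get("name")]


def masquerade_interfaces(cfg):
    """Outbound interfaces carrying a masquerade rule; empty means nothing is NATed on this box."""
    nat = cfg.get("service", {}).get("nat", {})
    return sorted(node["outbound-interface"][0] for rule, node in nat.items()
                  if rule.startswith("rule ") and node.get("type") == ["masquerade"])


def route_lookup(cfg, dst):
    """Longest-prefix match over connected routes, falling back to the default gateway."""
    dst = ipaddress.ip_address(dst)
    best = ("", -1)
    for name, node in interfaces(cfg).items():
        for addr in node.get("address", []):
            net = ipaddress.ip_interface(addr).network
            if dst in net and net.prefixlen > best[1]:
                best = (name, net.prefixlen)
    return best[0] if best[1] >= 0 else "default via " + cfg["system"]["gateway-address"][0]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("dangling DNS listeners:", dangling_dns_listeners(cfg))
    print("interfaces without an 'in' ruleset:", unfiltered_interfaces(cfg))
    print("masquerade on:", masquerade_interfaces(cfg))
    for host in ("192.168.100.100", "192.168.0.9", "8.8.8.8"):
        print(host, "->", route_lookup(cfg, host))
```

Run it against your own `show configuration` output by replacing `SAMPLE_CONFIG`; the checks are deliberately read-only so they can be run on a saved dump before touching the router. A masquerade list that does not include the LAN-facing interface, combined with no NAT upstream, reproduces the first problem in the thread; a VLAN host resolving to the connected sub-interface while the real traceroute goes to the internet points at the link or switch tagging rather than the routing table.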