New Member
Posts: 2
Registered: ‎08-23-2018

EdgeRouter 4 VLAN problem

Hi.

Pretty new to these routers and this community, so I apologize if the information provided isn't enough or isn't presented the way you're used to here.

This week I finally got better internet connections here, and to get things working good, I decided to use two ER-4's.

My scope here is a bit unusual; I purchased a pretty big lot of Aruba equipment a while ago, but unfortunately only one of the controllers got the needed licenses installed (NOT willing to pay for more as this is overkill anyway), so all wireless is controlled by one controller.

Wireless is installed in four buildings, and at the moment two "virtual AP" profiles are used, providing four SSIDs on four different VLANs.

Internet is connected in two of the buildings, and I've installed an EdgeRouter 4 in each of those buildings.

All "infrastructure" (+ lots more at the moment) is connected to VLAN 1, and I'm able to reach everything on VLAN 1 without any problems at all.

Problem:
I of course want to use both internet connections, and primarily I want connection 1 for house 1 and connection 2 for house 2.

Call them router 1 and router 2...

Router 1 is located in the same rack as the Aruba controller and is working all good (even though I have only tested VLAN 1 and VLAN 40 on it.)

Router 2 is located in house 2 and is set up with DHCP on VLAN 30 and VLAN 50.

VLAN 40 is also added to the router, but not running DHCP for that VLAN on that router.

If the virtual AP profiles in building 2 are set up using VLAN 30 or 50, clients do not get an IP address. (Manual IP does not work either.)
If the virtual AP profiles in building 2 are set up using VLAN 40, they get an IP address (router 1 is running DHCP for VLAN 40) and things are working "good".

I am not able to ping the IP addresses for the VLANs on router 2 (the regular VLAN 1 interface is working fine).

Also, even though I believe this isn't a good solution, I thought it should work as a temporary solution; setting gateway IP to router 2's VLAN 1 IP in the VLAN 40 DHCP-scope does not give internet connectivity.

So...

I don't think the problem lies in either the switches or Aruba controller (switches are also Aruba), I'm able to ping their VLAN interfaces just fine.

I'm able to ping router 1 at the VLAN IP addresses set up for it.

Switches are at the moment set up without restrictions.

Does anyone here have a suggestion on what I could do here?

Router 1:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address xxx.xxx.xxx.xxx/28
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.3/24
        description Local
        duplex auto
        speed auto
        vif 30 {
            address 192.168.30.3/24
            description VLAN30
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.3.1/24
        description "Local 2"
        duplex auto
        speed auto
        vif 40 {
            address 192.168.40.1/24
            description VLAN40
            mtu 1500
        }
        vif 50 {
            address 192.168.50.2/24
            description VLAN50
            mtu 1500
        }
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description HS3_web
        forward-to {
            address 192.168.1.16
            port 82
        }
        original-port 82
        protocol tcp_udp
    }
    rule 2 {
        description HSTouch
        forward-to {
            address 192.168.1.16
            port 10200
        }
        original-port 10200
        protocol tcp_udp
    }
    rule 3 {
        description RDP
        forward-to {
            address 192.168.1.16
            port 3389
        }
        original-port 3389
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        route 192.168.50.0/24 {
            next-hop 192.168.1.2 {
                disable
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.3
                dns-server 192.168.1.3
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping DC_NIC1 {
                    ip-address 192.168.1.16
                    mac-address 00:25:90:64:E4:FD
                }
                static-mapping DC_NIC2 {
                    ip-address 192.168.1.35
                    mac-address 00:25:90:64:E4:FC
                }
                static-mapping Phoscom {
                    ip-address 192.168.1.68
                    mac-address B8:27:EB:E8:A8:76
                }
                static-mapping Supermicro {
                    ip-address 192.168.1.15
                    mac-address 00:25:90:6E:62:E2
                }
                static-mapping foscam {
                    ip-address 192.168.1.21
                    mac-address E8:AB:FA:66:9F:D5
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.38 {
                    stop 192.168.3.243
                }
            }
        }
        shared-network-name VLAN40 {
            authoritative disable
            subnet 192.168.40.0/24 {
                default-router 192.168.1.2
                dns-server 193.75.75.75
                dns-server 193.75.75.193
                lease 86400
                start 192.168.40.70 {
                    stop 192.168.40.190
                }
            }
        }
        shared-network-name VLAN50 {
            authoritative disable
            disable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.2
                dns-server 193.75.75.193
                dns-server 193.75.75.75
                lease 86400
                start 192.168.50.50 {
                    stop 192.168.50.250
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address xxx.xxx.xxx.xxx
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 193.75.75.75
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Oslo
    traffic-analysis {
        dpi enable
        export enable
    }
}

Router 2:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.10.160.13/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.2/24
        description Local
        duplex auto
        speed auto
        vif 30 {
            address 192.168.30.1/24
            description VLAN30
            mtu 1500
        }
        vif 40 {
            address 192.168.40.2/24
            description VLAN40
            mtu 1500
        }
        vif 50 {
            address 192.168.50.1/24
            description VLAN50
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        shared-network-name VLAN30 {
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 193.75.75.75
                dns-server 193.75.75.193
                start 192.168.30.50 {
                    stop 192.168.30.150
                }
            }
        }
        shared-network-name VLAN50 {
            subnet 192.168.50.0/24 {
                default-router 192.168.50.1
                dns-server 193.75.75.75
                dns-server 193.75.75.193
                start 192.168.50.50 {
                    stop 192.168.50.140
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 10.10.160.1
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 193.75.75.75
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}
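A sanity check worth running over both configs before chasing the switches, added here as an example (not from the poster and not an EdgeOS tool): it parses EdgeOS brace syntax and reports any DHCP scope whose default-router lies outside the subnet it hands out, which is exactly the state of router 1's VLAN40 scope above (gateway 192.168.1.2, subnet 192.168.40.0/24), so clients get a lease but no reachable on-link gateway. The sample input is a constructed excerpt of that dhcp-server block with only the fields the check reads.

```python
import ipaddress

# Constructed excerpt in EdgeOS syntax, modelled on router 1's dhcp-server block
# in the post above (indented here; only the fields the check looks at are kept).
ROUTER1_DHCP = """
dhcp-server {
    shared-network-name LAN1 {
        subnet 192.168.1.0/24 {
            default-router 192.168.1.3
        }
    }
    shared-network-name VLAN40 {
        subnet 192.168.40.0/24 {
            default-router 192.168.1.2
        }
    }
}
"""

def parse_edgeos(text):
    """Parse EdgeOS brace syntax into nested dicts; 'key value' leaves become key -> [values]."""
    root, stack = {}, []
    cur = root
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":
            cur = stack.pop()                     # leave the current block
        elif line.endswith("{"):
            stack.append(cur)                     # enter a nested block
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            key, _, value = line.partition(" ")   # repeated keys (dns-server) accumulate
            cur.setdefault(key, []).append(value)
    return root

def check_dhcp_gateways(text):
    """Return (scope, gateway, subnet) for every DHCP scope whose default-router
    is outside the subnet it hands out; clients cannot reach such a gateway on-link."""
    problems = []
    for name, net in parse_edgeos(text)["dhcp-server"].items():
        if not name.startswith("shared-network-name "):
            continue                              # skip leaf options such as 'disabled'
        scope = name.split(" ", 1)[1]
        for key, sub in net.items():
            if not key.startswith("subnet "):
                continue
            subnet = ipaddress.ip_network(key.split(" ", 1)[1])
            for gw in sub.get("default-router", []):
                if ipaddress.ip_address(gw) not in subnet:
                    problems.append((scope, gw, str(subnet)))
    return problems
```

Feed it the output of `show configuration` from each router (the parser accepts the flat, unindented form too) and anything it prints is a scope whose clients will take a lease and then silently fail to route.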