Edgerouter Internet Connection Issues

Dumb question, the default-gateway is the correct one, on all devices ?
Cheers,
jonatha

Hi,

Yes all state the router as the default gateway at 192.168.1.1.

Have tried using both static and dynamically obtained IP addresses, ipconfig release/renew/flushdns commands and also disabled the client firewalls, to no effect

Can you post the config ?

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address xx.xx.xx.xx/xx
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.4.4
            name-server 1.1.1.1
            options strict-order
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address xx.xx.xx.xx
    host-name ubnt
    login {
        user xxx {
            authentication {
                encrypted-password xx
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        site-to-site {
            peer y.y.y.y {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxx
                }
                connection-type initiate
                description xxx
                ike-group FOO0
                ikev2-reauth inherit
                local-address xx.xx.xx.xx
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.1.0/24
                    }
                    remote {
                        prefix y.y.y.y/yy
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.8.5142440.181120.1645 */

Just to add - we've set the windows server to act as the DHCP server for eth1 and the LAN in lieu of the router, to avoid any internal conflicts.

Cheers,

If on the wan interface, you have a static ip address (and you have been provided also of the ip address of the gateway/next-hop, declared in the system-gateway address filed), you can remove the dhcp-options from the wan interface, that said, the config seems pretty simple ... From eth2, all is working correctly ? The remote-prefix, in the vpn config, is a different network ?
Cheers,
jonatha

That’s right, the Edgerouter is connected to a lease line on eth0 which has a static ip address and gateway address, and which has been provided by our ISP.

There’s nothing plugged into eth2 at the moment, only the eth1 port is being used for our internal LAN.

The VPN config connects to one of our other sites, and this connection also works fine (for the clients on the LAN that are able to get internet access)

It’s just certain clients on the LAN that we’re unable to get internet access for, and are struggling to figure out why

Are you using 1.1 subnet? If yes, where's the DHCP Pool?

Hi all,

Any thoughts on this?

We’re having endless connectivity issues at the moment.

Thanks in advance,

There are a few things you can try to debug this:

On the problematic machine

1. Do a traceroute from one of the problem machines and see if it correctly tries to go through your router:

tracert -d 8.8.8.8

2. Check the arp cache on a problem machine to make sure that the router's IP appears with it's correct internal MAC address

arp -a 192.168.1.1

On the router

3. You can also check the reverse, to make sure your router sees the proper MAC address of your machine

sudo arp 192.168.1.123

4. Do a tcpdump on the router to look at the low level traffic to/from one of your problem machines

sudo tcpdump host 192.168.1.123

Not knowing how the Windows DHCP server is set to support DNS, the first thing I see in your Edge Router configuration is this:

name-server 127.0.0.1

Under the System Tab (lower left of the Dashboard), change the Name server to 8.8.8.8.

Y-ASK

Ok all,

So ran the tests on one of the PC's that was unable to get internet access today (the ethernet adaptor shows a yellow exclamation mark and a "No Internet Access" sign in the taskbar:

Ping the router:

Ping the server:

Ping public dns:

Run tracert:

IP config details (i've tried inputting this as a static ip address as well as using the auto obtain options):

ARP details checked and confirmed to be correct to router.

Trying tcpdump on the router via CLI gives me:

I've tried updating drivers, using the standard cmd commands (release/renew/netsh int reset etc), to no avail. I've also tried changing the name server from 127.0.0.1 to 8.8.8.8 as suggested, however still no dice.

Thanks again and in advance for everyone's help.

Kind regards,

Can you connect one of the non-working pc to eth2, and see if the issue still persists ?
Cheers,
jonatha

Hi - internet works if we connect directly into eth2.

Does that mean there's a setup issue with eth1?

The TTL you are getting when pinging 192.168.1.1 from the computer is suspicions.

I would expect to see 64 instead of 254, since that is the default I have seen used in EdgeOS.

On the router, ping yourself

ping localhost

to check what TTL you are getting there.

If you are not getting a 254 TTL there as well, then it means your computer is getting ping replies from somebody else, not your EdgeRouter.

Regarding tcpdump, if that is all you are getting, it means you computer is not sending anything towards your EdgeOS gateway.

Just to be sure, leave a "ping -t 8.8.8.8" running from your computer while you are running the tcpdump on the router.

Pinging localhost from the router gives me a TTL of 64.

Have rerun the tcpdump test with active ping running on the affected PC and the message is the same

This means the problem is not caused by the EdgeRouter and you need to recheck your network setup.

Do you have some Cisco device laying around? It looks like TTL 254 is usually used by them.

Do you have any VLANs set up on your switch? Or maybe the switch management interface itself is set up as 192.168.1.1 and it's only visible from some ports.

You can also try swapping the cabling between a problem computer and one that works.