New Member
Posts: 10
Registered: 05-31-2012

Handoff to Another Router for Internet Access

EdgeMax Setup

ETH0: 10.12.1.1/24

Default Gateway 10.12.1.254/24 (Firewall)

ETH1: 10.12.100.1/24

Clients on the 10.12.1.0/24 subnet are being NATed by the EdgeMax ETH0 interface instead of being redirected. Connections on the firewall show as coming from 10.12.1.1 instead of the client IP (i.e. 10.12.1.71).

Subnets that are being routed from parts of the network are functioning fine; the only subnet affected is the local 10.12.1.0/24.

How can I accomplish a router-on-a-stick for the 10.12.1.0/24 subnet so packets are just handed off to the firewall without being altered?

NOTE: No NAT or firewall rules are set on any interfaces. Only the default firewall rules appear.

all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable

This is an internal router for all internal subnets and I don't want it to perform any firewall function, just pass traffic from router to router.

My previous setup was a ZeroShell router and it functioned as described.

Hopefully someone can help so I don't keep banging my head on my desk!

Previous Employee
Posts: 10,504
Registered: 06-09-2011
Kudos: 3143
Solutions: 945
Contributions: 16

Re: Handoff to Another Router for Internet Access

Post your configuration.

EdgeMAX Router Software Development
New Member
Posts: 10
Registered: 05-31-2012

Re: Handoff to Another Router for Internet Access

Here is my config.  I have starred out all my public IPs.


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.12.1.1/24
        description LAN
        duplex auto
        firewall {
            out {
            }
        }
        ip {
        }
        speed auto
    }
    ethernet eth1 {
        address 10.12.100.1/24
        description "Wireless WAN"
        duplex auto
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key ****************
                        }
                    }
                }
                cost 1
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        speed auto
    }
    ethernet eth2 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        description "PD VPN"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key ****************
                        }
                    }
                }
                cost 2
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-address 10.0.3.1 {
        }
        local-port 1194
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.0.3.2
        remote-host *.*.*.*
        remote-port 1194
        shared-secret-key-file /config/auth/pd-secret
    }
    openvpn vtun1 {
        description "CC VPN"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key ****************
                        }
                    }
                }
                cost 2
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-address 10.0.4.1 {
        }
        local-port 1195
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.0.4.2
        remote-host *.*.*.*
        remote-port 1195
        shared-secret-key-file /config/auth/cc-secret
    }
    openvpn vtun2 {
        description "FD1 VPN"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key ****************
                        }
                    }
                }
                cost 2
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-address 10.0.6.1 {
        }
        local-port 1196
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.0.6.2
        remote-host *.*.*.*
        remote-port 1196
        shared-secret-key-file /config/auth/fd1-secret
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    wan-interface eth1
}
protocols {
    ospf {
        area 10.0.0.0 {
            area-type {
                stub {
                }
            }
            authentication md5
            network 10.0.0.0/8
        }
        default-information {
            originate {
                metric-type 2
            }
        }
        parameters {
            abr-type cisco
            router-id 0.0.0.0
        }
    }
    static {
        route 10.1.35.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.1.70.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.1.88.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.1.92.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.1.125.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.5.5.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.8.4.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
        route 10.12.1.0/24 {
            next-hop 10.12.0.254 {
                distance 1
            }
        }
        route 10.12.7.0/24 {
            next-hop 10.12.1.251 {
                distance 1
            }
        }
        route 10.12.8.0/24 {
            next-hop 10.12.1.251 {
                distance 1
            }
        }
        route 10.12.9.0/24 {
            next-hop 10.12.100.9 {
                distance 1
            }
        }
        route 10.12.10.0/24 {
            next-hop 10.12.100.10 {
                distance 1
            }
        }
        route 10.12.101.0/24 {
            next-hop 10.12.1.13 {
                distance 1
            }
        }
        route 10.12.102.0/24 {
            next-hop 10.12.100.91 {
                distance 1
            }
        }
        route 10.12.103.0/24 {
            next-hop 10.12.100.91 {
                distance 1
            }
        }
        route 10.40.1.0/24 {
            next-hop 10.12.1.4 {
                distance 1
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    nat {
    }
    snmp {
        community FVITGet {
            authorization ro
        }
        contact IT
        location "Town Hall"
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name fuquay-varina.org
    gateway-address 10.12.1.254
    host-name FVTH-WANRouter
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Administrator
            level admin
        }
    }
    name-server 10.12.1.21
    name-server 10.12.1.22
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}

New Member
Posts: 10
Registered: 05-31-2012

Re: Handoff to Another Router for Internet Access

As I was posting this I found the hairpin-nat value enabled. I didn't realize this was enabled by default. I set auto-firewall and the issue remained. I disabled the hairpin-nat feature and routes started performing as expected. Do I need to leave the auto-firewall disabled?

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: Handoff to Another Router for Internet Access

@tofvit wrote:

As I was posting this I found the hairpin-nat value enabled. I didn't realize this was enabled by default. I set auto-firewall and the issue remained. I disabled the hairpin-nat feature and routes started performing as expected. Do I need to leave the auto-firewall disabled?


I would, as you don't want a firewall in the first place.  For that matter, I recommend cleaning up your config anyway.  No reason to leave an empty default firewall with no rules.

configure
delete firewall
commit
save

And again with interfaces ethernet eth0. Your current code:

interfaces {
    ethernet eth0 {
        address 10.12.1.1/24
        description LAN
        duplex auto
        firewall {
            out {
            }
        }
        ip {
        }

To clean this up:

configure
delete interfaces ethernet eth0 firewall
delete interfaces ethernet eth0 ip
commit
save

Leaving you with this:

interfaces {
    ethernet eth0 {
        address 10.12.1.1/24
        description LAN
        duplex auto
        speed auto
    }

And

configure
delete port-forward
commit
save

To get rid of this:

port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    wan-interface eth1
}

Really, it's just some basic housekeeping.
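The cause found in this thread was a port-forward stanza whose default-enabled hairpin-nat masqueraded LAN traffic, so the upstream firewall logged 10.12.1.1 instead of the real client. The following script is an added example, not code from the thread or from Ubiquiti: it parses the brace-structured `show configuration` text as posted above and reports that setting together with the empty firewall stanzas the reply recommends deleting. The `parse_config` and `audit` functions and the trimmed SAMPLE config are constructed for this example.

```python
# Added example (not from the thread or Ubiquiti): flag the EdgeOS settings this thread hinged on.
SAMPLE = """\
firewall {
    all-ping enable
}
interfaces {
    ethernet eth0 {
        address 10.12.1.1/24
        firewall {
            out {
            }
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
}
"""  # constructed: a trimmed copy of the configuration posted above

def parse_config(text):
    """Nested dicts from `show configuration` text; leaf values kept as lists."""
    stack = [{}]                                   # stack[-1] is the open block
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):                   # "ethernet eth0 {"
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line:                                 # "address 10.12.1.1/24"
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value)
    return stack[0]

def audit(cfg):
    """Defender's findings: NAT that hides client IPs upstream, firewall stanzas with no rules."""
    out, pf = [], cfg.get("port-forward", {})
    if pf.get("hairpin-nat") == ["enable"]:
        out.append("hairpin-nat enable: LAN traffic is masqueraded, upstream sees the router IP")
    if pf.get("auto-firewall") == ["enable"]:
        out.append("auto-firewall enable: rules are added that no configured ruleset shows")
    fw = cfg.get("firewall", {})
    if fw and not any(k.startswith(("name ", "ipv6-name ")) for k in fw):
        out.append("global firewall stanza holds only default options, no rulesets")
    for name, icfg in cfg.get("interfaces", {}).items():
        ifw = icfg.get("firewall")
        if isinstance(ifw, dict) and all(v == {} for v in ifw.values()):
            out.append("%s: empty firewall stanza with no rules attached" % name)
    return out
```

Run `audit(parse_config(open("config.boot").read()))` against a saved dump; an empty list means none of the four conditions above is present.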