
Private Internet Access and ERX


I am trying to get PIA (Private Internet Access) working on my ER-X. No big deal, right? I have an extra router to play with, so I set it up with a basic config and went through the steps here: LINK. No surprise: it works as advertised. So I went to my production system and tried the same thing.

 

The production system has three VLANs and the internet connection is PPPoE rather than DHCP, but otherwise it is not much different. It doesn't work, and I have been unable to track down the problem.

 

The VPN connects but no traffic comes back. I'm at a loss on how to proceed. My config is attached below (addresses, credentials and port-forward targets are masked with x's). I appreciate everyone's help tracking down my error.

 

Chris

 

firewall {
 all-ping disable
 broadcast-ping disable
 group {
 address-group Black_List {
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 description banned
 }
 address-group OPENVPN_COMPUTERS {
 address 176.16.0.201
 description "openvpn hosts"
 }
 address-group White_list {
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 address xxx.xxx.xxx.xxx
 description Allowflowin
 }
 network-group PROTECT_NETWORKS {
 description "Protected Networks"
 network 176.16.0.0/24
 network 192.168.2.0/24
 network 10.10.1.0/24
 }
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 modify OPENVPN_ROUTE {
 rule 1 {
 action modify
 description "traffic from Devices to Vtun0"
 modify {
 table 1
 }
 source {
 group {
 address-group OPENVPN_COMPUTERS
 }
 }
 }
 }
 name BLOCK_IN {
 default-action accept
 description ""
 rule 1 {
 action accept
 description "Accept Established/Related"
 log disable
 protocol all
 state {
 established enable
 invalid disable
 new disable
 related enable
 }
 }
 rule 2 {
 action drop
 description "Drop PROTECT_NETWORKS"
 destination {
 group {
 network-group PROTECT_NETWORKS
 }
 }
 log disable
 protocol all
 }
 }
 name BLOCK_LOCA {
 default-action drop
 description ""
 rule 1 {
 action accept
 description "Accept DNS"
 destination {
 port 53
 }
 log disable
 protocol udp
 }
 rule 2 {
 action accept
 description "Accept DHCP"
 destination {
 port 67
 }
 log disable
 protocol udp
 }
 }
 name WAN_IN {
 default-action drop
 description "WAN to internal"
 rule 10 {
 action accept
 description "Allow established/related"
 state {
 established enable
 related enable
 }
 }
 rule 20 {
 action accept
 description flowin
 disable
 log disable
 protocol all
 source {
 group {
 address-group White_list
 }
 }
 }
 rule 30 {
 action drop
 description Blacklist
 disable
 log disable
 protocol all
 source {
 group {
 address-group Black_List
 }
 }
 }
 rule 40 {
 action drop
 description "Drop invalid state"
 state {
 invalid enable
 }
 }
 }
 name WAN_LOCAL {
 default-action drop
 description "WAN to router"
 rule 10 {
 action accept
 description "Allow established/related"
 state {
 established enable
 related enable
 }
 }
 rule 20 {
 action drop
 description "Drop invalid state"
 state {
 invalid enable
 }
 }
 }
 options {
 mss-clamp {
 mss 1412
 }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
}
interfaces {
 ethernet eth0 {
 description "Internet (PPPoE)"
 duplex auto
 pppoe 0 {
 default-route auto
 firewall {
 in {
 name WAN_IN
 }
 local {
 name WAN_LOCAL
 }
 }
 mtu 1492
 name-server auto
 password xxxxxxxx
 user-id xxxxxxxx
 }
 speed auto
 }
 ethernet eth1 {
 description Local
 duplex auto
 speed auto
 }
 ethernet eth2 {
 description Local
 disable
 duplex auto
 speed auto
 }
 ethernet eth3 {
 description Local
 disable
 duplex auto
 speed auto
 }
 ethernet eth4 {
 address 10.10.1.1/24
 description "Local MMGT"
 disable
 duplex auto
 poe {
 output off
 }
 speed auto
 }
 loopback lo {
 }
 openvpn vtun0 {
 config-file /config/auth/houston4.ovpn
 description "Private Internet Access VPN"
 }
 switch switch0 {
 address 176.16.0.1/24
 description Local
 firewall {
 in {
 modify OPENVPN_ROUTE
 }
 }
 mtu 1500
 switch-port {
 interface eth1 {
 }
 interface eth2 {
 }
 interface eth3 {
 }
 vlan-aware disable
 }
 vif 2 {
 address 192.168.2.1/24
 description farmvlan
 disable
 mtu 1500
 }
 vif 30 {
 address 192.168.30.1/24
 description Hottovy
 firewall {
 in {
 name BLOCK_IN
 }
 local {
 name BLOCK_LOCA
 }
 }
 mtu 1492
 }
 vif 40 {
 address 192.168.40.1/24
 description Andy
 disable
 firewall {
 in {
 name BLOCK_IN
 }
 local {
 name BLOCK_LOCA
 }
 }
 mtu 1500
 }
 }
}
port-forward {
 auto-firewall enable
 hairpin-nat enable
 lan-interface switch0
 rule 1 {
 description xxxx
 forward-to {
 address xxx.xxx.xxx.xxx
 port xxx
 }
 original-port xxxx
 protocol tcp_udp
 }
 rule 2 {
 description xxxx
 forward-to {
 address xxx.xxx.xxx.xxx
 port xxx
 }
 original-port xxx
 protocol tcp_udp
 }
 rule 3 {
 description xxxx
 forward-to {
 address xxx.xxx.xxx.xxx
 port xxxx
 }
 original-port xxxx
 protocol tcp_udp
 }
 rule 4 {
 description xxxx
 forward-to {
 address xxx.xxx.xxx.xxx
 port xxxx
 }
 original-port xxxx
 protocol tcp_udp
 }
 rule 5 {
 description xxxx
 forward-to {
 address xxx.xxx.xxx.xxx
 port xxxx
 }
 original-port xxxx
 protocol tcp_udp
 }
 rule 6 {
 description xxxx
 forward-to {
 address xxx.xxx.xxx.xxx
 port xxx
 }
 original-port xxx
 protocol tcp_udp
 }
 wan-interface pppoe0
}
protocols {
 static {
 table 1 {
 interface-route 0.0.0.0/0 {
 next-hop-interface vtun0 {
 }
 }
 }
 }
}
service {
 dhcp-server {
 disabled false
 hostfile-update disable
 shared-network-name Andydhcp {
 authoritative disable
 subnet 192.168.40.0/24 {
 default-router 192.168.40.1
 dns-server 192.168.40.1
 dns-server 8.8.8.8
 lease 86400
 start 192.168.40.2 {
 stop 192.168.40.100
 }
 }
 }
 shared-network-name Hottovydhcp {
 authoritative disable
 subnet 192.168.30.0/24 {
 default-router 192.168.30.1
 dns-server 192.168.30.1
 lease 86400
 start 192.168.30.2 {
 stop 192.168.30.100
 }
 }
 }
 shared-network-name LAN {
 authoritative enable
 subnet 176.16.0.0/24 {
 default-router 176.16.0.1
 dns-server 176.16.0.1
 dns-server 8.8.8.8
 lease 86400
 start 176.16.0.2 {
 stop 176.16.0.243
 }
 static-mapping sss {
 ip-address 176.16.0.xx
 mac-address xxx
 }
 static-mapping DgggA {
 ip-address 176.16.0.xxx
 mac-address xxx
 }
 static-mapping xcxc{
 ip-address 176.16.0.xxx
 mac-address xxx
 tftp-server-name 176.16.0.60
 }
 }
 shared-network-name farmdhcp {
 authoritative disable
 subnet 192.168.2.0/24 {
 default-router 192.168.2.1
 dns-server 192.168.2.100
 dns-server 4.4.4.4
 lease 86400
 start 192.168.2.100 {
 stop 192.168.2.250
 }
 }
 }
 static-arp disable
 use-dnsmasq disable
 }
 dns {
 forwarding {
 cache-size 150
 listen-on switch0
 listen-on switch0.2
 listen-on switch0.30
 listen-on eth4
 listen-on switch0.40
 }
 }
 gui {
 http-port 80
 https-port 443
 listen-address 176.16.0.1
 older-ciphers disable
 }
 nat {
 rule 5000 {
 description PIA
 log disable
 outbound-interface vtun0
 source {
 group {
 address-group OPENVPN_COMPUTERS
 }
 }
 type masquerade
 }
 
 rule 5010 {
 description "masquerade for WAN"
 outbound-interface pppoe0
 type masquerade
 }
 }
 ssh {
 listen-address 176.16.0.1
 port 22
 protocol-version v2
 }
 ubnt-discover {
 disable
 }
 unms {
 connection wss://xxx.xxx.xxx.xxx
 }
}
system {
 conntrack {
 expect-table-size 2048
 hash-size 32768
 modules {
 sip {
 disable
 }
 }
 table-size 262144
 }
 host-name ERX-xxx
 login {
 user xxx {
 authentication {
 encrypted-password xxx
 }
 level admin
 }
 }
 ntp {
 server 0.ubnt.pool.ntp.org {
 }
 server 1.ubnt.pool.ntp.org {
 }
 server 2.ubnt.pool.ntp.org {
 }
 server 3.ubnt.pool.ntp.org {
 }
 }
 offload {
 hwnat enable
 ipsec enable
 }
 syslog {
 global {
 facility all {
 level notice
 }
 facility protocols {
 level debug
 }
 }
 }
 time-zone UTC
 traffic-analysis {
 custom-category Netflix {
 name Netflix
 }
 custom-category Social {
 name Instagram
 name Snapchat
 name Facebook
 }
 dpi disable
 export disable
 }
}
traffic-control {
}

 

 


Accepted Solutions
Re: Private Internet Access and ERX

Try adding this directive

route-nopull

to the .ovpn config file.

Cheers,

jonatha



All Replies

Re: Private Internet Access and ERX

PPPoE... could be an MTU problem.


Re: Private Internet Access and ERX

like described here? https://community.ubnt.com/t5/EdgeRouter/ERpoe5-openvpn-site-to-site-MTU-on-vtun0-not-settable/td-p/...

I did
set interfaces openvpn vtun0 openvpn-option '--tun-mtu 1492'

No change. My guess is it's in the NAT somewhere.

Side note:

Youtube star responded to my post. Made my day.

Re: Private Internet Access and ERX

So, with a tcpdump on vtun0, do you see the outgoing traffic but no returning traffic? E.g., if you issue
sudo tcpdump -ni vtun0 host 8.8.8.8 and icmp
and then, from the host 172.16.0.201, you ping 8.8.8.8?
Cheers,
jonatha


Re: Private Internet Access and ERX


Here is the result of the tcpdump:

 

 

tech@ERX-Macksville:~$ sudo tcpdump -ni vtun0 host 8.8.8.8 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtun0, link-type RAW (Raw IP), capture size 262144 bytes
21:28:43.542559 IP 10.34.10.10 > 8.8.8.8: ICMP echo request, id 1, seq 19, length 40
21:28:48.340488 IP 10.34.10.10 > 8.8.8.8: ICMP echo request, id 1, seq 20, length 40
21:28:53.339660 IP 10.34.10.10 > 8.8.8.8: ICMP echo request, id 1, seq 21, length 40
21:28:54.021468 IP 192.168.30.5 > 8.8.8.8: ICMP echo request, id 5212, seq 0, length 8
21:28:58.341395 IP 10.34.10.10 > 8.8.8.8: ICMP echo request, id 1, seq 22, length 40

And this is what I got from .201:
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

 


Re: Private Internet Access and ERX

I'd add the following modify rule, so that traffic not coming from OPENVPN_COMPUTERS is explicitly sent back to the main routing table:

configure
edit firewall modify OPENVPN_ROUTE
rename rule 1 to rule 10
set rule 20 action modify
set rule 20 modify table main
commit;save

From the router itself, are you able to ping the OpenVPN gateway?

sudo ping -c 2 10.34.10.x

Or 8.8.8.8

sudo ping -I vtun0 8.8.8.8 -c 2

Cheers,

jonatha


Re: Private Internet Access and ERX


Made the suggested changes... it didn't solve the problem.

 

Here are the results of the pings:

 

 

tech@ERX-Macksville:~$ sudo ping -c 2 10.34.10.10
PING 10.34.10.10 (10.34.10.10) 56(84) bytes of data.

--- 10.34.10.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms

tech@ERX-Macksville:~$ sudo ping -I vtun0 8.8.8.8 -c 2
PING 8.8.8.8 (8.8.8.8) from 10.25.10.10 vtun0: 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms

 

 


Re: Private Internet Access and ERX

Output from the GUI dashboard:

 

Capturegui.PNG


Re: Private Internet Access and ERX

In the first tcpdump the vtun0 address seems to be 10.34.10.10, then in the ping directly from the router it is 10.25.10.10, and in the GUI 10.71.10.6 ... and 34 Mbps of traffic on vtun0 — what's going on? :)

Anyway, the ping from the router itself to 8.8.8.8, using vtun0 as the source interface, should work ...


Re: Private Internet Access and ERX


Yeah, I noticed that also. I have no internet with it connected, so every time I reconnect I get a new IP. As for the traffic, I have no idea. With only one machine on that interface, and that one not even able to connect, it's weird.

 

I did another tcpdump without limiting the host and got gobs of this:

 

22:59:22.121664 IP 10.65.10.6 > 205.251.150.186: ip-proto-17
22:59:22.122296 IP 10.65.10.6.50497 > 205.251.150.186.1198: UDP, bad length 1533 > 1464
22:59:22.122347 IP 10.65.10.6 > 205.251.150.186: ip-proto-17
22:59:22.122894 IP 10.65.10.6.50497 > 205.251.150.186.1198: UDP, bad length 1533 > 1464
22:59:22.122938 IP 10.65.10.6 > 205.251.150.186: ip-proto-17
22:59:22.123474 IP 10.65.10.6.50497 > 205.251.150.186.1198: UDP, bad length 1533 > 1464
22:59:22.123523 IP 10.65.10.6 > 205.251.150.186: ip-proto-17
22:59:22.124172 IP 10.65.10.6.50497 > 205.251.150.186.1198: UDP, length 1117
^C
3110 packets captured
3140 packets received by filter
11 packets dropped by kernel

Looks like I'm back to adjusting the MTU. I tried

 openvpn-option "--tun-mtu 1412"

but it looks like it is not limiting anything at all.


Re: Private Internet Access and ERX

Is the directive route-nopull in the .ovpn configuration file?


Re: Private Internet Access and ERX

Nope  

 

client
dev-type tun
proto udp
remote us-houston.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
ca /config/auth/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /config/auth/pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /config/auth/crl.pem
tun-mtu 1412

Re: Private Internet Access and ERX

Try adding this directive

route-nopull

to the .ovpn config file. (route-nopull makes the client ignore the routes — and the DNS/DHCP options — pushed by the server, so the PIA default route never lands in the main routing table; traffic should then only reach vtun0 through your policy route in table 1, while the rest of the router keeps using the PPPoE default route.)

Cheers,

jonatha


Re: Private Internet Access and ERX


Many thanks to Jonathan (redfive) for his help in solving this problem.

 

OK, step by step, here is what I did. Modified from https://community.ubnt.com/t5/EdgeRouter/Private-Internet-Access-Open-VPN-Step-by-Step-Configuration...

 

1. Create an address group for the computers whose traffic should go through the PIA OpenVPN tunnel. (Note: 176.16.0.0/24 is not RFC 1918 private space — the private block is 172.16.0.0/12 — so unless the "176" is a sanitization artifact, this LAN is sitting on public addresses that it will then never be able to reach.)

 

set firewall group address-group OPENVPN_COMPUTERS address 176.16.0.201
set firewall group address-group OPENVPN_COMPUTERS description 'openvpn hosts'

2. Create the firewall modify (policy-route) rule

 

set firewall modify OPENVPN_ROUTE rule 1 action modify
set firewall modify OPENVPN_ROUTE rule 1 description 'traffic from Devices to vtun0'
set firewall modify OPENVPN_ROUTE rule 1 modify table 1
set firewall modify OPENVPN_ROUTE rule 1 source group address-group OPENVPN_COMPUTERS

3. Apply the modify rule to my switch interface and WAN interface

 

set interfaces switch switch0 firewall in modify OPENVPN_ROUTE
set interfaces ethernet eth0 pppoe 0 firewall in modify OPENVPN_ROUTE

 

4. Add the NAT (masquerade) rule for vtun0

 

set service nat rule 5001 description openvpn
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 protocol all
set service nat rule 5001 source group address-group OPENVPN_COMPUTERS
set service nat rule 5001 type masquerade

5. Set the static route: a default route in table 1 via vtun0. (Note: when vtun0 is down this route disappears, and policy-routed packets that find no route in table 1 can fall through to the main table — i.e. leave over the PPPoE WAN in the clear. If that is not acceptable, add a blackhole default route in table 1 or a firewall rule that drops OPENVPN_COMPUTERS traffic going out pppoe0.)

 

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

6. Configure the OpenVPN file

 

# houston4.ovpn — PIA client profile loaded by "interfaces openvpn vtun0" from /config/auth.
client
dev-type tun
proto udp
# PIA endpoint; 1198/udp is the profile used here.
remote us-houston.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
# PIA CA used to validate the server certificate.
ca /config/auth/ca.crt
tls-client
# Require the server certificate to be marked for server use, so a client cert cannot be used to impersonate the server.
remote-cert-tls server
# Username and password are read from this file (two lines, plaintext) — it is the PIA login, keep it readable by root only.
auth-user-pass /config/auth/pass.txt
# NOTE(review): compression on a VPN link enables VORACLE-style plaintext recovery; drop it if the PIA server no longer requires it.
comp-lzo
verb 1
# 0 disables periodic TLS key renegotiation (default is every hour); keep only if PIA's side needs it.
reneg-sec 0
# Reject server certificates listed in PIA's published CRL.
crl-verify /config/auth/crl.pem
# Tunnel MTU kept below the 1492-byte PPPoE WAN MTU so encapsulated packets fit without fragmentation.
tun-mtu 1412
# Ignore routes (and DNS/DHCP options) pushed by the server: the main routing table keeps the PPPoE default route,
# and only traffic policy-routed into table 1 (firewall modify OPENVPN_ROUTE) uses vtun0.
# NOTE(review): no cipher/auth lines here, so the OpenVPN build's defaults apply — confirm the negotiated cipher in the log.
route-nopull

7. Upload the config files

     Moved houston4.ovpn, ca.crt and crl.pem to /config/auth on the ERX. The pass.txt file referenced by auth-user-pass has to be there as well; it holds the PIA username and password in plaintext, so keep it readable by root only.

 

8. Make the vtun0 interface

 

set interfaces openvpn vtun0 config-file /config/auth/houston4.ovpn
set interfaces openvpn vtun0 description 'Private Internet Access VPN'

 

The keys to solving my problems were:

     1. adding route-nopull to the .ovpn file. (Note: this also discards the DNS servers PIA pushes, so as configured the OPENVPN_COMPUTERS hosts still resolve names through the router's DNS forwarder, whose upstream queries leave via the PPPoE WAN rather than the tunnel — check with a tcpdump on pppoe0 if that matters to you.)

     2. adding tun-mtu 1412 to the .ovpn file (because my WAN is PPPoE, with a 1492-byte MTU).

 

Thanks again for all the help. If anyone sees places where I have made mistakes, or where this can be improved, let me know.

 

Chris

 

 

 


Re: Private Internet Access and ERX

Would there be any way you could post a sanitized copy of your config? I've been beating my head against the wall trying to get this to work. I can see traffic going out, but nothing coming back in. My WAN is a PPPoE connection as well.

If you could post your config, that would be awesome. If not, could you PM me a sanitized copy? Thanks.


Re: Private Internet Access and ERX

Here is my config. Good luck! (Two things worth noting in it: the PPPoE user-id was not masked when it was pasted, and the mss-clamp value of 1492 is equal to the PPPoE MTU, so it clamps nothing — the MSS has to be at most MTU minus 40, i.e. 1452 for the PPPoE link and about 1372 for the 1412-byte tunnel.)

 

CR

 

firewall {
    all-ping disable
    broadcast-ping disable
    group {
        address-group Black_List {
            address xxx.xxx.xxx.xxx
            address xxx.xxx.xxx.xxx
            description banned
        }
        address-group OPENVPN_COMPUTERS {
            address xxx.xxx.xxx.xxx
            address xxx.xxx.xxx.xxx
            description "openvpn hosts"
        }
        address-group White_list {
            address xxx.xxx.xxx.xxx
            address xxx.xxx.xxx.xxx
            address xxx.xxx.xxx.xxx
            address xxx.xxx.xxx.xxx
            description Allowflowin
        }
        network-group PROTECT_NETWORKS {
            description "Protected Networks"
            network 176.16.0.0/24
            network 192.168.2.0/24
            network 10.10.1.0/24
            network 10.10.10.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OPENVPN_ROUTE {
        rule 10 {
            action modify
            description "traffic from Devices to Vtun0"
            modify {
                table 1
            }
            source {
                group {
                    address-group OPENVPN_COMPUTERS
                }
            }
        }
        rule 20 {
            action modify
            modify {
                table main
            }
        }
    }
    name BLOCK_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Accept Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop PROTECT_NETWORKS"
            destination {
                group {
                    network-group PROTECT_NETWORKS
                }
            }
            log disable
            protocol all
        }
    }
    name BLOCK_LOCA {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description flowin
            disable
            log disable
            protocol all
            source {
                group {
                    address-group White_list
                }
            }
        }
        rule 30 {
            action drop
            description Blacklist
            disable
            log disable
            protocol all
            source {
                group {
                    address-group Black_List
                }
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1492
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    modify OPENVPN_ROUTE
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id jacobroe@GBTA
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        mtu 1492
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/auth/houston4.ovpn
        description "Private Internet Access VPN"
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        openvpn-option "--tun-mtu 1412"
    }
    switch switch0 {
        address 176.16.0.1/24
        description Local
        firewall {
            in {
                modify OPENVPN_ROUTE
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
        vif 30 {
            address 192.168.30.1/24
            description Hottovy
            firewall {
                in {
                    name BLOCK_IN
                }
                local {
                    name BLOCK_LOCA
                }
            }
            mtu 1412
        }
        vif 50 {
            address 192.168.50.1/24
            description Feedyard
            mtu 1412
        }
        vif 512 {
            address 10.10.10.1/24
            description VOIP
            mtu 1412
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description xxx
        forward-to {
            address xxx.xxx.xxx.xxx
            port xxx
        }
        original-port xxx
        protocol tcp_udp
    }
    rule 2 {
        description xxx
        forward-to {
            address xxx.xxx.xxx.xxx
            port xxx
        }
        original-port xxx
        protocol tcp_udp
    }
    rule 3 {
        description xxx
        forward-to {
            address xxx.xxx.xxx.xxx
            port xxx
        }
        original-port xxx
        protocol tcp_udp
    }
    rule 4 {
        description xxx
        forward-to {
            address xxx.xxx.xxx.xxx
            port xxx
        }
        original-port xxx
        protocol tcp_udp
    }
    rule 5 {
        description xxx
        forward-to {
            address xxx.xxx.xxx.xxx
            port xxx
        }
        original-port xxx
        protocol tcp_udp
    }
    rule 6 {
        description xxx
        forward-to {
            address xxx.xxx.xxx.xxx
            port xxx
        }
        original-port xxx
        protocol tcp_udp
    }
    wan-interface pppoe0
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 176.16.0.0/24 {
                default-router 176.16.0.1
                dns-server 176.16.0.216
                dns-server 8.8.8.8
                lease 86400
                start 176.16.0.2 {
                    stop 176.16.0.243
                }
                }
                static-mapping xxx.xxx.xxx.xxx {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping xxx.xxx.xxx.xxx {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping CreekhouseAP {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping DESKTOP-EF26IEA {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping FarmAP {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping xxx {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping xxx {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping PIHOLE {
                    ip-address 176.16.0.216
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping xxx {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping UVC-G3-1043 {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                static-mapping barnbuntu {
                    ip-address xxx.xxx.xxx.xxx
                    mac-address xxx.xxx.xxx.xxx
                }
                tftp-server-name xxx.xxx.xxx.xxx
            }
        }
        shared-network-name VOIP {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 176.16.0.216
                dns-server 8.8.8.8
                lease 86400
                start 10.10.10.2 {
                    stop 10.10.10.100
                }
                tftp-server-name 176.16.0.60
            }
        }
        shared-network-name feedyard {
            authoritative disable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.1
                dns-server 176.16.0.216
                dns-server 8.8.8.8
                lease 86400
                start 192.168.50.2 {
                    stop 192.168.50.100
                }
            }
        }
        shared-network-name twot {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 176.16.0.216
                dns-server 8.8.8.8
                lease 86400
                start 192.168.30.2 {
                    stop 192.168.30.100
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on switch0.30
            listen-on switch0.50
            listen-on switch0.512
            name-server 176.16.0.216
            name-server 8.8.8.8
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 176.16.0.1
        older-ciphers disable
    }
    lldp {
        interface eth2 {
        }
    }
    nat {
        rule 5000 {
            description PIA
            log disable
            outbound-interface vtun0
            source {
                group {
                    address-group OPENVPN_COMPUTERS
                }
            }
            type masquerade
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        listen-address 176.16.0.1
        port 22
        protocol-version v2
    }
    unms {
        connection wss://xxx.xxx.xxx.xxx
    }
}
system {
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    host-name ERX-Ma
    login {
        user notubnt {
            authentication {
                encrypted-password not telling
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        
        }
        custom-category Social {
      
        }
        dpi disable
        export disable
    }
}
traffic-control {
}