Member
Posts: 279
Registered: ‎11-29-2013
Kudos: 263
Solutions: 7
Routers Blocking Each Other??

I had a Cisco SA520W router in place that died, so until I could get an EdgeMAX in its place I put a cheap TP-Link router in its place. I could remote in, connect to the VPN, etc. Everything worked.

Now that I have placed the EdgeMAX Lite at the office, if the device trying to connect into the office is connected to my network, it cannot access anything on the office network and cannot connect to the VPN. All the other VPN clients can connect just fine from the networks they are on. If I disconnect my phone from my network and use cellular, it connects in just fine. If I remove the EdgeMAX Lite at the office and put the TP-Link router back, I can connect to the VPN etc. from my network just fine.

What is going on? Any help would be greatly appreciated.

Can anyone also tell me why I cannot connect to the office GUI externally at all?

I am using an EdgeMAX PoE at my house; here is the config:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            description "Invalid WAN Networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        port-group L2TP/IPSec {
            description "L2TP/IPSec Ports"
            port 500
            port 1701
            port 4500
        }
        port-group Plex {
            description "Port For Plex Server Access"
            port 32400
        }
        port-group QNAP {
            description "Ports Used By QNAP"
            port 8080
            port 443
            port 1723
            port 21
            port 56779-56789
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_In {
        default-action accept
        description "LAN To LAN"
    }
    name LAN_Local {
        default-action accept
        description "LAN To Router"
    }
    name WAN_In {
        default-action drop
        description "Packets From WAN To LAN"
        enable-default-log
        rule 1 {
            action accept
            description "Allow Established/Related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "Drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description QNAP
            destination {
                group {
                    port-group QNAP
                }
            }
            log enable
            protocol tcp_udp
        }
        rule 5 {
            action accept
            description Plex
            destination {
                group {
                    port-group Plex
                }
            }
            log disable
            protocol tcp_udp
        }
    }
    name WAN_Local {
        default-action drop
        description "Packets From WAN To Router"
        enable-default-log
        rule 1 {
            action accept
            description "Allow Established/Related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "Drop BOGON Source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "Rate Limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 10.0.1.1/24
        aging 300
        description Bridge
        firewall {
            in {
                name LAN_In
            }
            local {
                name LAN_Local
            }
        }
        hello-time 2
        max-age 20
        priority 0
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_In
            }
            local {
                name WAN_Local
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description NAS
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "UniFi AP"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description DirecTV
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Ooma
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        bridge-group {
            bridge br0
        }
        description Switch
        mtu 1500
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface br0
    rule 1 {
        description QNAP
        forward-to {
            address 10.0.1.3
        }
        original-port 8080
        protocol tcp_udp
    }
    rule 2 {
        description QNAP
        forward-to {
            address 10.0.1.3
        }
        original-port 443
        protocol tcp_udp
    }
    rule 3 {
        description "Robbies Macbook"
        forward-to {
            address 10.0.1.6
        }
        original-port 5900
        protocol tcp_udp
    }
    rule 4 {
        description "Plex Server"
        forward-to {
            address 10.0.1.3
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 5 {
        description FTP
        forward-to {
            address 10.0.1.3
        }
        original-port 21
        protocol tcp_udp
    }
    rule 6 {
        description OpenVPN
        forward-to {
            address 10.0.1.3
        }
        original-port 1194
        protocol udp
    }
    rule 7 {
        description "Ambers Air"
        forward-to {
            address 10.0.1.7
            port 5900
        }
        original-port 5901
        protocol tcp_udp
    }
    rule 8 {
        description WebDAV
        forward-to {
            address 10.0.1.3
        }
        original-port 8081
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            description "LAN eth1 - eth4"
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.1.1
                lease 86400
                ntp-server 10.0.1.1
                start 10.0.1.2 {
                    stop 10.0.1.174
                }
                static-mapping Ambers_MacBook_Air {
                    ip-address 10.0.1.7
                    mac-address 64:76:BA:91:A0:5E
                }
                static-mapping QNAP_NAS {
                    ip-address 10.0.1.3
                    mac-address 00:08:9B:E0:7D:B6
                }
                static-mapping Robbies_MacBook_Pro {
                    ip-address 10.0.1.6
                    mac-address 3c:15:c2:b9:7e:6e
                }
                static-mapping Samsung_ML-1865w {
                    ip-address 10.0.1.20
                    mac-address 00:15:99:93:d6:97
                }
                static-mapping UniFi_AP {
                    ip-address 10.0.1.2
                    mac-address 24:A4:3C:0A:01:9B
                }
                time-server 10.0.1.1
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name “Removed”
                    login “Removed”
                    password “Removed”
                }
            }
        }
        forwarding {
            cache-size 0
            listen-on br0
            system
        }
    }
    gui {
        https-port 443
        listen-address 10.0.1.1
    }
    nat {
        rule 5010 {
            description "Masquerade For Internet"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 10.0.1.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on br0 {
            outbound-interface eth0
        }
    }
}
system {
    host-name EdgeRouter
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user Robbie {
            authentication {
                encrypted-password “Removed”
                plaintext-password “Removed”
            }
            full-name "Robbie Bott"
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.5.0rc1.4675120.140611.1821 */

All Replies
Member
Posts: 279
Registered: ‎11-29-2013
Kudos: 263
Solutions: 7

Routers Blocking Each Other??

[ Edited ]

Deleted By User

Member
Posts: 279
Registered: ‎11-29-2013
Kudos: 263
Solutions: 7

Router Blocking

[ Edited ]

Deleted By User

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Router Blocking

Merged the three threads since they seem to be the same discussion?

The "cannot connect to the GUI externally" part might be due to the firewall. For example, the posted config for the home router does not have a firewall rule in the "WAN_Local" ruleset (for traffic going to the router itself) to allow GUI traffic (destination port 443 etc.).

Could you elaborate on the "VPN" part since the home router config does not show any VPN setup? Is there a dedicated VPN server or something?

Member
Posts: 279
Registered: ‎11-29-2013
Kudos: 263
Solutions: 7

Re: Router Blocking

[ Edited ]

Actually you can delete the top two posts. I had deleted it but I guess it made it through.

I figured it out: the office is on Cox and so am I. In the office config in the "System Gateway" I put the wrong IP, which would explain why I could not connect but others outside of the Cox network could.

Yes, the VPN is being handled by a Synology NAS. Once I put the right System Gateway IP in place everything works like a charm. Just trying to figure out how to make the EdgeMAX take over the VPN at this point. Taking baby steps. :)

Can I assign two ports for the Edgemax gui to listen on?

Example:

Internally I want it to listen on 443. Internal router IP 10.0.1.1 on br0

Externally I want it to listen on 67845. ISP is DHCP. Using DDNS for static remote access.

 

Member
Posts: 279
Registered: ‎11-29-2013
Kudos: 263
Solutions: 7

Re: Router Blocking

@CowboyJed
The WAN_Local is showing in the GUI.
[Screenshot: the WAN_Local ruleset as shown in the GUI]
Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Router Blocking

I was going off of ancheng's post.  After going back to look, I deleted my post as it was incorrect.

Member
Posts: 279
Registered: ‎11-29-2013
Kudos: 263
Solutions: 7

Re: Router Blocking

Not a problem, thanks for the warning. Better safe than sorry.
Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Router Blocking


@RobbieBott wrote:

Can I assign two ports for the Edgemax gui to listen on?

Example:

Internally I want it to listen on 443. Internal router IP 10.0.1.1 on br0

Externally I want it to listen on 67845. ISP is DHCP. Using DDNS for static remote access.

 


You could try using destination NAT to translate the outside address and port.  I've never tried to NAT to the router itself.  Not sure that it will work, but it should be worth trying.  You're not going to be out anything.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Router Blocking

Yeah, destination NAT to the router itself will work, but since the WAN has a dynamic address (DHCP) it may be problematic (currently the translation address needs to be static). A simpler approach may be to change the Web server (lighttpd) config file to do what you need. Since the file is generated from config, you need to edit the script that generates it, i.e., "/usr/sbin/ubnt-gen-lighty-conf.sh". Add an extra section of the '$SERVER["socket"]' (copy the 0.0.0.0 section and change it to "0.0.0.0:64845"). And then in the WAN_Local ruleset open port 64845 (but not 443). (Note also that 67845 is not a valid port.)
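As an added example (not code from the thread or from Ubiquiti) serving both ancheng's earlier diagnosis that WAN_Local has no rule for the GUI port and the later advice to open a different port than 443: a small Python parser for the brace-style EdgeOS config posted above, with a check that also catches the case where a port-forward rule (rule 2 in the posted config sends WAN port 443 to the NAS) already claims the WAN port before it can reach the router itself. The config excerpt in the block is constructed in the same format, not the full posted config.

```python
# Constructed excerpt in the brace format of the config posted above.
SAMPLE = """firewall {
    name WAN_Local {
        rule 4 {
            action accept
            protocol icmp
        }
    }
}
port-forward {
    rule 2 {
        original-port 443
    }
}
"""

def parse(text):
    """Nested dicts: 'key value {' opens a node, 'key value' is a leaf list."""
    root, stack = {}, []
    node = root
    for line in text.splitlines():
        line = line.strip()
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line:
            key, _, val = line.partition(" ")
            node.setdefault(key, []).append(val)
    return root

def accepted_ports(cfg, ruleset):
    """Destination ports a ruleset accepts, with port-groups resolved."""
    fw, ports = cfg["firewall"], set()
    for key, rule in fw["name " + ruleset].items():
        if not key.startswith("rule ") or rule.get("action") != ["accept"]:
            continue  # rules with no destination port (icmp, state) add none
        dest = rule.get("destination", {})
        ports.update(dest.get("port", []))
        for g in dest.get("group", {}).get("port-group", []):
            ports.update(fw["group"]["port-group " + g].get("port", []))
    return ports

def gui_reachable_from_wan(cfg, port="443"):
    """WAN_Local must accept the port and no port-forward may claim it first."""
    pf = cfg.get("port-forward", {})
    taken = {p for k, r in pf.items() if k.startswith("rule ")
             for p in r.get("original-port", [])}
    return port in accepted_ports(cfg, "WAN_Local") and port not in taken
```

Running `gui_reachable_from_wan(parse(SAMPLE))` on the excerpt returns False for 443; adding a WAN_Local accept rule with a destination port of 64845 makes the check pass for that port while 443 stays claimed by the port-forward.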