New Member

Error with Multiple IPs

Trying to configure multiple Static IPs. 

192.174.24.104

192.174.24.105

192.174.24.106

With a subnet of 255.255.255.248

The addresses are assigned via pppoe.

 

I've validated the JSON and it's valid. But getting the following error:

 

configuration commit error. Error message: { "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "6e789f0c0b32bc897baf20c4e6" , "SET" : { "error" : { "interfaces ethernet eth0 address 192.174.24.104/29" : "Can not assign network address as IP address\n\n￿0\nValue validation failed\n"} , "failure" : "1" , "success" : "1"}}

 

This is my config:

 

{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "address": [
                    "192.174.24.104/29",
                    "192.174.24.105/29",
                    "192.174.24.106/29"
                ]
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "1000": {
                    "description": "HTTP/HTTPS .105",
                    "destination": {
                        "address": "192.174.24.105",
                        "port": "80,443"
                    },
                    "inbound-interface": "eth0",
                    "inside-address": {
                        "address": "10.0.1.139"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                }
            }
        }
    },
    "firewall": {
        "name": {
            "WAN_IN": {
                "rule": {
                    "1000": {
                        "action": "accept",
                        "description": "HTTP/HTTPS .105",
                        "destination": {
                            "address": "10.0.1.139",
                            "port": "80,443"
                        },
                        "protocol": "tcp",
                        "log": "enable"
                    }
                }
            }
        }
    }
}

 

Chat just said the JSON was invalid despite the fact multiple JSON validators said it was valid. 

 

Any help would be appreciated. Been pulling my hair out over this for several days now. 


New Member

Re: Error with Multiple IPs

@UBNT-MikeD I followed this thread and tried other pieces involved in there with no luck. Any suggestions as to what I'm missing?

 

https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Pro-Multiple-WAN-IPS-mapped-to-various-int...

Ubiquiti Employee

Re: Error with Multiple IPs

Your commit error states it's trying to set a network address as an IP address belonging to the interface, which is not possible.

192.174.24.104/29 (255.255.255.248) includes the following IP range:
192.174.24.104 - 192.174.24.111

.104 is the network address

.111 is the broadcast address
^ These two addresses are reserved and are not able to be assigned to an interface.

Take out the .104 address in the JSON file and you should be fine.

 

 

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
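
The network/broadcast rule explained in the reply above can be checked before a config is provisioned. This is an added example, not part of the original thread or Ubiquiti's code; the function names and the extra .111 entry in the sample are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the eth0 addresses from the thread's config, plus .111
# added here to exercise the broadcast case.
SAMPLE_CONFIG = {"interfaces": {"ethernet": {"eth0": {"address": [
    "192.174.24.104/29", "192.174.24.105/29",
    "192.174.24.106/29", "192.174.24.111/29",
]}}}}


def check_interface_addresses(config):
    """Return (interface, cidr, reason) for each address that is reserved in its subnet."""
    problems = []
    for kind in config.get("interfaces", {}).values():
        for name, settings in kind.items():
            addresses = settings.get("address", [])
            if isinstance(addresses, str):  # a single address may be a bare string
                addresses = [addresses]
            for cidr in addresses:
                try:
                    iface = ipaddress.ip_interface(cidr)
                except ValueError:
                    continue  # keywords such as "dhcp" are not CIDR addresses
                net = iface.network
                # Only IPv4 subnets shorter than /31 reserve network and broadcast
                if iface.version != 4 or net.prefixlen >= 31:
                    continue
                if iface.ip == net.network_address:
                    problems.append((name, cidr, "network address of %s" % net))
                elif iface.ip == net.broadcast_address:
                    problems.append((name, cidr, "broadcast address of %s" % net))
    return problems


def usable_range(cidr):
    """First and last assignable host address of the subnet containing cidr."""
    hosts = list(ipaddress.ip_interface(cidr).network.hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    for name, cidr, reason in check_interface_addresses(SAMPLE_CONFIG):
        print("%s: %s is the %s" % (name, cidr, reason))
    print("usable:", usable_range("192.174.24.104/29"))
```
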
New Member

Re: Error with Multiple IPs

@UBNT-jaffe Hmmm...... Super interesting, because when I remove the config, that's the IP that PPPoE assigns me for all traffic to go through and from there basic port forwarding and stuff works.

 

They are also saying that my subnet mask is 255.255.255.248. 

 

I just removed the .104 from the config file. I got an error around ports 80,443 not being valid, but also taking those down to just port 80 it provisions without errors. However, 192.174.24.105 is not pingable from the outside and does not take me to the internal port of 80 on the .139 machine. Is this an issue with my ISP then?

Ubiquiti Employee

Re: Error with Multiple IPs

Oh I missed you mentioning PPPoE in your initial post... that's odd, I think they're basically routing you a static /29 via your PPPoE connection, and your PPPoE address is "in" that subnet. I found a similar dated post involving this with ER's here:
https://community.ubnt.com/t5/EdgeRouter/Help-ER-POE-Setting-up-WAN-IP-Addresses/m-p/832244#M30428

Can you SSH to your USG and post the output of:
show interfaces
show ip route
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member

Re: Error with Multiple IPs

show interfaces

 

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         192.174.24.105/29                 u/u  WAN                         
             192.174.24.106/29                
eth1         -                                 A/D                              
eth2         10.0.1.1/24                       u/u  LAN                         
eth3         -                                 A/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
pppoe0       192.174.24.104                    u/u                              
vti0         10.255.254.1/32                   u/u 

 

 

show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] is directly connected, pppoe0
C>* 10.0.1.0/24 is directly connected, eth2
S>* 10.0.10.0/24 [30/0] is directly connected, vti0
C>* 10.255.254.1/32 is directly connected, vti0
C>* 127.0.0.0/8 is directly connected, lo
C>  192.132.5.1/32 is directly connected, pppoe0
C>* 192.174.24.104/29 is directly connected, eth0

So looking at that other post, I need to configure DMZ then? I will explore that in a bit and give that a shot. 

 

I also just called my ISP. They did give me misinformation. .104 should be the primary router then .105-.110 is all usable IPs (even though they told me my 3 statics would be .104-.106.) 

New Member

Re: Error with Multiple IPs

I should also add there is no "modem/router" supplied by the ISP. The fiber is converted at the ONT to Ethernet and goes straight into the USG, which is handling the PPPoE authentication. 

 

Essentially, all general traffic can use whatever IP (I don't really care here). I'm just trying to route traffic from different external IPs to various internal IPs. 

 

Example:

.105 port 80 and 443 should go to .139

.106 port 80 and 443 should go to .200

etc..... This is the type of routing I'm trying to do. 

Ubiquiti Employee

Re: Error with Multiple IPs

Add a rule to WAN_LOCAL to allow any/any ICMP and see if you can ping .105 from the outside.... You can further test if it's arriving at your firewall by typing:
sudo tcpdump -npi eth0 host 192.174.24.105 and icmp

If it's not arriving, there's a routing problem upstream.
You can also test your port forwards by typing:
show nat statistics

And see if the counter on your rule 1000 is going up when trying to access .105 over TCP port 80.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member

Re: Error with Multiple IPs


So, pinging .105 prior to a firewall change is unsuccessful (request timeout). I added the rule and pinging .105 is successful. 

 

However, running the `sudo tcpdump -npi eth0 host 192.174.24.105 and icmp` command followed by the ping from an external computer returns:

0 packets captured
0 packets received by filter
0 packets dropped by kernel

 

And using show nat statistics after several attempts at a port 80 request returns no increases in counts. (It's at 0). 

 

But the ping not working, then changing the firewall and it starts working is making me think it's hitting the USG.

 

Thanks for working through this with me. Much appreciated.

Ubiquiti Employee

Re: Error with Multiple IPs

huh... maybe try running the tcpdump on the PPPoE interface. I would expect to see it on eth0 since it's the parent interface for pppoe0.
The fact that it started responding after adding the firewall pretty much confirms it's the USG so routing should be OK to that IP.

Maybe try changing the "inbound-interface": "eth0" to "inbound-interface": "pppoe0" in your NAT rule and see if that makes a difference.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member

Re: Error with Multiple IPs

YAS!!!!!!!!! That was the right combo! Thanks a bunch!!!!!!!!!!!!!!!!!!!!

 

Now the VPN connection doesn't work from the original .104 and a simple switch to .105 doesn't fix it. I'm going to look into what I need to modify in the NAT/firewall to get it to work. However, if you have any hints to point me in the right direction I'll take them. Otherwise, consider this thread solved. 

 

THANKS!

Ubiquiti Employee

Re: Error with Multiple IPs

Go ahead and post your VPN config as well as the SA status: (attach it as a .txt file) -- SSH to the USG and type:
configure
show vpn | no-more
exit
show vpn ipsec sa
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member

Re: Error with Multiple IPs

show vpn | no-more

 ipsec {
     auto-firewall-nat-exclude enable
     esp-group ESP0 {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha1
         }
     }
     ike-group IKE0 {
         dead-peer-detection {
             action restart
             interval 20
             timeout 120
         }
         key-exchange ikev1
         lifetime 28800
         proposal 1 {
             dh-group 14
             encryption aes256
             hash sha1
         }
     }
     ipsec-interfaces {
         interface pppoe0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer 24.9.112.168 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret secretwashere
             }
             connection-type initiate
             ike-group IKE0
             local-address 192.174.24.104
             vti {
                 bind vti0
                 esp-group ESP0
             }
         }
     }
 }
 l2tp {
     remote-access {
         authentication {
             mode radius
             radius-server 10.0.1.1 {
                 key mykeywashere
                 port 1812
             }
             require mschap-v2
         }
         client-ip-pool {
             start 10.0.5.1
             stop 10.0.5.254
         }
         dns-servers {
             server-1 10.0.1.1
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret mysecretwashere
             }
             ike-lifetime 3600
         }
         outside-address 0.0.0.0
     }
 }
[edit]

show vpn ipsec sa

peer-24.9.112.168-tunnel-vti: #4, ESTABLISHED, IKEv1, f2c79bb9ec63f15e:514015f4b1848258
  local  '192.174.24.104' @ 192.174.24.104
  remote '24.9.112.168' @ 24.9.112.168
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 79s ago, reauth in 27919s
  peer-24.9.112.168-tunnel-vti: #3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048
    installed 79 ago, rekeying in 2517s, expires in 3522s
    in  cd9cddb4,      0 bytes,     0 packets
    out cba9d870,      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0

 

Ubiquiti Employee

Re: Error with Multiple IPs

You might want to edit your post and redact the public IP and/or PSK just so people can't attempt to hijack your VPN.

In any case, the phase 1 looks up, the phase 2 doesn't seem to be passing any traffic (0 bytes)... Are you attempting to send traffic from either side of the tunnel across? Did the VPN work prior to making any changes to the firewall/nat config?
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
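
The redaction advice in the reply above can be applied mechanically before pasting CLI output into a public post. This is an added example, not part of the original thread or any Ubiquiti tool; the sample text is constructed with documentation-range addresses, and the list of ranges left readable is an assumed policy.

```python
import ipaddress
import re

# Constructed sample in the shape of the "show vpn" output above; addresses
# and secrets are placeholders, not values from the thread.
SAMPLE = """\
site-to-site {
    peer 203.0.113.10 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret S3cr3tValue
        }
        local-address 198.51.100.20
    }
}
radius-server 10.0.1.1 {
    key RadiusKey123
}
outside-address 0.0.0.0
"""

# Ranges left readable because they do not identify the site (assumed policy).
KEEP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
# A secret is the value following "pre-shared-secret" or "key" at line start.
SECRET_LINE = re.compile(r"^([ \t]*(?:pre-shared-secret|key)[ \t]+)(\S+)", re.MULTILINE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(text):
    """Mask secret values and public IPv4 addresses; each IP gets a stable label."""
    labels = {}

    def mask_ip(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)  # dotted number that is not a valid address
        if any(addr in net for net in KEEP):
            return match.group(0)
        return labels.setdefault(str(addr), "<PUBLIC-IP-%d>" % (len(labels) + 1))

    text = SECRET_LINE.sub(r"\1<REDACTED>", text)
    return IPV4.sub(mask_ip, text)


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Because each public address maps to the same label every time it appears, a reader can still match the peer in the config against the peer in the SA status.
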
New Member

Re: Error with Multiple IPs

I wasn't specifically at the time of running that. But yes, prior to the NAT and firewall changes, it was working where I could at least ping the USG on the other site as well as VPN in remotely from MacBooks and iPhones. 

New Member

Re: Error with Multiple IPs

I had to add this to my config and it worked great. 

 

"vpn": {
    "l2tp": {
      "remote-access": {
        "outside-address": "x.x.x.x"
      }
    }
  },

Thanks! Let's close this thread.
