Issue with EdgeRouter Lite/ Verizon FiOS
-
At one of our client sites, we are having issues pinging the static public IP of our EdgeRouter on Verizon FiOS. I can ping the public IP from an internal source, but nothing externally. Has anyone had any experience related to this, either from an EdgeRouter or FiOS?
-
We can ping Verizon's gateway which I assume is in the building but cannot ping past it to the gear on our premise. Can't figure out if it isnVerizon or the EdgeRouter.
-
This may seem trivial but we are having diagnostic issues with a SIP trunk provider and believe that this inspire of a larger issue.
-
Is ICMP allowed on the firewall of the edgerouter for the wan port?
-
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
-
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp' -
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
-
@FiyaFly said:
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
Does the SIP trunk show registered when you look at the PBX despite the behavior you mention here?
-
@NetworkNerd said:
@FiyaFly said:
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
Does the SIP trunk show registered when you look at the PBX despite the behavior you mention here?
Yes it does. I have also ensured that ports are open and forwarded to the PBX.
-
@FiyaFly said:
@NetworkNerd said:
@FiyaFly said:
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
Does the SIP trunk show registered when you look at the PBX despite the behavior you mention here?
Yes it does. I have also ensured that ports are open and forwarded to the PBX.
If this is Asterisk (which I am guessing it may be), what happens in the CLI for inbound calls?
-
This is a bit off topic, but on topic at the same time.....how many users would you comfortably put behind this router?
-
@Hubtech said:
This is a bit off topic, but on topic at the same time.....how many users would you comfortably put behind this router?
I have these routers all over the place. The largest single office is 35 users with a total of say 150 devices (counting the semi-public wifi). The router at that facility has 8 Site to site OpenVPN connections. 1 site to site IPSEC connection. 2 Open VPN servers (one is for users, one is for phones). They have a 10/10 mbit AT&T fiber.
The unit never breaks a sweat. I could easily triple the workload IMO.
-
ok good deal.
-
@NetworkNerd said:
@FiyaFly said:
@NetworkNerd said:
@FiyaFly said:
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
Does the SIP trunk show registered when you look at the PBX despite the behavior you mention here?
Yes it does. I have also ensured that ports are open and forwarded to the PBX.
If this is Asterisk (which I am guessing it may be), what happens in the CLI for inbound calls?
Sadly, FortiVoice, so unable to get in via CLI
-
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'no single ticks on all of that, but yes that is right..
Here is the sanitized firewall config on my ERL in our colo space. It has my PBX in a Flash system behind it.
Last login: Mon Oct 13 12:47:42 2014 from win8jar64 jbusch@erl:~$ show configuration commands firewall set firewall all-ping enable set firewall broadcast-ping disable set firewall group address-group FSL_Addresses address XXX.XXX.XXX.XXX/29 set firewall group address-group FSL_Addresses description 'Forklifts of St Louis IP Information' set firewall group network-group BundyAddresses description 'Bundy User IP Blocks' set firewall group network-group BundyAddresses network XXX.XXX.XXX.XXX/16 set firewall group port-group PBXPorts description 'Ports used by the PBX' set firewall group port-group PBXPorts port 4569 set firewall group port-group PBXPorts port 5060 set firewall group port-group PBXPorts port 10000-20000 set firewall ipv6-receive-redirects disable set firewall ipv6-src-route disable set firewall ip-src-route disable set firewall log-martians enable set firewall name LAN_IN default-action accept set firewall name LAN_IN description 'Internal network to Internet' set firewall name LAN_LOCAL default-action accept set firewall name LAN_LOCAL description 'Internal network to router' set firewall name WAN_IN default-action drop set firewall name WAN_IN description 'Internet to internal networks' set firewall name WAN_IN rule 1 action accept set firewall name WAN_IN rule 1 description 'Accept established and Related' set firewall name WAN_IN rule 1 log disable set firewall name WAN_IN rule 1 protocol all set firewall name WAN_IN rule 1 state established enable set firewall name WAN_IN rule 1 state related enable set firewall name WAN_IN rule 2 action drop set firewall name WAN_IN rule 2 description 'Drop Invlid' set firewall name WAN_IN rule 2 log enable set firewall name WAN_IN rule 2 protocol all set firewall name WAN_IN rule 2 state invalid enable set firewall name WAN_IN rule 3 action accept set firewall name WAN_IN rule 3 description 'Accept New for PBX from Bundy Emp' set firewall name WAN_IN rule 3 destination group port-group PBXPorts set firewall name WAN_IN rule 3 log enable set firewall name WAN_IN rule 3 protocol udp set firewall name WAN_IN rule 3 source group network-group BundyAddresses set firewall name WAN_IN rule 3 state new enable set firewall name WAN_IN rule 4 action accept set firewall name WAN_IN rule 4 description 'Accept New for PBX from FSL' set firewall name WAN_IN rule 4 destination group port-group PBXPorts set firewall name WAN_IN rule 4 log enable set firewall name WAN_IN rule 4 protocol udp set firewall name WAN_IN rule 4 source group address-group FSL_Addresses set firewall name WAN_IN rule 4 state established disable set firewall name WAN_IN rule 4 state invalid disable set firewall name WAN_IN rule 4 state new enable set firewall name WAN_IN rule 4 state related disable set firewall name WAN_LOCAL default-action drop set firewall name WAN_LOCAL description 'Internet to router' set firewall name WAN_LOCAL rule 1 action accept set firewall name WAN_LOCAL rule 1 description 'Accept Established and Related' set firewall name WAN_LOCAL rule 1 log disable set firewall name WAN_LOCAL rule 1 protocol all set firewall name WAN_LOCAL rule 1 state established enable set firewall name WAN_LOCAL rule 1 state related enable set firewall name WAN_LOCAL rule 2 action drop set firewall name WAN_LOCAL rule 2 description 'Drop Invlaid' set firewall name WAN_LOCAL rule 2 log enable set firewall name WAN_LOCAL rule 2 protocol all set firewall name WAN_LOCAL rule 2 state invalid enable set firewall name WAN_LOCAL rule 5 action accept set firewall name WAN_LOCAL rule 5 description 'Accept Rate Limited Ping' set firewall name WAN_LOCAL rule 5 limit burst 1 set firewall name WAN_LOCAL rule 5 limit rate 50/minute set firewall name WAN_LOCAL rule 5 log enable set firewall name WAN_LOCAL rule 5 protocol icmp set firewall receive-redirects disable set firewall send-redirects enable set firewall source-validation disable set firewall syn-cookies enable jbusch@erl:~$ -
@thecreativeone91 said:
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
Also, just FYI, when using my MBP it can ping too fast and this rate limiter will show time outs. I set this to 62/minute and the timeouts went away.
-
@FiyaFly said:
@NetworkNerd said:
@FiyaFly said:
@NetworkNerd said:
@FiyaFly said:
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
Does the SIP trunk show registered when you look at the PBX despite the behavior you mention here?
Yes it does. I have also ensured that ports are open and forwarded to the PBX.
If this is Asterisk (which I am guessing it may be), what happens in the CLI for inbound calls?
Sadly, FortiVoice, so unable to get in via CLI
So the PBX is internal not hosted. It's just the SIP Trunk that is having issues?
-
@thecreativeone91 said:
@FiyaFly said:
@NetworkNerd said:
@FiyaFly said:
@NetworkNerd said:
@FiyaFly said:
@thecreativeone91 said:
@FiyaFly said:
@thecreativeone91 We ran a set of commands to ensure that the router would respond to pings:
configure
set firewall all-ping enable
commit
saveIs there additional steps needed?
From what I read that only enables the OS to respond it doesn't open of the firewall ACL.
http://community.ubnt.com/t5/EdgeMAX/bug-in-firewall-all-ping-option/td-p/735073
From what I read the code is something like this
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'description' 'ICMP 50/m'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'limit' 'rate' '50/minute'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'WAN_LOCAL' 'rule' '5' 'protocol' 'icmp'Okay, I see. You're right. Adding a rule to that set in the UI and we are now seeing pings to the Edge Router. However, we are still having issues getting inbound calls to our PBX (They time out) and cannot register a softphone internally onto a hosted system (backup plan)
Any other ideas for that part, then?
Does the SIP trunk show registered when you look at the PBX despite the behavior you mention here?
Yes it does. I have also ensured that ports are open and forwarded to the PBX.
If this is Asterisk (which I am guessing it may be), what happens in the CLI for inbound calls?
Sadly, FortiVoice, so unable to get in via CLI
So the PBX is internal not hosted. It's just the SIP Trunk that is having issues?
Yes and yes.
-
well to find out if it is a SIP trunk provider issue or not you could setup another extension on NTGs PBX then use that as the SIP Trunk peer on theirs for testing. If that works you know it's an issue with the trunk provider.
-
