Found this and might be helpful to this traffic issue. In a Windows Computer you could use Glasswire on a wim to find out what traffic is going out of it:
https://github.com/zerotier/ZeroTierOne/issues/1174
https://github.com/zerotier/ZeroTierOne/issues/1018
https://github.com/zerotier/ZeroTierOne/issues/867

@FATeknollogee said in UNMS backup question:

@JaredBusch said in UNMS backup question:

If you want to restore an individual unit, that process is already built into the system so what are you trying to get exported?

I'm just asking for info purposes in case of a future restore.

You can download a specific device backup from within UNMS. When you do so, it asks you if you want one for restoring to the same system or a different system (because of the UNMS key negotiation).

@JaredBusch said in EdgeOS 2.0.3 released and available in UNMS:

@dafyre said in EdgeOS 2.0.3 released and available in UNMS:

@JaredBusch said in EdgeOS 2.0.3 released and available in UNMS:

@davide-bonavita said in EdgeOS 2.0.3 released and available in UNMS:

lol it was bugged as fu**
and now "Throughput degradation by 5-10% when comparing with v1.10.9 firmware with older kernel"

Yeah the comments.. I have not been following the beta cycle as I have been too busy.

I did put it on a test router (ERL) with no issues.

Does the 2.0.x series work with ZT? I have an ERX now and was going to try it out.

The ERX doesn't work well with the 2.0.X firmware yet from what I have seen.

But yes. You can put ZT on the 2.X firmware.

Thanks for the heads up. I already have routing and all set up through a VM, so it's not critical, just thought I'd ask.

OK peoples. I got this working both ways: LAN > ZT and ZT > LAN. The trick was to configure a source NAT, which you can only do via the command line. Along with destination NAT, a bidirectional NAT is setup. BOOM! Here's my config:

firewall { all-ping enable broadcast-ping disable group { network-group LAN { description "Switch LAN" network 192.168.50.0/24 } network-group Upstream { description "Upstream Network" network 10.1.1.0/24 } network-group ZeroTier { description "ZeroTier Network" network 10.147.20.0/24 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 10.1.1.10/24 description "Local Upstream" duplex auto speed auto } ethernet eth1 { description Local duplex auto speed auto } ethernet eth2 { description Local duplex auto speed auto } ethernet eth3 { description Local duplex auto speed auto } ethernet eth4 { description Local duplex auto poe { output off } speed auto } loopback lo { } switch switch0 { address 192.168.50.1/24 description Local mtu 1500 switch-port { interface eth1 { } interface eth2 { } interface eth3 { } vlan-aware disable } } zerotier ztklh3kllj { description ZeroTier } } protocols { static { route 0.0.0.0/0 { next-hop 10.1.1.1 { description "Default Gateway" } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN2 { authoritative enable subnet 192.168.50.0/24 { default-router 192.168.50.1 dns-server 192.168.50.1 lease 86400 start 192.168.50.38 { stop 192.168.50.243 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 150 listen-on switch0 name-server 10.1.1.1 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 1 { description "ZeroTier DNAT" destination { group { network-group ZeroTier } } inbound-interface ztklh3kllj inside-address { address 10.1.1.10 } log disable protocol all type destination } rule 5000 { description "ZeroTier SNAT" log disable outbound-interface ztklh3kllj outside-address { address 10.147.20.1 } protocol all source { group { network-group Upstream } } type source } } ssh { port 22 protocol-version v2 } unms { disable } }

@JaredBusch said in EdgeOS 2 released:

It is now showing up in my UNMS for installation.

5dd53458-79ff-494e-8308-8c98c721e611-image.png

I have had a couple systems on 2.0.1 for a few weeks with no issues.

But it had to be done manually. Showing up in UNMS is new to me.

Upgrading now.

@mroth911 said in locking down network:

so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

Thats the situation at hand.

They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

This is something I want to setup and walk away.. I am just doing this to help them.

Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.

You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.

I upgraded to 1.10.7 2 weeks ago. Pulling the trigger on 1.10.8.

Spoke too soon. Seems to be an issue with WinMTR. Running it from CLI on a CentOS box, works like a charm. Go figure.

I updated all the sites that could be rebooted mid work day already.

The rest will happen this evening.

I just updated today, not sure if I see any issues yet.

Did you use the Libreswan or Strongswan setting in your previous post?

@smitherick said in EdgeOS 1.10.0 final is released:

Cheers to UNMS.

Yeah, we are using it now, great stuff.

@krisleslie said in Hitting the limits of the Ubiquiti EdgeRouter:

@jaredbusch My apologies, I meant QoS!

Well then, yes, better QoS performance because better processors.

@gjacobse said in Ubiquiti released EdgeOS 1.9.7:

@scottalanmiller said in Ubiquiti released EdgeOS 1.9.7:

Just got my EdgeRouter for home hooked up after years of it disconnected.

Welcome back to the world of Internet.....

And to good Internet equipment, as well!

@Dashrender said in Considering a New VPN:

@JaredBusch said in Considering a New VPN:

@scottalanmiller said in Considering a New VPN:

@JaredBusch said in Considering a New VPN:

@scottalanmiller said in Considering a New VPN:

@JaredBusch said in Considering a New VPN:

@scottalanmiller said in Considering a New VPN:

@Carnival-Boy said in Considering a New VPN:

Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?

ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.

This is not true, ZeroTier has gateway functionality.
https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

I was leaving that out for simplicity as he's not going to build custom Linux systems for this.

Why? Because a single VM setup as a gateway means that ZT now meets all needs also.

No different than replacing a router, etc.

I've not used it, does it require you to change your IP range or can you keep what you have?

The biggest recommendation is to make it inclusive of your LAN subnet so make life easier. I've not had the time to set it up on my lab yet.

I use ZT in a number of places, but not using the gateway anywhere yet.

Right, so being inclusive means that you did follow Scott's recommendation, only that you bent ZT to the current setup, instead of making a whole new IP setup with this in mind.

Did that solve all of the Windows DNS issues?

I have no idea WTF you are talking about. You are implying and inferring things that are not being discussed here.

@fuznutz04 said in Edge Router lockup:

Yeah, really strange behavior with no evidence to look at.

Time to set logs to go to a remote server.

@bransona said in MS-CHAP on Ubiquiti EdgeRouter:

@scottalanmiller is correct. I have Edgerouter 2.0.9 and it STILL requires PAP in the Windows policy. Under Config Tree, there is no way to make the router use MSCHAP or MSCHAPv2 instead of PAP (cleartext). I went to notify Ubiquiti hoping they can potentially have this included in another firmware release soon, but Ubiquiti Support was apprised of this 5 years ago! https://community.ui.com/questions/Encrypted-Radius-Supported/7857b119-91d8-4365-8c2a-8c21de0937a4

Yup it has been a big issue for a while now on the EdgeSwitches too.

@JaredBusch

Excellent. BTW, the UI for the EdgeSwitch on the latest firmware is pretty nice. A lot nicer than the Dell switches I'm used to configuring in the past.

@dafyre said in EdgeRouter PoE high CPU usage:

@travisdh1 -- Maybe he should start with something simple... like a reboot? (I haven't seen him mention that anywhere).

The entire reason it came back up is that the unit rebooted itself (crashed) at 1300 CDT yesterday.