@adamf said in Ubiquiti Edgemax Router:

@jaredbusch said in Ubiquiti Edgemax Router:

@adamf said in Ubiquiti Edgemax Router:

Makes no sense. I have a feeling that something is buggy in the firmware.

What makes no sense is that you think it is firmware.

Just throwing out ideas because it doesn't make logical sense to me. Any thoughts as to what else it could be? Why would the device reply to pings for an hour after reboot, then suddenly stop?

Any chance your ISP is what is blocking you?

@scottalanmiller said in Basic Ubiquiti Network:

@eddiejennings said in Basic Ubiquiti Network:

@jaredbusch said in Basic Ubiquiti Network:

@eddiejennings said in Basic Ubiquiti Network:

The Dream Machine looks interesting, but I'm not inpressed with it also being an 8-port switch.

I have not looked at it yet, but are they fixed switch ports, or assignable? The ER-X is an example of this.

The documentation I've seen doesn't tell me much. It seems like the switch ports create just a plain layer 2 switch. They aren't assignable interfaces like the old EdgeRouter Lite's eth0, 1 and 2.

I believe that to be true.

The old ER Lite were software bridged only and not something you ever wanted to do. Horrible performance killer.

The ER-X and ER-4 have an actual switch chip. You don't have to make each port use it, but it is there.

So you could make eth0 be WAN and eth1 through eth3 be members of switch0

@JaredBusch Might take another look then... My FTTH comes in as a tagged VLAN and it wouldn't pick up a dhcp lease on v2, even after a few reboots but once I downgraded to v1 it picked up the lease from the ISP right away.

@Pete-S within the same model, you can simply backup/restore. but not across models.

@Dashrender said in QoS on Edgerouter Lite:

@Romo said in QoS on Edgerouter Lite:

Just setup a traffic-policy shaper to test:

20% bandwidth for voip guaranteed with a ceiling of 100% bandwidth
30% bandwidth for USERS PC guaranteed with a ceiling of 100% bandwidth
50% bandwidth for ALL others guaranteed with a ceiling of 100% bandwidth

Does this sound reasonable?

if you parse off 50% for those things and they aren't in use, then the bandwidth is just being wasted... I know scott has mentioned that doing this is generally bad in the past because of the waste of resources.

You don't read clearly. He's talking minimum guarantee at 20/30/50 and max possible when available at 100 for all.

@FATeknollogee said in UNMS backup question:

@JaredBusch said in UNMS backup question:

If you want to restore an individual unit, that process is already built into the system so what are you trying to get exported?

I'm just asking for info purposes in case of a future restore.

You can download a specific device backup from within UNMS. When you do so, it asks you if you want one for restoring to the same system or a different system (because of the UNMS key negotiation).

Update: this is what I ended up with.
Route based VPN using this guide as a template.

Master site: 1x ER 12 + 1x ER 4
Sites A, B, C & D :1x ER4 each location
Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)

@manxam said in USG to EdgeRouter VPN:

Interesting. The last time that I looked at the GUI (as we typically use CLI for VPN), it didn't give the option of DH group like so :

alt text

Wonder in what version this changed?

It has had it for as long as I recall. At least 1.5.

The CLI has had it 100% of the time since release at version 1.2.0

@JaredBusch said in Setup: EdgeRouter 4 + co-lo + infrastructure:

@scottalanmiller said in Setup: EdgeRouter 4 + co-lo + infrastructure:

@JaredBusch said in Setup: EdgeRouter 4 + co-lo + infrastructure:

@scottalanmiller said in Setup: EdgeRouter 4 + co-lo + infrastructure:

@Pete-S said in Setup: EdgeRouter 4 + co-lo + infrastructure:

@scottalanmiller said in Setup: EdgeRouter 4 + co-lo + infrastructure:

@Pete-S said in Setup: EdgeRouter 4 + co-lo + infrastructure:

Can't edgerouter do
failover?

As in a live/live cluster? That uses VRRP and yes, they can.

https://help.ubnt.com/hc/en-us/articles/204962174-EdgeMAX-Virtual-Router-Redundancy-Protocol-VRRP-

Then that is the way to go.

I would agree.

It is the best thing to do. Sadly I have never had the leisure to actually test it. I have a pair of ERL in colo but they were put in place long before this feature was added.

Yeah, but I have been authorized to make some upgrades that will free up an ERL for us, and we have an ERL in our colo. So maybe I'll ship one out there to do this soon. That would be an awesome project.

Don't think I would try and live test in colo.

http://www.quickmeme.com/img/08/085260da739d5f8723a626ab23a0da4623be9458998bfc91b38c57cdffec16d4.jpg

The problem is this:
On the Meraki side, let's say you have 5 (this can be any number greater than 1) firewalls.
In Meraki speak, if all 5 are in the same "organization", S2S is a few clicks & AutoVPN takes over. No pre-shared secret, no keys.
You turn on VPN, say yes to whatever subnets you want in the vpn & save.

On the ER side, I have to create 5 peers to connect to the Meraki side.
Meraki will only expose one connection for a 3rd party S2S & therein lies the problem.
Not all the tunnels connect & there's no good way to fix it.

i'm not going to turn on logging to find out.

@mroth911 said in locking down network:

so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

Thats the situation at hand.

They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

This is something I want to setup and walk away.. I am just doing this to help them.

Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.

You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.

@JaredBusch said in Yealink VoIP Phone Powered by Ubiquiti ER-X PoE:

@scottalanmiller said in Yealink VoIP Phone Powered by Ubiquiti ER-X PoE:

Anyone tried this combination? Does the power output on the one PoE port of the UBNT ER-X properly power the PoE input on a Yealink phone? We are specifically looking at the T42S.

The ERX should work if the power injector that you’re passing through is one design for the phone and not the fixed voltage unifi

The ER-X models have warnings in the manual that you need a different power source than the included wall wart if you're going to provide PoE to a device. At that point, just use passthrough from a compatible phone adapter.

@JaredBusch already nailed it.

@jaredbusch said in Ubiquiti ER3 to ER4 Upgrade?:

@scottalanmiller said in Ubiquiti ER3 to ER4 Upgrade?:

@mroth911 said in ubiquiti Er3 to 4 Upgrade?:

Can I just back up my er3 and upload it to the 4

I believe so.

I have never tried, but it should handle it because it only bring the /config folder in, and nothing in the hardware of the 3 vs 4 is all that different.

To clarify, I have migrated from ERL to ER4 a couple times. But I manually migrate. I don’t try to restore the old config.

@gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.:

jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,...

@JaredBusch @scottalanmiller
Can a cron be set to restart the ipsec every 24 hours?

Yes.

@bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:

Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

It worked prior to changing to DH 14 on my iPhone.

I had to add a proposal with DH 14 for Windows 10 to work.

I think I have it figured out.. when I'm back on that network I'll get a screen shot.

Hope to spend the afternoon testing it, have a few other pieces of gear to setup for it.

@jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

I've been using an ERL at home for a while and have them deployed at several business. Zero complaints and I recommend them all the time.

I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use.

No one hasd figured this information out yet?

Sadly not yet, at least not that my Google-fu has allowed me to find.

I am a bit amazed because it should only take a mirrored switch port and wireshark to find VLAN tags.

This was my thinking as I was reading the posts. This is /should be pretty easy to figure out.

@Dashrender said in Considering a New VPN:

@JaredBusch said in Considering a New VPN:

@scottalanmiller said in Considering a New VPN:

@JaredBusch said in Considering a New VPN:

@scottalanmiller said in Considering a New VPN:

@JaredBusch said in Considering a New VPN:

@scottalanmiller said in Considering a New VPN:

@Carnival-Boy said in Considering a New VPN:

Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?

ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.

This is not true, ZeroTier has gateway functionality.
https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

I was leaving that out for simplicity as he's not going to build custom Linux systems for this.

Why? Because a single VM setup as a gateway means that ZT now meets all needs also.

No different than replacing a router, etc.

I've not used it, does it require you to change your IP range or can you keep what you have?

The biggest recommendation is to make it inclusive of your LAN subnet so make life easier. I've not had the time to set it up on my lab yet.

I use ZT in a number of places, but not using the gateway anywhere yet.

Right, so being inclusive means that you did follow Scott's recommendation, only that you bent ZT to the current setup, instead of making a whole new IP setup with this in mind.

Did that solve all of the Windows DNS issues?

I have no idea WTF you are talking about. You are implying and inferring things that are not being discussed here.

I'm working... which is why I don't have the ability to reply to posts here all day long!

No feedback yet.