@Dashrender said in QoS on Edgerouter Lite:

@Romo said in QoS on Edgerouter Lite:

Just setup a traffic-policy shaper to test:

20% bandwidth for voip guaranteed with a ceiling of 100% bandwidth
30% bandwidth for USERS PC guaranteed with a ceiling of 100% bandwidth
50% bandwidth for ALL others guaranteed with a ceiling of 100% bandwidth

Does this sound reasonable?

if you parse off 50% for those things and they aren't in use, then the bandwidth is just being wasted... I know scott has mentioned that doing this is generally bad in the past because of the waste of resources.

You don't read clearly. He's talking minimum guarantee at 20/30/50 and max possible when available at 100 for all.

@Pete-S said in Packet loss when connected to L2TP/IPsec VPn:

@Romo said in Packet loss when connected to L2TP/IPsec VPn:

This same issue is happening today once again, VPN is connecting properly but I can't properly reach anything properly on the local lan or the internet.

You should just buy a new edge router to exclude any hardware issues.

Valid option. The cost is minimal compared to the time you are spending.

@jaredbusch said in Ubiquiti ER3 to ER4 Upgrade?:

@scottalanmiller said in Ubiquiti ER3 to ER4 Upgrade?:

@mroth911 said in ubiquiti Er3 to 4 Upgrade?:

Can I just back up my er3 and upload it to the 4

I believe so.

I have never tried, but it should handle it because it only bring the /config folder in, and nothing in the hardware of the 3 vs 4 is all that different.

To clarify, I have migrated from ERL to ER4 a couple times. But I manually migrate. I don’t try to restore the old config.

@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!

As reminder for anyone that could encounter a similar issue:
DNAT rules are evaluated before firewall rules.

Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted baout DNAT rules in use, so I assumed there were none. There are not by default.

@gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.:

jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,...

@JaredBusch @scottalanmiller
Can a cron be set to restart the ipsec every 24 hours?

Yes.

@jaredbusch said in EdgeRouter "Smart" QoS issue:

@fuznutz04 said in EdgeRouter "Smart" QoS issue:

@jaredbusch said in EdgeRouter "Smart" QoS issue:

@fuznutz04 said in EdgeRouter "Smart" QoS issue:

The ER-Lite boxes have a "Smart" QoS wizard. The way I've always understood it, it works as follows:

You fill in the line speeds of the service you are actually paying for.

Example:0_1516985914606_QoS.png

The above screenshot is from my home, so the speed in the boxes doesn't line up with the rest of the details here, it's just and example.

So if you pay for 100/10, that's what you put in the boxes. I do this at the office, at home, and other clients. However, I ran into a situation where using the Smart QoS wizard, actually really limits the DL speed.

I did a speed test with the QoS setting ON, and got the proper UL speed, but was limited to 50-60 DL speed. As soon as I removed QoS, I got the proper speed of 100 DL and 10 UL.

Has anyone experience this before on the Edge Routers? Perhaps @JaredBusch ?

This is normal and expected because traffic policies and the smart queue policies both force traffic to not be offloaded.

The CPU in the ERL cannot process traffic faster than ~60mbps without the offload functionality.

Well alright then. Simple explanation. I’ve never run into this, because we have such slow speeds around here. So this would be an example where I could upgrade to the next model. Perhaps the ER4? I haven’t read the spec sheets yet on them.

Correct using a different model is what is required to obtain better speeds in this situation.

The ERX will perform better because it has a better CPU than the ERL. But it has less memory which leads to other problems.

The ER4 is light years ahead of the ERL by comparison due to the newer CPU.

OK great. Looks like I'll need to start recommending these now. First, I want to get one for myself at my office. Did you manage to get your hands on one yet?

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

Thanks to @Dashrender for the assist. It looks like the problem was authentication. I authenticated to the VPN using domain\username rather than using the User Principal Name. Doing the latter allowed me to reach DFS shares.

Woops, that's crazy but definitely there is an issue with DNS

huh?

If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com.

User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.

@eddiejennings said in Configuration naming conventions: ERL, ASA, etc:

For my Edge Router Lite, I'm considering whether or not I want to create address groups for single hosts. My reasoning for "yes" would be I'd configure an IP address in one place (the address group), and then multiple configuration aspects can reference that address group. If the IP address of the host in question changes, then I only have to update one thing.

I'm curious to know if you folks do the same for your devices. I know ASA's have objects, which function similarly to the idea of an address group.

Sonicwall are Address Objects and there are groups as well. So yeah I do that.

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@dbeato said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Take 3 is a partial success. All hosts except the IIS host has full Internet connectivity. The IIS host is accepting web and FTP traffic (so NAT's doing its job now :D); however, I can't ping outside my local network, and it can't resolve DNS.

So what is the DNS Server on that Server?

Same as all of the other servers that could resolve DNS. The issue was forgetting to reconfigure the source NAT rule.

Makes sense now!

@jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

I've been using an ERL at home for a while and have them deployed at several business. Zero complaints and I recommend them all the time.

I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use.

No one hasd figured this information out yet?

Sadly not yet, at least not that my Google-fu has allowed me to find.

I am a bit amazed because it should only take a mirrored switch port and wireshark to find VLAN tags.

This was my thinking as I was reading the posts. This is /should be pretty easy to figure out.

Seems like the ERL is probably right for you most of the time.

@coliver said:

Do VPN connections get created/torn down with every communication? Or are they persistent until the device disconnects?

Normally neither. They are normally persistent until a certain amount of time, then they tear down when idle. Might be hours or days. That way they don't remain absolutely forever, but normally a very long time.

@JaredBusch said:

You need to upgrade your ERL to firmware 1.8 to get the full traffic analysis capabilities in the GUI.

Which has been done.

Don't ask me.. it's what he told me - so I just walked away and really didn't put any more thought into it.

But his thought was that you can't acquire the AP over wireless.

He has a greenfield setup.

But in thinking more about it... he's going to have to plug into the network no matter what for at least the first AP. After that he should be fine all wireless.

For comparison here is a session going over OpenVPN to another site with an 80/5 cable modem service.

Maxing under 8mbit on average.

C:\iperf3>iperf3 -c 10.202.10.49 -p 9676 -F office2013.iso -t 120 -P 4 - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 113.01-114.01 sec 128 KBytes 1.05 Mbits/sec [ 7] 113.01-114.01 sec 384 KBytes 3.15 Mbits/sec [ 10] 113.01-114.01 sec 256 KBytes 2.10 Mbits/sec [ 13] 113.01-114.01 sec 128 KBytes 1.05 Mbits/sec [SUM] 113.01-114.01 sec 896 KBytes 7.35 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 114.01-115.00 sec 256 KBytes 2.10 Mbits/sec [ 7] 114.01-115.00 sec 384 KBytes 3.15 Mbits/sec [ 10] 114.01-115.00 sec 256 KBytes 2.10 Mbits/sec [ 13] 114.01-115.00 sec 256 KBytes 2.10 Mbits/sec [SUM] 114.01-115.00 sec 1.12 MBytes 9.45 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 115.00-116.00 sec 256 KBytes 2.10 Mbits/sec [ 7] 115.00-116.00 sec 512 KBytes 4.20 Mbits/sec [ 10] 115.00-116.00 sec 128 KBytes 1.05 Mbits/sec [ 13] 115.00-116.00 sec 0.00 Bytes 0.00 bits/sec [SUM] 115.00-116.00 sec 896 KBytes 7.35 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 116.00-117.00 sec 256 KBytes 2.10 Mbits/sec [ 7] 116.00-117.00 sec 384 KBytes 3.15 Mbits/sec [ 10] 116.00-117.00 sec 0.00 Bytes 0.00 bits/sec [ 13] 116.00-117.00 sec 0.00 Bytes 0.00 bits/sec [SUM] 116.00-117.00 sec 640 KBytes 5.25 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 117.00-118.01 sec 256 KBytes 2.07 Mbits/sec [ 7] 117.00-118.01 sec 384 KBytes 3.10 Mbits/sec [ 10] 117.00-118.01 sec 128 KBytes 1.03 Mbits/sec [ 13] 117.00-118.01 sec 128 KBytes 1.03 Mbits/sec [SUM] 117.00-118.01 sec 896 KBytes 7.24 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 118.01-119.01 sec 384 KBytes 3.15 Mbits/sec [ 7] 118.01-119.01 sec 384 KBytes 3.15 Mbits/sec [ 10] 118.01-119.01 sec 128 KBytes 1.05 Mbits/sec [ 13] 118.01-119.01 sec 128 KBytes 1.05 Mbits/sec [SUM] 118.01-119.01 sec 1.00 MBytes 8.40 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ 4] 119.01-120.01 sec 384 KBytes 3.15 Mbits/sec [ 7] 119.01-120.01 sec 128 KBytes 1.05 Mbits/sec [ 10] 119.01-120.01 sec 128 KBytes 1.05 Mbits/sec [ 13] 119.01-120.01 sec 256 KBytes 2.10 Mbits/sec [SUM] 119.01-120.01 sec 896 KBytes 7.35 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth [ 4] 0.00-120.01 sec 27.5 MBytes 1.92 Mbits/sec sender Sent 27.5 MByte / 1.39 GByte (1%) of office2013.iso [ 4] 0.00-120.01 sec 27.3 MBytes 1.91 Mbits/sec receiver [ 7] 0.00-120.01 sec 30.1 MBytes 2.11 Mbits/sec sender Sent 30.1 MByte / 1.39 GByte (2%) of office2013.iso [ 7] 0.00-120.01 sec 30.0 MBytes 2.09 Mbits/sec receiver [ 10] 0.00-120.01 sec 25.6 MBytes 1.79 Mbits/sec sender Sent 25.6 MByte / 1.39 GByte (1%) of office2013.iso [ 10] 0.00-120.01 sec 25.5 MBytes 1.78 Mbits/sec receiver [ 13] 0.00-120.01 sec 25.1 MBytes 1.76 Mbits/sec sender Sent 25.1 MByte / 1.39 GByte (1%) of office2013.iso [ 13] 0.00-120.01 sec 24.9 MBytes 1.74 Mbits/sec receiver [SUM] 0.00-120.01 sec 108 MBytes 7.58 Mbits/sec sender [SUM] 0.00-120.01 sec 108 MBytes 7.53 Mbits/sec receiver iperf Done.

@Jason said:

Nevermind. #faceplam. forgot to go into configure mode first..

I may or may not have done that more than once.