EdgeRouter X - Ubiquiti - (ER X)

Version:	  v2.0.6
Build ID:	 5208541
Build on:	 07/08/19 05:08
Copyright:	2012-2018 Ubiquiti Networks, Inc.
HW model:	 EdgeRouter X 5-Port
The system currently has the following image(s) installed:
v2.0.6.5208541.190708.0508	 (running image) (default boot)
v2.0.3.5189349.190502.1345

show system boot-image

daca iti zice ca trebuie sa faci update:

add system boot-image

(are you sure: y[enter]

Dupa ce face update

sudo reboot


si dupa reboot

configure
set system offload ipsec enable
commit;save; exit

dupa

show ubnt offload

daca nici asa nu merge ipsec, da paste la configuratie

show configuration commands | no-more

The system currently has the following boot image installed:
Current boot version: e50_002_4c817
Current boot md5sum : 152b37ac18d23006c1787ed8920c1ea2

Nu cere update.

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description xxx
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description xxx
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description xxx
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description xxx
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
set interfaces switch switch0 address 192.168.1.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set port-forward auto-firewall enable
set port-forward hairpin-nat disable
set port-forward rule 1 description Nas
set port-forward rule 1 forward-to address xxxx
set port-forward rule 1 forward-to port xxx
set port-forward rule 1 original-port xxx
set port-forward rule 1 protocol tcp_udp
set port-forward rule 2 description Unifi
set port-forward rule 2 forward-to address xxxxx
set port-forward rule 2 forward-to port xxx
set port-forward rule 2 original-port xxx
set port-forward rule 2 protocol tcp_udp
set port-forward rule 3 description Remote
set port-forward rule 3 forward-to address xxxx
set port-forward rule 3 forward-to port xxx
set port-forward rule 3 original-port xxx
set port-forward rule 3 protocol tcp_udp
set port-forward wan-interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router xxx
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service gui http-port xxxx
set service gui https-port xxx
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set service unms disable
set system host-name ubnt
set system login user xxxauthentication encrypted-password '$xxxx7'
set system login user daniel level admin
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system offload hwnat enable
set system offload ipsec enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Europe/Bucharest

Edited by petman, 10 November 2019 - 18:55.

Pe rand:
1. vad firewall pt ivp6 dar nu vad niciun ipv6.
2. Oricum, la firewall-ul pt ipv6 ar trebui adaugat:

configure
set firewall ipv6-name WANv6_IN rule 30 action drop
set firewall ipv6-name WANv6_IN rule 30 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 30 state invalid enable
commit; save; exit

3. ipsec e enabled in configuratia ta

4. dhcp - telekom? daca da, parca ei nu ofereau ipv6 pt persoane fizice (asta tangential la punctele de mai sus)

5. ar trebui sa lasi hairpin enabled (daca folosesti port forward din GUI - e mai usor comparativ cu dnat - cu drawback-urile de rigoare din cand in cand)
deci

configure
set port-forward hairpin-nat enable
commit; save; exit

Iarasi, vad port-forward dar e setata doar interfata WAN (eth0) - daca vei seta pana la urma port forward (vad ca ai incercat) sa nu uiti ca interfata ta LAN va fi switch0 nu eth1-2-3 - iti merge port forward?
deci

configure
set port-forward lan-interface switch0
commit; save; exit

BBL
Ma duc sa dau cu stampila

PS

configure
delete system ntp server 0.ubnt.pool.ntp.org
delete system ntp server 1.ubnt.pool.ntp.org
delete system ntp server 2.ubnt.pool.ntp.org
delete system ntp server 3.ubnt.pool.ntp.org
set system ntp server 0.ro.pool.ntp.org
set system ntp server 1.ro.pool.ntp.org
set system ntp server 2.ro.pool.ntp.org
set system name-server 1.1.1.1
set system name-server 9.9.9.9
commit; save; exit

la:

set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router xxx

de ce ai ascuns default? ar trebui sa fie o adresa locala pt ca ai masquarade enabled cred ca 192.168.1.1
Iarasi, la serverul de dhcp nu e definit pool-ul si dns-urile clientilor
asadar:

configure
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 1.1.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 9.9.9.9
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.0.200
comit; save; exit

iarasi:
ai setat

set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0

dar niciun name-server pt forwarding

configure
delete service dns forwarding cache-size 150
set service dns forwarding cache-size 1000
set service dns forwarding listen-on switch0
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 9.9.9.9
commit; save; exit

1+2. n-am ipv6 - cred ca e default activ
3. e enabled dar ai vazut ce returneaza cand cer status
4. nu, IP fix de la UPC (connect box e pus in modul modem)
5. merge port fwd din extern fara probleme. Am NAS+ 1 AP (prin controlerul de pe nas (xpelogy) si un desktop care sunt vizibile din extern.
Hairpin e pentru a putea avea access din reteaua interna la un ip extern fwdat la un device din reteaua interna - o explicatie mai tampita n-am putut gasi ) ?

Multe chestii nu le-am setat - sunt lasate default (din pacate uneori nu-mi mai ajunge timpul sa le fac pe toate).

Edited by petman, 10 November 2019 - 19:44.

ogo, on 10 noiembrie 2019 - 12:51, said:

Facusi, acum e totul in regula. Ms.

@JohnnyUSA

nici eu nu stiu de ce naiba am revenit la asus. Cred ca imi place sa mai schimb. Ma mananca sa iau si eu un Edge. Totusi am cheltuit si eu destul. Iar de BF deja am pe lista un produs de peste 1.000 lei (capac de wc cu bideu )) )

@ogo: de amorul artei, crezi ca as putea sa alimentez MK PoE din Edge?
Edge parca se alimenteaza la 12V. Am inteles ca trebuie sa schimb adaptorul cu ceva mai potent.

sincer n-am incercat, dar teoretic ti-ar trebuie un 24 passiv poe in er-x si sa-l duci in mkr - teoretic ar trebui sa mearga, ca er-x ia 5w iar hap ac2 vreo 16 min (Max power consumption without attachments)  21 max (Max power consumption).
Ideea e ca trebuie sa alimentezi si er-x-ul tot prin poe nu prin sursa lui. Din asta scazi aia 5W pt er-x si vezi daca va fi stabil mrk.
N-am niciun er-x la indemana sa testez

Asta de exemplu:
POE-24-12W-G (ca sa-l alimentezi) sau POE-24-24W-G si pt mkr.
iti trebuie adaptor pe 2 perechi nu pe 4.

Edited by ogo, 10 November 2019 - 23:02.

Dar de ce zici ca trebuie edge alimentat prin poe? Eu am văzut un clip în care edge era alimentat prin sursa lui și apoi alimenta poe un ap (bine, ap-ul nu era de la alt producator).
Tipul de pe YouTube succes și el ca teoretic trebuie un alimentator mai puternic.

Pt ca AP-ul ala consuma mai putin ca un hap ac2 iar sursa interna face fata. Er-X duce, de exemplu, un unifi ap lite fara probleme (ala consuma max 7w).

da, am inteles ce zici. Acum am cautat pe site-ul lor: https://www.ui.com/e...x/edgerouter-x/
Ca si specificatii pentru PoE out: *Requires 24V passive PoE or a 12W minimum power adapter (not included).
Dar acum nu imi este clar ce inseamna 12W:
- 12W inseamna 1A la 12V
- 24W inseamna 0.5A la 24V

Totusi, cred ca avand la specificatii "24V Passive PoE" ma gandesc ca trebuie un aplimentaotr de 24V insa de ce mergea acel AP la 12? Doar nu ridica si tensiunea . Si avand in vedere ca MK necesita 18-28V PoE cred ca mi-am raspuns, nu? trebuie teoretic alimentat Edge la 24V prin jack (min 0.5 A) sau PoE direct....nu?

N-am idee daca se poate si prin jack (daca gasesti un power brick mai puternic) dar sigur prin poe merge.
Nu prea "imi plac" chestiile astea non-standard (i.e. passive poe) si ma feresc in a le utiliza.
Stick to the standard: 802.3af/at/bt

joystick, on 11 noiembrie 2019 - 09:40, said:

Totusi, merita sa te complici? De unde alimentezi viitorul ER-X banuiesc ca mai ai o priza libera.
Iei un "MikroTik Gigabit PoE injector" (RBGPOE) se gasesc si pe la vreo 15 lei daca te chinui putin, il infingi in ER-X, vii in el cu cablul de la MikroTik, vii in adaptor cu alimentatorul original de la MikroTik si ai rezolvat problema.

Nu, am mai multe prize. Ideea era sa ma joc cu ceva, nicidecum sa fac ceva cu adevarat util .

Sa vedem ce aduce BF anul asta...

petman, on 10 noiembrie 2019 - 19:42, said:

Inseamna ca nu ai dat paste la toata configuratia

show configuration

si pui <code> cand dai paste.

hairpin NAT sau NAT loopback sau NAT reflection: (explicatia de pe wiki e cea mai simpla de inteles):

Quote

HOW TO

Blocare/filtrare BOGONSIPV4

Configuratia sa aplica pentru orice Edgerouter (Cavium sau Mediatek based).
Configuratia pleaca de la premisa ca toate celelalte reguli de firewall au fost deja setate (daca s-a folosit quick-setup regulile standard de firewall sunt deja in vigoare).
Nu este scopul acestui how to sa explice ce sunt alea BOGONS/Martians, internetul este clarificator pe acest subiect. Pentru o conspectare amanuntita se poate incepe cu RFC1918/RFC5735/RFC6598
Configuratia este valida pentru cel mai recente firmware stable atat din 1.X cat si din 2.0.X train, si anume: v1.10.10 respectiv 2.0.6 - teoretic acopera inclusiv firmware-urile mai vechi down to cel putin to 1.8.0 (2016).

De ce?
Pentru ca (cel putin in cazul RDS) "apar" pe interfata WAN (internet) subnet-uri (ipv4) care n-ar trebui sa fie routate in internet. BOGONS-urile sunt "scapari" ce n-ar trebui sa apara dar, din pacate, teoria e teorie iar realitatea poate fi total diferita.
Aceeasi situatie exista si in cazul ipv6 (exista BOGONS ipv6, dar acest tutorial trateaza doar ipv4).

Tutorialul pleaca de la premisa ca se va folosi CLI (teoretic se poate si cu ajutorul GUI-ului dar e ceva "mai complicat" de explicat cu "click-urile").

Asadar
Se va crea un grup de firewall unde se vor defini subnet-urile ce vor face parte din acest grup (conform RFC-urilor de mai sus):

configure
set firewall group network-group BOGONS description 'Martians & UFOs'

###se vor adauga in acest grup clasele de ip ce n-ar trebui sa vina din WAN (internet)###

set firewall group network-group BOGONS network 0.0.0.0/8
set firewall group network-group BOGONS network 10.0.0.0/8
set firewall group network-group BOGONS network 100.64.0.0/10
set firewall group network-group BOGONS network 127.0.0.0/8
set firewall group network-group BOGONS network 169.254.0.0/16
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.0.0.0/24
set firewall group network-group BOGONS network 192.0.2.0/24
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall group network-group BOGONS network 198.18.0.0/15
set firewall group network-group BOGONS network 198.51.100.0/24
set firewall group network-group BOGONS network 203.0.113.0/24
set firewall group network-group BOGONS network 224.0.0.0/4
set firewall group network-group BOGONS network 240.0.0.0/4

###se aplica configuratia, se salveaza, se iese din configuration mode##

commit; save; exit

se adauga in WAN_LOCAL (chain-ul LOCAL conform EdgeOS) - chain-ul care "controleaza" traficul destinat direct router-ului [de ex ssh la router, sau accesul acestuia via interfata web-based], cunoscut ca INPUT in terminologia clasica iptables); mentionez ca daca s-a folosit quick-setup-ul numele chain-ului este WAN_LOCAL (cum am mentionat) daca s-a optat pentru o denumire personalizata, ar fi bine a se verifice numele exact al chain-ului) o noua regula DROP (de preferat reguli REJECT) (a se verifica sa nu existe nr regulii, deobicei in configuratia standard sunt doar 2 reguli: regula 10 si regula 20 - voi reveni alta data de ce e indicat a se folosi reguli numerotate cel putin din 10 in 10) cu nr. 100

(accesam din nou modul configure, ca verificare apare # in loc de $ in linia de comanda)

configure
set firewall name WAN_LOCAL rule 100 action drop
set firewall name WAN_LOCAL rule 100 description 'Drop BOGON source'
set firewall name WAN_LOCAL rule 100 log enable
set firewall name WAN_LOCAL rule 100 source group network-group BOGONS
commit; save; exit

se aplica regula pe interfata WAN (in cazul conexiunilor pppoe interfata WAN este sesiunea pppoe nu interfata fizica -oricare ar fi: ea eth0/1/2/x- unde e conectat cablul)
(plec de la premisa ca exista o singura conexiune ppppoe activa)
ATENTIE: conexiunea pppoe din exemplul de mai jos este activa pe interfata eth0 (cablul ce vine dinspre RDS (ont/switch/etc) este conectat fizic la interfata eth0. Schimbati conform setup-ului fizic pe care il aveti definit daca aveti cablul in alta interfata.

configure
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
commit; save; exit

se verifica la 2-3 zile log-urile cu

show log all |grep WAN_LOCAL

si veti avea ceva de genul:

Nov 11 23:16:41 gw-001-main kernel: [WAN_LOCAL-100-D]IN=pppoe0 OUT= MAC= SRC=10.0.0.17 DST=5.14.xxx.xxx LEN=44	  
				  TOS=0x00 PREC=0x00 TTL=239 ID=32726 PROTO=TCP SPT=43818 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0

- s-a incercat accesarea router-ului pe portul 1433, protocol TCP de la IP-ul 10.0.0.17 -

Sper sa fie de folos si nu ezitati daca aveti nelamuriri.

Succes!

Edited by Tyby, 12 November 2019 - 18:15.