Adam D

Ubiquiti Edgerouter X configuration - dual ISP

Hello.  I have an Edgerouter-X and I want to configure to allow dual ISP and load balancing (mostly).

It is currently set up in "single" mode.  This new connection I now have is much faster; however, I want to direct all external traffic (established connections) out of eth2 (with the replies being allowed back in) and block all external connections from coming in on eth2 that were not originally requested.

All other traffic that comes in (that wasn't requested internally) would come in eth0.  

eth1 is already setup for the internal network so I am not going to change that.

eth0 is the slower internet
eth1 is internal
eth2 is the faster internet

Allow all requests from internal machines to the outside world through eth2 with reply information/packets coming back down eth2 and block everything else coming from outside to eth2.

Here is the current sanitized config.  Please let me know your thoughts on how to modify it to do what I need to do.  Thanks.
Adam D


/* Firewall section (first posted config).
   NOTE(review): a ruleset only takes effect on interfaces that reference it.
   In this listing eth0 references LAN_IN (in) and WAN_LOCAL (local); WAN_IN
   is defined but referenced by no interface. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* address-group members were sanitized by the poster */
        address-group HackAttempts {
            address public IP list goes here of bad IP addresses
            description HackAttempts
        }
        address-group NodePing {
            address public IP list goes here of good/allowed IP addresses
            description NodePing
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* default-action accept: only the one MAC-matched host is restricted.
       By its description and mac-address match this reads as a LAN-side
       ruleset; in the interfaces section it is attached to eth0 (WAN). */
    name LAN_IN {
        default-action accept
        description "Block internal machine"
        rule 1 {
            action reject
            /* negated match: anything not destined for the local /24 */
            destination {
                address !192.168.100.0/24
            }
            log enable
            source {
                mac-address xxxx
            }
        }
    }
    /* WAN -> LAN forwarding: drop by default, only reply traffic passes.
       Not attached to any interface in this listing. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action drop
            description HackerAttempts
            log disable
            protocol all
            source {
                group {
                    address-group HackAttempts
                }
            }
            /* all four states enabled = every packet from the group */
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* WAN -> router itself: drop by default; no rule accepts ssh (22),
       gui (80/443) or dns (53) from the WAN side, so those services are
       not reachable on eth0 as configured. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action drop
            description HackerIPs
            log enable
            protocol all
            source {
                group {
                    address-group HackAttempts
                }
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        /* echo-request only, from the NodePing list, to eth0's own address.
           ADDRv4_eth0 is interface-bound; a second WAN on eth2 would need
           the equivalent group for eth2 added here if it should answer ping. */
        rule 130 {
            action accept
            description "Allow WAN ICMP"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            icmp {
                type 8
            }
            log enable
            protocol icmp
            source {
                group {
                    address-group NodePing
                }
            }
        }
        rule 140 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 150 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    /* send-redirects enable: the router may emit ICMP redirects; disabling
       is the usual hardening choice when no on-link redirection is needed */
    send-redirects enable
    /* source-validation disable: no reverse-path check. NOTE(review): keep
       it disabled if a second WAN with policy routing is added — strict
       validation would likely drop asymmetric return traffic; confirm first. */
    source-validation disable
    syn-cookies enable
}
/* Interfaces section (first posted config). */
interfaces {
    /* WAN 1 (slower ISP). NOTE(review): the inbound forwarding ruleset here is
       LAN_IN, whose default-action is accept, while WAN_IN (default-action
       drop) is defined but unused. Forwarded traffic arriving on eth0 is
       therefore accepted unless it hits LAN_IN rule 1's MAC match.
       Expected: "in { name WAN_IN }" here, with LAN_IN attached to eth1. */
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* LAN. No firewall attached; LAN_IN (the MAC-based block) is not applied here. */
    ethernet eth1 {
        address 192.168.100.1/24
        description Local
        duplex auto
        speed auto
    }
    /* WAN 2 (faster ISP), currently disabled and with no firewall at all.
       Before enabling it as a WAN it needs "firewall { in { name WAN_IN }
       local { name WAN_LOCAL } }", otherwise router-local services and
       forwarding on eth2 are unfiltered; the service section's masquerade
       also covers eth0 only. */
    ethernet eth2 {
        address dhcp
        description Internet2
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* eth3/eth4 are grouped into a switch but both ports are disabled above */
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
/* Port forwards apply to eth0 only (wan-interface eth0), which matches the
   stated goal that unsolicited inbound traffic enters via eth0, not eth2.
   auto-firewall adds accept rules for these forwards on the wan-interface's
   rulesets; hairpin-nat lets LAN hosts reach the forward via the public address. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description "Internal stuff"
        /* target host and ports sanitized by the poster */
        forward-to {
            address internal address
            port xxxx
        }
        original-port xxxx
        protocol tcp_udp
    }
    wan-interface eth0
}
/* No static routes and no extra routing tables yet; policy-based routing to
   a second WAN would need a table with its own default route here. */
protocols {
    static {
    }
}
/* Services (first posted config). */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                /* router's own forwarder first, public resolver as fallback */
                dns-server 192.168.100.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.115
                }
                static-mapping EdgeSwitch {
                    ip-address 192.168.100.x
                    mac-address xxxx
                }
                static-mapping Machine {
                    ip-address 192.168.100.x
                    mac-address xxxx
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            /* listen-on eth0 binds the forwarder to the WAN interface; it is
               only shielded by WAN_LOCAL's default drop. Listening on eth1
               alone would be sufficient for the LAN clients above. */
            listen-on eth0
            listen-on eth1
        }
    }
    gui {
        http-port 80
        https-port 443
        /* older-ciphers enable: allows legacy TLS cipher suites on the web UI;
           only needed for old browsers, otherwise weakens HTTPS */
        older-ciphers enable
    }
    nat {
        /* Masquerade only for eth0. A second WAN on eth2 needs its own
           masquerade rule with "outbound-interface eth2", or LAN traffic
           routed out eth2 leaves with private source addresses. */
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
/* System section (first posted config); host-name and credentials sanitized by the poster. */
system {
    host-name hostnamegoeshere
    login {
        user usernamegoeshere {
            authentication {
                encrypted-password *******
                /* plaintext-password is normally cleared once the hash is
                   stored — presumably just sanitized here; confirm it is
                   not persisted in the real config */
                plaintext-password *******
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* local logging only; firewall rule logs (log enable above) land here */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}




Update:

As I continue to research this topic, it seems "Policy Based Routing" PBR may be the way to go.  I can't use Vlans because I need everyone on the same network/subnet.  But, I have one machine that should use the slow connection while all other machines can use the fast one.

However; I still want to block/drop any unsolicited packets on eth2 (fast connection).

Thanks.
You should look at the issue two ways.

I gather your first interface, eth0,  is where you have rules to allow traffic in, via a port forward
while you want eth2, faster and you want it to be used for external access.
Presumably if eth2 goes down, you want the traffic to flow out eth0 until restored.

eth2 will not allow traffic in, unless you open a rule on that side for inbound traffic.


Your NAT rule 5010 sends traffic from inside out through eth0.

See if the following helps

https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing#:~:text=Using%20WAN%20Load-Balancing%2C%20traffic%20sessions%20from%20the%20LAN,the%20Wizards%20tab%20to%20configure%20the%20Load-Balancing%20feature.

You could look at how to set up the EdgeRouter X as a failover setup, which deals with eth2 being the preferred path unless it is down.

Commonly the router will maintain state: traffic coming in over eth0 into the LAN will be routed back out of eth0, provided the state entry is there.

See if the following is helpful.

https://youtu.be/2mdXKoRm34c


Hi Arnold.  Thanks for the reply.  Unfortunately I had already read that article and actually already watched that video.  The video uses the wizard and that almost works but knocks out my configuration completely.  The article is helpful but is also talking about load balancing based on activity or a weight split.

I need some policy based (it appears) load balancing.  Here is the latest config I have created that doesn't work.  I think I am right on the edge of what I need, but not quite.

If I enable eth2 then internet stops working but internal continues to work.  If I disable eth2, even with this config in place, internet still works.  Therefore it must not be flowing like I think it should be flowing when reading the configuration.

Let me know what you think.  Thanks. :)

/* Firewall section (second posted config, with a PBR "modify" ruleset).
   NOTE(review): WAN_IN is still not attached to any interface — in the
   interfaces section eth0 "in" carries only "modify balance", and eth2 has
   no firewall at all. Without a name ruleset, forwarded traffic on an
   interface is not filtered. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* address-group members removed by the poster */
        address-group HackAttempts {
            description HackAttempts
        }
        address-group NodePing {
            description NodePing
        }
        /* 192.168.0.0/16 covers the LAN /24 and also the 192.168.1.0/24 that
           table 50's next-hop (192.168.1.10) lives in, so traffic to that
           subnet stays in the main table by rule 10 below */
        network-group INTERNAL_NETWORK {
            network 192.168.0.0/16
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Policy-based routing. A modify ruleset is evaluated on packets entering
       the interface it is attached to. Rule 20 matches an internal source
       address, so this ruleset is only meaningful on the LAN interface
       ("ethernet eth1 { firewall { in { modify balance } } }"); in the
       interfaces section it is attached to eth0, where LAN-originated
       traffic never enters — which is consistent with the poster's report
       that the routing did not change. */
    modify balance {
        rule 10 {
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group INTERNAL_NETWORK
                }
            }
            modify {
                table main
            }
        }
        /* the one host that should keep using the slow ISP (eth0 default route) */
        rule 20 {
            description "send to eth0"
            modify {
                table main
            }
            source {
                address internal-ip-here
            }
        }
        /* everything else: table 50 holds a default route via 192.168.1.10 */
        rule 30 {
            description "All others - send to eth2"
            modify {
                table 50
            }
        }
    }
    /* default-action accept; by its mac-address match a LAN-side ruleset.
       Not attached to any interface in this listing. */
    name LAN_IN {
        default-action accept
        description "Block"
        rule 1 {
            action reject
            destination {
                address !192.168.100.0/24
            }
            log enable
            source {
                mac-address mac-here
            }
        }
    }
    /* WAN -> LAN forwarding: drop by default, only reply traffic passes.
       Should be attached as "in { name WAN_IN }" on both eth0 and eth2. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action drop
            description HackerAttempts
            log disable
            protocol all
            source {
                group {
                    address-group HackAttempts
                }
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* WAN -> router itself: drop by default. Attached to eth0 local only;
       eth2 would need it as well once enabled. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action drop
            description HackerIPs
            log enable
            protocol all
            source {
                group {
                    address-group HackAttempts
                }
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        /* echo-request to eth0's own address only; eth2's address group is
           not covered, so ping to the ISP2 address would be dropped */
        rule 130 {
            action accept
            description "Allow WAN ICMP"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            icmp {
                type 8
            }
            log enable
            protocol icmp
            source {
                group {
                    address-group NodePing
                }
            }
        }
        rule 140 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 150 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* keep disabled with two WANs and PBR: strict reverse-path validation
       would likely drop asymmetric returns — confirm before enabling */
    source-validation disable
    syn-cookies enable
}
/* Interfaces section (second posted config). */
interfaces {
    /* WAN 1. NOTE(review): "modify balance" here applies the PBR ruleset to
       packets entering from the ISP side, not to LAN traffic, and no name
       ruleset is attached for forwarded traffic. A name ruleset and a modify
       ruleset can both sit under "in" ("name WAN_IN" plus "modify balance"),
       but the PBR ruleset belongs on the LAN interface eth1. */
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                modify balance
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* LAN. This is where "firewall { in { modify balance } }" would steer
       LAN-originated flows; nothing is attached here. */
    ethernet eth1 {
        address 192.168.100.1/24
        description Local
        duplex auto
        speed auto
    }
    /* WAN 2 (ISP2), still disabled and without any firewall or NAT coverage.
       Before enabling it needs "firewall { in { name WAN_IN } local { name
       WAN_LOCAL } }" and a masquerade rule for outbound-interface eth2.
       With "address dhcp", enabling it also installs a second default route
       from the ISP2 DHCP offer in the main table — presumably what broke
       internet access when eth2 was enabled; confirm with "show ip route". */
    ethernet eth2 {
        address dhcp
        description MLFast
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        disable
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
/* port-forward body elided by the poster; the earlier listing had wan-interface eth0 */
port-forward { stuff here
}
/* Routing table 50: default route for flows marked by "modify balance" rule 30.
   192.168.1.10 is presumably the ISP2 modem on eth2's DHCP-assigned subnet —
   TODO confirm. A fixed next-hop is fragile if that DHCP lease changes; an
   interface-bound route via eth2 would follow the lease instead. */
protocols {
    static {
        table 50 {
            route 0.0.0.0/0 {
                next-hop 192.168.1.10 {
                }
            }
        }
    }
}
/* Services (second posted config). */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.100.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.115
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            /* listen-on eth0 binds the forwarder to WAN 1; shielded only by
               WAN_LOCAL's default drop. eth1 alone serves the LAN clients. */
            listen-on eth0
            listen-on eth1
        }
    }
    gui {
        http-port 80
        https-port 443
        /* legacy TLS cipher suites on the web UI; only needed for old browsers */
        older-ciphers enable
    }
    nat {
        /* NOTE(review): masquerade covers eth0 only. Flows steered to table 50
           (eth2) would leave with private 192.168.100.x source addresses
           unless a second masquerade rule with "outbound-interface eth2" is
           added. */
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
/* System section (second posted config). host-name and user "ubnt" may be
   sanitized; if they are the real EdgeOS defaults, renaming the admin account
   reduces exposure to credential guessing against ssh/gui. */
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password *
                plaintext-password *
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}
/* IPsec NAT-exclusion helper is on, but no IPsec peers are configured in this listing */
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
    }
}




Thanks Arnold.  I am looking over that information now.  Are you saying I should have "WAN_IN" for the firewall in like below?
interfaces {
    /* Proposed eth0 stanza. NOTE(review): a bare "WAN_IN" is not valid under
       "in"; the ruleset is referenced as "name WAN_IN" (compare "name
       WAN_LOCAL" under "local"). "name WAN_IN" and "modify balance" can
       coexist under "in", though the modify ruleset belongs on the LAN
       interface, not here. The enclosing "interfaces {" is not closed in this snippet. */
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                modify balance
      WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* Proposed eth2 stanza. As for eth0, the ruleset must be written
       "name WAN_IN"; the "disable" line from the earlier listing is gone here,
       so this enables the interface. Attaching WAN_IN (default drop) and
       WAN_LOCAL (default drop) to eth2 is what blocks unsolicited inbound
       traffic on the fast ISP, as the poster asked. */
    ethernet eth2 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                modify balance
      WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }



The interface eth0 and eth2
should become subordinate to

The example uses weight to distribute load.

In your setup, you want outflow via eth2 for LAN traffic, while you have specific traffic you wish to come in over eth0 and leave the same way.

You seem to be treating the two WAN ports once, while you should treat them twice.
One deals with traffic coming in, the other deals with traffic going out.


The link with the wizard example, includes the manual instructions as well...

often, it is best to check the Manufacturer's sample configurations.


Thanks.  I did check the sample configurations but none have exactly what I was looking for, that is why I was asking for configuration assistance.  If you have or can provide an example that would be great. :)  I will continue to research and look at the other samples you sent.
One is to convert your existing setup by adding the eth0 into a loadbalancing group by itself
and transition to this type of handling (presumably you are on-site)

this way you transition the configuration to make it suitable.

Your incoming traffic will then need handling that limits inbound requests to the interface they arrive on.

Presumably you are backing up your configs prior to trying.


Thanks Arnold.  Yes, I am on site.  Interesting idea and yes I have config backups, especially the one that works! :)

What would be very helpful, if you could, is provide some sample code and or configuration commands that would make this process faster.

I am a Cisco tech and do not fully know the nuances of Ubiquiti.  The concepts I understand, the coding I have not yet learned.

If you can provide code examples, especially ones based on my above configuration, I would appreciate it.

Thanks.
Same here; I would think about converting the WAN_IN to a load balancer.

How reliant is the business on the incoming traffic?

Currently you have the interface firewall rule.

The link uses a combination of the wizard and a code example for dual WAN.

Creating a loadbalancer group to which eth0 and eth2 can be assigned.

Along with the testing to adjust the route should one of the WAN feeds go down.

The links I found, included this one.

Trying to setup the outgoing loadbalancer flow might be the way to go

https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing

You can create the group, and then extend it to see whether you have access out.
Adam D

Hi Adam,

I am looking at doing something similar with an ER-X.

Would you be able to share your final (working!) config?

Thanks,

Alan.


Hi Alan.  Sure, it is a basic setup.  I will have to get the config for you.  My main problem here was I have two switches with the ACPro's on one switch and the secondary ER-X on the other.  If I had them on the same switch then I probably wouldn't have had this problem. :)

The main thing I did isn't policy based it is just VLAN tagging.  In the ACPro I marked the guest wireless as VLAN10, in the switch I looked for the VLAN10 tag and sent that to the port that has ISP2 and the ER-X router sent it out to the ISP2 modem.

I probably won't be able to pull the config until the weekend, but I'll send it over.  :)