asked on
Ubiquiti Edgerouter X configuration - dual ISP
Hello. I have an Edgerouter-X and I want to configure to allow dual ISP and load balancing (mostly).
It is currently setup in "single" mode. This new connection I now have is much faster; however, all I want to direct all external traffic (established connections) out of eth2 (with the connections being allowed back in) and block all external connections from coming in on eth2 that were not originally requested.
All other traffic that comes in (that wasn't requested internally) would come in eth0.
eth1 is already setup for the internal network so I am not going to change that.
eth0 is the slower internet
eth1 is internal
eth2 is the faster internet
Allow all requests from internal machines to the outside world through eth2 with reply information/packets coming back down eth2 and block everything else coming from outside to eth2.
Here is the current sanitized config. Please let me know your thoughts on how to modify it to do what I need to do. Thanks.
It is currently setup in "single" mode. This new connection I now have is much faster; however, all I want to direct all external traffic (established connections) out of eth2 (with the connections being allowed back in) and block all external connections from coming in on eth2 that were not originally requested.
All other traffic that comes in (that wasn't requested internally) would come in eth0.
eth1 is already setup for the internal network so I am not going to change that.
eth0 is the slower internet
eth1 is internal
eth2 is the faster internet
Allow all requests from internal machines to the outside world through eth2 with reply information/packets coming back down eth2 and block everything else coming from outside to eth2.
Here is the current sanitized config. Please let me know your thoughts on how to modify it to do what I need to do. Thanks.
* Ubiquiti Edgemax Edgerouter XNetworking Hardware-OtherNetworking
Last Comment
Adam D
ASKER
Update:
As I continue to research this topic, it seems "Policy Based Routing" PBR may be the way to go. I can't use Vlans because I need everyone on the same network/subnet. But, I have one machine that should use the slow connection while all other machines can use the fast one.
However; I still want to block/drop any unsolicited packets on eth2 (fast connection).
Thanks.
As I continue to research this topic, it seems "Policy Based Routing" PBR may be the way to go. I can't use Vlans because I need everyone on the same network/subnet. But, I have one machine that should use the slow connection while all other machines can use the fast one.
However; I still want to block/drop any unsolicited packets on eth2 (fast connection).
Thanks.
You should look at the issue two ways.
I gather your first interface, eth0, is where you have rules to allow traffic in, via a port forward
while you want eth2, faster and you want it to be used for external access.
Presumably if eth2 goes down, you want the traffic to flow out eth0 until restored.
eth2 will not allow traffic in, unless you open a rule on that side for inbound traffic.
rour nat rule 5010 sets traffic from inside through eth0.
See if the following helps
https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing#:~:text=Using%20WAN%20Load-Balancing%2C%20traffic%20sessions%20from%20the%20LAN,the%20Wizards%20tab%20to%20configure%20the%20Load-Balancing%20feature.
You could look at how to setup the edgerouter X as a failover setup. deals with eth2 being the preferred path unless it is down.
Commonly the router will maintain state traffic coming in over eth0 into the LAN, will be routed back out to eth0 provided it is there.
See if the following is helpful.
https://youtu.be/2mdXKoRm34c
I gather your first interface, eth0, is where you have rules to allow traffic in, via a port forward
while you want eth2, faster and you want it to be used for external access.
Presumably if eth2 goes down, you want the traffic to flow out eth0 until restored.
eth2 will not allow traffic in, unless you open a rule on that side for inbound traffic.
rour nat rule 5010 sets traffic from inside through eth0.
See if the following helps
https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing#:~:text=Using%20WAN%20Load-Balancing%2C%20traffic%20sessions%20from%20the%20LAN,the%20Wizards%20tab%20to%20configure%20the%20Load-Balancing%20feature.
You could look at how to setup the edgerouter X as a failover setup. deals with eth2 being the preferred path unless it is down.
Commonly the router will maintain state traffic coming in over eth0 into the LAN, will be routed back out to eth0 provided it is there.
See if the following is helpful.
https://youtu.be/2mdXKoRm34c
ASKER
Hi Arnold. Thanks for the reply. Unfortunately I had already read that article and actually already watched that video. The video uses the wizard and that almost works but knocks out my configuration completely. The articles is helpful but is also talking about load balancing based on activity or a weight split.
I need some policy based (it appears) load balancing. Here is the latest config I have created that doesn't work. I think I am right on the edge of what I need, but not quite.
If I enable eth2 then internet stops working but internal continues to work. If I disable eth2, even with this config in place, internet still works. Therefore it must not be flowing like I think it should be flowing when reading the configuration.
Let me know what you think. Thanks. :)
I need some policy based (it appears) load balancing. Here is the latest config I have created that doesn't work. I think I am right on the edge of what I need, but not quite.
If I enable eth2 then internet stops working but internal continues to work. If I disable eth2, even with this config in place, internet still works. Therefore it must not be flowing like I think it should be flowing when reading the configuration.
Let me know what you think. Thanks. :)
firewall {
all-ping enable
broadcast-ping disable
group {
address-group HackAttempts {
description HackAttempts
}
address-group NodePing {
description NodePing
}
network-group INTERNAL_NETWORK {
network 192.168.0.0/16
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify balance {
rule 10 {
description "do NOT load balance lan to lan"
destination {
group {
network-group INTERNAL_NETWORK
}
}
modify {
table main
}
}
rule 20 {
description "send to eth0"
modify {
table main
}
source {
address internal-ip-here
}
}
rule 30 {
description "All others - send to eth2"
modify {
table 50
}
}
}
name LAN_IN {
default-action accept
description "Block"
rule 1 {
action reject
destination {
address !192.168.100.0/24
}
log enable
source {
mac-address mac-here
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action drop
description HackerAttempts
log disable
protocol all
source {
group {
address-group HackAttempts
}
}
state {
established enable
invalid enable
new enable
related enable
}
}
rule 20 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action drop
description HackerIPs
log enable
protocol all
source {
group {
address-group HackAttempts
}
}
state {
established enable
invalid enable
new enable
related enable
}
}
rule 130 {
action accept
description "Allow WAN ICMP"
destination {
group {
address-group ADDRv4_eth0
}
}
icmp {
type 8
}
log enable
protocol icmp
source {
group {
address-group NodePing
}
}
}
rule 140 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 150 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
modify balance
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.100.1/24
description Local
duplex auto
speed auto
}
ethernet eth2 {
address dhcp
description MLFast
disable
duplex auto
speed auto
}
ethernet eth3 {
description Local
disable
duplex auto
speed auto
}
ethernet eth4 {
description Local
disable
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
description Local
mtu 1500
switch-port {
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
port-forward { stuff here
}
protocols {
static {
table 50 {
route 0.0.0.0/0 {
next-hop 192.168.1.10 {
}
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.100.0/24 {
default-router 192.168.100.1
dns-server 192.168.100.1
dns-server 8.8.8.8
lease 86400
start 192.168.100.100 {
stop 192.168.100.115
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth0
listen-on eth1
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password *
plaintext-password *
}
full-name ""
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi disable
export disable
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
}
}
See if the following helps,
the wan_in should be defined and shared between the group that contains the two interfaces.
https://blog.voina.org/configure-dual-wan-with-edgerouter-poe/#:~:text=EdgeRouter%3A%20Configure%20dual%20WAN%20with%20EdgeRouter%20POE%201,the%20configuration%20mode%20then%20run%20the%20status%20command%3A
See if the following helps
https://lostdomain.org/2018/04/11/doing-dual-isp-load-balancing-with-ubiquiti-edgerouter/
the wan_in should be defined and shared between the group that contains the two interfaces.
https://blog.voina.org/configure-dual-wan-with-edgerouter-poe/#:~:text=EdgeRouter%3A%20Configure%20dual%20WAN%20with%20EdgeRouter%20POE%201,the%20configuration%20mode%20then%20run%20the%20status%20command%3A
See if the following helps
https://lostdomain.org/2018/04/11/doing-dual-isp-load-balancing-with-ubiquiti-edgerouter/
ASKER
Thanks Arnold. I am looking over that information now. Are you saying I should have "WAN_IN" for the firewall in like below?
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
modify balance
WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address dhcp
description Internet
duplex auto
firewall {
in {
modify balance
WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
The interface eth0 and eth2
should become subordinate to
The example uses weight to distribute load.
In your setup, you want outflow via eth2 for LAN traffic, while you have specific traffic you wish to come in over eth0 and leave the same way.
You seem to be treating the two WAN ports once, while you should treat them twice.
One deals with traffic coming in, the other deals with traffic going out.
The link with the wizard example, includes the manual instructions as well...
often, it is best to check the Manufacturer's sample configurations.
should become subordinate to
The example uses weight to distribute load.
In your setup, you want outflow via eth2 for LAN traffic, while you have specific traffic you wish to come in over eth0 and leave the same way.
You seem to be treating the two WAN ports once, while you should treat them twice.
One deals with traffic coming in, the other deals with traffic going out.
The link with the wizard example, includes the manual instructions as well...
often, it is best to check the Manufacturer's sample configurations.
ASKER
Thanks. I did check the sample configurations but none have exactly what I was looking for, that is why I was asking for configuration assistance. If you have or can provide an example that would be great. :) I will continue to research and look at the other samples you sent.
One is to convert your existing setup by adding the eth0 into a loadbalancing group by itself
and transition to this type of handling (presumably you are on-site)
this way you transition the configuration to make it suitable.
Your incoming traffic will then need to handle the path/limit inbound requests to match the interface that it is coming from..
Presumably you are backing up your confgs prior to trying.
and transition to this type of handling (presumably you are on-site)
this way you transition the configuration to make it suitable.
Your incoming traffic will then need to handle the path/limit inbound requests to match the interface that it is coming from..
Presumably you are backing up your confgs prior to trying.
ASKER
Thanks Arnold. Yes, I am on site. Interesting idea and yes I have config backups, especially the one that works! :)
What would be very helpful, if you could, is provide some sample code and or configuration commands that would make this process faster.
I am a Cisco tech and do not fully know the nuances of Ubiquiti. The concepts I understand, the coding I have not yet learned.
If you can provide code examples, especially ones based on my above configuration, I would appreciate it.
Thanks.
What would be very helpful, if you could, is provide some sample code and or configuration commands that would make this process faster.
I am a Cisco tech and do not fully know the nuances of Ubiquiti. The concepts I understand, the coding I have not yet learned.
If you can provide code examples, especially ones based on my above configuration, I would appreciate it.
Thanks.
Same hear, I would think converting the WAN_in to loadbalancer.
How reliant is the business on the incoming traffic?
Currently you have the interface firewall rule.
The link that uses a combination of wizar and code example for dual band AwAn.
Creating a loadbalancer group to which eth0 and eth2 can be assigned.
Along with the testing to adjust roure shoukd one of the WAN feeds goes done.
The links I found, included this one.
Trying to setup the outgoing loadbalancer flow might be the way to go
https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing
You can create the group, and then extend it to see whether you have access out.
How reliant is the business on the incoming traffic?
Currently you have the interface firewall rule.
The link that uses a combination of wizar and code example for dual band AwAn.
Creating a loadbalancer group to which eth0 and eth2 can be assigned.
Along with the testing to adjust roure shoukd one of the WAN feeds goes done.
The links I found, included this one.
Trying to setup the outgoing loadbalancer flow might be the way to go
https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing
You can create the group, and then extend it to see whether you have access out.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Hi Adam,
I am looking at doing something similar with an ER-X.
Would you be able to share your final (working!) config?
Thanks,
Alan.
I am looking at doing something similar with an ER-X.
Would you be able to share your final (working!) config?
Thanks,
Alan.
ASKER
Hi Alan. Sure, it is a basic setup. I will have to get the config for you. My main problem here was I have two switches with the ACPro's on one switch and the secondary ER-X on the other. If I had them on the same switch then I probably wouldn't have had this problem. :)
The main thing I did isn't policy based it is just VLAN tagging. In the ACPro I marked the guest wireless as VLAN10, in the switch I looked for the VLAN10 tag and sent that to the port that has ISP2 and the ER-X router sent it out to the ISP2 modem.
I probably won't be able to pull the config until the weekend, but I'll send it over. :)
The main thing I did isn't policy based it is just VLAN tagging. In the ACPro I marked the guest wireless as VLAN10, in the switch I looked for the VLAN10 tag and sent that to the port that has ISP2 and the ER-X router sent it out to the ISP2 modem.
I probably won't be able to pull the config until the weekend, but I'll send it over. :)
all-ping enable
broadcast-ping disable
group {
address-group HackAttempts {
address public IP list goes here of bad IP addresses
description HackAttempts
}
address-group NodePing {
address public IP list goes here of good/allowed IP addresses
description NodePing
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name LAN_IN {
default-action accept
description "Block internal machine"
rule 1 {
action reject
destination {
address !192.168.100.0/24
}
log enable
source {
mac-address xxxx
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action drop
description HackerAttempts
log disable
protocol all
source {
group {
address-group HackAttempts
}
}
state {
established enable
invalid enable
new enable
related enable
}
}
rule 20 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action drop
description HackerIPs
log enable
protocol all
source {
group {
address-group HackAttempts
}
}
state {
established enable
invalid enable
new enable
related enable
}
}
rule 130 {
action accept
description "Allow WAN ICMP"
destination {
group {
address-group ADDRv4_eth0
}
}
icmp {
type 8
}
log enable
protocol icmp
source {
group {
address-group NodePing
}
}
}
rule 140 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 150 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name LAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.100.1/24
description Local
duplex auto
speed auto
}
ethernet eth2 {
address dhcp
description Internet2
disable
duplex auto
speed auto
}
ethernet eth3 {
description Local
disable
duplex auto
speed auto
}
ethernet eth4 {
description Local
disable
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
description Local
mtu 1500
switch-port {
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
rule 1 {
description "Internal stuff"
forward-to {
address internal address
port xxxx
}
original-port xxxx
protocol tcp_udp
}
wan-interface eth0
}
protocols {
static {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.100.0/24 {
default-router 192.168.100.1
dns-server 192.168.100.1
dns-server 8.8.8.8
lease 86400
start 192.168.100.100 {
stop 192.168.100.115
}
static-mapping EdgeSwitch {
ip-address 192.168.100.x
mac-address xxxx
}
static-mapping Machine {
ip-address 192.168.100.x
mac-address xxxx
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth0
listen-on eth1
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name hostnamegoeshere
login {
user usernamegoeshere {
authentication {
encrypted-password *******
plaintext-password *******
}
full-name ""
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi disable
export disable
}
}