Ubiquiti EdgeRouter X - Configuring to Isolate Surveillance Networks

Interesting question, and why it doesn't work. There are a couple of "schools" on how to implement the firewall on an EdgeRouter: either you put it on WAN_OUT, or on the "local"_(vlan)_OUT. I opted for the latter:

Code:
        rule 40 {
            action accept
            description "Allow TCP/2195"
            destination {
                port 2195
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group IPC_catcamstarvlan
                }
            }
        }

If you are unsure what is happening: enable "LOG DEFAULT" in the EdgeMAX web browser, and then "tail -f /var/log/messages", and you'll see which IP/Port/Destination gets "blocked".

Good luck!
CC
I've tried this and it seems still not working; from the app's side, it's working if all of the OP's ruleset is disabled. I guess I should try again with a different ruleset.

update:
It's working now if I put it in restricted_lan_in as the first rule, thanks
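The two posts above describe the same debugging loop: turn on default logging, tail /var/log/messages to see which source/destination/port the ruleset is dropping, write an accept rule like rule 40 for it, and make sure that rule sits early enough in the ruleset to be reached. The script below is an added example, not code from this thread or from Ubiquiti. It parses the netfilter-style lines EdgeOS writes for logged packets, summarises the dropped flows, drafts the accept rule as `set` commands in the same shape as rule 40, and uses a tiny first-match evaluator to show why the rule has to precede any broader drop rule. The ruleset and interface names (restricted_lan_in, eth3), the network-group name and every address, port and timestamp in SAMPLE_LOG are assumptions or constructed data.

```python
"""Added example, not code from the thread. Reads the lines EdgeOS writes to
/var/log/messages when a ruleset has default-log enabled, summarises what got
dropped, drafts the matching accept rule as 'set' commands, and shows why that
rule has to sit before any broader drop rule (rulesets are first-match).
Ruleset/interface names (restricted_lan_in, eth3) are assumptions taken from
this thread; the addresses and ports in SAMPLE_LOG are made up."""
import re
from collections import Counter

# Constructed sample in the netfilter format EdgeOS uses; the
# [ruleset-rule-action] prefix is how EdgeOS tags each logged packet.
SAMPLE_LOG = """\
Mar 12 08:01:02 ubnt kernel: [restricted_lan_in-default-D]IN=eth3 OUT=eth0 SRC=192.168.93.82 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=51044 DPT=2195 SYN
Mar 12 08:01:03 ubnt kernel: [restricted_lan_in-20-A]IN=eth3 OUT=eth0 SRC=192.168.93.82 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=48801 DPT=53
Mar 12 08:01:05 ubnt kernel: [restricted_lan_in-default-D]IN=eth3 OUT=eth0 SRC=192.168.93.82 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=51045 DPT=2195 SYN
Mar 12 08:01:07 ubnt kernel: [restricted_lan_in-default-D]IN=eth3 OUT=eth1 SRC=192.168.93.82 DST=192.168.91.5 LEN=60 PROTO=TCP SPT=51046 DPT=445 SYN
Mar 12 08:01:08 ubnt sshd[1203]: Accepted publickey for ubnt from 192.168.91.2
"""

LOG_RE = re.compile(
    r"\[(?P<ruleset>[\w-]+)-(?P<rule>\w+)-(?P<action>[ADR])\]\s*"
    r"IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Fields of one firewall log line, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("spt", "dpt"):
        rec[key] = int(rec[key]) if rec[key] else None
    return rec


def dropped_flows(log_text):
    """Count dropped packets per (in_if, src, dst, proto, dpt) so the noisy
    repeats from a retrying client collapse into one line."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "D":
            counts[(rec["in_if"], rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return counts


def accept_rule_commands(ruleset, rule_no, proto, dpt, network_group, description):
    """'set' commands for an accept rule shaped like the thread's rule 40:
    source limited to a network-group, one destination port, no logging."""
    base = f"set firewall name {ruleset} rule {rule_no}"
    return [
        f"{base} action accept",
        f'{base} description "{description}"',
        f"{base} protocol {proto.lower()}",
        f"{base} destination port {dpt}",
        f"{base} source group network-group {network_group}",
        f"{base} log disable",
    ]


def first_match(rules, pkt, default="drop"):
    """EdgeOS walks a ruleset in rule-number order and applies the first rule
    whose criteria all match; nothing later is consulted. Returns (number, action)."""
    for num in sorted(rules):
        crit = rules[num]
        if all(pkt.get(k) == v for k, v in crit.items() if k != "action"):
            return num, crit["action"]
    return None, default


# Toy ruleset: rule 10 is a broad "drop everything arriving on eth3" isolation
# rule (stand-in for a protected-LAN drop); the TCP/2195 accept is added either
# after it (rule 40, never reached) or before it (rule 5, reached).
PKT_2195 = {"in_if": "eth3", "proto": "TCP", "dpt": 2195}
RULES_ACCEPT_LATE = {10: {"in_if": "eth3", "action": "drop"},
                     40: {"proto": "TCP", "dpt": 2195, "action": "accept"}}
RULES_ACCEPT_FIRST = {5: {"proto": "TCP", "dpt": 2195, "action": "accept"},
                      10: {"in_if": "eth3", "action": "drop"}}

if __name__ == "__main__":
    for (in_if, src, dst, proto, dpt), n in dropped_flows(SAMPLE_LOG).most_common():
        print(f"{n:3d}x  {in_if}  {src} -> {dst}  {proto}/{dpt}")
    print("\n".join(accept_rule_commands(
        "restricted_lan_in", 40, "tcp", 2195, "IPC_catcamstarvlan", "Allow TCP/2195")))
    print("accept after drop:", first_match(RULES_ACCEPT_LATE, PKT_2195))
    print("accept before drop:", first_match(RULES_ACCEPT_FIRST, PKT_2195))
```

To use it against a real router, copy the relevant lines out of /var/log/messages (or pipe `tail -f` through it) in place of SAMPLE_LOG; the `[ruleset-rule-action]` prefix tells you which ruleset and which rule (or `default`) dropped the packet, which is exactly the information needed to decide where a new accept rule has to go.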
 
@guykuo First, thank you for writing this up!! It was incredibly helpful. I was able to follow your tutorial to set things up, had to change the camera LAN IP block but managed to fix up everything. I even got the OpenVPN setup work with my iphone client.

I had an ASUS router OpenVPN setup before. I normally VPN back home to check on the cameras and use my home ISP to check Internet content that is blocked in some parts of the world. With your EdgeRouter X OpenVPN setup, I was able to do the same - but with some challenges. Checking my LAN cameras was OK, a bit slower than the ASUS setup. But connecting to the outside Internet timed out most of the time, and was unreliably slow when it worked. EdgeRouter X CPU was barely 15% busy most of the time. Where would you recommend I troubleshoot this?
 
I think I found a fix. I changed the OpenVPN port (both server and client) from 443 to 1194, per instruction here: EdgeRouter - OpenVPN Server . I guess it has to do with browser on my iphone visiting web sites (https on port 443) and created a conflict. But my VPN knowledge is limited. However everything worked perfectly and very fast after I made the change!
 
The firmware versioning is very confusing

From the firmware page:

You can see that the smaller-numbered version has the more recent update date,
but the higher-numbered version is older. So which one do we go with? Any ideas? Thanks!

EdgeRouter ER-X/ER-X-SFP/EP-R6           Firmware v1.10.11          2020-03-11
EdgeRouter ER-X/ER-X-SFP/EP-R6/ER-10X    Firmware v2.0.8-hotfix.1   2020-03-10
 
Will this setup work with the ER4 using router-on-a-stick, set up with VLANs instead of physical LANs?
 
@GPSeek
Use the Newest Date......v1.10.11 BTW same Firmware as on my ER4 router....
 
Kudos to @guykuo for taking the time to document all of this and providing this opportunity to learn. I have a bit of a novice question about a portion of this:

1.) If the NVR has PoE ethernet ports, would it make sense to make use of those, and let the NVR assign 10.x.x.x IP addresses on its own using DHCP? Or, as the diagram implies, plug the cameras (and NVR) into a PoE switch, so static IPs can be manually set on each camera? (I was under the impression I could set static IPs on cameras directly connected to the NVR, but I guess that's not the case, it being a subnet controlled by the NVR.) If I go the direct connection route, would I need to tweak the configuration described in this thread to get it to work? (This is an Amcrest NV5208e.)

2.) If one wanted to use the limited LAN 3 for an IoT network, to keep this design simple and clean, I assume one would simply purchase a separate AP with a different SSID from what is being used on the Main LAN 1 and connect that to the LAN 3 ethernet port?
 
1) The separate PoE ports do provide an additional layer of network security. I personally like to connect cams to the PoE backplane of the NVR, as the NVR handles all connectivity & settings (e.g. the 10.x.x.x range), including some (local/temporary) port forwards in case one must connect to a PoE cam. There is nothing wrong with connecting your cams to a standalone PoE switch, but then you have to calculate the bandwidth consumption from that PoE switch to the LAN (uplink) port of your NVR. It's like having bought an NVR with 16-lane highway bandwidth on its private PoE ports, and you're using a single-lane ramp to enter the queue.

2) No experience with APs and how SSIDs can be linked, but from my experience with (for example) ASUS routers: if you are able to set up a "guest wifi", you can put your IoT gear on that wifi; on ASUS you can even tick "do not allow inter-client access" on that wifi. That makes it even more secure.

Hope this helps!
CC
 
Thanks for the step by step write up, this is great.

I had a question about using the guest VLAN; my terminology and understanding may be somewhat limited. I'm using a TP-Link EAP245 v3 AP for my wifi, which can handle the guest VLAN ID 1003 from the ER-X. (Setup: ATT Gateway > ER-X > 16-port switch > TP-Link AP). Am I able to use a dumb switch, or do I have to have a smart switch / 802.1Q-capable switch to pass the tagged VLAN ID in the headers to work with my AP?

My best understanding from researching is that dumb switches are hit or miss on passing the VLAN ID: some will, some won't. Some switches have 802.1p, which is QoS, but I assume it would be the same issue if they don't support 802.1Q.
If someone can expound on this or provide a suggestion that would be great.

Thanks!
 
@guykuo this is amazing work! Thank you so much for providing your config, and the detailed documentation! This is something that I've wanted to do for ages, but simply haven't had the time to fully educate myself on the matter. Your config file is what gave me the courage to embark on a roll-your-own home security system!

I was up and running within an hour. I have my main computers that need to talk to one another on LAN1, cameras and NVRPC on LAN2, my AP and VOIP on LAN4.

I'd like to separate all my gaming systems from LAN1 and place them on LAN3 so they can access the internet but not anything else on that LAN. However LAN3 seems to be configured to be restricted (by design) in a fashion that my XBOX gets "strict" NAT.

QUESTION: what would be the easiest approach to allowing gaming systems (plural) to operate efficiently on LAN3?
a) UPnP2 (wizard or manual)
b) port forwarding specific ports to specific IPs
c) firewall rules in conjunction with DNAT rules

I've tried all of the above with limited success. I was steered toward option c) by other users, but that resulted in "strict" NAT. I'm guessing there are rules elsewhere that are superseding my efforts at port forwarding?

Would you have to time to address this? I imagine the desire for a separate gaming LAN would be common one, so you'd likely be helping more than just me. :)
 
I don't have any gaming machines on my network. So, I can't test the following.

Basically, you must enable UPNP2 if you are using multiple Xboxes. Simple port forwarding would work with a single machine, but apparently not multiple. BTW, do not also have UPNP running simultaneously with UPNP2.

First, Remove the port forwarding rules and other changes you made attempting to get the Xboxes running.

The following should turn on UPNP2 service on LAN3 (which is eth3 in my config)
Also, adds a rule denying usage of the default port 3074 so each Xbox is forced to use different ports for connection.

Via the configuration text entry, enter the following. (You don't have to type in the empty lines. They are just for readability)


configure

set service upnp2 listen-on eth3
set service upnp2 wan eth0

set service upnp2 acl rule 10 action deny
set service upnp2 acl rule 10 description "deny 3074 default port"
set service upnp2 acl rule 10 external-port 3074
set service upnp2 acl rule 10 local-port 0-65535
set service upnp2 acl rule 10 subnet 192.168.93.0/24

commit
save
exit



You may need to power cycle the EdgeRouter and Xboxes to get them all playing nicely with the new setup.

Caveat: This opens LAN3 IoT devices to UPNP traffic. So, security on that subnet is pretty compromised if you have IoT devices.
You may instead want your gaming machines on LAN4, separate from IoT devices. In that case, change the above config commands to listen on eth4, and the subnet for the acl rule would be 192.168.94.0/24.
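When a console still reports "UPnP unsuccessful" after the steps above, the first thing to establish is whether the router's UPnP2 service (miniupnpd) is reachable from the console's LAN at all, before touching more firewall rules. The script below is an added example, not code from this thread or from Ubiquiti: run from a host on the same LAN as the console, it sends an SSDP M-SEARCH to the multicast group on UDP 1900 (the discovery step a console performs) and a NAT-PMP public-address request to the gateway on UDP 5351, and decodes the replies. If neither answers, the console never had a chance. The gateway address 192.168.93.1 is an assumption; the two sample replies at the bottom are constructed so the parsers can be exercised without a router.

```python
"""Added example, not from the thread: probe the router's UPnP2 (miniupnpd)
service from a host on the gaming LAN to separate a firewall/service problem
from a console problem. SSDP on UDP 1900 and NAT-PMP on UDP 5351 are the two
ports the thread mentions; the gateway address 192.168.93.1 is an assumption."""
import socket
import struct

SSDP_GROUP = ("239.255.255.250", 1900)
NATPMP_PORT = 5351
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery request; an IGD such as miniupnpd answers with a LOCATION header."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(data):
    """Headers of a unicast SSDP reply as a lower-cased dict, or None if not a 200."""
    lines = data.decode(errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def build_natpmp_public_address_request():
    """NAT-PMP (RFC 6886) opcode 0: ask the gateway for its external address."""
    return struct.pack("!BB", 0, 0)


def parse_natpmp_public_address_response(data):
    """Decode the 12-byte reply: version 0, opcode 128, result code, epoch, IPv4."""
    if len(data) < 12:
        return None
    version, opcode, result, epoch, ip = struct.unpack("!BBHI4s", data[:12])
    if version != 0 or opcode != 128:
        return None
    return {"result": result, "epoch": epoch, "external_ip": socket.inet_ntoa(ip)}


def probe(gateway_ip, timeout=2.0):
    """Send both probes on the wire and report what answered (needs the network)."""
    found = {"ssdp": None, "natpmp": None}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.sendto(build_msearch(), SSDP_GROUP)
        try:
            data, addr = s.recvfrom(4096)
            found["ssdp"] = (addr[0], parse_ssdp_response(data))
        except socket.timeout:
            pass
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_natpmp_public_address_request(), (gateway_ip, NATPMP_PORT))
        try:
            data, _ = s.recvfrom(64)
            found["natpmp"] = parse_natpmp_public_address_response(data)
        except socket.timeout:
            pass
    return found


# Constructed sample replies (not captured from a real router) for offline checks.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.93.1:5000/rootDesc.xml\r\n\r\n"
)
SAMPLE_NATPMP_REPLY = struct.pack("!BBHI4s", 0, 128, 0, 3600, socket.inet_aton("198.51.100.7"))

if __name__ == "__main__":
    print(probe("192.168.93.1"))
```

A LOCATION pointing at the router's LAN3 address means discovery works and the remaining problem is in the port-mapping step (the ACL, a conflicting `service upnp`, or the console's port choice); no SSDP reply at all points at `listen-on` or a rule dropping UDP 1900 before it reaches the router.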
 
Thanks for the quick reply! I already place my IOT devices on LAN4, so no worries--they'll remain there and LAN3 will be just for UPnP gaming systems. :)

I like to understand what I'm doing--essentially here you're just using the console to enable UPnP2, and adding a rule forbidding the use of port 3074--forcing XBOXes to choose a different port. I've got that right?

I've deleted all my old port forwards and DNAT attempts. I successfully changed my configuration as above, but I still end up with moderate NAT after restarting the router, and pulling the power on my XBOX to clear its cache and rebooting.

Do I require additional rules higher up that allow UPnP UDP port 1900 and NAT-PMP UDP port 5351 to communicate on eth3? I read elsewhere that someone had to do that in conjunction with UPnP2 to get XBOX to "open" NAT, but didn't know where exactly to put those rules within your custom configuration.

I'd previously set my XBOX to use port 56834 instead of 3074--which I think is what the rule would have accomplished automatically...
 
You correctly understand the config changes made re UPNP2.

I'm surprised that one would also need the additional port rules, but you would put accept rules for those ports from eth3 in the restrict_LANs_In rules, right after the Prevent Access of Protected LANS rule.
 
Hmmmm. I'm guessing the syntax of my rules isn't correct? I'm still getting the "UPnP unsuccessful" message on XBOX and moderate NAT...

Code:
        rule 40 {
            action accept
            description "J UPnP2 udp 1900"
            destination {
                address 192.168.93.82
                port 1900
            }
            log disable
            protocol udp
            source {
                group {
                    address-group NETv4_eth3
                }
            }
        }
        rule 50 {
            action accept
            description "J NAT-PMP udp 5351"
            destination {
                address 192.168.93.82
                port 5351
            }
            log disable
            protocol udp
            source {
                group {
                    address-group NETv4_eth3
                }
            }
        }
 
192.168.93.82 is the source, not destination

Also, might need to double check regular UPNP is not also active.

delete service upnp
commit
save
 
I reversed the rules and still no luck. I ensured there was no upnp service active.

I actually ended up deleting the UPnP2 service, deleting all my firewall/DNAT rules and just went with bog-standard port forwarding. This enabled "open" NAT on my XBOX.

Thanks for the help! I guess whenever I get around to playing my other consoles I'll set up port forwards for them as well. :)
 
when will you update to the UDM or UDM Pro and then post surv network isolation suggestions? :)
 
I personally do not follow you putting all your cams in a physically separated network while you have all the bells and whistles to hook your PoE switch into a VLAN.

I agree. Wire your network like this...
[attachment 54267: network wiring diagram]

The EdgeRouter will do the desired isolation of the camera network while still allowing your Main LAN computers (and VPN) to administer and view cameras directly. It is also useful for remotely power cycling cameras on "smart" POE switches. All my POE+ switches have remote management. That lets me reboot any camera that gets into trouble. That is super handy when I'm out of town and notice a camera is wonky. It's rare, but nice to be able to fix things remotely. Changed to smart POE switches after a trip that included half my cameras going off line for some reason. Could not do anything about the system being crippled until returning home. Now I can reach in and reboot any camera.

My gosh thank you so much for taking the time and effort to put all of this together. I want to get started on this right now! I have my system already installed and I have it wired in physically, but want to isolate each LAN like you have them isolated. However, one of my questions is I have the Edge Router X and it is being powered by the POE In piece. I think the reason I initially set it up like this was that my ubiquiti Long Range AP is in the ceiling. I am using the POE out to give it power.

How would you recommend getting around this? I am completely open to buying some hardware if needed. What I was thinking would be to power the Edge Router with standard AC 12V plug in. Then get a POE switch for LAN1 and that would then power the ubiquiti AP that is in the ceiling. What would be your suggestions?