Not sure if anyone has experience with Ubiquiti Edgerouters…
The ISP has provided me 2 public IPs. For this example, I have Public IP “A” and Public IP “B” assigned to eth0 with Proxy ARP enabled.
ETH1 has LAN subnet A and ETH2 has LAN subnet B. I want LAN subnet A to use Public IP A… LAN subnet B to use Public IP B.
LAN subnet A's NAT setting is using masquerade. Working fine; Public IP A comes up using “whatismyip”.
Created an SNAT rule for LAN subnet B with a translation IP of Public IP B, outbound port is eth0. Moved this rule ABOVE the masquerade rule. As soon as I do that, LAN subnet B loses internet connectivity.
I know I’m doing this right because I have another edgerouter to test with. When I do this on a DSL line that I have with the same ISP, on which I have 2 static IPs to use, it works perfectly fine. But it does not work on this new fiber connection.
I tried calling the ISP; no help at all. However, they did make a comment that they could only see 1 public IP of mine, not the other. Another thing to note about this ISP: in the past, they required me to provide the MAC address of a device I wanted the public IP assigned to, and it had to be 2 separate devices; I could not get them to assign both IPs to the same MAC. However, they don’t require this anymore. I’ve called multiple times to verify this.
I’m starting to wonder if this is even possible now? Why would this work perfectly fine on a DSL line and not on this fiber circuit?
Could be a network auth issue, where they wanted you to provide two separate MAC addresses before. Then, depending on your ER model, use two ports. I know the ERL has only 3, so that's a little more difficult. I have an ERX and it has 5 ports.
Same gateway for both IPs, and they are statically assigned.
Here are the router configs, along with the routing table and the eth0 interface listing both IPs.
You probably noticed the firewall rule I created to allow ICMP. For testing I was pinging both IPs externally. I was only getting a reply from x.98… NOT x.99
:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group RemoteUniFiSites {
            address x.x.x.218
            address x.x.x.73
            address x.x.x.179
            description "Remote Sites With Unifi"
        }
        network-group corp_network {
            description ""
            network 172.16.20.0/24
            network 172.16.17.0/24
        }
        network-group lan_networks {
            network 172.16.20.0/24
            network 172.16.16.0/23
            network 172.18.10.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name ETH1 {
        default-action accept
        description ""
        rule 1 {
            action accept
            description Established,Related
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Unifi Controller Communication"
            destination {
                port 8080
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Unifi STUN"
            destination {
                port 3478
            }
            log disable
            protocol udp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address x.x.x.98/24
        address x.x.x.97/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        ip {
            enable-proxy-arp
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.20.254/24
        description "Wifi MGMT"
        duplex auto
        firewall {
            out {
                name ETH1
            }
        }
        speed auto
        vif 16 {
            address 172.16.17.254/23
            description Wifi
            mtu 1500
        }
    }
    ethernet eth2 {
        address 172.18.10.254/24
        description eth2
        duplex auto
        ip {
        }
        speed auto
    }
    ethernet eth3 {
        description eth3
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative disable
            subnet 172.18.10.0/24 {
                default-router 172.18.10.254
                dns-server 1.1.1.1
                dns-server 9.9.9.9
                lease 86400
                start 172.18.10.50 {
                    stop 172.18.10.100
                }
            }
        }
        shared-network-name Wifi {
            authoritative disable
            subnet 172.16.16.0/23 {
                default-router 172.16.17.254
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 172.16.16.15 {
                    stop 172.16.17.200
                }
            }
        }
        shared-network-name Wifi_MGMT {
            authoritative disable
            subnet 172.16.20.0/24 {
                default-router 172.16.20.254
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 172.16.20.20 {
                    stop 172.16.20.200
                }
                unifi-controller 172.16.20.10
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description WAN2
            log disable
            outbound-interface eth0
            outside-address {
                address x.x.x.97
            }
            protocol all
            source {
                address 172.18.10.0/24
            }
            type source
        }
        rule 5001 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
        rule 5002 {
            description "Hairpin Unifi Controller"
            destination {
                address 172.16.20.10
                port 8080
            }
            log disable
            outbound-interface eth1
            outside-address {
            }
            protocol tcp
            source {
                address 172.16.20.0/24
            }
            type masquerade
        }
        rule 5003 {
            description "Hairpin Unifi STUN"
            destination {
                address 172.16.20.10
                port 3478
            }
            log disable
            outbound-interface eth1
            outside-address {
            }
            protocol udp
            source {
                address 172.16.20.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address x.x.x.1
    host-name RTR
    name-server 9.9.9.9
    name-server 1.1.1.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi disable
        export disable
    }
}
RTR:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [1/0] via x.x.x.1, eth0
C *> 127.0.0.0/8 is directly connected, lo
C *> 172.16.16.0/23 is directly connected, eth1.16
C *> 172.16.20.0/24 is directly connected, eth1
C *> 172.18.10.0/24 is directly connected, eth2
C *> x.x.x.0/24 is directly connected, eth0
C x.x.x.0/24 is directly connected, eth0
RTR:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether f0:9f:c2:1b:c9:8f brd ff:ff:ff:ff:ff:ff
inet x.x.x.98/24 brd x.x.x.255 scope global eth0
valid_lft forever preferred_lft forever
inet x.x.x.97/24 brd x.x.x.255 scope global secondary eth0
valid_lft forever preferred_lft forever
inet6 scope link
valid_lft forever preferred_lft forever
Description: Internet
RX: bytes packets errors dropped overrun mcast
137946228378 129153490 0 0 0 0
TX: bytes packets errors dropped carrier collisions
21637682845 69476476 0 0 0 0
RTR:~$ show interfaces ethernet eth2
eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether f0:9f:c2:1b:c9:91 brd ff:ff:ff:ff:ff:ff
inet 172.18.10.254/24 brd 172.18.10.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 scope link
valid_lft forever preferred_lft forever
Description: eth2
RX: bytes packets errors dropped overrun mcast
9580196 90573 0 0 0 768
TX: bytes packets errors dropped carrier collisions
443367061 326715 0 0 0 0
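Added example, not from this thread and not Ubiquiti code: a small parser for the `show configuration` brace format posted above, plus a check of the two things that most often break a per-subnet SNAT setup. EdgeOS applies source NAT rules in ascending rule number and the first match wins, so a catch-all masquerade that sorts before the SNAT rule takes subnet B's packets before the SNAT rule ever sees them; and a translation address that is not actually configured on the outbound interface cannot be answered on the wire. `SAMPLE_CONFIG` is a trimmed copy of the configuration above with 203.0.113.0/24 (TEST-NET-3) standing in for the redacted x.x.x prefix; all function names are mine.

```python
# Parse an EdgeOS `show configuration` dump and audit its source-NAT rules.
# Constructed example for this thread, not Ubiquiti code. SAMPLE_CONFIG is a
# trimmed copy of the configuration posted above, with the redacted x.x.x
# prefix replaced by 203.0.113 (TEST-NET-3) so the addresses are well-formed.
import shlex

SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address 203.0.113.98/24
        address 203.0.113.97/24
    }
}
service {
    nat {
        rule 5000 {
            outbound-interface eth0
            outside-address {
                address 203.0.113.97
            }
            source {
                address 172.18.10.0/24
            }
            type source
        }
        rule 5001 {
            description "masquerade for WAN"
            outbound-interface eth0
            source {
                group {
                }
            }
            type masquerade
        }
    }
}
"""

def parse_edgeos(text):
    """Brace syntax -> tree of (tokens, children); repeated keys stay separate nodes."""
    root = []
    stack = [root]                      # stack[-1] is the innermost open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("show configuration"):
            continue                    # blank line or the shell prompt
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = (tuple(shlex.split(line[:-1])), [])   # shlex keeps "quoted values" whole
            stack[-1].append(node)
            stack.append(node[1])
        else:
            stack[-1].append((tuple(shlex.split(line)), []))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root

def blocks(nodes, *prefix):             # every node whose leading tokens equal prefix
    return [(t, c) for t, c in nodes if t[:len(prefix)] == prefix]

def block(nodes, *prefix):              # children of the first such node, [] if absent
    found = blocks(nodes, *prefix)
    return found[0][1] if found else []

def values(nodes, key):                 # values of every `key value` leaf; keys may repeat
    return [t[1] for t, c in nodes if t[0] == key and len(t) > 1 and not c]

def interface_addresses(root):
    """Interface name -> set of configured addresses, prefix length stripped."""
    return {toks[1]: {a.split("/")[0] for a in values(kids, "address")}
            for toks, kids in blocks(block(root, "interfaces"), "ethernet")}

def nat_rules(root):
    """NAT rules in the order EdgeOS evaluates them (ascending rule number)."""
    rules = []
    for toks, kids in blocks(block(block(root, "service"), "nat"), "rule"):
        src = block(kids, "source")     # address-based match only: literal address or network group
        rules.append({"number": int(toks[1]), "type": values(kids, "type")[0],
                      "interface": (values(kids, "outbound-interface") or [None])[0],
                      "source": values(src, "address") + values(block(src, "group"), "network-group"),
                      "outside": values(block(kids, "outside-address"), "address")})
    return sorted(rules, key=lambda r: r["number"])

def audit_source_nat(root):
    """Source NAT is first-match in ascending rule number, so an unrestricted masquerade
    that sorts before a specific SNAT rule swallows that rule's traffic. Also flag a
    translation address that is not configured on the rule's outbound interface."""
    findings, addrs, catch_all = [], interface_addresses(root), {}
    for r in nat_rules(root):
        if r["type"] not in ("source", "masquerade"):
            continue
        iface = r["interface"]
        if iface in catch_all:
            findings.append(f"rule {r['number']} is shadowed by catch-all rule {catch_all[iface]} on {iface}")
        for ip in r["outside"]:
            if ip not in addrs.get(iface, set()):
                findings.append(f"rule {r['number']} translates to {ip}, which is not configured on {iface}")
        if not r["source"]:
            catch_all.setdefault(iface, r["number"])   # first unrestricted rule on this interface
    return findings
```

`audit_source_nat(parse_edgeos(SAMPLE_CONFIG))` returns no findings: rule 5000 sorts before the catch-all 5001 and its outside address is on eth0, which is what one would expect from the rules as posted. Renumbering the SNAT rule past the masquerade (`SAMPLE_CONFIG.replace("rule 5000 {", "rule 5999 {")`) makes the audit report `rule 5999 is shadowed by catch-all rule 5001 on eth0`, and pointing `outside-address` at an address that is not on eth0 is reported the same way. A clean audit on the real config is a reason to look at the ISP side of the link rather than at the NAT table.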
I’m looking at my config right now and I’m realizing that I cannot ping the additional WAN IP addresses. In my case, the additional addresses are all used for port forwarding/dnat which they work fine for (I disabled the dnat rule to test the ping), but it’s curious that the WAN interface won’t respond to all of its addresses.
Have you tried adding a complementary DNAT rule? Maybe it needs that to work?
I’d experiment more on my end, but the unit is remote. I can’t afford to lock myself out of it.
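Added diagnostic, not part of this thread and not Ubiquiti code: when the router does not answer pings on a secondary WAN address, the first question is whether the ISP gateway is even ARPing for that address on the segment. EdgeOS is Debian-based and ships tcpdump, so `sudo tcpdump -e -n -i eth0 arp` on the router, run while each public address is pinged from outside, shows that directly. The script below classifies such a capture per public address. It assumes tcpdump's usual ARP line format (`Request who-has A tell B`, `Reply A is-at MAC`, with the link-layer header from `-e`); the constructed `SAMPLE_CAPTURE` uses TEST-NET-3 addresses in place of x.x.x, the eth0 MAC from the interface output above, and an invented gateway MAC. A Linux router answers ARP for every address configured on the interface, secondary ones included, so "gateway asked, no reply" and "gateway never asked" both point away from the NAT rules.

```python
# Classify the ARP traffic seen on the WAN port for each public address.
# Constructed example for this thread, not Ubiquiti code. Input is the text
# output of `tcpdump -e -n -i eth0 arp` (run on the EdgeRouter while each
# public address is pinged from outside). SAMPLE_CAPTURE is made up: TEST-NET-3
# addresses stand in for x.x.x, the router MAC is the eth0 link/ether from the
# post above, and the gateway MAC is invented.
import re

ROUTER_MAC = "f0:9f:c2:1b:c9:8f"
GATEWAY_IP = "203.0.113.1"
PUBLIC_IPS = ("203.0.113.98", "203.0.113.97")

# In this constructed capture the gateway resolves .98 and the router answers;
# it asks for .97 twice and nothing on the segment replies.
SAMPLE_CAPTURE = """\
10:00:01.000100 00:00:5e:00:01:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.98 tell 203.0.113.1, length 46
10:00:01.000250 f0:9f:c2:1b:c9:8f > 00:00:5e:00:01:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.98 is-at f0:9f:c2:1b:c9:8f, length 28
10:00:05.000100 00:00:5e:00:01:01 > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.97 tell 203.0.113.1, length 46
10:00:06.000100 00:00:5e:00:01:01 > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.97 tell 203.0.113.1, length 46
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
FRAME = re.compile(rf"^\S+ (?P<src>{MAC}) > \S+, ethertype ARP")
REQUEST = re.compile(r"Request who-has (?P<target>[^\s,]+)(?: \([^)]*\))? tell (?P<sender>[^\s,]+)")
REPLY = re.compile(rf"Reply (?P<ip>[^\s,]+) is-at (?P<mac>{MAC})")

# Verdict codes returned by arp_verdicts() and what each one means in practice.
VERDICTS = {
    "not-requested": "gateway never asked for it: no traffic for this address reached the segment during the test",
    "no-reply": "gateway asked, router did not answer: Linux answers ARP for every configured address, "
                "so confirm the address is on eth0 and nothing in front of the router filters it",
    "conflict": "another MAC answered: a second device on the ISP segment holds this address",
    "ok": "resolved to this router: layer 2 is fine, look at NAT and firewall instead",
}

def parse_arp_line(line):
    """('request', target, asker, src_mac) / ('reply', ip, claimed_mac, src_mac) / None."""
    frame = FRAME.match(line)
    if frame is None:
        return None
    if m := REQUEST.search(line):
        return ("request", m["target"], m["sender"], frame["src"])
    if m := REPLY.search(line):
        return ("reply", m["ip"], m["mac"], frame["src"])
    return None

def arp_verdicts(capture, public_ips=PUBLIC_IPS, router_mac=ROUTER_MAC, gateway_ip=GATEWAY_IP):
    """Per public address, one of the VERDICTS codes."""
    asked = {ip: 0 for ip in public_ips}
    answered = {ip: set() for ip in public_ips}
    for line in capture.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None or parsed[1] not in asked:
            continue
        kind, ip, third = parsed[0], parsed[1], parsed[2]
        if kind == "request" and third == gateway_ip:
            asked[ip] += 1                 # only the upstream gateway's requests count
        elif kind == "reply":
            answered[ip].add(third)        # the MAC the replier claims for the address
    verdicts = {}
    for ip in public_ips:
        if answered[ip] - {router_mac}:
            verdicts[ip] = "conflict"
        elif router_mac in answered[ip]:
            verdicts[ip] = "ok"
        elif asked[ip]:
            verdicts[ip] = "no-reply"
        else:
            verdicts[ip] = "not-requested"
    return verdicts
```

On the sample capture `arp_verdicts(SAMPLE_CAPTURE)` returns `ok` for .98 and `no-reply` for .97; map the codes through `VERDICTS` for the plain-language reading. Requests that come from anything other than the configured gateway IP are ignored on purpose, so a neighbour on the same ISP segment probing the address does not masquerade as the upstream router. Running the capture on the DSL router that works gives the baseline to compare against.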
Understandable with not wanting to lock yourself out.
I can try creating a DNAT rule and see if that helps at all.
Also to note, I have an ERPOE-5 hooked up to a DSL circuit, doing the exact same setup. It works exactly how I want it. And I can also ping both WAN IPs remotely.
Which is making me question how the ISP handles nodes on their network.