Datacenter et équipements réseaux => Routeurs => Ubiquiti => Discussion démarrée par: julien250889 le 29 août 2022 à 11:09:30
-
Bonjour à tous,
C'est mon premier post sur ce site, donc n'hésitez pas à me dire si je ne poste pas au bon endroit ou s'il vous manque des infos.
Voilà : pour l'entreprise de 30 salariés de mes parents, j'ai mis un EdgeRouter 12P derrière une connexion prioritaire fibre Orange Pro (avec DMZ vers le routeur) et, en backup, une connexion 4G chez Free sur un routeur Huawei en mode bridge.
Cela tourne plus ou moins bien depuis environ 2 ans, mais j'ai quand même deux problèmes :
- le premier problème est un problème de performance sur le lien fibre Orange : directement derrière la Livebox je tourne à bien 800MB, alors que derrière le routeur je dépasse rarement les 200... J'utilise pour le test directement derrière la Livebox le même câble que celui qui relie le routeur.
- le 2ème problème, c'est que le failover ne se fait pas automatiquement : lorsque je perds la fibre, je dois redémarrer l'EdgeRouter pour que celui-ci passe sur la 4G ; par contre, le retour sur la fibre lorsqu'elle est de nouveau opérationnelle se fait bien tout seul, sans problème...
Je suis loin d'être expert réseau, mon truc c'est plutôt la messagerie Exchange et la téléphonie Teams ;)
Je poste la config dans le message suivant, car on ne peut pas faire de messages de plus de 2000 caractères...
Je vous remercie tous d'avance pour votre aide :)
-
/* Firewall rule-sets, address/network groups and global IP-option switches.
   Rule-sets are attached to interfaces in the interfaces section: "in" filters
   traffic transiting the router, "local" filters traffic addressed to the router. */
firewall {
all-ping enable
broadcast-ping disable
/* LAN_NET = the trusted networks (vif 10 LAN and vif 1 MGMT). PRIVATE_NETS = all
   RFC 1918 space. DMZ 192.168.20.0/24, GuestWifi 192.168.30.0/24 and
   CamerasAlarmePortier 192.168.40.0/24 are inside PRIVATE_NETS but NOT inside
   LAN_NET; every "Drop ... to LAN" rule below matches LAN_NET only. */
group {
network-group LAN_NET {
network 192.168.10.0/24
network 192.168.1.0/24
}
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
/* NOTE(review): martian logging is off and source-validation (below) is disabled,
   so spoofed source addresses are neither logged nor dropped by the kernel; the
   default-drop WAN_IN / WAN_LOCAL rule-sets are what protects the inside. */
log-martians disable
/* Policy-routing rule-set, attached "in" on switch0 and on every vif: destinations
   in private space or one of the WANs' own addresses stay in the main routing
   table, everything else is handed to load-balance group G (rule 140). */
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
/* ADDRv4_eth8 / ADDRv4_eth9 are not defined in this file; presumably the
   auto-maintained address-groups holding each WAN's current DHCP address. */
rule 100 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth8
}
}
modify {
table main
}
}
rule 110 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth9
}
}
modify {
table main
}
}
rule 140 {
action modify
modify {
lb-group G
}
}
}
/* Transit traffic entering from vif 40 (cameras / alarm / door VLAN). Default
   accept: rule 40 drops only NEW connections toward LAN_NET, so devices on this
   VLAN can still open connections to the DMZ, the guest VLAN and the Internet.
   Rule 10 has no source match, so ANY host on the VLAN may reach syslog 514 on
   LAN_NET; rules 20/30 let 192.168.40.6 push video on UDP 4005 / 8112. */
name CamerasAlarmePortier-in {
default-action accept
description ""
rule 10 {
action accept
description "Allow CamerasAlaramePortier to LAN Syslog"
destination {
group {
network-group LAN_NET
}
port 514
}
log disable
protocol tcp_udp
}
rule 20 {
action accept
description "Allow Cameras to LAN IP Video 4005 UDP"
destination {
group {
network-group LAN_NET
}
port 4005
}
log disable
protocol udp
source {
address 192.168.40.6
}
}
rule 30 {
action accept
description "Allow Cameras to LAN IP Video 8112 UDP"
destination {
group {
network-group LAN_NET
}
port 8112
}
log disable
protocol udp
source {
address 192.168.40.6
}
}
rule 40 {
action drop
description "Drop CamerasAlarmePortier to LAN"
destination {
group {
network-group LAN_NET
}
}
log disable
protocol all
state {
established disable
invalid disable
new enable
related disable
}
}
}
/* Traffic from vif 40 addressed to the router itself: only DNS (53) and DHCP (67)
   are accepted; SSH (22) and the web GUI (80/443) are not reachable from here. */
name CamerasAlarmePortier-local {
default-action drop
description ""
rule 1 {
action accept
description "Allow DNS"
destination {
port 53
}
log disable
protocol tcp_udp
}
rule 2 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
}
}
/* Transit traffic entering from vif 20 (DMZ). As for the camera VLAN, only NEW
   connections toward LAN_NET are dropped. NOTE(review): the DMZ hosts
   192.168.20.16 and 192.168.20.206 receive Internet-facing port-forwards, yet
   may still initiate connections into the guest and camera VLANs. Matching
   destination network-group PRIVATE_NETS here instead of LAN_NET would confine
   a compromised DMZ host to the Internet only. */
name DMZ-in {
default-action accept
description ""
rule 1 {
action drop
description "Drop DMZ to LAN"
destination {
group {
network-group LAN_NET
}
}
log disable
protocol all
state {
established disable
invalid disable
new enable
related disable
}
}
}
/* Traffic from vif 20 addressed to the router itself: DNS and DHCP only. */
name DMZ-local {
default-action drop
description ""
rule 1 {
action accept
description "Allow DNS"
destination {
port 53
}
log disable
protocol tcp_udp
}
rule 2 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
}
}
/* Transit traffic from the Internet, attached "in" on eth8 and eth9. Default drop.
   Ports published by port-forward are admitted automatically (port-forward
   auto-firewall enable). Rule 20 is the manual counterpart of NAT rule 11: the
   firewall sees the post-DNAT destination 192.168.10.4:9100, and the rule
   additionally pins a single external source - the pattern to reuse if other
   published services have known clients. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow Skyged to printer atelier"
destination {
address 192.168.10.4
port 9100
}
log disable
protocol tcp
source {
address xx.xx.xxx.157
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Traffic from the Internet to the router itself: only replies to flows the
   router started; SSH (22) and the GUI (80/443) are not exposed on either WAN. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Transit traffic entering from vif 30 (guest Wi-Fi). Rule 1 drops everything to
   LAN_NET with no state match, so even replies to LAN-initiated connections into
   the guest VLAN are dropped. Guests can still reach the DMZ and the camera VLAN
   directly; hairpin NAT rule 6 (service nat) relies on that to serve the camera
   recorder on 37777 to guests. NOTE(review): if only that stream is intended,
   drop guest traffic to PRIVATE_NETS and accept 192.168.40.7 port 37777
   explicitly in a lower-numbered rule. */
name WifiGuest-In {
default-action accept
description ""
rule 1 {
action drop
description "Drop Guest to LAN"
destination {
group {
network-group LAN_NET
}
}
log disable
protocol all
}
}
/* Traffic from vif 30 addressed to the router itself: DNS and DHCP only. */
name WifiGuest-local {
default-action drop
description ""
rule 1 {
action accept
description "Allow DNS"
destination {
port 53
}
log disable
protocol tcp_udp
}
rule 2 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
}
}
receive-redirects disable
/* The router emits ICMP redirects - TODO confirm this is wanted on the DMZ and
   guest VLANs; it is not needed for the routing in this file. */
send-redirects enable
/* NOTE(review): no reverse-path check on incoming packets. "loose" is usually
   compatible with dual-WAN setups, "strict" may break them - test before enabling. */
source-validation disable
syn-cookies enable
}
/* Physical ports, the two DHCP WAN uplinks and the VLAN-aware switch with one vif
   per VLAN. */
interfaces {
/* eth0-eth7 are members of switch0 (see switch-port below); eth3-eth5 feed their
   attached devices with 24V passive PoE. */
ethernet eth0 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth1 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth5 {
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth6 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth7 {
duplex auto
poe {
output off
}
speed auto
}
/* Primary WAN: address obtained by DHCP from the Livebox (which, per the post,
   has a DMZ pointing at this router). WAN_IN / WAN_LOCAL rule-sets attached. */
ethernet eth8 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
/* Backup WAN: the 4G Huawei router in bridge mode (per the post), same rule-sets.
   Whether it is used is decided by load-balance group G. */
ethernet eth9 {
address dhcp
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
/* eth10 / eth11: unused, administratively disabled. */
ethernet eth10 {
disable
duplex auto
speed auto
}
ethernet eth11 {
disable
duplex auto
speed auto
}
/* VLAN-aware switch. NOTE(review): every member port except eth2 (pvid 40,
   untagged camera VLAN) has pvid 1, so an untagged device plugged into eth0, 1,
   3, 4, 5, 6 or 7 lands in MGMT 192.168.1.0/24, which is part of LAN_NET. A
   dedicated "parking" VLAN as pvid on the AP/uplink ports would avoid that. */
switch switch0 {
description Local
firewall {
in {
modify balance
}
}
mtu 1500
switch-port {
interface eth0 {
vlan {
pvid 1
vid 10
}
}
interface eth1 {
vlan {
pvid 1
vid 10
vid 20
}
}
interface eth2 {
vlan {
pvid 40
}
}
interface eth3 {
vlan {
pvid 1
vid 30
vid 10
}
}
interface eth4 {
vlan {
pvid 1
vid 30
vid 10
}
}
interface eth5 {
vlan {
pvid 1
vid 30
vid 10
}
}
interface eth6 {
vlan {
pvid 1
}
}
interface eth7 {
vlan {
pvid 1
vid 10
vid 30
}
}
vlan-aware enable
}
/* One vif per VLAN; the "modify balance" rule-set does the policy routing on all
   of them. The MGMT (vif 1) and LAN (vif 10) vifs carry no "in"/"local"
   filtering rule-set at all: full access to every other VLAN and to the router. */
vif 1 {
address 192.168.1.1/24
description MGMT
firewall {
in {
modify balance
}
}
}
vif 10 {
address 192.168.10.1/24
description LAN
firewall {
in {
modify balance
}
}
}
/* DMZ: DMZ-in filters transit, DMZ-local filters access to the router; the empty
   out {} block is a no-op. */
vif 20 {
address 192.168.20.1/24
description DMZ
firewall {
in {
modify balance
name DMZ-in
}
local {
name DMZ-local
}
out {
}
}
mtu 1500
}
/* Guest Wi-Fi: WifiGuest-In / WifiGuest-local; empty out {} block is a no-op. */
vif 30 {
address 192.168.30.1/24
description GuestWifi
firewall {
in {
modify balance
name WifiGuest-In
}
local {
name WifiGuest-local
}
out {
}
}
mtu 1500
}
/* Cameras / alarm / door VLAN: CamerasAlarmePortier-in / -local; empty out {}
   block is a no-op. */
vif 40 {
address 192.168.40.1/24
description CamerasAlarmePortier
firewall {
in {
modify balance
name CamerasAlarmePortier-in
}
local {
name CamerasAlarmePortier-local
}
out {
}
}
mtu 1500
}
}
}
-
/* Dual-WAN group referenced by firewall modify rule 140. eth8 (fibre) is the
   active link; eth9 (4G) is failover-only and takes over only when the watchdog
   declares eth8 failed. lb-local disable keeps the router's own traffic out of
   the balancing. */
load-balance {
group G {
exclude-local-dns disable
/* Connection-tracking entries are flushed when a link becomes active, so
   existing flows are re-established on the new link. */
flush-on-active enable
gateway-update-interval 20
/* NOTE(review): eth8 has no explicit route-test, so its health is judged by the
   EdgeOS defaults. The post says failover to 4G only happens after a reboot,
   which suggests the watchdog never marks eth8 as failed while the Livebox keeps
   the link up and the DHCP lease valid. Check `show load-balance status` and
   `show load-balance watchdog` during a fibre outage, and consider an explicit
   route-test here (ping of a public address) so that loss of upstream is
   detected even though the link stays up. */
interface eth8 {
weight 50
}
/* Backup link; the weight is presumably irrelevant while failover-only is set. */
interface eth9 {
failover-only
/* Probe 1.1.1.1 every 10 s (route-test on this interface) to decide whether the
   4G link is usable. */
route-test {
initial-delay 1
interval 10
type {
ping {
target 1.1.1.1
}
}
}
weight 50
}
lb-local disable
lb-local-metric-change enable
}
}
/* Destination NAT for services published on the primary WAN. wan-interface is
   eth8 only, so none of these forwards applies on the 4G backup. auto-firewall
   enable inserts the matching accept rules into WAN_IN (with no source match,
   i.e. reachable from any Internet address); hairpin-nat enable lets clients on
   the listed lan-interfaces reach the services via the public address (the MGMT
   vif switch0.1 and the guest vif switch0.30 are not listed).
   NOTE(review): SSH (rules 1, 5), the "SQL" port 3000 (rule 6), Plesk 8443
   (rule 7), the camera recorder 37777/8080 (rules 2, 3) and the alarm panel
   10000 (rule 4) are administrative surfaces exposed to the whole Internet.
   Where the clients are known, restrict them by source the way WAN_IN rule 20
   does for the printer, or publish them through a VPN instead. */
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0.10
lan-interface switch0.20
lan-interface switch0.40
rule 1 {
description "SSH web2"
forward-to {
address 192.168.20.16
port 2225
}
original-port 2225
protocol tcp
}
rule 2 {
description "Video Cameras"
forward-to {
address 192.168.40.7
port 37777
}
original-port 37777
protocol tcp
}
rule 3 {
description "Web Cameras"
forward-to {
address 192.168.40.7
port 8080
}
original-port 8080
protocol tcp
}
rule 4 {
description "Alarme intrusion"
forward-to {
address 192.168.40.8
port 10000
}
original-port 10000
protocol tcp
}
rule 5 {
description "SSH web3"
forward-to {
address 192.168.20.206
port 2226
}
original-port 2226
protocol tcp
}
rule 6 {
description "SQL web1"
forward-to {
address 192.168.20.206
port 3000
}
original-port 3000
protocol tcp
}
rule 7 {
description "Plesk web2"
forward-to {
address 192.168.20.16
port 8443
}
original-port 8443
protocol tcp
}
/* Rules 8/9 publish the DMZ web host on 80/443; on the WAN side these DNATs are
   applied before the router's own GUI (service gui, same ports) would see the
   packets. */
rule 8 {
description "Plesk web2"
forward-to {
address 192.168.20.16
port 80
}
original-port 80
protocol tcp
}
rule 9 {
description "Plesk web2"
forward-to {
address 192.168.20.16
port 443
}
original-port 443
protocol tcp
}
wan-interface eth8
}
/* Router-hosted services: DHCP, DNS forwarding, web GUI, static NAT, SSH, UNMS. */
service {
/* One DHCP scope per VLAN; the router is gateway and DNS server of each scope.
   Leases are served by dnsmasq (use-dnsmasq enable). */
dhcp-server {
disabled false
hostfile-update disable
shared-network-name CamerasAlarmePortier {
authoritative enable
subnet 192.168.40.0/24 {
default-router 192.168.40.1
dns-server 192.168.40.1
domain-name CamerasAlarmePortier
lease 86400
start 192.168.40.10 {
stop 192.168.40.200
}
}
}
shared-network-name DMZ {
authoritative enable
subnet 192.168.20.0/24 {
default-router 192.168.20.1
dns-server 192.168.20.1
domain-name DMZ
lease 86400
start 192.168.20.10 {
stop 192.168.20.200
}
}
}
shared-network-name LAN_LOCAL {
authoritative enable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 192.168.10.1
domain-name lol.local
lease 86400
start 192.168.10.10 {
stop 192.168.10.200
}
}
}
/* MGMT scope (small pool, .10-.20) also hands out the UniFi controller address,
   which lives on the LAN VLAN (192.168.10.200) - presumably for AP adoption. */
shared-network-name MGMT {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
domain-name lol.local
lease 86400
start 192.168.1.10 {
stop 192.168.1.20
}
unifi-controller 192.168.10.200
}
}
shared-network-name WifiGuest {
authoritative enable
subnet 192.168.30.0/24 {
default-router 192.168.30.1
dns-server 192.168.30.1
domain-name WifiGuest
lease 86400
start 192.168.30.10 {
stop 192.168.30.200
}
}
}
static-arp disable
use-dnsmasq enable
}
/* dnsmasq forwarder. listen-on covers only the switch / VLAN interfaces, never
   eth8 or eth9, so the router is not an open resolver. The two options entries
   are split-horizon overrides resolving staging/integration.plop.com to the DMZ
   web host 192.168.20.16 for internal clients. */
dns {
forwarding {
cache-size 10000
listen-on switch0
listen-on switch0.10
listen-on switch0.20
listen-on switch0.30
listen-on switch0.40
listen-on switch0.1
options address=/staging.plop.com/192.168.20.16
options address=/integration.plop.com/192.168.20.16
}
}
/* NOTE(review): web GUI on 80/443 with older-ciphers enable (weaker TLS suites
   kept for old browsers). It is reachable only from the MGMT and LAN vifs -
   WAN_LOCAL and the DMZ/guest/camera -local rule-sets drop it - so the exposure
   is limited, but older-ciphers can be disabled unless a legacy client needs it. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
/* Static NAT. Rules 4-10 are hand-written hairpin DNATs for the LAN vif
   (switch0.10) and the guest vif (switch0.30) using the redacted public address
   xxx.xxx.xx.189. With port-forward hairpin-nat enable already covering
   switch0.10, rules 4, 5, 7, 8 and 10 may duplicate the automatic ones - check
   `show nat rules` to see which set actually matches. */
nat {
rule 4 {
description "Hairpin SSH web2"
destination {
address xxx.xxx.xx.189
port 2225
}
inbound-interface switch0.10
inside-address {
address 192.168.20.16
port 2225
}
log disable
protocol tcp
type destination
}
rule 5 {
description "Hairpin RTCP Caméras"
destination {
address xxx.xxx.xx.189
port 37777
}
inbound-interface switch0.10
inside-address {
address 192.168.40.7
port 37777
}
log disable
protocol tcp
type destination
}
/* Guest-VLAN hairpin to the camera recorder; works only because WifiGuest-In
   does not block guest -> 192.168.40.0/24. */
rule 6 {
description "Hairpin RTCP Caméras From Guest wifi"
destination {
address xxx.xxx.xx.189
port 37777
}
inbound-interface switch0.30
inside-address {
address 192.168.40.7
port 37777
}
log disable
protocol tcp
type destination
}
rule 7 {
description "Hairpin HTTP web3"
destination {
address xxx.xxx.xx.189
port 3000
}
inbound-interface switch0.10
inside-address {
address 192.168.20.206
port 3000
}
log disable
protocol tcp
type destination
}
rule 8 {
description "Hairpin SSH web3"
destination {
address xxx.xxx.xx.189
port 2226
}
inbound-interface switch0.10
inside-address {
address 192.168.20.206
port 2226
}
log disable
protocol tcp
type destination
}
rule 10 {
description "Hairpin Plesk web2"
destination {
address xxx.xxx.xx.189
port 8443
}
inbound-interface switch0.10
inside-address {
address 192.168.20.16
port 8443
}
log disable
protocol tcp
type destination
}
/* NOTE(review): destination 192.169.1.10 is outside 192.168.0.0/16 and is public
   address space; since eth8 gets its address by DHCP, this looks like a typo for
   the address the Livebox hands this router. If that address is in
   192.168.1.0/24 (a common Livebox LAN default), the WAN subnet overlaps the
   MGMT vif 192.168.1.1/24 and LAN_NET - confirm eth8's real address with
   `show interfaces`. External port 10010 -> printer 9100; paired with WAN_IN
   rule 20. */
rule 11 {
description "Skyged imprimante atelier"
destination {
address 192.169.1.10
port 10010
}
inbound-interface eth8
inside-address {
address 192.168.10.4
port 9100
}
log disable
protocol tcp
type destination
}
/* Source NAT for outbound traffic on each WAN. */
rule 5016 {
description "masquerade for WAN"
outbound-interface eth8
type masquerade
}
rule 5018 {
description "masquerade for WAN 2"
outbound-interface eth9
type masquerade
}
}
/* SSH v2 on 22; only MGMT/LAN hosts can reach it (the DMZ/guest/camera -local
   rule-sets and WAN_LOCAL drop everything but DNS/DHCP or replies). */
ssh {
port 22
protocol-version v2
}
/* Ubiquiti UNMS/UISP management agent disabled. */
unms {
disable
}
}
/* Host settings: telemetry, conntrack sizing, identity, admin login, NTP,
   hardware offload, logging. */
system {
/* Usage telemetry and crash reports are sent to Ubiquiti. */
analytics-handler {
send-analytics-report true
}
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
/* loose enable lets conntrack adopt TCP flows whose handshake it did not see
   (kernel nf_conntrack_tcp_loose) - presumably kept for the dual-WAN switch-over. */
loose enable
max-retrans 3
}
}
crash-handler {
send-crash-report true
}
domain-name lol.local
host-name router-12
/* Single admin-level account (user name and password hash redacted in the post). */
login {
user xxxxxx {
authentication {
encrypted-password xxxxx
}
level admin
}
}
/* Ubiquiti NTP pool, no authentication. */
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
/* NOTE(review): hwnat is, as far as I know, the ER-X (MediaTek) knob and has no
   effect on an ER-12; the throughput-relevant entries on this platform are the
   ipv4 forwarding/vlan offloads below, which are enabled. The post reports
   ~200 vs ~800 behind the Livebox - check `show ubnt offload` to confirm
   offload is actually active while traffic flows through the modify/NAT rules. */
offload {
hwnat disable
ipsec enable
ipv4 {
bonding enable
disable-flow-flushing-upon-fib-changes
forwarding enable
gre enable
pppoe enable
vlan enable
}
ipv6 {
forwarding enable
pppoe enable
vlan disable
}
}
static-host-mapping {
}
/* Local logging only (no remote syslog host configured); the "protocols"
   facility at debug level can be noisy. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/Paris
/* DPI and flow export are off. */
traffic-analysis {
dpi disable
export disable
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.4.5521907.220630.0658 */
-
Bonjour tout le monde,
Je remonte le sujet ; si vous avez besoin de plus d'infos, n'hésitez pas à me demander ;)
Merci encore pour votre aide
-
Avez-vous vous-même essayé de décomposer et de valider la config par morceaux ?
Se prendre en bloc des centaines de lignes de config dissuade probablement pas mal de gens de venir jeter un œil au problème.