New Router

[SuperQ]

We need a new router for the space, as the old Ubiquiti ER-3 died.

Proposals so far:

Ubiquiti ER-4

Pros:

• Cheap. ($200 + $15 rack bracket)
• Easily available.
• Easy to configure.

Cons:

• Not fully open source

pfSense - Netgate SG-3100?

Pros:

• Fully open source
• Reasonable configuration

Cons:

• More expensive ($350)

Datto

Pros:

• ???

Cons:

• Monthly fees
• Unknown product lines
• Only available via resellers

Cisco ASA

Pros:

• It's Cisco :grin:

Cons:

• It's Cisco :grin:

[marcidy]

2 ER-4's ordered, arriving Thursday the 9th.

[marcidy]

ah fuck I forgot the rack bracket. do we have the old one?

[SuperQ]

I think the bracket is different between the old and new models. The new one is just slightly too big to fit 2 in 1U anyway.

[marcidy]

Routers found and acquired. How do we deploy?

[rizend]

1. Create an admin user with a strong password and add your public key.
2. Get router into a basically working configuration (providing dhcp to 10.20.0.1/23, not giving out ips in the static ip areas unless they've been directly assigned, etc.)
3. Make room for the router in rack and mount it properly if we can.
4. Remove the temporary router.
5. Plug in the cables for the new router.
6. Make sure internet is working inside the space.
7. Restore a backup configuration file if we have one; if not, setup the router appropriately and save the configuration file (probably in this repo).

[SuperQ]

The basic IP config looks like this:

Router 1

set interfaces ethernet eth0 address 10.19.0.2/24
set interfaces ethernet eth0 description 'Monkeybrains'
set interfaces ethernet eth0 vrrp vrrp-group 100 advertise-interval 5
set interfaces ethernet eth0 vrrp vrrp-group 100 preempt false
set interfaces ethernet eth0 vrrp vrrp-group 100 priority 200
set interfaces ethernet eth0 vrrp vrrp-group 100 sync-group noisebridge
set interfaces ethernet eth0 vrrp vrrp-group 100 virtual-address 192.195.83.130/29
set interfaces ethernet eth1 address 10.20.0.2/23
set interfaces ethernet eth1 vrrp vrrp-group 101 advertise-interval 5
set interfaces ethernet eth1 vrrp vrrp-group 101 preempt false
set interfaces ethernet eth1 vrrp vrrp-group 101 priority 200
set interfaces ethernet eth1 vrrp vrrp-group 101 sync-group noisebridge
set interfaces ethernet eth1 vrrp vrrp-group 101 virtual-address 10.20.0.1/23
set protocols static route 0.0.0.0/0 next-hop 192.195.83.129
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address 192.195.83.130
set service nat rule 5000 protocol all
set service nat rule 5000 source address 10.20.0.0/23
set service nat rule 5000 type source

Router 2

set interfaces ethernet eth0 address 10.19.0.3/24
set interfaces ethernet eth0 description 'Monkeybrains'
set interfaces ethernet eth0 vrrp vrrp-group 100 advertise-interval 5
set interfaces ethernet eth0 vrrp vrrp-group 100 preempt false
set interfaces ethernet eth0 vrrp vrrp-group 100 priority 100
set interfaces ethernet eth0 vrrp vrrp-group 100 sync-group noisebridge
set interfaces ethernet eth0 vrrp vrrp-group 100 virtual-address 192.195.83.130/29
set interfaces ethernet eth1 address 10.20.0.3/23
set interfaces ethernet eth1 vrrp vrrp-group 101 advertise-interval 5
set interfaces ethernet eth1 vrrp vrrp-group 101 preempt false
set interfaces ethernet eth1 vrrp vrrp-group 101 priority 100
set interfaces ethernet eth1 vrrp vrrp-group 101 sync-group noisebridge
set interfaces ethernet eth1 vrrp vrrp-group 101 virtual-address 10.20.0.1/23
set protocols static route 0.0.0.0/0 next-hop 192.195.83.129
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address 192.195.83.130
set service nat rule 5000 protocol all
set service nat rule 5000 source address 10.20.0.0/23
set service nat rule 5000 type source

This should get basic IP routing with router failover working.

Don't forget to commit and save router changes :grin:

[marcidy]

After some discussion, we think keeping only one router connected at a time is best. We aren't sure why we've had two failures. If its power related, we could lose both new ones. And the configuration is simpler if a failover does need to occur.

What do you think?

(due to reasons we haven't gone through full config of the router yet, we'll get there.)

[SuperQ]

If there was a power issue, the switch and or pegasus would have also been damaged.

[marcidy]

@SuperQ and I discussed and we agree to wait a month-ish so r, Charlie, myself and anyone else who wants to can learn / practice deployment to understand the single router config, so we can move to the fail-over config with confidence. I'll open a new issue to track that.

[SuperQ]

Ok, the new ER-4 is in place and working well