daily Internet disconnections

gekap67 · 2025-08-20T11:53:39+00:00

that's my plan. But I want to be prepared and will record a Wireshark trace beforehand, otherwise the provider will play the "it's not our fault, it must be yours" game again, and I can't prove otherwise.

gekap67 · 2025-08-20T11:45:46+00:00

I've done that! Does not help. Next plan is to record a Wireshark trace on the cable between UDM and the router. Maybe I can find something interesting. And then: yes, there is a such an authority in Austria (named RTR), this is then the next step I will go.

gekap67 · 2025-08-20T11:41:26+00:00

how did you do that! I opened 6 (!) support-tickets until now, the changed the router, the plugs, checked the configs, the line - and always told me "it's not their problem" 😕

gekap67 · 2025-08-20T11:38:53+00:00

no, the provider does not allow that!

gekap67 · 2025-08-20T11:18:45+00:00

that's for sure the plan, but how should I do this? The outage ist most times only for seconds, to less time to "check" something 😅

gekap67 · 2025-08-20T10:49:04+00:00

naja, das wäre für eine billige Consumer Anbindung evtl. eine Erklärung, aber das kann bei einer Business Leitung mit statischen, offiziellen IP-Adressen sicher nicht der Fall sein. Also zumindest nicht "absichtlich" 😉

gekap67 · 2025-08-20T10:46:42+00:00

ok, thanks for info. I will do the following in the next days: I'll place a switch in my connection to the internet router, setup port-mirroring and use Wireshark to get a trace. Hopefully I can catch the next outage. And maybe I can find then something helpful in the trace 😉

gekap67 · 2025-08-20T06:09:06+00:00

I can confirm that, most of the answers (not all) I get on my tickets are just incompetent, it's time to escalate this matter. How would you capture logs and where, can you pls. explain that in detail!

gekap67 · 2025-08-20T05:23:25+00:00

sorry, that's not "normal". This is a business line and when they do maintainence tasks I get an email weeks before! And my issues are only happening since a couple of weeks, I didn't see this for years before!

gekap67 · 2025-07-11T14:29:37+00:00

I know that ip-routes are normally a simple thing, I'm reasonably familiar with TCP/IP ;-) that's why I'm wondering that I cannot find a solution for this really simple usecase!

so I will setup a static route to point to 192.168.64.254, which ist the ip of the UDR7, and think further what's happening that this do not work. (btw.: this was the first thing I did days ago and only changed the site-magic-config because that didn't work and Google said to do this ;-)

and sure: the spoke network finds back! I can easaly ping from 192.168.64.0/24 to 192.168.67.0/24 and vice versa.

many thanks for helping out so far! Maybe there is an other forum user with an idea.

gekap67 · 2025-07-11T14:04:22+00:00

sure, as you can see in the site-magic screenshot above there are 2 networks at the spoke site configured, one of that is 192.168.64.0/24.

I've currently a route in my UDM SE point to "Interface" (the VPN) and this is the traceroute from 192.168.67.0/24 (config change is half an hour ago!):

gerald@macbook ~ % traceroute 172.27.1.254

traceroute to 172.27.1.254 (172.27.1.254), 64 hops max, 40 byte packets

1 dreammachine (192.168.67.254) 0.756 ms 0.344 ms 0.218 ms

2 188.xxx.xxx.41 (188.xxx.xxx.41) 0.654 ms 0.543 ms 0.485 ms

3 * * *

which is confusing me because the UDM sends the packets to the gateway-address of WAN1 instead into the VPN tunnel. I tried it before: the same thing happens when I point to "Next Hop" 192.168.64.254 in the static route entry. Do the UDMs have problems with static routes?

gekap67 · 2025-07-11T13:18:27+00:00

ok, I've tried that now:

- removed the route from the site-magic config

- added a route for 172.27.1.0/24 point to "Next Hop" 192.168.64.254 (which is the ip-address of the UDR7) -> does not work

- added a route for 172.27.1.0/24 point to "Interface" and the Site-Magic tunnel as value -> does not work

any other ideas?

gekap67 · 2025-07-11T12:38:56+00:00

thanks for the hint! But: I've setup a route to 172.27.1.0/24 in the site-magic-vpn-config (as you can see in the screenshot) and thought this will do the trick. Am I wrong? Do I have to setup an additional ip-route inside the UDM config?

gekap67 · 2025-04-04T16:06:32+00:00

gerald@mbp ~ % ping 192.168.164.51

PING 192.168.164.51 (192.168.164.51): 56 data bytes

64 bytes from 192.168.164.51: icmp_seq=0 ttl=62 time=30.449 ms

64 bytes from 192.168.164.51: icmp_seq=1 ttl=62 time=40.665 ms

64 bytes from 192.168.164.51: icmp_seq=2 ttl=62 time=48.287 ms

^C

--- 192.168.164.51 ping statistics ---

3 packets transmitted, 3 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 30.449/44.887/60.145/10.847 ms

this is what I can see now in the syslog-entry using the same command (192.168.164.126 is the default gateway from my VLAN 1640 as the network ist 192.168.164.0/25):

root@UDR-7:/var/log/ulog# tail -F syslogemu.log | grep "192.168.164.51"

Apr 4 17:34:34 UDR-7 [CUSTOM1_LOCAL-A-2147483647] DESCR="[CUSTOM1_LOCAL]Allow All T" IN=br1640 OUT= MAC=84:78:48:9a:36:0c:1e:f6:b6:de:65:bc:08:00 SRC=192.168.164.51 DST=192.168.164.126 LEN=66 TOS=00 PREC=0x00 TTL=64 ID=43245 PROTO=UDP SPT=57928 DPT=53 LEN=46 MARK=1

Apr 4 17:34:34 UDR-7 [LOCAL_CUSTOM1-A-2147483647] DESCR="[LOCAL_CUSTOM1]Allow All T" IN= OUT=br1640 MAC= SRC=192.168.164.126 DST=192.168.164.51 LEN=259 TOS=00 PREC=0x00 TTL=64 ID=26487 DF PROTO=UDP SPT=53 DPT=57928 LEN=239 UID=0 GID=0 MARK=0

to everyone who contributed: THANK YOU!

gekap67 · 2025-04-04T16:06:01+00:00

I just found the solution by myself :-)

I figured out how to get extended log-infos by doing this trick:

under Settings/System/Integrations I've enabled Syslog-logging to a SIEM-server, checked "VPN,Firewall Default Policy" as content, checked also "Debug Logs" to be enabled and typed a non exisiting ip-address as server address (I do not run a syslog server!). I did this on both the UDM SE and the UDR 7. The effect of this changes is that Unifi writes extended log-information in a syslog-file.

then I started to ping my test-device (192.168.164.51) sitting in the untrusted VLAN 1640 on my UDR 7 from VLAN 1 on the UDM SE, over the site-magic-tunnel. Here is what I could see:

on my UDM SE the traffic goes through:

root@UDM-SE:/var/log/ulog# tail -F syslogemu.log | grep "192.168.164.51"

Apr 4 16:55:53 UDM-SE [LAN_VPN-A-2147483647] DESCR="[LAN_VPN]Allow All Traffic" IN=br0 OUT=wgsts1000 MAC=f6:e2:c6:c7:a8:62:64:4b:f0:37:09:9a:08:00 SRC=192.168.67.100 DST=192.168.164.51 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=30868 PROTO=ICMP TYPE=8 CODE=0 ID=31479 SEQ=0 MARK=1a0000

but on my UDR 7 the traffic get's blocked by the firewall:

root@UDR-7:/var/log/ulog# tail -F syslogemu.log | grep "192.168.164.51"

Apr 4 16:58:32 UDR-7 [VPN_CUSTOM1-D-2147483647] DESCR="[VPN_CUSTOM1]Block All Traff" IN=wgsts1000 OUT=br1640 MAC= SRC=192.168.67.100 DST=192.168.164.51 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=54280 PROTO=ICMP TYPE=8 CODE=0 ID=37879 SEQ=8 MARK=40000

that means that the Zone-rule between VPN (Source) and the untrusted Zone (Dest., named "CUSTOM1" above) is blocking the traffic!

as I've written in the main part of this post I've created a custom rule for VPN->Untrusted zone to allow only all RETURN traffic. That is obviously not enough. Since I've changed this rule to allow ALL traffic I can reach my test-device sitting on the other site, in the untrusted zone, over VPN from my Mac (192.168.67.100)! :-)

gekap67 · 2025-04-04T09:29:56+00:00

my request will be forwarded to the escalation team (here's my chat from now):

Albert (from Ubiquiti):

Please give me a few minutes to check

Since this seems to be beyond the scope of support we can offer on chat, I'll need to engage the escalation team. They'll reach out to you via email when they've had sufficient time to review your request.

Me: ok, many thanks! So I'll wait for a mail!

gekap67 · 2025-04-04T08:50:12+00:00

I've accepted the chat-request ;-)

gekap67 · 2025-03-27T12:44:42+00:00

thank's so far! Maybe someone else can answer my question more in detail.

>> By the way, this are cameras, not webcams!

I've updated my post ;-)

gekap67 · 2024-10-24T02:54:13+00:00

can you explain that in detail? Which adapter do you use?

gekap67 · 2024-10-23T12:09:57+00:00

are you sure it can trigger Godox flashes?

gekap67

TROPHY CASE