LaptopVideo2Go Forums
mobilenvidia

Edgerouter ERLite-3 Experiences


mobilenvidia

ERLite3 setup for PPPoE via VLAN10

Hoping that the below will help newcomers set up their EdgeRouter with a custom configuration.
It has a bit of everything in it to get folk started.

My broadband is as follows:
At roadside (400m from house) is a Draytek Vigor 130 modem in bridge mode
Connecting to a Ubiquiti Litebeam AC Gen2 radio
400m away another Ubiquiti Litebeam AC Gen2
Comes into house and into ERLite-3

The below settings assume that:
eth0 = WAN and has the above radios and modem on 192.168.1.x
eth1 = LAN 192.168.0.x (DHCP)
eth2 = Server 192.168.2.x (DHCP)

UPDATE:

I've setup VLANs
eth1.20 = VOIP
eth1.30 = WLAN
eth1.32 = Guest Wifi
eth1.34 = IoT (Internet of things)
eth1.40 = Satellite Receiver PVR

The VLAN IDs correspond to the switch port number used, i.e. eth1.20 uses port 2 on the switch; eth1.30, 32 and 34 use port 3.
This is for ease of tracking which port is used for what function.

Added firewall rules so that Guest WLAN and IoT devices can't snoop on any other LANs; only internet access is allowed.

All LAN and VLANs have IPv6 enabled

All WLAN is handled on the Netgear R7000 running Tomato by Shibby.
I've set up 2x tagged VLANs for Guest_Wifi and IoT.
On the switch I also had to set up port 3 with VLAN 32 and 34 as tagged; VLAN 30 is not tagged on the switch.
Port 3 is set to 'General', which allows me to either tag or leave VLANs untagged; all other ports but port 1 are set to 'Access'.
The only other port tagged is port 1, set to 'Trunk'.

mobilenvidia

Initial setup with nasty protection

configure

#Firewall settings
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
commit

set firewall group address-group Shodan description 'Shodan and other scanners'
set firewall group address-group Shodan address 208.180.20.97
set firewall group address-group Shodan address 198.20.69.74
set firewall group address-group Shodan address 198.20.69.98
set firewall group address-group Shodan address 198.20.70.114
set firewall group address-group Shodan address 198.20.99.130
set firewall group address-group Shodan address 93.120.27.62
set firewall group address-group Shodan address 66.240.236.119
set firewall group address-group Shodan address 71.6.135.131
set firewall group address-group Shodan address 66.240.192.138
set firewall group address-group Shodan address 71.6.167.142
set firewall group address-group Shodan address 82.221.105.6
set firewall group address-group Shodan address 82.221.105.7
set firewall group address-group Shodan address 71.6.165.200
set firewall group address-group Shodan address 188.138.9.50
set firewall group address-group Shodan address 85.25.103.50
set firewall group address-group Shodan address 85.25.43.94
set firewall group address-group Shodan address 71.6.146.185
set firewall group address-group Shodan address 71.6.158.166
set firewall group address-group Shodan address 198.20.87.98
set firewall group address-group Shodan address 66.240.219.146
set firewall group address-group Shodan address 209.126.110.38
set firewall group address-group Shodan address 104.236.198.48
set firewall group address-group Shodan address 184.105.247.196
set firewall group address-group Shodan address 141.212.122.112
set firewall group address-group Shodan address 125.237.220.106
set firewall group address-group Shodan address 192.81.128.37
set firewall group address-group Shodan address 74.82.47.2
set firewall group address-group Shodan address 216.218.206.66
set firewall group address-group Shodan address 37.187.114.171
set firewall group address-group Shodan address 184.105.139.67
set firewall group address-group Shodan address 54.81.158.232
set firewall group address-group Shodan address 141.212.122.144
set firewall group address-group Shodan address 141.212.122.128
set firewall group address-group Shodan address 54.206.70.29

set firewall group network-group BOGONS description 'BOGONS'
set firewall group network-group BOGONS network 10.0.0.0/8
set firewall group network-group BOGONS network 100.64.0.0/10
set firewall group network-group BOGONS network 127.0.0.0/8
set firewall group network-group BOGONS network 169.254.0.0/16
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.0.0.0/24
set firewall group network-group BOGONS network 192.0.2.0/24
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall group network-group BOGONS network 198.18.0.0/15
set firewall group network-group BOGONS network 198.51.100.0/24
set firewall group network-group BOGONS network 203.0.113.0/24
set firewall group network-group BOGONS network 224.0.0.0/3

set firewall group network-group Blocklist description 'Block scanners by CIDR'
set firewall group network-group Blocklist network 74.82.47.0/24
set firewall group network-group Blocklist network 184.105.139.0/24
set firewall group network-group Blocklist network 184.105.247.0/24
set firewall group network-group Blocklist network 216.218.206.0/24
set firewall group network-group Blocklist network 185.35.62.0/24
set firewall group network-group Blocklist network 185.35.63.0/24

set firewall group network-group SSH-ATTACKERS description "Known Brute Force SSH Attackers"
set firewall group network-group SSH-ATTACKERS network 103.0.0.0/8
set firewall group network-group SSH-ATTACKERS network 104.0.0.0/8
commit

mobilenvidia
#IPv6 rules
set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_IN rule 10 action accept
set firewall ipv6-name WAN6_IN rule 10 description 'allow established'
set firewall ipv6-name WAN6_IN rule 10 protocol all
set firewall ipv6-name WAN6_IN rule 10 state established enable
set firewall ipv6-name WAN6_IN rule 10 state related enable
set firewall ipv6-name WAN6_IN rule 20 action drop
set firewall ipv6-name WAN6_IN rule 20 description 'drop invalid packets'
set firewall ipv6-name WAN6_IN rule 20 protocol all
set firewall ipv6-name WAN6_IN rule 20 state invalid enable
set firewall ipv6-name WAN6_IN rule 30 action accept
set firewall ipv6-name WAN6_IN rule 30 description 'allow ICMPv6'
set firewall ipv6-name WAN6_IN rule 30 protocol icmpv6

set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL rule 10 action accept
set firewall ipv6-name WAN6_LOCAL rule 10 description 'allow established'
set firewall ipv6-name WAN6_LOCAL rule 10 protocol all
set firewall ipv6-name WAN6_LOCAL rule 10 state established enable
set firewall ipv6-name WAN6_LOCAL rule 10 state related enable
set firewall ipv6-name WAN6_LOCAL rule 20 action drop
set firewall ipv6-name WAN6_LOCAL rule 20 description 'drop invalid packets'
set firewall ipv6-name WAN6_LOCAL rule 20 protocol all
set firewall ipv6-name WAN6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WAN6_LOCAL rule 30 action accept
set firewall ipv6-name WAN6_LOCAL rule 30 description 'allow ICMPv6'
set firewall ipv6-name WAN6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 40 action accept
set firewall ipv6-name WAN6_LOCAL rule 40 description 'allow DHCPv6 client/server'
set firewall ipv6-name WAN6_LOCAL rule 40 destination port 546
set firewall ipv6-name WAN6_LOCAL rule 40 protocol udp
commit

#IPv4 rules
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 description 'Drop BOGONS'
set firewall name WAN_IN rule 30 log enable
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 source group network-group BOGONS
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 description 'Blocklisted CIDRs'
set firewall name WAN_IN rule 40 log enable
set firewall name WAN_IN rule 40 protocol all
set firewall name WAN_IN rule 40 source group network-group Blocklist
set firewall name WAN_IN rule 50 action drop
set firewall name WAN_IN rule 50 description 'Drop Shodan scanners'
set firewall name WAN_IN rule 50 log enable
set firewall name WAN_IN rule 50 protocol all
set firewall name WAN_IN rule 50 source group address-group Shodan
set firewall name WAN_IN rule 60 action drop
set firewall name WAN_IN rule 60 description "Deny SSH Attackers"
set firewall name WAN_IN rule 60 destination port 22
set firewall name WAN_IN rule 60 log enable
set firewall name WAN_IN rule 60 protocol tcp
set firewall name WAN_IN rule 60 source group network-group SSH-ATTACKERS
commit

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 log enable
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Limit pings'
set firewall name WAN_LOCAL rule 30 limit burst 1
set firewall name WAN_LOCAL rule 30 limit rate 50/minute
set firewall name WAN_LOCAL rule 30 log enable
set firewall name WAN_LOCAL rule 30 protocol icmp
set firewall name WAN_LOCAL rule 40 action drop
set firewall name WAN_LOCAL rule 40 description 'Drop Shodan scanners'
set firewall name WAN_LOCAL rule 40 log enable
set firewall name WAN_LOCAL rule 40 protocol all
set firewall name WAN_LOCAL rule 40 source group address-group Shodan
set firewall name WAN_LOCAL rule 50 action drop
set firewall name WAN_LOCAL rule 50 description 'Drop BOGONS'
set firewall name WAN_LOCAL rule 50 log enable
set firewall name WAN_LOCAL rule 50 protocol all
set firewall name WAN_LOCAL rule 50 source group network-group BOGONS
set firewall name WAN_LOCAL rule 60 action drop
set firewall name WAN_LOCAL rule 60 description 'Blocklisted CIDRs'
set firewall name WAN_LOCAL rule 60 log enable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source group network-group Blocklist
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description "Allow NAT-T"
set firewall name WAN_LOCAL rule 70 destination port 4500
set firewall name WAN_LOCAL rule 70 log enable
set firewall name WAN_LOCAL rule 70 protocol udp
set firewall name WAN_LOCAL rule 80 action accept
set firewall name WAN_LOCAL rule 80 description "Allow ESP"
set firewall name WAN_LOCAL rule 80 log enable
set firewall name WAN_LOCAL rule 80 protocol 50
set firewall name WAN_LOCAL rule 90 action accept
set firewall name WAN_LOCAL rule 90 description "Allow L2TP"
set firewall name WAN_LOCAL rule 90 destination port 1701
set firewall name WAN_LOCAL rule 90 log enable
set firewall name WAN_LOCAL rule 90 protocol udp
set firewall name WAN_LOCAL rule 100 action accept
set firewall name WAN_LOCAL rule 100 description "Allow IKE"
set firewall name WAN_LOCAL rule 100 destination port 500
set firewall name WAN_LOCAL rule 100 log enable
set firewall name WAN_LOCAL rule 100 protocol udp
commit

#Protect Guest-Wifi and IoT from seeing LAN
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
set firewall group network-group LAN_NETWORKS network 192.168.1.0/24
set firewall group network-group LAN_NETWORKS network 192.168.2.0/24
#VOIP (eth1.20) and Satellite (eth1.40) subnets included so the drop rule really covers every other LAN
set firewall group network-group LAN_NETWORKS network 192.168.20.0/24
set firewall group network-group LAN_NETWORKS network 192.168.30.0/24
set firewall group network-group LAN_NETWORKS network 192.168.32.0/24
set firewall group network-group LAN_NETWORKS network 192.168.34.0/24
set firewall group network-group LAN_NETWORKS network 192.168.40.0/24

set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all

set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
commit

mobilenvidia
#set MSS-Clamping (interface-type takes a type keyword, not the interface name; 1452 = PPPoE MTU 1492 minus 40 bytes of IPv4+TCP headers)
set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1452
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

#eth0, pppoe, ipv6 and port setup
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 description 'Internet (PPPoE)'
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 mtu 9000
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 10 description 'pppoe (VLAN 10)'
set interfaces ethernet eth0 vif 10 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth0 vif 10 firewall in name WAN_IN
set interfaces ethernet eth0 vif 10 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth0 vif 10 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 10 mtu 9000
set interfaces ethernet eth0 vif 10 pppoe 0 default-route none
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth0 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth0 prefix-id ':2'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth0 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id ':0'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.20 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.20 prefix-id ':4'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.20 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.30 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.30 prefix-id ':3'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.30 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.32 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.32 prefix-id ':6'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.32 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.34 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.34 prefix-id ':7'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.34 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.40 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.40 prefix-id ':5'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.40 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth2 prefix-id ':1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 prefix-length /56
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 vif 10 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 vif 10 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 10 pppoe 0 mtu 1492
set interfaces ethernet eth0 vif 10 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 10 pppoe 0 password YOURPASSWORD
set interfaces ethernet eth0 vif 10 pppoe 0 user-id YOURUSERNAME@ISP.COM
commit

#eth1/2 setup
set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 20 description VOIP
set interfaces ethernet eth1 vif 20 mtu 1500
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24
set interfaces ethernet eth1 vif 30 description WLAN
set interfaces ethernet eth1 vif 30 mtu 9000
set interfaces ethernet eth1 vif 32 address 192.168.32.1/24
set interfaces ethernet eth1 vif 32 description Guest_WLAN
set interfaces ethernet eth1 vif 32 mtu 1500
set interfaces ethernet eth1 vif 32 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 32 firewall local name PROTECT_LOCAL
set interfaces ethernet eth1 vif 34 address 192.168.34.1/24
set interfaces ethernet eth1 vif 34 description IoT
set interfaces ethernet eth1 vif 34 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 34 firewall local name PROTECT_LOCAL
set interfaces ethernet eth1 vif 34 mtu 1500
set interfaces ethernet eth1 vif 40 address 192.168.40.1/24
set interfaces ethernet eth1 vif 40 description Satellite
set interfaces ethernet eth1 vif 40 mtu 9000

set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description 'Local 2'
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 mtu 9000
set interfaces ethernet eth2 speed auto
set interfaces loopback lo
commit

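The posts above scatter the pieces that have to agree with each other: the rulesets referenced on interfaces must exist, the MSS clamp must match the PPPoE MTU, and the LAN_NETWORKS group that PROTECT_IN drops must cover every local subnet. The checker below is an added example, not code from the thread or from Ubiquiti: it parses EdgeOS-style `set` lines into token lists and runs those three checks. The sample configuration is a constructed subset of the thread's lines; it deliberately leaves the VOIP and Satellite subnets out of LAN_NETWORKS and references a ruleset called NOT_DEFINED (a made-up name) so that both problems show up in the output.

```python
"""Consistency checks over an EdgeOS-style 'set' command dump (added example)."""
import ipaddress
import shlex

# Constructed sample: a subset of the thread's configuration, with two
# deliberate problems (a missing ruleset and two subnets absent from LAN_NETWORKS).
SAMPLE_CONFIG = """
set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1452
set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
set firewall group network-group LAN_NETWORKS network 192.168.1.0/24
set firewall group network-group LAN_NETWORKS network 192.168.2.0/24
set firewall group network-group LAN_NETWORKS network 192.168.30.0/24
set firewall group network-group LAN_NETWORKS network 192.168.32.0/24
set firewall group network-group LAN_NETWORKS network 192.168.34.0/24
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_LOCAL default-action drop
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 vif 10 mtu 9000
set interfaces ethernet eth0 vif 10 pppoe 0 mtu 1492
set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24
set interfaces ethernet eth1 vif 32 address 192.168.32.1/24
set interfaces ethernet eth1 vif 32 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 32 firewall local name PROTECT_LOCAL
set interfaces ethernet eth1 vif 34 address 192.168.34.1/24
set interfaces ethernet eth1 vif 34 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 34 firewall local name PROTECT_LOCAL
set interfaces ethernet eth1 vif 40 address 192.168.40.1/24
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 firewall in name NOT_DEFINED
"""


def parse_set_lines(text):
    """Return one token list per 'set ...' line; shlex handles quoted values."""
    return [shlex.split(line.strip())[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def defined_rulesets(tokens):
    """Names created by 'firewall name <X> ...' or 'firewall ipv6-name <X> ...'."""
    return {t[2] for t in tokens
            if len(t) >= 3 and t[0] == "firewall" and t[1] in ("name", "ipv6-name")}


def undefined_references(tokens):
    """Rulesets attached to an interface ('firewall in|local name <X>') that are never defined."""
    defined = defined_rulesets(tokens)
    missing = set()
    for t in tokens:
        if t[:2] == ["interfaces", "ethernet"] and "firewall" in t:
            ref = t[t.index("firewall") + 3]  # tokens: firewall <in|local> <name|ipv6-name> <X>
            if ref not in defined:
                missing.add(ref)
    return missing


def interface_subnets(tokens):
    """Map 'eth1', 'eth1.20', ... to the IPv4 network of the address configured on it."""
    subnets = {}
    for t in tokens:
        if t[:2] == ["interfaces", "ethernet"] and "address" in t:
            name = t[2] if "vif" not in t else f"{t[2]}.{t[t.index('vif') + 1]}"
            subnets[name] = ipaddress.ip_network(t[t.index("address") + 1], strict=False)
    return subnets


def lan_group_gaps(tokens, group="LAN_NETWORKS"):
    """Interfaces whose subnet is not inside any member of the network-group."""
    members = [ipaddress.ip_network(t[-1]) for t in tokens
               if t[:5] == ["firewall", "group", "network-group", group, "network"]]
    return sorted(name for name, net in interface_subnets(tokens).items()
                  if not any(net.subnet_of(m) for m in members))


def mss_matches_mtu(tokens):
    """The clamp should equal the PPPoE MTU minus 40 (20-byte IPv4 + 20-byte TCP headers)."""
    mtu = mss = None
    for t in tokens:
        if "pppoe" in t and "mtu" in t:
            mtu = int(t[t.index("mtu") + 1])
        if t[:4] == ["firewall", "options", "mss-clamp", "mss"]:
            mss = int(t[4])
    return mtu is not None and mss == mtu - 40


def run_checks(text=SAMPLE_CONFIG):
    """Run all three checks and return their findings."""
    tokens = parse_set_lines(text)
    return {"undefined_rulesets": sorted(undefined_references(tokens)),
            "mss_ok": mss_matches_mtu(tokens),
            "not_in_lan_group": lan_group_gaps(tokens)}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Paste the output of `show configuration commands` into `SAMPLE_CONFIG` (or read it from a file) to run the same checks against a live router; any interface listed under `not_in_lan_group` is one that a guest or IoT client can still reach through PROTECT_IN.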
mobilenvidia

Port forward, DHCP, DNS setup

#Port forward setup
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward wan-interface pppoe0
set port-forward rule 10 description 'Server Backup'
set port-forward rule 10 forward-to address 192.168.0.3
set port-forward rule 10 forward-to port 21
set port-forward rule 10 original-port 8421
set port-forward rule 10 protocol tcp
set port-forward rule 20 description VOIP
set port-forward rule 20 forward-to address 192.168.20.10
set port-forward rule 20 forward-to port 5060
set port-forward rule 20 original-port 5060
set port-forward rule 20 protocol udp
set port-forward rule 30 description SSH
set port-forward rule 30 forward-to address 192.168.0.1
set port-forward rule 30 forward-to port 22
set port-forward rule 30 original-port 8422
set port-forward rule 30 protocol tcp
set port-forward rule 40 description HTTPS
set port-forward rule 40 forward-to address 192.168.0.1
set port-forward rule 40 forward-to port 443
set port-forward rule 40 original-port 8443
set port-forward rule 40 protocol tcp

#Next hop setup
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static interface-route6 '::/0' next-hop-interface pppoe0
commit

#DHCP setup
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 default-router 192.168.0.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 dns-server 192.168.0.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 start 192.168.0.10 stop 192.168.0.90
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.10 stop 192.168.2.90
set service dhcp-server use-dnsmasq disable

#DNS setup
set service dns forwarding cache-size 1000
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding system
commit

mobilenvidia
#GUI and SSH settings
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service ssh port 22
set service ssh protocol-version v2

#Force LAN DNS requests to Router
set service nat rule 4000 description 'Policy DNAT: Force LAN DNS Requests to Router'
set service nat rule 4000 inbound-interface eth1
set service nat rule 4000 destination address !192.168.0.1
set service nat rule 4000 destination port 53
set service nat rule 4000 inside-address address 192.168.0.1
set service nat rule 4000 protocol tcp_udp
set service nat rule 4000 type destination
set service nat rule 4000 log enable

#Setting up device access on eth0/WAN input (ie radios) and WAN Masquerade
set service nat rule 5000 description 'Clients on WAN side'
set service nat rule 5000 destination address 192.168.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 192.168.0.0/24
set service nat rule 5000 type masquerade
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 source address 192.168.0.0/16
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
commit

#UPNPv2 setup
set service upnp2 listen-on eth1
set service upnp2 listen-on eth1.20
set service upnp2 listen-on eth1.30
set service upnp2 listen-on eth1.40
set service upnp2 listen-on eth2
set service upnp2 nat-pmp enable
set service upnp2 secure-mode disable
set service upnp2 wan pppoe0

#System settings
set system host-name ERLite3
set system login user ohau authentication encrypted-password '$6$dXcZnlcs0p$GCTCPilXWs7XC3SvqJBp2RGZA5t8q.eq3N3S55QLUQVOaE/9Gn7GHVgNfv0XQxYlUyHLtMLqw3UL8Ax9xAvaa0'
set system login user ohau level admin
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server '2620:0:ccc::2'
set system name-server '2620:0:ccd::2'
set system name-server 127.0.0.1
set system time-zone Pacific/Auckland

#Offloading settings
set system offload hwnat disable
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe disable
set system offload ipv6 vlan enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system traffic-analysis dpi enable
set system traffic-analysis export enable

#VPN network
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn l2tp remote-access authentication local-users username YOURLOGIN password YOURPASSWORD
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.0.100
set vpn l2tp remote-access client-ip-pool stop 192.168.0.109
set vpn l2tp remote-access dns-servers server-1 192.168.0.1
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret YOURSECRET
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access outside-address 0.0.0.0
set vpn l2tp remote-access mtu 1492

commit
save
exit

mobilenvidia

If your PPPoE connection doesn't need VLAN10 tagged, then some minor mods will sort this in the '#eth0, pppoe, ipv6 and port setup' section:
remove the 'vif 10 ' text from all the lines. That's it; it should work happily.

DNS servers are OpenDNS, both IPv4 and IPv6; ISP DNS servers are ignored.
All DNS is forced via the router, even if devices are set up otherwise.

mobilenvidia

Updated settings as per changes in 1st post

ricktendo64

Hey mobilenvidia, can you confirm something for me with your ERLite3: put your ear up close to the case where the CPU is located and tell me if you can hear a slight hissing sound?

I just noticed this sound yesterday and I am wondering if my unit is faulty or if this is normal.

https://community.ubnt.com/t5/EdgeMAX/New-Edgerouter-Poe-ERpoe5-slight-quot-hissing-quot-sound/m-p/2070266#M178395

mobilenvidia

Yup, mine makes a small rattling kind of noise; it seems to correspond with data in/out.

ricktendo64
13 hours ago, mobilenvidia said:

Yup mine makes a small rattling kinda noise, seems to correspond with data in/out

Thank you for confirming. I am trying to get USBJTAG NT support, so I soldered some pin headers on mine along with a couple of resistors and I thought I had caused a short (but I guess this is normal).

http://www.usbjtag.com/vbforum/showthread.php?t=9499

mobilenvidia

Seem to remember a router of old being quite audible without getting close. It wasn't missed when lightning fixed that noise with a black mark all over the case; it did also fry the mobo it was attached to, and I did miss that a lot.

Do you use a switch? It should make a similar noise.

ricktendo64

Yeah, I use a Netgear GS110TP PoE switch; it does not make this noise.

Regarding your "#Force LAN DNS requests to Router" rule, I use the following DNS config:

set interfaces ethernet eth0 dhcp-options name-server no-update
edit service dns forwarding
set name-server 8.8.8.8
set name-server 8.8.4.4
top
set system name-server 127.0.0.1

This prevents me from using a static DNS setup on a device on my network (useful for OpenDNS filtering), but I want one device (my Wii-U) to use a custom DNS. I tried this:

edit service dhcp-server shared-network-name LAN subnet 192.168.15.0/24 static-mapping
set Wii-U ip-address 192.168.15.25
set Wii-U mac-address ff:ff:ff:ff:ff:ff
set Wii-U static-mapping-parameters "option domain-name-servers 168.235.92.108, 81.4.127.20;"

But this does not work. I think I need some sort of rule to allow port 53 from this MAC or IP (I could PM you my config; it's not as extensive as yours, only a static map and some DHCP reservations).

mobilenvidia

The Force DNS stops the folk that set their DNS on their laptops/computers/devices statically.

Can you set your DNS manually on your Wii?
If you can, then don't use the 'Force DNS via router' as above; your Wii should use the DNS it has stored.
Devices that have their own DNS IP will bypass the router's.

You can check this with the OpenDNS test page: set the router DNS to OpenDNS, set your laptop's static DNS to Google, then go to the OpenDNS test page = fail.
The Force DNS works a treat at stopping this.

mobilenvidia

You could have the Wii on a VLAN and then set the DNS?

mobilenvidia

Try this, a variation of my other DNS forcing:

#Numbered below 4000 so it is evaluated first (DNAT rules are first-match), and keyed on the
#Wii's source address rather than a negated destination, so other hosts are still forced via rule 4000
set service nat rule 3999 description 'Google DNS for 192.168.15.25'
set service nat rule 3999 inbound-interface eth1
set service nat rule 3999 source address 192.168.15.25
set service nat rule 3999 destination port 53
set service nat rule 3999 inside-address address 8.8.8.8
set service nat rule 3999 log enable
set service nat rule 3999 protocol tcp_udp
set service nat rule 3999 type destination

It seems to work; my laptop no longer used OpenDNS, which was forced with NAT rule 4000 above.
You do need to set your IP as static:

set service dhcp-server shared-network-name LAN1 subnet 192.168.15.0/24 static-mapping Wii-u ip-address 192.168.15.25
set service dhcp-server shared-network-name LAN1 subnet 192.168.15.0/24 static-mapping Wii-u mac-address 'aa:bb:cc:dd:ee:ff'

You only get one DNS server this way, though.

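The behaviour discussed in the last few posts comes down to how EdgeOS picks a destination-NAT rule: rules are tried in numeric order and the first match wins. The simulation below is an added example, not code from the thread or from Ubiquiti. It models rule 4000 from the first post, a per-host rule written the way it was first posted (rule 4001 with a negated destination address), and a corrected rule numbered below 4000 that matches the Wii's source address instead. The router address 192.168.15.1 for ricktendo64's 192.168.15.0/24 network, the laptop address 192.168.15.40 and the packets themselves are constructed assumptions.

```python
"""First-match evaluation of DNAT rules for DNS redirection (added example)."""
import ipaddress


def make_rule(number, description, inbound, dst, inside, src=None):
    """A DNAT rule; 'dst'/'src' may carry a leading '!' for negation, as in the EdgeOS syntax."""
    return {"number": number, "description": description, "inbound": inbound,
            "dst": dst, "src": src, "inside": inside}


def _match_addr(spec, addr):
    """True if addr satisfies spec (None = any; '!x' = anything but x)."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def dnat(rules, inbound, src, dst):
    """Destination a port-53 packet is rewritten to: the first matching rule wins."""
    for r in sorted(rules, key=lambda r: r["number"]):
        if r["inbound"] == inbound and _match_addr(r["src"], src) and _match_addr(r["dst"], dst):
            return r["inside"]
    return dst  # no DNAT rule matched, destination unchanged


# Assumed addresses for ricktendo64's 192.168.15.0/24 network (constructed).
ROUTER, WII, LAPTOP = "192.168.15.1", "192.168.15.25", "192.168.15.40"

FORCE_DNS = make_rule(4000, "Force LAN DNS to router", "eth1", "!" + ROUTER, ROUTER)
POSTED_4001 = make_rule(4001, "Google DNS for Wii, negated destination", "eth1", "!" + WII, "8.8.8.8")
CORRECTED = make_rule(3999, "Google DNS for Wii, source match before 4000", "eth1", None, "8.8.8.8", src=WII)


def outcome(rules):
    """Where each host's DNS query ends up, for a query to the router and one sent elsewhere."""
    return {
        "wii->router": dnat(rules, "eth1", WII, ROUTER),
        "wii->opendns": dnat(rules, "eth1", WII, "208.67.222.222"),
        "laptop->router": dnat(rules, "eth1", LAPTOP, ROUTER),
        "laptop->google": dnat(rules, "eth1", LAPTOP, "8.8.8.8"),
    }


if __name__ == "__main__":
    print("as posted:", outcome([FORCE_DNS, POSTED_4001]))
    print("corrected:", outcome([CORRECTED, FORCE_DNS]))
```

With the posted pair, a Wii query to any outside resolver is still caught by rule 4000 and sent to the router, while every host's query to the router (the laptop included) is rewritten to 8.8.8.8, which is why the laptop stopped using OpenDNS. With the corrected pair the Wii always reaches 8.8.8.8 and everything else is still forced to the router.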