mobilenvidia Posted August 12, 2017

ERLite3 setup for PPPoE via VLAN10

Hoping that the below will help newcomers to set up their EdgeRouter with custom configuration. It has a bit of everything in it to get folk started.

My broadband is like thus:
At roadside (400m from house) is a Draytek Vigor 130 modem in bridge mode
Connecting to a Ubiquiti LiteBeam AC Gen2 radio
400m away another Ubiquiti LiteBeam AC Gen2
Comes into house and into ERLite-3

The below settings assume that:
eth0 = WAN and has the above radios and modem on 192.168.1.x
eth1 = LAN 192.168.0.x (DHCP)
eth2 = Server 192.168.2.x (DHCP)

UPDATE: I've set up VLANs
eth1.20 = VOIP
eth1.30 = WLAN
eth1.32 = Guest Wifi
eth1.34 = IoT (Internet of things)
eth1.40 = Satellite Receiver PVR

The ports correspond to the port number used, ie eth1.20 uses port 2 on the switch, eth1.30, 32 and 34 use port 3. For ease of tracking which port is used for what function.
Added firewall rules so that Guest WLAN and IoT devices can't snoop on any other LANs, only internet access allowed.
All LAN and VLANs have IPv6 enabled.
All WLAN is handled on the Netgear R7000 running Tomato by shibby.
I've set up 2x tagged VLANs for Guest_Wifi and IoT. On the switch I also had to set up port 3 with VLAN 32 and 34 as switched; VLAN 30 is not tagged on the switch.
Port 3 is set to 'General', which allows me to either tag or leave untagged VLANs; all other ports but 1 are set to 'Access'. The only other port tagged is port 1, set to 'Trunk'.
mobilenvidia Posted August 12, 2017

Initial setup with nasty protection

configure

#Firewall settings
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
commit

set firewall group address-group Shodan description 'Shodan and other scanners'
set firewall group address-group Shodan address 208.180.20.97
set firewall group address-group Shodan address 198.20.69.74
set firewall group address-group Shodan address 198.20.69.98
set firewall group address-group Shodan address 198.20.70.114
set firewall group address-group Shodan address 198.20.99.130
set firewall group address-group Shodan address 93.120.27.62
set firewall group address-group Shodan address 66.240.236.119
set firewall group address-group Shodan address 71.6.135.131
set firewall group address-group Shodan address 66.240.192.138
set firewall group address-group Shodan address 71.6.167.142
set firewall group address-group Shodan address 82.221.105.6
set firewall group address-group Shodan address 82.221.105.7
set firewall group address-group Shodan address 71.6.165.200
set firewall group address-group Shodan address 188.138.9.50
set firewall group address-group Shodan address 85.25.103.50
set firewall group address-group Shodan address 85.25.43.94
set firewall group address-group Shodan address 71.6.146.185
set firewall group address-group Shodan address 71.6.158.166
set firewall group address-group Shodan address 198.20.87.98
set firewall group address-group Shodan address 66.240.219.146
set firewall group address-group Shodan address 209.126.110.38
set firewall group address-group Shodan address 104.236.198.48
set firewall group address-group Shodan address 184.105.247.196
set firewall group address-group Shodan address 141.212.122.112
set firewall group address-group Shodan address 125.237.220.106
set firewall group address-group Shodan address 192.81.128.37
set firewall group address-group Shodan address 74.82.47.2
set firewall group address-group Shodan address 216.218.206.66
set firewall group address-group Shodan address 37.187.114.171
set firewall group address-group Shodan address 184.105.139.67
set firewall group address-group Shodan address 54.81.158.232
set firewall group address-group Shodan address 141.212.122.144
set firewall group address-group Shodan address 141.212.122.128
set firewall group address-group Shodan address 54.206.70.29

set firewall group network-group BOGONS description 'BOGONS'
set firewall group network-group BOGONS network 10.0.0.0/8
set firewall group network-group BOGONS network 100.64.0.0/10
set firewall group network-group BOGONS network 127.0.0.0/8
set firewall group network-group BOGONS network 169.254.0.0/16
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.0.0.0/24
set firewall group network-group BOGONS network 192.0.2.0/24
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall group network-group BOGONS network 198.18.0.0/15
set firewall group network-group BOGONS network 198.51.100.0/24
set firewall group network-group BOGONS network 203.0.113.0/24
set firewall group network-group BOGONS network 224.0.0.0/3

set firewall group network-group Blocklist description 'Block scanners by CIDR'
set firewall group network-group Blocklist network 74.82.47.0/24
set firewall group network-group Blocklist network 184.105.139.0/24
set firewall group network-group Blocklist network 184.105.247.0/24
set firewall group network-group Blocklist network 216.218.206.0/24
set firewall group network-group Blocklist network 185.35.62.0/24
set firewall group network-group Blocklist network 185.35.63.0/24

set firewall group network-group SSH-ATTACKERS description "Known Brute Force SSH Attackers"
set firewall group network-group SSH-ATTACKERS network 103.0.0.0/8
set firewall group network-group SSH-ATTACKERS network 104.0.0.0/8
commit
mobilenvidia Posted August 12, 2017

#IPv6 rules
set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_IN rule 10 action accept
set firewall ipv6-name WAN6_IN rule 10 description 'allow established'
set firewall ipv6-name WAN6_IN rule 10 protocol all
set firewall ipv6-name WAN6_IN rule 10 state established enable
set firewall ipv6-name WAN6_IN rule 10 state related enable
set firewall ipv6-name WAN6_IN rule 20 action drop
set firewall ipv6-name WAN6_IN rule 20 description 'drop invalid packets'
set firewall ipv6-name WAN6_IN rule 20 protocol all
set firewall ipv6-name WAN6_IN rule 20 state invalid enable
set firewall ipv6-name WAN6_IN rule 30 action accept
set firewall ipv6-name WAN6_IN rule 30 description 'allow ICMPv6'
set firewall ipv6-name WAN6_IN rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL rule 10 action accept
set firewall ipv6-name WAN6_LOCAL rule 10 description 'allow established'
set firewall ipv6-name WAN6_LOCAL rule 10 protocol all
set firewall ipv6-name WAN6_LOCAL rule 10 state established enable
set firewall ipv6-name WAN6_LOCAL rule 10 state related enable
set firewall ipv6-name WAN6_LOCAL rule 20 action drop
set firewall ipv6-name WAN6_LOCAL rule 20 description 'drop invalid packets'
set firewall ipv6-name WAN6_LOCAL rule 20 protocol all
set firewall ipv6-name WAN6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WAN6_LOCAL rule 30 action accept
set firewall ipv6-name WAN6_LOCAL rule 30 description 'allow ICMPv6'
set firewall ipv6-name WAN6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 40 action accept
set firewall ipv6-name WAN6_LOCAL rule 40 description 'allow DHCPv6 client/server'
set firewall ipv6-name WAN6_LOCAL rule 40 destination port 546
set firewall ipv6-name WAN6_LOCAL rule 40 protocol udp
commit

#IPv4 rules
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 description 'Drop BOGONS'
set firewall name WAN_IN rule 30 log enable
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 source group network-group BOGONS
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 description 'Blocklisted CIDRs'
set firewall name WAN_IN rule 40 log enable
set firewall name WAN_IN rule 40 protocol all
set firewall name WAN_IN rule 40 source group network-group Blocklist
set firewall name WAN_IN rule 50 action drop
set firewall name WAN_IN rule 50 description 'Drop Shodan scanners'
set firewall name WAN_IN rule 50 log enable
set firewall name WAN_IN rule 50 protocol all
set firewall name WAN_IN rule 50 source group address-group Shodan
set firewall name WAN_IN rule 60 action drop
set firewall name WAN_IN rule 60 description "Deny SSH Attackers"
set firewall name WAN_IN rule 60 destination port 22
set firewall name WAN_IN rule 60 log enable
set firewall name WAN_IN rule 60 protocol tcp
set firewall name WAN_IN rule 60 source group network-group SSH-ATTACKERS
commit

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 log enable
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Limit pings'
set firewall name WAN_LOCAL rule 30 limit burst 1
set firewall name WAN_LOCAL rule 30 limit rate 50/minute
set firewall name WAN_LOCAL rule 30 log enable
set firewall name WAN_LOCAL rule 30 protocol icmp
set firewall name WAN_LOCAL rule 40 action drop
set firewall name WAN_LOCAL rule 40 description 'Drop Shodan scanners'
set firewall name WAN_LOCAL rule 40 log enable
set firewall name WAN_LOCAL rule 40 protocol all
set firewall name WAN_LOCAL rule 40 source group address-group Shodan
set firewall name WAN_LOCAL rule 50 action drop
set firewall name WAN_LOCAL rule 50 description 'Drop BOGONS'
set firewall name WAN_LOCAL rule 50 log enable
set firewall name WAN_LOCAL rule 50 protocol all
set firewall name WAN_LOCAL rule 50 source group network-group BOGONS
set firewall name WAN_LOCAL rule 60 action drop
set firewall name WAN_LOCAL rule 60 description 'Blocklisted CIDRs'
set firewall name WAN_LOCAL rule 60 log enable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source group network-group Blocklist
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description "Allow NAT-T"
set firewall name WAN_LOCAL rule 70 destination port 4500
set firewall name WAN_LOCAL rule 70 log enable
set firewall name WAN_LOCAL rule 70 protocol udp
set firewall name WAN_LOCAL rule 80 action accept
set firewall name WAN_LOCAL rule 80 description "Allow ESP"
set firewall name WAN_LOCAL rule 80 log enable
set firewall name WAN_LOCAL rule 80 protocol 50
set firewall name WAN_LOCAL rule 90 action accept
set firewall name WAN_LOCAL rule 90 description "Allow L2TP"
set firewall name WAN_LOCAL rule 90 destination port 1701
set firewall name WAN_LOCAL rule 90 log enable
set firewall name WAN_LOCAL rule 90 protocol udp
set firewall name WAN_LOCAL rule 100 action accept
set firewall name WAN_LOCAL rule 100 description "Allow IKE"
set firewall name WAN_LOCAL rule 100 destination port 500
set firewall name WAN_LOCAL rule 100 log enable
set firewall name WAN_LOCAL rule 100 protocol udp
commit

#Protect Guest-Wifi and IoT from seeing LAN
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
set firewall group network-group LAN_NETWORKS network 192.168.1.0/24
set firewall group network-group LAN_NETWORKS network 192.168.2.0/24
set firewall group network-group LAN_NETWORKS network 192.168.30.0/24
set firewall group network-group LAN_NETWORKS network 192.168.32.0/24
set firewall group network-group LAN_NETWORKS network 192.168.34.0/24
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
commit
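As an added illustration (not config or code from this thread), a small Python evaluator that applies EdgeOS first-match semantics to the LAN_NETWORKS group and the PROTECT_IN / PROTECT_LOCAL rulesets above, including a flow towards a VLAN the group does not list; the guest host 192.168.32.50, the LAN host 192.168.0.5 and the other endpoints are constructed.

```python
"""First-match evaluator for the guest/IoT isolation rulesets posted above (added example)."""
import ipaddress

# Constructed excerpt of the post: LAN_NETWORKS group, PROTECT_IN (forwarded traffic
# entering eth1.32 / eth1.34) and PROTECT_LOCAL (traffic addressed to the router itself).
CONFIG = """
set firewall group network-group LAN_NETWORKS network 192.168.0.0/24
set firewall group network-group LAN_NETWORKS network 192.168.1.0/24
set firewall group network-group LAN_NETWORKS network 192.168.2.0/24
set firewall group network-group LAN_NETWORKS network 192.168.30.0/24
set firewall group network-group LAN_NETWORKS network 192.168.32.0/24
set firewall group network-group LAN_NETWORKS network 192.168.34.0/24
set firewall name PROTECT_IN default-action accept
set firewall name PROTECT_IN rule 10 action accept
set firewall name PROTECT_IN rule 10 protocol all
set firewall name PROTECT_IN rule 10 state established enable
set firewall name PROTECT_IN rule 10 state related enable
set firewall name PROTECT_IN rule 20 action drop
set firewall name PROTECT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IN rule 20 protocol all
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
"""


def parse(config):
    """'set firewall ...' lines -> (groups: name -> networks, rulesets: name -> rules)."""
    groups, rulesets = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[2] == "group" and t[5] in ("network", "address"):
            # address-group members become /32 networks so one membership test serves both
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6], strict=False))
        elif t[2] == "name":
            rs = rulesets.setdefault(t[3], {"default": "accept", "rules": {}})
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "rule":
                r = rs["rules"].setdefault(int(t[5]), {"states": set()})
                if t[6] in ("action", "protocol"):
                    r[t[6]] = t[7]
                elif t[6] == "state" and t[8] == "enable":
                    r["states"].add(t[7])
                elif t[6] in ("source", "destination") and t[7] == "group":
                    r[t[6] + "_group"] = t[9]
                elif t[6] == "destination" and t[7] == "port":
                    r["dport"] = int(t[8])
    return groups, rulesets


def _matches(rule, pkt, groups):
    proto = rule.get("protocol", "all")
    if proto != "all" and proto != pkt["proto"]:
        if not (proto == "tcp_udp" and pkt["proto"] in ("tcp", "udp")):
            return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    for side, field in (("source", "src"), ("destination", "dst")):
        group = rule.get(side + "_group")
        if group and not any(ipaddress.ip_address(pkt[field]) in n for n in groups[group]):
            return False
    return True


def evaluate(rulesets, groups, name, pkt):
    """EdgeOS semantics: ascending rule number, first match wins, else default-action (None)."""
    rs = rulesets[name]
    for num in sorted(rs["rules"]):
        if _matches(rs["rules"][num], pkt, groups):
            return rs["rules"][num]["action"], num
    return rs["default"], None


def guest_isolation_report():
    """Verdicts for constructed flows from a hypothetical guest host on eth1.32."""
    groups, rulesets = parse(CONFIG)
    g = "192.168.32.50"
    cases = {
        "guest_to_lan_smb": ("PROTECT_IN", dict(src=g, dst="192.168.0.5", proto="tcp", dport=445, state="new")),
        "guest_to_internet_dns": ("PROTECT_IN", dict(src=g, dst="8.8.8.8", proto="udp", dport=53, state="new")),
        # the VOIP VLAN (192.168.20.0/24) is not in LAN_NETWORKS, so it falls to default-action
        "guest_to_voip_vlan": ("PROTECT_IN", dict(src=g, dst="192.168.20.10", proto="udp", dport=5060, state="new")),
        # replies to a flow that a LAN host opened towards the guest pass on rule 10
        "guest_reply_to_lan_opened_flow": ("PROTECT_IN", dict(src=g, dst="192.168.0.5", proto="tcp", dport=50000, state="established")),
        "guest_to_router_dns_udp": ("PROTECT_LOCAL", dict(src=g, dst="192.168.32.1", proto="udp", dport=53, state="new")),
        "guest_to_router_dns_tcp": ("PROTECT_LOCAL", dict(src=g, dst="192.168.32.1", proto="tcp", dport=53, state="new")),
    }
    return {k: evaluate(rulesets, groups, rs, p) for k, (rs, p) in cases.items()}
```

The report shows which verdicts come from an explicit rule and which only from default-action; the TCP/53 case falls to PROTECT_LOCAL's default drop because rule 10 is UDP only.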
mobilenvidia Posted August 12, 2017

#set MSS-Clamping
set firewall options mss-clamp interface-type pppoe0
set firewall options mss-clamp mss 1452
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

#eth0, pppoe, ipv6 and port setup
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 description 'Internet (PPPoE)'
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 mtu 9000
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 10 description 'pppoe (VLAN 10)'
set interfaces ethernet eth0 vif 10 mtu 9000
# WAN rulesets are bound to the pppoe 0 session (corrected from 'vif 10 firewall ...'):
# internet traffic arrives on pppoe0, so rules bound to eth0.10 itself never see the IP packets inside the PPPoE frames
set interfaces ethernet eth0 vif 10 pppoe 0 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth0 vif 10 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 10 pppoe 0 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth0 vif 10 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 10 pppoe 0 default-route none
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth0 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth0 prefix-id ':2'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth0 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id ':0'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.20 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.20 prefix-id ':4'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.20 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.30 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.30 prefix-id ':3'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.30 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.32 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.32 prefix-id ':6'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.32 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.34 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.34 prefix-id ':7'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.34 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.40 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.40 prefix-id ':5'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.40 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth2 prefix-id ':1'
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 prefix-length /56
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 vif 10 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 vif 10 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 10 pppoe 0 mtu 1492
set interfaces ethernet eth0 vif 10 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 10 pppoe 0 password YOURPASSWORD
set interfaces ethernet eth0 vif 10 pppoe 0 user-id YOURUSERNAME@ISP.COM
commit

#eth1/2 setup
set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 20 description VOIP
set interfaces ethernet eth1 vif 20 mtu 1500
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24
set interfaces ethernet eth1 vif 30 description WLAN
set interfaces ethernet eth1 vif 30 mtu 9000
set interfaces ethernet eth1 vif 32 address 192.168.32.1/24
set interfaces ethernet eth1 vif 32 description Guest_WLAN
set interfaces ethernet eth1 vif 32 mtu 1500
set interfaces ethernet eth1 vif 32 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 32 firewall local name PROTECT_LOCAL
set interfaces ethernet eth1 vif 34 address 192.168.34.1/24
set interfaces ethernet eth1 vif 34 description IoT
set interfaces ethernet eth1 vif 34 firewall in name PROTECT_IN
set interfaces ethernet eth1 vif 34 firewall local name PROTECT_LOCAL
set interfaces ethernet eth1 vif 34 mtu 1500
set interfaces ethernet eth1 vif 40 address 192.168.40.1/24
set interfaces ethernet eth1 vif 40 description Satellite
set interfaces ethernet eth1 vif 40 mtu 9000
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description 'Local 2'
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 mtu 9000
set interfaces ethernet eth2 speed auto
set interfaces loopback lo
commit
mobilenvidia Posted August 12, 2017

Port forward, DHCP, DNS setup

#Port forward setup
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward wan-interface pppoe0
set port-forward rule 10 description 'Server Backup'
set port-forward rule 10 forward-to address 192.168.0.3
set port-forward rule 10 forward-to port 21
set port-forward rule 10 original-port 8421
set port-forward rule 10 protocol tcp
set port-forward rule 20 description VOIP
set port-forward rule 20 forward-to address 192.168.20.10
set port-forward rule 20 forward-to port 5060
set port-forward rule 20 original-port 5060
set port-forward rule 20 protocol udp
set port-forward rule 30 description SSH
set port-forward rule 30 forward-to address 192.168.0.1
set port-forward rule 30 forward-to port 22
set port-forward rule 30 original-port 8422
set port-forward rule 30 protocol tcp
set port-forward rule 40 description HTTPS
set port-forward rule 40 forward-to address 192.168.0.1
set port-forward rule 40 forward-to port 443
set port-forward rule 40 original-port 8443
set port-forward rule 40 protocol tcp

#Next hop setup
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static interface-route6 '::/0' next-hop-interface pppoe0
commit

#DHCP setup
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 default-router 192.168.0.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 dns-server 192.168.0.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 start 192.168.0.10 stop 192.168.0.90
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.10 stop 192.168.2.90
set service dhcp-server use-dnsmasq disable

#DNS setup
set service dns forwarding cache-size 1000
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding system
commit
mobilenvidia Posted August 12, 2017

#System settings
set service gui http-port 80
set service gui https-port 443
set service ssh port 22
set service ssh protocol-version v2
set service gui older-ciphers enable

#Force LAN DNS requests to Router
set service nat rule 4000 description 'Policy DNAT: Force LAN DNS Requests to Router'
set service nat rule 4000 inbound-interface eth1
set service nat rule 4000 destination address !192.168.0.1
set service nat rule 4000 destination port 53
set service nat rule 4000 inside-address address 192.168.0.1
set service nat rule 4000 protocol tcp_udp
set service nat rule 4000 type destination
set service nat rule 4000 log enable

#Setting up device access on eth0/WAN input (ie radios) and WAN Masquerade
set service nat rule 5000 description 'Clients on WAN side'
set service nat rule 5000 destination address 192.168.1.1/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 192.168.0.1/24
set service nat rule 5000 type masquerade
set service nat rule 5010 description 'masquerade for WAN'
# rule number corrected from 5000: this source line belongs to the 5010 WAN masquerade rule
set service nat rule 5010 source address 192.168.0.1/16
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
commit

#UPNPv2 setup
set service upnp2 listen-on eth1
set service upnp2 listen-on eth1.20
set service upnp2 listen-on eth1.30
set service upnp2 listen-on eth1.40
set service upnp2 listen-on eth2
set service upnp2 nat-pmp enable
set service upnp2 secure-mode disable
set service upnp2 wan pppoe0

#System settings
set system host-name ERLite3
set system login user ohau authentication encrypted-password '$6$dXcZnlcs0p$GCTCPilXWs7XC3SvqJBp2RGZA5t8q.eq3N3S55QLUQVOaE/9Gn7GHVgNfv0XQxYlUyHLtMLqw3UL8Ax9xAvaa0'
set system login user ohau level admin
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server '2620:0:ccc::2'
set system name-server '2620:0:ccd::2'
set system name-server 127.0.0.1
set system time-zone Pacific/Auckland

#Offloading settings
set system offload hwnat disable
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe disable
set system offload ipv6 vlan enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system traffic-analysis dpi enable
set system traffic-analysis export enable

#VPN network
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn l2tp remote-access authentication local-users username YOURLOGIN password YOURPASSWORD
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.0.100
set vpn l2tp remote-access client-ip-pool stop 192.168.0.109
set vpn l2tp remote-access dns-servers server-1 192.168.0.1
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret YOURSECRET
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access outside-address 0.0.0.0
set vpn l2tp remote-access mtu 1492
commit
save
exit
mobilenvidia Posted August 12, 2017

If your PPPoE connection doesn't need VLAN10 tagged then some minor mods will sort this in the '#eth0, pppoe, ipv6 and port setup' section: remove the 'vif 10 ' text from all the lines, that's it, should work happily.
DNS servers are OpenDNS, both IPv4 and IPv6; ISP DNS servers are ignored.
All DNS is forced via the router, even if devices are set up otherwise.

mobilenvidia Posted August 18, 2017

Updated settings as per changes in 1st post.
ricktendo64 Posted September 20, 2017

Hey mobilenvidia, can you confirm something for me with your ERLite3: put your ear up close to the case where the CPU is located and tell me if you can hear a slight hissing sound? I just noticed this sound yesterday and I am wondering if my unit is faulty or if this is normal.
https://community.ubnt.com/t5/EdgeMAX/New-Edgerouter-Poe-ERpoe5-slight-quot-hissing-quot-sound/m-p/2070266#M178395

mobilenvidia Posted September 21, 2017

Yup, mine makes a small rattling kinda noise, seems to correspond with data in/out.

ricktendo64 Posted September 21, 2017

13 hours ago, mobilenvidia said: Yup, mine makes a small rattling kinda noise, seems to correspond with data in/out.

Thank you for confirming. I am trying to get USBJTAG NT support so I soldered some pin headers on mine along with a couple of resistors and I thought I had caused a short (but I guess this is normal.)
http://www.usbjtag.com/vbforum/showthread.php?t=9499

mobilenvidia Posted September 21, 2017

Seem to remember a router of old being quite audible without getting close; wasn't missed when lightning fixed that noise with a black mark all over the case. It did also fry the mobo it was attached to, did miss that a lot.
Do you use a switch? It should make a similar noise?
ricktendo64 Posted September 21, 2017

Yea, I use a Netgear GS110TP PoE switch, it does not make this noise.

Regarding your "#Force LAN DNS requests to Router" rule, I use the following DNS config:

set interfaces ethernet eth0 dhcp-options name-server no-update
edit service dns forwarding
set name-server 8.8.8.8
set name-server 8.8.4.4
top
set system name-server 127.0.0.1

This prevents me from using a static DNS setup on a device on my network (useful for OpenDNS filtering), but I want one device (my Wii-U) to use a custom DNS. I tried this:

edit service dhcp-server shared-network-name LAN subnet 192.168.15.0/24 static-mapping
set Wii-U ip-address 192.168.15.25
set Wii-U mac-address ff:ff:ff:ff:ff:ff
set Wii-U static-mapping-parameters "option domain-name-servers 168.235.92.108, 81.4.127.20;"

But this does not work. I think I need some sort of rule to allow port 53 from this MAC or IP (I could PM you my config, it's not as extensive as yours, only a static map and some DHCP reservations).

mobilenvidia Posted September 22, 2017

The Force DNS stops the folk that set their DNS on their laptops/computers/devices statically.
Can you set your DNS manually on your Wii? If you can, then don't use the 'Force DNS via router' as above; your Wii should use the DNS it has stored.
Devices that have their own DNS IP will bypass the router's.
You can check this with the OpenDNS test page: set the router DNS to OpenDNS, set your laptop static DNS to Google, then go to the OpenDNS test page = fail.
The Force DNS works a treat with stopping this.

mobilenvidia Posted September 22, 2017

You could have the Wii on a VLAN and then set the DNS?
mobilenvidia Posted September 22, 2017

Try this, a variation of my other DNS forcing:

set service nat rule 4001 description 'Google DNS for 192.168.15.25'
set service nat rule 4001 destination address '!192.168.15.25'
set service nat rule 4001 destination port 53
set service nat rule 4001 inbound-interface eth1
set service nat rule 4001 inside-address address 8.8.8.8
set service nat rule 4001 log enable
set service nat rule 4001 protocol tcp_udp
set service nat rule 4001 type destination

It seems to work, my laptop no longer used OpenDNS which was forced with the nat rule 4000 above.
You do need to set your IP as static:

set service dhcp-server shared-network-name LAN1 subnet 192.168.15.0/24 static-mapping Wii-u ip-address 192.168.15.25
set service dhcp-server shared-network-name LAN1 subnet 192.168.15.0/24 static-mapping Wii-u mac-address 'aa:bb:cc:dd:ee:ff'

You only get one DNS server this way though.

mobilenvidia Posted May 11, 2021

ERL3 went up in flames after serving many years faithfully.
Have moved house and got Fibre set up, now enjoying 1000/500Mbps interweb.
ERL3 would struggle with Gigabit WAN so bought myself an ER4. It runs Gigabit full routing easily, just waiting on an ASUS R-AX3000 WLAN router I'll just run as an AP.
ISP supplied Technicolor router is rubbish, can't wait to disconnect and have real routing.
Also got a 16 port Dell managed switch, so slowly getting set up again for eventual move back to the original house site, but back to VDSL.
RIP ERL3
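As an added example (not config or code from this thread), a Python simulation of which DNAT rule a DNS query hits when the '#Force LAN DNS requests to Router' rule 4000 and the rule 4001 above are both present, and with 4001 alone; both rules match on destination only, so the query's source address is carried but never consulted. The rules are assumed to share inbound-interface eth1 as posted; the laptop 192.168.0.20 and its DNS server 1.1.1.1 are constructed.

```python
"""First-match simulation of the two DNS-forcing DNAT rules in this thread (added example)."""

# Constructed from rule 4000 (the '#Force LAN DNS requests to Router' post) and rule 4001
# above. 'dst_not' models EdgeOS 'destination address !X' (match anything except X).
NAT_RULES = [
    {"num": 4000, "iface": "eth1", "proto": "tcp_udp", "dport": 53, "dst_not": "192.168.0.1", "to": "192.168.0.1"},
    {"num": 4001, "iface": "eth1", "proto": "tcp_udp", "dport": 53, "dst_not": "192.168.15.25", "to": "8.8.8.8"},
]


def apply_dnat(rules, pkt):
    """Return (rule number, destination after DNAT). EdgeOS tries NAT rules in
    ascending order and stops at the first match; (None, dst) means untouched."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if pkt["iface"] != r["iface"] or pkt["dport"] != r["dport"]:
            continue
        if r["proto"] == "tcp_udp" and pkt["proto"] not in ("tcp", "udp"):
            continue
        if pkt["dst"] == r["dst_not"]:  # the one address the negated match excludes
            continue
        return r["num"], r["to"]
    return None, pkt["dst"]


def dns_forcing_report():
    """Where constructed DNS queries end up with both rules, and with rule 4001 alone."""
    def q(src, dst):  # a UDP/53 query arriving on eth1 from src towards dst (src unused by the rules)
        return {"iface": "eth1", "proto": "udp", "src": src, "dst": dst, "dport": 53}
    wii = q("192.168.15.25", "168.235.92.108")    # Wii-U, statically set to the DNS from the thread
    laptop = q("192.168.0.20", "1.1.1.1")          # constructed laptop with a static DNS server
    to_router = q("192.168.0.20", "192.168.0.1")   # a client that already uses the router
    only_4001 = [r for r in NAT_RULES if r["num"] == 4001]
    return {
        "wii_both_rules": apply_dnat(NAT_RULES, wii),
        "laptop_both_rules": apply_dnat(NAT_RULES, laptop),
        "to_router_both_rules": apply_dnat(NAT_RULES, to_router),
        "wii_4001_only": apply_dnat(only_4001, wii),
        "laptop_4001_only": apply_dnat(only_4001, laptop),
        "wii_untouched_4001_only": apply_dnat(only_4001, q("192.168.0.20", "192.168.15.25")),
    }
```

The report separates the queries rule 4000 still captures from those that reach 4001, including a query already addressed to the router.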