
EdgeRouter config

a guest
Aug 7th, 2022
  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. }
  6. ipv6-name WANv6_IN {
  7. default-action drop
  8. rule 10 {
  9. action accept
  10. description "Allow established/related"
  11. state {
  12. established enable
  13. related enable
  14. }
  15. }
  16. rule 20 {
  17. action drop
  18. description "Drop invalid state"
  19. state {
  20. invalid enable
  21. }
  22. }
  23. rule 30 {
  24. action accept
  25. description "Allow ICMPv6"
  26. icmpv6 {
  27. type echo-request
  28. }
  29. protocol ipv6-icmp
  30. }
  31. }
  32. ipv6-name WANv6_LOCAL {
  33. default-action drop
  34. rule 10 {
  35. action accept
  36. description "Allow established/related"
  37. state {
  38. established enable
  39. related enable
  40. }
  41. }
  42. rule 20 {
  43. action drop
  44. description "Drop invalid state"
  45. state {
  46. invalid enable
  47. }
  48. }
  49. rule 30 {
  50. action accept
  51. description "Allow ICMPv6"
  52. protocol ipv6-icmp
  53. }
  54. rule 40 {
  55. action accept
  56. description "Allow DHCPv6"
  57. destination {
  58. port 546
  59. }
  60. protocol udp
  61. source {
  62. port 547
  63. }
  64. }
  65. }
  66. ipv6-receive-redirects disable
  67. ipv6-src-route disable
  68. ip-src-route disable
  69. log-martians enable
  70. name WAN_IN {
  71. default-action drop
  72. description "WAN to internal"
  73. rule 10 {
  74. action accept
  75. description "Allow established/related"
  76. state {
  77. established enable
  78. related enable
  79. }
  80. }
  81. rule 20 {
  82. action drop
  83. description "Drop invalid state"
  84. state {
  85. invalid enable
  86. }
  87. }
  88. }
  89. name WAN_LOCAL {
  90. default-action drop
  91. description "WAN to router"
  92. rule 10 {
  93. action accept
  94. description "Allow established/related"
  95. state {
  96. established enable
  97. related enable
  98. }
  99. }
  100. rule 20 {
  101. action drop
  102. description "Drop invalid state"
  103. state {
  104. invalid enable
  105. }
  106. }
  107. rule 30 {
  108. action accept
  109. description "Allow ICMP"
  110. log disable
  111. protocol icmp
  112. }
  113. }
  114. options {
  115. mss-clamp {
  116. mss 1412
  117. }
  118. }
  119. receive-redirects disable
  120. send-redirects enable
  121. source-validation disable
  122. syn-cookies enable
  123. }
  124. interfaces {
  125. ethernet eth0 {
  126. duplex auto
  127. mtu 1512
  128. speed auto
  129. vif 4 {
  130. address dhcp
  131. description TV
  132. dhcp-options {
  133. client-option "send vendor-class-identifier "IPTV_RG";"
  134. client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
  135. default-route no-update
  136. default-route-distance 210
  137. name-server update
  138. }
  139. mtu 1500
  140. }
  141. vif 6 {
  142. description "Internet (PPPoE)"
  143. mtu 1508
  144. pppoe 0 {
  145. default-route auto
  146. dhcpv6-pd {
  147. no-dns
  148. pd 0 {
  149. interface switch0 {
  150. host-address ::1
  151. prefix-id :1
  152. service slaac
  153. }
  154. prefix-length /48
  155. }
  156. rapid-commit enable
  157. }
  158. firewall {
  159. in {
  160. ipv6-name WANv6_IN
  161. name WAN_IN
  162. }
  163. local {
  164. ipv6-name WANv6_LOCAL
  165. name WAN_LOCAL
  166. }
  167. }
  168. ipv6 {
  169. address {
  170. autoconf
  171. }
  172. dup-addr-detect-transmits 1
  173. enable {
  174. }
  175. }
  176. mtu 1500
  177. name-server auto
  178. password ppp
  179. user-id kpn
  180. }
  181. }
  182. }
  183. ethernet eth1 {
  184. description Local
  185. duplex auto
  186. speed auto
  187. }
  188. ethernet eth2 {
  189. description Local
  190. duplex auto
  191. speed auto
  192. }
  193. ethernet eth3 {
  194. description Local
  195. duplex auto
  196. speed auto
  197. }
  198. ethernet eth4 {
  199. description Local
  200. duplex auto
  201. poe {
  202. output off
  203. }
  204. speed auto
  205. }
  206. loopback lo {
  207. }
  208. switch switch0 {
  209. address 192.168.0.1/24
  210. description Local
  211. ipv6 {
  212. dup-addr-detect-transmits 1
  213. router-advert {
  214. cur-hop-limit 64
  215. link-mtu 0
  216. managed-flag false
  217. max-interval 600
  218. other-config-flag false
  219. prefix ::/64 {
  220. autonomous-flag true
  221. on-link-flag true
  222. valid-lifetime 2592000
  223. }
  224. reachable-time 0
  225. retrans-timer 0
  226. send-advert true
  227. }
  228. }
  229. mtu 1500
  230. switch-port {
  231. interface eth1 {
  232. }
  233. interface eth2 {
  234. }
  235. interface eth3 {
  236. }
  237. interface eth4 {
  238. }
  239. vlan-aware disable
  240. }
  241. }
  242. }
  243. port-forward {
  244. auto-firewall enable
  245. hairpin-nat enable
  246. lan-interface switch0
  247. wan-interface pppoe0
  248. }
  249. protocols {
  250. igmp-proxy {
  251. interface eth0.4 {
  252. alt-subnet 0.0.0.0/0
  253. role upstream
  254. threshold 1
  255. }
  256. interface eth1 {
  257. alt-subnet 0.0.0.0/0
  258. role downstream
  259. threshold 1
  260. }
  261. }
  262. static {
  263. interface-route6 ::/0 {
  264. next-hop-interface pppoe0 {
  265. }
  266. }
  267. route 213.75.112.0/21 {
  268. next-hop 10.205.196.1 {
  269. }
  270. }
  271. }
  272. }
  273. service {
  274. dhcp-server {
  275. disabled false
  276. global-parameters "option vendor-class-identifier code 60 = string;"
  277. global-parameters "option broadcast-address code 28 = ip-address;"
  278. hostfile-update disable
  279. shared-network-name LAN {
  280. authoritative enable
  281. subnet 192.168.0.0/24 {
  282. default-router 192.168.0.1
  283. dns-server 192.168.0.200
  284. lease 86400
  285. start 192.168.0.38 {
  286. stop 192.168.0.243
  287. }
  288. }
  289. }
  290. static-arp disable
  291. use-dnsmasq disable
  292. }
  293. dns {
  294. forwarding {
  295. cache-size 150
  296. listen-on switch0
  297. }
  298. }
  299. gui {
  300. http-port 80
  301. https-port 443
  302. older-ciphers enable
  303. }
  304. nat {
  305. rule 5000 {
  306. description TV
  307. destination {
  308. address 213.75.112.0/21
  309. }
  310. log disable
  311. outbound-interface eth0.4
  312. protocol all
  313. source {
  314. }
  315. type masquerade
  316. }
  317. rule 5010 {
  318. description "masquerade for WAN"
  319. log disable
  320. outbound-interface pppoe0
  321. protocol all
  322. type masquerade
  323. }
  324. }
  325. snmp {
  326. community public {
  327. authorization ro
  328. }
  329. listen-address 0.0.0.0 {
  330. port 161
  331. }
  332. }
  333. ssh {
  334. port 22
  335. protocol-version v2
  336. }
  337. unms {
  338. disable
  339. }
  340. upnp {
  341. }
  342. upnp2 {
  343. listen-on switch0
  344. nat-pmp enable
  345. secure-mode enable
  346. wan pppoe0
  347. }
  348. }
  349. system {
  350. analytics-handler {
  351. send-analytics-report false
  352. }
  353. crash-handler {
  354. send-crash-report false
  355. }
  356. host-name ubnt
  357. login {
  358. user ubnt {
  359. authentication {
  360. encrypted-password $5$P1rJggIlzgBzhAiX$kIZOMSSKW7Zlw4le2/6bzpEFxkTAdup5RDku95N.m57
  361. }
  362. level admin
  363. }
  364. }
  365. ntp {
  366. server 0.ubnt.pool.ntp.org {
  367. }
  368. server 1.ubnt.pool.ntp.org {
  369. }
  370. server 2.ubnt.pool.ntp.org {
  371. }
  372. server 3.ubnt.pool.ntp.org {
  373. }
  374. }
  375. offload {
  376. hwnat enable
  377. ipsec enable
  378. }
  379. syslog {
  380. global {
  381. facility all {
  382. level notice
  383. }
  384. facility protocols {
  385. level debug
  386. }
  387. }
  388. }
  389. time-zone Europe/Amsterdam
  390. traffic-analysis {
  391. dpi enable
  392. export enable
  393. }
  394. }
  395. traffic-control {
  396. }
  397.  
  398.  
  399. /* Warning: Do not remove the following line. */
  400. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
  401. /* Release version: v2.0.9-hotfix.4.5521907.220630.0657 */
  402.  