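- ) Set up interface eth1 and configure the DHCP/DNS server (note: the default-router handed out below is 192.168.2.254, which lies outside the 192.168.1.0/24 subnet served here and does not match the eth1 address 192.168.1.254; clients need a gateway inside their own subnet, so make these agree before committing)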
- configure
- set interfaces ethernet eth1 address 192.168.1.254/24
- set interfaces ethernet eth1 description "eth1 - LAN"
- set interfaces ethernet eth1 duplex auto
- set interfaces ethernet eth1 speed auto
- set service dhcp-server disabled false
- set service dhcp-server hostfile-update disable
- set service dhcp-server shared-network-name LAN authoritative enable
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.2.254
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.8.8
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.4.4
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.50
- set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.50 stop 192.168.1.200
- set service dns forwarding cache-size 150
- set service dns forwarding listen-on eth1
- set service dns forwarding name-server 8.8.8.8
- set service dns forwarding name-server 8.8.4.4
- set service dns forwarding options listen-address=192.168.1.254
- commit
- save
- exit
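- ) Configure the firewall (the WAN_IN and WAN_LOCAL rulesets defined here filter nothing until they are attached to the pppoe interface, which is done in the next step)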
- configure
- set firewall all-ping enable
- set firewall broadcast-ping disable
- set firewall ipv6-receive-redirects disable
- set firewall ipv6-src-route disable
- set firewall ip-src-route disable
- set firewall log-martians enable
- set firewall receive-redirects disable
- set firewall send-redirects enable
- set firewall source-validation disable
- set firewall syn-cookies enable
- set firewall name WAN_IN default-action drop
- set firewall name WAN_IN description "WAN to Internal"
- set firewall name WAN_IN enable-default-log
- set firewall name WAN_IN rule 10 action accept
- set firewall name WAN_IN rule 10 description "Allow established/related"
- set firewall name WAN_IN rule 10 log enable
- set firewall name WAN_IN rule 10 protocol all
- set firewall name WAN_IN rule 10 state established enable
- set firewall name WAN_IN rule 10 state invalid disable
- set firewall name WAN_IN rule 10 state new disable
- set firewall name WAN_IN rule 10 state related enable
- set firewall name WAN_IN rule 20 action drop
- set firewall name WAN_IN rule 20 description "Drop invalid state"
- set firewall name WAN_IN rule 20 log enable
- set firewall name WAN_IN rule 20 protocol all
- set firewall name WAN_IN rule 20 state established disable
- set firewall name WAN_IN rule 20 state invalid enable
- set firewall name WAN_IN rule 20 state new disable
- set firewall name WAN_IN rule 20 state related disable
- set firewall name WAN_LOCAL default-action drop
- set firewall name WAN_LOCAL description "WAN to router"
- set firewall name WAN_LOCAL enable-default-log
- set firewall name WAN_LOCAL rule 10 action accept
- set firewall name WAN_LOCAL rule 10 description "Allow established/related"
- set firewall name WAN_LOCAL rule 10 log disable
- set firewall name WAN_LOCAL rule 10 protocol all
- set firewall name WAN_LOCAL rule 10 state established enable
- set firewall name WAN_LOCAL rule 10 state invalid disable
- set firewall name WAN_LOCAL rule 10 state new disable
- set firewall name WAN_LOCAL rule 10 state related enable
- set firewall name WAN_LOCAL rule 20 action drop
- set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
- set firewall name WAN_LOCAL rule 20 log disable
- set firewall name WAN_LOCAL rule 20 protocol all
- set firewall name WAN_LOCAL rule 20 state established disable
- set firewall name WAN_LOCAL rule 20 state invalid enable
- set firewall name WAN_LOCAL rule 20 state new disable
- set firewall name WAN_LOCAL rule 20 state related disable
- commit
- save
- exit
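- ) Generate the configuration line for the user-id used for PPPoE authentication, then configure eth0 and the PPPoE session (the echo below prints a "set interfaces ... user-id" line; enter that printed line inside the configure session that follows, before commit)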
- sudo su
- pppoe_id=$(ifconfig | grep -m 1 eth0 | awk '{print $5}' | awk -F':' '{print "set interfaces ethernet eth0 vif 6 pppoe 0 user-id "$1"-"$2"-"$3"-"$4"-"$5"-"$6"@internet"}')
- echo "$pppoe_id"
- exit
- configure
- delete interfaces ethernet eth0 address
- set interfaces ethernet eth0 description "eth0 - FTU"
- set interfaces ethernet eth0 duplex auto
- set interfaces ethernet eth0 speed auto
- set interfaces ethernet eth0 mtu 1512
- set interfaces ethernet eth0 vif 6 description "eth0.6 - Internet"
- set interfaces ethernet eth0 vif 6 mtu 1508
- set interfaces ethernet eth0 vif 6 pppoe 0 password kpn
- set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto
- set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto
- set interfaces ethernet eth0 vif 6 pppoe 0 idle-timeout 180
- set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1500
- set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WAN_IN
- set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WAN_LOCAL
- set system name-server 8.8.8.8
- set system name-server 8.8.4.4
- commit
- save
- exit
- ) Configure hardware offloading for the IPv4 connection
- configure
- set system offload ipv4 forwarding enable
- set system offload ipv4 pppoe enable
- set system offload ipv4 vlan enable
- commit
- save
- exit
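- ) Configure NAT to allow the LAN to access the internet (note: rule 5010 below matches source 192.168.2.0/24, while the LAN configured on eth1 above is 192.168.1.0/24; the source address must cover the actual LAN subnet or its traffic will not be masqueraded)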
- configure
- set service nat rule 5010 description "KPN Internet"
- set service nat rule 5010 log enable
- set service nat rule 5010 outbound-interface pppoe0
- set service nat rule 5010 protocol all
- set service nat rule 5010 source address 192.168.2.0/24
- set service nat rule 5010 type masquerade
- commit
- save
- exit
- ) Enable Traffic inspection (DPI)
- configure
- set system traffic-analysis dpi enable
- set system traffic-analysis export enable
- commit
- save
- exit
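- ) Add the Debian APT repository (to install tools like nano/iptraf). Debian wheezy is end-of-life and no longer receives security updates, so use the Debian release your firmware is based on and install only the packages you need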
- configure
- set system package repository wheezy components "main contrib non-free"
- set system package repository wheezy distribution wheezy
- set system package repository wheezy url http://mirror.leaseweb.com/debian
- set system package repository wheezy-security components main
- set system package repository wheezy-security distribution wheezy/updates
- set system package repository wheezy-security url http://security.debian.org
- commit
- save
- exit
- sudo apt-get update
- sudo apt-get install package
- ) Configure a bridge between Edgerouter and switch for IPTV
- configure
- set interfaces bridge br0
- set interfaces ethernet eth0 vif 4 bridge-group bridge br0
- set interfaces ethernet eth0 vif 4 description "eth0.4 - IPTV"
- set interfaces ethernet eth0 vif 4 mtu 1500
- set interfaces ethernet eth4 description "eth4 - IPTV"
- set interfaces ethernet eth4 duplex auto
- set interfaces ethernet eth4 speed auto
- set interfaces ethernet eth4 vif 4 bridge-group bridge br0
- set interfaces ethernet eth4 vif 4 description "eth4.4 - IPTV"
- set interfaces ethernet eth4 vif 4 mtu 1500
- commit
- save
- exit
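- ) Set up routed IPTV (note: no firewall ruleset is attached to eth0 vif 4 anywhere on this page, so traffic arriving on the IPTV VLAN is not filtered by WAN_IN/WAN_LOCAL; consider attaching a ruleset that still permits the IPTV traffic)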
- configure
- set interfaces ethernet eth0 vif 4 address dhcp
- set interfaces ethernet eth0 vif 4 description "eth0.4 - IPTV"
- set interfaces ethernet eth0 vif 4 dhcp-options client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
- set interfaces ethernet eth0 vif 4 dhcp-options client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
- set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update
- set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210
- set interfaces ethernet eth0 vif 4 dhcp-options name-server update
- commit
- save
- exit
- ) Modify our DHCP configuration to include IPTV parameters
- configure
- set service dhcp-server global-parameters "option vendor-class-identifier code 60 = string;"
- set service dhcp-server global-parameters "option broadcast-address code 28 = ip-address;"
- commit
- save
- exit
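- ) NAT rules are required for the IPTV set-top box to connect to the IPTV platform (note: rule 5000 below masquerades on eth4.4, whereas the routed IPTV address is obtained on eth0 vif 4 above; verify that the outbound interface is the one that actually faces the IPTV network)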
- ) The following commands will return 2 configuration lines required.
- sudo su
- r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }');
- iptv_static=$(echo "set protocols static route 213.75.112.0/21 next-hop $r_ip")
- echo -e "$iptv_static"
- exit
- configure
- set service nat rule 5000 description IPTV
- set service nat rule 5000 log disable
- set service nat rule 5000 outbound-interface eth4.4
- set service nat rule 5000 protocol all
- set service nat rule 5000 destination address 213.75.112.0/21
- set service nat rule 5000 type masquerade
- commit
- save
- exit
- ) Set up the IGMP proxy
- configure
- set protocols igmp-proxy interface eth4.4 alt-subnet 0.0.0.0/0
- set protocols igmp-proxy interface eth4.4 role upstream
- set protocols igmp-proxy interface eth4.4 threshold 1
- set protocols igmp-proxy interface eth1 alt-subnet 0.0.0.0/0
- set protocols igmp-proxy interface eth1 role downstream
- set protocols igmp-proxy interface eth1 threshold 1
- commit
- save
- exit