edgerouter lite - kpn + iptv

a guest
Jan 13th, 2016
559
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.79 KB | None | 0 0
  1. Search/Replace in initial config:
  2. -----------------------------------------------------------------------------
  3. [MAC] with the MAC address of eth0 (example: 0a-1b-2c-3d-4e-6f)
  4.  
  5.  
  6.  
  7. Search/Replace in config after WAN is online to configure IPTV:
  8. -----------------------------------------------------------------------------
  9. [ROUTER-IP] with the router (gateway) IP address learned on eth0.4 (get with command: show dhcp client leases)
  10. [NAT-MASK] with the network/mask of eth0.4 (get with command: show dhcp client leases)
  11. - calculate the network/mask from the router IP + netmask (example: if router ip = 10.244.64.1 and netmask 255.255.192.0, network/mask = 10.244.64.0/18)
  12. - ipcalc tool @ http://jodies.de/ipcalc
  - note: in the configs below only pppoe0 has the WAN_IN/WAN_LOCAL/WAN_OUT firewall sets attached; eth0.4 (the IPTV vif, which gets a DHCP address from the provider network) has none, so the router's ssh (port 22) and gui (https-port 443) listeners are reachable from that network. Attach a local ruleset (e.g. WAN_LOCAL) to vif 4 if that is not intended.
  - note: the system login section below contains a published encrypted-password for user ubnt; set a new password before putting the config on a router.
  13.  
  14.  
  15.  
  16. Initial configuration file (/config/config.boot) without IPTV:
  17. -----------------------------------------------------------------------------
  18.  
  19. firewall {
  20. all-ping enable
  21. broadcast-ping disable
  22. group {
  23. network-group LocalNetworks {
  24. description ""
  25. network 10.0.0.0/8
  26. network 172.16.0.0/12
  27. network 192.168.0.0/16
  28. }
  29. port-group UnwantedPorts {
  30. description ""
  31. port smtp
  32. port 67-68
  33. port 135-139
  34. port 213
  35. port 389
  36. port 445
  37. port 464
  38. port 593
  39. }
  40. }
  41. ipv6-receive-redirects disable
  42. ipv6-src-route disable
  43. ip-src-route disable
  44. log-martians enable
  45. name WAN_IN {
  46. default-action drop
  47. description "WAN to Internal"
  48. enable-default-log
  49. rule 1 {
  50. action accept
  51. description "Allow established/related"
  52. log enable
  53. protocol all
  54. state {
  55. established enable
  56. invalid disable
  57. new disable
  58. related enable
  59. }
  60. }
  61. rule 2 {
  62. action drop
  63. description "Drop invalid state"
  64. log enable
  65. protocol all
  66. state {
  67. established disable
  68. invalid enable
  69. new disable
  70. related disable
  71. }
  72. }
  73. }
  74. name WAN_LOCAL {
  75. default-action drop
  76. description "WAN to router"
  77. enable-default-log
  78. rule 1 {
  79. action accept
  80. description "Allow established/related"
  81. log disable
  82. protocol all
  83. state {
  84. established enable
  85. invalid disable
  86. new disable
  87. related enable
  88. }
  89. }
  90. rule 2 {
  91. action drop
  92. description "Drop invalid state"
  93. log disable
  94. protocol all
  95. state {
  96. established disable
  97. invalid enable
  98. new disable
  99. related disable
  100. }
  101. }
  102. }
  103. name WAN_OUT {
  104. default-action accept
  105. enable-default-log
  106. rule 1 {
  107. action drop
  108. description "Block unwanted outgoing traffic"
  109. destination {
  110. group {
  111. port-group UnwantedPorts
  112. }
  113. }
  114. log enable
  115. protocol tcp_udp
  116. }
  117. rule 2 {
  118. action drop
  119. description "Block private IP-spaces from entering WAN"
  120. destination {
  121. group {
  122. network-group LocalNetworks
  123. }
  124. }
  125. log enable
  126. protocol all
  127. }
  128. }
  129. options {
  130. mss-clamp {
  131. interface-type pppoe
  132. mss 1412
  133. }
  134. }
  135. receive-redirects disable
  136. send-redirects enable
  137. source-validation disable
  138. syn-cookies enable
  139. }
  140. interfaces {
  141. bridge br0 {
  142. aging 300
  143. bridged-conntrack disable
  144. description "br0 - Telefonie"
  145. hello-time 2
  146. max-age 20
  147. priority 32768
  148. promiscuous disable
  149. stp false
  150. }
  151. ethernet eth0 {
  152. description "eth0 - FTTH"
  153. duplex auto
  154. mtu 1500
  155. speed auto
  156. vif 4 {
  157. address dhcp
  158. description "eth0.4 - IPTV"
  159. dhcp-options {
  160. client-option "send vendor-class-identifier "IPTV_RG";"
  161. client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
  162. default-route update
  163. default-route-distance 210
  164. name-server update
  165. }
  166. }
  167. vif 6 {
  168. description "eth0.6 - Internet"
  169. firewall {
  170. }
  171. pppoe 0 {
  172. default-route auto
  173. firewall {
  174. in {
  175. name WAN_IN
  176. }
  177. local {
  178. name WAN_LOCAL
  179. }
  180. out {
  181. name WAN_OUT
  182. }
  183. }
  184. idle-timeout 180
  185. mtu 1492
  186. name-server auto
  187. password kpn
  188. user-id [MAC]@internet
  189. }
  190. }
  191. vif 7 {
  192. bridge-group {
  193. bridge br0
  194. }
  195. description "eth0.7 - Telefonie"
  196. }
  197. }
  198. ethernet eth1 {
  199. address 192.168.2.254/24
  200. description "eth1 - LAN"
  201. duplex auto
  202. speed auto
  203. }
  204. ethernet eth2 {
  205. bridge-group {
  206. bridge br0
  207. }
  208. description "eth2 - ExperiaBox"
  209. duplex auto
  210. speed auto
  211. }
  212. loopback lo {
  213. }
  214. }
  215. service {
  216. dhcp-server {
  217. disabled false
  218. global-parameters "option vendor-class-identifier code 60 = string;"
  219. global-parameters "option broadcast-address code 28 = ip-address;"
  220. hostfile-update disable
  221. shared-network-name LAN {
  222. authoritative enable
  223. subnet 192.168.2.0/24 {
  224. default-router 192.168.2.254
  225. dns-server 8.8.8.8
  226. dns-server 8.8.4.4
  227. lease 86400
  228. start 192.168.2.50 {
  229. stop 192.168.2.200
  230. }
  231. subnet-parameters "option vendor-class-identifier "IPTV_RG";"
  232. subnet-parameters "option broadcast-address 192.168.2.255;"
  233. }
  234. }
  235. }
  236. dns {
  237. forwarding {
  238. cache-size 150
  239. listen-on eth1
  240. name-server 8.8.8.8
  241. name-server 8.8.4.4
  242. options listen-address=192.168.2.254
  243. }
  244. }
  245. gui {
  246. https-port 443
  247. }
  248. nat {
  249. rule 5002 {
  250. description "KPN Internet"
  251. log enable
  252. outbound-interface pppoe0
  253. protocol all
  254. source {
  255. address 192.168.2.0/24
  256. }
  257. type masquerade
  258. }
  259. }
  260. ssh {
  261. port 22
  262. protocol-version v2
  263. }
  264. }
  265. system {
  266. host-name ubnt
  267. login {
  268. user ubnt {
  269. authentication {
  270. encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
  271. }
  272. level admin
  273. }
  274. }
  275. ntp {
  276. server 0.ubnt.pool.ntp.org {
  277. }
  278. server 1.ubnt.pool.ntp.org {
  279. }
  280. server 2.ubnt.pool.ntp.org {
  281. }
  282. server 3.ubnt.pool.ntp.org {
  283. }
  284. }
  285. offload {
  286. ipv4 {
  287. forwarding enable
  288. pppoe enable
  289. vlan enable
  290. }
  291. }
  292. package {
  293. repository wheezy {
  294. components "main contrib non-free"
  295. distribution wheezy
  296. password ""
  297. url http://mirror.leaseweb.com/debian
  298. username ""
  299. }
  300. repository wheezy-security {
  301. components main
  302. distribution wheezy/updates
  303. password ""
  304. url http://security.debian.org
  305. username ""
  306. }
  307. }
  308. syslog {
  309. global {
  310. facility all {
  311. level notice
  312. }
  313. facility protocols {
  314. level debug
  315. }
  316. }
  317. }
  318. time-zone UTC
  319. traffic-analysis {
  320. dpi enable
  321. export enable
  322. }
  323. }
  324.  
  325.  
  326. /* Warning: Do not remove the following line. */
  327. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  328. /* Release version: v1.7.0.4783374.150622.1534 */
  329.  
  330.  
  331.  
  332.  
  333.  
  334.  
  335.  
  336. Configuration file (/config/config.boot) including IPTV:
  337. -----------------------------------------------------------------------------
  338.  
  339. firewall {
  340. all-ping enable
  341. broadcast-ping disable
  342. group {
  343. network-group LocalNetworks {
  344. description ""
  345. network 10.0.0.0/8
  346. network 172.16.0.0/12
  347. network 192.168.0.0/16
  348. }
  349. port-group UnwantedPorts {
  350. description ""
  351. port smtp
  352. port 67-68
  353. port 135-139
  354. port 213
  355. port 389
  356. port 445
  357. port 464
  358. port 593
  359. }
  360. }
  361. ipv6-receive-redirects disable
  362. ipv6-src-route disable
  363. ip-src-route disable
  364. log-martians enable
  365. name WAN_IN {
  366. default-action drop
  367. description "WAN to Internal"
  368. enable-default-log
  369. rule 1 {
  370. action accept
  371. description "Allow established/related"
  372. log enable
  373. protocol all
  374. state {
  375. established enable
  376. invalid disable
  377. new disable
  378. related enable
  379. }
  380. }
  381. rule 2 {
  382. action drop
  383. description "Drop invalid state"
  384. log enable
  385. protocol all
  386. state {
  387. established disable
  388. invalid enable
  389. new disable
  390. related disable
  391. }
  392. }
  393. }
  394. name WAN_LOCAL {
  395. default-action drop
  396. description "WAN to router"
  397. enable-default-log
  398. rule 1 {
  399. action accept
  400. description "Allow established/related"
  401. log disable
  402. protocol all
  403. state {
  404. established enable
  405. invalid disable
  406. new disable
  407. related enable
  408. }
  409. }
  410. rule 2 {
  411. action drop
  412. description "Drop invalid state"
  413. log disable
  414. protocol all
  415. state {
  416. established disable
  417. invalid enable
  418. new disable
  419. related disable
  420. }
  421. }
  422. }
  423. name WAN_OUT {
  424. default-action accept
  425. enable-default-log
  426. rule 1 {
  427. action drop
  428. description "Block unwanted outgoing traffic"
  429. destination {
  430. group {
  431. port-group UnwantedPorts
  432. }
  433. }
  434. log enable
  435. protocol tcp_udp
  436. }
  437. rule 2 {
  438. action drop
  439. description "Block private IP-spaces from entering WAN"
  440. destination {
  441. group {
  442. network-group LocalNetworks
  443. }
  444. }
  445. log enable
  446. protocol all
  447. }
  448. }
  449. options {
  450. mss-clamp {
  451. interface-type pppoe
  452. mss 1412
  453. }
  454. }
  455. receive-redirects disable
  456. send-redirects enable
  457. source-validation disable
  458. syn-cookies enable
  459. }
  460. interfaces {
  461. bridge br0 {
  462. aging 300
  463. bridged-conntrack disable
  464. description "br0 - Telefonie"
  465. hello-time 2
  466. max-age 20
  467. priority 32768
  468. promiscuous disable
  469. stp false
  470. }
  471. ethernet eth0 {
  472. description "eth0 - FTTH"
  473. duplex auto
  474. mtu 1500
  475. speed auto
  476. vif 4 {
  477. address dhcp
  478. description "eth0.4 - IPTV"
  479. dhcp-options {
  480. client-option "send vendor-class-identifier "IPTV_RG";"
  481. client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
  482. default-route update
  483. default-route-distance 210
  484. name-server update
  485. }
  486. }
  487. vif 6 {
  488. description "eth0.6 - Internet"
  489. firewall {
  490. }
  491. pppoe 0 {
  492. default-route auto
  493. firewall {
  494. in {
  495. name WAN_IN
  496. }
  497. local {
  498. name WAN_LOCAL
  499. }
  500. out {
  501. name WAN_OUT
  502. }
  503. }
  504. idle-timeout 180
  505. mtu 1492
  506. name-server auto
  507. password kpn
  508. user-id [MAC]@internet
  509. }
  510. }
  511. vif 7 {
  512. bridge-group {
  513. bridge br0
  514. }
  515. description "eth0.7 - Telefonie"
  516. }
  517. }
  518. ethernet eth1 {
  519. address 192.168.2.254/24
  520. description "eth1 - LAN"
  521. duplex auto
  522. speed auto
  523. }
  524. ethernet eth2 {
  525. bridge-group {
  526. bridge br0
  527. }
  528. description "eth2 - ExperiaBox"
  529. duplex auto
  530. speed auto
  531. }
  532. loopback lo {
  533. }
  534. }
  535. protocols {
  536. igmp-proxy {
  537. interface eth0.4 {
  538. alt-subnet 0.0.0.0/0
  539. role upstream
  540. threshold 1
  541. }
  542. interface eth1 {
  543. alt-subnet 0.0.0.0/0
  544. role downstream
  545. threshold 1
  546. }
  547. }
  548. static {
  549. route 213.75.112.0/21 {
  550. next-hop [ROUTER-IP] {
  551. }
  552. }
  553. }
  554. }
  555. service {
  556. dhcp-server {
  557. disabled false
  558. global-parameters "option vendor-class-identifier code 60 = string;"
  559. global-parameters "option broadcast-address code 28 = ip-address;"
  560. hostfile-update disable
  561. shared-network-name LAN {
  562. authoritative enable
  563. subnet 192.168.2.0/24 {
  564. default-router 192.168.2.254
  565. dns-server 8.8.8.8
  566. dns-server 8.8.4.4
  567. lease 86400
  568. start 192.168.2.50 {
  569. stop 192.168.2.200
  570. }
  571. subnet-parameters "option vendor-class-identifier "IPTV_RG";"
  572. subnet-parameters "option broadcast-address 192.168.2.255;"
  573. }
  574. }
  575. }
  576. dns {
  577. forwarding {
  578. cache-size 150
  579. listen-on eth1
  580. name-server 8.8.8.8
  581. name-server 8.8.4.4
  582. options listen-address=192.168.2.254
  583. }
  584. }
  585. gui {
  586. https-port 443
  587. }
  588. nat {
  589. rule 5000 {
  590. description IPTV
  591. destination {
  592. address [NAT-MASK]
  593. }
  594. log disable
  595. outbound-interface eth0.4
  596. protocol all
  597. source {
  598. }
  599. type masquerade
  600. }
  601. rule 5001 {
  602. description IPTV
  603. destination {
  604. address 213.75.112.0/21
  605. }
  606. log disable
  607. outbound-interface eth0.4
  608. protocol all
  609. source {
  610. }
  611. type masquerade
  612. }
  613. rule 5002 {
  614. description "KPN Internet"
  615. log enable
  616. outbound-interface pppoe0
  617. protocol all
  618. source {
  619. address 192.168.2.0/24
  620. }
  621. type masquerade
  622. }
  623. }
  624. ssh {
  625. port 22
  626. protocol-version v2
  627. }
  628. }
  629. system {
  630. host-name ubnt
  631. login {
  632. user ubnt {
  633. authentication {
  634. encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
  635. }
  636. level admin
  637. }
  638. }
  639. ntp {
  640. server 0.ubnt.pool.ntp.org {
  641. }
  642. server 1.ubnt.pool.ntp.org {
  643. }
  644. server 2.ubnt.pool.ntp.org {
  645. }
  646. server 3.ubnt.pool.ntp.org {
  647. }
  648. }
  649. offload {
  650. ipv4 {
  651. forwarding enable
  652. pppoe enable
  653. vlan enable
  654. }
  655. }
  656. package {
  657. repository wheezy {
  658. components "main contrib non-free"
  659. distribution wheezy
  660. password ""
  661. url http://mirror.leaseweb.com/debian
  662. username ""
  663. }
  664. repository wheezy-security {
  665. components main
  666. distribution wheezy/updates
  667. password ""
  668. url http://security.debian.org
  669. username ""
  670. }
  671. }
  672. syslog {
  673. global {
  674. facility all {
  675. level notice
  676. }
  677. facility protocols {
  678. level debug
  679. }
  680. }
  681. }
  682. time-zone UTC
  683. traffic-analysis {
  684. dpi enable
  685. export enable
  686. }
  687. }
  688.  
  689.  
  690. /* Warning: Do not remove the following line. */
  691. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  692. /* Release version: v1.7.0.4783374.150622.1534 */