Last active
August 8, 2022 19:56
-
-
Save TotalLag/a35deaf482429dc259df42db3be74a83 to your computer and use it in GitHub Desktop.
My config commands on a UBNT EdgeRouter 5 PoE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| firewall { | |
| all-ping enable | |
| broadcast-ping disable | |
| group { | |
| address-group Chromecast { | |
| address 239.255.255.250 | |
| description "Use /32" | |
| } | |
| address-group Private-RFC-Ranges { | |
| address 10.0.0.0/8 | |
| address 172.16.0.0/12 | |
| address 192.168.0.0/16 | |
| description "RFC 1918 Private Ranges" | |
| } | |
| ipv6-address-group IPv6-FE80 { | |
| description "fe80::/10 (aka Link-Local) Network" | |
| ipv6-address fe80::/10 | |
| } | |
| } | |
| ipv6-name WANv6_IN { | |
| default-action drop | |
| description "WAN inbound traffic forwarded to LAN" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related sessions" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name WANv6_LOCAL { | |
| default-action drop | |
| description "WAN inbound traffic to the router" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related sessions" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Allow IPv6 icmp" | |
| protocol ipv6-icmp | |
| } | |
| rule 40 { | |
| action accept | |
| description "allow dhcpv6" | |
| destination { | |
| port 546 | |
| } | |
| protocol udp | |
| source { | |
| port 547 | |
| } | |
| } | |
| } | |
| ipv6-receive-redirects disable | |
| ipv6-src-route disable | |
| ip-src-route disable | |
| log-martians enable | |
| name LAN_IN { | |
| default-action accept | |
| description "packets from lan to internet" | |
| rule 1 { | |
| action accept | |
| description chromecast | |
| destination { | |
| address 192.168.1.16 | |
| } | |
| log enable | |
| protocol all | |
| source { | |
| address 192.168.1.214 | |
| } | |
| } | |
| } | |
| name LAN_LOCAL { | |
| default-action accept | |
| description "packets from lan to the router" | |
| } | |
| name WAN_IN { | |
| default-action drop | |
| description "packets from Internet to LAN" | |
| rule 20 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 30 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name WAN_LOCAL { | |
| default-action drop | |
| description "packets from Internet to the router" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Allow SSH" | |
| destination { | |
| port 2255 | |
| } | |
| log disable | |
| protocol tcp | |
| state { | |
| established disable | |
| invalid disable | |
| new enable | |
| related disable | |
| } | |
| } | |
| } | |
| options { | |
| mss-clamp { | |
| interface-type all | |
| mss 1452 | |
| } | |
| mss-clamp6 { | |
| mss 1452 | |
| } | |
| } | |
| receive-redirects disable | |
| send-redirects enable | |
| source-validation disable | |
| syn-cookies enable | |
| } | |
| interfaces { | |
| ethernet eth0 { | |
| address dhcp | |
| description Internet | |
| dhcp-options { | |
| default-route update | |
| default-route-distance 210 | |
| name-server no-update | |
| } | |
| dhcpv6-pd { | |
| no-dns | |
| pd 0 { | |
| interface switch0 { | |
| host-address ::1 | |
| prefix-id :1 | |
| service dhcpv6-stateless | |
| } | |
| prefix-length 60 | |
| } | |
| rapid-commit enable | |
| } | |
| duplex auto | |
| firewall { | |
| in { | |
| ipv6-name WANv6_IN | |
| name WAN_IN | |
| } | |
| local { | |
| ipv6-name WANv6_LOCAL | |
| name WAN_LOCAL | |
| } | |
| } | |
| speed auto | |
| } | |
| ethernet eth1 { | |
| description Local | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth2 { | |
| description Local | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth3 { | |
| description Local | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth4 { | |
| description Local | |
| duplex auto | |
| poe { | |
| output off | |
| } | |
| speed auto | |
| } | |
| loopback lo { | |
| } | |
| switch switch0 { | |
| address 192.168.1.1/24 | |
| description Local | |
| firewall { | |
| in { | |
| name LAN_IN | |
| } | |
| local { | |
| name LAN_LOCAL | |
| } | |
| out { | |
| } | |
| } | |
| ipv6 { | |
| dup-addr-detect-transmits 1 | |
| router-advert { | |
| cur-hop-limit 64 | |
| link-mtu 0 | |
| managed-flag false | |
| max-interval 600 | |
| other-config-flag false | |
| prefix ::/64 { | |
| autonomous-flag true | |
| on-link-flag true | |
| valid-lifetime 2592000 | |
| } | |
| reachable-time 0 | |
| retrans-timer 0 | |
| send-advert true | |
| } | |
| } | |
| mtu 1500 | |
| switch-port { | |
| interface eth1 { | |
| } | |
| interface eth2 { | |
| } | |
| interface eth3 { | |
| vlan { | |
| vid 100 | |
| } | |
| } | |
| interface eth4 { | |
| } | |
| vlan-aware disable | |
| } | |
| vif 100 { | |
| address 10.0.100.1/24 | |
| description SERVER | |
| mtu 1500 | |
| } | |
| vif 200 { | |
| address 10.0.200.1/24 | |
| description CoreOS | |
| mtu 1500 | |
| } | |
| } | |
| } | |
| port-forward { | |
| auto-firewall enable | |
| hairpin-nat enable | |
| lan-interface switch0 | |
| rule 1 { | |
| description TC | |
| forward-to { | |
| address 10.0.100.11 | |
| port 17472 | |
| } | |
| original-port 17472 | |
| protocol tcp | |
| } | |
| rule 2 { | |
| description Spider-KVM | |
| forward-to { | |
| address 192.168.1.101 | |
| port 443 | |
| } | |
| original-port 8443 | |
| protocol tcp | |
| } | |
| rule 3 { | |
| description "Unifi Inform" | |
| forward-to { | |
| address 10.0.200.5 | |
| port 8080 | |
| } | |
| original-port 8080 | |
| protocol tcp | |
| } | |
| rule 4 { | |
| description OpenVPN | |
| forward-to { | |
| address 10.0.100.227 | |
| port 1194 | |
| } | |
| original-port 443 | |
| protocol udp | |
| } | |
| wan-interface eth0 | |
| } | |
| protocols { | |
| static { | |
| } | |
| } | |
| service { | |
| dhcp-server { | |
| disabled false | |
| hostfile-update disable | |
| shared-network-name CoreOS { | |
| authoritative disable | |
| subnet 10.0.200.0/24 { | |
| default-router 10.0.200.1 | |
| dns-server 192.168.1.1 | |
| domain-name core.local | |
| lease 3600 | |
| start 10.0.200.11 { | |
| stop 10.0.200.255 | |
| } | |
| static-mapping CoreOS { | |
| ip-address 10.0.200.44 | |
| mac-address 5a:3a:64:a9:24:e8 | |
| } | |
| } | |
| } | |
| shared-network-name LAN { | |
| authoritative enable | |
| subnet 192.168.1.0/24 { | |
| default-router 192.168.1.1 | |
| dns-server 192.168.1.1 | |
| domain-name phan.local | |
| lease 3600 | |
| start 192.168.1.100 { | |
| stop 192.168.1.255 | |
| } | |
| static-mapping Chris-Chromecast { | |
| ip-address 192.168.1.16 | |
| mac-address a4:77:33:45:5f:de | |
| } | |
| static-mapping ESXi { | |
| ip-address 192.168.1.42 | |
| mac-address 78:2b:cb:41:c7:19 | |
| } | |
| static-mapping Honeywell { | |
| ip-address 192.168.1.13 | |
| mac-address 00:d0:2d:63:70:16 | |
| } | |
| static-mapping MFC-7360N { | |
| ip-address 192.168.1.11 | |
| mac-address 64:66:b3:75:62:c5 | |
| } | |
| static-mapping Miner { | |
| ip-address 192.168.1.43 | |
| mac-address 10:7b:44:1b:4c:08 | |
| } | |
| static-mapping Ooma { | |
| ip-address 192.168.1.15 | |
| mac-address 00:18:61:0f:0a:81 | |
| } | |
| static-mapping RT-N66U-5328 { | |
| ip-address 192.168.1.10 | |
| mac-address e0:3f:49:05:53:28 | |
| } | |
| static-mapping Spider-KVM { | |
| ip-address 192.168.1.101 | |
| mac-address 00:80:a3:8e:51:ce | |
| } | |
| static-mapping TP-Link { | |
| ip-address 192.168.1.14 | |
| mac-address c0:4a:00:56:35:66 | |
| } | |
| static-mapping UAC-PRO { | |
| ip-address 192.168.1.12 | |
| mac-address 80:2a:a8:80:48:ab | |
| } | |
| static-mapping UAC-PRO2 { | |
| ip-address 192.168.1.17 | |
| mac-address 78:8a:20:d6:b5:38 | |
| } | |
| } | |
| } | |
| shared-network-name SERVER { | |
| authoritative disable | |
| subnet 10.0.100.0/24 { | |
| default-router 10.0.100.1 | |
| dns-server 192.168.1.1 | |
| domain-name tam.local | |
| lease 120 | |
| start 10.0.100.11 { | |
| stop 10.0.100.255 | |
| } | |
| static-mapping TANIUM { | |
| ip-address 10.0.100.102 | |
| mac-address 6E:80:4A:68:96:E1 | |
| } | |
| static-mapping tanium-next { | |
| ip-address 10.0.100.101 | |
| mac-address aa:86:0c:83:29:72 | |
| } | |
| static-mapping tms1 { | |
| ip-address 10.0.100.13 | |
| mac-address 46:b0:96:3a:eb:99 | |
| } | |
| static-mapping ts1 { | |
| ip-address 10.0.100.11 | |
| mac-address 96:2e:1c:56:ca:44 | |
| } | |
| static-mapping ts2 { | |
| ip-address 10.0.100.12 | |
| mac-address ca:38:b3:21:4b:d4 | |
| } | |
| } | |
| } | |
| static-arp disable | |
| use-dnsmasq enable | |
| } | |
| dns { | |
| dynamic { | |
| interface eth0 { | |
| service dyndns { | |
| host-name **************** | |
| login **************** | |
| password **************** | |
| server updates.dnsomatic.com | |
| } | |
| web https://canihazip.com/s | |
| } | |
| } | |
| forwarding { | |
| cache-size 600 | |
| listen-on switch0 | |
| listen-on switch0.100 | |
| listen-on switch0.200 | |
| listen-on zt3jntj7oi | |
| name-server 45.90.30.227 | |
| name-server 45.90.28.227 | |
| options domain-needed | |
| options strict-order | |
| options expand-hosts | |
| system | |
| } | |
| } | |
| gui { | |
| http-port 8080 | |
| https-port 2053 | |
| older-ciphers enable | |
| } | |
| nat { | |
| rule 1 { | |
| description "DNS Redirect" | |
| destination { | |
| address !192.168.1.1 | |
| port 53 | |
| } | |
| inbound-interface switch0 | |
| inside-address { | |
| address 192.168.1.1 | |
| } | |
| log disable | |
| protocol udp | |
| source { | |
| } | |
| type destination | |
| } | |
| rule 2 { | |
| description UAP-PRO | |
| destination { | |
| address 192.168.1.1 | |
| port 8080 | |
| } | |
| inbound-interface switch0 | |
| inside-address { | |
| address 10.0.200.5 | |
| } | |
| log disable | |
| protocol tcp | |
| source { | |
| group { | |
| } | |
| } | |
| type destination | |
| } | |
| rule 3 { | |
| description "DNS Redirect VLAN100" | |
| destination { | |
| address !192.168.1.1 | |
| port 53 | |
| } | |
| inbound-interface switch0.100 | |
| inside-address { | |
| address 192.168.1.1 | |
| } | |
| log disable | |
| protocol udp | |
| source { | |
| } | |
| type destination | |
| } | |
| rule 4 { | |
| description "DNS Redirect VLAN200" | |
| destination { | |
| address !192.168.1.1 | |
| port 53 | |
| } | |
| inbound-interface switch0.200 | |
| inside-address { | |
| address 192.168.1.1 | |
| } | |
| log disable | |
| protocol udp | |
| source { | |
| } | |
| type destination | |
| } | |
| rule 5 { | |
| description "Tanium LAN" | |
| destination { | |
| address 192.168.1.1 | |
| port 17472,443 | |
| } | |
| inbound-interface switch0 | |
| inside-address { | |
| address 10.0.100.11 | |
| } | |
| log disable | |
| protocol tcp | |
| source { | |
| group { | |
| } | |
| } | |
| type destination | |
| } | |
| rule 6 { | |
| description "Tanium VLAN100" | |
| destination { | |
| address 192.168.1.1 | |
| port 17472,443 | |
| } | |
| inbound-interface switch0.100 | |
| inside-address { | |
| address 10.0.100.11 | |
| } | |
| log disable | |
| protocol tcp | |
| source { | |
| group { | |
| } | |
| } | |
| type destination | |
| } | |
| rule 7 { | |
| description "Tanium VLAN200" | |
| destination { | |
| address 192.168.1.1 | |
| port 17472,443 | |
| } | |
| inbound-interface switch0.200 | |
| inside-address { | |
| address 10.0.100.11 | |
| } | |
| log disable | |
| protocol tcp | |
| source { | |
| group { | |
| } | |
| } | |
| type destination | |
| } | |
| rule 5010 { | |
| description "masquerade for WAN" | |
| outbound-interface eth0 | |
| type masquerade | |
| } | |
| rule 5011 { | |
| description "masquerade for VLAN100" | |
| log disable | |
| outbound-interface switch0.100 | |
| protocol all | |
| type masquerade | |
| } | |
| rule 5012 { | |
| description "masquerade for VLAN200" | |
| log disable | |
| outbound-interface switch0.200 | |
| protocol all | |
| type masquerade | |
| } | |
| } | |
| ssh { | |
| port 2255 | |
| protocol-version v2 | |
| } | |
| unms { | |
| disable | |
| } | |
| } | |
| system { | |
| domain-name phan.local | |
| host-name **************** | |
| ip { | |
| override-hostname-ip 192.168.1.1 | |
| } | |
| login { | |
| user admin { | |
| authentication { | |
| encrypted-password **************** | |
| plaintext-password **************** | |
| } | |
| level admin | |
| } | |
| } | |
| name-server 127.0.0.1 | |
| ntp { | |
| server 0.ubnt.pool.ntp.org { | |
| } | |
| server 1.ubnt.pool.ntp.org { | |
| } | |
| server 2.ubnt.pool.ntp.org { | |
| } | |
| server 3.ubnt.pool.ntp.org { | |
| } | |
| } | |
| offload { | |
| hwnat enable | |
| } | |
| static-host-mapping { | |
| } | |
| syslog { | |
| global { | |
| facility all { | |
| level notice | |
| } | |
| facility protocols { | |
| level debug | |
| } | |
| } | |
| } | |
| time-zone America/Chicago | |
| traffic-analysis { | |
| custom-category Game-Menu { | |
| name SSL/TLS | |
| } | |
| custom-category Steam-Download { | |
| name "Valve Steam" | |
| } | |
| custom-category Windows-Update { | |
| name "Microsoft Windows Update" | |
| } | |
| dpi enable | |
| export enable | |
| } | |
| } | |
| traffic-control { | |
| advanced-queue { | |
| branch { | |
| queue 100 { | |
| bandwidth 6mbit | |
| description Upload | |
| parent 1 | |
| priority 1 | |
| } | |
| queue 200 { | |
| bandwidth 54mbit | |
| description Download | |
| parent 1 | |
| priority 0 | |
| } | |
| } | |
| filters { | |
| match 100 { | |
| attach-to 1 | |
| description "WAN upload" | |
| ip { | |
| source { | |
| address 192.168.1.1/24 | |
| } | |
| } | |
| target 100 | |
| } | |
| match 199 { | |
| attach-to 100 | |
| description Default | |
| target 199 | |
| } | |
| match 200 { | |
| attach-to 1 | |
| description "WAN download" | |
| ip { | |
| destination { | |
| address 192.168.1.1/24 | |
| } | |
| } | |
| target 200 | |
| } | |
| match 211 { | |
| attach-to 200 | |
| description ICMP | |
| ip { | |
| protocol 1 | |
| } | |
| target 210 | |
| } | |
| match 212 { | |
| attach-to 200 | |
| description DNS | |
| ip { | |
| source { | |
| port 53 | |
| } | |
| } | |
| target 210 | |
| } | |
| match 220 { | |
| application { | |
| category Voice-over-IP | |
| } | |
| attach-to 200 | |
| description VoIP | |
| target 220 | |
| } | |
| match 230 { | |
| application { | |
| category Games | |
| } | |
| attach-to 200 | |
| description Gaming | |
| ip { | |
| destination { | |
| port !80 | |
| } | |
| source { | |
| port !50000-60999 | |
| } | |
| } | |
| target 230 | |
| } | |
| match 240 { | |
| application { | |
| category Web | |
| } | |
| attach-to 200 | |
| description HTTP/HTTPS | |
| ip { | |
| source { | |
| port 443 | |
| } | |
| } | |
| target 240 | |
| } | |
| match 241 { | |
| application { | |
| category Web | |
| } | |
| attach-to 200 | |
| description HTTP/HTTPS | |
| ip { | |
| source { | |
| port 80 | |
| } | |
| } | |
| target 240 | |
| } | |
| match 242 { | |
| application { | |
| custom-category Game-Menu | |
| } | |
| attach-to 200 | |
| description "WiiU Browser" | |
| target 240 | |
| } | |
| match 250 { | |
| application { | |
| category P2P | |
| } | |
| attach-to 200 | |
| description P2P | |
| target 250 | |
| } | |
| match 251 { | |
| application { | |
| category File-Transfer | |
| } | |
| attach-to 200 | |
| description "File Transfers" | |
| target 250 | |
| } | |
| match 252 { | |
| application { | |
| custom-category Steam-Download | |
| } | |
| attach-to 200 | |
| description "Steam Downloads" | |
| target 250 | |
| } | |
| match 254 { | |
| application { | |
| category Games | |
| } | |
| attach-to 200 | |
| description "Blizzard Downloads" | |
| ip { | |
| source { | |
| port "1119, 1120, 3724, 4000, 6112, 6113, 6114" | |
| } | |
| } | |
| target 250 | |
| } | |
| match 255 { | |
| attach-to 200 | |
| description SSH | |
| ip { | |
| source { | |
| port 2255 | |
| } | |
| } | |
| target 250 | |
| } | |
| match 260 { | |
| application { | |
| category Streaming-Media | |
| } | |
| attach-to 200 | |
| description Streaming | |
| target 260 | |
| } | |
| match 299 { | |
| attach-to 200 | |
| description Default | |
| target 299 | |
| } | |
| } | |
| leaf { | |
| queue 199 { | |
| bandwidth 7mbit | |
| description default | |
| parent 100 | |
| queue-type FQCODEL_UP | |
| } | |
| queue 210 { | |
| bandwidth 128kbit | |
| description "ICMP and DNS" | |
| parent 200 | |
| priority 0 | |
| queue-type FQCODEL_DOWN | |
| } | |
| queue 220 { | |
| bandwidth 2mbit | |
| ceiling 10mbit | |
| description "Ooma RTP+SIP" | |
| parent 200 | |
| priority 1 | |
| queue-type FQCODEL_DOWN | |
| } | |
| queue 230 { | |
| bandwidth 2mbit | |
| ceiling 10mbit | |
| description Gaming | |
| parent 200 | |
| priority 2 | |
| queue-type FQCODEL_DOWN | |
| } | |
| queue 240 { | |
| bandwidth 10mbit | |
| burst { | |
| burst-rate 100mbit | |
| burst-size 1mb | |
| } | |
| ceiling 94mbit | |
| description HTTP/HTTPS | |
| parent 200 | |
| priority 3 | |
| queue-type FQCODEL_DOWN | |
| } | |
| queue 250 { | |
| bandwidth 1mbit | |
| burst { | |
| burst-rate 100mbit | |
| burst-size 1mb | |
| } | |
| ceiling 94mbit | |
| description "File Transfers" | |
| parent 200 | |
| priority 7 | |
| queue-type FQCODEL_DOWN | |
| } | |
| queue 260 { | |
| bandwidth 10mbit | |
| burst { | |
| burst-rate 100mbit | |
| burst-size 1mb | |
| } | |
| ceiling 94mbit | |
| description Streaming | |
| parent 200 | |
| priority 5 | |
| queue-type FQCODEL_DOWN | |
| } | |
| queue 299 { | |
| bandwidth 10mbit | |
| burst { | |
| burst-rate 100mbit | |
| burst-size 1mb | |
| } | |
| ceiling 94mbit | |
| description default | |
| parent 200 | |
| priority 6 | |
| queue-type FQCODEL_DOWN | |
| } | |
| } | |
| queue-type { | |
| fq-codel FQCODEL_DOWN { | |
| ecn enable | |
| flows 1024 | |
| interval 100ms | |
| limit 10240 | |
| quantum 8000 | |
| target 5ms | |
| } | |
| fq-codel FQCODEL_UP { | |
| ecn enable | |
| flows 1024 | |
| interval 100ms | |
| limit 10240 | |
| quantum 300 | |
| target 5ms | |
| } | |
| } | |
| root { | |
| queue 1 { | |
| attach-to global | |
| bandwidth 60mbit | |
| } | |
| } | |
| } | |
| smart-queue QoS_Up { | |
| upload { | |
| ecn disable | |
| flows 1024 | |
| fq-quantum 1514 | |
| htb-quantum 800 | |
| limit 1514 | |
| rate 6.5mbit | |
| } | |
| wan-interface eth0 | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment