Edgerouter lite, Gavlenet, complete IPv6 settings with VPN
# Version: v1.10.8
# Build ID: 5142440
# Build on: 11/20/18 16:45
# Copyright: 2012-2018 Ubiquiti Networks, Inc.
# HW model: EdgeRouter Lite 3-Port
#
# Gavlenet Edgerouter lite
#
# Complete settings with Firewall and VPN
#
# Read it through and change the settings as appropriate for your network
#
# Cut and paste one section at a time; each section ends with 'commit; save'
#
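#################
# Firewall part #
#################
# Stateful default-deny firewall for the WAN side, IPv4 and IPv6.
#   *_IN    = traffic the router forwards from WAN to the LANs
#   *_LOCAL = traffic addressed to the router itself
# The sets are attached to eth0 in the Interface part below; until that is
# committed they are defined but not active.
configure
# --- Global hardening options ----------------------------------------------
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
# Reverse-path check is off. 'strict' is the safer choice on a single-WAN
# router but can break asymmetric routing -- NOTE(review): confirm before changing.
set firewall source-validation disable
set firewall syn-cookies enable
# --- IPv6: WAN -> LAN ------------------------------------------------------
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
# ICMPv6 has to pass for IPv6 to work at all (neighbour discovery, path MTU).
# Protocol name normalised to 'ipv6-icmp', the form the LOCAL set already uses.
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_IN rule 30 log disable
set firewall ipv6-name WANv6_IN rule 30 protocol ipv6-icmp
# --- IPv6: WAN -> router ---------------------------------------------------
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
# Rule 40: DHCPv6 replies from the ISP (server port 547 -> client port 546).
# Needed by the dhcpv6-pd client configured on eth0 in the Interface part.
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
# --- IPv4: WAN -> LAN ------------------------------------------------------
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
# Log default drops, as the IPv6 sets already do; remove if the log gets too noisy.
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
# --- IPv4: WAN -> router ---------------------------------------------------
# Rules 40-70 admit only what the L2TP/IPsec remote-access VPN (VPN part) needs.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
# IKE key exchange
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ike
set firewall name WAN_LOCAL rule 40 destination port 500
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol udp
# ESP payload
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description esp
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol esp
# NAT traversal (IKE/ESP encapsulated in UDP)
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description nat-t
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
# L2TP is accepted only inside the IPsec tunnel (match-ipsec); plain udp/1701
# from the internet stays closed.
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description l2tp
set firewall name WAN_LOCAL rule 70 destination port 1701
set firewall name WAN_LOCAL rule 70 ipsec match-ipsec
set firewall name WAN_LOCAL rule 70 log disable
set firewall name WAN_LOCAL rule 70 protocol udp
commit; save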
##################
# Interface part #
##################
# eth0 = WAN (DHCP for IPv4, DHCPv6 prefix delegation for IPv6)
# eth1 = LAN1 192.168.1.0/24, eth2 = LAN2 192.168.2.0/24
#
# WAN link and the firewall sets from the Firewall part
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
#
# DHCPv6-PD: request a /56 from the ISP and hand one /64 to each LAN.
# The router takes ::1 in each delegated prefix. The per-LAN 'service slaac'
# node is removed because router advertisements are produced by dnsmasq
# (enable-ra in the DNS part) instead.
set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /56
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 no-dns
delete interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 no-dns
delete interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id ':2'
#
# LAN1
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
#
# LAN2
set interfaces ethernet eth2 description 'Local 2'
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
#
set interfaces loopback lo
commit; save
############################
# DHCP (IPv4) and DNS part #
############################
# IPv4 addresses come from the EdgeOS DHCP server (one pool per LAN).
# IPv6 addresses come from dnsmasq: it sends the router advertisements and
# runs SLAAC inside the prefix delegated to each LAN in the Interface part.
# 'LOCAL.EXAMPLE.COM' is a placeholder; it appears five times in this
# section (two DHCPv4 domain-name lines, two domain-search options) and once
# more in the system settings. Change all of them.
#
# dnsmasq: forwarder for both LANs, RA/SLAAC for IPv6
set service dhcp-server use-dnsmasq enable
set service dns forwarding cache-size 4000
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding options bind-dynamic
set service dns forwarding options enable-ra
#
# DHCP server global settings
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server static-arp disable
#
# LAN1: DHCPv4 pool .100-.199, then the IPv6 RA/SLAAC options for eth1
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.1
# Change the domain-name placeholder
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name LOCAL.EXAMPLE.COM
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
delete service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dns forwarding options 'dhcp-range=set:lan1v6,::100,::1ff,constructor:eth1,slaac,ra-names,259200'
set service dns forwarding options 'dhcp-option=tag:lan1v6,option6:dns-server,[fe80::]'
# Change the domain-search placeholder
set service dns forwarding options 'dhcp-option=tag:lan1v6,option6:domain-search,LOCAL.EXAMPLE.COM'
#
# LAN2: same layout on eth2
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
# Change the domain-name placeholder
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 domain-name LOCAL.EXAMPLE.COM
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
delete service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.199
set service dns forwarding options 'dhcp-range=set:lan2v6,::100,::1ff,constructor:eth2,slaac,ra-names,259200'
set service dns forwarding options 'dhcp-option=tag:lan2v6,option6:dns-server,[fe80::]'
# Change the domain-search placeholder
set service dns forwarding options 'dhcp-option=tag:lan2v6,option6:domain-search,LOCAL.EXAMPLE.COM'
commit; save
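###########################
# Other 'random' settings #
###########################
# Management services, NAT, NTP, hardware offload, logging and system identity.
#
# --- Web GUI ---------------------------------------------------------------
# Reachable from the LAN side only: WAN_LOCAL / WANv6_LOCAL (Firewall part)
# drop unsolicited WAN traffic to the router and open no rule for 80/443.
set service gui http-port 80
set service gui https-port 443
# Legacy TLS ciphers stay off. The original enabled them for very old
# browsers; enabling weakens the HTTPS management session for every client.
set service gui older-ciphers disable
#
# --- NAT: masquerade LAN traffic behind the WAN address ---------------------
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
#
# --- SSH (LAN-only for the same reason as the GUI) --------------------------
set service ssh port 22
set service ssh protocol-version v2
#
# --- NTP --------------------------------------------------------------------
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
#
# --- Hardware offload -------------------------------------------------------
set system offload hwnat disable
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
#
# --- Logging ----------------------------------------------------------------
set system syslog global facility all level notice
set system syslog global facility protocols level debug
#
# --- System identity: change the next 2 lines -------------------------------
set system domain-name LOCAL.EXAMPLE.COM
# eth0 gets its address by DHCP (Interface part), which normally supplies the
# default route as well -- NOTE(review): confirm this static gateway is needed.
set system gateway-address WAN.ISP.GATEWAY.IP
set system host-name rt
# The router's own lookups go to localhost -- NOTE(review): assumes the dns
# forwarder from the DNS part also answers on lo; confirm.
set system name-server 127.0.0.1
#
# This line will change your clock on the router
set system time-zone Europe/Stockholm
commit; save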
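### start of repository segments ###
# Adds a Debian package repository so extra software can be installed.
# Remove the leading # from the lines of the ONE segment that matches your
# firmware version; do not use both segments.
# NOTE(review): apt verifies package signatures, so a plain-http mirror is
# integrity-protected but not private. Both Debian releases named below are
# archived upstream; check that the mirror still carries the distribution
# (archive.debian.org otherwise) before enabling a segment.
## segment 1 of 2
## uncomment and use this below for V 1.x.x (distribution wheezy)
#set system package repository wheezy components 'main contrib non-free'
#set system package repository wheezy distribution wheezy
#set system package repository wheezy password ''
#set system package repository wheezy url 'http://http.us.debian.org/debian'
#set system package repository wheezy username ''
#commit; save
## segment 2 of 2
## uncomment and use this below for V 2.x.x (distribution stretch)
## The repository name is only a local label; the original reused 'wheezy'
## here, which did not match the stretch distribution it points at.
#set system package repository stretch components 'main contrib non-free'
#set system package repository stretch distribution stretch
#set system package repository stretch password ''
#set system package repository stretch url 'http://http.us.debian.org/debian'
#set system package repository stretch username ''
#commit; save
### end of repository segments ###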
#######
# VPN #
#######
# L2TP/IPsec remote-access VPN: IPsec with a pre-shared key, users from a
# local account list. Requires WAN_LOCAL rules 40-70 (ike, esp, nat-t, l2tp)
# from the Firewall part.
#
# IPsec runs on the WAN interface
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude disable
#
# IPsec authentication and lifetimes. Change 'PRESHAREDKEY'.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret PRESHAREDKEY
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access ipsec-settings lifetime 3600
#
# User authentication. Change 'MYHOMEVPN' and 'YOURSTRONGANDREMEMBAREDSFVBLEPASSWORD'.
# The password is typed in clear here -- NOTE(review): expect it to be saved
# the same way in the configuration; keep configuration backups protected.
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username MYHOMEVPN password YOURSTRONGANDREMEMBAREDSFVBLEPASSWORD
#
# Client addressing: the pool sits inside LAN1 but outside its DHCP range
# (.100-.199 in the DHCP part). The server listens on eth0's DHCP address.
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access client-ip-pool start 192.168.1.240
set vpn l2tp remote-access client-ip-pool stop 192.168.1.249
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
set vpn l2tp remote-access idle 1800
commit; save