@dabrovnijk
Last active July 20, 2023 12:53
Edgerouter lite, Gavlenet, complete IPv6 settings with VPN
# Version: v1.10.8
# Build ID: 5142440
# Build on: 11/20/18 16:45
# Copyright: 2012-2018 Ubiquiti Networks, Inc.
# HW model: EdgeRouter Lite 3-Port
#
# Gavlenet Edgerouter lite
#
# Complete settings with Firewall and VPN
#
# Read it and change settings as appropriate
#
# Cut and paste each section, a section ends with 'commit; save'
#
#################
# Firewall part #
#################
configure
# ---------------------------------------------------------------------------
# Firewall section.
#
# Two IPv4 rule sets (WAN_IN / WAN_LOCAL) and two IPv6 rule sets
# (WANv6_IN / WANv6_LOCAL). They are bound to eth0 in the interface
# section further down: the *_IN sets filter traffic forwarded from the
# WAN into the LANs, the *_LOCAL sets filter traffic addressed to the
# router itself. Every set has default-action drop, so only what a rule
# below explicitly accepts gets through.
# ---------------------------------------------------------------------------
# The router answers unicast echo requests but ignores broadcast pings.
set firewall all-ping enable
set firewall broadcast-ping disable
# IPv6, WAN -> LAN (forwarded traffic). Packets hitting the default drop
# are logged (enable-default-log); rule 30 is explicitly not logged.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
# Stateful: only replies to sessions a LAN host opened come back in.
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
# Rule 30 accepts every ICMPv6 type, unfiltered. Some ICMPv6 is required
# for IPv6 to work at all (neighbour discovery, packet-too-big for path
# MTU discovery), so do not simply drop it; if a tighter policy is wanted,
# restrict by ICMPv6 type instead.
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_IN rule 30 log disable
# NOTE(review): this rule spells the protocol 'icmpv6' while WANv6_LOCAL
# rule 30 below uses 'ipv6-icmp'. Both are expected to mean IP protocol
# 58 - confirm on this firmware and use one spelling for consistency.
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6
# IPv6, WAN -> router itself.
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
# Same unrestricted-ICMPv6 remark as for WANv6_IN rule 30 applies here.
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
# DHCPv6 replies from the ISP's server (source port 547) to the client on
# the router (destination port 546). Needed for the dhcpv6-pd prefix
# request on eth0 configured in the interface section.
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
# Global hardening: ignore ICMPv6 redirects, refuse source-routed packets
# in both address families, and log packets with impossible ("martian")
# source addresses.
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
# IPv4, WAN -> LAN (forwarded). Stateful only - there are no inbound port
# forwards in this configuration.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
# IPv4, WAN -> router itself. Unlike the IPv6 sets this one does not log
# packets hitting the default drop.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
# Rules 40-70 open exactly what the L2TP/IPsec remote-access VPN in the
# VPN section needs: IKE (500/udp), ESP, NAT-Traversal (4500/udp) and
# L2TP (1701/udp). Rule 70 only matches L2TP that arrived inside IPsec
# ('ipsec match-ipsec'), so plain unencrypted L2TP from the WAN still
# falls through to the default drop. These rules exist only in the IPv4
# set; WANv6_LOCAL has no equivalent, so the VPN is reachable over IPv4
# only. None of the four rules is logged.
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ike
set firewall name WAN_LOCAL rule 40 destination port 500
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description esp
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol esp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description nat-t
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description l2tp
set firewall name WAN_LOCAL rule 70 destination port 1701
set firewall name WAN_LOCAL rule 70 ipsec match-ipsec
set firewall name WAN_LOCAL rule 70 log disable
set firewall name WAN_LOCAL rule 70 protocol udp
# Global IPv4 settings. receive-redirects off: nothing on the WAN may
# rewrite the router's routes. send-redirects stays on (the router itself
# may emit ICMP redirects towards its LANs). source-validation disable
# turns reverse-path filtering OFF; 'loose' or 'strict' would discard
# packets arriving on an interface that is not the route back to their
# source - NOTE(review): confirm there is no asymmetric routing here, then
# consider tightening. syn-cookies protects the router's own TCP services
# (SSH, GUI) against SYN floods.
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
commit; save
##################
# Interface part #
##################
# eth0 = WAN. IPv4 is obtained from the ISP by DHCP; IPv6 is obtained by
# DHCPv6 prefix delegation (dhcpv6-pd) below.
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
# Prefix delegation 'pd 0': request a /56 from the ISP (prefix-length
# below) and hand one sub-prefix per LAN out of it - prefix-id ':1' to
# eth1 and ':2' to eth2 - with the router taking address ::1 in each.
# 'no-dns' keeps the ISP-learned resolver out of the advertisements on
# that LAN; presumably so the dnsmasq option6 entries in the DNS section
# are the only resolver clients see - confirm. 'service slaac' is deleted
# because router advertisements are sent by dnsmasq (enable-ra in the DNS
# section), not by the PD service. NOTE(review): on a fresh box the slaac
# node may not exist yet; the delete is expected to be a harmless no-op in
# that case - confirm it does not abort the paste.
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 no-dns
delete interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 no-dns
delete interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id ':2'
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /56
# prefix-only: ask for a delegated prefix only, not for a WAN address.
# rapid-commit disable: use the full four-message DHCPv6 exchange.
set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth0 duplex auto
# Bind the rule sets from the firewall section to the WAN interface:
# 'in' = traffic forwarded through the router, 'local' = traffic to the
# router itself. Nothing is bound to eth1/eth2, so as configured here
# LAN1 <-> LAN2 traffic is forwarded without any filtering; add rule sets
# on those interfaces if the two LANs must be kept apart.
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 speed auto
# eth1 = LAN1 (192.168.1.0/24), eth2 = LAN2 (192.168.2.0/24). The router
# is .1 on both; these addresses are also the DHCP gateway and DNS server
# handed out in the DHCP section.
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description 'Local 2'
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces loopback lo
commit; save
############################
# DHCP (IPv4) and DNS part #
############################
# IPv4 DHCP: one pool per LAN, handing out the router as both default
# gateway and DNS server. 'authoritative' makes the server reject (NAK)
# requests for leases it does not know about, so clients re-address
# quickly after a change. hostfile-update disable: leases are not copied
# into the router's hosts file. Leases are 86400 s (24 h).
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name LOCAL.EXAMPLE.COM
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
# 'delete ... start' clears any previously configured range first so the
# following 'set' replaces it instead of adding a second range.
# Pool .100-.199; the VPN section uses .240-.249 of the same subnet for
# L2TP clients, which stays clear of this pool.
delete service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 domain-name LOCAL.EXAMPLE.COM
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
delete service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.199
set service dhcp-server static-arp disable
# use-dnsmasq: DHCP is served by dnsmasq itself rather than the separate
# DHCP daemon - presumably so dnsmasq can resolve DHCP client hostnames
# and pair them with the IPv6 'ra-names' option below; confirm.
set service dhcp-server use-dnsmasq enable
#
# DNS and dnsmasq dhcpv6 slaac
# dnsmasq listens only on the two LAN interfaces - it is never bound on
# eth0 (and WAN_LOCAL would drop WAN queries anyway). bind-dynamic lets
# it follow interface addresses that change at runtime, which matters
# here because the LAN IPv6 prefixes are delegated by the ISP and can
# change. enable-ra: dnsmasq, not the PD service, sends router
# advertisements on eth1/eth2.
# NOTE(review): no upstream resolver is configured in this section;
# forwarding relies on whatever name servers the box learns (presumably
# from the DHCP lease on eth0) - confirm before relying on it.
set service dns forwarding cache-size 4000
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding options bind-dynamic
set service dns forwarding options enable-ra
# Per-LAN DHCPv6/RA settings, tagged lan1v6 / lan2v6. 'constructor:eth1'
# builds the range from whatever prefix eth1 currently carries, so it
# survives a prefix change; ::100-::1ff is the stateful DHCPv6 pool,
# 'slaac' additionally advertises the prefix for autonomous addressing,
# 'ra-names' lets dnsmasq create AAAA records for hosts it knows by name,
# 259200 = 3-day lifetime. In the dns-server option '[fe80::]' is
# expected to be replaced by dnsmasq with its own link-local address on
# that interface - TODO confirm on this dnsmasq version.
set service dns forwarding options 'dhcp-range=set:lan1v6,::100,::1ff,constructor:eth1,slaac,ra-names,259200'
set service dns forwarding options 'dhcp-option=tag:lan1v6,option6:dns-server,[fe80::]'
#
# Change below one line
# (the domain-search value must match 'system domain-name' and the DHCP
# domain-name above)
set service dns forwarding options 'dhcp-option=tag:lan1v6,option6:domain-search,LOCAL.EXAMPLE.COM'
set service dns forwarding options 'dhcp-range=set:lan2v6,::100,::1ff,constructor:eth2,slaac,ra-names,259200'
set service dns forwarding options 'dhcp-option=tag:lan2v6,option6:dns-server,[fe80::]'
#
# Change below one line
set service dns forwarding options 'dhcp-option=tag:lan2v6,option6:domain-search,LOCAL.EXAMPLE.COM'
commit; save
###########################
# Other 'random' settings #
###########################
# Web GUI on the default ports. It is reachable from the LANs only,
# because WAN_LOCAL (bound to eth0 in the interface section) drops
# unsolicited traffic from the WAN.
set service gui http-port 80
set service gui https-port 443
# SECURITY: 'older-ciphers enable' re-enables legacy TLS cipher suites on
# the HTTPS GUI. The only reason to keep it is a client that cannot
# negotiate current suites; otherwise leave this line out so the GUI
# uses the firmware's default cipher list.
set service gui older-ciphers enable
# Outbound IPv4 NAT: everything leaving eth0 is masqueraded behind the
# DHCP-assigned WAN address. There is no IPv6 NAT - the LANs use global
# addresses from the delegated prefix and are protected by WANv6_IN.
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
# SSH on 22, protocol 2 only; shielded from the WAN by WAN_LOCAL like the
# GUI. Password logins remain enabled here. NOTE(review): if SSH is ever
# exposed through WAN_LOCAL, switch to key-only access first (the
# firmware has a 'disable-password-authentication' node under
# 'service ssh' - confirm it exists on this version).
set service ssh port 22
set service ssh protocol-version v2
# Time from the vendor's NTP pool. Correct time matters for the IPsec
# lifetimes and for usable syslog timestamps.
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
# Hardware offload: hwnat left off, IPsec and IPv4/IPv6 forwarding
# offload on. These decide which packets the forwarding engine handles
# instead of the CPU; they affect throughput, not the firewall policy.
set system offload hwnat disable
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
# Logging: everything at 'notice', the 'protocols' facility (routing-
# related logs) at 'debug'. The debug level is noisy; drop it back to
# notice once the setup is stable. Firewall default-drop logging from
# the firewall section lands here as well.
set system syslog global facility all level notice
set system syslog global facility protocols level debug
#
# Change below, 2 lines
# gateway-address is a static default gateway. NOTE(review): eth0 already
# learns its gateway by DHCP (interface section); a stale static entry
# here could shadow the DHCP-learned one after an ISP change - confirm it
# is really wanted.
set system domain-name LOCAL.EXAMPLE.COM
set system gateway-address WAN.ISP.GATEWAY.IP
set system host-name rt
# The router itself resolves through its local dnsmasq.
set system name-server 127.0.0.1
#
# This line will change your clock on the router
set system time-zone Europe/Stockholm
commit; save
### start of repository segments ###
# Adding repository, remove # before the lines for your appropriate version.
# do not use both of the following two segments
#
# Only needed if extra Debian packages are to be installed on the router.
# NOTE(review): both segments fetch over plain http://. apt still
# verifies the repository's signatures, so package contents are
# authenticated, but the mirror traffic itself is visible on the path;
# use an https:// mirror if this firmware's apt supports it.
# The repository name ('wheezy') appears to be just the label of the
# config node: in segment 2 the distribution is 'stretch' while the
# label still says wheezy - harmless, but a matching label avoids
# confusion later.
## segment 1 of 2
## uncomment and use this below for V 1.x.x
#set system package repository wheezy components 'main contrib non-free'
#set system package repository wheezy distribution wheezy
#set system package repository wheezy password ''
#set system package repository wheezy url 'http://http.us.debian.org/debian'
#set system package repository wheezy username ''
#commit; save
## segment 2 of 2
## uncomment and use this below for V 2.x.x
#set system package repository wheezy components 'main contrib non-free'
#set system package repository wheezy distribution stretch
#set system package repository wheezy password ''
#set system package repository wheezy url 'http://http.us.debian.org/debian'
#set system package repository wheezy username ''
#commit; save
### end of repository segments ###
#######
# VPN #
#######
# This will need the firewall settings above
# L2TP over IPsec remote access. The required ports are opened manually
# in WAN_LOCAL rules 40-70 (firewall section), which is why the automatic
# firewall/NAT exclusions are disabled here. IPsec terminates on eth0.
# As configured the VPN is IPv4-only: WANv6_LOCAL opens no IKE/ESP/NAT-T
# ports.
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth0
#
# Change below 'MYHOMEVPN' and 'YOURSTRONGANDREMEMBAREDSFVBLEPASSWORD'
# SECURITY: this username/password pair is stored in the configuration
# in clear text, so it is present in every config backup and in
# 'show configuration' output. Use a long random password and treat
# config exports as secrets.
set vpn l2tp remote-access authentication local-users username MYHOMEVPN password YOURSTRONGANDREMEMBAREDSFVBLEPASSWORD
# Only the locally defined users above can authenticate (no RADIUS).
set vpn l2tp remote-access authentication mode local
# VPN clients get 192.168.1.240-.249: inside LAN1 but above the DHCP pool
# (.100-.199 in the DHCP section), so the two never collide. Ten
# addresses = at most ten simultaneous clients.
set vpn l2tp remote-access client-ip-pool start 192.168.1.240
set vpn l2tp remote-access client-ip-pool stop 192.168.1.249
# The VPN endpoint is whatever address eth0 obtains by DHCP.
set vpn l2tp remote-access dhcp-interface eth0
# DNS pushed to clients: the router first, Google DNS (8.8.8.8) as a
# fallback. Queries that end up at 8.8.8.8 bypass the local zone, so
# LOCAL.EXAMPLE.COM names will not resolve through it.
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
# Idle sessions are torn down after 1800 s (30 min).
set vpn l2tp remote-access idle 1800
# IPsec phase-1 authentication uses one pre-shared secret for every
# client.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
#
# Change below 'PRESHAREDKEY'
# SECURITY: a single PSK shared by all clients - rotate it whenever a
# client device is lost or a user leaves. Certificate-based
# authentication ('authentication mode x509') avoids the shared secret
# entirely - confirm it is available on this firmware before switching.
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret PRESHAREDKEY
# IKE SA and IPsec SA lifetimes, both one hour.
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access ipsec-settings lifetime 3600
commit; save