-
-
Save loesak/9468501edb8b76f159ec592fa740fb24 to your computer and use it in GitHub Desktop.
Example configuration for Ubiquiti EdgeRouter Lite 3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # EdgeRouter Lite 3 configuration example based on the walkthroughs starting | |
| # with | |
| # http://www.forshee.me/2016/03/01/ubiquiti-edgerouter-lite-setup-part-1-the-basics.html. | |
| # | |
| # Demonstrates a network setup utilizing VLANs, a zone-based firewall, and | |
| # an OpenVPN server. The network has VLANs to segregate home and home-office | |
| # network traffic, plus a management VLAN for "smart" networking equipment. | |
| # The office VLAN has administrative access to web and SSH interfaces on the | |
| # router and the management VLAN whereas the home network does not. | |
| # | |
| # This configuration is for DEMONSTRATION PURPOSES ONLY. It is untested so | |
| # there is absolutely no gaurantee that it is complete, secure, or even | |
| # functional. | |
| firewall { | |
| all-ping enable | |
| broadcast-ping disable | |
| ipv6-name allow-all-6 { | |
| default-action accept | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name allow-est-drop-inv-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| } | |
| ipv6-name homelan-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| # why is this not DHCPv6? | |
| rule 700 { | |
| action accept | |
| description "Allow DHCP" | |
| destination { | |
| port 67,68 | |
| } | |
| protocol udp | |
| } | |
| # why is there no HTTP/HTTPS? | |
| } | |
| ipv6-name local-WAN-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| rule 400 { | |
| action accept | |
| description "Allow NTP" | |
| destination { | |
| port 123 | |
| } | |
| protocol udp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| description "Allow DHCPv6" | |
| destination { | |
| port 547 | |
| } | |
| protocol udp | |
| source { | |
| port 546 | |
| } | |
| } | |
| } | |
| #can you explain the mgmt vlan? what type of devices are running on it? is this the managed switch? | |
| ipv6-name mgmt-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| # why is this not DHCPv6? | |
| rule 700 { | |
| action accept | |
| description "Allow DHCP" | |
| destination { | |
| port 67,68 | |
| } | |
| protocol udp | |
| } | |
| # why is there no http/https? | |
| } | |
| ipv6-name officelan-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| # why is https port 9443 and not 443? | |
| rule 200 { | |
| action accept | |
| description "Allow HTTP/HTTPS" | |
| destination { | |
| port 80,9443 | |
| } | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| # is this only here to allow SSH connections to outside your network (not SSH between VLANS)? | |
| rule 800 { | |
| action accept | |
| description "Allow SSH" | |
| destination { | |
| port 22 | |
| } | |
| protocol tcp | |
| } | |
| # why is there no DHCPv6 here? | |
| } | |
| ipv6-name officelan-mgmt-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| rule 200 { | |
| action accept | |
| description "Allow HTTP/HTTPS" | |
| destination { | |
| port 80,443 | |
| } | |
| protocol tcp | |
| } | |
| rule 800 { | |
| action accept | |
| description "Allow SSH" | |
| destination { | |
| port 22 | |
| } | |
| protocol tcp | |
| } | |
| } | |
| ipv6-name WAN-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| # why are incoming icmp requests allowed? | |
| rule 100 { | |
| action accept | |
| protocol ipv6-icmp | |
| } | |
| # why are incoming dchp requests allowed? | |
| rule 700 { | |
| action accept | |
| description "Allow DHCPv6" | |
| destination { | |
| port 546 | |
| } | |
| protocol udp | |
| source { | |
| port 547 | |
| } | |
| } | |
| } | |
| ipv6-receive-redirects disable | |
| ipv6-src-route disable | |
| ip-src-route disable | |
| log-martians enable | |
| name allow-all { | |
| default-action accept | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name allow-est-drop-inv { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| # why no icmp like in the ipv6 version? | |
| } | |
| name homelan-local { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol icmp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| description "Allow DHCP" | |
| destination { | |
| port 67,68 | |
| } | |
| protocol udp | |
| } | |
| # why no http/https? | |
| } | |
| name local-WAN { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol icmp | |
| } | |
| rule 400 { | |
| action accept | |
| description "Allow NTP" | |
| destination { | |
| port 123 | |
| } | |
| protocol udp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| description "Allow DHCP" | |
| destination { | |
| port 67,68 | |
| } | |
| protocol udp | |
| } | |
| } | |
| name mgmt-local { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol icmp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| description "Allow DHCP" | |
| destination { | |
| port 67,68 | |
| } | |
| protocol udp | |
| } | |
| # why no http/https? | |
| } | |
| name officelan-local { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol icmp | |
| } | |
| # why port 9443 vs 443 | |
| rule 200 { | |
| action accept | |
| description "Allow HTTP/HTTPS" | |
| destination { | |
| port 80,9443 | |
| } | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| description "Allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| description "Allow DHCP" | |
| destination { | |
| port 67,68 | |
| } | |
| protocol udp | |
| } | |
| rule 800 { | |
| action accept | |
| description "Allow SSH" | |
| destination { | |
| port 22 | |
| } | |
| protocol tcp | |
| } | |
| } | |
| name officelan-mgmt { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 100 { | |
| action accept | |
| protocol icmp | |
| } | |
| rule 200 { | |
| action accept | |
| description "Allow HTTP/HTTPS" | |
| destination { | |
| port 80,443 | |
| } | |
| protocol tcp | |
| } | |
| rule 800 { | |
| action accept | |
| description "Allow SSH" | |
| destination { | |
| port 22 | |
| } | |
| protocol tcp | |
| } | |
| } | |
| name WAN-local { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| # this does not have same rules for dhcp and icmp as does ipv6 version | |
| rule 50 { | |
| action accept | |
| description "Allow OpenVPN connections" | |
| destination { | |
| port 443 | |
| } | |
| protocol tcp | |
| } | |
| } | |
| receive-redirects disable | |
| send-redirects enable | |
| source-validation disable | |
| syn-cookies enable | |
| } | |
| interfaces { | |
| ethernet eth0 { | |
| address dhcp | |
| description Internet | |
| # can you educate me on whats going on here? | |
| dhcpv6-pd { | |
| pd 1 { | |
| interface eth2.1 { | |
| host-address ::1 | |
| prefix-id 1 | |
| service slaac | |
| } | |
| interface eth2.2 { | |
| host-address ::1 | |
| prefix-id 2 | |
| service slaac | |
| } | |
| interface eth2.3 { | |
| host-address ::1 | |
| prefix-id 3 | |
| service slaac | |
| } | |
| prefix-length /56 | |
| } | |
| rapid-commit enable | |
| } | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth1 { | |
| disable | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth2 { | |
| description LANs | |
| duplex auto | |
| speed auto | |
| vif 1 { | |
| address 192.168.101.1/24 | |
| description "Management VLAN" | |
| ipv6 { | |
| address { | |
| autoconf | |
| } | |
| dup-addr-detect-transmits 1 | |
| } | |
| } | |
| vif 2 { | |
| address 192.168.102.1/24 | |
| description "Home VLAN" | |
| ipv6 { | |
| address { | |
| autoconf | |
| } | |
| dup-addr-detect-transmits 1 | |
| } | |
| } | |
| vif 3 { | |
| address 192.168.103.1/24 | |
| description "Office VLAN" | |
| ipv6 { | |
| address { | |
| autoconf | |
| } | |
| dup-addr-detect-transmits 1 | |
| } | |
| } | |
| } | |
| loopback lo { | |
| } | |
| openvpn vtun0 { | |
| description OpenVPN | |
| local-port 443 | |
| mode server | |
| openvpn-option "--tls-auth /config/auth/openvpn/ta.key 0" | |
| protocol tcp-passive | |
| server { | |
| push-route 192.168.103.0/24 | |
| subnet 192.168.200.0/24 | |
| topology subnet | |
| } | |
| tls { | |
| ca-cert-file /config/auth/openvpn/cacert.pem | |
| cert-file /config/auth/openvpn/host.pem | |
| dh-file /config/auth/openvpn/dhp.pem | |
| key-file /config/auth/openvpn/host.key | |
| } | |
| } | |
| } | |
| service { | |
| dhcp-server { | |
| disabled false | |
| hostfile-update enable | |
| shared-network-name home-vlan { | |
| authoritative enable | |
| subnet 192.168.102.0/24 { | |
| default-router 192.168.102.1 | |
| dns-server 192.168.102.1 | |
| lease 86400 | |
| start 192.168.102.150 { | |
| stop 192.168.102.254 | |
| } | |
| } | |
| } | |
| shared-network-name mgmt { | |
| authoritative enable | |
| subnet 192.168.101.0/24 { | |
| default-router 192.168.101.1 | |
| dns-server 192.168.101.1 | |
| lease 86400 | |
| start 192.168.101.150 { | |
| stop 192.168.101.254 | |
| } | |
| } | |
| } | |
| shared-network-name office-vlan { | |
| authoritative enable | |
| subnet 192.168.103.0/24 { | |
| default-router 192.168.103.1 | |
| dns-server 192.168.103.1 | |
| lease 86400 | |
| start 192.168.103.150 { | |
| stop 192.168.103.254 | |
| } | |
| } | |
| } | |
| use-dnsmasq disable | |
| } | |
| dns { | |
| dynamic { | |
| interface eth0 { | |
| service dyndns { | |
| host-name all.dnsomatic.com | |
| login xxxx | |
| password xxxx | |
| server updates.dnsomatic.com | |
| } | |
| } | |
| } | |
| forwarding { | |
| cache-size 150 | |
| listen-on eth2.1 | |
| listen-on eth2.2 | |
| listen-on eth2.3 | |
| system | |
| } | |
| } | |
| gui { | |
| http-port 80 | |
| https-port 9443 | |
| older-ciphers disable | |
| } | |
| nat { | |
| rule 1000 { | |
| description "Port forward for OpenVPN" | |
| destination { | |
| port 80 | |
| } | |
| inbound-interface eth0 | |
| inside-address { | |
| port 443 | |
| } | |
| protocol tcp | |
| type destination | |
| } | |
| rule 5010 { | |
| description "masquerade for WAN" | |
| outbound-interface eth0 | |
| type masquerade | |
| } | |
| } | |
| ssh { | |
| port 22 | |
| protocol-version v2 | |
| } | |
| } | |
| system { | |
| domain-name xxxx | |
| host-name xxxx | |
| login { | |
| user xxxx { | |
| authentication { | |
| encrypted-password xxxx | |
| plaintext-password "" | |
| public-keys xxxx { | |
| key xxxx | |
| type ssh-rsa | |
| } | |
| } | |
| level admin | |
| } | |
| } | |
| name-server 8.8.8.8 | |
| name-server 8.8.4.4 | |
| name-server 2001:4860:4860::8888 | |
| name-server 2001:4860:4860::8844 | |
| ntp { | |
| server 0.ubnt.pool.ntp.org { | |
| } | |
| server 1.ubnt.pool.ntp.org { | |
| } | |
| server 2.ubnt.pool.ntp.org { | |
| } | |
| server 3.ubnt.pool.ntp.org { | |
| } | |
| } | |
| offload { | |
| hwnat disable | |
| ipv4 { | |
| forwarding enable | |
| vlan enable | |
| } | |
| ipv6 { | |
| forwarding enable | |
| vlan enable | |
| } | |
| } | |
| syslog { | |
| global { | |
| facility all { | |
| level notice | |
| } | |
| facility protocols { | |
| level debug | |
| } | |
| } | |
| } | |
| time-zone America/Chicago | |
| } | |
| zone-policy { | |
| zone homelan { | |
| default-action drop | |
| from local { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from WAN { | |
| firewall { | |
| ipv6-name allow-est-drop-inv-6 | |
| name allow-est-drop-inv | |
| } | |
| } | |
| #can a zone reference a non-virtual interface? like eth1? | |
| interface eth2.2 | |
| } | |
| zone local { | |
| default-action drop | |
| from homelan { | |
| firewall { | |
| ipv6-name homelan-local-6 | |
| name homelan-local | |
| } | |
| } | |
| from mgmt { | |
| firewall { | |
| ipv6-name mgmt-local-6 | |
| name mgmt-local | |
| } | |
| } | |
| from officelan { | |
| firewall { | |
| ipv6-name officelan-local-6 | |
| name officelan-local | |
| } | |
| } | |
| from vpn { | |
| firewall { | |
| ipv6-name officelan-local-6 | |
| name officelan-local | |
| } | |
| } | |
| from WAN { | |
| firewall { | |
| ipv6-name WAN-local-6 | |
| name WAN-local | |
| } | |
| } | |
| local-zone | |
| } | |
| zone mgmt { | |
| default-action drop | |
| from local { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from officelan { | |
| firewall { | |
| ipv6-name officelan-mgmt-6 | |
| name officelan-mgmt | |
| } | |
| } | |
| from vpn { | |
| firewall { | |
| ipv6-name officelan-mgmt-6 | |
| name officelan-mgmt | |
| } | |
| } | |
| from WAN { | |
| firewall { | |
| ipv6-name allow-est-drop-inv-6 | |
| name allow-est-drop-inv | |
| } | |
| } | |
| interface eth2.1 | |
| } | |
| zone officelan { | |
| default-action drop | |
| from local { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from mgmt { | |
| firewall { | |
| ipv6-name allow-est-drop-inv-6 | |
| name allow-est-drop-inv | |
| } | |
| } | |
| from vpn { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from WAN { | |
| firewall { | |
| ipv6-name allow-est-drop-inv-6 | |
| name allow-est-drop-inv | |
| } | |
| } | |
| interface eth2.3 | |
| } | |
| zone vpn { | |
| default-action drop | |
| from local { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from mgmt { | |
| firewall { | |
| ipv6-name allow-est-drop-inv-6 | |
| name allow-est-drop-inv | |
| } | |
| } | |
| from officelan { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from WAN { | |
| firewall { | |
| ipv6-name allow-est-drop-inv-6 | |
| name allow-est-drop-inv | |
| } | |
| } | |
| interface vtun0 | |
| } | |
| zone WAN { | |
| default-action drop | |
| from homelan { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from local { | |
| firewall { | |
| ipv6-name local-WAN-6 | |
| name local-WAN | |
| } | |
| } | |
| from mgmt { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from officelan { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| from vpn { | |
| firewall { | |
| ipv6-name allow-all-6 | |
| name allow-all | |
| } | |
| } | |
| #where did this interface get created? | |
| interface eth0.2 | |
| } | |
| } | |
| /* Warning: Do not remove the following line. */ | |
| /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ | |
| /* Release version: v1.9.0.4901118.160804.1131 */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment