Basic configuration commands to set up an ERL for Google Fiber
set firewall all-ping enable | |
set firewall broadcast-ping disable | |
set firewall ipv6-name WANv6_IN default-action drop | |
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN' | |
set firewall ipv6-name WANv6_IN rule 10 action accept | |
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related' | |
set firewall ipv6-name WANv6_IN rule 10 state established enable | |
set firewall ipv6-name WANv6_IN rule 10 state related enable | |
set firewall ipv6-name WANv6_IN rule 20 action drop | |
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state' | |
set firewall ipv6-name WANv6_IN rule 20 state invalid enable | |
set firewall ipv6-name WANv6_IN rule 30 action accept | |
set firewall ipv6-name WANv6_IN rule 30 description 'Allow ICMPv6' | |
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6 | |
set firewall ipv6-name WANv6_LOCAL default-action drop | |
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router' | |
set firewall ipv6-name WANv6_LOCAL rule 10 action accept | |
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related' | |
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable | |
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable | |
set firewall ipv6-name WANv6_LOCAL rule 20 action drop | |
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state' | |
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable | |
set firewall ipv6-name WANv6_LOCAL rule 30 action accept | |
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow ICMPv6' | |
set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6 | |
set firewall ipv6-name WANv6_LOCAL rule 40 action accept | |
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DHCPv6' | |
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546 | |
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp | |
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547 | |
set firewall ipv6-name WANv6_OUT default-action accept | |
set firewall ipv6-name WANv6_OUT description 'WAN outbound traffic' | |
set firewall ipv6-name WANv6_OUT rule 10 action accept | |
set firewall ipv6-name WANv6_OUT rule 10 description 'Allow established/related' | |
set firewall ipv6-name WANv6_OUT rule 10 state established enable | |
set firewall ipv6-name WANv6_OUT rule 10 state related enable | |
set firewall ipv6-name WANv6_OUT rule 20 action reject | |
set firewall ipv6-name WANv6_OUT rule 20 description 'Reject invalid state' | |
set firewall ipv6-name WANv6_OUT rule 20 state invalid enable | |
set firewall ipv6-receive-redirects disable | |
set firewall ipv6-src-route disable | |
set firewall ip-src-route disable | |
set firewall log-martians enable | |
set firewall name LAN_IN default-action accept | |
set firewall name LAN_IN description 'LAN to Internal' | |
set firewall name LAN_IN rule 10 action drop | |
set firewall name LAN_IN rule 10 description 'drop invalid state' | |
set firewall name LAN_IN rule 10 state invalid enable | |
set firewall name WAN_IN default-action drop | |
set firewall name WAN_IN description 'WAN to Internal' | |
set firewall name WAN_IN rule 10 action accept | |
set firewall name WAN_IN rule 10 description 'Allow established/related' | |
set firewall name WAN_IN rule 10 log disable | |
set firewall name WAN_IN rule 10 state established enable | |
set firewall name WAN_IN rule 10 state invalid disable | |
set firewall name WAN_IN rule 10 state new disable | |
set firewall name WAN_IN rule 10 state related enable | |
set firewall name WAN_IN rule 20 action accept | |
set firewall name WAN_IN rule 20 description 'Allow ICMP' | |
set firewall name WAN_IN rule 20 log disable | |
set firewall name WAN_IN rule 20 protocol icmp | |
set firewall name WAN_IN rule 20 state established enable | |
set firewall name WAN_IN rule 20 state related enable | |
set firewall name WAN_IN rule 100 action drop | |
set firewall name WAN_IN rule 100 description 'Drop invalid state' | |
set firewall name WAN_IN rule 100 log enable | |
set firewall name WAN_IN rule 100 state invalid enable | |
set firewall name WAN_LOCAL default-action drop | |
set firewall name WAN_LOCAL description 'WAN to Router' | |
set firewall name WAN_LOCAL rule 10 action accept | |
set firewall name WAN_LOCAL rule 10 description 'Allow established/related' | |
set firewall name WAN_LOCAL rule 10 log disable | |
set firewall name WAN_LOCAL rule 10 state established enable | |
set firewall name WAN_LOCAL rule 10 state related enable | |
set firewall name WAN_LOCAL rule 20 action accept | |
set firewall name WAN_LOCAL rule 20 description 'Port Forward - Router SSH' | |
set firewall name WAN_LOCAL rule 20 destination address 192.168.1.1 | |
set firewall name WAN_LOCAL rule 20 destination port 22 | |
set firewall name WAN_LOCAL rule 20 protocol tcp | |
set firewall name WAN_LOCAL rule 30 action accept | |
set firewall name WAN_LOCAL rule 30 description 'Port Forward - Router HTTPS' | |
set firewall name WAN_LOCAL rule 30 destination address 192.168.1.1 | |
set firewall name WAN_LOCAL rule 30 destination port 443 | |
set firewall name WAN_LOCAL rule 30 protocol tcp | |
set firewall name WAN_LOCAL rule 100 action drop | |
set firewall name WAN_LOCAL rule 100 description 'Drop invalid state' | |
set firewall name WAN_LOCAL rule 100 log enable | |
set firewall name WAN_LOCAL rule 100 protocol all | |
set firewall name WAN_LOCAL rule 100 state established disable | |
set firewall name WAN_LOCAL rule 100 state invalid enable | |
set firewall name WAN_LOCAL rule 100 state new disable | |
set firewall name WAN_LOCAL rule 100 state related disable | |
set firewall name WAN_OUT default-action accept | |
set firewall name WAN_OUT description 'Internal to WAN' | |
set firewall name WAN_OUT rule 10 action accept | |
set firewall name WAN_OUT rule 10 description 'Allow established/related' | |
set firewall name WAN_OUT rule 10 log disable | |
set firewall name WAN_OUT rule 10 state established enable | |
set firewall name WAN_OUT rule 10 state related enable | |
set firewall name WAN_OUT rule 20 action reject | |
set firewall name WAN_OUT rule 20 description 'Reject invalid state' | |
set firewall name WAN_OUT rule 20 state invalid enable | |
set firewall options mss-clamp interface-type all | |
set firewall options mss-clamp mss 1460 | |
set firewall receive-redirects disable | |
set firewall send-redirects enable | |
set firewall source-validation disable | |
set firewall syn-cookies enable | |
set interfaces ethernet eth0 description 'Google Fiber Jack' | |
set interfaces ethernet eth0 duplex auto | |
set interfaces ethernet eth0 speed auto | |
set interfaces ethernet eth0 vif 2 address dhcp | |
set interfaces ethernet eth0 vif 2 description 'Google Fiber WAN' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth1 host-address '::1' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth1 prefix-id ':0' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth1 service slaac | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2 host-address '::1' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2 prefix-id ':1' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2 service slaac | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2.102 host-address '::1' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2.102 prefix-id ':2' | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2.102 service slaac | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 prefix-length /56 | |
set interfaces ethernet eth0 vif 2 dhcpv6-pd rapid-commit enable | |
set interfaces ethernet eth0 vif 2 egress-qos '0:3 1:3 2:3 3:3 4:3 5:3 6:3 7:3' | |
set interfaces ethernet eth0 vif 2 firewall in ipv6-name WANv6_IN | |
set interfaces ethernet eth0 vif 2 firewall in name WAN_IN | |
set interfaces ethernet eth0 vif 2 firewall local ipv6-name WANv6_LOCAL | |
set interfaces ethernet eth0 vif 2 firewall local name WAN_LOCAL | |
set interfaces ethernet eth0 vif 2 firewall out ipv6-name WANv6_OUT | |
set interfaces ethernet eth0 vif 2 firewall out name WAN_OUT | |
set interfaces ethernet eth0 vif 2 mtu 1500 | |
set interfaces ethernet eth1 address 192.168.99.1/24 | |
set interfaces ethernet eth1 description 'Local Config Port' | |
set interfaces ethernet eth1 duplex auto | |
set interfaces ethernet eth1 firewall in name LAN_IN | |
set interfaces ethernet eth1 speed auto | |
set interfaces ethernet eth2 address 192.168.1.1/24 | |
set interfaces ethernet eth2 description LAN | |
set interfaces ethernet eth2 duplex auto | |
set interfaces ethernet eth2 firewall in name LAN_IN | |
set interfaces ethernet eth2 speed auto | |
set interfaces ethernet eth2 vif 102 address 10.0.0.1/24 | |
set interfaces ethernet eth2 vif 102 description 'Guest Network VLAN' | |
set interfaces ethernet eth2 vif 102 mtu 1500 | |
set interfaces loopback lo | |
set port-forward auto-firewall enable | |
set port-forward hairpin-nat enable | |
set port-forward lan-interface eth2 | |
set port-forward rule 10 description 'Router SSH' | |
set port-forward rule 10 forward-to address 192.168.1.1 | |
set port-forward rule 10 forward-to port 22 | |
set port-forward rule 10 original-port 2323 | |
set port-forward rule 10 protocol tcp_udp | |
set port-forward rule 20 description 'Router HTTPS' | |
set port-forward rule 20 forward-to address 192.168.1.1 | |
set port-forward rule 20 forward-to port 443 | |
set port-forward rule 20 original-port 8080 | |
set port-forward rule 20 protocol tcp_udp | |
set port-forward wan-interface eth0.2 | |
set service dhcp-server disabled false | |
set service dhcp-server hostfile-update enable | |
set service dhcp-server shared-network-name Config authoritative disable | |
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 default-router 192.168.99.1 | |
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 dns-server 8.8.8.8 | |
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 dns-server 8.8.4.4 | |
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 lease 86400 | |
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 start 192.168.99.101 stop 192.168.99.254 | |
set service dhcp-server shared-network-name Guest authoritative disable | |
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 default-router 10.0.0.1 | |
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 dns-server 8.8.8.8 | |
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 dns-server 8.8.4.4 | |
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 domain-name guest.example.com | |
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 lease 86400 | |
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.199 | |
set service dhcp-server shared-network-name LAN authoritative disable | |
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1 | |
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.8.8 | |
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.4.4 | |
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name local | |
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400 | |
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.101 stop 192.168.1.254 | |
set service dhcp-server use-dnsmasq disable | |
set service dns forwarding cache-size 500 | |
set service dns forwarding listen-on eth2 | |
set service dns forwarding name-server '2001:4860:4860::8888' | |
set service dns forwarding name-server '2001:4860:4860::8844' | |
set service dns forwarding name-server 8.8.8.8 | |
set service dns forwarding name-server 8.8.4.4 | |
set service gui http-port 80 | |
set service gui https-port 443 | |
set service gui older-ciphers enable | |
set service nat rule 5000 description 'Masquerade for WAN' | |
set service nat rule 5000 log disable | |
set service nat rule 5000 outbound-interface eth0.2 | |
set service nat rule 5000 protocol all | |
set service nat rule 5000 type masquerade | |
set service ssh port 22 | |
set service ssh protocol-version v2 | |
set service unms disable | |
set service upnp2 listen-on eth2 | |
set service upnp2 nat-pmp disable | |
set service upnp2 secure-mode disable | |
set service upnp2 wan eth0.2 | |
set system domain-name gateway.example.com | |
set system host-name ubnt-gateway | |
set system name-server '2001:4860:4860::8888' | |
set system name-server '2001:4860:4860::8844' | |
set system name-server 8.8.8.8 | |
set system name-server 8.8.4.4 | |
set system ntp server 0.ubnt.pool.ntp.org | |
set system ntp server 1.ubnt.pool.ntp.org | |
set system ntp server 2.ubnt.pool.ntp.org | |
set system offload hwnat disable | |
set system offload ipsec enable | |
set system offload ipv4 forwarding enable | |
set system offload ipv4 vlan enable | |
set system offload ipv6 forwarding enable | |
set system offload ipv6 vlan enable | |
set system package repository wheezy components 'main contrib non-free' | |
set system package repository wheezy distribution wheezy | |
set system package repository wheezy password '' | |
set system package repository wheezy url 'http://http.us.debian.org/debian' | |
set system package repository wheezy username '' | |
set system syslog global facility all level notice | |
set system syslog global facility protocols level debug | |
set system time-zone America/Denver | |
set system traffic-analysis dpi enable | |
set system traffic-analysis export enable | |
comment firewall 'Google Fiber ER-Lite Config' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment