Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Basic configuration commands to set up an ERL for Google Fiber
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow ICMPv6'
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow ICMPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-name WANv6_OUT default-action accept
set firewall ipv6-name WANv6_OUT description 'WAN outbound traffic'
set firewall ipv6-name WANv6_OUT rule 10 action accept
set firewall ipv6-name WANv6_OUT rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_OUT rule 10 state established enable
set firewall ipv6-name WANv6_OUT rule 10 state related enable
set firewall ipv6-name WANv6_OUT rule 20 action reject
set firewall ipv6-name WANv6_OUT rule 20 description 'Reject invalid state'
set firewall ipv6-name WANv6_OUT rule 20 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name LAN_IN default-action accept
set firewall name LAN_IN description 'LAN to Internal'
set firewall name LAN_IN rule 10 action drop
set firewall name LAN_IN rule 10 description 'drop invalid state'
set firewall name LAN_IN rule 10 state invalid enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to Internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Allow ICMP'
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 protocol icmp
set firewall name WAN_IN rule 20 state established enable
set firewall name WAN_IN rule 20 state related enable
set firewall name WAN_IN rule 100 action drop
set firewall name WAN_IN rule 100 description 'Drop invalid state'
set firewall name WAN_IN rule 100 log enable
set firewall name WAN_IN rule 100 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to Router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Port Forward - Router SSH'
set firewall name WAN_LOCAL rule 20 destination address 192.168.1.1
set firewall name WAN_LOCAL rule 20 destination port 22
set firewall name WAN_LOCAL rule 20 protocol tcp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Port Forward - Router HTTPS'
set firewall name WAN_LOCAL rule 30 destination address 192.168.1.1
set firewall name WAN_LOCAL rule 30 destination port 443
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 100 action drop
set firewall name WAN_LOCAL rule 100 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 100 log enable
set firewall name WAN_LOCAL rule 100 protocol all
set firewall name WAN_LOCAL rule 100 state established disable
set firewall name WAN_LOCAL rule 100 state invalid enable
set firewall name WAN_LOCAL rule 100 state new disable
set firewall name WAN_LOCAL rule 100 state related disable
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT description 'Internal to WAN'
set firewall name WAN_OUT rule 10 action accept
set firewall name WAN_OUT rule 10 description 'Allow established/related'
set firewall name WAN_OUT rule 10 log disable
set firewall name WAN_OUT rule 10 state established enable
set firewall name WAN_OUT rule 10 state related enable
set firewall name WAN_OUT rule 20 action reject
set firewall name WAN_OUT rule 20 description 'Reject invalid state'
set firewall name WAN_OUT rule 20 state invalid enable
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1460
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 description 'Google Fiber Jack'
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 2 address dhcp
set interfaces ethernet eth0 vif 2 description 'Google Fiber WAN'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth1 prefix-id ':0'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2 prefix-id ':1'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2.102 host-address '::1'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2.102 prefix-id ':2'
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 interface eth2.102 service slaac
set interfaces ethernet eth0 vif 2 dhcpv6-pd pd 0 prefix-length /56
set interfaces ethernet eth0 vif 2 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 vif 2 egress-qos '0:3 1:3 2:3 3:3 4:3 5:3 6:3 7:3'
set interfaces ethernet eth0 vif 2 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 2 firewall in name WAN_IN
set interfaces ethernet eth0 vif 2 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 vif 2 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 2 firewall out ipv6-name WANv6_OUT
set interfaces ethernet eth0 vif 2 firewall out name WAN_OUT
set interfaces ethernet eth0 vif 2 mtu 1500
set interfaces ethernet eth1 address 192.168.99.1/24
set interfaces ethernet eth1 description 'Local Config Port'
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 firewall in name LAN_IN
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 address 192.168.1.1/24
set interfaces ethernet eth2 description LAN
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 firewall in name LAN_IN
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth2 vif 102 address 10.0.0.1/24
set interfaces ethernet eth2 vif 102 description 'Guest Network VLAN'
set interfaces ethernet eth2 vif 102 mtu 1500
set interfaces loopback lo
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth2
set port-forward rule 10 description 'Router SSH'
set port-forward rule 10 forward-to address 192.168.1.1
set port-forward rule 10 forward-to port 22
set port-forward rule 10 original-port 2323
set port-forward rule 10 protocol tcp_udp
set port-forward rule 20 description 'Router HTTPS'
set port-forward rule 20 forward-to address 192.168.1.1
set port-forward rule 20 forward-to port 443
set port-forward rule 20 original-port 8080
set port-forward rule 20 protocol tcp_udp
set port-forward wan-interface eth0.2
set service dhcp-server disabled false
set service dhcp-server hostfile-update enable
set service dhcp-server shared-network-name Config authoritative disable
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 default-router 192.168.99.1
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 dns-server 8.8.4.4
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 lease 86400
set service dhcp-server shared-network-name Config subnet 192.168.99.0/24 start 192.168.99.101 stop 192.168.99.254
set service dhcp-server shared-network-name Guest authoritative disable
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 dns-server 8.8.4.4
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 domain-name guest.example.com
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 lease 86400
set service dhcp-server shared-network-name Guest subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.199
set service dhcp-server shared-network-name LAN authoritative disable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 8.8.4.4
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name local
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.101 stop 192.168.1.254
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 500
set service dns forwarding listen-on eth2
set service dns forwarding name-server '2001:4860:4860::8888'
set service dns forwarding name-server '2001:4860:4860::8844'
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5000 description 'Masquerade for WAN'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0.2
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set service unms disable
set service upnp2 listen-on eth2
set service upnp2 nat-pmp disable
set service upnp2 secure-mode disable
set service upnp2 wan eth0.2
set system domain-name gateway.example.com
set system host-name ubnt-gateway
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system offload hwnat disable
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 vlan enable
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy password ''
set system package repository wheezy url 'http://http.us.debian.org/debian'
set system package repository wheezy username ''
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone America/Denver
set system traffic-analysis dpi enable
set system traffic-analysis export enable
comment firewall 'Google Fiber ER-Lite Config'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.