EdgeRouter Lite DN42 config example
This is the config I'm running on an Ubiquiti EdgeRouter Lite (AS76197). It features:
- dn42 DNS
- "classic" OpenVPN P2P (including the common "comp-lzo" option)
- BGP
- Some traffic-shaping rules for my very slow 3mbit DSL uplink
- 2 internal: One DN42 network (172.22.117.128/25 for me and my servers as well as a NAT 192.168.42.10/24 for my parents, so that they're save from dn42 - that network is NOT announced to dn42).
- Firewall to protect my NAS server and monitoring
firewall {
all-ping enable
broadcast-ping disable
conntrack-expect-table-size 4096
conntrack-hash-size 4096
conntrack-table-size 32768
conntrack-tcp-loose enable
ipv6-name ROUTER_V6 {
default-action drop
rule 1 {
action drop
destination {
port 22
}
protocol tcp
}
}
ipv6-name WAN_IN_V6 {
default-action drop
enable-default-log
rule 3 {
action drop
destination {
port 22
}
protocol tcp
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DN42 {
default-action drop
rule 100 {
action drop
destination {
address 172.22.117.181
}
source {
address !172.22.117.128/25
}
}
rule 101 {
action drop
destination {
address 172.22.117.182
}
source {
address !172.22.117.128/25
}
}
rule 102 {
action drop
destination {
address 172.22.117.183
}
source {
address !172.22.117.128/25
}
}
}
name ROUTER_V4 {
default-action accept
rule 2 {
action accept
protocol icmp
}
rule 10 {
action drop
destination {
port 22
}
protocol tcp
}
}
name WAN_IN_V4 {
default-action drop
enable-default-log
rule 1 {
action accept
description "allow established connections"
protocol all
state {
established enable
related enable
}
}
rule 2 {
action drop
state {
invalid enable
}
}
rule 3 {
action drop
destination {
port 22
}
protocol tcp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
duplex auto
firewall {
in {
name WAN_IN_V4
}
}
pppoe 0 {
default-route auto
firewall {
local {
ipv6-name ROUTER_V6
name ROUTER_V4
}
}
mtu 1492
name-server auto
password 12345678
traffic-policy {
}
user-id [email protected]
}
speed auto
}
ethernet eth1 {
address 172.22.117.254/25
duplex auto
speed auto
traffic-policy {
}
}
ethernet eth2 {
address 192.168.42.1/24
duplex auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
local-address 172.22.117.254 {
subnet-mask 255.255.255.128
}
local-port 33121
mode site-to-site
openvpn-option --comp-lzo
protocol udp
remote-address 172.22.117.1
remote-host 5.9.33.163
remote-port 33121
shared-secret-key-file /config/auth/felihome.key
}
}
policy {
prefix-list vpn-in {
rule 10 {
action permit
ge 22
le 28
prefix 172.22.0.0/15
}
}
}
protocols {
bgp 76197 {
neighbor 172.22.117.1 {
description feli-server
peer-group dn42
remote-as 64717
}
network 172.22.117.128/25 {
}
peer-group dn42 {
soft-reconfiguration {
inbound
}
}
}
}
service {
dhcp-server {
disabled false
dynamic-dns-update {
enable true
}
shared-network-name int {
authoritative disable
subnet 172.22.117.128/25 {
default-router 172.22.117.254
dns-server 172.22.117.254
domain-name feli-home.felicitus.org
lease 86400
start 172.22.117.129 {
stop 172.22.117.150
}
static-mapping monitoring {
ip-address 172.22.117.183
mac-address 52:54:00:20:df:46
}
static-mapping nas {
ip-address 172.22.117.181
mac-address e8:39:35:ee:22:7b
}
}
}
shared-network-name nat {
authoritative disable
subnet 192.168.42.0/24 {
default-router 192.168.42.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.42.10 {
stop 192.168.42.100
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
name-server 8.8.8.8
name-server 8.8.4.4
options server=/dn42/172.22.0.53
options server=/22.172.in-addr.arpa/172.22.0.53
options server=/23.172.in-addr.arpa/172.22.0.53
options rebind-domain-ok=/dn42/
}
}
nat {
rule 6000 {
outbound-interface pppoe0
type masquerade
}
rule 7000 {
outbound-interface eth2
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
upnp {
listen-on eth1 {
outbound-interface pppoe0
}
listen-on eth2 {
outbound-interface pppoe0
}
}
}
system {
host-name ubnt
login {
user felicitus {
authentication {
encrypted-password errnope
plaintext-password ""
public-keys [email protected] {
key AAAAB3NzaC1yc2EAAAADAQABAAABAQDPTSLjSY/Be1XJ/klAwLiM1pKSvmbdcOgtgDB6nPcHkgX6JZu7g/Kejfuk4qIKL8GYYUQt7DlGY6n2u5rChWE/6KZJzXcUwS3pXk4LZ5KydWp7ihfvyRtUOBgKkRa1zQv+6KCH9WyR++ArwVTP8KSkrmDe6k7NWAjZqOuIJHG/AbEyTBapTJYjObZ0AM7wlwcB+oRM1BfZCP0Y+PIP2eGJS7Pyb32pITNKk3JuFXgAvbj5OeRrwtpZ9S+/7wIpaUVODPzrVmbC7vOXu/2KJ9aY2BmxUsxRbrvWMmWNiuE0YPt/7lUroK4pH3md3lWRcGUS/uYvhug7yG1yB81nyI15
type ssh-rsa
}
}
level admin
}
}
name-server 172.22.117.254
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
traffic-policy {
shaper client-up-s {
bandwidth 30kbit
class 20 {
bandwidth 100%
burst 6k
match TCPACK {
ip {
protocol tcp
}
mark 225
}
priority 5
queue-limit 65
queue-type fair-queue
}
class 30 {
bandwidth 5%
burst 15k
ceiling 20%
match ssh {
ip {
destination {
port 22
}
dscp lowdelay
protocol tcp
}
}
match ssh-ipv6 {
ipv6 {
destination {
port 22
}
protocol tcp
}
}
priority 6
queue-limit 10
queue-type fair-queue
}
default {
bandwidth 95%
burst 15k
ceiling 100%
priority 2
queue-limit 13
queue-type fair-queue
}
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.3.0.4605130.131011.1754 */