Renamed EdgeOS Config Example to /howto/EdgeOS Config Example

-# EdgeRouter Lite DN42 config example

-This is the config I (Felicitus) am running on an Ubiquiti EdgeRouter Lite (AS76197).

-

-## Features

-

-* dn42 DNS

-* "classic" OpenVPN P2P (including the common "comp-lzo" option)

-* BGP

-* Some traffic-shaping rules for my very slow 3mbit DSL uplink

-* 2 internal: One DN42 network (172.22.117.128/25 for me and my servers as well as a NAT 192.168.42.10/24 for my parents, so that they're save from dn42 - that network is NOT announced to dn42).

-* Firewall to protect my NAS server and monitoring

-

-## Upcoming

-

-* AICCU integration (SIXXS), probably not possible with the config, so ```apt-get install aiccu``` should do the trick

-* dn42 IPv6 routing (probably)

-

-Ask me if you want to know if I have implemented those items already.

-

-

-# Configuration

-

-```

-firewall {

- all-ping enable

- broadcast-ping disable

- conntrack-expect-table-size 4096

- conntrack-hash-size 4096

- conntrack-table-size 32768

- conntrack-tcp-loose enable

- ipv6-name ROUTER_V6 {

- default-action drop

- rule 1 {

- action drop

- destination {

- port 22

- }

- protocol tcp

- }

- }

- ipv6-name WAN_IN_V6 {

- default-action drop

- enable-default-log

- rule 3 {

- action drop

- destination {

- port 22

- }

- protocol tcp

- }

- }

- ipv6-receive-redirects disable

- ipv6-src-route disable

- ip-src-route disable

- log-martians enable

- name DN42 {

- default-action drop

- rule 100 {

- action drop

- destination {

- address 172.22.117.181

- }

- source {

- address !172.22.117.128/25

- }

- }

- rule 101 {

- action drop

- destination {

- address 172.22.117.182

- }

- source {

- address !172.22.117.128/25

- }

- }

- rule 102 {

- action drop

- destination {

- address 172.22.117.183

- }

- source {

- address !172.22.117.128/25

- }

- }

- }

- name ROUTER_V4 {

- default-action accept

- rule 2 {

- action accept

- protocol icmp

- }

- rule 10 {

- action drop

- destination {

- port 22

- }

- protocol tcp

- }

- }

- name WAN_IN_V4 {

- default-action drop

- enable-default-log

- rule 1 {

- action accept

- description "allow established connections"

- protocol all

- state {

- established enable

- related enable

- }

- }

- rule 2 {

- action drop

- state {

- invalid enable

- }

- }

- rule 3 {

- action drop

- destination {

- port 22

- }

- protocol tcp

- }

- }

- receive-redirects disable

- send-redirects enable

- source-validation disable

- syn-cookies enable

-}

-interfaces {

- ethernet eth0 {

- duplex auto

- firewall {

- in {

- name WAN_IN_V4

- }

- }

- pppoe 0 {

- default-route auto

- firewall {

- local {

- ipv6-name ROUTER_V6

- name ROUTER_V4

- }

- }

- mtu 1492

- name-server auto

- password 12345678

- traffic-policy {

- }

- user-id [email protected]

- }

- speed auto

- }

- ethernet eth1 {

- address 172.22.117.254/25

- duplex auto

- speed auto

- traffic-policy {

- }

- }

- ethernet eth2 {

- address 192.168.42.1/24

- duplex auto

- speed auto

- }

- loopback lo {

- }

- openvpn vtun0 {

- local-address 172.22.117.254 {

- subnet-mask 255.255.255.128

- }

- local-port 33121

- mode site-to-site

- openvpn-option --comp-lzo

- protocol udp

- remote-address 172.22.117.1

- remote-host 5.9.33.163

- remote-port 33121

- shared-secret-key-file /config/auth/felihome.key

- }

-}

-policy {

- prefix-list vpn-in {

- rule 10 {

- action permit

- ge 22

- le 28

- prefix 172.22.0.0/15

- }

- }

-}

-protocols {

- bgp 76197 {

- neighbor 172.22.117.1 {

- description feli-server

- peer-group dn42

- remote-as 64717

- }

- network 172.22.117.128/25 {

- }

- peer-group dn42 {

- soft-reconfiguration {

- inbound

- }

- }

- }

-}

-service {

- dhcp-server {

- disabled false

- dynamic-dns-update {

- enable true

- }

- shared-network-name int {

- authoritative disable

- subnet 172.22.117.128/25 {

- default-router 172.22.117.254

- dns-server 172.22.117.254

- domain-name feli-home.felicitus.org

- lease 86400

- start 172.22.117.129 {

- stop 172.22.117.150

- }

- static-mapping monitoring {

- ip-address 172.22.117.183

- mac-address 52:54:00:20:df:46

- }

- static-mapping nas {

- ip-address 172.22.117.181

- mac-address e8:39:35:ee:22:7b

- }

- }

- }

- shared-network-name nat {

- authoritative disable

- subnet 192.168.42.0/24 {

- default-router 192.168.42.1

- dns-server 8.8.8.8

- dns-server 8.8.4.4

- lease 86400

- start 192.168.42.10 {

- stop 192.168.42.100

- }

- }

- }

- }

- dns {

- forwarding {

- cache-size 150

- listen-on eth1

- listen-on eth2

- name-server 8.8.8.8

- name-server 8.8.4.4

- options server=/dn42/172.22.0.53

- options server=/22.172.in-addr.arpa/172.22.0.53

- options server=/23.172.in-addr.arpa/172.22.0.53

- options rebind-domain-ok=/dn42/

- }

- }

- nat {

- rule 6000 {

- outbound-interface pppoe0

- type masquerade

- }

- rule 7000 {

- outbound-interface eth2

- type masquerade

- }

- }

- ssh {

- port 22

- protocol-version v2

- }

- upnp {

- listen-on eth1 {

- outbound-interface pppoe0

- }

- listen-on eth2 {

- outbound-interface pppoe0

- }

- }

-}

-system {

- host-name ubnt

- login {

- user felicitus {

- authentication {

- encrypted-password errnope

- plaintext-password ""

- public-keys [email protected] {

- key AAAAB3NzaC1yc2EAAAADAQABAAABAQDPTSLjSY/Be1XJ/klAwLiM1pKSvmbdcOgtgDB6nPcHkgX6JZu7g/Kejfuk4qIKL8GYYUQt7DlGY6n2u5rChWE/6KZJzXcUwS3pXk4LZ5KydWp7ihfvyRtUOBgKkRa1zQv+6KCH9WyR++ArwVTP8KSkrmDe6k7NWAjZqOuIJHG/AbEyTBapTJYjObZ0AM7wlwcB+oRM1BfZCP0Y+PIP2eGJS7Pyb32pITNKk3JuFXgAvbj5OeRrwtpZ9S+/7wIpaUVODPzrVmbC7vOXu/2KJ9aY2BmxUsxRbrvWMmWNiuE0YPt/7lUroK4pH3md3lWRcGUS/uYvhug7yG1yB81nyI15

- type ssh-rsa

- }

- }

- level admin

- }

- }

- name-server 172.22.117.254

- ntp {

- server 0.ubnt.pool.ntp.org {

- }

- server 1.ubnt.pool.ntp.org {

- }

- server 2.ubnt.pool.ntp.org {

- }

- server 3.ubnt.pool.ntp.org {

- }

- }

- syslog {

- global {

- facility all {

- level notice

- }

- facility protocols {

- level debug

- }

- }

- }

- time-zone UTC

-}

-traffic-policy {

- shaper client-up-s {

- bandwidth 30kbit

- class 20 {

- bandwidth 100%

- burst 6k

- match TCPACK {

- ip {

- protocol tcp

- }

- mark 225

- }

- priority 5

- queue-limit 65

- queue-type fair-queue

- }

- class 30 {

- bandwidth 5%

- burst 15k

- ceiling 20%

- match ssh {

- ip {

- destination {

- port 22

- }

- dscp lowdelay

- protocol tcp

- }

- }

- match ssh-ipv6 {

- ipv6 {

- destination {

- port 22

- }

- protocol tcp

- }

- }

- priority 6

- queue-limit 10

- queue-type fair-queue

- }

- default {

- bandwidth 95%

- burst 15k

- ceiling 100%

- priority 2

- queue-limit 13

- queue-type fair-queue

- }

- }

-}

-

-

-/* Warning: Do not remove the following line. */

-/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */

-/* Release version: v1.3.0.4605130.131011.1754 */

-```