EdgeOS-Config-Example.md
@@ -1,3 +1,4 @@
1
+## EdgeRouter Lite DN42 config example
1 2
This is the config I'm running on an Ubiquiti EdgeRouter Lite (AS76197). It features:
2 3
3 4
* dn42 DNS
@@ -7,3 +8,360 @@ This is the config I'm running on an Ubiquiti EdgeRouter Lite (AS76197). It feat
7 8
* 2 internal: One DN42 network (172.22.117.128/25 for me and my servers as well as a NAT 192.168.42.10/24 for my parents, so that they're save from dn42 - that network is NOT announced to dn42).
8 9
* Firewall to protect my NAS server and monitoring
9 10
11
+```
12
+firewall {
13
+ all-ping enable
14
+ broadcast-ping disable
15
+ conntrack-expect-table-size 4096
16
+ conntrack-hash-size 4096
17
+ conntrack-table-size 32768
18
+ conntrack-tcp-loose enable
19
+ ipv6-name ROUTER_V6 {
20
+ default-action drop
21
+ rule 1 {
22
+ action drop
23
+ destination {
24
+ port 22
25
+ }
26
+ protocol tcp
27
+ }
28
+ }
29
+ ipv6-name WAN_IN_V6 {
30
+ default-action drop
31
+ enable-default-log
32
+ rule 3 {
33
+ action drop
34
+ destination {
35
+ port 22
36
+ }
37
+ protocol tcp
38
+ }
39
+ }
40
+ ipv6-receive-redirects disable
41
+ ipv6-src-route disable
42
+ ip-src-route disable
43
+ log-martians enable
44
+ name DN42 {
45
+ default-action drop
46
+ rule 100 {
47
+ action drop
48
+ destination {
49
+ address 172.22.117.181
50
+ }
51
+ source {
52
+ address !172.22.117.128/25
53
+ }
54
+ }
55
+ rule 101 {
56
+ action drop
57
+ destination {
58
+ address 172.22.117.182
59
+ }
60
+ source {
61
+ address !172.22.117.128/25
62
+ }
63
+ }
64
+ rule 102 {
65
+ action drop
66
+ destination {
67
+ address 172.22.117.183
68
+ }
69
+ source {
70
+ address !172.22.117.128/25
71
+ }
72
+ }
73
+ }
74
+ name ROUTER_V4 {
75
+ default-action accept
76
+ rule 2 {
77
+ action accept
78
+ protocol icmp
79
+ }
80
+ rule 10 {
81
+ action drop
82
+ destination {
83
+ port 22
84
+ }
85
+ protocol tcp
86
+ }
87
+ }
88
+ name WAN_IN_V4 {
89
+ default-action drop
90
+ enable-default-log
91
+ rule 1 {
92
+ action accept
93
+ description "allow established connections"
94
+ protocol all
95
+ state {
96
+ established enable
97
+ related enable
98
+ }
99
+ }
100
+ rule 2 {
101
+ action drop
102
+ state {
103
+ invalid enable
104
+ }
105
+ }
106
+ rule 3 {
107
+ action drop
108
+ destination {
109
+ port 22
110
+ }
111
+ protocol tcp
112
+ }
113
+ }
114
+ receive-redirects disable
115
+ send-redirects enable
116
+ source-validation disable
117
+ syn-cookies enable
118
+}
119
+interfaces {
120
+ ethernet eth0 {
121
+ duplex auto
122
+ firewall {
123
+ in {
124
+ name WAN_IN_V4
125
+ }
126
+ }
127
+ pppoe 0 {
128
+ default-route auto
129
+ firewall {
130
+ local {
131
+ ipv6-name ROUTER_V6
132
+ name ROUTER_V4
133
+ }
134
+ }
135
+ mtu 1492
136
+ name-server auto
137
+ password 12345678
138
+ traffic-policy {
139
+ }
140
141
+ }
142
+ speed auto
143
+ }
144
+ ethernet eth1 {
145
+ address 172.22.117.254/25
146
+ duplex auto
147
+ speed auto
148
+ traffic-policy {
149
+ }
150
+ }
151
+ ethernet eth2 {
152
+ address 192.168.42.1/24
153
+ duplex auto
154
+ speed auto
155
+ }
156
+ loopback lo {
157
+ }
158
+ openvpn vtun0 {
159
+ local-address 172.22.117.254 {
160
+ subnet-mask 255.255.255.128
161
+ }
162
+ local-port 33121
163
+ mode site-to-site
164
+ openvpn-option --comp-lzo
165
+ protocol udp
166
+ remote-address 172.22.117.1
167
+ remote-host 5.9.33.163
168
+ remote-port 33121
169
+ shared-secret-key-file /config/auth/felihome.key
170
+ }
171
+}
172
+policy {
173
+ prefix-list vpn-in {
174
+ rule 10 {
175
+ action permit
176
+ ge 22
177
+ le 28
178
+ prefix 172.22.0.0/15
179
+ }
180
+ }
181
+}
182
+protocols {
183
+ bgp 76197 {
184
+ neighbor 172.22.117.1 {
185
+ description feli-server
186
+ peer-group dn42
187
+ remote-as 64717
188
+ }
189
+ network 172.22.117.128/25 {
190
+ }
191
+ peer-group dn42 {
192
+ soft-reconfiguration {
193
+ inbound
194
+ }
195
+ }
196
+ }
197
+}
198
+service {
199
+ dhcp-server {
200
+ disabled false
201
+ dynamic-dns-update {
202
+ enable true
203
+ }
204
+ shared-network-name int {
205
+ authoritative disable
206
+ subnet 172.22.117.128/25 {
207
+ default-router 172.22.117.254
208
+ dns-server 172.22.117.254
209
+ domain-name feli-home.felicitus.org
210
+ lease 86400
211
+ start 172.22.117.129 {
212
+ stop 172.22.117.150
213
+ }
214
+ static-mapping monitoring {
215
+ ip-address 172.22.117.183
216
+ mac-address 52:54:00:20:df:46
217
+ }
218
+ static-mapping nas {
219
+ ip-address 172.22.117.181
220
+ mac-address e8:39:35:ee:22:7b
221
+ }
222
+ }
223
+ }
224
+ shared-network-name nat {
225
+ authoritative disable
226
+ subnet 192.168.42.0/24 {
227
+ default-router 192.168.42.1
228
+ dns-server 8.8.8.8
229
+ dns-server 8.8.4.4
230
+ lease 86400
231
+ start 192.168.42.10 {
232
+ stop 192.168.42.100
233
+ }
234
+ }
235
+ }
236
+ }
237
+ dns {
238
+ forwarding {
239
+ cache-size 150
240
+ listen-on eth1
241
+ listen-on eth2
242
+ name-server 8.8.8.8
243
+ name-server 8.8.4.4
244
+ options server=/dn42/172.22.0.53
245
+ options server=/22.172.in-addr.arpa/172.22.0.53
246
+ options server=/23.172.in-addr.arpa/172.22.0.53
247
+ options rebind-domain-ok=/dn42/
248
+ }
249
+ }
250
+ nat {
251
+ rule 6000 {
252
+ outbound-interface pppoe0
253
+ type masquerade
254
+ }
255
+ rule 7000 {
256
+ outbound-interface eth2
257
+ type masquerade
258
+ }
259
+ }
260
+ ssh {
261
+ port 22
262
+ protocol-version v2
263
+ }
264
+ upnp {
265
+ listen-on eth1 {
266
+ outbound-interface pppoe0
267
+ }
268
+ listen-on eth2 {
269
+ outbound-interface pppoe0
270
+ }
271
+ }
272
+}
273
+system {
274
+ host-name ubnt
275
+ login {
276
+ user felicitus {
277
+ authentication {
278
+ encrypted-password errnope
279
+ plaintext-password ""
280
+ public-keys [email protected] {
281
+ key AAAAB3NzaC1yc2EAAAADAQABAAABAQDPTSLjSY/Be1XJ/klAwLiM1pKSvmbdcOgtgDB6nPcHkgX6JZu7g/Kejfuk4qIKL8GYYUQt7DlGY6n2u5rChWE/6KZJzXcUwS3pXk4LZ5KydWp7ihfvyRtUOBgKkRa1zQv+6KCH9WyR++ArwVTP8KSkrmDe6k7NWAjZqOuIJHG/AbEyTBapTJYjObZ0AM7wlwcB+oRM1BfZCP0Y+PIP2eGJS7Pyb32pITNKk3JuFXgAvbj5OeRrwtpZ9S+/7wIpaUVODPzrVmbC7vOXu/2KJ9aY2BmxUsxRbrvWMmWNiuE0YPt/7lUroK4pH3md3lWRcGUS/uYvhug7yG1yB81nyI15
282
+ type ssh-rsa
283
+ }
284
+ }
285
+ level admin
286
+ }
287
+ }
288
+ name-server 172.22.117.254
289
+ ntp {
290
+ server 0.ubnt.pool.ntp.org {
291
+ }
292
+ server 1.ubnt.pool.ntp.org {
293
+ }
294
+ server 2.ubnt.pool.ntp.org {
295
+ }
296
+ server 3.ubnt.pool.ntp.org {
297
+ }
298
+ }
299
+ syslog {
300
+ global {
301
+ facility all {
302
+ level notice
303
+ }
304
+ facility protocols {
305
+ level debug
306
+ }
307
+ }
308
+ }
309
+ time-zone UTC
310
+}
311
+traffic-policy {
312
+ shaper client-up-s {
313
+ bandwidth 30kbit
314
+ class 20 {
315
+ bandwidth 100%
316
+ burst 6k
317
+ match TCPACK {
318
+ ip {
319
+ protocol tcp
320
+ }
321
+ mark 225
322
+ }
323
+ priority 5
324
+ queue-limit 65
325
+ queue-type fair-queue
326
+ }
327
+ class 30 {
328
+ bandwidth 5%
329
+ burst 15k
330
+ ceiling 20%
331
+ match ssh {
332
+ ip {
333
+ destination {
334
+ port 22
335
+ }
336
+ dscp lowdelay
337
+ protocol tcp
338
+ }
339
+ }
340
+ match ssh-ipv6 {
341
+ ipv6 {
342
+ destination {
343
+ port 22
344
+ }
345
+ protocol tcp
346
+ }
347
+ }
348
+ priority 6
349
+ queue-limit 10
350
+ queue-type fair-queue
351
+ }
352
+ default {
353
+ bandwidth 95%
354
+ burst 15k
355
+ ceiling 100%
356
+ priority 2
357
+ queue-limit 13
358
+ queue-type fair-queue
359
+ }
360
+ }
361
+}
362
+
363
+
364
+/* Warning: Do not remove the following line. */
365
+/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
366
+/* Release version: v1.3.0.4605130.131011.1754 */
367
+```
\ No newline at end of file
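Review bot: The PPPoE line `password 12345678` under `pppoe 0` publishes a credential in clear text, while the user block was redacted to `encrypted-password errnope`; if this is the real uplink password it should be rotated and the line replaced with a placeholder such as `password <REDACTED>`, and if it is already a dummy value the text above the fence should say so. Separately, `WAN_IN_V4` is attached via `firewall { in { name WAN_IN_V4 } }` on `ethernet eth0`, whereas `pppoe 0` only carries the `local` ruleset; since the uplink's IP traffic arrives on pppoe0, forwarded traffic from the Internet appears not to traverse WAN_IN_V4 at all, and `WAN_IN_V6` is defined but attached nowhere in this hunk (inferred from the interface layout shown, not verified on a device). Moving the block under `pppoe 0` as `in { name WAN_IN_V4 ipv6-name WAN_IN_V6 }` beside the existing `local` block would make the example enforce the "Firewall to protect my NAS server" bullet it advertises.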