Configuring Edgerouter KPN

Conguring a Ubiquiti EdgeRouter Lite for KPN |... https://kriegsman.io/2016/01/conguring-a-ubiquit...
KRIEGSMAN.io
Home Contact
Configuring a Ubiquiti EdgeRouter Lite for KPN
This guide explains how to configure your EdgeRouter Lite

including routed IPTV, VOIP and IPv6 Recent Posts
Configuration is based on the following connection scheme Configuring a Ubiquiti

EdgeRouter Lite for
eth0 = WAN (NTU) KPN
eth1 = LAN/IPTV (Switch w/IGMP snooping)
eth2 = VOIP (Experia Box)
Archives
January 2016
The EdgeRouter Lite is configured by default on eth0. Connect an
Ethernet cable from the Ethernet port of your computer to the port labeled
eth0 on the EdgeRouter Lite.
Social
Configure the Ethernet adapter on your host system with a static IP
address on the 192.168.1.x subnet (e.g., 192.168.1.100).
To Access the routers command line interface. You can use the CLI
button while inside the Web UI or by using an SSH program such as
PuTTY. PuTTY is generally quicker.
Launch an SSH session to 192.168.1.1. Both username and password are

ubnt.
) Setup interface eth1 and configure the DHCP/DNS server
1 configure
2
3 set interfaces ethernet eth1 address
192.168.2.254/24
4 set interfaces ethernet eth1 description "eth1
- LAN"
5 set interfaces ethernet eth1 duplex auto
6 set interfaces ethernet eth1 speed auto
7
1 of 18 07/10/2016 11:00 AM
8 set service dhcp-server disabled false

9 set service dhcp-server hostfile-update disable
10 set service dhcp-server shared-network-name LAN
authoritative enable
subnet 192.168.2.0/24
subnet 192.168.2.0/24 default-router
192.168.2.254
subnet 192.168.2.0/24 dns-server 8.8.8.8
subnet 192.168.2.0/24 dns-server 8.8.4.4
subnet 192.168.2.0/24 lease 86400
subnet 192.168.2.0/24 start 192.168.2.50
subnet 192.168.2.0/24 start 192.168.2.50 stop
192.168.2.200
18
19 set service dns forwarding cache-size 150
20 set service dns forwarding listen-on eth1
21 set service dns forwarding name-server 8.8.8.8
22 set service dns forwarding name-server 8.8.4.4
23 set service dns forwarding options listen-
address=192.168.2.254
24
25 commit
26 save
27 exit
Reconnect the Ethernet cable from the Ethernet port of your computer to
the port labeled eth1 on the EdgeRouter Lite.
Connect an Ethernet cable from the NTU to the port labeled eth0 and
connect an Ethernet cable from the WAN port of the ExperiaBox to the
port labeled eth2.
Reconfigure the Ethernet adapter on your host system with DHCP.
Launch an SSH session to 192.168.2.254. Both username and password

are ubnt.
) Configure firewall
1 configure
2
3 set firewall all-ping enable
4 set firewall broadcast-ping disable
5 set firewall ipv6-receive-redirects disable
6 set firewall ipv6-src-route disable
7 set firewall ip-src-route disable
8 set firewall log-martians enable
9 set firewall receive-redirects disable
10 set firewall send-redirects enable
2 of 18 07/10/2016 11:00 AM
11 set firewall source-validation disable

12 set firewall syn-cookies enable
13
14 set firewall name WAN_IN default-action drop
15 set firewall name WAN_IN description "WAN to
Internal"
16 set firewall name WAN_IN enable-default-log
17 set firewall name WAN_IN rule 10 action accept
18 set firewall name WAN_IN rule 10 description
"Allow established/related"
19 set firewall name WAN_IN rule 10 log enable
20 set firewall name WAN_IN rule 10 protocol all
21 set firewall name WAN_IN rule 10 state
established enable
22 set firewall name WAN_IN rule 10 state invalid
disable
23 set firewall name WAN_IN rule 10 state new
disable
24 set firewall name WAN_IN rule 10 state related
enable
25
26 set firewall name WAN_IN rule 20 action drop
27 set firewall name WAN_IN rule 20 description
"Drop invalid state"
28 set firewall name WAN_IN rule 20 log enable
29 set firewall name WAN_IN rule 20 protocol all
30 set firewall name WAN_IN rule 20 state
established disable
31 set firewall name WAN_IN rule 20 state invalid
enable
32 set firewall name WAN_IN rule 20 state new
disable
33 set firewall name WAN_IN rule 20 state related
disable
34
35 set firewall name WAN_LOCAL default-action drop
36 set firewall name WAN_LOCAL description "WAN to
router"
37 set firewall name WAN_LOCAL enable-default-log
38 set firewall name WAN_LOCAL rule 10 action
accept
39 set firewall name WAN_LOCAL rule 10 description
"Allow established/related"
40 set firewall name WAN_LOCAL rule 10 log disable
41 set firewall name WAN_LOCAL rule 10 protocol
all
42 set firewall name WAN_LOCAL rule 10 state
established enable
invalid disable
44 set firewall name WAN_LOCAL rule 10 state new
disable
related enable
46
47 set firewall name WAN_LOCAL rule 20 action drop
48 set firewall name WAN_LOCAL rule 20 description
"Drop invalid state"
49 set firewall name WAN_LOCAL rule 20 log disable
50 set firewall name WAN_LOCAL rule 20 protocol
all
3 of 18 07/10/2016 11:00 AM

established disable
invalid enable
53 set firewall name WAN_LOCAL rule 20 state new
disable
related disable
55
56 commit
57 save
58 exit
) Generate the configuration line for user-id, used to set the pppoe
authentication
1 sudo su
2 pppoe_id=$(ifconfig | grep -m 1 eth0 | awk
'{print $5}' | awk -F':' '{print "set
interfaces ethernet eth0 vif 6 pppoe 0 user-id
"$1"-"$2"-"$3"-"$4"-"$5"-"$6"@internet"}')
3 echo "$pppoe_id"
4 exit
1 configure
2
3 delete interfaces ethernet eth0 address
4
- FTTH"
8 set interfaces ethernet eth0 mtu 1512
9
10 set interfaces ethernet eth0 vif 6 description
"eth0.6 - Internet"
11 set interfaces ethernet eth0 vif 6 mtu 1508
12
13 (YOUR SET LINE FOR USER-ID, received from
previous step)
14 set interfaces ethernet eth0 vif 6 pppoe 0
password kpn
default-route auto
name-server auto
idle-timeout 180
18 set interfaces ethernet eth0 vif 6 pppoe 0 mtu
1500
19
firewall in name WAN_IN
firewall local name WAN_LOCAL
22
4 of 18 07/10/2016 11:00 AM
23 set system name-server 8.8.8.8

24 set system name-server 8.8.4.4
25
26 commit
27 save
28 exit
) Configure hardware offloading for the IPv4 connection
1 configure
2
3 set system offload ipv4 forwarding enable
4 set system offload ipv4 pppoe enable
5 set system offload ipv4 vlan enable
6
7 commit
8 save
9 exit
) Configure NAT to allow the LAN to access the internet
1 configure
2
3 set service nat rule 5010 description "KPN
Internet"
4 set service nat rule 5010 log enable
5 set service nat rule 5010 outbound-interface
pppoe0
6 set service nat rule 5010 protocol all
7 set service nat rule 5010 source address
192.168.2.0/24
8 set service nat rule 5010 type masquerade
9
10 commit
11 save
12 exit
) Enable Traffic inspection (DPI)
1 configure
2
3 set system traffic-analysis dpi enable
4 set system traffic-analysis export enable
5
6 commit
7 save
8 exit
) Add the Debian APT repository (to install tools like nano/iptraf)
5 of 18 07/10/2016 11:00 AM
1 configure
2
3 set system package repository wheezy components
"main contrib non-free"
4 set system package repository wheezy
distribution wheezy
5 set system package repository wheezy url
http://mirror.leaseweb.com/debian
6 set system package repository wheezy-security
components main
distribution wheezy/updates
url http://security.debian.org
9
10 commit
11 save
12 exit
13
14 sudo apt-get update
) Install packages with
1 sudo apt-get install package
) Configure a bridge between WAN and ExperiaBox for VOIP
1 configure
2
3 set interfaces bridge br0
4 set interfaces ethernet eth0 vif 7 bridge-group
bridge br0
"eth0.7 - VOIP"
7
- ExperiaBox"
11 set interfaces ethernet eth2 vif 7 bridge-group
bridge br0
"eth2.7 - ExperiaBox VOIP"
14
15 commit
16 save
17 exit
) Setup routed IPTV
1 configure
6 of 18 07/10/2016 11:00 AM
2
3 set interfaces ethernet eth0 vif 4 address dhcp
"eth0.4 - IPTV"
5 set interfaces ethernet eth0 vif 4 dhcp-options
client-option "send vendor-class-identifier
"IPTV_RG";"
client-option "request subnet-mask, routers,
rfc3442-classless-static-routes;"
default-route no-update
default-route-distance 210
name-server update
10
11 commit
12 save
13 exit
) Modify our DHCP configuration to include IPTV parameters
1 configure
2
3 set service dhcp-server global-parameters
"option vendor-class-identifier code 60 =
string;"
4 set service dhcp-server global-parameters
"option broadcast-address code 28 =
ip-address;"
5
6 commit
7 save
8 exit
) NAT rules are required for the IPTV settop box to connect to the IPTV
platform
) The following commands will return 2 configuration lines required.
1 sudo su
2 r_ip=$(show dhcp client leases | grep router |
awk '{ print $3 }');
3 iptv_static=$(echo "set protocols static route
213.75.112.0/21 next-hop $r_ip")
4 echo -e "$iptv_static"
5 exit
1 configure
2
3 set service nat rule 5000 description IPTV
4 set service nat rule 5000 log disable
7 of 18 07/10/2016 11:00 AM
5 set service nat rule 5000 outbound-interface

eth0.4
6 set service nat rule 5000 protocol all
7 set service nat rule 5000 destination address
213.75.112.0/21
8 set service nat rule 5000 type masquerade
9
10 (YOUR SET LINE FOR STATIC ROUTE, received from
previous step)
11
12 commit
13 save
14 exit
> Setup the IGMP Proxy
1 configure
2
3 set protocols igmp-proxy interface eth0.4
alt-subnet 0.0.0.0/0
4 set protocols igmp-proxy interface eth0.4 role
upstream
5 set protocols igmp-proxy interface eth0.4
threshold 1
6 set protocols igmp-proxy interface eth1
alt-subnet 0.0.0.0/0
7 set protocols igmp-proxy interface eth1 role
downstream
8 set protocols igmp-proxy interface eth1
threshold 1
9
10 commit
11 save
12 exit
) Configure an IPv6 Firewall
1 configure
2
3 set firewall ipv6-name WANv6_IN default-action
drop
4 set firewall ipv6-name WANv6_IN description
"WAN inbound traffic forwarded to LAN"
5 set firewall ipv6-name WANv6_IN enable-
default-log
6
7 set firewall ipv6-name WANv6_IN rule 10 action
accept
8 set firewall ipv6-name WANv6_IN rule 10
description "Allow established/related
sessions"
9 set firewall ipv6-name WANv6_IN rule 10 state
established enable
related enable
11 set firewall ipv6-name WANv6_IN rule 20 action
8 of 18 07/10/2016 11:00 AM
drop
12 set firewall ipv6-name WANv6_IN rule 20
description "Drop invalid state"
invalid enable
14
15 set firewall ipv6-name WANv6_LOCAL default-
action drop
16 set firewall ipv6-name WANv6_LOCAL description
"WAN inbound traffic to the router"
17 set firewall ipv6-name WANv6_LOCAL enable-
default-log
18
19 set firewall ipv6-name WANv6_LOCAL rule 10
action accept
description "Allow established/related
sessions"
state established enable
state related enable
23
action drop
description "Drop invalid state"
26
state invalid enable
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
31
action accept
description "allow dhcpv6"
destination port 546
protocol udp
source port 547
37
38 commit
39 save
40 exit
) Setup IPv6 on the pppoe interface and create a static route over the
pppoe interface
1 configure
2
9 of 18 07/10/2016 11:00 AM
firewall in ipv6-name WANv6_IN

firewall local ipv6-name WANv6_LOCAL
5
6 set interfaces ethernet eth0 vif 6 pppoe 0 ipv6
enable
address autoconf
dup-addr-detect-transmits 1
9
dhcpv6-pd no-dns
dhcpv6-pd pd 0 interface eth1 prefix-id :1
dhcpv6-pd pd 0 interface eth1 service slaac
dhcpv6-pd pd 0 prefix-length /48
dhcpv6-pd rapid-commit disable
15
16 set protocols static interface-route6 ::/0
next-hop-interface pppoe0
17
18 commit
19 save
20 exit
) Setup router-advert and set ipv6 name server
1 configure
2
3 set interfaces ethernet eth1 ipv6 dup-addr-
detect-transmits 1
4 set interfaces ethernet eth1 ipv6 router-advert
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 600
name-server 2001:4860:4860::8888
name-server 2001:4860:4860::8844
radvd-options "RDNSS 2001:4860:4860::8888
2001:4860:4860::8844 {};"
11
other-config-flag false
reachable-time 0
retrans-timer 0
10 of 18 07/10/2016 11:00 AM
send-advert true
prefix ::/64 autonomous-flag true
prefix ::/64 on-link-flag true
prefix ::/64 valid-lifetime 2592000
19
20 set system name-server 2001:4860:4860::8888
21 set system name-server 2001:4860:4860::8844
22
23 commit
24 save
25 exit
) Configure hardware offloading for the IPv6 connection
1 configure
2
3 set system offload ipv6 forwarding enable
4 set system offload ipv6 pppoe enable
5
6 commit
7 save
8 exit
) It is possible that after the IPv6 configuration, the default route is

changed or the IGMP proxy stopped. Simple fix to get up and running with
your new configuration.
1 reboot
You should have a working setup!
Here is the full configuration file (/config/config.boot). Before you load the
full configuration on your edgerouter, make sure you replace the following
[MAC] [ROUTER-IP] [NAT-MASK]
1 firewall {
2 all-ping enable
3 broadcast-ping disable
4 ipv6-name WANv6_IN {
5 default-action drop
6 description "WAN inbound traffic
forwarded to LAN"
7 enable-default-log
11 of 18 07/10/2016 11:00 AM
8 rule 10 {
9 action accept
10 description "Allow
established/related sessions"
11 state {
12 established enable
13 related enable
14 }
15 }
16 rule 20 {
17 action drop
18 description "Drop invalid state"
19 state {
20 invalid enable
21 }
22 }
23 }
24 ipv6-name WANv6_LOCAL {
26 description "WAN inbound traffic to the
router"
28 rule 10 {
29 action accept
established/related sessions"
31 state {
33 related enable
34 }
35 }
36 rule 20 {
37 action drop
39 state {
40 invalid enable
41 }
42 }
43 rule 30 {
44 action accept
45 description "Allow IPv6 icmp"
46 protocol ipv6-icmp
47 }
48 rule 40 {
49 action accept
50 description "allow dhcpv6"
51 destination {
52 port 546
53 }
54 protocol udp
55 source {
56 port 547
57 }
58 }
59 }
60 ipv6-receive-redirects disable
61 ipv6-src-route disable
62 ip-src-route disable
63 log-martians enable
64 name WAN_IN {
12 of 18 07/10/2016 11:00 AM
66 description "WAN to Internal"

68 rule 10 {
69 action accept
established/related"
71 log enable
72 protocol all
73 state {
75 invalid disable
76 new disable
77 related enable
78 }
79 }
80 rule 20 {
81 action drop
83 log enable
84 protocol all
85 state {
86 established disable
87 invalid enable
88 new disable
89 related disable
90 }
91 }
92 }
93 name WAN_LOCAL {
95 description "WAN to router"
97 rule 10 {
98 action accept
established/related"
100 log disable
101 protocol all
102 state {
104 invalid disable
105 new disable
106 related enable
107 }
108 }
109 rule 20 {
110 action drop
112 log disable
113 protocol all
114 state {
115 established disable
116 invalid enable
117 new disable
118 related disable
119 }
120 }
121 }
122 options {
123 }
124 receive-redirects disable
13 of 18 07/10/2016 11:00 AM
125 send-redirects enable

126 source-validation disable
127 syn-cookies enable
128 }
129 interfaces {
130 bridge br0 {
131 aging 300
132 bridged-conntrack disable
133 description "br0 - Telefonie"
134 hello-time 2
135 max-age 20
136 priority 32768
137 promiscuous disable
138 stp false
139 }
140 ethernet eth0 {
141 description "eth0 - FTTH"
142 duplex auto
143 mtu 1512
144 speed auto
145 vif 4 {
146 address dhcp
147 description "eth0.4 - IPTV"
148 dhcp-options {
149 client-option "send vendor-
class-identifier "IPTV_RG";"
150 client-option "request
subnet-mask, routers, rfc3442-classless-static-
routes;"
151 default-route no-update
152 default-route-distance 210
153 name-server update
154 }
155 }
156 vif 6 {
157 description "eth0.6 - Internet"
158 mtu 1508
159 pppoe 0 {
160 default-route auto
161 dhcpv6-pd {
162 no-dns
163 pd 0 {
164 interface eth1 {
165 prefix-id :1
166 service slaac
167 }
168 prefix-length /48
169 }
170 rapid-commit disable
171 }
172 firewall {
173 in {
174 ipv6-name WANv6_IN
175 name WAN_IN
176 }
177 local {
178 ipv6-name WANv6_LOCAL
179 name WAN_LOCAL
180 }
181 }
182 idle-timeout 180
14 of 18 07/10/2016 11:00 AM
183 ipv6 {
184 address {
185 autoconf
186 }
187 dup-addr-detect-transmits 1
188 enable {
189 }
190 }
191 mtu 1500
192 name-server auto
193 password kpn
194 user-id [MAC]@internet
195 }
196 }
197 vif 7 {
198 bridge-group {
199 bridge br0
200 }
201 description "eth0.7 - Telefonie"
202 mtu 1500
203 }
204 }
205 ethernet eth1 {
206 address 192.168.2.254/24
207 description "eth1 - LAN"
208 duplex auto
209 ipv6 {
210 dup-addr-detect-transmits 1
211 router-advert {
212 cur-hop-limit 64
213 link-mtu 0
214 managed-flag false
215 max-interval 600
216 name-server
2001:4860:4860::8888
217 name-server
2001:4860:4860::8844
218 other-config-flag false
219 prefix ::/64 {
220 autonomous-flag true
221 on-link-flag true
222 valid-lifetime 2592000
223 }
224 radvd-options "RDNSS
2001:4860:4860::8888 2001:4860:4860::8844 {};"
225 reachable-time 0
226 retrans-timer 0
227 send-advert true
228 }
229 }
230 speed auto
231 }
232 ethernet eth2 {
233 description "eth2 - ExperiaBox"
234 duplex auto
235 speed auto
236 vif 7 {
237 bridge-group {
238 bridge br0
239 }
240 description "eth2.7 - ExperiaBox
15 of 18 07/10/2016 11:00 AM
VOIP"
241 mtu 1500
242 }
243 }
244 loopback lo {
245 }
246 }
247 protocols {
248 igmp-proxy {
249 interface eth0.4 {
250 alt-subnet 0.0.0.0/0
251 role upstream
252 threshold 1
253 }
254 interface eth1 {
255 alt-subnet 0.0.0.0/0
256 role downstream
257 threshold 1
258 }
259 }
260 static {
261 interface-route6 ::/0 {
262 next-hop-interface pppoe0 {
263 }
264 }
265 route 213.75.112.0/21 {
266 next-hop [ROUTER-IP] {
267 }
268 }
269 }
270 }
271 service {
272 dhcp-server {
273 disabled false
274 global-parameters "option vendor-class-
identifier code 60 = string;"
275 global-parameters "option broadcast-
address code 28 = ip-address;"
276 hostfile-update disable
277 shared-network-name LAN {
278 authoritative enable
279 subnet 192.168.2.0/24 {
280 default-router 192.168.2.254
281 dns-server 8.8.8.8
282 dns-server 8.8.4.4
283 lease 86400
284 start 192.168.2.50 {
285 stop 192.168.2.200
286 }
287 }
288 }
289 }
290 dns {
291 forwarding {
292 cache-size 150
293 listen-on eth1
294 name-server 8.8.8.8
296 options listen-
address=192.168.2.254
297 }
16 of 18 07/10/2016 11:00 AM
298 }
299 gui {
300 https-port 443
301 }
302 nat {
303 rule 5000 {
304 description IPTV
305 destination {
306 address 213.75.112.0/21
307 }
308 log disable
309 outbound-interface eth0.4
310 protocol all
311 source {
312 }
313 type masquerade
314 }
315 rule 5010 {
316 description "KPN Internet"
317 log enable
318 outbound-interface pppoe0
319 protocol all
320 source {
321 address 192.168.2.0/24
322 }
323 type masquerade
324 }
325 }
326 ssh {
327 port 22
328 protocol-version v2
329 }
330 }
331 system {
332 host-name ubnt
333 login {
334 user ubnt {
335 authentication {
336 encrypted-password
$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
337 }
338 level admin
339 }
340 }
341 name-server 2001:4860:4860::8888
342 name-server 2001:4860:4860::8844
345 ntp {
346 server 0.ubnt.pool.ntp.org {
347 }
349 }
351 }
353 }
354 }
355 offload {
356 ipv4 {
357 forwarding enable
17 of 18 07/10/2016 11:00 AM
358 pppoe enable

359 vlan enable
360 }
361 ipv6 {
362 forwarding enable
363 pppoe enable
364 }
365 }
366 package {
367 repository wheezy {
368 components "main contrib non-free"
369 distribution wheezy
370 password ""
371 url http://mirror.leaseweb.com
/debian
372 username ""
373 }
374 repository wheezy-security {
375 components main
376 distribution wheezy/updates
377 password ""
378 url http://security.debian.org
379 username ""
380 }
381 }
382 syslog {
383 global {
384 facility all {
385 level notice
386 }
387 facility protocols {
388 level debug
389 }
390 }
391 }
392 time-zone UTC
393 traffic-analysis {
394 dpi enable
395 export enable
396 }
397 }
18 of 18 07/10/2016 11:00 AM

Configuring Edgerouter KPN

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Configuring Edgerouter KPN

Hochgeladen von

Copyright:

Verfügbare Formate

Conguring a Ubiquiti EdgeRouter Lite for KPN |... https://kriegsman.io/2016/01/conguring-a-ubiquit...

Configuring a Ubiquiti EdgeRouter Lite for KPN

This guide explains how to configure your EdgeRouter Lite

Configuration is based on the following connection scheme Configuring a Ubiquiti

Launch an SSH session to 192.168.1.1. Both username and password are

) Setup interface eth1 and configure the DHCP/DNS server

8 set service dhcp-server disabled false

Reconfigure the Ethernet adapter on your host system with DHCP.

Launch an SSH session to 192.168.2.254. Both username and password

11 set firewall source-validation disable

51 set firewall name WAN_LOCAL rule 20 state

23 set system name-server 8.8.8.8

) Configure hardware offloading for the IPv4 connection

) Configure NAT to allow the LAN to access the internet

) Enable Traffic inspection (DPI)

) Install packages with

1 sudo apt-get install package

) Configure a bridge between WAN and ExperiaBox for VOIP

) Setup routed IPTV

) Modify our DHCP configuration to include IPTV parameters

5 set service nat rule 5000 outbound-interface

> Setup the IGMP Proxy

) Configure an IPv6 Firewall

firewall in ipv6-name WANv6_IN

) Setup router-advert and set ipv6 name server

) Configure hardware offloading for the IPv6 connection

) It is possible that after the IPv6 configuration, the default route is

You should have a working setup!

66 description "WAN to Internal"

125 send-redirects enable

358 pppoe enable

Das könnte Ihnen auch gefallen