@Ruben-E
Last active August 6, 2024 05:43
Configure EdgeRouter X for KPN fiber / glasvezel

Set up interface eth1 and configure the DHCP/DNS server

configure
 
set interfaces ethernet eth1 address 192.168.2.254/24
set interfaces ethernet eth1 description "eth1 - LAN"
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
 
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 default-router 192.168.2.254
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 1.1.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50 stop 192.168.2.200
 
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding options listen-address=192.168.2.254
 
commit
save
exit

Configure firewall

configure
 
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
 
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN to Internal"
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state related enable
 
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 state established disable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 20 state new disable
set firewall name WAN_IN rule 20 state related disable
 
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN to router"
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "Allow established/related"
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol all
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state invalid disable
set firewall name WAN_LOCAL rule 10 state new disable
set firewall name WAN_LOCAL rule 10 state related enable
 
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol all
set firewall name WAN_LOCAL rule 20 state established disable
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 20 state new disable
set firewall name WAN_LOCAL rule 20 state related disable
 
commit
save
exit

Generate the configuration line for the user-id, used to set up the PPPoE authentication

sudo su
pppoe_id=$(ifconfig | grep -m 1 eth0 | awk '{print $5}' | awk -F':' '{print "set interfaces ethernet eth0 vif 6 pppoe 0 user-id "$1"-"$2"-"$3"-"$4"-"$5"-"$6"@internet"}')
echo "$pppoe_id"
exit
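The one-liner above depends on the column layout of ifconfig (a commenter further down reports it no longer works on newer firmware). The script below is an added example, not code from the gist: it reads the MAC from sysfs instead, validates it, and only then prints the same "set ... user-id" line, so a garbled value cannot end up in the running configuration. The "<mac-with-dashes>@internet" user-id form is the gist's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the gist: build the PPPoE user-id line from the
# MAC address of the WAN interface without relying on ifconfig's column layout.
# The "<mac-with-dashes>@internet" user-id form comes from the gist; the
# function names here are this example's own.
set -u

# Return 0 when $1 looks like aa:bb:cc:dd:ee:ff (either case), 1 otherwise.
valid_mac() {
  h='[0-9a-fA-F][0-9a-fA-F]'
  case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the "set ..." line for interface $1 using MAC $2; fail on a malformed
# MAC so a garbled value never reaches the running configuration.
pppoe_user_id_line() {
  iface=$1
  mac=$2
  valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
  user_id="$(printf '%s' "$mac" | tr ':' '-')@internet"
  printf 'set interfaces ethernet %s vif 6 pppoe 0 user-id %s\n' "$iface" "$user_id"
}

# Read the MAC of interface $1 from sysfs (standard on Linux, EdgeOS included).
mac_of() {
  cat "/sys/class/net/$1/address"
}

# Usage on the router:  sh pppoe_id.sh eth0
if [ -n "${1:-}" ]; then
  pppoe_user_id_line "$1" "$(mac_of "$1")"
fi
```

Run it with the WAN interface name as the only argument and paste the printed line into the configure session below in place of the "(YOUR SET LINE FOR USER-ID ...)" placeholder.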

configure
 
delete interfaces ethernet eth0 address
 
set interfaces ethernet eth0 description "eth0 - FTU"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 mtu 1512
 
set interfaces ethernet eth0 vif 6 description "eth0.6 - Internet"
set interfaces ethernet eth0 vif 6 mtu 1508
 
(YOUR SET LINE FOR USER-ID, received from previous step)
set interfaces ethernet eth0 vif 6 pppoe 0 password kpn
set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 6 pppoe 0 idle-timeout 180
set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1500
 
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WAN_LOCAL
 
set system name-server 8.8.8.8
set system name-server 8.8.4.4
 
commit
save
exit
 

Configure hardware offloading for the IPv4 connection (I think you need to enable offloading manually)

configure
 
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
 
commit
save
exit

Configure NAT to allow the LAN to access the internet

configure
 
set service nat rule 5010 description "KPN Internet"
set service nat rule 5010 log enable
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 protocol all
set service nat rule 5010 source address 192.168.2.0/24
set service nat rule 5010 type masquerade
 
commit
save
exit

Enable Traffic inspection (DPI)

configure
 
set system traffic-analysis dpi enable
set system traffic-analysis export enable
 
commit
save
exit

Set up routed IPTV

configure
 
set interfaces ethernet eth0 vif 4 address dhcp
set interfaces ethernet eth0 vif 4 description "eth0.4 - IPTV"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "send vendor-class-identifier "IPTV_RG";"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update
set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 4 dhcp-options name-server update
 
commit
save
exit

Modify our DHCP configuration to include IPTV parameters

configure
 
set service dhcp-server global-parameters "option vendor-class-identifier code 60 = string;"
set service dhcp-server global-parameters "option broadcast-address code 28 = ip-address;"
 
commit
save
exit

Generate the static route towards the IPTV platform via the router address handed out by DHCP on eth0.4. The following commands will return the configuration line required.

sudo su
r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }');
iptv_static=$(echo "set protocols static route 213.75.112.0/21 next-hop $r_ip")
echo -e "$iptv_static"
exit

NAT rules are required for the IPTV set-top box to connect to the IPTV platform. Add the masquerade rule below together with the static route line generated in the previous step.

configure
 
set service nat rule 5000 description IPTV
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0.4
set service nat rule 5000 protocol all
set service nat rule 5000 destination address 213.75.112.0/21
set service nat rule 5000 type masquerade

(YOUR SET LINE FOR STATIC ROUTE, received from previous step)
 
commit
save
exit

Set up the IGMP proxy

configure
 
set protocols igmp-proxy interface eth0.4 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth0.4 role upstream
set protocols igmp-proxy interface eth0.4 threshold 1
set protocols igmp-proxy interface eth1 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth1 role downstream
set protocols igmp-proxy interface eth1 threshold 1
 
commit
save
exit

Configure an IPv6 Firewall

configure
 
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "WAN inbound traffic forwarded to LAN"
set firewall ipv6-name WANv6_IN enable-default-log
 
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
 
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "WAN inbound traffic to the router"
set firewall ipv6-name WANv6_LOCAL enable-default-log
 
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable 
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
 
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid state"
 
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow IPv6 icmp"
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
 
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "allow dhcpv6"
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
 
commit
save
exit
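The IPv4 rulesets (WAN_IN, WAN_LOCAL) and the IPv6 rulesets above follow the same pattern: default-action drop, accept established/related, drop invalid, and a small number of explicit accepts. The script below is an added example and not part of the gist: a lint for "set firewall" lines that reports the things a reviewer checks on WAN-facing rulesets, i.e. a default-action other than drop, accept rules that can match new connections (any accept rule without a "state" clause, or with "state new enable"), and ICMPv6 accept rules that do not restrict the type (the RFC 4890 point raised in the comments below). The "icmpv6 type" keyword is assumed EdgeOS syntax, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: lint EdgeOS "set firewall" lines for
# the usual WAN-ruleset review points. The "icmpv6 type" keyword is assumed
# EdgeOS syntax; function names are this example's own.
set -u

# Read "set firewall name|ipv6-name ..." lines on stdin and print one
# "WARN ..." line per finding, sorted so the output is stable.
lint_firewall() {
  awk '
  $1 == "set" && $2 == "firewall" && ($3 == "name" || $3 == "ipv6-name") {
    rs = $4; seen[rs] = 1
    if ($5 == "default-action") def[rs] = $6
    if ($5 == "rule") {
      r = rs " rule " $6; rules[r] = 1
      if ($7 == "action") act[r] = $8
      # A rule with no state clause matches every state, including NEW.
      if ($7 == "state") { hasstate[r] = 1; if ($8 == "new" && $9 == "enable") newok[r] = 1 }
      if ($7 == "protocol") proto[r] = $8
      if ($7 == "icmpv6" && $8 == "type") typed[r] = 1
    }
  }
  END {
    for (rs in seen)
      if (!(rs in def) || def[rs] != "drop")
        print "WARN " rs ": default-action is " ((rs in def) ? def[rs] : "unset") ", expected drop"
    for (r in rules) {
      if (act[r] != "accept") continue
      if (!(r in hasstate) || (r in newok))
        print "WARN " r ": accept can match NEW connections (" ((r in proto) ? proto[r] : "any protocol") ")"
      if (proto[r] == "ipv6-icmp" && !(r in typed))
        print "WARN " r ": accepts every ICMPv6 type; restrict with icmpv6 type (RFC 4890)"
    }
  }' | sort
}

# Constructed sample: a few of the gist's rules plus an intentionally weak ruleset.
sample_config() {
  cat <<'EOF'
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall name WEAK default-action accept
set firewall name WEAK rule 10 action accept
set firewall name WEAK rule 10 state new enable
EOF
}

# Usage on the router:  show configuration commands | grep '^set firewall' | sh lint_firewall.sh -
# Offline, against the constructed sample:  sh lint_firewall.sh --sample
case "${1:-}" in
  --sample) sample_config | lint_firewall ;;
  -)        lint_firewall ;;
esac
```

Every warning is an exposure to confirm rather than a bug: rule 40 (DHCPv6 from port 547) and rule 30 (ICMPv6) in WANv6_LOCAL are intentional, but the lint makes you say so explicitly, and the ICMPv6 finding is exactly the tightening proposed in the comments.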

Set up IPv6 on the PPPoE interface and create a static default route over the PPPoE interface

configure
 
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL
 
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1
 
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 prefix-length /48
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd rapid-commit disable
 
set protocols static interface-route6 ::/0 next-hop-interface pppoe0
 
commit
save
exit

Set up router-advert and set the IPv6 name servers

configure
 
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0
set interfaces ethernet eth1 ipv6 router-advert managed-flag false
set interfaces ethernet eth1 ipv6 router-advert max-interval 600
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8888
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8844
set interfaces ethernet eth1 ipv6 router-advert radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
 
set interfaces ethernet eth1 ipv6 router-advert other-config-flag false
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth1 ipv6 router-advert send-advert true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 valid-lifetime 2592000
 
set system name-server 2001:4860:4860::8888
set system name-server 2001:4860:4860::8844
 
commit
save
exit

Configure hardware offloading for the IPv6 connection

configure
 
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
 
commit
save
exit

It is possible that after the IPv6 configuration the default route has changed or the IGMP proxy has stopped. A reboot is a simple fix to get up and running with your new configuration.

reboot

ghost commented Sep 15, 2021

Interesting! I had a look at the rules regarding IPv6.

set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow IPv6 icmp"
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp

I see you also create these for WANv6_IN here. That is then limited to an echo request towards the LAN, while incoming echo is in principle not very important. Besides, packet-too-big and parameter-problem are not included, and they are important. RFC: https://datatracker.ietf.org/doc/html/rfc4890

The types, based on the example in the RFC, that could be included in WANv6_LOCAL and WANv6_IN:

echo-request
parameter-problem
time-exceeded
packet-too-big
destination-unreachable

The generic ICMPv6 rule towards the router can then go, because we limit it to the types above.
delete firewall ipv6-name WANv6_LOCAL rule 30

@Porthos-development

In case you run into an issue: since 15-10-2021 I noticed there had been a change that made my EdgeRouter X use much more memory. The GUI also reported that a config reload had taken place, so the GUI needed a refresh. This happened every 5 minutes.

eth0 is my WAN interface towards my NTU.

It turned out that I had the following in my config in the task scheduler (every 5 min):
cat /config/scripts/tvroute.sh

#!/bin/vbash

# configured static route target
CUR_IP=$(cat /config/config.boot | grep 213.75.112.0/21 -A1 | grep next-hop | awk '{ print $2}');

# static route target
NEW_IP=$(cat /var/run/dhclient_eth0.4_lease | grep router | awk -F= '{print $2}' | tr -d \');

if [ "$CUR_IP" = "$NEW_IP" ]; then
   echo Addresses the same
   exit 1;
fi

source /opt/vyatta/etc/functions/script-template

configure
delete protocols static route 213.75.112.0/21 next-hop $CUR_IP
set protocols static route 213.75.112.0/21 next-hop $NEW_IP
commit
save
exit

restart igmp-proxy

After investigating, it turns out that no new route comes in anymore. I solved this by:

replacing the current line
NEW_IP=$(cat /var/run/dhclient_eth0.4_lease | grep router | awk -F= '{print $2}' | tr -d \');

with the line below
NEW_IP=$(cat /var/run/dhclient_eth0.4_lease | grep new_dhcp_server_identifier | awk -F= '{print $2}' | tr -d \');
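The gist's "show dhcp client leases | grep router" step and the tvroute.sh script above both derive the IPTV next-hop from the DHCP lease on eth0.4. The script below is an added example, not the gist's or the commenter's code: it reads the next-hop from the dhclient lease file, preferring new_routers and falling back to new_dhcp_server_identifier (the change that fixed the script in this thread), refuses anything that is not a dotted-quad so a malformed lease cannot become a next-hop, and prints the route change as configure commands for review instead of committing it blindly. It assumes the lease file holds KEY='value' lines, as the grep/awk pipelines in this thread imply; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the gist's or the commenter's code: derive the IPTV
# next-hop from the dhclient lease of eth0.4 and emit the route change as
# configure commands. Assumption: the lease file holds KEY='value' lines
# (as the grep/awk pipelines in this thread imply). Function names are this
# example's own.
set -u

IPTV_NET=213.75.112.0/21

# Print the value of key $2 from lease file $1 with the quotes stripped.
lease_value() {
  grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d "'"
}

# Accept only a dotted-quad with four octets in 0..255.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# Next-hop towards the IPTV platform according to lease file $1:
# new_routers first, then new_dhcp_server_identifier as a fallback.
iptv_next_hop() {
  hop=$(lease_value "$1" new_routers)
  [ -n "$hop" ] || hop=$(lease_value "$1" new_dhcp_server_identifier)
  valid_ipv4 "$hop" || return 1
  printf '%s\n' "$hop"
}

# Commands to move the static route from $1 (may be empty) to $2; nothing when equal.
iptv_route_cmds() {
  [ "$1" = "$2" ] && return 0
  [ -n "$1" ] && printf 'delete protocols static route %s next-hop %s\n' "$IPTV_NET" "$1"
  printf 'set protocols static route %s next-hop %s\n' "$IPTV_NET" "$2"
}

# Constructed sample lease (made-up addresses) so the logic can be tried offline.
sample_lease() {
  f=$(mktemp) && cat > "$f" <<'EOF'
new_ip_address='10.20.30.40'
new_subnet_mask='255.255.255.0'
new_dhcp_server_identifier='10.20.30.1'
new_routers='10.20.30.1'
EOF
  printf '%s\n' "$f"
}

# Usage on the router (dry run):
#   sh iptv_route.sh /var/run/dhclient_eth0.4_lease [current-next-hop]
# Review the printed lines, then run them inside configure ... commit ; save
# and restart igmp-proxy, as tvroute.sh above does.
if [ -n "${1:-}" ]; then
  new=$(iptv_next_hop "$1") || { echo "no usable router address in $1" >&2; exit 1; }
  iptv_route_cmds "${2:-}" "$new"
fi
```

Keeping the commit step out of the script means a scheduler run that sees an unexpected lease prints nothing harmful; the validation is what prevents a bad value from silently replacing the route every five minutes.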

@pinkmoon84

pinkmoon84 commented Jan 5, 2022

@Allroundhosting do you mean that a change took place on KPN's side? Here the internet has been dropping out regularly for several months; a soft reset is needed to get things running again (EdgeRouter Lite + UniFi switches).

@3JL

3JL commented Jan 12, 2022

FYI - to enable resolving local hostnames, I had to add the router IP to the name servers listed under switch 0, see below.
I think there must be a more elegant way... But this did the trick for me for now. Best!

set interfaces switch switch0 vif 1 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 vif 1 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 vif 1 ipv6 router-advert link-mtu 0
set interfaces switch switch0 vif 1 ipv6 router-advert managed-flag false
set interfaces switch switch0 vif 1 ipv6 router-advert max-interval 600
set interfaces switch switch0 vif 1 ipv6 router-advert name-server <fill in router-ip>
set interfaces switch switch0 vif 1 ipv6 router-advert name-server 2001:4860:4860::8888
set interfaces switch switch0 vif 1 ipv6 router-advert name-server 2001:4860:4860::8844
set interfaces switch switch0 vif 1 ipv6 router-advert other-config-flag false
set interfaces switch switch0 vif 1 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces switch switch0 vif 1 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces switch switch0 vif 1 ipv6 router-advert prefix ::/64 valid-lifetime 2592000
set interfaces switch switch0 vif 1 ipv6 router-advert reachable-time 0
set interfaces switch switch0 vif 1 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 vif 1 ipv6 router-advert send-advert true
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.1 host-address ::1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.1 prefix-id :1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.1 no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.1 service slaac
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.2 host-address ::1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.2 prefix-id :2
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.2 service slaac

@nikagersonlohman

The following lines are no longer correct:
pppoe_id=$(ifconfig | grep -m 1 eth0 | awk '{print $5}' | awk -F':' '{print "set interfaces ethernet eth0 vif 6 pppoe 0 user-id "$1"-"$2"-"$3"-"$4"-"$5"-"$6"@internet"}')
and
r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }');

For the first one I took the MAC address out by hand (the next line in the ifconfig output for eth0).

For the second one I used the line from elsewhere in this thread:
r_ip=$(cat /var/run/dhclient_eth0.4_lease | grep new_dhcp_server_identifier | awk -F= '{print $2}' | tr -d \');

@ricardosilva86

hey bro, thx a lot for this... it will save me a lot of time. QQ: the TV still doesn't work with EdgeRouterX?

@Ruben-E
Author

Ruben-E commented Mar 31, 2023

Np! I don't know tbh. I haven't had television included for a while and I'm also not using the EdgeRouter anymore. Switched to a custom-built router with OPNsense.

@mirno

mirno commented Jun 29, 2023

Thank you Ruben! This helped a lot!

I thought the EdgeRouterX didn't support the hardware offloading:

config_user824@ubnt# set system offload ipv4 forwarding enable 
Error: platform does not support IPv4 forwarding offload

From this section:

configure
 
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
 
commit
save
exit

I simply configured the following:

configure

set system offload hwnat enable
set system offload ipsec enable

commit ; save

From: https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading


Still new with Ubiquiti hardware, so I need to figure out a lot first. The access point was automatically integrated when using the app, without manual config. I thought I needed to change some settings in the EdgeRouter X.

I was thinking of making some Ansible playbooks with different configuration files for certain settings. The thing is, this eth0 configuration will not work when changing provider, for example.

Last point:
Anyone else having difficulties when using the app / network application? I cannot find my devices using these applications. I suspected the FW settings.
