Skip to content

Instantly share code, notes, and snippets.

@Superbil

Superbil/EdgeOS-Hinet.sh

Forked from stevejenkins/EdgeMax-Google.sh
Last active April 11, 2020 20:50
Show Gist options
  • Save Superbil/24c1b95265e2e9970bc23f715b010061 to your computer and use it in GitHub Desktop.
Save Superbil/24c1b95265e2e9970bc23f715b010061 to your computer and use it in GitHub Desktop.
Download ZIP
IPv4/IPv6 setup script for EdgeOS v1.9 routers to replace Hinet ADSL. #edge
Raw
EdgeOS-Hinet.sh
# EdgeOS v1.9 Hinet Config Script
# by Superbil (https://github.com/superbil)
# Last updated: Sep 25, 2018
# Based on settings & scripts by Jenkins, Atlantisman, TK, and CompTech
# RUN THIS SCRIPT AS ROOT ON YOUR EDGEROUTER
# Script runs best if you copy and paste in sections
#______________________Basic Firewall Setup_______________________________
configure
#Basic firewall for IPv4 and IPv6
edit firewall
edit ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "Allow ICMPv6"
set rule 30 log disable
set rule 30 protocol icmpv6
up
edit ipv6-name WAN6_LOCAL
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "Allow ICMPv6"
set rule 30 log disable
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 description "Allow DHCPv6"
set rule 40 destination port 546
set rule 40 protocol udp
set rule 40 source port 547
up
edit name LAN_IN
set default-action accept
set description "LAN to Internal"
set enable-default-log
set rule 10 action drop
set rule 10 description "drop invalid state"
set rule 10 state invalid enable
up
edit name WAN_IN
set default-action drop
set description "WAN to Internal"
set enable-default-log
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 log disable
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 log enable
set rule 20 state invalid enable
up
edit name WAN_LOCAL
set default-action drop
set description "WAN to Router"
set enable-default-log
set rule 10 action accept
set rule 10 description "Allow ICMP"
set rule 10 log disable
set rule 10 protocol icmp
set rule 20 action accept
set rule 20 description "Allow established/related"
set rule 20 log disable
set rule 20 state established enable
set rule 20 state related enable
set rule 30 action drop
set rule 30 description "Drop invalid state"
set rule 30 log enable
set rule 30 state invalid enable
up
# Enable MSS Clamping
set options mss-clamp interface-type all
set options mss-clamp mss 1412
# Set Misc Firewall options
set all-ping enable
set broadcast-ping disable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
set source-validation disable
set syn-cookies enable
top
commit
save
#____________________Internet Service Config_____________________
configure
#Setup WAN and VLAN Interfaces w/QoS
set interfaces ethernet eth1 description "Internet"
set interfaces ethernet eth1 vif 2
set interfaces ethernet eth1 vif 2 description "Hinet WAN"
set interfaces ethernet eth1 vif 2 address dhcp
set interfaces ethernet eth1 vif 2 dhcp-options default-route update
set interfaces ethernet eth1 vif 2 dhcp-options default-route-distance 210
set interfaces ethernet eth1 vif 2 dhcp-options name-server no-update
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 interface eth0 service slaac
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 prefix-length /64
set interfaces ethernet eth1 vif 2 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth1 vif 2 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth1 vif 2 firewall in name WAN_IN
set interfaces ethernet eth1 vif 2 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth1 vif 2 firewall local name WAN_LOCAL
#Setup LAN
set interfaces ethernet eth0 description "LAN"
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 firewall in name LAN_IN
#Setup Local Config Port
set interfaces ethernet eth2 description "Local Config Port"
set interfaces ethernet eth2 address 192.168.0.1/24
set interfaces ethernet eth2 firewall in name LAN_IN
#Setup Loopback
set interfaces loopback lo
#Setup DHCP on LAN
set service dhcp-server disabled false
set service dhcp-server hostfile-update enable
set service dhcp-server use-dnsmasq disable
set service dhcp-server shared-network-name LAN authoritative disable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.101 stop 192.168.1.254
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
commit
save
#______________________MGMT & Additional Settings___________________________
configure
#Set GUI options
set gui http-port 80
set gui https-port 443
set gui older-ciphers enable
#Set IPSec offload to enable
set system offload ipsec enable
#Set VLAN offload to enable speeds faster than ~530Mbps up/down
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding enable
set system offload ipv4 vlan enable
set system offload ipv6 vlan enable
#Enable Deep Packet Inspection
set system traffic-analysis dpi enable
set system traffic-analysis export enable
#Set Router Hostname
set system host-name UBNT-Gateway
#Set Time Zone
delete system time-zone
set system time-zone Asia/Taipei
#Set System Name Servers
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
#Set outbound NAT Interface to Google VLAN
edit service nat rule 5000
set description "Masquerade for WAN"
set log disable
set outbound-interface eth1.2
set protocol all
set type masquerade
top
#Auto-create new firewall rules for new port forwards
set port-forward auto-firewall enable
#Allow LAN clients to hit external port forwards
set port-forward hairpin-nat enable
#Pre-set correct interfaces for port forwarding
set port-forward lan-interface eth0
set port-forward wan-interface eth1.2
#Set System DNS and Enable DNS forwarding and cacheing
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set service dns forwarding cache-size 1000
set service dns forwarding listen-on eth0
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server '2001:4860:4860::8888'
set service dns forwarding name-server '2001:4860:4860::8844'
set service dns forwarding system
#Enable UPnP
edit service upnp2
set listen-on eth0
set nat-pmp disable
set secure-mode disable
set wan eth1.2
top
commit
save
exit
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment