Last active
April 16, 2023 05:26
-
-
Save brianjwagner/aa29c6a986f831ebe867 to your computer and use it in GitHub Desktop.
EdgeRouter Lite Configuration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| firewall { | |
| all-ping enable | |
| broadcast-ping disable | |
| ipv6-receive-redirects disable | |
| ipv6-src-route disable | |
| ip-src-route disable | |
| log-martians enable | |
| name LAN_IN { | |
| default-action accept | |
| description "Wired network to other networks" | |
| } | |
| name LAN_LOCAL { | |
| default-action accept | |
| description "Wired network to router" | |
| } | |
| name WAN_IN { | |
| default-action drop | |
| description "Internet to local internal networks" | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| description "allow established/related" | |
| log disable | |
| protocol all | |
| state { | |
| established enable | |
| invalid disable | |
| new disable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| description "drop invalid" | |
| log enable | |
| protocol all | |
| state { | |
| established disable | |
| invalid enable | |
| new disable | |
| related disable | |
| } | |
| } | |
| rule 3 { | |
| action accept | |
| description "Remote subnet" | |
| destination { | |
| address 169.254.253.0/24 | |
| } | |
| log disable | |
| protocol all | |
| source { | |
| address 172.31.0.0/16 | |
| } | |
| } | |
| rule 4 { | |
| action accept | |
| description "Allow IPSec" | |
| log disable | |
| protocol udp | |
| source { | |
| address XX.XXX.XX.154-XX.XXX.XX.155 | |
| port 500 | |
| } | |
| } | |
| } | |
| name WAN_LOCAL { | |
| default-action drop | |
| description "Internet to router" | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| description "allow established/related" | |
| log disable | |
| protocol all | |
| state { | |
| established enable | |
| invalid disable | |
| new disable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| description "drop invalid" | |
| log enable | |
| protocol all | |
| state { | |
| established disable | |
| invalid enable | |
| new disable | |
| related disable | |
| } | |
| } | |
| } | |
| name WLAN_IN { | |
| default-action accept | |
| description "Wireless network to other networks" | |
| } | |
| name WLAN_LOCAL { | |
| default-action accept | |
| description "Wireless network to router" | |
| } | |
| receive-redirects disable | |
| send-redirects enable | |
| source-validation disable | |
| syn-cookies enable | |
| } | |
| interfaces { | |
| ethernet eth0 { | |
| address dhcp | |
| description WAN | |
| duplex auto | |
| firewall { | |
| in { | |
| } | |
| local { | |
| } | |
| } | |
| speed auto | |
| } | |
| ethernet eth1 { | |
| address 172.16.0.1/24 | |
| description LAN | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth2 { | |
| address 172.16.1.1/24 | |
| description WLAN | |
| duplex auto | |
| speed auto | |
| } | |
| loopback lo { | |
| } | |
| vti vti0 { | |
| address 169.254.253.18/30 | |
| description "VPC tunnel 1" | |
| mtu 1436 | |
| } | |
| vti vti1 { | |
| address 169.254.253.22/30 | |
| description "VPC tunnel 2" | |
| mtu 1436 | |
| } | |
| } | |
| protocols { | |
| bgp 65066 { | |
| neighbor 169.254.253.17 { | |
| remote-as 7224 | |
| soft-reconfiguration { | |
| inbound | |
| } | |
| timers { | |
| holdtime 30 | |
| keepalive 30 | |
| } | |
| } | |
| neighbor 169.254.253.21 { | |
| remote-as 7224 | |
| soft-reconfiguration { | |
| inbound | |
| } | |
| timers { | |
| holdtime 30 | |
| keepalive 30 | |
| } | |
| } | |
| network 0.0.0.0/0 { | |
| } | |
| } | |
| } | |
| service { | |
| dhcp-server { | |
| disabled false | |
| hostfile-update disable | |
| shared-network-name LAN-subnet { | |
| authoritative disable | |
| subnet 172.16.0.0/24 { | |
| default-router 172.16.0.1 | |
| dns-server 172.16.0.1 | |
| lease 86400 | |
| start 172.16.0.10 { | |
| stop 172.16.0.254 | |
| } | |
| } | |
| } | |
| shared-network-name WLAN-subnet { | |
| authoritative disable | |
| subnet 172.16.1.0/24 { | |
| default-router 172.16.1.1 | |
| dns-server 172.16.1.1 | |
| lease 86400 | |
| start 172.16.1.10 { | |
| stop 172.16.1.254 | |
| } | |
| } | |
| } | |
| } | |
| dns { | |
| forwarding { | |
| cache-size 150 | |
| listen-on eth1 | |
| listen-on eth2 | |
| } | |
| } | |
| gui { | |
| https-port 443 | |
| } | |
| nat { | |
| rule 5001 { | |
| description "masquerade for WAN" | |
| log disable | |
| outbound-interface eth0 | |
| protocol all | |
| type masquerade | |
| } | |
| } | |
| } | |
| vpn { | |
| ipsec { | |
| auto-firewall-nat-exclude enable | |
| esp-group AWS { | |
| compression disable | |
| lifetime 3600 | |
| mode tunnel | |
| pfs enable | |
| proposal 1 { | |
| encryption aes128 | |
| hash sha1 | |
| } | |
| } | |
| ike-group AWS { | |
| dead-peer-detection { | |
| action restart | |
| interval 15 | |
| timeout 30 | |
| } | |
| lifetime 28800 | |
| proposal 1 { | |
| dh-group 2 | |
| encryption aes128 | |
| hash sha1 | |
| } | |
| } | |
| ipsec-interfaces { | |
| interface eth0 | |
| } | |
| nat-networks { | |
| allowed-network 0.0.0.0/0 { | |
| } | |
| } | |
| nat-traversal enable | |
| site-to-site { | |
| peer XX.XXX.XX.154 { | |
| authentication { | |
| mode pre-shared-secret | |
| pre-shared-secret **************** | |
| } | |
| description "VPC tunnel 1" | |
| ike-group AWS | |
| local-address XX.XX.XX.30 | |
| vti { | |
| bind vti0 | |
| esp-group AWS | |
| } | |
| } | |
| peer XX.XXX.XX.155 { | |
| authentication { | |
| mode pre-shared-secret | |
| pre-shared-secret **************** | |
| } | |
| description "VPC tunnel 2" | |
| ike-group AWS | |
| local-address XX.XX.XX.30 | |
| vti { | |
| bind vti1 | |
| esp-group AWS | |
| } | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment