Gist crmcmullen/a50124a1bea9e57b24ed0ce892b54e3f (config.boot)
```
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        speed auto
        duplex auto
        vif 201 {
            description "CenturyLink WAN (PPPoE)"
            pppoe 5 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
                password ********
                user-id [email protected]
            }
        }
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth5.201
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.140 {
                    stop 192.168.1.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 500
            listen-on switch0
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            outbound-interface pppoe5
            type masquerade
            description "masquerade for WAN"
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on switch0
        nat-pmp disable
        secure-mode enable
        wan eth5.201
    }
}
system {
    host-name MyHome-Router
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
                plaintext-password ""
            }
            full-name "UBNT Admin"
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Boise
    traffic-analysis {
        dpi enable
        export enable
    }
}
```
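The config above is plain EdgeOS brace syntax, so it can be parsed and checked before it goes onto a router. The following is an added Python example (not part of the gist, and not an EdgeOS tool) that parses a config.boot into nested dicts and audits the WAN-facing settings visible in this config: that every PPPoE instance has `in` and `local` rulesets with `default-action drop` (WAN_IN and WAN_LOCAL here), plus `source-validation`, the GUI's `older-ciphers`, and the default `ubnt` login. The file name `audit_edgeos.py` and the choice of checks are my assumptions.

```python
import shlex
import sys

def parse_config(text):
    """EdgeOS/Vyatta brace syntax -> nested dicts: "name WAN_IN {" becomes
    node["name"]["WAN_IN"]; a repeated leaf (two name-server lines) becomes a list."""
    root, stack = {}, []            # stack holds the enclosing nodes
    node = root
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line == "}":
            node = stack.pop()
            continue
        opens = line.endswith("{")
        parts = shlex.split(line.rstrip("{ ") if opens else line)  # honours "quoted values"
        if opens:
            parent = node
            for key in parts[:-1]:
                parent = parent.setdefault(key, {})
            stack.append(node)
            node = parent.setdefault(parts[-1], {})
            continue
        key, value = parts[0], (" ".join(parts[1:]) if len(parts) > 1 else True)
        old = node.get(key)             # second value for the same leaf -> list
        node[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
    return root

def audit(cfg):
    """Findings for a PPPoE-WAN router config; an empty list means every check passed."""
    found, fw = [], cfg.get("firewall", {})
    # Each PPPoE instance needs 'in' and 'local' rulesets that default to drop (WAN_IN/WAN_LOCAL).
    for eth in cfg.get("interfaces", {}).get("ethernet", {}).values():
        for vif in [eth] + list(eth.get("vif", {}).values()):
            for pid, ppp in vif.get("pppoe", {}).items():
                for d in ("in", "local"):
                    name = ppp.get("firewall", {}).get(d, {}).get("name")
                    if fw.get("name", {}).get(name, {}).get("default-action") != "drop":
                        found.append(f"pppoe{pid}: '{d}' has no default-drop ruleset")
    if fw.get("source-validation") != "strict":
        found.append("source-validation is not strict (no reverse-path check on WAN)")
    if cfg.get("service", {}).get("gui", {}).get("older-ciphers") == "enable":
        found.append("gui older-ciphers enable: legacy TLS ciphers on the admin UI")
    if "ubnt" in cfg.get("system", {}).get("login", {}).get("user", {}):
        found.append("default 'ubnt' admin account still present")
    return found

if __name__ == "__main__":          # usage: python audit_edgeos.py config.boot
    for finding in audit(parse_config(open(sys.argv[1]).read())):
        print("WARN", finding)
```

Run against the config above it reports the `source-validation disable`, `older-ciphers enable` and `user ubnt` settings and confirms both WAN rulesets are attached to pppoe 5.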
Can you please share the SFP you are using with CenturyLink?
Reading online, it sounds like you need a GPON SFP, but I'd love to get the same SFP you have to make sure it will work.
This is the SFP that I purchased at the time.
This may well save my weekend. A couple of questions if you’re willing:
I’ll be using the EdgeRouter X - no SFP, but I’m assuming changes should be trivial. To clarify the question and response above, though - I think @gattimassimo was asking about skipping the ONT by using a fiber SFP. Since you linked to an Ethernet SFP, I’m guessing that’s not what you’re doing (I’m not even sure that’s possible?) but I’d love to find out otherwise. If I am correct here, is there a benefit to using the SFP version of the EdgeRouter (I could still exchange)?
Second, you don’t appear to be offloading PPPOE. Is there a reason? Seems like that’s a meaty process that would benefit from coming off the software as well.
Anything else I should look out for? Thanks!
First, I was cobbling together instructions from multiple sources to arrive at my solution, and the PPPOE config is from the example I was using. And second, the line that was brought to my tech closet in my house was terminated with an ethernet connector, so that's what I had to work with. 😏
The only real added benefit to the SFP version of the EdgeRouter is that using it frees up a port on your switch. Otherwise you could totally configure one of the ethernet ports as your inbound WAN. In fact I did that until my SFP arrived and then I reconfigured to use that and free up an ethernet port on the switch.
What you're all seeing here is the final configuration I put in place, which I've been running without a problem since I published this. The secret sauce is to remember to enable hardware NAT.
@jeffkirsch
Looking at the documentation here, it looks like since this is a MediaTek-based device, the "hwnat enable" in this config block should enable hardware offloading for Bridging, DPI, NAT, VLANs, GRE, & PPPoE. I may be missing something though.
My EdgeRouter X SFP should be coming this week so I hope to get it set up using this. I already bought the SFP for ethernet from the link above, so crossing my fingers everything works as expected! Thanks for sharing!
Edit: It worked! After initially upgrading the firmware, I did get some warnings after loading this config.boot file. I also had to manually run both commands to enable hardware offloading, but in the end, it worked. Now I am just waiting on my PoE injector to get here, since I mistakenly thought the ER-X-SFP's passive 24V PoE supported the power needs of the UniFi 6 Lite.
This config.boot file will get you off the ground with an EdgeRouter X SFP on CenturyLink fiber. It uses the eth5 SFP port as the inbound WAN and leaves eth0 free as a management port or a second WAN port. I didn't enable IPv6, as it's not necessary for CenturyLink fiber, but it could certainly be enabled. The key to getting maximum bandwidth through the router is to enable hardware NAT (hwnat).
With this config.boot file you will NOT need the CenturyLink modem at all: the router performs the PPPoE authentication for you, so you just need to get those PPPoE credentials from the installation technician.