/* Global firewall settings. WAN_IN/WAN_LOCAL are `name` (IPv4) rulesets; they are bound to pppoe5 in the interfaces section. If IPv6 is ever enabled on the PPPoE link it will need its own `ipv6-name` rulesets - these do not cover it. */
firewall {
    /* Router answers ICMP echo on every interface. From the WAN this is still dropped: WAN_LOCAL below only accepts established/related and has no rule for ICMP. */
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Log packets with impossible source addresses (e.g. private ranges arriving on the WAN). */
    log-martians enable
    /* Traffic from the WAN forwarded to the LAN. Default drop: only stateful return traffic is accepted. Inbound openings would come from port-forward rules (auto-firewall is enabled there) or from UPnP, not from this ruleset. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Traffic from the WAN addressed to the router itself (GUI, SSH, DNS, ICMP). Default drop, so none of the services in the service section are reachable from the WAN unless an accept rule is added here. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        /* 1452 = the 1492 PPPoE MTU set on pppoe5 minus 40 bytes of IP+TCP header. */
        mss-clamp {
            interface-type pppoe
            mss 1452
        }
    }
    receive-redirects disable
    /* The router will emit ICMP redirects; harmless on a single LAN segment. */
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off, so forwarded packets are not checked against the return route. With a single WAN link `loose` (or `strict`) is normally safe and drops spoofed sources - confirm nothing relies on asymmetric routing before changing. */
    source-validation disable
    syn-cookies enable
}
/* Physical ports, the PPPoE WAN on the SFP port (eth5) and the LAN switch. */
interfaces {
    /* NOTE(review): eth0 is described "Local" but is not a switch0 member and has no address, so as configured nothing plugged into it gets connectivity - effectively unused. */
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    /* SFP port carrying the ISP uplink; the PPPoE session runs inside VLAN 201. */
    ethernet eth5 {
        speed auto
        duplex auto
        vif 201 {
            description "CenturyLink WAN (PPPoE)"
            pppoe 5 {
                default-route auto
                /* WAN_IN filters forwarded traffic, WAN_LOCAL filters traffic to the router. No `out` ruleset is applied. */
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                /* PPPoE overhead leaves 1492 of a 1500-byte Ethernet MTU; matches the MSS clamp in the firewall section. */
                mtu 1492
                /* DNS servers learned from the ISP; the DNS forwarder in the service section uses explicit Google servers instead. */
                name-server auto
                /* NOTE(review): both credentials are placeholders here; the real ones live in plain text in config.boot once set, so do not commit or share a real config.boot. */
                password ********
                user-id [email protected]
            }
        }
    }
    loopback lo {
    }
    /* LAN: eth1-eth4 switched together, router at 192.168.1.1. */
    switch switch0 {
        address 192.168.1.1/24
        description Local
        switch-port {
            interface eth1
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
/* Port-forward framework; no forwarding rules are defined in this config. auto-firewall means any rule added later is permitted through WAN_IN automatically, without an explicit accept rule - review each one as an inbound hole. */
port-forward {
    auto-firewall enable
    /* Lets LAN hosts reach forwarded services via the public address. */
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth5.201
}
/* Services the router runs. None are reachable from the WAN as long as WAN_LOCAL keeps its default-action drop. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                /* Clients resolve through the router's forwarder below, not directly through Google. */
                dns-server 192.168.1.1
                lease 86400
                /* Dynamic pool .140-.240; addresses below .140 are left free for static assignments. */
                start 192.168.1.140 {
                    stop 192.168.1.240
                }
            }
        }
    }
    /* Caching forwarder, bound to the LAN only (not the WAN). Upstream is Google over plain DNS; EdgeOS forwarding offers no DoT/DoH here, so queries leave unencrypted. */
    dns {
        forwarding {
            cache-size 500
            listen-on switch0
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    /* Web UI on 80/443. NOTE(review): older-ciphers enable turns on legacy TLS cipher suites for the UI; set `older-ciphers disable` unless a specific old client still needs them. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Source-NAT all LAN traffic leaving over the PPPoE session. */
    nat {
        rule 5010 {
            outbound-interface pppoe5
            type masquerade
            description "masquerade for WAN"
        }
    }
    /* SSH on the default port, v2 only. Password authentication is not disabled in this block; consider key-only login for the admin user. */
    ssh {
        port 22
        protocol-version v2
    }
    /* UPnP: LAN devices may request inbound port mappings on the WAN VLAN. secure-mode restricts a client to mappings that point at its own address; it does not stop a compromised LAN host from exposing itself. */
    upnp2 {
        listen-on switch0
        nat-pmp disable
        secure-mode enable
        wan eth5.201
    }
}
/* Host identity, admin account, resolvers, NTP, offload and logging. */
system {
    host-name MyHome-Router
    login {
        /* NOTE(review): this is the default EdgeOS username and the hash below ($1$ prefix = MD5-crypt, a weak scheme) is published with this gist. Anyone who loads the file unchanged shares a publicly known credential - set a new password (and preferably a non-default user) before or immediately after loading. */
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
                plaintext-password ""
            }
            full-name "UBNT Admin"
            level admin
        }
    }
    /* Resolvers used by the router itself (not by the forwarder, which lists its own). */
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    /* Hardware offload; the comments below this file report it had to be enabled by hand after loading. */
    offload {
        hwnat enable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Routing/PPPoE protocol logging at debug is verbose; lower it once the link is stable. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Boise
    /* DPI classifies per-host traffic on the router; it costs CPU and keeps a per-device usage record. Disable if that visibility is not wanted. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
First, I was cobbling together instructions from multiple sources to arrive at my solution and the PPPOE config is from the example I was using. And second the line that was brought to my tech closet in my house was terminated with an ethernet connector, so that's what I had to work with. 😏
The only real added benefit to the SFP version of the EdgeRouter is that using it frees up a port on your switch. Otherwise you could totally configure one of the ethernet ports as your inbound WAN. In fact I did that until my SFP arrived and then I reconfigured to use that and free up an ethernet port on the switch.
What you're all seeing here is the final configuration I put in place, which I've been running without a problem since I published this. The secret sauce is to remember to enable hardware NAT.
@jeffkirsch
Looking at the documentation here, it looks like since this is a MediaTek-based device, the "hwnat enable" in this config block should enable hardware offloading for Bridging, DPI, NAT, VLANs, GRE, & PPPoE. I may be missing something though.
My EdgeRouter X SFP should be coming this week so I hope to get it set up using this. I already bought the SFP for ethernet from the link above, so crossing my fingers everything works as expected! Thanks for sharing!
Edit: It worked! After initially upgrading the firmware, I did get some warnings after loading this config.boot file. I also had to manually run both commands to enable hardware offloading, but in the end, it worked. Now I am just waiting on my PoE injector to get here, since I mistakenly thought the ER-X-SFP's passive 24V PoE supported the power needs of the UniFi 6 Lite.
This may well save my weekend. A couple questions if you’re willing:
I’ll be using the EdgeRouter X - no SFP, but I’m assuming changes should be trivial. To clarify the question and response above, though - I think @gattimassimo was asking about skipping the ONT by using a fiber SFP. Since you linked to an Ethernet SFP, I’m guessing that’s not what you’re doing (I’m not even sure that’s possible?) but I’d love to find out otherwise. If I am correct here, is there a benefit to using the SFP version of the EdgeRouter (I could still exchange it)?
Second, you don’t appear to be offloading PPPoE. Is there a reason? Seems like that’s a meaty process that would benefit from coming off the software as well.
Anything else I should look out for? Thanks!