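# Assumes eth0 is internet, switch0 is normal internal network, and switch0.52 is a DMZ
#
# Two IPv6 rulesets are attached to eth0 (the WAN side):
#   - wan6_in    : traffic arriving on eth0 and forwarded to switch0 / switch0.52
#   - wan6_local : traffic arriving on eth0 and addressed to the router itself
# Both default to drop, so only the explicit accept rules below admit traffic.
# enable-default-log makes the default-drop hits visible in the firewall log, which is
# what you want when investigating unexpected inbound IPv6.
# NOTE(review): nothing shown here restricts traffic between the DMZ (switch0.52) and
# the internal network (switch0); if that separation is wanted it needs its own rulesets.

# Firewall
lstoll@corerouter# set interfaces ethernet eth0 firewall in ipv6-name wan6_in
lstoll@corerouter# set interfaces ethernet eth0 firewall local ipv6-name wan6_local

# wan6_in: WAN -> internal networks. Default drop, logged.
lstoll@corerouter# set firewall ipv6-name wan6_in default-action drop
lstoll@corerouter# set firewall ipv6-name wan6_in description "WAN IPv6 to internal networks"
lstoll@corerouter# set firewall ipv6-name wan6_in enable-default-log
# Rule 10: let replies to sessions opened from inside come back.
lstoll@corerouter# set firewall ipv6-name wan6_in rule 10 action accept
lstoll@corerouter# set firewall ipv6-name wan6_in rule 10 description "Allow established/related sessions"
lstoll@corerouter# set firewall ipv6-name wan6_in rule 10 state established enable
lstoll@corerouter# set firewall ipv6-name wan6_in rule 10 state related enable
# Rule 20: drop packets the connection tracker cannot classify.
# (The original transcript first set this description on rule 10 by mistake and then
# corrected it; only the final, correct commands are kept here.)
lstoll@corerouter# set firewall ipv6-name wan6_in rule 20 action drop
lstoll@corerouter# set firewall ipv6-name wan6_in rule 20 description "Drop invalid state"
lstoll@corerouter# set firewall ipv6-name wan6_in rule 20 state invalid enable
# Rule 30: accept ICMPv6. IPv6 depends on ICMPv6 for neighbour discovery and path-MTU
# discovery, so dropping it outright breaks connectivity. Note that this rule matches
# every ICMPv6 type, not only the ones needed for that.
lstoll@corerouter# set firewall ipv6-name wan6_in rule 30 action accept
lstoll@corerouter# set firewall ipv6-name wan6_in rule 30 description "Allow IPv6 icmp"
lstoll@corerouter# set firewall ipv6-name wan6_in rule 30 protocol ipv6-icmp

# wan6_local: WAN -> the router itself. Same shape as wan6_in, plus DHCPv6 replies.
# (A bare "set firewall ipv6-name wan6_local" with no leaf, a no-op, was dropped.)
lstoll@corerouter# set firewall ipv6-name wan6_local default-action drop
lstoll@corerouter# set firewall ipv6-name wan6_local description "WAN IPv6 to router"
lstoll@corerouter# set firewall ipv6-name wan6_local enable-default-log
lstoll@corerouter# set firewall ipv6-name wan6_local rule 10 action accept
lstoll@corerouter# set firewall ipv6-name wan6_local rule 10 description "Allow established/related sessions"
lstoll@corerouter# set firewall ipv6-name wan6_local rule 10 state established enable
lstoll@corerouter# set firewall ipv6-name wan6_local rule 10 state related enable
lstoll@corerouter# set firewall ipv6-name wan6_local rule 20 action drop
lstoll@corerouter# set firewall ipv6-name wan6_local rule 20 description "Drop Invalid state"
lstoll@corerouter# set firewall ipv6-name wan6_local rule 20 state invalid enable
lstoll@corerouter# set firewall ipv6-name wan6_local rule 30 action accept
lstoll@corerouter# set firewall ipv6-name wan6_local rule 30 description "Allow IPv6 icmp"
lstoll@corerouter# set firewall ipv6-name wan6_local rule 30 protocol ipv6-icmp
# Rule 40: DHCPv6 replies from the ISP's server port (udp 547) to the client port on this
# router (udp 546); without it the prefix-delegation client below gets no answer.
lstoll@corerouter# set firewall ipv6-name wan6_local rule 40 action accept
lstoll@corerouter# set firewall ipv6-name wan6_local rule 40 description "Allow dhcpv6"
lstoll@corerouter# set firewall ipv6-name wan6_local rule 40 destination port 546
lstoll@corerouter# set firewall ipv6-name wan6_local rule 40 protocol udp
lstoll@corerouter# set firewall ipv6-name wan6_local rule 40 source port 547

# Getting addresses from the ISP
# Request a delegated prefix on eth0 and hand a slice of it to each internal interface;
# "service slaac" lets hosts on those interfaces self-configure from it.
# (The original transcript contained a truncated "... pd 1 interface sw" command, which
# would create a bogus interface node; it is omitted here.)
lstoll@corerouter# set interfaces ethernet eth0 dhcpv6-pd pd 1 interface switch0 service slaac
lstoll@corerouter# set interfaces ethernet eth0 dhcpv6-pd pd 1 interface switch0.52 service slaac
lstoll@corerouter# set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
lstoll@corerouter# set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
# NOTE(review): the router-advert block below is attached to eth0, which the header says
# is the internet-facing interface, so the router would advertise itself on the ISP link.
# Router advertisements are normally sent on the internal interfaces instead; confirm
# this is intended before reusing it.
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert cur-hop-limit 64
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert link-mtu 0
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert managed-flag false
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert max-interval 600
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert other-config-flag false
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert prefix ::/56 autonomous-flag true
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert prefix ::/56 on-link-flag true
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert prefix ::/56 valid-lifetime 2592000
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert reachable-time 0
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert retrans-timer 0
lstoll@corerouter# set interfaces ethernet eth0 ipv6 router-advert send-advert true

# If your hardware supports it
lstoll@corerouter# set system offload ipv6 forwarding enable
# Output on this particular box (kept from the original transcript): the platform refused it.
Error: platform does not support IPv6 forwarding offload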