Skip to content

Instantly share code, notes, and snippets.

@mskutta

mskutta/EdgeRouter_Lite_Commands_for_Comcast.sh

Last active July 3, 2018 15:16
Show Gist options
  • Save mskutta/ae4eb61e19efe2e37f6b to your computer and use it in GitHub Desktop.
Save mskutta/ae4eb61e19efe2e37f6b to your computer and use it in GitHub Desktop.
Download ZIP
EdgeRouter Lite Commands for Comcast ( v1.7.0)
Raw
EdgeRouter_Lite_Commands_for_Comcast.sh
# ISP: Comcast
# Router: Ubiquiti EdgeMax Router Lite
# EdgeOS System Image: v1.7.0
# WAN Interface: eth1
# LAN Interface: eth0 (mgmt)
# VLAN Interface: eth0.2 (video)
# VLAN Interface: eth0.3 (voip)
# VLAN Interface: eth0.4 (local)
# VLAN Interface: eth0.5 (guest)
configure
# IPv4 Firewall
# TODO: Add script to create WAN_IN
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 state invalid enable
# TODO: Add script to create WAN_LOCAL
# VLANS 1 - 5 https://help.ubnt.com/hc/en-us/articles/204959444-EdgeMAX-InterVLAN-Walkthrough-with-ERLite-3-using-Sample-Enterprise-Topology
set interfaces ethernet eth0 vif 2 address 192.168.2.1/24
set interfaces ethernet eth0 vif 3 address 192.168.3.1/24
set interfaces ethernet eth0 vif 4 address 192.168.4.1/24
set interfaces ethernet eth0 vif 5 address 192.168.5.1/24
set interfaces ethernet eth1 address dhcp
set service dhcp-server shared-network-name vlan1 description "vlan1-dhcp-pool"
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 domain-name mgmt.skutta.local
set service dhcp-server shared-network-name vlan1 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.254
set service dhcp-server shared-network-name vlan2 description "vlan2-dhcp-pool"
set service dhcp-server shared-network-name vlan2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name vlan2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name vlan2 subnet 192.168.2.0/24 domain-name video.skutta.local
set service dhcp-server shared-network-name vlan2 subnet 192.168.2.0/24 start 192.168.2.11 stop 192.168.2.254
set service dhcp-server shared-network-name vlan3 description "vlan3-dhcp-pool"
set service dhcp-server shared-network-name vlan3 subnet 192.168.3.0/24 default-router 192.168.3.1
set service dhcp-server shared-network-name vlan3 subnet 192.168.3.0/24 dns-server 192.168.3.1
set service dhcp-server shared-network-name vlan3 subnet 192.168.3.0/24 domain-name voip.skutta.local
set service dhcp-server shared-network-name vlan3 subnet 192.168.3.0/24 start 192.168.3.100 stop 192.168.3.254
set service dhcp-server shared-network-name vlan4 description "vlan4-dhcp-pool"
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 default-router 192.168.4.1
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 dns-server 192.168.4.1
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 domain-name skutta.local
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 start 192.168.4.11 stop 192.168.4.200
set service dhcp-server shared-network-name vlan5 description "vlan5-dhcp-pool"
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 default-router 192.168.5.1
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 dns-server 192.168.5.1
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 domain-name guest.skutta.local
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 start 192.168.5.11 stop 192.168.5.254
set service dns forwarding listen-on eth0
set service dns forwarding listen-on eth0.2
set service dns forwarding listen-on eth0.3
set service dns forwarding listen-on eth0.4
set service dns forwarding listen-on eth0.5
set service nat rule 5010 description "masquerade from all LANs to eth1 WAN"
set service nat rule 5010 source address 192.168.0.0/16
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
commit
save
# Configure IPv6 Firewall https://medium.com/@nurblieh/ipv6-on-the-edgerouter-lite-c95e3cc8d49d#.7fvy20cqh
# WAN -> LAN Clients
set firewall ipv6-name IPV6WAN_IN description 'IPV6WAN to internal'
set firewall ipv6-name IPV6WAN_IN default-action drop
set firewall ipv6-name IPV6WAN_IN rule 10 action accept
set firewall ipv6-name IPV6WAN_IN rule 10 state established enable
set firewall ipv6-name IPV6WAN_IN rule 10 state related enable
set firewall ipv6-name IPV6WAN_IN rule 10 log disable
set firewall ipv6-name IPV6WAN_IN rule 10 description 'Allow established/related'
set firewall ipv6-name IPV6WAN_IN rule 20 action drop
set firewall ipv6-name IPV6WAN_IN rule 20 state invalid enable
set firewall ipv6-name IPV6WAN_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name IPV6WAN_IN rule 30 action accept
set firewall ipv6-name IPV6WAN_IN rule 30 description 'Allow ICMPv6'
set firewall ipv6-name IPV6WAN_IN rule 30 log disable
set firewall ipv6-name IPV6WAN_IN rule 30 protocol icmpv6
set interfaces ethernet eth1 firewall in ipv6-name IPV6WAN_IN
# WAN -> Router
set firewall ipv6-name IPV6WAN_LOCAL description 'IPV6WAN to local'
set firewall ipv6-name IPV6WAN_LOCAL default-action drop
set firewall ipv6-name IPV6WAN_LOCAL rule 10 action accept
set firewall ipv6-name IPV6WAN_LOCAL rule 10 description "allow established"
set firewall ipv6-name IPV6WAN_LOCAL rule 10 protocol all
set firewall ipv6-name IPV6WAN_LOCAL rule 10 state established enable
set firewall ipv6-name IPV6WAN_LOCAL rule 10 state related enable
set firewall ipv6-name IPV6WAN_LOCAL rule 10 log disable
set firewall ipv6-name IPV6WAN_LOCAL rule 20 action drop
set firewall ipv6-name IPV6WAN_LOCAL rule 20 description "drop invalid packets"
set firewall ipv6-name IPV6WAN_LOCAL rule 20 protocol all
set firewall ipv6-name IPV6WAN_LOCAL rule 20 state invalid enable
set firewall ipv6-name IPV6WAN_LOCAL rule 30 action accept
set firewall ipv6-name IPV6WAN_LOCAL rule 30 description "allow ICMPv6"
set firewall ipv6-name IPV6WAN_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name IPV6WAN_LOCAL rule 30 log disable
set firewall ipv6-name IPV6WAN_LOCAL rule 40 action accept
set firewall ipv6-name IPV6WAN_LOCAL rule 40 description "allow DHCPv6 client/server"
set firewall ipv6-name IPV6WAN_LOCAL rule 40 destination port 546
set firewall ipv6-name IPV6WAN_LOCAL rule 40 source port 547
set firewall ipv6-name IPV6WAN_LOCAL rule 40 protocol udp
set firewall ipv6-name IPV6WAN_LOCAL rule 40 log disable
set interfaces ethernet eth1 firewall local IPV6WAN_LOCAL
commit
save
# Enable IPv6 https://techsmix.net/ubiquti-edgemax-lite/
set interfaces ethernet eth1 dhcpv6-pd pd 0
set interfaces ethernet eth1 dhcpv6-pd pd 0 prefix-length 60
set interfaces ethernet eth1 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 prefix-id :1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.2
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.2 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.2 prefix-id :2
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.2 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.3
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.3 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.3 prefix-id :3
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.3 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.4
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.4 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.4 prefix-id :4
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.4 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.5
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.5 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.5 prefix-id :5
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0.5 service slaac
set interfaces ethernet eth0 ipv6 router-advert prefix ::/64
commit
save
# Set up L2TP over IPsec VPN server
# https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-L2TP-Server
# https://www.youtube.com/watch?v=3Q_n78MD0-I
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <password>
set vpn l2tp remote-access client-ip-pool start 192.168.4.201
set vpn l2tp remote-access client-ip-pool stop 192.168.4.210
set vpn l2tp remote-access dns-servers server-1 192.168.4.1
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access dhcp-interface eth1
set vpn l2tp remote-access mtu 1492
commit
save
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment