IPv4/IPv6 setup script for EdgeMax EdgeOS v1.9 routers to replace the Google Fiber Network Box

EdgeMax-Google.sh

# EdgeOS v1.9 Google Fiber Config Script
# by Steve Jenkins (http://www.stevejenkins.com/)
# Last updated: Aug 14, 2016
# Based on settings & scripts by Atlantisman, TK, and CompTech

# RUN THIS SCRIPT AS ROOT ON YOUR EDGEROUTER
# Script runs best if you copy and paste in sections

#______________________Basic Firewall Setup_______________________________
configure

#Basic firewall for IPv4 and IPv6
edit firewall

edit ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "Allow ICMPv6"
set rule 30 log disable
set rule 30 protocol icmpv6
up

edit ipv6-name WAN6_LOCAL
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "Allow ICMPv6"
set rule 30 log disable
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 description "Allow DHCPv6"
set rule 40 destination port 546
set rule 40 protocol udp
set rule 40 source port 547
up

edit name LAN_IN
set default-action accept
set description "LAN to Internal"
set enable-default-log
set rule 10 action drop
set rule 10 description "drop invalid state"
set rule 10 state invalid enable
up

edit name WAN_IN
set default-action drop
set description "WAN to Internal"
set enable-default-log
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 log disable
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 log enable
set rule 20 state invalid enable
up

edit name WAN_LOCAL
set default-action drop
set description "WAN to Router"
set enable-default-log
set rule 10 action accept
set rule 10 description "Allow ICMP"
set rule 10 log disable
set rule 10 protocol icmp
set rule 20 action accept
set rule 20 description "Allow established/related"
set rule 20 log disable
set rule 20 state established enable
set rule 20 state related enable
set rule 30 action drop
set rule 30 description "Drop invalid state"
set rule 30 log enable
set rule 30 state invalid enable
up

# Enable MSS Clamping
set options mss-clamp interface-type all
set options mss-clamp mss 1460

# Set Misc Firewall options
set all-ping enable
set broadcast-ping disable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
set source-validation disable
set syn-cookies enable
top

commit
save

#____________________Internet Service Config_____________________
configure

#Setup WAN and VLAN Interfaces w/QoS
set interfaces ethernet eth1 description "Google Fiber Jack"
set interfaces ethernet eth1 vif 2
set interfaces ethernet eth1 vif 2 description "Google Fiber WAN"
set interfaces ethernet eth1 vif 2 address dhcp
set interfaces ethernet eth1 vif 2 dhcp-options default-route update
set interfaces ethernet eth1 vif 2 dhcp-options default-route-distance 210
set interfaces ethernet eth1 vif 2 dhcp-options name-server no-update
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 interface eth0 prefix-id :0
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 interface eth0 service slaac
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 prefix-length /56
set interfaces ethernet eth1 vif 2 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth1 vif 2 egress-qos "0:3"
set interfaces ethernet eth1 vif 2 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth1 vif 2 firewall in name WAN_IN
set interfaces ethernet eth1 vif 2 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth1 vif 2 firewall local name WAN_LOCAL

#Setup LAN
set interfaces ethernet eth0 description "LAN"
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 firewall in name LAN_IN

#Setup Local Config Port
set interfaces ethernet eth2 description "Local Config Port"
set interfaces ethernet eth2 address 192.168.0.1/24
set interfaces ethernet eth2 firewall in name LAN_IN

#Setup Loopback
set interfaces loopback lo

#Setup DHCP on LAN
set service dhcp-server disabled false
set service dhcp-server hostfile-update enable
set service dhcp-server use-dnsmasq disable
set service dhcp-server shared-network-name LAN authoritative disable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.101 stop 192.168.1.254
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400

commit
save

#______________________MGMT & Additional Settings___________________________
configure

#Set GUI options
set gui http-port 80
set gui https-port 443
set gui older-ciphers enable

#Set IPSec offload to enable
set system offload ipsec enable

#Set VLAN offload to enable speeds faster than ~530Mbps up/down
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding enable
set system offload ipv4 vlan enable
set system offload ipv6 vlan enable

#Enable Deep Packet Inspection
set system traffic-analysis dpi enable
set system traffic-analysis export enable

#Set Router Hostname
set system host-name UBNT-Gateway

#Set Time Zone
delete system time-zone
set system time-zone America/Denver

#Set System Name Servers
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'

#Set outbound NAT Interface to Google VLAN
edit service nat rule 5000
set description "Masquerade for WAN"
set log disable
set outbound-interface eth1.2
set protocol all
set type masquerade
top

#Auto-create new firewall rules for new port forwards
set port-forward auto-firewall enable

#Allow LAN clients to hit external port forwards
set port-forward hairpin-nat enable

#Pre-set correct interfaces for port forwarding
set port-forward lan-interface eth0
set port-forward wan-interface eth1.2

#Set System DNS and Enable DNS forwarding and cacheing
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set service dns forwarding cache-size 1000
set service dns forwarding listen-on eth0
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server '2001:4860:4860::8888'
set service dns forwarding name-server '2001:4860:4860::8844'
set service dns forwarding system

#Enable UPnP
edit service upnp2
set listen-on eth0
set nat-pmp disable
set secure-mode disable
set wan eth1.2
top

commit
save
exit

Is "LAN1" in line 38 a typo? I believe it should be LAN.

I ran into the same problem as one of the commenters on your blog:

...
Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.1.0/24
Conflicting subnet ranges: 192.168.1.0/24 overlaps 192.168.1.0/24
Conflicting subnet ranges: 192.168.1.0/24 overlaps 192.168.1.0/24
DHCP server configuration commit aborted due to error(s).
Commit failed
...

I tried your suggestion of a hardware reset, but I still got the same error. Ultimately, I ended up loading your config file. This also required a hardware reset before it worked (and oddly both the load and commit commands from your instructions resulted in command not found in the ssh terminal window). This is on an ERLite-3/v1.7.0 .

This is a straightforward configuration for Google Fibre but with CeturyLink Fibre, it requires a few changes. Specifically, as we are required to perform PPPoE and also must run a smaller mss clamping value as 1460 results don't seem to work, 1452 is the highest value I have been able to set at this time. I am surprised you haven't made any more advanced changes to your firewall rules.I would add the drop invalid packets rule on your _in firewall and also add WAN_out (default Accept) wtih Reject Invalid rule. ... to prevent "NAT leaking. The rule could be Drop, but since it's coming from internal let's be nice and Reject instead.

For anyone having this issue, as I did (I tried 1.6, 1.7, and 1.8, ended up sticking with 1.8 with the following steps):

Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.1.0/24
Conflicting subnet ranges: 192.168.1.0/24 overlaps 192.168.1.0/24
Conflicting subnet ranges: 192.168.1.0/24 overlaps 192.168.1.0/24
DHCP server configuration commit aborted due to error(s).

putty into the router to access the console,
type sudo su
cd /config
rm -rf config.boot

Then,
sftp (using filezilla or something) into the router, navigate to the /config and upload the EdgeMax + Google Fiber config.boot,
rename it to config.boot and reboot the router.

back in console, type:
reboot

If you have the new google fiber jacks as I did, you'll need to power the jack with something like a micro usb phone charger. IT must be 5v DC / 2 Amps (I used a 5vDC / 2.1A). Plug the network cable from the jack in to eth1 and your wireless router (set in AP mode) to eth0. reboot and enjoy!