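# EdgeOS v1.9 Google Fiber Config Script
# by Steve Jenkins (http://www.stevejenkins.com/)
# Last updated: Aug 14, 2016
# Based on settings & scripts by Atlantisman, TK, and CompTech
# RUN THIS SCRIPT AS ROOT ON YOUR EDGEROUTER
# Script runs best if you copy and paste in sections. Each section enters
# configure mode, commits, saves and exits, so it can be pasted on its own.
#______________________Basic Firewall Setup_______________________________
configure
# Basic stateful firewall for IPv4 and IPv6. The rulesets are defined here and
# bound to interfaces in the next section:
#   WAN_IN / WAN6_IN       - traffic forwarded from the WAN to the LAN
#   WAN_LOCAL / WAN6_LOCAL - traffic from the WAN addressed to the router
#   LAN_IN                 - traffic arriving from the LAN side
edit firewall
edit ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
# Rule 30 accepts every ICMPv6 type (no type filter). IPv6 depends on ICMPv6
# for neighbour discovery and path-MTU discovery, so do not drop it wholesale;
# narrow it to specific types only if you know what your hosts need.
set rule 30 action accept
set rule 30 description "Allow ICMPv6"
set rule 30 log disable
set rule 30 protocol icmpv6
up
edit ipv6-name WAN6_LOCAL
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "Allow ICMPv6"
set rule 30 log disable
set rule 30 protocol icmpv6
# DHCPv6 replies (server port 547 -> client port 546) must reach the router
# itself, otherwise the prefix delegation configured on eth1.2 never completes.
set rule 40 action accept
set rule 40 description "Allow DHCPv6"
set rule 40 destination port 546
set rule 40 protocol udp
set rule 40 source port 547
up
edit name LAN_IN
set default-action accept
set description "LAN to Internal"
# Deliberately no enable-default-log here: with default-action accept it would
# log every forwarded LAN packet and flood the system log. The one drop rule
# logs on its own instead, matching the WAN rulesets below.
set rule 10 action drop
set rule 10 description "drop invalid state"
set rule 10 log enable
set rule 10 state invalid enable
up
edit name WAN_IN
set default-action drop
set description "WAN to Internal"
# Log what hits the default drop; handy when a port forward is not working.
set enable-default-log
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 log disable
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 log enable
set rule 20 state invalid enable
up
edit name WAN_LOCAL
set default-action drop
set description "WAN to Router"
set enable-default-log
# Rule 10 accepts every ICMP type, not only echo-request; restrict it to the
# types you want the router to answer from the Internet if that is too broad.
set rule 10 action accept
set rule 10 description "Allow ICMP"
set rule 10 log disable
set rule 10 protocol icmp
set rule 20 action accept
set rule 20 description "Allow established/related"
set rule 20 log disable
set rule 20 state established enable
set rule 20 state related enable
set rule 30 action drop
set rule 30 description "Drop invalid state"
set rule 30 log enable
set rule 30 state invalid enable
up
# Enable MSS Clamping. 1460 = 1500-byte MTU minus 40 bytes of IP+TCP header;
# a PPPoE uplink has less headroom and needs a smaller value (e.g. 1452).
set options mss-clamp interface-type all
set options mss-clamp mss 1460
# Set Misc Firewall options
set all-ping enable
set broadcast-ping disable
set ipv6-receive-redirects disable
set ipv6-src-route disable
set ip-src-route disable
set log-martians enable
set receive-redirects disable
set send-redirects enable
# Reverse-path filtering (RFC 3704): drop packets whose source address is not
# routable back out the interface they arrived on. This blocks spoofed-source
# traffic from both the LAN and the WAN. 'strict' is safe with a single WAN;
# change to 'loose' if you later add a second uplink or asymmetric routing.
set source-validation strict
set syn-cookies enable
top
commit
save
exit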
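#____________________Internet Service Config_____________________
configure
# Setup WAN and VLAN Interfaces w/QoS. Google Fiber delivers service tagged on
# VLAN 2 of the jack port (egress CoS 3); the untagged parent has no address.
set interfaces ethernet eth1 description "Google Fiber Jack"
# Defence in depth: the untagged parent interface is up (and may hold an IPv6
# link-local address) but only the vif below had rulesets bound. Bind the same
# WAN rulesets here as well; a parent's firewall does not cover its vifs.
set interfaces ethernet eth1 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth1 firewall in name WAN_IN
set interfaces ethernet eth1 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth1 firewall local name WAN_LOCAL
set interfaces ethernet eth1 vif 2
set interfaces ethernet eth1 vif 2 description "Google Fiber WAN"
set interfaces ethernet eth1 vif 2 address dhcp
# Take the default route from DHCP but ignore the ISP-supplied resolvers;
# name servers are set explicitly in the next section.
set interfaces ethernet eth1 vif 2 dhcp-options default-route update
set interfaces ethernet eth1 vif 2 dhcp-options default-route-distance 210
set interfaces ethernet eth1 vif 2 dhcp-options name-server no-update
# IPv6: request a /56 via DHCPv6-PD and assign sub-prefix :0 of it to eth0,
# where the router advertises it to LAN hosts (service slaac).
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 interface eth0 prefix-id :0
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 interface eth0 service slaac
set interfaces ethernet eth1 vif 2 dhcpv6-pd pd 1 prefix-length /56
set interfaces ethernet eth1 vif 2 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth1 vif 2 egress-qos "0:3"
set interfaces ethernet eth1 vif 2 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth1 vif 2 firewall in name WAN_IN
set interfaces ethernet eth1 vif 2 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth1 vif 2 firewall local name WAN_LOCAL
#Setup LAN
set interfaces ethernet eth0 description "LAN"
set interfaces ethernet eth0 address 192.168.1.1/24
# NOTE(review): 'autoconf' makes eth0 accept router advertisements from the LAN
# side and configure itself from them, so any LAN host sending RAs can influence
# the router's own IPv6 settings. With the PD/slaac setup above the router is
# itself the RA source on eth0; confirm this line is needed and drop it if not.
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 firewall in name LAN_IN
#Setup Local Config Port (no DHCP is served here; use a static 192.168.0.x)
set interfaces ethernet eth2 description "Local Config Port"
set interfaces ethernet eth2 address 192.168.0.1/24
set interfaces ethernet eth2 firewall in name LAN_IN
#Setup Loopback
set interfaces loopback lo
#Setup DHCP on LAN
# If commit aborts with "Conflicting subnet ranges: 192.168.1.0/24 overlaps
# 192.168.1.0/24", a pool for that subnet most likely already exists under a
# different shared-network name (e.g. from the factory config). Remove it first:
#   delete service dhcp-server shared-network-name <old-name>
set service dhcp-server disabled false
set service dhcp-server hostfile-update enable
set service dhcp-server use-dnsmasq disable
set service dhcp-server shared-network-name LAN authoritative disable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.101 stop 192.168.1.254
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
# Clients resolve through the router's DNS forwarder (configured in the next
# section); point this elsewhere if you do not want the router in the DNS path.
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
commit
save
exit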
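#______________________MGMT & Additional Settings___________________________
configure
#Set GUI options
# The web GUI is reachable on these ports from the LAN and the config port
# only; WAN_LOCAL (default drop) is what keeps them off the Internet. Do not
# add a WAN_LOCAL accept rule for 80/443 - use a VPN for remote administration.
# NOTE(review): EdgeOS normally keeps these under 'service gui'; if 'set gui'
# is rejected, prefix the three lines with 'service '.
set gui http-port 80
set gui https-port 443
# Keep legacy (weak) TLS cipher suites off for the GUI. Enable only while an
# old browser that cannot negotiate modern ciphers needs access, then disable.
set gui older-ciphers disable
#Set IPSec offload to enable
set system offload ipsec enable
#Set VLAN offload to enable speeds faster than ~530Mbps up/down
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding enable
set system offload ipv4 vlan enable
set system offload ipv6 vlan enable
#Enable Deep Packet Inspection (traffic-analysis stats). Both options cost
# CPU on the router; turn them off if throughput matters more than the stats.
set system traffic-analysis dpi enable
set system traffic-analysis export enable
#Set Router Hostname
set system host-name UBNT-Gateway
#Set Time Zone
delete system time-zone
set system time-zone America/Denver
#Set System Name Servers. Used by the router itself and, through
# 'dns forwarding system' below, as the forwarder's upstreams. Queries go to
# Google over plain DNS; substitute your own resolvers here if you prefer.
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
#Set outbound NAT Interface to Google VLAN
edit service nat rule 5000
set description "Masquerade for WAN"
set log disable
set outbound-interface eth1.2
set protocol all
set type masquerade
top
#Auto-create new firewall rules for new port forwards
set port-forward auto-firewall enable
#Allow LAN clients to hit external port forwards
set port-forward hairpin-nat enable
#Pre-set correct interfaces for port forwarding
set port-forward lan-interface eth0
set port-forward wan-interface eth1.2
#Enable DNS forwarding and caching for LAN clients. Listening on eth0 only
# (not eth1.2) keeps the router from acting as an open resolver toward the WAN.
set service dns forwarding cache-size 1000
set service dns forwarding listen-on eth0
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server '2001:4860:4860::8888'
set service dns forwarding name-server '2001:4860:4860::8844'
set service dns forwarding system
#Enable UPnP for LAN clients. secure-mode limits each client to creating
# mappings that point at its own address, so one LAN host cannot expose another
# host's services through the NAT; keep it enabled. If nothing on the LAN needs
# UPnP, delete this node instead of leaving it on.
edit service upnp2
set listen-on eth0
set nat-pmp disable
set secure-mode enable
set wan eth1.2
top
commit
save
exit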
For anyone having this issue, as I did (I tried 1.6, 1.7, and 1.8, and ended up sticking with 1.8 with the following steps):
Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.1.0/24
Conflicting subnet ranges: 192.168.1.0/24 overlaps 192.168.1.0/24
Conflicting subnet ranges: 192.168.1.0/24 overlaps 192.168.1.0/24
DHCP server configuration commit aborted due to error(s).
SSH into the router (e.g. with PuTTY) to get a console, then type:
sudo su
cd /config
cp config.boot config.boot.bak   (keep a copy so you can roll back if the new config does not boot)
rm -rf config.boot
Then,
SFTP (using FileZilla or similar) into the router, navigate to /config and upload the EdgeMax + Google Fiber config.boot,
rename it to config.boot and reboot the router.
back in console, type:
reboot
If you have the new Google Fiber jacks as I did, you'll need to power the jack with something like a micro-USB phone charger. It must be 5 V DC / 2 A (I used a 5 V DC / 2.1 A one). Plug the network cable from the jack into eth1 and your wireless router (set to AP mode) into eth0. Reboot and enjoy!
This is a straightforward configuration for Google Fibre, but CenturyLink Fibre requires a few changes. Specifically, we are required to use PPPoE and must also run a smaller MSS clamping value, as 1460 doesn't seem to work; 1452 is the highest value I have been able to set so far. I am surprised you haven't made any more advanced changes to your firewall rules. I would add the drop-invalid-packets rule on your _IN firewall and also add a WAN_OUT ruleset (default accept) with a reject-invalid rule to prevent "NAT leaking". The rule could be Drop, but since the traffic is coming from inside, let's be nice and Reject instead.