This guide explains how to configure your EdgeRouter Lite, including routed IPTV, VOIP and IPv6.
The configuration is based on the following connection scheme:
- eth0 = WAN (NTU)
- eth1 = LAN/IPTV (Switch w/IGMP snooping)
- eth2 = VOIP (Experia Box)
The EdgeRouter Lite is configured by default on eth0. Connect an Ethernet cable from the Ethernet port of your computer to the port labeled eth0 on the EdgeRouter Lite.
Configure the Ethernet adapter on your host system with a static IP address on the 192.168.1.x subnet (e.g., 192.168.1.100).
To access the router’s command line interface, you can use the CLI button inside the Web UI or an SSH program such as PuTTY. PuTTY is generally quicker.
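Launch an SSH session to 192.168.1.1. Both username and password are ubnt. These are the factory defaults, so set a new password for this account (in configure mode: set system login user ubnt authentication plaintext-password NEW_PASSWORD) before the router is connected to the WAN.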
) Setup interface eth1 and configure the DHCP/DNS server
configure
set interfaces ethernet eth1 address 192.168.2.254/24
set interfaces ethernet eth1 description "eth1 - LAN"
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 default-router 192.168.2.254
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.4.4
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50 stop 192.168.2.200
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding options listen-address=192.168.2.254
commit
save
exit
Reconnect the Ethernet cable from the Ethernet port of your computer to the port labeled eth1 on the EdgeRouter Lite.
Connect an Ethernet cable from the NTU to the port labeled eth0 and connect an Ethernet cable from the WAN port of the ExperiaBox to the port labeled eth2.
Reconfigure the Ethernet adapter on your host system with DHCP.
Launch an SSH session to 192.168.2.254. Both username and password are ubnt.
) Configure firewall
configure
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN to Internal"
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 state established disable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 20 state new disable
set firewall name WAN_IN rule 20 state related disable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN to router"
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "Allow established/related"
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol all
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state invalid disable
set firewall name WAN_LOCAL rule 10 state new disable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol all
set firewall name WAN_LOCAL rule 20 state established disable
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 20 state new disable
set firewall name WAN_LOCAL rule 20 state related disable
commit
save
exit
) Generate the configuration line for user-id, used to set the pppoe authentication
sudo su
# Build the PPPoE user-id line from eth0's hardware address: take the fifth
# field of the first ifconfig line that mentions eth0, swap the colons for
# dashes and append "@internet".
pppoe_id=$(ifconfig | awk '/eth0/ {
  split($5, mac, ":")
  print "set interfaces ethernet eth0 vif 6 pppoe 0 user-id " mac[1] "-" mac[2] "-" mac[3] "-" mac[4] "-" mac[5] "-" mac[6] "@internet"
  exit
}')
# Print the generated line so it can be copied into the configure session.
echo "$pppoe_id"
exit
configure
delete interfaces ethernet eth0 address
set interfaces ethernet eth0 description "eth0 - FTTH"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 mtu 1512
set interfaces ethernet eth0 vif 6 description "eth0.6 - Internet"
set interfaces ethernet eth0 vif 6 mtu 1508
(YOUR SET LINE FOR USER-ID, received from previous step)
set interfaces ethernet eth0 vif 6 pppoe 0 password kpn
set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 6 pppoe 0 idle-timeout 180
set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1500
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WAN_LOCAL
set system name-server 8.8.8.8
set system name-server 8.8.4.4
commit
save
exit
) Configure hardware offloading for the IPv4 connection
configure
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
commit
save
exit
) Configure NAT to allow the LAN to access the internet
configure
set service nat rule 5010 description "KPN Internet"
set service nat rule 5010 log enable
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 protocol all
set service nat rule 5010 source address 192.168.2.0/24
set service nat rule 5010 type masquerade
commit
save
exit
) Enable Traffic inspection (DPI)
configure
set system traffic-analysis dpi enable
set system traffic-analysis export enable
commit
save
exit
) Add the Debian APT repository (to install tools like nano/iptraf)
configure
set system package repository wheezy components "main contrib non-free"
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://mirror.leaseweb.com/debian
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org
commit
save
exit
sudo apt-get update
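) Install packages with the command below. Install individual packages only; do not run apt-get upgrade, because it can replace the customised Debian packages that EdgeOS ships.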
sudo apt-get install package
) Configure a bridge between WAN and ExperiaBox for VOIP
configure
set interfaces bridge br0
set interfaces ethernet eth0 vif 7 bridge-group bridge br0
set interfaces ethernet eth0 vif 7 description "eth0.7 - VOIP"
set interfaces ethernet eth0 vif 7 mtu 1500
set interfaces ethernet eth2 description "eth2 - ExperiaBox"
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth2 vif 7 bridge-group bridge br0
set interfaces ethernet eth2 vif 7 description "eth2.7 - ExperiaBox VOIP"
set interfaces ethernet eth2 vif 7 mtu 1500
commit
save
exit
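) Set up routed IPTV. Note that this guide binds the WAN firewall rulesets only to the pppoe 0 interface; eth0.4 gets no ruleset, so the router's own services (SSH, web GUI) are reachable from the IPTV VLAN unless they are restricted elsewhere. If you attach a ruleset to eth0.4, it must still permit IGMP and the multicast streams, otherwise IPTV stops working.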
configure
set interfaces ethernet eth0 vif 4 address dhcp
set interfaces ethernet eth0 vif 4 description "eth0.4 - IPTV"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update
set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 4 dhcp-options name-server update
commit
save
exit
) Modify our DHCP configuration to include IPTV parameters
configure
set service dhcp-server global-parameters "option vendor-class-identifier code 60 = string;"
set service dhcp-server global-parameters "option broadcast-address code 28 = ip-address;"
commit
save
exit
) NAT rules are required for the IPTV settop box to connect to the IPTV platform
) The following commands will return 2 configuration lines required.
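sudo su
# Read the router (gateway) address from the DHCP client lease table; in this
# guide the only DHCP client is the IPTV VLAN interface eth0.4.
r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }')
# With no lease the lookup yields nothing. Stop here instead of printing a
# static route that has no next-hop.
if [ -z "$r_ip" ]; then
  echo "no DHCP lease with a router address found; check eth0.4" >&2
else
  # Print the static-route line so it can be copied into the configure session.
  printf 'set protocols static route 213.75.112.0/21 next-hop %s\n' "$r_ip"
fi
exit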
configure
set service nat rule 5000 description IPTV
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0.4
set service nat rule 5000 protocol all
set service nat rule 5000 destination address 213.75.112.0/21
set service nat rule 5000 type masquerade
(YOUR SET LINE FOR STATIC ROUTE, received from previous step)
commit
save
exit
) Set up the IGMP proxy
configure
set protocols igmp-proxy interface eth0.4 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth0.4 role upstream
set protocols igmp-proxy interface eth0.4 threshold 1
set protocols igmp-proxy interface eth1 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth1 role downstream
set protocols igmp-proxy interface eth1 threshold 1
commit
save
exit
) Configure an IPv6 Firewall
configure
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "WAN inbound traffic forwarded to LAN"
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "WAN inbound traffic to the router"
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow IPv6 icmp"
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "allow dhcpv6"
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
commit
save
exit
) Setup IPv6 on the pppoe interface and create a static route over the pppoe interface
configure
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 prefix-length /48
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd rapid-commit disable
set protocols static interface-route6 ::/0 next-hop-interface pppoe0
commit
save
exit
) Setup router-advert and set ipv6 name server
configure
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0
set interfaces ethernet eth1 ipv6 router-advert managed-flag false
set interfaces ethernet eth1 ipv6 router-advert max-interval 600
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8888
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8844
set interfaces ethernet eth1 ipv6 router-advert radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
set interfaces ethernet eth1 ipv6 router-advert other-config-flag false
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth1 ipv6 router-advert send-advert true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 valid-lifetime 2592000
set system name-server 2001:4860:4860::8888
set system name-server 2001:4860:4860::8844
commit
save
exit
) Configure hardware offloading for the IPv6 connection
configure
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
commit
save
exit
) It is possible that after the IPv6 configuration the default route has changed or the IGMP proxy has stopped. A reboot is a simple fix to get up and running with your new configuration.
reboot
You should have a working setup!
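Here is the full configuration file (/config/config.boot). Before you load the full configuration on your EdgeRouter, make sure you replace the following placeholders:
[MAC] – [ROUTER-IP] – [NAT-MASK]
The file also contains a system login block for the user ubnt with an encrypted-password hash. Loading it unchanged sets that account's password to whatever the hash encodes, so keep your own login section or set a new password right after loading.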
firewall {
all-ping enable
broadcast-ping disable
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to Internal"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
log enable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log enable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
options {
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
bridge br0 {
aging 300
bridged-conntrack disable
description "br0 - Telefonie"
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
ethernet eth0 {
description "eth0 - FTTH"
duplex auto
mtu 1512
speed auto
vif 4 {
address dhcp
description "eth0.4 - IPTV"
dhcp-options {
client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
default-route no-update
default-route-distance 210
name-server update
}
}
vif 6 {
description "eth0.6 - Internet"
mtu 1508
pppoe 0 {
default-route auto
dhcpv6-pd {
no-dns
pd 0 {
interface eth1 {
prefix-id :1
service slaac
}
prefix-length /48
}
rapid-commit disable
}
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
idle-timeout 180
ipv6 {
address {
autoconf
}
dup-addr-detect-transmits 1
enable {
}
}
mtu 1500
name-server auto
password kpn
user-id [MAC]@internet
}
}
vif 7 {
bridge-group {
bridge br0
}
description "eth0.7 - Telefonie"
mtu 1500
}
}
ethernet eth1 {
address 192.168.2.254/24
description "eth1 - LAN"
duplex auto
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 600
name-server 2001:4860:4860::8888
name-server 2001:4860:4860::8844
other-config-flag false
prefix ::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
reachable-time 0
retrans-timer 0
send-advert true
}
}
speed auto
}
ethernet eth2 {
description "eth2 - ExperiaBox"
duplex auto
speed auto
vif 7 {
bridge-group {
bridge br0
}
description "eth2.7 - ExperiaBox VOIP"
mtu 1500
}
}
loopback lo {
}
}
protocols {
igmp-proxy {
interface eth0.4 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
interface eth1 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
}
static {
interface-route6 ::/0 {
next-hop-interface pppoe0 {
}
}
route 213.75.112.0/21 {
next-hop [ROUTER-IP] {
}
}
}
}
service {
dhcp-server {
disabled false
global-parameters "option vendor-class-identifier code 60 = string;"
global-parameters "option broadcast-address code 28 = ip-address;"
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.2.0/24 {
default-router 192.168.2.254
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 192.168.2.50 {
stop 192.168.2.200
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 8.8.8.8
name-server 8.8.4.4
options listen-address=192.168.2.254
}
}
gui {
https-port 443
}
nat {
rule 5000 {
description IPTV
destination {
address 213.75.112.0/21
}
log disable
outbound-interface eth0.4
protocol all
source {
}
type masquerade
}
rule 5010 {
description "KPN Internet"
log enable
outbound-interface pppoe0
protocol all
source {
address 192.168.2.0/24
}
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
}
level admin
}
}
name-server 2001:4860:4860::8888
name-server 2001:4860:4860::8844
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
ipv4 {
forwarding enable
pppoe enable
vlan enable
}
ipv6 {
forwarding enable
pppoe enable
}
}
package {
repository wheezy {
components "main contrib non-free"
distribution wheezy
password ""
url http://mirror.leaseweb.com/debian
username ""
}
repository wheezy-security {
components main
distribution wheezy/updates
password ""
url http://security.debian.org
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}