Configuring a Ubiquiti EdgeRouter to automatically update static route for KPN IPTV platform [updated]

This guide explains how to automatically update the static route for KPN IPTV platform

) Install script to automatically update static route (updated to work correctly with firmware 1.9.1)

sudo vbash -c 'cat > /config/scripts/tvroute.sh' << EOF
#!/bin/vbash
 
# configured static route target
CUR_IP=\$(cat /config/config.boot | grep 213.75.112.0/21 -A1 | grep next-hop | awk '{ print \$2}');
 
# static route target
NEW_IP=\$(cat /var/run/dhclient_eth0.4_lease | grep new_routers | awk -F= '{print \$2}' | tr -d \');
 
if [ "\$CUR_IP" = "\$NEW_IP" ]; then
   echo Addresses the same
   exit 1;
fi
 
source /opt/vyatta/etc/functions/script-template
 
configure
delete protocols static route 213.75.112.0/21 next-hop \$CUR_IP
set protocols static route 213.75.112.0/21 next-hop \$NEW_IP
commit
save
exit
 
restart igmp-proxy
EOF

 

) Make the script executable

sudo chmod +x /config/scripts/tvroute.sh

 

) Add the script to the task scheduler to automatically check/update the static route

configure
set system task-scheduler task updateIPTVroute executable path /config/scripts/tvroute.sh
set system task-scheduler task updateIPTVroute interval 5m
commit
save
exit

 

Now wait 5 minutes or run the script manually

Configuring a Ubiquiti EdgeRouter Lite for KPN

This guide explains how to configure your EdgeRouter Lite including routed IPTV, VOIP and IPv6

Configuration is based on the following connection scheme

  • eth0 = WAN (NTU)
  • eth1 = LAN/IPTV (Switch w/IGMP snooping)
  • eth2 = VOIP (Experia Box)

 

The EdgeRouter Lite is configured by default on eth0. Connect an Ethernet cable from the Ethernet port of your computer to the port labeled eth0 on the EdgeRouter Lite.

Configure the Ethernet adapter on your host system with a static IP address on the 192.168.1.x subnet (e.g., 192.168.1.100).

To Access the router’s command line interface. You can use the CLI button while inside the Web UI or by using an SSH program such as PuTTY. PuTTY is generally quicker.

Launch an SSH session to 192.168.1.1. Both username and password are ubnt.

) Setup interface eth1 and configure the DHCP/DNS server

configure

set interfaces ethernet eth1 address 192.168.2.254/24
set interfaces ethernet eth1 description "eth1 - LAN"
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto

set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 default-router 192.168.2.254
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.4.4
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50 stop 192.168.2.200

set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding options listen-address=192.168.2.254

commit
save
exit

 

Reconnect the Ethernet cable from the Ethernet port of your computer to the port labeled eth1 on the EdgeRouter Lite.
Connect an Ethernet cable from the NTU to the port labeled eth0 and connect an Ethernet cable from the WAN port of the ExperiaBox to the port labeled eth2.

Reconfigure the Ethernet adapter on your host system with DHCP.

Launch an SSH session to 192.168.2.254. Both username and password are ubnt.

) Configure firewall

configure

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN to Internal"
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state related enable

set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 state established disable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 20 state new disable
set firewall name WAN_IN rule 20 state related disable

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN to router"
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "Allow established/related"
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol all
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state invalid disable
set firewall name WAN_LOCAL rule 10 state new disable
set firewall name WAN_LOCAL rule 10 state related enable

set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol all
set firewall name WAN_LOCAL rule 20 state established disable
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 20 state new disable
set firewall name WAN_LOCAL rule 20 state related disable

commit
save
exit

 

) Generate the configuration line for user-id, used to set the pppoe authentication

sudo su
pppoe_id=$(ifconfig | grep -m 1 eth0 | awk '{print $5}' | awk -F':' '{print "set interfaces ethernet eth0 vif 6 pppoe 0 user-id "$1"-"$2"-"$3"-"$4"-"$5"-"$6"@internet"}')
echo "$pppoe_id"
exit

 

configure

delete interfaces ethernet eth0 address

set interfaces ethernet eth0 description "eth0 - FTTH"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 mtu 1512

set interfaces ethernet eth0 vif 6 description "eth0.6 - Internet"
set interfaces ethernet eth0 vif 6 mtu 1508

(YOUR SET LINE FOR USER-ID, received from previous step)
set interfaces ethernet eth0 vif 6 pppoe 0 password kpn
set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 6 pppoe 0 idle-timeout 180
set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1500

set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WAN_LOCAL

set system name-server 8.8.8.8
set system name-server 8.8.4.4

commit
save
exit

 

) Configure hardware offloading for the IPv4 connection

configure

set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable

commit
save
exit

 

) Configure NAT to allow the LAN to access the internet

configure

set service nat rule 5010 description "KPN Internet"
set service nat rule 5010 log enable
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 protocol all
set service nat rule 5010 source address 192.168.2.0/24
set service nat rule 5010 type masquerade

commit
save
exit

 

) Enable Traffic inspection (DPI)

configure

set system traffic-analysis dpi enable
set system traffic-analysis export enable

commit
save
exit

 

) Add the Debian APT repository (to install tools like nano/iptraf)

configure

set system package repository wheezy components "main contrib non-free"
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://mirror.leaseweb.com/debian
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org

commit
save
exit

sudo apt-get update

 

) Install packages with

sudo apt-get install package

 

) Configure a bridge between WAN and ExperiaBox for VOIP

configure

set interfaces bridge br0
set interfaces ethernet eth0 vif 7 bridge-group bridge br0
set interfaces ethernet eth0 vif 7 description "eth0.7 - VOIP"
set interfaces ethernet eth0 vif 7 mtu 1500

set interfaces ethernet eth2 description "eth2 - ExperiaBox"
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth2 vif 7 bridge-group bridge br0
set interfaces ethernet eth2 vif 7 description "eth2.7 - ExperiaBox VOIP"
set interfaces ethernet eth2 vif 7 mtu 1500

commit
save
exit

 

) Setup routed IPTV

configure

set interfaces ethernet eth0 vif 4 address dhcp
set interfaces ethernet eth0 vif 4 description "eth0.4 - IPTV"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update
set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 4 dhcp-options name-server update

commit
save
exit

 

) Modify our DHCP configuration to include IPTV parameters

configure

set service dhcp-server global-parameters "option vendor-class-identifier code 60 = string;"
set service dhcp-server global-parameters "option broadcast-address code 28 = ip-address;"

commit
save
exit

 

) NAT rules are required for the IPTV settop box to connect to the IPTV platform
) The following commands will return 2 configuration lines required.

sudo su
r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }');
iptv_static=$(echo "set protocols static route 213.75.112.0/21 next-hop $r_ip")
echo -e "$iptv_static"
exit

 

configure

set service nat rule 5000 description IPTV
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0.4
set service nat rule 5000 protocol all
set service nat rule 5000 destination address 213.75.112.0/21
set service nat rule 5000 type masquerade

(YOUR SET LINE FOR STATIC ROUTE, received from previous step)

commit
save
exit

 

> Setup the IGMP Proxy

configure

set protocols igmp-proxy interface eth0.4 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth0.4 role upstream
set protocols igmp-proxy interface eth0.4 threshold 1
set protocols igmp-proxy interface eth1 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth1 role downstream
set protocols igmp-proxy interface eth1 threshold 1

commit
save
exit

 

) Configure an IPv6 Firewall

configure

set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "WAN inbound traffic forwarded to LAN"
set firewall ipv6-name WANv6_IN enable-default-log

set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 state invalid enable

set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "WAN inbound traffic to the router"
set firewall ipv6-name WANv6_LOCAL enable-default-log

set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable 
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable

set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid state"

set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow IPv6 icmp"
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp

set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "allow dhcpv6"
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547

commit
save
exit

 

) Setup IPv6 on the pppoe interface and create a static route over the pppoe interface

configure

set interfaces ethernet eth0 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL

set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1

set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 prefix-length /48
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd rapid-commit disable

set protocols static interface-route6 ::/0 next-hop-interface pppoe0

commit
save
exit

 

) Setup router-advert and set ipv6 name server

configure

set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0
set interfaces ethernet eth1 ipv6 router-advert managed-flag false
set interfaces ethernet eth1 ipv6 router-advert max-interval 600
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8888
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8844
set interfaces ethernet eth1 ipv6 router-advert radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"

set interfaces ethernet eth1 ipv6 router-advert other-config-flag false
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth1 ipv6 router-advert send-advert true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 valid-lifetime 2592000

set system name-server 2001:4860:4860::8888
set system name-server 2001:4860:4860::8844

commit
save
exit

 

) Configure hardware offloading for the IPv6 connection

configure

set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable

commit
save
exit

 

) It is possible that after the IPv6 configuration, the default route is changed or the IGMP proxy stopped. Simple fix to get up and running with your new configuration.

reboot

 

You should have a working setup!

 

 

Here is the full configuration file (/config/config.boot). Before you load the full configuration on your edgerouter, make sure you replace the following
[MAC] – [ROUTER-IP] – [NAT-MASK]

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to Internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    options {
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        description "br0 - Telefonie"
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        description "eth0 - FTTH"
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "eth0.4 - IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
        }
        vif 6 {
            description "eth0.6 - Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit disable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password kpn
                user-id [MAC]@internet
            }
        }
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth0.7 - Telefonie"
            mtu 1500
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "eth1 - LAN"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2001:4860:4860::8888
                name-server 2001:4860:4860::8844
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
    }
    ethernet eth2 {
        description "eth2 - ExperiaBox"
        duplex auto
        speed auto
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth2.7 - ExperiaBox VOIP"
            mtu 1500
        }
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
        route 213.75.112.0/21 {
            next-hop [ROUTER-IP] {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.2.50 {
                    stop 192.168.2.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 8.8.8.8
            name-server 8.8.4.4
            options listen-address=192.168.2.254
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        rule 5010 {
            description "KPN Internet"
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://mirror.leaseweb.com/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ""
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}