This guide explains how to configure your EdgeRouter Lite including routed IPTV, VOIP and IPv6
Configuration is based on the following connection scheme
- eth0 = WAN (NTU)
- eth1 = LAN/IPTV (Switch w/IGMP snooping)
- eth2 = VOIP (Experia Box)
The EdgeRouter Lite is configured by default on eth0. Connect an Ethernet cable from the Ethernet port of your computer to the port labeled eth0 on the EdgeRouter Lite.
Configure the Ethernet adapter on your host system with a static IP address on the 192.168.1.x subnet (e.g., 192.168.1.100).
To access the router’s command line interface, you can use the CLI button inside the Web UI or an SSH program such as PuTTY. PuTTY is generally quicker.
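Launch an SSH session to 192.168.1.1. Both username and password are ubnt. These are the factory defaults, so change the password (for example with `set system login user ubnt authentication plaintext-password <new-password>` in configure mode) before the router is connected to the WAN.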
) Setup interface eth1 and configure the DHCP/DNS server
# Give eth1 its LAN address, then bring up DHCP and DNS forwarding for 192.168.2.0/24.
configure

# LAN interface: the router becomes 192.168.2.254 on eth1.
set interfaces ethernet eth1 address 192.168.2.254/24
set interfaces ethernet eth1 description "eth1 - LAN"
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto

# DHCP server: leases 192.168.2.50-192.168.2.200 for 86400 seconds.
# Clients are handed 8.8.8.8 / 8.8.4.4 directly, not the router's own forwarder.
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 default-router 192.168.2.254
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 8.8.4.4
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.50 stop 192.168.2.200

# DNS forwarder: bound to the LAN side only (eth1 / 192.168.2.254), so it is
# not offered on the WAN-facing interfaces.
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding options listen-address=192.168.2.254

commit
save
exit
Reconnect the Ethernet cable from the Ethernet port of your computer to the port labeled eth1 on the EdgeRouter Lite.
Connect an Ethernet cable from the NTU to the port labeled eth0 and connect an Ethernet cable from the WAN port of the ExperiaBox to the port labeled eth2.
Reconfigure the Ethernet adapter on your host system with DHCP.
Launch an SSH session to 192.168.2.254. Both username and password are ubnt.
) Configure firewall
# Define the IPv4 rulesets WAN_IN (traffic forwarded to the LAN) and WAN_LOCAL
# (traffic addressed to the router). Both drop by default and only accept
# established/related state. They take effect only once bound to an interface,
# which a later step does for pppoe 0.
configure

# Global firewall options. source-validation disable turns off reverse-path
# source checking; source routing and accepted redirects are disabled.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

# WAN_IN: default drop, logged.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN to Internal"
set firewall name WAN_IN enable-default-log

# Rule 10 accepts established/related. Logging is enabled on this accept rule,
# which can produce heavy log volume because it matches normal return traffic.
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state invalid disable
set firewall name WAN_IN rule 10 state new disable
set firewall name WAN_IN rule 10 state related enable

# Rule 20 drops packets in invalid state.
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 state established disable
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 20 state new disable
set firewall name WAN_IN rule 20 state related disable

# WAN_LOCAL: same two rules as WAN_IN, with per-rule logging off. No rule
# accepts new connections, so SSH and the GUI are not reachable through an
# interface that has this ruleset bound as "local".
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN to router"
set firewall name WAN_LOCAL enable-default-log

set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "Allow established/related"
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol all
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state invalid disable
set firewall name WAN_LOCAL rule 10 state new disable
set firewall name WAN_LOCAL rule 10 state related enable

set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol all
set firewall name WAN_LOCAL rule 20 state established disable
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 20 state new disable
set firewall name WAN_LOCAL rule 20 state related disable

commit
save
exit
) Generate the configuration line for user-id, used to set the pppoe authentication
# Print the "set ... user-id" line for PPPoE: the fifth field of the first
# ifconfig line mentioning eth0 (the MAC address), with colons replaced by
# dashes and "@internet" appended.
# NOTE(review): reading the MAC presumably does not need a root shell; confirm
# and drop `sudo su` / `exit` if ifconfig works for the admin user.
sudo su
pppoe_id=$(ifconfig | grep -m 1 eth0 | awk '{ split($5, mac, ":"); print "set interfaces ethernet eth0 vif 6 pppoe 0 user-id " mac[1] "-" mac[2] "-" mac[3] "-" mac[4] "-" mac[5] "-" mac[6] "@internet" }')
echo "$pppoe_id"
exit
# Turn eth0 into the FTTH uplink: remove its address, create VLAN 6 and run
# PPPoE on it with the WAN_IN / WAN_LOCAL rulesets bound.
configure

# Physical port. MTUs step down 1512 -> 1508 -> 1500 so the VLAN tag (4 bytes)
# and the PPPoE header (8 bytes) still leave a full 1500-byte PPPoE payload.
delete interfaces ethernet eth0 address
set interfaces ethernet eth0 description "eth0 - FTTH"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 mtu 1512

# VLAN 6 carries the internet service.
set interfaces ethernet eth0 vif 6 description "eth0.6 - Internet"
set interfaces ethernet eth0 vif 6 mtu 1508

# Paste the user-id line printed by the previous step in place of the
# placeholder below.
(YOUR SET LINE FOR USER-ID, received from previous step)

# NOTE(review): the guide uses the literal password "kpn"; presumably the
# provider identifies the line by the user-id - confirm with your provider.
set interfaces ethernet eth0 vif 6 pppoe 0 password kpn
set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 6 pppoe 0 idle-timeout 180
set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1500

# Bind the rulesets from the firewall step. Without these two lines the PPPoE
# interface is unfiltered, so run the firewall step first and check the commit
# reports no error.
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WAN_LOCAL

# Resolvers used by the router itself.
set system name-server 8.8.8.8
set system name-server 8.8.4.4

commit
save
exit
) Configure hardware offloading for the IPv4 connection
# Enable hardware offload for IPv4 forwarding, PPPoE and VLAN handling.
configure

set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable

commit
save
exit
) Configure NAT to allow the LAN to access the internet
# Source NAT for the LAN: masquerade traffic from 192.168.2.0/24 leaving
# through pppoe0. Only this source subnet is translated; the rule has logging
# enabled.
configure

set service nat rule 5010 description "KPN Internet"
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 source address 192.168.2.0/24
set service nat rule 5010 protocol all
set service nat rule 5010 log enable

commit
save
exit
) Enable Traffic inspection (DPI)
# Turn on traffic analysis: both the dpi and the export settings are enabled.
configure

set system traffic-analysis dpi enable
set system traffic-analysis export enable

commit
save
exit
) Add the Debian APT repository (to install tools like nano/iptraf)
# Register the Debian wheezy and wheezy-security repositories, then refresh
# the package index.
# Both URLs are plain HTTP, so package integrity rests on apt's signature
# check of the repository metadata; do not bypass it (for example with
# --allow-unauthenticated).
# NOTE(review): Debian wheezy is end-of-life; confirm these repositories still
# serve it and treat anything installed from them as unpatched. Install single
# packages only - presumably a full upgrade would replace firmware-managed
# packages; verify with the vendor's guidance.
configure

set system package repository wheezy components "main contrib non-free"
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://mirror.leaseweb.com/debian

set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org

commit
save
exit

# Back in operational mode: fetch the package lists.
sudo apt-get update
) Install packages with
# "package" is a placeholder for the name of the package to install (the
# repository step mentions nano and iptraf as examples).
sudo apt-get install package
) Configure a bridge between WAN and ExperiaBox for VOIP
# Bridge VLAN 7 between the WAN port (eth0.7) and the ExperiaBox port (eth2.7)
# through br0. Neither bridged vif is given an address or a firewall ruleset
# in this step.
configure

set interfaces bridge br0

# WAN side of the bridge.
set interfaces ethernet eth0 vif 7 description "eth0.7 - VOIP"
set interfaces ethernet eth0 vif 7 mtu 1500
set interfaces ethernet eth0 vif 7 bridge-group bridge br0

# ExperiaBox side of the bridge.
set interfaces ethernet eth2 description "eth2 - ExperiaBox"
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth2 vif 7 description "eth2.7 - ExperiaBox VOIP"
set interfaces ethernet eth2 vif 7 mtu 1500
set interfaces ethernet eth2 vif 7 bridge-group bridge br0

commit
save
exit
) Setup routed IPTV
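# Create VLAN 4 for routed IPTV and obtain its address and routes over DHCP.
# NOTE(review): this guide binds no firewall ruleset to eth0.4, so services
# listening on the router (SSH on 22, the GUI on 443) are presumably reachable
# from the IPTV VLAN. WAN_IN / WAN_LOCAL as defined accept only
# established/related traffic and would likely block the multicast streams, so
# a dedicated ruleset for this vif needs to admit IGMP and the IPTV multicast
# traffic - verify before applying one.
configure

set interfaces ethernet eth0 vif 4 address dhcp
set interfaces ethernet eth0 vif 4 description "eth0.4 - IPTV"

# The vendor class string must reach the DHCP client with its inner quotes.
# Written as plain nested double quotes the inner pair is lost, so it is
# entered as &quot; here.
set interfaces ethernet eth0 vif 4 dhcp-options client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
set interfaces ethernet eth0 vif 4 dhcp-options client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"

# Keep the default route on PPPoE: the IPTV lease must not update it.
set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update
set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 4 dhcp-options name-server update

commit
save
exit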
) Modify our DHCP configuration to include IPTV parameters
# Declare DHCP options 60 (vendor-class-identifier, string) and 28
# (broadcast-address, ip-address) as global parameters of the LAN DHCP server.
configure

set service dhcp-server global-parameters "option vendor-class-identifier code 60 = string;"
set service dhcp-server global-parameters "option broadcast-address code 28 = ip-address;"

commit
save
exit
) NAT rules are required for the IPTV settop box to connect to the IPTV platform
) The following commands will return 2 configuration lines required.
# Print the static-route line for 213.75.112.0/21, using the third field of
# the "router" line in the DHCP client lease output as the next hop.
# NOTE(review): `show` is an operational-mode command; confirm it resolves
# inside the root shell opened by `sudo su`.
# The next-hop value is supplied by the upstream DHCP server: check that the
# printed line holds exactly one IPv4 address before pasting it into the
# configuration.
sudo su
r_ip=$(show dhcp client leases | awk '/router/ { print $3 }')
iptv_static="set protocols static route 213.75.112.0/21 next-hop $r_ip"
echo -e "$iptv_static"
exit
# Source NAT for IPTV: masquerade traffic to 213.75.112.0/21 leaving through
# eth0.4, and add the static route towards that network. The rule sets no
# source address, so it applies to any source heading to that destination.
configure

set service nat rule 5000 description IPTV
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0.4
set service nat rule 5000 destination address 213.75.112.0/21
set service nat rule 5000 protocol all
set service nat rule 5000 log disable

# Paste the static-route line printed by the previous step in place of the
# placeholder below.
(YOUR SET LINE FOR STATIC ROUTE, received from previous step)

commit
save
exit
> Setup the IGMP Proxy
# IGMP proxy: eth0.4 is the upstream interface, eth1 (LAN) the downstream one.
# alt-subnet 0.0.0.0/0 is set on both interfaces, i.e. no restriction on the
# subnet is configured here.
configure

# Upstream: IPTV VLAN.
set protocols igmp-proxy interface eth0.4 role upstream
set protocols igmp-proxy interface eth0.4 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth0.4 threshold 1

# Downstream: LAN.
set protocols igmp-proxy interface eth1 role downstream
set protocols igmp-proxy interface eth1 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth1 threshold 1

commit
save
exit
) Configure an IPv6 Firewall
# Define the IPv6 rulesets WANv6_IN (forwarded to the LAN) and WANv6_LOCAL
# (addressed to the router). Both drop by default with logging. With prefix
# delegation the LAN hosts get their own IPv6 addresses and no NAT sits in
# front of them, so WANv6_IN is what keeps unsolicited inbound traffic away
# from the LAN.
configure

# WANv6_IN: accept established/related, drop invalid, drop everything else.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "WAN inbound traffic forwarded to LAN"
set firewall ipv6-name WANv6_IN enable-default-log

set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable

set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 state invalid enable

# WANv6_LOCAL: same two rules, plus ICMPv6 and DHCPv6 towards the router.
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "WAN inbound traffic to the router"
set firewall ipv6-name WANv6_LOCAL enable-default-log

set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable

set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable

# Rule 30 accepts every ICMPv6 type addressed to the router.
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow IPv6 icmp"
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp

# Rule 40 accepts UDP from source port 547 to destination port 546 (DHCPv6
# replies to the router's client).
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "allow dhcpv6"
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546

commit
save
exit
) Setup IPv6 on the pppoe interface and create a static route over the pppoe interface
# Enable IPv6 on pppoe 0, request a delegated prefix for the LAN and route
# ::/0 over pppoe0.
configure

# Bind the IPv6 rulesets in the same commit that enables IPv6, so the
# interface is never up for IPv6 without them.
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL

# IPv6 on the PPPoE link itself.
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1

# DHCPv6 prefix delegation: request a /48 and give eth1 prefix-id :1 via SLAAC.
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 prefix-length /48
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac

# Default IPv6 route.
set protocols static interface-route6 ::/0 next-hop-interface pppoe0

commit
save
exit
) Setup router-advert and set ipv6 name server
# Send router advertisements on eth1 and add IPv6 resolvers, both for LAN
# clients (RDNSS) and for the router itself.
configure

set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1

# Router-advertisement parameters. managed-flag and other-config-flag are both
# false, so the advertisements point clients at SLAAC only.
set interfaces ethernet eth1 ipv6 router-advert send-advert true
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0
set interfaces ethernet eth1 ipv6 router-advert managed-flag false
set interfaces ethernet eth1 ipv6 router-advert other-config-flag false
set interfaces ethernet eth1 ipv6 router-advert max-interval 600
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0

# Resolvers announced to clients.
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8888
set interfaces ethernet eth1 ipv6 router-advert name-server 2001:4860:4860::8844
set interfaces ethernet eth1 ipv6 router-advert radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"

# Advertised prefix ::/64 with a valid lifetime of 2592000 seconds.
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64 valid-lifetime 2592000

# Resolvers used by the router itself.
set system name-server 2001:4860:4860::8888
set system name-server 2001:4860:4860::8844

commit
save
exit
) Configure hardware offloading for the IPv6 connection
# Enable hardware offload for IPv6 forwarding and PPPoE.
configure

set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable

commit
save
exit
) It is possible that after the IPv6 configuration the default route has changed or the IGMP proxy has stopped. A reboot is a simple fix to get up and running with your new configuration.
# Restart the router so the default route and the IGMP proxy come back up from
# the saved configuration (every step above ended with `save`).
reboot
You should have a working setup!
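Here is the full configuration file (/config/config.boot). Loading it also replaces the admin password with the encrypted-password hash published in this listing, so substitute the hash from your own router's configuration. Before you load the full configuration on your EdgeRouter, make sure you replace the following placeholders: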
[MAC] – [ROUTER-IP] – [NAT-MASK]
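/* Full configuration from this guide. Replace [MAC] and [ROUTER-IP], and the encrypted-password under system login, before loading. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to Internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    options {
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        description "br0 - Telefonie"
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        description "eth0 - FTTH"
        duplex auto
        mtu 1512
        speed auto
        /* No firewall ruleset is bound to this vif; only pppoe 0 below carries WAN_IN / WAN_LOCAL. */
        vif 4 {
            address dhcp
            description "eth0.4 - IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
        }
        vif 6 {
            description "eth0.6 - Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit disable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password kpn
                user-id [MAC]@internet
            }
        }
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth0.7 - Telefonie"
            mtu 1500
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "eth1 - LAN"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2001:4860:4860::8888
                name-server 2001:4860:4860::8844
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
    }
    ethernet eth2 {
        description "eth2 - ExperiaBox"
        duplex auto
        speed auto
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth2.7 - ExperiaBox VOIP"
            mtu 1500
        }
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
        route 213.75.112.0/21 {
            next-hop [ROUTER-IP] {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.2.50 {
                    stop 192.168.2.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 8.8.8.8
            name-server 8.8.4.4
            options listen-address=192.168.2.254
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        rule 5010 {
            description "KPN Internet"
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        /* The hash below is published with this guide. Replace it with the hash from your own router, or set a new password right after loading. */
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://mirror.leaseweb.com/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ""
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}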