Ubiquiti EdgeRouter Lite on “Telfort” fiber: VLAN config and VLAN masquerading rules

So, here is my EdgeRouter config, edited a little for security reasons.

I hope this may help you.

Cheers!

 

Short description:

I use fiber from my ISP “Telfort”, which uses VLAN 34 on eth1.34 (eth1 vif 34, getting its address via DHCP from the ISP, even though they always give me the same IP).
This is how my ISP works, so I have to live with that and set it up this way.

This means I do not use eth1 itself; it has no address configured, but it is not disabled.

I do not use IPv6.

I am not using interface eth2.

I have my home LAN on eth0 and my dirty wifi for IoT and guests on eth0.111 (VLAN 111).

To add the nat masquerading rules for a new interface, e.g. eth0.111, log in as admin on the CLI and type:

configure

and then add something like the following (rule 5010 is used here; it may be 5011 or any other number, as long as it is not a rule number you already have in use):

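# Pick a rule number that is not already in use (the config below already uses 5009 and 5010).
# 'type' is a single-valued leaf, so only the last 'set ... type' matters; masquerade is what we want here.
set service nat rule 5010 description "VLAN NAT for 192.168.111.0/24"
set service nat rule 5010 outbound-interface eth1.34
set service nat rule 5010 protocol all
set service nat rule 5010 source address 192.168.111.0/24
set service nat rule 5010 type masquerade
# Nothing takes effect until committed, and a commit does not survive a reboot unless saved.
commit
save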

Anyway, here is my config. You will want to change YOUR-ISP-GATEWAY to the IP address of the next hop at your ISP, usually called the gateway.

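firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Applied 'in' on eth0.111: keeps guest/IoT devices away from the home LAN while still letting them reach the Internet */
    name GUEST_IN {
        default-action accept
        description "Guest/IoT VLAN to other networks"
        /* Replies to connections opened from the home LAN towards IoT devices must still get back */
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Block guest VLAN from reaching the home LAN"
            destination {
                address 192.168.100.0/24
            }
        }
    }
    /* Applied 'in' on eth1.34: nothing from the Internet is forwarded inside unless it answers a connection opened from inside */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Applied 'local' on eth1.34: the router itself (SSH, GUI, DHCP client replies) only accepts established/related from the Internet */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path check is off; 'strict' would drop packets whose source address does not belong on the arriving interface — confirm before changing */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* Home LAN (untagged) */
    ethernet eth0 {
        address 192.168.100.254/24
        duplex auto
        speed auto
        /* Guest/IoT VLAN; no 'local' policy here, so the router's SSH and GUI remain reachable from this VLAN — confirm that is intended */
        vif 111 {
            address 192.168.111.254/24
            description "DIRTY WIFI"
            firewall {
                in {
                    name GUEST_IN
                }
            }
            mtu 1500
        }
    }
    /* Untagged eth1 carries no address and no firewall policy; all ISP traffic runs over vif 34 */
    ethernet eth1 {
        description "eth1 - not in use"
        duplex auto
        /* Presumably raised above the sub-interface MTU so eth1.34 can carry 1508-byte frames — verify with the ISP */
        mtu 1512
        speed auto
        /* ISP uplink: address via DHCP, firewall policies WAN_IN (forwarded) and WAN_LOCAL (to the router) */
        vif 34 {
            address dhcp
            description "eth1.34 - telfort"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1508
        }
    }
    ethernet eth2 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        /* Replace YOUR-ISP-GATEWAY with the ISP's next hop */
        route 0.0.0.0/0 {
            next-hop YOUR-ISP-GATEWAY {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name home.lan
                lease 86400
                start 192.168.100.150 {
                    stop 192.168.100.250
                }
            }
        }
        shared-network-name VLAN111 {
            authoritative disable
            subnet 192.168.111.0/24 {
                default-router 192.168.111.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name guest.wifi
                lease 86400
                start 192.168.111.150 {
                    stop 192.168.111.250
                }
            }
        }
    }
    /* Web GUI on 443; unreachable from the Internet because WAN_LOCAL drops new connections */
    gui {
        https-port 443
    }
    nat {
        /* Home LAN out to the Internet */
        rule 5009 {
            description "Telfort Internet masq LAN"
            /* Logs every new masqueraded connection; noisy once the rule is known to work */
            log enable
            outbound-interface eth1.34
            protocol all
            source {
                address 192.168.100.0/24
            }
            type masquerade
        }
        /* Guest/IoT VLAN out to the Internet */
        rule 5010 {
            description "Telfort Internet masq DIRTY"
            log enable
            outbound-interface eth1.34
            protocol all
            source {
                address 192.168.111.0/24
            }
            type masquerade
        }
    }
    /* SSH on 22; reachable from the LAN side, dropped from the Internet by WAN_LOCAL */
    ssh {
        port 22
        protocol-version v2
    }
    /* UPnP lets hosts on eth0 (home LAN only, not the guest VLAN) open inbound ports on eth1.34 automatically */
    upnp {
        listen-on eth0 {
            outbound-interface eth1.34
        }
    }
}
system {
    domain-name home.lan
    host-name gateway
    ipv6 {
        disable
    }
    login {
        user admin {
            /* Password hashes redacted for publication */
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Someone
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server nl.pool.ntp.org {
        }
    }
    options {
        reboot-on-panic true
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
}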