So, here is my EdgeRouter config, edited a little for security reasons.
I hope this may help you.
Cheers!
Short description:
I use glass fiber from my ISP “Telfort” which uses VLAN 34 on eth1.34 (eth1 vif 34, using dhcp from the ISP, even though they always give me the same IP).
This is how my ISP works, so I have to live with that and set it up this way.
This means I do not use eth1 itself, which has been set to nothing, but is not disabled.
I do not use IPv6.
I am not using interface eth2.
I have my home lan on eth0 and my dirty wifi for IoT and guests on eth0.111 (VLAN111)
To add the nat masquerading rules for a new interface, e.g. eth0.111, log in as admin on the CLI and type:
configure
and then add something like (rule 5010, may be 5011, or something, at least not a rule number that you have already in use.)
set service nat rule 5010 description "VLAN NAT for 192.168.111.0/24" set service nat rule 5010 outbound-interface eth1.34 set service nat rule 5010 type source set service nat rule 5010 protocol all set service nat rule 5010 source address 192.168.111.0/24 set service nat rule 5010 type masquerade
Anyway, here is my config. you may want to change YOUR-ISP-GATEWAY to the ip-address of the next hop, usually known as gateway, of your ISP.
firewall {
all-ping enable
broadcast-ping disable
conntrack-expect-table-size 4096
conntrack-hash-size 4096
conntrack-table-size 32768
conntrack-tcp-loose enable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.100.254/24
duplex auto
speed auto
vif 111 {
address 192.168.111.254/24
description "DIRTY WIFI"
mtu 1500
}
}
ethernet eth1 {
description "eth1 - not in use"
duplex auto
mtu 1512
speed auto
vif 34 {
address dhcp
description "eth1.34 - telfort"
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1508
}
}
ethernet eth2 {
disable
duplex auto
speed auto
}
loopback lo {
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop YOUR-ISP-GATEWAY {
}
}
}
}
service {
dhcp-server {
disabled false
shared-network-name LAN {
authoritative disable
subnet 192.168.100.0/24 {
default-router 192.168.100.254
dns-server 8.8.8.8
dns-server 8.8.4.4
domain-name home.lan
lease 86400
start 192.168.100.150 {
stop 192.168.100.250
}
}
}
shared-network-name VLAN111 {
authoritative disable
subnet 192.168.111.0/24 {
default-router 192.168.111.254
dns-server 8.8.8.8
dns-server 8.8.4.4
domain-name guest.wifi
lease 86400
start 192.168.111.150 {
stop 192.168.111.250
}
}
}
}
gui {
https-port 443
}
nat {
rule 5009 {
description "Telfort Internet masq LAN"
log enable
outbound-interface eth1.34
protocol all
source {
address 192.168.100.0/24
}
type masquerade
}
rule 5010 {
description "Telfort Internet masq DIRTY"
log enable
outbound-interface eth1.34
protocol all
source {
address 192.168.111.0/24
}
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
upnp {
listen-on eth0 {
outbound-interface eth1.34
}
}
}
system {
domain-name home.lan
host-name gateway
ipv6 {
disable
}
login {
user admin {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name Someone
level admin
}
}
name-server 208.67.222.222
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server nl.pool.ntp.org {
}
}
options {
reboot-on-panic true
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/Amsterdam
}