Freedom Internet provides fibre optic (glasvezel) connections on various infrastructures, primarily the KPN network. This post provides instructions for implementing a Ubiquiti EdgeRouter in combination with this service for IPv4, IPv6 and IPTV.
These instructions skip multiple networks (WiFi, DMZ, etc.) and separating IPTV into a dedicated VLAN. That kind of setup is unique per environment, but this basic configuration can easily be changed to suit anyone.
The original data was captured from the freedom community site, but customized to personal requirements.
Step 1: Interface Mapping
Configure the EdgeRouter 4 with the basic configuration, changing the parameters to suit your environment. The following interface mapping was chosen:
- ETH0: INTERNAL (LAN)
- ETH2: RJ45 connection to the NTU box
- ETH3: SFP fibre connection (a direct connection is an option, but you must arrange optics and such)
If you wish to skip the NTU box and use your own fibre optics, you can order the appropriate optics from https://www.fs.com:
- 1000BASE-BX BiDi SFP 1310nm-TX/1550nm-RX 10km DOM LC/SC SMF Transceiver Module
- 3m LC UPC to SC UPC Simplex OS2 Single Mode PVC (OFNR) 2.0mm Fiber Optic Patch Cable
- SC/APC to SC/APC Simplex Single Mode Fiber Optic Adapter/Coupler
Step 2: Configure Basics
Configure the EdgeRouter 4 with the basic system settings (connection tracking, hardware offloading, NTP, LLDP, SSH bound to the internal interface only, and DNS), changing the parameters to suit your environment:
set system conntrack expect-table-size 4096
set system conntrack hash-size 32768
set system conntrack table-size 262144
set system conntrack modules rtsp enable
# Define hardware offloading options for Cavium/EdgeRouter 4
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system offload ipv4 bonding enable
set system offload ipv6 forwarding enable
set system offload ipv6 bonding enable
set system offload ipv6 pppoe enable
set system offload ipv6 vlan disable
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system time-zone Europe/Amsterdam
# Enable LLDP and advertise to internal ports so switches can see information
set service lldp interface eth0
set service lldp management-address 192.168.10.1
# Define SSH and bind it only to the internal port
set service ssh listen-address 192.168.10.1
set service ssh port 22
set service ssh protocol-version v2
set system traffic-analysis dpi enable
set system analytics-handler send-analytics-report false
set system config-management commit-revisions 20
# If you don't use your own DNS, define the provider DNS:
set service dns forwarding cache-size 1000
set service dns forwarding listen-on eth0
set system name-server 185.232.98.76
set system name-server 185.93.175.43
set system name-server 2a10:3780:2:52:185:93:175:43
set system name-server 2a10:3780:2:53:185:232:98:76
Step 3: Configure Interfaces
Configure the interfaces and define the correct internal IPs and account information:
# Internal LAN
set interfaces ethernet eth0 description INTERNAL-LAN
set interfaces ethernet eth0 address 192.168.10.1/24
# WAN: PPPoE on VLAN 6. The parent MTUs are raised so the PPPoE session itself keeps a full 1500-byte MTU
set interfaces ethernet eth3 mtu 1512
set interfaces ethernet eth3 description "FREEDOM-WAN"
set interfaces ethernet eth3 vif 6
set interfaces ethernet eth3 vif 6 mtu 1508
set interfaces ethernet eth3 vif 6 pppoe 0 default-route auto
set interfaces ethernet eth3 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth3 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth3 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth3 vif 6 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth3 vif 6 pppoe 0 mtu 1500
set interfaces ethernet eth3 vif 6 pppoe 0 name-server auto
set interfaces ethernet eth3 vif 6 pppoe 0 password 1234
set interfaces ethernet eth3 vif 6 pppoe 0 user-id fake@freedom.nl
# IPv6 on the same PPPoE session (the community source still said eth4 here; in this mapping the WAN port is eth3)
set interfaces ethernet eth3 vif 6 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth3 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth3 vif 6 pppoe 0 ipv6 enable
# IPTV: DHCP on VLAN 4; its default route must not replace the PPPoE default route
set interfaces ethernet eth3 vif 4 address dhcp
set interfaces ethernet eth3 vif 4 description "FREEDOM-IPTV"
set interfaces ethernet eth3 vif 4 dhcp-options client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
set interfaces ethernet eth3 vif 4 dhcp-options client-option 'send vendor-class-identifier "IPTV_RG";'
set interfaces ethernet eth3 vif 4 dhcp-options default-route no-update
set interfaces ethernet eth3 vif 4 dhcp-options default-route-distance 210
set interfaces ethernet eth3 vif 4 dhcp-options name-server update
# NAT: LAN to Internet via PPPoE, IPTV platform ranges via the IPTV VLAN (eth3.4, matching the IGMP proxy below)
set service nat rule 5100 description "IPv4 NAT to Internet"
set service nat rule 5100 log disable
set service nat rule 5100 outbound-interface pppoe0
set service nat rule 5100 protocol all
set service nat rule 5100 type masquerade
set service nat rule 5010 description "IPTV - 185.24.175.0/24"
set service nat rule 5010 destination address 185.24.175.0/24
set service nat rule 5010 log disable
set service nat rule 5010 outbound-interface eth3.4
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service nat rule 5011 description "IPTV - 185.41.48.0/24"
set service nat rule 5011 destination address 185.41.48.0/24
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface eth3.4
set service nat rule 5011 protocol all
set service nat rule 5011 type masquerade
set service nat rule 5012 description "IPTV - 10.10.0.97/32"
set service nat rule 5012 destination address 10.10.0.97/32
set service nat rule 5012 log disable
set service nat rule 5012 outbound-interface eth3.4
set service nat rule 5012 protocol all
set service nat rule 5012 type masquerade
# IGMP proxy: multicast from the IPTV VLAN (upstream) towards the LAN (downstream)
set protocols igmp-proxy interface eth3.4 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth3.4 role upstream
set protocols igmp-proxy interface eth3.4 threshold 1
set protocols igmp-proxy interface eth0 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth0 role downstream
set protocols igmp-proxy interface eth0 threshold 1
Step 4: Define Firewall
Configure the firewall definitions (descriptions use straight quotes; the curly quotes a word processor produces are not accepted by the CLI):
# =================================================================================
# DEFINE BOGONS
# =================================================================================
set firewall group network-group NETWORK-BOGON description NETWORK-BOGON
set firewall group network-group NETWORK-BOGON network 0.0.0.0/8
set firewall group network-group NETWORK-BOGON network 100.64.0.0/10
set firewall group network-group NETWORK-BOGON network 127.0.0.0/8
set firewall group network-group NETWORK-BOGON network 169.254.0.0/16
set firewall group network-group NETWORK-BOGON network 172.16.0.0/12
set firewall group network-group NETWORK-BOGON network 192.0.0.0/24
set firewall group network-group NETWORK-BOGON network 192.0.2.0/24
set firewall group network-group NETWORK-BOGON network 192.168.0.0/16
set firewall group network-group NETWORK-BOGON network 198.18.0.0/15
set firewall group network-group NETWORK-BOGON network 198.51.100.0/24
set firewall group network-group NETWORK-BOGON network 203.0.113.0/24
set firewall group network-group NETWORK-BOGON network 224.0.0.0/3
# =================================================================================
# WAN_LOCAL
# =================================================================================
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "packets Internet to router"
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "allow established session to the router"
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol all
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "drop invalid state"
set firewall name WAN_LOCAL rule 20 log enable
set firewall name WAN_LOCAL rule 20 protocol all
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action drop
set firewall name WAN_LOCAL rule 30 description "drop bogons"
set firewall name WAN_LOCAL rule 30 log enable
set firewall name WAN_LOCAL rule 30 protocol all
set firewall name WAN_LOCAL rule 30 source group network-group NETWORK-BOGON
set firewall name WAN_LOCAL rule 91 action drop
set firewall name WAN_LOCAL rule 91 description "Blacklisted protocols - TCP"
set firewall name WAN_LOCAL rule 91 log enable
set firewall name WAN_LOCAL rule 91 protocol tcp
set firewall name WAN_LOCAL rule 91 destination port 23,137,139,389,445
set firewall name WAN_LOCAL rule 92 action drop
set firewall name WAN_LOCAL rule 92 description "Blacklisted protocols - UDP"
set firewall name WAN_LOCAL rule 92 log enable
set firewall name WAN_LOCAL rule 92 protocol udp
set firewall name WAN_LOCAL rule 92 destination port 137,139,389,445
set firewall name WAN_LOCAL rule 100 action accept
set firewall name WAN_LOCAL rule 100 description "icmp to the router: echo-request"
set firewall name WAN_LOCAL rule 100 log disable
set firewall name WAN_LOCAL rule 100 protocol icmp
set firewall name WAN_LOCAL rule 100 icmp type-name echo-request
set firewall name WAN_LOCAL rule 100 limit rate 50/minute
set firewall name WAN_LOCAL rule 101 action accept
set firewall name WAN_LOCAL rule 101 description "icmp to the router: echo-reply"
set firewall name WAN_LOCAL rule 101 log disable
set firewall name WAN_LOCAL rule 101 protocol icmp
set firewall name WAN_LOCAL rule 101 icmp type-name echo-reply
set firewall name WAN_LOCAL rule 101 limit rate 50/minute
set firewall name WAN_LOCAL rule 102 action accept
set firewall name WAN_LOCAL rule 102 description "icmp to the router: host-unreachable"
set firewall name WAN_LOCAL rule 102 log disable
set firewall name WAN_LOCAL rule 102 protocol icmp
set firewall name WAN_LOCAL rule 102 icmp type-name host-unreachable
set firewall name WAN_LOCAL rule 102 limit rate 50/minute
set firewall name WAN_LOCAL rule 103 action accept
set firewall name WAN_LOCAL rule 103 description "icmp to the router: fragmentation-needed"
set firewall name WAN_LOCAL rule 103 log disable
set firewall name WAN_LOCAL rule 103 protocol icmp
set firewall name WAN_LOCAL rule 103 icmp type-name fragmentation-needed
set firewall name WAN_LOCAL rule 103 limit rate 50/minute
set firewall name WAN_LOCAL rule 104 action accept
set firewall name WAN_LOCAL rule 104 description "icmp to the router: time-exceeded"
set firewall name WAN_LOCAL rule 104 log disable
set firewall name WAN_LOCAL rule 104 protocol icmp
set firewall name WAN_LOCAL rule 104 icmp type-name time-exceeded
set firewall name WAN_LOCAL rule 104 limit rate 50/minute
# =================================================================================
# WAN_IN
# =================================================================================
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "packets Internet to router"
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "allow established session to the router"
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "drop invalid state"
set firewall name WAN_IN rule 20 log enable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action drop
set firewall name WAN_IN rule 30 description "drop bogons"
set firewall name WAN_IN rule 30 log enable
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 source group network-group NETWORK-BOGON
set firewall name WAN_IN rule 91 action drop
set firewall name WAN_IN rule 91 description "Blacklisted protocols - TCP"
set firewall name WAN_IN rule 91 log enable
set firewall name WAN_IN rule 91 protocol tcp
set firewall name WAN_IN rule 91 destination port 23,137,139,389,445
set firewall name WAN_IN rule 92 action drop
set firewall name WAN_IN rule 92 description "Blacklisted protocols - UDP"
set firewall name WAN_IN rule 92 log enable
set firewall name WAN_IN rule 92 protocol udp
set firewall name WAN_IN rule 92 destination port 137,139,389,445
set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 description "icmp to any: echo-request"
set firewall name WAN_IN rule 100 log disable
set firewall name WAN_IN rule 100 protocol icmp
set firewall name WAN_IN rule 100 icmp type-name echo-request
set firewall name WAN_IN rule 100 limit rate 50/minute
set firewall name WAN_IN rule 101 action accept
set firewall name WAN_IN rule 101 description "icmp to any: echo-reply"
set firewall name WAN_IN rule 101 log disable
set firewall name WAN_IN rule 101 protocol icmp
set firewall name WAN_IN rule 101 icmp type-name echo-reply
set firewall name WAN_IN rule 101 limit rate 50/minute
set firewall name WAN_IN rule 102 action accept
set firewall name WAN_IN rule 102 description "icmp to any: host-unreachable"
set firewall name WAN_IN rule 102 log disable
set firewall name WAN_IN rule 102 protocol icmp
set firewall name WAN_IN rule 102 icmp type-name host-unreachable
set firewall name WAN_IN rule 102 limit rate 50/minute
set firewall name WAN_IN rule 103 action accept
set firewall name WAN_IN rule 103 description "icmp to any: fragmentation-needed"
set firewall name WAN_IN rule 103 log disable
set firewall name WAN_IN rule 103 protocol icmp
set firewall name WAN_IN rule 103 icmp type-name fragmentation-needed
set firewall name WAN_IN rule 103 limit rate 50/minute
set firewall name WAN_IN rule 104 action accept
set firewall name WAN_IN rule 104 description "icmp to any: time-exceeded"
set firewall name WAN_IN rule 104 log disable
set firewall name WAN_IN rule 104 protocol icmp
set firewall name WAN_IN rule 104 icmp type-name time-exceeded
set firewall name WAN_IN rule 104 limit rate 50/minute
# =================================================================================
# WANv6_LOCAL
# =================================================================================
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "WAN inbound traffic to the router"
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description "allow established session to the router"
set firewall ipv6-name WANv6_LOCAL rule 10 log disable
set firewall ipv6-name WANv6_LOCAL rule 10 protocol all
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description "drop invalid state"
set firewall ipv6-name WANv6_LOCAL rule 20 log enable
set firewall ipv6-name WANv6_LOCAL rule 20 protocol all
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description "Allow IPv6 icmp"
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 limit rate 100/minute
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "Allow DHCPv6"
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
# =================================================================================
# WANv6_IN
# =================================================================================
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "WAN inbound traffic forwarded to LAN"
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description "Allow established/related sessions"
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description "Drop invalid state"
set firewall ipv6-name WANv6_IN rule 20 protocol all
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
Step 5: Attach Firewall to Interfaces
Attach the firewall rulesets to the PPPoE interface (these lines also appear in Step 3; they are repeated here so the attachment step is explicit):
set interfaces ethernet eth3 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth3 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth3 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth3 vif 6 pppoe 0 firewall local name WAN_LOCAL
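Because the configuration is pasted in several steps, it is easy to end up with a ruleset attached to an interface that is never defined, or with an interface name that only exists in one place (the community-sourced version of Step 3 mixed eth3 and eth4 in exactly that way, which silently leaves the WAN without IPv6 and IPTV without NAT). The Python script below is an added example, not code from the original post, from Freedom or from Ubiquiti: it parses the flat `set ...` command style used throughout this post into a tree and reports dangling references. The `SAMPLE` config inside it is constructed and deliberately contains such mistakes; the interface names, ruleset names and checks are assumptions that match the configuration above.

```python
"""Lint an EdgeOS-style 'set ...' configuration for dangling references.

Added example (not part of the original post or of EdgeOS). It parses the flat
'set k1 k2 ... value' command style into nested dicts, then checks that every
firewall ruleset attached to an interface exists, that NAT and IGMP-proxy
interfaces exist, and that a PPPoE unit hangs off exactly one parent VLAN.
"""
import shlex


def parse_set_commands(text):
    """Turn lines of the form 'set a b c ... value' into nested dicts (leaves are empty dicts)."""
    tree = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # skip blank lines, comments and non-set commands
        # shlex keeps quoted values (e.g. the dhcp client-option string) as one word
        node = tree
        for word in shlex.split(line[4:]):
            node = node.setdefault(word, {})
    return tree


def walk_interfaces(tree):
    """Yield (interface name, subtree) for ethernet ports, their VLAN vifs and PPPoE units."""
    for eth, body in tree.get("interfaces", {}).get("ethernet", {}).items():
        yield eth, body
        for vid, vbody in body.get("vif", {}).items():
            yield f"{eth}.{vid}", vbody
            for unit, pbody in vbody.get("pppoe", {}).items():
                yield f"pppoe{unit}", pbody


def lint(tree):
    """Return a list of human-readable problems found in the parsed config."""
    problems = []
    defined = {name for name, _ in walk_interfaces(tree)}
    rulesets = {
        "name": set(tree.get("firewall", {}).get("name", {})),
        "ipv6-name": set(tree.get("firewall", {}).get("ipv6-name", {})),
    }

    # 1. Every 'firewall in|local|out name|ipv6-name X' attachment must point at a defined ruleset.
    for iface, body in walk_interfaces(tree):
        for direction, dbody in body.get("firewall", {}).items():
            for kind, names in dbody.items():
                for ruleset in names:
                    if ruleset not in rulesets.get(kind, set()):
                        problems.append(f"{iface}: firewall {direction} {kind} {ruleset} is not defined")

    # 2. NAT rules must masquerade out of an interface that exists.
    for rule, rbody in tree.get("service", {}).get("nat", {}).get("rule", {}).items():
        for oif in rbody.get("outbound-interface", {}):
            if oif not in defined:
                problems.append(f"nat rule {rule}: outbound-interface {oif} does not exist")

    # 3. IGMP proxy (IPTV multicast) interfaces must exist.
    for iface in tree.get("protocols", {}).get("igmp-proxy", {}).get("interface", {}):
        if iface not in defined:
            problems.append(f"igmp-proxy: interface {iface} does not exist")

    # 4. pppoe0 is one device; configuring it under two parent VLANs is a copy-paste error.
    parents = {}
    for iface, body in walk_interfaces(tree):
        for unit in body.get("pppoe", {}):
            parents.setdefault(f"pppoe{unit}", []).append(iface)
    for unit, owners in parents.items():
        if len(owners) > 1:
            problems.append(f"{unit}: configured under several parents: {', '.join(sorted(owners))}")
    return problems


def lint_text(text):
    """Convenience wrapper: parse and lint in one call."""
    return lint(parse_set_commands(text))


# Constructed sample: eth3 is the WAN port, but one IPv6 line and one NAT rule still say eth4,
# and the IPv6 ruleset WANv6_IN is attached but never defined.
SAMPLE = """
set interfaces ethernet eth0 address 192.168.10.1/24
set interfaces ethernet eth3 vif 6 pppoe 0 user-id fake@freedom.nl
set interfaces ethernet eth3 vif 6 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth3 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth3 vif 6 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth4 vif 6 pppoe 0 ipv6 enable
set interfaces ethernet eth3 vif 4 address dhcp
set interfaces ethernet eth3 vif 4 dhcp-options client-option 'send vendor-class-identifier "IPTV_RG";'
set service nat rule 5100 outbound-interface pppoe0
set service nat rule 5010 outbound-interface eth4.4
set protocols igmp-proxy interface eth3.4 role upstream
set protocols igmp-proxy interface eth0 role downstream
set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action drop
"""

if __name__ == "__main__":
    for problem in lint_text(SAMPLE):
        print(problem)
```

Run it against the output of `show configuration commands` (copied from the router to a file and passed to `lint_text`) before committing a large paste; a ruleset referenced but not defined is rejected at commit time, but a NAT or IGMP rule pointing at the wrong VLAN commits fine and only shows up as IPTV that never starts.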
Step 6: Blacklisting
It is also possible to blacklist specific countries or malicious IPs. You can use a script like https://github.com/amarcu5/EdgeOS-Blacklist to ban specific malicious sources. In addition you can add IP ranges published at https://www.ipdeny.com, e.g. https://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone. Following the instructions, you can edit /config/scripts/post-config.d/update-blacklist.sh and define the various lists:
BLACKLIST=(
  "https://www.spamhaus.org/drop/drop.txt"
  "https://www.spamhaus.org/drop/edrop.txt"
  "https://www.spamhaus.org/drop/dropv6.txt"
  "https://www.ipdeny.com/ipblocks/data/aggregated/af-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/af-aggregated.zone"
  "https://www.ipdeny.com/ipblocks/data/aggregated/dz-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/dz-aggregated.zone"
  "https://www.ipdeny.com/ipblocks/data/aggregated/by-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/by-aggregated.zone"
  "https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone"
  "https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/ru-aggregated.zone"
  "https://www.ipdeny.com/ipblocks/data/aggregated/sy-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/sy-aggregated.zone"
  "https://www.ipdeny.com/ipblocks/data/aggregated/ua-aggregated.zone"
  "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/ua-aggregated.zone"
  # etc. - add further lists as required
)
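Country zones are blunt instruments: a single aggregated prefix can cover an address the router itself depends on, and a malformed line in a downloaded list should never turn into a firewall rule. The Python script below is an added example, not code from the original post or from the EdgeOS-Blacklist project: it parses the two list formats named above (Spamhaus DROP, `CIDR ; comment` per line, and ipdeny `.zone` files, one CIDR per line), merges overlapping prefixes, and reports any entry that would cover an address you must keep reaching. The list contents are constructed (documentation prefixes, plus one entry chosen to trigger the warning); the protected addresses are the resolver, IPTV and LAN values from the configuration above, and treating them as "must allow" is this example's assumption.

```python
"""Sanity-check downloaded block lists before they become firewall rules.

Added example, not part of the original post or of the EdgeOS-Blacklist project.
Parses Spamhaus DROP ('CIDR ; comment') and ipdeny .zone (one CIDR per line) text,
merges overlapping prefixes and flags entries that cover addresses we rely on.
"""
import ipaddress


def parse_blocklist(text):
    """Return the valid networks in a DROP- or .zone-style text, ignoring comments and junk."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # DROP lists put comments after ';'
        if not entry or entry.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # a malformed line must not become a bogus rule
    return nets


def collapse(nets):
    """Merge adjacent and overlapping prefixes per address family (ipset will not do this for you)."""
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6)


def find_conflicts(nets, must_allow):
    """Return (blocked network, protected network) pairs where a list entry covers something we rely on."""
    return [(n, a) for n in nets for a in must_allow
            if n.version == a.version and n.overlaps(a)]


def check_lists(list_texts, must_allow):
    """Parse, merge and check several downloaded lists; returns a small report dict."""
    nets = collapse([n for text in list_texts for n in parse_blocklist(text)])
    return {"networks": nets, "conflicts": find_conflicts(nets, must_allow)}


# Assumption for this example: the provider resolvers and IPTV ranges from the configuration
# above, plus the LAN, must never be blocked. Extend with your DMZ /29 and anything else you need.
MUST_ALLOW = [ipaddress.ip_network(a) for a in (
    "185.232.98.76/32", "185.93.175.43/32",
    "2a10:3780:2:52:185:93:175:43/128", "2a10:3780:2:53:185:232:98:76/128",
    "185.24.175.0/24", "185.41.48.0/24", "192.168.10.0/24",
)]

# Constructed sample lists. 185.93.175.0/24 is included only to trigger the conflict check.
DROP_SAMPLE = """; Spamhaus DROP List - constructed sample
; https://www.spamhaus.org/drop/drop.txt
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
198.51.100.128/25 ; SBL000003
"""
ZONE_SAMPLE = """203.0.113.0/24
185.93.175.0/24
not-a-network
2001:db8::/32
"""

if __name__ == "__main__":
    report = check_lists([DROP_SAMPLE, ZONE_SAMPLE], MUST_ALLOW)
    print(f"{len(report['networks'])} prefixes after merging")
    for net, protected in report["conflicts"]:
        print(f"WARNING: {net} would also block {protected}")
```

On the sample input the two /25 entries merge into 198.51.100.0/24, the junk line is dropped, and the script warns that 185.93.175.0/24 would cover one of the configured resolvers. Run the same check over the real downloads on a workstation before the post-config script loads them into ipset.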
Step 7: IPv4 Additional Subnet
Freedom also offers an additional IPv4 /29 subnet for hosting other services. This is fairly easy to configure: create an additional VLAN, which gets the first IP address of the allocated subnet (the gateway).
set interfaces ethernet eth2 vif 31 description DMZ
set interfaces ethernet eth2 vif 31 address 3.136.53.145/29
As before, define DMZ_IN and DMZ_LOCAL firewall rulesets and attach them to the VLAN; these can be fairly simple, e.g. only allow ICMP.
set interfaces ethernet eth2 vif 31 firewall in name DMZ_IN
set interfaces ethernet eth2 vif 31 firewall local name DMZ_LOCAL
If you want to expose services in your DMZ, e.g. SMTP, create additional rules in the inbound ruleset of the PPPoE interface, for example:
# The address-group and port-group referenced here must be defined first (set firewall group ...)
set firewall name WAN_IN rule 300 action accept
set firewall name WAN_IN rule 300 description SMTP
set firewall name WAN_IN rule 300 destination group address-group DMZ-SMTP-SERVERS
set firewall name WAN_IN rule 300 destination group port-group SMTP-SERVERS
set firewall name WAN_IN rule 300 log disable
set firewall name WAN_IN rule 300 protocol tcp
Don't forget to restart your PPP connection for this to work; Freedom seems to require a reset of the connection before the additional subnet is routed to you.