Router:Ubiquiti EdgeRouter Lite
The Ubiquiti EdgeRouter Lite can be used as a router (with a suitable modem) with A&A's services.
This configuration was tested with a UBNT EdgeRouter Lite running v1.9.1 firmware, and a BT ECI FTTC modem.
You'll need
- an ADSL or FTTC modem, or a fibre ONT (for FTTP). A&A's supplied modems & routers can be configured into a bridge mode for this.
Assumptions
- eth0 is plugged directly into the modem or ONT
- eth1 will be used for your LAN
- You're using a Home::1 or similar service with one IPv4 address for WAN.
- Your internal LAN IPv4 range is 192.168.0.0/24, of which you'll use 100 -> 149 for DHCP.
- A&A have allocated you 2001:8b0:db8::/48 and your internal LAN IPv6 range is 2001:8b0:db8:1234::/64. You'll need to change these values in the configuration to match your actual setup.
- You have some familiarity with the EdgeRouter Lite and EdgeOS.
Configuration
Don't just blindly copy & paste this whole configuration!
Pay attention to the comments (lines starting with #) - they give a basic overview of what each section does.
You'll need to change the IPv6 addresses in this configuration to match the ones shown for you on the control pages, and add your username and password.
Depending on the modem you are using, you may also need to make the changes listed in the comments for a lower MTU.
# Network interface configuration # eth0 - the WAN interface # You'll need to reduce the MTU to 1500 if you don't have a modem that allows you to use baby jumbos set interfaces ethernet eth0 description 'Ethernet interface for PPPoE' set interfaces ethernet eth0 duplex auto set interfaces ethernet eth0 mtu 1508 set interfaces ethernet eth0 speed auto # eth1 - the LAN interface set interfaces ethernet eth1 description 'Local LAN interface' set interfaces ethernet eth1 address 192.168.0.1/24 set interfaces ethernet eth1 address '2001:8b0:db8:1234::1/64' set interfaces ethernet eth1 duplex auto set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1 set interfaces ethernet eth1 speed auto # IPv6 SLAAC configuration - this will hand out IP addresses to your local LAN set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64 set interfaces ethernet eth1 ipv6 router-advert link-mtu 0 set interfaces ethernet eth1 ipv6 router-advert managed-flag false set interfaces ethernet eth1 ipv6 router-advert max-interval 600 set interfaces ethernet eth1 ipv6 router-advert name-server '2001:8b0:db8:1234::1' set interfaces ethernet eth1 ipv6 router-advert other-config-flag false set interfaces ethernet eth1 ipv6 router-advert prefix '2001:8b0:db8:1234::/64' autonomous-flag true set interfaces ethernet eth1 ipv6 router-advert prefix '2001:8b0:db8:1234::/64' on-link-flag true set interfaces ethernet eth1 ipv6 router-advert prefix '2001:8b0:db8:1234::/64' valid-lifetime 2592000 set interfaces ethernet eth1 ipv6 router-advert reachable-time 0 set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0 set interfaces ethernet eth1 ipv6 router-advert send-advert true # eth2 is unused! set interfaces ethernet eth2 duplex auto set interfaces ethernet eth2 speed auto set interfaces loopback lo # PPPoE configuration - this is your connection to A&A # You'll need to reduce the MTU to 1492 if you don't have a modem that allows you to use baby jumbos # You'll also need to add your connection username & password on the user-id and password lines set interfaces ethernet eth0 pppoe 0 default-route force set interfaces ethernet eth0 pppoe 0 ipv6 dup-addr-detect-transmits 1 set interfaces ethernet eth0 pppoe 0 ipv6 enable set interfaces ethernet eth0 pppoe 0 mtu 1500 set interfaces ethernet eth0 pppoe 0 name-server auto set interfaces ethernet eth0 pppoe 0 password 'your password here' set interfaces ethernet eth0 pppoe 0 user-id 'your username here' # Add a default route for IPv6 traffic (this lets you access the internet over IPv6!) set protocols static interface-route6 '::/0' next-hop-interface pppoe0 # A few basic firewall settings set firewall all-ping enable set firewall broadcast-ping disable set firewall ipv6-receive-redirects disable set firewall ipv6-src-route disable set firewall ip-src-route disable set firewall log-martians enable set firewall receive-redirects disable set firewall send-redirects enable set firewall source-validation disable set firewall syn-cookies enable # Add some firewall groups that'll be useful for creating firewall rules set firewall group ipv6-network-group LAN-v6 ipv6-network '2001:8b0:db8:1234::/64' set firewall group network-group LAN-v4 network 192.168.0.0/24 # internet_in-v6 is for traffic from the internet to the local LAN set firewall ipv6-name internet_in-v6 default-action reject set firewall ipv6-name internet_in-v6 rule 1 description 'Allow incoming ICMP' set firewall ipv6-name internet_in-v6 rule 1 action accept set firewall ipv6-name internet_in-v6 rule 1 protocol icmp set firewall ipv6-name internet_in-v6 rule 9999 description 'Allow return traffic for established and related connections' set firewall ipv6-name internet_in-v6 rule 9999 action accept set firewall ipv6-name internet_in-v6 rule 9999 state established enable set firewall ipv6-name internet_in-v6 rule 9999 state related enable # local-v6 is for traffic from all sources to the router itself set firewall ipv6-name local-v6 default-action reject set firewall ipv6-name local-v6 rule 1 description 'Allow incoming ICMP' set firewall ipv6-name local-v6 rule 1 action accept set firewall ipv6-name local-v6 rule 1 protocol ipv6-icmp set firewall ipv6-name local-v6 rule 2 description 'Allow connections from the LAN' set firewall ipv6-name local-v6 rule 2 action accept set firewall ipv6-name local-v6 rule 2 source group ipv6-network-group LAN-v6 set firewall ipv6-name local-v6 rule 9999 description 'Allow return traffic for established and related connections' set firewall ipv6-name local-v6 rule 9999 action accept set firewall ipv6-name local-v6 rule 9999 state established enable set firewall ipv6-name local-v6 rule 9999 state related enable # internet_in-v4 is for traffic from the internet to the local LAN set firewall name internet_in-v4 default-action reject set firewall name internet_in-v4 rule 1 description 'Allow incoming ICMP' set firewall name internet_in-v4 rule 1 action accept set firewall name internet_in-v4 rule 1 protocol icmp set firewall name internet_in-v4 rule 9999 description 'Allow return traffic for established and related connections' set firewall name internet_in-v4 rule 9999 action accept set firewall name internet_in-v4 rule 9999 state established enable set firewall name internet_in-v4 rule 9999 state related enable # local-v4 is for traffic from all sources to the router itself set firewall name local-v4 default-action reject set firewall name local-v4 rule 1 description 'Allow incoming ICMP' set firewall name local-v4 rule 1 action accept set firewall name local-v4 rule 1 protocol icmp set firewall name local-v4 rule 2 description 'Allow connections from the LAN' set firewall name local-v4 rule 2 action accept set firewall name local-v4 rule 2 source group network-group LAN-v4 set firewall name local-v4 rule 9999 description 'Allow return traffic for established and related connections' set firewall name local-v4 rule 9999 action accept set firewall name local-v4 rule 9999 state established enable set firewall name local-v4 rule 9999 state related enable # Optionally clamp the TCP MSS size to cope with smaller MTUs # These lines are commented out by default, but you'll need to use them if your modem doesn't support baby jumbos # set firewall options mss-clamp interface-type pppoe # set firewall options mss-clamp mss 1452 # Assign firewall rule sets to network interfaces set interfaces ethernet eth1 firewall local ipv6-name local-v6 set interfaces ethernet eth1 firewall local name local-v4 set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name internet_in-v6 set interfaces ethernet eth0 pppoe 0 firewall in name internet_in-v4 set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name local-v6 set interfaces ethernet eth0 pppoe 0 firewall local name local-v4 # Enable internal DHCP set service dhcp-server disabled false set service dhcp-server hostfile-update disable set service dhcp-server shared-network-name LAN authoritative enable set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router 192.168.0.1 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server 192.168.0.1 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease 86400 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.100 stop 192.168.0.149 set service dhcp-server use-dnsmasq disable # Enable internal DNS set service dns forwarding cache-size 150 set service dns forwarding listen-on eth1 # Limit the web GUI to listening on your LAN only set service gui http-port 80 set service gui https-port 443 set service gui listen-address 192.168.0.1 set service gui older-ciphers enable # Limit the SSH server to listening on your LAN only set service ssh listen-address 192.168.0.1 set service ssh listen-address '2001:8b0:db8:1234::1' # Handle NAT for the internet connection set service nat rule 5999 outbound-interface pppoe0 set service nat rule 5999 source address 192.168.0.0/24 set service nat rule 5999 type masquerade # These offload settings are the best compromise from my personal experience # as PPPoE is generally low enough on A&A connections to not need hardware acceleration # If you don't use VLANs internally, you might enable ipv6 pppoe offload and disable ipv6 vlan offload # as you can only have one of those two enabled at once set system offload hwnat disable set system offload ipsec enable set system offload ipv4 forwarding enable set system offload ipv4 pppoe enable set system offload ipv4 vlan enable set system offload ipv6 forwarding enable set system offload ipv6 pppoe disable set system offload ipv6 vlan enable # Set up QoS to keep your internet connection usable when doing lots of traffic # You'll need to adjust the upload rate based on your connection's upload sync rate set traffic-control smart-queue wan-qos upload rate 20mbit set traffic-control smart-queue wan-qos wan-interface pppoe0