Last time I wrote something along the lines of "name resolution will be handled via DHCPv6-PD", but while checking that it actually works I ended up in a state I don't really understand.
The plan was a simple setup (simple in config terms, at least) in which DHCPv6-PD takes care of all name resolution, including what system DNS and forwarding would otherwise do, but it does not behave as expected.
The information matching the configuration never reaches radvd.conf, or rather the settings are not applied; no errors are thrown, but it just does not run properly.
$ /etc/init.d/radvd restart
and
$ release dhcpv6-pd interface eth0
$ delete dhcpv6-pd duid
$ renew dhcpv6-pd interface eth0
and no matter how many times I repeat these, a global IPv6 address never shows up in ifconfig, however long I wait.
This looks like a bug in EdgeOS v2.0.0.
I have already sunk more than six hours into this on a precious Sunday and I'm worn out.
Pinning down the cause is going to take a while longer, so I'll come back to the DHCPv6-PD configuration later.
Still, name resolution is essential for using the net comfortably, and I've now found a service that does not behave as expected, so I'll actually configure the "name resolution examples" from last time and confirm that they work.
First, pattern 1: specify public DNS servers on the DHCP server and advertise them to the local PCs.
The current config specifies 192.168.*.1, so I delete that for now and specify 1.1.1.1 and 1.0.0.1 instead.
$ configure
# edit service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24
# delete dns-server 192.168.1.1
# set dns-server 1.1.1.1
# set dns-server 1.0.0.1
# top
# edit service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24
# delete dns-server 192.168.2.1
# set dns-server 1.1.1.1
# set dns-server 1.0.0.1
# commit
# top
Confirm that the DNS servers are being advertised to the local PC.
>ipconfig /renew
>ipconfig /all OK
DNS Servers . . . . . . . . . . . : 1.1.1.1
1.0.0.1
That looks fine, so check with ping that names are actually being resolved.
>ping www.google.com OK
Pinging www.google.com [172.217.161.196] with 32 bytes of data:
Reply from 172.217.161.196: bytes=32 time=11ms TTL=57
Reply from 172.217.161.196: bytes=32 time=13ms TTL=57
Reply from 172.217.161.196: bytes=32 time=11ms TTL=57
Reply from 172.217.161.196: bytes=32 time=11ms TTL=57
Ping statistics for 172.217.161.196:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 13ms, Average = 11ms
I only just noticed, but the ER-X's clock was way off.
With the current config the ER-X itself cannot resolve names (system name-server points at 127.0.0.1 and nothing is listening there), so that's no surprise.
Let me confirm that NTP works properly as well.
* Remove the current setting for now and set a public DNS server.
# delete system name-server 127.0.0.1
# set system name-server 2606:4700:4700::1111
# commit
# exit
$ sudo ntpdate -u ntp.nict.jp OK
10 Mar 20:02:26 ntpdate[5905]: adjust time server 133.243.238.244 offset -0.001084 sec
This confirms that both the ER-X and the client PC can resolve names.
If this setup is good enough for you, save here and you're done.
Since the goal this time is only to verify operation, I reboot to clear all the settings made so far.
* That's why I was working without saving.
$ reboot
Next, pattern 2: configure DNS forwarding so that the ER-X keeps a cache of the public DNS answers.
First, set up DNS forwarding.
* I recommend using IPv6 for the upstream name servers on the WAN side of the ER-X and IPv4 on the local side (here the WAN is native IPv6, and IPv4 only exists through the DS-Lite tunnel).
$ configure
# edit service dns forwarding
# set cache-size 5000
# set listen-on switch0.10
# set listen-on switch0.20
# set listen-on lo
# set name-server 2606:4700:4700::1111
# set name-server 2606:4700:4700::1001
# set options strict-order
# commit
# top
Confirm that the DNS server is advertised to the local PCs and that both the ER-X and the PCs can resolve names.
・ER-X
# ping -c3 www.google.com OK
64 bytes from kix06s05-in-f4.1e100.net (172.217.161.228): icmp_req=1 ttl=58 time=13.4 ms
・VLAN10
>ipconfig /renew
>ipconfig /all OK
DNS Servers . . . . . . . . . . . : 192.168.1.1
>ping www.google.com OK
Reply from 216.58.197.4: bytes=32 time=10ms TTL=57
・VLAN20
>ipconfig /renew
>ipconfig /all OK
DNS Servers . . . . . . . . . . . : 192.168.2.1
>ping www.google.com NG
Ping request could not find host www.google.com.
Huh?
I see: with pattern 1 the clients query the outside directly, so nothing on the router gets in the way, but with pattern 2 they query the ER-X itself, so the "local" firewall chain attached to VLAN20 (guest-local, which is default-action drop with no rules yet) applies and drops the queries.
Since the purpose this time is verification I'll carry on as is, but in real operation pattern 1 + DHCPv6 might be simpler and easier to manage.
That said, if you use VPNs you'll probably need the listen-address setting in the DNS forwarding options, so it really depends on the environment.
For now, let me open the DNS port (53) on 192.168.2.1, which name resolution needs.
* Add the following to guest-local, which currently has only default-action drop. Note that this opens UDP only; if you also want DNS over TCP (used when a UDP answer is truncated), set protocol tcp_udp instead of udp. Rule 20 below duplicates the default action and is only there to make the final drop explicit.
# edit firewall name guest-local
# set rule 10 action accept
# set rule 10 description 'Allow DNS'
# set rule 10 destination port 53
# set rule 10 protocol udp
# set rule 10 source address 192.168.2.0/24
# set rule 10 destination address 192.168.2.1
# set rule 20 action drop
# set rule 20 description Other
# set rule 20 protocol all
# commit
# top
# exit
Re-checking from the client PC on VLAN20, it now behaves as expected.
・VLAN20
>ipconfig /renew
>ipconfig /all OK
DNS Servers . . . . . . . . . . . : 192.168.2.1
>ping www.google.com OK
Reply from 216.58.197.4: bytes=32 time=11ms TTL=57
Name resolution works, but just to be sure let me check that DNS forwarding is behaving as expected.
$ show dns forwarding nameservers OK
-----------------------------------------------
Nameservers configured for DNS forwarding
-----------------------------------------------
2606:4700:4700::1111 available via 'statically configured'
2606:4700:4700::1001 available via 'statically configured'
$ show dns forwarding statistics OK
----------------
Cache statistics
----------------
Cache size: 5000
Queries forwarded: 108
Queries answered locally: 7
Total DNS entries inserted into cache: 269
DNS entries removed from cache before expiry: 0
---------------------
Nameserver statistics
---------------------
Server: 2606:4700:4700::1001
Queries sent: 94
Queries retried or failed: 14
Server: 2606:4700:4700::1111
Queries sent: 14
Queries retried or failed: 0
I also confirm NTP time sync, which earlier would not sync unless a public DNS server was set in system name-server.
$ sudo ntpdate -u ntp.nict.jp OK
10 Mar 21:34:09 ntpdate[2466]: adjust time server 133.243.238.244 offset -0.000755 sec
As for DNS forwarding, I plan to keep an eye on it for a while, including the cache-size setting.
So I'll add a few settings and run (leave) it on DNS forwarding for a while.
・Restrict GUI and SSH access (allow only from the local side)
$ configure
# set service gui listen-address 192.168.1.1
# set service ssh listen-address 192.168.1.1
# commit
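The checks above were done by hand: ping from a VLAN20 client, then show dns forwarding on the router. The three conditions they cover (the dns-server the DHCP server advertises is an address the forwarder actually listens on, the VLAN's "local" firewall chain lets the query through, and neither the forwarder nor the management services are exposed on the WAN side) can also be read straight out of show configuration commands. The following is an added example, not code from the original post or from Ubiquiti: a small Python linter that parses the set lines and reports which of those conditions fail. The embedded config is a trimmed copy of the page's own command list; treating description WAN as the marker for the WAN port, and the way rules are walked, are assumptions of the example.

```python
"""Lint an EdgeOS `show configuration commands` dump for the DNS-forwarding
pitfalls on this page. Added example; not code from the original post or Ubiquiti."""
import shlex


def parse(lines):
    """`set a b ... value` lines -> token lists (shlex handles the CLI's quoting)."""
    return [shlex.split(ln)[1:] for ln in lines if ln.strip().startswith("set ")]


def select(entries, *prefix):
    """Tails of every entry whose path starts with prefix."""
    n = len(prefix)
    return [e[n:] for e in entries if tuple(e[:n]) == prefix]


def permits(entries, chain, proto, port, dst, src_net):
    """Walk `firewall name <chain>` in rule order, as iptables does, and decide whether
    a NEW-state packet src_net -> dst proto/port is accepted. State-only rules never match it."""
    default, rules = "drop", {}
    for tail in select(entries, "firewall", "name", chain):
        if tail[0] == "default-action":
            default = tail[1]
        elif tail[0] == "rule":
            rules.setdefault(int(tail[1]), {})[" ".join(tail[2:-1])] = tail[-1]
    for num in sorted(rules):
        r = rules[num]
        if (not any(k.startswith("state ") for k in r)
                and r.get("protocol", "all") in ("all", proto)
                and r.get("destination port", port) == port
                and r.get("destination address", dst) == dst
                and r.get("source address", src_net) == src_net):
            return r.get("action") == "accept"
    return default == "accept"


def lint(lines):
    e = parse(lines)
    findings = []
    listen = {t[0] for t in select(e, "service", "dns", "forwarding", "listen-on")}
    # 1. Open-resolver check; assumption of this example: the WAN port carries `description WAN`.
    for tail in select(e, "interfaces", "ethernet"):
        if tail[1:] == ["description", "WAN"] and tail[0] in listen:
            findings.append(f"dns forwarding listens on WAN interface {tail[0]} (open resolver)")
    # 2. A DHCP-advertised dns-server that is one of the router's own VLAN addresses must be
    #    reachable: forwarder bound to that vif, local chain accepting 53 from the subnet (UDP+TCP).
    vif_of = {}
    for tail in select(e, "interfaces", "switch", "switch0", "vif"):
        if tail[1] == "address":
            vif_of[tail[2].split("/")[0]] = tail[0]
    for tail in select(e, "service", "dhcp-server", "shared-network-name"):
        if len(tail) < 5 or tail[1] != "subnet" or tail[3] != "dns-server":
            continue
        cidr, dns = tail[2], tail[4]
        if dns not in vif_of:
            continue  # pattern 1 (public resolver): nothing on the router to check
        vif = vif_of[dns]
        if f"switch0.{vif}" not in listen:
            findings.append(f"{cidr}: dns-server {dns} but forwarder does not listen on switch0.{vif}")
        for (chain,) in select(e, "interfaces", "switch", "switch0", "vif", vif, "firewall", "local", "name"):
            for proto in ("udp", "tcp"):
                if not permits(e, chain, proto, "53", dns, cidr):
                    findings.append(f"{cidr}: chain {chain} blocks {proto}/53 to {dns}")
    # 3. Management services bound to a LAN address rather than every interface.
    for svc in ("gui", "ssh"):
        if not select(e, "service", svc, "listen-address"):
            findings.append(f"service {svc} has no listen-address (reachable on every interface)")
    return findings


# Trimmed copy of this page's own `show configuration commands` output.
PAGE_CONFIG = """\
set firewall name guest-local default-action drop
set firewall name guest-local rule 10 action accept
set firewall name guest-local rule 10 destination address 192.168.2.1
set firewall name guest-local rule 10 destination port 53
set firewall name guest-local rule 10 protocol udp
set firewall name guest-local rule 10 source address 192.168.2.0/24
set firewall name guest-local rule 20 action drop
set interfaces ethernet eth0 description WAN
set interfaces switch switch0 vif 10 address 192.168.1.1/24
set interfaces switch switch0 vif 20 address 192.168.2.1/24
set interfaces switch switch0 vif 20 firewall local name guest-local
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.20
set service gui listen-address 192.168.1.1
set service ssh listen-address 192.168.1.1
""".splitlines()

if __name__ == "__main__":
    for finding in lint(PAGE_CONFIG):
        print("WARN", finding)
```

Run against the page's final config it reports exactly one thing: guest-local rule 10 opens UDP 53 only, so a query that falls back to TCP would still be dropped (protocol tcp_udp on the rule closes that gap). Dropping the rule 10 lines reproduces the "could not find host" failure seen from VLAN20, and adding listen-on eth0 trips the open-resolver check.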
・hwnat offload setting
# set system offload hwnat enable
# commit
$ show ubnt offload OK
IPSec offload module: not loaded
HWNAT offload module: loaded
Traffic Analysis :
export : disabled
dpi : disabled
version : 1.422
・DS-Lite tunnel MTU setting
* On excite MEC光's DS-Lite, 1460 seems to be stable.
# set interfaces ipv6-tunnel v6tun0 mtu 1460
Save here.
# save
# exit
$ reboot
That completes the verification of "pattern 1" and "pattern 2" for name resolution on the ER-X (v2.0.0).
Looking around, EdgeOS v2.0.0 seems to have quite a bad reputation.
But in my environment the only thing not working as expected so far is DHCPv6, and the current latest v1.10.9 line has an old PlatformOS (Wheezy: Debian 7).
I'd rather use the v2 line (Stretch: Debian 9) if I can, so I'll keep watching the forum for a while.
EdgeMAX EdgeRouter software version v2.0.0 has been released!
Here are the config and the command list so far.
It works as expected for the most part, but let me know if you spot any mistakes.
* Partially redacted
$ show configuration
firewall {
all-ping enable
broadcast-ping disable
group {
port-group PRINT_TCP {
description Printing_TCP
port 80
port 443
port 515
port 8000
port 8080
port 8443
port 9013
port 9100
}
port-group PRINT_UDP {
description Printing_UDP
port 161
port 427
port 47545
}
}
ipv6-name WANv6_IN {
default-action drop
description "WANv6 to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow IPv6 ICMP"
protocol ipv6-icmp
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WANv6 to Router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow IPv6 ICMP"
protocol ipv6-icmp
}
rule 30 {
action accept
description "Allw DHCPv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
rule 40 {
action accept
description "Allow DSLite"
protocol ipip
}
rule 50 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DSLite_IN {
default-action drop
description "WAN(DSLite)to LAN"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name DSLite_LOCAL {
default-action drop
description "WAN(DSLite)to Router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name guest-in {
default-action accept
description guest-in
rule 10 {
action accept
description "Allow Printer tcp"
destination {
address 192.168.1.7
group {
port-group PRINT_TCP
}
}
protocol tcp
}
rule 11 {
action accept
description "Allow Printer udp"
destination {
address 192.168.1.7
group {
port-group PRINT_UDP
}
}
protocol udp
}
rule 20 {
action drop
description Other
destination {
address 192.168.1.0/24
}
protocol all
}
}
name guest-local {
default-action drop
description guest-local
rule 10 {
action accept
description "Allow DNS"
destination {
address 192.168.2.1
port 53
}
log disable
protocol udp
source {
address 192.168.2.0/24
}
}
rule 20 {
action drop
description Other
log disable
protocol all
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.24.2/30
address ****:****:****:****:****:****:****:****/64
description WAN
duplex auto
firewall {
in {
ipv6-name WANv6_IN
}
local {
ipv6-name WANv6_LOCAL
}
}
speed auto
}
ethernet eth1 {
duplex auto
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
}
ipv6-tunnel v6tun0 {
description DSLite
encapsulation ipip6
firewall {
in {
name DSLite_IN
}
local {
name DSLite_LOCAL
}
}
local-ip ****:****:****:****:****:****:****:****
mtu 1460
multicast disable
remote-ip 2404:8e01::feed:100
ttl 64
}
loopback lo {
}
switch switch0 {
description LAN
mtu 1500
switch-port {
interface eth1 {
vlan {
pvid 10
}
}
interface eth2 {
vlan {
pvid 10
}
}
interface eth3 {
vlan {
pvid 10
}
}
interface eth4 {
vlan {
pvid 20
}
}
vlan-aware enable
}
vif 10 {
address 192.168.1.1/24
description vlan10
}
vif 20 {
address 192.168.2.1/24
description vlan20
firewall {
in {
name guest-in
}
local {
name guest-local
}
}
}
}
}
protocols {
static {
interface-route 0.0.0.0/0 {
next-hop-interface v6tun0 {
}
}
route6 ::/0 {
next-hop fe80::****:****:****:**** {
interface eth0
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name vlan10 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.90 {
stop 192.168.1.168
}
static-mapping Canon_C356F {
ip-address 192.168.1.7
mac-address **:**:**:**:**:**
}
static-mapping PC0001 {
ip-address 192.168.1.9
mac-address **:**:**:**:**:**
}
}
}
shared-network-name vlan20 {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.90 {
stop 192.168.2.168
}
static-mapping ThinkPad_X201s {
ip-address 192.168.2.13
mac-address **:**:**:**:**:**
}
static-mapping ThinkPad_X201s_Wi-Fi {
ip-address 192.168.2.15
mac-address **:**:**:**:**:**
}
static-mapping WN-AX1167GR2 {
ip-address 192.168.2.4
mac-address **:**:**:**:**:**
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 5000
listen-on switch0.10
listen-on switch0.20
listen-on lo
name-server 2606:4700:4700::1111
name-server 2606:4700:4700::1001
options strict-order
}
}
gui {
http-port 80
https-port 443
listen-address 192.168.1.1
older-ciphers enable
}
ssh {
listen-address 192.168.1.1
port 22
protocol-version v2
}
ubnt-discover {
disable
}
ubnt-discover-server {
disable
}
unms {
disable
}
}
system {
config-management {
commit-revisions 20
}
host-name GW-Router
login {
user ********** {
authentication {
encrypted-password ********************
plaintext-password ********************
}
level admin
}
user ********** {
authentication {
encrypted-password ********************
plaintext-password ********************
}
level operator
}
}
name-server 127.0.0.1
ntp {
server ntp.nict.jp {
}
}
offload {
hwnat enable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Asia/Tokyo
}
$ show configuration commands
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group port-group PRINT_TCP description Printing_TCP
set firewall group port-group PRINT_TCP port 80
set firewall group port-group PRINT_TCP port 443
set firewall group port-group PRINT_TCP port 515
set firewall group port-group PRINT_TCP port 8000
set firewall group port-group PRINT_TCP port 8080
set firewall group port-group PRINT_TCP port 8443
set firewall group port-group PRINT_TCP port 9013
set firewall group port-group PRINT_TCP port 9100
set firewall group port-group PRINT_UDP description Printing_UDP
set firewall group port-group PRINT_UDP port 161
set firewall group port-group PRINT_UDP port 427
set firewall group port-group PRINT_UDP port 47545
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WANv6 to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 30 action drop
set firewall ipv6-name WANv6_IN rule 30 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 30 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WANv6 to Router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allw DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DSLite'
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall ipv6-name WANv6_LOCAL rule 50 action drop
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 50 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name DSLite_IN default-action drop
set firewall name DSLite_IN description 'WAN(DSLite)to LAN'
set firewall name DSLite_IN rule 10 action accept
set firewall name DSLite_IN rule 10 description 'Allow established/related'
set firewall name DSLite_IN rule 10 state established enable
set firewall name DSLite_IN rule 10 state related enable
set firewall name DSLite_IN rule 20 action drop
set firewall name DSLite_IN rule 20 description 'Drop invalid state'
set firewall name DSLite_IN rule 20 state invalid enable
set firewall name DSLite_LOCAL default-action drop
set firewall name DSLite_LOCAL description 'WAN(DSLite)to Router'
set firewall name DSLite_LOCAL rule 10 action accept
set firewall name DSLite_LOCAL rule 10 description 'Allow established/related'
set firewall name DSLite_LOCAL rule 10 state established enable
set firewall name DSLite_LOCAL rule 10 state related enable
set firewall name DSLite_LOCAL rule 20 action drop
set firewall name DSLite_LOCAL rule 20 description 'Drop invalid state'
set firewall name DSLite_LOCAL rule 20 state invalid enable
set firewall name guest-in default-action accept
set firewall name guest-in description guest-in
set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 description 'Allow Printer tcp'
set firewall name guest-in rule 10 destination address 192.168.1.7
set firewall name guest-in rule 10 destination group port-group PRINT_TCP
set firewall name guest-in rule 10 protocol tcp
set firewall name guest-in rule 11 action accept
set firewall name guest-in rule 11 description 'Allow Printer udp'
set firewall name guest-in rule 11 destination address 192.168.1.7
set firewall name guest-in rule 11 destination group port-group PRINT_UDP
set firewall name guest-in rule 11 protocol udp
set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 description Other
set firewall name guest-in rule 20 destination address 192.168.1.0/24
set firewall name guest-in rule 20 protocol all
set firewall name guest-local default-action drop
set firewall name guest-local description guest-local
set firewall name guest-local rule 10 action accept
set firewall name guest-local rule 10 description 'Allow DNS'
set firewall name guest-local rule 10 destination address 192.168.2.1
set firewall name guest-local rule 10 destination port 53
set firewall name guest-local rule 10 protocol udp
set firewall name guest-local rule 10 source address 192.168.2.0/24
set firewall name guest-local rule 20 action drop
set firewall name guest-local rule 20 description Other
set firewall name guest-local rule 20 protocol all
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address 192.168.24.2/30
set interfaces ethernet eth0 address '****:****:****:****:****:****:****:****/64'
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces ipv6-tunnel v6tun0 description DSLite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces ipv6-tunnel v6tun0 local-ip '****:****:****:****:****:****:****:****'
set interfaces ipv6-tunnel v6tun0 mtu 1460
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e01::feed:100'
set interfaces ipv6-tunnel v6tun0 ttl 64
set interfaces loopback lo
set interfaces switch switch0 description LAN
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 10
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan pvid 20
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 10 address 192.168.1.1/24
set interfaces switch switch0 vif 10 description vlan10
set interfaces switch switch0 vif 20 address 192.168.2.1/24
set interfaces switch switch0 vif 20 description vlan20
set interfaces switch switch0 vif 20 firewall in name guest-in
set interfaces switch switch0 vif 20 firewall local name guest-local
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
set protocols static route6 '::/0' next-hop 'fe80::****:****:****:****' interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name vlan10 authoritative enable
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 start 192.168.1.90 stop 192.168.1.168
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping Canon_C356F ip-address 192.168.1.7
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping Canon_C356F mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping PC0001 ip-address 192.168.1.9
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping PC0001 mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan20 authoritative disable
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 start 192.168.2.90 stop 192.168.2.168
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s ip-address 192.168.2.13
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s_Wi-Fi ip-address 192.168.2.15
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s_Wi-Fi mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping WN-AX1167GR2 ip-address 192.168.2.4
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping WN-AX1167GR2 mac-address '**:**:**:**:**:**'
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 5000
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.20
set service dns forwarding listen-on lo
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding options strict-order
set service gui http-port 80
set service gui https-port 443
set service gui listen-address 192.168.1.1
set service gui older-ciphers enable
set service ssh listen-address 192.168.1.1
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
set service ubnt-discover-server disable
set service unms disable
set system config-management commit-revisions 20
set system host-name GW-Router
set system login user ********** authentication encrypted-password '********************'
set system login user ********** authentication plaintext-password ''
set system login user ********** level admin
set system login user ********** authentication encrypted-password '********************'
set system login user ********** authentication plaintext-password ''
set system login user ********** level operator
set system name-server 127.0.0.1
set system ntp server ntp.nict.jp
set system offload hwnat enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Asia/Tokyo
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allw DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DSLite'
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall ipv6-name WANv6_LOCAL rule 50 action drop
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 50 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name DSLite_IN default-action drop
set firewall name DSLite_IN description 'WAN(DSLite)to LAN'
set firewall name DSLite_IN rule 10 action accept
set firewall name DSLite_IN rule 10 description 'Allow established/related'
set firewall name DSLite_IN rule 10 state established enable
set firewall name DSLite_IN rule 10 state related enable
set firewall name DSLite_IN rule 20 action drop
set firewall name DSLite_IN rule 20 description 'Drop invalid state'
set firewall name DSLite_IN rule 20 state invalid enable
set firewall name DSLite_LOCAL default-action drop
set firewall name DSLite_LOCAL description 'WAN(DSLite)to Router'
set firewall name DSLite_LOCAL rule 10 action accept
set firewall name DSLite_LOCAL rule 10 description 'Allow established/related'
set firewall name DSLite_LOCAL rule 10 state established enable
set firewall name DSLite_LOCAL rule 10 state related enable
set firewall name DSLite_LOCAL rule 20 action drop
set firewall name DSLite_LOCAL rule 20 description 'Drop invalid state'
set firewall name DSLite_LOCAL rule 20 state invalid enable
set firewall name guest-in default-action accept
set firewall name guest-in description guest-in
set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 description 'Allow Printer tcp'
set firewall name guest-in rule 10 destination address 192.168.1.7
set firewall name guest-in rule 10 destination group port-group PRINT_TCP
set firewall name guest-in rule 10 protocol tcp
set firewall name guest-in rule 11 action accept
set firewall name guest-in rule 11 description 'Allow Printer udp'
set firewall name guest-in rule 11 destination address 192.168.1.7
set firewall name guest-in rule 11 destination group port-group PRINT_UDP
set firewall name guest-in rule 11 protocol udp
set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 description Other
set firewall name guest-in rule 20 destination address 192.168.1.0/24
set firewall name guest-in rule 20 protocol all
set firewall name guest-local default-action drop
set firewall name guest-local description guest-local
set firewall name guest-local rule 10 action accept
set firewall name guest-local rule 10 description 'Allow DNS'
set firewall name guest-local rule 10 destination address 192.168.2.1
set firewall name guest-local rule 10 destination port 53
set firewall name guest-local rule 10 protocol udp
set firewall name guest-local rule 10 source address 192.168.2.0/24
set firewall name guest-local rule 20 action drop
set firewall name guest-local rule 20 description Other
set firewall name guest-local rule 20 protocol all
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address 192.168.24.2/30
set interfaces ethernet eth0 address '****:****:****:****:****:****:****:****/64'
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces ipv6-tunnel v6tun0 description DSLite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces ipv6-tunnel v6tun0 local-ip '****:****:****:****:****:****:****:****'
set interfaces ipv6-tunnel v6tun0 mtu 1460
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e01::feed:100'
set interfaces ipv6-tunnel v6tun0 ttl 64
set interfaces loopback lo
set interfaces switch switch0 description LAN
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 10
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan pvid 20
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 10 address 192.168.1.1/24
set interfaces switch switch0 vif 10 description vlan10
set interfaces switch switch0 vif 20 address 192.168.2.1/24
set interfaces switch switch0 vif 20 description vlan20
set interfaces switch switch0 vif 20 firewall in name guest-in
set interfaces switch switch0 vif 20 firewall local name guest-local
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
set protocols static route6 '::/0' next-hop 'fe80::****:****:****:****' interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name vlan10 authoritative enable
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 start 192.168.1.90 stop 192.168.1.168
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping Canon_C356F ip-address 192.168.1.7
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping Canon_C356F mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping PC0001 ip-address 192.168.1.9
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping PC0001 mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan20 authoritative disable
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 start 192.168.2.90 stop 192.168.2.168
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s ip-address 192.168.2.13
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s_Wi-Fi ip-address 192.168.2.15
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping ThinkPad_X201s_Wi-Fi mac-address '**:**:**:**:**:**'
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping WN-AX1167GR2 ip-address 192.168.2.4
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.0/24 static-mapping WN-AX1167GR2 mac-address '**:**:**:**:**:**'
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 5000
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.20
set service dns forwarding listen-on lo
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding options strict-order
set service gui http-port 80
set service gui https-port 443
set service gui listen-address 192.168.1.1
set service gui older-ciphers enable
set service ssh listen-address 192.168.1.1
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
set service ubnt-discover-server disable
set service unms disable
set system config-management commit-revisions 20
set system host-name GW-Router
set system login user ********** authentication encrypted-password '********************'
set system login user ********** authentication plaintext-password ''
set system login user ********** level admin
set system login user ********** authentication encrypted-password '********************'
set system login user ********** authentication plaintext-password ''
set system login user ********** level operator
set system name-server 127.0.0.1
set system ntp server ntp.nict.jp
set system offload hwnat enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Asia/Tokyo
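The two dumps above encode the security posture this setup depends on: the rulesets bound to eth0 and v6tun0 default to drop, the dnsmasq forwarder listens only on switch0.10, switch0.20 and lo, GUI and SSH are bound to 192.168.1.1, and guest-in drops everything from vlan20 towards 192.168.1.0/24 except the printer ports. Re-reading two hundred lines after every commit to confirm that nothing regressed is error-prone, so the following Python script is added here as an example (it is not code from this post or from EdgeOS): it parses the `set ...` form produced by `show configuration commands` into a tree and checks those four properties. The interface names treated as WAN-facing (eth0, v6tun0), the VLAN numbering (vif 10 main LAN, vif 20 guest) and the embedded sample, an excerpt of the dump above with the redacted lines left out, are assumptions taken from this post's configuration; address groups and address ranges inside rules are not evaluated.

```python
import ipaddress
import shlex

VALUES = "_values"                                              # leaf values live under this key
WAN_INTERFACES = {"eth0": "ethernet", "v6tun0": "ipv6-tunnel"}  # assumed WAN-facing (taken from the post)

def parse_set_commands(text):
    """Turn 'set a b c value' lines into nested dicts; repeated leaves accumulate in order."""
    root = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue                                # prompt, pager residue, blank lines
        tokens = shlex.split(line)[1:]              # shlex drops the quotes EdgeOS adds
        node = root
        for key in tokens[:-1]:
            node = node.setdefault(key, {})
        node.setdefault(VALUES, []).append(tokens[-1])
    return root

def lookup(node, *path):
    """Sub-tree at path, or {} when any component is missing."""
    for key in path:
        node = node.get(key, {})
    return node

def values(node, *path):
    """Leaf values stored at path ([] when absent)."""
    return lookup(node, *path).get(VALUES, [])

def covers(destination, lan):
    """True when a rule's destination address or prefix contains the whole LAN prefix."""
    net = ipaddress.ip_network(destination, strict=False)
    return net.version == lan.version and lan.subnet_of(net)

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Every ruleset bound to a WAN-facing interface must default to drop.
    for iface, kind in WAN_INTERFACES.items():
        for direction in ("in", "local"):
            for family in ("name", "ipv6-name"):
                for ruleset in values(cfg, "interfaces", kind, iface, "firewall", direction, family):
                    action = values(cfg, "firewall", family, ruleset, "default-action")
                    if action != ["drop"]:
                        findings.append(f"{iface}/{direction}: {ruleset} default-action {action or 'unset'}")
    # 2. The dnsmasq forwarder must listen only on LAN-side interfaces (and lo).
    for iface in values(cfg, "service", "dns", "forwarding", "listen-on"):
        if iface in WAN_INTERFACES:
            findings.append(f"dns forwarding listens on WAN interface {iface}")
    # 3. GUI and SSH must be bound to a private address rather than to every interface.
    for svc in ("gui", "ssh"):
        addrs = values(cfg, "service", svc, "listen-address")
        if not addrs:
            findings.append(f"{svc}: no listen-address, reachable on every interface")
        findings.extend(f"{svc}: public listen-address {a}" for a in addrs
                        if not ipaddress.ip_address(a).is_private)
    # 4. The guest VLAN (vif 20) 'in' ruleset must drop traffic to the main LAN (vif 10), either by
    #    default action or by an explicit drop rule whose destination covers that prefix.
    main_lan = [ipaddress.ip_interface(a).network
                for a in values(cfg, "interfaces", "switch", "switch0", "vif", "10", "address")]
    for ruleset in values(cfg, "interfaces", "switch", "switch0", "vif", "20", "firewall", "in", "name"):
        rules = lookup(cfg, "firewall", "name", ruleset, "rule")
        isolated = values(cfg, "firewall", "name", ruleset, "default-action") == ["drop"] or any(
            values(rules, num, "action") == ["drop"]
            and any(covers(dst, lan) for lan in main_lan
                    for dst in values(rules, num, "destination", "address"))
            for num in rules if num != VALUES)
        if not isolated:
            findings.append(f"{ruleset}: guest VLAN can reach the main LAN")
    return findings

# Constructed sample: an excerpt of the dump above (redacted lines left out).
SAMPLE = """\
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall name DSLite_IN default-action drop
set firewall name DSLite_LOCAL default-action drop
set firewall name guest-in default-action accept
set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 destination address 192.168.1.7
set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 destination address 192.168.1.0/24
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces switch switch0 vif 10 address 192.168.1.1/24
set interfaces switch switch0 vif 20 firewall in name guest-in
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on lo
set service gui listen-address 192.168.1.1
set service ssh listen-address 192.168.1.1
"""

# The same excerpt with three settings weakened, to show what the checks report.
WEAKENED = (SAMPLE.replace("WANv6_LOCAL default-action drop", "WANv6_LOCAL default-action accept")
                  .replace("guest-in rule 20 action drop", "guest-in rule 20 action accept")
            + "set service dns forwarding listen-on eth0\n")

if __name__ == "__main__":                       # demo: the post's excerpt, then the weakened copy
    print(audit(parse_set_commands(SAMPLE)) or "no findings")
    print(audit(parse_set_commands(WEAKENED)))
```

The `set` form is parsed rather than the brace tree because it carries one fact per line and survives copy-and-paste through a pager, which is exactly how the dump above was captured. A flag with no value, such as `enable-default-log`, is stored as a leaf value of its parent node, so it coexists with `default-action` and `rule` under the same ruleset. Run against the excerpt of this post's configuration the audit reports nothing; the weakened copy reports the accept default on WANv6_LOCAL, the forwarder listening on eth0, and the guest VLAN no longer being cut off from the main LAN.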