Now that the ER-X's IPv4-only "stay-at-home" setup has settled down, it's time to send it out into the world with DS-Lite.
There is one thing I don't quite understand, though...
As the configuration proceeds and I build an IPoE environment that goes out purely over IPv6, it seems the router can only advertise IPv6 to the LAN side if the WAN interface's address is obtained automatically. Is that right?
I don't fully understand how the ER-X behaves, but the URL below seems to say something to that effect.
How to Implement IPv6 with DHCPv6 and Prefix Delegation
Considering reconnection stability and convenience after a reboot, a static address on the WAN interface would be more convenient, but if such a restriction exists I would have to switch to automatic acquisition, and much of this work would be wasted.
Well, that page isn't the EdgeRouter ER-X manual, and worrying about it won't get me anywhere, so for now I'll proceed with a static address.
If the router is going outside, it needs roughly the protection of a child on their first errand, so the first step is the firewall.
For the basic firewall settings, the necessary parts of the URL below can be applied as-is, with additions to suit the environment.
EdgeRouter - Zone-Based Firewall
The naming of the zone-policies at that URL is a bit confusing, but the arrows below show what each setting covers.
・Firewall: configured on a single entry/exit point (interface). (->eth0, eth0<-)
・zone-policy: configured for paths from various entry points to exit points. (eth0->switch0, eth0<-switch0)
The firewall is the lock on the front door; the zone-policy is like the guard in the hallway leading to each access-restricted room.
The flow is: configure the firewall, then fine-tune with zone-policies. On reflection, though, the zone-policy settings don't need to be covered in this blog post.
So this time I borrowed the necessary parts from the site below.
Edgerouter Lite-3でDS-Lite (DS-Lite on the EdgeRouter Lite-3)
・Firewall configuration
For the WAN interface
$ configure
# edit firewall ipv6-name WANv6_IN
# set default-action drop
# set description 'WANv6 to LAN'
# set enable-default-log
# set rule 10 action accept
# set rule 10 description 'Allow established/related'
# set rule 10 state established enable
# set rule 10 state related enable
# set rule 20 action accept
# set rule 20 description 'Allow IPv6 ICMP'
# set rule 20 protocol ipv6-icmp
# set rule 30 action drop
# set rule 30 description 'Drop invalid state'
# set rule 30 state invalid enable
# commit
# top
# edit firewall ipv6-name WANv6_LOCAL
# set default-action drop
# set description 'WANv6 to Router'
# set enable-default-log
# set rule 10 action accept
# set rule 10 description 'Allow established/related'
# set rule 10 state established enable
# set rule 10 state related enable
# set rule 20 action accept
# set rule 20 description 'Allow IPv6 ICMP'
# set rule 20 protocol ipv6-icmp
# set rule 30 action accept
# set rule 30 description 'Allow DHCPv6'
# set rule 30 destination port 546
# set rule 30 protocol udp
# set rule 30 source port 547
# set rule 40 action accept
# set rule 40 description 'Allow DSLite'
# set rule 40 protocol ipip
# set rule 50 action drop
# set rule 50 description 'Drop invalid state'
# set rule 50 state invalid enable
# commit
# top
For the tunnel
# edit firewall name DSLite_IN
# set default-action drop
# set description 'WAN(DSLite) to LAN'
# set rule 10 action accept
# set rule 10 description 'Allow established/related'
# set rule 10 state established enable
# set rule 10 state related enable
# set rule 20 action drop
# set rule 20 description 'Drop invalid state'
# set rule 20 state invalid enable
# commit
# top
# edit firewall name DSLite_LOCAL
# set default-action drop
# set description 'WAN(DSLite) to Router'
# set rule 10 action accept
# set rule 10 description 'Allow established/related'
# set rule 10 state established enable
# set rule 10 state related enable
# set rule 20 action drop
# set rule 20 description 'Drop invalid state'
# set rule 20 state invalid enable
# commit;save
Apply the firewall to the WAN interface, eth0.
※ When there isn't enough input to justify using edit, pressing the up arrow to recall command history makes things easy.
# set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
# set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
# commit;save
・Preparing for DS-Lite / collecting configuration information
Now that preparations for the outing are done, I'll start collecting the information needed for the DS-Lite settings. ※ The purpose is information gathering only; to avoid leftover junk in the config, I won't save.
# set interfaces ethernet eth0 ipv6 address autoconf
# commit
# exit
After about 10 minutes IPv6 starts flowing, so check the status and copy the assigned address and other details.
※ The relevant parts are shown in red and blue.
$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 192.168.24.2/30 u/u WAN
****:***:****:****:****:****:****:***/64 <- the assigned IPv6 address.
eth1 - u/u
eth2 - u/D
eth3 - u/D
eth4 - u/D
lo 127.0.0.1/8 u/u
::1/128
switch0 - u/u LAN
switch0.10 192.168.10.1/24 u/u vlan10
switch0.20 192.168.20.1/24 u/u vlan20
$ show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime
IP Route Table for VRF "default"
K ::/0 [0/1024] via ****::****:****:****:****, eth0, 00:02:00 <- the link-local address.
C ::1/128 via ::, lo, 1d05h52m
C ****:***:****:****::/64 via ::, eth0, 00:01:59
C fe80::/64 via ::, eth1, 01:18:49
・The first errand
At this point the ER-X should be able to go outside over IPv6. Let's send it on its first errand.
※ I used www.google.com's IP address.
※ On Windows you can look up the IPv6 address with "nslookup"; on Linux with "dig -6".
※ Stop with Control+C.
$ ping6 2404:6800:400a:80b::2004
PING 2404:6800:400a:80b::2004(2404:6800:400a:80b::2004) 56 data bytes
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=1 ttl=54 time=13.0 ms
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=2 ttl=54 time=10.8 ms
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=3 ttl=54 time=11.3 ms
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=4 ttl=54 time=10.7 ms
^C
Naturally, it doesn't work with a domain name.
$ ping6 www.google.com
ping: www.google.com: Temporary failure in name resolution
To get name resolution working, let's configure a DNS server by its IPv6 address.
$ configure
# set system name-server 2001:4860:4860::8888
# commit
Checking again with the domain name, it now goes through fine by name.
※ In configuration mode (prompt starting with #), a packet count can be specified.
# ping6 -c 5 www.google.com
PING www.google.com(kix05s02-in-x04.1e100.net (2404:6800:400a:809::2004)) 56 data bytes
64 bytes from kix05s02-in-x04.1e100.net (2404:6800:400a:809::2004): icmp_seq=1 ttl=54 time=14.7 ms
64 bytes from kix05s02-in-x04.1e100.net (2404:6800:400a:809::2004): icmp_seq=2 ttl=54 time=10.8 ms
64 bytes from kix05s02-in-x04.1e100.net (2404:6800:400a:809::2004): icmp_seq=3 ttl=54 time=11.1 ms
64 bytes from kix05s02-in-x04.1e100.net (2404:6800:400a:809::2004): icmp_seq=4 ttl=54 time=11.3 ms
64 bytes from kix05s02-in-x04.1e100.net (2404:6800:400a:809::2004): icmp_seq=5 ttl=54 time=10.8 ms
--- www.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4015ms
rtt min/avg/max/mdev = 10.876/11.787/14.713/1.475 ms
Now that the information available from the ER-X has been gathered, reboot the ER-X.
※ Since nothing was saved, these settings disappear on reboot.
# exit
$ reboot
After the ER-X reboots, configure it using the information collected.
・Configuring the static IPv6 address
On eth0, set the IPv6 address (red) and, as the gateway, the link-local address (blue). ※ The red text from show interfaces and the blue text from show ipv6 route.
# set interfaces ethernet eth0 address ****:***:****:****:****:****:****:***/64
# set protocols static route6 ::/0 next-hop ****::****:****:****:**** interface eth0
# commit;save
This configuration simply specifies statically what was obtained with autoconf.
However, it eliminates the wait (about 10 minutes to obtain an address) before the ER-X becomes reachable after a reboot, which is a big gain in convenience.
Let's ping an IPv6 address to confirm it works the same way.
# ping6 -c 3 2404:6800:400a:80b::2004
PING 2404:6800:400a:80b::2004(2404:6800:400a:80b::2004) 56 data bytes
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=1 ttl=54 time=13.8 ms
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=2 ttl=54 time=10.9 ms
64 bytes from 2404:6800:400a:80b::2004: icmp_seq=3 ttl=54 time=11.3 ms
--- 2404:6800:400a:80b::2004 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 10.947/12.039/13.820/1.270 ms
・Tunnel configuration
With the IPv6 connection from the ER-X to the outside established, it's finally time for the DS-Lite tunnel settings. The tunnel configuration needs the AFTR's IPv6 address for remote-ip; for Hikari Collaboration services, it currently appears to be the following.
NTT East area
2404:8e00::feed:100
2404:8e00::feed:101
NTT West area
2404:8e01::feed:100
2404:8e01::feed:101
# edit interfaces ipv6-tunnel v6tun0
# set description DSLite
# set encapsulation ipip6
# set local-ip ****:***:****:****:****:****:****:***
# set remote-ip 2404:8e01::feed:100
# set multicast disable
# set ttl 64
# top
# set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
# commit
Apply the firewall to the tunnel.
# set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
# set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
# commit
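As an added example (not from the original post, and not an EdgeOS tool), here is a small Python check that reads `show configuration commands` output and confirms that both Internet-facing interfaces, eth0 (native IPv6, `ipv6-name` rulesets) and v6tun0 (IPv4 inside DS-Lite, `name` rulesets), have a default-drop ruleset attached on both the `in` and `local` hooks. The sample lines are constructed from this article's configuration; the assumption that only those two interfaces face the Internet is mine.

```python
import re
from collections import defaultdict

# Address family that crosses each external interface (assumption: these two
# are the only Internet-facing interfaces in this configuration):
#   eth0   carries the native IPv6 uplink  -> check its ipv6-name rulesets
#   v6tun0 carries IPv4 inside DS-Lite     -> check its name (IPv4) rulesets
WAN_INTERFACES = {"eth0": "ipv6-name", "v6tun0": "name"}

# The only two kinds of `set` line this check needs.
RULESET_RE = re.compile(
    r"^set firewall (name|ipv6-name) (\S+) default-action (\S+)$")
ATTACH_RE = re.compile(
    r"^set interfaces (?:ethernet|ipv6-tunnel) (\S+) firewall (in|local) "
    r"(name|ipv6-name) (\S+)$")


def parse_commands(lines):
    """Collect rulesets[(family, name)] -> default-action and
    attachments[iface][(hook, family)] -> ruleset name."""
    rulesets = {}
    attachments = defaultdict(dict)
    for line in lines:
        line = line.strip()
        m = RULESET_RE.match(line)
        if m:
            family, name, action = m.groups()
            rulesets[(family, name)] = action
            continue
        m = ATTACH_RE.match(line)
        if m:
            iface, hook, family, name = m.groups()
            attachments[iface][(hook, family)] = name
    return rulesets, attachments


def audit(lines):
    """Return findings; an empty list means every WAN interface has a
    default-drop ruleset on both the `in` and the `local` hook."""
    rulesets, attachments = parse_commands(lines)
    findings = []
    for iface, family in WAN_INTERFACES.items():
        for hook in ("in", "local"):
            name = attachments.get(iface, {}).get((hook, family))
            if name is None:
                findings.append(f"{iface}: no {family} ruleset on '{hook}'")
            elif (family, name) not in rulesets:
                findings.append(f"{iface}: ruleset {name} is not defined")
            elif rulesets[(family, name)] != "drop":
                findings.append(f"{iface}: ruleset {name} default-action is "
                                f"{rulesets[(family, name)]}, not drop")
    return findings


# Constructed sample: the article's config just before the tunnel firewall
# was attached (the rulesets exist, but v6tun0 does not reference them yet).
SAMPLE_BEFORE = """
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall name DSLite_IN default-action drop
set firewall name DSLite_LOCAL default-action drop
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
""".strip().splitlines()

# The same config after the two `set interfaces ipv6-tunnel v6tun0 firewall`
# lines from the article.
SAMPLE_AFTER = SAMPLE_BEFORE + [
    "set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN",
    "set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL",
]
```

`audit(SAMPLE_BEFORE)` reports v6tun0 as unprotected on both hooks, while `audit(SAMPLE_AFTER)` returns an empty list; feed it the real `show configuration commands` output line by line to check a live box.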
I plan to adjust the MTU while watching how things behave, so no MTU setting is entered here; but the basic DS-Lite configuration is complete, so let's ping the IPv4 address that didn't work a moment ago.
※ set interfaces ipv6-tunnel v6tun0 mtu 1454/1460/1500
# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=12.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=124 time=11.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=124 time=11.5 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2006ms
rtt min/avg/max/mdev = 11.259/11.597/12.030/0.333 ms
Of course, IPv6 addresses are unaffected and still reachable.
# ping -c 3 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=57 time=11.3 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=57 time=10.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=57 time=10.9 ms
--- 2001:4860:4860::8888 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 10.654/10.990/11.368/0.305 ms
This completes the basic DS-Lite configuration.
Since no public DNS has been configured on the ER-X yet, the ER-X itself cannot resolve domain names.
In other words, the ER-X on its own cannot ping www.google.com and the like.
Properly, the ER-X-style way would be to set a public DNS under "system name-server" and enable "dns forwarding" on each port, or skip the system setting and forward with "forwarding name-server"; but because of the question I raised at the start ("one thing I don't quite understand..."), I plan to configure DHCPv6-PD first.
An environment without name resolution is easier to verify, and I already confirmed while gathering information that simply setting a public DNS gives name resolution.
Incidentally, even if the ER-X itself cannot resolve names, that's no problem for the client PCs that actually go out to the Internet.
As long as the ER-X can communicate over IPv6, has the DS-Lite tunnel configured, and its LAN side works over IPv4, clients can reach the Internet without trouble.
For example, by changing the network settings manually (※1) or by advertising a public DNS via DHCP (※2).
※1: On the client PC, leave the IP address on automatic and manually set a suitable public DNS as the DNS server.
Public DNS services I can recommend include Google's "8.8.8.8" and "8.8.4.4", and Cloudflare's "1.1.1.1" and "1.0.0.1".
※2: Have the DHCP server running on the ER-X advertise a public DNS.
Change
# set subnet 192.168.10.0/24 dns-server 192.168.10.1
(delete service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 dns-server 192.168.1.1)
to
# set subnet 192.168.10.0/24 dns-server 1.1.1.1
(set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 dns-server 1.1.1.1)
and run with that; the client PCs can use the public DNS without any change to their settings.
With either method the client PCs can go out through the ER-X, so there should be no operational trouble; as a temporary measure, I also plan to change the DHCP server setting at home and have clients pick up the public DNS automatically.
Here are the config and command list so far.
※ Partially masked
$ show configuration
firewall {
all-ping enable
broadcast-ping disable
group {
port-group PRINT_TCP {
description Printing_TCP
port 80
port 443
port 515
port 8000
port 8080
port 8443
port 9013
port 9100
}
port-group PRINT_UDP {
description Printing_UDP
port 161
port 427
port 47545
}
}
ipv6-name WANv6_IN {
default-action drop
description "WANv6 to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow IPv6 ICMP"
protocol ipv6-icmp
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WANv6 to Router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow IPv6 ICMP"
protocol ipv6-icmp
}
rule 30 {
action accept
description "Allw DHCPv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
rule 40 {
action accept
description "Allow DSLite"
protocol ipip
}
rule 50 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DSLite_IN {
default-action drop
description "WAN(DSLite)to LAN"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name DSLite_LOCAL {
default-action drop
description "WAN(DSLite)to Router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name guest-in {
default-action accept
description guest-in
rule 10 {
action accept
description printer
destination {
address 192.168.1.7
group {
port-group PRINT_TCP
}
}
log disable
protocol tcp
}
rule 11 {
action accept
description printer
destination {
address 192.168.1.7
group {
port-group PRINT_UDP
}
}
log disable
protocol udp
}
rule 20 {
action drop
description other
destination {
address 192.168.1.0/24
}
log disable
protocol all
}
}
name guest-local {
default-action drop
description guest-local
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.24.2/30
address ****************/64
description WAN
duplex auto
firewall {
in {
ipv6-name WANv6_IN
}
local {
ipv6-name WANv6_LOCAL
}
}
speed auto
}
ethernet eth1 {
duplex auto
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
}
ipv6-tunnel v6tun0 {
description DSLite
encapsulation ipip6
firewall {
in {
name DSLite_IN
}
local {
name DSLite_LOCAL
}
}
local-ip ****************
multicast disable
remote-ip 2404:8e01::feed:100
ttl 64
}
loopback lo {
}
switch switch0 {
description LAN
mtu 1500
switch-port {
interface eth1 {
vlan {
pvid 10
}
}
interface eth2 {
vlan {
pvid 10
}
}
interface eth3 {
vlan {
pvid 10
}
}
interface eth4 {
vlan {
pvid 20
}
}
vlan-aware enable
}
vif 10 {
address 192.168.1.1/24
description vlan10
}
vif 20 {
address 192.168.2.1/24
description vlan20
firewall {
in {
name guest-in
}
local {
name guest-local
}
}
}
}
}
protocols {
static {
interface-route 0.0.0.0/0 {
next-hop-interface v6tun0 {
}
}
route6 ::/0 {
next-hop **************** {
interface eth0
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name vlan10 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.90 {
stop 192.168.1.168
}
static-mapping Canon_C356F {
ip-address 192.168.1.7
mac-address ****************
}
}
}
shared-network-name vlan20 {
authoritative enable
subnet 192.168.2.1/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.90 {
stop 192.168.2.168
}
static-mapping WN-AX1167GR2 {
ip-address 192.168.2.4
mac-address ****************
}
}
}
static-arp disable
use-dnsmasq disable
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
ssh {
port 22
protocol-version v2
}
ubnt-discover {
disable
}
ubnt-discover-server {
disable
}
}
system {
config-management {
commit-revisions 20
}
host-name ******
login {
user **************** {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
user **************** {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level operator
}
}
name-server 127.0.0.1
ntp {
server ntp.nict.jp {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Asia/Tokyo
}
$ show configuration commands
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group port-group PRINT_TCP description Printing_TCP
set firewall group port-group PRINT_TCP port 80
set firewall group port-group PRINT_TCP port 443
set firewall group port-group PRINT_TCP port 515
set firewall group port-group PRINT_TCP port 8000
set firewall group port-group PRINT_TCP port 8080
set firewall group port-group PRINT_TCP port 8443
set firewall group port-group PRINT_TCP port 9013
set firewall group port-group PRINT_TCP port 9100
set firewall group port-group PRINT_UDP description Printing_UDP
set firewall group port-group PRINT_UDP port 161
set firewall group port-group PRINT_UDP port 427
set firewall group port-group PRINT_UDP port 47545
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WANv6 to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 30 action drop
set firewall ipv6-name WANv6_IN rule 30 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 30 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WANv6 to Router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allw DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DSLite'
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall ipv6-name WANv6_LOCAL rule 50 action drop
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 50 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name DSLite_IN default-action drop
set firewall name DSLite_IN description 'WAN(DSLite)to LAN'
set firewall name DSLite_IN rule 10 action accept
set firewall name DSLite_IN rule 10 description 'Allow established/related'
set firewall name DSLite_IN rule 10 state established enable
set firewall name DSLite_IN rule 10 state related enable
set firewall name DSLite_IN rule 20 action drop
set firewall name DSLite_IN rule 20 description 'Drop invalid state'
set firewall name DSLite_IN rule 20 state invalid enable
set firewall name DSLite_LOCAL default-action drop
set firewall name DSLite_LOCAL description 'WAN(DSLite)to Router'
set firewall name DSLite_LOCAL rule 10 action accept
set firewall name DSLite_LOCAL rule 10 description 'Allow established/related'
set firewall name DSLite_LOCAL rule 10 state established enable
set firewall name DSLite_LOCAL rule 10 state related enable
set firewall name DSLite_LOCAL rule 20 action drop
set firewall name DSLite_LOCAL rule 20 description 'Drop invalid state'
set firewall name DSLite_LOCAL rule 20 state invalid enable
set firewall name guest-in default-action accept
set firewall name guest-in description guest-in
set firewall name guest-in rule 10 action accept
set firewall name guest-in rule 10 description printer
set firewall name guest-in rule 10 destination address 192.168.1.7
set firewall name guest-in rule 10 destination group port-group PRINT_TCP
set firewall name guest-in rule 10 log disable
set firewall name guest-in rule 10 protocol tcp
set firewall name guest-in rule 11 action accept
set firewall name guest-in rule 11 description printer
set firewall name guest-in rule 11 destination address 192.168.1.7
set firewall name guest-in rule 11 destination group port-group PRINT_UDP
set firewall name guest-in rule 11 log disable
set firewall name guest-in rule 11 protocol udp
set firewall name guest-in rule 20 action drop
set firewall name guest-in rule 20 description other
set firewall name guest-in rule 20 destination address 192.168.1.0/24
set firewall name guest-in rule 20 log disable
set firewall name guest-in rule 20 protocol all
set firewall name guest-local default-action drop
set firewall name guest-local description guest-local
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address 192.168.24.2/30
set interfaces ethernet eth0 address '****************/64'
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces ipv6-tunnel v6tun0 description DSLite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces ipv6-tunnel v6tun0 local-ip '****************'
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e01::feed:100'
set interfaces ipv6-tunnel v6tun0 ttl 64
set interfaces loopback lo
set interfaces switch switch0 description LAN
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 10
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan pvid 20
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 10 address 192.168.1.1/24
set interfaces switch switch0 vif 10 description vlan10
set interfaces switch switch0 vif 20 address 192.168.2.1/24
set interfaces switch switch0 vif 20 description vlan20
set interfaces switch switch0 vif 20 firewall in name guest-in
set interfaces switch switch0 vif 20 firewall local name guest-local
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
set protocols static route6 '::/0' next-hop '****************' interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name vlan10 authoritative enable
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 start 192.168.1.90 stop 192.168.1.168
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping Canon_C356F ip-address 192.168.1.7
set service dhcp-server shared-network-name vlan10 subnet 192.168.1.0/24 static-mapping Canon_C356F mac-address '****************'
set service dhcp-server shared-network-name vlan20 authoritative enable
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.1/24 default-router 192.168.2.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.1/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.1/24 lease 86400
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.1/24 start 192.168.2.90 stop 192.168.2.168
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.1/24 static-mapping WN-AX1167GR2 ip-address 192.168.2.4
set service dhcp-server shared-network-name vlan20 subnet 192.168.2.1/24 static-mapping WN-AX1167GR2 mac-address '****************'
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
set service ubnt-discover-server disable
set system config-management commit-revisions 20
set system host-name ******
set system login user ****** authentication encrypted-password '****************'
set system login user ****** authentication plaintext-password ''
set system login user ****** level admin
set system login user ****** authentication encrypted-password '****************'
set system login user ****** authentication plaintext-password ''
set system login user ****** level operator
set system name-server 127.0.0.1
set system ntp server ntp.nict.jp
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Asia/Tokyo