General Config

Commit ephemeral configuration; save configuration to survive restart

commit
save

Set password (the plaintext-password value is stored hashed once committed, but the literal value may remain in the session's command history; change the default ubnt credentials before enabling any management service)

set system login user ubnt authentication plaintext-password <myNewPassword>

Destroy configuration and restore defaults

sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot

Disable GUI older ciphers, UNMS, and UBNT discovery; halt the GUI and SSH (this leaves no remote management path until one of them is re-enabled)

set service gui older-ciphers disable
set service unms disable
set service ubnt-discover disable
set service ubnt-discover-server disable
delete service gui
delete service ssh

Set upstream NTP server

set system ntp server ntp.example.com

Review, clear default interface addresses and PoE

show interfaces ethernet
set interfaces ethernet eth9 poe output off
delete interfaces ethernet eth0 address
delete interfaces ethernet eth1 address dhcp

Activate DHCP client on an interface for use as WAN

set interfaces ethernet eth0 address dhcp
release dhcp interface eth0
renew dhcp interface eth0

Re-enable a disabled interface

delete interfaces ethernet eth0 disable

Global Settings

reference help.uisp.com

set system offload hwnat enable
set system host-name myRouter
set system domain-name example.com
set system domain-search example.net
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false

VLAN Segmentation with IPv4

reference vanwerkhoven.org

Review, assign LAN interfaces to switch0

show interfaces switch switch0 switch-port
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4

Review, delete existing 802.1Q VLANs; create new ones

show interfaces switch switch0 vif
delete interfaces switch switch0 vif

set interfaces switch switch0 vif 1 address 192.168.0.1/24
set interfaces switch switch0 vif 1 description LAN

set interfaces switch switch0 vif 10 address 172.16.0.1/24
set interfaces switch switch0 vif 10 description Guest

set interfaces switch switch0 vif 20 address 10.0.0.1/24
set interfaces switch switch0 vif 20 description IoT

Enable 802.1Q VLANs

set interfaces switch switch0 switch-port vlan-aware enable

Apply VLANs to the trunk interfaces for an 802.1Q-aware WAP and switch

set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth1 vlan vid 10
set interfaces switch switch0 switch-port interface eth1 vlan vid 20

set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth2 vlan vid 10
set interfaces switch switch0 switch-port interface eth2 vlan vid 20

An interface may carry many VIDs (tagged), but only one PVID (untagged).

Apply a VLAN to each interface for use by client devices

set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 10
set interfaces switch switch0 switch-port interface eth5 vlan pvid 20
...

Review, delete existing DHCP service; create new pools

show dhcp statistics
delete service dhcp-server

set service dhcp-server shared-network-name vlan1 authoritative enable
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 default-router 192.168.0.1
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 dns-server 203.0.113.113
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 dns-server 203.0.113.114
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 lease 86400
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 start 192.168.0.100 stop 192.168.0.200
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 domain-name example.com

set service dhcp-server shared-network-name vlan10 authoritative enable
set service dhcp-server shared-network-name vlan10 subnet 172.16.0.0/24 default-router 172.16.0.1
set service dhcp-server shared-network-name vlan10 subnet 172.16.0.0/24 dns-server 172.16.0.1
set service dhcp-server shared-network-name vlan10 subnet 172.16.0.0/24 lease 86400
set service dhcp-server shared-network-name vlan10 subnet 172.16.0.0/24 start 172.16.0.100 stop 172.16.0.200
set service dhcp-server shared-network-name vlan10 subnet 172.16.0.0/24 domain-name lan

set service dhcp-server shared-network-name vlan20 authoritative enable
set service dhcp-server shared-network-name vlan20 subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name vlan20 subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name vlan20 subnet 10.0.0.0/24 lease 86400
set service dhcp-server shared-network-name vlan20 subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.200
set service dhcp-server shared-network-name vlan20 subnet 10.0.0.0/24 domain-name lan

Review, enable DHCP service; show a pool

show service dhcp-server
set service dhcp-server disabled false
show dhcp leases pool vlan1

Map a MAC address to a specific IP (static assignment)

set system static-host-mapping host-name myserver inet 192.168.0.42
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 static-mapping myserver ip-address 192.168.0.42
set service dhcp-server shared-network-name vlan1 subnet 192.168.0.0/24 static-mapping myserver mac-address 00:00:5E:00:53:01

Create, review NAT service

set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
set service nat rule 5010 log disable

show service nat

Establish port forwarding (requires appropriate firewall rules; a WAN-reachable SSH port will attract login attempts, so key-only authentication on the forwarded host is advisable)

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface switch0.1

set port-forward rule 10 description 'SSH'
set port-forward rule 10 forward-to address 192.168.0.42
set port-forward rule 10 forward-to port 22
set port-forward rule 10 original-port 22
set port-forward rule 10 protocol tcp

Create IPv4 Zone-based Firewall

reference help.ui.com, lazyadmin.nl, kings-guard.com, help.uisp.com, forshee.me

Review zones and the firewalls applied to them; delete all zones

show zone-policy zone

delete zone-policy zone

Define inter-zone firewall policies and their rules

set firewall name FW_ACCEPT default-action accept
set firewall name FW_ACCEPT rule 10 action reject
set firewall name FW_ACCEPT rule 10 description 'Reject invalid'
set firewall name FW_ACCEPT rule 10 log disable
set firewall name FW_ACCEPT rule 10 state invalid enable


set firewall name FW_EST default-action drop
set firewall name FW_EST rule 10 action accept
set firewall name FW_EST rule 10 description 'All established'
set firewall name FW_EST rule 10 log disable
set firewall name FW_EST rule 10 state established enable


set firewall name FW_GUEST_TO_LAN default-action drop
set firewall name FW_GUEST_TO_LAN rule 10 action accept
set firewall name FW_GUEST_TO_LAN rule 10 description 'All established'
set firewall name FW_GUEST_TO_LAN rule 10 log disable
set firewall name FW_GUEST_TO_LAN rule 10 state established enable

set firewall name FW_GUEST_TO_LAN rule 20 action accept
set firewall name FW_GUEST_TO_LAN rule 20 description 'myprinter jetdirect'
set firewall name FW_GUEST_TO_LAN rule 20 log disable
set firewall name FW_GUEST_TO_LAN rule 20 state new enable
set firewall name FW_GUEST_TO_LAN rule 20 destination address 192.168.0.55
set firewall name FW_GUEST_TO_LAN rule 20 protocol tcp
set firewall name FW_GUEST_TO_LAN rule 20 destination port 9100


set firewall name FW_WAN_TO_LAN default-action drop
set firewall name FW_WAN_TO_LAN rule 10 action accept
set firewall name FW_WAN_TO_LAN rule 10 description 'All established'
set firewall name FW_WAN_TO_LAN rule 10 log disable
set firewall name FW_WAN_TO_LAN rule 10 state established enable

set firewall name FW_WAN_TO_LAN rule 20 action accept
set firewall name FW_WAN_TO_LAN rule 20 description 'myserver http/s'
set firewall name FW_WAN_TO_LAN rule 20 log disable
set firewall name FW_WAN_TO_LAN rule 20 state new enable
set firewall name FW_WAN_TO_LAN rule 20 destination address 192.168.0.42
set firewall name FW_WAN_TO_LAN rule 20 protocol tcp
set firewall name FW_WAN_TO_LAN rule 20 destination port 80,443

set firewall name FW_WAN_TO_LAN rule 30 action accept
set firewall name FW_WAN_TO_LAN rule 30 description 'myserver ssh'
set firewall name FW_WAN_TO_LAN rule 30 log disable
set firewall name FW_WAN_TO_LAN rule 30 state new enable
set firewall name FW_WAN_TO_LAN rule 30 destination address 192.168.0.42
set firewall name FW_WAN_TO_LAN rule 30 protocol tcp
set firewall name FW_WAN_TO_LAN rule 30 destination port 22


set firewall name FW_ROUTER_NMP default-action drop
set firewall name FW_ROUTER_NMP rule 10 action accept
set firewall name FW_ROUTER_NMP rule 10 description 'Router dns'
set firewall name FW_ROUTER_NMP rule 10 log disable
set firewall name FW_ROUTER_NMP rule 10 protocol udp
set firewall name FW_ROUTER_NMP rule 10 destination port 53

set firewall name FW_ROUTER_NMP rule 20 action accept
set firewall name FW_ROUTER_NMP rule 20 description 'Router dhcp'
set firewall name FW_ROUTER_NMP rule 20 log disable
set firewall name FW_ROUTER_NMP rule 20 protocol udp
set firewall name FW_ROUTER_NMP rule 20 destination port 67,68
set firewall name FW_ROUTER_NMP rule 30 action accept
set firewall name FW_ROUTER_NMP rule 30 description 'All established'
set firewall name FW_ROUTER_NMP rule 30 log disable
set firewall name FW_ROUTER_NMP rule 30 state established enable

TCP requires both a rule admitting the initial SYN (state new) and one admitting the ACK reply (state established); a policy with only one of them will not complete the handshake!

Review firewall policies; delete one

show firewall name

delete firewall name FW_OOPSIE

Define the zones and apply firewall policies to inter-zone traffic flows

set zone-policy zone GUEST interface switch0.10
set zone-policy zone GUEST default-action drop
set zone-policy zone GUEST from LAN firewall name FW_EST
set zone-policy zone GUEST from LOCAL firewall name FW_ACCEPT
set zone-policy zone GUEST from WAN firewall name FW_EST

set zone-policy zone IOT interface switch0.20
set zone-policy zone IOT default-action drop
set zone-policy zone IOT from LAN firewall name FW_EST
set zone-policy zone IOT from LOCAL firewall name FW_ACCEPT

set zone-policy zone LAN interface switch0.1
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from GUEST firewall name FW_GUEST_TO_LAN
set zone-policy zone LAN from IOT firewall name FW_EST
set zone-policy zone LAN from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN from WAN firewall name FW_WAN_TO_LAN

set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from GUEST firewall name FW_ROUTER_NMP
set zone-policy zone LOCAL from IOT firewall name FW_ROUTER_NMP
set zone-policy zone LOCAL from LAN firewall name FW_ACCEPT
set zone-policy zone LOCAL from WAN firewall name FW_EST

set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action reject
set zone-policy zone WAN from GUEST firewall name FW_ACCEPT
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from LOCAL firewall name FW_ACCEPT

The zone's default-action (drop or reject) already covers every inter-zone flow not listed above, so explicit directives for the omitted (commented-out) flows are unnecessary.

nmap reports a port behind a drop action as "filtered" and one behind a reject action as "closed".

Review zones and the firewall policies applied to them

show zone-policy zone

Miscellaneous global directives to consider (review each before applying; source-validation governs reverse-path filtering, and log-martians records packets with impossible source addresses)

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

Add IPv6 Firewalls

Define inter-zone firewall policies and their rules (reference b-9.cc)

set firewall ipv6-name FW_ACCEPT_6 default-action accept
set firewall ipv6-name FW_ACCEPT_6 rule 10 action reject
set firewall ipv6-name FW_ACCEPT_6 rule 10 description 'Reject invalid'
set firewall ipv6-name FW_ACCEPT_6 rule 10 log disable
set firewall ipv6-name FW_ACCEPT_6 rule 10 state invalid enable


set firewall ipv6-name FW_EST_6 default-action drop
set firewall ipv6-name FW_EST_6 rule 10 action accept
set firewall ipv6-name FW_EST_6 rule 10 description 'All established'
set firewall ipv6-name FW_EST_6 rule 10 log disable
set firewall ipv6-name FW_EST_6 rule 10 state established enable


set firewall ipv6-name FW_ROUTER_NMP_6 default-action drop
set firewall ipv6-name FW_ROUTER_NMP_6 rule 10 action accept
set firewall ipv6-name FW_ROUTER_NMP_6 rule 10 description 'All established'
set firewall ipv6-name FW_ROUTER_NMP_6 rule 10 log disable
set firewall ipv6-name FW_ROUTER_NMP_6 rule 10 state established enable

set firewall ipv6-name FW_ROUTER_NMP_6 rule 20 action accept
set firewall ipv6-name FW_ROUTER_NMP_6 rule 20 description 'DHCPv6'
set firewall ipv6-name FW_ROUTER_NMP_6 rule 20 log disable
set firewall ipv6-name FW_ROUTER_NMP_6 rule 20 destination port 546
set firewall ipv6-name FW_ROUTER_NMP_6 rule 20 protocol udp
set firewall ipv6-name FW_ROUTER_NMP_6 rule 20 source port 547

set firewall ipv6-name FW_ROUTER_NMP_6 rule 30 action accept
set firewall ipv6-name FW_ROUTER_NMP_6 rule 30 description 'IPv6 icmp'
set firewall ipv6-name FW_ROUTER_NMP_6 rule 30 log disable
set firewall ipv6-name FW_ROUTER_NMP_6 rule 30 protocol ipv6-icmp


set firewall ipv6-name FW_WAN_TO_LOCAL_6 default-action drop
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 10 action accept
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 10 description 'All established'
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 10 log disable
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 10 state established enable

set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 20 action accept
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 20 description 'DHCPv6'
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 20 log disable
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 20 destination port 546
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 20 protocol udp
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 20 source port 547

set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 30 action accept
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 30 description 'IPv6 icmp'
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 30 log disable
set firewall ipv6-name FW_WAN_TO_LOCAL_6 rule 30 protocol ipv6-icmp


set firewall ipv6-name FW_WAN_TO_LAN_6 default-action drop
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 10 action accept
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 10 description 'All established'
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 10 log disable
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 10 state established enable

set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 action accept
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 description 'myserver http/s'
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 log disable
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 state new enable
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 destination address 2001:DB8::42
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 protocol tcp
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 20 destination port 80,443

set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 action accept
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 description 'myserver ssh'
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 log disable
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 state new enable
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 destination address 2001:DB8::42
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 protocol tcp
set firewall ipv6-name FW_WAN_TO_LAN_6 rule 30 destination port 22

Add Single IPv6 VLAN

Apply firewall policies to inter-zone traffic flows

set zone-policy zone LAN from LOCAL firewall ipv6-name FW_ACCEPT_6
set zone-policy zone LAN from WAN firewall ipv6-name FW_WAN_TO_LAN_6

set zone-policy zone LOCAL from LAN firewall ipv6-name FW_ACCEPT_6
set zone-policy zone LOCAL from WAN firewall ipv6-name FW_WAN_TO_LOCAL_6

set zone-policy zone WAN from LAN firewall ipv6-name FW_ACCEPT_6
set zone-policy zone WAN from LOCAL firewall ipv6-name FW_ACCEPT_6

Activate DHCPv6-PD /64 provisioning and advertisement

reference community.ui.com

set interfaces ethernet eth0 dhcpv6-pd pd 0
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.1
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 64

set interfaces switch switch0 vif 1 ipv6 router-advert prefix ::/64
set interfaces switch switch0 vif 1 ipv6 router-advert managed-flag true 
set interfaces switch switch0 vif 1 ipv6 router-advert name-server 2001:DB8::1111

Add Multiple IPv6 VLANs

Note: a /60 delegation provides prefix-ids from 0 to E (inclusive) in hexadecimal, i.e. 0 to 14 (inclusive) in decimal.

Issue prefix delegation request with /60 prefix-length hint

set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 60
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-only (??)

Renew DHCPv6-PD lease

renew dhcpv6-pd interface eth0

Assign first four prefixes to their respective VLANs

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.10 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.10 service dhcpv6-stateful
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.10 prefix-id :0

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.20 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.20 service dhcpv6-stateful
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.20 prefix-id :1

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.30 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.30 service dhcpv6-stateful
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0.30 prefix-id :2

Advertise DHCPv6 services

set interfaces switch switch0 vif 10 ipv6 router-advert prefix ::/64
set interfaces switch switch0 vif 10 ipv6 router-advert managed-flag true 
set interfaces switch switch0 vif 10 ipv6 router-advert name-server 2001:DB8::1111

set interfaces switch switch0 vif 20 ipv6 router-advert prefix ::/64
set interfaces switch switch0 vif 20 ipv6 router-advert managed-flag true 
set interfaces switch switch0 vif 20 ipv6 router-advert name-server 2001:DB8::1111

set interfaces switch switch0 vif 30 ipv6 router-advert prefix ::/64
set interfaces switch switch0 vif 30 ipv6 router-advert managed-flag true 
set interfaces switch switch0 vif 30 ipv6 router-advert name-server 2001:DB8::1111