Ubiquiti Edgerouter X en KPN glasvezel internet configuratie met Experiabox V10
5 people like this post
Ik heb een Reggefiber glasvezel aansluiting (in Apeldoorn) met een KPN triple play abonnement, telefoon, TV en internet. Momenteel heb ik een 200/200 abonnement. De door KPN geleverde Experiabox (v10 nu) geeft mij niet de gewenste configuratie mogelijkheden, dat zeg ik toch heel netjes 😉
Na veel lezen en help van andere sites ( tweakers.net / kriegsman.io / pimwiddershoven.nl / netwerkje.com ) tot de volgende goed werkende configuratie gekomen. Ik heb een aparte router en wifi access point omdat ik na jaren modderen met all-in-one routers van Acer, Netgear en TP-Link daar zo zat van was dat ik opzoek ben gegaan naar beter spul. De grote voordelen zijn, de router kan in de meter kast maar het wifi access point kan op een beter plaats zonder dat het wifi signaal verstoord wordt. Uit gekomen bij Ubiquiti: niet gemakkelijker, wel veel beter. Mijn huidige setup ziet er zo uit:
Een Ubiquiti Edgerouter X (amazon.de) de volgende aansluitingen:
Port 0 = NT Glasvezel aansluiting
Port 1 = Lokaal LAN 10.10.10.* via een 8 poort Netgear ProSAFE Gigabit Plus Switch GS108E
Port 2 = Lokaal LAN 10.10.10.* voor IPTV via een 5 poort Netgear ProSAFE Gigabit Plus Switch GS105E
Port 3 = Lokaal LAN 10.10.10.* voor WIFI via een Ubiquiti UniFi AP-AC-PRO
Port 4 = Experia V10 box voor telefonie
De inkomende Vlans zijn 4 = IPTV, 6= internet, 7 = Telefonie. IPTV kan routed en bridged, ik gebruik routed. Uitleg hier. Ik gebruik de Experiabox dus alleen voor telefonie, ook heb ik de WIFI afgezet op de Experiabox (geen vervuiling van het wifi spectrum).
Ik heb bewust voor de iets duurdere 5 en 8 port Netgear switches gekozen omdat deze goed IGMP snooping, nodig voor KPN IPTV, ondersteunen in tegenstelling andere merken die zeggen dat ze het ondersteunen maar bij mij werkte het niet (TP-LINK).
De edgerouter X heeft een configureerbare ingebouwde hardware switch, dat hebben niet alle modellen van Ubiquiti, port 1,2,3 zijn als switch geconfigureerd werken dus als 1 LAN. Ook is hardware offloading aangezet, dit is wel zo goed voor de performance.
De GUI van de Edgerouter is mooi maar inloggen met ssh maakt het opzetten gemakkelijker. Wel even opletten wat je doet bij het configureren en aan welke poort met welk (DHCP) Ip adres je je computer hangt waar meer je via ssh in logt. Mijn interne netwerk heeft de ip range 10.10.10.x /255.255.255.0, als jij wat anders hebt de config aanpassen. Let op! dit is dus geen walk-through-guide maar een weergave van een werkende configuratie.
Als je aan de slag gaat natuurlijk de “set” commands omgeven met:
configure ...commands commit save exit
Zo ziet mijn configuratie er momenteel uit (Ik heb wat instellingen met XXXX gemarkeerd die je moet vervangen met jou data)
Het commentaar met // moet weg gelaten worden
$ show configuration commands set firewall all-ping enable set firewall broadcast-ping disable set firewall ipv6-name WANv6_IN default-action drop set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN' set firewall ipv6-name WANv6_IN enable-default-log set firewall ipv6-name WANv6_IN rule 10 action accept set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions' set firewall ipv6-name WANv6_IN rule 10 state established enable set firewall ipv6-name WANv6_IN rule 10 state related enable set firewall ipv6-name WANv6_IN rule 20 action drop set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state' set firewall ipv6-name WANv6_IN rule 20 state invalid enable set firewall ipv6-name WANv6_LOCAL default-action drop set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router' set firewall ipv6-name WANv6_LOCAL enable-default-log set firewall ipv6-name WANv6_LOCAL rule 10 action accept set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions' set firewall ipv6-name WANv6_LOCAL rule 10 state established enable set firewall ipv6-name WANv6_LOCAL rule 10 state related enable set firewall ipv6-name WANv6_LOCAL rule 20 action drop set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state' set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable set firewall ipv6-name WANv6_LOCAL rule 30 action accept set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp' set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp set firewall ipv6-name WANv6_LOCAL rule 40 action accept set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6' set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546 set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp set firewall ipv6-name WANv6_LOCAL rule 40 source port 547 set firewall ipv6-receive-redirects disable set firewall ipv6-src-route disable set firewall ip-src-route disable set firewall log-martians enable set firewall name WAN_IN default-action drop set firewall name WAN_IN description 'WAN to Internal' set firewall name WAN_IN enable-default-log set firewall name WAN_IN rule 10 action accept set firewall name WAN_IN rule 10 description 'Allow established/related' set firewall name WAN_IN rule 10 log enable set firewall name WAN_IN rule 10 protocol all set firewall name WAN_IN rule 10 state established enable set firewall name WAN_IN rule 10 state invalid disable set firewall name WAN_IN rule 10 state new disable set firewall name WAN_IN rule 10 state related enable set firewall name WAN_IN rule 20 action drop set firewall name WAN_IN rule 20 description 'Drop invalid state' set firewall name WAN_IN rule 20 log enable set firewall name WAN_IN rule 20 protocol all set firewall name WAN_IN rule 20 state established disable set firewall name WAN_IN rule 20 state invalid enable set firewall name WAN_IN rule 20 state new disable set firewall name WAN_IN rule 20 state related disable set firewall name WAN_LOCAL default-action drop set firewall name WAN_LOCAL description 'WAN to router' set firewall name WAN_LOCAL enable-default-log set firewall name WAN_LOCAL rule 10 action accept set firewall name WAN_LOCAL rule 10 description 'Allow established/related' set firewall name WAN_LOCAL rule 10 log disable set firewall name WAN_LOCAL rule 10 protocol all set firewall name WAN_LOCAL rule 10 state established enable set firewall name WAN_LOCAL rule 10 state invalid disable set firewall name WAN_LOCAL rule 10 state new disable set firewall name WAN_LOCAL rule 10 state related enable set firewall name WAN_LOCAL rule 20 action drop set firewall name WAN_LOCAL rule 20 description 'Drop invalid state' set firewall name WAN_LOCAL rule 20 log disable set firewall name WAN_LOCAL rule 20 protocol all set firewall name WAN_LOCAL rule 20 state established disable set firewall name WAN_LOCAL rule 20 state invalid enable set firewall name WAN_LOCAL rule 20 state new disable set firewall name WAN_LOCAL rule 20 state related disable set firewall receive-redirects disable set firewall send-redirects enable set firewall source-validation disable set firewall syn-cookies enable // Bridge voor Telefonie set interfaces bridge br0 aging 300 set interfaces bridge br0 bridged-conntrack disable set interfaces bridge br0 hello-time 2 set interfaces bridge br0 max-age 20 set interfaces bridge br0 priority 32768 set interfaces bridge br0 promiscuous disable set interfaces bridge br0 stp false // eth0 is port 0 is een PPPOE voor naar de glasvezel set interfaces ethernet eth0 description 'eth0 - FTU' set interfaces ethernet eth0 duplex auto set interfaces ethernet eth0 mtu 1512 set interfaces ethernet eth0 speed auto set interfaces ethernet eth0 vif 4 address dhcp set interfaces ethernet eth0 vif 4 description 'eth0.4 - IPTV' set interfaces ethernet eth0 vif 4 dhcp-options client-option 'send vendor-class-identifier "IPTV_RG";' set interfaces ethernet eth0 vif 4 dhcp-options client-option 'request subnet-mask, routers, rfc3442-classless-static-routes;' set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210 set interfaces ethernet eth0 vif 4 dhcp-options name-server update // IP internet verkeer VLAN 6 aan bridge br0 hangen set interfaces ethernet eth0 vif 6 description 'eth0.6 - Internet' set interfaces ethernet eth0 vif 6 mtu 1508 set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd no-dns set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id ':1' set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 prefix-length /48 set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd rapid-commit disable set interfaces ethernet eth0 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WAN_IN set interfaces ethernet eth0 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WAN_LOCAL set interfaces ethernet eth0 vif 6 pppoe 0 idle-timeout 180 set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 address autoconf set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1 set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 enable set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1500 set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto set interfaces ethernet eth0 vif 6 pppoe 0 password kpn set interfaces ethernet eth0 vif 6 pppoe 0 user-id XX-XX-XX-XX-XX@direct-adsl // TelefonieVLAN 7 aan bridge br0 hangen set interfaces ethernet eth0 vif 7 bridge-group bridge br0 set interfaces ethernet eth0 vif 7 description 'eth0.7 - VOIP' set interfaces ethernet eth0 vif 7 mtu 1500 // Eth1 is voor mijn normale internet verkeer naar lokaal lan set interfaces ethernet eth1 description 'eth1 - LAN' set interfaces ethernet eth1 duplex auto set interfaces ethernet eth1 speed auto // Eth2 is voor IPTV set interfaces ethernet eth2 description 'eth2 - IPTV' set interfaces ethernet eth2 duplex auto set interfaces ethernet eth2 mtu 1500 set interfaces ethernet eth2 speed auto //Eth3 is voor mijn WIFI access point, deze kan ook in de switch die aan poort eth1 hangt, werkt ook set interfaces ethernet eth3 duplex auto set interfaces ethernet eth3 speed auto //Eth4 gaat naar experiabox voor telefonie set interfaces ethernet eth4 description 'eth4 - ExperiaBox' set interfaces ethernet eth4 duplex auto set interfaces ethernet eth4 speed auto set interfaces ethernet eth4 vif 7 bridge-group bridge br0 set interfaces ethernet eth4 vif 7 description 'eth4.7 - ExperiaBox VOIP' set interfaces ethernet eth4 vif 7 mtu 1500 // Combineer Eth1 / eth2 / eth3 in 1 switch en geef die het interne router IP. set interfaces loopback lo set interfaces switch switch0 address 10.10.10.4/24 set interfaces switch switch0 mtu 1500 set interfaces switch switch0 switch-port interface eth1 set interfaces switch switch0 switch-port interface eth2 set interfaces switch switch0 switch-port interface eth3 set interfaces switch switch0 switch-port vlan-aware disable // Nog een poort forward, niet nodig om het eea de gang te krijgen set port-forward auto-firewall enable set port-forward hairpin-nat enable set port-forward lan-interface switch0 set port-forward rule 1 description rest-https set port-forward rule 1 forward-to address 10.10.10.3 set port-forward rule 1 forward-to port 3101 set port-forward rule 1 original-port 3101 set port-forward rule 1 protocol tcp set port-forward wan-interface pppoe0 //Disable quick leave is nodig anders hapert IPTV zender wisselen set protocols igmp-proxy disable-quickleave set protocols igmp-proxy interface eth0.4 alt-subnet 0.0.0.0/0 set protocols igmp-proxy interface eth0.4 role upstream set protocols igmp-proxy interface eth0.4 threshold 1 set protocols igmp-proxy interface eth2 alt-subnet 0.0.0.0/0 set protocols igmp-proxy interface eth2 role downstream set protocols igmp-proxy interface eth2 threshold 1 // Routes opzetten voor IPTV set protocols static interface-route6 '::/0' next-hop-interface pppoe0 set protocols static route 213.75.112.0/21 next-hop 10.228.208.1 // DHCP server aanzetten set service dhcp-server disabled false set service dhcp-server global-parameters 'option vendor-class-identifier code 60 = string;' set service dhcp-server global-parameters 'option broadcast-address code 28 = ip-address;' set service dhcp-server hostfile-update disable set service dhcp-server shared-network-name LAN authoritative enable set service dhcp-server shared-network-name LAN subnet 10.10.10.0/24 default-router 10.10.10.4 // Ik gebruik googles DNS servers 8.8.8.8 en 4.4.4.4 set service dhcp-server shared-network-name LAN subnet 10.10.10.0/24 dns-server 8.8.8.8 set service dhcp-server shared-network-name LAN subnet 10.10.10.0/24 dns-server 8.8.4.4 set service dhcp-server shared-network-name LAN subnet 10.10.10.0/24 lease 86400 set service dhcp-server shared-network-name LAN subnet 10.10.10.0/24 start 10.10.10.100 stop 10.10.10.200 set service dhcp-server static-arp disable set service dhcp-server use-dnsmasq disable // Ik gebruik dynamic DNS NOIP. Niet nodig als je niet weet wat dit is. set service dns dynamic interface eth0 service noip host-name XXX.XXX.nl set service dns dynamic interface eth0 service noip login XXXUsernaam set service dns dynamic interface eth0 service noip password XXXPassword // DNS forwarding opzetten set service dns forwarding cache-size 150 set service dns forwarding listen-on switch0 set service dns forwarding name-server 8.8.8.8 set service dns forwarding name-server 8.8.4.4 set service dns forwarding options listen-address=10.10.10.4 // Edgerouter gui alleen van 10.10.10.4 te benaderen set service gui http-port 80 set service gui https-port 443 set service gui listen-address 10.10.10.4 set service gui older-ciphers enable // Wat NAT rule op IPTV en internet verkeer door te laten set service nat rule 5000 description IPTV set service nat rule 5000 destination address 10.16.0.0/16 set service nat rule 5000 log disable set service nat rule 5000 outbound-interface eth0.4 set service nat rule 5000 protocol all set service nat rule 5000 type masquerade set service nat rule 5001 description IPTV set service nat rule 5001 destination address 213.75.112.0/21 set service nat rule 5001 log disable set service nat rule 5001 outbound-interface eth0.4 set service nat rule 5001 protocol all set service nat rule 5001 type masquerade set service nat rule 5010 description 'KPN Internet' set service nat rule 5010 log enable set service nat rule 5010 outbound-interface pppoe0 set service nat rule 5010 protocol all set service nat rule 5010 source address 10.10.10.4/24 set service nat rule 5010 type masquerade // ssh port open zetten voor command line set service ssh port 22 set service ssh protocol-version v2 set service ubnt-discover disable // upnp alleen via switch0 (10.10.10.4) te benaderen set service upnp listen-on switch0 outbound-interface pppoe0 set system host-name XXX // User login op Edgerouter opzetten set system login user ubnt authentication encrypted-password 'XXXXXXXXXXXXXXXXXXXXXXXXXXX' set system login user XXX authentication plaintext-password '' set system login user XXX full-name '' set system login user XXX level admin // Googles DNS servers set system name-server 8.8.8.8 set system name-server 8.8.4.4 // NTP protocol opzetten set system ntp server 0.ubnt.pool.ntp.org set system ntp server 1.ubnt.pool.ntp.org set system ntp server 2.ubnt.pool.ntp.org set system ntp server 3.ubnt.pool.ntp.org // Hardware offloading voor de Edgerouter X aanzetten (performance!!) set system offload hwnat enable // Misc settings set system package set system syslog global facility all level notice set system syslog global facility protocols level debug set system time-zone UTC set system traffic-analysis dpi disable set system traffic-analysis export disable
