├── README.md ├── rfc3442-classless-routes ├── juniper-srx-altibox ├── mikrotik-rb4011-altibox └── edgerouter-x-altibox /README.md: -------------------------------------------------------------------------------- 1 | # routerconfig 2 | 3 | Repo med diverse konfig for forskjellige typer routere, for native IPv6 (ikke 6rd) mot Altibox. 4 | 5 | Foruten at konfigene er ment å fungere med Altibox, så er det ingen koblinger til Altibox. Altibox har med andre ord ingenting med disse konfigene å gjøre og har ingen plikt til eller ansvar for at deres ende av konfigen er kompatibel med disse konfigurasjonsfilene. 6 | 7 | OBS: førstegangsoppkobling av q22 vil ikke virke. En må enten først koble opp via en fmg/vmg, eller ringe kundesenteret og be dem legge inn MAC-adressen på kundeforholdet ditt. 8 | -------------------------------------------------------------------------------- /rfc3442-classless-routes: -------------------------------------------------------------------------------- 1 | # Original copied from https://gist.githubusercontent.com/kgersen/58c26951f087e89cef28/raw/bbb20531f108bc7e03897a10a6d0dad4dc2c26d1/rfc3442-classless-routes 2 | # needed to change metric on routes installed 3 | # set classless routes based on the format specified in RFC3442 4 | # e.g.: 5 | # new_rfc3442_classless_static_routes='24 192 168 10 192 168 1 1 8 10 10 17 66 41' 6 | # specifies the routes: 7 | # 192.168.10.0/24 via 192.168.1.1 8 | # 10.0.0.0/8 via 10.17.66.41 9 | 10 | RUN="yes" 11 | metric="250" 12 | 13 | if [ "$RUN" = "yes" ]; then 14 | if [ -n "$new_rfc3442_classless_static_routes" ]; then 15 | if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ]; then 16 | 17 | set -- $new_rfc3442_classless_static_routes 18 | 19 | while [ $# -gt 0 ]; do 20 | net_length=$1 21 | via_arg='' 22 | 23 | case $net_length in 24 | 32|31|30|29|28|27|26|25) 25 | net_address="${2}.${3}.${4}.${5}" 26 | gateway="${6}.${7}.${8}.${9}" 27 | shift 9 28 | ;; 29 | 24|23|22|21|20|19|18|17) 30 | 
net_address="${2}.${3}.${4}.0" 31 | gateway="${5}.${6}.${7}.${8}" 32 | shift 8 33 | ;; 34 | 16|15|14|13|12|11|10|9) 35 | net_address="${2}.${3}.0.0" 36 | gateway="${4}.${5}.${6}.${7}" 37 | shift 7 38 | ;; 39 | 8|7|6|5|4|3|2|1) 40 | net_address="${2}.0.0.0" 41 | gateway="${3}.${4}.${5}.${6}" 42 | shift 6 43 | ;; 44 | 0) # default route 45 | net_address="0.0.0.0" 46 | gateway="${2}.${3}.${4}.${5}" 47 | shift 5 48 | ;; 49 | *) # error 50 | return 1 51 | ;; 52 | esac 53 | 54 | # take care of link-local routes 55 | if [ "${gateway}" != '0.0.0.0' ]; then 56 | via_arg="via ${gateway}" 57 | fi 58 | 59 | # set route (ip detects host routes automatically) 60 | ip -4 route add "${net_address}/${net_length}" \ 61 | ${via_arg} dev "${interface}" metric "${metric}" >/dev/null 2>&1 62 | done 63 | fi 64 | fi 65 | fi 66 | -------------------------------------------------------------------------------- /juniper-srx-altibox: -------------------------------------------------------------------------------- 1 | # Dette er en ganske skrellet Junos-config for å få opp en Juniper SRX mot Altibox native IPv6 (ikke 6rd) med Prefix Delegation via FMG i bridge mode. 2 | # Dette funker for undertegnede, om det ikke funker for deg så kan jeg ha kommet i skade for å ha utelatt en detalj. :-) 3 | # dhcpcd på en klient i vlan 666 besørger en adresse og rute ut, men terminerer deretter uventet. Ikke ferdig debugget. 4 | # 5 | # Jeg har en aksessport mot FMG i VLAN 256, og bruker VLAN 666 i en annen securityzone som innsidebein. Tilpass etter behov. 6 | # Nix TV her altså. 7 | 8 | # Første steg er å enable IPv6: 9 | set security forwarding-options family inet6 mode flow-based 10 | 11 | # Når man committer foregående linje, så får man beskjed om å reboote for å aktivere endringen. 
12 | # Verifisering: 13 | 14 | # user@JuniperSRX> show security flow status 15 | # Flow forwarding mode: 16 | # Inet forwarding mode: flow based 17 | # Inet6 forwarding mode: flow based 18 | # MPLS forwarding mode: drop 19 | # ISO forwarding mode: drop 20 | 21 | # Konfig for Altibox 22 | 23 | # Interfaces (merk totalt fravær av statisk IP-info) 24 | # ========= 25 | set interfaces irb unit 256 description "Mot Altibox" 26 | set interfaces irb unit 256 family inet dhcp 27 | set interfaces irb unit 256 family inet unconditional-src-learn 28 | set interfaces irb unit 256 family inet6 dhcpv6-client client-type stateful 29 | set interfaces irb unit 256 family inet6 dhcpv6-client client-ia-type ia-pd 30 | set interfaces irb unit 256 family inet6 dhcpv6-client rapid-commit 31 | set interfaces irb unit 256 family inet6 dhcpv6-client client-identifier duid-type duid-llt 32 | set interfaces irb unit 256 family inet6 dhcpv6-client req-option dns-server 33 | set interfaces irb unit 256 family inet6 dhcpv6-client retransmission-attempt 0 34 | set interfaces irb unit 256 family inet6 dhcpv6-client update-router-advertisement interface irb.666 other-stateful-configuration 35 | set interfaces irb unit 256 family inet6 dhcpv6-client update-router-advertisement interface irb.666 max-advertisement-interval 6 36 | set interfaces irb unit 256 family inet6 dhcpv6-client update-router-advertisement interface irb.666 min-advertisement-interval 3 37 | # 38 | set interfaces irb unit 666 description "Test6 innside-interface" 39 | set interfaces irb unit 666 family inet6 40 | 41 | # System services (litt usikker på om dette gjør noe fra eller til uten å samtidig angi en statisk pool) 42 | # =============== 43 | set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100 44 | set system services dhcp-local-server dhcpv6 overrides rapid-commit 45 | set system services dhcp-local-server dhcpv6 overrides always-add-option-dns-server 46 | set system services dhcp-local-server 
dhcpv6 group dhcpv6-group-1 interface irb.666 47 | set system services dhcp-local-server dhcpv6 allow-leasequery 48 | 49 | # Security zones 50 | # ============== 51 | set security zones security-zone untrust host-inbound-traffic system-services ping 52 | set security zones security-zone untrust host-inbound-traffic system-services dhcp 53 | set security zones security-zone untrust host-inbound-traffic system-services ntp 54 | set security zones security-zone untrust host-inbound-traffic system-services dhcpv6 55 | set security zones security-zone untrust host-inbound-traffic protocols router-discovery 56 | set security zones security-zone untrust interfaces irb.256 57 | set security zones security-zone test6 host-inbound-traffic system-services dhcpv6 58 | set security zones security-zone test6 host-inbound-traffic system-services ping 59 | set security zones security-zone test6 host-inbound-traffic protocols router-discovery 60 | set security zones security-zone test6 interfaces irb.666 61 | 62 | # Security policies (adapt as you see fit, allowed traffic from untrust to test6 is limited to icmp and ssh) 63 | # ================= 64 | set security policies global policy permit-untrust match source-address any 65 | set security policies global policy permit-untrust match destination-address any 66 | set security policies global policy permit-untrust match application any 67 | set security policies global policy permit-untrust match from-zone untrust 68 | set security policies global policy permit-untrust match to-zone untrust 69 | set security policies global policy permit-untrust then permit 70 | set security policies global policy permit-test6 match source-address any 71 | set security policies global policy permit-test6 match destination-address any 72 | set security policies global policy permit-test6 match application junos-icmp-ping 73 | set security policies global policy permit-test6 match application junos-ssh 74 | set security policies global policy 
permit-test6 match from-zone untrust 75 | set security policies global policy permit-test6 match to-zone test6 76 | set security policies global policy permit-test6 then permit 77 | set security policies global policy block-untrust-in match source-address any 78 | set security policies global policy block-untrust-in match destination-address any 79 | set security policies global policy block-untrust-in match application any 80 | set security policies global policy block-untrust-in match from-zone untrust 81 | set security policies global policy block-untrust-in match to-zone any 82 | set security policies global policy block-untrust-in then deny 83 | set security policies global policy permit-all match source-address any 84 | set security policies global policy permit-all match destination-address any 85 | set security policies global policy permit-all match application any 86 | set security policies global policy permit-all match from-zone any 87 | set security policies global policy permit-all match to-zone any 88 | set security policies global policy permit-all then permit 89 | 90 | # Protocols (router-adv på irb.666 er dynamisk enablet) 91 | # ========= 92 | set protocols router-advertisement interface irb.256 93 | set protocols neighbor-discovery 94 | 95 | # VLANs 96 | # ===== 97 | set vlans altibox vlan-id 256 98 | set vlans altibox l3-interface irb.256 99 | set vlans test6 vlan-id 666 100 | set vlans test6 l3-interface irb.666 101 | 102 | # Deaktivert konfig, kan være relevant for oppsett med TV? 
103 | # ===================================================== 104 | # set vlans altibox forwarding-options dhcp-security dhcpv6-options option-16 use-string VMG8825-B50B 105 | # deactivate vlans altibox forwarding-options dhcp-security dhcpv6-options option-16 106 | 107 | ----- End config ---------------- 108 | 109 | Verifisering: 110 | user@JuniperSRX> show dhcpv6 client binding 111 | 112 | IP/prefix Expires State ClientType Interface Client DUID 113 | 2a01:799:fff:ff00::/56 27092 BOUND STATEFUL irb.256 LL_TIME0x3-0x608cea06-ec:13:db:ff:ff:33 114 | 115 | 116 | 117 | user@JuniperSRX> show interfaces terse | match "256|666|inet6" 118 | inet6 119 | irb.256 up up inet 92.666.666.666/20 120 | inet6 fe80::ee13:dbff:ff:ff30/64 121 | irb.666 up up inet6 2a01:799:fff:ff00::1/64 122 | 123 | 124 | Merk at utsideinterfacet kun vil ha en link local adresse med denne konfigen. Det funker helt fint. 125 | 126 | 127 | 128 | user@JuniperSRX> show route table inet6.0 129 | 130 | inet6.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) 131 | + = Active Route, - = Last Active, * = Both 132 | 133 | ::/0 *[Access-internal/12] 3d 09:03:22 134 | > to fe80::208:ff:fe01:1 via irb.256 135 | [......] 136 | div lokale ruter kommer her. 
137 | -------------------------------------------------------------------------------- /mikrotik-rb4011-altibox: -------------------------------------------------------------------------------- 1 | [admin@router] > /export 2 | # apr/29/2022 23:32:56 by RouterOS 7.2.1 3 | # software id = 83CT-MQM9 4 | # 5 | # model = RB4011iGS+ 6 | # serial number = AAAF0A4A2105 7 | /interface bridge 8 | add admin-mac=74:4D:28:27:8E:D0 auto-mac=no comment=defconf igmp-snooping=yes name=bridge-lan 9 | /interface ethernet 10 | set [ find default-name=ether10 ] name=routed-port 11 | 12 | /interface vlan 13 | add interface=sfp-sfpplus1 name=vlan-isp vlan-id=102 14 | add interface=sfp-sfpplus1 name=vlan-tv vlan-id=101 15 | add interface=sfp-sfpplus1 name=vlan-voip vlan-id=100 16 | 17 | /interface list 18 | add comment=defconf name=WAN 19 | add comment=defconf name=LAN 20 | 21 | /ip dhcp-client option 22 | add code=60 name=vendor-class-identifier value=0x46542D503334313042 23 | /ip dhcp-server option 24 | add code=43 name=q22 value="'Altibox-TMS-Server-Address:https://tmc.services.altibox.net:37020/acs'" 25 | 26 | /ip pool 27 | add name=dhcp ranges=10.11.12.50-10.11.12.200 28 | 29 | /ip dhcp-server 30 | add address-pool=dhcp interface=bridge-lan lease-time=23h59m name=lan 31 | 32 | /interface bridge port 33 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether2 34 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether3 35 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether4 36 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether5 37 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether6 38 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether7 39 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether8 40 | add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether9 41 | add bridge=bridge-lan ingress-filtering=no 
interface=ether1 42 | 43 | /interface list member 44 | add comment=defconf interface=bridge-lan list=LAN 45 | add comment=defconf interface=vlan-isp list=WAN 46 | 47 | /ip address 48 | add address=10.11.12.1/24 comment=defconf interface=ether1 network=10.11.12.0 49 | 50 | /ip dhcp-client 51 | add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=vlan-voip use-peer-dns=no use-peer-ntp=no 52 | add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=vlan-tv use-peer-dns=no use-peer-ntp=no 53 | add dhcp-options=vendor-class-identifier interface=vlan-isp 54 | add disabled=yes interface=sfp-sfpplus1 55 | 56 | /ip dhcp-server network 57 | add address=10.11.12.0/24 comment=defconf dhcp-option=q22 dns-server=10.11.12.1 gateway=10.11.12.1 netmask=24 ntp-server=\ 58 | 92.220.229.76,109.247.114.45,45.14.53.68,92.220.229.77 59 | /ip dhcp-server vendor-class-id 60 | add address-pool=dhcp name=q22 server=lan vid=Q22 61 | 62 | 63 | /ip firewall address-list 64 | add address=10.11.12.2-10.11.12.254 list=allowed_to_router 65 | 66 | /ip firewall filter 67 | add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 68 | add action=accept chain=input in-interface=vlan-tv protocol=igmp 69 | add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp 70 | add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid 71 | add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid 72 | add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes 73 | add action=accept chain=forward connection-state=established,related 74 | add action=accept chain=input src-address-list=allowed_to_router 75 | add action=accept chain=input comment="WAN to router" 
connection-state=established,related in-interface-list=WAN 76 | add action=accept chain=input src-address-list=allowed_to_router 77 | add action=drop chain=input in-interface-list=WAN 78 | 79 | /ip firewall nat 80 | add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vlan-isp 81 | add action=masquerade chain=srcnat out-interface=vlan-tv 82 | add action=masquerade chain=srcnat out-interface=vlan-voip 83 | 84 | 85 | /ipv6 address 86 | add address=::1 from-pool=ipv6-pd interface=bridge-lan 87 | 88 | /ipv6 dhcp-client 89 | add add-default-route=yes comment="Altibox pd" interface=vlan-isp pool-name=ipv6-pd prefix-hint=::/56 request=address,prefix use-peer-dns=no 90 | 91 | /ipv6 firewall address-list 92 | add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 93 | add address=::1/128 comment="defconf: lo" list=bad_ipv6 94 | add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 95 | add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 96 | add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 97 | add address=100::/64 comment="defconf: discard only " list=bad_ipv6 98 | add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 99 | add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 100 | add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 101 | add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6 102 | add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6 103 | add address=::/104 comment="defconf: other" list=bad_ipv6 104 | add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6 105 | 106 | /ipv6 firewall filter 107 | add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 108 | add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah 109 | add action=drop chain=input comment="defconf: drop 
invalid" connection-state=invalid 110 | add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 111 | add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp 112 | add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 113 | add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp 114 | add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp 115 | add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec 116 | add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN 117 | add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 118 | add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid 119 | add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 120 | add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 121 | add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 122 | add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 123 | add action=accept chain=forward comment="defconf: accept HIP" protocol=139 124 | add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp 125 | add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah 126 | add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp 127 | add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec 128 | add action=drop chain=forward comment="defconf: drop everything 
else not coming from LAN" in-interface-list=!LAN 129 | 130 | /ipv6 nd 131 | set [ find default=yes ] interface=bridge-lan other-configuration=yes 132 | 133 | /routing igmp-proxy 134 | set quick-leave=yes 135 | 136 | /routing igmp-proxy interface 137 | add alternative-subnets=0.0.0.0/0 interface=vlan-tv upstream=yes 138 | add interface=bridge-lan 139 | 140 | /system clock 141 | set time-zone-name=Europe/Oslo 142 | 143 | /system ntp client 144 | set enabled=yes 145 | /system ntp client servers 146 | add address=ntp.altibox.no 147 | [admin@mikrotik] > 148 | -------------------------------------------------------------------------------- /edgerouter-x-altibox: -------------------------------------------------------------------------------- 1 | Følgende ting trengs for å få tv og internett fra Altibox på en edgerouter-x 2 | 3 | 4 | Legg inn exit hook for DHCP-klienten slik at routeren tar i bruk ruter mottatt via DHCP-opsjon (RFC 3442, classless static routes). Merk: URL-en henter originalskriptet fra gisten, mens kopien i dette repoet (rfc3442-classless-routes) er endret for å sette metric på rutene. Filen kjøres av DHCP-klienten med root-rettigheter, så kontroller innholdet før du gjør den kjørbar; hvis gist.github.com svarer med en omdirigering, trenger curl `-L` (og helst `-f`) for å lagre selve skriptet. 5 | 6 | sudo su 7 | 8 | curl https://gist.github.com/kgersen/58c26951f087e89cef28/raw/bbb20531f108bc7e03897a10a6d0dad4dc2c26d1/rfc3442-classless-routes -o /etc/dhcp3/dhclient-exit-hooks.d/rfc3442-classless-routes && chmod 755 /etc/dhcp3/dhclient-exit-hooks.d/rfc3442-classless-routes 9 | 10 | exit 11 | 12 | 13 | set firewall all-ping enable 14 | set firewall broadcast-ping disable 15 | 16 | set firewall ipv6-name WANv6_IN default-action drop 17 | set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN' 18 | set firewall ipv6-name WANv6_IN rule 10 action accept 19 | set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions' 20 | set firewall ipv6-name WANv6_IN rule 10 state established enable 21 | set firewall ipv6-name WANv6_IN rule 10 state related enable 22 | set firewall ipv6-name WANv6_IN rule 20 action drop 23 | set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state' 24 | set firewall ipv6-name WANv6_IN rule 20 state invalid enable 25 | 26 | set firewall ipv6-name WANv6_LOCAL 
default-action drop 27 | set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router' 28 | set firewall ipv6-name WANv6_LOCAL enable-default-log 29 | set firewall ipv6-name WANv6_LOCAL rule 10 action accept 30 | set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions' 31 | set firewall ipv6-name WANv6_LOCAL rule 10 state established enable 32 | set firewall ipv6-name WANv6_LOCAL rule 10 state related enable 33 | set firewall ipv6-name WANv6_LOCAL rule 20 action drop 34 | set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state' 35 | set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable 36 | set firewall ipv6-name WANv6_LOCAL rule 30 action accept 37 | set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp' 38 | set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp 39 | set firewall ipv6-name WANv6_LOCAL rule 40 action accept 40 | set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6' 41 | set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546 42 | set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp 43 | set firewall ipv6-name WANv6_LOCAL rule 40 source port 547 44 | 45 | set firewall ipv6-receive-redirects disable 46 | set firewall ipv6-src-route disable 47 | set firewall ip-src-route disable 48 | set firewall log-martians enable 49 | 50 | set firewall name WAN_IN default-action drop 51 | set firewall name WAN_IN description 'WAN to internal' 52 | set firewall name WAN_IN rule 10 action accept 53 | set firewall name WAN_IN rule 10 description 'Allow established/related' 54 | set firewall name WAN_IN rule 10 state established enable 55 | set firewall name WAN_IN rule 10 state related enable 56 | set firewall name WAN_IN rule 20 action drop 57 | set firewall name WAN_IN rule 20 description 'Drop invalid state' 58 | set firewall name WAN_IN rule 20 state invalid enable 59 | 60 | set firewall name WAN_LOCAL default-action drop 61 | 
set firewall name WAN_LOCAL description 'WAN to router' 62 | set firewall name WAN_LOCAL rule 10 action accept 63 | set firewall name WAN_LOCAL rule 10 description 'Allow established/related' 64 | set firewall name WAN_LOCAL rule 10 state established enable 65 | set firewall name WAN_LOCAL rule 10 state related enable 66 | set firewall name WAN_LOCAL rule 20 action drop 67 | set firewall name WAN_LOCAL rule 20 description 'Drop invalid state' 68 | set firewall name WAN_LOCAL rule 20 state invalid enable 69 | 70 | set firewall receive-redirects disable 71 | set firewall send-redirects enable 72 | set firewall source-validation disable 73 | set firewall syn-cookies enable 74 | 75 | set interfaces ethernet eth0 description Uplink 76 | set interfaces ethernet eth0 duplex auto 77 | set interfaces ethernet eth0 mac 'XX:XX:XX:XX:XX:XX' 78 | set interfaces ethernet eth0 speed auto 79 | 80 | set interfaces ethernet eth0 vif 101 address dhcp 81 | set interfaces ethernet eth0 vif 101 description IPTV 82 | set interfaces ethernet eth0 vif 101 dhcp-options client-option 'request subnet-mask, routers, rfc3442-classless-static-routes;' 83 | set interfaces ethernet eth0 vif 101 dhcp-options client-option 'send vendor-class-identifier "VMG8825-B50B";' 84 | set interfaces ethernet eth0 vif 101 dhcp-options default-route no-update 85 | set interfaces ethernet eth0 vif 101 dhcp-options default-route-distance 255 86 | set interfaces ethernet eth0 vif 101 dhcp-options name-server no-update 87 | 88 | set interfaces ethernet eth0 vif 102 address dhcp 89 | set interfaces ethernet eth0 vif 102 description Internet 90 | set interfaces ethernet eth0 vif 102 dhcp-options default-route update 91 | set interfaces ethernet eth0 vif 102 dhcp-options name-server update 92 | set interfaces ethernet eth0 vif 102 dhcpv6-pd pd 1 interface switch0 host-address '::1' 93 | set interfaces ethernet eth0 vif 102 dhcpv6-pd pd 1 interface switch0 prefix-id ':1' 94 | set interfaces ethernet eth0 vif 102 
dhcpv6-pd pd 1 interface switch0 service slaac 95 | set interfaces ethernet eth0 vif 102 dhcpv6-pd pd 1 prefix-length 56 96 | set interfaces ethernet eth0 vif 102 dhcpv6-pd rapid-commit enable 97 | set interfaces ethernet eth0 vif 102 firewall in ipv6-name WANv6_IN 98 | set interfaces ethernet eth0 vif 102 firewall in name WAN_IN 99 | set interfaces ethernet eth0 vif 102 firewall local ipv6-name WANv6_LOCAL 100 | set interfaces ethernet eth0 vif 102 firewall local name WAN_LOCAL 101 | 102 | set interfaces ethernet eth1 description Local 103 | set interfaces ethernet eth1 duplex auto 104 | set interfaces ethernet eth1 speed auto 105 | set interfaces ethernet eth2 description Local 106 | set interfaces ethernet eth2 duplex auto 107 | set interfaces ethernet eth2 speed auto 108 | set interfaces ethernet eth3 description Local 109 | set interfaces ethernet eth3 duplex auto 110 | set interfaces ethernet eth3 speed auto 111 | set interfaces ethernet eth4 description Local 112 | set interfaces ethernet eth4 duplex auto 113 | set interfaces ethernet eth4 speed auto 114 | set interfaces loopback lo 115 | set interfaces switch switch0 address 192.168.1.1/24 116 | set interfaces switch switch0 description Local 117 | set interfaces switch switch0 mtu 1500 118 | set interfaces switch switch0 switch-port interface eth1 119 | set interfaces switch switch0 switch-port interface eth2 120 | set interfaces switch switch0 switch-port interface eth3 121 | set interfaces switch switch0 switch-port interface eth4 122 | set interfaces switch switch0 switch-port vlan-aware disable 123 | 124 | set port-forward auto-firewall enable 125 | set port-forward hairpin-nat enable 126 | set port-forward lan-interface switch0 127 | set port-forward wan-interface eth0.102 128 | 129 | set protocols igmp-proxy interface eth0.101 alt-subnet 0.0.0.0/0 130 | set protocols igmp-proxy interface eth0.101 role upstream 131 | set protocols igmp-proxy interface eth0.101 threshold 1 132 | set protocols 
igmp-proxy interface switch0 role downstream 133 | set protocols igmp-proxy interface switch0 threshold 1 134 | 135 | set service dhcp-server disabled false 136 | set service dhcp-server global-parameters 'option option-43 code 43 = string;' 137 | set service dhcp-server hostfile-update disable 138 | set service dhcp-server shared-network-name LAN authoritative enable 139 | set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1 140 | set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1 141 | set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400 142 | set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.38 stop 192.168.1.243 143 | set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 subnet-parameters 'option option-43 "Altibox-TMS-Server-Address:https://tmc.services.altibox.net:37020/acs";' 144 | 145 | set service dhcp-server static-arp disable 146 | set service dhcp-server use-dnsmasq disable 147 | set service dns forwarding cache-size 150 148 | set service dns forwarding listen-on switch0 149 | set service gui http-port 80 150 | set service gui https-port 443 151 | set service gui older-ciphers disable 152 | set service lldp interface switch0 153 | 154 | set service nat rule 5010 description 'Internet - Vlan102' 155 | set service nat rule 5010 log disable 156 | set service nat rule 5010 outbound-interface eth0.102 157 | set service nat rule 5010 protocol all 158 | set service nat rule 5010 type masquerade 159 | set service nat rule 5011 description 'TV - Vlan 101' 160 | set service nat rule 5011 log disable 161 | set service nat rule 5011 outbound-interface eth0.101 162 | set service nat rule 5011 protocol all 163 | set service nat rule 5011 type masquerade 164 | set service ssh port 22 165 | set service ssh protocol-version v2 166 | 167 | set system ntp server 0.ntp.altibox.no 168 | set system ntp server 
1.ntp.altibox.no 169 | set system ntp server 2.ntp.altibox.no 170 | set system ntp server 3.ntp.altibox.no 171 | 172 | set system offload hwnat enable 173 | set system offload ipsec enable 174 | set system syslog global facility all level notice 175 | set system syslog global facility protocols level debug 176 | set system time-zone Europe/Oslo 177 | set system traffic-analysis dpi disable 178 | set system traffic-analysis export disable 179 | --------------------------------------------------------------------------------