I am setting up an ER-LITE 3 for my parents, who live on the other side of the country. I'm going to send them the pre-configured router and have them just swap out their existing router (an ageing Draytek 2910 that is limiting their speeds), so I need to try and get the setup correct first time.
I have used EdgeMax successfully for leased lines where there is no requirement for a PPPoE login, so I am familiar with the way it works.
I'm running firmware 1.9.0 and used the WAN+2LAN wizard. I have also used the TCP MSS Clamping wizard and set it to 1452 across all interfaces. In addition I have set up a PPTP VPN and a few corresponding firewall rules. Could anyone comment on whether my config is likely to work OK, i.e. is anyone here already using UK VDSL (FTTC)? I have scoured the forums and found some similar threads, and my config looks OK, but I'd like someone else to take a look if possible.
Questions I have:
1) In some people's configs they seem to have a "modify" firewall ruleset that the interface then uses as its "out" firewall; this appears to be a workaround for TCP MSS clamping on older firmwares. So does the TCP MSS wizard now do this instead (it adds the following), meaning the "modify" firewall ruleset is no longer required?
    options {
        mss-clamp {
            interface-type all
            mss 1452
        }
    }
2) Do I need to set the eth0 interface (on which the PPPoE client is configured) to "DHCP"? My parents have a static WAN IP address (they are on BT Business Infinity), but in their previous router (Draytek 2910) the setting for this is "Dynamic IP", which works fine (the other choice is "Static IP").
My sanitized config is below. Thanks for any advice.
    firewall {
        all-ping enable
        broadcast-ping disable
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name WAN_IN {
            default-action drop
            description "WAN to internal"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        name WAN_LOCAL {
            default-action drop
            description "WAN to router"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description "Allow PPTP 1723"
                destination {
                    port 1723
                }
                log enable
                protocol tcp
            }
            rule 30 {
                action accept
                description "Allow GRE 47"
                log enable
                protocol gre
            }
            rule 40 {
                action accept
                description "Allow ICMP ping"
                log enable
                protocol icmp
            }
            rule 50 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        options {
            mss-clamp {
                interface-type all
                mss 1452
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        bridge br0 {
            address 192.168.10.1/24
            aging 300
            bridged-conntrack disable
            description "Local Bridge"
            hello-time 2
            max-age 20
            priority 32768
            promiscuous enable
            stp false
        }
        ethernet eth0 {
            description "Internet (PPPoE)"
            duplex auto
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                    out {
                    }
                }
                mtu 1492
                name-server auto
                password ****************
                user-id something@something.com
            }
            speed auto
        }
        ethernet eth1 {
            bridge-group {
                bridge br0
            }
            description "Local Bridge"
            duplex auto
            speed auto
        }
        ethernet eth2 {
            bridge-group {
                bridge br0
            }
            description "Local Bridge"
            duplex auto
            speed auto
        }
        loopback lo {
        }
    }
    service {
        dhcp-server {
            disabled false
            hostfile-update disable
            shared-network-name DHCP1_LAN {
                authoritative disable
                subnet 192.168.10.0/24 {
                    default-router 192.168.10.1
                    dns-server 8.8.8.8
                    dns-server 8.8.4.4
                    lease 86400
                    start 192.168.10.10 {
                        stop 192.168.10.249
                    }
                }
            }
            use-dnsmasq disable
        }
        dns {
            forwarding {
                cache-size 150
                listen-on br0
            }
        }
        gui {
            http-port 80
            https-port 443
            older-ciphers enable
        }
        nat {
            rule 5010 {
                description "masquerade for WAN"
                outbound-interface pppoe0
                type masquerade
            }
        }
        ssh {
            port 22
            protocol-version v2
        }
    }
    system {
        host-name ubnt
        login {
            user ubnt {
                authentication {
                    encrypted-password ****************
                }
                level admin
            }
        }
        ntp {
            server 0.ubnt.pool.ntp.org {
            }
            server 1.ubnt.pool.ntp.org {
            }
            server 2.ubnt.pool.ntp.org {
            }
            server 3.ubnt.pool.ntp.org {
            }
        }
        offload {
            hwnat disable
            ipv4 {
                forwarding enable
                pppoe enable
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone UTC
    }
    vpn {
        pptp {
            remote-access {
                authentication {
                    local-users {
                        username some_username {
                            password ****************
                        }
                    }
                    mode local
                }
                client-ip-pool {
                    start 192.168.10.250
                    stop 192.168.10.254
                }
                dns-servers {
                    server-1 8.8.8.8
                    server-2 8.8.4.4
                }
                mtu 1492
            }
        }
    }
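The post asks for a second pair of eyes on the config, and question 1 turns on whether the MSS value (1452) lines up with the PPPoE MTU (1492). The script below is an added example, not part of the original post and not EdgeOS tooling: it parses a `show configuration`-style dump into nested dicts and checks the points a reviewer would look at in this config. `POSTED_CONFIG` is a trimmed copy of the posted values, laid out one statement per line as the router prints it; the checks are assumptions of this example (MSS clamp should equal PPPoE MTU minus 40 bytes of IP+TCP header, WAN rulesets should default to drop, a PPTP accept on tcp/1723 needs a matching GRE accept, and the SSH port should not be accepted on WAN_LOCAL), and the `modify`-ruleset check only reports the two MSS mechanisms coexisting, it does not decide which firmware needs which.

```python
"""Lint an EdgeOS config dump for the points raised in the post (added
example, not EdgeOS tooling). POSTED_CONFIG is a trimmed copy of the posted
config in 'show configuration' layout; the checks encode these assumptions:
MSS clamp = PPPoE MTU - 40, WAN rulesets default to drop, PPTP (tcp/1723)
needs GRE alongside it, and the SSH port stays off WAN_LOCAL."""
import shlex

POSTED_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 20 {
            action accept
            destination {
                port 1723
            }
            protocol tcp
        }
        rule 30 {
            action accept
            protocol gre
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1452
        }
    }
}
interfaces {
    ethernet eth0 {
        pppoe 0 {
            mtu 1492
        }
    }
}
service {
    ssh {
        port 22
    }
}
"""

def parse_edgeos(text):
    """Nested dicts from 'show configuration' output: 'k [v] {' opens a node
    at node[k][v], 'k v' is a leaf, and a repeated leaf key becomes a list."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        words = shlex.split(line)          # keeps "quoted descriptions" whole
        if not words:
            continue
        if words == ["}"]:
            stack.pop()
            continue
        node = stack[-1]
        if words[-1] == "{":
            for w in words[:-1]:
                node = node.setdefault(w, {})
            stack.append(node)
            continue
        key, value = words[0], " ".join(words[1:])
        if key in node:                    # e.g. two dns-server leaves
            node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [value]
        else:
            node[key] = value
    return root

def accepts(ruleset):
    """(protocol, destination port) pairs opened by the ruleset's accept rules;
    stateful established/related rules open nothing new and are skipped."""
    opened = set()
    for rule in ruleset.get("rule", {}).values():
        if rule.get("action") == "accept" and "state" not in rule:
            opened.add((rule.get("protocol", "all"),
                        rule.get("destination", {}).get("port")))
    return opened

def lint(cfg):
    """List of findings; an empty list means the checked points look right."""
    findings = []
    fw = cfg["firewall"]
    mtu = int(cfg["interfaces"]["ethernet"]["eth0"]["pppoe"]["0"]["mtu"])
    mss = int(fw.get("options", {}).get("mss-clamp", {}).get("mss", 0))
    if mss != mtu - 40:                    # 20-byte IP + 20-byte TCP header
        findings.append(f"mss-clamp is {mss}, expected mtu-40 = {mtu - 40}")
    if mss and "modify" in fw:
        findings.append("options mss-clamp and a modify ruleset both present")
    for name, rs in fw["name"].items():
        if rs.get("default-action") != "drop":
            findings.append(f"{name}: default-action should be drop")
    opened = accepts(fw["name"]["WAN_LOCAL"])
    if ("tcp", "1723") in opened and ("gre", None) not in opened:
        findings.append("WAN_LOCAL accepts PPTP tcp/1723 but not GRE (proto 47)")
    ssh_port = cfg["service"]["ssh"]["port"]
    for proto, port in opened:
        if port == ssh_port or (proto == "all" and port is None):
            findings.append(f"WAN_LOCAL exposes management via {proto}/{port}")
    return findings
```

Run `lint(parse_edgeos(POSTED_CONFIG))` and the posted values come back clean; change `mss 1452` to `mss 1460`, or swap the GRE rule's protocol, and the relevant finding appears. To check the full posted config rather than the trimmed copy, paste the router's own `show configuration` output into the parser; the flattened one-line form above has to be re-split into one statement per line first, since the parser uses line boundaries to tell leaves apart.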