Sticky

Gebruik een eigen router i.p.v. de Experia Box

  • 8 September 2018
  • 8565 reacties
  • 562412 keer bekeken
Gebruik een eigen router i.p.v. de Experia Box
Toon eerste bericht

8565 reacties

J.Philippi
Rank
Badge

@wtb

Hoewel ik niet goed begrijp waarom het al die tijd heeft gefunctioneerd, heb ik een poging ondernomen om een VLAN4 & 6 onder eth1 te configuren.

Graag jou commentaar.

Alvast dank, John

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description "Guest WIFI Network IN"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.0"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action accept
        description "Guest WIFI Network Local"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.254"
            destination {
                address 192.168.2.254
            }
            log disable
            protocol all
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description FTTH
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "KPN IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "KPN Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password ppp
                user-id JPH@internet
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "Local Network"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 4 {
            address 192.168.4.254/24
            description IPTV
            egress-qos "0:5 1:5 2:5 3:5 4:5"
        }
        speed auto
        vif 6 {
            address 192.168.2.254/24
            description LAN
          }
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description "GUEST (VLAN10)"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        description "Niet in gebruik"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        enable-quickleave
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 2
        }
        interface eth1.4 {
        role downstream
        threshold 1
        }
        interface eth1.6 {
        role downstream
        threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name IPTV {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.254
                dns-server 192.168.4.254
                domain-name iptv.local
                lease 86400
                start 192.168.4.1 {
                    stop 192.168.4.253
                }
            }
        }    
        shared-network-name Thuis {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 192.168.2.254
                lease 86400
                start 192.168.2.1 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                lease 86400
                start 192.168.10.2 {
                    stop 192.168.10.200
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 4000
            listen-on eth1
            listen-on eth1.10
            name-server 195.121.1.34
            name-server 195.121.1.66
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=192.168.2.254
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5010 {
            description Internet
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    telnet {
        port 23
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    domain-name flipchip.local
    host-name FlipChip
    login {
        user JPhilippi {
            authentication {
                encrypted-password $6$rUgFaOVeHRaZ$SdshLgJaot3SOVAemKulslQ3PecbVq5nyZUIsVVQRaAMjHlRM1fkpynjXor6.aOh2vKwooStVVlWhzk4CJaHo0
                plaintext-password ""
            }
            full-name "Local User"
            level operator
        }
        user SuperUser {
            authentication {
                encrypted-password $6$Slg9alK2ecdtQH$18fjauurfqrwB3hg3O7p7FsrUCqr42rRf.3mvZkxifJ5GpnFsYyu314tBmEv/yN7IlQaB47/QLMZnJ7tLFcYR/
                plaintext-password ""
            }
            full-name "Local SysOp"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.nl.pool.ntp.org {
        }
        server 1.nl.pool.ntp.org {
        }
        server ntp0.nl.net {
        }
        server ntp1.nl.net {
        }
        server time.kpn.net {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi disable
        export disable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.1.5371034.210122.1014 */

 

 

wjb
Rank
Reputatie 7

Dat geldt eveneens dan voor LAN6.

Je hebt vlan 6 dan ook niet op jouw switch geconfigureerd en dat is prima want aan de lan zijde worden in de standaard configuratie geen vlans gebruikt.

 

Afgezien dat deze installatie muv VLAN10 voortkomt uit EdgeRouter-Lite-3-KPN-zonder-VoIP, ben ik benieuwd hoe wel zou moeten.

Alvast dank voor de genomen moeite.

Dat hangt er vanaf wat je wil, gewoon IPTV standaard op het lan of op een eigen vlan.

Be positive, avoid negativity, enjoy life and stay healthy!
wjb
Rank
Reputatie 7

Hoewel ik niet goed begrijp waarom het al die tijd heeft gefunctioneerd, heb ik een poging ondernomen om een VLAN4 & 6 onder eth1 te configuren.

Graag jou commentaar.

Je moet geen vlan 6 gebruiken aan de lan zijde, ga weer terug naar jouw vorige configuratie.

Be positive, avoid negativity, enjoy life and stay healthy!
J.Philippi
Rank
Badge

@wtb 

Terug naar mijn vorige situatie is geen optie dit opdat deze niet meer werkt zoals beschreven in mijn 1e post. Het idee achter mijn beschreven configuratie is een managed switch (ThoughSwitch) te gebruiken welke de VLANS “opvangt” (4&6&10) deze doorstuurt naar ieder zijn eigen poort. M.a.w. TV verkeer heeft een eigen poort en is gescheiden van het LAN verkeer iets wat ook geldt voor het WIFI verkeer. De switch welke hangt aan “VLAN6” poort is unmanaged en regelt het verkeer van alles is bekabeld in huis.

Bij wijze van test heb ik de EdgeRouter (met configuratie waar twee jaar probleemloos heb kunnen werken)  eth1 poort & TV modem direct aangesloten op de unmanaged switch (dus LAN verkeer & IPTV over de unmanaged switch) en dit gaf dezelfde problemen als met de managed switch. Zodra het TV modem aan gaat valt het internet weg en visa versa. 

Het mag duidelijk zijn ik weet tot op heden niet waarom de beschreven configuratie na twee jaar niet meer werkt. Het moet iets zijn wat de KPN recent heeft bedacht is mijn eerste ingeving.

wjb
Rank
Reputatie 7

Je moet geen vlan 6 gebruiken aan de LAN zijde van jouw EdgeRouter en je moet ook geen switch tussen NTU en EdgeRouter plaatsen.

Nogmaals, zet jouw config terug naar die van eergisteren waarbij je geen vlan 6 op eth1 had gedefinieerd.

Als je IPTV op een apart vlan wilt plaatsen dan volg je de handelingen die in dit bericht beschreven zijn.

Let op, bij jou is eth1 de LAN poort en eth0 de WAN poort.

Be positive, avoid negativity, enjoy life and stay healthy!
J
Rank

Iptv en Lan over een unmnaged switch gaat zo wie zo niet werken.

Waarom het  2 jaar wel heeft gewerkt begrijp ik niet.

Ik zou van scratch beginnen. ER en switch terug naar fabrieksinstellingen en kijken of je zonder VLAN aan LAN zijde tevreden bent. Dus met script op 1e pagina genoemd

Zo niet instructies die wjb hierboven noemt volgen

J.Philippi
Rank
Badge

@wjb 

@jaapst64 

wtb schreef:

je moet geen vlan 6 gebruiken aan de LAN zijde van jouw EdgeRouter en je moet ook geen switch tussen NTU en EdgeRouter plaatsen.

Er zit ook geen switch tussen NTU en EdgeRouter de managed switch zit op eth1. Als ik terug ga naar de  1e configuratie en de TouchSwitch tagging van VLAN6 & VLAN4 verwijder, komt het dan niet neer op de situatie die beschreef met de unmanaged switch?

jaapst64 schreef:

Iptv en Lan over een unmnaged switch gaat zo wie zo niet werken.

Moet ik dan zo wie zo niet een VLAN4 maken op eth1 om dat verkeer met de ToughSwitch (UI 5 poort managed switch) te regelen. Een andere vraag die bij mij op komt; hoe doet een ieder die zijn eigen router wil gebruiken het de datastroom regelen. Maken zijn nog steeds gebruik van de experiabox als een veredelde switch?

Enfin, ik heb de config (Turtle) uit Voorbeeld gebruikt om VLAN4 toe te voegen aan config.boot als laatste poging.

Dank voor jullie inbreng.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description "Guest WIFI Network IN"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.0"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action accept
        description "Guest WIFI Network Local"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.254"
            destination {
                address 192.168.2.254
            }
            log disable
            protocol all
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description FTTH
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "KPN IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "KPN Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password ppp
                user-id JPH@internet
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "Local Network"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 4 {
            address 192.168.4.254/24
            description IPTV
            egress-qos "0:5 1:5 2:5 3:5 4:5"
        }
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description "GUEST (VLAN10)"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        description "Niet in gebruik"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        enable-quickleave
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 2
        }
        interface eth1.4 {
        role downstream
        threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name IPTV {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.254
                dns-server 192.168.4.254
                domain-name iptv.local
                lease 86400
                start 192.168.4.1 {
                    stop 192.168.4.253
                }
            }
        }    
        shared-network-name Thuis {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 192.168.2.254
                lease 86400
                start 192.168.2.1 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                lease 86400
                start 192.168.10.2 {
                    stop 192.168.10.200
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 4000
            listen-on eth1
            listen-on eth1.10
            name-server 195.121.1.34
            name-server 195.121.1.66
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=192.168.2.254
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5010 {
            description Internet
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    telnet {
        port 23
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    domain-name flipchip.local
    host-name FlipChip
    login {
        user JPhilippi {
            authentication {
                encrypted-password $6$rUgFaOVeHRaZ$SdshLgJaot3SOVAemKulslQ3PecbVq5nyZUIsVVQRaAMjHlRM1fkpynjXor6.aOh2vKwooStVVlWhzk4CJaHo0
                plaintext-password ""
            }
            full-name "Local User"
            level operator
        }
        user SuperUser {
            authentication {
                encrypted-password $6$Slg9alK2ecdtQH$18fjauurfqrwB3hg3O7p7FsrUCqr42rRf.3mvZkxifJ5GpnFsYyu314tBmEv/yN7IlQaB47/QLMZnJ7tLFcYR/
                plaintext-password ""
            }
            full-name "Local SysOp"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.nl.pool.ntp.org {
        }
        server 1.nl.pool.ntp.org {
        }
        server ntp0.nl.net {
        }
        server ntp1.nl.net {
        }
        server time.kpn.net {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi disable
        export disable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.1.5371034.210122.1014 */

 

 

J
Rank

In principe is de standaardconfiguratie prima te gebruiken  als je een switch hebt die igmp ondersteunt. Deze scheidt het tv verkeer van de rest. Dat werkt prima. Alleen bij speciale wensen kun je aparte VLAN voor tv creëren wat theoretisch iets robuuster is.

Experiabox niet gebruiken. 

Overigens last ik mijn switch het gastnetwerk configureren,  maar dat kan niet elke switch.

J
Rank

Wat betreft je configuratie. Je hebt de Nat rules iptv op verkeerde subnet staan.

Ik denk niet dat die firewall instelling voor Jr gastnetwerk nodig is.

 

Als ik jou was zou ik eerst standaardinstellingen zonder vlans testen.  Als dat werkt en je hebt verder geen wensen?

wjb
Rank
Reputatie 7

 

@jaapst64 Enfin, ik heb de config (Turtle) uit Voorbeeld gebruikt om VLAN4 toe te voegen aan config.boot als laatste poging.

Dank voor jullie inbreng.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description "Guest WIFI Network IN"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.0"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action accept
        description "Guest WIFI Network Local"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.254"
            destination {
                address 192.168.2.254
            }
            log disable
            protocol all
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description FTTH
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "KPN IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "KPN Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password ppp
                user-id JPH@internet
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "Local Network"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 4 {
            address 192.168.4.254/24
            description IPTV
            egress-qos "0:5 1:5 2:5 3:5 4:5"
        }
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description "GUEST (VLAN10)"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        description "Niet in gebruik"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        enable-quickleave
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 2
        }
        interface eth1.4 {
        role downstream
        threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name IPTV {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.254
                dns-server 192.168.4.254
                domain-name iptv.local
                lease 86400
                start 192.168.4.1 {
                    stop 192.168.4.253
                }
            }
        }    
        shared-network-name Thuis {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 192.168.2.254
                lease 86400
                start 192.168.2.1 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                lease 86400
                start 192.168.10.2 {
                    stop 192.168.10.200
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 4000
            listen-on eth1
            listen-on eth1.10
            name-server 195.121.1.34
            name-server 195.121.1.66
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=192.168.2.254
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5010 {
            description Internet
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    telnet {
        port 23
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    domain-name flipchip.local
    host-name FlipChip
    login {
        user JPhilippi {
            authentication {
                encrypted-password $6$rUgFaOVeHRaZ$SdshLgJaot3SOVAemKulslQ3PecbVq5nyZUIsVVQRaAMjHlRM1fkpynjXor6.aOh2vKwooStVVlWhzk4CJaHo0
                plaintext-password ""
            }
            full-name "Local User"
            level operator
        }
        user SuperUser {
            authentication {
                encrypted-password $6$Slg9alK2ecdtQH$18fjauurfqrwB3hg3O7p7FsrUCqr42rRf.3mvZkxifJ5GpnFsYyu314tBmEv/yN7IlQaB47/QLMZnJ7tLFcYR/
                plaintext-password ""
            }
            full-name "Local SysOp"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.nl.pool.ntp.org {
        }
        server 1.nl.pool.ntp.org {
        }
        server ntp0.nl.net {
        }
        server ntp1.nl.net {
        }
        server time.kpn.net {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi disable
        export disable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.1.5371034.210122.1014 */

 

 

Kijk nog eens goed naar dit bericht want er zijn nog drie dingen niet goed ingesteld.

Be positive, avoid negativity, enjoy life and stay healthy!
wjb
Rank
Reputatie 7

Ik denk niet dat die firewall instelling voor Jr gastnetwerk nodig is.

Voor een gastnetwerk zijn wel firewall instellingen nodig om de gasten weg te houden bij het eigen netwerk. GUEST_IN is an sich goed maar GUEST_LOCAL moet DNS requests (TCP&UDP poort 53) en DHCP requests (UDP poort 67) toestaan en verder alles droppen.

Onderstaand mijn firewall settings voor GUEST_IN (default action is accept)...

...en die voor GUEST_LOCAL (default action is drop).

 

De LAN_NETWORKS zijn als onderstaand gedefinieerd.

 

Be positive, avoid negativity, enjoy life and stay healthy!
J
Rank

Wjb, als een gastnetwerk op een ander vlan zit. Is het dan toch mogelijk het eigen netwerk te benaderen? 

wjb
Rank
Reputatie 7

Wjb, als een gastnetwerk op een ander vlan zit. Is het dan toch mogelijk het eigen netwerk te benaderen? 

Jawel hoor, als je het IP adres van een apparaat op een ander (v)lan weet dan is dat apparaat te benaderen tenzij je een firewall opstelt.

Be positive, avoid negativity, enjoy life and stay healthy!
J.Philippi
Rank
Badge

@wjb 

Teneinde de drie verschillen waar jij over spreekt het hoofd te bieden (dank daarvoor)  heb ik de backup maar teruggezet op mijn EdgeRouter en stap voor stap jou instelling overgenomen incl. de rules voor GUEST_LOCAL.

Ik zit nog met twee dingen die mij niet duidelijk zijn ;

 Ik zie geen protocol-proxy-/interface/eth1.4 alleen eth1. Correct?

 ik heb in NAT drie rules, waarvan rule 5000 en 5011 op het destination address na gelijk zijn. Correct?

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description "Guest WIFI Network IN"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.0"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action accept
        description "Guest WIFI Network Local"
        rule 10 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 20 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 30 {
            action drop
            description "DROP access to 192.168.2.254"
            destination {
                address 192.168.2.254
            }
            log disable
            protocol all
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description FTTH
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "KPN IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "KPN Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password ppp
                user-id JPH@internet
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "Local Network"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 4 {
            address 192.168.4.254/24
            description IPTV
            egress-qos "0:5 1:5 2:5 3:5 4:5"
        }
        vif 10 {
            address 192.168.10.1/24
            description "GUEST (VLAN10)"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        description "Niet in gebruik"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name IPTV {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.254
                dns-server 195.121.1.34
                dns-server 195.121.1.66
                domain-name iptv.local
                lease 86400
                start 192.168.4.1 {
                    stop 192.168.4.253
                }
            }
        }
        shared-network-name Thuis {
            authoritative enable
            subnet 192.168.2.0/24 {
                lease 86400
                start 192.168.2.1 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                lease 86400
                start 192.168.10.2 {
                    stop 192.168.10.200
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 4000
            listen-on eth1
            listen-on eth1.10
            name-server 195.121.1.34
            name-server 195.121.1.66
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=192.168.2.254
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5010 {
            description Internet
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
        rule 5011 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    telnet {
        port 23
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    domain-name flipchip.local
    host-name FlipChip
    login {
        user JPhilippi {
            authentication {
                encrypted-password $6$rUgFaOVeHRaZ$SdshLgJaot3SOVAemKulslQ3PecbVq5nyZUIsVVQRaAMjHlRM1fkpynjXor6.aOh2vKwooStVVlWhzk4CJaHo0
                plaintext-password ""
            }
            full-name "Local User"
            level operator
        }
        user SuperUser {
            authentication {
                encrypted-password $6$Slg9alK2ecdtQH$18fjauurfqrwB3hg3O7p7FsrUCqr42rRf.3mvZkxifJ5GpnFsYyu314tBmEv/yN7IlQaB47/QLMZnJ7tLFcYR/
                plaintext-password ""
            }
            full-name "Local SysOp"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.nl.pool.ntp.org {
        }
        server 1.nl.pool.ntp.org {
        }
        server ntp0.nl.net {
        }
        server ntp1.nl.net {
        }
        server time.kpn.net {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi disable
        export disable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.1.5371034.210122.1014 */

 

 

wjb
Rank
Reputatie 7

De downstream interface voor de IGMP proxy server moet op eth1.4 gezet worden i.p.v. eth1.

In de NAT rule 5000 (IPTV) moet het source IP adres weggehaald worden en NAT rule 5011 moet verwijderd worden.

 

Bij de firewall GUEST_LOCAL moet je de default action op drop zetten en kan rule 30 vervolgens verwijderd worden. Hierdoor voorkom je dat vanuit het gastnetwerk de EdgeRouter op bijvoorbeeld 192.168.10.254 of 192.168.4.254 benaderd kan worden.

 

Op de switch moet vlan 4 tagged geplaatst worden op de poort waar de EdgeRouter mee verbonden is. De poort waar de TV ontvanger op aangesloten is moet alleen vlan 4 untagged gaan krijgen. De pvid moet ook op 4 staan en er mogen geen andere vlans op actief zijn.

Be positive, avoid negativity, enjoy life and stay healthy!
J.Philippi
Rank
Badge

@wjb

Dank voor je aanvulling. eth1 naar eth1.4 omzetten is voor jou wellicht dagelijkse kost:wink: . Het duurde even voor ik doorhad dat je eerst in interfaces eth1 moet verwijderen en aanvullen met eth1.4.

Tag & untag, goed dat je het zegt. Als ik de handleiding lees van de ThoughSwitch lees ik het net andersom. Dus voor de volledigheid:

ThoughSwitch Port def.

LAN (unmanaged switch) komt dan uit op port 2.

Ik hoop voor de laatste keer config.boot

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_IN {
        default-action accept
        description "Guest WIFI Network IN"
        rule 1 {
            action drop
            description "DROP access to 192.168.2.0"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description "Guest WIFI Network Local"
        rule 10 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 20 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description FTTH
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "KPN IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "KPN Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password ppp
                user-id JPH@internet
            }
        }
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description "Local Network"
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 4 {
            address 192.168.4.254/24
            description IPTV
            egress-qos "0:5 1:5 2:5 3:5 4:5"
        }
        vif 10 {
            address 192.168.10.1/24
            description "GUEST (VLAN10)"
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
    ethernet eth2 {
        description "Niet in gebruik"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1.4 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name IPTV {
            authoritative disable
            subnet 192.168.4.0/24 {
                default-router 192.168.4.254
                dns-server 195.121.1.34
                dns-server 195.121.1.66
                domain-name iptv.local
                lease 86400
                start 192.168.4.1 {
                    stop 192.168.4.253
                }
            }
        }
        shared-network-name Thuis {
            authoritative enable
            subnet 192.168.2.0/24 {
                lease 86400
                start 192.168.2.1 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                lease 86400
                start 192.168.10.2 {
                    stop 192.168.10.200
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 4000
            listen-on eth1
            listen-on eth1.10
            name-server 195.121.1.34
            name-server 195.121.1.66
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=192.168.2.254
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        rule 5010 {
            description Internet
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    telnet {
        port 23
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    domain-name flipchip.local
    host-name FlipChip
    login {
        user JPhilippi {
            authentication {
                encrypted-password $6$rUgFaOVeHRaZ$SdshLgJaot3SOVAemKulslQ3PecbVq5nyZUIsVVQRaAMjHlRM1fkpynjXor6.aOh2vKwooStVVlWhzk4CJaHo0
                plaintext-password ""
            }
            full-name "Local User"
            level operator
        }
        user SuperUser {
            authentication {
                encrypted-password $6$Slg9alK2ecdtQH$18fjauurfqrwB3hg3O7p7FsrUCqr42rRf.3mvZkxifJ5GpnFsYyu314tBmEv/yN7IlQaB47/QLMZnJ7tLFcYR/
                plaintext-password ""
            }
            full-name "Local SysOp"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.nl.pool.ntp.org {
        }
        server 1.nl.pool.ntp.org {
        }
        server ntp0.nl.net {
        }
        server ntp1.nl.net {
        }
        server time.kpn.net {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi disable
        export disable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.1.5371034.210122.1014 */

 

 

J
Rank

VLAN 1 is niet alleen management, maar ook je algemene Lan. Die moet je uitsluiten van de poort waar je IPTV op zit. De poort waar je IPTV op zit is geen trunk poort volgens mij.(3 zo te zien)

 

M
Rank

Ik heb mijn KPN modem ook vervangen door een EdgeRouter en dit werkt al een maand probleemloos! Echter was er zojuist een stroomstoring en daarna deed het internet en interactieve TV het niet meer. Ik heb toen de EdgeRouter via het menu een restart gegeven, maar nog steeds geen internet.

Pas toen ik de EdgeRouter weer had vervangen door het KPN modem, deed het internet en interactieve tv het weer. Vervolgens weer het KPN modem eraf gehaald en de EdgeRouter weer aangesloten. Die werkte vervolgens weer prima. Lijkt er op dat het KPN modem nodig was om alles weer te “activeren"… Enig idee hoe dit kan??

 

wjb
Rank
Reputatie 7

Ik hoop voor de laatste keer config.boot

Die ziet er volgens mij goed uit.

 

Zorg er voor dat vlan 1 niet op poort 3 van de switch aangeboden wordt.

Als je dat gedaan hebt en de TV ontvanger opnieuw hebt gestart dan zou het moeten werken.

Op poort 4 en 5 staan 2 vlans untagged en dat is niet correct, als er meerdere vlans op een poort worden aangeboden dan is er altijd maar 1 untagged en de anderen tagged.

Wat wordt er op poort 4 en 5 aangesloten.

Be positive, avoid negativity, enjoy life and stay healthy!
J.Philippi
Rank
Badge

@wjb 

Dan komt de switch configuratie er zo uit te zien. Port 1 is trunk port voor VLAN4 en VLAN10.

VLAN4 komt uit op poort 3 dus deze wordt Untagged en Excluded in Port1.

VLAN10 komt uit op poort 4 & 5, Port 1 trunk en 4 & 5 Excluded in Port 1.

Port 2 blijft Untagged in Port 1 waarover LAN (bekabelde netwerk d.m.v. unmanaged switch) verkeer loopt

Op porten 4 & 5 zitten UI AP PoE . Beide AP hebben een twee gescheiden services GUEST en internal. Je raad het al GUEST is voor VLAN10.

ThoughSwitch VLAN def.

 

wjb
Rank
Reputatie 7

Poort 1, 2 en 3 zijn nu prima.

Poort 4 en 5 niet want nu zullen jouw UI accesspoints niet goed functioneren voor het gewone wifi netwerk.

Volgens mij moet op poort 4 en 5 vlan 1 untagged en vlan 10 tagged geplaatst worden.

Uiteraard zal dat ook correct ingesteld moeten worden op de UI accesspoints zelf.

Be positive, avoid negativity, enjoy life and stay healthy!
F
Rank

Ik heb mijn KPN modem ook vervangen door een EdgeRouter en dit werkt al een maand probleemloos! Echter was er zojuist een stroomstoring en daarna deed het internet en interactieve TV het niet meer. Ik heb toen de EdgeRouter via het menu een restart gegeven, maar nog steeds geen internet.

Pas toen ik de EdgeRouter weer had vervangen door het KPN modem, deed het internet en interactieve tv het weer. Vervolgens weer het KPN modem eraf gehaald en de EdgeRouter weer aangesloten. Die werkte vervolgens weer prima. Lijkt er op dat het KPN modem nodig was om alles weer te “activeren"… Enig idee hoe dit kan??

 

I had exactly the same problem, since around 1AM the internet stopped working.

I called KPN this morning, they said that there was some maintenance work on my modem and that they only officially support their own equipment.

So basically, I connected the v12 box, everything ran normally, then reconnected my zyxel. I hope that this isn't something that needs to be done very often. Other than that, all good. 

wjb
Rank
Reputatie 7

I had exactly the same problem, since around 1AM the internet stopped working.

I called KPN this morning, they said that there was some maintenance work on my modem and that they only officially support their own equipment.

So basically, I connected the v12 box, everything ran normally, then reconnected my zyxel. I hope that this isn't something that needs to be done very often. Other than that, all good. 

I have not connected my Experia Box since december 2019.

Be positive, avoid negativity, enjoy life and stay healthy!
B
Rank

Kan iemand mij helpen met het instellen van Adguard? ik heb deze EdgeRouter X + AdGuardHome. More notes for my self here. Here is… | by Cason Adams | Medium site gevonden om het in te stellen, maar adguard blijft klagen dat port 53 al in gebruik is. Iemand enig idee?

J.Philippi
Rank
Badge

@wjb 

Je hebt gelijk als gebruikelijk zou ik haast zeggen:grinning: , was iets te enthousiast met Untagging.

Ik ga vanmiddag live.. Ik hoop dat de eerdere problemen zijn verdwenen nu met de juiste VLAN4 settings.

Nogmaals dank voor je inbreng.

 

Reageer


De Kennisbank

Heb je vragen over diensten, producten of wil je weten hoe je modeminstellingen verandert? Vind het antwoord op de meest gestelde vragen in onze Kennisbank
Forumvoorwaarden