
Onlangs hebben wij KPN glas gekregen. Ik gebruik daarop alleen internet (dus geen IPTV en telefonie). Momenteel hebben we (ook) nog internet via Ziggo. Ik heb een Edgerouter X SFP in gebruik voor ons thuisnetwerk en daarop WAN loadbalancing geconfigureerd.

Nu ben ik bezig om de box 12 er tussen uit te halen en direct vanuit de XGSPON ONT met de Edgerouter verbinding te maken. In principe werkt het allemaal: ik krijg de VLAN en PPPOE aan de praat en als ik de routering via de KPN verbinding laat lopen, zie ik dat alle verkeer netjes via de glasvezel komt.

Althans, het werkt voor bestaande verbindingen en bijvoorbeeld VPN verkeer, maar alles waar een nieuwe DNS request voor nodig is loopt verkeerd. Verbinding met IP adressen heb ik dus wel, maar zodra een domeinnaam moet worden omgezet gaat het mis.

Zelfs als ik op de clients in het netwerk handmatig een DNS-server instel (bijv. 8.8.8.8), werkt het resolven van de domeinnaam nog steeds niet. Overigens werkt alles via de Ziggo-interface (voorlopig) nog wel.

Heeft iemand een idee wat ik over het hoofd zie, waardoor ik via KPN glas geen DNS krijg?

Kan je hier eens jouw config.boot in een spoiler element posten?

Jouw config.boot graag in zo’n spoiler element om het topic “leesbaar” te houden.

Haal wel eventuele privé gegevens uit jouw configuratie. 

 

Heb je overigens ook al gekeken naar de configuratiescripts voor de EdgeRouters in het openingsbericht van het onderstaande topic?

 


Dergelijke configuratiescripts heb ik bekeken, maar omdat daarmee alle bestaande instellingen (zoals vlans, routing tabellen) verloren gaan heb ik besloten alles handmatig in te stellen. Ik kom er net achter dat mijn config.boot te groot is (meer dan 30000 tekens) voor dit forum… Ik zal even kijken of ik een verkorte versie kan invoegen met de relevante secties.


Bij deze mijn actuele config.boot:

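/* EdgeOS config.boot as pasted, restored to one node per line; NOTE(review) lines are review remarks, #secret# values are the author's own redactions */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Chromecast_address {
            address 192.168.2.157
            address 192.168.2.159
            description "Alle apparaten die chromecast ondersteunen"
        }
        address-group IP_Cameras {
            address 192.168.2.102
            address 192.168.2.104
            description "IP cameras"
        }
        address-group Robots {
            address 192.168.2.110
            address 192.168.2.70
            description "Stofzuigrobots"
        }
        /* RFC1918 only: the untagged switch0 network 192.0.1.0/24 below is NOT covered by this group */
        network-group PRIVATE_NETS {
            description "Private netwerken"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        port-group Chromecast_port {
            description "Poorten voor apparaten die chromecast ondersteunen"
            port 32768-61000
        }
        port-group General_webports {
            description "Algemene webpoorten"
            port 80
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* NOTE(review): no interface in this paste attaches this policy (no "modify { name balance }" under any switch0 vif), so these rules are defined but not applied as far as this config shows - confirm against the live router */
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        /* closing brace of this rule restored: in the pasted text rule 30 ended with only the brace of its modify block, so rule 40 was nested inside it */
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth5
                }
            }
            modify {
                table main
            }
        }
        /* everything not matched above is handed to load-balance group G (eth0 failover-only, pppoe1 active) */
        rule 80 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* applied "out" on switch0.10: traffic leaving the router towards VLAN10 */
    name VLAN10_Inkomend {
        default-action drop
        description "Verkeer naar het VLAN10"
        rule 10 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* disabled: inbound DNS to VLAN10 from PRIVATE_NETS is currently not accepted by this rule */
        rule 20 {
            action accept
            description "DNS toestaan"
            destination {
                port 53
            }
            disable
            log disable
            protocol tcp_udp
            source {
                group {
                    network-group PRIVATE_NETS
                }
            }
        }
        rule 30 {
            action accept
            description "Inkomend ICMP toestaan (o.a. ping)"
            log disable
            protocol icmp
            source {
                address 192.168.2.0/24
            }
        }
        rule 40 {
            action accept
            description "Inkomend IGMP toestaan (Group multicast)"
            log disable
            protocol igmp
            source {
                address 192.168.2.0/24
            }
        }
        rule 50 {
            action accept
            description "Toestaan TCP verkeer van chromecast"
            destination {
                address 192.168.1.0/24
                group {
                }
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group Chromecast_address
                }
                port 8008-8009,8443
            }
        }
        rule 60 {
            action accept
            description "Toestaan UDP verkeer van chromecast (bron)"
            destination {
                address 192.168.1.0/24
                group {
                }
            }
            log enable
            protocol udp
            source {
                group {
                    address-group Chromecast_address
                    port-group Chromecast_port
                }
            }
        }
        rule 70 {
            action accept
            description "Toestaan UDP verkeer van chromecast (doel)"
            destination {
                address 192.168.1.0/24
                group {
                    port-group Chromecast_port
                }
            }
            log enable
            protocol udp
            source {
                group {
                    address-group Chromecast_address
                }
            }
        }
        /* NOTE(review): matches only on UDP source port 1900 with no source address; the sender picks its own source port, so any UDP using sport 1900 is accepted into VLAN10 - consider restricting to Chromecast_address like rules 50-70 */
        rule 71 {
            action accept
            description "Inkomend SSDP/DIAL port 1900 UDP chromecast open"
            log disable
            protocol udp
            source {
                port 1900
            }
        }
    }
    /* applied "in" on switch0.10: traffic from VLAN10 entering the router */
    name VLAN10_Uitgaand {
        default-action accept
        description "Van Netwerk inkomend bij router"
        rule 10 {
            action accept
            description "Virtuele containers NAS"
            destination {
                address 10.0.3.0/24
            }
            log disable
            protocol tcp_udp
            source {
                address 192.168.1.0/24
                group {
                }
            }
        }
        rule 20 {
            action accept
            description "Alle verkeer naar buiten"
            destination {
                address 0.0.0.0/0
            }
            log disable
            protocol all
            source {
                address 192.168.1.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    /* applied "out" on switch0.20: traffic leaving the router towards the IoT VLAN */
    name VLAN20_Inkomend {
        default-action drop
        description "Verkeer naar het VLAN20"
        rule 10 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* disabled: this accept rule is currently inactive */
        rule 20 {
            action accept
            description "DNS toestaan"
            destination {
                port 53
            }
            disable
            log enable
            protocol tcp_udp
        }
        rule 40 {
            action accept
            description "Verkeer van VLAN10 toelaten"
            log disable
            protocol all
            source {
                address 192.168.1.0/24
                group {
                }
            }
        }
        rule 50 {
            action accept
            description "Inkomend Chromecasts UDP verkeer"
            destination {
                group {
                    address-group Chromecast_address
                }
            }
            log enable
            protocol udp
            source {
                group {
                    port-group Chromecast_port
                }
            }
        }
        rule 51 {
            action accept
            description "Inkomend SSDP/DIAL port 1900 UDP chromecast open"
            destination {
                group {
                    address-group Chromecast_address
                }
            }
            log disable
            protocol udp
            source {
                port 1900
            }
        }
    }
    /* NOTE(review): the description says "block", but default-action accept with no rules lets every IoT device reach the router itself (including the web GUI on 80/443 configured under service gui); VLAN30_LokaalManagement below uses drop - confirm which is intended */
    name VLAN20_LokaalManagement {
        default-action accept
        description "Blokkeer VLAN20 toegang tot local management"
    }
    /* applied "in" on switch0.20: traffic from the IoT VLAN entering the router */
    name VLAN20_Uitgaand {
        default-action accept
        description "Uit VLAN20 naar rest"
        /* disabled: the DNS drop described here is currently not enforced */
        rule 10 {
            action drop
            description "DNS *NIET* toestaan ivm UDP flood"
            destination {
                port 53
            }
            disable
            log enable
            protocol tcp_udp
        }
        rule 11 {
            action accept
            description "Cameras intern toestaan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group IP_Cameras
                }
            }
        }
        rule 12 {
            action drop
            description "Cameras naar buiten blokkeren"
            destination {
                address 0.0.0.0/0
            }
            log enable
            protocol all
            source {
                group {
                    address-group IP_Cameras
                }
            }
        }
        rule 13 {
            action accept
            description "Robots intern toestaan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group Robots
                }
            }
        }
        rule 14 {
            action drop
            description "Robots naar buiten blokkeren"
            destination {
                address 0.0.0.0/0
            }
            log enable
            protocol all
            source {
                group {
                    address-group Robots
                }
            }
        }
    }
    name VLAN30_Inkomend {
        default-action drop
        description "Inkomend verkeer gastennetwerk"
        rule 1 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    name VLAN30_LokaalManagement {
        default-action drop
        description "Blokkeer VLAN30 toegang tot local management"
    }
    /* NOTE(review): guest traffic is accepted without restriction here; VLAN10/VLAN20 are protected by their own "out" policies, but eth4 (172.16.0.0/24) and the untagged switch0 network (192.0.1.0/24) carry no firewall at all in this paste, so guest traffic towards them is unfiltered - confirm this is intended */
    name VLAN30_Uitgaand {
        default-action accept
        description "Verkeer van VLAN30 naar router en elders"
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off; strict checks commonly interfere with dual-WAN setups, so this is probably deliberate */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN 1 Ziggo"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    /* NOTE(review): the untagged parent also requests DHCP while the KPN session runs on vif 6 / pppoe 1 below; harmless as long as nothing answers, but unneeded for the PPPoE path - confirm */
    ethernet eth1 {
        address dhcp
        description "WAN 2 KPN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
        vif 6 {
            address dhcp
            description "KPN Internet VLAN"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            pppoe 1 {
                default-route auto
                description "pppoe over kpn vlan6"
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                /* no "protocols ospf" exists in this config, so these OSPF interface parameters are inert */
                ip {
                    ospf {
                        authentication {
                        }
                        dead-interval 40
                        hello-interval 10
                        priority 1
                        retransmit-interval 5
                        transmit-delay 1
                    }
                }
                mtu 1492
                /* resolvers learned from the PPPoE peer are added to the router's own resolver list, next to the static system name-servers below */
                name-server auto
                password #secret#
                user-id #secret#
            }
        }
    }
    ethernet eth2 {
        description "LAN 1 - eth2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "LAN 2 - eth3"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* NOTE(review): management port with no firewall attached in any direction */
    ethernet eth4 {
        address 172.16.0.1/24
        description "LAN 3 - eth4 - backup-mgnt"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        address dhcp
        description "WAN 3"
        disable
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
    /* NOTE(review): 192.0.1.0/24 is not RFC1918 space and is absent from PRIVATE_NETS; this untagged network (pvid 1 on eth2/eth3) also has no firewall attached */
    switch switch0 {
        address 192.0.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                }
            }
            interface eth3 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 192.168.1.1/24
            description VLAN10-Netwerk
            firewall {
                in {
                    name VLAN10_Uitgaand
                }
                out {
                    name VLAN10_Inkomend
                }
            }
            mtu 1500
        }
        vif 20 {
            address 192.168.2.1/24
            description VLAN20-IOT-devices
            firewall {
                in {
                    name VLAN20_Uitgaand
                }
                local {
                    name VLAN20_LokaalManagement
                }
                out {
                    name VLAN20_Inkomend
                }
            }
            mtu 1500
        }
        vif 30 {
            address 192.168.3.1/24
            description VLAN30-GamingGuest
            firewall {
                in {
                    name VLAN30_Uitgaand
                }
                local {
                    name VLAN30_LokaalManagement
                }
                out {
                    name VLAN30_Inkomend
                }
            }
        }
    }
}
/* pppoe1 is the only active member; eth0 is used for failover; lb-local also steers the router's own traffic through this group */
load-balance {
    group G {
        exclude-local-dns disable
        flush-on-active enable
        gateway-update-interval 20
        interface eth0 {
            failover-only
        }
        interface pppoe1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
protocols {
    static {
        /* default route pinned to the KPN PPPoE session at distance 1 */
        interface-route 0.0.0.0/0 {
            next-hop-interface pppoe1 {
                description "Route via KPN glas"
                distance 1
            }
        }
        route 10.0.3.0/24 {
            next-hop 192.168.1.200 {
                description "Virtuele containers NAS"
                distance 5
            }
        }
        route 192.168.178.0/24 {
            next-hop 192.168.178.1 {
                description "Naar ziggo EPC3925 netwerk"
            }
        }
    }
}
service {
    /* every scope hands clients public resolvers directly; the router does not act as a DNS forwarder (service dns is empty below) */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name ManagementPort {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                dns-server 80.80.80.80
                lease 86400
                start 172.16.0.10 {
                    stop 172.16.0.100
                }
            }
        }
        shared-network-name VLAN1 {
            authoritative disable
            subnet 192.0.1.0/24 {
                default-router 192.0.1.1
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 192.0.1.38 {
                    stop 192.0.1.199
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 9.9.9.9
                lease 600
                start 192.168.1.2 {
                    stop 192.168.1.199
                }
            }
        }
        shared-network-name VLAN20 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 1.1.1.1
                dns-server 9.9.9.9
                lease 600
                start 192.168.2.2 {
                    stop 192.168.2.199
                }
            }
        }
        shared-network-name VLAN30 {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 600
                start 192.168.3.2 {
                    stop 192.168.3.199
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* NOTE(review): no forwarding configured, so a client lookup is an ordinary port-53 flow from the client across pppoe1 (WAN_IN + NAT rule 5000), not something the router resolves; comparing a lookup run on the router itself with one from a client separates a router-side resolver problem from a forwarded-traffic problem */
    dns {
    }
    /* NOTE(review): plain HTTP on 80 and legacy TLS ciphers enabled on the management GUI, which VLAN20_LokaalManagement currently does not block */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    mdns {
        reflector
        repeater {
            interface switch0.10
            interface switch0.20
        }
    }
    nat {
        /* log enable here writes a syslog line for every new masqueraded flow over pppoe1 */
        rule 5000 {
            description "masquerade for PPPoe1 (KPN VLAN6)"
            log enable
            outbound-interface pppoe1
            protocol all
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN 1 (Ziggo)"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5002 {
            description "masquerade for Eth 1.6 (KPN)"
            disable
            log disable
            outbound-interface eth1.6
            protocol all
            type masquerade
        }
        rule 5003 {
            description "masquerade for WAN 2 (KPN)"
            disable
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN 3 (SFP port)"
            disable
            log disable
            outbound-interface eth5
            protocol all
            type masquerade
        }
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    crash-handler {
        send-crash-report false
    }
    domain-name LAN
    host-name EdgeRouter-X-SFP-6-Port
    login {
        user #secret# {
            authentication {
                encrypted-password #secret#
            }
            level admin
        }
    }
    /* resolvers used by the router itself (plus whatever pppoe1 "name-server auto" adds) */
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 80.80.80.80
    name-server 9.9.9.9
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* debug level for the protocols facility is verbose; useful while troubleshooting the PPPoE session, noisy afterwards */
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        custom-category Media_streaming {
            name Youtube
            name Netflix
            name Spotify
        }
        custom-category Network_protocols {
            name "DNS over TLS"
            name DNS
        }
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue VLAN20 {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 8mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 16mbit
        }
        wan-interface switch0.20
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.2.5402463.210511.1317 */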

 


Dit is echt onleesbaar.

Kan je de structuur behouden en niet alles in één grote brij achter elkaar zetten.


Er gaat iets helemaal mis met de tekencodering bij het plakken. Op een of andere manier worden er veel te veel tekens geplakt (want mijn config.boot is helemaal geen 30000 tekens) waardoor deze chaos ontstaat… Ik ga nog even proberen of ik het op een andere manier voor elkaar kan krijgen.

 


firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Chromecast_address {
            address 192.168.2.157
            address 192.168.2.159
            description "Alle apparaten die chromecast ondersteunen"
        }
        address-group IP_Cameras {
            address 192.168.2.102
            address 192.168.2.104
            description "IP cameras"
        }
        address-group Robots {
            address 192.168.2.110
            address 192.168.2.70
            description "Stofzuigrobots"
        }
        network-group PRIVATE_NETS {
            description "Private netwerken"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        port-group Chromecast_port {
            description "Poorten voor apparaten die chromecast ondersteunen"
            port 32768-61000
        }
        port-group General_webports {
            description "Algemene webpoorten"
            port 80
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth5
                }
            }
            modify {
                table main
            }
        }
        rule 80 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name VLAN10_Inkomend {
        default-action drop
        description "Verkeer naar het VLAN10"
        rule 10 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "DNS toestaan"
            destination {
                port 53
            }
            disable
            log disable
            protocol tcp_udp
            source {
                group {
                    network-group PRIVATE_NETS
                }
            }
        }
        rule 30 {
            action accept
            description "Inkomend ICMP toestaan (o.a. ping)"
            log disable
            protocol icmp
            source {
                address 192.168.2.0/24
            }
        }
        rule 40 {
            action accept
            description "Inkomend IGMP toestaan (Group multicast)"
            log disable
            protocol igmp
            source {
                address 192.168.2.0/24
            }
        }
        rule 50 {
            action accept
            description "Toestaan TCP verkeer van chromecast"
            destination {
                address 192.168.1.0/24
                group {
                }
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group Chromecast_address
                }
                port 8008-8009,8443
            }
        }
        rule 60 {
            action accept
            description "Toestaan UDP verkeer van chromecast (bron)"
            destination {
                address 192.168.1.0/24
                group {
                }
            }
            log enable
            protocol udp
            source {
                group {
                    address-group Chromecast_address
                    port-group Chromecast_port
                }
            }
        }
        rule 70 {
            action accept
            description "Toestaan UDP verkeer van chromecast (doel)"
            destination {
                address 192.168.1.0/24
                group {
                    port-group Chromecast_port
                }
            }
            log enable
            protocol udp
            source {
                group {
                    address-group Chromecast_address
                }
            }
        }
        rule 71 {
            action accept
            description "Inkomend SSDP/DIAL port 1900 UDP chromecast open"
            log disable
            protocol udp
            source {
                port 1900
            }
        }
    }
    name VLAN10_Uitgaand {
        default-action accept
        description "Van Netwerk inkomend bij router"
        rule 10 {
            action accept
            description "Virtuele containers NAS"
            destination {
                address 10.0.3.0/24
            }
            log disable
            protocol tcp_udp
            source {
                address 192.168.1.0/24
                group {
                }
            }
        }
        rule 20 {
            action accept
            description "Alle verkeer naar buiten"
            destination {
                address 0.0.0.0/0
            }
            log disable
            protocol all
            source {
                address 192.168.1.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    /* Applied in the "out" direction on switch0.20: traffic the router delivers INTO the IoT VLAN. Default drop, so only the rules below admit anything. */
    name VLAN20_Inkomend {
        default-action drop
        description "Verkeer naar het VLAN20"
        /* Reply traffic for sessions the IoT hosts opened themselves */
        rule 10 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Disabled: inbound DNS (port 53) to this VLAN is not explicitly allowed. The rule has no source/destination address match, so enabling it as-is would admit DNS from anywhere. */
        rule 20 {
            action accept
            description "DNS toestaan"
            destination {
                port 53
            }
            disable
            log enable
            protocol tcp_udp
        }
        /* Any protocol from VLAN10 (192.168.1.0/24) into the IoT VLAN; the empty group { } adds no constraint */
        rule 40 {
            action accept
            description "Verkeer van VLAN10 toelaten"
            log disable
            protocol all
            source {
                address 192.168.1.0/24
                group {
                }
            }
        }
        /* NOTE(review): matches only on SOURCE port 32768-61000 (an ephemeral range) and the destination address-group. There is no source address restriction, so most UDP from any origin toward the Chromecast hosts is accepted — confirm whether a source address-group was intended. */
        rule 50 {
            action accept
            description "Inkomend Chromecasts UDP verkeer"
            destination {
                group {
                    address-group Chromecast_address
                }
            }
            log enable
            protocol udp
            source {
                group {
                    port-group Chromecast_port
                }
            }
        }
        /* SSDP/DIAL: matched on source port 1900 only; the source port is chosen by the sender, so this is a weak filter, but it is at least limited to the Chromecast hosts */
        rule 51 {
            action accept
            description "Inkomend SSDP/DIAL port 1900 UDP chromecast open"
            destination {
                group {
                    address-group Chromecast_address
                }
            }
            log disable
            protocol udp
            source {
                port 1900
            }
        }
    }
    /* NOTE(review): the description says "block", but default-action accept with no rules means this ruleset blocks nothing. IoT hosts on VLAN20 can reach every router-local service (e.g. the GUI on 80/443). Compare VLAN30_LokaalManagement, which uses default-action drop. */
    name VLAN20_LokaalManagement {
        default-action accept
        description "Blokkeer VLAN20 toegang tot local management"
    }
    /* Applied in the "in" direction on switch0.20: traffic FROM IoT hosts toward the router and beyond. Default accept, so only the drop rules restrict anything; rule order matters (11 before 12, 13 before 14). */
    name VLAN20_Uitgaand {
        default-action accept
        description "Uit VLAN20 naar rest"
        /* Disabled: outbound DNS from VLAN20 is therefore currently allowed, despite the description */
        rule 10 {
            action drop
            description "DNS *NIET* toestaan ivm UDP flood"
            destination {
                port 53
            }
            disable
            log enable
            protocol tcp_udp
        }
        /* Cameras may talk to RFC 1918 destinations only (PRIVATE_NETS) ... */
        rule 11 {
            action accept
            description "Cameras intern toestaan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group IP_Cameras
                }
            }
        }
        /* ... everything else from the cameras is dropped and logged (no internet access) */
        rule 12 {
            action drop
            description "Cameras naar buiten blokkeren"
            destination {
                address 0.0.0.0/0
            }
            log enable
            protocol all
            source {
                group {
                    address-group IP_Cameras
                }
            }
        }
        /* Same pattern for the vacuum robots: internal only ... */
        rule 13 {
            action accept
            description "Robots intern toestaan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group Robots
                }
            }
        }
        /* ... and logged drop for anything else */
        rule 14 {
            action drop
            description "Robots naar buiten blokkeren"
            destination {
                address 0.0.0.0/0
            }
            log enable
            protocol all
            source {
                group {
                    address-group Robots
                }
            }
        }
    }
    /* Guest VLAN, "out" direction on switch0.30: only replies to sessions the guests initiated get back in; nothing may be initiated toward the guests */
    name VLAN30_Inkomend {
        default-action drop
        description "Inkomend verkeer gastennetwerk"
        rule 1 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    /* Default drop with no exceptions: guest hosts cannot reach any router-local service. The router is also the DHCP server for 192.168.3.0/24 — NOTE(review): confirm leases still work (dhcpd may receive on a raw socket and bypass this filter); the guest scope hands out public resolvers, so no DNS to 192.168.3.1 is expected. */
    name VLAN30_LokaalManagement {
        default-action drop
        description "Blokkeer VLAN30 toegang tot local management"
    }
    /* Default accept with no rules: guests may initiate traffic anywhere, including toward the other VLANs. Guest isolation therefore relies entirely on the destination VLANs' "_Inkomend" rulesets. */
    name VLAN30_Uitgaand {
        default-action accept
        description "Verkeer van VLAN30 naar router en elders"
    }
    /* Applied "in" on every WAN-facing interface (eth0, eth1, eth1.6, pppoe1, eth5): stateful accept of replies, drop invalid, and a logged default drop */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* Reached only for invalid packets; default drop would catch them anyway, so this is mainly for explicitness */
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Applied "local" on every WAN-facing interface: only replies to router-initiated traffic reach the router itself. Unlike WAN_IN there is no enable-default-log, so dropped connection attempts against the router are not logged. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Global options: ICMP redirects are still sent (send-redirects enable) and reverse-path filtering is off (source-validation disable). The latter is presumably needed for WAN load balancing, but it means packets with spoofed source addresses are not dropped at ingress. */
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

 


En het tweede deel:


/* Interfaces (first, non-working version). Every WAN-facing interface carries WAN_IN/WAN_LOCAL; the LAN VLAN vifs carry their own rulesets; switch0 and eth4 carry none. */
interfaces {
    /* Ziggo WAN via DHCP; failover path in the load-balance group */
    ethernet eth0 {
        address dhcp
        description "WAN 1 Ziggo"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    /* KPN fibre: the ONT is connected here. NOTE(review): address dhcp on both eth1 and eth1.6 runs DHCP clients next to the PPPoE session — presumably leftovers from the box-12 setup, confirm they are needed. */
    ethernet eth1 {
        address dhcp
        description "WAN 2 KPN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
        vif 6 {
            address dhcp
            description "KPN Internet VLAN"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            /* The actual internet session: PPPoE over VLAN 6, MTU 1492 (no baby-jumbo on the parent here) */
            pppoe 1 {
                default-route auto
                description "pppoe over kpn vlan6"
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                /* OSPF interface parameters with empty authentication; no OSPF process exists under "protocols" in this config, so this stanza appears inert — confirm */
                ip {
                    ospf {
                        authentication {
                        }
                        dead-interval 40
                        hello-interval 10
                        priority 1
                        retransmit-interval 5
                        transmit-delay 1
                    }
                }
                mtu 1492
                /* Resolvers pushed by the PPPoE peer are taken over for the router's own resolution */
                name-server auto
                /* Credentials redacted in the posted copy */
                password #secret#
                user-id #secret#
            }
        }
    }
    ethernet eth2 {
        description "LAN 1 - eth2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "LAN 2 - eth3"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* Out-of-band management port: no firewall rulesets attached, so anything plugged in here has unfiltered access to the router */
    ethernet eth4 {
        address 172.16.0.1/24
        description "LAN 3 - eth4 - backup-mgnt"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* SFP port, administratively disabled */
    ethernet eth5 {
        address dhcp
        description "WAN 3"
        disable
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
    /* Untagged network (pvid 1). NOTE(review): 192.0.1.0/24 is not an RFC 1918 range and is not in PRIVATE_NETS, so the "do NOT load balance lan to lan" modify rule does not match it. No firewall is attached to switch0 itself, so untagged hosts reach router-local services unfiltered and traffic from the other VLANs into this network is not filtered either. */
    switch switch0 {
        address 192.0.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                }
            }
            interface eth3 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                }
            }
            vlan-aware enable
        }
        /* "in" = traffic from VLAN10 hosts, "out" = traffic delivered into VLAN10. No "local" ruleset, so VLAN10 hosts reach router services unrestricted. */
        vif 10 {
            address 192.168.1.1/24
            description VLAN10-Netwerk
            firewall {
                in {
                    name VLAN10_Uitgaand
                }
                out {
                    name VLAN10_Inkomend
                }
            }
            mtu 1500
        }
        /* IoT VLAN: the "local" ruleset here is VLAN20_LokaalManagement, which is default-accept with no rules */
        vif 20 {
            address 192.168.2.1/24
            description VLAN20-IOT-devices
            firewall {
                in {
                    name VLAN20_Uitgaand
                }
                local {
                    name VLAN20_LokaalManagement
                }
                out {
                    name VLAN20_Inkomend
                }
            }
            mtu 1500
        }
        /* Guest VLAN: default-drop "local" and "out" rulesets */
        vif 30 {
            address 192.168.3.1/24
            description VLAN30-GamingGuest
            firewall {
                in {
                    name VLAN30_Uitgaand
                }
                local {
                    name VLAN30_LokaalManagement
                }
                out {
                    name VLAN30_Inkomend
                }
            }
        }
    }
}
/* WAN load-balance group G: pppoe1 (KPN) is the active path, eth0 (Ziggo) is used only on failover. lb-local enable also subjects traffic originated by the router to the group, and exclude-local-dns disable means the router's own DNS lookups are not exempted from it — relevant when resolvers only answer on one WAN. */
load-balance {
    group G {
        exclude-local-dns disable
        flush-on-active enable
        gateway-update-interval 20
        interface eth0 {
            failover-only
        }
        interface pppoe1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
/* Static routing only (no dynamic protocol, despite the OSPF parameters on pppoe1) */
protocols {
    static {
        /* Explicit default via pppoe1 at distance 1, next to pppoe1's own default-route auto */
        interface-route 0.0.0.0/0 {
            next-hop-interface pppoe1 {
                description "Route via KPN glas"
                distance 1
            }
        }
        /* Container network behind the NAS in VLAN10 */
        route 10.0.3.0/24 {
            next-hop 192.168.1.200 {
                description "Virtuele containers NAS"
                distance 5
            }
        }
        /* NOTE(review): the next hop lies inside the destination prefix and no visible interface has a static address in 192.168.178.0/24 (eth0 is DHCP), so this route only resolves if eth0 obtains a lease in that range — confirm */
        route 192.168.178.0/24 {
            next-hop 192.168.178.1 {
                description "Naar ziggo EPC3925 netwerk"
            }
        }
    }
}
/* Router services: DHCP scopes per VLAN, web GUI, mDNS repeater, outbound NAT */
service {
    /* All scopes hand out public resolvers directly. With use-dnsmasq disable and the empty "dns { }" stanza below, this router runs no DNS forwarder: client DNS goes straight out via the WAN and through the load balancer. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name ManagementPort {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                dns-server 80.80.80.80
                lease 86400
                start 172.16.0.10 {
                    stop 172.16.0.100
                }
            }
        }
        /* Untagged network (see switch0): non-RFC 1918 addressing, see note there */
        shared-network-name VLAN1 {
            authoritative disable
            subnet 192.0.1.0/24 {
                default-router 192.0.1.1
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 192.0.1.38 {
                    stop 192.0.1.199
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 9.9.9.9
                lease 600
                start 192.168.1.2 {
                    stop 192.168.1.199
                }
            }
        }
        shared-network-name VLAN20 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 1.1.1.1
                dns-server 9.9.9.9
                lease 600
                start 192.168.2.2 {
                    stop 192.168.2.199
                }
            }
        }
        shared-network-name VLAN30 {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 600
                start 192.168.3.2 {
                    stop 192.168.3.199
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* No DNS forwarding configured */
    dns {
    }
    /* NOTE(review): older-ciphers enable weakens the GUI's TLS configuration. The GUI is reachable from every LAN interface whose "local" ruleset does not drop it: VLAN20's is default-accept, and eth4, switch0 and VLAN10 have no local ruleset at all. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* mDNS reflected between VLAN10 and the IoT VLAN, presumably for Chromecast discovery */
    mdns {
        reflector
        repeater {
            interface switch0.10
            interface switch0.20
        }
    }
    nat {
        /* NOTE(review): log enable on a masquerade rule logs every new outbound flow on the primary WAN — high volume; rule 5001 has it disabled */
        rule 5000 {
            description "masquerade for PPPoe1 (KPN VLAN6)"
            log enable
            outbound-interface pppoe1
            protocol all
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN 1 (Ziggo)"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        /* Rules 5002-5004 are disabled: masquerade on the KPN parent/VLAN interfaces and the SFP port */
        rule 5002 {
            description "masquerade for Eth 1.6 (KPN)"
            disable
            log disable
            outbound-interface eth1.6
            protocol all
            type masquerade
        }
        rule 5003 {
            description "masquerade for WAN 2 (KPN)"
            disable
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN 3 (SFP port)"
            disable
            log disable
            outbound-interface eth5
            protocol all
            type masquerade
        }
    }
    /* Ubiquiti discovery and UNMS agent both off — good for reducing exposed services */
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
/* System settings: conntrack sizing, admin login, the router's own resolvers, NTP, syslog, DPI */
system {
    analytics-handler {
        send-analytics-report false
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    crash-handler {
        send-crash-report false
    }
    domain-name LAN
    host-name EdgeRouter-X-SFP-6-Port
    /* Admin account; username and password hash redacted in the posted copy */
    login {
        user #secret# {
            authentication {
                encrypted-password #secret#
            }
            level admin
        }
    }
    /* Resolvers for the router itself, all public; the PPPoE-pushed resolvers (name-server auto on pppoe1) are added on top of these */
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 80.80.80.80
    name-server 9.9.9.9
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Debug-level logging for routing protocols is verbose; keep only while troubleshooting */
            facility protocols {
                level debug
            }
        }
    }
    /* Log timestamps are in UTC; keep in mind when correlating with other devices */
    time-zone UTC
    /* Deep packet inspection enabled, with export of the statistics */
    traffic-analysis {
        custom-category Media_streaming {
            name Youtube
            name Netflix
            name Spotify
        }
        custom-category Network_protocols {
            name "DNS over TLS"
            name DNS
        }
        dpi enable
        export enable
    }
}
/* Smart-queue shaper bound to the IoT VLAN vif (switch0.20) rather than a WAN interface. NOTE(review): because the bound interface is LAN-side, the "download"/"upload" labels are from the router's view of that interface, i.e. likely reversed from the IoT hosts' perspective (8mbit vs 16mbit) — confirm the intended direction. */
traffic-control {
    smart-queue VLAN20 {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 8mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 16mbit
        }
        wan-interface switch0.20
    }
}

 

 

 


Opgelost, met dank aan de tip van wbj voor de scripts. Ik heb deze handmatig nog eens doorgelopen en zag dat ik de IPv6-configuratie niet had meegenomen. Ik gebruik(te) tot nu toe alleen IPv4, dus toch maar even toegevoegd, en nu werkt het 😀!


Vreemd, want de IPv6-configuratie heeft weinig raakvlakken met het door jou gemelde issue, en ook zonder IPv6 zou het natuurlijk nog altijd op basis van IPv4 moeten werken.

Ik neem overigens aan dat je ook de IPv6 firewall dan netjes ingericht hebt.


Ja, ik heb ook de nodige IPv6 WAN zijdige firewall regels aangemaakt.

Overigens vond ik het ook vreemd dat de IPv4-configuratie alleen niet werkte, maar ik heb hoofdzakelijk de IPv6-configuratie uit de scripts overgenomen, de MTU-waarden van het KPN-VLAN en de PPPoE-sessie aangepast en de radvd-options op de switch toegevoegd. Daarmee werkt het in ieder geval.

 


Nog een kleine test gedaan: ik heb in de firewall even al het IPv6-verkeer geblokkeerd en vervolgens had ik (weer) geen goede DNS-resolving. Met IPv6 (DHCPv6, poort 546 en 547) en established/related-verkeer toegestaan op de lokale switch werkt het wel.


Plaats weer eens jouw config.boot in een spoiler element.


Bijgesloten de werkende versie. Overigens zie ik ook (en dat heb ik overgenomen uit de scripts) dat de eerste DNS-server nu 127.0.0.1 is; in combinatie met de port forwarding op de EdgeRouter is dat, denk ik, de oplossing geweest. Overigens heb ik in deze config.boot, toen het allemaal weer werkte, via een NAT-regel de DNS over mijn Pi-hole gestuurd.

 

Deel 1 van de config.boot:

/* Working version: the IPv4 rulesets as before, plus IPv6 rulesets (WANv6_IN/WANv6_LOCAL) for the PPPoE link and log-martians turned on. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Chromecast_address {
            address 192.168.2.157
            address 192.168.2.159
            description "Alle apparaten die chromecast ondersteunen"
        }
        address-group IP_Cameras {
            address 192.168.2.102
            address 192.168.2.104
            description "IP cameras"
        }
        address-group Robots {
            address 192.168.2.110
            address 192.168.2.70
            description "Stofzuigrobots"
        }
        /* The three RFC 1918 ranges only; the untagged switch0 network 192.0.1.0/24 is NOT covered, so rules keyed on this group (modify rule 10, the camera/robot "intern" rules) do not treat it as internal */
        network-group PRIVATE_NETS {
            description "Private netwerken"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        /* Ephemeral port range; used as a SOURCE port match in several rules, which is a weak discriminator */
        port-group Chromecast_port {
            description "Poorten voor apparaten die chromecast ondersteunen"
            port 32768-61000
        }
        port-group General_webports {
            description "Algemene webpoorten"
            port 80
            port 443
        }
    }
    /* IPv6 counterpart of WAN_IN for pppoe1: replies only, default drop (not logged) */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv6 counterpart of WAN_LOCAL. NOTE(review): there is no ICMPv6 accept rule, so router advertisements and other ICMPv6 from the WAN fall through to default drop unless conntrack marks them related — the author reports the link works, but confirm. */
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        /* DHCPv6 replies (server port 547 -> client port 546), needed for the prefix delegation on pppoe1; matched on ports only, no source address restriction */
        rule 30 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Now enabled (was disabled in the earlier config): packets with impossible source addresses are logged */
    log-martians enable
    /* Policy routing for the load balancer: packets to RFC 1918 destinations or to any of the router's own WAN addresses stay in table main; everything else (rule 80) is handed to load-balance group G. ADDRv4_* are the per-interface address groups EdgeOS maintains automatically. */
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth5
                }
            }
            modify {
                table main
            }
        }
        /* Catch-all: everything not matched above goes through the load-balance group */
        rule 80 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Applied "out" on switch0.10: traffic delivered INTO VLAN10, default drop */
    name VLAN10_Inkomend {
        default-action drop
        description "Verkeer naar het VLAN10"
        rule 10 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Disabled: DNS from other private networks into VLAN10 is not explicitly allowed */
        rule 20 {
            action accept
            description "DNS toestaan"
            destination {
                port 53
            }
            disable
            log disable
            protocol tcp_udp
            source {
                group {
                    network-group PRIVATE_NETS
                }
            }
        }
        /* ICMP and IGMP from the IoT VLAN into VLAN10 (ping, multicast group management) */
        rule 30 {
            action accept
            description "Inkomend ICMP toestaan (o.a. ping)"
            log disable
            protocol icmp
            source {
                address 192.168.2.0/24
            }
        }
        rule 40 {
            action accept
            description "Inkomend IGMP toestaan (Group multicast)"
            log disable
            protocol igmp
            source {
                address 192.168.2.0/24
            }
        }
        /* Chromecast-originated TCP, restricted by source address-group AND source port */
        rule 50 {
            action accept
            description "Toestaan TCP verkeer van chromecast"
            destination {
                address 192.168.1.0/24
                group {
                }
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group Chromecast_address
                }
                port 8008-8009,8443
            }
        }
        /* Chromecast-originated UDP, keyed on source address-group plus source port range (rule 60) or destination port range (rule 70) */
        rule 60 {
            action accept
            description "Toestaan UDP verkeer van chromecast (bron)"
            destination {
                address 192.168.1.0/24
                group {
                }
            }
            log enable
            protocol udp
            source {
                group {
                    address-group Chromecast_address
                    port-group Chromecast_port
                }
            }
        }
        rule 70 {
            action accept
            description "Toestaan UDP verkeer van chromecast (doel)"
            destination {
                address 192.168.1.0/24
                group {
                    port-group Chromecast_port
                }
            }
            log enable
            protocol udp
            source {
                group {
                    address-group Chromecast_address
                }
            }
        }
        /* NOTE(review): unlike rule 51 in VLAN20_Inkomend, no address-group is matched here: ANY UDP with source port 1900 is accepted into VLAN10, regardless of origin. Adding "source group address-group Chromecast_address" would tighten this. */
        rule 71 {
            action accept
            description "Inkomend SSDP/DIAL port 1900 UDP chromecast open"
            log disable
            protocol udp
            source {
                port 1900
            }
        }
    }
    /* Applied "in" on switch0.10: traffic FROM VLAN10 hosts. Default accept, so rules 10 and 20 only document intent (they accept what the default would accept anyway). */
    name VLAN10_Uitgaand {
        default-action accept
        description "Van Netwerk inkomend bij router"
        rule 10 {
            action accept
            description "Virtuele containers NAS"
            destination {
                address 10.0.3.0/24
            }
            log disable
            protocol tcp_udp
            source {
                address 192.168.1.0/24
                group {
                }
            }
        }
        rule 20 {
            action accept
            description "Alle verkeer naar buiten"
            destination {
                address 0.0.0.0/0
            }
            log disable
            protocol all
            source {
                address 192.168.1.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    /* Applied "out" on switch0.20: traffic delivered INTO the IoT VLAN, default drop */
    name VLAN20_Inkomend {
        default-action drop
        description "Verkeer naar het VLAN20"
        rule 10 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Disabled; has no address match, so enabling it as-is would admit DNS from anywhere */
        rule 20 {
            action accept
            description "DNS toestaan"
            destination {
                port 53
            }
            disable
            log disable
            protocol tcp_udp
        }
        /* Any protocol from VLAN10 into the IoT VLAN */
        rule 40 {
            action accept
            description "Verkeer van VLAN10 toelaten"
            log disable
            protocol all
            source {
                address 192.168.1.0/24
                group {
                }
            }
        }
        /* NOTE(review): matched on SOURCE port 32768-61000 (ephemeral range) only, with no source address restriction — most UDP from any origin toward the Chromecast hosts is accepted */
        rule 50 {
            action accept
            description "Inkomend Chromecasts UDP verkeer"
            destination {
                group {
                    address-group Chromecast_address
                }
            }
            log enable
            protocol udp
            source {
                group {
                    port-group Chromecast_port
                }
            }
        }
        /* SSDP/DIAL to the Chromecast hosts only; source port 1900 is a weak filter on its own */
        rule 51 {
            action accept
            description "Inkomend SSDP/DIAL port 1900 UDP chromecast open"
            destination {
                group {
                    address-group Chromecast_address
                }
            }
            log disable
            protocol udp
            source {
                port 1900
            }
        }
    }
    /* NOTE(review): description says "block", but default-action accept with no rules blocks nothing — IoT hosts can reach every router-local service (GUI on 80/443 included). Compare VLAN30_LokaalManagement. */
    name VLAN20_LokaalManagement {
        default-action accept
        description "Blokkeer VLAN20 toegang tot local management"
    }
    /* Applied "in" on switch0.20: traffic FROM IoT hosts. Default accept; only the drop rules restrict, and order matters (11 before 12, 13 before 14). */
    name VLAN20_Uitgaand {
        default-action accept
        description "Uit VLAN20 naar rest"
        /* Disabled: outbound DNS from VLAN20 is therefore allowed despite the description */
        rule 10 {
            action drop
            description "DNS *NIET* toestaan ivm UDP flood"
            destination {
                port 53
            }
            disable
            log enable
            protocol tcp_udp
        }
        /* Cameras: RFC 1918 destinations only; everything else dropped (rule 12, logging now off in this version) */
        rule 11 {
            action accept
            description "Cameras intern toestaan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group IP_Cameras
                }
            }
        }
        rule 12 {
            action drop
            description "Cameras naar buiten blokkeren"
            destination {
                address 0.0.0.0/0
            }
            log disable
            protocol all
            source {
                group {
                    address-group IP_Cameras
                }
            }
        }
        /* Vacuum robots: same internal-only pattern */
        rule 13 {
            action accept
            description "Robots intern toestaan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group Robots
                }
            }
        }
        rule 14 {
            action drop
            description "Robots naar buiten blokkeren"
            destination {
                address 0.0.0.0/0
            }
            log disable
            protocol all
            source {
                group {
                    address-group Robots
                }
            }
        }
    }
    /* Guest VLAN, "out" direction: replies only */
    name VLAN30_Inkomend {
        default-action drop
        description "Inkomend verkeer gastennetwerk"
        rule 1 {
            action accept
            description "Toestaan bestaand/gerelateerd verkeer"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    /* Default drop, no exceptions: guests cannot reach router-local services. The router serves DHCP for 192.168.3.0/24 — confirm leases still work (dhcpd may bypass this filter via a raw socket). */
    name VLAN30_LokaalManagement {
        default-action drop
        description "Blokkeer VLAN30 toegang tot local management"
    }
    /* Default accept, no rules: guests may initiate anywhere; isolation relies on the other VLANs' "_Inkomend" rulesets, and the untagged switch0 network has none */
    name VLAN30_Uitgaand {
        default-action accept
        description "Verkeer van VLAN30 naar router en elders"
    }
    /* Applied "in" on every WAN-facing interface: replies only, logged default drop */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Applied "local" on every WAN-facing interface: replies only; no default log, so drops against the router are not recorded */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Global options: ICMP redirects are sent, reverse-path filtering is off (source-validation disable — presumably for the load balancer, but spoofed sources are not dropped at ingress), SYN cookies on */
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

 


En deel 2:


interfaces {
    /* Ziggo WAN via DHCP (failover path); IPv4 rulesets only, no IPv6 rulesets are attached here */
    ethernet eth0 {
        address dhcp
        description "WAN 1 Ziggo"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    /* KPN fibre. MTU chain 1512 (eth1) -> 1508 (eth1.6) -> 1500 (pppoe1) gives the PPPoE session a full 1500-byte MTU. DHCP clients still run on eth1 and eth1.6 next to the PPPoE session — presumably leftovers, confirm. Only pppoe1 carries the IPv6 rulesets; eth1/eth1.6 have no IPv6 addresses configured, so that is moot unless IPv6 is later enabled on them. */
    ethernet eth1 {
        address dhcp
        description "WAN 2 KPN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        mtu 1512
        poe {
            output off
        }
        speed auto
        vif 6 {
            address dhcp
            description "KPN Internet VLAN"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1508
            pppoe 1 {
                default-route auto
                /* Delegated /48 is handed to switch0 only (prefix-id 1, SLAAC); the tagged VLAN vifs get no IPv6 from this stanza */
                dhcpv6-pd {
                    pd 0 {
                        interface switch0 {
                            host-address ::1
                            prefix-id 1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                /* IPv4 and IPv6 rulesets on the session interface */
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                /* NOTE(review): if this is the PPPoE idle-disconnect timer, the primary WAN session is torn down after 180 s without traffic — confirm that is intended */
                idle-timeout 180
                /* OSPF parameters with empty authentication; no OSPF process is configured under "protocols" in the earlier config, so presumably inert */
                ip {
                    ospf {
                        authentication {
                        }
                        dead-interval 40
                        hello-interval 10
                        priority 1
                        retransmit-interval 5
                        transmit-delay 1
                    }
                }
                ipv6 {
                    dup-addr-detect-transmits 1
                }
                mtu 1500
                /* Resolvers pushed by the PPPoE peer are used for the router's own resolution */
                name-server auto
                /* Credentials redacted in the posted copy */
                password #secret#
                user-id #secret#
            }
        }
    }
    /* Switch port, member of switch0 (trunk for VLANs 10/20/30 with untagged pvid 1) */
    ethernet eth2 {
        description "LAN 1 - eth2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* Switch port, member of switch0 (same trunk configuration as eth2) */
    ethernet eth3 {
        description "LAN 2 - eth3"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* Routed out-of-band management port, served by the ManagementPort DHCP scope. */
    ethernet eth4 {
        address 172.16.0.1/24
        description "LAN 3 - eth4 - backup-mgnt"
        duplex auto
        /* NOTE(review): no firewall rule set is attached here, so traffic from this port to the router itself is not filtered by this section — fine for a physically controlled management port, worth confirming. */
        poe {
            output off
        }
        speed auto
    }
    /* Third (SFP) WAN, currently disabled; its masquerade rule 5004 is disabled as well. */
    ethernet eth5 {
        address dhcp
        description "WAN 3"
        disable
        duplex auto
        /* Same WAN rule sets as the other uplinks, so enabling the port later keeps it filtered. */
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* Loopback; no addresses configured. */
    loopback lo {
    }
    /* Untagged LAN (VLAN 1) plus the tagged VLANs 10/20/30 carried on the eth2/eth3 trunks below. */
    switch switch0 {
        /* NOTE(review): 192.0.1.0/24 is not an RFC 1918 range, so it may collide with routable address space — a private /24 is the safer choice. */
        address 192.0.1.1/24
        description Local
        ipv6 {
            dup-addr-detect-transmits 1
            /* SLAAC advertisements; the prefix comes from the dhcpv6-pd delegation on pppoe1 (prefix-id 1) rather than being fixed here. */
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                /* The same IPv6 upstreams the dns forwarder uses, handed to clients directly, so v6-capable clients can query them without going through the router's forwarder. */
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                /* NOTE(review): repeats the two name-server lines as a raw RDNSS option — presumably redundant. */
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        /* eth2 and eth3 are trunks: untagged VLAN 1, tagged 10/20/30. */
        switch-port {
            interface eth2 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                }
            }
            interface eth3 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                }
            }
            vlan-aware enable
        }
        /* Main client VLAN. NOTE(review): only in/out rule sets here; unlike vif 20 and vif 30 there is no local rule set, so traffic from this VLAN to the router itself is not filtered by this section. */
        vif 10 {
            address 192.168.1.1/24
            description VLAN10-Netwerk
            firewall {
                in {
                    name VLAN10_Uitgaand
                }
                out {
                    name VLAN10_Inkomend
                }
            }
            mtu 1500
        }
        /* IoT VLAN; the local rule set filters traffic aimed at the router itself. */
        vif 20 {
            address 192.168.2.1/24
            description VLAN20-IOT-devices
            firewall {
                in {
                    name VLAN20_Uitgaand
                }
                local {
                    name VLAN20_LokaalManagement
                }
                out {
                    name VLAN20_Inkomend
                }
            }
            mtu 1500
        }
        /* Guest / gaming VLAN; same pattern as vif 20 (no explicit mtu, default applies). */
        vif 30 {
            address 192.168.3.1/24
            description VLAN30-GamingGuest
            firewall {
                in {
                    name VLAN30_Uitgaand
                }
                local {
                    name VLAN30_LokaalManagement
                }
                out {
                    name VLAN30_Inkomend
                }
            }
        }
    }
}
/* WAN load balancing between Ziggo (eth0) and KPN (pppoe1); no weights or route tests are set, so both members count equally. */
load-balance {
    group G {
        /* The router's own DNS lookups are not exempted from balancing. */
        exclude-local-dns disable
        /* Connection-tracking state is flushed when a member interface becomes active. */
        flush-on-active enable
        gateway-update-interval 20
        interface eth0 {
        }
        interface pppoe1 {
        }
        /* Router-originated traffic is balanced as well. NOTE(review): together with exclude-local-dns disable this means the dns forwarder's queries to its upstream resolvers may leave via eth0 instead of pppoe1 — verify those resolvers answer queries arriving from the Ziggo address. */
        lb-local enable
        lb-local-metric-change disable
    }
}
/* Static routing; the load-balance group decides the per-flow WAN, these are the routes in the main table. */
protocols {
    static {
        /* IPv4 default over the KPN session. The session also has default-route auto, so two sources of a default route exist — NOTE(review): confirm the intended precedence. */
        interface-route 0.0.0.0/0 {
            next-hop-interface pppoe1 {
                description "Route via KPN glas"
                distance 1
            }
        }
        /* IPv6 goes out via KPN only; eth0 carries no IPv6 default here. */
        interface-route6 ::/0 {
            next-hop-interface pppoe1 {
            }
        }
        /* Container network on the NAS; VLAN10 clients reach their DHCP-assigned resolver 10.0.3.2 through this route. */
        route 10.0.3.0/24 {
            next-hop 192.168.1.200 {
                description "Virtuele containers NAS"
                distance 5
            }
        }
        /* NOTE(review): the next-hop lies inside the destination prefix, so it must be reachable on a directly connected network (presumably the Ziggo side of eth0, not visible in this excerpt). */
        route 192.168.178.0/24 {
            next-hop 192.168.178.1 {
                description "Naar ziggo EPC3925 netwerk"
            }
        }
    }
}
/* DHCP, DNS forwarding, GUI, mDNS and NAT. Note that every DHCP scope hands out external resolvers (or the Pi-hole), so DHCP clients do not use the router's own dns forwarder. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* Scope for the eth4 management port. */
        shared-network-name ManagementPort {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                dns-server 80.80.80.80
                lease 86400
                start 172.16.0.10 {
                    stop 172.16.0.100
                }
            }
        }
        /* Scope for the untagged switch0 network. */
        shared-network-name VLAN1 {
            authoritative disable
            subnet 192.0.1.0/24 {
                default-router 192.0.1.1
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 192.0.1.38 {
                    stop 192.0.1.199
                }
                /* Fixed lease for the NAS; 192.0.1.2 sits below the dynamic range. */
                static-mapping QNAP_TS-431p2_port_1 {
                    ip-address 192.0.1.2
                    mac-address 24:5e:be:19:fa:df
                }
            }
        }
        /* Primary resolver is the Pi-hole at 10.0.3.2 (reached via the static route through 192.168.1.200). NOTE(review): clients that fall back to 1.1.1.1 bypass the Pi-hole filtering. */
        shared-network-name VLAN10 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 10.0.3.2
                dns-server 1.1.1.1
                lease 600
                start 192.168.1.2 {
                    stop 192.168.1.199
                }
            }
        }
        /* IoT scope; public resolvers only, the forwarder listening on 192.168.2.1 is not handed out. */
        shared-network-name VLAN20 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 1.1.1.1
                dns-server 9.9.9.9
                lease 600
                start 192.168.2.2 {
                    stop 192.168.2.199
                }
            }
        }
        /* Guest / gaming scope; same resolver choice as VLAN20. */
        shared-network-name VLAN30 {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 600
                start 192.168.3.2 {
                    stop 192.168.3.199
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* Caching forwarder for the router itself (system name-server 127.0.0.1) and for any client pointed at a gateway address; upstreams are the IPv4 and IPv6 ISP resolvers. NOTE(review): with lb-local enabled these upstream queries are load-balanced over both WANs. */
    dns {
        forwarding {
            cache-size 4000
            listen-on switch0
            name-server 195.121.1.34
            name-server 195.121.1.66
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=192.168.1.1
            options listen-address=192.168.2.1
            options listen-address=192.168.3.1
        }
    }
    /* Web UI on the standard ports; whether it is reachable from a WAN depends on the WAN_LOCAL rule set outside this excerpt. NOTE(review): older-ciphers enable re-admits legacy TLS cipher suites — disable unless a specific old client needs them. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Reflects mDNS (e.g. the Chromecast devices) between VLAN10 and VLAN20. */
    mdns {
        reflector
        repeater {
            interface switch0.10
            interface switch0.20
        }
    }
    nat {
        /* Redirects VLAN10 DNS queries for 10.0.3.2 to the Pi-hole on the NAS. NOTE(review): the source match requires source port 53, but client queries use ephemeral source ports, so this rule will not match normal lookups; drop "port 53" under source if the redirect is meant to apply. */
        rule 1 {
            description "Lokale DNS requests via PiHole op NAS"
            destination {
                address 10.0.3.2
                port 53
            }
            inbound-interface switch0.10
            inside-address {
                address 192.168.1.200
                port 49154
            }
            log disable
            protocol tcp_udp
            source {
                address 192.168.1.2-192.168.1.255
                port 53
            }
            type destination
        }
        /* Source NAT for the KPN session. NOTE(review): log enable records every new translated flow — useful while debugging the KPN path, noisy afterwards. */
        rule 5000 {
            description "masquerade for PPPoe1 (KPN VLAN6)"
            log enable
            outbound-interface pppoe1
            protocol all
            type masquerade
        }
        /* Source NAT for the Ziggo uplink. */
        rule 5001 {
            description "masquerade for WAN 1 (Ziggo)"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        /* Source NAT for the disabled SFP uplink (eth5); disabled together with the interface. */
        rule 5004 {
            description "masquerade for WAN 3 (SFP port)"
            disable
            log disable
            outbound-interface eth5
            protocol all
            type masquerade
        }
    }
    /* Ubiquiti discovery and UNMS agent are off; both are management services that do not need to listen here. */
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
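/* Host identity, local user, resolvers, NTP, logging and DPI settings. */
system {
    /* Telemetry and crash reporting to the vendor are disabled. */
    analytics-handler {
        send-analytics-report false
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            /* loose enable lets mid-stream TCP packets create state, which keeps existing flows alive across a WAN switch. */
            loose enable
            max-retrans 3
        }
    }
    crash-handler {
        send-crash-report false
    }
    domain-name LAN
    host-name EdgeRouter-X-SFP-6-Port
    login {
        user beheerder {
            authentication {
                /* Hash redacted in this posted copy, consistent with the PPPoE credentials above: a password hash is private data, and a hash that has been shared should be treated as exposed and the password rotated. */
                encrypted-password #secret#
            }
            level admin
        }
    }
    /* The router resolves through its own dns forwarder first, then falls back to public resolvers. */
    name-server 127.0.0.1
    name-server 1.1.1.1
    name-server 80.80.80.80
    name-server 9.9.9.9
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* NOTE(review): debug level for the protocols facility is verbose — presumably left on for the PPPoE/routing troubleshooting; lower it once the KPN path works. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    /* Deep packet inspection with export of per-host statistics. */
    traffic-analysis {
        custom-category Media_streaming {
            name Youtube
            name Netflix
            name Spotify
        }
        custom-category Network_protocols {
            name "DNS over TLS"
            name DNS
        }
        dpi enable
        export enable
    }
}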
/* Smart queue (fq_codel) shaping for the IoT VLAN. NOTE(review): wan-interface is a LAN VLAN here, so "download" and "upload" are presumably seen from that interface's point of view, i.e. inverted relative to the clients — confirm which direction the 40mbit limit is meant for. */
traffic-control {
    smart-queue VLAN20 {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 40mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 800mbit
        }
        wan-interface switch0.20
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.9-hotfix.2.5402463.210511.1317 */