The Fritz!Box 7390 has issues with VAS and ICMP forwarding; secondly, I feel the router's performance is not meeting expectations, although I have not been able to verify that yet. Hence the switch to a FreeBSD-based router setup. First of all, homework: read the XS4ALL recommendations, the good write-ups by Roel Traag (part 1 and part 2), and the Cisco examples on the KPN forum. Possible improvement: use PIM to make the setup cleaner.
file:/etc/dhclient.conf
# IPTV VLAN (re0vlan4): request only the default router and the classless
# static routes (presumably the routes towards the IPTV networks that
# /etc/firewall.sh and /etc/natd.conf refer to), and identify ourselves as an
# IPTV residential gateway via option 60.
# NOTE(review): a "request" statement replaces dhclient's default request
# list, so subnet-mask and DNS servers are not asked for -- confirm the lease
# still yields a usable netmask on re0vlan4.
interface "re0vlan4" {
request routers,classless-routes;
send dhcp-class-identifier "IPTV_RG";
}
file:/etc/rc.conf
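hostname="routerZW.vanderzwet.net"
sshd_enable="YES"

# Forward IPv4 and IPv6; the IPv6 CPE WAN interface is the PPPoE link (ng0)
# that mpd5 creates (see mpd_enable below).
gateway_enable="YES"
ipv6_gateway_enable="YES"
ipv6_cpe_wanif="ng0"

# re0 only carries the ISP's tagged VLANs: no address, no ARP, no WoL.
ifconfig_re0="up -wol -arp"
vlans_re0="re0vlan4 re0vlan6"
create_args_re0vlan4="vlan 4"
create_args_re0vlan6="vlan 6 -arp"

# IPTV VLAN (4): address and routes via DHCP; /etc/dhclient.conf sends the
# IPTV_RG class identifier on this interface.
ifconfig_re0vlan4="DHCP"

# Internet VLAN (6): PPPoE only, so IPv6 is disabled on the raw VLAN and on
# re0 itself; the IPv6 WAN is ng0.
ifconfig_re0_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"
ifconfig_re0vlan6_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"

# Wireless Leiden uplink (re1) plus the static route to the rest of its
# 172.16/12 space.  NOTE(review): the "in via ng0" deny rules in
# /etc/firewall.sh do not cover this interface; see the notes there.
ifconfig_re1="172.17.107.20/24"
static_routes="wleiden"
route_wleiden="-net 172.16.0.0/12 172.17.107.1"

# Local Area Network (re2): RFC1918 LAN, the public /29 (VAS hosts) as an
# alias on the same segment, and the IPv6 LAN prefix.
ifconfig_re2="192.168.178.1/24"
ifconfig_re2_alias0="80.127.152.25/29"
ifconfig_re2_ipv6="inet6 2001:984:ac89:ffff::1"

# PPPoE tunnel for Internet (mpd5, /usr/local/etc/mpd5/mpd.conf)
mpd_enable="YES"

# DHCPv6 on the WAN is deliberately not started by rc: mpd5's linkup.sh
# (re)starts dhcp6c on ng0 once the IPv6 side of the PPP link is up.
dhcp6c_enable="NO"
dhcp6c_interfaces="ng0"

# IPv6 on LAN: router advertisements on re2 (/etc/rtadvd.conf)
rtadvd_enable="YES"
rtadvd_interfaces="re2"

# IPv6 on WAN: router solicitation
rtsold_enable="YES"

# IPv4 on LAN: ISC dhcpd (/usr/local/etc/dhcpd.conf)
dhcpd_enable="YES"
dhcpd_ifaces="re2"

# Firewall ACL: custom ipfw script.  firewall_type="open" selects the
# "open|client" arm inside /etc/firewall.sh, not the stock open policy.
firewall_type="open"
firewall_enable="YES"
firewall_script="/etc/firewall.sh"

# NAT for LAN: userland natd, instances defined in /etc/natd.conf
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

# IPTV multicast proxy (/usr/local/etc/igmpproxy.conf)
igmpproxy_enable="YES"

# Caching DNS server (/usr/local/etc/unbound.conf)
unbound_enable="YES"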
file:/boot/loader.conf
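# Force all console output onto the serial port, no exceptions.  The PC
# Engines ALIX/APU board's serial settings cannot be changed, so 115200 it is.
console="comconsole"
comconsole_speed="115200"

# Kernel multicast routing module (used by igmpproxy for IPTV).
ip_mroute_load="YES"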
file:/usr/local/etc/mpd5/linkup.sh
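#!/bin/sh
#
# mpd5 interface up-script.  Called with the interface name in $1 and the
# address family that just came up in $2 ("inet" or "inet6"); any further
# arguments are ignored.  Exits 1 when no interface name is given so that mpd5
# logs the failed up-script instead of silently continuing.
test -z "$1" && exit 1
case "$2" in
inet)
    # Boost the scheduling priority of our parent -- intended to be the mpd5
    # daemon.  NOTE(review): if mpd5 runs this script through an intermediate
    # "/bin/sh -c", $PPID is that shell and the renice does nothing for mpd5;
    # verify with ps once the link is up.
    /usr/bin/renice -n -5 "$PPID"
    ;;
inet6)
    # Accept router advertisements on the PPP link, without NUD and without
    # adding the RA sender to the default router list, then restart the
    # DHCPv6 client in the background after the link has settled.
    /sbin/ifconfig "$1" inet6 accept_rtadv -nud -no_radr
    (sleep 3; /usr/local/etc/rc.d/dhcp6c onerestart) &
    ;;
esac
exit 0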
file:/usr/local/etc/mpd5/linkdown.sh
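#!/bin/sh
#
# mpd5 interface down-script, the counterpart of linkup.sh.  Called with the
# interface name in $1 and the address family that went down in $2 ("inet" or
# "inet6").  Exits 1 when no interface name is given.
test -z "$1" && exit 1
case "$2" in
inet)
    # Undo the priority boost linkup.sh gave our parent (intended: mpd5).
    /usr/bin/renice -n +5 "$PPID"
    ;;
inet6)
    # IPv6 on the link is gone: stop the DHCPv6 client linkup.sh started.
    /usr/local/etc/rc.d/dhcp6c stop
    ;;
esac
# Report success to mpd5 unconditionally, like linkup.sh does; previously the
# exit status of "dhcp6c stop" leaked out as the script's own status.
exit 0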
file:/usr/local/etc/mpd5/mpd.conf
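startup:
    # mpd users.  NOTE(review): "foo"/"bar" are placeholder credentials and
    # the first one is an admin account for the console and web interface
    # below -- replace them before this configuration goes live.
    set user foo bar admin
    set user foo1 bar1
    # Management console: loopback only.
    set console self 127.0.0.1 5005
    set console open
    # Web interface: loopback only as well.  It was bound to 0.0.0.0, i.e.
    # every interface including the Wireless Leiden side (and the PPPoE link,
    # subject to the ipfw "to me" rules).  Bind to 192.168.178.1 instead if
    # it has to be reachable from the LAN.
    set web self 127.0.0.1 5006
    set web open
#
# Default configuration is "dialup"
default:
    load pppoe_client

pppoe_client:
    #
    # PPPoE client: only outgoing calls, auto reconnect,
    # ipcp-negotiated address, one-sided authentication,
    # default route points on ISP's end
    #
    create bundle static B1
    # Run when an address family comes up/down on the bundle; linkup.sh also
    # (re)starts dhcp6c for IPv6.
    set iface up-script /usr/local/etc/mpd5/linkup.sh
    set iface down-script /usr/local/etc/mpd5/linkdown.sh
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set bundle enable ipv6cp
    set iface route default
    # The "nat" section is not part of this excerpt; it presumably lives
    # elsewhere in this file.
    load nat
    create link static P1 pppoe
    set link action bundle B1
    set link latency 1200
    set link bandwidth 100000000
    set link max-redial 0
    set link keep-alive 10 60
    #set link mtu 1492
    #set pppoe max-payload 1500
    # PPPoE credentials in clear text: keep this file root-owned, mode 0600.
    set auth authname FB7490@xs4all.nl
    set auth password FB7490
    set pppoe iface re0vlan6
    set pppoe service ""
    open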
file:/etc/rtadvd.conf
# Advertise the LAN prefix on re2, with the router itself as recursive DNS
# server (RDNSS) and vanderzwet.net as the DNS search list (DNSSL).
re2:\
:addr="2001:984:ac89:ffff::":prefixlen#64:\
:rdnss="2001:984:ac89:ffff::1":\
:dnssl="vanderzwet.net":
file:/usr/local/etc/dhcpd.conf
# ISC dhcpd for the LAN (re2, see dhcpd_ifaces in rc.conf): short leases,
# authoritative for the subnet, logging to local7.
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.178.0 netmask 255.255.255.0 {
range 192.168.178.50 192.168.178.200;
option routers 192.168.178.1;
option domain-name "thuis.vanderzwet.net";
# Clients resolve through the local unbound instance.
option domain-name-servers 192.168.178.1;
# NOTE(review): this offers option 60 "IPTV_RG" to clients of this subnet;
# presumably meant for IPTV set-top boxes on the LAN -- confirm it is wanted.
option vendor-class-identifier "IPTV_RG";
option broadcast-address 192.168.178.255;
}
file:/usr/local/etc/unbound.conf
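server:
    verbosity: 1
    # Listen on loopback, the LAN (v4 and v6) and the Wireless Leiden address.
    interface: 127.0.0.1
    interface: ::1
    interface: 192.168.178.1
    interface: 2001:984:ac89:ffff::1
    interface: 172.17.107.20
    # Who may recurse; anything not listed gets unbound's default (refuse).
    # NOTE(review): 172.16.0.0/12 is the whole Wireless Leiden range, which
    # makes this a recursive resolver open to everyone on that network;
    # presumably intended, but consider narrowing it or adding rate limits.
    access-control: 192.168.178.0/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 2001:984:ac89::/48 allow

# Empty sections: no python module, and no remote-control settings
# (control-enable is off by default, so unbound-control is not usable).
python:
remote-control:

include: /usr/local/etc/unbound/forward.conf
include: /usr/local/etc/unbound/lan-zones.conf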
file:/etc/resolv.conf
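search vanderzwet.net
# Local unbound first; the entries below are fallbacks (presumably the ISP's
# resolvers) used only when 127.0.0.1 does not answer, in which case the
# router's own lookups go to the ISP in the clear.
# NOTE(review): the libc resolver only consults the first MAXNS (3) entries,
# so the two IPv6 resolvers at the end are never used.
nameserver 127.0.0.1
nameserver 194.109.6.66
nameserver 194.109.9.99
nameserver 194.109.104.104
nameserver 2001:888:0:6::66
nameserver 2001:888:0:9::99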
file:/etc/firewall.sh
# ipfw rule set, selected from rc.conf via firewall_type="open" (the
# "open|client" arm below).  ${fwcmd} is defined earlier in this script,
# outside this excerpt.  Rules without an explicit number are appended in
# order, so the ordering below is significant.
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
case ${natd_enable} in
[Yy][Ee][Ss])
# Userland NAT via natd (instances in /etc/natd.conf).  Rule 50: everything
# crossing the PPPoE link goes to the default instance, except traffic
# to/from the public /29, which is routed unchanged.
${fwcmd} add 50 divert natd ip4 from not 80.127.152.25/29 to not 80.127.152.25/29 via ng0
# Rule 51: IPTV instance (8669) -- LAN <-> the IPTV networks on re0vlan4.
${fwcmd} add 51 divert 8669 ip4 from 10.201.184.0/22 to me via re0vlan4
${fwcmd} add 51 divert 8669 ip4 from 192.168.178.0/24 to 10.201.184.0/22 via re0vlan4
${fwcmd} add 51 divert 8669 ip4 from 192.168.178.0/24 to 213.75.112.0/21 via re0vlan4
${fwcmd} add 51 divert 8669 ip4 from 213.75.112.0/21 to me via re0vlan4
# Rule 52: Wireless Leiden instance (8670) -- LAN -> 172.16/12 out via re1,
# replies from 172.16/12 in via re1.
${fwcmd} add 52 divert 8670 ip4 from 192.168.178.0/24 to 172.16.0.0/12 out via re1
${fwcmd} add 52 divert 8670 ip4 from 172.16.0.0/12 to me in via re1
;;
esac
# DHCPv6 replies to the client port (546) from link-local sources, on any
# interface (dhcp6c runs on ng0).
${fwcmd} add pass udp from fe80::/10 to me 546
# Stateless "established": any TCP segment with ACK (or RST) set passes, in
# either direction and on every interface.  Classic rc.firewall idiom; it
# does not prove a handshake happened, so the real protection against
# inbound connections is the "setup" handling further down.  "tcp" without
# an ip4/ip6 qualifier also matches IPv6 TCP.
${fwcmd} add pass tcp from any to any established
# NOTE(review): as the leading protocol word, "ipv6" is treated as the ip6
# address family and "established" is TCP-only, so this is the IPv6 subset
# of the rule above -- harmless but redundant.
${fwcmd} add pass ipv6 from any to any established
# Non-first fragments carry no port information and pass unconditionally.
${fwcmd} add pass all from any to any frag
# Wireless Leiden Special: TCP 9000-9100 from the internet to one VAS host.
${fwcmd} add pass tcp from any to 80.127.152.27/32 dst-port 9000-9100 in via ng0 setup
# Inbound TCP from the PPPoE link to the VAS hosts (v4 /29, v6 /48):
# SMTP, DNS, HTTP, HTTPS, SMTPS, IMAPS and 1022.
for i in 25 53 80 443 465 993 1022; do
${fwcmd} add pass tcp from any to 80.127.152.24/29 dst-port ${i} in via ng0 setup
${fwcmd} add pass ip6 from any to 2001:984:ac89::/48 dst-port ${i} in via ng0 setup proto tcp
done
# Inbound UDP from the PPPoE link to the VAS hosts: DNS and NTP.
for i in 53 123; do
${fwcmd} add pass udp from any to 80.127.152.24/29 dst-port ${i} in via ng0
${fwcmd} add pass ip6 from any to 2001:984:ac89::/48 dst-port ${i} in via ng0 proto udp
done
# TCP access to the router itself from the internet: only port 1022
# (presumably sshd on a non-default port; sshd_config is not shown).
for i in 1022; do
${fwcmd} add pass tcp from any to me dst-port ${i} in via ng0 setup
${fwcmd} add pass ip6 from any to me dst-port ${i} in via ng0 setup proto tcp
done
# Dynamic rules: check-state sits here so replies to the keep-state UDP
# flows below are accepted before the deny rules, after the explicit allows.
${fwcmd} add check-state
# Outbound UDP from the VAS hosts, keeping state for the replies.
${fwcmd} add pass udp from 80.127.152.24/29 to any out via ng0 proto udp keep-state
${fwcmd} add pass ip6 from 2001:984:ac89::/48 to any out via ng0 proto udp keep-state
# Outbound UDP from the router itself (e.g. unbound, NTP), keeping state.
${fwcmd} add pass udp from me to any out via ng0 proto udp keep-state
${fwcmd} add pass ip6 from me to any out via ng0 proto udp keep-state
# Reject and log every other inbound connection attempt from the PPPoE link
# to the VAS networks, TCP setup and UDP alike, for both families.
${fwcmd} add deny log ip4 from any to 80.127.152.24/29 in via ng0 setup proto tcp
${fwcmd} add deny log ip4 from any to 80.127.152.24/29 in via ng0 proto udp
${fwcmd} add deny log ip6 from any to 2001:984:ac89::/48 in via ng0 setup proto tcp
${fwcmd} add deny log ip6 from any to 2001:984:ac89::/48 in via ng0 proto udp
# Same for the router's own addresses.
${fwcmd} add deny log ip4 from any to me in via ng0 setup proto tcp
${fwcmd} add deny log ip4 from any to me in via ng0 proto udp
${fwcmd} add deny log ip6 from any to me in via ng0 setup proto tcp
${fwcmd} add deny log ip6 from any to me in via ng0 proto udp
# NOTE(review): every deny rule above is "in via ng0" only.  This catch-all
# therefore admits TCP connections arriving on re1 (Wireless Leiden,
# 172.16/12) to the router itself (sshd, unbound, and anything else bound to
# all addresses, such as mpd's web console when it listens on 0.0.0.0) and
# to the LAN behind it.  If that network is not fully trusted, add explicit
# "deny ... in via re1 setup" rules for "me" and 192.168.178.0/24 first.
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
#${fwcmd} add pass udp from me to any 53 keep-state
# Allow NTP queries out in the world
#${fwcmd} add pass udp from me to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
# NOTE(review): no ICMP/ICMPv6 pass rule is visible in this section; with a
# default-deny kernel, ICMPv6 neighbour discovery, router advertisements and
# path-MTU discovery on ng0/re2 depend on rules outside this excerpt --
# worth checking given the IPv6 and ICMP forwarding goals of this setup.
# In-kernel NAT (ipfw nat), copied from the stock rc.firewall; only active
# when firewall_nat_enable is set, which the rc.conf shown does not do
# (it uses natd instead).
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
if [ -n "${firewall_nat_interface}" ]; then
if echo "${firewall_nat_interface}" | \
grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
else
firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
fi
${fwcmd} nat 123 config log ${firewall_nat_flags}
${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
fi
;;
esac
esac
file:/etc/natd.conf
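# Default instance, port 8668: masquerade the LAN behind the PPPoE address
# (ipfw rule 50 diverts everything crossing ng0 except the public /29).
port 8668
dynamic
# Expose SIP (UDP 5060) on the WAN address to 192.168.178.3.
# NOTE(review): /etc/firewall.sh only passes inbound UDP on ng0 for ports
# 53/123 to the VAS hosts and for existing dynamic rules; confirm there is a
# pass rule for UDP 5060 to 192.168.178.3 (none is visible), otherwise this
# redirect is dead -- or, with a default-accept kernel, unfiltered.
redirect_port udp 192.168.178.3:5060 5060
interface ng0

# Second instance, port 8669: LAN <-> IPTV networks on the IPTV VLAN
# (ipfw rule 51).
instance iptv
port 8669
dynamic
interface re0vlan4

# Third instance, port 8670: LAN -> Wireless Leiden via re1 (ipfw rule 52).
instance wleiden
port 8670
dynamic
interface re1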
file:/usr/local/etc/igmpproxy.conf
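# Upstream: the IPTV VLAN.  The altnet entries are additional source
# networks igmpproxy accepts on this side (presumably the ISP's IPTV
# multicast ranges; see igmpproxy.conf(5)).
phyint re0vlan4 upstream ratelimit 0 threshold 1
    altnet 213.75.0.0/16
    altnet 217.166.0.0/16

# Downstream: the LAN, where the IGMP membership reports come from.
phyint re2 downstream ratelimit 0 threshold 1
    altnet 192.168.178.0/24

# Never proxy on loopback, the PPPoE link or the internet VLAN.
phyint lo0 disabled
phyint ng0 disabled
phyint re0vlan6 disabled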
