Edgerouter config met IPV6 icmp firewalling (RFC 4890)

Hoi,

Een tijdje terug gaf @Larry aan dat het handig is om m’n routerconfig hier te delen. Helaas ben ik er niet eerder aan toe gekomen maar in het kader van beter laat dan nooit bij deze.

Allereerst wel een paar puntjes omtrent deze config:

  1. Kopieer deze config niet 1 op 1. Dat gaat sowieso niet werken omdat ik wat dingen geanonimiseerd heb.
  2. Ondanks dat deze router baby jumbo frames zou moeten ondersteunen, kreeg ik daar issues mee: een gigantische performance drop en een hoge SI-belasting (softirq). Daarom is de MTU verlaagd en wordt er MSS-clamping gebruikt.
  3. Clients krijgen alleen een IPV4 DNS server toegewezen. Dit is iets dat ik nog moet fixen.

Nu ja, dat was het wel zo'n beetje, dus hieronder ter lering ende vermaek de config.

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name GUESTv6_IN default-action drop
set firewall ipv6-name GUESTv6_IN rule 10 action accept
set firewall ipv6-name GUESTv6_IN rule 10 state established enable
set firewall ipv6-name GUESTv6_IN rule 10 state related enable
set firewall ipv6-name GUESTv6_IN rule 20 action accept
set firewall ipv6-name GUESTv6_IN rule 20 icmpv6 type echo-request
set firewall ipv6-name GUESTv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name GUESTv6_IN rule 30 action accept
set firewall ipv6-name GUESTv6_IN rule 30 icmpv6 type packet-too-big
set firewall ipv6-name GUESTv6_IN rule 30 protocol ipv6-icmp
set firewall ipv6-name GUESTv6_IN rule 40 action accept
set firewall ipv6-name GUESTv6_IN rule 40 icmpv6 type time-exceeded
set firewall ipv6-name GUESTv6_IN rule 40 protocol ipv6-icmp
set firewall ipv6-name GUESTv6_IN rule 50 action accept
set firewall ipv6-name GUESTv6_IN rule 50 icmpv6 type destination-unreachable
set firewall ipv6-name GUESTv6_IN rule 50 protocol ipv6-icmp
set firewall ipv6-name GUESTv6_IN rule 60 action drop
set firewall ipv6-name GUESTv6_IN rule 60 destination address ‘2a10:3781:XXXX:16::/64’
set firewall ipv6-name GUESTv6_IN rule 70 action drop
set firewall ipv6-name GUESTv6_IN rule 70 description 'Block guest to ULA (Needs fixing)'
set firewall ipv6-name GUESTv6_IN rule 70 destination address ‘fc00::/7’
set firewall ipv6-name GUESTv6_LOCAL default-action drop
set firewall ipv6-name GUESTv6_LOCAL rule 10 action accept
set firewall ipv6-name GUESTv6_LOCAL rule 10 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 icmpv6 type echo-request
set firewall ipv6-name WANv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 icmpv6 type packet-too-big
set firewall ipv6-name WANv6_IN rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 40 action accept
set firewall ipv6-name WANv6_IN rule 40 icmpv6 type time-exceeded
set firewall ipv6-name WANv6_IN rule 40 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 50 action accept
set firewall ipv6-name WANv6_IN rule 50 icmpv6 type destination-unreachable
set firewall ipv6-name WANv6_IN rule 50 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source address ‘fe80::/10’
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name GUESTv4_IN default-action accept
set firewall name GUESTv4_IN rule 10 action accept
set firewall name GUESTv4_IN rule 10 state established enable
set firewall name GUESTv4_IN rule 10 state related enable
set firewall name GUESTv4_IN rule 20 action drop
set firewall name GUESTv4_IN rule 20 destination address 172.16.16.0/24
set firewall name GUESTv4_LOCAL default-action drop
set firewall name GUESTv4_LOCAL rule 10 action accept
set firewall name GUESTv4_LOCAL rule 10 destination port 67
set firewall name GUESTv4_LOCAL rule 10 protocol udp
set firewall name WANv4_IN default-action drop
set firewall name WANv4_IN rule 10 action accept
set firewall name WANv4_IN rule 10 state established enable
set firewall name WANv4_IN rule 10 state related enable
set firewall name WANv4_LOCAL default-action drop
set firewall name WANv4_LOCAL rule 10 action accept
set firewall name WANv4_LOCAL rule 10 state established enable
set firewall name WANv4_LOCAL rule 10 state related enable
set firewall options mss-clamp mss 1452
set firewall options mss-clamp6 mss 1432
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 mtu 1500
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 6 mtu 1500
set interfaces ethernet eth0 vif 6 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.16 host-address ‘::1’
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.16 no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.16 prefix-id ‘:16’
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.16 service slaac
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.17 host-address ‘::1’
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.17 no-dns
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.17 prefix-id ‘:17’
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface switch0.17 service slaac
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 prefix-length /48
set interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall in name WANv4_IN
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 vif 6 pppoe 0 firewall local name WANv4_LOCAL
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 vif 6 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 6 pppoe 0 mtu 1492
set interfaces ethernet eth0 vif 6 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 6 pppoe 0 password 1234
set interfaces ethernet eth0 vif 6 pppoe 0 user-id fake@freedom.nl
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1 vlan vid 16
set interfaces switch switch0 switch-port interface eth1 vlan vid 17
set interfaces switch switch0 switch-port interface eth2 vlan pvid 16
set interfaces switch switch0 switch-port interface eth3 vlan pvid 17
set interfaces switch switch0 switch-port interface eth4 vlan pvid 16
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 16 address 172.16.16.1/24
set interfaces switch switch0 vif 16 ipv6 address autoconf
set interfaces switch switch0 vif 16 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 vif 17 address 172.16.17.1/24
set interfaces switch switch0 vif 17 firewall in ipv6-name GUESTv6_IN
set interfaces switch switch0 vif 17 firewall in name GUESTv4_IN
set interfaces switch switch0 vif 17 firewall local ipv6-name GUESTv6_LOCAL
set interfaces switch switch0 vif 17 firewall local name GUESTv4_LOCAL
set interfaces switch switch0 vif 17 ipv6 address autoconf
set interfaces switch switch0 vif 17 ipv6 dup-addr-detect-transmits 1
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name vlan16 authoritative enable
set service dhcp-server shared-network-name vlan16 subnet 172.16.16.0/24 default-router 172.16.16.1
set service dhcp-server shared-network-name vlan16 subnet 172.16.16.0/24 dns-server 86.54.11.13
set service dhcp-server shared-network-name vlan16 subnet 172.16.16.0/24 lease 3600
set service dhcp-server shared-network-name vlan16 subnet 172.16.16.0/24 start 172.16.16.128 stop 172.16.16.254
set service dhcp-server shared-network-name vlan17 authoritative enable
set service dhcp-server shared-network-name vlan17 subnet 172.16.17.0/24 default-router 172.16.17.1
set service dhcp-server shared-network-name vlan17 subnet 172.16.17.0/24 dns-server 86.54.11.13
set service dhcp-server shared-network-name vlan17 subnet 172.16.17.0/24 lease 3600
set service dhcp-server shared-network-name vlan17 subnet 172.16.17.0/24 start 172.16.17.128 stop 172.16.17.254
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set service ubnt-discover disable
set service ubnt-discover-server disable
set service unms disable
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false
set system host-name router
set system login user XXXX authentication encrypted-password ‘XXXX’
set system login user XXXX authentication plaintext-password ‘’
set system login user XXXX level admin
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system offload hwnat enable
set system offload ipsec enable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Europe/Amsterdam

Greets,

Marty

:+1: Cool en sws goed voor anderen om dan een blik te kunnen werpen.

Is nog duidelijk te maken (eventueel vetgedrukt) wat er minimaal nodig is/was om vanuit de default-config een (Freedom-)verbinding tot stand te brengen?
Ik vermoed dat alles rond de firewall en met name de vlans (16/17) vooral aanscherping is, respectievelijk specifiek jouw situatie betreft.