software:srfirewall:examples:cpe-home-block-incoming-v6

Customer CPE with IPv4 & IPv6

This config NATs IPv4 traffic from the LAN out to the Internet and allows IPv6 traffic from the LAN out to the Internet, but it does not allow new connections from the Internet towards the LAN. This helps protect internal machines which do not have proper IPv6 firewalling of their own.

Please note that the config provided here is only an example. You will need to make custom changes and review the config files, or bad things may happen (like getting locked out).

Basic Machine Setup

  • eth0: Internet facing interface
  • eth1: LAN facing interface
  • Dynamic IPv4 address from ISP on eth0
  • Dynamic IPv6 /64 range from ISP assigned to eth1
  • Need to MSS clamp outbound traffic due to PPPoE in the path
  • Internal LAN machines are on the private subnet 192.168.0.0/24

Configuration

Config: etc/srfirewall/local.conf

local.conf
Defaultv4InPolicy="DROP"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="DROP"

Defaultv6InPolicy="DROP"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="DROP"

Enablev6NAT="no"

Config: etc/srfirewall/ipv4/nat.conf

nat.conf
MASQ eth1 192.168.0.0/24 eth0

Config: etc/srfirewall/ipv4/mss-clamp.conf and etc/srfirewall/ipv6/mss-clamp.conf

mss-clamp.conf
eth0			-		out
eth0			-		fwd

Config: etc/srfirewall/ipv6/forward.conf

forward.conf
ACCEPT eth1 - eth0 - no - - - - NEW,ESTABLISHED,RELATED
ACCEPT eth0 - eth1 - no - - - - ESTABLISHED,RELATED
DROP eth0 - eth1 - no - - - - INVALID
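The srfirewall files above are a thin layer over netfilter. The following script is an added example (not part of srfirewall and not taken from this page) that writes out the equivalent iptables/ip6tables commands rule by rule, so the resulting policy can be read and audited without the wrapper. Interface names and the LAN prefix come from the page; the IPv4 FORWARD accept rules are an assumption, because the page shows no ipv4/forward.conf and NAT alone does not pass forwarded traffic when the forward policy is DROP. The script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: netfilter equivalent of the srfirewall CPE config.
# Interface names and LAN prefix are taken from the page; the IPv4 FORWARD
# accept rules are an assumption (the page shows only ipv6/forward.conf).
WAN_IF="${WAN_IF:-eth0}"            # Internet facing interface
LAN_IF="${LAN_IF:-eth1}"            # LAN facing interface
LAN_V4="${LAN_V4:-192.168.0.0/24}"  # private LAN subnet

# Print each command; only execute when APPLY=1 is set (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

render_ipv4() {
    # local.conf default policies
    run iptables -P INPUT DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP
    # nat.conf: MASQ eth1 192.168.0.0/24 eth0
    run iptables -t nat -A POSTROUTING -s "$LAN_V4" -o "$WAN_IF" -j MASQUERADE
    # mss-clamp.conf: "out" and "fwd" lines, clamped on TCP SYNs leaving eth0
    run iptables -t mangle -A OUTPUT -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    run iptables -t mangle -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # Assumed forward rules: LAN may open connections, Internet only gets replies back
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_V4" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

render_ipv6() {
    # local.conf default policies (Enablev6NAT="no": no NAT table work here)
    run ip6tables -P INPUT DROP
    run ip6tables -P OUTPUT ACCEPT
    run ip6tables -P FORWARD DROP
    # ipv6/mss-clamp.conf: same "out" and "fwd" clamping for IPv6
    run ip6tables -t mangle -A OUTPUT -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    run ip6tables -t mangle -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # ipv6/forward.conf, line for line
    run ip6tables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate INVALID -j DROP
}

# Returns 0 when no rendered rule accepts NEW connections from WAN towards LAN.
check_no_inbound_new() {
    if render_ipv6 | grep -F -- "-i $WAN_IF -o $LAN_IF" | grep -qF "NEW"; then
        return 1
    fi
    return 0
}

render_ipv4
render_ipv6
```

Because the IPv6 side carries no NAT, the only thing standing between the Internet and a LAN host is the FORWARD chain: the third rule in forward.conf pairs with the DROP default policy, and check_no_inbound_new is the audit a reviewer would run after every change to confirm that no rule quietly started accepting NEW from eth0 to eth1. Note that an IPv6 router must still accept ICMPv6 neighbour discovery and router advertisements on its own INPUT chain; whether srfirewall adds those itself is not shown on this page, so test that before relying on Defaultv6InPolicy="DROP".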