====== Customer CPE with IPv4 & IPv6 ======

This config, by default, NATs outbound IPv4 traffic from the LAN and allows IPv6 traffic out from the LAN, but not from the Internet towards the LAN. This helps protect internal machines which do not have proper IPv6 firewalling of their own.

Please note that the config provided here is simply an example. You **will** need to make custom changes and review the config files, or bad things may happen (like getting locked out).

===== Basic Machine Setup =====

  * eth0: Internet-facing interface
  * eth1: LAN-facing interface
  * Dynamic IPv4 address from the ISP on eth0
  * Dynamic IPv6 /64 range from the ISP, assigned to eth1
  * Outbound traffic needs MSS clamping because of PPPoE in the path
  * Internal LAN machines are on the private subnet 192.168.0.0/24

===== Configuration =====

Config: etc/srfirewall/local.conf
<code>
Defaultv4InPolicy="DROP"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="DROP"
Defaultv6InPolicy="DROP"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="DROP"
Enablev6NAT="no"
</code>

Config: etc/srfirewall/ipv4/nat.conf
<code>
MASQ eth1 192.168.0.0/24 eth0
</code>

Config: etc/srfirewall/ipv4/mss-clamp.conf and etc/srfirewall/ipv6/mss-clamp.conf
<code>
eth0 - out
eth0 - fwd
</code>

Config: etc/srfirewall/ipv6/forward.conf
<code>
ACCEPT eth1 - eth0 - no - - - - NEW,ESTABLISHED,RELATED
ACCEPT eth0 - eth1 - no - - - - ESTABLISHED,RELATED
DROP eth0 - eth1 - no - - - - INVALID
</code>
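As an added check (written for this page, not part of srfirewall), the following Python audits an ''ip6tables -S FORWARD'' dump against the intent of the ipv6/forward.conf above: LAN (eth1) may open connections out via eth0, the Internet side may only send replies in, and everything else falls to the DROP default policy. The two chain dumps are constructed samples, not output captured from a real host.

```python
import shlex
# Constructed `ip6tables -S FORWARD` output shaped like what forward.conf above should produce.
GOOD_FORWARD = """\
-P FORWARD DROP
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate INVALID -j DROP
"""
# Constructed misconfiguration: the inbound rule kept NEW, so any Internet host
# can open IPv6 connections to LAN machines.
BAD_FORWARD = """\
-P FORWARD DROP
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
"""
OPTS = {"-i": "in", "-o": "out", "-j": "target"}  # iptables option -> rule field

def parse_chain(dump):
    """Return (default policy, rules) from `ip6tables -S <chain>`; options the audit ignores (-p, -m, ...) are skipped."""
    policy, rules = None, []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policy = tok[2]
        elif tok and tok[0] == "-A":
            rule = {"in": None, "out": None, "target": None, "states": set()}
            for t, v in zip(tok[2:], tok[3:]):  # walk option/value pairs
                if t in OPTS:
                    rule[OPTS[t]] = v
                elif t in ("--ctstate", "--state"):
                    rule["states"] = set(v.split(","))
            rules.append(rule)
    return policy, rules

def audit_forward(dump, wan="eth0", lan="eth1"):
    """List deviations from the CPE intent; an empty list means the chain matches it."""
    policy, rules = parse_chain(dump)
    findings = []
    if policy != "DROP":
        findings.append(f"FORWARD default policy is {policy}, expected DROP")
    def accepts(src, dst, needed):  # ACCEPT rules src->dst that match all `needed` states
        return [r for r in rules if (r["in"], r["out"], r["target"]) == (src, dst, "ACCEPT")
                and (needed <= r["states"] or not r["states"])]
    if accepts(wan, lan, {"NEW"}):
        findings.append("a rule accepts unsolicited Internet traffic into the LAN")
    if not accepts(lan, wan, {"NEW"}):
        findings.append("LAN hosts cannot open new outbound IPv6 connections")
    if not accepts(wan, lan, {"ESTABLISHED", "RELATED"}):
        findings.append("reply traffic from the Internet to the LAN is not accepted")
    return findings
```

A stateless ACCEPT rule (no ''--ctstate'' at all) is treated as matching every state, so it is flagged when it points from eth0 into eth1.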