====== Customer CPE with IPv4 & IPv6 ======
This config, by default, NATs outbound IPv4 traffic from the LAN and allows IPv6 traffic out from the LAN, but not from the Internet towards the LAN. This helps protect internal machines that do not have proper IPv6 firewalling.
Please note that the config provided here is only an example. You **will** need to make custom changes and review the config files, or bad things may happen (like getting locked out).
===== Basic Machine Setup =====
* eth0: Internet facing interface
* eth1: LAN facing interface
* Dynamic IPv4 address from ISP on eth0
* Dynamic IPv6 /64 range from ISP assigned to eth1
* Need to MSS clamp outbound traffic due to PPPoE in the path
* Internal LAN machines are on the private subnet 192.168.0.0/24
===== Configuration =====
Config: etc/srfirewall/local.conf
<code>
Defaultv4InPolicy="DROP"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="DROP"
Defaultv6InPolicy="DROP"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="DROP"
Enablev6NAT="no"
</code>
Config: etc/srfirewall/ipv4/nat.conf
<code>
MASQ eth1 192.168.0.0/24 eth0
</code>
Config: etc/srfirewall/ipv4/mss-clamp.conf and etc/srfirewall/ipv6/mss-clamp.conf
<code>
eth0 - out
eth0 - fwd
</code>
Config: etc/srfirewall/ipv6/forward.conf
<code>
ACCEPT eth1 - eth0 - no - - - - NEW,ESTABLISHED,RELATED
ACCEPT eth0 - eth1 - no - - - - ESTABLISHED,RELATED
DROP eth0 - eth1 - no - - - - INVALID
</code>
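Because this config has to be customised, it is worth re-checking after each edit that the IPv6 forward rules still refuse new connections from the Internet side. The script below is an added example, not part of srfirewall or of the original page; the column meanings, the "-" wildcard and "#" comment handling are assumptions inferred from the three rules above.

```python
# Added example: lint an srfirewall ipv6/forward.conf against this page's policy.
# Assumptions (inferred only from the three rules shown on this page, not from
# srfirewall documentation): field 0 = action, field 1 = inbound interface,
# field 3 = outbound interface, last field = comma-separated connection states,
# "-" = "any", and "#" starts a comment.

WAN, LAN = "eth0", "eth1"  # interface roles from "Basic Machine Setup"

# The three forward rules from this page, embedded as sample input.
PAGE_RULES = """\
ACCEPT eth1 - eth0 - no - - - - NEW,ESTABLISHED,RELATED
ACCEPT eth0 - eth1 - no - - - - ESTABLISHED,RELATED
DROP eth0 - eth1 - no - - - - INVALID
"""


def parse_rules(text):
    """Split rule lines into dicts, skipping blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: too few fields: {raw!r}")
        states = set() if fields[-1] == "-" else set(fields[-1].upper().split(","))
        rules.append({"line": lineno, "action": fields[0].upper(),
                      "in": fields[1], "out": fields[3], "states": states})
    return rules


def inbound_exposure(text, wan=WAN, lan=LAN):
    """Return ACCEPT rules that let the WAN side open new connections to the LAN."""
    findings = []
    for rule in parse_rules(text):
        from_wan = rule["in"] in (wan, "-")
        to_lan = rule["out"] in (lan, "-")
        # No state restriction at all also admits NEW connections.
        unsolicited = not rule["states"] or "NEW" in rule["states"]
        if rule["action"] == "ACCEPT" and from_wan and to_lan and unsolicited:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for rule in inbound_exposure(PAGE_RULES):
        print(f"line {rule['line']}: WAN can open connections to the LAN")
```

The rules on this page produce no findings; a rule that accepts NEW, or has no state restriction, from eth0 towards eth1 is reported with its line number.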