====== Customer CPE with IPv4 & IPv6 ======
This config, by default, NATs out traffic from the LAN on IPv4 and allows IPv6 traffic out from the LAN, but not from the Internet towards the LAN.  This helps protect internal machines which do not have proper IPv6 firewalling.

Please note that the config provided here is simply for example.  You **will** need to make custom changes and review the config files or bad things may happen (like getting locked out).
===== Basic Machine Setup =====
  * eth0: Internet facing interface
  * eth1: LAN facing interface
  * Dynamic IPv4 address from ISP on eth0
  * Dynamic IPv6 /64 range from ISP assigned to eth1
  * Need to MSS clamp outbound traffic due to PPPoE in the path
  * Internal LAN machines are on private subnet mask 192.168.0.0/24

===== Configuration =====

Config: etc/srfirewall/local.conf
<file - local.conf>
Defaultv4InPolicy="DROP"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="DROP"

Defaultv6InPolicy="DROP"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="DROP"

Enablev6NAT="no"
</file>

Config: etc/srfirewall/ipv4/nat.conf
<file - nat.conf>
MASQ eth1 192.168.0.0/24 eth0
</file>

Config: etc/srfirewall/ipv4/mss-clamp.conf and etc/srfirewall/ipv6/mss-clamp.conf
<file - mss-clamp.conf>
eth0			-		out
eth0			-		fwd
</file>

Config: etc/srfirewall/ipv6/forward.conf
<file - forward.conf>
ACCEPT eth1 - eth0 - no - - - - NEW,ESTABLISHED,RELATED
ACCEPT eth0 - eth1 - no - - - - ESTABLISHED,RELATED
DROP eth0 - eth1 - no - - - - INVALID
</file>