Ubiquiti EdgeOS router configuration for the Swiss FTTH provider Fiber7. Including VLANs (Guest, Internal, Mgmt), IPv6 and Firewall. Should also work with other ISPs supporting DHCPv6 PD and "bring-your-own-router".

Optimized for 1Gbit WAN to LAN performance 🚀 Multiple VLANs to create a secure #CHFreeWifi setup.

⚠️ Warning: dont copy/paste. It will enable power-over-ethernet and could break your network devices.

• Ubiquiti edge router x sfp: EdgeOS v1.9.1
• 2x Ubiquiti Networks 2.4GHz/5GHz, 867Mbit, 24V Passiv PoE, UAP-AC-LITE: v3.8.3
• UniFi Switch 8 US-8: v3.8.3

Allow traffic from external (Internet) to the internal network. Only accept established/related sessions for connections which have SYN/ACK. (started from your internal network)

Accept local connnections with the icmpv6 protocol and allow internal DHCPv6 PD server and client connections.

Secure the networks between your VLANs (drop). But allow to access Unifi controller <> Unifi Devices and to the Router interfaces.

rule 10 Accept Router_IPs of your gateway's. List should be specified under adress-group Router_IPs

rule 15 Static whitelist to your Unifi controller. Specify the Unifi devices IPs (Switch, Wifi etc) under address-group unifi_devices

rule 16 Opposite direction of the rule 15

rule 19 Allow connection to the Unifi Wifi portal.

rule 20 Drop all other connections between VLANs.

See WANv6_IN

See WANv6_LOCAL

eth 0 Normal port configuration.

eth 1 Normal port configuration (printer).

eth 2 Enable power-over-ethernet (PoE) for the Unifi access-point.

eth 3 Normal port configuration.

eth 4 Enable power-over-ethernet (PoE) for the Unifi access-point.

eth 5 WAN / Internet port with the SFP plugged.

Notes:

• IPv4 over DHCP
• IPv6 with DHCPv6 prefix-delegation (PD). _request your own /48 subnet from the init7 support 🔥 _
• Prefix-id: add the missing 16 bits to announce a /64 to your internal network. Needed for SLAAC (Stateless Address Autoconfiguration).

VLAN 1 Management network with range (192.168.0.0/24).

yes, should be 192.168.1 - but was to lazy to change all my internal devices which already had a 192.168.1 network)

VLAN 2 Internal network: secure infrastructure (NAS, 📱 📺 💻 )

Network: 192.168.1.0/24

VLAN 9 Guest VLAN: Network: 192.168.2.0/24

Assign the VLANs to the interfaces. Using trunk ports on eth0 - eth4.

• pvid: default / native VLAN (if not set it's always VLAN 1) for the untagged traffic. Set the printer interface to the internal VLAN only.
• vid: all traffic from the APs and the Switch is expected tagged (VLAN 2 or 9).

Add the gateway IPs to the virtual interface (VIF) of the VLANs.

Some old-school port forwarding / NATing for devices and services which dont support IPv6 😢

Enable offload { hwnat enable } to boost your WAN to LAN performance to 1Gbit up/down. 🚀