typepathnametext/imagepath
file./LLDP & Discovering CDP/Quick Configs Ubiquiti - Slide.png./LLDP & Discovering CDP
file./LLDP & Discovering CDP/Config.txt
LLDP & CDP
======================================
# Enable LLDP on the router and additionally speak legacy CDP so Cisco
# neighbours appear in the table.
set service lldp
set service lldp legacy-protocols cdp

# NOTE(review): LLDP/CDP advertise hostname, platform, software version and
# management addresses to every segment they run on. Only enable this where
# the attached switches are trusted; on a WAN or guest segment it hands an
# attacker a free device fingerprint.
# Operational-mode verification:
show lldp neighbors
./LLDP & Discovering CDP
file./Capture Packets & Create PCAP Files (TCPdump)/Slide.PNG./Capture Packets & Create PCAP Files (TCPdump)
file./Capture Packets & Create PCAP Files (TCPdump)/Configuration.txt
Capture with CLI
!---------------!
# Operational-mode capture on eth0; output is printed to the terminal, no file.
show interface ethernet eth0 capture

Capture with TCPdump
!-----------------------!
# Live capture limited to one host. The host address belongs after 'host'
# (the placeholder is missing from this snippet).
sudo tcpdump -i switch0 host 

# Capture 10 packets for a network ('net' needs a prefix, e.g. 10.0.0.0/24)
# and write them to a pcap. NOTE(review): a pcap can hold cleartext
# credentials and internal addressing - treat the file as sensitive and
# delete it from the router once it has been copied off.
sudo tcpdump -i eth0 net /24 -w /home/ubnt/file.pcap -c 10

#Connect via WinSCP (SFTP/SCP over the router's SSH service - not plain FTP)
#Copy over capture file
#Open in WireShark
./Capture Packets & Create PCAP Files (TCPdump)
file./SNMPv2/Quick Configs Ubiquiti - Slide.png./SNMPv2
file./SNMPv2/Config.txt
SNMPv2c
==================================================
# SNMPv2c has no encryption: the community string is the only credential and
# it travels in cleartext, so anyone who can sniff the LAN can read it.
# The 'client' restriction (only 10.0.0.10 may use this community) and 'ro'
# authorization are the only controls here - keep both. Prefer the SNMPv3
# AuthPriv configuration further down this document where the manager
# supports it.
edit service snmp
 set community ABCDE12345ABCDE client 10.0.0.10
 set community ABCDE12345ABCDE authorization ro
 # Bind to the LAN address only so the agent is not reachable from the WAN.
 set listen-address 10.0.0.1 port 161
./SNMPv2
file./Advanced Zone Based Firewall (CLI)/Quick Configs Ubiquiti - Slide.png./Advanced Zone Based Firewall (CLI)
file./Advanced Zone Based Firewall (CLI)/Config.txt
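Firewall Zones
==================================================
# Three zones: WAN (eth0), LAN (eth1) and LOCAL (the router itself). Every
# zone defaults to drop, so traffic between two zones only flows where a
# 'from <zone> firewall name <ruleset>' pair is configured below.
edit zone-policy
 set zone WAN default-action drop
 set zone WAN from LAN firewall name LAN_TO_WAN
 set zone WAN from LOCAL firewall name LOCAL_TO_ALL
 set zone WAN interface eth0
 
 set zone LAN default-action drop
 set zone LAN from WAN firewall name WAN_TO_LAN
 set zone LAN from LOCAL firewall name LOCAL_TO_ALL
 set zone LAN interface eth1
 
 set zone LOCAL default-action drop
 set zone LOCAL from WAN firewall name WAN_TO_LOCAL
 set zone LOCAL from LAN firewall name LAN_TO_LOCAL
 set zone LOCAL local-zone

Firewall Rules
==================================================
# WAN -> LAN: only return traffic for flows the LAN initiated.
edit firewall name WAN_TO_LAN 
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable 

# WAN -> router. Rules 1-3 only match established/related flows, i.e. the
# replies to NTP/DNS/DHCP requests the router itself sent; the source
# address/port conditions narrow them to the configured servers. A match on
# source port alone would be trivially spoofable, so keep the state and
# source-address conditions together.
edit firewall name WAN_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description NTP
 set rule 1 log disable
 set rule 1 state established enable
 set rule 1 state related enable 
 set rule 1 protocol udp
 set rule 1 source port 123
 # Fixed: this was 'set rule 2 source address 2.0.0.2', which rule 2 below
 # then overwrote with 8.8.8.8, leaving the NTP rule with no source
 # restriction. 2.0.0.2 is the NTP server set under Misc Options.
 set rule 1 source address 2.0.0.2
 
 set rule 2 action accept
 set rule 2 description DNS
 set rule 2 log disable
 set rule 2 state established enable
 set rule 2 state related enable 
 set rule 2 protocol tcp_udp
 set rule 2 source port 53
 set rule 2 source address 8.8.8.8
 
 set rule 3 action accept
 set rule 3 description DHCP
 set rule 3 log disable
 set rule 3 state established enable
 set rule 3 state related enable 
 set rule 3 protocol udp
 set rule 3 source port 67-68
 set rule 3 source address 2.0.0.2
 
 # Management from the WAN is allowed from 100.0.0.1 only. The non-default
 # ports (9222/9443, see 'Change Default Management Ports') cut scanner
 # noise but are not a security control - the source-address restriction
 # is. Consider 'log enable' on these two rules so WAN logins are recorded.
 set rule 4 action accept
 set rule 4 description SSH
 set rule 4 destination port 9222
 set rule 4 log disable
 set rule 4 protocol tcp
 set rule 4 source address 100.0.0.1 

 set rule 5 action accept
 set rule 5 description HTTPS
 set rule 5 destination port 9443
 set rule 5 log disable
 set rule 5 protocol tcp
 set rule 5 source address 100.0.0.1 

 # ICMP replies to pings the router sent; unsolicited pings from the WAN
 # still hit the default drop.
 set rule 6 action accept
 set rule 6 description ICMP
 set rule 6 log disable
 set rule 6 protocol icmp
 set rule 6 state established enable
 set rule 6 state related enable 
  
# LAN -> router. default-action accept means every router service (DNS,
# DHCP, SNMP, ...) is reachable from any LAN host; only SSH/HTTPS are
# restricted to 10.0.0.10. Rule order matters: the accepts for 10.0.0.10
# (1-2) must precede the catch-all drops (3-4).
edit firewall name LAN_TO_LOCAL
 set default-action accept
 
 set rule 1 action accept
 set rule 1 description SSH
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 destination port 9222
 set rule 1 source address 10.0.0.10

 set rule 2 action accept
 set rule 2 description HTTPS
 set rule 2 log disable
 set rule 2 protocol tcp
 set rule 2 destination port 9443 
 set rule 2 source address 10.0.0.10
 
 set rule 3 action drop
 set rule 3 description SSH
 set rule 3 log disable
 set rule 3 protocol tcp
 set rule 3 destination port 9222
 
 set rule 4 action drop
 set rule 4 description HTTPS
 set rule 4 log disable
 set rule 4 protocol tcp
 set rule 4 destination port 9443
 
# Outbound from LAN and from the router itself is unrestricted.
set firewall name LAN_TO_WAN default-action accept
set firewall name LOCAL_TO_ALL default-action accept

Change Default Management Ports
==================================================
# Commit these together with the firewall rules above: the rules only
# permit 9222/9443, so changing one side without the other locks you out
# (or leaves management on the default ports the rules do not cover).
edit service
 set gui https-port 9443
 set ssh port 9222
 
Misc Options
==================================================
# Forward to the DNS servers learned by DHCP on eth0 (the ISP), and only
# answer queries on eth1 so the router is not an open resolver on the WAN.
set service dns forwarding dhcp eth0
set service dns forwarding listen-on eth1
set system ntp server 2.0.0.2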
./Advanced Zone Based Firewall (CLI)
file./Basic Zone Based Firewall (CLI)/Quick Configs Ubiquiti - Slide.png./Basic Zone Based Firewall (CLI)
file./Basic Zone Based Firewall (CLI)/Config.txt
Zones
==================================================
# Three zones (WAN=eth0, LAN=eth1, LOCAL=router), all default-drop; only the
# listed zone pairs pass traffic, through the named rulesets below.
edit zone-policy
 set zone WAN default-action drop
 set zone WAN from LAN firewall name LAN_TO_ALL
 set zone WAN from LOCAL firewall name LOCAL_TO_ALL
 set zone WAN interface eth0
 
 set zone LAN default-action drop
 set zone LAN from WAN firewall name WAN_TO_LAN
 set zone LAN from LOCAL firewall name LOCAL_TO_ALL
 set zone LAN interface eth1
 
 set zone LOCAL default-action drop
 set zone LOCAL from WAN firewall name WAN_TO_LOCAL
 set zone LOCAL from LAN firewall name LAN_TO_ALL
 set zone LOCAL local-zone

Firewall Rules
==================================================
# WAN -> LAN and WAN -> router: only established/related return traffic is
# accepted; 'new' and 'invalid' are explicitly excluded and everything else
# hits the default drop. No inbound service is exposed by this config.
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable 

edit firewall name WAN_TO_LOCAL
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
  
# LAN hosts may reach both the WAN and every router service; the router
# itself is unrestricted outbound. Tighten LAN_TO_ALL if the LAN is not
# fully trusted (see the Advanced variant for a per-service example).
set firewall name LAN_TO_ALL default-action accept
set firewall name LOCAL_TO_ALL default-action accept
./Basic Zone Based Firewall (CLI)
file./Site-to-Site VTI VPN/Quick Configs Ubiquiti - Slide.png./Site-to-Site VTI VPN
file./Site-to-Site VTI VPN/Juniper VPN Config.txt
Default Interfaces
==================================================
# SRX side of the tunnel: fe-0/0/0 faces the Internet, fe-0/0/1 is the LAN.
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24
 
set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interface
================================================== 
# Route-based VPN: st0.0 is the tunnel interface; MTU 1400 leaves room for
# the ESP/IP overhead. Traffic for the remote LAN is routed into the tunnel.
edit interfaces
 set st0 unit 0 family inet mtu 1400
 set st0 unit 0 family inet address 12.0.0.1/30
 
set routing-options static route 10.0.0.0/24 next-hop 12.0.0.2
 
VPN Tunnel
================================================
# NOTE(review): the IKE/IPsec proposals use MD5 (authentication-algorithm
# md5 / hmac-md5-96) and no PFS is configured; these are deliberately
# matched to the EdgeRouter side but are weak choices. Move both ends to
# SHA-256 integrity and a PFS group together. The pre-shared key
# 'Pa$$w0rd' is a placeholder - use a long random secret; it is stored in
# the configuration.
edit security ike
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800
 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately

Security Settings
==================================================
# st0.0 is placed in the trust zone and trust-to-trust permits everything,
# so the remote LAN is treated as fully trusted. Use a separate zone and
# an explicit policy if the remote site should get less than full access.
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics
./Site-to-Site VTI VPN
file./Site-to-Site VTI VPN/Config.txt
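Default Interfaces
==================================================
# EdgeRouter side of the tunnel: eth0 faces the Internet, eth1 is the LAN.
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
# Route-based VPN over vti0; MTU 1400 leaves room for ESP/IP overhead.
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
# Both a next-hop route and an interface-route for the remote LAN; either
# one alone is sufficient for the tunnel to carry 172.16.0.0/24.
edit protocols static 
 set route 172.16.0.0/24 next-hop 12.0.0.1 
 set interface-route 172.16.0.0/24 next-hop-interface vti0
 
VPN Tunnel
==================================================
# NOTE(review): 'hash md5' for IKE and ESP and 'pfs disable' are weak
# choices, kept here only to match the Juniper side; move both ends to
# sha256 and enable PFS (dh-group 14) together. Lifetimes/DH group/AES-128
# mirror the SRX proposals.
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
  
# Peer is the SRX external address. 'Pa$$w0rd' is a placeholder PSK - use a
# long random secret; it is stored in the configuration in the clear.
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 # Fixed: this referenced 'ike-group IKE', which is not defined above; the
 # IKE group created in this config is FOO0 (as is the ESP group bound below).
 set ike-group FOO0
 set vti bind vti0
 set vti esp-group FOO0

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa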
./Site-to-Site VTI VPN
file./SSH RSA Keys & Authentication (CLI)/Quick Configs Ubiquiti - Slide.png./SSH RSA Keys & Authentication (CLI)
file./SSH RSA Keys & Authentication (CLI)/Config.txt
Disable SSH Password Authentication
====================================
# NOTE(review): load and test the public key below from a second session
# *before* committing this, or you lock yourself out of SSH.
edit service ssh 
 set disable-password-authentication

Load RSA Public Key
==================================== 
# loadkey installs a *public* key for the named user (bpin). Never copy the
# private key to the router. PASS/NOPASS presumably denote whether the
# matching private key is passphrase-protected - prefer the protected one;
# an unprotected private key on a workstation is a single-file credential.
loadkey bpin ~/PASS.pub
loadkey bpin ~/NOPASS.pub
./SSH RSA Keys & Authentication (CLI)
file./Speedtest.net Bandwidth Test using a Script (CLI)/Slide.PNG./Speedtest.net Bandwidth Test using a Script (CLI)
file./Speedtest.net Bandwidth Test using a Script (CLI)/Config.txt
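Add Speedtest Script
!------------------!
# Everything below runs as root on the router.
sudo su

# Fetch the script into the current directory (-O keeps the remote name).
# The original line passed '/config/scripts/' as an extra argument, which
# curl treats as a URL and fails on; the download only worked by accident.
# NOTE(review): this pulls unreviewed code from a moving branch ('master')
# and runs it as root. Pin a release tag or commit and compare the file's
# hash against a known value before running it.
curl -O https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py

#Make script executable

chmod +x speedtest.py

#Move script (/config survives firmware upgrades)

mv speedtest.py /config/scripts

#Run script

/config/scripts/speedtest.py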
./Speedtest.net Bandwidth Test using a Script (CLI)
file./Port Forwarding L2TP to Internal Server (NAT-Traversal)/Slide.PNG./Port Forwarding L2TP to Internal Server (NAT-Traversal)
file./Port Forwarding L2TP to Internal Server (NAT-Traversal)/Configuration.txt
Port Forwarding
!-------------!
# Forward IKE (UDP 500) and IKE NAT-Traversal (UDP 4500) from eth0 to the
# internal VPN server. 'auto-firewall disable' means the matching WAN_IN
# accept rules below must be maintained by hand.
edit port-forward
 set auto-firewall disable
 set hairpin-nat enable
 set lan-interface switch0
 set wan-interface eth0
 
 set rule 1 description IKE
 set rule 1 forward-to address 192.168.1.10
 set rule 1 forward-to port 500
 set rule 1 original-port 500
 set rule 1 protocol udp
 
 # UDP 4500 is NAT-T (ESP encapsulated in UDP), not ESP itself (IP proto
 # 50); the description is misleading but the port is the right one for
 # clients behind NAT.
 set rule 2 description ESP
 set rule 2 forward-to address 192.168.1.10
 set rule 2 forward-to port 4500
 set rule 2 original-port 4500
 set rule 2 protocol udp

top
 
Firewall Entries
!--------------!
# WAN_IN must be applied to eth0 in the 'in' direction elsewhere in the
# config for these rules to take effect. Only the two VPN ports are opened;
# rule 20 drops invalid-state packets before they reach the accepts.
edit firewall name WAN_IN
 set default-action drop
 
 set rule 10 action accept
 set rule 10 description 'Established'
 set rule 10 log disable
 set rule 10 protocol all
 set rule 10 state established enable
 set rule 10 state related enable 
 
 set rule 20 action drop
 set rule 20 description 'Invalid'
 set rule 20 log disable
 set rule 20 protocol all
 set rule 20 state invalid enable
 
 set rule 30 action accept
 set rule 30 description ESP
 set rule 30 log disable
 set rule 30 protocol udp
 set rule 30 destination port 4500

 set rule 40 action accept
 set rule 40 description IKE
 set rule 40 log disable
 set rule 40 protocol udp
 set rule 40 destination port 500 
 
top ; commit

Alternatively use Destination NAT
!-------------------------------!
# Equivalent DNAT rules if the port-forward feature is not used; the
# WAN_IN accepts above are still required.
edit service nat
 set rule 1 description IKE
 set rule 1 destination port 500
 set rule 1 inbound-interface eth0
 set rule 1 inside-address address 192.168.1.10
 set rule 1 inside-address port 500
 set rule 1 log disable
 set rule 1 protocol udp
 set rule 1 type destination
 
 set rule 2 description ESP
 set rule 2 destination port 4500
 set rule 2 inbound-interface eth0
 set rule 2 inside-address address 192.168.1.10
 set rule 2 inside-address port 4500
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 type destination

Verify L2TP
!---------!
# L2TP (UDP 1701) is normally carried inside the IPsec tunnel, so it will
# only show up here in the clear if a client connects without IPsec.
sudo tcpdump -i eth0 -n udp dst port 4500 or port 500 or port 1701

show nat statistics
show nat rules 

#Zenmap for Windows (target address goes after -p <port>)
nmap -sU -p 500 
nmap -sU -p 4500 
./Port Forwarding L2TP to Internal Server (NAT-Traversal)
file./Traffic Analysis & Blocking Categories (Websites) using Firewall/Slide.PNG./Traffic Analysis & Blocking Categories (Websites) using Firewall
file./Traffic Analysis & Blocking Categories (Websites) using Firewall/Configuration.txt
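Traffic Analysis with DPI
|-----------------------|
# DPI classifies flows by application so firewall rules can match on a
# category. NOTE(review): classification is best-effort - presumably
# signature/SNI based - so treat category blocks as a policy nudge, not a
# security boundary; a determined user can tunnel around it.
set system traffic-analysis dpi enable
set system traffic-analysis export enable

#Verify
show ubnt offload

Block Category
|-------------|
#See which sites are grouped under 'social networks' 
/usr/sbin/ubnt-dpi-util show-cat-apps Social-Network

#See which category a specific site is grouped under
/usr/sbin/ubnt-dpi-util search-app facebook
/usr/sbin/ubnt-dpi-util search-app twitter

#View all categories via CLI ('?' only lists completions; nothing is set)
set firewall name WAN_LOCAL rule 10 application category ?

#View all categories via GUI
Firewall Policies > WAN_LOCAL Actions > Advanced > Application

#Drop rule for social networks
edit firewall name SOCIAL_NETWORK
 set default-action accept
 set rule 10 description DROP_SOCIAL_SITES
 set rule 10 application category Social-Network
 set rule 10 action drop

top
 
#Apply to LAN interface ('in' = packets entering the router from switch0)
set interfaces switch switch0 firewall in name SOCIAL_NETWORK
 
commit

Block Custom Categories
|---------------------|
#Combine existing applications in a custom category
edit system traffic-analysis 
 set custom-category BLOCKED_SITES name Facebook
 set custom-category BLOCKED_SITES name Twitter

top 
 
#Drop rule for custom category
edit firewall name SOCIAL_NETWORK
 set default-action accept
 set rule 10 description DROP_BLOCKED_SITES 
 set rule 10 application category BLOCKED_SITES
 set rule 10 action drop

top

#Apply to LAN interface
# Fixed: this applied 'firewall in name BLOCKED_SITES', but BLOCKED_SITES is
# the custom category; the ruleset defined above is SOCIAL_NETWORK.
set interfaces switch switch0 firewall in name SOCIAL_NETWORK
 
commit

Block Category & Allow Certain Apps
|---------------------------------|
#Combine existing applications in a custom category
edit system traffic-analysis 
 set custom-category ALLOWED_SITES name linkedin
 set custom-category ALLOWED_SITES name yammer

top 
 
#Accept the allow-list first, then drop the whole category (rule order
#matters: 10 is evaluated before 20)
edit firewall name SOCIAL_NETWORK
 set default-action accept
 set rule 10 description ALLOWED_SOCIAL_SITES
 set rule 10 application category ALLOWED_SITES
 set rule 10 action accept 
 set rule 20 description DROP_SOCIAL_SITES
 set rule 20 application category Social-Network
 set rule 20 action drop

top

#Apply to LAN interface
set interfaces switch switch0 firewall in name SOCIAL_NETWORK
 
commit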
./Traffic Analysis & Blocking Categories (Websites) using Firewall
file./Source NAT & Masquerade (CLI)/Quick Configs Ubiquiti - Slide.png./Source NAT & Masquerade (CLI)
file./Source NAT & Masquerade (CLI)/Config.txt
Port Address Translation (Masquerade)
=====================================
# Masquerade LAN traffic behind eth0's address. Restricting 'source address'
# to the LAN prefix is deliberate: without it any traffic the router forwards
# out eth0 (e.g. from a guest or transit network) would be NATed too.
# Rule 5000 leaves room for more specific rules with lower numbers.
edit service nat rule 5000
 set description MASQUERADE
 set log disable
 set outbound-interface eth0
 set protocol all
 set source address 10.0.0.0/24
 set type masquerade
./Source NAT & Masquerade (CLI)
file./DHCP Pools & Reservations (CLI)/Quick Configs Ubiquiti - Slide.png./DHCP Pools & Reservations (CLI)
file./DHCP Pools & Reservations (CLI)/Config.txt
Default Login
==================================================
# NOTE(review): ubnt/ubnt is the factory credential and is public knowledge.
# Change it (or replace it with a new admin user) before the router is
# connected to anything untrusted.
Username: ubnt
Password: ubnt

Configuration Steps
==================================================
1. Associate interface with IP address
2. Create DHCP pool
3. Create reservations manually or 'Map Static IP'

Step 1
==================================================
set interfaces ethernet eth1 address 10.0.0.254/24 

Step 2
==================================================
# Pool .10-.150 on the LAN; clients get an external resolver (1.1.1.1)
# directly rather than the router's forwarder.
edit service dhcp-server shared-network-name LOCAL 
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 default-router 10.0.0.254
 set subnet 10.0.0.0/24 dns-server 1.1.1.1
 set subnet 10.0.0.0/24 lease 28800

Step 3
==================================================
# Reservation keyed on MAC. A MAC is trivially spoofed, so a reservation is
# a convenience, not an identity control - do not base firewall exceptions
# on the reserved address alone.
edit service dhcp-server shared-network-name LOCAL  
 set subnet 10.0.0.0/24 static-mapping XP ip-address 10.0.0.99
 set subnet 10.0.0.0/24 static-mapping XP mac-address '08:00:27:85:71:5e'

Helpful Commands
==================================================
show dhcp leases
show dhcp leases expired
show dhcp statistics

clear dhcp leases
clear dhcp lease ip 10.0.0.10

show configuration
show configuration commands
./DHCP Pools & Reservations (CLI)
file./DNSMASQ & DHCP (CLI)/Quick Configs Ubiquiti - Slide.png./DNSMASQ & DHCP (CLI)
file./DNSMASQ & DHCP (CLI)/Config.txt
Basics
==================================================
edit interfaces 
 set ethernet eth0 address dhcp
 set ethernet eth0 description WAN

 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth1 description LAN

DHCP
==================================================
# Clients are pointed at the router (10.0.0.1) for DNS so dnsmasq can answer
# local names and forward the rest.
edit service dhcp-server shared-network-name LOCAL 
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 domain-name domain.local
 set subnet 10.0.0.0/24 lease 28800

Reservations
==================================================
# MAC-keyed reservation - a convenience, not an identity control (MACs are
# easily spoofed).
edit service dhcp-server shared-network-name LOCAL  
 set subnet 10.0.0.0/24 static-mapping HOST1 ip-address 10.0.0.199
 set subnet 10.0.0.0/24 static-mapping HOST1 mac-address '08:00:27:85:71:5e'

Manual DNS (not needed if DNSMASQ is used)
==================================================
edit system static-host-mapping
 set host-name XP.domain.local inet 10.0.0.199
 set host-name XP.domain.local alias HOST1
 
DNSMASQ
==================================================
# Ignore the ISP-supplied resolvers from DHCP on eth0; the router resolves
# via its own forwarder (127.0.0.1) using the servers listed below.
set interfaces ethernet eth0 dhcp-options name-server no-update

set system name-server 127.0.0.1
set system domain-name domain.local

# Upstream resolvers are plain UDP/53 (unencrypted, unauthenticated).
# 'listen-on eth1' only: never add the WAN interface here or the router
# becomes an open resolver usable for DNS amplification.
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding listen-on eth1
set service dhcp-server use-dnsmasq enable
 
Verify
==================================================
show dhcp leases
show dhcp leases expired
show dhcp statistics

clear dhcp leases
clear dhcp lease ip 10.0.0.10
./DNSMASQ & DHCP (CLI)
file./SNMPv3/Quick Configs Ubiquiti - Slide.png./SNMPv3
file./SNMPv3/Config.txt
SNMPv3 AuthPriv (Authentication & Encryption)
==================================================
# SNMPv3 with seclevel 'priv': every request must be authenticated (SHA)
# and encrypted (AES). Bind to the LAN address only.
edit service snmp
 set listen-address 10.0.0.1 port 161
 # View 'VIEW' rooted at OID 1 exposes the entire MIB tree read-only.
 set v3 view VIEW oid 1
 
 set v3 group SNMP view VIEW
 set v3 group SNMP mode ro
 set v3 group SNMP seclevel priv
 
 # NOTE(review): 'Pa$$w0rd' is a placeholder and is used for both the auth
 # and privacy keys. Use two different, long random secrets; the keys are
 # entered in plaintext here and end up in the configuration (whether the
 # platform stores them hashed or in the clear is not shown by this snippet
 # - check 'show configuration' after commit).
 set v3 user USER group SNMP
 set v3 user USER mode ro
 set v3 user USER auth plaintext-key Pa$$w0rd
 set v3 user USER auth type sha
 set v3 user USER privacy plaintext-key Pa$$w0rd
 set v3 user USER privacy type aes
./SNMPv3
file./OSPF Route Redistribution/Quick Configs Ubiquiti - Slide.png./OSPF Route Redistribution
file./OSPF Route Redistribution/Cisco & Juniper Config.txt
Cisco Config
============================================
! Router 3.3.3.3 on the 10.0.13.0/24 p2p link to the EdgeRouter (area 0).
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf network point-to-point
 no shutdown
 
! passive-interface default so OSPF hellos leave only on gi0/0.
! NOTE(review): no OSPF authentication is configured on any device in this
! lab; on a shared or untrusted segment any host could form an adjacency
! and inject routes. Enable MD5/SHA authentication on the p2p links in
! production.
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
# Router 2.2.2.2 on the 10.0.12.0/30 p2p link (area 0.0.0.12, matching the
# EdgeRouter's 'area 12').
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.12
 set interface fe-0/0/0.0 interface-type p2p
# The SRX drops host-inbound protocols by default; OSPF must be explicitly
# allowed on the zone/interface or no adjacency forms.
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Route Redistribution
file./OSPF Route Redistribution/Config.txt
Enable Interfaces for OSPF
====================================
# Router 1.1.1.1; eth1 is the /30 link to the SRX, eth2 the /24 to the Cisco.
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX
 
edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set ip ospf network point-to-point
 set description TO_CISCO
 
Advertise Networks
====================================
# The network statements use different masks from the interface addresses
# (10.0.12.0/24 covers the /30; 10.0.13.0/30 covers 10.0.13.1), so both
# interfaces still match. passive-interface default keeps hellos off every
# interface except the two explicit exclusions.
# NOTE(review): no OSPF authentication is configured on these links; add
# it in production so an attacker on the segment cannot inject routes.
edit protocols ospf
 set area 12 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
 
Redistribution
====================================
# Three loopback prefixes, redistributed as external type-1 routes with a
# fixed metric. Unfiltered 'redistribute connected' also exports every other
# connected prefix (eth1/eth2 links) - see the route-map variant for a
# prefix-list filter.
edit interfaces loopback lo
 set ip ospf network point-to-point
 set address 11.0.1.1/24
 set address 11.0.2.1/24
 set address 11.0.3.1/24

edit protocols ospf
 set redistribute connected metric-type 1
 set redistribute connected metric 4
./OSPF Route Redistribution
file./Site-to-Site VTI VPN to Juniper (CLI)/Quick Configs Ubiquiti - Slide.png./Site-to-Site VTI VPN to Juniper (CLI)
file./Site-to-Site VTI VPN to Juniper (CLI)/Juniper VPN Config.txt
Default Interfaces
==================================================
# SRX side of the tunnel: fe-0/0/0 faces the Internet, fe-0/0/1 is the LAN.
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24
 
set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interface
================================================== 
# Route-based VPN over st0.0; MTU 1400 leaves room for ESP/IP overhead.
edit interfaces
 set st0 unit 0 family inet mtu 1400
 set st0 unit 0 family inet address 12.0.0.1/30
 
edit routing-options  
 set static route 10.0.0.0/24 next-hop 12.0.0.2
 
VPN Tunnel
================================================
# NOTE(review): MD5 integrity (authentication-algorithm md5 / hmac-md5-96)
# and no PFS are weak choices, matched to the EdgeRouter side; move both
# ends to SHA-256 and a PFS group together. 'Pa$$w0rd' is a placeholder
# PSK - use a long random secret; it is stored in the configuration.
edit security 
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800
 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately

Security Settings
==================================================
# st0.0 joins the trust zone and trust-to-trust permits any/any, so the
# remote LAN is fully trusted. Use a dedicated zone with an explicit policy
# if the remote site should get less than full access.
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics
./Site-to-Site VTI VPN to Juniper (CLI)
file./Site-to-Site VTI VPN to Juniper (CLI)/Config.txt
Default Interfaces
==================================================
# EdgeRouter side of the tunnel: eth0 faces the Internet, eth1 is the LAN.
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
# Route-based VPN over vti0; MTU 1400 leaves room for ESP/IP overhead.
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
# A next-hop route and an interface-route for the same prefix; either one
# alone is enough to send 172.16.0.0/24 into the tunnel.
edit protocols static 
 set route 172.16.0.0/24 next-hop 12.0.0.1 
 set interface-route 172.16.0.0/24 next-hop-interface vti0
 
VPN Tunnel
==================================================
# NOTE(review): 'hash md5' for IKE and ESP plus 'pfs disable' are weak;
# they are kept only to match the Juniper proposals. Move both ends to
# sha256 and enable PFS (dh-group 14) together.
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
# Peer is the SRX external address. 'Pa$$w0rd' is a placeholder PSK - use
# a long random secret; it is stored in the configuration in the clear.
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 set vti bind vti0
 set vti esp-group ESP

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VTI VPN to Juniper (CLI)
file./Zone Based Firewall & Guest Network (CLI)/Quick Configs Ubiquiti - Slide.png./Zone Based Firewall & Guest Network (CLI)
file./Zone Based Firewall & Guest Network (CLI)/Config.txt
Interfaces
==================================================
# eth0 = WAN, eth1 = LAN (10.0.0.0/24), eth2 = GUEST (172.16.0.0/24).
edit interfaces 
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth2 address 172.16.0.1/24

Zone Policies
==================================================
# Four default-drop zones. GUEST may only reach the WAN freely; GUEST->LAN
# and GUEST->LOCAL go through restrictive rulesets below.
edit zone-policy
 set zone WAN default-action drop
 set zone WAN from LAN firewall name LAN_TO_ALL
 set zone WAN from LOCAL firewall name LOCAL_TO_ALL
 set zone WAN from GUEST firewall name GUEST_TO_WAN
 set zone WAN interface eth0
 
 set zone LAN default-action drop
 set zone LAN from WAN firewall name WAN_TO_ALL
 set zone LAN from LOCAL firewall name LOCAL_TO_ALL
 set zone LAN from GUEST firewall name GUEST_TO_LAN
 set zone LAN interface eth1

 # LAN_TO_ALL (default accept) means LAN hosts can reach guests; guests
 # cannot initiate back (GUEST_TO_LAN below).
 set zone GUEST default-action drop
 set zone GUEST from WAN firewall name WAN_TO_ALL
 set zone GUEST from LOCAL firewall name LOCAL_TO_ALL
 set zone GUEST from LAN firewall name LAN_TO_ALL
 set zone GUEST interface eth2
 
 set zone LOCAL default-action drop
 set zone LOCAL from WAN firewall name WAN_TO_ALL
 set zone LOCAL from LAN firewall name LAN_TO_ALL
 set zone LOCAL from GUEST firewall name GUEST_TO_LOCAL
 set zone LOCAL local-zone 
 
GUEST Firewall Policy
==========================================
# GUEST -> LAN: return traffic only.
edit firewall name GUEST_TO_LAN 
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

# GUEST -> router: only DNS and DHCP (the services the guest subnet needs
# from the router) plus return traffic. Management (SSH/GUI) from the
# guest segment hits the default drop.
edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description DNS
 set rule 1 log disable
 set rule 1 protocol tcp_udp
 set rule 1 destination port 53

 set rule 2 action accept
 set rule 2 description DHCP
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 destination port 67
 
 set rule 3 action accept
 set rule 3 description Established
 set rule 3 log disable
 set rule 3 protocol all
 set rule 3 state established enable
 set rule 3 state related enable
 
set firewall name GUEST_TO_WAN default-action accept
 
Other Firewall Rules
==================================================
# WAN -> anything: established/related only; new and invalid excluded.
edit firewall name WAN_TO_ALL
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable 
 
set firewall name LAN_TO_ALL default-action accept
set firewall name LOCAL_TO_ALL default-action accept
 
Misc Settings
==================================================
# Forwarder listens on LAN and GUEST only (never eth0 - open resolver).
# Upstream is plain UDP/53 to 8.8.8.8.
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding name-server 8.8.8.8

edit service dhcp-server shared-network-name LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800

edit service dhcp-server shared-network-name GUEST 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800 
./Zone Based Firewall & Guest Network (CLI)
file./Firewall Rules & Guest Network (CLI)/Quick Configs Ubiquiti - Slide.png./Firewall Rules & Guest Network (CLI)
file./Firewall Rules & Guest Network (CLI)/Config.txt
GUEST_TO_LAN Firewall Policy
==========================================
# Interface-based (non-zone) variant. The group covers all RFC 1918 space,
# so guests are blocked from every private network, not just 10.0.0.0/24.
edit firewall group network-group LAN
 set network 192.168.0.0/16
 set network 172.16.0.0/12
 set network 10.0.0.0/8

# Default accept (Internet access) with an explicit drop toward private
# space. Rule order matters: established/related must be accepted before
# the drop, otherwise LAN-initiated flows to guests would break.
edit firewall name GUEST_TO_LAN 
 set default-action accept
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

 set rule 2 action drop
 set rule 2 description "Network Group"
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 destination group network-group LAN

GUEST_TO_LOCAL Firewall Policy
==========================================
# Guests may only talk to the router for DNS and DHCP; management services
# hit the default drop.
edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
 set rule 2 action accept
 set rule 2 description DNS
 set rule 2 log disable
 set rule 2 protocol tcp_udp
 set rule 2 destination port 53

 set rule 3 action accept
 set rule 3 description DHCP
 set rule 3 log disable
 set rule 3 protocol udp
 set rule 3 destination port 67

Default WAN_TO_LAN Rule
==========================================
# Return traffic only; reused below for both forwarded ('in') and
# router-destined ('local') traffic from the WAN.
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
# 'in' filters traffic forwarded through the router; 'local' filters traffic
# addressed to the router itself. Both directions are needed - a ruleset
# attached only to 'in' leaves the router's own services exposed.
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name WAN_TO_LAN

edit interfaces ethernet eth2
 set address 172.16.0.1/24
 set firewall in name GUEST_TO_LAN 
 set firewall local name GUEST_TO_LOCAL
 
Misc Settings
==================================================
edit service dhcp-server shared-network-name GUEST 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800

edit service dhcp-server shared-network-name LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800 

# Forwarder listens on LAN and GUEST only, never on eth0 (open resolver).
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding name-server 8.8.8.8
./Firewall Rules & Guest Network (CLI)
file./VLANs & Virtual Interfaces (VIF) (CLI)/Quick Configs Ubiquiti - Slide.png./VLANs & Virtual Interfaces (VIF) (CLI)
file./VLANs & Virtual Interfaces (VIF) (CLI)/Config.txt
Virtual Interfaces (VIF)
==================================================
# 802.1Q sub-interfaces on eth1: VLAN 10 -> 10.0.0.0/24, VLAN 172 ->
# 172.16.0.0/24. No firewall is attached to either VIF here, so the two
# VLANs can route to each other freely; add 'firewall in/local' rulesets
# (see the guest-network examples) if they must be isolated.
edit interfaces 
 set ethernet eth1 vif 10 address 10.0.0.1/24
 set ethernet eth1 vif 172 address 172.16.0.1/24

Misc Settings
==================================================
# Forwarder listens on the two VLAN interfaces only.
set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.172
set service dns forwarding name-server 8.8.8.8

edit service dhcp-server shared-network-name 10_LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800
 
edit service dhcp-server shared-network-name 172_LAN 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800 
./VLANs & Virtual Interfaces (VIF) (CLI)
file./OSPF Route Redistribution with Route-Maps/Quick Configs Ubiquiti - Slide.png./OSPF Route Redistribution with Route-Maps
file./OSPF Route Redistribution with Route-Maps/Cisco & Juniper Config.txt
Cisco Config
============================================
! Router 3.3.3.3 on the 10.0.13.0/24 p2p link to the EdgeRouter (area 0).
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf network point-to-point
 no shutdown
 
! NOTE(review): no OSPF authentication on any device in this lab; on a
! shared segment any host could form an adjacency and inject routes.
! Enable MD5/SHA authentication on the p2p links in production.
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
# Router 2.2.2.2 on the 10.0.12.0/30 p2p link (area 0.0.0.12 = the
# EdgeRouter's 'area 12').
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.12
 set interface fe-0/0/0.0 interface-type p2p
# The SRX drops host-inbound protocols unless allowed on the zone/interface.
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Route Redistribution with Route-Maps
file./OSPF Route Redistribution with Route-Maps/Config.txt
Route-Maps & Prefix-Lists
====================================
#Prefix-list used by the OSPF route-map below. 11.0.0.0/22 covers
#11.0.0.0-11.0.3.255; 'ge 24 le 24' narrows the match to /24 prefixes only,
#i.e. the loopback networks 11.0.1.0/24, 11.0.2.0/24 and 11.0.3.0/24 (and
#11.0.0.0/24 if one were configured). Anything not matched by the route-map
#is not redistributed.
edit policy prefix-list LOOPBACKS
 set rule 1 prefix 11.0.0.0/22
 set rule 1 ge 24
 set rule 1 le 24
 set rule 1 action permit

edit policy route-map OSPF 
 set rule 1 match ip address prefix-list LOOPBACKS
 set rule 1 action permit
 
edit protocols ospf
 set redistribute connected route-map OSPF
 set redistribute connected metric-type 2
./OSPF Route Redistribution with Route-Maps
file./Dual WAN Load-Balancing/Slide.PNG./Dual WAN Load-Balancing
file./Dual WAN Load-Balancing/Configuration.txt
WAN interfaces
!------------!
#WAN 1: PPPoE on eth0. MTU 1492 leaves room for the 8-byte PPPoE header
#(the mss-clamp of 1452 below is derived from it). name-server/default-route
#are set to 'none' so the PPP session injects neither ISP resolvers nor a
#default route; the route is added explicitly as an interface-route below and
#DNS via 'system name-server'. The PPPoE password is kept in clear text in
#this configuration, so limit who can read it. WAN_IN and WAN_LOCAL are
#referenced here but not defined in this section; they must exist before
#commit.
edit interfaces ethernet eth0 
 set pppoe 0 mtu 1492
 set pppoe 0 user-id ERX0
 set pppoe 0 password Pa$$w0rd
 set pppoe 0 name-server none
 set pppoe 0 default-route none
 set pppoe 0 firewall in name WAN_IN
 set pppoe 0 firewall local name WAN_LOCAL

top

edit interfaces ethernet eth1 
 set address dhcp
 set dhcp-options name-server no-update
 set dhcp-options default-route-distance 1
 set firewall in name WAN_IN
 set firewall local name WAN_LOCAL

set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0

set system name-server 8.8.8.8

set firewall options mss-clamp mss 1452

Load-Balancing Defaults
!---------------------!
edit firewall group network-group PRIVATE_NETS
 set network 192.168.0.0/16
 set network 172.16.0.0/12
 set network 10.0.0.0/8

top 
 
edit firewall modify balance
 set rule 10 action modify
 set rule 10 description 'do NOT load balance lan to lan'
 set rule 10 destination group network-group PRIVATE_NETS
 set rule 10 modify table main
 set rule 20 action modify
 set rule 20 description 'do NOT load balance destination public address'
 set rule 20 destination group address-group ADDRv4_pppoe0
 set rule 20 modify table main
 set rule 30 action modify
 set rule 30 description 'do NOT load balance destination public address'
 set rule 30 destination group address-group ADDRv4_eth1
 set rule 30 modify table main
 set rule 70 action modify
 set rule 70 modify lb-group G

top

edit interfaces switch switch0 
 set address 192.168.1.1/24
 set firewall in modify balance
 set switch-port interface eth2
 set switch-port interface eth3
 set switch-port interface eth4

top 

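#Load-balance group G spans both WAN links; 'lb-local' also routes traffic
#the router itself originates through the group.
edit load-balance group G
 set interface eth1
 set interface pppoe0
 set lb-local enable

#'edit' is relative to the current configuration level, so return to the
#root first, as the other sections in this file do; without it the next
#'edit service nat' is attempted underneath 'load-balance group G'.
top

#Source NAT per WAN link: one masquerade rule for each egress interface so
#flows leave with the address of whichever link the balancer picked.
edit service nat
 set rule 5000 description 'masquerade for WAN'
 set rule 5000 outbound-interface pppoe0
 set rule 5000 type masquerade
 set rule 5002 description 'masquerade for WAN 2'
 set rule 5002 outbound-interface eth1
 set rule 5002 type masquerade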

top 

#Conntrack sizing for the dual-WAN setup (the table-size/hash-size values
#are what the author chose; scale them with expected concurrent flows).
#NOTE(review): 'tcp loose enable' lets conntrack adopt a TCP flow whose
#handshake it never saw, which helps flows survive a link change but also
#makes a firewall 'established' match weaker than a full 3-way-handshake
#check; keep it only if failover needs it.
edit system conntrack 
 set expect-table-size 4096
 set hash-size 4096
 set table-size 32768
 set tcp half-open-connections 512
 set tcp loose enable
 set tcp max-retrans 3

top ; commit

Change Load-Balancing Defaults
!----------------------------!
edit load-balance group G

 set sticky dest-addr enable

 set interface pppoe0 route-test type ping target 8.8.8.8
 set interface pppoe0 route-test interval 5
 set interface pppoe0 route-test initial-delay 15
 
 set interface eth1 route-test type ping target 8.8.8.8 
 set interface eth1 route-test interval 5
 set interface eth1 route-test initial-delay 15

Influence Weighting
!-----------------!
edit load-balance group G 
 set interface pppoe0 weight 67
 set interface eth1 weight 33

Set one link to failover only
!---------------------------!
edit load-balance group G 
 set interface eth1 failover-only
 
Verify Load-Balancing
!-------------------!
show ip route
show load-balance status
show load-balance watchdog

show ip route table 201
show ip route table 202
./Dual WAN Load-Balancing
file./Point-to-Point Tunneling Protocol (PPTP) (CLI)/Quick Configs Ubiquiti - Slide.png./Point-to-Point Tunneling Protocol (PPTP) (CLI)
file./Point-to-Point Tunneling Protocol (PPTP) (CLI)/Windows Routes.txt
Add route to Windows
==================================================
1. route print -4
2. determine PPTP vpn interface ID (32 in my case)
3. route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32

Optionally create a batch (.bat) file
==================================================
rasdial Edgerouter vpnbpin Pa$$w0rd
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32
./Point-to-Point Tunneling Protocol (PPTP) (CLI)
file./Point-to-Point Tunneling Protocol (PPTP) (CLI)/EdgerouterPPTP.bat
REM Dial the "Edgerouter" RAS entry, then add a route to the remote LAN via
REM the VPN interface. IF 32 is the interface index the author saw in
REM 'route print -4'; it differs per host and must be adjusted.
REM The VPN password is embedded in this file in clear text, so keep the
REM file's ACL tight and do not share it.
rasdial Edgerouter vpnbpin Pa$$w0rd
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32
./Point-to-Point Tunneling Protocol (PPTP) (CLI)
file./Point-to-Point Tunneling Protocol (PPTP) (CLI)/Config.txt
PPTP
==================================================
#PPTP remote-access server with a single local user. PPTP relies on
#MS-CHAPv2/MPPE, which is considered broken; prefer an IPsec-based remote
#access where clients allow it. The user's password is given in clear text
#here, so restrict who can read this configuration.
edit vpn pptp remote-access 
 set authentication mode local
 set authentication local-users username vpnbpin password Pa$$w0rd
 #Pool handed to VPN clients (172.16.0.200-220).
 set client-ip-pool start 172.16.0.200
 set client-ip-pool stop 172.16.0.220
 #Intentionally not applied (leading ';'); the public address is set
 #statically below instead.
 ;set dhcp-interface eth0
 set outside-address 2.0.0.1
 set mtu 1024
 set dns-servers server-1 10.0.0.100
 set dns-servers server-2 8.8.8.8
 
Firewall Rule PPTP
==========================================
#Rule set applied to traffic addressed to the router itself on eth0
#('firewall local' further down). Default drop; rules 1-4 admit the PPTP
#control channel (tcp/1723), GRE (the PPTP data channel), SSH and HTTPS,
#each only from the single client address 100.0.0.1. Accepted sessions are
#not logged ('log disable'); enable logging on the SSH/HTTPS rules if an
#audit trail of management access is wanted.
edit firewall name VPN
 set default-action drop
 set rule 1 action accept
 set rule 1 description PPTP
 set rule 1 destination port 1723
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 source address 100.0.0.1
  
 set rule 2 action accept
 set rule 2 description GRE
 set rule 2 log disable
 set rule 2 protocol gre
 set rule 2 source address 100.0.0.1
 
 set rule 3 action accept
 set rule 3 description SSH
 set rule 3 destination port 22
 set rule 3 log disable
 set rule 3 protocol tcp
 set rule 3 source address 100.0.0.1

 set rule 4 action accept
 set rule 4 description HTTPS
 set rule 4 destination port 443
 set rule 4 log disable
 set rule 4 protocol tcp
 set rule 4 source address 100.0.0.1
 
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name VPN
./Point-to-Point Tunneling Protocol (PPTP) (CLI)
file./Zone Based Firewall & WAN Management (CLI)/Quick Configs Ubiquiti - Slide.png./Zone Based Firewall & WAN Management (CLI)
file./Zone Based Firewall & WAN Management (CLI)/Config.txt
Zones
==================================================
edit zone-policy
 set zone WAN default-action drop
 set zone WAN from LAN firewall name LAN_TO_ALL
 set zone WAN from LOCAL firewall name LOCAL_TO_ALL
 set zone WAN interface eth0
 
 set zone LAN default-action drop
 set zone LAN from WAN firewall name WAN_TO_LAN
 set zone LAN from LOCAL firewall name LOCAL_TO_ALL
 set zone LAN interface eth1
 
 set zone LOCAL default-action drop
 set zone LOCAL from WAN firewall name WAN_TO_LOCAL
 set zone LOCAL from LAN firewall name LAN_TO_ALL
 set zone LOCAL local-zone

Firewall Rules
==================================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable 

edit firewall name WAN_TO_LOCAL
 set default-action drop
 set description 'Limit Management Access'
 set rule 1 action accept
 set rule 1 description SSH
 set rule 1 destination port 22
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 source address 100.0.0.1 
  
 set rule 2 action accept
 set rule 2 description HTTPS
 set rule 2 destination port 443
 set rule 2 log disable
 set rule 2 protocol tcp
 set rule 2 source address 100.0.0.1
 
 set rule 3 action accept
 set rule 3 description Established
 set rule 3 log disable
 set rule 3 protocol all
 set rule 3 state established enable
 set rule 3 state invalid disable
 set rule 3 state new disable
 set rule 3 state related enable
 
#Both remaining rule sets are accept-all. LAN_TO_ALL is used for LAN -> WAN
#and LAN -> LOCAL, so nothing restricts LAN hosts from reaching the router's
#own services; tighten it if the LAN is not fully trusted. LOCAL_TO_ALL
#lets the router initiate anywhere.
set firewall name LAN_TO_ALL default-action accept
set firewall name LOCAL_TO_ALL default-action accept
./Zone Based Firewall & WAN Management (CLI)
file./Point-to-Point Tunneling Protocol (PPTP)/Quick Configs Ubiquiti - Slide.png./Point-to-Point Tunneling Protocol (PPTP)
file./Point-to-Point Tunneling Protocol (PPTP)/Windows Routes.txt
Add route to Windows
==================================================
1. route print -4
2. determine PPTP vpn interface ID (32 in my case)
3. route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32

Optionally create a batch (.bat) file
==================================================
rasdial Edgerouter vpnbpin Pa$$w0rd
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32
./Point-to-Point Tunneling Protocol (PPTP)
file./Point-to-Point Tunneling Protocol (PPTP)/EdgerouterPPTP.bat
REM Dial the "Edgerouter" RAS entry, then add a route to the remote LAN via
REM the VPN interface. IF 32 is the interface index the author saw in
REM 'route print -4'; it differs per host and must be adjusted.
REM The VPN password is embedded in this file in clear text, so keep the
REM file's ACL tight and do not share it.
rasdial Edgerouter vpnbpin Pa$$w0rd
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32
./Point-to-Point Tunneling Protocol (PPTP)
file./Point-to-Point Tunneling Protocol (PPTP)/Config.txt
PPTP
==================================================
#PPTP remote-access server with a single local user. PPTP relies on
#MS-CHAPv2/MPPE, which is considered broken; prefer an IPsec-based remote
#access where clients allow it. The user's password is given in clear text
#here, so restrict who can read this configuration.
edit vpn pptp remote-access 
 set authentication mode local
 set authentication local-users username vpnbpin password Pa$$w0rd
 #Pool handed to VPN clients (172.16.0.200-220).
 set client-ip-pool start 172.16.0.200
 set client-ip-pool stop 172.16.0.220
 #Intentionally not applied (leading ';'); the public address is set
 #statically below instead.
 ;set dhcp-interface eth0
 set outside-address 2.0.0.1
 set mtu 1024
 set dns-servers server-1 10.0.0.100
 set dns-servers server-2 8.8.8.8
 
Firewall Rule PPTP
==========================================
#Rule set applied to traffic addressed to the router itself on eth0
#('firewall local' further down). Default drop; rules 1-4 admit the PPTP
#control channel (tcp/1723), GRE (the PPTP data channel), SSH and HTTPS,
#each only from the single client address 100.0.0.1. Accepted sessions are
#not logged ('log disable'); enable logging on the SSH/HTTPS rules if an
#audit trail of management access is wanted.
edit firewall name VPN
 set default-action drop
 set rule 1 action accept
 set rule 1 description PPTP
 set rule 1 destination port 1723
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 source address 100.0.0.1
  
 set rule 2 action accept
 set rule 2 description GRE
 set rule 2 log disable
 set rule 2 protocol gre
 set rule 2 source address 100.0.0.1
 
 set rule 3 action accept
 set rule 3 description SSH
 set rule 3 destination port 22
 set rule 3 log disable
 set rule 3 protocol tcp
 set rule 3 source address 100.0.0.1

 set rule 4 action accept
 set rule 4 description HTTPS
 set rule 4 destination port 443
 set rule 4 log disable
 set rule 4 protocol tcp
 set rule 4 source address 100.0.0.1
 
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name VPN
./Point-to-Point Tunneling Protocol (PPTP)
file./Site-to-Site IPsec VPN to Linux Server (strongSwan)/Slide.PNG./Site-to-Site IPsec VPN to Linux Server (strongSwan)
file./Site-to-Site IPsec VPN to Linux Server (strongSwan)/Configuration.txt
Site-to-Site IPsec VPN
|--------------------|
#IKE/ESP policy for the tunnel to the strongSwan host. The values must match
#the Linux side exactly: FOO0 phase 1 = aes256/sha256/DH group 14, i.e.
#'ike=aes256-sha256-modp2048!' in ipsec.conf; phase 2 = aes128 with HMAC-MD5
#and no PFS, i.e. 'esp=aes128-md5!'. MD5 integrity and disabled PFS are weak
#choices kept only because the peer is pinned to them; when changing them,
#move both ends together (e.g. hash sha256, pfs dh-group14).
#auto-firewall-nat-exclude keeps tunnel traffic out of source NAT.
edit vpn ipsec 
 set auto-firewall-nat-exclude enable
 
 set ike-group FOO0 lifetime 86400 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes256
 set ike-group FOO0 proposal 1 hash sha256
 #DPD: probe every 30 s, declare the peer dead after 120 s and restart the SA
 #(mirrors dpddelay/dpdtimeout/dpdaction in ipsec.conf).
 set ike-group FOO0 dead-peer-detection action restart
 set ike-group FOO0 dead-peer-detection interval 30
 set ike-group FOO0 dead-peer-detection timeout 120
 
 set esp-group FOO0 lifetime 43200
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
  
#Peer definition for the strongSwan host at 2.0.0.1. Pre-shared-key
#authentication; the same secret goes into /etc/ipsec.secrets on the Linux
#side and is stored in clear text on both, so treat it as a credential.
#'connection-type respond' means this router never initiates: the Linux
#side ('auto=route') brings the tunnel up on the first matching packet.
edit vpn ipsec site-to-site peer 2.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type respond
 set local-address 1.0.0.1
 set ike-group FOO0
 
 #Traffic selectors: local 192.168.1.0/24 <-> remote 10.0.0.0/24 (the
 #mirror image of leftsubnet/rightsubnet in ipsec.conf).
 set tunnel 1 esp-group FOO0
 set tunnel 1 local prefix 192.168.1.0/24
 set tunnel 1 remote prefix 10.0.0.0/24

Verify IPsec Tunnel
|-----------------|
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa

sudo ipsec statusall

#Logs
show vpn log

#Reset connection
clear vpn ipsec-peer 2.0.0.1
sudo ipsec restart

#Verify StrongSwan
cat /etc/ipsec.conf 

Linux StrongSwan VPN
|------------------|
sudo apt-get install strongswan

sudo nano /etc/ipsec.conf
# strongSwan side of the tunnel. 'left' is this host (1.0.0.1), 'right' the
# EdgeRouter (2.0.0.1); subnets are the traffic selectors and must mirror
# 'tunnel 1 local/remote prefix' on the router.
conn peer-1.0.0.1-tunnel-1
        left=1.0.0.1
        right=2.0.0.1
        leftsubnet=192.168.1.0/24
        rightsubnet=10.0.0.0/24
        # Phase 1: aes256/sha256/DH14 (modp2048) = ike-group FOO0 on the router.
        # The trailing '!' makes the proposal strict (no other suites offered).
        ike=aes256-sha256-modp2048!
        keyexchange=ikev1
        aggressive=no
        ikelifetime=86400s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
        # Phase 2: aes128 + HMAC-MD5, no PFS group = esp-group FOO0. MD5
        # integrity is a weak choice kept only to match the router; change
        # both ends together (e.g. aes128-sha256-modp2048!).
        esp=aes128-md5!
        keylife=43200s
        rekeymargin=540s
        type=tunnel
        compress=no
        # PSK authentication; the secret lives in /etc/ipsec.secrets.
        authby=secret
        # Install the policy at start and initiate on the first matching
        # packet (the router is configured to 'respond' only).
        auto=route
        keyingtries=1

sudo nano /etc/ipsec.secrets
	# Pre-shared key for the pair of peer addresses. This file holds the
	# secret in clear text: keep it root-owned and mode 0600, and use a
	# long random value rather than a guessable password in production.
	2.0.0.1 1.0.0.1 : PSK "Pa$$w0rd"

#Enable routing between interfaces. Takes effect immediately but does not
#survive a reboot; persist it through the system's sysctl configuration as well.
echo 1 > /proc/sys/net/ipv4/ip_forward

Verify IPsec Tunnel
|-----------------|
sudo ipsec statusall

grep -a charon /var/log/auth.log

#Reset connection
sudo ipsec restart
./Site-to-Site IPsec VPN to Linux Server (strongSwan)
file./Altering & Resetting to Factory Defaults/Quick Configs Ubiquiti - Slide.png./Altering & Resetting to Factory Defaults
file./Altering & Resetting to Factory Defaults/Config.txt
Restore to Factory Defaults
==================================================
#Overwrites the active boot configuration with the factory default. The
#current configuration is lost on next boot unless it was saved under
#another name first (see 'save alternateconfig.boot' below).
cp /opt/vyatta/etc/config.boot.default /config/config.boot

Configurations & Saving
==================================================
save
load config.boot

save alternateconfig.boot
load alternateconfig.boot

sudo -i
ls -l /config/
cat /config/config.boot
vi /config/config.boot

cat /config/alternateconfig.boot
vi /config/alternateconfig.boot

Edit Factory Default Configuration
==================================================
sudo -i
vi /opt/vyatta/etc/config.boot.default
./Altering & Resetting to Factory Defaults
file./Basic WAN Firewall Filter/Quick Configs Ubiquiti - Slide.png./Basic WAN Firewall Filter
file./Basic WAN Firewall Filter/Config.txt
Basic WAN_TO_LAN Rule
====================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable

Apply to Interface
====================================
#Apply the established/related-only rule set to eth0 for forwarded traffic
#('in') and for traffic to the router itself ('local'). With the same set on
#'local', no new connection from the WAN reaches the router's services, so
#management is LAN-only; the optional listen-address settings below make
#that explicit at the service level too.
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name WAN_TO_LAN
 
Optional
====================================
#Bind the web GUI and SSH to the LAN address only, so they are not
#listening on the WAN address at all (defence in depth alongside the
#'firewall local' rule above).
edit service
 set gui listen-address 10.0.0.1
 set ssh listen-address 10.0.0.1 
./Basic WAN Firewall Filter
file./DNSMASQ & DHCP/Quick Configs Ubiquiti - Slide.png./DNSMASQ & DHCP
file./DNSMASQ & DHCP/Config.txt
Basics
==================================================
edit interfaces 
 set ethernet eth0 address dhcp
 set ethernet eth0 description WAN

 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth1 description LAN

DHCP
==================================================
edit service dhcp-server shared-network-name LOCAL 
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 domain-name domain.local
 set subnet 10.0.0.0/24 lease 28800

Reservations
==================================================
edit service dhcp-server shared-network-name LOCAL  
 set subnet 10.0.0.0/24 static-mapping HOST1 ip-address 10.0.0.199
 set subnet 10.0.0.0/24 static-mapping HOST1 mac-address '08:00:27:85:71:5e'

Manual DNS (not needed if DNSMASQ is used)
==================================================
edit system static-host-mapping
 set host-name XP.domain.local inet 10.0.0.199
 set host-name XP.domain.local alias HOST1
 
DNSMASQ
==================================================
#Keep the ISP's DHCP-supplied resolvers from being written into the
#router's resolver config; the router resolves via its own forwarder.
set interfaces ethernet eth0 dhcp-options name-server no-update

set system name-server 127.0.0.1
set system domain-name domain.local

#Upstream resolvers for the forwarder. 'listen-on eth1' restricts it to the
#LAN side, so it is not reachable as an open resolver from the WAN.
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding listen-on eth1
#Let dnsmasq serve DHCP as well, so lease hostnames resolve locally without
#the manual static-host-mapping entries above.
set service dhcp-server use-dnsmasq enable
 
Verify
==================================================
show dhcp leases
show dhcp leases expired
show dhcp statistics

clear dhcp leases
clear dhcp lease ip 10.0.0.10
./DNSMASQ & DHCP
file./WAN Management & Firewalls (CLI)/Quick Configs Ubiquiti - Slide.png./WAN Management & Firewalls (CLI)
file./WAN Management & Firewalls (CLI)/Config.txt
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
WAN Management Filter
==========================================
#Management filter for traffic addressed to the router on eth0. Default drop;
#SSH (9222) and HTTPS (9443) are admitted only from 100.0.0.1. The
#non-standard ports match the 'ssh port' / 'gui https-port' settings below;
#the source allowlist is what actually limits exposure, the port change only
#reduces noise. Accepted sessions are not logged ('log disable'); consider
#'log enable' on these rules for an audit trail of management access.
edit firewall name MGMT
 set default-action drop
 set description 'Limit Management Access'
 set rule 1 action accept
 set rule 1 description SSH_9222
 set rule 1 destination port 9222
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 source address 100.0.0.1
  
 set rule 2 action accept
 set rule 2 description HTTPS_9443
 set rule 2 destination port 9443
 set rule 2 log disable
 set rule 2 protocol tcp
 set rule 2 source address 100.0.0.1

Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name MGMT
 
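#Move management to the non-standard ports used by MGMT and bind the GUI and
#SSH explicitly to the WAN (2.0.0.1) and LAN (10.0.0.1) addresses. Only eth0
#is filtered by MGMT; the LAN listeners are unfiltered.
#The SSH LAN listener was missing: the original repeated the
#'gui listen-address 10.0.0.1' line, leaving SSH bound to the WAN
#address only.
edit service
 set gui listen-address 2.0.0.1
 set gui listen-address 10.0.0.1
 set gui https-port 9443
 set ssh listen-address 2.0.0.1
 set ssh listen-address 10.0.0.1
 set ssh port 9222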
./WAN Management & Firewalls (CLI)
file./OSPF Multiple Area Setup/Quick Configs Ubiquiti - Slide.png./OSPF Multiple Area Setup
file./OSPF Multiple Area Setup/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf network point-to-point
 no shutdown

int lo1
 ip address 13.0.1.1 255.255.255.0
 ip ospf network point-to-point
int lo2
 ip address 13.0.2.1 255.255.255.0
 ip ospf network point-to-point
int lo3
 ip address 13.0.3.1 255.255.255.0
 ip ospf network point-to-point
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 network 13.0.0.0 0.0.3.255 area 13
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.12
 set interface fe-0/0/0.0 interface-type p2p
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Multiple Area Setup
file./OSPF Multiple Area Setup/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX
 
edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set ip ospf network point-to-point
 set description TO_CISCO
 
Advertise Networks
====================================
#OSPF on the EdgeRouter: router-id 1.1.1.1 (SRX is 2.2.2.2, Cisco 3.3.3.3;
#ids must be unique). Passive by default, with hellos only on the two transit
#links eth1 (area 12, to the SRX) and eth2 (area 0, to the Cisco).
#NOTE(review): the network prefix lengths appear swapped relative to the
#interface masks (eth1 is 10.0.12.1/30, eth2 is 10.0.13.1/24). Each interface
#address still falls inside the stated range, so the interfaces are
#activated, but confirm the intended statements are
#'area 12 network 10.0.12.0/30' and 'area 0 network 10.0.13.0/24'.
edit protocols ospf
 set area 12 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
./OSPF Multiple Area Setup
file./Basic Firewall Filter (HTTPS & SSH)/Quick Configs Ubiquiti - Slide.png./Basic Firewall Filter (HTTPS & SSH)
file./Basic Firewall Filter (HTTPS & SSH)/Config.txt
HTTPS & SSH Rules
==========================================
#LAN-side management filter: default drop, SSH only from 10.0.0.11 and HTTPS
#only from 10.0.0.10 (note the two rules allow different hosts). Unlike the
#WAN variants elsewhere in this repository, accepted sessions are logged
#('log enable'), which gives an audit trail of who reached the router.
edit firewall name MGMT
 set default-action drop
 set description 'Limit Management Access'
 
 set rule 1 action accept
 set rule 1 description SSH
 set rule 1 destination port 22
 set rule 1 log enable
 set rule 1 protocol tcp
 set rule 1 source address 10.0.0.11
  
 set rule 2 action accept
 set rule 2 description HTTPS
 set rule 2 destination port 443
 set rule 2 log enable
 set rule 2 protocol tcp
 set rule 2 source address 10.0.0.10

Apply to Interface
==========================================
edit interfaces ethernet eth1
 set description LAN
 set address 10.0.0.1/24
 set firewall local name MGMT
./Basic Firewall Filter (HTTPS & SSH)
file./Speed Testing (Bandwidth) with iPerf3 (CLI)/Slide.PNG./Speed Testing (Bandwidth) with iPerf3 (CLI)
file./Speed Testing (Bandwidth) with iPerf3 (CLI)/Configuration.txt
iPerf3 Server (Receiver)
!---------------------!
-s = Run in server mode
-p = Port (5201 by default)
-f = Format
	 k - Kbits
	 m - Mbits
	 K - KBytes
	 M - MBytes

#Run default	 
iperf3 -s -f m

#Listen on port 5555
iperf3 -s -p 5555 -f m

iPerf3 Client (Sender)
!-------------------!
-c = Run in client mode and specify remote ip
-p = Port (5201 by default)
-f = Format
	 k - Kbits
	 m - Mbits
	 K - KBytes
	 M - MBytes
-P = Number of parallel streams (TCP only)
-u = Test with UDP instead of TCP
-i = Interval (1 second is default)
-t = Testing time (default is 10)

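#Run default (TCP, 10 s, 1 s reporting interval)
iperf3 -c 192.168.1.1 -f m

#Run 5 parallel streams on port 5555 (-P applies to TCP only)
iperf3 -c 192.168.1.1 -f m -p 5555 -P 5

#Run UDP for 10 seconds with 2 second interval
#(the binary name is lower-case; the original 'iPerf3' would not be found.
#UDP uses iperf3's default target bitrate unless -b is given.)
iperf3 -c 192.168.1.1 -f m -u -i 2 -t 10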

Dual Bidirectional Test (iPerf2 only)
!-----------------------!
#First install iPerf2
#Add the Wheezy Debian repositories
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy 
set system package repository wheezy url http://http.us.debian.org/debian

sudo apt-get install iperf

#Server
iperf -s -f m -i 1

#Client
iperf -c 192.168.1.1 -f m -i 1 -d
./Speed Testing (Bandwidth) with iPerf3 (CLI)
file./Offloading (Hardware Acceleration)/Quick Configs Ubiquiti - Slide.png./Offloading (Hardware Acceleration)
file./Offloading (Hardware Acceleration)/Config.txt
Hardware Offloading 
======================================
edit system offload
 set hwnat enable
 set ipsec enable
 
 set ipv4 forwarding enable
 set ipv4 gre enable
 set ipv6 forwarding enable
 set ipv6 gre enable
 
reboot
show ubnt offload 
./Offloading (Hardware Acceleration)
file./index.php.
file./OSPF Routing over VTI VPN (CLI)/Quick Configs Ubiquiti - Slide.png./OSPF Routing over VTI VPN (CLI)
file./OSPF Routing over VTI VPN (CLI)/Juniper VPN Config.txt
Default Interfaces
==================================================
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24
 
set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interface
================================================== 
edit interfaces
 set st0 unit 0 family inet mtu 1400
 set st0 unit 0 family inet address 12.0.0.1/30
  
VPN Tunnel
================================================
edit security 
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800
 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately

Security Settings
==================================================
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
OSPF
==================================================
set routing-options router-id 1.1.1.1 

edit protocols ospf 
 set area 1 interface st0.0 interface-type p2p  
 set area 1 interface fe-0/0/1.0    

Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics

show ospf neighbor 
show ospf interface
show ospf database
./OSPF Routing over VTI VPN (CLI)
file./OSPF Routing over VTI VPN (CLI)/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
VPN Tunnel
==================================================
#IKE/ESP policy for the VTI tunnel to the SRX. Must match the Junos side:
#IKE = aes128 / MD5 / DH group 14, lifetime 28800; ESP = aes128 / HMAC-MD5,
#lifetime 3600, tunnel mode, no PFS. MD5 for IKE integrity and ESP
#authentication, and PFS disabled, are weak choices that only survive
#because the peer proposal pins them; when hardening, change both ends
#together (sha256 and a PFS group).
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 set vti bind vti0
 set vti esp-group ESP

OSPF
==================================================
edit protocols ospf
 set parameters router-id 2.2.2.2
 set area 0 network 10.0.0.0/24
 set area 1 network 12.0.0.0/30
 
set interfaces vti vti0 ip ospf network point-to-point

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa

show ip ospf neighbor
show ip ospf interface brief
show ip ospf database
./OSPF Routing over VTI VPN (CLI)
file./OSPF Route Redistribution (CLI)/Quick Configs Ubiquiti - Slide.png./OSPF Route Redistribution (CLI)
file./OSPF Route Redistribution (CLI)/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf network point-to-point
 no shutdown
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.12
 set interface fe-0/0/0.0 interface-type p2p
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Route Redistribution (CLI)
file./OSPF Route Redistribution (CLI)/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX
 
edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set ip ospf network point-to-point
 set description TO_CISCO
 
Advertise Networks
====================================
#OSPF on the EdgeRouter: router-id 1.1.1.1 (SRX is 2.2.2.2, Cisco 3.3.3.3;
#ids must be unique). Passive by default, with hellos only on the two transit
#links eth1 (area 12, to the SRX) and eth2 (area 0, to the Cisco).
#NOTE(review): the network prefix lengths appear swapped relative to the
#interface masks (eth1 is 10.0.12.1/30, eth2 is 10.0.13.1/24). Each interface
#address still falls inside the stated range, so the interfaces are
#activated, but confirm the intended statements are
#'area 12 network 10.0.12.0/30' and 'area 0 network 10.0.13.0/24'.
edit protocols ospf
 set area 12 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
 
Redistribution
====================================
edit interfaces loopback lo
 set ip ospf network point-to-point
 set address 11.0.1.1/24
 set address 11.0.2.1/24
 set address 11.0.3.1/24

edit protocols ospf
 set redistribute connected metric-type 1
 set redistribute connected metric 4
./OSPF Route Redistribution (CLI)
file./Static 1to1 Source NAT/Quick Configs Ubiquiti - Slide.png./Static 1to1 Source NAT
file./Static 1to1 Source NAT/Config.txt
Port Address Translation (Masquerade)
=====================================
edit service nat rule 5000
 set description MASQUERADE
 set log disable
 set outbound-interface eth0
 set protocol all
 set source address 10.0.0.0/24
 set type masquerade

Static 1:1 Source NAT
==================================================
edit service nat rule 5001
 set description STATIC
 set log disable
 set outbound-interface eth0
 set protocol all
 set outside-address address 2.0.0.100/32
 set source address 10.0.0.100/32
 set type source
./Static 1to1 Source NAT
file./Complete Overview of PoE Support/Slide2.PNG./Complete Overview of PoE Support
file./Complete Overview of PoE Support/PoE Overview.xlsx./Complete Overview of PoE Support
file./Complete Overview of PoE Support/Slide1.PNG./Complete Overview of PoE Support
file./OSPF Routing over VTI VPN/Quick Configs Ubiquiti - Slide.png./OSPF Routing over VTI VPN
file./OSPF Routing over VTI VPN/Juniper VPN Config.txt
Default Interfaces
==================================================
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24
 
set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interface
================================================== 
edit interfaces
 set st0 unit 0 family inet mtu 1400
 set st0 unit 0 family inet address 12.0.0.1/30
  
VPN Tunnel
================================================
edit security 
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800
 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately

Security Settings
==================================================
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
OSPF
==================================================
set routing-options router-id 1.1.1.1 

edit protocols ospf 
 set area 1 interface st0.0 interface-type p2p  
 set area 1 interface fe-0/0/1.0    

Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics

show ospf neighbor 
show ospf interface
show ospf database
./OSPF Routing over VTI VPN
file./OSPF Routing over VTI VPN/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
VPN Tunnel
==================================================
#IKE/ESP policy for the VTI tunnel to the SRX. Must match the Junos side:
#IKE = aes128 / MD5 / DH group 14, lifetime 28800; ESP = aes128 / HMAC-MD5,
#lifetime 3600, tunnel mode, no PFS. MD5 for IKE integrity and ESP
#authentication, and PFS disabled, are weak choices that only survive
#because the peer proposal pins them; when hardening, change both ends
#together (sha256 and a PFS group).
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 set vti bind vti0
 set vti esp-group FOO0

OSPF
==================================================
edit protocols ospf
 set parameters router-id 2.2.2.2
 set area 0 network 10.0.0.0/24
 set area 1 network 12.0.0.0/30
 
set interfaces vti vti0 ip ospf network point-to-point

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa

show ip ospf neighbor
show ip ospf interface brief
show ip ospf database
./OSPF Routing over VTI VPN
file./Blocking Adult Websites using Traffic Analysis & Firewall Categories/Slide.PNG./Blocking Adult Websites using Traffic Analysis & Firewall Categories
file./Blocking Adult Websites using Traffic Analysis & Firewall Categories/Configuration.txt
Traffic Analysis with DPI
|-----------------------|
set system traffic-analysis dpi enable
set system traffic-analysis export enable

#Verify
show ubnt offload

Block Category & Allow Certain Apps
|---------------------------------|
#See which sites are grouped under 'adult websites' 
/usr/sbin/ubnt-dpi-util show-cat-apps TopSites-Adult

#If this list is empty, upgrade your firmware!

#See which category a specific site is grouped under
/usr/sbin/ubnt-dpi-util search-app pornhub.com
/usr/sbin/ubnt-dpi-util search-app penthouse

#Some adult websites are listed under Streaming-Media

#Combine Streaming-Media applications in a custom category
edit system traffic-analysis 
 set custom-category ADULT name hustlertube
 set custom-category ADULT name livejasmin.com
 set custom-category ADULT name porn.com
 set custom-category ADULT name pornhub.com
 set custom-category ADULT name redtube.com
 set custom-category ADULT name xhamster.com
 set custom-category ADULT name xnxx.com
 set custom-category ADULT name xtube
 set custom-category ADULT name xvideos.com
 set custom-category ADULT name youjizz
 set custom-category ADULT name youporn.com 
 
top 
 
#Drop rule for adult websites including custom category
edit firewall name BLOCK_ADULT
 set default-action accept
 set rule 10 description DROP_ADULT_SITES
 set rule 10 application category TopSites-Adult
 set rule 10 action drop 
 set rule 20 description DROP_ADULT_SITES
 set rule 20 application category ADULT
 set rule 20 action drop

top

#Apply to LAN interface
set interfaces switch switch0 firewall in name BLOCK_ADULT
 
commit
./Blocking Adult Websites using Traffic Analysis & Firewall Categories
file./Port Mirroring (CLI)/Quick Configs Ubiquiti - Slide.png./Port Mirroring (CLI)
file./Port Mirroring (CLI)/Config.txt
Port Mirroring
===========================================
edit interfaces
 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth1 description SOURCE
 set ethernet eth1 mirror eth0
 
 set ethernet eth0 description DESTINATION
./Port Mirroring (CLI)
file./Site-to-Site VPN/Quick Configs Ubiquiti - Slide.png./Site-to-Site VPN
file./Site-to-Site VPN/Config.txt
Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
 #md5 hashing and disabled PFS match the Cisco peer config in this lab; outside a lab prefer sha256 in both proposals and enable PFS on both ends
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 
 set tunnel 1 esp-group FOO0
 set tunnel 1 local prefix 10.0.0.0/24
 set tunnel 1 remote prefix 172.16.0.0/24

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VPN
file./Site-to-Site VPN/Cisco VPN Config.txt
Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto Map VPN
================================================
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel
 
crypto map CMAP 10 ipsec-isakmp 
 set peer 2.0.0.1
 set transform-set TS 
 match address VPN
 set security-association lifetime seconds 3600

ip access-list extended VPN 
 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255

int g0/0 
 crypto map CMAP

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./Site-to-Site VPN
file./Banner/Quick Configs Ubiquiti - Slide.png./Banner
file./Banner/Config.txt
Pre-Login Banner
==================================================
set system login banner pre-login "**********************************************************************\n\n\tThis system is for the use of authorized clients only.\n\tIndividuals using the computer network system without\n\tany authorization, or in excess of their authorization,\n\tare subject to having all their activity monitored and\n\trecorded by system personnel. To protect the environment\n\tfrom unauthorized use and to ensure the computer system\n\tis functioning properly, system technicians continuously\n\tmonitor the network environment for unauthorized usage.\n\n\tUnauthorized access is a violation of criminal, civil,\n\tstate and federal laws.\n\n**********************************************************************\n\n"

Post-Login Banner
==================================================
set system login banner post-login "You are logged on to Edgerouter-X 5-Port with version v1.9.0\n"
./Banner
file./Upgrading the UniFi Controller from Version 4 to 5 on Linux/Slide.PNG./Upgrading the UniFi Controller from Version 4 to 5 on Linux
file./Upgrading the UniFi Controller from Version 4 to 5 on Linux/Configuration.txt
UniFi Re-Installation / Upgrade
!-----------------------------!
#This part assumes that you have already installed UniFi v4 Stable

nano /etc/apt/sources.list

#This should be in the sources list:
#UniFi v4 Stable
deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti

#Comment out or remove the line above and add:
#UniFi v5 
deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti

tail /etc/apt/sources.list

#This key should already be added if you have installed UniFi v4 Stable
#C0A52C50 is a short key ID; confirm the full fingerprint against the key Ubiquiti publishes in its documentation before trusting it
apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50

apt-get update

#If you have previously disabled the UniFi update (hold), unhold the package:
apt-mark unhold unifi

#Verify the unhold (should be ii, not hi)
dpkg -l | grep unifi

#Stop the UniFi service
service unifi stop

apt-get upgrade

reboot

Verify UniFi Installation
!-----------------------!
systemctl status unifi

https://192.168.1.10:8443

apt-get install nmap

nmap localhost

#nmap should show
8080/tcp open  http-proxy
8443/tcp open  https-alt

#After upgrade you can put the UniFi package on hold again
apt-mark hold unifi
./Upgrading the UniFi Controller from Version 4 to 5 on Linux
file./Basic Traffic Analysis & Deep Packet Inspection (DPI)/Configuration.txt
Traffic Analysis with DPI
|-----------------------|
set system traffic-analysis dpi enable
set system traffic-analysis export enable

Traffic Analysis without DPI
|--------------------------|
set system traffic-analysis dpi disable
set system traffic-analysis export enable

#Verify
show ubnt offload

https://www.youtube.com/c/+BenPin
./Basic Traffic Analysis & Deep Packet Inspection (DPI)
file./Basic Traffic Analysis & Deep Packet Inspection (DPI)/Slide.png./Basic Traffic Analysis & Deep Packet Inspection (DPI)
file./VLANs & Switch Interface (CLI)/Quick Configs Ubiquiti - Slide.png./VLANs & Switch Interface (CLI)
file./VLANs & Switch Interface (CLI)/Config.txt
Switch Interface
=============================================
edit interfaces switch switch0
 set vif 10 address 10.0.0.1/24
 set vif 172 address 172.16.0.1/24
 set switch-port interface eth1 vlan vid 10
 set switch-port interface eth1 vlan vid 172
 set switch-port interface eth2 vlan pvid 10
 set switch-port interface eth3 vlan pvid 172
 set switch-port vlan-aware enable
 set mtu 1500
./VLANs & Switch Interface (CLI)
file./Source NAT & Masquerade/Quick Configs Ubiquiti - Slide.png./Source NAT & Masquerade
file./Source NAT & Masquerade/Config.txt
Port Address Translation (Masquerade)
=====================================
edit service nat rule 5000
 set description MASQUERADE
 set log disable
 set outbound-interface eth0
 set protocol all
 set source address 10.0.0.0/24
 set type masquerade
./Source NAT & Masquerade
file./VRRP/Quick Configs Ubiquiti - Slide.png./VRRP
file./VRRP/Juniper VRRP Config.txt
VRRP
===============================================
edit interfaces fe-0/0/1.0
 set description LAN
 edit family inet address 10.0.0.2/24
  set vrrp-group 12 preempt
  set vrrp-group 12 priority 100
  set vrrp-group 12 authentication-type simple
  set vrrp-group 12 authentication-key Pa$$w0rd
  set vrrp-group 12 virtual-address 10.0.0.254 

Verify
===============================================
show vrrp
show vrrp extensive
show vrrp summary 
./VRRP
file./VRRP/Cisco VRRP Config.txt
VRRP
===============================
int g1/0
 ip add 10.0.0.2 255.255.255.0
 description LAN
 no shutdown
 vrrp 12 preempt
 vrrp 12 priority 100
 vrrp 12 ip 10.0.0.254 
 vrrp 12 authentication Pa$$w0rd
./VRRP
file./VRRP/Config.txt
VRRP
=============================================
edit interfaces ethernet eth1
 set address 10.0.0.1/24
 set description LAN
 edit vrrp vrrp-group 12 
  set priority 100
  set preempt true
  set authentication type plaintext-password
  set authentication password Pa$$w0rd
  set virtual-address 10.0.0.254/24

Verify
=============================================
show vrrp
show vrrp summary

clear vrrp master interface eth1 group 12
./VRRP
file./Using VLAN 1 on a vlan-aware switch0 Interface/Configuration.txt
Temporary Management Connection
!-----------------------------!
delete interfaces switch switch0 switch-port interface eth2
set interfaces ethernet eth2 address 172.16.0.1/24

#On PC, configure static IP:
Address	: 172.16.0.10
Mask	: 255.255.255.0
Gateway	: -

#Patch into Eth2 and navigate to:
https://172.16.0.1

Switch0 Modification
!------------------!
edit interfaces switch switch0
 delete address 192.168.1.1/24
 set vif 1 address 192.168.1.1/24
 set vif 10 address 10.0.0.1/24
 set switch-port interface eth3 vlan pvid 10
 set switch-port interface eth4 vlan pvid 1
 set switch-port vlan-aware enable
 set mtu 1500
 top ; commit

#On PC, change adapter back to DHCP
#Patch into Eth3 and navigate to:
https://10.0.0.1

delete interfaces ethernet eth2 address 172.16.0.1/24
edit interfaces switch switch0 
 #Set each remaining port's pvid to 1 or 10 depending on which VLAN that port should belong to
 set switch-port interface eth1 vlan pvid 1 or 10
 set switch-port interface eth2 vlan pvid 1 or 10
 top ; commit
 
Misc Settings
!-----------!
set service dns forwarding listen-on switch0.1
set service dns forwarding listen-on switch0.10
set service dns forwarding name-server 8.8.8.8
 
edit service dhcp-server shared-network-name LAN 
 set subnet 192.168.1.0/24 default-router 192.168.1.1
 set subnet 192.168.1.0/24 dns-server 192.168.1.1
 set subnet 192.168.1.0/24 lease 86400
 set subnet 192.168.1.0/24 start 192.168.1.38 stop 192.168.1.243
 
edit service dhcp-server shared-network-name VLAN10 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 86400
 set subnet 10.0.0.0/24 start 10.0.0.38 stop 10.0.0.243
./Using VLAN 1 on a vlan-aware switch0 Interface
file./Using VLAN 1 on a vlan-aware switch0 Interface/Slide.png./Using VLAN 1 on a vlan-aware switch0 Interface
file./Zone Based Firewall, Guest VLAN & VIF (CLI)/Quick Configs Ubiquiti - Slide.png./Zone Based Firewall, Guest VLAN & VIF (CLI)
file./Zone Based Firewall, Guest VLAN & VIF (CLI)/Config.txt
Virtual Interfaces (VIF)
==================================================
edit interfaces 
 set ethernet eth1 vif 10 address 10.0.0.1/24
 set ethernet eth1 vif 172 address 172.16.0.1/24

Zone Policies
==================================================
edit zone-policy
 set zone WAN default-action drop
 set zone WAN from LAN firewall name LAN_TO_ALL
 set zone WAN from LOCAL firewall name LOCAL_TO_ALL
 set zone WAN from GUEST firewall name GUEST_TO_WAN
 set zone WAN interface eth0
 
 set zone LAN default-action drop
 set zone LAN from WAN firewall name WAN_TO_ALL
 set zone LAN from LOCAL firewall name LOCAL_TO_ALL
 set zone LAN from GUEST firewall name GUEST_TO_LAN
 set zone LAN interface eth1.10

 set zone GUEST default-action drop
 set zone GUEST from WAN firewall name WAN_TO_ALL
 set zone GUEST from LOCAL firewall name LOCAL_TO_ALL
 set zone GUEST from LAN firewall name LAN_TO_ALL
 set zone GUEST interface eth1.172
 
 set zone LOCAL default-action drop
 set zone LOCAL from WAN firewall name WAN_TO_ALL
 set zone LOCAL from LAN firewall name LAN_TO_ALL
 set zone LOCAL from GUEST firewall name GUEST_TO_LOCAL
 set zone LOCAL local-zone 
 
GUEST Firewall Policy
==========================================
edit firewall name GUEST_TO_LAN 
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description DNS
 set rule 1 log disable
 set rule 1 protocol tcp_udp
 set rule 1 destination port 53

 set rule 2 action accept
 set rule 2 description DHCP
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 destination port 67
 
 set rule 3 action accept
 set rule 3 description Established
 set rule 3 log disable
 set rule 3 protocol all
 set rule 3 state established enable
 set rule 3 state related enable
 
set firewall name GUEST_TO_WAN default-action accept
 
Other Firewall Rules
==================================================
edit firewall name WAN_TO_ALL
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable 
 
set firewall name LAN_TO_ALL default-action accept
set firewall name LOCAL_TO_ALL default-action accept
 
Misc Settings
==================================================
set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.172
set service dns forwarding name-server 8.8.8.8

edit service dhcp-server shared-network-name LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800

edit service dhcp-server shared-network-name GUEST 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800 
./Zone Based Firewall, Guest VLAN & VIF (CLI)
file./Basic Interface Bonding/Quick Configs Ubiquiti - Slide.png./Basic Interface Bonding
file./Basic Interface Bonding/Config.txt
Bonding interfaces
==================================================
edit interfaces bonding bond0
 set address 10.0.12.1/30
 set mode 802.3ad

set interfaces ethernet eth1 bond-group bond0
set interfaces ethernet eth2 bond-group bond0
 
show interfaces bonding  
show interfaces bonding brief
./Basic Interface Bonding
file./Learn the Command Line (CLI)/Quick Configs Ubiquiti - Slide.png./Learn the Command Line (CLI)
file./Learn the Command Line (CLI)/Config.txt
Configuration Commands
==================================================
configure
edit system
 set host-name Edgerouter
 set login user bpin level admin
 set login user bpin authentication plaintext-password Pa$$w0rd
 set name-server 8.8.8.8
 set name-server 8.8.4.4
 set time-zone Europe/Amsterdam

edit interfaces 
 set ethernet eth0 address 2.0.0.1/24 
 set ethernet eth0 description WAN  
 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth1 description LAN  

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
./Learn the Command Line (CLI)
file./Basic Zone Based Firewall/Quick Configs Ubiquiti - Slide.png./Basic Zone Based Firewall
file./Basic Zone Based Firewall/Config.txt
Zones
==================================================
edit zone-policy
 set zone WAN default-action drop
 set zone WAN from LAN firewall name LAN_TO_ALL
 set zone WAN from LOCAL firewall name LOCAL_TO_ALL
 set zone WAN interface eth0
 
 set zone LAN default-action drop
 set zone LAN from WAN firewall name WAN_TO_LAN
 set zone LAN from LOCAL firewall name LOCAL_TO_ALL
 set zone LAN interface eth1
 
 set zone LOCAL default-action drop
 set zone LOCAL from WAN firewall name WAN_TO_LOCAL
 set zone LOCAL from LAN firewall name LAN_TO_ALL
 set zone LOCAL local-zone

Firewall Rules
==================================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable 

edit firewall name WAN_TO_LOCAL
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
set firewall name LAN_TO_ALL default-action accept
set firewall name LOCAL_TO_ALL default-action accept
./Basic Zone Based Firewall
file./Syslog & File Logging/Quick Configs Ubiquiti - Slide.png./Syslog & File Logging
file./Syslog & File Logging/Config.txt
Default Logging
==================================================
edit system syslog
 delete global facility protocols 
 set global facility all level debug

show log | no-more
cat /var/log/messages

sudo -i
ls -l /var/log/

Custom File Logging
==================================================
Custom log files are stored under /var/log/user

edit system syslog
 set file AUTH facility auth level debug
 set file ALL facility all level debug

show log file AUTH 
cat /var/log/user/AUTH

Remote Syslog Logging	  
==================================================
edit system syslog
  set host 192.168.1.99 facility all level debug
./Syslog & File Logging
file./Site-to-Site VTI VPN to Juniper/Quick Configs Ubiquiti - Slide.png./Site-to-Site VTI VPN to Juniper
file./Site-to-Site VTI VPN to Juniper/Juniper VPN Config.txt
Default Interfaces
==================================================
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24
 
set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interface
================================================== 
edit interfaces
 set st0 unit 0 family inet mtu 1400
 set st0 unit 0 family inet address 12.0.0.1/30
 
set routing-options static route 10.0.0.0/24 next-hop 12.0.0.2
 
VPN Tunnel
================================================
edit security
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800
 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately

Security Settings
==================================================
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics
./Site-to-Site VTI VPN to Juniper
file./Site-to-Site VTI VPN to Juniper/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
edit protocols static 
 set route 172.16.0.0/24 next-hop 12.0.0.1 
 set interface-route 172.16.0.0/24 next-hop-interface vti0
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
 #md5 hashing and disabled PFS match the Juniper peer config in this lab; outside a lab prefer sha256 in both proposals and enable PFS on both ends
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 set vti bind vti0
 set vti esp-group FOO0

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VTI VPN to Juniper
file./OSPF Basic Neighborship/Quick Configs Ubiquiti - Slide.png./OSPF Basic Neighborship
file./OSPF Basic Neighborship/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 no shutdown

int lo1
 ip address 13.0.1.1 255.255.255.0
 ip ospf network point-to-point
int lo2
 ip address 13.0.2.1 255.255.255.0
 ip ospf network point-to-point
int lo3
 ip address 13.0.3.1 255.255.255.0
 ip ospf network point-to-point
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 network 13.0.0.0 0.0.3.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.0 
 set interface fe-0/0/0.0 interface-type p2p
 
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Basic Neighborship
file./OSPF Basic Neighborship/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX

edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set description TO_CISCO
 
Advertise Networks
====================================
edit protocols ospf
 set area 0 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
./OSPF Basic Neighborship
file./OpenVPN (CLI)/Quick Configs Ubiquiti - Slide.png./OpenVPN (CLI)
file./OpenVPN (CLI)/edgerouter.ovpn
client
dev tun
proto udp
remote 2.0.0.1 1194
float
comp-lzo yes
push "comp-lzo yes"
#push is a server-side directive and has no effect in a client profile
resolv-retry infinite 
nobind
persist-key 
persist-tun 
verb 3
auth SHA256
cipher AES-256-CBC
ca cacert.pem 
cert CLIENT.pem
key CLIENT-NOPASS.key
#Consider adding 'remote-cert-tls server' so a client certificate signed by the same CA cannot be used to pose as the server
./OpenVPN (CLI)
file./OpenVPN (CLI)/Config.txt
OpenVPN Certificates
==================================================
sudo -i
cd /usr/lib/ssl/misc
./CA.sh -newca
	Passphrase				  = Pa$$w0rd
	countryName               = NL
	stateOrProvinceName       = QUICKCONFIGS
	organizationName          = QUICKCONFIGS
	organizationalUnitName    = QUICKCONFIGS
	commonName                = ROOT
	
cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

./CA.sh -newreq
./CA.sh -sign
	countryName               = NL
	stateOrProvinceName       = QUICKCONFIGS
	localityName              = QUICKCONFIGS
	organizationName          = QUICKCONFIGS
	organizationalUnitName    = QUICKCONFIGS
	commonName                = SERVER

mv newcert.pem /config/auth/SERVER.pem
mv newkey.pem /config/auth/SERVER.key

openssl dhparam -out /config/auth/DH.pem -2 1024
#1024-bit DH parameters are below current guidance; generate 2048-bit or larger for anything beyond a lab

./CA.sh -newreq
./CA.sh -sign
	countryName               = NL
	stateOrProvinceName       = QUICKCONFIGS
	localityName              = QUICKCONFIGS
	organizationName          = QUICKCONFIGS
	organizationalUnitName    = QUICKCONFIGS
	commonName                = CLIENT

mv newcert.pem /config/auth/CLIENT.pem
mv newkey.pem /config/auth/CLIENT.key

openssl rsa -in /config/auth/SERVER.key -out /config/auth/SERVER-NOPASS.key
openssl rsa -in /config/auth/CLIENT.key -out /config/auth/CLIENT-NOPASS.key
#The -NOPASS keys are unencrypted; keep them readable only by root under /config/auth and hand CLIENT-NOPASS.key to the client over a trusted channel
	
OpenVPN Interface
==================================================
edit interfaces openvpn vtun0
 set mode server
 set description OpenVPN
 set encryption aes256
 set hash sha256
 set server subnet 172.16.0.0/24
 set server push-route 10.0.0.0/24
 set server name-server 10.0.0.100
 
 set tls ca-cert-file /config/auth/cacert.pem
 set tls cert-file /config/auth/SERVER.pem
 set tls key-file /config/auth/SERVER-NOPASS.key
 set tls dh-file /config/auth/DH.pem
 set openvpn-option "--comp-lzo no"
 
Firewall Rule OpenVPN
==========================================
edit firewall name VPN
 set default-action drop
 set rule 1 action accept
 set rule 1 description OpenVPN
 set rule 1 destination port 1194
 set rule 1 log disable
 set rule 1 protocol udp
 set rule 1 source address 100.0.0.1
  
 set rule 2 action accept
 set rule 2 description SSH
 set rule 2 destination port 22
 set rule 2 log disable
 set rule 2 protocol tcp
 set rule 2 source address 100.0.0.1

 set rule 3 action accept
 set rule 3 description HTTPS
 set rule 3 destination port 443
 set rule 3 log disable
 set rule 3 protocol tcp
 set rule 3 source address 100.0.0.1
 
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name VPN
 
Misc Settings
==================================================
set service dns forwarding listen-on vtun0
set service dns forwarding name-server 8.8.8.8

Verify
==================================================
show openvpn status server
./OpenVPN (CLI)
dir./OpenVPN (CLI)/Example Files (WILL NOT APPLY TO YOUR ENVIRONMENT)./OpenVPN (CLI)
file./Static 1to1 Source NAT (CLI)/Quick Configs Ubiquiti - Slide.png./Static 1to1 Source NAT (CLI)
file./Static 1to1 Source NAT (CLI)/Config.txt
Port Address Translation (Masquerade)
=====================================
edit service nat rule 5000
 set description MASQUERADE
 set log disable
 set outbound-interface eth0
 set protocol all
 set source address 10.0.0.0/24
 set type masquerade

Static 1:1 Source NAT
==================================================
edit service nat rule 5001
 set description STATIC
 set log disable
 set outbound-interface eth0
 set protocol all
 set outside-address address 2.0.0.100/32
 set source address 10.0.0.100/32
 set type source
./Static 1to1 Source NAT (CLI)
file./DHCP Pools & Reservations/Quick Configs Ubiquiti - Slide.png./DHCP Pools & Reservations
file./DHCP Pools & Reservations/Config.txt
Default Login
==================================================
Username: ubnt
Password: ubnt

Configuration Steps
==================================================
1. Associate interface with IP address
2. Create DHCP pool
3. Create reservations manually or 'Map Static IP'

Step 1
==================================================
set interfaces ethernet eth1 address 10.0.0.254/24 

Step 2
==================================================
edit service dhcp-server shared-network-name LOCAL 
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 default-router 10.0.0.254
 set subnet 10.0.0.0/24 dns-server 1.1.1.1
 set subnet 10.0.0.0/24 lease 28800

Step 3
==================================================
edit service dhcp-server shared-network-name LOCAL  
 set subnet 10.0.0.0/24 static-mapping XP ip-address 10.0.0.99
 set subnet 10.0.0.0/24 static-mapping XP mac-address '08:00:27:85:71:5e'

Helpful Commands
==================================================
show dhcp leases
show dhcp leases expired
show dhcp statistics

clear dhcp leases
clear dhcp lease ip 10.0.0.10

show configuration
show configuration commands
./DHCP Pools & Reservations
file./OSPF Basic Neighborship (CLI)/Quick Configs Ubiquiti - Slide.png./OSPF Basic Neighborship (CLI)
file./OSPF Basic Neighborship (CLI)/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 no shutdown

int lo1
 ip address 13.0.1.1 255.255.255.0
 ip ospf network point-to-point
int lo2
 ip address 13.0.2.1 255.255.255.0
 ip ospf network point-to-point
int lo3
 ip address 13.0.3.1 255.255.255.0
 ip ospf network point-to-point
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 network 13.0.0.0 0.0.3.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.0 
 set interface fe-0/0/0.0 interface-type p2p
 
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Basic Neighborship (CLI)
file./OSPF Basic Neighborship (CLI)/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX

edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set description TO_CISCO
 
Advertise Networks
====================================
edit protocols ospf
 set area 0 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
./OSPF Basic Neighborship (CLI)
file./OSPF Neighbor Authentication (CLI)/Quick Configs Ubiquiti - Slide.png./OSPF Neighbor Authentication (CLI)
file./OSPF Neighbor Authentication (CLI)/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf message-digest-key 1 md5 ubnt
 ip ospf authentication message-digest
 no shutdown

int lo1
 ip address 13.0.1.1 255.255.255.0
 ip ospf network point-to-point
int lo2
 ip address 13.0.2.1 255.255.255.0
 ip ospf network point-to-point
int lo3
 ip address 13.0.3.1 255.255.255.0
 ip ospf network point-to-point
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 network 13.0.0.0 0.0.3.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.0 
 set interface fe-0/0/0.0 interface-type p2p
 set interface fe-0/0/0.0 authentication simple-password ubnt
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Neighbor Authentication (CLI)
file./OSPF Neighbor Authentication (CLI)/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX
 
edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set description TO_CISCO
 
Advertise Networks
====================================
edit protocols ospf
 set area 0 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
 
Interface Authentication
====================================
edit interfaces ethernet eth1 ip ospf
 set authentication plaintext-password ubnt
 
edit interfaces ethernet eth2 ip ospf
 set authentication md5 key-id 1 md5-key ubnt
 
Area Authentication
====================================
edit protocols ospf area 0
 set authentication md5
./OSPF Neighbor Authentication (CLI)
file./Basic Interface Bridging/Quick Configs Ubiquiti - Slide.png./Basic Interface Bridging
file./Basic Interface Bridging/Config.txt
Bridge Interface
==================================================
edit interfaces
 set bridge br0 address 10.0.0.1/24
 set bridge br0 stp false
 set bridge br0 description BRIDGEDLAN
 
 set ethernet eth1 bridge-group bridge br0
 set ethernet eth1 description BRIDGEDLAN

 set ethernet eth2 bridge-group bridge br0
 set ethernet eth2 description BRIDGEDLAN

 set ethernet eth0 address 2.0.0.1/30
 set ethernet eth0 description WAN
 
DHCP Services
==================================================
edit service dhcp-server shared-network-name BRIDGEDLAN
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 8.8.8.8
 set subnet 10.0.0.0/24 lease 28800
 
set service dns forwarding listen-on br0
set service dns forwarding name-server 8.8.8.8
./Basic Interface Bridging
file./PPPoE Client WAN IP-Address from ISP/Silde.png./PPPoE Client WAN IP-Address from ISP
file./PPPoE Client WAN IP-Address from ISP/Configuration.txt
PPPoE Client
!----------!
edit interfaces ethernet eth0 
 set pppoe 0 mtu 1492
 set pppoe 0 user-id ERX0
 set pppoe 0 password Pa$$w0rd
 set pppoe 0 name-server none
 set pppoe 0 default-route none
 set pppoe 0 firewall in name WAN_IN
 set pppoe 0 firewall local name WAN_LOCAL

set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0

set system name-server 8.8.8.8
set system name-server 8.8.4.4

set firewall options mss-clamp mss 1452

Verify PPPoE Connection
!----------------------!
show interfaces pppoe pppoe0 log
clear interfaces connection pppoe0
connect interface pppoe0
./PPPoE Client WAN IP-Address from ISP
file./Firewall Rules, Guest VLAN & VIF/Quick Configs Ubiquiti - Slide.png./Firewall Rules, Guest VLAN & VIF
file./Firewall Rules, Guest VLAN & VIF/Config.txt
Virtual Interfaces (VIF)
==================================================
edit interfaces 
 set ethernet eth1 vif 10 address 10.0.0.1/24
 set ethernet eth1 vif 172 address 172.16.0.1/24

GUEST_TO_LAN Firewall Policy
==========================================
edit firewall group network-group LAN
 set network 192.168.0.0/16
 set network 172.16.0.0/12
 set network 10.0.0.0/8
 
edit firewall name GUEST_TO_LAN 
 set default-action accept
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

 set rule 2 action drop
 set rule 2 description "Network Group"
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 destination group network-group LAN

GUEST_TO_LOCAL Firewall Policy
==========================================
edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description DNS
 set rule 1 log disable
 set rule 1 protocol tcp_udp
 set rule 1 destination port 53

 set rule 2 action accept
 set rule 2 description DHCP
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 destination port 67

 set rule 3 action accept
 set rule 3 description Established
 set rule 3 log disable
 set rule 3 protocol all
 set rule 3 state established enable
 set rule 3 state related enable 
 
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 
edit interfaces ethernet eth1 vif 172
 set firewall in name GUEST_TO_LAN 
 set firewall local name GUEST_TO_LOCAL
 
Misc Settings
==================================================
edit service dhcp-server shared-network-name GUEST 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800

edit service dhcp-server shared-network-name LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800 
 
set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.172
set service dns forwarding name-server 8.8.8.8
./Firewall Rules, Guest VLAN & VIF
file./VLANs & Switch Interface/Quick Configs Ubiquiti - Slide.png./VLANs & Switch Interface
file./VLANs & Switch Interface/Config.txt
Switch Interface
=============================================
edit interfaces switch switch0
 set vif 10 address 10.0.0.1/24
 set vif 172 address 172.16.0.1/24
 set switch-port interface eth1 vlan vid 10
 set switch-port interface eth1 vlan vid 172
 set switch-port interface eth2 vlan pvid 10
 set switch-port interface eth3 vlan pvid 172
 set switch-port vlan-aware enable
 set mtu 1500
./VLANs & Switch Interface
file./Site-to-Site VPN to Juniper/Quick Configs Ubiquiti - Slide.png./Site-to-Site VPN to Juniper
file./Site-to-Site VPN to Juniper/Juniper VPN Config.txt
Default Interfaces
==================================================
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24

set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interfaces
==================================================
set interfaces st0.0 family inet 

set routing-options static route 10.0.0.0/24 next-hop st0.0

VPN Tunnel
================================================
edit security 
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800

 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1 
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0 
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately
 
 set ipsec vpn ESP_VPN ike proxy-identity local 172.16.0.0/24
 set ipsec vpn ESP_VPN ike proxy-identity remote 10.0.0.0/24
 set ipsec vpn ESP_VPN ike proxy-identity service any
 
Security Settings
==================================================
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics
./Site-to-Site VPN to Juniper
file./Site-to-Site VPN to Juniper/Config.txt
Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 
 set tunnel 1 esp-group FOO0
 set tunnel 1 local prefix 10.0.0.0/24
 set tunnel 1 remote prefix 172.16.0.0/24

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VPN to Juniper
file./Archival & Commit Management/Quick Configs Ubiquiti - Slide.png./Archival & Commit Management
file./Archival & Commit Management/Config.txt
Archival & Commit Management
==================================================
edit system config-management 
 set commit-archive location tftp://192.168.1.99/
 set commit-revisions 5

set service telnet
commit comment ADDED_TELNET
commit confirm 5

Saving and Loading Running Configuration
==================================================
save
save tftp://192.168.1.99/config.txt 
load tftp://192.168.1.99/config.txt 

TFTP backup
==================================================
copy file running://config/config.boot to tftp://192.168.1.99/startup-config.txt

Viewing Commit Files
==================================================
show system commit
show system commit file 0 
show configuration

show system commit diff 0

Delete Commit History 
==================================================
delete file running://config/archive/config.boot.0.gz

Command History
==================================================
show history  
show history brief 

Using the Linux Shell
==================================================
sudo -i
ls -l /config/
ls -l /config/archive

cat /config/config.boot

./Archival & Commit Management
file./Site-to-Site VTI VPN (CLI)/Quick Configs Ubiquiti - Slide.png./Site-to-Site VTI VPN (CLI)
file./Site-to-Site VTI VPN (CLI)/Juniper VPN Config.txt
Default Interfaces
==================================================
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24
 
set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interface
================================================== 
edit interfaces
 set st0 unit 0 family inet mtu 1400
 set st0 unit 0 family inet address 12.0.0.1/30
 
set routing-options static route 10.0.0.0/24 next-hop 12.0.0.2
 
VPN Tunnel
================================================
edit security 
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800
 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately

Security Settings
==================================================
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics
./Site-to-Site VTI VPN (CLI)
file./Site-to-Site VTI VPN (CLI)/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
edit protocols static 
 set route 172.16.0.0/24 next-hop 12.0.0.1 
 set interface-route 172.16.0.0/24 next-hop-interface vti0
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 set vti bind vti0
 set vti esp-group ESP

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VTI VPN (CLI)
file./Site-to-Site VPN to Cisco/Quick Configs Ubiquiti - Slide.png./Site-to-Site VPN to Cisco
file./Site-to-Site VPN to Cisco/Config.txt
Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
 
 set auto-firewall-nat-exclude enable 
 
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 
 set tunnel 1 esp-group FOO0
 set tunnel 1 local prefix 10.0.0.0/24
 set tunnel 1 remote prefix 172.16.0.0/24

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VPN to Cisco
file./Site-to-Site VPN to Cisco/Cisco VPN Config.txt
Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto Map VPN
================================================
crypto isakmp policy 10
 encr aes 
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel
 
crypto map CMAP 10 ipsec-isakmp 
 set peer 2.0.0.1
 set transform-set TS 
 match address VPN
 set security-association lifetime seconds 3600

ip access-list extended VPN 
 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255

int g0/0 
 crypto map CMAP

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./Site-to-Site VPN to Cisco
file./User Accounts & System Management/Quick Configs Ubiquiti - Slide.png./User Accounts & System Management
file./User Accounts & System Management/Config.txt
System Management
==================================================
edit service
 set telnet port 23
 set telnet listen-address 10.0.0.1
 set gui https-port 8443
 
User Management
==================================================
edit system login 
 set user bpin level operator 
 set user bpin authentication plaintext-password Pa$$w0rd
 delete user ubnt

Root Account 
================================================== 
sudo -i

edit system login
 set user root authentication plaintext-password Pa$$w0rd

set service telnet allow-root 
#telnet sends the root password in cleartext; the MGMT filter below limits which source may reach port 23

Limit Access
==================================================
edit firewall name MGMT
 set default-action drop
 set rule 1 action accept
 set rule 1 destination port 23
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 source address 10.0.0.99/32
 
set interfaces ethernet eth1 firewall local name MGMT
./User Accounts & System Management
file./Port Forwarding (CLI)/Quick Configs Ubiquiti - Slide.png./Port Forwarding (CLI)
file./Port Forwarding (CLI)/Config.txt
Port Forwarding
==========================================
edit port-forward
 set auto-firewall disable
 set lan-interface eth1
 set wan-interface eth0
 
 set rule 1 description "80_TO_WEBSERVER"
 set rule 1 protocol tcp
 set rule 1 original-port 80
 set rule 1 forward-to address 10.0.0.100
 set rule 1 forward-to port 80
 
 set rule 2 description "8080_TO_WEBSERVER"
 set rule 2 protocol tcp
 set rule 2 original-port 8080
 set rule 2 forward-to address 10.0.0.100
 set rule 2 forward-to port 80
 
Firewall Entries
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description PortForward
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 destination port 80
 
 set rule 2 action accept
 set rule 2 description Established
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 state established enable
 set rule 2 state related enable 
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
./Port Forwarding (CLI)
file./Basic WAN Firewall Filter (CLI)/Quick Configs Ubiquiti - Slide.png./Basic WAN Firewall Filter (CLI)
file./Basic WAN Firewall Filter (CLI)/Config.txt
Basic WAN_TO_LAN Rule
==================================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable

Apply to Interface
==================================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name WAN_TO_LAN
 
Optional
==================================================
edit service
 set gui listen-address 10.0.0.1
 set gui https-port 9443
 set ssh listen-address 10.0.0.1 
 set ssh port 9222
./Basic WAN Firewall Filter (CLI)
file./NTP & Time Zones/Quick Configs Ubiquiti - Slide.png./NTP & Time Zones
file./NTP & Time Zones/Config.txt
Manual Time and Date
==================================================
Format = MMDDhhmmYYYY.ss

set date 0818hhmm2016.00

NTP & Timezones
==================================================
edit system 
 delete ntp server 0.ubnt.pool.ntp.org 
 delete ntp server 1.ubnt.pool.ntp.org 
 delete ntp server 2.ubnt.pool.ntp.org 
 delete ntp server 3.ubnt.pool.ntp.org 
 set ntp server nl.pool.ntp.org
 
 set time-zone Europe/Amsterdam

set date ntp
show date
show system uptime

show ntp nl.pool.ntp.org
show ntp
./NTP & Time Zones
file./Port Mirroring/Quick Configs Ubiquiti - Slide.png./Port Mirroring
file./Port Mirroring/Config.txt
Port Mirroring
===========================================
edit interfaces
 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth1 description SOURCE
 set ethernet eth1 mirror eth0
 
 set ethernet eth0 description DESTINATION
./Port Mirroring
file./Basic Firewall Filter (HTTPS & SSH) (CLI)/Quick Configs Ubiquiti - Slide.png./Basic Firewall Filter (HTTPS & SSH) (CLI)
file./Basic Firewall Filter (HTTPS & SSH) (CLI)/Config.txt
HTTPS & SSH Rules
==================================================
edit firewall name MGMT
 set default-action drop
 set description 'Limit Management Access'
 set rule 1 action accept
 set rule 1 description SSH
 set rule 1 destination port 22
 set rule 1 log enable
 set rule 1 protocol tcp
 set rule 1 source address 10.0.0.10
  
 set rule 2 action accept
 set rule 2 description HTTPS
 set rule 2 destination port 443
 set rule 2 log enable
 set rule 2 protocol tcp
 set rule 2 source address 10.0.0.11

Apply to Interface
==================================================
edit interfaces ethernet eth1
 set description LAN
 set address 10.0.0.1/24
 set firewall local name MGMT
./Basic Firewall Filter (HTTPS & SSH) (CLI)
file./Site-to-Site VPN to Juniper (CLI)/Quick Configs Ubiquiti - Slide.png./Site-to-Site VPN to Juniper (CLI)
file./Site-to-Site VPN to Juniper (CLI)/Juniper VPN Config.txt
Default Interfaces
==================================================
edit interfaces
 set fe-0/0/0 unit 0 family inet address 1.0.0.1/24
 set fe-0/0/1 unit 0 family inet address 172.16.0.1/24

set routing-options static route 0.0.0.0/0 next-hop 1.0.0.2

VTI Interfaces
==================================================
set interfaces st0.0 family inet 

set routing-options static route 10.0.0.0/24 next-hop st0.0

VPN Tunnel
================================================
edit security 
 set ike proposal IKE authentication-method pre-shared-keys
 set ike proposal IKE dh-group group14
 set ike proposal IKE authentication-algorithm md5
 set ike proposal IKE encryption-algorithm aes-128-cbc
 set ike proposal IKE lifetime-seconds 28800

 set ike policy IKE_POLICY mode main
 set ike policy IKE_POLICY proposals IKE
 set ike policy IKE_POLICY pre-shared-key ascii-text Pa$$w0rd
 set ike gateway IKE_GATEWAY ike-policy IKE_POLICY
 set ike gateway IKE_GATEWAY address 2.0.0.1
 set ike gateway IKE_GATEWAY external-interface fe-0/0/0
 set ike gateway IKE_GATEWAY local-address 1.0.0.1 
 
 set ipsec proposal ESP protocol esp
 set ipsec proposal ESP authentication-algorithm hmac-md5-96
 set ipsec proposal ESP encryption-algorithm aes-128-cbc
 set ipsec proposal ESP lifetime-seconds 3600
 set ipsec policy ESP_POLICY proposals ESP
 set ipsec vpn ESP_VPN bind-interface st0.0 
 set ipsec vpn ESP_VPN ike gateway IKE_GATEWAY
 set ipsec vpn ESP_VPN ike ipsec-policy ESP_POLICY
 set ipsec vpn ESP_VPN establish-tunnels immediately
 
 set ipsec vpn ESP_VPN ike proxy-identity local 172.16.0.0/24
 set ipsec vpn ESP_VPN ike proxy-identity remote 10.0.0.0/24
 set ipsec vpn ESP_VPN ike proxy-identity service any
 
Security Settings
==================================================
set security zones security-zone trust interfaces st0.0

edit security policies from-zone trust to-zone trust 
 set policy trust-to-trust match source-address any
 set policy trust-to-trust match destination-address any
 set policy trust-to-trust match application any
 set policy trust-to-trust then permit
 
Verify 
==================================================
show security ike security-associations
show security ike security-associations detail

show security ipsec sa
show security ipsec sa detail
show security ipsec statistics
./Site-to-Site VPN to Juniper (CLI)
file./Site-to-Site VPN to Juniper (CLI)/Config.txt
Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
edit site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 
 set tunnel 1 esp-group ESP
 set tunnel 1 local prefix 10.0.0.0/24
 set tunnel 1 remote prefix 172.16.0.0/24

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VPN to Juniper (CLI)
file./VRRP (CLI)/Quick Configs Ubiquiti - Slide.png./VRRP (CLI)
file./VRRP (CLI)/Juniper VRRP Config.txt
VRRP
===============================================
edit interfaces fe-0/0/1.0
 set description LAN
 edit family inet address 10.0.0.2/24
  set vrrp-group 12 preempt
  set vrrp-group 12 priority 100
  set vrrp-group 12 authentication-type simple
  set vrrp-group 12 authentication-key Pa$$w0rd
  set vrrp-group 12 virtual-address 10.0.0.254 

Verify
===============================================
show vrrp
show vrrp extensive
show vrrp summary 
./VRRP (CLI)
file./VRRP (CLI)/Cisco VRRP Config.txt
VRRP
===============================
int g1/0
 ip add 10.0.0.2 255.255.255.0
 description LAN
 no shutdown
 vrrp 12 preempt
 vrrp 12 priority 100
 vrrp 12 ip 10.0.0.254 
 vrrp 12 authentication Pa$$w0rd
./VRRP (CLI)
file./VRRP (CLI)/Config.txt
VRRP
=============================================
edit interfaces ethernet eth1
 set address 10.0.0.1/24
 set description LAN
 edit vrrp vrrp-group 12 
  set priority 100
  set preempt true
  set authentication type plaintext-password
  set authentication password Pa$$w0rd
  set virtual-address 10.0.0.254/24

Verify
=============================================
show vrrp
show vrrp summary

clear vrrp master interface eth1 group 12
./VRRP (CLI)
file./Site-to-Site VPN (CLI)/Quick Configs Ubiquiti - Slide.png./Site-to-Site VPN (CLI)
file./Site-to-Site VPN (CLI)/Config.txt
Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 
 set tunnel 1 esp-group ESP
 set tunnel 1 local prefix 10.0.0.0/24
 set tunnel 1 remote prefix 172.16.0.0/24

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VPN (CLI)
file./Site-to-Site VPN (CLI)/Cisco VPN Config.txt
Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto Map VPN
================================================
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel
 
crypto map CMAP 10 ipsec-isakmp 
 set peer 2.0.0.1
 set transform-set TS 
 match address VPN
 set security-association lifetime seconds 3600

ip access-list extended VPN 
 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255

int g0/0 
 crypto map CMAP

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./Site-to-Site VPN (CLI)
file./WAN Management & Firewalls/Quick Configs Ubiquiti - Slide.png./WAN Management & Firewalls
file./WAN Management & Firewalls/Config.txt
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
WAN Management Filter
==========================================
edit firewall name MGMT
 set default-action drop
 set description 'Limit Management Access'
 set rule 1 action accept
 set rule 1 description SSH_9222
 set rule 1 destination port 9222
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 source address 100.0.0.1
  
 set rule 2 action accept
 set rule 2 description HTTPS_9443
 set rule 2 destination port 9443
 set rule 2 log disable
 set rule 2 protocol tcp
 set rule 2 source address 100.0.0.1

Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name MGMT
 
edit service
 set gui listen-address 2.0.0.1
 set gui listen-address 10.0.0.1
 set gui https-port 9443
 set ssh listen-address 2.0.0.1
 set ssh listen-address 10.0.0.1
 set ssh port 9222
./WAN Management & Firewalls
file./OSPF Route Redistribution with Route-Maps (CLI)/Quick Configs Ubiquiti - Slide.png./OSPF Route Redistribution with Route-Maps (CLI)
file./OSPF Route Redistribution with Route-Maps (CLI)/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf network point-to-point
 no shutdown
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.12
 set interface fe-0/0/0.0 interface-type p2p
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Route Redistribution with Route-Maps (CLI)
file./OSPF Route Redistribution with Route-Maps (CLI)/Config.txt
Route-Maps & Prefix-Lists
====================================
edit policy prefix-list LOOPBACKS
 set rule 1 prefix 11.0.0.0/22
 set rule 1 ge 24
 set rule 1 le 24
 set rule 1 action permit

edit policy route-map OSPF 
 set rule 1 match ip address prefix-list LOOPBACKS
 set rule 1 action permit
 
edit protocols ospf
 set redistribute connected route-map OSPF
 set redistribute connected metric-type 2
./OSPF Route Redistribution with Route-Maps (CLI)
file./Multiple-IP Destination NAT/Quick Configs Ubiquiti - Slide.png./Multiple-IP Destination NAT
file./Multiple-IP Destination NAT/Config.txt
Basic Configuration
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth0 description WAN

 set ethernet eth1 address 10.0.0.1/24
 set ethernet eth1 description LAN

Destination NAT Rules
==================================================
edit service nat
 set rule 1 description HTTP_100
 set rule 1 inside-address address 10.0.0.100
 set rule 1 inside-address port 80
 set rule 1 destination address 2.0.0.100
 set rule 1 destination port 80
 set rule 1 inbound-interface eth0
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 type destination

 set rule 2 description HTTP_1
 set rule 2 inside-address address 10.0.0.100
 set rule 2 inside-address port 80
 set rule 2 destination address 2.0.0.1
 set rule 2 destination port 80
 set rule 2 inbound-interface eth0
 set rule 2 log disable
 set rule 2 protocol tcp
 set rule 2 type destination

Assign Multiple IPs to External Interface
==================================================
edit interfaces ethernet eth0
 set address 2.0.0.100/24
./Multiple-IP Destination NAT
file./Basic Interface Bridging (CLI)/Quick Configs Ubiquiti - Slide.png./Basic Interface Bridging (CLI)
file./Basic Interface Bridging (CLI)/Config.txt
Bridge Interface
==================================================
edit interfaces
 set bridge br0 address 10.0.0.1/24
 set bridge br0 stp false
 set bridge br0 description BRIDGEDLAN
 
 set ethernet eth1 bridge-group bridge br0
 set ethernet eth1 description BRIDGEDLAN

 set ethernet eth2 bridge-group bridge br0
 set ethernet eth2 description BRIDGEDLAN

 set ethernet eth0 address 2.0.0.1/30
 set ethernet eth0 description WAN
 
DHCP Services
==================================================
edit service dhcp-server shared-network-name BRIDGEDLAN
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 8.8.8.8
 set subnet 10.0.0.0/24 lease 28800
 
set service dns forwarding listen-on br0
set service dns forwarding name-server 8.8.8.8
./Basic Interface Bridging (CLI)
file./RIP Routing over VTI VPN/Quick Configs Ubiquiti - Slide.png./RIP Routing over VTI VPN
file./RIP Routing over VTI VPN/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 set vti bind vti0
 set vti esp-group FOO0

RIP
==================================================
edit protocols rip
 set interface vti0
 set network 10.0.0.0/24
 set neighbor 12.0.0.1
 
Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./RIP Routing over VTI VPN
file./RIP Routing over VTI VPN/Cisco VPN Config.txt
Default Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto VPN
================================================
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel

crypto ipsec profile IPSEC
 set transform-set TS  
 set security-association lifetime seconds 3600

VTI Interface
================================================== 
interface tun0
 ip add 12.0.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1
 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 
RIP
==================================================
router rip
 version 2
 no auto-summary
 network 12.0.0.0 
 network 172.16.0.0 
 neighbor 12.0.0.2

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./RIP Routing over VTI VPN
file./OSPF Neighbor Authentication/Quick Configs Ubiquiti - Slide.png./OSPF Neighbor Authentication
file./OSPF Neighbor Authentication/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf message-digest-key 1 md5 ubnt
 ip ospf authentication message-digest
 no shutdown

int lo1
 ip address 13.0.1.1 255.255.255.0
 ip ospf network point-to-point
int lo2
 ip address 13.0.2.1 255.255.255.0
 ip ospf network point-to-point
int lo3
 ip address 13.0.3.1 255.255.255.0
 ip ospf network point-to-point
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 network 13.0.0.0 0.0.3.255 area 0
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.0 
 set interface fe-0/0/0.0 interface-type p2p
 set interface fe-0/0/0.0 authentication simple-password ubnt
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Neighbor Authentication
file./OSPF Neighbor Authentication/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX
 
edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set description TO_CISCO
 
Advertise Networks
====================================
edit protocols ospf
 set area 0 network 10.0.12.0/24
 set area 0 network 10.0.13.0/30
 set parameters router-id 1.1.1.1
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
 
Interface Authentication
====================================
edit interfaces ethernet eth1 ip ospf
 set authentication plaintext-password ubnt
 
edit interfaces ethernet eth2 ip ospf
 set authentication md5 key-id 1 md5-key ubnt
 
Area Authentication
====================================
edit protocols ospf area 0
 set authentication md5
./OSPF Neighbor Authentication
file./Firewall Rules, Guest VLAN & VIF (CLI)/Quick Configs Ubiquiti - Slide.png./Firewall Rules, Guest VLAN & VIF (CLI)
file./Firewall Rules, Guest VLAN & VIF (CLI)/Config.txt
Virtual Interfaces (VIF)
==================================================
edit interfaces 
 set ethernet eth1 vif 10 address 10.0.0.1/24
 set ethernet eth1 vif 172 address 172.16.0.1/24

GUEST_TO_LAN Firewall Policy
==========================================
edit firewall group network-group LAN
 set network 192.168.0.0/16
 set network 172.16.0.0/12
 set network 10.0.0.0/8
 
edit firewall name GUEST_TO_LAN 
 set default-action accept
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

 set rule 2 action drop
 set rule 2 description "Network Group"
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 destination group network-group LAN

GUEST_TO_LOCAL Firewall Policy
==========================================
edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description DNS
 set rule 1 log disable
 set rule 1 protocol tcp_udp
 set rule 1 destination port 53

 set rule 2 action accept
 set rule 2 description DHCP
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 destination port 67

 set rule 3 action accept
 set rule 3 description Established
 set rule 3 log disable
 set rule 3 protocol all
 set rule 3 state established enable
 set rule 3 state related enable 
 
Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 
edit interfaces ethernet eth1 vif 172
 set firewall in name GUEST_TO_LAN 
 set firewall local name GUEST_TO_LOCAL
 
Misc Settings
==================================================
edit service dhcp-server shared-network-name GUEST 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800

edit service dhcp-server shared-network-name LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800 
 
set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.172
set service dns forwarding name-server 8.8.8.8
./Firewall Rules, Guest VLAN & VIF (CLI)
file./Site-to-Site VPN to Cisco (CLI)/Quick Configs Ubiquiti - Slide.png./Site-to-Site VPN to Cisco (CLI)
file./Site-to-Site VPN to Cisco (CLI)/Config.txt
Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 
 set tunnel 1 esp-group ESP
 set tunnel 1 local prefix 10.0.0.0/24
 set tunnel 1 remote prefix 172.16.0.0/24

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VPN to Cisco (CLI)
file./Site-to-Site VPN to Cisco (CLI)/Cisco VPN Config.txt
Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto Map VPN
================================================
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel
 
crypto map CMAP 10 ipsec-isakmp 
 set peer 2.0.0.1
 set transform-set TS 
 match address VPN
 set security-association lifetime seconds 3600

ip access-list extended VPN 
 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255

int g0/0 
 crypto map CMAP

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./Site-to-Site VPN to Cisco (CLI)
file./Firewall Rules & Guest Network/Quick Configs Ubiquiti - Slide.png./Firewall Rules & Guest Network
file./Firewall Rules & Guest Network/Config.txt
GUEST_TO_LAN Firewall Policy
==========================================
edit firewall group network-group LAN
 set network 192.168.0.0/16
 set network 172.16.0.0/12
 set network 10.0.0.0/8

edit firewall name GUEST_TO_LAN 
 set default-action accept
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

 set rule 2 action drop
 set rule 2 description "Network Group"
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 destination group network-group LAN

GUEST_TO_LOCAL Firewall Policy
==========================================
edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
 set rule 2 action accept
 set rule 2 description DNS
 set rule 2 log disable
 set rule 2 protocol tcp_udp
 set rule 2 destination port 53

 set rule 3 action accept
 set rule 3 description DHCP
 set rule 3 log disable
 set rule 3 protocol udp
 set rule 3 destination port 67

Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name WAN_TO_LAN

edit interfaces ethernet eth2
 set address 172.16.0.1/24
 set firewall in name GUEST_TO_LAN 
 set firewall local name GUEST_TO_LOCAL
 
Misc Settings
==================================================
edit service dhcp-server shared-network-name GUEST 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800

edit service dhcp-server shared-network-name LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800 

set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding name-server 8.8.8.8
./Firewall Rules & Guest Network
file./VLANs & Virtual Interfaces (VIF)/Quick Configs Ubiquiti - Slide.png./VLANs & Virtual Interfaces (VIF)
file./VLANs & Virtual Interfaces (VIF)/Config.txt
Virtual Interfaces (VIF)
==================================================
edit interfaces 
 set ethernet eth1 vif 10 address 10.0.0.1/24
 set ethernet eth1 vif 172 address 172.16.0.1/24

Misc Settings
==================================================
set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.172
set service dns forwarding name-server 8.8.8.8

edit service dhcp-server shared-network-name 10_LAN 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.150
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 lease 28800
 
edit service dhcp-server shared-network-name 172_LAN 
 set subnet 172.16.0.0/24 default-router 172.16.0.1
 set subnet 172.16.0.0/24 start 172.16.0.10 stop 172.16.0.150
 set subnet 172.16.0.0/24 dns-server 172.16.0.1
 set subnet 172.16.0.0/24 lease 28800 
./VLANs & Virtual Interfaces (VIF)
file./EdgeRouter-X Passhrough (Passive) PoE/Slide2.PNG./EdgeRouter-X Passhrough (Passive) PoE
file./EdgeRouter-X Passhrough (Passive) PoE/Slide3.PNG./EdgeRouter-X Passhrough (Passive) PoE
file./EdgeRouter-X Passhrough (Passive) PoE/Configuration.txt
Passthrough PoE
!-------------!
edit interfaces ethernet eth4 
 set poe output pthru
 top ; commit
 
PoE Watchdog
!----------!
edit interfaces ethernet eth4 
 set poe watchdog address 192.168.1.x
 set poe watchdog failure-count 3
 set poe watchdog interval 15
 set poe watchdog off-delay 5
 set poe watchdog start-delay 300
 top ; commit
 
show interfaces ethernet poe watchdog
./EdgeRouter-X Passhrough (Passive) PoE
file./EdgeRouter-X Passhrough (Passive) PoE/Slide1.PNG./EdgeRouter-X Passhrough (Passive) PoE
file./NTP & Time Zones (CLI)/Quick Configs Ubiquiti - Slide.png./NTP & Time Zones (CLI)
file./NTP & Time Zones (CLI)/Config.txt
Manual Time and Date
=======================================
Format = MMDDhhmmYYYY.ss

set date 08271445082016.00

NTP & Timezones
=======================================
edit system 
 delete ntp server 0.ubnt.pool.ntp.org 
 delete ntp server 1.ubnt.pool.ntp.org 
 delete ntp server 2.ubnt.pool.ntp.org 
 delete ntp server 3.ubnt.pool.ntp.org 
 set ntp server nl.pool.ntp.org
 
 set time-zone Europe/Amsterdam

set date ntp
show date
show system uptime

show ntp nl.pool.ntp.org
show ntp
./NTP & Time Zones (CLI)
file./UAP with Guest WLAN & VLAN Trunks (VIF)/Slide.PNG./UAP with Guest WLAN & VLAN Trunks (VIF)
file./UAP with Guest WLAN & VLAN Trunks (VIF)/Configuration.txt
Temporary Management Connection (Optional)
!----------------------------------------!
delete interfaces switch switch0 switch-port interface eth3
set interfaces ethernet eth3 address 172.16.0.1/24

#On PC, configure static IP:
Address	: 172.16.0.10
Mask	: 255.255.255.0
Gateway	: -

#Patch into Eth3 and navigate to:
https://172.16.0.1

VIF & PVID Interfaces
!-------------------!
edit interfaces switch switch0
 delete address 192.168.1.1/24
 set vif 1 address 192.168.1.1/24
 set vif 10 address 10.0.0.1/24
 set switch-port interface eth1 vlan pvid 1
 set switch-port interface eth2 vlan pvid 1
 set switch-port interface eth4 vlan pvid 1
 set switch-port interface eth4 vlan vid 10
 set switch-port vlan-aware enable
 set mtu 1500
 
 top 
 
set interfaces ethernet eth4 poe output pthru  

#After config you can patch back into Eth1  
#Set PC back to DHCP and remove Eth3 config

delete interfaces ethernet eth3 address 172.16.0.1/24
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1

GUEST_TO_LAN Firewall Policy
!--------------------------!
edit firewall group network-group LAN
 set network 192.168.0.0/16
 set network 172.16.0.0/12
 set network 10.0.0.0/8

top 
 
edit firewall name GUEST_TO_LAN 
 set default-action accept
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable

 set rule 2 action drop
 set rule 2 description LAN_RANGES
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 destination group network-group LAN

GUEST_TO_LOCAL Firewall Policy
!----------------------------!
edit firewall name GUEST_TO_LOCAL
 set default-action drop
 
 set rule 1 action accept
 set rule 1 description DNS
 set rule 1 log disable
 set rule 1 protocol tcp_udp
 set rule 1 destination port 53

 set rule 2 action accept
 set rule 2 description DHCP
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 destination port 67

 set rule 3 action accept
 set rule 3 description Established
 set rule 3 log disable
 set rule 3 protocol all
 set rule 3 state established enable
 set rule 3 state related enable 
 
WAN_TO_LAN Firewall Policy
!------------------------!
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
Apply Policies to Interfaces 
!--------------------------!
edit interfaces switch switch0 
 set vif 10 firewall in name GUEST_TO_LAN 
 set vif 10 firewall local name GUEST_TO_LOCAL
 
DHCP Settings
!-----------!
edit service dhcp-server shared-network-name GUEST 
 set subnet 10.0.0.0/24 default-router 10.0.0.1
 set subnet 10.0.0.0/24 dns-server 10.0.0.1
 set subnet 10.0.0.0/24 start 10.0.0.10 stop 10.0.0.50
 set subnet 10.0.0.0/24 lease 86400
 
edit service dhcp-server shared-network-name LAN 
 set subnet 192.168.1.0/24 default-router 192.168.1.1
 set subnet 192.168.1.0/24 dns-server 192.168.1.1
 set subnet 192.168.1.0/24 start 192.168.1.38 stop 192.168.1.243
 set subnet 192.168.1.0/24 lease 86400
 
DNS Forwarding
!------------!
edit service dns
 set forwarding listen-on switch0.1
 set forwarding listen-on switch0.10
 set forwarding cache-size 150
 set forwarding name-server 8.8.8.8
 
UniFi Configuration
!-----------------!
#Either use the startup wizard (after install) or configure the WLANs manually
Settings > Wireless Networks > WLAN Group Default > Create New WLAN
Name/SSID : GUEST 
Security  : Open or WPA
Policy    : Check or Uncheck 'Apply Guest Policies'
VLAN	  : Use VLAN with VLAN-id 10

#If you want the EdgeRouter to handle the policies (firewall rules), uncheck this
#If you leave this checked, then you don't need the GUEST_TO_LAN and GUEST_TO_LOCAL policies above
 
Name/SSID : LAN 
Security  : WPA
VLAN	  : No VLAN-id

#Management traffic from UAPs is always untagged
#In this case untagged traffic is put in VLAN 1 using the PVID (Native VLAN)

#(Optional) Disable DHCP server on Controller
Settings > Networks > LAN > Uncheck 'Enable DHCP Server' (USG)
./UAP with Guest WLAN & VLAN Trunks (VIF)
file./Script EdgeOS Operational Mode Commands/Configuration.txt
Create Basic Script
!-----------------!
sudo vi /config/scripts/dhcp
#!/bin/bash
# Cycle the DHCP lease on eth0 via the EdgeOS operational-mode command
# wrapper, then print the interface table and run a connectivity ping.
op_cmd=/opt/vyatta/bin/vyatta-op-cmd-wrapper

# Drop and re-request the eth0 lease.
"$op_cmd" release dhcp interface eth0
"$op_cmd" renew dhcp interface eth0

# Wait 10 seconds before the checks (presumably so the new lease is in place).
/bin/sleep 10

# Post-renew checks: interface state, then reachability of an external host.
"$op_cmd" show interfaces
"$op_cmd" ping www.youtube.com

#Make script executable
chmod +x /config/scripts/dhcp

#Verify script
cat /config/scripts/dhcp

#Run script
/config/scripts/dhcp
./Script EdgeOS Operational Mode Commands
file./Layer 2 Tunneling Protocol (L2TP) (CLI)/Quick Configs Ubiquiti - Slide.png./Layer 2 Tunneling Protocol (L2TP) (CLI)
file./Layer 2 Tunneling Protocol (L2TP) (CLI)/Windows Routes.txt
Windows L2TP Settings
==================================================
Allow these protocols -> MS-CHAP v2

Add route to Windows
==================================================
1. route print -4
2. determine PPTP vpn interface ID (32 in my case)
3. route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32

Optionally create a batch (.bat) file
==================================================
rasdial Edgerouter vpnbpin Pa$$w0rd
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32
./Layer 2 Tunneling Protocol (L2TP) (CLI)
file./Layer 2 Tunneling Protocol (L2TP) (CLI)/EdgerouterL2TP.bat
REM Dial the "Edgerouter" RAS phonebook entry as user vpnbpin; the password is
REM given as a plaintext command-line argument here.
rasdial Edgerouter vpnbpin Pa$$w0rd
REM Route 10.0.0.0/24 via the VPN interface. Interface index 32 is specific to
REM the host this was written on - confirm it with "route print -4" first.
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32
./Layer 2 Tunneling Protocol (L2TP) (CLI)
file./Layer 2 Tunneling Protocol (L2TP) (CLI)/Config.txt
L2TP
==================================================
edit vpn
 set ipsec ipsec-interfaces interface eth0
 set ipsec nat-networks allowed-network 0.0.0.0/0
 set l2tp remote-access authentication mode local
 set l2tp remote-access authentication local-users username vpnbpin password Pa$$w0rd
 set l2tp remote-access client-ip-pool start 172.16.0.200
 set l2tp remote-access client-ip-pool stop 172.16.0.220
 set l2tp remote-access ipsec-settings authentication mode pre-shared-secret
 set l2tp remote-access ipsec-settings authentication pre-shared-secret Pa$$w0rd
 set l2tp remote-access ipsec-settings ike-lifetime 3600
 set l2tp remote-access outside-address 2.0.0.1
 set l2tp remote-access mtu 1450
 
Firewall Rule L2TP
==========================================
edit firewall name VPN
 set default-action drop
 set rule 1 action accept
 set rule 1 description IKE
 set rule 1 destination port 500
 set rule 1 log disable
 set rule 1 protocol udp
 set rule 1 source address 100.0.0.1
  
 set rule 2 action accept
 set rule 2 description L2TP
 set rule 2 destination port 1701
 set rule 2 log disable
 set rule 2 protocol udp
 set rule 2 source address 100.0.0.1

 set rule 3 action accept
 set rule 3 description ESP
 set rule 3 log disable
 set rule 3 protocol esp
 set rule 3 source address 100.0.0.1
 
 set rule 4 action accept
 set rule 4 description SSH
 set rule 4 destination port 22
 set rule 4 log disable
 set rule 4 protocol tcp
 set rule 4 source address 100.0.0.1

 set rule 5 action accept
 set rule 5 description HTTPS
 set rule 5 destination port 443
 set rule 5 log disable
 set rule 5 protocol tcp
 set rule 5 source address 100.0.0.1 

Default WAN_TO_LAN Rule
==========================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable 
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
 set firewall local name VPN
 
Verify
==================================================
show vpn remote-access 
show vpn ipsec sa
show vpn log
./Layer 2 Tunneling Protocol (L2TP) (CLI)
file./Site-to-Site VTI VPN to Cisco/Quick Configs Ubiquiti - Slide.png./Site-to-Site VTI VPN to Cisco
file./Site-to-Site VTI VPN to Cisco/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
edit protocols static 
 set route 172.16.0.0/24 next-hop 12.0.0.1 
 set interface-route 172.16.0.0/24 next-hop-interface vti0
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group FOO0 lifetime 28800 
 set ike-group FOO0 proposal 1 dh-group 14
 set ike-group FOO0 proposal 1 encryption aes128
 set ike-group FOO0 proposal 1 hash md5

 set esp-group FOO0 lifetime 3600
 set esp-group FOO0 proposal 1 encryption aes128
 set esp-group FOO0 proposal 1 hash md5
 
 set esp-group FOO0 mode tunnel
 set esp-group FOO0 pfs disable
  
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group FOO0
 set vti bind vti0
 set vti esp-group FOO0

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VTI VPN to Cisco
file./Site-to-Site VTI VPN to Cisco/Cisco VPN Config.txt
Default Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto VPN
================================================
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel

crypto ipsec profile IPSEC
 set transform-set TS  
 set security-association lifetime seconds 3600

VTI Interface
================================================== 
interface tun0
 ip add 12.0.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1
 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 
ip route 10.0.0.0 255.255.255.0 12.0.0.2

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./Site-to-Site VTI VPN to Cisco
file./Basic Smart Queue Quality of Service (QoS)/Slide.PNG./Basic Smart Queue Quality of Service (QoS)
file./Basic Smart Queue Quality of Service (QoS)/Configuration.txt
Basic WAN Limit Smart Queue QoS
|-----------------------------|
edit traffic-control smart-queue SHAPER
 set wan-interface eth0
 set upload rate 420kbit
 set download rate 5.2mbit
./Basic Smart Queue Quality of Service (QoS)
file./RIP Routing over VTI VPN (CLI)/Quick Configs Ubiquiti - Slide.png./RIP Routing over VTI VPN (CLI)
file./RIP Routing over VTI VPN (CLI)/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
VPN Tunnel
==================================================
edit vpn ipsec 
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 set esp-group ESP pfs disable
  
edit site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 set vti bind vti0
 set vti esp-group ESP

RIP
==================================================
edit protocols rip
 set interface vti0
 set network 10.0.0.0/24
 set neighbor 12.0.0.1
 
Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa

show ip rip interface 
show ip rip
./RIP Routing over VTI VPN (CLI)
file./RIP Routing over VTI VPN (CLI)/Cisco VPN Config.txt
Default Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto VPN
================================================
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel

crypto ipsec profile IPSEC
 set transform-set TS  
 set security-association lifetime seconds 3600

VTI Interface
================================================== 
interface tun0
 ip add 12.0.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1
 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 
RIP
==================================================
router rip
 version 2
 no auto-summary
 network 12.0.0.0 
 network 172.16.0.0 
 neighbor 12.0.0.2

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp

show ip protocols
show ip rip database
./RIP Routing over VTI VPN (CLI)
file./Adding Linux Packages to EdgeOS/Configuration.txt
Add Wheezy Repository
!-------------------!
# Debian 7 (wheezy) is end-of-life: packages installed from it receive no security fixes,
# and the release has been moved off the primary mirrors to archive.debian.org, so this URL
# likely no longer serves it — confirm before relying on it. Plain http is tolerable only
# because apt verifies the signed Release file; check that 'apt-get update' reports no
# missing or expired keys.
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy 
set system package repository wheezy url http://http.us.debian.org/debian

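#Update Sources
sudo apt-get update

#See installed packages
sudo dpkg -l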
./Adding Linux Packages to EdgeOS
file./Speed Testing (Bandwidth) with the Bandwidth Tool/Slide.PNG./Speed Testing (Bandwidth) with the Bandwidth Tool
file./Speed Testing (Bandwidth) with the Bandwidth Tool/Configuration.txt
iPerf3 Server (Receiver)
!---------------------!
-s = Run in server mode
-p = Port (5201 by default)
-f = Format
	 k - Kbits
	 m - Mbits
	 K - Kytes
	 M - MBytes

#Run default	 
iperf3 -s -f m

#Listen on port 5555
iperf3 -s -p 5555 -f m

iPerf3 Client (Sender)
!-------------------!
-c = Run in client mode and specify remote ip
-p = Port (5201 by default)
-f = Format
	 k - Kbits
	 m - Mbits
	 K - Kytes
	 M - MBytes
-P = Number of parallel streams (TCP only)
-u = Test with UDP instead of TCP
-i = Interval (1 second is default)
-t = Testing time (default is 10)

#Run default
iperf3 -c 192.168.1.1 -f m

#Run 5 parallel streams on port 5555
iperf3 -c 192.168.1.1 -f m -p 5555 -P 5

#Run UDP for 10 seconds with 2 second interval
iPerf3 -c 192.168.1.1 -f m -u -i 2 -t 10
./Speed Testing (Bandwidth) with the Bandwidth Tool
file./OSPF Multiple Area Setup (CLI)/Quick Configs Ubiquiti - Slide.png./OSPF Multiple Area Setup (CLI)
file./OSPF Multiple Area Setup (CLI)/Cisco & Juniper Config.txt
Cisco Config
============================================
interface gi0/0 
 ip address 10.0.13.3 255.255.255.0
 ip ospf network point-to-point
 no shutdown

int lo1
 ip address 13.0.1.1 255.255.255.0
 ip ospf network point-to-point
int lo2
 ip address 13.0.2.1 255.255.255.0
 ip ospf network point-to-point
int lo3
 ip address 13.0.3.1 255.255.255.0
 ip ospf network point-to-point
 
router ospf 1
 router-id 3.3.3.3
 network 10.0.13.0 0.0.0.255 area 0
 network 13.0.0.0 0.0.3.255 area 13
 passive-interface default
 no passive-interface gi0/0

SRX Config
============================================
set interfaces fe-0/0/0 unit 0 family inet address 10.0.12.2/30

set routing-options router-id 2.2.2.2

edit protocols ospf area 0.0.0.12
 set interface fe-0/0/0.0 interface-type p2p
edit security zones security-zone trust
 set interface fe-0/0/0.0
 set host-inbound-traffic protocols ospf
./OSPF Multiple Area Setup (CLI)
file./OSPF Multiple Area Setup (CLI)/Config.txt
Enable Interfaces for OSPF
====================================
edit interfaces ethernet eth1
 set address 10.0.12.1/30
 set ip ospf network point-to-point
 set description TO_SRX
 
edit interfaces ethernet eth2
 set address 10.0.13.1/24
 set ip ospf network point-to-point
 set description TO_CISCO
 
Advertise Networks
====================================
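edit protocols ospf
 # Network statements carry the same prefix length as the interface they enable:
 # eth1 is 10.0.12.1/30 (area 12, towards the SRX), eth2 is 10.0.13.1/24 (area 0, towards
 # the Cisco, which uses 'network 10.0.13.0 0.0.0.255 area 0'). A /24 on the area-12 side
 # would also sweep any other 10.0.12.x interface into that area.
 set area 12 network 10.0.12.0/30
 set area 0 network 10.0.13.0/24
 set parameters router-id 1.1.1.1
 # Only eth1 and eth2 form adjacencies; every other interface stays passive.
 set passive-interface default
 set passive-interface-exclude eth1
 set passive-interface-exclude eth2
 # No OSPF authentication is configured on either link. If it is added under the interface
 # ('ip ospf authentication ...'), the SRX and Cisco peers need the matching setting.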
./OSPF Multiple Area Setup (CLI)
file./First Setup & Getting Started/Quick Configs Ubiquiti - Slide.png./First Setup & Getting Started
file./First Setup & Getting Started/Config.txt
Default Login
==================================================
Username: ubnt
Password: ubnt

Configuration Steps
==================================================
1. Setup admin username and password
2. Configure default gateway (GW) and name servers (DNS) 
3. Configure optional system settings
4. Setup dynamic IP (DHCP) services and interfaces
5. Configure source NAT using masquerade (PAT)
6. Configure firewall
7. Associate IP addresses to WAN and LAN interfaces using DHCP or static addresses
8. Apply the firewall rule-set to the WAN interface (in and local directions)

Step 1, 2 & 3
==================================================
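configure
edit system
 set gateway-address 2.0.0.2
 set host-name EdgeRouter
 set login user bpin level admin
 # plaintext-password is converted to a hashed encrypted-password at commit, but the
 # clear-text value is echoed in the session and shell history; use a strong unique
 # password rather than Pa$$w0rd.
 set login user bpin authentication plaintext-password Pa$$w0rd
 set name-server 8.8.8.8
 set name-server 8.8.4.4
 set time-zone Europe/Amsterdam
 # Remove the factory ubnt/ubnt account in the same commit as the new admin; otherwise
 # the default credentials stay valid alongside bpin (the CLI variant of this guide does this).
 delete login user ubnt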

Step 4
==================================================
set interfaces ethernet eth1 address 2.0.0.1/30
# eth1 is the WAN here (default gateway 2.0.0.2). No interface in this snippet carries
# 192.168.1.1/24; the DHCP scope below needs a LAN interface in that subnet — confirm
# which port (eth0 / switch0) is intended.

edit service dhcp-server shared-network-name LOCAL 
 set subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.150
 set subnet 192.168.1.0/24 default-router 192.168.1.1
 # Handing out the router as resolver only works if 'service dns forwarding' is enabled
 # for the LAN interface (not configured in this guide); the CLI variant hands out
 # 8.8.8.8 / 8.8.4.4 directly instead.
 set subnet 192.168.1.0/24 dns-server 192.168.1.1

Step 5
==================================================
edit service nat rule 5000
 set description "MASQUERADE"
 set log disable
 set outbound-interface eth1
 set protocol all
 set type masquerade

Step 6
==================================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state related enable
 
Step 7 & 8
================================================== 
edit interfaces ethernet eth1
 set firewall in name WAN_TO_LAN
 set firewall local name WAN_TO_LAN
./First Setup & Getting Started
file./Site-to-Site VTI VPN to Cisco (CLI)/Quick Configs Ubiquiti - Slide.png./Site-to-Site VTI VPN to Cisco (CLI)
file./Site-to-Site VTI VPN to Cisco (CLI)/Config.txt
Default Interfaces
==================================================
edit interfaces
 set ethernet eth0 address 2.0.0.1/24
 set ethernet eth1 address 10.0.0.1/24

set protocols static route 0.0.0.0/0 next-hop 2.0.0.2 
 
VTI Interface
==================================================
set interfaces vti vti0 address 12.0.0.2/30 
set interfaces vti vti0 mtu 1400
 
edit protocols static 
 set route 172.16.0.0/24 next-hop 12.0.0.1 
 set interface-route 172.16.0.0/24 next-hop-interface vti0
 
VPN Tunnel
==================================================
edit vpn ipsec 
 # md5 is deprecated for IKE/ESP integrity. Prefer 'hash sha256' in both proposals below
 # (firmware permitting), changed in lockstep with the Cisco side ('hash sha256' in the
 # isakmp policy, 'esp-sha256-hmac' in the transform-set): a one-sided change breaks the tunnel.
 set ike-group IKE lifetime 28800 
 set ike-group IKE proposal 1 dh-group 14
 set ike-group IKE proposal 1 encryption aes128
 set ike-group IKE proposal 1 hash md5

 set esp-group ESP lifetime 3600
 set esp-group ESP proposal 1 encryption aes128
 set esp-group ESP proposal 1 hash md5
 
 set esp-group ESP mode tunnel
 # Without PFS, recovery of the IKE keying material exposes every ESP SA derived from it.
 # 'pfs dh-group14' here has to be paired with 'set pfs group14' in the Cisco ipsec profile.
 set esp-group ESP pfs disable
  
# 'edit' is relative to the current edit level: this full path works from 'top', but typed
# while still inside 'edit vpn ipsec' above it would fail — run 'top' first, or use
# 'edit site-to-site peer 1.0.0.1' as the RIP-over-VTI variant does.
edit vpn ipsec site-to-site peer 1.0.0.1
 set authentication mode pre-shared-secret 
 # The PSK is written to config.boot exactly as typed. Use a long random string rather than
 # a dictionary-style value, and do not reuse it across peers.
 set authentication pre-shared-secret Pa$$w0rd
 set description IPsecVPN
 set connection-type initiate
 set local-address 2.0.0.1
 set ike-group IKE
 set vti bind vti0
 set vti esp-group ESP

Verify 
==================================================
show vpn log
show vpn ipsec policy 
show vpn ipsec status
show vpn ipsec sa
./Site-to-Site VTI VPN to Cisco (CLI)
file./Site-to-Site VTI VPN to Cisco (CLI)/Cisco VPN Config.txt
Default Interfaces
==================================================
interface gi0/0
 ip address 1.0.0.1 255.255.255.0
 no shutdown
interface gi1/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 
ip route 0.0.0.0 0.0.0.0 1.0.0.2
 
Crypto VPN
================================================
crypto isakmp policy 10
 encr aes
 ! md5 is deprecated; use 'hash sha256' (and esp-sha256-hmac in the transform-set) on IOS
 ! releases that offer it, together with the matching change in the EdgeRouter ike-group
 ! and esp-group proposals. Both ends must move at the same time.
 hash md5
 authentication pre-share
 group 14
 lifetime 28800
 
! Stored as a type-0 (clear-text) key in the running-config. Enable
! 'key config-key password-encrypt <master>' and 'password encryption aes' so it is kept
! as a type-6 key instead, and use a long random secret rather than Pa$$w0rd.
crypto isakmp key Pa$$w0rd address 2.0.0.1        

crypto ipsec transform-set TS esp-aes esp-md5-hmac 
 mode tunnel

crypto ipsec profile IPSEC
 set transform-set TS  
 set security-association lifetime seconds 3600
 ! No 'set pfs' here, matching 'pfs disable' on the EdgeRouter. 'set pfs group14' pairs with
 ! 'esp-group ESP pfs dh-group14' on the other side if PFS is turned on.

VTI Interface
================================================== 
interface tun0
 ip add 12.0.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1
 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 
ip route 10.0.0.0 255.255.255.0 12.0.0.2

Verify 
==================================================
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

debug crypto isakmp
./Site-to-Site VTI VPN to Cisco (CLI)
file./EdgeRouter-X & UAP-AC-Lite Setup/Configuration Steps.txt
Configuration Steps Part #1
!-------------------------!
Power EdgeRouter-X using provided 12V power brick
Attach computer to Eth0 interface using standard (cat5e / cat6) UTP cable
Attach UAP-AC-LITE to Eth4 interface using standard (cat5e / cat6) UTP cable
Assign a static IP address to your PCs ethernet adapter
Open browser and navigate to http://192.168.1.1
Complete the basic wizard and reboot the device

Configuration Steps Part #2
!-------------------------!
After reboot, remove static IP address from your PCs ethernet adapter > DHCP
Unplug PC from Eth0 and re-attach to Eth1, Eth2 or Eth3 interface
Attach your Modem’s LAN interface to the ‘LAN’ port on the PoE-Injector
Attach the PoE-Injector ‘PoE’ port to the Eth0 interface of the EdgeRouter-X
Unplug the 12V power brick, the EdgeRouter will remain powered

Verify PCs IP address now given through DHCP
Open browser and navigate to http://192.168.1.1
Enable HWNAT Offloading through webpage or CLI
Reboot the EdgeRouter-X 

Enable passthrough PoE on the Eth4 interface, the UAP will now come online
Verify presence of UAP-AC-LITE using the ‘UBNT Device Discovery Tool’
Install controller on desired location and adopt UAP
./EdgeRouter-X & UAP-AC-Lite Setup
file./EdgeRouter-X & UAP-AC-Lite Setup/Slide2.PNG./EdgeRouter-X & UAP-AC-Lite Setup
file./EdgeRouter-X & UAP-AC-Lite Setup/Slide3.png./EdgeRouter-X & UAP-AC-Lite Setup
file./EdgeRouter-X & UAP-AC-Lite Setup/Image2.jpg./EdgeRouter-X & UAP-AC-Lite Setup
file./EdgeRouter-X & UAP-AC-Lite Setup/Configuration.txt
Hardware Offloading
!-----------------!
configure
set system offload hwnat enable

commit
save 
exit

reboot

show ubnt offload

Reset to Factory Defaults
!-----------------------!
# Reboot afterwards for the default config to take effect. The device comes back with the
# factory ubnt/ubnt login — change it before reconnecting anything untrusted.
cp /opt/vyatta/etc/config.boot.default /config/config.boot
./EdgeRouter-X & UAP-AC-Lite Setup
file./EdgeRouter-X & UAP-AC-Lite Setup/Image1.jpg./EdgeRouter-X & UAP-AC-Lite Setup
file./EdgeRouter-X & UAP-AC-Lite Setup/Slide1.PNG./EdgeRouter-X & UAP-AC-Lite Setup
file./First Setup & Getting Started (CLI)/Quick Configs Ubiquiti - Slide.png./First Setup & Getting Started (CLI)
file./First Setup & Getting Started (CLI)/Config.txt
Default Login
==================================================
Username: ubnt
Password: ubnt

Configuration Steps
==================================================
1. Setup admin username and password
2. Configure default gateway (GW) and name servers (DNS) 
3. Configure optional system settings
4. Setup dynamic IP (DHCP) services and interfaces
5. Configure source NAT using masquerade (PAT)
6. Configure firewall
7. Associate IP addresses to WAN and LAN interfaces using DHCP or static addresses
8. Apply the firewall rule-set to the WAN interface (in and local directions)

Step 1, 2 & 3
==================================================
configure
edit system
 set gateway-address 2.0.0.2
 set host-name EdgeRouter
 set login user bpin level admin
 set login user bpin authentication plaintext-password Pa$$w0rd
 set name-server 8.8.8.8
 set name-server 8.8.4.4
 set time-zone Europe/Amsterdam
 delete login user ubnt

Step 4
==================================================
set interfaces ethernet eth1 address 2.0.0.1/24 

edit service dhcp-server shared-network-name LOCAL 
 set subnet 192.168.1.0/24 start 192.168.1.11 stop 192.168.1.150
 set subnet 192.168.1.0/24 default-router 192.168.1.1
 set subnet 192.168.1.0/24 dns-server 8.8.8.8
 set subnet 192.168.1.0/24 dns-server 8.8.4.4

Step 5
==================================================
edit service nat rule 5000
 set description "MASQUERADE (PAT)"
 set log disable
 set outbound-interface eth1
 set protocol all
 set type masquerade

Step 6
==================================================
edit firewall name WAN_TO_LAN 
 set default-action drop
 set rule 1 action accept
 set rule 1 description Established
 set rule 1 log disable
 set rule 1 protocol all
 set rule 1 state established enable
 set rule 1 state invalid disable
 set rule 1 state new disable
 set rule 1 state related enable
 
Step 7 & 8
================================================== 
edit interfaces ethernet eth1
 set firewall in name WAN_TO_LAN
 set firewall local name WAN_TO_LAN
./First Setup & Getting Started (CLI)
file./Port Forwarding/Quick Configs Ubiquiti - Slide.png./Port Forwarding
file./Port Forwarding/Config.txt
Port Forwarding
==========================================
edit port-forward
 set auto-firewall disable
 set lan-interface eth1
 set wan-interface eth0
 
 set rule 1 description "80_TO_WEBSERVER"
 set rule 1 protocol tcp
 set rule 1 original-port 80
 set rule 1 forward-to address 10.0.0.100
 set rule 1 forward-to port 80
 
 set rule 2 description "8080_TO_WEBSERVER"
 set rule 2 protocol tcp
 set rule 2 original-port 8080
 set rule 2 forward-to address 10.0.0.100
 set rule 2 forward-to port 80
 
Firewall Entries
==========================================
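edit firewall name WAN_TO_LAN 
 set default-action drop
 
 # With port-forward auto-firewall disabled, this rule is what admits the forwarded
 # traffic. The 'in' ruleset is matched after DNAT, so both forwards (80 and 8080) arrive
 # here as tcp/80 to 10.0.0.100; pinning the destination address keeps the rule from also
 # admitting tcp/80 to any other LAN host.
 set rule 1 action accept
 set rule 1 description PortForward
 set rule 1 log disable
 set rule 1 protocol tcp
 set rule 1 destination address 10.0.0.100
 set rule 1 destination port 80
 
 # Return traffic for connections initiated from the LAN.
 set rule 2 action accept
 set rule 2 description Established
 set rule 2 log disable
 set rule 2 protocol all
 set rule 2 state established enable
 set rule 2 state related enable 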
 
Apply to Interface 
==========================================
edit interfaces ethernet eth0
 set firewall in name WAN_TO_LAN
./Port Forwarding