Author Topic: The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)  (Read 303440 times)


jonlprd

  • Orange Fibre subscriber
  • Posts: 66
  • Antony (92)
    • Personal Blog
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #24 on: 25 October 2017 at 14:48:47 »

during the installation it will also ask you if you want to start dibbler at boot, hit yes

Is it possible to re-run the program so I can define this parameter? Or can I edit the existing .conf file?

Thank you for your help :)

mike78530

  • Orange Fibre subscriber
  • Posts: 232
  • Toussus-le-Noble (78)
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #25 on: 25 October 2017 at 14:56:26 »
Is it possible to re-run the program so I can define this parameter? Or can I edit the existing .conf file?

Thank you for your help :)

I think that you have to replace the client.conf in /etc/dibbler/ with the one that I provide on my gdrive, and that's all

jonlprd

  • Orange Fibre subscriber
  • Posts: 66
  • Antony (92)
    • Personal Blog
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #26 on: 25 October 2017 at 15:17:48 »
I think that you have to replace the client.conf in /etc/dibbler/ with the one that I provide on my gdrive, and that's all

I have already done that, and made sure to replace the hex code with the one that I generated. I also just tried to re-run script_orange_eth0_IPV6.sh. I will attach a screenshot of the errors I received. It's strange because I seem to be getting an IPv6 address assigned (see the other screenshot), but ipv6-test.com is telling me that I don't have IPv6 available.



mike78530

  • Orange Fibre subscriber
  • Posts: 232
  • Toussus-le-Noble (78)
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #27 on: 25 October 2017 at 15:39:20 »
I don't know why sometimes running the script creates errors

The only solution that I found was to split the script into elementary parts (for example only the firewall rules, then another script with the elements for ETH1...)

Another solution: execute all the lines from the script manually, line by line, via SSH

jonlprd

  • Orange Fibre subscriber
  • Posts: 66
  • Antony (92)
    • Personal Blog
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #28 on: 25 October 2017 at 18:30:09 »
I don't know why sometimes running the script creates errors

The only solution that I found was to split the script into elementary parts (for example only the firewall rules, then another script with the elements for ETH1...)

Another solution: execute all the lines from the script manually, line by line, via SSH

OK, I'll go try that and see if I have any luck. Were you able to configure your Livebox TV decoder to work? Since I am using multiple switches (I have a central patchboard that routes RJ45 throughout the apartment), a direct connection from the LAN2 port to the Livebox TV is not possible. Is a direct connection the only way to make this work?

Also, there seems to be some conflict between WAN1 and WAN2 when I enable the TV Network on WAN2. I will attach some screenshots. Thanks again for your help, this has been a huge learning experience for me haha!


mike78530

  • Orange Fibre subscriber
  • Posts: 232
  • Toussus-le-Noble (78)
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #29 on: 26 October 2017 at 09:54:08 »
Were you able to configure your livebox TV decoder to work?

I don't have the TV decoder, so all the information given is not verified

Since I am using multiple switches (I have a central patchboard that routes RJ45 throughout the apartment), a direct connection from the LAN2 port to the LiveboxTV is not possible. Is a direct connection the only way to make this work?

It's possible to use LAN1 for the decoder, you have to adjust the command lines to your network configuration.

Also, there seems to be some conflict between WAN1 and WAN2 when I enable the TV Network on WAN2. I will attach some screenshots. Thanks again for your help, this has been a huge learning experience for me haha!

The 3rd port should be LAN2 and not WAN2; go to the settings section on the UniFi controller and change that

jonlprd

  • Orange Fibre subscriber
  • Posts: 66
  • Antony (92)
    • Personal Blog
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #30 on: 26 October 2017 at 11:40:24 »

The 3rd port should be LAN2 and not WAN2; go to the settings section on the UniFi controller and change that

Ok, thank you for clearing that up for me. I'm not sure which Orange DNS I should be using. I copied two Orange DNS records from the forum here, but it seems that Orange might have updated their DNS. Can you tell me which records I should be using for the Livebox TV vlan?

80.10.246.3
81.253.149.10

or

80.10.246.2
80.10.246.129

mike78530

  • Orange Fibre subscriber
  • Posts: 232
  • Toussus-le-Noble (78)
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #31 on: 26 October 2017 at 12:27:31 »
80.10.246.2
80.10.246.129

are good

jma64

  • Pau Broadband Country (64)
  • Orange Fibre subscriber
  • Posts: 592
  • FTTH Jet LB3 and FTTH 500 LB5 in Pau (64)
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #32 on: 26 October 2017 at 15:04:19 »
Hello

I just checked right now:

primary: same

secondary:   81.253.149.2     ! ! !

strange....



jonlprd

  • Orange Fibre subscriber
  • Posts: 66
  • Antony (92)
    • Personal Blog
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #33 on: 26 October 2017 at 15:52:23 »
Still no luck with either IPv6 or TV  :'(

I applied all the commands (line per line) from the script_orange_eth0_IPV6.sh file via ssh. I only got three errors. This might be why IPv6 isn't working correctly:

$ set firewall ipv6-name WAN_IN-6 description packets from internet to intranet
The specified configuration node is not valid
Set failed


$ set firewall ipv6-name WAN_LOCAL-6 description packets from internet to gateway
The specified configuration node is not valid
Set failed


$ set firewall ipv6-name WAN_OUT-6 description packets to internet
The specified configuration node is not valid
Set failed

$ commit

[ firewall ipv6-name WAN_IN-6 ]
calling cfgPathGetValue() without config session

[ firewall ipv6-name WAN_OUT-6 ]
calling cfgPathGetValue() without config session

[ firewall ipv6-name WAN_LOCAL-6 ]
calling cfgPathGetValue() without config session

[ interfaces ethernet eth0 vif 832 firewall in ipv6-name WAN_IN-6 ]
Firewall config error: Rule set WAN_IN-6 is not configured

[ interfaces ethernet eth1 ipv6 router-advert ]
Re-generating radvd config file for interface eth1...
Starting radvd...
Starting radvd: radvd.

Commit failed

jonlprd

  • Orange Fibre subscriber
  • Posts: 66
  • Antony (92)
    • Personal Blog
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #34 on: 26 October 2017 at 15:53:16 »
Here is my config.boot file from the USG. I'm determined to get this all to work!  8)

Does the cloud key controller override all the parameters I define on the USG? How do I make sure the settings persist on restart?

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group authorized_guests {
            description "authorized guests MAC addresses"
        }
        address-group guest_allow_addresses {
            description "allow addresses for guests"
        }
        address-group guest_allow_dns_servers {
            description "allow dns servers for guests"
        }
        address-group guest_portal_address {
            description "guest portal address"
        }
        address-group guest_restricted_addresses {
            address 192.168.0.0/16
            address 172.16.0.0/12
            address 10.0.0.0/8
            description "restricted addresses for guests"
        }
        address-group unifi_controller_addresses {
            address 192.168.1.15
        }
        network-group captive_portal_subnets {
            description "captive portal subnets"
        }
        network-group corporate_network {
            description "corporate subnets"
            network 192.168.1.0/24
        }
        network-group guest_allow_subnets {
            description "allow subnets for guests"
        }
        network-group guest_network {
            description "guest subnets"
        }
        network-group guest_restricted_subnets {
            description "restricted subnets for guests"
        }
        network-group remote_client_vpn_network {
            description "remote client VPN subnets"
        }
        network-group remote_site_vpn_network {
            description "remote site VPN subnets"
        }
        network-group remote_user_vpn_network {
            description "remote user vpn subnets"
        }
        port-group guest_portal_ports {
            description "guest portal ports"
        }
        port-group guest_portal_redirector_ports {
            description "guest portal redirector ports"
            port 39080
            port 39443
        }
        port-group unifi_controller_ports-tcp {
            description "unifi tcp ports"
            port 8080
        }
        port-group unifi_controller_ports-udp {
            description "unifi udp ports"
            port 3478
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify LOAD_BALANCE {
        description LOAD_BALANCE
        rule 3001 {
            action accept
            destination {
                group {
                    network-group corporate_network
                }
            }
            source {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3002 {
            action accept
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
            source {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3003 {
            action accept
            destination {
                group {
                    network-group remote_site_vpn_network
                }
            }
            source {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3004 {
            action accept
            destination {
                group {
                    network-group remote_client_vpn_network
                }
            }
            source {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3005 {
            action accept
            destination {
                group {
                    address-group guest_portal_address
                    port-group guest_portal_ports
                }
            }
            source {
                group {
                    network-group guest_network
                }
            }
        }
        rule 3006 {
            action accept
            destination {
                group {
                    network-group captive_portal_subnets
                }
                port 443
            }
            protocol tcp
            source {
                group {
                    network-group guest_network
                }
            }
        }
        rule 3007 {
            action accept
            destination {
                group {
                    address-group guest_allow_addresses
                }
            }
            source {
                group {
                    network-group guest_network
                }
            }
        }
        rule 3008 {
            action modify
            modify {
                lb-group wan_failover
            }
        }
    }
    name AUTHORIZED_GUESTS {
        default-action drop
        description "authorization check packets from guest network"
    }
    name GUEST_IN {
        default-action accept
        description "packets from guest network"
        rule 3001 {
            action accept
            description "allow DNS packets to external name servers"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow packets to captive portal"
            destination {
                group {
                    network-group captive_portal_subnets
                }
                port 443
            }
            protocol tcp
        }
        rule 3003 {
            action accept
            description "allow packets to allow subnets"
            destination {
                group {
                    address-group guest_allow_addresses
                }
            }
        }
        rule 3004 {
            action drop
            description "drop packets to restricted subnets"
            destination {
                group {
                    address-group guest_restricted_addresses
                }
            }
        }
        rule 3005 {
            action drop
            description "drop packets to intranet"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3006 {
            action drop
            description "drop packets to remote user"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
        rule 3007 {
            action drop
            description "authorized guests white list"
            destination {
                group {
                    address-group authorized_guests
                }
            }
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description "packets from guest network to gateway"
        rule 3001 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
    }
    name GUEST_OUT {
        default-action accept
        description "packets forward to guest network"
    }
    name LAN_IN {
        default-action accept
        description "packets from intranet"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            source {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            source {
                address 192.168.2.0/24
            }
        }
    }
    name LAN_LOCAL {
        default-action accept
        description "packets from intranet to gateway"
    }
    name LAN_OUT {
        default-action accept
        description "packets forward to intranet"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            destination {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            destination {
                address 192.168.2.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "packets from internet to intranet"
        rule 3001 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3002 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from internet to gateway"
        rule 3001 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3002 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "packets to internet"
    }
    options {
        mss-clamp {
            interface-type pppoe
            interface-type pptp
            interface-type vti
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        dhcp-options {
            client-option "retry 60;"
            default-route update
            default-route-distance 1
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
        vif 832 {
            address dhcp
            dhcp-options {
                client-option "retry 60;"
                client-option "send vendor-class-identifier "sagem";"
                client-option "send user-class "\053FSVDSL_livebox.Internet.softathome.Livebox4";"
                client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:/*fti credentials*/"
                client-option "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, rfc3118-auth;"
                default-route update
                default-route-distance 1
                name-server update
            }
            egress-qos "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
                out {
                    name WAN_OUT
                }
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        duplex auto
        firewall {
            in {
                modify LOAD_BALANCE
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
            out {
                name LAN_OUT
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        dhcp-options {
            client-option "retry 60;"
            default-route update
            default-route-distance 220
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
        vif 832 {
            address 192.168.2.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
    }
    loopback lo {
    }
}
load-balance {
    group wan_failover {
        interface eth0.832 {
            route-test {
                initial-delay 20
                interval 10
            }
        }
        interface eth2 {
            failover-only
            route-test {
                initial-delay 20
                interval 10
            }
        }
        lb-local enable
        lb-local-metric-change enable
        sticky {
            dest-addr enable
            dest-port enable
            source-addr enable
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0.832
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name LAN_192.168.1.0-24 {
            authoritative enable
            description vlan1
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name localdomain
                lease 86400
                start 192.168.1.6 {
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name TV_192.168.2.0-24 {
            authoritative enable
            description vlan832
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 80.10.246.2
                dns-server 80.10.246.129
                lease 86400
                start 192.168.2.6 {
                    stop 192.168.2.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 10000
            except-interface eth0.832
            except-interface eth2
            options host-record=unifi,192.168.1.8
            options host-record=unifi,192.168.1.15
        }
    }
    gui {
        https-port 443
    }
    lldp {
        interface eth0 {
            disable
        }
        interface eth2 {
            disable
        }
    }
    nat {
        rule 6001 {
            description "MASQ corporate_network to WAN"
            log disable
            outbound-interface eth0.832
            protocol all
            source {
                group {
                    network-group corporate_network
                }
            }
            type masquerade
        }
        rule 6002 {
            description "MASQ remote_user_vpn_network to WAN"
            log disable
            outbound-interface eth0.832
            protocol all
            source {
                group {
                    network-group remote_user_vpn_network
                }
            }
            type masquerade
        }
        rule 6003 {
            description "MASQ guest_network to WAN"
            log disable
            outbound-interface eth0.832
            protocol all
            source {
                group {
                    network-group guest_network
                }
            }
            type masquerade
        }
        rule 6004 {
            description "MASQ corporate_network to WAN"
            log disable
            outbound-interface eth2
            protocol all
            source {
                group {
                    network-group corporate_network
                }
            }
            type masquerade
        }
        rule 6005 {
            description "MASQ remote_user_vpn_network to WAN"
            log disable
            outbound-interface eth2
            protocol all
            source {
                group {
                    network-group remote_user_vpn_network
                }
            }
            type masquerade
        }
        rule 6006 {
            description "MASQ guest_network to WAN"
            log disable
            outbound-interface eth2
            protocol all
            source {
                group {
                    network-group guest_network
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    ip {
        override-hostname-ip 192.168.1.1
    }
    login {
        user admin {
            authentication {
                encrypted-password /* removed */
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    static-host-mapping {
        host-name setup.ubnt.com {
            alias setup
            inet 192.168.1.1
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Brussels
    traffic-analysis {
        dpi enable
    }
}
unifi {
    mgmt {
        cfgversion 2b520da9e5f29bfb
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v4.3.60.5012138.170825.0015 */



If anyone has managed to get IPv6 working correctly, please give me any input you have. Also, for the TV, I am still receiving code erreur S04-03 (message coming from the livebox tv).


mike78530

  • Orange Fibre subscriber
  • Posts: 232
  • Toussus-le-Noble (78)
The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #35 on: 26 October 2017 at 17:05:38 »
Here is my config.boot file from the USG. I'm determined to get this all to work!  8)

Does the cloud key controller override all the parameters I define on the USG? How do I make sure the settings persist on restart?

Yes, that's the reason why in step 9 I say to disconnect the controller (read this https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-with-config-gateway-json)

Copy all the files listed in my #1 post, run dibbler, copy the config.gateway.json attached to this post onto your controller and provision the USG again; IPv6 should work

By the way, first open the config.gateway.json and change the xx:xx... to your fti/....

THIS config.gateway.json is for IPV6 only, no TV
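As an added example (not the config.gateway.json attached to the post, which is not reproduced here), the fragment below creates the three IPv6 rule sets that failed in the commit above and binds them to eth0 vif 832 through the controller's config.gateway.json, so they survive re-provisioning; the checker reproduces the "Rule set WAN_IN-6 is not configured" failure and flags a WAN-facing set that does not default to drop. The rule contents, the ICMPv6 rule and the WAN interface list are assumptions modelled on the IPv4 WAN_IN/WAN_LOCAL/WAN_OUT sets in the config.boot above.

```python
import copy
import json

# Constructed example, not the config.gateway.json attached to the thread: the
# three IPv6 rule sets the script tried to "set" (names and descriptions from the
# commit errors above), bound to the Orange VLAN 832 sub-interface the same way
# the IPv4 WAN_IN/WAN_LOCAL/WAN_OUT sets are bound in config.boot.
ESTABLISHED = {"action": "accept", "description": "allow established/related sessions",
               "state": {"established": "enable", "related": "enable"}}
CONFIG_GATEWAY = {
    "firewall": {
        "ipv6-name": {
            # IPv6 has no NAT in front of the LAN: default-action drop is what keeps
            # the delegated prefix from being reachable from the internet.
            "WAN_IN-6": {
                "default-action": "drop",
                "description": "packets from internet to intranet",
                "rule": {"3001": ESTABLISHED,
                         "3002": {"action": "drop", "description": "drop invalid state",
                                  "state": {"invalid": "enable"}}},
            },
            "WAN_LOCAL-6": {
                "default-action": "drop",
                "description": "packets from internet to gateway",
                # ICMPv6 must pass for neighbour discovery and path MTU discovery
                "rule": {"3001": ESTABLISHED,
                         "3002": {"action": "accept", "description": "allow ICMPv6",
                                  "protocol": "ipv6-icmp"}},
            },
            "WAN_OUT-6": {"default-action": "accept", "description": "packets to internet"},
        }
    },
    "interfaces": {"ethernet": {"eth0": {"vif": {"832": {"firewall": {
        "in": {"ipv6-name": "WAN_IN-6"},
        "local": {"ipv6-name": "WAN_LOCAL-6"},
        "out": {"ipv6-name": "WAN_OUT-6"},
    }}}}}},
}
# WAN-facing interfaces, as they appear in the config.boot above (assumed list)
WAN_INTERFACES = {"eth0", "eth0.832", "eth2"}


def check_ipv6_rulesets(cfg, wan_interfaces=WAN_INTERFACES):
    """List problems in a config.gateway.json tree: an interface binding an
    ipv6-name rule set that is not defined (the 'Rule set WAN_IN-6 is not
    configured' commit failure above), or a WAN-facing in/local set whose
    default-action is not drop."""
    defined = cfg.get("firewall", {}).get("ipv6-name", {})
    problems = []
    for ifname, ifcfg in cfg.get("interfaces", {}).get("ethernet", {}).items():
        # the interface itself plus each VLAN sub-interface (vif), named eth0.832 style
        nodes = [(ifname, ifcfg)]
        nodes += [(f"{ifname}.{vid}", vcfg) for vid, vcfg in ifcfg.get("vif", {}).items()]
        for name, node in nodes:
            for direction, binding in node.get("firewall", {}).items():
                ruleset = binding.get("ipv6-name")
                if ruleset is None:
                    continue
                if ruleset not in defined:
                    problems.append(f"{name} {direction}: rule set {ruleset} is not configured")
                elif (name in wan_interfaces and direction in ("in", "local")
                      and defined[ruleset].get("default-action") != "drop"):
                    problems.append(f"{name} {direction}: {ruleset} must default to drop")
    return problems


def without_ruleset(cfg, name):
    """Copy of cfg with one ipv6-name rule set removed (reproduces the commit error)."""
    broken = copy.deepcopy(cfg)
    del broken["firewall"]["ipv6-name"][name]
    return broken


def render(cfg):
    """Serialise the tree as the controller expects it in config.gateway.json."""
    return json.dumps(cfg, indent=4, sort_keys=True)
```

Write `render(CONFIG_GATEWAY)` to the controller's config.gateway.json only after `check_ipv6_rulesets` returns an empty list; a non-empty list is the same condition that made the commit above fail.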