常時接続環境の日々

YAMAHA RTX1210 config 修正点

#
# IP configuration
#

ip route default gateway tunnel 1

#
# IPv6 configuration
#

ipv6 route default gateway dhcp lan2
ipv6 prefix 1 dhcp-prefix@lan2::/64

#
# LAN configuration
#

ip lan1 address 192.168.1.253/24
ip lan1 proxyarp on

ipv6 lan1 address dhcp-prefix@lan2::1/64
ipv6 lan1 rtadv send 1 o_flag=on
ipv6 lan1 dhcp service server
vlan lan1/1 802.1q vid=201 name=VLAN201
ip lan1/1 address 192.168.201.254/24
ip lan1/1 secure filter in 300300 300200
ip lan1/1 secure filter out 300400 300200
description lan2 "BB.excite IPoE"
ip lan2 address dhcp
ipv6 lan2 address dhcp
ipv6 lan2 secure filter in 101000 101001 101002 101098
ipv6 lan2 secure filter out 101099 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
ipv6 lan2 dhcp service client
ngn type lan2 ntt
lan link-aggregation static 1 lan1:1 lan1:5

※[101098]のフィルター（全ての内向きの接続を拒否）を明示的に追加

#
# PP configuration
#

~~pp disable all~~

※この取り消し線の部分はconfigから明示的に削除した（IPoE環境ではVPN接続ができないため）

### PP anonymous ###

~~pp select anonymous~~
~~pp bind tunnel1~~
~~pp auth request chap-pap~~
~~ppp ipcp ipaddress on~~
~~ppp ipcp msext on~~
~~ppp ccp type none~~
~~ip pp remote address pool 192.168.1.140-192.168.1.149~~
~~ip pp mtu 1258~~
~~pp enable anonymous~~

※この取り消し線の部分はconfigから明示的に削除した（IPoE環境ではVPN接続ができないため）

#
# TUNNEL configuration
#

no tunnel enable all

### TUNNEL 1 ###

tunnel select 1
tunnel encapsulation ipip
tunnel endpoint address 2404:8e00::feed:100
ip tunnel mtu 1460
ip tunnel secure filter in 200003 200020 200021 200022 200023 200024 200025 200030 200032 300000 300010 300020 300100
ip tunnel secure filter out 200013 200020 200021 200022 200023 200024 200025 200026 200027 200099 dynamic 200080 200081 200082 200083 200084 200085 200098 200099
ip tunnel tcp mss limit auto
tunnel enable 1

※IPv4 over IPv6用のIPフィルターを明示的に追加。

#
# LOOPBACK/NULL configuration
#

#
# IP filter configuration
#

ip filter 200000 reject 10.0.0.0/8 * * * *
ip filter 200001 reject 172.16.0.0/12 * * * *
ip filter 200002 reject 192.168.0.0/16 * * * *
ip filter 200003 reject 192.168.1.0/24 * * * *
ip filter 200010 reject * 10.0.0.0/8 * * *
ip filter 200011 reject * 172.16.0.0/12 * * *
ip filter 200012 reject * 192.168.0.0/16 * * *
ip filter 200013 reject * 192.168.1.0/24 * * *
ip filter 200020 reject * * udp,tcp 135 *
ip filter 200021 reject * * udp,tcp * 135
ip filter 200022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 200023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 200024 reject * * udp,tcp 445 *
ip filter 200025 reject * * udp,tcp * 445
ip filter 200026 restrict * * tcpfin * www,21,nntp
ip filter 200027 restrict * * tcprst * www,21,nntp
ip filter 200030 pass * 192.168.1.0/24 icmp * *
ip filter 200031 pass * 192.168.1.0/24 established * *
ip filter 200032 pass * 192.168.1.0/24 tcp * ident
ip filter 200033 pass * 192.168.1.0/24 tcp ftpdata *
ip filter 200034 pass * 192.168.1.0/24 tcp,udp * domain
ip filter 200035 pass * 192.168.1.0/24 udp domain *
ip filter 200036 pass * 192.168.1.0/24 udp * ntp
ip filter 200037 pass * 192.168.1.0/24 udp ntp *
ip filter 200099 pass * * * * *
ip filter 300000 reject 192.168.201.0/24 * * * *
ip filter 300010 reject * 192.168.201.0/24 * * *
ip filter 300020 pass * 192.168.201.0/24 icmp
ip filter 300100 reject * *
ip filter 300200 pass * *
ip filter 300300 reject 192.168.201.0/24 192.168.1.0/24
ip filter 300400 reject 192.168.1.0/24 192.168.201.0/24
ip filter 500000 restrict * * * * *

※IPv4 over IPv6用のIPフィルターを明示的に追加。

#
# IP dynamic filter configuration
#

ip filter dynamic 200080 * * ftp
ip filter dynamic 200081 * * domain
ip filter dynamic 200082 * * www
ip filter dynamic 200083 * * smtp
ip filter dynamic 200084 * * pop3
ip filter dynamic 200085 * * submission
ip filter dynamic 200098 * * tcp
ip filter dynamic 200099 * * udp

※IPv4 over IPv6用のIPフィルターを明示的に追加。

#
# IPSEC configuration
#

ipsec auto refresh on
ipsec transport 1 1 udp 1701

#
# IPv6 filter configuration
#

ipv6 filter 101000 pass * * icmp6 * *
ipv6 filter 101001 pass * * tcp * ident
ipv6 filter 101002 pass * * udp * 546
ipv6 filter 101098 reject * * * * *
ipv6 filter 101099 pass * * * * *

#
# IPv6 dynamic filter configuration
#

ipv6 filter dynamic 101080 * * ftp
ipv6 filter dynamic 101081 * * domain
ipv6 filter dynamic 101082 * * www
ipv6 filter dynamic 101083 * * smtp
ipv6 filter dynamic 101084 * * pop3
ipv6 filter dynamic 101085 * * submission
ipv6 filter dynamic 101098 * * tcp
ipv6 filter dynamic 101099 * * udp

#
# DHCP configuration
#

dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.201.101-192.168.201.150/24 gateway 192.168.201.254

#
# DHCPC configuration
#

dhcp client release linkdown on

#
# DNS configuration
#

dns host lan1 lan1/1
dns service recursive
dns service fallback on
dns server dhcp lan2
dns server select 500000 dhcp lan2 any .
dns private address spoof on

※GUIで設定を変更して追加した部分

#
# SNMP configuration
#

snmpv2c host any
snmpv2c trap host 192.168.1.1 trap public
snmp trap enable snmp all

※このハイライト部分はGUIでIPoE接続を設定したら自動的に追加された