ルータ：FWX120を買ってみた。

前に中古で買ったRTX1500からのリプレースで珍しく（！？）新品購入

ヨドバシで55000円ぐらいだった、ポイント分を考えると最安級
そろそろフレッツネクストのハイスピードにしたかったので
WAN側にGigaのインターフェイスがあるルータが欲しかったのです。
他にRTX1200の中古などが検討材料にあったのだけど、新製品にいっとくかーという感じで
LAN3が無いけどVLANで代替出来て、ISDNはいらなかったので。

Yamaha以外の業務用ルータはUPnPが無いので、家でメインに使うには不向き・・・
地味にゲームやアプリでUPnPが欲しくなるのよね。いちいちNAT追加していくの面倒だから。
CiscoのASAとかNECのIXとかにUPnPが付いてたら、ちょっと考えたかも。
性能はあっちの方が圧倒的に高いというのがあるので。

見た目、、、というかたぶんハードそのものはRTX810そのもののようなので
1万円ぐらい高いので迷っていたのだけど、だいたい以下の理由が決め手に

赤い
ポリシーフィルターが面白そうなこと
メモリが従来機の倍あること(RTX810以前は128MB、FWX120は256MB)
NATのセッションがRTX810の3倍、RTX1200の1.5倍（FWX120は30000セッション）
ファイヤウオールのパフォーマンスが100kPPSと記述されてる
統計情報のグラフが見られる
できたてほやほやの新製品！

VPNの対地数なんかはあんまり考えない方向でー
それでもRTX810よりは多いのだ。

パケットの処理能力はRTX1500の半分以下になってしまったのが気になるところ。
http://www.rtpro.yamaha.co.jp/RT/FAQ/TCPIP/routing-performance.html
実害は無いと思うんだけどなぁ、こればっかりは動かしてみないと。

さっそく使ってみた感じ、ポリシーフィルターの動作は従来機とはちょっと違うので
だいぶ戸惑った、というか望んだ動作にならなかったので首をひねりまくり
ラストマッチなので後の方にあるフィルターが作動するのはわかっているのだけど
最初うまく必要なルールが作れなくて困ってた。
結局NATの追加をブラウザから行うと自動でフィルターも追加される仕様だったので
それを見て大体理解した。Webブラウザのインターフェイスは基本的な部分を教えてくれるので良い先生だね。

そんなわけでコマンド入力とWebインターフェイスを活用して作ったコンフィグはこちら
一部あぶないところは削っております。

[plain]# FWX120 Rev.11.03.02 (Wed Sep 26 10:26:43 2012)
# MAC Address : *, *
# Memory 256Mbytes, 2LAN
# main: FWX120 ver=00 serial=* MAC-Address=* MAC-Address=*
# Reporting Date: Jan 17 10:41:48 2013
login password *
administrator password *
console columns 100
console lines infinity
console prompt FWX120
login timer 600
ip routing process fast
ip route default gateway pp 1 filter 500000 gateway pp 2 filter 500000 gateway pp 1
ip lan1 address 192.168.221.1/24
ip lan1 proxyarp on
ip lan1 intrusion detection in on
ip lan1 intrusion detection in ip on reject=off
ip lan1 intrusion detection in ip-option on reject=off
ip lan1 intrusion detection in fragment on reject=off
ip lan1 intrusion detection in icmp on reject=off
ip lan1 intrusion detection in udp on reject=off
ip lan1 intrusion detection in tcp on reject=off
ip lan1 intrusion detection in default off
ip lan1 intrusion detection out on
ip lan1 intrusion detection out ftp on reject=off
ip lan1 intrusion detection out default off
ip lan1 forward filter 10
provider type isdn-terminal
provider filter routing connection
provider lan1 name LAN:
provider lan2 name PPPoE/0/1/5/0/0/0:*
provider ntpdate ntp.jst.mfeed.ad.jp
pp select 1
pp name PRV/1/1/5/0/0/0:*
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname * *
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp intrusion detection in on
ip pp intrusion detection in ip-option on reject=off
ip pp intrusion detection in fragment on reject=off
ip pp intrusion detection in icmp on reject=off
ip pp intrusion detection in udp on reject=off
ip pp intrusion detection in tcp on reject=off
ip pp intrusion detection in default off
ip pp intrusion detection out on
ip pp intrusion detection out ftp on reject=off
ip pp intrusion detection out default off
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1099
ip pp nat descriptor 1000
pp enable 1
provider set 1 *
provider dns server pp 1 1
provider select 1
pp select 2
pp name PRV/2/1/5/0/0/0:*
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname * *
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp intrusion detection in on
ip pp intrusion detection in ip-option on reject=off
ip pp intrusion detection in fragment on reject=off
ip pp intrusion detection in icmp on reject=off
ip pp intrusion detection in udp on reject=off
ip pp intrusion detection in tcp on reject=off
ip pp intrusion detection in default off
ip pp intrusion detection out on
ip pp intrusion detection out ftp on reject=off
ip pp intrusion detection out default off
ip pp inbound filter list 1101 1102 1103 1104 1105 1106 1107 1199
ip pp nat descriptor 1100
pp enable 2
provider set 2 *
provider dns server pp 2 2
pp select anonymous
pp name L2TP/IPsec
pp bind tunnel9
pp auth request mschap-v2
pp auth username * *
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp remote address pool dhcp
ip pp mtu 1258
pp enable anonymous
tunnel select 9
tunnel encapsulation l2tp
ipsec tunnel 1
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 off
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 text *
ipsec ike remote address 1 any
l2tp tunnel auth off
l2tp tunnel disconnect time off
l2tp keepalive use on
ip tunnel tcp mss limit auto
tunnel enable 9
ip filter 111 pass 192.168.221.111 * * * *
ip filter 112 pass 192.168.221.112 * * * *
ip filter 114 pass 192.168.221.114 * * * *
ip filter 500000 restrict * * * * *
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.221.0/24 * * * *
ip inbound filter 1099 pass-nolog * * * * *
ip inbound filter 1101 reject-nolog * * tcp,udp * 135
ip inbound filter 1102 reject-nolog * * tcp,udp 135 *
ip inbound filter 1103 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1104 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1105 reject-nolog * * tcp,udp * 445
ip inbound filter 1106 reject-nolog * * tcp,udp 445 *
ip inbound filter 1107 reject-nolog 192.168.221.0/24 * * * *
ip inbound filter 1199 pass-nolog * * * * *
ip policy interface group 101 name=Private local lan1

ip policy address group 101 name=Private 192.168.221.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns ntp
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 111 name=L2TP-NAT-T ike esp l2tp ipsec-nat-t

ip policy filter 1 pass-nolog * * * 1 1
ip policy filter 2 pass-nolog * * * 1 2
ip policy filter 3 pass-nolog * * * 2 3
ip policy filter 4 pass-nolog * * * 3 4
ip policy filter 5 pass-nolog * * * 4 5
ip policy filter 6 pass-nolog * * * 5 6
ip policy filter 7 pass-nolog * * * 6 7
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-nolog * * 192.168.221.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1150 pass-nolog * pp1 * * *
ip policy filter 1160 pass-nolog * pp2 * * *
ip policy filter 1500 reject-log pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1560 static-pass-nolog * local * * 111
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1610 pass-nolog * 101 * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1660 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 111
ip policy filter 3000 reject-log * * * * *

ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1150 1160 1130] 1600 [1630 1610 1660] 1500 [1520 1560] 1700 [1710 1750] 3000
ip policy filter set enable 101
ip forward filter 10 111 gateway pp 2 filter 111
ip forward filter 10 112 gateway pp 2 filter 112
ip forward filter 10 114 gateway pp 2 filter 114
nat descriptor type 1000 masquerade

nat descriptor masquerade static 1000 8 192.168.221.1 udp 1701
nat descriptor masquerade static 1000 9 192.168.221.1 udp 500
nat descriptor masquerade static 1000 10 192.168.221.1 esp
nat descriptor masquerade static 1000 11 192.168.221.1 udp 4500
nat descriptor type 1100 masquerade

ipsec auto refresh on
ipsec transport 9 1 udp 1701
syslog host 192.168.221.10
syslog facility local6
syslog notice on
syslog debug off
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.221.100-192.168.221.199/24

dns server pp 1
dns server select 500001 pp 1 any . restrict pp 1
dns server select 500002 pp 2 any . restrict pp 2
dns private address spoof on
schedule at 1 */* 01:53 * ntpdate ntp.jst.mfeed.ad.jp
l2tp service on
upnp use on
external-memory syslog filename usb1:fwx120.log backup=100
external-memory config filename sd1:config.rtfg,*:config.txt 0
statistics cpu on
statistics memory on
statistics traffic on
statistics flow on
statistics route on
statistics nat on
statistics filter on
statistics qos on
#[/plain]