Home Network Configuration
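#!/bin/bash
# edgerouter-backup commit hook: snapshot the active EdgeOS configuration and
# push it to a git repository on a remote host, committing there with a
# message that records the commit comment, the user and the trigger.
# ref https://github.com/psitem/edgerouter-backup
# This script runs during the commit
#
# Settings come from the sourced conf file: DEFAULT_COMMIT_MESSAGE,
# FNAME_CONFIG, FNAME_CLI, FNAME_BACKUP, SSH_USER, SSH_HOST, SSH_PORT,
# SSH_KEYFILE, REPO_PATH. Optional, introduced here: SSH_KNOWN_HOSTS, a
# known_hosts file holding the backup host's key; when set, the host key is
# verified instead of being ignored.
source /config/user-data/edgerouter-backup.conf

# Pull commit info
COMMIT_VIA=${COMMIT_VIA:-other}
COMMIT_CMT=${COMMIT_COMMENT:-$DEFAULT_COMMIT_MESSAGE}
# If no comment, replace with default
if [ "$COMMIT_CMT" = "commit" ]; then
  COMMIT_CMT=$DEFAULT_COMMIT_MESSAGE
fi
# Check if rollback ($1 quoted so an empty or multi-word argument cannot
# turn the test into a syntax error)
if [ $# -eq 1 ] && [ "$1" = "rollback" ]; then
  COMMIT_VIA="rollback/reboot"
fi

TIME=$(date "+%Y-%m-%d %H:%M:%S")
USER=$(whoami)
GIT_COMMIT_MSG="$COMMIT_CMT | by $USER | via $COMMIT_VIA | $TIME"

TMP_CONFIG="/tmp/edgerouter-backup-$FNAME_CONFIG"
TMP_CLI="/tmp/edgerouter-backup-$FNAME_CLI"
TMP_TAR="/tmp/edgerouter-backup-$FNAME_BACKUP.tar"
REMOTE="$SSH_USER@$SSH_HOST"

# Options shared by every ssh/scp call. The port flag differs between the two
# tools (-p vs -P) and is therefore given per command.
SSH_OPTS=(-q -i "$SSH_KEYFILE")
if [ -n "${SSH_KNOWN_HOSTS:-}" ]; then
  SSH_OPTS+=(-o "UserKnownHostsFile=$SSH_KNOWN_HOSTS" -o StrictHostKeyChecking=yes)
else
  # Previous behaviour, kept as the default: the remote host key is never
  # checked, so whoever answers for $SSH_HOST receives the complete router
  # configuration (PPPoE, WireGuard and user credentials included). Set
  # SSH_KNOWN_HOSTS in the conf file to pin the backup host's key.
  SSH_OPTS+=(-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no)
fi

# Remove temporary files (leftovers from a previous run; absence is fine)
#echo "edgerouter-backup: Removing temporary files"
sudo rm -f -- "$TMP_CONFIG" "$TMP_CLI" "$TMP_TAR"

# Generate temporary config files
sudo cli-shell-api showConfig --show-active-only --show-ignore-edit --show-show-defaults > "$TMP_CONFIG"
sudo cli-shell-api showConfig --show-commands --show-active-only --show-ignore-edit --show-show-defaults > "$TMP_CLI"
# tar walks /config itself. The former find | grep | xargs chain split paths
# on whitespace and, without sudo on tar, silently skipped unreadable files.
# stderr is still discarded because tar always reports the stripped leading
# "/"; a non-zero status is surfaced instead.
if ! sudo tar cf "$TMP_TAR" --exclude=/config/dhcpd.leases /config 2>/dev/null; then
  echo "edgerouter-backup: warning: archive of /config may be incomplete" >&2
fi

# Push config files
echo "edgerouter-backup: Copying backup files to $SSH_USER@$SSH_HOST:$REPO_PATH"
sudo scp -P "$SSH_PORT" "${SSH_OPTS[@]}" "$TMP_CONFIG" "$REMOTE:$REPO_PATH/$FNAME_CONFIG" > /dev/null
sudo scp -P "$SSH_PORT" "${SSH_OPTS[@]}" "$TMP_CLI" "$REMOTE:$REPO_PATH/$FNAME_CLI" > /dev/null
# The gzip target is part of a remote command line, so it is shell-quoted
# with %q before interpolation.
REMOTE_TGZ=$(printf '%q' "$REPO_PATH/$FNAME_BACKUP.tar.gz")
sudo cat -- "$TMP_TAR" | sudo ssh -p "$SSH_PORT" "${SSH_OPTS[@]}" "$REMOTE" "gzip -cnq9 > $REMOTE_TGZ" > /dev/null

# git commit and git push on remote host
echo "edgerouter-backup: Triggering 'git commit'"
# The remote script is assembled with %q so that every path and the commit
# message reach git as single literal arguments. The commit comment is typed
# by the operator on the EdgeOS commit line; with the previous unquoted
# heredoc a comment containing quotes, backticks or $(...) was interpreted by
# the remote bash instead of being committed verbatim.
REMOTE_SCRIPT=$(printf 'cd %q || exit 1\ngit add %q\ngit add %q\ngit add %q\ngit commit -m %q\n' \
  "$REPO_PATH" \
  "$REPO_PATH/$FNAME_CONFIG" \
  "$REPO_PATH/$FNAME_CLI" \
  "$REPO_PATH/$FNAME_BACKUP.tar.gz" \
  "$GIT_COMMIT_MSG")
printf '%s\n' "$REMOTE_SCRIPT" | sudo ssh -p "$SSH_PORT" "${SSH_OPTS[@]}" "$REMOTE" 'bash -s' > /dev/null
#git push
echo "edgerouter-backup: Complete"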
firewall { | |
all-ping enable | |
broadcast-ping disable | |
group { | |
address-group douyin-address { | |
address xx.xx.xx.xx/24 | |
description "douyin ipv4 address" | |
} | |
address-group rfc1918 { | |
address 10.0.0.0/8 | |
address 172.16.0.0/12 | |
address 192.168.0.0/16 | |
description "RFC1918 ranges" | |
} | |
ipv6-address-group douyin-ipv6-address { | |
description "douyin ipv6 address" | |
ipv6-address xx:xx:xx:xx::/64 | |
} | |
port-group douyin-port { | |
description "douyin dns" | |
port 6443 | |
} | |
} | |
ipv6-name WANv6_IN { | |
default-action drop | |
description "WAN inbound traffic forwarded to LAN" | |
rule 10 { | |
action accept | |
description "Allow established/related sessions" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
description "Drop invalid state" | |
state { | |
invalid enable | |
} | |
} | |
rule 30 { | |
action accept | |
description transmission | |
destination { | |
port xx | |
} | |
protocol tcp_udp | |
} | |
rule 40 { | |
action drop | |
description "blocking brute-forcing attempts" | |
destination { | |
port xx | |
} | |
protocol tcp | |
recent { | |
count 4 | |
time 60 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 41 { | |
action accept | |
description nas-ssh | |
destination { | |
port xx | |
} | |
protocol tcp | |
state { | |
new enable | |
} | |
} | |
rule 50 { | |
action accept | |
description https | |
destination { | |
port xx | |
} | |
protocol tcp | |
} | |
} | |
ipv6-name WANv6_LOCAL { | |
default-action drop | |
description "WAN inbound traffic to the router" | |
rule 10 { | |
action accept | |
description "Allow established/related sessions" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
description "Drop invalid state" | |
state { | |
invalid enable | |
} | |
} | |
rule 30 { | |
action accept | |
description "Allow IPv6 icmp" | |
protocol ipv6-icmp | |
} | |
rule 40 { | |
action accept | |
description "allow dhcpv6" | |
destination { | |
port 546 | |
} | |
protocol udp | |
source { | |
port 547 | |
} | |
} | |
rule 50 { | |
action drop | |
description "blocking brute-forcing attempts" | |
destination { | |
port xx | |
} | |
protocol tcp | |
recent { | |
count 4 | |
time 60 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 51 { | |
action accept | |
description "allow ssh" | |
destination { | |
port xx | |
} | |
protocol tcp | |
state { | |
new enable | |
} | |
} | |
} | |
ipv6-name WANv6_OUT { | |
default-action accept | |
rule 10 { | |
action drop | |
description "deny douyin ipv6 address group weekdays" | |
destination { | |
group { | |
ipv6-address-group douyin-ipv6-address | |
} | |
} | |
disable | |
protocol all | |
time { | |
contiguous | |
starttime 15:00:00 | |
stoptime 07:00:00 | |
weekdays !Sat,Sun | |
} | |
} | |
rule 20 { | |
action drop | |
description "deny douyin ipv6 address group weekend" | |
destination { | |
group { | |
ipv6-address-group douyin-ipv6-address | |
} | |
} | |
disable | |
protocol all | |
time { | |
weekdays Sat,Sun | |
} | |
} | |
} | |
ipv6-receive-redirects disable | |
ipv6-src-route disable | |
ip-src-route disable | |
log-martians enable | |
name WAN_IN { | |
default-action drop | |
description "WAN to internal" | |
rule 10 { | |
action accept | |
description "Allow established/related" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
description "Drop invalid state" | |
state { | |
invalid enable | |
} | |
} | |
rule 30 { | |
action accept | |
description Transmission | |
destination { | |
port xx | |
} | |
protocol tcp_udp | |
} | |
} | |
name WAN_LOCAL { | |
default-action drop | |
description "WAN to router" | |
rule 10 { | |
action accept | |
description "Allow established/related" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
description "Drop invalid state" | |
state { | |
invalid enable | |
} | |
} | |
} | |
name WAN_OUT { | |
default-action accept | |
rule 10 { | |
action drop | |
description "deny douyin port" | |
destination { | |
group { | |
port-group douyin-port | |
} | |
} | |
disable | |
protocol tcp_udp | |
} | |
rule 20 { | |
action drop | |
description "deny douyin ipv4 address weekdays" | |
destination { | |
group { | |
address-group douyin-address | |
} | |
} | |
disable | |
protocol all | |
time { | |
contiguous | |
starttime 15:00:00 | |
stoptime 07:00:00 | |
weekdays !Sat,Sun | |
} | |
} | |
rule 30 { | |
action drop | |
description "deny douyin ipv4 address weekend" | |
destination { | |
group { | |
address-group douyin-address | |
} | |
} | |
disable | |
protocol all | |
time { | |
weekdays Sat,Sun | |
} | |
} | |
} | |
options { | |
mss-clamp { | |
interface-type pppoe | |
mss 1452 | |
} | |
mss-clamp6 { | |
interface-type pppoe | |
mss 1432 | |
} | |
} | |
receive-redirects disable | |
send-redirects enable | |
source-validation strict | |
syn-cookies enable | |
} | |
interfaces { | |
ethernet eth0 { | |
description "Internet (PPPoE)" | |
disable | |
duplex auto | |
poe { | |
output off | |
} | |
pppoe 0 { | |
default-route auto | |
dhcpv6-pd { | |
no-dns | |
pd 0 { | |
interface switch0.200 { | |
host-address ::1 | |
no-dns | |
prefix-id :1 | |
service slaac | |
} | |
prefix-length /60 | |
} | |
rapid-commit enable | |
} | |
firewall { | |
in { | |
ipv6-name WANv6_IN | |
name WAN_IN | |
} | |
local { | |
ipv6-name WANv6_LOCAL | |
name WAN_LOCAL | |
} | |
out { | |
ipv6-name WANv6_OUT | |
name WAN_OUT | |
} | |
} | |
ipv6 { | |
address { | |
autoconf | |
} | |
dup-addr-detect-transmits 1 | |
enable { | |
} | |
} | |
mtu 1492 | |
name-server auto | |
password **************** | |
user-id ** | |
} | |
speed auto | |
} | |
ethernet eth1 { | |
description Local | |
duplex auto | |
poe { | |
output off | |
} | |
speed auto | |
} | |
ethernet eth2 { | |
description Local | |
disable | |
duplex auto | |
poe { | |
output off | |
} | |
speed auto | |
} | |
ethernet eth3 { | |
address 192.168.200.x/24 | |
description MikroTik | |
duplex auto | |
poe { | |
output 24v | |
} | |
speed auto | |
} | |
ethernet eth4 { | |
duplex auto | |
poe { | |
output off | |
} | |
speed auto | |
vif 8 { | |
address 192.168.8.x/24 | |
} | |
} | |
ethernet eth5 { | |
address 192.168.100.1/24 | |
description "Internet SFP" | |
duplex auto | |
pppoe 1 { | |
default-route auto | |
dhcpv6-pd { | |
no-dns | |
pd 1 { | |
interface switch0.1000 { | |
host-address ::1 | |
no-dns | |
prefix-id :1 | |
service slaac | |
} | |
prefix-length /60 | |
} | |
rapid-commit enable | |
} | |
firewall { | |
in { | |
ipv6-name WANv6_IN | |
name WAN_IN | |
} | |
local { | |
ipv6-name WANv6_LOCAL | |
name WAN_LOCAL | |
} | |
out { | |
ipv6-name WANv6_OUT | |
name WAN_OUT | |
} | |
} | |
ipv6 { | |
address { | |
autoconf | |
} | |
dup-addr-detect-transmits 1 | |
enable { | |
} | |
} | |
mtu 1492 | |
name-server auto | |
password **************** | |
user-id *** | |
} | |
speed auto | |
} | |
loopback lo { | |
} | |
switch switch0 { | |
address 10.0.0.1/24 | |
description Local | |
ip { | |
ospf { | |
dead-interval 40 | |
hello-interval 10 | |
priority 100 | |
retransmit-interval 5 | |
transmit-delay 1 | |
} | |
} | |
mtu 1500 | |
switch-port { | |
interface eth1 { | |
} | |
interface eth2 { | |
} | |
vlan-aware disable | |
} | |
vif 1000 { | |
description IPv6_HOME_LAN | |
ipv6 { | |
router-advert { | |
default-lifetime 1800 | |
max-interval 600 | |
min-interval 60 | |
prefix ::/64 { | |
autonomous-flag true | |
on-link-flag true | |
preferred-lifetime 86400 | |
valid-lifetime 86400 | |
} | |
reachable-time 0 | |
retrans-timer 0 | |
send-advert true | |
} | |
} | |
} | |
} | |
wireguard wg0 { | |
address 10.8.2.3/32 | |
description Wireguard | |
mtu 1420 | |
peer xxx { | |
allowed-ips 10.8.2.0/24 | |
endpoint xxxx:52550 | |
persistent-keepalive 60 | |
} | |
private-key **************** | |
route-allowed-ips true | |
} | |
} | |
port-forward { | |
auto-firewall enable | |
hairpin-nat enable | |
lan-interface switch0 | |
rule 1 { | |
description transmission | |
forward-to { | |
address 192.168.1.x | |
port xxx | |
} | |
original-port xxx | |
protocol tcp_udp | |
} | |
wan-interface pppoe1 | |
} | |
protocols { | |
ospf { | |
area 0 { | |
area-type { | |
normal | |
} | |
network 10.0.0.0/24 | |
} | |
area 2 { | |
area-type { | |
normal | |
} | |
network 192.168.100.0/24 | |
network 192.168.200.0/24 | |
} | |
default-information { | |
originate { | |
always | |
metric-type 2 | |
} | |
} | |
parameters { | |
abr-type cisco | |
router-id 10.0.0.1 | |
} | |
} | |
static { | |
} | |
} | |
service { | |
dhcp-server { | |
disabled false | |
hostfile-update disable | |
shared-network-name LAN { | |
authoritative enable | |
disable | |
subnet 192.168.1.0/24 { | |
default-router 192.168.1.1 | |
dns-server 192.168.1.199 | |
lease 86400 | |
start 192.168.1.51 { | |
stop 192.168.1.250 | |
} | |
} | |
} | |
shared-network-name MikroTik { | |
authoritative enable | |
subnet 192.168.200.0/24 { | |
default-router 192.168.200.1 | |
dns-server 192.168.1.199 | |
lease 86400 | |
start 192.168.200.51 { | |
stop 192.168.200.250 | |
} | |
} | |
} | |
static-arp disable | |
use-dnsmasq disable | |
} | |
dns { | |
forwarding { | |
cache-size 150 | |
listen-on switch0 | |
} | |
} | |
nat { | |
rule 10 { | |
description DNS | |
destination { | |
address !192.168.1.199 | |
port 53,5353,5354,853 | |
} | |
inbound-interface switch0 | |
inside-address { | |
address 192.168.1.199 | |
port 53 | |
} | |
protocol tcp_udp | |
source { | |
address !192.168.1.199 | |
} | |
type destination | |
} | |
rule 5000 { | |
description "masquerade for WAN" | |
log disable | |
outbound-interface pppoe1 | |
protocol all | |
type masquerade | |
} | |
rule 5001 { | |
description "masquerade for WAN" | |
disable | |
log disable | |
outbound-interface pppoe0 | |
protocol all | |
type masquerade | |
} | |
rule 5002 { | |
description "Masquerade for DNS" | |
destination { | |
address 192.168.1.199 | |
port 53 | |
} | |
outbound-interface switch0 | |
protocol tcp_udp | |
source { | |
address 192.168.0.0/16 | |
} | |
type masquerade | |
} | |
} | |
ssh { | |
disable-password-authentication | |
port xx | |
protocol-version v2 | |
} | |
ubnt-discover { | |
disable | |
} | |
unms { | |
disable | |
} | |
} | |
system { | |
analytics-handler { | |
send-analytics-report false | |
} | |
config-management { | |
commit-revisions 20 | |
} | |
crash-handler { | |
send-crash-report false | |
} | |
host-name ER-X-SFP | |
ipv6 { | |
} | |
login { | |
user liangwu { | |
authentication { | |
encrypted-password **************** | |
public-keys xx { | |
key **************** | |
type ssh-rsa | |
} | |
public-keys tencent { | |
key **************** | |
type ssh-rsa | |
} | |
} | |
full-name "xx" | |
level admin | |
} | |
} | |
ntp { | |
server 0.ubnt.pool.ntp.org { | |
} | |
server 1.ubnt.pool.ntp.org { | |
} | |
server 2.ubnt.pool.ntp.org { | |
} | |
server 3.ubnt.pool.ntp.org { | |
} | |
} | |
offload { | |
hwnat enable | |
ipsec enable | |
} | |
syslog { | |
global { | |
facility all { | |
level notice | |
} | |
} | |
host 192.168.1.199 { | |
facility all { | |
level err | |
} | |
} | |
} | |
task-scheduler { | |
task backup-edgeos { | |
executable { | |
path /config/user-data/hooks/03-edgerouter-backup.sh | |
} | |
interval 1d | |
} | |
task pihole-check { | |
executable { | |
path /config/user-data/scripts/pihole-check.sh | |
} | |
interval 1m | |
} | |
task updateEdgeosDNS { | |
executable { | |
path /config/scripts/updateEdgeosDNS.sh | |
} | |
interval 1h | |
} | |
} | |
time-zone Asia/Shanghai | |
} |
#!/bin/bash
# pihole-check: keep the DNS redirect (NAT rule 10 and its masquerade
# rule 5002) enabled only while the Pi-hole host at $SSH_HOST answers.
# Scheduled every minute from the EdgeOS task-scheduler.
#
# Probe: an HTTP request to port 5380 on $SSH_HOST. A 403 reply is treated
# as "up"; anything else (including curl's 000 when the 1-second timeout
# expires) is treated as "down". NOTE(review): why 403 is the healthy
# status is not visible here — presumably the web UI's answer to an
# unauthenticated request; confirm against the service.
#
# NOTE(review): run, configure, set, delete, commit and exit below are
# presumably the configuration-mode wrappers installed by the sourced
# script-template rather than the shell builtins of the same name; that
# `exit` leaves configure mode, it does not end the script. Do not wrap
# these lines in a function or re-order them without checking the template.
source /config/user-data/edgerouter-backup.conf   # expected to set SSH_HOST
source /opt/vyatta/etc/functions/script-template
# -m 1 bounds the probe so the scheduler task cannot hang on a dead host.
RESPONSE=$(curl -m 1 --write-out '%{http_code}' --silent --output /dev/null "http://$SSH_HOST:5380")
if [ "$RESPONSE" -eq 403 ]; then
# if /opt/vyatta/bin/vyatta-op-cmd-wrapper show nat statistics | awk '{print $1"\t"$2}' | grep 10 | grep -q disabled; then
  # Pi-hole up: only touch the config when rule 10 is currently disabled.
  # -w keeps "10" from also matching rule numbers such as 100 or 5010.
  if run show nat statistics | awk '{print $1"\t"$2}' | grep -w 10 | grep -q disabled; then
    configure
    delete service nat rule 10 disable
    delete service nat rule 5002 disable
    commit
    exit
  fi
else
# if ! /opt/vyatta/bin/vyatta-op-cmd-wrapper show nat statistics | awk '{print $1"\t"$2}' | grep 10 | grep -q disabled; then
  # Pi-hole down: only touch the config when rule 10 is currently enabled.
  if ! run show nat statistics | awk '{print $1"\t"$2}' | grep -w 10 | grep -q disabled; then
    configure
    set service nat rule 10 disable
    set service nat rule 5002 disable
    commit
    exit
  fi
fi
!Software Version V200R021C00SPC600 | |
# | |
sysname HUAWEI-SW | |
# | |
info-center channel 6 name loghost1 | |
info-center loghost 192.168.1.x channel 6 security-log operation-log | |
# | |
ipv6 | |
# | |
dns resolve | |
dns server 223.5.5.5 | |
# | |
vlan batch 8 100 200 210 220 230 1000 | |
# | |
authentication-profile name default_authen_profile | |
authentication-profile name dot1x_authen_profile | |
authentication-profile name dot1xmac_authen_profile | |
authentication-profile name mac_authen_profile | |
authentication-profile name multi_authen_profile | |
authentication-profile name portal_authen_profile | |
# | |
igmp-snooping enable | |
# | |
mld-snooping enable | |
# | |
http server-source -i Vlanif8 | |
# | |
clock timezone BJ add 08:00:00 | |
# | |
time-range Deny_CMCC-TV 00:00 to 23:59 off-day | |
time-range Deny_CMCC-TV 00:00 to 08:00 working-day | |
time-range Deny_CMCC-TV 16:00 to 23:59 working-day | |
# | |
dhcp enable | |
dhcp speed-limit auto | |
undo dhcp anti-attack check udp-checksum | |
dhcp broadcast suppress enable | |
# | |
dhcp snooping enable | |
# | |
dhcp server database enable | |
dhcp server database recover | |
# | |
smart-upgrade web-prompt disable | |
# | |
radius-server template default | |
# | |
acl name Deny_CMCC-TV 2000 | |
rule 5 deny source 192.168.21.x 0 time-range Deny_CMCC-TV | |
rule 10 deny source 192.168.21.x 0 time-range Deny_CMCC-TV | |
rule 15 deny source 192.168.21.x 0 time-range Deny_CMCC-TV | |
rule 20 deny source 192.168.21.x 0 | |
# | |
acl name acl_source-vlan210 3001 | |
rule 5 permit ip source 192.168.21.0 0.0.0.255 | |
acl name acl_dest-vlan210 3002 | |
rule 5 permit ip destination 192.168.21.0 0.0.0.255 | |
acl name acl_source-vlan220 3003 | |
rule 5 permit ip source 192.168.22.0 0.0.0.255 | |
acl name acl_dest-vlan220 3004 | |
rule 5 permit ip destination 192.168.22.0 0.0.0.255 | |
acl name acl_source-vlan230 3005 | |
rule 5 deny ip source 192.168.23.0 0.0.0.255 | |
acl name acl_dest-vlan230 3006 | |
rule 5 deny ip destination 192.168.23.0 0.0.0.255 | |
acl name acl_vlan210-to-lan 3010 | |
rule 5 permit ip destination 192.168.1.x 0 | |
rule 15 deny ip destination 192.168.1.0 0.0.0.255 | |
rule 20 deny ip destination 192.168.8.0 0.0.0.255 | |
acl name acl_permit-199 3011 | |
rule 5 permit ip source 192.168.1.x 0 | |
# | |
traffic classifier tc_cmcc-tv operator or | |
if-match acl Deny_CMCC-TV | |
traffic classifier tc_dest-vlan210 operator or | |
if-match acl acl_dest-vlan210 | |
traffic classifier tc_dest-vlan220 operator or | |
if-match acl acl_dest-vlan220 | |
traffic classifier tc_dest-vlan230 operator or | |
if-match acl acl_dest-vlan230 | |
traffic classifier tc_permit-199 operator or | |
if-match acl acl_permit-199 | |
traffic classifier tc_source-vlan210 operator or | |
if-match acl acl_source-vlan210 | |
traffic classifier tc_source-vlan220 operator or | |
if-match acl acl_source-vlan220 | |
traffic classifier tc_source-vlan230 operator or | |
if-match acl acl_source-vlan230 | |
traffic classifier tc_vlan210-to-lan operator or | |
if-match acl acl_vlan210-to-lan | |
# | |
traffic behavior tb_deny | |
deny | |
traffic behavior tb_dest-vlan210 | |
car cir 51200 pir 102400 cbs 6400000 pbs 12800000 mode color-blind green pass yellow pass red discard | |
traffic behavior tb_dest-vlan220 | |
car cir 5120 pir 10240 cbs 640000 pbs 1280000 mode color-blind green pass yellow pass red discard | |
traffic behavior tb_permit | |
permit | |
traffic behavior tb_source-vlan210 | |
car cir 5120 pir 10240 cbs 640000 pbs 1280000 mode color-blind green pass yellow pass red discard | |
traffic behavior tb_source-vlan220 | |
car cir 5120 pir 10240 cbs 640000 pbs 1280000 mode color-blind green pass yellow pass red discard | |
traffic behavior tb_vlan210-to-lan | |
permit | |
# | |
traffic policy tp_dest-vlan210 | |
classifier tc_dest-vlan210 behavior tb_dest-vlan210 | |
classifier tc_dest-vlan220 behavior tb_dest-vlan220 | |
classifier tc_dest-vlan230 behavior tb_permit | |
traffic policy tp_dest-vlan220 | |
classifier tc_dest-vlan220 behavior tb_dest-vlan220 | |
traffic policy tp_dest-vlan230 | |
classifier tc_dest-vlan230 behavior tb_permit | |
traffic policy tp_permit-199 | |
classifier tc_permit-199 behavior tb_deny | |
traffic policy tp_source-vlan210 | |
classifier tc_cmcc-tv behavior tb_permit | |
classifier tc_source-vlan210 behavior tb_source-vlan210 | |
classifier tc_source-vlan220 behavior tb_source-vlan220 | |
classifier tc_source-vlan230 behavior tb_permit | |
traffic policy tp_source-vlan220 | |
classifier tc_source-vlan220 behavior tb_source-vlan220 | |
traffic policy tp_source-vlan230 | |
classifier tc_vlan210-to-lan behavior tb_vlan210-to-lan | |
# | |
free-rule-template name default_free_rule | |
# | |
portal-access-profile name portal_access_profile | |
# | |
vlan 8 | |
description lan for mgmt | |
name MGMT_LAN | |
management-vlan | |
vlan 100 | |
description to route | |
vlan 200 | |
description lan for home | |
name HOME_LAN | |
mac-vlan mac-address e45e-3732-xxxx priority 0 | |
mac-vlan mac-address 2037-a51f-xxxx priority 0 | |
mac-vlan mac-address b831-b51e-xxxx priority 0 | |
mac-vlan mac-address b831-b51e-xxxx priority 0 | |
mac-vlan mac-address 1c98-ec0f-xxxx priority 0 | |
dhcp snooping enable | |
ipv4 source check user-bind enable | |
ipv6 source check user-bind enable | |
vlan 210 | |
description lan for guest | |
name GUEST_LAN | |
dhcp snooping enable | |
ipv4 source check user-bind enable | |
ipv6 source check user-bind enable | |
traffic-policy tp_vlan210-to-lan inbound | |
vlan 220 | |
description lan for IoT | |
name IoT_LAN | |
mac-vlan mac-address ec3d-fdbe-xxxx priority 0 | |
mac-vlan mac-address a03e-6b46-xxxx priority 0 | |
mac-vlan mac-address 2cdd-5fb6-xxxx priority 0 | |
dhcp snooping enable | |
ipv4 source check user-bind enable | |
ipv6 source check user-bind enable | |
traffic-policy tp_vlan210-to-lan inbound | |
vlan 230 | |
description intranet | |
name Intra_LAN | |
mac-vlan mac-address 345b-bb8f-xxxx priority 0 | |
mac-vlan mac-address 345b-bba1-xxxx priority 0 | |
mac-vlan mac-address bc14-efdb-xxxx priority 0 | |
mac-vlan mac-address 9ca6-9d70-xxxx priority 0 | |
mac-vlan mac-address 5455-d578-xxxx priority 0 | |
mac-vlan mac-address 04cf-8c91-xxxx priority 0 | |
mac-vlan mac-address 8444-afb9-xxxx priority 0 | |
dhcp snooping enable | |
ipv4 source check user-bind enable | |
ipv6 source check user-bind enable | |
traffic-policy tp_permit-199 inbound | |
vlan 1000 | |
description ipv6 for lan | |
# | |
ntp-service server disable | |
ntp-service ipv6 server disable | |
ntp-service unicast-server 202.112.29.82 | |
ntp-service unicast-server 119.28.183.184 | |
ntp-service unicast-server 78.46.102.180 | |
ntp-service unicast-server 202.112.31.197 | |
# | |
interface Vlanif8 | |
ip address 192.168.8.x 255.255.255.0 | |
# | |
interface Vlanif100 | |
ip address 10.0.0.2 255.255.255.0 | |
# | |
interface Vlanif200 | |
ip address 192.168.1.1 255.255.255.0 | |
dhcp select interface | |
dhcp server ip-range 192.168.1.x 192.168.1.x | |
dhcp server gateway-list 192.168.1.1 | |
dhcp server static-bind ip-address 192.168.1.x mac-address 000c-2936-xxxx | |
dhcp server static-bind ip-address 192.168.1.x mac-address 1c98-ec0f-xxxx | |
dhcp server static-bind ip-address 192.168.1.x mac-address 1c98-ec0f-xxxx | |
dhcp server static-bind ip-address 192.168.1.x mac-address 1c98-ec0f-xxxx | |
dhcp server dns-list 192.168.1.199 223.5.5.5 114.114.114.114 | |
dhcp server logging allocation-fail allocation-success renew-success | |
# | |
interface Vlanif210 | |
ip address 192.168.21.1 255.255.255.0 | |
dhcp select interface | |
dhcp server ip-range 192.168.21.x 192.168.21.x | |
dhcp server gateway-list 192.168.21.1 | |
dhcp server static-bind ip-address 192.168.21.x mac-address 007e-5637-xxxx | |
dhcp server static-bind ip-address 192.168.21.x mac-address f09c-d791-xxxx | |
dhcp server static-bind ip-address 192.168.21.x mac-address e206-5fe2-xxxx | |
dhcp server static-bind ip-address 192.168.21.x mac-address a4d7-3c55-xxxx | |
dhcp server dns-list 192.168.1.199 223.5.5.5 114.114.114.114 | |
# | |
interface Vlanif220 | |
ip address 192.168.22.1 255.255.255.0 | |
dhcp select interface | |
dhcp server ip-range 192.168.22.x 192.168.22.x | |
dhcp server gateway-list 192.168.22.1 | |
dhcp server dns-list 192.168.1.199 223.5.5.5 114.114.114.114 | |
dhcp server logging allocation-fail allocation-success renew-success | |
# | |
interface Vlanif230 | |
ip address 192.168.23.1 255.255.255.0 | |
dhcp select interface | |
dhcp server ip-range 192.168.23.x 192.168.23.x | |
dhcp server gateway-list 192.168.23.1 | |
dhcp server static-bind ip-address 192.168.23.x mac-address a4d7-3c55-xxxx | |
dhcp server dns-list 192.168.23.1 | |
dhcp server logging allocation-fail allocation-success renew-success | |
# | |
interface Vlanif1000 | |
# | |
interface Eth-Trunk1 | |
port link-type trunk | |
undo port trunk allow-pass vlan 1 | |
port trunk allow-pass vlan 8 200 210 220 230 1000 | |
loopback-detect enable | |
stp edged-port enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/1 | |
energy-efficient-ethernet enable | |
port-auto-sleep enable | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/2 | |
port link-type hybrid | |
port hybrid pvid vlan 100 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 1000 | |
port hybrid untagged vlan 100 | |
loopback-detect enable | |
traffic-policy tp_dest-vlan210 inbound | |
traffic-policy tp_source-vlan210 outbound | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/3 | |
energy-efficient-ethernet enable | |
port-auto-sleep enable | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
port description desktop | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/4 | |
energy-efficient-ethernet enable | |
port-auto-sleep enable | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/5 | |
energy-efficient-ethernet enable | |
port-auto-sleep enable | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/6 | |
eth-trunk 1 | |
# | |
# | |
interface GigabitEthernet0/0/7 | |
energy-efficient-ethernet enable | |
port-auto-sleep enable | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/8 | |
eth-trunk 1 | |
# | |
interface GigabitEthernet0/0/9 | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/10 | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/11 | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface GigabitEthernet0/0/12 | |
port link-type hybrid | |
port hybrid pvid vlan 210 | |
undo port hybrid vlan 1 | |
port hybrid tagged vlan 8 | |
port hybrid untagged vlan 200 210 220 230 | |
loopback-detect enable | |
stp edged-port enable | |
mac-vlan enable | |
dhcp snooping enable | |
# | |
interface NULL0 | |
# | |
ospf 1 router-id 10.0.0.2 | |
area 0.0.0.0 | |
network 10.0.0.0 0.0.0.255 | |
area 0.0.0.1 | |
network 192.168.1.0 0.0.0.255 | |
network 192.168.21.0 0.0.0.255 | |
network 192.168.22.0 0.0.0.255 | |
# | |
undo icmp name timestamp-request receive | |
# | |
# | |
sftp server enable | |
stelnet server enable | |
ssh user admin | |
ssh user admin authentication-type password | |
ssh user admin service-type all | |
ssh user admin sftp-directory flash: | |
ssh user liangwu | |
ssh user liangwu authentication-type all | |
ssh user liangwu assign rsa-key liangwu | |
ssh user liangwu service-type all | |
ssh user liangwu sftp-directory flash: | |
ssh server-source -i Vlanif8 | |
ssh server cipher aes256_ctr aes128_ctr | |
ssh server hmac sha2_256 | |
ssh server key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256 | |
ssh client cipher aes256_ctr aes128_ctr | |
ssh client hmac sha2_256 | |
ssh client key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256 | |
ssh server dh-exchange min-len 2048 | |
ssh server publickey rsa_sha2_512 rsa_sha2_256 | |
# | |
user-interface con 0 | |
authentication-mode aaa | |
user-interface vty 0 4 | |
authentication-mode aaa | |
user-interface vty 16 20 | |
# | |
dot1x-access-profile name dot1x_access_profile | |
# | |
mac-access-profile name mac_access_profile | |
# | |
ops | |
# | |
return |
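#!/bin/bash
# Update a DigitalOcean DNS record with the current global IPv6 address of
# switch0.1000 (the IPv6 LAN VIF). Intended for the EdgeOS task-scheduler.
#
# DIGITALOCEAN_TOKEN: API token with write access to the domain. The
# assignment below is only a default, so the token can be exported by the
# caller instead of living in this file; the script never places it on the
# curl command line, where every local user could read it via ps.
DIGITALOCEAN_TOKEN=${DIGITALOCEAN_TOKEN:-xx}

# First inet6 address on the interface that is not link-local, host-scoped,
# deprecated or temporary, without its prefix length. A single awk pass
# replaces the grep/awk chain and stops at the first match, so an interface
# with several global addresses can no longer yield a multi-line value that
# corrupts the JSON body.
IP=$(ip -6 addr show switch0.1000 \
  | awk '/inet6/ && !/link|host|deprecated|temporary/ { split($2, a, "/"); print a[1]; exit }')

# Refuse to send an empty or malformed value; previously the record was
# overwritten with "" whenever the interface had no usable address yet.
case "$IP" in
  ""|*[!0-9A-Fa-f:]*)
    printf 'updateEdgeosDNS: no usable IPv6 address on switch0.1000 (got "%s")\n' "$IP" >&2
    exit 1
    ;;
esac

# Headers (including the bearer token) are fed through curl's config reader
# on stdin (-K -) rather than argv. The body is not secret and stays on the
# command line.
curl -X PUT -K - \
  -d '{"data":"'"$IP"'"}' \
  "https://api.digitalocean.com/v2/domains/x.com/records/x" <<EOF
header = "Content-Type: application/json"
header = "Authorization: Bearer $DIGITALOCEAN_TOKEN"
EOF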