@glw119
Created January 28, 2024 11:58
Home Network Configuration
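#!/bin/bash
# EdgeOS commit hook: dump the active configuration (plain and as set-commands)
# plus a tar of /config, copy the three files to a git checkout on a remote
# host and trigger a commit there.
# ref https://github.com/psitem/edgerouter-backup
# This script runs during the commit
#
# Inputs:
#   /config/user-data/edgerouter-backup.conf - expected to define FNAME_CONFIG,
#       FNAME_CLI, FNAME_BACKUP, SSH_USER, SSH_HOST, SSH_PORT, SSH_KEYFILE,
#       REPO_PATH and DEFAULT_COMMIT_MESSAGE (names taken from their use below).
#   COMMIT_VIA, COMMIT_COMMENT - taken from the environment when present.
#   $1 - the word "rollback" when the hook runs for a rollback/reboot.
# Outputs: progress lines on stdout. Temporary files are removed on exit.
source /config/user-data/edgerouter-backup.conf

# Abort with a readable message instead of running scp/ssh with empty pieces
# of the host, port or path when the conf file is missing or incomplete.
: "${FNAME_CONFIG:?must be set in edgerouter-backup.conf}"
: "${FNAME_CLI:?must be set in edgerouter-backup.conf}"
: "${FNAME_BACKUP:?must be set in edgerouter-backup.conf}"
: "${SSH_USER:?must be set in edgerouter-backup.conf}"
: "${SSH_HOST:?must be set in edgerouter-backup.conf}"
: "${SSH_PORT:?must be set in edgerouter-backup.conf}"
: "${SSH_KEYFILE:?must be set in edgerouter-backup.conf}"
: "${REPO_PATH:?must be set in edgerouter-backup.conf}"

# Pull commit info
COMMIT_VIA=${COMMIT_VIA:-other}
COMMIT_CMT=${COMMIT_COMMENT:-$DEFAULT_COMMIT_MESSAGE}
# If no comment, replace with default (the comment then arrives as the
# literal word "commit").
if [[ "$COMMIT_CMT" == "commit" ]]; then
  COMMIT_CMT=$DEFAULT_COMMIT_MESSAGE
fi
# Check if rollback
if [[ $# -eq 1 && "$1" == "rollback" ]]; then
  COMMIT_VIA="rollback/reboot"
fi
TIME=$(date '+%Y-%m-%d %H:%M:%S')
commit_user=$(whoami)
GIT_COMMIT_MSG="$COMMIT_CMT | by $commit_user | via $COMMIT_VIA | $TIME"

# Private scratch directory instead of fixed, predictable names in /tmp;
# removed by the trap on every exit path (as root, because tar below runs
# as root).
tmpdir=$(mktemp -d /tmp/edgerouter-backup.XXXXXX) || exit 1
cleanup() { sudo rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT
cfg_tmp="$tmpdir/$FNAME_CONFIG"
cli_tmp="$tmpdir/$FNAME_CLI"
tar_tmp="$tmpdir/$FNAME_BACKUP.tar"

# Generate temporary config files
sudo cli-shell-api showConfig --show-active-only --show-ignore-edit --show-show-defaults > "$cfg_tmp"
sudo cli-shell-api showConfig --show-commands --show-active-only --show-ignore-edit --show-show-defaults > "$cli_tmp"
# Archive everything under /config except the DHCP lease file. The file list
# is NUL-delimited and fed to tar -T in one pass, so names with spaces survive
# and a long list cannot split into several tar invocations that overwrite
# each other (which xargs would do). --no-recursion: find already lists every
# entry, so directories must not be added a second time. tar runs as root so
# root-only files under /config are included; stderr is silenced because tar
# reports the stripped leading "/" there (presumably why the original hid it).
sudo find /config -mindepth 1 ! -path '/config/dhcpd.leases*' -print0 \
  | sudo tar --null --no-recursion -T - -cf "$tar_tmp" 2>/dev/null

# Push config files
# NOTE(review): host-key checking is disabled (UserKnownHostsFile=/dev/null +
# StrictHostKeyChecking=no), so nothing protects the transfer against a
# man-in-the-middle on the path to $SSH_HOST; pinning the host key in a
# dedicated known_hosts file passed via UserKnownHostsFile would close that.
ssh_common=(-q -i "$SSH_KEYFILE" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no)
remote="$SSH_USER@$SSH_HOST"
echo "edgerouter-backup: Copying backup files to $remote:$REPO_PATH"
sudo scp -P "$SSH_PORT" "${ssh_common[@]}" "$cfg_tmp" "$remote:$REPO_PATH/$FNAME_CONFIG" > /dev/null
sudo scp -P "$SSH_PORT" "${ssh_common[@]}" "$cli_tmp" "$remote:$REPO_PATH/$FNAME_CLI" > /dev/null
# Everything sent to the remote shell is expanded there (the gzip redirect and
# the git commands), so each value is shell-quoted first; the commit message
# is free operator text and must not be able to break out of the command.
q_repo=$(printf '%q' "$REPO_PATH")
q_cfg=$(printf '%q' "$REPO_PATH/$FNAME_CONFIG")
q_cli=$(printf '%q' "$REPO_PATH/$FNAME_CLI")
q_tgz=$(printf '%q' "$REPO_PATH/$FNAME_BACKUP.tar.gz")
q_msg=$(printf '%q' "$GIT_COMMIT_MSG")
# cat via sudo: the archive was written by root.
sudo cat "$tar_tmp" | sudo ssh -p "$SSH_PORT" "${ssh_common[@]}" "$remote" "gzip -cnq9 > $q_tgz" > /dev/null

# git commit and git push on remote host
echo "edgerouter-backup: Triggering 'git commit'"
sudo ssh -p "$SSH_PORT" "${ssh_common[@]}" "$remote" 'bash -s' << ENDSSH > /dev/null
cd $q_repo || exit 1
git add -- $q_cfg
git add -- $q_cli
git add -- $q_tgz
git commit -m $q_msg
ENDSSH
#git push
echo "edgerouter-backup: Complete"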
firewall {
all-ping enable
broadcast-ping disable
group {
address-group douyin-address {
address xx.xx.xx.xx/24
description "douyin ipv4 address"
}
address-group rfc1918 {
address 10.0.0.0/8
address 172.16.0.0/12
address 192.168.0.0/16
description "RFC1918 ranges"
}
ipv6-address-group douyin-ipv6-address {
description "douyin ipv6 address"
ipv6-address xx:xx:xx:xx::/64
}
port-group douyin-port {
description "douyin dns"
port 6443
}
}
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description transmission
destination {
port xx
}
protocol tcp_udp
}
rule 40 {
action drop
description "blocking brute-forcing attempts"
destination {
port xx
}
protocol tcp
recent {
count 4
time 60
}
state {
new enable
}
}
rule 41 {
action accept
description nas-ssh
destination {
port xx
}
protocol tcp
state {
new enable
}
}
rule 50 {
action accept
description https
destination {
port xx
}
protocol tcp
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
rule 50 {
action drop
description "blocking brute-forcing attempts"
destination {
port xx
}
protocol tcp
recent {
count 4
time 60
}
state {
new enable
}
}
rule 51 {
action accept
description "allow ssh"
destination {
port xx
}
protocol tcp
state {
new enable
}
}
}
ipv6-name WANv6_OUT {
default-action accept
rule 10 {
action drop
description "deny douyin ipv6 address group weekdays"
destination {
group {
ipv6-address-group douyin-ipv6-address
}
}
disable
protocol all
time {
contiguous
starttime 15:00:00
stoptime 07:00:00
weekdays !Sat,Sun
}
}
rule 20 {
action drop
description "deny douyin ipv6 address group weekend"
destination {
group {
ipv6-address-group douyin-ipv6-address
}
}
disable
protocol all
time {
weekdays Sat,Sun
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description Transmission
destination {
port xx
}
protocol tcp_udp
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_OUT {
default-action accept
rule 10 {
action drop
description "deny douyin port"
destination {
group {
port-group douyin-port
}
}
disable
protocol tcp_udp
}
rule 20 {
action drop
description "deny douyin ipv4 address weekdays"
destination {
group {
address-group douyin-address
}
}
disable
protocol all
time {
contiguous
starttime 15:00:00
stoptime 07:00:00
weekdays !Sat,Sun
}
}
rule 30 {
action drop
description "deny douyin ipv4 address weekend"
destination {
group {
address-group douyin-address
}
}
disable
protocol all
time {
weekdays Sat,Sun
}
}
}
options {
mss-clamp {
interface-type pppoe
mss 1452
}
mss-clamp6 {
interface-type pppoe
mss 1432
}
}
receive-redirects disable
send-redirects enable
source-validation strict
syn-cookies enable
}
interfaces {
ethernet eth0 {
description "Internet (PPPoE)"
disable
duplex auto
poe {
output off
}
pppoe 0 {
default-route auto
dhcpv6-pd {
no-dns
pd 0 {
interface switch0.200 {
host-address ::1
no-dns
prefix-id :1
service slaac
}
prefix-length /60
}
rapid-commit enable
}
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
out {
ipv6-name WANv6_OUT
name WAN_OUT
}
}
ipv6 {
address {
autoconf
}
dup-addr-detect-transmits 1
enable {
}
}
mtu 1492
name-server auto
password ****************
user-id **
}
speed auto
}
ethernet eth1 {
description Local
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
description Local
disable
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
address 192.168.200.x/24
description MikroTik
duplex auto
poe {
output 24v
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
vif 8 {
address 192.168.8.x/24
}
}
ethernet eth5 {
address 192.168.100.1/24
description "Internet SFP"
duplex auto
pppoe 1 {
default-route auto
dhcpv6-pd {
no-dns
pd 1 {
interface switch0.1000 {
host-address ::1
no-dns
prefix-id :1
service slaac
}
prefix-length /60
}
rapid-commit enable
}
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
out {
ipv6-name WANv6_OUT
name WAN_OUT
}
}
ipv6 {
address {
autoconf
}
dup-addr-detect-transmits 1
enable {
}
}
mtu 1492
name-server auto
password ****************
user-id ***
}
speed auto
}
loopback lo {
}
switch switch0 {
address 10.0.0.1/24
description Local
ip {
ospf {
dead-interval 40
hello-interval 10
priority 100
retransmit-interval 5
transmit-delay 1
}
}
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
vlan-aware disable
}
vif 1000 {
description IPv6_HOME_LAN
ipv6 {
router-advert {
default-lifetime 1800
max-interval 600
min-interval 60
prefix ::/64 {
autonomous-flag true
on-link-flag true
preferred-lifetime 86400
valid-lifetime 86400
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
}
}
wireguard wg0 {
address 10.8.2.3/32
description Wireguard
mtu 1420
peer xxx {
allowed-ips 10.8.2.0/24
endpoint xxxx:52550
persistent-keepalive 60
}
private-key ****************
route-allowed-ips true
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
rule 1 {
description transmission
forward-to {
address 192.168.1.x
port xxx
}
original-port xxx
protocol tcp_udp
}
wan-interface pppoe1
}
protocols {
ospf {
area 0 {
area-type {
normal
}
network 10.0.0.0/24
}
area 2 {
area-type {
normal
}
network 192.168.100.0/24
network 192.168.200.0/24
}
default-information {
originate {
always
metric-type 2
}
}
parameters {
abr-type cisco
router-id 10.0.0.1
}
}
static {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
disable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.199
lease 86400
start 192.168.1.51 {
stop 192.168.1.250
}
}
}
shared-network-name MikroTik {
authoritative enable
subnet 192.168.200.0/24 {
default-router 192.168.200.1
dns-server 192.168.1.199
lease 86400
start 192.168.200.51 {
stop 192.168.200.250
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0
}
}
nat {
rule 10 {
description DNS
destination {
address !192.168.1.199
port 53,5353,5354,853
}
inbound-interface switch0
inside-address {
address 192.168.1.199
port 53
}
protocol tcp_udp
source {
address !192.168.1.199
}
type destination
}
rule 5000 {
description "masquerade for WAN"
log disable
outbound-interface pppoe1
protocol all
type masquerade
}
rule 5001 {
description "masquerade for WAN"
disable
log disable
outbound-interface pppoe0
protocol all
type masquerade
}
rule 5002 {
description "Masquerade for DNS"
destination {
address 192.168.1.199
port 53
}
outbound-interface switch0
protocol tcp_udp
source {
address 192.168.0.0/16
}
type masquerade
}
}
ssh {
disable-password-authentication
port xx
protocol-version v2
}
ubnt-discover {
disable
}
unms {
disable
}
}
system {
analytics-handler {
send-analytics-report false
}
config-management {
commit-revisions 20
}
crash-handler {
send-crash-report false
}
host-name ER-X-SFP
ipv6 {
}
login {
user liangwu {
authentication {
encrypted-password ****************
public-keys xx {
key ****************
type ssh-rsa
}
public-keys tencent {
key ****************
type ssh-rsa
}
}
full-name "xx"
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
ipsec enable
}
syslog {
global {
facility all {
level notice
}
}
host 192.168.1.199 {
facility all {
level err
}
}
}
task-scheduler {
task backup-edgeos {
executable {
path /config/user-data/hooks/03-edgerouter-backup.sh
}
interval 1d
}
task pihole-check {
executable {
path /config/user-data/scripts/pihole-check.sh
}
interval 1m
}
task updateEdgeosDNS {
executable {
path /config/scripts/updateEdgeosDNS.sh
}
interval 1h
}
}
time-zone Asia/Shanghai
}
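#!/bin/bash
# Scheduled task: keep the DNS-redirect NAT rules (10 and 5002) in step with
# the host at $SSH_HOST. When its web port answers 403 the rules are enabled;
# when it does not answer they are disabled so clients are no longer
# redirected to a dead resolver. (Port 5380 is presumably the resolver's admin
# UI; the task-scheduler entry pihole-check appears to run this script.)
#
# Globals: SSH_HOST from edgerouter-backup.conf; run, configure, set, delete
#          and commit come from the EdgeOS script template.
# Exits:   after a commit in either direction, otherwise falls off the end.
source /config/user-data/edgerouter-backup.conf
source /opt/vyatta/etc/functions/script-template

# Returns 0 when 'show nat statistics' lists rule 10 as disabled.
# Earlier versions called /opt/vyatta/bin/vyatta-op-cmd-wrapper directly;
# 'run' from the script template is used instead.
nat_rule_10_disabled() {
  # NOTE(review): grep -w 10 also matches a counter value of 10 in the second
  # column; matching on $1 == "10" would be stricter — confirm the column
  # layout of 'show nat statistics' before tightening this.
  run show nat statistics | awk '{print $1"\t"$2}' | grep -w 10 | grep -q disabled
}

# One-second timeout; on a connection failure curl prints 000, which does not
# equal 403 and takes the "down" branch.
RESPONSE=$(curl -m 1 --write-out '%{http_code}' --silent --output /dev/null "http://$SSH_HOST:5380")
if [[ "$RESPONSE" -eq 403 ]]; then
  # Host is up: re-enable the redirect if an earlier run turned it off.
  if nat_rule_10_disabled; then
    configure
    delete service nat rule 10 disable
    delete service nat rule 5002 disable
    commit
    exit
  fi
else
  # Host is down: park the redirect until it answers again.
  if ! nat_rule_10_disabled; then
    configure
    set service nat rule 10 disable
    set service nat rule 5002 disable
    commit
    exit
  fi
fi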
!Software Version V200R021C00SPC600
#
sysname HUAWEI-SW
#
info-center channel 6 name loghost1
info-center loghost 192.168.1.x channel 6 security-log operation-log
#
ipv6
#
dns resolve
dns server 223.5.5.5
#
vlan batch 8 100 200 210 220 230 1000
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name portal_authen_profile
#
igmp-snooping enable
#
mld-snooping enable
#
http server-source -i Vlanif8
#
clock timezone BJ add 08:00:00
#
time-range Deny_CMCC-TV 00:00 to 23:59 off-day
time-range Deny_CMCC-TV 00:00 to 08:00 working-day
time-range Deny_CMCC-TV 16:00 to 23:59 working-day
#
dhcp enable
dhcp speed-limit auto
undo dhcp anti-attack check udp-checksum
dhcp broadcast suppress enable
#
dhcp snooping enable
#
dhcp server database enable
dhcp server database recover
#
smart-upgrade web-prompt disable
#
radius-server template default
#
acl name Deny_CMCC-TV 2000
rule 5 deny source 192.168.21.x 0 time-range Deny_CMCC-TV
rule 10 deny source 192.168.21.x 0 time-range Deny_CMCC-TV
rule 15 deny source 192.168.21.x 0 time-range Deny_CMCC-TV
rule 20 deny source 192.168.21.x 0
#
acl name acl_source-vlan210 3001
rule 5 permit ip source 192.168.21.0 0.0.0.255
acl name acl_dest-vlan210 3002
rule 5 permit ip destination 192.168.21.0 0.0.0.255
acl name acl_source-vlan220 3003
rule 5 permit ip source 192.168.22.0 0.0.0.255
acl name acl_dest-vlan220 3004
rule 5 permit ip destination 192.168.22.0 0.0.0.255
acl name acl_source-vlan230 3005
rule 5 deny ip source 192.168.23.0 0.0.0.255
acl name acl_dest-vlan230 3006
rule 5 deny ip destination 192.168.23.0 0.0.0.255
acl name acl_vlan210-to-lan 3010
rule 5 permit ip destination 192.168.1.x 0
rule 15 deny ip destination 192.168.1.0 0.0.0.255
rule 20 deny ip destination 192.168.8.0 0.0.0.255
acl name acl_permit-199 3011
rule 5 permit ip source 192.168.1.x 0
#
traffic classifier tc_cmcc-tv operator or
if-match acl Deny_CMCC-TV
traffic classifier tc_dest-vlan210 operator or
if-match acl acl_dest-vlan210
traffic classifier tc_dest-vlan220 operator or
if-match acl acl_dest-vlan220
traffic classifier tc_dest-vlan230 operator or
if-match acl acl_dest-vlan230
traffic classifier tc_permit-199 operator or
if-match acl acl_permit-199
traffic classifier tc_source-vlan210 operator or
if-match acl acl_source-vlan210
traffic classifier tc_source-vlan220 operator or
if-match acl acl_source-vlan220
traffic classifier tc_source-vlan230 operator or
if-match acl acl_source-vlan230
traffic classifier tc_vlan210-to-lan operator or
if-match acl acl_vlan210-to-lan
#
traffic behavior tb_deny
deny
traffic behavior tb_dest-vlan210
car cir 51200 pir 102400 cbs 6400000 pbs 12800000 mode color-blind green pass yellow pass red discard
traffic behavior tb_dest-vlan220
car cir 5120 pir 10240 cbs 640000 pbs 1280000 mode color-blind green pass yellow pass red discard
traffic behavior tb_permit
permit
traffic behavior tb_source-vlan210
car cir 5120 pir 10240 cbs 640000 pbs 1280000 mode color-blind green pass yellow pass red discard
traffic behavior tb_source-vlan220
car cir 5120 pir 10240 cbs 640000 pbs 1280000 mode color-blind green pass yellow pass red discard
traffic behavior tb_vlan210-to-lan
permit
#
traffic policy tp_dest-vlan210
classifier tc_dest-vlan210 behavior tb_dest-vlan210
classifier tc_dest-vlan220 behavior tb_dest-vlan220
classifier tc_dest-vlan230 behavior tb_permit
traffic policy tp_dest-vlan220
classifier tc_dest-vlan220 behavior tb_dest-vlan220
traffic policy tp_dest-vlan230
classifier tc_dest-vlan230 behavior tb_permit
traffic policy tp_permit-199
classifier tc_permit-199 behavior tb_deny
traffic policy tp_source-vlan210
classifier tc_cmcc-tv behavior tb_permit
classifier tc_source-vlan210 behavior tb_source-vlan210
classifier tc_source-vlan220 behavior tb_source-vlan220
classifier tc_source-vlan230 behavior tb_permit
traffic policy tp_source-vlan220
classifier tc_source-vlan220 behavior tb_source-vlan220
traffic policy tp_source-vlan230
classifier tc_vlan210-to-lan behavior tb_vlan210-to-lan
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
vlan 8
description lan for mgmt
name MGMT_LAN
management-vlan
vlan 100
description to route
vlan 200
description lan for home
name HOME_LAN
mac-vlan mac-address e45e-3732-xxxx priority 0
mac-vlan mac-address 2037-a51f-xxxx priority 0
mac-vlan mac-address b831-b51e-xxxx priority 0
mac-vlan mac-address b831-b51e-xxxx priority 0
mac-vlan mac-address 1c98-ec0f-xxxx priority 0
dhcp snooping enable
ipv4 source check user-bind enable
ipv6 source check user-bind enable
vlan 210
description lan for guest
name GUEST_LAN
dhcp snooping enable
ipv4 source check user-bind enable
ipv6 source check user-bind enable
traffic-policy tp_vlan210-to-lan inbound
vlan 220
description lan for IoT
name IoT_LAN
mac-vlan mac-address ec3d-fdbe-xxxx priority 0
mac-vlan mac-address a03e-6b46-xxxx priority 0
mac-vlan mac-address 2cdd-5fb6-xxxx priority 0
dhcp snooping enable
ipv4 source check user-bind enable
ipv6 source check user-bind enable
traffic-policy tp_vlan210-to-lan inbound
vlan 230
description intranet
name Intra_LAN
mac-vlan mac-address 345b-bb8f-xxxx priority 0
mac-vlan mac-address 345b-bba1-xxxx priority 0
mac-vlan mac-address bc14-efdb-xxxx priority 0
mac-vlan mac-address 9ca6-9d70-xxxx priority 0
mac-vlan mac-address 5455-d578-xxxx priority 0
mac-vlan mac-address 04cf-8c91-xxxx priority 0
mac-vlan mac-address 8444-afb9-xxxx priority 0
dhcp snooping enable
ipv4 source check user-bind enable
ipv6 source check user-bind enable
traffic-policy tp_permit-199 inbound
vlan 1000
description ipv6 for lan
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server 202.112.29.82
ntp-service unicast-server 119.28.183.184
ntp-service unicast-server 78.46.102.180
ntp-service unicast-server 202.112.31.197
#
interface Vlanif8
ip address 192.168.8.x 255.255.255.0
#
interface Vlanif100
ip address 10.0.0.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.1.x 192.168.1.x
dhcp server gateway-list 192.168.1.1
dhcp server static-bind ip-address 192.168.1.x mac-address 000c-2936-xxxx
dhcp server static-bind ip-address 192.168.1.x mac-address 1c98-ec0f-xxxx
dhcp server static-bind ip-address 192.168.1.x mac-address 1c98-ec0f-xxxx
dhcp server static-bind ip-address 192.168.1.x mac-address 1c98-ec0f-xxxx
dhcp server dns-list 192.168.1.199 223.5.5.5 114.114.114.114
dhcp server logging allocation-fail allocation-success renew-success
#
interface Vlanif210
ip address 192.168.21.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.21.x 192.168.21.x
dhcp server gateway-list 192.168.21.1
dhcp server static-bind ip-address 192.168.21.x mac-address 007e-5637-xxxx
dhcp server static-bind ip-address 192.168.21.x mac-address f09c-d791-xxxx
dhcp server static-bind ip-address 192.168.21.x mac-address e206-5fe2-xxxx
dhcp server static-bind ip-address 192.168.21.x mac-address a4d7-3c55-xxxx
dhcp server dns-list 192.168.1.199 223.5.5.5 114.114.114.114
#
interface Vlanif220
ip address 192.168.22.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.22.x 192.168.22.x
dhcp server gateway-list 192.168.22.1
dhcp server dns-list 192.168.1.199 223.5.5.5 114.114.114.114
dhcp server logging allocation-fail allocation-success renew-success
#
interface Vlanif230
ip address 192.168.23.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.23.x 192.168.23.x
dhcp server gateway-list 192.168.23.1
dhcp server static-bind ip-address 192.168.23.x mac-address a4d7-3c55-xxxx
dhcp server dns-list 192.168.23.1
dhcp server logging allocation-fail allocation-success renew-success
#
interface Vlanif1000
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 8 200 210 220 230 1000
loopback-detect enable
stp edged-port enable
dhcp snooping enable
#
interface GigabitEthernet0/0/1
energy-efficient-ethernet enable
port-auto-sleep enable
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 100
undo port hybrid vlan 1
port hybrid tagged vlan 1000
port hybrid untagged vlan 100
loopback-detect enable
traffic-policy tp_dest-vlan210 inbound
traffic-policy tp_source-vlan210 outbound
dhcp snooping enable
#
interface GigabitEthernet0/0/3
energy-efficient-ethernet enable
port-auto-sleep enable
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
port description desktop
dhcp snooping enable
#
interface GigabitEthernet0/0/4
energy-efficient-ethernet enable
port-auto-sleep enable
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/5
energy-efficient-ethernet enable
port-auto-sleep enable
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/6
eth-trunk 1
#
#
interface GigabitEthernet0/0/7
energy-efficient-ethernet enable
port-auto-sleep enable
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/8
eth-trunk 1
#
interface GigabitEthernet0/0/9
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/10
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/11
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface GigabitEthernet0/0/12
port link-type hybrid
port hybrid pvid vlan 210
undo port hybrid vlan 1
port hybrid tagged vlan 8
port hybrid untagged vlan 200 210 220 230
loopback-detect enable
stp edged-port enable
mac-vlan enable
dhcp snooping enable
#
interface NULL0
#
ospf 1 router-id 10.0.0.2
area 0.0.0.0
network 10.0.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 192.168.21.0 0.0.0.255
network 192.168.22.0 0.0.0.255
#
undo icmp name timestamp-request receive
#
#
sftp server enable
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type all
ssh user admin sftp-directory flash:
ssh user liangwu
ssh user liangwu authentication-type all
ssh user liangwu assign rsa-key liangwu
ssh user liangwu service-type all
ssh user liangwu sftp-directory flash:
ssh server-source -i Vlanif8
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh server key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256
ssh client key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256
ssh server dh-exchange min-len 2048
ssh server publickey rsa_sha2_512 rsa_sha2_256
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
ops
#
return
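#!/bin/bash
# Scheduled task: publish the global IPv6 address of switch0.1000 to a
# DigitalOcean DNS record (dynamic-DNS style update via the v2 API).
#
# NOTE(review): the API token is stored in clear text here. If this is the
# updateEdgeosDNS.sh task script from the router config it lives under
# /config, which the backup hook archives and pushes to the git remote, so the
# token ends up in the repository. Keep it in a root-only file outside /config
# and read it at runtime, e.g. DIGITALOCEAN_TOKEN=$(< <PATH-TO-TOKEN-FILE>).
DIGITALOCEAN_TOKEN=xx

# First inet6 address on the interface that is not link-local, host-scoped,
# deprecated or a temporary (privacy) address. Only the first match is used so
# the JSON body below stays a single string when the interface carries
# several global addresses.
IP=$(ip -6 addr show switch0.1000 \
  | grep inet6 \
  | grep -v -E "link|host|deprecated|temporary" \
  | awk '{ split($2, a, "/"); print a[1]; exit }')
if [[ -z "$IP" ]]; then
  printf 'updateEdgeosDNS: no global IPv6 address on switch0.1000\n' >&2
  exit 1
fi

# --fail turns an HTTP error status into a non-zero exit so the task scheduler
# sees the failure; -sS keeps the transfer quiet except for errors.
# NOTE(review): the bearer token is visible on the curl command line (ps,
# set -x); a header file read via -H @file avoids that where curl supports it.
curl --fail -sS -X PUT \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"data":"'"$IP"'"}' \
  "https://api.digitalocean.com/v2/domains/x.com/records/x"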