Created
October 25, 2016 02:46
-
-
Save helushune/80f4de3eb30562f82316bd74fe2b630e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| firewall { | |
| all-ping enable | |
| broadcast-ping disable | |
| group { | |
| network-group LAN_NETWORKS { | |
| description "LAN Networks" | |
| network 10.0.0.0/8 | |
| } | |
| network-group rfc1918 { | |
| network 10.0.0.0/8 | |
| network 100.64.0.0/10 | |
| network 127.0.0.0/8 | |
| network 169.254.0.0/16 | |
| network 172.16.0.0/12 | |
| network 192.0.0.0/24 | |
| network 192.0.2.0/24 | |
| network 192.168.0.0/16 | |
| network 192.18.0.0/15 | |
| network 198.51.100.0/24 | |
| network 203.0.113.0/24 | |
| network 224.0.0.0/4 | |
| network 240.0.0.0/4 | |
| } | |
| } | |
| ipv6-name PROTECT_IN_v6 { | |
| default-action drop | |
| rule 10 { | |
| action accept | |
| description "Accept Established/Related" | |
| protocol all | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| } | |
| ipv6-name PROTECT_LOCAL_v6 { | |
| default-action drop | |
| rule 10 { | |
| action accept | |
| description "Accept DNSv6" | |
| destination { | |
| port 53 | |
| } | |
| protocol udp | |
| } | |
| rule 20 { | |
| action accept | |
| description "Accept DHCPv6" | |
| destination { | |
| port 546 | |
| } | |
| protocol udp | |
| source { | |
| port 547 | |
| } | |
| } | |
| } | |
| ipv6-name WANv6_IN { | |
| default-action drop | |
| description "WAN inbound traffic forwarded to LAN" | |
| enable-default-log | |
| rule 10 { | |
| action accept | |
| description "Allow established/related sessions" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "allow icmpv6" | |
| log disable | |
| protocol icmpv6 | |
| } | |
| } | |
| ipv6-name WANv6_LOCAL { | |
| default-action drop | |
| description "WAN inbound traffic to the router" | |
| enable-default-log | |
| rule 10 { | |
| action accept | |
| description "Allow established/related sessions" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Allow IPv6 ICMP" | |
| limit { | |
| burst 1 | |
| rate 50/minute | |
| } | |
| protocol ipv6-icmp | |
| } | |
| rule 40 { | |
| action accept | |
| description "Allow dhcpv6" | |
| destination { | |
| port 546 | |
| } | |
| protocol udp | |
| source { | |
| port 547 | |
| } | |
| } | |
| } | |
| ipv6-receive-redirects disable | |
| ipv6-src-route disable | |
| ip-src-route disable | |
| log-martians enable | |
| name LAN_IN { | |
| default-action accept | |
| rule 1 { | |
| action drop | |
| description "drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name PROTECT_IN { | |
| default-action accept | |
| rule 10 { | |
| action accept | |
| description "Accept Established/Related" | |
| protocol all | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop LAN_NETWORKS" | |
| destination { | |
| group { | |
| network-group LAN_NETWORKS | |
| } | |
| } | |
| protocol all | |
| } | |
| } | |
| name PROTECT_LOCAL { | |
| default-action drop | |
| rule 10 { | |
| action accept | |
| description "Accept DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol udp | |
| } | |
| rule 20 { | |
| action accept | |
| description "Accept DHCP" | |
| destination { | |
| port 67 | |
| } | |
| protocol udp | |
| } | |
| } | |
| name WAN_IN { | |
| default-action drop | |
| description "WAN to internal" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name WAN_LOCAL { | |
| default-action drop | |
| description "WAN to router" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Limit ICMP" | |
| limit { | |
| burst 1 | |
| rate 50/minute | |
| } | |
| log enable | |
| protocol icmp | |
| } | |
| rule 80 { | |
| action drop | |
| description "drop rfc1918" | |
| log disable | |
| source { | |
| group { | |
| network-group rfc1918 | |
| } | |
| } | |
| } | |
| rule 81 { | |
| action accept | |
| description "VPN ESP" | |
| log disable | |
| protocol 50 | |
| source { | |
| } | |
| } | |
| rule 82 { | |
| action accept | |
| description "Allow L2TP" | |
| destination { | |
| port 500,1701,4500 | |
| } | |
| log disable | |
| protocol udp | |
| source { | |
| } | |
| } | |
| } | |
| receive-redirects disable | |
| send-redirects enable | |
| source-validation disable | |
| syn-cookies enable | |
| } | |
| interfaces { | |
| ethernet eth0 { | |
| address 10.1.1.1/29 | |
| description eth0 | |
| duplex auto | |
| speed auto | |
| vif 2 { | |
| address 10.1.2.1/28 | |
| description VLAN2 | |
| firewall { | |
| in { | |
| name LAN_IN | |
| } | |
| } | |
| } | |
| vif 10 { | |
| address 10.1.10.1/24 | |
| description VLAN10 | |
| firewall { | |
| in { | |
| name LAN_IN | |
| } | |
| } | |
| ipv6 { | |
| dup-addr-detect-transmits 1 | |
| router-advert { | |
| cur-hop-limit 64 | |
| link-mtu 0 | |
| managed-flag true | |
| max-interval 600 | |
| other-config-flag false | |
| prefix ::/64 { | |
| autonomous-flag true | |
| on-link-flag true | |
| valid-lifetime 2592000 | |
| } | |
| reachable-time 0 | |
| retrans-timer 0 | |
| send-advert true | |
| } | |
| } | |
| } | |
| vif 20 { | |
| address 10.1.20.1/24 | |
| description VLAN20 | |
| firewall { | |
| in { | |
| name LAN_IN | |
| } | |
| } | |
| ipv6 { | |
| dup-addr-detect-transmits 1 | |
| router-advert { | |
| cur-hop-limit 64 | |
| link-mtu 0 | |
| managed-flag true | |
| max-interval 600 | |
| other-config-flag false | |
| prefix ::/64 { | |
| autonomous-flag true | |
| on-link-flag true | |
| valid-lifetime 2592000 | |
| } | |
| reachable-time 0 | |
| retrans-timer 0 | |
| send-advert true | |
| } | |
| } | |
| } | |
| } | |
| ethernet eth1 { | |
| address dhcp | |
| description Internet | |
| dhcpv6-pd { | |
| pd 0 { | |
| interface eth0.10 { | |
| host-address ::1 | |
| prefix-id :1 | |
| service slaac | |
| } | |
| interface eth0.20 { | |
| host-address ::1 | |
| prefix-id :2 | |
| service slaac | |
| } | |
| interface eth2 { | |
| host-address ::1 | |
| prefix-id :3 | |
| service slaac | |
| } | |
| prefix-length 60 | |
| } | |
| rapid-commit enable | |
| } | |
| duplex auto | |
| firewall { | |
| in { | |
| ipv6-name WANv6_IN | |
| name WAN_IN | |
| } | |
| local { | |
| ipv6-name WANv6_LOCAL | |
| name WAN_LOCAL | |
| } | |
| } | |
| speed auto | |
| } | |
| ethernet eth2 { | |
| address 192.168.3.1/24 | |
| description eth2 | |
| duplex auto | |
| firewall { | |
| in { | |
| ipv6-name PROTECT_IN_v6 | |
| name PROTECT_IN | |
| } | |
| local { | |
| ipv6-name PROTECT_LOCAL_v6 | |
| name PROTECT_LOCAL | |
| } | |
| } | |
| speed auto | |
| } | |
| ethernet eth3 { | |
| description eth3 | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth4 { | |
| description eth4 | |
| duplex auto | |
| poe { | |
| output off | |
| } | |
| speed auto | |
| } | |
| loopback lo { | |
| } | |
| switch switch0 { | |
| address 192.168.2.1/24 | |
| description switch0 | |
| mtu 1500 | |
| } | |
| } | |
| service { | |
| dhcp-server { | |
| disabled false | |
| dynamic-dns-update { | |
| enable true | |
| } | |
| global-parameters "key rndc-key { algorithm HMAC-MD5; secret DDNS_UPDATE_SECRET; };" | |
| global-parameters "zone home.local. { primary 10.1.2.2; key rndc-key; }" | |
| global-parameters "ddns-domainname "home.local.";" | |
| global-parameters "ddns-rev-domainname "in-addr.arpa.";" | |
| global-parameters "zone in-addr.arpa. { primary 10.1.2.2; key rndc-key; }" | |
| global-parameters "zone 1.10.in-addr.arpa. { primary 10.1.2.2; key rndc-key; }" | |
| hostfile-update disable | |
| shared-network-name Device { | |
| authoritative disable | |
| subnet 10.1.2.0/28 { | |
| default-router 10.1.2.1 | |
| dns-server 10.1.10.4 | |
| dns-server 10.1.2.2 | |
| domain-name home.local | |
| lease 86400 | |
| start 10.1.2.10 { | |
| stop 10.1.2.14 | |
| } | |
| unifi-controller 10.1.2.2 | |
| } | |
| } | |
| shared-network-name Eth2 { | |
| authoritative disable | |
| subnet 192.168.3.0/24 { | |
| default-router 192.168.3.1 | |
| dns-server 192.168.3.1 | |
| lease 86400 | |
| start 192.168.3.100 { | |
| stop 192.168.3.250 | |
| } | |
| } | |
| } | |
| shared-network-name General { | |
| authoritative disable | |
| subnet 10.1.10.0/24 { | |
| default-router 10.1.10.1 | |
| dns-server 10.1.10.4 | |
| dns-server 10.1.2.2 | |
| domain-name home.local | |
| lease 86400 | |
| start 10.1.10.100 { | |
| stop 10.1.10.250 | |
| } | |
| } | |
| } | |
| shared-network-name Guest { | |
| authoritative disable | |
| subnet 10.1.20.0/24 { | |
| default-router 10.1.20.1 | |
| dns-server 10.1.10.4 | |
| dns-server 10.1.2.2 | |
| domain-name home.local | |
| lease 86400 | |
| start 10.1.20.50 { | |
| stop 10.1.20.200 | |
| } | |
| } | |
| } | |
| use-dnsmasq disable | |
| } | |
| dns { | |
| dynamic { | |
| interface eth1 { | |
| service ddns-external { | |
| host-name dyn.dns.xyz | |
| login username | |
| password password | |
| server server.dns.xyz | |
| } | |
| } | |
| } | |
| forwarding { | |
| cache-size 1000 | |
| listen-on eth2 | |
| listen-on switch0 | |
| listen-on eth0.10 | |
| listen-on eth0.2 | |
| listen-on eth0.20 | |
| name-server 8.8.8.8 | |
| name-server 8.8.4.4 | |
| name-server 2001:4860:4860::8888 | |
| name-server 2001:4860:4860::8844 | |
| } | |
| } | |
| gui { | |
| http-port 80 | |
| https-port 443 | |
| older-ciphers disable | |
| } | |
| nat { | |
| rule 5010 { | |
| outbound-interface eth1 | |
| type masquerade | |
| } | |
| } | |
| snmp { | |
| community snmp_community { | |
| authorization ro | |
| } | |
| location somewhere | |
| } | |
| ssh { | |
| port 22 | |
| protocol-version v2 | |
| } | |
| ubnt-discover { | |
| disable | |
| } | |
| upnp { | |
| listen-on eth0.10 { | |
| outbound-interface eth1 | |
| } | |
| } | |
| } | |
| system { | |
| config-management { | |
| commit-revisions 40 | |
| } | |
| domain-name home.local | |
| host-name ubnt-er-x | |
| login { | |
| user admin { | |
| authentication { | |
| encrypted-password "" | |
| plaintext-password "" | |
| } | |
| level admin | |
| } | |
| } | |
| name-server 10.1.2.2 | |
| name-server 10.1.10.4 | |
| name-server 2001:4860:4860::8888 | |
| name-server 2001:4860:4860::8844 | |
| ntp { | |
| server clock.fmt.he.net { | |
| } | |
| server clock.sjc.he.net { | |
| prefer | |
| } | |
| } | |
| offload { | |
| hwnat enable | |
| } | |
| syslog { | |
| global { | |
| facility all { | |
| level notice | |
| } | |
| facility protocols { | |
| level debug | |
| } | |
| } | |
| } | |
| task-scheduler { | |
| task dyndns_update { | |
| executable { | |
| arguments "update dns dynamic interface eth1" | |
| path /opt/vyatta/bin/vyatta-op-cmd-wrapper | |
| } | |
| interval 7d | |
| } | |
| } | |
| time-zone America/Los_Angeles | |
| } | |
| traffic-control { | |
| smart-queue default { | |
| download { | |
| ecn enable | |
| flows 1024 | |
| fq-quantum 1514 | |
| limit 10240 | |
| rate 57mbit | |
| } | |
| upload { | |
| ecn enable | |
| flows 1024 | |
| fq-quantum 1514 | |
| limit 10240 | |
| rate 5.2mbit | |
| } | |
| wan-interface eth1 | |
| } | |
| } | |
| vpn { | |
| ipsec { | |
| auto-firewall-nat-exclude enable | |
| } | |
| l2tp { | |
| remote-access { | |
| authentication { | |
| mode radius | |
| radius-server 10.1.2.2 { | |
| key RADIUS_KEY | |
| } | |
| radius-server 10.1.10.4 { | |
| key RADIUS_KEY | |
| } | |
| } | |
| client-ip-pool { | |
| start 10.2.1.100 | |
| stop 10.2.1.150 | |
| } | |
| dhcp-interface eth1 | |
| dns-servers { | |
| server-1 10.1.10.4 | |
| server-2 10.1.2.2 | |
| } | |
| ipsec-settings { | |
| authentication { | |
| mode pre-shared-secret | |
| pre-shared-secret L2TP_VPN_KEY | |
| } | |
| ike-lifetime 3600 | |
| } | |
| } | |
| } | |
| } | |
| /* Warning: Do not remove the following line. */ | |
| /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ | |
| /* Release version: v1.9.0.4901118.160804.1131 */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment