kipusoep/config.boot Secret

## config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN IPv6 naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN IPv6 naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN naar LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN naar Router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 21 {
            action accept
            description "Web UI"
            destination {
                port 80,443
            }
            log disable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description FTTH
        duplex auto
        mtu 1512
        speed auto
        vif 4 {
            address dhcp
            description "KPN IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier &quot;IPTV_RG&quot;;"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "KPN Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit enable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                password kpn
                user-id <MAC_ADRES_ETH0>@internet
            }
        }
    }
    ethernet eth1 {
        address 10.0.0.1/24
        description Thuis
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2a02:a47f:e000::53
                name-server 2a02:a47f:e000::54
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
    }
    ethernet eth2 {
        description "Niet in gebruik"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description "Diskstation, Domoticz, CouchPotato"
        forward-to {
            address 10.0.0.10
        }
        original-port 5000,5001,8084,5050
        protocol tcp
    }
    rule 2 {
        description Emby
        forward-to {
            address 10.0.0.11
        }
        original-port 8096
        protocol tcp
    }
    rule 3 {
        description "L2TP / IPSec VPN Server"
        forward-to {
            address 10.0.0.10
        }
        original-port 500,1701,4500
        protocol udp
    }
    wan-interface pppoe0
}
protocols {
    igmp-proxy {
        disable-quickleave
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
    static {
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name Thuis {
            authoritative enable
            subnet 10.0.0.0/24 {
                lease 86400
                start 10.0.0.20 {
                    stop 10.0.0.254
                }
                static-mapping HarmonyHub {
                    ip-address 10.0.0.204
                    mac-address 00:04:20:FB:5D:7E
                }
                static-mapping nas {
                    ip-address 10.0.0.10
                    mac-address 00:11:32:52:3E:A7
                }
                static-mapping rpi3 {
                    ip-address 10.0.0.11
                    mac-address B8:27:EB:2F:6C:BF
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 4000
            listen-on eth1
            name-server 1.1.1.1
            name-server 208.67.220.220
            name-server 2a02:a47f:e000::53
            name-server 2a02:a47f:e000::54
            options listen-address=10.0.0.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
                address 10.0.0.0/24
            }
            type masquerade
        }
        rule 5010 {
            description Internet
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    telnet {
        port 23
    }
    unms {
        disable
    }
}
system {
    domain-name thuis.local
    host-name Thuis
    login {
        user <iemand> {
            authentication {
                encrypted-password <dingen>
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.nl.pool.ntp.org {
        }
        server 1.nl.pool.ntp.org {
        }
        server ntp0.nl.net {
        }
        server ntp1.nl.net {
        }
        server time.kpn.net {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    static-host-mapping {
        host-name thuis.<een_domein>.nl {
            alias thuis
            inet 10.0.0.1
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi disable
        export disable
    }
}
	firewall {
	all-ping enable
	broadcast-ping disable
	ipv6-name WANv6_IN {
	default-action drop
	description "WAN IPv6 naar LAN"
	rule 10 {
	action accept
	description "Allow established/related"
	state {
	established enable
	related enable
	}
	}
	rule 20 {
	action drop
	description "Drop invalid state"
	state {
	invalid enable
	}
	}
	rule 30 {
	action accept
	description "Allow IPv6 icmp"
	icmpv6 {
	type echo-request
	}
	protocol ipv6-icmp
	}
	}
	ipv6-name WANv6_LOCAL {
	default-action drop
	description "WAN IPv6 naar Router"
	rule 10 {
	action accept
	description "Allow established/related"
	state {
	established enable
	related enable
	}
	}
	rule 20 {
	action drop
	description "Drop invalid state"
	state {
	invalid enable
	}
	}
	rule 30 {
	action accept
	description "Allow IPv6 icmp"
	protocol ipv6-icmp
	}
	rule 40 {
	action accept
	description "Allow dhcpv6"
	destination {
	port 546
	}
	protocol udp
	source {
	port 547
	}
	}
	}
	ipv6-receive-redirects disable
	ipv6-src-route disable
	ip-src-route disable
	log-martians enable
	name WAN_IN {
	default-action drop
	description "WAN naar LAN"
	rule 10 {
	action accept
	description "Allow established/related"
	log disable
	state {
	established enable
	related enable
	}
	}
	rule 20 {
	action drop
	description "Drop invalid state"
	state {
	invalid enable
	}
	}
	}
	name WAN_LOCAL {
	default-action drop
	description "WAN naar Router"
	rule 10 {
	action accept
	description "Allow established/related"
	log disable
	state {
	established enable
	invalid disable
	new disable
	related enable
	}
	}
	rule 20 {
	action drop
	description "Drop invalid state"
	state {
	established disable
	invalid enable
	new disable
	related disable
	}
	}
	rule 21 {
	action accept
	description "Web UI"
	destination {
	port 80,443
	}
	log disable
	protocol tcp
	}
	}
	receive-redirects disable
	send-redirects enable
	source-validation disable
	syn-cookies enable
	}
	interfaces {
	ethernet eth0 {
	description FTTH
	duplex auto
	mtu 1512
	speed auto
	vif 4 {
	address dhcp
	description "KPN IPTV"
	dhcp-options {
	client-option "send vendor-class-identifier "IPTV_RG";"
	client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
	default-route no-update
	default-route-distance 210
	name-server update
	}
	mtu 1500
	}
	vif 6 {
	description "KPN Internet"
	mtu 1508
	pppoe 0 {
	default-route auto
	dhcpv6-pd {
	no-dns
	pd 0 {
	interface eth1 {
	host-address ::1
	no-dns
	prefix-id :1
	service slaac
	}
	prefix-length /48
	}
	rapid-commit enable
	}
	firewall {
	in {
	ipv6-name WANv6_IN
	name WAN_IN
	}
	local {
	ipv6-name WANv6_LOCAL
	name WAN_LOCAL
	}
	}
	idle-timeout 180
	ipv6 {
	address {
	autoconf
	}
	dup-addr-detect-transmits 1
	enable {
	}
	}
	mtu 1500
	name-server auto
	password kpn
	user-id <MAC_ADRES_ETH0>@internet
	}
	}
	}
	ethernet eth1 {
	address 10.0.0.1/24
	description Thuis
	duplex auto
	ipv6 {
	dup-addr-detect-transmits 1
	router-advert {
	cur-hop-limit 64
	link-mtu 0
	managed-flag false
	max-interval 600
	name-server 2a02:a47f:e000::53
	name-server 2a02:a47f:e000::54
	other-config-flag false
	prefix ::/64 {
	autonomous-flag true
	on-link-flag true
	valid-lifetime 2592000
	}
	radvd-options "RDNSS 2a02:a47f:e000::53 2a02:a47f:e000::54 {};"
	reachable-time 0
	retrans-timer 0
	send-advert true
	}
	}
	speed auto
	}
	ethernet eth2 {
	description "Niet in gebruik"
	duplex auto
	speed auto
	}
	loopback lo {
	}
	}
	port-forward {
	auto-firewall enable
	hairpin-nat enable
	lan-interface eth1
	rule 1 {
	description "Diskstation, Domoticz, CouchPotato"
	forward-to {
	address 10.0.0.10
	}
	original-port 5000,5001,8084,5050
	protocol tcp
	}
	rule 2 {
	description Emby
	forward-to {
	address 10.0.0.11
	}
	original-port 8096
	protocol tcp
	}
	rule 3 {
	description "L2TP / IPSec VPN Server"
	forward-to {
	address 10.0.0.10
	}
	original-port 500,1701,4500
	protocol udp
	}
	wan-interface pppoe0
	}
	protocols {
	igmp-proxy {
	disable-quickleave
	interface eth0.4 {
	alt-subnet 0.0.0.0/0
	role upstream
	threshold 1
	}
	interface eth1 {
	alt-subnet 0.0.0.0/0
	role downstream
	threshold 1
	}
	}
	static {
	interface-route6 ::/0 {
	next-hop-interface pppoe0 {
	}
	}
	}
	}
	service {
	dhcp-server {
	disabled false
	global-parameters "option vendor-class-identifier code 60 = string;"
	global-parameters "option broadcast-address code 28 = ip-address;"
	hostfile-update disable
	shared-network-name Thuis {
	authoritative enable
	subnet 10.0.0.0/24 {
	lease 86400
	start 10.0.0.20 {
	stop 10.0.0.254
	}
	static-mapping HarmonyHub {
	ip-address 10.0.0.204
	mac-address 00:04:20:FB:5D:7E
	}
	static-mapping nas {
	ip-address 10.0.0.10
	mac-address 00:11:32:52:3E:A7
	}
	static-mapping rpi3 {
	ip-address 10.0.0.11
	mac-address B8:27:EB:2F:6C:BF
	}
	}
	}
	static-arp disable
	use-dnsmasq enable
	}
	dns {
	forwarding {
	cache-size 4000
	listen-on eth1
	name-server 1.1.1.1
	name-server 208.67.220.220
	name-server 2a02:a47f:e000::53
	name-server 2a02:a47f:e000::54
	options listen-address=10.0.0.1
	}
	}
	gui {
	http-port 80
	https-port 443
	older-ciphers enable
	}
	nat {
	rule 5000 {
	description IPTV
	destination {
	address 213.75.112.0/21
	}
	log disable
	outbound-interface eth0.4
	protocol all
	source {
	address 10.0.0.0/24
	}
	type masquerade
	}
	rule 5010 {
	description Internet
	log disable
	outbound-interface pppoe0
	protocol all
	type masquerade
	}
	}
	ssh {
	port 22
	protocol-version v2
	}
	telnet {
	port 23
	}
	unms {
	disable
	}
	}
	system {
	domain-name thuis.local
	host-name Thuis
	login {
	user <iemand> {
	authentication {
	encrypted-password <dingen>
	plaintext-password ""
	}
	level admin
	}
	}
	name-server 127.0.0.1
	ntp {
	server 0.nl.pool.ntp.org {
	}
	server 1.nl.pool.ntp.org {
	}
	server ntp0.nl.net {
	}
	server ntp1.nl.net {
	}
	server time.kpn.net {
	}
	}
	offload {
	hwnat disable
	ipsec enable
	ipv4 {
	forwarding enable
	gre enable
	pppoe enable
	vlan enable
	}
	ipv6 {
	forwarding enable
	pppoe disable
	vlan enable
	}
	}
	static-host-mapping {
	host-name thuis.<een_domein>.nl {
	alias thuis
	inet 10.0.0.1
	}
	}
	syslog {
	global {
	facility all {
	level notice
	}
	facility protocols {
	level debug
	}
	}
	}
	time-zone Europe/Amsterdam
	traffic-analysis {
	dpi disable
	export disable
	}
	}