Last active
May 12, 2024 16:07
-
-
Save sethp/9ef1c952b188c232bbe73faeed9014ac to your computer and use it in GitHub Desktop.
Sanitized, annotated ubiquiti (vyatta) config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* firewall included for completeness; I'd also be comfortable segmenting out any device that I couldn't demonstrate had its own independent firewall (with one exception, below) */ | |
| firewall { | |
| all-ping enable | |
| broadcast-ping disable | |
| ipv6-name internet6-in { | |
| default-action drop | |
| enable-default-log | |
| rule 10 { | |
| action accept | |
| description "Allow established connections" | |
| log disable | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| disable | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| log disable | |
| protocol icmpv6 | |
| } | |
| } | |
| ipv6-receive-redirects disable | |
| ipv6-src-route disable | |
| ip-src-route disable | |
| log-martians enable | |
| name WAN_IN { | |
| default-action drop | |
| description "WAN to internal" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action accept | |
| description "CenturyLink 6rd Tunnel" | |
| protocol 41 | |
| source { | |
| address 205.171.2.64 | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "CenturyLink 6rd Tunnel" | |
| log disable | |
| protocol icmp | |
| source { | |
| address 205.171.2.64 | |
| } | |
| } | |
| /* these next two are unnecessary now that I've got the 6rd tunnel via my ISP */ | |
| rule 40 { | |
| action accept | |
| description "he ipv6 tunnel" | |
| log disable | |
| protocol all | |
| source { | |
| address 216.218.226.238 | |
| } | |
| } | |
| rule 50 { | |
| action accept | |
| description "he ipv6 tunnel" | |
| log disable | |
| protocol icmp | |
| source { | |
| address 66.220.2.74 | |
| } | |
| } | |
| /* this is for the (unused) site to site vpn down at the bottom */ | |
| rule 60 { | |
| action accept | |
| description "gcp icmp" | |
| log disable | |
| protocol icmp | |
| source { | |
| address xxREDACTEDxx | |
| } | |
| } | |
| rule 70 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name WAN_LOCAL { | |
| default-action drop | |
| description "WAN to router" | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action accept | |
| description "CenturyLink 6rd Tunnel" | |
| protocol 41 | |
| source { | |
| address 205.171.2.64 | |
| } | |
| } | |
| rule 30 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 40 { | |
| action accept | |
| log disable | |
| protocol icmp | |
| } | |
| rule 50 { | |
| action accept | |
| description "he ipv6 tunnel" | |
| disable | |
| log disable | |
| protocol all | |
| } | |
| } | |
| options { | |
| /* | |
| NB: this is kinda weird to have in the firewall (it's how it's implemented), | |
| but this is the part that makes the internet work by editing all the TCP options from | |
| misconfigured/unconfigurable devices' claims about how big of a packet | |
| we're actually able to accept. | |
| */ | |
| mss-clamp { | |
| interface-type pppoe | |
| mss 1452 | |
| } | |
| } | |
| receive-redirects disable | |
| send-redirects enable | |
| source-validation disable | |
| syn-cookies enable | |
| } | |
| interfaces { | |
| ethernet eth0 { | |
| description Internet | |
| duplex auto | |
| poe { | |
| output off | |
| } | |
| speed auto | |
| /* | |
| this block is the required configuration from my ISP; good luck finding that information anywhere, though. | |
| I don't recall any longer whether the 801.2Q tag here (represented by `vif TAG`) is really required; | |
| there was a (brief) time when we _didn't_ have a PPPoE tunnel and the only thing the ISP looked for | |
| was the VLAN tag, but then we changed our plan and I guess got moved to different infrastructure on | |
| their end, so we're back to pretending we're doing DSL over a fiber connection. | |
| */ | |
| vif 201 { | |
| address dhcp | |
| description "Centurylink VLAN" | |
| pppoe 0 { | |
| default-route auto | |
| firewall { | |
| in { | |
| name WAN_IN | |
| } | |
| local { | |
| name WAN_LOCAL | |
| } | |
| } | |
| mtu 1492 | |
| name-server none | |
| password xxREDACTEDxx | |
| user-id xxREDACTEDxx | |
| } | |
| } | |
| } | |
| ethernet eth1 { | |
| description WLAN | |
| duplex auto | |
| poe { | |
| output 24v | |
| } | |
| speed auto | |
| } | |
| ethernet eth2 { | |
| description Local | |
| duplex auto | |
| poe { | |
| output 24v | |
| } | |
| speed auto | |
| } | |
| ethernet eth3 { | |
| description Local | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth4 { | |
| description Local | |
| duplex auto | |
| speed auto | |
| } | |
| ethernet eth5 { | |
| disable | |
| duplex auto | |
| speed auto | |
| } | |
| loopback lo { | |
| } | |
| switch switch0 { | |
| address 192.168.1.1/24 | |
| /* this address is configured sort-of-dynamically by `6rd-up` (a shell script, also in this gist), which lives in /config/scripts/ppp/ip-up.d/6rd-up */ | |
| address 2602:xxREDACTEDxx::1/64 | |
| address fe80::1/128 | |
| description LAN | |
| dhcpv6-options { | |
| parameters-only | |
| } | |
| ipv6 { | |
| dup-addr-detect-transmits 1 | |
| router-advert { | |
| cur-hop-limit 64 | |
| link-mtu 0 | |
| managed-flag false | |
| max-interval 30 | |
| other-config-flag false | |
| prefix ::/64 { | |
| autonomous-flag true | |
| on-link-flag true | |
| valid-lifetime 600 | |
| } | |
| reachable-time 0 | |
| retrans-timer 0 | |
| send-advert true | |
| } | |
| } | |
| mtu 1500 | |
| switch-port { | |
| interface eth1 { | |
| } | |
| interface eth2 { | |
| } | |
| interface eth3 { | |
| } | |
| interface eth4 { | |
| } | |
| vlan-aware disable | |
| } | |
| } | |
| tunnel tun0 { | |
| 6rd-prefix 2602::/24 | |
| 6rd-default-gw ::205.171.2.64 | |
| /* this address is configured sort-of-dynamically by `6rd-up` (a shell script, also in this gist), which lives in /config/scripts/ppp/ip-up.d/6rd-up */ | |
| address 2602:xxREDACTEDxx::/128 | |
| description "CenturyLink IPv6 6rd tunnel" | |
| encapsulation sit | |
| firewall { | |
| in { | |
| ipv6-name internet6-in | |
| } | |
| local { | |
| ipv6-name internet6-in | |
| } | |
| } | |
| local-ip xxREDACTEDxx | |
| mtu 1468 | |
| multicast enable | |
| ttl 255 | |
| } | |
| } | |
| /* I _think_ this is just DNAT (internet -> my network), so it's ~unused/duplicative of the NAT service below */ | |
| port-forward { | |
| auto-firewall enable | |
| hairpin-nat enable | |
| lan-interface switch0 | |
| wan-interface pppoe0 | |
| } | |
| protocols { | |
| static { | |
| interface-route6 ::/0 { | |
| next-hop-interface tun0 { | |
| } | |
| } | |
| } | |
| } | |
| service { | |
| dhcp-server { | |
| disabled false | |
| hostfile-update disable | |
| shared-network-name LAN { | |
| authoritative disable | |
| subnet 192.168.1.0/24 { | |
| default-router 192.168.1.1 | |
| dns-server 192.168.1.1 | |
| lease 86400 | |
| start 192.168.1.38 { | |
| stop 192.168.1.243 | |
| } | |
| static-mapping erx { | |
| ip-address 192.168.1.219 | |
| mac-address xxREDACTEDxx | |
| } | |
| } | |
| } | |
| static-arp disable | |
| use-dnsmasq disable | |
| } | |
| dns { | |
| forwarding { | |
| cache-size 150 | |
| listen-on switch0 | |
| } | |
| } | |
| gui { | |
| http-port 80 | |
| https-port 443 | |
| older-ciphers enable | |
| } | |
| /* ah, love the smell of IPv4 in the morning */ | |
| nat { | |
| rule 5010 { | |
| description "masquerade for WAN" | |
| log disable | |
| outbound-interface pppoe0 | |
| protocol all | |
| type masquerade | |
| } | |
| } | |
| ssh { | |
| port 22 | |
| protocol-version v2 | |
| } | |
| unms { | |
| } | |
| } | |
| system { | |
| analytics-handler { | |
| send-analytics-report true | |
| } | |
| crash-handler { | |
| send-crash-report true | |
| } | |
| host-name ubnt | |
| login { | |
| user ubnt { | |
| authentication { | |
| encrypted-password xxREDACTEDxx | |
| public-keys seth@Hopper.local { | |
| key AAAAC3NzaC1lZDI1NTE5AAAAIL6iYCxswTwdOw0WSYgQIMnVHNnsMoVhl62SP0ZxBHjh | |
| type ssh-ed25519 | |
| } | |
| public-keys seth@cerf.local { | |
| key AAAAC3NzaC1lZDI1NTE5AAAAIGrYs37s0TQKEB1UTkhE7BX6o6DLZ1MukAr+8jtSbutE | |
| type ssh-ed25519 | |
| } | |
| } | |
| group systemd-journal | |
| level admin | |
| } | |
| } | |
| name-server 9.9.9.9 | |
| name-server 149.112.112.112 | |
| name-server 2620:fe::fe | |
| name-server 2620:fe::9 | |
| ntp { | |
| server 0.ubnt.pool.ntp.org { | |
| } | |
| server 1.ubnt.pool.ntp.org { | |
| } | |
| server 2.ubnt.pool.ntp.org { | |
| } | |
| server 3.ubnt.pool.ntp.org { | |
| } | |
| } | |
| systemd { | |
| journal { | |
| runtime-max-use 64 | |
| storage persistent | |
| } | |
| } | |
| time-zone UTC | |
| } | |
| /* | |
| I don't use this at all, but it was an experiment to see if I could set up a ipsec site-to-site VPN with GCP. | |
| Included for completeness. | |
| */ | |
| vpn { | |
| ipsec { | |
| allow-access-to-local-interface disable | |
| auto-firewall-nat-exclude enable | |
| esp-group FOO0 { | |
| compression disable | |
| lifetime 3600 | |
| mode tunnel | |
| pfs enable | |
| proposal 1 { | |
| encryption aes128 | |
| hash sha1 | |
| } | |
| } | |
| ike-group FOO0 { | |
| ikev2-reauth no | |
| key-exchange ikev1 | |
| lifetime 28800 | |
| proposal 1 { | |
| dh-group 14 | |
| encryption aes128 | |
| hash sha1 | |
| } | |
| } | |
| site-to-site { | |
| peer 35.197.52.175 { | |
| authentication { | |
| mode pre-shared-secret | |
| pre-shared-secret REDACTED | |
| } | |
| connection-type initiate | |
| description gcp | |
| ike-group FOO0 | |
| ikev2-reauth inherit | |
| local-address any | |
| tunnel 1 { | |
| allow-nat-networks disable | |
| allow-public-networks disable | |
| esp-group FOO0 | |
| local { | |
| prefix 192.168.1.0/24 | |
| } | |
| remote { | |
| prefix 192.168.12.0/24 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| /* Warning: Do not remove the following line. */ | |
| /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */ | |
| /* Release version: v2.0.9-hotfix.7.5622731.230615.0857 */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # via https://odensc.com/2019/05/01/centurylink-6rd | |
| ipv4addr="$(ip -br -f inet addr show pppoe0 | awk '{print $3}')" | |
| ipv6addr="$(printf "2602:%02x:%02x%02x:%02x00::/56\n" $(echo $ipv4addr | tr . ' '))" | |
| echo "$ipv4addr -> $ipv6addr" | |
| source /opt/vyatta/etc/functions/script-template | |
| configure | |
| delete interfaces switch switch0 address | |
| set interfaces switch switch0 address 192.168.1.1/24 | |
| set interfaces switch switch0 address "${ipv6addr%%::/56}::1/64" | |
| set interfaces switch switch0 address "fe80::1/128" | |
| delete interfaces tunnel tun0 address | |
| delete interfaces tunnel tun0 local-ip | |
| set interfaces tunnel tun0 address "${ipv6addr%%00::/56}ff::/128" | |
| set interfaces tunnel tun0 local-ip "$ipv4addr" | |
| commit || exit 1 | |
| save | |
| exit |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment