@thewh1teagle
Created October 22, 2022 02:15
# DHCP/DNS section (presumably /etc/config/dhcp): dnsmasq resolver settings plus one DHCP pool.
config dnsmasq
# Do not forward dot-less names or reverse lookups for private ranges to upstream resolvers.
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
# NOTE(review): DNS rebind protection is off, so upstream answers that point at
# private (RFC 1918) addresses are handed to clients unchanged. This is sometimes
# required when the upstream resolver serves local names; if it is not, set '1'.
option rebind_protection '0'
# Only takes effect while rebind_protection is enabled.
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option nonegcache '1'
option authoritative '1'
# Query and DHCP logging are off, so dnsmasq leaves no resolver/lease audit trail in the log.
option logqueries '0'
option logdhcp '0'
option allservers '1'
option clearonreload '1'
option cachesize '1000'
option negttl '300'
option maxttl '300'
option maxcachettl '1800'
option local_ttl '0'
option dnsforwardmax '300'
# Lease table and upstream resolver list live under /tmp.
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option client_update_ddns '1'
# DHCP pool for the 'ready' interface: 20 addresses from host offset 10, 5-minute leases.
config dhcp 'ready'
option interface 'ready'
option start '10'
option limit '20'
option leasetime '5m'
# force '1' keeps this server answering even if another DHCP server is seen on the segment.
option force '1'
# Firewall section (presumably /etc/config/firewall): global defaults, zones and inter-zone forwardings.
config defaults
# NOTE(review): SYN-flood protection is disabled and every default chain policy is
# ACCEPT. Traffic on an interface that belongs to no zone falls through to these
# defaults; stock OpenWrt ships syn_flood '1' and forward 'REJECT' — confirm this is intended.
option syn_flood '0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option drop_invalid '1'
# With IPv6 rule generation disabled, rules marked family 'ipv6' in this file are
# presumably not installed — verify on this firmware.
option disable_ipv6 '1'
# lan zone: fully open towards the router, and masqueraded on egress.
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
# wan zone: inbound connections to the router are rejected unless a rule below allows them.
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
# NOTE(review): zone forward policy is ACCEPT, looser than the usual wan default of REJECT.
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
# lan clients may reach wan.
config forwarding
option src 'lan'
option dest 'wan'
# vlan10 clients may reach lan. There is no forwarding in the other direction in this file.
config forwarding
option src 'vlan10'
option dest 'lan'
# vlan10 zone: all policies ACCEPT, no masquerading.
config zone
option name 'vlan10'
option network 'vlan10'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Rules with a src zone and no dest apply to traffic addressed to the router itself.
# Accept DHCP replies arriving on wan (UDP/68) so the wan lease can be renewed.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests from the wan side.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# The three IPv6 rules below are presumably inert while the defaults section sets
# disable_ipv6 '1' — confirm before relying on them.
# DHCPv6 replies between link-local addresses (server port 547 to client port 546).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router from wan: error, echo and neighbour/router discovery types, rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone: error and echo types only, rate-limited.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Firewall includes: external scripts that add rules when the firewall loads.
# reload '1' re-runs them on every firewall reload.
# NOTE(review): the rules these scripts install are not visible in this file, so an
# audit of the effective ruleset has to read the scripts or dump the live tables.
config include 'webinitrdr'
option path '/lib/firewall.sysapi.loader webinitrdr'
option reload '1'
option enabled '1'
config include 'dnsmiwifi'
option path '/lib/firewall.sysapi.loader dnsmiwifi'
option reload '1'
option enabled '1'
config include 'macfilter'
option path '/lib/firewall.sysapi.loader macfilter'
option reload '1'
option enabled '1'
config include 'miqos'
option path '/lib/firewall.sysapi.loader miqos'
option reload '1'
config include 'turbo'
option path '/lib/firewall.sysapi.loader turbo'
option reload '1'
option enabled '1'
config include 'xqfp'
option path '/lib/firewall.sysapi.loader xqfp'
option reload '1'
# User-editable script; anything able to write this path changes the firewall on next reload.
config include 'firewalluser'
option path '/etc/firewall.user'
option reload '1'
config include 'dmz_bypass_ctf'
option path '/lib/firewall.sysapi.loader dmz_bypass_ctf'
option reload '1'
config include 'rr_rule'
option path '/lib/firewall/rr.load reload'
option reload '1'
# NOTE(review): the next two rules accept connections from wan to ports on the router
# itself (no dest zone is set). Going by the rule names they serve a download service;
# if that service is not used, disable or remove the rules so the ports stay closed.
config rule 'xunleiwantcpports'
option name 'xunlei wan accept tcp port 1080 4662 2080 2062'
option src 'wan'
option dest_port '1080 4662 2080 2062'
option proto 'tcp'
option target 'ACCEPT'
config rule 'xunleiwanudpports'
option name 'xunlei wan accept udp port 4661 3027 888 666 2037 2061 2048 2066'
option src 'wan'
option dest_port '4661 3027 888 666 2037 2061 2048 2066'
option proto 'udp'
option target 'ACCEPT'
# Reject TCP/9000 to the router from every zone.
config rule 'xunleiN_TCPports'
option name 'xunlei_port_limit_localhost 9000'
option src '*'
option dest_port '9000'
option proto 'tcp'
option target 'REJECT'
# Guest-zone access to router ports 8999, 8300 and 7080.
# NOTE(review): no zone named 'guest' is defined in this file; it is presumably
# created by one of the include scripts — confirm, otherwise these rules match nothing.
config rule 'guest_8999'
option name 'Hello wifi 8999'
option src 'guest'
option proto 'tcp'
option dest_port '8999'
option target 'ACCEPT'
config rule 'guest_8300'
option name 'Hello wifi 8300'
option src 'guest'
option proto 'tcp'
option dest_port '8300'
option target 'ACCEPT'
config rule 'guest_7080'
option name 'Hello wifi 7080'
option src 'guest'
option proto 'tcp'
option dest_port '7080'
option target 'ACCEPT'
# 'ready' zone: default-deny in every direction; only the rules below open it.
config zone 'ready_zone'
option name 'ready'
list network 'ready'
option input 'DROP'
option forward 'DROP'
option output 'DROP'
# DHCP from 'ready' clients to the router (UDP 67-68).
config rule 'ready_dhcp'
option name 'DHCP for ready'
option src 'ready'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
# DHCP replies from the router out to 'ready' (dest zone only, so an output rule).
config rule 'ready_dhcp_out'
option name 'DHCP for ready'
option dest 'ready'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
# 'ready' clients may reach TCP/786 on the router.
config rule 'ready_minet_in'
option name 'minet ready'
option src 'ready'
option dest_port '786'
option proto 'tcp'
option target 'ACCEPT'
# NOTE(review): the section name says "out", but this rule matches traffic coming
# from 'ready' with source port 786 (src, not dest). Compare ready_dhcp_out, which
# uses dest 'ready' — confirm which direction was intended.
config rule 'ready_minet_out'
option name 'minet ready'
option src 'ready'
option src_port '786'
option proto 'tcp'
option target 'ACCEPT'
# DNAT for lan clients: TCP/80 addressed to 198.51.100.9 is rewritten to port 8190.
# No dest_ip is set, so the target host is not stated here (presumably the router).
config redirect 'nxdomain'
option name 'nxdomain'
option src 'lan'
option src_dport '80'
option src_dip '198.51.100.9'
option dest_port '8190'
option proto 'tcp'
option target 'DNAT'
# NOTE(review): accepts TCP and UDP 51413 from wan to the router itself. Keep this
# only while the download service named in the rule is actually running on the device.
config rule 'ptdownload'
option name 'ingress port for PT download'
option src 'wan'
option dest_port '51413'
option proto 'tcpudp'
option target 'ACCEPT'
# NOTE(review): miniupnpd's include adds port mappings requested by clients at run
# time; those openings never appear in this file. If UPnP/NAT-PMP is not needed,
# disable the service and this include.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'IPv4'
option reload '1'
# Network section (presumably /etc/config/network): interface definitions.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# lan: static 10.0.0.8/24 bridged on eth0; default gateway and DNS are both 10.0.0.138,
# so this device sits behind another router on that subnet.
config interface 'lan'
option ifname 'eth0'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.0.0.8'
option gateway '10.0.0.138'
option mtu '1500'
list dns '10.0.0.138'
# vlan10: separate 192.168.40.0/24 segment on VLAN 10 of eth0 (tagged sub-interface eth0.10).
config interface 'vlan10'
option ifname 'eth0.10'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
# wan: DHCP client on eth1, but auto '0' means it is not brought up at boot.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option auto '0'
config interface 'ifb'
option ifname 'ifb0'
# ready: link-local style 169.254.29.0/24 segment; firewalled by the 'ready' zone.
config interface 'ready'
option proto 'static'
option ipaddr '169.254.29.1'
option netmask '255.255.255.0'
# NOTE(review): no firewall zone in this file lists 'openvpn', so traffic on tun0
# presumably falls through to the global default policies (all ACCEPT) — consider
# assigning it to a zone with explicit policies.
config interface 'openvpn'
option ifname 'tun0'
option proto 'openvpn'
# Wireless section (presumably /etc/config/wireless): 2.4 GHz radio and its interfaces.
config wifi-device 'mt7603e'
option type 'mt7603e'
option vendor 'ralink'
option channel '0'
option bw '0'
option autoch '2'
option radio '1'
option txpwr 'max'
option hwband '2_4G'
option hwmode '11ng'
option disabled '0'
option region '1'
option aregion '6'
option ed_chk '0'
# '<COUNTRY>' is a placeholder; set the real regulatory country code.
option country '<COUNTRY>'
# Main 2.4 GHz access point, bridged into lan.
config wifi-iface
option device 'mt7603e'
option ifname 'wl1'
option network 'lan'
option mode 'ap'
# NOTE(review): 'mixed-psk' accepts WPA as well as WPA2 clients. If no legacy
# client needs WPA/TKIP, a WPA2-only (or newer) mode is the stronger choice.
option encryption 'mixed-psk'
# 'password' is a placeholder. The passphrase is stored in cleartext in this file:
# use a long random value and redact it before sharing the config.
option key 'password'
option macfilter 'disabled'
option disabled '0'
option ssid 'SSID_2G'
option hidden '0'
# Open (unencrypted), hidden SSID attached to the 'ready' network; currently disabled.
# A hidden SSID is not an access control; if this is ever enabled, the 'ready'
# firewall zone is the only thing restricting its clients.
config wifi-iface 'minet_ready'
option disabled '1'
option device 'mt7603e'
option ifname 'wl2'
option network 'ready'
option mode 'ap'
option ssid 'minet_ready'
option hidden '1'
option encryption 'none'
# Guest access point, currently disabled. No encryption or key option is set here —
# confirm what the firmware applies before enabling it.
config wifi-iface 'guest_2G'
option disabled '1'
option device 'mt7603e'
option ifname 'wl3'
option network 'guest'
option mode 'ap'
option wpsdevicename 'XIAOMI_ROUTER_GUEST'
# 5 GHz radio and its interfaces, followed by the 2.4 GHz client (uplink) interface.
config wifi-device 'mt7612'
option type 'mt7612'
option vendor 'ralink'
option channel '0'
option bw '0'
option autoch '2'
option radio '1'
option txpwr 'max'
option hwband '5G'
option hwmode '11ac'
option disabled '0'
option region '1'
option aregion '6'
option ed_chk '0'
# '<COUNTRY>' is a placeholder; set the real regulatory country code.
option country '<COUNTRY>'
# 5 GHz access point, attached to the vlan10 network rather than lan.
config wifi-iface
option device 'mt7612'
option ifname 'wl0'
option network 'vlan10'
option wds '0'
# Client isolation is off: stations on this SSID can talk to each other directly.
option isolate '0'
option mode 'ap'
# NOTE(review): 'mixed-psk' accepts WPA as well as WPA2 clients; prefer a
# WPA2-only (or newer) mode unless a legacy client requires WPA/TKIP.
option encryption 'mixed-psk'
# Placeholder passphrase, stored in cleartext — replace with a long random value.
option key 'password'
option macfilter 'disabled'
option disabled '0'
option ssid 'SSID_5G'
option hidden '0'
# Station-mode interface (apcli0) on the 2.4 GHz radio: joins the upstream network
# 'MAIN_ROUTER_SSID' with WPA2-PSK/AES and is bridged into lan.
config wifi-iface
option ifname 'apcli0'
option network 'lan'
option encryption 'WPA2PSK'
option device 'mt7603e'
option enctype 'AES'
option scanifname 'wl1'
option apcliband '2g'
# This is the upstream router's passphrase, also in cleartext: anyone who can read
# this file can join the upstream network. Redact it before sharing.
option key 'password'
option mode 'sta'
option disabled '0'
option ssid 'MAIN_ROUTER_SSID'