Used for giving wired devices (such as femtocells) access to the internet without access to local devices.
Following is rules required assuming subnet desired is 192.168.71.1/24.
Last active
January 23, 2017 21:22
-
-
Save wjdp/ddecaa2c1b8e0a02f67c61328876a556 to your computer and use it in GitHub Desktop.
USG LAN2 / EXT network
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| firewall { | |
| name EXT_IN { | |
| default-action accept | |
| description "packets from ext to intranet" | |
| rule 3006 { | |
| action drop | |
| description "drop EXT to LAN traffic" | |
| destination { | |
| group { | |
| network-group corporate_network | |
| } | |
| } | |
| } | |
| rule 3007 { | |
| action drop | |
| description "drop EXT to GUEST traffic" | |
| destination { | |
| group { | |
| network-group guest_network | |
| } | |
| } | |
| } | |
| rule 3008 { | |
| action drop | |
| description "drop EXT to REMOTE USER traffic" | |
| destination { | |
| group { | |
| network-group remote_user_vpn_network | |
| } | |
| } | |
| } | |
| } | |
| name EXT_LOCAL { | |
| default-action drop | |
| description "packets from ext to gateway" | |
| rule 3001 { | |
| action accept | |
| description "allow DNS" | |
| destination { | |
| port 53 | |
| } | |
| protocol udp | |
| } | |
| rule 3002 { | |
| action accept | |
| description "allow ICMP" | |
| protocol icmp | |
| } | |
| rule 3003 { | |
| action accept | |
| description "allow established/related sessions" | |
| state { | |
| established enable | |
| invalid disable | |
| new disable | |
| related enable | |
| } | |
| } | |
| rule 3004 { | |
| action drop | |
| description "drop invalid state" | |
| state { | |
| established disable | |
| invalid enable | |
| new disable | |
| related disable | |
| } | |
| } | |
| } | |
| name EXT_OUT { | |
| default-action accept | |
| description "packets forward to EXT" | |
| } | |
| } | |
| interfaces { | |
| ethernet eth2 { | |
| address 192.168.72.1/24 | |
| firewall { | |
| in { | |
| name EXT_IN | |
| } | |
| local { | |
| name EXT_LOCAL | |
| } | |
| out { | |
| name EXT_OUT | |
| } | |
| } | |
| } | |
| } | |
| service { | |
| dhcp-server { | |
| shared-network-name EXT_DHCP { | |
| authoritative enable | |
| subnet 192.168.71.1/24 { | |
| default-router 192.168.71.1 | |
| dns-server 192.168.71.1 | |
| lease 86400 | |
| start 192.168.71.100 { | |
| stop 192.168.71.199 | |
| } | |
| } | |
| } | |
| nat { | |
| rule 6002 { | |
| description "MASQ EXT_network to WAN" | |
| log disable | |
| outbound-interface pppoe0 | |
| protocol all | |
| source { | |
| group { | |
| network-group EXT_network | |
| } | |
| } | |
| type masquerade | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment