  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. address-group authorized_guests {
  6. description "authorized guest IP addresses (address-group holds IPs, not MACs)"
  7. }
  8. address-group guest_allow_addresses {
  9. description "allow addresses for guests"
  10. }
  11. address-group guest_allow_dns_servers {
  12. description "allowed DNS servers for guests (not referenced by any GUEST_IN rule)"
  13. }
  14. address-group guest_portal_address {
  15. description "guest portal address"
  16. }
  17. address-group guest_restricted_addresses {
  18. address 192.168.0.0/16
  19. address 172.16.0.0/12
  20. address 10.0.0.0/8
  21. description "restricted addresses for guests"
  22. }
  23. address-group unifi_controller_addresses {
  24. address 192.168.0.11
  25. }
  26. address-group voip_sip_server_addresses {
  27. description "VOIP SIP server addresses"
  28. }
  29. network-group captive_portal_subnets {
  30. description "captive portal subnets"
  31. }
  32. network-group corporate_network {
  33. description "corporate subnets"
  34. network 192.168.0.0/24
  35. }
  36. network-group guest_allow_subnets {
  37. description "allow subnets for guests"
  38. }
  39. network-group guest_network {
  40. description "guest subnets"
  41. }
  42. network-group guest_restricted_subnets {
  43. description "restricted subnets for guests"
  44. }
  45. network-group remote_user_vpn_network {
  46. description "remote user vpn subnets"
  47. }
  48. network-group voip_network {
  49. description "voip subnets"
  50. }
  51. port-group guest_portal_ports {
  52. description "guest portal ports"
  53. }
  54. port-group guest_portal_redirector_ports {
  55. description "guest portal redirector ports"
  56. port 39080
  57. }
  58. port-group unifi_controller_ports-tcp {
  59. description "unifi tcp ports"
  60. port 8080
  61. }
  62. port-group unifi_controller_ports-udp {
  63. description "unifi udp ports"
  64. port 3478
  65. }
  66. port-group voip_sip_server_ports {
  67. description "voip sip server udp ports"
  68. port 5060
  69. port 10000-10100
  70. }
  71. }
  72. name AUTHORIZED_GUESTS {
  73. default-action drop
  74. description "authorization check packets from guest network"
  75. }
  76. name GUEST_IN {
  77. default-action accept
  78. description "packets from guest network"
  79. rule 3001 {
  80. action accept
  81. description "allow UDP/53 to any destination (not limited to guest_allow_dns_servers; matches before the intranet drops below)"
  82. destination {
  83. port 53
  84. }
  85. protocol udp
  86. }
  87. rule 3002 {
  88. action accept
  89. description "allow packets to captive portal"
  90. destination {
  91. group {
  92. network-group captive_portal_subnets
  93. }
  94. port 443
  95. }
  96. protocol tcp
  97. }
  98. rule 3003 {
  99. action accept
  100. description "allow packets to guest_allow_addresses"
  101. destination {
  102. group {
  103. address-group guest_allow_addresses
  104. }
  105. }
  106. }
  107. rule 3004 {
  108. action drop
  109. description "drop packets to restricted subnets"
  110. destination {
  111. group {
  112. address-group guest_restricted_addresses
  113. }
  114. }
  115. }
  116. rule 3005 {
  117. action drop
  118. description "drop packets to intranet"
  119. destination {
  120. group {
  121. network-group corporate_network
  122. }
  123. }
  124. }
  125. rule 3006 {
  126. action drop
  127. description "drop packets to voip"
  128. destination {
  129. group {
  130. network-group voip_network
  131. }
  132. }
  133. }
  134. rule 3007 {
  135. action drop
  136. description "drop packets to remote user"
  137. destination {
  138. group {
  139. network-group remote_user_vpn_network
  140. }
  141. }
  142. }
  143. rule 3008 {
  144. action drop
  145. description "drop packets destined to authorized_guests address group"
  146. destination {
  147. group {
  148. address-group authorized_guests
  149. }
  150. }
  151. }
  152. }
  153. name GUEST_LOCAL {
  154. default-action drop
  155. description "packets from guest network to gateway"
  156. rule 3001 {
  157. action accept
  158. description "allow DNS"
  159. destination {
  160. port 53
  161. }
  162. protocol udp
  163. }
  164. rule 3002 {
  165. action accept
  166. description "allow ICMP"
  167. protocol icmp
  168. }
  169. }
  170. name GUEST_OUT {
  171. default-action accept
  172. description "packets forward to guest network"
  173. }
  174. name LAN_IN {
  175. default-action accept
  176. description "packets from intranet"
  177. rule 3001 {
  178. action accept
  179. description "packets from unifi to voip"
  180. destination {
  181. group {
  182. network-group voip_network
  183. }
  184. }
  185. source {
  186. group {
  187. address-group unifi_controller_addresses
  188. }
  189. }
  190. }
  191. rule 3002 {
  192. action drop
  193. description "packets from intranet to voip"
  194. destination {
  195. group {
  196. network-group voip_network
  197. }
  198. }
  199. }
  200. rule 6001 {
  201. action accept
  202. description "accounting defined network 192.168.0.0/24"
  203. source {
  204. address 192.168.0.0/24
  205. }
  206. }
  207. }
  208. name LAN_LOCAL {
  209. default-action accept
  210. description "packets from intranet to gateway"
  211. }
  212. name LAN_OUT {
  213. default-action accept
  214. description "packets forward to intranet"
  215. rule 6001 {
  216. action accept
  217. description "accounting defined network 192.168.0.0/24"
  218. destination {
  219. address 192.168.0.0/24
  220. }
  221. }
  222. }
  223. name VOIP_IN {
  224. default-action accept
  225. description "packets from voip network (voip to intranet is dropped by rule 3006)"
  226. rule 3001 {
  227. action accept
  228. description "icmp to unifi"
  229. destination {
  230. group {
  231. address-group unifi_controller_addresses
  232. }
  233. }
  234. protocol icmp
  235. }
  236. rule 3002 {
  237. action accept
  238. description "inform to unifi"
  239. destination {
  240. group {
  241. address-group unifi_controller_addresses
  242. port-group unifi_controller_ports-tcp
  243. }
  244. }
  245. protocol tcp
  246. }
  247. rule 3003 {
  248. action accept
  249. description "stun to unifi"
  250. destination {
  251. group {
  252. address-group unifi_controller_addresses
  253. port-group unifi_controller_ports-udp
  254. }
  255. }
  256. protocol udp
  257. }
  258. rule 3004 {
  259. action accept
  260. description "allow established/related sessions"
  261. destination {
  262. group {
  263. address-group unifi_controller_addresses
  264. }
  265. }
  266. state {
  267. established enable
  268. invalid disable
  269. new disable
  270. related enable
  271. }
  272. }
  273. rule 3005 {
  274. action drop
  275. description "drop invalid state"
  276. destination {
  277. group {
  278. address-group unifi_controller_addresses
  279. }
  280. }
  281. state {
  282. established disable
  283. invalid enable
  284. new disable
  285. related disable
  286. }
  287. }
  288. rule 3006 {
  289. action drop
  290. description "drop VoIP to LAN traffic"
  291. destination {
  292. group {
  293. network-group corporate_network
  294. }
  295. }
  296. }
  297. rule 3007 {
  298. action drop
  299. description "drop VoIP to GUEST traffic"
  300. destination {
  301. group {
  302. network-group guest_network
  303. }
  304. }
  305. }
  306. rule 3008 {
  307. action drop
  308. description "drop VoIP to REMOTE USER traffic"
  309. destination {
  310. group {
  311. network-group remote_user_vpn_network
  312. }
  313. }
  314. }
  315. }
  316. name VOIP_LOCAL {
  317. default-action drop
  318. description "packets from voip to gateway"
  319. rule 3001 {
  320. action accept
  321. description "allow DNS"
  322. destination {
  323. port 53
  324. }
  325. protocol udp
  326. }
  327. rule 3002 {
  328. action accept
  329. description "allow ICMP"
  330. protocol icmp
  331. }
  332. rule 3003 {
  333. action accept
  334. description "allow established/related sessions"
  335. state {
  336. established enable
  337. invalid disable
  338. new disable
  339. related enable
  340. }
  341. }
  342. rule 3004 {
  343. action drop
  344. description "drop invalid state"
  345. state {
  346. established disable
  347. invalid enable
  348. new disable
  349. related disable
  350. }
  351. }
  352. }
  353. name VOIP_OUT {
  354. default-action accept
  355. description "packets forward to voip"
  356. }
  357. name WAN_IN {
  358. default-action drop
  359. description "packets from internet to intranet"
  360. rule 3001 {
  361. action accept
  362. description "allow established/related sessions"
  363. state {
  364. established enable
  365. invalid disable
  366. new disable
  367. related enable
  368. }
  369. }
  370. rule 3002 {
  371. action drop
  372. description "drop invalid state"
  373. state {
  374. established disable
  375. invalid enable
  376. new disable
  377. related disable
  378. }
  379. }
  380. rule 3003 {
  381. action accept
  382. description "PortForward [tcp/443 to 192.168.0.68, logged]"
  383. destination {
  384. address 192.168.0.68
  385. port 443
  386. }
  387. log enable
  388. protocol tcp
  389. }
  390. }
  391. name WAN_LOCAL {
  392. default-action drop
  393. description "packets from internet to gateway"
  394. rule 3001 {
  395. action accept
  396. description "allow established/related sessions"
  397. state {
  398. established enable
  399. invalid disable
  400. new disable
  401. related enable
  402. }
  403. }
  404. rule 3002 {
  405. action drop
  406. description "drop invalid state"
  407. state {
  408. established disable
  409. invalid enable
  410. new disable
  411. related disable
  412. }
  413. }
  414. rule 3003 {
  415. action accept
  416. description "allow ICMP"
  417. protocol icmp
  418. }
  419. }
  420. options {
  421. mss-clamp {
  422. interface-type pppoe
  423. interface-type pptp
  424. mss 1412
  425. }
  426. }
  427. receive-redirects disable
  428. send-redirects enable
  429. syn-cookies enable
  430. }
  431. interfaces {
  432. ethernet eth0 {
  433. address 192.168.0.1/24
  434. firewall {
  435. in {
  436. name LAN_IN
  437. }
  438. local {
  439. name LAN_LOCAL
  440. }
  441. out {
  442. name LAN_OUT
  443. }
  444. }
  445. }
  446. ethernet eth1 {
  447. disable
  448. }
  449. ethernet eth2 {
  450. address aa.bb.cc.dd/ee
  451. firewall {
  452. in {
  453. name WAN_IN
  454. }
  455. local {
  456. name WAN_LOCAL
  457. }
  458. }
  459. }
  460. ethernet eth3 {
  461. disable
  462. firewall {
  463. in {
  464. name WAN_IN
  465. }
  466. local {
  467. name WAN_LOCAL
  468. }
  469. }
  470. }
  471. loopback lo {
  472. }
  473. }
  474. port-forward {
  475. auto-firewall disable
  476. hairpin-nat enable
  477. lan-interface eth0
  478. rule 3001 {
  479. description "tcp/443 to 192.168.0.68"
  480. forward-to {
  481. address 192.168.0.68
  482. }
  483. original-port 443
  484. protocol tcp
  485. }
  486. wan-interface eth2
  487. }
  488. protocols {
  489. static {
  490. route 0.0.0.0/0 {
  491. next-hop aa.bb.cc.dd {
  492. }
  493. }
  494. }
  495. }
  496. service {
  497. dhcp-server {
  498. disabled false
  499. hostfile-update enable
  500. shared-network-name LAN_192.168.0.0-24 {
  501. authoritative enable
  502. description vlan1
  503. subnet 192.168.0.0/24 {
  504. default-router 192.168.0.1
  505. dns-server 8.8.8.8
  506. dns-server 8.8.4.4
  507. lease 86400
  508. start 192.168.0.30 {
  509. stop 192.168.0.200
  510. }
  511. static-mapping 0c-4d-e9-d3-bc-86 {
  512. ip-address 192.168.0.13
  513. mac-address 0c:4d:e9:d3:bc:86
  514. }
  515. static-mapping 5c-96-9d-6f-2e-64 {
  516. ip-address 192.168.0.210
  517. mac-address 5c:96:9d:6f:2e:64
  518. }
  519. static-mapping 08-00-23-6f-2a-33 {
  520. ip-address 192.168.0.9
  521. mac-address 08:00:23:6f:2a:33
  522. }
  523. static-mapping 38-c9-86-31-ca-fd {
  524. ip-address 192.168.0.202
  525. mac-address 38:c9:86:31:ca:fd
  526. }
  527. static-mapping bc-c3-42-03-0c-29 {
  528. ip-address 192.168.0.10
  529. mac-address bc:c3:42:03:0c:29
  530. }
  531. }
  532. }
  533. }
  534. dns {
  535. forwarding {
  536. cache-size 500
  537. except-interface eth2
  538. options host-record=unifi,192.168.0.11
  539. }
  540. }
  541. gui {
  542. https-port 443
  543. }
  544. lldp {
  545. interface eth2 {
  546. disable
  547. }
  548. interface eth3 {
  549. disable
  550. }
  551. }
  552. nat {
  553. rule 6001 {
  554. description "MASQ corporate_network to WAN"
  555. log disable
  556. outbound-interface eth2
  557. protocol all
  558. source {
  559. group {
  560. network-group corporate_network
  561. }
  562. }
  563. type masquerade
  564. }
  565. rule 6002 {
  566. description "MASQ voip_network to WAN"
  567. log disable
  568. outbound-interface eth2
  569. protocol all
  570. source {
  571. group {
  572. network-group voip_network
  573. }
  574. }
  575. type masquerade
  576. }
  577. rule 6003 {
  578. description "MASQ remote_user_vpn_network to WAN"
  579. log disable
  580. outbound-interface eth2
  581. protocol all
  582. source {
  583. group {
  584. network-group remote_user_vpn_network
  585. }
  586. }
  587. type masquerade
  588. }
  589. rule 6004 {
  590. description "MASQ guest_network to WAN"
  591. log disable
  592. outbound-interface eth2
  593. protocol all
  594. source {
  595. group {
  596. network-group guest_network
  597. }
  598. }
  599. type masquerade
  600. }
  601. }
  602. ssh {
  603. port 22
  604. protocol-version v2
  605. }
  606. }
  607. system {
  608. host-name USG4P
  609. login {
  610. user admin {
  611. authentication {
  612. encrypted-password ****************
  613. }
  614. level admin
  615. }
  616. }
  617. name-server 8.8.8.8
  618. name-server 8.8.4.4
  619. ntp {
  620. server 0.ubnt.pool.ntp.org {
  621. }
  622. }
  623. offload {
  624. ipsec enable
  625. ipv4 {
  626. forwarding enable
  627. pppoe enable
  628. vlan enable
  629. }
  630. ipv6 {
  631. forwarding enable
  632. vlan enable
  633. }
  634. }
  635. static-host-mapping {
  636. host-name setup.ubnt.com {
  637. alias setup
  638. inet 192.168.0.1
  639. }
  640. }
  641. syslog {
  642. global {
  643. facility all {
  644. level notice
  645. }
  646. facility protocols {
  647. level debug
  648. }
  649. }
  650. }
  651. time-zone Europe/Moscow
  652. traffic-analysis {
  653. dpi disable
  654. }
  655. }
  656. unifi {
  657. mgmt {
  658. cfgversion e9502a244cdf1d36
  659. }
  660. }