  /* Firewall configuration: address/network/port groups, IPv6 (ipv6-name) and
     IPv4 (name) rulesets, and global options. Rules inside a ruleset are
     checked in ascending rule-number order; default-action applies when no
     rule matches. Which ruleset guards which interface and direction is set
     under the interfaces block further down. */
  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  /* Several groups below carry only a description and no members
     (authorized_guests, guest_allow_addresses, guest_network, the VPN
     networks, ...). Rules that reference them have nothing to match until
     members are added — presumably controller-managed placeholders; verify
     before relying on any rule that uses them. */
  5. address-group authorized_guests {
  6. description "authorized guests MAC addresses"
  7. }
  8. address-group guest_allow_addresses {
  9. description "allow addresses for guests"
  10. }
  11. address-group guest_allow_dns_servers {
  12. description "allow dns servers for guests"
  13. }
  14. address-group guest_portal_address {
  15. description "guest portal address"
  16. }
  17. address-group guest_restricted_addresses {
  /* The three RFC 1918 private ranges; matched by GUEST_IN rule 3004. */
  18. address 192.168.0.0/16
  19. address 172.16.0.0/12
  20. address 10.0.0.0/8
  21. description "restricted addresses for guests"
  22. }
  23. address-group unifi_controller_addresses {
  /* Same host that every WAN_IN port-forward allow rule (3003-3006) targets. */
  24. address 192.168.1.4
  25. }
  26. ipv6-network-group corporate_networkv6 {
  27. description "IPv6 corporate subnets"
  28. }
  29. ipv6-network-group guest_networkv6 {
  30. description "IPv6 guest subnets"
  31. }
  32. network-group captive_portal_subnets {
  33. description "captive portal subnets"
  34. }
  35. network-group corporate_network {
  /* The two LAN subnets (eth1 and eth2); used by GUEST_IN rule 3005 and the
     masquerade NAT rule 6001. */
  36. description "corporate subnets"
  37. network 192.168.1.0/24
  38. network 192.168.2.0/24
  39. }
  40. network-group guest_allow_subnets {
  41. description "allow subnets for guests"
  42. }
  43. network-group guest_network {
  44. description "guest subnets"
  45. }
  46. network-group guest_restricted_subnets {
  47. description "restricted subnets for guests"
  48. }
  49. network-group remote_client_vpn_network {
  50. description "remote client VPN subnets"
  51. }
  52. network-group remote_site_vpn_network {
  53. description "remote site VPN subnets"
  54. }
  55. network-group remote_user_vpn_network {
  56. description "Remote User VPN subnets"
  57. }
  58. port-group guest_portal_ports {
  59. description "guest portal ports"
  60. }
  61. port-group guest_portal_redirector_ports {
  62. description "guest portal redirector ports"
  63. port 39080
  64. port 39443
  65. }
  66. port-group unifi_controller_ports-tcp {
  /* Presumably the controller inform port; not referenced by any rule here. */
  67. description "unifi tcp ports"
  68. port 8080
  69. }
  70. port-group unifi_controller_ports-udp {
  /* Presumably STUN; not referenced by any rule here. */
  71. description "unifi udp ports"
  72. port 3478
  73. }
  74. }
  75. ipv6-name AUTHORIZED_GUESTSv6 {
  76. default-action drop
  77. description "authorization check packets from guest network"
  78. }
  79. ipv6-name GUESTv6_IN {
  /* Default accept; the only restriction is the drop toward the (currently
     empty) corporate_networkv6 group. */
  80. default-action accept
  81. description "packets from guest network"
  82. rule 3001 {
  83. action drop
  84. description "drop packets to intranet"
  85. destination {
  86. group {
  87. ipv6-network-group corporate_networkv6
  88. }
  89. }
  90. }
  91. }
  92. ipv6-name GUESTv6_LOCAL {
  93. default-action drop
  94. description "packets from guest network to gateway"
  95. rule 3001 {
  96. action accept
  97. description "allow DNS"
  98. destination {
  99. port 53
  100. }
  101. protocol udp
  102. }
  103. rule 3002 {
  104. action accept
  105. description "allow ICMP"
  /* NOTE(review): this is an IPv6 ruleset but the match is "protocol icmp",
     whereas WANv6_LOCAL rules 3001/3002 use "protocol ipv6-icmp" for ICMPv6.
     Confirm this rule really admits ICMPv6 (neighbor discovery) as the
     description implies; otherwise default-action drop applies to it. */
  106. protocol icmp
  107. }
  108. }
  109. ipv6-name GUESTv6_OUT {
  110. default-action accept
  111. description "packets forward to guest network"
  112. }
  113. ipv6-name LANv6_IN {
  114. default-action accept
  115. description "packets from intranet"
  116. }
  117. ipv6-name LANv6_LOCAL {
  118. default-action accept
  119. description "packets from intranet to gateway"
  120. }
  121. ipv6-name LANv6_OUT {
  122. default-action accept
  123. description "packets forward to intranet"
  124. }
  125. ipv6-name WANv6_IN {
  /* Internet -> LAN over IPv6: default drop, stateful allow for
     established/related only, explicit drop of invalid state. */
  126. default-action drop
  127. description "packets from internet to intranet"
  128. rule 3001 {
  129. action accept
  130. description "allow established/related sessions"
  131. state {
  132. established enable
  133. invalid disable
  134. new disable
  135. related enable
  136. }
  137. }
  138. rule 3002 {
  139. action drop
  140. description "drop invalid state"
  141. state {
  142. established disable
  143. invalid enable
  144. new disable
  145. related disable
  146. }
  147. }
  148. }
  149. ipv6-name WANv6_LOCAL {
  /* Internet -> gateway over IPv6: default drop; only neighbor discovery
     (NA/NS) and established/related are admitted. NOTE(review): no rule here
     admits router advertisements or DHCPv6 — if eth0 is ever given IPv6 via
     SLAAC/DHCPv6 (this dump shows eth0 with IPv4 "address dhcp" only), confirm
     those packets are not dropped by the default action. */
  150. default-action drop
  151. description "packets from internet to gateway"
  152. rule 3001 {
  153. action accept
  154. description "Allow neighbor advertisements"
  155. icmpv6 {
  156. type neighbor-advertisement
  157. }
  158. protocol ipv6-icmp
  159. }
  160. rule 3002 {
  161. action accept
  162. description "Allow neighbor solicitation"
  163. icmpv6 {
  164. type neighbor-solicitation
  165. }
  166. protocol ipv6-icmp
  167. }
  168. rule 3003 {
  169. action accept
  170. description "allow established/related sessions"
  171. state {
  172. established enable
  173. invalid disable
  174. new disable
  175. related enable
  176. }
  177. }
  178. rule 3004 {
  179. action drop
  180. description "drop invalid state"
  181. state {
  182. established disable
  183. invalid enable
  184. new disable
  185. related disable
  186. }
  187. }
  188. }
  189. ipv6-name WANv6_OUT {
  190. default-action accept
  191. description "packets to internet"
  192. }
  193. name AUTHORIZED_GUESTS {
  194. default-action drop
  195. description "authorization check packets from guest network"
  196. }
  197. name GUEST_IN {
  /* Guest -> forwarded traffic. Default accept: only the explicit drop rules
     below restrict guests. NOTE(review): rule 3001 (port 53 to ANY
     destination) is evaluated before the drops in 3004/3005, so DNS traffic
     from guests to intranet hosts (e.g. the gateway's forwarder on
     192.168.1.1) is accepted before those drops are reached — confirm that
     is intended; the guest_allow_dns_servers group exists but is unused. */
  198. default-action accept
  199. description "packets from guest network"
  200. rule 3001 {
  201. action accept
  202. description "allow DNS packets to external name servers"
  203. destination {
  204. port 53
  205. }
  206. protocol tcp_udp
  207. }
  208. rule 3002 {
  209. action accept
  210. description "allow packets to captive portal"
  211. destination {
  212. group {
  213. network-group captive_portal_subnets
  214. }
  215. port 443
  216. }
  217. protocol tcp
  218. }
  219. rule 3003 {
  220. action accept
  221. description "allow packets to allow subnets"
  222. destination {
  223. group {
  224. address-group guest_allow_addresses
  225. }
  226. }
  227. }
  228. rule 3004 {
  229. action drop
  230. description "drop packets to restricted subnets"
  231. destination {
  232. group {
  233. address-group guest_restricted_addresses
  234. }
  235. }
  236. }
  237. rule 3005 {
  238. action drop
  239. description "drop packets to intranet"
  240. destination {
  241. group {
  242. network-group corporate_network
  243. }
  244. }
  245. }
  246. rule 3006 {
  247. action drop
  248. description "drop packets to remote user"
  249. destination {
  250. group {
  251. network-group remote_user_vpn_network
  252. }
  253. }
  254. }
  255. rule 3007 {
  /* NOTE(review): the description says "white list" but the action is drop,
     and authorized_guests has no members, so this rule currently matches
     nothing. Confirm the intended semantics before adding members. */
  256. action drop
  257. description "authorized guests white list"
  258. destination {
  259. group {
  260. address-group authorized_guests
  261. }
  262. }
  263. }
  264. }
  265. name GUEST_LOCAL {
  /* Guest -> gateway itself: default drop; only DNS (53/udp), ICMP and DHCP
     client->server (68 -> 67/udp) are admitted. */
  266. default-action drop
  267. description "packets from guest network to gateway"
  268. rule 3001 {
  269. action accept
  270. description "allow DNS"
  271. destination {
  272. port 53
  273. }
  274. protocol udp
  275. }
  276. rule 3002 {
  277. action accept
  278. description "allow ICMP"
  279. protocol icmp
  280. }
  281. rule 3003 {
  282. action accept
  283. description "allow to DHCP server"
  284. destination {
  285. port 67
  286. }
  287. protocol udp
  288. source {
  289. port 68
  290. }
  291. }
  292. }
  293. name GUEST_OUT {
  294. default-action accept
  295. description "packets forward to guest network"
  296. }
  297. name LAN_IN {
  /* Default accept; the two per-subnet accept rules add no restriction and,
     by their description, look like per-network accounting counters
     (presumably controller-generated). Note there is no rule separating
     192.168.1.0/24 from 192.168.2.0/24 — the two LANs can reach each other. */
  298. default-action accept
  299. description "packets from intranet"
  300. rule 6001 {
  301. action accept
  302. description "accounting defined network 192.168.1.0/24"
  303. source {
  304. address 192.168.1.0/24
  305. }
  306. }
  307. rule 6002 {
  308. action accept
  309. description "accounting defined network 192.168.2.0/24"
  310. source {
  311. address 192.168.2.0/24
  312. }
  313. }
  314. }
  315. name LAN_LOCAL {
  /* LAN -> gateway: everything accepted, so SSH and the HTTPS GUI are reachable
     from both LANs. */
  316. default-action accept
  317. description "packets from intranet to gateway"
  318. rule 2000 {
  319. action accept
  320. description "allow all"
  321. protocol all
  322. }
  323. }
  324. name LAN_OUT {
  325. default-action accept
  326. description "packets forward to intranet"
  327. rule 6001 {
  328. action accept
  329. description "accounting defined network 192.168.1.0/24"
  330. destination {
  331. address 192.168.1.0/24
  332. }
  333. }
  334. rule 6002 {
  335. action accept
  336. description "accounting defined network 192.168.2.0/24"
  337. destination {
  338. address 192.168.2.0/24
  339. }
  340. }
  341. }
  342. name WAN_IN {
  /* Internet -> LAN over IPv4. Default drop; established/related accepted,
     invalid dropped, then four hand-written allow rules that pair with the
     port-forward rules (auto-firewall is disabled there, so these two lists
     must be kept in sync manually). None of the accept rules enables logging,
     so inbound hits on the forwarded ports leave no trace in syslog. */
  343. default-action drop
  344. description "packets from internet to intranet"
  345. rule 3001 {
  346. action accept
  347. description "allow established/related sessions"
  348. state {
  349. established enable
  350. invalid disable
  351. new disable
  352. related enable
  353. }
  354. }
  355. rule 3002 {
  356. action drop
  357. description "drop invalid state"
  358. state {
  359. established disable
  360. invalid enable
  361. new disable
  362. related disable
  363. }
  364. }
  365. rule 3003 {
  366. action accept
  367. description "PortForward [Plex]"
  368. destination {
  369. address 192.168.1.4
  370. port 32400
  371. }
  372. protocol tcp_udp
  373. }
  374. rule 3004 {
  /* NOTE(review): RDP (3389) is accepted from any Internet source to
     192.168.1.4 — no source restriction and no logging. Prefer reaching RDP
     over a VPN or restrict the source, and enable "log" on this rule so
     connection attempts are visible. */
  375. action accept
  376. description "PortForward [RDP]"
  377. destination {
  378. address 192.168.1.4
  379. port 3389
  380. }
  381. protocol tcp_udp
  382. }
  383. rule 3005 {
  384. action accept
  385. description "PortForward [TS]"
  386. destination {
  387. address 192.168.1.4
  388. port 10011,9987,30033
  389. }
  390. protocol tcp_udp
  391. }
  392. rule 3006 {
  /* NOTE(review): a BitTorrent client port on the same host that runs RDP and
     the UniFi controller (192.168.1.4). That host carries the whole exposed
     surface; consider segmenting these services. */
  393. action accept
  394. description "PortForward [uTorrent]"
  395. destination {
  396. address 192.168.1.4
  397. port 44776
  398. }
  399. protocol tcp_udp
  400. }
  401. }
  402. name WAN_LOCAL {
  /* Internet -> gateway itself: default drop with only established/related
     accepted, so SSH (22) and the HTTPS GUI (443) configured under service are
     not reachable from eth0 unless a rule is added here. */
  403. default-action drop
  404. description "packets from internet to gateway"
  405. rule 3001 {
  406. action accept
  407. description "allow established/related sessions"
  408. state {
  409. established enable
  410. invalid disable
  411. new disable
  412. related enable
  413. }
  414. }
  415. rule 3002 {
  416. action drop
  417. description "drop invalid state"
  418. state {
  419. established disable
  420. invalid enable
  421. new disable
  422. related disable
  423. }
  424. }
  425. }
  426. name WAN_OUT {
  427. default-action accept
  428. description "packets to internet"
  429. }
  430. options {
  /* TCP MSS clamping for tunnel/PPP interface types (not applied to eth0 as
     configured, which is plain DHCP). */
  431. mss-clamp {
  432. interface-type pppoe
  433. interface-type pptp
  434. interface-type vti
  435. mss 1452
  436. }
  437. mss-clamp6 {
  438. interface-type pppoe
  439. interface-type pptp
  440. mss 1452
  441. }
  442. }
  /* Ignore incoming ICMP redirects, still emit them, and use SYN cookies. */
  443. receive-redirects disable
  444. send-redirects enable
  445. syn-cookies enable
  446. }
  /* Physical interfaces and the firewall rulesets bound to each direction.
     eth0 is the WAN (IPv4 address from upstream DHCP); eth1 and eth2 are the
     two LANs. Note that the GUEST_* / GUESTv6_* rulesets defined under firewall
     are not bound to any interface here. */
  447. interfaces {
  448. ethernet eth0 {
  449. address dhcp
  450. dhcp-options {
  451. client-option "retry 60;"
  452. default-route-distance 1
  453. }
  /* in = forwarded traffic arriving on eth0, local = traffic to the gateway
     itself, out = traffic leaving via eth0. */
  454. firewall {
  455. in {
  456. ipv6-name WANv6_IN
  457. name WAN_IN
  458. }
  459. local {
  460. ipv6-name WANv6_LOCAL
  461. name WAN_LOCAL
  462. }
  463. out {
  464. ipv6-name WANv6_OUT
  465. name WAN_OUT
  466. }
  467. }
  468. }
  469. ethernet eth1 {
  470. address 192.168.1.1/24
  471. firewall {
  472. in {
  473. ipv6-name LANv6_IN
  474. name LAN_IN
  475. }
  476. local {
  477. ipv6-name LANv6_LOCAL
  478. name LAN_LOCAL
  479. }
  480. out {
  481. ipv6-name LANv6_OUT
  482. name LAN_OUT
  483. }
  484. }
  485. }
  /* Second LAN; uses the same (accept-all) LAN rulesets as eth1. */
  486. ethernet eth2 {
  487. address 192.168.2.1/24
  488. firewall {
  489. in {
  490. ipv6-name LANv6_IN
  491. name LAN_IN
  492. }
  493. local {
  494. ipv6-name LANv6_LOCAL
  495. name LAN_LOCAL
  496. }
  497. out {
  498. ipv6-name LANv6_OUT
  499. name LAN_OUT
  500. }
  501. }
  502. }
  503. loopback lo {
  504. }
  505. }
  /* Destination NAT from eth0 to 192.168.1.4. auto-firewall disable means the
     matching WAN_IN accept rules (3003-3006) are maintained by hand and must
     be kept in sync with the rules here. hairpin-nat enable lets clients on
     eth1/eth2 reach the forwards through the WAN address. Nothing here limits
     the source, so every forwarded port is open to the whole Internet. */
  506. port-forward {
  507. auto-firewall disable
  508. hairpin-nat enable
  509. lan-interface eth2
  510. lan-interface eth1
  511. rule 3001 {
  512. description Plex
  513. forward-to {
  514. address 192.168.1.4
  515. }
  516. original-port 32400
  517. protocol tcp_udp
  518. }
  /* NOTE(review): RDP exposed directly to the Internet. Prefer VPN access or a
     source restriction; at minimum make sure the target host enforces lockout
     and that WAN_IN rule 3004 logs hits. */
  519. rule 3002 {
  520. description RDP
  521. forward-to {
  522. address 192.168.1.4
  523. }
  524. original-port 3389
  525. protocol tcp_udp
  526. }
  /* TeamSpeak: voice (9987/udp), ServerQuery (10011/tcp) and file transfer
     (30033/tcp) — all forwarded as tcp_udp here. */
  527. rule 3003 {
  528. description TS
  529. forward-to {
  530. address 192.168.1.4
  531. }
  532. original-port 10011,9987,30033
  533. protocol tcp_udp
  534. }
  535. rule 3004 {
  536. description uTorrent
  537. forward-to {
  538. address 192.168.1.4
  539. }
  540. original-port 44776
  541. protocol tcp_udp
  542. }
  543. wan-interface eth0
  544. }
  /* Services run on the gateway: DHCP, DNS forwarding, HTTPS GUI, LLDP, mDNS
     reflection, source NAT and SSH. Reachability of the GUI and SSH from eth0
     is governed by WAN_LOCAL (default drop); from the LANs by LAN_LOCAL
     (allow all). */
  545. service {
  546. dhcp-server {
  547. disabled false
  548. hostfile-update enable
  /* LAN 1 (eth1). Clients receive two public resolvers plus the gateway;
     the gateway's own forwarder is only the third choice. */
  549. shared-network-name net_DarkWeb_LAN_192.168.1.0-24 {
  550. authoritative enable
  551. description vlan1
  552. subnet 192.168.1.0/24 {
  553. default-router 192.168.1.1
  554. dns-server 8.8.8.8
  555. dns-server 8.8.4.4
  556. dns-server 192.168.1.1
  557. domain-name localdomain
  558. lease 86400
  559. start 192.168.1.6 {
  560. stop 192.168.1.254
  561. }
  /* Fixed lease; the only static host on this network. */
  562. static-mapping 6c-ad-f8-bd-a7-13 {
  563. ip-address 192.168.1.8
  564. mac-address 6c:ad:f8:bd:a7:13
  565. }
  566. }
  567. }
  /* LAN 2 (eth2). Clients resolve only through the gateway. */
  568. shared-network-name net_Darkweb_LAN2_192.168.2.0-24 {
  569. authoritative enable
  570. description vlan4012
  571. subnet 192.168.2.0/24 {
  572. default-router 192.168.2.1
  573. dns-server 192.168.2.1
  574. lease 86400
  575. start 192.168.2.6 {
  576. stop 192.168.2.254
  577. }
  578. }
  579. }
  580. use-dnsmasq disable
  581. }
  582. dns {
  /* The forwarder does not listen on eth0 (except-interface), so it cannot be
     used as an open resolver from the Internet. The two options add a PTR for
     the gateway and an A record for the controller host. */
  583. forwarding {
  584. cache-size 10000
  585. except-interface eth0
  586. options ptr-record=1.1.168.192.in-addr.arpa,Darkweb-gateway
  587. options host-record=unifi,192.168.1.4
  588. }
  589. }
  590. gui {
  591. https-port 443
  592. }
  /* No LLDP advertisements toward the upstream on eth0. */
  593. lldp {
  594. interface eth0 {
  595. disable
  596. }
  597. }
  /* NOTE(review): the reflector is not limited to specific interfaces in this
     config — confirm it is not also repeating mDNS across eth0 (WAN). */
  598. mdns {
  599. reflector
  600. }
  /* Source NAT to the eth0 address for the LANs, the remote-user VPN and the
     guest network; the latter two groups have no members in this config.
     Logging is off on all three. */
  601. nat {
  602. rule 6001 {
  603. description "MASQ corporate_network to WAN"
  604. log disable
  605. outbound-interface eth0
  606. protocol all
  607. source {
  608. group {
  609. network-group corporate_network
  610. }
  611. }
  612. type masquerade
  613. }
  614. rule 6002 {
  615. description "MASQ remote_user_vpn_network to WAN"
  616. log disable
  617. outbound-interface eth0
  618. protocol all
  619. source {
  620. group {
  621. network-group remote_user_vpn_network
  622. }
  623. }
  624. type masquerade
  625. }
  626. rule 6003 {
  627. description "MASQ guest_network to WAN"
  628. log disable
  629. outbound-interface eth0
  630. protocol all
  631. source {
  632. group {
  633. network-group guest_network
  634. }
  635. }
  636. type masquerade
  637. }
  638. }
  /* SSH v2 only. NOTE(review): nothing here disables password authentication,
     so password logins are presumably allowed from the LANs — key-only access
     would be the safer setting. */
  639. ssh {
  640. port 22
  641. protocol-version v2
  642. }
  643. }
  /* Host-level settings: connection tracking, identity, local accounts, NTP,
     hardware offload, static host entries, syslog, time zone and DPI. */
  644. system {
  645. conntrack {
  /* SIP ALG/helper turned off. */
  646. modules {
  647. sip {
  648. disable
  649. }
  650. }
  /* Conntrack timeouts in seconds; established TCP flows are kept ~2 hours. */
  651. timeout {
  652. icmp 30
  653. other 600
  654. tcp {
  655. close 10
  656. close-wait 60
  657. established 7440
  658. fin-wait 120
  659. last-ack 30
  660. syn-recv 60
  661. syn-sent 120
  662. time-wait 120
  663. }
  664. udp {
  665. other 30
  666. stream 180
  667. }
  668. }
  669. }
  670. domain-name localdomain
  671. host-name Darkweb-gateway
  672. ip {
  673. override-hostname-ip 192.168.1.1
  674. }
  /* A single local account with full (admin) privilege; the password hash is
     masked in this dump. */
  675. login {
  676. user admin {
  677. authentication {
  678. encrypted-password ****************
  679. }
  680. level admin
  681. }
  682. }
  683. ntp {
  684. server 0.ubnt.pool.ntp.org {
  685. }
  686. server 1.ubnt.pool.ntp.org {
  687. }
  688. server 2.ubnt.pool.ntp.org {
  689. }
  690. server 3.ubnt.pool.ntp.org {
  691. }
  692. }
  /* Hardware offload for forwarding/IPsec/GRE/PPPoE/VLAN; offloaded flows may
     bypass some software-path inspection — keep in mind when reading DPI
     or firewall counters. */
  693. offload {
  694. ipsec enable
  695. ipv4 {
  696. forwarding enable
  697. gre enable
  698. pppoe enable
  699. vlan enable
  700. }
  701. ipv6 {
  702. forwarding enable
  703. vlan enable
  704. }
  705. }
  /* Maps the vendor setup name to the gateway's LAN address. */
  706. static-host-mapping {
  707. host-name setup.ubnt.com {
  708. alias setup
  709. inet 192.168.1.1
  710. }
  711. }
  /* Only local (global) logging is configured — no remote syslog host — so
     logs live on the device and are lost on reset; protocols facility is
     kept at debug. */
  712. syslog {
  713. global {
  714. facility all {
  715. level notice
  716. }
  717. facility protocols {
  718. level debug
  719. }
  720. }
  721. }
  722. time-zone Europe/Amsterdam
  /* Deep packet inspection on, statistics export off. */
  723. traffic-analysis {
  724. dpi enable
  725. export disable
  726. }
  727. }
  /* Controller provisioning marker. The presence of this section suggests the
     device is managed by a UniFi controller, in which case hand edits made
     outside the controller are presumably overwritten on the next
     provision — confirm before changing this file directly. */
  728. unifi {
  729. mgmt {
  730. cfgversion b603ef9f162817cf
  731. }
  732. }