- /* Firewall groups, rulesets and options. Rulesets are bound to interfaces in the interfaces section below (eth0 = WAN_*, eth1/eth2 = LAN_*); the GUEST_* and AUTHORIZED_GUESTS rulesets are defined but bound to no interface in this listing. */
- firewall {
- all-ping enable
- broadcast-ping disable
- group {
- address-group authorized_guests {
- description "authorized guests MAC addresses"
- }
- address-group guest_allow_addresses {
- description "allow addresses for guests"
- }
- address-group guest_allow_dns_servers {
- description "allow dns servers for guests"
- }
- address-group guest_portal_address {
- description "guest portal address"
- }
- address-group guest_restricted_addresses {
- address 192.168.0.0/16
- address 172.16.0.0/12
- address 10.0.0.0/8
- description "restricted addresses for guests"
- }
- /* 192.168.1.4 is also the target of every port-forward and of the WAN_IN accept rules below (Plex, RDP, TS, uTorrent), i.e. the controller host is the one reachable from the internet. */
- address-group unifi_controller_addresses {
- address 192.168.1.4
- }
- ipv6-network-group corporate_networkv6 {
- description "IPv6 corporate subnets"
- }
- ipv6-network-group guest_networkv6 {
- description "IPv6 guest subnets"
- }
- network-group captive_portal_subnets {
- description "captive portal subnets"
- }
- network-group corporate_network {
- description "corporate subnets"
- network 192.168.1.0/24
- network 192.168.2.0/24
- }
- network-group guest_allow_subnets {
- description "allow subnets for guests"
- }
- network-group guest_network {
- description "guest subnets"
- }
- network-group guest_restricted_subnets {
- description "restricted subnets for guests"
- }
- network-group remote_client_vpn_network {
- description "remote client VPN subnets"
- }
- network-group remote_site_vpn_network {
- description "remote site VPN subnets"
- }
- network-group remote_user_vpn_network {
- description "Remote User VPN subnets"
- }
- port-group guest_portal_ports {
- description "guest portal ports"
- }
- port-group guest_portal_redirector_ports {
- description "guest portal redirector ports"
- port 39080
- port 39443
- }
- port-group unifi_controller_ports-tcp {
- description "unifi tcp ports"
- port 8080
- }
- port-group unifi_controller_ports-udp {
- description "unifi udp ports"
- port 3478
- }
- }
- ipv6-name AUTHORIZED_GUESTSv6 {
- default-action drop
- description "authorization check packets from guest network"
- }
- ipv6-name GUESTv6_IN {
- default-action accept
- description "packets from guest network"
- rule 3001 {
- action drop
- description "drop packets to intranet"
- destination {
- group {
- ipv6-network-group corporate_networkv6
- }
- }
- }
- }
- ipv6-name GUESTv6_LOCAL {
- default-action drop
- description "packets from guest network to gateway"
- rule 3001 {
- action accept
- description "allow DNS"
- destination {
- port 53
- }
- protocol udp
- }
- rule 3002 {
- action accept
- description "allow ICMP"
- protocol icmp
- }
- }
- ipv6-name GUESTv6_OUT {
- default-action accept
- description "packets forward to guest network"
- }
- ipv6-name LANv6_IN {
- default-action accept
- description "packets from intranet"
- }
- ipv6-name LANv6_LOCAL {
- default-action accept
- description "packets from intranet to gateway"
- }
- ipv6-name LANv6_OUT {
- default-action accept
- description "packets forward to intranet"
- }
- /* IPv6 inbound from the internet: stateful only, nothing opened. */
- ipv6-name WANv6_IN {
- default-action drop
- description "packets from internet to intranet"
- rule 3001 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3002 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- /* IPv6 to the gateway itself: neighbor discovery plus stateful replies only. */
- ipv6-name WANv6_LOCAL {
- default-action drop
- description "packets from internet to gateway"
- rule 3001 {
- action accept
- description "Allow neighbor advertisements"
- icmpv6 {
- type neighbor-advertisement
- }
- protocol ipv6-icmp
- }
- rule 3002 {
- action accept
- description "Allow neighbor solicitation"
- icmpv6 {
- type neighbor-solicitation
- }
- protocol ipv6-icmp
- }
- rule 3003 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3004 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- ipv6-name WANv6_OUT {
- default-action accept
- description "packets to internet"
- }
- name AUTHORIZED_GUESTS {
- default-action drop
- description "authorization check packets from guest network"
- }
- name GUEST_IN {
- default-action accept
- description "packets from guest network"
- rule 3001 {
- action accept
- description "allow DNS packets to external name servers"
- destination {
- port 53
- }
- protocol tcp_udp
- }
- rule 3002 {
- action accept
- description "allow packets to captive portal"
- destination {
- group {
- network-group captive_portal_subnets
- }
- port 443
- }
- protocol tcp
- }
- rule 3003 {
- action accept
- description "allow packets to allow subnets"
- destination {
- group {
- address-group guest_allow_addresses
- }
- }
- }
- rule 3004 {
- action drop
- description "drop packets to restricted subnets"
- destination {
- group {
- address-group guest_restricted_addresses
- }
- }
- }
- rule 3005 {
- action drop
- description "drop packets to intranet"
- destination {
- group {
- network-group corporate_network
- }
- }
- }
- rule 3006 {
- action drop
- description "drop packets to remote user"
- destination {
- group {
- network-group remote_user_vpn_network
- }
- }
- }
- /* NOTE(review): the description says "white list" but the action is drop — confirm this is the intended (guest-isolation) behaviour rather than an inverted rule. */
- rule 3007 {
- action drop
- description "authorized guests white list"
- destination {
- group {
- address-group authorized_guests
- }
- }
- }
- }
- name GUEST_LOCAL {
- default-action drop
- description "packets from guest network to gateway"
- rule 3001 {
- action accept
- description "allow DNS"
- destination {
- port 53
- }
- protocol udp
- }
- rule 3002 {
- action accept
- description "allow ICMP"
- protocol icmp
- }
- rule 3003 {
- action accept
- description "allow to DHCP server"
- destination {
- port 67
- }
- protocol udp
- source {
- port 68
- }
- }
- }
- name GUEST_OUT {
- default-action accept
- description "packets forward to guest network"
- }
- /* default-action accept, and LAN_IN is bound to both eth1 and eth2 below, so traffic between 192.168.1.0/24 and 192.168.2.0/24 is not filtered here; the two rules only do accounting. */
- name LAN_IN {
- default-action accept
- description "packets from intranet"
- rule 6001 {
- action accept
- description "accounting defined network 192.168.1.0/24"
- source {
- address 192.168.1.0/24
- }
- }
- rule 6002 {
- action accept
- description "accounting defined network 192.168.2.0/24"
- source {
- address 192.168.2.0/24
- }
- }
- }
- name LAN_LOCAL {
- default-action accept
- description "packets from intranet to gateway"
- rule 2000 {
- action accept
- description "allow all"
- protocol all
- }
- }
- name LAN_OUT {
- default-action accept
- description "packets forward to intranet"
- rule 6001 {
- action accept
- description "accounting defined network 192.168.1.0/24"
- destination {
- address 192.168.1.0/24
- }
- }
- rule 6002 {
- action accept
- description "accounting defined network 192.168.2.0/24"
- destination {
- address 192.168.2.0/24
- }
- }
- }
- /* Inbound from the internet. Rules 3003-3006 mirror the port-forward rules; because port-forward auto-firewall is disabled, these are the rules that actually open the ports. None of them enables logging, so hits on the forwarded services are not recorded. */
- name WAN_IN {
- default-action drop
- description "packets from internet to intranet"
- rule 3001 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3002 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- /* NOTE(review): all four forwards are opened for tcp_udp with no source restriction; narrow each to the protocol the service actually needs where one suffices. */
- rule 3003 {
- action accept
- description "PortForward [Plex]"
- destination {
- address 192.168.1.4
- port 32400
- }
- protocol tcp_udp
- }
- /* NOTE(review): RDP (3389) on 192.168.1.4 is accepted from any internet source. Exposing RDP directly to the WAN is high-risk; prefer reaching it over a VPN (the remote_*_vpn_network groups above exist for that) or at least restrict the source addresses. */
- rule 3004 {
- action accept
- description "PortForward [RDP]"
- destination {
- address 192.168.1.4
- port 3389
- }
- protocol tcp_udp
- }
- rule 3005 {
- action accept
- description "PortForward [TS]"
- destination {
- address 192.168.1.4
- port 10011,9987,30033
- }
- protocol tcp_udp
- }
- rule 3006 {
- action accept
- description "PortForward [uTorrent]"
- destination {
- address 192.168.1.4
- port 44776
- }
- protocol tcp_udp
- }
- }
- /* Traffic to the gateway itself from the internet: only established/related is accepted, so the ssh (port 22) and https GUI (443) services configured under service are not reachable on eth0. */
- name WAN_LOCAL {
- default-action drop
- description "packets from internet to gateway"
- rule 3001 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3002 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name WAN_OUT {
- default-action accept
- description "packets to internet"
- }
- options {
- mss-clamp {
- interface-type pppoe
- interface-type pptp
- interface-type vti
- mss 1452
- }
- mss-clamp6 {
- interface-type pppoe
- interface-type pptp
- mss 1452
- }
- }
- /* receive-redirects disable and syn-cookies enable are the hardening settings worth keeping. */
- receive-redirects disable
- send-redirects enable
- syn-cookies enable
- }
- /* eth0 is the WAN uplink (DHCP); eth1 and eth2 are the two LAN segments and share the same LAN_* rulesets, so they are not isolated from each other. No guest interface is configured here, so the GUEST_* rulesets defined above are unused. */
- interfaces {
- ethernet eth0 {
- address dhcp
- dhcp-options {
- client-option "retry 60;"
- default-route-distance 1
- }
- firewall {
- in {
- ipv6-name WANv6_IN
- name WAN_IN
- }
- local {
- ipv6-name WANv6_LOCAL
- name WAN_LOCAL
- }
- out {
- ipv6-name WANv6_OUT
- name WAN_OUT
- }
- }
- }
- ethernet eth1 {
- address 192.168.1.1/24
- firewall {
- in {
- ipv6-name LANv6_IN
- name LAN_IN
- }
- local {
- ipv6-name LANv6_LOCAL
- name LAN_LOCAL
- }
- out {
- ipv6-name LANv6_OUT
- name LAN_OUT
- }
- }
- }
- ethernet eth2 {
- address 192.168.2.1/24
- firewall {
- in {
- ipv6-name LANv6_IN
- name LAN_IN
- }
- local {
- ipv6-name LANv6_LOCAL
- name LAN_LOCAL
- }
- out {
- ipv6-name LANv6_OUT
- name LAN_OUT
- }
- }
- }
- loopback lo {
- }
- }
- /* Destination NAT from eth0 to 192.168.1.4. auto-firewall is disabled, so the matching WAN_IN accept rules (3003-3006) have to be kept in sync by hand: a forward added here without a WAN_IN rule is dropped by WAN_IN's default action. hairpin-nat lets LAN clients reach these services via the public address. */
- port-forward {
- auto-firewall disable
- hairpin-nat enable
- lan-interface eth2
- lan-interface eth1
- rule 3001 {
- description Plex
- forward-to {
- address 192.168.1.4
- }
- original-port 32400
- protocol tcp_udp
- }
- /* NOTE(review): exposes RDP on 192.168.1.4 to the internet (see the WAN_IN 3004 rule); a VPN is the safer way to reach it. */
- rule 3002 {
- description RDP
- forward-to {
- address 192.168.1.4
- }
- original-port 3389
- protocol tcp_udp
- }
- rule 3003 {
- description TS
- forward-to {
- address 192.168.1.4
- }
- original-port 10011,9987,30033
- protocol tcp_udp
- }
- rule 3004 {
- description uTorrent
- forward-to {
- address 192.168.1.4
- }
- original-port 44776
- protocol tcp_udp
- }
- wan-interface eth0
- }
- service {
- /* DHCP for both LAN segments: LAN1 clients are handed two public resolvers plus the gateway, LAN2 clients only the gateway. */
- dhcp-server {
- disabled false
- hostfile-update enable
- shared-network-name net_DarkWeb_LAN_192.168.1.0-24 {
- authoritative enable
- description vlan1
- subnet 192.168.1.0/24 {
- default-router 192.168.1.1
- dns-server 8.8.8.8
- dns-server 8.8.4.4
- dns-server 192.168.1.1
- domain-name localdomain
- lease 86400
- start 192.168.1.6 {
- stop 192.168.1.254
- }
- static-mapping 6c-ad-f8-bd-a7-13 {
- ip-address 192.168.1.8
- mac-address 6c:ad:f8:bd:a7:13
- }
- }
- }
- shared-network-name net_Darkweb_LAN2_192.168.2.0-24 {
- authoritative enable
- description vlan4012
- subnet 192.168.2.0/24 {
- default-router 192.168.2.1
- dns-server 192.168.2.1
- lease 86400
- start 192.168.2.6 {
- stop 192.168.2.254
- }
- }
- }
- use-dnsmasq disable
- }
- /* except-interface eth0 keeps the forwarding resolver off the WAN side, so it cannot be used as an open resolver. */
- dns {
- forwarding {
- cache-size 10000
- except-interface eth0
- options ptr-record=1.1.168.192.in-addr.arpa,Darkweb-gateway
- options host-record=unifi,192.168.1.4
- }
- }
- /* No listen-address is set for the GUI or ssh, so their reachability is governed by the *_LOCAL rulesets: WAN_LOCAL drops new connections, LAN_LOCAL rule 2000 allows everything. */
- gui {
- https-port 443
- }
- lldp {
- interface eth0 {
- disable
- }
- }
- mdns {
- reflector
- }
- /* Source NAT to the WAN for the three internal network groups; guest_network and remote_user_vpn_network have no members in this listing, so only rule 6001 currently matches anything. */
- nat {
- rule 6001 {
- description "MASQ corporate_network to WAN"
- log disable
- outbound-interface eth0
- protocol all
- source {
- group {
- network-group corporate_network
- }
- }
- type masquerade
- }
- rule 6002 {
- description "MASQ remote_user_vpn_network to WAN"
- log disable
- outbound-interface eth0
- protocol all
- source {
- group {
- network-group remote_user_vpn_network
- }
- }
- type masquerade
- }
- rule 6003 {
- description "MASQ guest_network to WAN"
- log disable
- outbound-interface eth0
- protocol all
- source {
- group {
- network-group guest_network
- }
- }
- type masquerade
- }
- }
- /* NOTE(review): password authentication is not disabled for ssh here; consider key-only authentication if ssh is ever opened beyond the LAN. */
- ssh {
- port 22
- protocol-version v2
- }
- }
- system {
- /* Connection-tracking tuning; the SIP helper is disabled. */
- conntrack {
- modules {
- sip {
- disable
- }
- }
- timeout {
- icmp 30
- other 600
- tcp {
- close 10
- close-wait 60
- established 7440
- fin-wait 120
- last-ack 30
- syn-recv 60
- syn-sent 120
- time-wait 120
- }
- udp {
- other 30
- stream 180
- }
- }
- }
- domain-name localdomain
- host-name Darkweb-gateway
- ip {
- override-hostname-ip 192.168.1.1
- }
- /* Single admin-level local user; the password hash has been redacted in this paste. */
- login {
- user admin {
- authentication {
- encrypted-password ****************
- }
- level admin
- }
- }
- ntp {
- server 0.ubnt.pool.ntp.org {
- }
- server 1.ubnt.pool.ntp.org {
- }
- server 2.ubnt.pool.ntp.org {
- }
- server 3.ubnt.pool.ntp.org {
- }
- }
- offload {
- ipsec enable
- ipv4 {
- forwarding enable
- gre enable
- pppoe enable
- vlan enable
- }
- ipv6 {
- forwarding enable
- vlan enable
- }
- }
- /* setup.ubnt.com resolves to the gateway itself. */
- static-host-mapping {
- host-name setup.ubnt.com {
- alias setup
- inet 192.168.1.1
- }
- }
- /* Local syslog only (no remote host configured): notice for everything, debug for protocols, which is verbose. */
- syslog {
- global {
- facility all {
- level notice
- }
- facility protocols {
- level debug
- }
- }
- }
- time-zone Europe/Amsterdam
- /* DPI is enabled but export is off, so classification stays on the device. */
- traffic-analysis {
- dpi enable
- export disable
- }
- }
- /* NOTE(review): cfgversion indicates the device is provisioned by a UniFi controller; changes made directly on the device are usually overwritten on the next provision — confirm before editing by hand. */
- unifi {
- mgmt {
- cfgversion b603ef9f162817cf
- }
- }