- root@OpenWrt:/share# ip address show; ip route show table all; ip rule show; iptables-save -c; \
- > wg show; uci show network; uci show firewall; uci show dhcp; \
- > head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet6 ::1/128 scope host
- valid_lft forever preferred_lft forever
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP group default qlen 1024
- link/ether 94:83:c4:0a:44:5c brd ff:ff:ff:ff:ff:ff
- inet6 fe80::9683:c4ff:fe0a:445c/64 scope link
- valid_lft forever preferred_lft forever
- 3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether 94:83:c4:0a:44:5c brd ff:ff:ff:ff:ff:ff
- inet 192.168.0.254/24 brd 192.168.0.255 scope global wan
- valid_lft forever preferred_lft forever
- inet6 fe80::9683:c4ff:fe0a:445c/64 scope link
- valid_lft forever preferred_lft forever
- 4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-SECURE state UP group default qlen 1000
- link/ether 94:83:c4:0a:44:5d brd ff:ff:ff:ff:ff:ff
- 5: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
- link/ether 94:83:c4:0a:44:5d brd ff:ff:ff:ff:ff:ff
- inet 192.168.20.1/24 brd 192.168.20.255 scope global lan1
- valid_lft forever preferred_lft forever
- 6: br-SECURE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether 94:83:c4:0a:44:5d brd ff:ff:ff:ff:ff:ff
- inet 192.168.10.1/24 brd 192.168.10.255 scope global br-SECURE
- valid_lft forever preferred_lft forever
- inet6 fe80::9683:c4ff:fe0a:445d/64 scope link
- valid_lft forever preferred_lft forever
- 7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
- link/none
- inet 10.55.0.1/24 brd 10.55.0.255 scope global wg0
- valid_lft forever preferred_lft forever
- default via 192.168.0.1 dev wan proto static
- 10.55.0.0/24 via 192.168.10.1 dev br-SECURE proto static
- 10.55.0.2 dev wg0 proto static scope link
- 10.55.0.3 dev wg0 proto static scope link
- 172.31.0.0/16 via 192.168.10.2 dev br-SECURE proto static
- 192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.254
- 192.168.10.0/24 dev br-SECURE proto kernel scope link src 192.168.10.1
- 192.168.20.0/24 dev lan1 proto kernel scope link src 192.168.20.1 linkdown
- 192.168.255.0/24 via 192.168.10.2 dev br-SECURE proto static
- broadcast 10.55.0.0 dev wg0 table local proto kernel scope link src 10.55.0.1
- local 10.55.0.1 dev wg0 table local proto kernel scope host src 10.55.0.1
- broadcast 10.55.0.255 dev wg0 table local proto kernel scope link src 10.55.0.1
- broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
- local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
- local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
- broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
- broadcast 192.168.0.0 dev wan table local proto kernel scope link src 192.168.0.254
- local 192.168.0.254 dev wan table local proto kernel scope host src 192.168.0.254
- broadcast 192.168.0.255 dev wan table local proto kernel scope link src 192.168.0.254
- broadcast 192.168.10.0 dev br-SECURE table local proto kernel scope link src 192.168.10.1
- local 192.168.10.1 dev br-SECURE table local proto kernel scope host src 192.168.10.1
- broadcast 192.168.10.255 dev br-SECURE table local proto kernel scope link src 192.168.10.1
- broadcast 192.168.20.0 dev lan1 table local proto kernel scope link src 192.168.20.1 linkdown
- local 192.168.20.1 dev lan1 table local proto kernel scope host src 192.168.20.1
- broadcast 192.168.20.255 dev lan1 table local proto kernel scope link src 192.168.20.1 linkdown
- unreachable fd19:e684:5061::/48 dev lo proto static metric 2147483647 pref medium
- fe80::/64 dev eth0 proto kernel metric 256 pref medium
- fe80::/64 dev br-SECURE proto kernel metric 256 pref medium
- fe80::/64 dev wan proto kernel metric 256 pref medium
- local ::1 dev lo table local proto kernel metric 0 pref medium
- anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
- anycast fe80:: dev br-SECURE table local proto kernel metric 0 pref medium
- anycast fe80:: dev wan table local proto kernel metric 0 pref medium
- local fe80::9683:c4ff:fe0a:445c dev eth0 table local proto kernel metric 0 pref medium
- local fe80::9683:c4ff:fe0a:445c dev wan table local proto kernel metric 0 pref medium
- local fe80::9683:c4ff:fe0a:445d dev br-SECURE table local proto kernel metric 0 pref medium
- multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
- multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
- multicast ff00::/8 dev br-SECURE table local proto kernel metric 256 pref medium
- multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
- 0: from all lookup local
- 32766: from all lookup main
- 32767: from all lookup default
- # Generated by iptables-save v1.8.7 on Wed Jul 28 23:50:49 2021
- *nat
- :PREROUTING ACCEPT [2497:194804]
- :INPUT ACCEPT [885:96559]
- :OUTPUT ACCEPT [504:34791]
- :POSTROUTING ACCEPT [2095:132132]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_unsecure_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :postrouting_wireguard_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_unsecure_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :prerouting_wireguard_rule - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_unsecure_postrouting - [0:0]
- :zone_unsecure_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- :zone_wireguard_postrouting - [0:0]
- :zone_wireguard_prerouting - [0:0]
- [2498:194980] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- [2255:175910] -A PREROUTING -i br-SECURE -m comment --comment "!fw3" -j zone_lan_prerouting
- [46:5626] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
- [0:0] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_unsecure_prerouting
- [197:13444] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wireguard_prerouting
- [2095:132132] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- [29:3100] -A POSTROUTING -o br-SECURE -m comment --comment "!fw3" -j zone_lan_postrouting
- [2061:128734] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
- [0:0] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_unsecure_postrouting
- [0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wireguard_postrouting
- [29:3100] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- [2255:175910] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- [0:0] -A zone_unsecure_postrouting -m comment --comment "!fw3: Custom unsecure postrouting rule chain" -j postrouting_unsecure_rule
- [0:0] -A zone_unsecure_prerouting -m comment --comment "!fw3: Custom unsecure prerouting rule chain" -j prerouting_unsecure_rule
- [2061:128734] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- [46:5626] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- [0:0] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN" -j DNAT --to-destination 192.168.10.118:1194
- [1:176] -A zone_wan_prerouting -p udp -m udp --dport 1337 -m comment --comment "!fw3: WireguardVPN" -j DNAT --to-destination 192.168.10.1:1337
- [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5060:5076 -m comment --comment "!fw3: Gigaset-IP-Phone-SIP" -j DNAT --to-destination 192.168.10.90:5060-5076
- [0:0] -A zone_wan_prerouting -p udp -m udp --dport 5060:5076 -m comment --comment "!fw3: Gigaset-IP-Phone-SIP" -j DNAT --to-destination 192.168.10.90:5060-5076
- [0:0] -A zone_wan_prerouting -p udp -m udp --dport 5004:5020 -m comment --comment "!fw3: Gigaset-IP-Phone-RTP" -j DNAT --to-destination 192.168.10.90:5004-5020
- [0:0] -A zone_wireguard_postrouting -m comment --comment "!fw3: Custom wireguard postrouting rule chain" -j postrouting_wireguard_rule
- [197:13444] -A zone_wireguard_prerouting -m comment --comment "!fw3: Custom wireguard prerouting rule chain" -j prerouting_wireguard_rule
- COMMIT
- # Completed on Wed Jul 28 23:50:49 2021
- # Generated by iptables-save v1.8.7 on Wed Jul 28 23:50:49 2021
- *mangle
- :PREROUTING ACCEPT [44418:13838693]
- :INPUT ACCEPT [6333:827292]
- :FORWARD ACCEPT [38063:13010321]
- :OUTPUT ACCEPT [3735:910695]
- :POSTROUTING ACCEPT [41829:13923938]
- [362:22356] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [359:21040] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Wed Jul 28 23:50:49 2021
- # Generated by iptables-save v1.8.7 on Wed Jul 28 23:50:49 2021
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_unsecure_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :forwarding_wireguard_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_unsecure_rule - [0:0]
- :input_wan_rule - [0:0]
- :input_wireguard_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_unsecure_rule - [0:0]
- :output_wan_rule - [0:0]
- :output_wireguard_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_unsecure_dest_ACCEPT - [0:0]
- :zone_unsecure_dest_REJECT - [0:0]
- :zone_unsecure_forward - [0:0]
- :zone_unsecure_input - [0:0]
- :zone_unsecure_output - [0:0]
- :zone_unsecure_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_ACCEPT - [0:0]
- :zone_wireguard_dest_ACCEPT - [0:0]
- :zone_wireguard_forward - [0:0]
- :zone_wireguard_input - [0:0]
- :zone_wireguard_output - [0:0]
- :zone_wireguard_src_ACCEPT - [0:0]
- [20:1428] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- [6313:825864] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- [4413:534579] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [5:312] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- [1663:270801] -A INPUT -i br-SECURE -m comment --comment "!fw3" -j zone_lan_input
- [40:7040] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
- [0:0] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_unsecure_input
- [197:13444] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wireguard_input
- [38063:13010321] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- [32470:12660283] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [5593:350038] -A FORWARD -m comment --comment "!fw3: Zone * to lan forwarding policy" -j zone_lan_dest_ACCEPT
- [5547:346224] -A FORWARD -i br-SECURE -m comment --comment "!fw3" -j zone_lan_forward
- [0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
- [0:0] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_unsecure_forward
- [0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wireguard_forward
- [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
- [20:1428] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- [3717:909093] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- [2932:827182] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [19:1166] -A OUTPUT -o br-SECURE -m comment --comment "!fw3" -j zone_lan_output
- [766:80745] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
- [0:0] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_unsecure_output
- [0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wireguard_output
- [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- [5:312] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
- [65:4980] -A zone_lan_dest_ACCEPT -o br-SECURE -m comment --comment "!fw3" -j ACCEPT
- [5547:346224] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- [5547:346224] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [1663:270801] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- [0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [1663:270801] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- [19:1166] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- [19:1166] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [1663:270801] -A zone_lan_src_ACCEPT -i br-SECURE -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_unsecure_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_unsecure_dest_REJECT -o lan1 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_unsecure_forward -m comment --comment "!fw3: Custom unsecure forwarding rule chain" -j forwarding_unsecure_rule
- [0:0] -A zone_unsecure_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_unsecure_forward -m comment --comment "!fw3" -j zone_unsecure_dest_REJECT
- [0:0] -A zone_unsecure_input -m comment --comment "!fw3: Custom unsecure input rule chain" -j input_unsecure_rule
- [0:0] -A zone_unsecure_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_unsecure_input -m comment --comment "!fw3" -j zone_unsecure_src_ACCEPT
- [0:0] -A zone_unsecure_output -m comment --comment "!fw3: Custom unsecure output rule chain" -j output_unsecure_rule
- [0:0] -A zone_unsecure_output -m comment --comment "!fw3" -j zone_unsecure_dest_ACCEPT
- [0:0] -A zone_unsecure_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [6313:426969] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p udp -m udp --sport 3478 --dport 3478 -m comment --comment "!fw3: Allow-Alexa" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p tcp -m tcp --sport 4070 --dport 4070 -m comment --comment "!fw3: Allow-Sonos-Spotify-Connect" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p udp -m udp --sport 5353 --dport 5353 -m comment --comment "!fw3: Allow-Sonos-Spotify-Connect" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to * forwarding policy" -j ACCEPT
- [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [40:7040] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [8:288] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- [1:176] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [31:6576] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
- [766:80745] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- [766:80745] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [31:6576] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wireguard_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Custom wireguard forwarding rule chain" -j forwarding_wireguard_rule
- [0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to lan forwarding policy" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT
- [197:13444] -A zone_wireguard_input -m comment --comment "!fw3: Custom wireguard input rule chain" -j input_wireguard_rule
- [0:0] -A zone_wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [197:13444] -A zone_wireguard_input -m comment --comment "!fw3" -j zone_wireguard_src_ACCEPT
- [0:0] -A zone_wireguard_output -m comment --comment "!fw3: Custom wireguard output rule chain" -j output_wireguard_rule
- [0:0] -A zone_wireguard_output -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT
- [197:13444] -A zone_wireguard_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- COMMIT
- # Completed on Wed Jul 28 23:50:49 2021
- interface: wg0
- public key: dxxx
- private key: (hidden)
- listening port: 1337
- peer: oxxxYM6QE=
- endpoint: xxxx:58984
- allowed ips: 10.55.0.2/32
- latest handshake: 1 minute, 22 seconds ago
- transfer: 677.77 KiB received, 1.22 MiB sent
- persistent keepalive: every 25 seconds
- peer: xxx=
- endpoint: xxxxx:1037
- allowed ips: 10.55.0.3/32
- latest handshake: 2 hours, 33 minutes, 5 seconds ago
- transfer: 19.97 KiB received, 412.39 KiB sent
- persistent keepalive: every 25 seconds
- network.loopback=interface
- network.loopback.ifname='lo'
- network.loopback.proto='static'
- network.loopback.ipaddr='127.0.0.1'
- network.loopback.netmask='255.0.0.0'
- network.globals=globals
- network.globals.ula_prefix='xxx'
- network.wan=interface
- network.wan.ifname='wan'
- network.wan.delegate='0'
- network.wan.proto='static'
- network.wan.force_link='0'
- network.wan.ipaddr='192.168.0.254'
- network.wan.netmask='255.255.255.0'
- network.wan.gateway='192.168.0.1'
- network.wan6=interface
- network.wan6.ifname='wan'
- network.wan6.proto='static'
- network.wan6.auto='0'
- network.SECURE=interface
- network.SECURE.proto='static'
- network.SECURE.ifname='lan0'
- network.SECURE.netmask='255.255.255.0'
- network.SECURE.delegate='0'
- network.SECURE.force_link='0'
- network.SECURE.ipaddr='192.168.10.1'
- network.SECURE.gateway='192.168.0.1'
- network.SECURE.type='bridge'
- network.SECURE.igmp_snooping='1'
- network.SECURE.dns='192.168.10.1'
- network.UNSECURE=interface
- network.UNSECURE.proto='static'
- network.UNSECURE.ifname='lan1'
- network.UNSECURE.ipaddr='192.168.20.1'
- network.UNSECURE.netmask='255.255.255.0'
- network.UNSECURE.dns='192.168.10.108'
- network.UNSECURE.gateway='192.168.0.1'
- network.@route[0]=route
- network.@route[0].target='192.168.255.0'
- network.@route[0].netmask='255.255.255.0'
- network.@route[0].gateway='192.168.10.2'
- network.@route[0].interface='SECURE'
- network.@route[1]=route
- network.@route[1].interface='SECURE'
- network.@route[1].target='172.31.0.0'
- network.@route[1].netmask='255.255.0.0'
- network.@route[1].gateway='192.168.10.2'
- network.wg0=interface
- network.wg0.proto='wireguard'
- network.wg0.private_key='xxx'
- network.wg0.listen_port='1337'
- network.wg0.addresses='10.55.0.1/24'
- network.wg0.mtu='1300'
- network.@route[2]=route
- network.@route[2].interface='SECURE'
- network.@route[2].target='10.55.0.0/24'
- network.@route[2].netmask='255.255.255.0'
- network.@route[2].gateway='192.168.10.1'
- network.@wireguard_wg0[0]=wireguard_wg0
- network.@wireguard_wg0[0].description='MacbookAir'
- network.@wireguard_wg0[0].public_key='xxx'
- network.@wireguard_wg0[0].route_allowed_ips='1'
- network.@wireguard_wg0[0].persistent_keepalive='25'
- network.@wireguard_wg0[0].allowed_ips='10.55.0.2/32'
- network.@wireguard_wg0[1]=wireguard_wg0
- network.@wireguard_wg0[1].description='iPhone'
- network.@wireguard_wg0[1].route_allowed_ips='1'
- network.@wireguard_wg0[1].persistent_keepalive='25'
- network.@wireguard_wg0[1].public_key='xxx='
- network.@wireguard_wg0[1].allowed_ips='10.55.0.3/32'
- network.@route[3]=route
- network.@route[3].interface='SECURE'
- network.@route[3].netmask='255.255.255.0'
- network.@route[3].target='192.168.0.1'
- network.@route[3].gateway='192.168.10.1'
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].forward='REJECT'
- firewall.@defaults[0].synflood_protect='1'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[0].network='SECURE'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].mtu_fix='1'
- firewall.@zone[1].network='wan' 'wan6'
- firewall.@zone[1].input='ACCEPT'
- firewall.@zone[1].forward='ACCEPT'
- firewall.@forwarding[0]=forwarding
- firewall.@forwarding[0].src='lan'
- firewall.@forwarding[0].dest='wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].name='Allow-DHCP-Renew'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='udp'
- firewall.@rule[0].dest_port='68'
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].family='ipv4'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-Ping'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='icmp'
- firewall.@rule[1].icmp_type='echo-request'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[2]=rule
- firewall.@rule[2].name='Allow-IGMP'
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='igmp'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].target='ACCEPT'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-DHCPv6'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='udp'
- firewall.@rule[3].src_ip='fc00::/6'
- firewall.@rule[3].dest_ip='fc00::/6'
- firewall.@rule[3].dest_port='546'
- firewall.@rule[3].family='ipv6'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-MLD'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='icmp'
- firewall.@rule[4].src_ip='fe80::/10'
- firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-ICMPv6-Input'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[5].limit='1000/sec'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Forward'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].dest='*'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-IPSec-ESP'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='lan'
- firewall.@rule[7].proto='esp'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-ISAKMP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].dest_port='500'
- firewall.@rule[8].proto='udp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@rule[9]=rule
- firewall.@rule[9].name='Support-UDP-Traceroute'
- firewall.@rule[9].src='wan'
- firewall.@rule[9].dest_port='33434:33689'
- firewall.@rule[9].proto='udp'
- firewall.@rule[9].family='ipv4'
- firewall.@rule[9].target='REJECT'
- firewall.@rule[9].enabled='0'
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- firewall.@zone[2]=zone
- firewall.@zone[2].name='unsecure'
- firewall.@zone[2].input='ACCEPT'
- firewall.@zone[2].output='ACCEPT'
- firewall.@zone[2].forward='REJECT'
- firewall.@zone[2].network='UNSECURE'
- firewall.@redirect[0]=redirect
- firewall.@redirect[0].target='DNAT'
- firewall.@redirect[0].name='OpenVPN'
- firewall.@redirect[0].proto='udp'
- firewall.@redirect[0].src='wan'
- firewall.@redirect[0].src_dport='1194'
- firewall.@redirect[0].dest='lan'
- firewall.@redirect[0].dest_ip='192.168.10.118'
- firewall.@redirect[0].dest_port='1194'
- firewall.@redirect[1]=redirect
- firewall.@redirect[1].target='DNAT'
- firewall.@redirect[1].name='WireguardVPN'
- firewall.@redirect[1].proto='udp'
- firewall.@redirect[1].src='wan'
- firewall.@redirect[1].src_dport='1337'
- firewall.@redirect[1].dest='lan'
- firewall.@redirect[1].dest_ip='192.168.10.1'
- firewall.@redirect[1].dest_port='1337'
- firewall.@rule[10]=rule
- firewall.@rule[10].proto='udp'
- firewall.@rule[10].src='wan'
- firewall.@rule[10].src_port='3478'
- firewall.@rule[10].dest='lan'
- firewall.@rule[10].dest_port='3478'
- firewall.@rule[10].target='ACCEPT'
- firewall.@rule[10].name='Allow-Alexa'
- firewall.@rule[11]=rule
- firewall.@rule[11].name='Allow-Sonos-Spotify-Connect'
- firewall.@rule[11].proto='tcp'
- firewall.@rule[11].src='wan'
- firewall.@rule[11].src_port='4070'
- firewall.@rule[11].dest='lan'
- firewall.@rule[11].dest_port='4070'
- firewall.@rule[11].target='ACCEPT'
- firewall.@rule[12]=rule
- firewall.@rule[12].name='Allow-Sonos-Spotify-Connect'
- firewall.@rule[12].proto='udp'
- firewall.@rule[12].src='wan'
- firewall.@rule[12].src_port='5353 '
- firewall.@rule[12].dest='lan'
- firewall.@rule[12].dest_port='5353 '
- firewall.@rule[12].target='ACCEPT'
- firewall.@forwarding[1]=forwarding
- firewall.@forwarding[1].dest='lan'
- firewall.@forwarding[2]=forwarding
- firewall.@forwarding[2].src='wan'
- firewall.@zone[3]=zone
- firewall.@zone[3].name='wireguard'
- firewall.@zone[3].input='ACCEPT'
- firewall.@zone[3].output='ACCEPT'
- firewall.@zone[3].forward='ACCEPT'
- firewall.@zone[3].network='wg0'
- firewall.@forwarding[3]=forwarding
- firewall.@forwarding[3].src='wireguard'
- firewall.@forwarding[3].dest='lan'
- firewall.@forwarding[4]=forwarding
- firewall.@forwarding[4].src='wireguard'
- firewall.@forwarding[4].dest='wan'
- firewall.@redirect[2]=redirect
- firewall.@redirect[2].target='DNAT'
- firewall.@redirect[2].src='wan'
- firewall.@redirect[2].src_dport='5060-5076'
- firewall.@redirect[2].dest='lan'
- firewall.@redirect[2].dest_ip='192.168.10.90'
- firewall.@redirect[2].dest_port='5060-5076'
- firewall.@redirect[2].name='Gigaset-IP-Phone-SIP'
- firewall.@redirect[3]=redirect
- firewall.@redirect[3].target='DNAT'
- firewall.@redirect[3].proto='udp'
- firewall.@redirect[3].src='wan'
- firewall.@redirect[3].src_dport='5004-5020'
- firewall.@redirect[3].dest='lan'
- firewall.@redirect[3].dest_ip='192.168.10.90'
- firewall.@redirect[3].dest_port='5004-5020'
- firewall.@redirect[3].name='Gigaset-IP-Phone-RTP'
- dhcp.@dnsmasq[0]=dnsmasq
- dhcp.@dnsmasq[0].domainneeded='1'
- dhcp.@dnsmasq[0].localise_queries='1'
- dhcp.@dnsmasq[0].rebind_protection='1'
- dhcp.@dnsmasq[0].rebind_localhost='1'
- dhcp.@dnsmasq[0].expandhosts='1'
- dhcp.@dnsmasq[0].authoritative='1'
- dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
- dhcp.@dnsmasq[0].localservice='1'
- dhcp.@dnsmasq[0].ednspacket_max='1232'
- dhcp.@dnsmasq[0].leasefile='/share/dhcp.leases'
- dhcp.@dnsmasq[0].local='/home/'
- dhcp.@dnsmasq[0].domain='home'
- dhcp.@dnsmasq[0].nohosts='1'
- dhcp.@dnsmasq[0].addnhosts='/share/hosts'
- dhcp.lan=dhcp
- dhcp.lan.interface='lan'
- dhcp.lan.start='100'
- dhcp.lan.limit='150'
- dhcp.lan.leasetime='12h'
- dhcp.lan.dhcpv4='server'
- dhcp.lan.dhcpv6='server'
- dhcp.lan.ra='server'
- dhcp.lan.ra_slaac='1'
- dhcp.lan.ra_flags='managed-config' 'other-config'
- dhcp.lan.ra_maxinterval='600'
- dhcp.lan.ra_mininterval='200'
- dhcp.lan.ra_lifetime='1800'
- dhcp.lan.ra_mtu='0'
- dhcp.lan.ra_hoplimit='0'
- dhcp.lan.ra_management='1'
- dhcp.wan=dhcp
- dhcp.wan.interface='wan'
- dhcp.wan.ignore='1'
- dhcp.odhcpd=odhcpd
- dhcp.odhcpd.maindhcp='0'
- dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
- dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
- dhcp.odhcpd.loglevel='4'
- dhcp.SECURE=dhcp
- dhcp.SECURE.interface='SECURE'
- dhcp.SECURE.start='200'
- dhcp.SECURE.limit='254'
- dhcp.SECURE.leasetime='24h'
- dhcp.SECURE.force='1'
- dhcp.UNSECURE=dhcp
- dhcp.UNSECURE.interface='UNSECURE'
- dhcp.UNSECURE.start='100'
- dhcp.UNSECURE.limit='150'
- dhcp.UNSECURE.leasetime='12h'
- dhcp.UNSECURE.force='1'
- ==> /etc/resolv.conf <==
- search home
- nameserver 127.0.0.1
- nameserver ::1
- ==> /tmp/resolv.conf <==
- search home
- nameserver 127.0.0.1
- nameserver ::1
- ==> /tmp/resolv.conf.d <==
- head: /tmp/resolv.conf.d: I/O error
- ==> /tmp/resolv.conf.d/resolv.conf.auto <==
- # Interface SECURE
- nameserver 192.168.10.1
- # Interface UNSECURE
- nameserver 192.168.10.108