Er-x config with ipv6

  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. address-group Block-going-out {
  6. address 192.168.10.67
  7. description "Blocks devices from accessing internet"
  8. }
  9. }
  10. ipv6-name HE-To-LAN {
  11. default-action drop
  12. }
  13. ipv6-name HE-to-LAN {
  14. default-action drop
  15. description "HE to LAN"
  16. rule 1 {
  17. action accept
  18. description "Drop non-related incoming IPv6"
  19. state {
  20. established enable
  21. related enable
  22. }
  23. }
  24. rule 2 {
  25. action drop
  26. state {
  27. invalid enable
  28. }
  29. }
  30. }
  31. ipv6-name LAN-to-HE {
  32. default-action accept
  33. description "LAN to HE"
  34. rule 1 {
  35. action accept
  36. state {
  37. established enable
  38. related enable
  39. }
  40. }
  41. rule 2 {
  42. action drop
  43. state {
  44. invalid enable
  45. }
  46. }
  47. }
  48. ipv6-receive-redirects disable
  49. ipv6-src-route disable
  50. ip-src-route disable
  51. log-martians enable
  52. name LAN_IN {
  53. default-action accept
  54. description "This is used for blocking external for one device"
  55. rule 1 {
  56. action drop
  57. log disable
  58. protocol all
  59. source {
  60. group {
  61. address-group Block-going-out
  62. }
  63. }
  64. }
  65. }
  66. name WAN_IN {
  67. default-action drop
  68. description "WAN to internal"
  69. rule 10 {
  70. action accept
  71. description "Allow established/related"
  72. state {
  73. established enable
  74. related enable
  75. }
  76. }
  77. rule 20 {
  78. action drop
  79. description "Drop invalid state"
  80. state {
  81. invalid enable
  82. }
  83. }
  84. }
  85. name WAN_LOCAL {
  86. default-action drop
  87. description "WAN to router"
  88. rule 10 {
  89. action accept
  90. description "Allow established/related"
  91. state {
  92. established enable
  93. related enable
  94. }
  95. }
  96. rule 20 {
  97. action drop
  98. description "Drop invalid state"
  99. state {
  100. invalid enable
  101. }
  102. }
  103. rule 21 {
  104. action accept
  105. description "allow icmp"
  106. log disable
  107. protocol icmp
  108. }
  109. }
  110. receive-redirects disable
  111. send-redirects enable
  112. source-validation disable
  113. syn-cookies enable
  114. }
  115. interfaces {
  116. ethernet eth0 {
  117. address dhcp
  118. description Internet
  119. duplex auto
  120. firewall {
  121. in {
  122. name WAN_IN
  123. }
  124. local {
  125. name WAN_LOCAL
  126. }
  127. }
  128. speed auto
  129. }
  130. ethernet eth1 {
  131. duplex auto
  132. speed auto
  133. }
  134. ethernet eth2 {
  135. duplex auto
  136. speed auto
  137. }
  138. ethernet eth3 {
  139. address 192.168.99.1/24
  140. description "temp to toughswitch"
  141. duplex auto
  142. speed auto
  143. vif 5 {
  144. address 192.168.5.1/24
  145. mtu 1500
  146. }
  147. vif 10 {
  148. address 192.168.0.1/24
  149. description manForVM
  150. mtu 1500
  151. }
  152. vif 11 {
  153. address 192.168.10.1/24
  154. address 2001:470:1f08:253::1/64
  155. description unifi
  156. dhcpv6-options {
  157. parameters-only
  158. }
  159. firewall {
  160. in {
  161. ipv6-name LAN-to-HE
  162. name LAN_IN
  163. }
  164. }
  165. mtu 1500
  166. }
  167. vif 50 {
  168. address 192.168.50.1/24
  169. description "tivo vlan 50"
  170. mtu 1500
  171. }
  172. vif 90 {
  173. address 192.168.90.1/24
  174. description "vlan for powerline"
  175. mtu 1500
  176. }
  177. vif 100 {
  178. address 192.168.1.1/24
  179. description "192.168.1.x VLAN"
  180. }
  181. }
  182. ethernet eth4 {
  183. address 192.168.200.1/24
  184. description TimeMachine
  185. duplex auto
  186. poe {
  187. output off
  188. }
  189. speed auto
  190. }
  191. loopback lo {
  192. }
  193. switch switch0 {
  194. description Local
  195. mtu 1500
  196. }
  197. tunnel tun0 {
  198. address 2001:470:1f08:253::2/64
  199. description "HE.NET IPv6 Tunnel"
  200. encapsulation sit
  201. firewall {
  202. in {
  203. ipv6-name HE-to-LAN
  204. }
  205. local {
  206. ipv6-name HE-to-LAN
  207. }
  208. }
  209. local-ip 86.20.231.213
  210. multicast disable
  211. remote-ip 216.66.80.26
  212. ttl 255
  213. }
  214. }
  215. port-forward {
  216. auto-firewall enable
  217. hairpin-nat enable
  218. lan-interface eth2
  219. lan-interface eth4
  220. lan-interface eth3.90
  221. lan-interface eth3.10
  222. lan-interface eth3.100
  223. lan-interface eth3.50
  224. lan-interface eth3.11
  225. rule 1 {
  226. description "SSH to media"
  227. forward-to {
  228. address 192.168.90.254
  229. port 22
  230. }
  231. original-port 22
  232. protocol tcp
  233. }
  234. rule 2 {
  235. description "transmission to media"
  236. forward-to {
  237. address 192.168.90.254
  238. port 9091
  239. }
  240. original-port 9091
  241. protocol tcp
  242. }
  243. rule 3 {
  244. description "subsonic to media"
  245. forward-to {
  246. address 192.168.90.254
  247. port 4040
  248. }
  249. original-port 4040
  250. protocol tcp
  251. }
  252. rule 4 {
  253. description openvpn
  254. forward-to {
  255. address 192.168.0.2
  256. port 1194
  257. }
  258. original-port 1194
  259. protocol tcp_udp
  260. }
  261. rule 5 {
  262. description http
  263. forward-to {
  264. address 192.168.1.10
  265. port 80
  266. }
  267. original-port 80
  268. protocol tcp
  269. }
  270. rule 6 {
  271. description https
  272. forward-to {
  273. address 192.168.1.10
  274. port 443
  275. }
  276. original-port 443
  277. protocol tcp
  278. }
  279. rule 7 {
  280. description mqtt
  281. forward-to {
  282. address 192.168.10.254
  283. port 1880
  284. }
  285. original-port 1880
  286. protocol tcp
  287. }
  288. rule 8 {
  289. description Guacamole
  290. forward-to {
  291. address 192.168.1.65
  292. port 8080
  293. }
  294. original-port 8080
  295. protocol tcp
  296. }
  297. rule 9 {
  298. description "SNMP HTTP"
  299. forward-to {
  300. address 192.168.1.54
  301. port 80
  302. }
  303. original-port 1234
  304. protocol tcp
  305. }
  306. rule 10 {
  307. description "media server http"
  308. forward-to {
  309. address 192.168.90.254
  310. port 80
  311. }
  312. original-port 1912
  313. protocol tcp
  314. }
  315. rule 11 {
  316. description rundeck
  317. forward-to {
  318. address 192.168.1.56
  319. port 4440
  320. }
  321. original-port 4440
  322. protocol tcp
  323. }
  324. rule 12 {
  325. description mosquitto
  326. forward-to {
  327. address 192.168.10.254
  328. port 1883
  329. }
  330. original-port 1883
  331. protocol tcp
  332. }
  333. wan-interface eth0
  334. }
  335. protocols {
  336. static {
  337. interface-route6 ::/0 {
  338. next-hop-interface tun0 {
  339. }
  340. }
  341. }
  342. }
  343. service {
  344. dhcp-server {
  345. disabled false
  346. hostfile-update disable
  347. shared-network-name 192.168.1.x {
  348. authoritative disable
  349. subnet 192.168.1.0/24 {
  350. bootfile-name pxelinux.0
  351. bootfile-server 192.168.1.100
  352. default-router 192.168.1.1
  353. dns-server 192.168.1.254
  354. lease 86400
  355. start 192.168.1.20 {
  356. stop 192.168.1.200
  357. }
  358. static-mapping Guacamole {
  359. ip-address 192.168.1.65
  360. mac-address 00:50:56:9a:38:e9
  361. }
  362. subnet-parameters "filename "/pxe-boot/pxelinux.0";"
  363. }
  364. }
  365. shared-network-name TimeMachine {
  366. authoritative disable
  367. subnet 192.168.200.0/24 {
  368. default-router 192.168.200.1
  369. dns-server 8.8.8.8
  370. lease 86400
  371. start 192.168.200.10 {
  372. stop 192.168.200.20
  373. }
  374. }
  375. }
  376. shared-network-name Wifi {
  377. authoritative disable
  378. subnet 192.168.10.0/24 {
  379. default-router 192.168.10.1
  380. dns-server 192.168.1.254
  381. domain-name local.home
  382. lease 86400
  383. start 192.168.10.50 {
  384. stop 192.168.10.150
  385. }
  386. static-mapping BedroomPi {
  387. ip-address 192.168.10.51
  388. mac-address 44:33:4c:3a:d3:29
  389. }
  390. static-mapping DashButton {
  391. ip-address 192.168.10.67
  392. mac-address 18:74:2e:70:76:cc
  393. }
  394. static-mapping Gems-Iphone {
  395. ip-address 192.168.10.72
  396. mac-address d4:a3:3d:ac:ce:3f
  397. }
  398. static-mapping Gem-work-laptop-4G1DVY1 {
  399. ip-address 192.168.10.62
  400. mac-address 34:23:87:58:52:f4
  401. }
  402. static-mapping HUAWEI_Mate_10_Pro-7fb61c {
  403. ip-address 192.168.10.73
  404. mac-address 94:0e:6b:6c:4b:a8
  405. }
  406. static-mapping Peters-MBP {
  407. ip-address 192.168.10.53
  408. mac-address f4:0f:24:1c:13:80
  409. }
  410. static-mapping Taylors-iPad {
  411. ip-address 192.168.10.56
  412. mac-address d0:4f:7e:71:d2:1d
  413. }
  414. static-mapping Zachs-Tablet {
  415. ip-address 192.168.10.64
  416. mac-address 88:71:e5:c7:5a:bd
  417. }
  418. }
  419. }
  420. shared-network-name powerline-vlan90 {
  421. authoritative disable
  422. subnet 192.168.90.0/24 {
  423. default-router 192.168.90.1
  424. dns-server 194.168.4.100
  425. dns-server 194.168.8.100
  426. lease 86400
  427. start 192.168.90.10 {
  428. stop 192.168.90.100
  429. }
  430. }
  431. }
  432. static-arp disable
  433. use-dnsmasq disable
  434. }
  435. dns {
  436. forwarding {
  437. cache-size 150
  438. listen-on eth3.5
  439. listen-on eth3.10
  440. listen-on eth3.11
  441. listen-on eth3.50
  442. listen-on eth3.90
  443. listen-on eth3.100
  444. listen-on eth4
  445. }
  446. }
  447. gui {
  448. http-port 80
  449. https-port 443
  450. older-ciphers enable
  451. }
  452. nat {
  453. rule 5010 {
  454. description "masquerade for WAN"
  455. outbound-interface eth0
  456. type masquerade
  457. }
  458. }
  459. snmp {
  460. community home {
  461. authorization ro
  462. client 192.168.1.81
  463. }
  464. listen-address 192.168.1.1 {
  465. port 161
  466. }
  467. }
  468. ssh {
  469. port 22
  470. protocol-version v2
  471. }
  472. unms {
  473. disable
  474. }
  475. }
  476. system {
  477. domain-name home.local
  478. host-name ubnt
  479. login {
  480. user peter {
  481. authentication {
  482. encrypted-password ****************
  483. plaintext-password ****************
  484. }
  485. level admin
  486. }
  487. user ubnt {
  488. authentication {
  489. encrypted-password ****************
  490. }
  491. level admin
  492. }
  493. }
  494. name-server 192.168.1.254
  495. ntp {
  496. server 0.ubnt.pool.ntp.org {
  497. }
  498. server 1.ubnt.pool.ntp.org {
  499. }
  500. server 2.ubnt.pool.ntp.org {
  501. }
  502. server 3.ubnt.pool.ntp.org {
  503. }
  504. }
  505. offload {
  506. hwnat enable
  507. }
  508. syslog {
  509. global {
  510. facility all {
  511. level notice
  512. }
  513. facility protocols {
  514. level debug
  515. }
  516. }
  517. }
  518. time-zone Europe/London
  519. traffic-analysis {
  520. dpi enable
  521. export enable
  522. }
  523. }