- firewall {
- all-ping enable
- broadcast-ping disable
- group {
- network-group Camera_Network {
- network 10.0.40.0/24
- }
- network-group Guest_network {
- description ""
- network 10.0.30.0/24
- }
- network-group Private_Networks {
- description ""
- network 10.0.5.0/24
- network 10.0.10.0/24
- network 10.0.20.0/24
- }
- }
- ipv6-name Guest_in_v6 {
- default-action accept
- description "IPv6 Guest internet access"
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- }
- ipv6-name Guest_local_v6 {
- default-action accept
- description "IPv6 Guest to router"
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- }
- ipv6-name LAN_in_v6 {
- default-action accept
- description "IPv6 LAN to other networks"
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- }
- ipv6-name LAN_local_v6 {
- default-action accept
- description "IPv6 LAN to router"
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- }
- ipv6-name WAN_in_v6 {
- default-action drop
- description "IPv6 Internet to internal networks"
- enable-default-log
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- rule 5 {
- action accept
- description "Limit ICMPv6"
- limit {
- burst 3
- rate 50/minute
- }
- log disable
- protocol ipv6-icmp
- }
- }
- ipv6-name WAN_local_v6 {
- default-action drop
- description "IPv6 Internet to router"
- enable-default-log
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- rule 5 {
- action accept
- description "Limit ICMPv6"
- limit {
- burst 3
- rate 50/minute
- }
- log disable
- protocol ipv6-icmp
- }
- rule 10 {
- action accept
- description "Allow DHCPv6"
- destination {
- port 546
- }
- log disable
- protocol udp
- source {
- port 547
- }
- }
- }
- ipv6-receive-redirects disable
- ipv6-src-route disable
- ip-src-route disable
- log-martians enable
- name Camera_In {
- default-action drop
- description ""
- rule 10 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 20 {
- action drop
- description "Block access to Guest"
- destination {
- group {
- network-group Guest_network
- }
- }
- log disable
- protocol all
- }
- rule 30 {
- action drop
- description "Block private networks"
- destination {
- group {
- network-group Private_Networks
- }
- }
- log disable
- protocol all
- }
- rule 40 {
- action accept
- description "Allow NTP"
- destination {
- port 123
- }
- log disable
- protocol tcp_udp
- source {
- port 123
- }
- }
- rule 50 {
- action accept
- description "Allow DNS"
- destination {
- port 53
- }
- log disable
- protocol udp
- }
- }
- name Camera_local {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- rule 3 {
- action drop
- description "Drop access to Private network gateways"
- destination {
- group {
- network-group Private_Networks
- }
- }
- log disable
- protocol all
- }
- rule 4 {
- action drop
- description "Drop access to Guest Gateway"
- destination {
- group {
- network-group Guest_network
- }
- }
- log disable
- protocol all
- }
- }
- name Devices_in {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name Devices_local {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name Guest_in {
- default-action accept
- description "Guest internet access"
- rule 10 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 40 {
- action drop
- description "Block access to Cameras"
- destination {
- group {
- network-group Camera_Network
- }
- }
- log enable
- protocol all
- }
- rule 61 {
- action drop
- description "Block access to private networks"
- destination {
- group {
- network-group Private_Networks
- }
- }
- log disable
- protocol all
- }
- }
- name Guest_local {
- default-action accept
- description "Guest to Router"
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- rule 3 {
- action drop
- description "Drop access to Private networks"
- destination {
- group {
- network-group Private_Networks
- }
- }
- log disable
- protocol all
- }
- rule 4 {
- action drop
- description "Drop access to cameras"
- destination {
- group {
- network-group Camera_Network
- }
- }
- log disable
- protocol all
- }
- }
- name Management_in {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name Management_local {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name Server_In {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name Server_local {
- default-action accept
- description ""
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name WAN_in {
- default-action drop
- description "Internet to internal networks"
- enable-default-log
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 2 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- rule 3 {
- action accept
- description "Allow Plex"
- destination {
- address 10.0.10.55
- port 32400
- }
- log disable
- protocol tcp_udp
- source {
- port 32400
- }
- }
- }
- name WAN_local {
- default-action drop
- description "Internet to router"
- enable-default-log
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 5 {
- action drop
- description "Drop invalid"
- log enable
- protocol all
- state {
- invalid enable
- }
- }
- rule 10 {
- action accept
- description "Limit ICMP"
- limit {
- burst 3
- rate 30/minute
- }
- log enable
- protocol icmp
- }
- }
- name WAN_out {
- default-action accept
- description "Traffic to internet"
- rule 1 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- related enable
- }
- }
- rule 10 {
- action drop
- description "Block SMTP port 25"
- destination {
- port 25
- }
- log enable
- protocol tcp
- }
- }
- receive-redirects disable
- send-redirects enable
- source-validation disable
- syn-cookies enable
- }
- interfaces {
- ethernet eth0 {
- address 192.168.2.125/24
- description eth0_Maintenance
- duplex auto
- speed auto
- }
- ethernet eth1 {
- description eth1_GFiberJack
- duplex auto
- speed auto
- vif 2 {
- address dhcp
- description Google_Fiber
- dhcp-options {
- default-route update
- default-route-distance 210
- name-server update
- }
- dhcpv6-pd {
- pd 1 {
- interface eth2.5 {
- host-address ::1
- prefix-id :5
- service slaac
- }
- interface eth2.10 {
- host-address ::1
- prefix-id :10
- service slaac
- }
- interface eth2.20 {
- host-address ::1
- prefix-id :20
- service slaac
- }
- interface eth2.30 {
- host-address ::1
- prefix-id :30
- service slaac
- }
- interface eth2.40 {
- host-address ::1
- prefix-id :40
- service slaac
- }
- prefix-length /56
- }
- rapid-commit enable
- }
- egress-qos 0:2
- firewall {
- in {
- ipv6-name WAN_in_v6
- name WAN_in
- }
- local {
- ipv6-name WAN_local_v6
- name WAN_local
- }
- out {
- name WAN_out
- }
- }
- ipv6 {
- address {
- autoconf
- }
- dup-addr-detect-transmits 1
- }
- }
- }
- ethernet eth2 {
- duplex auto
- speed auto
- vif 5 {
- address 10.0.5.1/24
- description Private_Maintenance
- firewall {
- in {
- ipv6-name LAN_in_v6
- name Management_in
- }
- local {
- ipv6-name LAN_local_v6
- name Management_local
- }
- }
- ipv6 {
- dup-addr-detect-transmits 1
- router-advert {
- cur-hop-limit 64
- link-mtu 0
- managed-flag false
- max-interval 600
- other-config-flag false
- prefix ::/64 {
- autonomous-flag true
- on-link-flag true
- valid-lifetime 2592000
- }
- radvd-options "RDNSS fe80::<REDACTED> {};"
- reachable-time 0
- retrans-timer 0
- send-advert true
- }
- }
- }
- vif 10 {
- address 10.0.10.1/24
- description Private_Servers
- firewall {
- in {
- ipv6-name LAN_in_v6
- name Server_In
- }
- local {
- ipv6-name LAN_local_v6
- name Server_local
- }
- }
- ipv6 {
- dup-addr-detect-transmits 1
- router-advert {
- cur-hop-limit 64
- link-mtu 0
- managed-flag false
- max-interval 600
- other-config-flag false
- prefix ::/64 {
- autonomous-flag true
- on-link-flag true
- valid-lifetime 2592000
- }
- radvd-options "RDNSS fe80::<REDACTED> {};"
- reachable-time 0
- retrans-timer 0
- send-advert true
- }
- }
- }
- vif 20 {
- address 10.0.20.1/24
- description Private_Devices
- firewall {
- in {
- ipv6-name LAN_in_v6
- name Devices_in
- }
- local {
- ipv6-name LAN_local_v6
- name Devices_local
- }
- }
- ipv6 {
- dup-addr-detect-transmits 1
- router-advert {
- cur-hop-limit 64
- link-mtu 0
- managed-flag false
- max-interval 600
- other-config-flag false
- prefix ::/64 {
- autonomous-flag true
- on-link-flag true
- valid-lifetime 2592000
- }
- radvd-options "RDNSS fe80::<REDACTED> {};"
- reachable-time 0
- retrans-timer 0
- send-advert true
- }
- }
- }
- vif 30 {
- address 10.0.30.1/24
- description Guest
- firewall {
- in {
- ipv6-name Guest_in_v6
- name Guest_in
- }
- local {
- ipv6-name Guest_local_v6
- name Guest_local
- }
- }
- }
- vif 40 {
- address 10.0.40.1/24
- description Private_Cameras
- firewall {
- in {
- name Camera_In
- }
- local {
- name Camera_local
- }
- }
- ipv6 {
- dup-addr-detect-transmits 1
- router-advert {
- cur-hop-limit 64
- link-mtu 0
- managed-flag false
- max-interval 600
- other-config-flag false
- prefix ::/64 {
- autonomous-flag true
- on-link-flag true
- valid-lifetime 2592000
- }
- radvd-options "RDNSS fe80::<REDACTED> {};"
- reachable-time 0
- retrans-timer 0
- send-advert true
- }
- }
- }
- }
- loopback lo {
- }
- }
- port-forward {
- auto-firewall enable
- hairpin-nat enable
- lan-interface eth2.5
- lan-interface eth2.10
- lan-interface eth2.20
- lan-interface eth2.30
- lan-interface eth2.40
- rule 1 {
- description "Plex Server"
- forward-to {
- address 10.0.10.55
- port 32400
- }
- original-port 32400
- protocol tcp_udp
- }
- rule 2 {
- description "mqtt owntracks"
- forward-to {
- address 10.0.10.52
- port 18883
- }
- original-port 18883
- protocol tcp_udp
- }
- rule 6 {
- description guacamole
- forward-to {
- address 10.0.10.57
- port 8080
- }
- original-port 8080
- protocol tcp_udp
- }
- wan-interface eth1.2
- }
- service {
- dhcp-server {
- disabled false
- hostfile-update enable
- shared-network-name DHCP_Guest {
- authoritative disable
- subnet 10.0.30.0/24 {
- default-router 10.0.30.1
- dns-server 8.8.8.8
- dns-server 8.8.4.4
- lease 86400
- start 10.0.30.100 {
- stop 10.0.30.199
- }
- }
- }
- shared-network-name DHCP_Maintenance {
- authoritative disable
- subnet 10.0.5.0/24 {
- default-router 10.0.5.1
- dns-server 10.0.10.58
- dns-server 10.0.10.60
- lease 86400
- start 10.0.5.100 {
- stop 10.0.5.199
- }
- }
- }
- shared-network-name DHCP_Private_Cameras {
- authoritative disable
- subnet 10.0.40.0/24 {
- default-router 10.0.40.1
- dns-server 8.8.8.8
- dns-server 8.8.4.4
- lease 86400
- start 10.0.40.100 {
- stop 10.0.40.199
- }
- }
- }
- shared-network-name DHCP_Private_Devices {
- authoritative disable
- subnet 10.0.20.0/24 {
- default-router 10.0.20.1
- dns-server 10.0.10.58
- dns-server 10.0.10.60
- lease 86400
- start 10.0.20.100 {
- stop 10.0.20.199
- }
- }
- }
- shared-network-name DHCP_Private_Server {
- authoritative disable
- subnet 10.0.10.0/24 {
- default-router 10.0.10.1
- dns-server 10.0.10.58
- dns-server 10.0.10.60
- lease 86400
- start 10.0.10.100 {
- stop 10.0.10.199
- }
- }
- }
- use-dnsmasq disable
- }
- dns {
- dynamic {
- interface eth1.2 {
- service custom {
- host-name <REDACTED>
- login <REDACTED>
- password <REDACTED>
- protocol <REDACTED>
- server <REDACTED>
- }
- }
- }
- forwarding {
- cache-size 500
- listen-on eth2
- name-server 2001:4860:4860::8888
- name-server 2001:4860:4860::8844
- name-server 8.8.8.8
- name-server 8.8.4.4
- }
- }
- gui {
- http-port 80
- https-port 443
- older-ciphers enable
- }
- nat {
- rule 5000 {
- description "Masquerade to WAN"
- log disable
- outbound-interface eth1.2
- protocol all
- type masquerade
- }
- }
- snmp {
- community <REDACTED> {
- authorization ro
- }
- contact <REDACTED>
- location <REDACTED>
- }
- ssh {
- port 22
- protocol-version v2
- }
- unms {
- connection wss://<REDACTED>
- }
- }
- system {
- conntrack {
- expect-table-size 4096
- hash-size 4096
- table-size 32768
- tcp {
- half-open-connections 512
- loose disable
- max-retrans 3
- }
- }
- host-name ubnt
- login {
- user gx1400 {
- authentication {
- encrypted-password <REDACTED>
- plaintext-password ""
- }
- level admin
- }
- }
- name-server 2001:4860:4860::8888
- name-server 2001:4860:4860::8844
- name-server 8.8.8.8
- name-server 8.8.4.4
- ntp {
- server 0.ubnt.pool.ntp.org {
- }
- server 1.ubnt.pool.ntp.org {
- }
- server 2.ubnt.pool.ntp.org {
- }
- server 3.ubnt.pool.ntp.org {
- }
- }
- offload {
- hwnat disable
- ipsec enable
- ipv4 {
- forwarding enable
- vlan enable
- }
- ipv6 {
- forwarding enable
- vlan enable
- }
- }
- syslog {
- global {
- facility all {
- level notice
- }
- facility protocols {
- level debug
- }
- }
- }
- time-zone <REDACTED>
- }
- /* Warning: Do not remove the following line. */
- /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
- /* Release version: v1.9.7+hotfix.4.5024004.171005.0403 */