- firewall {
- /* gateway answers unicast ICMP echo requests on every interface; echo to broadcast addresses is ignored */
- all-ping enable
- broadcast-ping disable
- /* NOTE(review): most groups in this dump carry only a description and no members;
-    a rule that references an empty group cannot match until the group is populated */
- group {
- address-group authorized_guests {
- description "authorized guests MAC addresses"
- }
- address-group guest_allow_addresses {
- description "allow addresses for guests"
- }
- address-group guest_allow_dns_servers {
- description "allow dns servers for guests"
- }
- address-group guest_portal_address {
- description "guest portal address"
- }
- /* RFC1918 ranges guests must not reach; used by GUEST_IN rule 3004 */
- address-group guest_restricted_addresses {
- address 192.168.0.0/16
- address 172.16.0.0/12
- address 10.0.0.0/8
- description "restricted addresses for guests"
- }
- /* UniFi controller host; also published as the "unifi" host-record in service dns forwarding */
- address-group unifi_controller_addresses {
- address 192.168.0.11
- }
- address-group voip_sip_server_addresses {
- description "VOIP SIP server addresses"
- }
- network-group captive_portal_subnets {
- description "captive portal subnets"
- }
- /* the only populated network-group: the eth0 LAN (192.168.0.1/24) */
- network-group corporate_network {
- description "corporate subnets"
- network 192.168.0.0/24
- }
- network-group guest_allow_subnets {
- description "allow subnets for guests"
- }
- network-group guest_network {
- description "guest subnets"
- }
- network-group guest_restricted_subnets {
- description "restricted subnets for guests"
- }
- network-group remote_user_vpn_network {
- description "remote user vpn subnets"
- }
- network-group voip_network {
- description "voip subnets"
- }
- port-group guest_portal_ports {
- description "guest portal ports"
- }
- port-group guest_portal_redirector_ports {
- description "guest portal redirector ports"
- port 39080
- }
- /* controller ports referenced by VOIP_IN rules 3002 (tcp) and 3003 (udp) */
- port-group unifi_controller_ports-tcp {
- description "unifi tcp ports"
- port 8080
- }
- port-group unifi_controller_ports-udp {
- description "unifi udp ports"
- port 3478
- }
- /* not referenced by any rule in this dump */
- port-group voip_sip_server_ports {
- description "voip sip server udp ports"
- port 5060
- port 10000-10100
- }
- }
- /* drop-everything ruleset with no rules; not attached to any interface in this dump */
- name AUTHORIZED_GUESTS {
- default-action drop
- description "authorization check packets from guest network"
- }
- /* NOTE(review): none of the GUEST_* rulesets is bound to an interface in the interfaces
-    section of this dump, so these rules are inactive as shown. Rules are evaluated in
-    ascending order; default-action accept applies to anything not dropped below. */
- name GUEST_IN {
- default-action accept
- description "packets from guest network"
- /* udp/53 to any destination, including the gateway and the RFC1918 ranges dropped later */
- rule 3001 {
- action accept
- description "allow DNS packets to external name servers"
- destination {
- port 53
- }
- protocol udp
- }
- /* captive_portal_subnets has no members in this dump */
- rule 3002 {
- action accept
- description "allow packets to captive portal"
- destination {
- group {
- network-group captive_portal_subnets
- }
- port 443
- }
- protocol tcp
- }
- /* guest_allow_addresses has no members in this dump */
- rule 3003 {
- action accept
- description "allow packets to allow subnets"
- destination {
- group {
- address-group guest_allow_addresses
- }
- }
- }
- /* blocks 10/8, 172.16/12 and 192.168/16 */
- rule 3004 {
- action drop
- description "drop packets to restricted subnets"
- destination {
- group {
- address-group guest_restricted_addresses
- }
- }
- }
- /* shadowed by 3004: corporate_network (192.168.0.0/24) lies inside 192.168.0.0/16 */
- rule 3005 {
- action drop
- description "drop packets to intranet"
- destination {
- group {
- network-group corporate_network
- }
- }
- }
- rule 3006 {
- action drop
- description "drop packets to voip"
- destination {
- group {
- network-group voip_network
- }
- }
- }
- rule 3007 {
- action drop
- description "drop packets to remote user"
- destination {
- group {
- network-group remote_user_vpn_network
- }
- }
- }
- /* NOTE(review): description says "white list" but the action is drop, and the group is
-    empty in this dump; confirm the intended action before relying on it */
- rule 3008 {
- action drop
- description "authorized guests white list"
- destination {
- group {
- address-group authorized_guests
- }
- }
- }
- }
- /* guest -> gateway itself: only udp/53 and ICMP are accepted, everything else is dropped */
- name GUEST_LOCAL {
- default-action drop
- description "packets from guest network to gateway"
- rule 3001 {
- action accept
- description "allow DNS"
- destination {
- port 53
- }
- protocol udp
- }
- /* no ICMP type filter: all types accepted */
- rule 3002 {
- action accept
- description "allow ICMP"
- protocol icmp
- }
- }
- /* traffic forwarded into the guest segment is accepted unconditionally */
- name GUEST_OUT {
- default-action accept
- description "packets forward to guest network"
- }
- /* bound to eth0 "in" (traffic arriving from the LAN); default accept */
- name LAN_IN {
- default-action accept
- description "packets from intranet"
- /* controller host may reach voip_network (empty group in this dump) before the drop in 3002 */
- rule 3001 {
- action accept
- description "packets from unifi to voip"
- destination {
- group {
- network-group voip_network
- }
- }
- source {
- group {
- address-group unifi_controller_addresses
- }
- }
- }
- rule 3002 {
- action drop
- description "packets from intranet to voip"
- destination {
- group {
- network-group voip_network
- }
- }
- }
- /* same outcome as the default action; per its description it exists to count LAN traffic */
- rule 6001 {
- action accept
- description "accounting defined network 192.168.0.0/24"
- source {
- address 192.168.0.0/24
- }
- }
- }
- /* NOTE(review): no rules and default accept, so every LAN host can reach the gateway's
-    own services (ssh tcp/22 and the GUI on tcp/443 per the service section) */
- name LAN_LOCAL {
- default-action accept
- description "packets from intranet to gateway"
- }
- /* bound to eth0 "out"; accept-all, with one counting rule for traffic into 192.168.0.0/24 */
- name LAN_OUT {
- default-action accept
- description "packets forward to intranet"
- rule 6001 {
- action accept
- description "accounting defined network 192.168.0.0/24"
- destination {
- address 192.168.0.0/24
- }
- }
- }
- /* not bound to any interface in this dump. Controller access (3001-3003) is allowed
-    explicitly; the state rules 3004/3005 are scoped to the controller destination only;
-    3006-3008 isolate VoIP from the other segments; anything else is accepted by default. */
- name VOIP_IN {
- default-action accept
- description "packets from voip to intranet"
- rule 3001 {
- action accept
- description "icmp to unifi"
- destination {
- group {
- address-group unifi_controller_addresses
- }
- }
- protocol icmp
- }
- /* tcp/8080 via unifi_controller_ports-tcp */
- rule 3002 {
- action accept
- description "inform to unifi"
- destination {
- group {
- address-group unifi_controller_addresses
- port-group unifi_controller_ports-tcp
- }
- }
- protocol tcp
- }
- /* udp/3478 via unifi_controller_ports-udp */
- rule 3003 {
- action accept
- description "stun to unifi"
- destination {
- group {
- address-group unifi_controller_addresses
- port-group unifi_controller_ports-udp
- }
- }
- protocol udp
- }
- rule 3004 {
- action accept
- description "allow established/related sessions"
- destination {
- group {
- address-group unifi_controller_addresses
- }
- }
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3005 {
- action drop
- description "drop invalid state"
- destination {
- group {
- address-group unifi_controller_addresses
- }
- }
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- /* corporate_network is 192.168.0.0/24; the controller at 192.168.0.11 is already matched by 3001-3005 above */
- rule 3006 {
- action drop
- description "drop VoIP to LAN traffic"
- destination {
- group {
- network-group corporate_network
- }
- }
- }
- rule 3007 {
- action drop
- description "drop VoIP to GUEST traffic"
- destination {
- group {
- network-group guest_network
- }
- }
- }
- rule 3008 {
- action drop
- description "drop VoIP to REMOTE USER traffic"
- destination {
- group {
- network-group remote_user_vpn_network
- }
- }
- }
- }
- /* voip -> gateway itself: DNS, ICMP and reply traffic only; default drop */
- name VOIP_LOCAL {
- default-action drop
- description "packets from voip to gateway"
- rule 3001 {
- action accept
- description "allow DNS"
- destination {
- port 53
- }
- protocol udp
- }
- rule 3002 {
- action accept
- description "allow ICMP"
- protocol icmp
- }
- rule 3003 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3004 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- /* traffic forwarded into the VoIP segment is accepted unconditionally */
- name VOIP_OUT {
- default-action accept
- description "packets forward to voip"
- }
- /* bound to eth2 (and the disabled eth3) "in": forwarded traffic from the internet.
-    Default drop; only reply traffic and the single explicit forward below get through. */
- name WAN_IN {
- default-action drop
- description "packets from internet to intranet"
- rule 3001 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3002 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- /* forward-path half of port-forward rule 3001; needed because port-forward auto-firewall is
-    disabled. Source is unrestricted (any internet host); hits are logged, which gives a
-    detection point for scans of the published service. */
- rule 3003 {
- action accept
- description "PortForward [ssl]"
- destination {
- address 192.168.0.68
- port 443
- }
- log enable
- protocol tcp
- }
- }
- /* bound to eth2 "local": traffic from the internet to the gateway itself. Default drop, so
-    ssh (22) and the GUI (443) are not reachable from the WAN unless a rule below admits them. */
- name WAN_LOCAL {
- default-action drop
- description "packets from internet to gateway"
- rule 3001 {
- action accept
- description "allow established/related sessions"
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 3002 {
- action drop
- description "drop invalid state"
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- /* NOTE(review): accepts every ICMP type from any internet host (no type filter), and
-    all-ping is enabled above; consider limiting this to the types actually needed */
- rule 3003 {
- action accept
- description "allow ICMP"
- protocol icmp
- }
- }
- /* TCP MSS clamping for tunnel interface types; no pppoe/pptp interface is defined in this
-    dump (eth2 carries a static address), so this only takes effect if one is added */
- options {
- mss-clamp {
- interface-type pppoe
- interface-type pptp
- mss 1412
- }
- }
- /* ICMP redirects are ignored when received but still sent by the gateway;
-    NOTE(review): sending redirects is usually only wanted on trusted segments */
- receive-redirects disable
- send-redirects enable
- /* SYN cookies protect the gateway's own listeners against SYN floods */
- syn-cookies enable
- }
- /* Only the LAN_* and WAN_* rulesets are bound here. There are no vif/VLAN sub-interfaces,
-    so the GUEST_* and VOIP_* rulesets defined above are not in use in this dump. */
- interfaces {
- /* LAN: gateway address for the corporate_network group (192.168.0.0/24) */
- ethernet eth0 {
- address 192.168.0.1/24
- firewall {
- in {
- name LAN_IN
- }
- local {
- name LAN_LOCAL
- }
- out {
- name LAN_OUT
- }
- }
- }
- ethernet eth1 {
- disable
- }
- /* WAN: public address redacted in the paste (aa.bb.cc.dd/ee); no "out" ruleset is attached */
- ethernet eth2 {
- address aa.bb.cc.dd/ee
- firewall {
- in {
- name WAN_IN
- }
- local {
- name WAN_LOCAL
- }
- }
- }
- /* administratively disabled port that still has the WAN rulesets attached */
- ethernet eth3 {
- disable
- firewall {
- in {
- name WAN_IN
- }
- local {
- name WAN_LOCAL
- }
- }
- }
- loopback lo {
- }
- }
- /* DNAT of WAN tcp/443 on eth2 to 192.168.0.68. auto-firewall is disabled, so the matching
-    accept is the hand-written WAN_IN rule 3003 rather than an auto-generated one. */
- port-forward {
- auto-firewall disable
- /* LAN clients may reach the forwarded service via the WAN address */
- hairpin-nat enable
- lan-interface eth0
- rule 3001 {
- description ssl
- forward-to {
- address 192.168.0.68
- }
- original-port 443
- protocol tcp
- }
- wan-interface eth2
- }
- /* single default route; the upstream next-hop is redacted in the paste */
- protocols {
- static {
- route 0.0.0.0/0 {
- next-hop aa.bb.cc.dd {
- }
- }
- }
- }
- service {
- /* DHCP for the eth0 LAN: pool .30-.200, gateway .1, public (Google) resolvers, 24h leases */
- dhcp-server {
- disabled false
- /* leases are written to the local hosts file, so DHCP client names resolve via the forwarder */
- hostfile-update enable
- shared-network-name LAN_192.168.0.0-24 {
- authoritative enable
- description vlan1
- subnet 192.168.0.0/24 {
- default-router 192.168.0.1
- dns-server 8.8.8.8
- dns-server 8.8.4.4
- lease 86400
- start 192.168.0.30 {
- stop 192.168.0.200
- }
- /* fixed assignments; .202 and .210 sit outside the dynamic pool */
- static-mapping 0c-4d-e9-d3-bc-86 {
- ip-address 192.168.0.13
- mac-address 0c:4d:e9:d3:bc:86
- }
- static-mapping 5c-96-9d-6f-2e-64 {
- ip-address 192.168.0.210
- mac-address 5c:96:9d:6f:2e:64
- }
- static-mapping 08-00-23-6f-2a-33 {
- ip-address 192.168.0.9
- mac-address 08:00:23:6f:2a:33
- }
- static-mapping 38-c9-86-31-ca-fd {
- ip-address 192.168.0.202
- mac-address 38:c9:86:31:ca:fd
- }
- static-mapping bc-c3-42-03-0c-29 {
- ip-address 192.168.0.10
- mac-address bc:c3:42:03:0c:29
- }
- }
- }
- }
- dns {
- /* local forwarder; except-interface eth2 keeps it off the WAN side (no open resolver) */
- forwarding {
- cache-size 500
- except-interface eth2
- /* resolves "unifi" to the controller host in unifi_controller_addresses */
- options host-record=unifi,192.168.0.11
- }
- }
- /* NOTE(review): admin GUI on tcp/443, the same port the port-forward rule DNATs on eth2;
-    from the WAN the DNAT wins and WAN_LOCAL drops the rest, so the GUI is effectively
-    LAN-only here - confirm if eth2 is ever re-addressed or the forward removed */
- gui {
- https-port 443
- }
- /* no link-layer discovery announcements on the WAN-facing ports */
- lldp {
- interface eth2 {
- disable
- }
- interface eth3 {
- disable
- }
- }
- /* source NAT to the eth2 address; only corporate_network has members in this dump,
-    the other three groups are empty so rules 6002-6004 match nothing as shown */
- nat {
- rule 6001 {
- description "MASQ corporate_network to WAN"
- log disable
- outbound-interface eth2
- protocol all
- source {
- group {
- network-group corporate_network
- }
- }
- type masquerade
- }
- rule 6002 {
- description "MASQ voip_network to WAN"
- log disable
- outbound-interface eth2
- protocol all
- source {
- group {
- network-group voip_network
- }
- }
- type masquerade
- }
- rule 6003 {
- description "MASQ remote_user_vpn_network to WAN"
- log disable
- outbound-interface eth2
- protocol all
- source {
- group {
- network-group remote_user_vpn_network
- }
- }
- type masquerade
- }
- rule 6004 {
- description "MASQ guest_network to WAN"
- log disable
- outbound-interface eth2
- protocol all
- source {
- group {
- network-group guest_network
- }
- }
- type masquerade
- }
- }
- /* listens on the default port on all interfaces; WAN reachability is governed by WAN_LOCAL (default drop) */
- ssh {
- port 22
- protocol-version v2
- }
- }
- system {
- host-name USG4P
- /* single admin-level account; password hash redacted in the paste */
- login {
- user admin {
- authentication {
- encrypted-password ****************
- }
- level admin
- }
- }
- /* the gateway's own resolvers (same public servers handed to DHCP clients) */
- name-server 8.8.8.8
- name-server 8.8.4.4
- ntp {
- server 0.ubnt.pool.ntp.org {
- }
- }
- /* hardware offload for forwarding, PPPoE, VLAN and IPsec */
- offload {
- ipsec enable
- ipv4 {
- forwarding enable
- pppoe enable
- vlan enable
- }
- ipv6 {
- forwarding enable
- vlan enable
- }
- }
- /* points the setup hostname at the gateway's LAN address */
- static-host-mapping {
- host-name setup.ubnt.com {
- alias setup
- inet 192.168.0.1
- }
- }
- /* NOTE(review): "protocols" logged at debug is verbose; notice elsewhere */
- syslog {
- global {
- facility all {
- level notice
- }
- facility protocols {
- level debug
- }
- }
- }
- time-zone Europe/Moscow
- /* deep packet inspection is off */
- traffic-analysis {
- dpi disable
- }
- }
- /* controller-managed configuration version marker */
- unifi {
- mgmt {
- cfgversion e9502a244cdf1d36
- }
- }