
ERL Config

  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. address-group vlan10 {
  6. address 192.168.10.0/23
  7. description "vlan10 subnet (192.168.10.0/23)"
  8. }
  9. address-group vlan20 {
  10. address 192.168.20.0/23
  11. description "vlan20 subnet (192.168.20.0/23)"
  12. }
  13. address-group vlan30 {
  14. address 192.168.30.0/23
  15. description "vlan30 subnet (192.168.30.0/23)"
  16. }
  17. address-group vlan40 {
  18. address 192.168.40.0/23
  19. description "vlan40 subnet (192.168.40.0/23)"
  20. }
  21. network-group RFC-1918_networks {
  22. description "Used to easily block RFC-1918_networks"
  23. network 192.168.0.0/16
  24. network 172.16.0.0/12
  25. network 10.0.0.0/8
  26. }
  27. }
  28. ipv6-receive-redirects disable
  29. ipv6-src-route disable
  30. ip-src-route disable
  31. log-martians enable
  32. name LAN_IN {
  33. default-action accept
  34. description "Internal network to Internet"
  35. rule 1 {
  36. action accept
  37. description "Allow Admin To Wired (redundant)"
  38. destination {
  39. group {
  40. address-group vlan20
  41. }
  42. }
  43. log disable
  44. protocol all
  45. source {
  46. group {
  47. address-group vlan10
  48. }
  49. }
  50. }
  51. rule 2 {
  52. action accept
  53. description "Allow Admin To Member (redundant)"
  54. destination {
  55. group {
  56. address-group vlan30
  57. }
  58. }
  59. log disable
  60. protocol all
  61. source {
  62. group {
  63. address-group vlan10
  64. }
  65. }
  66. }
  67. rule 3 {
  68. action accept
  69. description "Allow Admin To Guest (redundant)"
  70. destination {
  71. group {
  72. address-group vlan40
  73. }
  74. }
  75. log disable
  76. protocol all
  77. source {
  78. group {
  79. address-group vlan10
  80. }
  81. }
  82. }
  83. rule 4 {
  84. action drop
  85. description "Drop Wired to Admin"
  86. destination {
  87. group {
  88. address-group vlan10
  89. }
  90. }
  91. log disable
  92. protocol all
  93. source {
  94. group {
  95. address-group vlan20
  96. }
  97. }
  98. }
  99. rule 5 {
  100. action drop
  101. description "Drop Wired to Member"
  102. destination {
  103. group {
  104. address-group vlan30
  105. }
  106. }
  107. log disable
  108. protocol all
  109. source {
  110. group {
  111. address-group vlan20
  112. }
  113. }
  114. }
  115. rule 6 {
  116. action drop
  117. description "Drop Wired to Guest"
  118. destination {
  119. group {
  120. address-group vlan40
  121. }
  122. }
  123. log disable
  124. protocol all
  125. source {
  126. group {
  127. address-group vlan20
  128. }
  129. }
  130. }
  131. rule 7 {
  132. action drop
  133. description "Drop Member to Admin"
  134. destination {
  135. group {
  136. address-group vlan10
  137. }
  138. }
  139. log disable
  140. protocol all
  141. source {
  142. group {
  143. address-group vlan30
  144. }
  145. }
  146. }
  147. rule 8 {
  148. action drop
  149. description "Drop Member to Wired"
  150. destination {
  151. group {
  152. address-group vlan20
  153. }
  154. }
  155. log disable
  156. protocol all
  157. source {
  158. group {
  159. address-group vlan30
  160. }
  161. }
  162. }
  163. rule 9 {
  164. action drop
  165. description "Drop Member to Guest"
  166. destination {
  167. group {
  168. address-group vlan40
  169. }
  170. }
  171. log disable
  172. protocol all
  173. source {
  174. group {
  175. address-group vlan30
  176. }
  177. }
  178. }
  179. rule 10 {
  180. action drop
  181. description "Drop Guest to Admin"
  182. destination {
  183. group {
  184. address-group vlan10
  185. }
  186. }
  187. log disable
  188. protocol all
  189. source {
  190. group {
  191. address-group vlan40
  192. }
  193. }
  194. }
  195. rule 11 {
  196. action drop
  197. description "Drop Guest to Wired"
  198. destination {
  199. group {
  200. address-group vlan20
  201. }
  202. }
  203. log disable
  204. protocol all
  205. source {
  206. group {
  207. address-group vlan40
  208. }
  209. }
  210. }
  211. rule 12 {
  212. action drop
  213. description "Drop Guest to Member"
  214. destination {
  215. group {
  216. address-group vlan30
  217. }
  218. }
  219. log disable
  220. protocol all
  221. source {
  222. group {
  223. address-group vlan40
  224. }
  225. }
  226. }
  227. }
  228. name LAN_LOCAL {
  229. default-action accept
  230. description "Internal network to router"
  231. }
  232. name Member-VLAN {
  233. default-action accept
  234. description "Isolate Member VLAN"
  235. rule 1 {
  236. action drop
  237. description "Drop Route to RFC-1918_networks"
  238. destination {
  239. group {
  240. network-group RFC-1918_networks
  241. }
  242. }
  243. log enable
  244. protocol all
  245. }
  246. rule 2 {
  247. action drop
  248. description "Drop Traffic Between Clients"
  249. destination {
  250. group {
  251. address-group vlan30
  252. }
  253. }
  254. log disable
  255. protocol all
  256. source {
  257. group {
  258. address-group vlan30
  259. }
  260. }
  261. }
  262. }
  263. name WAN_IN {
  264. default-action drop
  265. description "packets from Internet to LAN & WLAN"
  266. enable-default-log
  267. rule 1 {
  268. action accept
  269. description "allow established sessions"
  270. log disable
  271. protocol all
  272. state {
  273. established enable
  274. invalid disable
  275. new disable
  276. related enable
  277. }
  278. }
  279. rule 2 {
  280. action drop
  281. description "drop invalid state"
  282. log disable
  283. protocol all
  284. state {
  285. established disable
  286. invalid enable
  287. new disable
  288. related disable
  289. }
  290. }
  291. rule 3 {
  292. action accept
  293. description "Allow RDP Music"
  294. destination {
  295. port 35560
  296. }
  297. log disable
  298. protocol tcp_udp
  299. }
  300. rule 4 {
  301. action accept
  302. description "Allow iperf"
  303. destination {
  304. address 192.168.10.50
  305. port 5201
  306. }
  307. log disable
  308. protocol tcp_udp
  309. }
  310. }
  311. name WAN_LOCAL {
  312. default-action drop
  313. description "packets from Internet to the router"
  314. enable-default-log
  315. rule 1 {
  316. action accept
  317. description "allow established sessions"
  318. log disable
  319. protocol all
  320. state {
  321. established enable
  322. invalid disable
  323. new disable
  324. related enable
  325. }
  326. }
  327. rule 2 {
  328. action drop
  329. description "drop invalid state"
  330. log disable
  331. protocol all
  332. state {
  333. established disable
  334. invalid enable
  335. new disable
  336. related disable
  337. }
  338. }
  339. }
  340. receive-redirects disable
  341. send-redirects enable
  342. source-validation disable
  343. syn-cookies enable
  344. }
interfaces {
    /* WAN: v4 and v6 via DHCP; WAN_IN and WAN_LOCAL both default to drop. */
    ethernet eth0 {
        address dhcp
        address dhcpv6
        description "WAN To FiberJack"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* 802.1Q trunk; the untagged parent carries no address. NOTE(review): LAN_IN is bound only to the parent; on EdgeOS a rule set on the parent is not expected to apply to the vif sub-interfaces, so check its counters and, if they stay at zero, bind it on vif 10/20/40 (vif 30 already carries Member-VLAN, and a vif takes one "in" rule set). No "local" rule set is bound on any vif, so every VLAN can reach the router's own ssh/gui/dns. */
    ethernet eth1 {
        description "Trunk To Switch"
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
        /* Admin VLAN; also the DHCP/NAT "lan-interface" for the RDP forward. */
        vif 10 {
            address 192.168.10.1/23
        }
        /* Wired VLAN. */
        vif 20 {
            address 192.168.20.1/23
        }
        /* Member VLAN: Internet-only via Member-VLAN rule 1. */
        vif 30 {
            address 192.168.30.1/23
            firewall {
                in {
                    name Member-VLAN
                }
            }
        }
        /* Guest VLAN; isolation from the other VLANs depends on LAN_IN rules 10-12 actually applying here. */
        vif 40 {
            address 192.168.40.1/23
        }
    }
    /* Out-of-band config port; covered by the 192.168.0.0/16 masquerade in nat rule 5010. */
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local Config Port"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* NOTE(review): publishes RDP (3389) on 192.168.10.50, a host on the admin VLAN, to the Internet on 35560; the non-standard port is not access control. Prefer VPN access; if the forward must stay, restrict the source in the matching WAN_IN accept and log it. */
port-forward {
    /* Generates the WAN accept for rule 1 itself, so WAN_IN rule 3 is redundant. */
    auto-firewall enable
    /* Lets LAN clients reach the forward via the public address; see nat rule 5012. */
    hairpin-nat enable
    lan-interface eth1.10
    rule 1 {
        description "rdp music"
        forward-to {
            address 192.168.10.50
            port 3389
        }
        original-port 35560
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    /* One pool per VLAN; the router itself is gateway and DNS for each. */
    dhcp-server {
        disabled false
        /* NOTE(review): client-supplied DHCP hostnames become resolvable through the forwarder; a client on any VLAN can pick its own name, so do not rely on these names for trust decisions. */
        hostfile-update enable
        shared-network-name vlan10 {
            authoritative disable
            description vlan10-dhcp-pool
            subnet 192.168.10.0/23 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.249
                }
                /* RDP host published by port-forward rule 1. */
                static-mapping Music {
                    ip-address 192.168.10.50
                    mac-address f0:4d:a2:f7:7a:b6
                }
                static-mapping WIFI-AP1 {
                    ip-address 192.168.10.20
                    mac-address 88:dc:96:37:1d:f8
                }
                static-mapping WIFI-AP2 {
                    ip-address 192.168.10.21
                    mac-address 88:dc:96:37:1d:fc
                }
                static-mapping sw1 {
                    ip-address 192.168.10.10
                    mac-address a0:63:91:96:f1:5c
                }
            }
        }
        shared-network-name vlan20 {
            authoritative disable
            description vlan20-dhcp-pool
            subnet 192.168.20.0/23 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                lease 86400
                start 192.168.20.100 {
                    stop 192.168.20.249
                }
            }
        }
        shared-network-name vlan30 {
            authoritative disable
            description vlan30-dhcp-pool
            subnet 192.168.30.0/23 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                lease 86400
                start 192.168.30.100 {
                    stop 192.168.30.249
                }
            }
        }
        shared-network-name vlan40 {
            authoritative disable
            description vlan40-dhcp-pool
            subnet 192.168.40.0/23 {
                default-router 192.168.40.1
                dns-server 192.168.40.1
                lease 86400
                start 192.168.40.100 {
                    stop 192.168.40.249
                }
            }
        }
    }
    dns {
        /* Dynamic-DNS credentials are redacted in this paste; they are stored in clear text in the running config. */
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name redacted
                    login redacted
                    password redacted
                    server dynupdate.no-ip.com
                }
            }
        }
        /* Resolver for all VLANs (and the untagged trunk parent); upstream is Google DNS over plain UDP/TCP. */
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth1.10
            listen-on eth1.20
            listen-on eth1.30
            listen-on eth1.40
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    /* Web UI on 443; reachable from every VLAN since no "local" rule set is bound on the LAN side. */
    gui {
        https-port 443
    }
    nat {
        /* Disabled; pairs with WAN_IN rule 4, which stays inert until this is enabled. */
        rule 1 {
            description "port forward iperf 35561 to 5201 "
            destination {
                port 35561
            }
            disable
            inbound-interface eth0
            inside-address {
                address 192.168.10.50
                port 5201
            }
            log enable
            protocol tcp_udp
            type destination
        }
        /* Covers all four VLANs plus the eth2 config subnet. */
        rule 5010 {
            description "masquerade from all LANs to eth0 WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 192.168.0.0/16
            }
            type masquerade
        }
        /* Disabled; subsumed by rule 5010. */
        rule 5011 {
            description "Allow VLAN10 Internet"
            disable
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    address-group ADDRv4_eth1.10
                }
            }
            type masquerade
        }
        /* Hairpin source-NAT for LAN clients using the public address on 5201. */
        rule 5012 {
            description "MASQ for hairpin"
            destination {
                address 192.168.0.0/16
                port 5201
            }
            log disable
            outbound-interface eth1
            protocol tcp_udp
            source {
                address 192.168.0.0/16
            }
            type masquerade
        }
    }
    /* Not exposed on eth0 (WAN_LOCAL defaults to drop). NOTE(review): a public key is configured under system login, so password logins could be turned off with "disable-password-authentication" once key access is confirmed. */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name redacted
    /* Single admin account: key plus encrypted password (empty plaintext-password is the stored form, not an empty password). */
    login {
        user redacted {
            authentication {
                encrypted-password redacted
                plaintext-password ""
                public-keys redacted@ubnt {
                    key redacted
                    type ssh-rsa
                }
            }
            full-name "redacted"
            level admin
        }
    }
    /* Router's own resolvers (v4 and v6 Google DNS); LAN clients use the forwarder instead. */
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    /* Debian wheezy mirrors over plain http; integrity rests on apt's release signatures. */
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ""
            url http://security.debian.org
            username ""
        }
    }
    /* Local logging only; firewall drops marked "log enable" land here at these levels. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    /* DPI with export enabled: per-client application data leaves the router. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
  636.  
  637.  
  638. /* Warning: Do not remove the following line. */
  639. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  640. /* Release version: v1.7.0.4783374.150622.1534 */