hansdg1

ERL Config

Feb 3rd, 2016
122
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. address-group vlan10 {
  6. address 192.168.10.0/23
  7. description "vlan10 subnet (192.168.10.0/23)"
  8. }
  9. address-group vlan20 {
  10. address 192.168.20.0/23
  11. description "vlan20 subnet (192.168.20.0/23)"
  12. }
  13. address-group vlan30 {
  14. address 192.168.30.0/23
  15. description "vlan30 subnet (192.168.30.0/23)"
  16. }
  17. address-group vlan40 {
  18. address 192.168.40.0/23
  19. description "vlan40 subnet (192.168.40.0/23)"
  20. }
  21. network-group RFC-1918_networks {
  22. description "Used to easily block RFC-1918_networks"
  23. network 192.168.0.0/16
  24. network 172.16.0.0/12
  25. network 10.0.0.0/8
  26. }
  27. }
  28. ipv6-receive-redirects disable
  29. ipv6-src-route disable
  30. ip-src-route disable
  31. log-martians enable
  32. name LAN_IN {
  33. default-action accept
  34. description "Internal network to Internet"
  35. rule 1 {
  36. action accept
  37. description "Allow Admin To Wired (redundant)"
  38. destination {
  39. group {
  40. address-group vlan20
  41. }
  42. }
  43. log disable
  44. protocol all
  45. source {
  46. group {
  47. address-group vlan10
  48. }
  49. }
  50. }
  51. rule 2 {
  52. action accept
  53. description "Allow Admin To Member (redundant)"
  54. destination {
  55. group {
  56. address-group vlan30
  57. }
  58. }
  59. log disable
  60. protocol all
  61. source {
  62. group {
  63. address-group vlan10
  64. }
  65. }
  66. }
  67. rule 3 {
  68. action accept
  69. description "Allow Admin To Guest (redundant)"
  70. destination {
  71. group {
  72. address-group vlan40
  73. }
  74. }
  75. log disable
  76. protocol all
  77. source {
  78. group {
  79. address-group vlan10
  80. }
  81. }
  82. }
  83. rule 4 {
  84. action drop
  85. description "Drop Wired to Admin"
  86. destination {
  87. group {
  88. address-group vlan10
  89. }
  90. }
  91. log disable
  92. protocol all
  93. source {
  94. group {
  95. address-group vlan20
  96. }
  97. }
  98. }
  99. rule 5 {
  100. action drop
  101. description "Drop Wired to Member"
  102. destination {
  103. group {
  104. address-group vlan30
  105. }
  106. }
  107. log disable
  108. protocol all
  109. source {
  110. group {
  111. address-group vlan20
  112. }
  113. }
  114. }
  115. rule 6 {
  116. action drop
  117. description "Drop Wired to Guest"
  118. destination {
  119. group {
  120. address-group vlan40
  121. }
  122. }
  123. log disable
  124. protocol all
  125. source {
  126. group {
  127. address-group vlan20
  128. }
  129. }
  130. }
  131. rule 7 {
  132. action drop
  133. description "Drop Member to Admin"
  134. destination {
  135. group {
  136. address-group vlan10
  137. }
  138. }
  139. log disable
  140. protocol all
  141. source {
  142. group {
  143. address-group vlan30
  144. }
  145. }
  146. }
  147. rule 8 {
  148. action drop
  149. description "Drop Member to Wired"
  150. destination {
  151. group {
  152. address-group vlan20
  153. }
  154. }
  155. log disable
  156. protocol all
  157. source {
  158. group {
  159. address-group vlan30
  160. }
  161. }
  162. }
  163. rule 9 {
  164. action drop
  165. description "Drop Member to Guest"
  166. destination {
  167. group {
  168. address-group vlan40
  169. }
  170. }
  171. log disable
  172. protocol all
  173. source {
  174. group {
  175. address-group vlan30
  176. }
  177. }
  178. }
  179. rule 10 {
  180. action drop
  181. description "Drop Guest to Admin"
  182. destination {
  183. group {
  184. address-group vlan10
  185. }
  186. }
  187. log disable
  188. protocol all
  189. source {
  190. group {
  191. address-group vlan40
  192. }
  193. }
  194. }
  195. rule 11 {
  196. action drop
  197. description "Drop Guest to Wired"
  198. destination {
  199. group {
  200. address-group vlan20
  201. }
  202. }
  203. log disable
  204. protocol all
  205. source {
  206. group {
  207. address-group vlan40
  208. }
  209. }
  210. }
  211. rule 12 {
  212. action drop
  213. description "Drop Guest to Member"
  214. destination {
  215. group {
  216. address-group vlan30
  217. }
  218. }
  219. log disable
  220. protocol all
  221. source {
  222. group {
  223. address-group vlan40
  224. }
  225. }
  226. }
  227. }
  228. name LAN_LOCAL {
  229. default-action accept
  230. description "Internal network to router"
  231. }
  232. name Member-VLAN {
  233. default-action accept
  234. description "Isolate Member VLAN"
  235. rule 1 {
  236. action drop
  237. description "Drop Route to RFC-1918_networks"
  238. destination {
  239. group {
  240. network-group RFC-1918_networks
  241. }
  242. }
  243. log enable
  244. protocol all
  245. }
  246. rule 2 {
  247. action drop
  248. description "Drop Traffic Between Clients"
  249. destination {
  250. group {
  251. address-group vlan30
  252. }
  253. }
  254. log disable
  255. protocol all
  256. source {
  257. group {
  258. address-group vlan30
  259. }
  260. }
  261. }
  262. }
  263. name WAN_IN {
  264. default-action drop
  265. description "packets from Internet to LAN & WLAN"
  266. enable-default-log
  267. rule 1 {
  268. action accept
  269. description "allow established sessions"
  270. log disable
  271. protocol all
  272. state {
  273. established enable
  274. invalid disable
  275. new disable
  276. related enable
  277. }
  278. }
  279. rule 2 {
  280. action drop
  281. description "drop invalid state"
  282. log disable
  283. protocol all
  284. state {
  285. established disable
  286. invalid enable
  287. new disable
  288. related disable
  289. }
  290. }
  291. rule 3 {
  292. action accept
  293. description "Allow RDP Music"
  294. destination {
  295. port 35560
  296. }
  297. log disable
  298. protocol tcp_udp
  299. }
  300. rule 4 {
  301. action accept
  302. description "Allow iperf"
  303. destination {
  304. address 192.168.10.50
  305. port 5201
  306. }
  307. log disable
  308. protocol tcp_udp
  309. }
  310. }
  311. name WAN_LOCAL {
  312. default-action drop
  313. description "packets from Internet to the router"
  314. enable-default-log
  315. rule 1 {
  316. action accept
  317. description "allow established sessions"
  318. log disable
  319. protocol all
  320. state {
  321. established enable
  322. invalid disable
  323. new disable
  324. related enable
  325. }
  326. }
  327. rule 2 {
  328. action drop
  329. description "drop invalid state"
  330. log disable
  331. protocol all
  332. state {
  333. established disable
  334. invalid enable
  335. new disable
  336. related disable
  337. }
  338. }
  339. }
  340. receive-redirects disable
  341. send-redirects enable
  342. source-validation disable
  343. syn-cookies enable
  344. }
  345. interfaces {
  346. ethernet eth0 {
  347. address dhcp
  348. address dhcpv6
  349. description "WAN To FiberJack"
  350. duplex auto
  351. firewall {
  352. in {
  353. name WAN_IN
  354. }
  355. local {
  356. name WAN_LOCAL
  357. }
  358. }
  359. speed auto
  360. }
  361. ethernet eth1 {
  362. description "Trunk To Switch"
  363. duplex auto
  364. firewall {
  365. in {
  366. name LAN_IN
  367. }
  368. }
  369. speed auto
  370. vif 10 {
  371. address 192.168.10.1/23
  372. }
  373. vif 20 {
  374. address 192.168.20.1/23
  375. }
  376. vif 30 {
  377. address 192.168.30.1/23
  378. firewall {
  379. in {
  380. name Member-VLAN
  381. }
  382. }
  383. }
  384. vif 40 {
  385. address 192.168.40.1/23
  386. }
  387. }
  388. ethernet eth2 {
  389. address 192.168.2.1/24
  390. description "Local Config Port"
  391. duplex auto
  392. speed auto
  393. }
  394. loopback lo {
  395. }
  396. }
  397. port-forward {
  398. auto-firewall enable
  399. hairpin-nat enable
  400. lan-interface eth1.10
  401. rule 1 {
  402. description "rdp music"
  403. forward-to {
  404. address 192.168.10.50
  405. port 3389
  406. }
  407. original-port 35560
  408. protocol tcp_udp
  409. }
  410. wan-interface eth0
  411. }
  412. service {
  413. dhcp-server {
  414. disabled false
  415. hostfile-update enable
  416. shared-network-name vlan10 {
  417. authoritative disable
  418. description vlan10-dhcp-pool
  419. subnet 192.168.10.0/23 {
  420. default-router 192.168.10.1
  421. dns-server 192.168.10.1
  422. lease 86400
  423. start 192.168.10.100 {
  424. stop 192.168.10.249
  425. }
  426. static-mapping Music {
  427. ip-address 192.168.10.50
  428. mac-address f0:4d:a2:f7:7a:b6
  429. }
  430. static-mapping WIFI-AP1 {
  431. ip-address 192.168.10.20
  432. mac-address 88:dc:96:37:1d:f8
  433. }
  434. static-mapping WIFI-AP2 {
  435. ip-address 192.168.10.21
  436. mac-address 88:dc:96:37:1d:fc
  437. }
  438. static-mapping sw1 {
  439. ip-address 192.168.10.10
  440. mac-address a0:63:91:96:f1:5c
  441. }
  442. }
  443. }
  444. shared-network-name vlan20 {
  445. authoritative disable
  446. description vlan20-dhcp-pool
  447. subnet 192.168.20.0/23 {
  448. default-router 192.168.20.1
  449. dns-server 192.168.20.1
  450. lease 86400
  451. start 192.168.20.100 {
  452. stop 192.168.20.249
  453. }
  454. }
  455. }
  456. shared-network-name vlan30 {
  457. authoritative disable
  458. description vlan30-dhcp-pool
  459. subnet 192.168.30.0/23 {
  460. default-router 192.168.30.1
  461. dns-server 192.168.30.1
  462. lease 86400
  463. start 192.168.30.100 {
  464. stop 192.168.30.249
  465. }
  466. }
  467. }
  468. shared-network-name vlan40 {
  469. authoritative disable
  470. description vlan40-dhcp-pool
  471. subnet 192.168.40.0/23 {
  472. default-router 192.168.40.1
  473. dns-server 192.168.40.1
  474. lease 86400
  475. start 192.168.40.100 {
  476. stop 192.168.40.249
  477. }
  478. }
  479. }
  480. }
  481. dns {
  482. dynamic {
  483. interface eth0 {
  484. service dyndns {
  485. host-name redacted
  486. login redacted
  487. password redacted
  488. server dynupdate.no-ip.com
  489. }
  490. }
  491. }
  492. forwarding {
  493. cache-size 150
  494. listen-on eth1
  495. listen-on eth1.10
  496. listen-on eth1.20
  497. listen-on eth1.30
  498. listen-on eth1.40
  499. name-server 8.8.8.8
  500. name-server 8.8.4.4
  501. }
  502. }
  503. gui {
  504. https-port 443
  505. }
  506. nat {
  507. rule 1 {
  508. description "port forward iperf 35561 to 5201 "
  509. destination {
  510. port 35561
  511. }
  512. disable
  513. inbound-interface eth0
  514. inside-address {
  515. address 192.168.10.50
  516. port 5201
  517. }
  518. log enable
  519. protocol tcp_udp
  520. type destination
  521. }
  522. rule 5010 {
  523. description "masquerade from all LANs to eth0 WAN"
  524. log disable
  525. outbound-interface eth0
  526. protocol all
  527. source {
  528. address 192.168.0.0/16
  529. }
  530. type masquerade
  531. }
  532. rule 5011 {
  533. description "Allow VLAN10 Internet"
  534. disable
  535. log disable
  536. outbound-interface eth0
  537. protocol all
  538. source {
  539. group {
  540. address-group ADDRv4_eth1.10
  541. }
  542. }
  543. type masquerade
  544. }
  545. rule 5012 {
  546. description "MASQ for hairpin"
  547. destination {
  548. address 192.168.0.0/16
  549. port 5201
  550. }
  551. log disable
  552. outbound-interface eth1
  553. protocol tcp_udp
  554. source {
  555. address 192.168.0.0/16
  556. }
  557. type masquerade
  558. }
  559. }
  560. ssh {
  561. port 22
  562. protocol-version v2
  563. }
  564. }
  565. system {
  566. host-name redacted
  567. login {
  568. user redacted {
  569. authentication {
  570. encrypted-password redacted
  571. plaintext-password ""
  572. public-keys redacted@ubnt {
  573. key redacted
  574. type ssh-rsa
  575. }
  576. }
  577. full-name "redacted"
  578. level admin
  579. }
  580. }
  581. name-server 8.8.8.8
  582. name-server 8.8.4.4
  583. name-server 2001:4860:4860::8888
  584. name-server 2001:4860:4860::8844
  585. ntp {
  586. server 0.ubnt.pool.ntp.org {
  587. }
  588. server 1.ubnt.pool.ntp.org {
  589. }
  590. server 2.ubnt.pool.ntp.org {
  591. }
  592. server 3.ubnt.pool.ntp.org {
  593. }
  594. }
  595. offload {
  596. ipsec enable
  597. ipv4 {
  598. forwarding enable
  599. }
  600. ipv6 {
  601. forwarding disable
  602. }
  603. }
  604. package {
  605. repository wheezy {
  606. components "main contrib non-free"
  607. distribution wheezy
  608. password ""
  609. url http://http.us.debian.org/debian
  610. username ""
  611. }
  612. repository wheezy-security {
  613. components main
  614. distribution wheezy/updates
  615. password ""
  616. url http://security.debian.org
  617. username ""
  618. }
  619. }
  620. syslog {
  621. global {
  622. facility all {
  623. level notice
  624. }
  625. facility protocols {
  626. level debug
  627. }
  628. }
  629. }
  630. time-zone America/Chicago
  631. traffic-analysis {
  632. dpi enable
  633. export enable
  634. }
  635. }
  636.  
  637.  
  638. /* Warning: Do not remove the following line. */
  639. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  640. /* Release version: v1.7.0.4783374.150622.1534 */
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×