/* Security review notes are the C-style comment lines; everything else is
   the original UniFi Security Gateway (EdgeOS) configuration as pasted. The
   unifi/mgmt node at the end of the file marks it as controller-generated, so
   changes have to be made through the controller (or config.gateway.json) or
   they will be overwritten on the next provision. */
firewall {
    /* The gateway answers echo requests on every interface, including eth0,
       because WAN_LOCAL rule 3003 below accepts ICMP from the internet. */
    all-ping enable
    broadcast-ping disable
    group {
        address-group Corp_VLANs {
            address 192.168.1.0/24
            address 192.168.2.0/24
            address 192.168.3.0/24
            address 192.168.4.0/24
            description customized
        }
        /* The following address-groups have no members. A rule that refers
           to an empty group matches nothing, so GUEST_IN 3003, 3004 and 3008
           are inert until these are populated. */
        address-group authorized_guests {
            description "authorized guests MAC addresses"
        }
        address-group guest_allow_addresses {
            description "allow addresses for guests"
        }
        address-group guest_allow_dns_servers {
            description "allow dns servers for guests"
        }
        address-group guest_portal_address {
            description "guest portal address"
        }
        address-group guest_restricted_addresses {
            description "restricted addresses for guests"
        }
        /* Controller at 192.168.2.100 (homelab VLAN 20). */
        address-group unifi_controller_addresses {
            address 192.168.2.100
        }
        address-group voip_sip_server_addresses {
            description "VOIP SIP server addresses"
        }
        network-group captive_portal_subnets {
            description "captive portal subnets"
        }
        /* Same four subnets as Corp_VLANs; used by GUEST_IN 3005 and
           VOIP_IN 3006 and by NAT rule 6001. */
        network-group corporate_network {
            description "corporate subnets"
            network 192.168.1.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
            network 192.168.2.0/24
        }
        network-group guest_allow_subnets {
            description "allow subnets for guests"
        }
        network-group guest_network {
            description "guest subnets"
            network 192.168.5.0/24
        }
        network-group guest_restricted_subnets {
            description "restricted subnets for guests"
        }
        network-group remote_client_vpn_network {
            description "remote client VPN subnets"
        }
        network-group remote_site_vpn_network {
            description "remote site VPN subnets"
        }
        /* Empty: GUEST_IN 3007, VOIP_IN 3008 and NAT rule 6003 match nothing. */
        network-group remote_user_vpn_network {
            description "remote user vpn subnets"
        }
        /* Empty: every rule aimed "to voip" (LAN_IN 3001/3002, GUEST_IN 3006)
           and NAT rule 6002 currently match nothing. */
        network-group voip_network {
            description "voip subnets"
        }
        port-group guest_portal_ports {
            description "guest portal ports"
        }
        port-group guest_portal_redirector_ports {
            description "guest portal redirector ports"
            port 39080
            port 39443
        }
        port-group unifi_controller_ports-tcp {
            description "unifi tcp ports"
            port 8080
        }
        port-group unifi_controller_ports-udp {
            description "unifi udp ports"
            port 3478
        }
        port-group voip_sip_server_ports {
            description "voip sip server udp ports"
            port 5060
            port 10000-10100
        }
    }
    /* Defined but not bound to any interface in this configuration. */
    name AUTHORIZED_GUESTS {
        default-action drop
        description "authorization check packets from guest network"
    }
    /* Bound "in" on eth1.50 (guest VLAN). The default action is accept, so
       guest isolation rests entirely on the drop rules 3004-3008 below. */
    name GUEST_IN {
        default-action accept
        description "packets from guest network"
        /* Rules are evaluated in order. This one accepts UDP/53 to ANY
           destination and sits ahead of the corporate drop in 3005, so a
           guest can still reach port 53 on hosts in 192.168.1-4.0/24.
           Restrict the destination (e.g. to address-group
           guest_allow_dns_servers once it is populated) if that is not
           intended. */
        rule 3001 {
            action accept
            description "allow DNS packets to external name servers"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow packets to captive portal"
            destination {
                group {
                    network-group captive_portal_subnets
                }
                port 443
            }
            protocol tcp
        }
        rule 3003 {
            action accept
            description "allow packets to allow subnets"
            destination {
                group {
                    address-group guest_allow_addresses
                }
            }
        }
        rule 3004 {
            action drop
            description "drop packets to restricted subnets"
            destination {
                group {
                    address-group guest_restricted_addresses
                }
            }
        }
        /* This is the rule that actually keeps guests off VLANs 1/20/30/40
           (the controller included). */
        rule 3005 {
            action drop
            description "drop packets to intranet"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3006 {
            action drop
            description "drop packets to voip"
            destination {
                group {
                    network-group voip_network
                }
            }
        }
        rule 3007 {
            action drop
            description "drop packets to remote user"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
        /* Despite the "white list" description this rule drops, and
           authorized_guests is empty, so it currently has no effect. */
        rule 3008 {
            action drop
            description "authorized guests white list"
            destination {
                group {
                    address-group authorized_guests
                }
            }
        }
        /* Accounting counter only: same result as the default action. */
        rule 6001 {
            action accept
            description "accounting defined network 192.168.5.0/24"
            source {
                address 192.168.5.0/24
            }
        }
    }
    /* Bound "local" on eth1.50: guests may only use the gateway's DNS and
       ping it; anything else aimed at the gateway (SSH, GUI) is dropped. */
    name GUEST_LOCAL {
        default-action drop
        description "packets from guest network to gateway"
        rule 3001 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
    }
    /* Bound "out" on eth1.50; everything forwarded into the guest VLAN is
       accepted (rule 6001 is an accounting counter). */
    name GUEST_OUT {
        default-action accept
        description "packets forward to guest network"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.5.0/24"
            destination {
                address 192.168.5.0/24
            }
        }
    }
    /* Bound "in" on eth1 and eth1.20/30/40. The only inter-VLAN filter here
       targets voip_network, which is empty, so VLANs 1, 20, 30 and 40 can all
       reach each other without restriction - e.g. home-automation hosts on
       192.168.3.0/24 can reach the controller on 192.168.2.100. If those VLANs
       are meant to be segmented, add explicit drop rules here. */
    name LAN_IN {
        default-action accept
        description "packets from intranet"
        rule 3001 {
            action accept
            description "packets from unifi to voip"
            destination {
                group {
                    network-group voip_network
                }
            }
            source {
                group {
                    address-group unifi_controller_addresses
                }
            }
        }
        rule 3002 {
            action drop
            description "packets from intranet to voip"
            destination {
                group {
                    network-group voip_network
                }
            }
        }
        /* 6001-6004: accounting counters only; same result as the default. */
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            source {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.3.0/24"
            source {
                address 192.168.3.0/24
            }
        }
        rule 6003 {
            action accept
            description "accounting defined network 192.168.4.0/24"
            source {
                address 192.168.4.0/24
            }
        }
        rule 6004 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            source {
                address 192.168.2.0/24
            }
        }
    }
    /* Default accept with no rules: every host on VLANs 1/20/30/40 can reach
       every gateway service (SSH on 22, HTTPS GUI on 443, DNS, ...). Consider
       restricting management access to one VLAN and dropping the rest. */
    name LAN_LOCAL {
        default-action accept
        description "packets from intranet to gateway"
    }
    name LAN_OUT {
        default-action accept
        description "packets forward to intranet"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            destination {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.3.0/24"
            destination {
                address 192.168.3.0/24
            }
        }
        rule 6003 {
            action accept
            description "accounting defined network 192.168.4.0/24"
            destination {
                address 192.168.4.0/24
            }
        }
        rule 6004 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            destination {
                address 192.168.2.0/24
            }
        }
    }
    /* VOIP_IN / VOIP_LOCAL / VOIP_OUT are not bound to any interface in this
       configuration and voip_network is empty; they only take effect once a
       VoIP VLAN is added. */
    name VOIP_IN {
        default-action accept
        description "packets from voip to intranet"
        rule 3001 {
            action accept
            description "icmp to unifi"
            destination {
                group {
                    address-group unifi_controller_addresses
                }
            }
            protocol icmp
        }
        rule 3002 {
            action accept
            description "inform to unifi"
            destination {
                group {
                    address-group unifi_controller_addresses
                    port-group unifi_controller_ports-tcp
                }
            }
            protocol tcp
        }
        rule 3003 {
            action accept
            description "stun to unifi"
            destination {
                group {
                    address-group unifi_controller_addresses
                    port-group unifi_controller_ports-udp
                }
            }
            protocol udp
        }
        rule 3004 {
            action accept
            description "allow established/related sessions"
            destination {
                group {
                    address-group unifi_controller_addresses
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3005 {
            action drop
            description "drop invalid state"
            destination {
                group {
                    address-group unifi_controller_addresses
                }
            }
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3006 {
            action drop
            description "drop VoIP to LAN traffic"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3007 {
            action drop
            description "drop VoIP to GUEST traffic"
            destination {
                group {
                    network-group guest_network
                }
            }
        }
        rule 3008 {
            action drop
            description "drop VoIP to REMOTE USER traffic"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
    }
    name VOIP_LOCAL {
        default-action drop
        description "packets from voip to gateway"
        rule 3001 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
        rule 3003 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3004 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name VOIP_OUT {
        default-action accept
        description "packets forward to voip"
    }
    /* Bound "in" on eth0. Default drop with no rules: nothing from the
       internet is forwarded inward. port-forward auto-firewall is disabled
       in this config, so any forward added later also needs its own accept
       rule here. */
    name WAN_IN {
        default-action drop
        description "packets from internet to intranet"
    }
    /* Bound "local" on eth0. Rule 3003 accepts every ICMP type from any
       source. ICMP errors that belong to existing flows already match as
       related in rule 3001, so 3003 can safely be narrowed to echo-request
       ("icmp { type-name echo-request }"), or removed if the gateway does not
       need to be pingable from the internet. */
    name WAN_LOCAL {
        default-action drop
        description "packets from internet to gateway"
        rule 3001 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3002 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3003 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
    }
    /* MSS clamping applies only to pppoe/pptp interfaces; eth0 is DHCP, so
       this has no effect on the current WAN. */
    options {
        mss-clamp {
            interface-type pppoe
            interface-type pptp
            mss 1412
        }
    }
    /* Ignoring received redirects and enabling SYN cookies are the expected
       hardening settings. send-redirects only affects hosts on the directly
       attached LAN links. */
    receive-redirects disable
    send-redirects enable
    syn-cookies enable
}
interfaces {
    /* WAN. "name-server no-update" ignores the ISP-supplied resolvers; the
       gateway uses the system name-servers instead. Note that no IPv6
       firewall (ipv6-name) is defined anywhere in this file and no IPv6
       ruleset is attached here, so if IPv6 is ever enabled on eth0 nothing
       will filter it. */
    ethernet eth0 {
        address dhcp
        dhcp-options {
            client-option "retry 60;"
            default-route-distance 1
            name-server no-update
        }
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    /* LAN trunk: untagged VLAN 1 plus tagged 20/30/40 all share the LAN_*
       rulesets (no filtering between them); VLAN 50 is the guest network and
       uses the GUEST_* rulesets. */
    ethernet eth1 {
        address 192.168.1.1/24
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
            out {
                name LAN_OUT
            }
        }
        /* Homelab VLAN; the controller lives here (192.168.2.100). */
        vif 20 {
            address 192.168.2.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* Home-automation VLAN; shares LAN_IN/LAN_LOCAL, so IoT devices here
           have the same reach as any other corporate host. */
        vif 30 {
            address 192.168.3.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* Wireless LAN VLAN. */
        vif 40 {
            address 192.168.4.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* Guest VLAN: isolated from the others by GUEST_IN / GUEST_LOCAL. */
        vif 50 {
            address 192.168.5.1/24
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
                out {
                    name GUEST_OUT
                }
            }
        }
    }
    /* Unused port, administratively down. */
    ethernet eth2 {
        disable
    }
    loopback lo {
    }
}
/* No forward rules are defined. auto-firewall is off, so each forward added
   later needs a matching accept in WAN_IN. The lan-interface list omits
   eth1.50, so a forward can never be pointed at the guest VLAN. */
port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth1.40
    lan-interface eth1.30
    lan-interface eth1.20
    wan-interface eth0
}
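service {
    dhcp-server {
        disabled false
        /* NOTE(review): DHCP-learned client hostnames are written to the
           gateway's hosts file and served by the DNS forwarder below, which
           listens on every interface except eth0 - so a hostname chosen by a
           guest client on VLAN 50 presumably becomes resolvable from the
           corporate VLANs too. Those names are attacker-chosen; disable this
           if name collisions or spoofing matter. Confirm against the running
           dnsmasq configuration. */
        hostfile-update enable
        /* Guest pool: short lease (400 s), gateway is the resolver. */
        shared-network-name Guest_192.168.5.0-24 {
            authoritative enable
            description vlan50
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 192.168.5.1
                lease 400
                start 192.168.5.100 {
                    stop 192.168.5.254
                }
            }
        }
        shared-network-name HOMELAB_192.168.2.0-24 {
            authoritative enable
            description vlan20
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.225 {
                    stop 192.168.2.254
                }
            }
        }
        shared-network-name HOME_AUTOMATION_192.168.3.0-24 {
            authoritative enable
            description vlan30
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.100 {
                    stop 192.168.3.199
                }
            }
        }
        shared-network-name ORG_192.168.1.0-24 {
            authoritative enable
            description vlan1
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 43200
                start 192.168.1.240 {
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name WLAN_192.168.4.0-24 {
            authoritative enable
            description vlan40
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                start 192.168.4.100 {
                    stop 192.168.4.254
                }
            }
        }
    }
    dns {
        /* Dynamic DNS credentials were redacted in the paste. */
        dynamic {
            interface eth0 {
                service dyndns {
                    SECRET
                }
            }
        }
        forwarding {
            cache-size 500
            /* Not listening on the WAN side, so the gateway is not an open
               resolver. */
            except-interface eth0
            /* Resolves the bare name "unifi" to the controller for every LAN
               client (the name devices use for inform). */
            options host-record=unifi,192.168.2.100
        }
    }
    /* HTTPS GUI on 443. Reachable from every corporate VLAN because LAN_LOCAL
       accepts by default; guests are dropped by GUEST_LOCAL, internet by
       WAN_LOCAL. */
    gui {
        https-port 443
    }
    /* No LLDP advertisement toward the ISP. */
    lldp {
        interface eth0 {
            disable
        }
    }
    /* No per-interface restriction is configured here, so the reflector
       relays mDNS between all interfaces, including the guest VLAN: guest
       devices can discover, and advertise to, services on the corporate
       VLANs even though GUEST_IN blocks the actual traffic. Disable this if
       guests must stay isolated at the discovery layer as well. */
    mdns {
        reflector
    }
    /* Source NAT to the WAN. 6002 and 6003 reference empty network-groups
       (voip_network, remote_user_vpn_network) and currently match nothing. */
    nat {
        rule 6001 {
            description "MASQ corporate_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group corporate_network
                }
            }
            type masquerade
        }
        rule 6002 {
            description "MASQ voip_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group voip_network
                }
            }
            type masquerade
        }
        rule 6003 {
            description "MASQ remote_user_vpn_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group remote_user_vpn_network
                }
            }
            type masquerade
        }
        rule 6004 {
            description "MASQ guest_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group guest_network
                }
            }
            type masquerade
        }
    }
    /* SSH is reachable only from the LAN side (WAN_LOCAL drops new
       connections), but every corporate VLAN can reach it and password
       logins are still allowed. Consider "disable-password-authentication"
       with authorized keys and a listen-address on the management VLAN. */
    ssh {
        port 22
        protocol-version v2
    }
    /* UPnP and NAT-PMP are offered on VLANs 1, 20, 30 and 40. The pasted
       config had "secure-mode disable", which lets any LAN host request a
       port mapping to ANY internal address rather than only its own; secure
       mode limits mappings to the requesting host, which is the expected
       setting. Listening on eth1.30 also lets home-automation devices open
       inbound ports from the internet by themselves - remove that listen-on
       line if that is not wanted. On a controller-managed USG these changes
       must be made in the controller's UPnP settings to persist. */
    upnp2 {
        listen-on eth1
        listen-on eth1.40
        listen-on eth1.30
        listen-on eth1.20
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}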
system {
    host-name USG
    login {
        /* Single admin-level account; the password hash was redacted in the
           paste. */
        user poldim {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    /* Upstream resolvers used by the DNS forwarder (ISP resolvers are
       ignored via "name-server no-update" on eth0). 4.4.4.4 is not a
       documented public resolver - Google's pair is 8.8.8.8 and 8.8.4.4 -
       so this looks like a typo for 8.8.4.4; verify before relying on it. */
    name-server 8.8.8.8
    name-server 4.4.4.4
    /* Single NTP source; a second server would avoid a single point of
       failure for time (which the firewall's logs and any TLS depend on). */
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
    }
    /* Hardware offload. IPv6 forwarding offload is enabled even though no
       IPv6 address or ipv6-name firewall ruleset is configured anywhere in
       this file. */
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    /* Standard UniFi setup alias: setup.ubnt.com resolves to the gateway's
       VLAN 1 address for LAN clients. */
    static-host-mapping {
        host-name setup.ubnt.com {
            alias setup
            inet 192.168.1.1
        }
    }
    time-zone America/Los_Angeles
    /* Deep packet inspection of forwarded traffic is on. */
    traffic-analysis {
        dpi enable
    }
}
/* Controller-management marker. Its presence indicates this configuration
   is provisioned by a UniFi controller, which presumably regenerates the
   file on each provision - edits made directly on the gateway do not
   persist. */
unifi {
    mgmt {
        cfgversion 4c0dc606bf8ef2ce
    }
}