poldim

USG config

Jun 25th, 2017
/* Firewall: groups, per-zone rulesets and global options. Rules inside a ruleset are evaluated in ascending number order and the first match decides; default-action applies when no rule matches. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Only hand-made group ("description customized"); nothing in this export references it. */
        address-group Corp_VLANs {
            address 192.168.1.0/24
            address 192.168.2.0/24
            address 192.168.3.0/24
            address 192.168.4.0/24
            description customized
        }
        /* Groups that carry only a description have no members; rules referencing them presumably never match -- confirm on the running device. */
        address-group authorized_guests {
            description "authorized guests MAC addresses"
        }
        address-group guest_allow_addresses {
            description "allow addresses for guests"
        }
        address-group guest_allow_dns_servers {
            description "allow dns servers for guests"
        }
        address-group guest_portal_address {
            description "guest portal address"
        }
        address-group guest_restricted_addresses {
            description "restricted addresses for guests"
        }
        /* UniFi controller host; also published as the "unifi" host-record under service dns forwarding. */
        address-group unifi_controller_addresses {
            address 192.168.2.100
        }
        address-group voip_sip_server_addresses {
            description "VOIP SIP server addresses"
        }
        network-group captive_portal_subnets {
            description "captive portal subnets"
        }
        /* Corporate side: eth1 untagged plus VLANs 20, 30 and 40. */
        network-group corporate_network {
            description "corporate subnets"
            network 192.168.1.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
            network 192.168.2.0/24
        }
        network-group guest_allow_subnets {
            description "allow subnets for guests"
        }
        /* Guest side: VLAN 50 on eth1. */
        network-group guest_network {
            description "guest subnets"
            network 192.168.5.0/24
        }
        network-group guest_restricted_subnets {
            description "restricted subnets for guests"
        }
        network-group remote_client_vpn_network {
            description "remote client VPN subnets"
        }
        network-group remote_site_vpn_network {
            description "remote site VPN subnets"
        }
        network-group remote_user_vpn_network {
            description "remote user vpn subnets"
        }
        /* Empty here, yet LAN_IN 3002 and NAT 6002 key on it. */
        network-group voip_network {
            description "voip subnets"
        }
        port-group guest_portal_ports {
            description "guest portal ports"
        }
        port-group guest_portal_redirector_ports {
            description "guest portal redirector ports"
            port 39080
            port 39443
        }
        /* Controller inform (TCP 8080) and STUN (UDP 3478) ports, used by VOIP_IN 3002 and 3003. */
        port-group unifi_controller_ports-tcp {
            description "unifi tcp ports"
            port 8080
        }
        port-group unifi_controller_ports-udp {
            description "unifi udp ports"
            port 3478
        }
        /* SIP signalling plus an RTP range; no ruleset in this export references it. */
        port-group voip_sip_server_ports {
            description "voip sip server udp ports"
            port 5060
            port 10000-10100
        }
    }
    /* No rules, so everything reaching it is dropped; not bound to any interface in this export. */
    name AUTHORIZED_GUESTS {
        default-action drop
        description "authorization check packets from guest network"
    }
    /* GUEST_IN: traffic forwarded from vif 50 (192.168.5.0/24). Default accept; 3004-3008 fence guests off from internal ranges. */
    name GUEST_IN {
        default-action accept
        description "packets from guest network"
        /* NOTE(review): matches UDP/53 to any destination and precedes the intranet drop in 3005, so guest DNS queries to corporate hosts are accepted. */
        rule 3001 {
            action accept
            description "allow DNS packets to external name servers"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow packets to captive portal"
            destination {
                group {
                    network-group captive_portal_subnets
                }
                port 443
            }
            protocol tcp
        }
        /* Allow-list evaluated before the drops below; the group is empty in this export. */
        rule 3003 {
            action accept
            description "allow packets to allow subnets"
            destination {
                group {
                    address-group guest_allow_addresses
                }
            }
        }
        rule 3004 {
            action drop
            description "drop packets to restricted subnets"
            destination {
                group {
                    address-group guest_restricted_addresses
                }
            }
        }
        /* Guest isolation from the corporate VLANs. */
        rule 3005 {
            action drop
            description "drop packets to intranet"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3006 {
            action drop
            description "drop packets to voip"
            destination {
                group {
                    network-group voip_network
                }
            }
        }
        rule 3007 {
            action drop
            description "drop packets to remote user"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
        /* NOTE(review): description says "white list" but the action is drop and the group is empty here -- confirm intent. */
        rule 3008 {
            action drop
            description "authorized guests white list"
            destination {
                group {
                    address-group authorized_guests
                }
            }
        }
        /* Accounting rule: accepts what is left from the guest subnet, same outcome as the default-action. */
        rule 6001 {
            action accept
            description "accounting defined network 192.168.5.0/24"
            source {
                address 192.168.5.0/24
            }
        }
    }
    /* GUEST_LOCAL: guest traffic addressed to the gateway itself; only DNS (UDP/53) and ICMP get through. */
    name GUEST_LOCAL {
        default-action drop
        description "packets from guest network to gateway"
        rule 3001 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
    }
    /* GUEST_OUT: traffic forwarded into the guest network; accounting rule only. */
    name GUEST_OUT {
        default-action accept
        description "packets forward to guest network"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.5.0/24"
            destination {
                address 192.168.5.0/24
            }
        }
    }
    /* LAN_IN: traffic forwarded from the corporate VLANs. 3001 lets the controller reach voip_network before 3002 drops everything else bound for it. */
    name LAN_IN {
        default-action accept
        description "packets from intranet"
        rule 3001 {
            action accept
            description "packets from unifi to voip"
            destination {
                group {
                    network-group voip_network
                }
            }
            source {
                group {
                    address-group unifi_controller_addresses
                }
            }
        }
        rule 3002 {
            action drop
            description "packets from intranet to voip"
            destination {
                group {
                    network-group voip_network
                }
            }
        }
        /* 6001-6004: per-VLAN accounting, same outcome as the default-action. */
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            source {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.3.0/24"
            source {
                address 192.168.3.0/24
            }
        }
        rule 6003 {
            action accept
            description "accounting defined network 192.168.4.0/24"
            source {
                address 192.168.4.0/24
            }
        }
        rule 6004 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            source {
                address 192.168.2.0/24
            }
        }
    }
    /* LAN_LOCAL: corporate hosts to the gateway itself; everything accepted, so SSH (22) and the GUI (443) are reachable from every corporate VLAN. */
    name LAN_LOCAL {
        default-action accept
        description "packets from intranet to gateway"
    }
    /* LAN_OUT: traffic forwarded into the corporate VLANs; accounting rules only. */
    name LAN_OUT {
        default-action accept
        description "packets forward to intranet"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            destination {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.3.0/24"
            destination {
                address 192.168.3.0/24
            }
        }
        rule 6003 {
            action accept
            description "accounting defined network 192.168.4.0/24"
            destination {
                address 192.168.4.0/24
            }
        }
        rule 6004 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            destination {
                address 192.168.2.0/24
            }
        }
    }
    /* VOIP_IN: not bound to any interface in this export. 3001-3005 scope traffic to the controller (ICMP, inform, STUN, stateful), 3006-3008 drop VoIP toward corporate, guest and remote-user ranges. */
    name VOIP_IN {
        default-action accept
        description "packets from voip to intranet"
        rule 3001 {
            action accept
            description "icmp to unifi"
            destination {
                group {
                    address-group unifi_controller_addresses
                }
            }
            protocol icmp
        }
        rule 3002 {
            action accept
            description "inform to unifi"
            destination {
                group {
                    address-group unifi_controller_addresses
                    port-group unifi_controller_ports-tcp
                }
            }
            protocol tcp
        }
        rule 3003 {
            action accept
            description "stun to unifi"
            destination {
                group {
                    address-group unifi_controller_addresses
                    port-group unifi_controller_ports-udp
                }
            }
            protocol udp
        }
        /* State rules 3004/3005 are limited to the controller destination; other destinations fall through to 3006-3008 and the default. */
        rule 3004 {
            action accept
            description "allow established/related sessions"
            destination {
                group {
                    address-group unifi_controller_addresses
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3005 {
            action drop
            description "drop invalid state"
            destination {
                group {
                    address-group unifi_controller_addresses
                }
            }
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3006 {
            action drop
            description "drop VoIP to LAN traffic"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3007 {
            action drop
            description "drop VoIP to GUEST traffic"
            destination {
                group {
                    network-group guest_network
                }
            }
        }
        rule 3008 {
            action drop
            description "drop VoIP to REMOTE USER traffic"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
    }
    /* VOIP_LOCAL: VoIP hosts to the gateway itself; DNS, ICMP and established/related only. Not bound to any interface in this export. */
    name VOIP_LOCAL {
        default-action drop
        description "packets from voip to gateway"
        rule 3001 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
        rule 3003 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3004 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name VOIP_OUT {
        default-action accept
        description "packets forward to voip"
    }
    /* WAN_IN: internet to the LANs, default drop with no rules. NOTE(review): unlike WAN_LOCAL and VOIP_IN there is no established/related accept here; verify return traffic for LAN-initiated connections is handled, or that this export is incomplete. */
    name WAN_IN {
        default-action drop
        description "packets from internet to intranet"
    }
    /* WAN_LOCAL: internet to the gateway itself. Only established/related and ICMP are accepted, so SSH (22) and the GUI (443) are not exposed on eth0; 3003 together with all-ping means the WAN address answers pings. */
    name WAN_LOCAL {
        default-action drop
        description "packets from internet to gateway"
        rule 3001 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3002 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3003 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
    }
    options {
        /* TCP MSS clamping for tunnelled uplinks; no pppoe or pptp interface is defined in this export, so this is dormant as shown. */
        mss-clamp {
            interface-type pppoe
            interface-type pptp
            mss 1412
        }
    }
    /* Ignore ICMP redirects from the wire but still send them; SYN cookies protect the gateway's own TCP listeners. */
    receive-redirects disable
    send-redirects enable
    syn-cookies enable
}
/* Interfaces: eth0 is the WAN uplink (DHCP); eth1 carries the untagged corporate LAN plus tagged VLANs 20/30/40 (corporate) and 50 (guest); eth2 is unused. */
interfaces {
    /* WAN: DHCP client with dhclient "retry 60;", and provider name servers are not applied (name-server no-update). Only in/local rulesets are bound; no out ruleset. */
    ethernet eth0 {
        address dhcp
        dhcp-options {
            client-option "retry 60;"
            default-route-distance 1
            name-server no-update
        }
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    /* Untagged eth1 is the ORG network (VLAN 1 per the DHCP scope description). */
    ethernet eth1 {
        address 192.168.1.1/24
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
            out {
                name LAN_OUT
            }
        }
        /* VLAN 20: HOMELAB, hosts the UniFi controller 192.168.2.100. */
        vif 20 {
            address 192.168.2.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* VLAN 30: HOME_AUTOMATION. */
        vif 30 {
            address 192.168.3.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* VLAN 40: WLAN. */
        vif 40 {
            address 192.168.4.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
                out {
                    name LAN_OUT
                }
            }
        }
        /* VLAN 50: guest network, the only interface using the GUEST_* rulesets. */
        vif 50 {
            address 192.168.5.1/24
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
                out {
                    name GUEST_OUT
                }
            }
        }
    }
    /* Spare port, administratively down. */
    ethernet eth2 {
        disable
    }
    loopback lo {
    }
}
/* Port forwarding: no forward rules are present in this export. auto-firewall disable presumably means any forward added later also needs an explicit WAN_IN accept; hairpin-nat lets LAN hosts reach forwards via the WAN address. The guest VLAN (eth1.50) is deliberately not listed as a lan-interface. */
port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth1.40
    lan-interface eth1.30
    lan-interface eth1.20
    wan-interface eth0
}
/* Services: DHCP scopes, DNS (dynamic DNS plus the LAN resolver), web GUI, LLDP, mDNS, outbound NAT, SSH and UPnP. */
service {
    /* One DHCP scope per VLAN; each hands out the gateway's own address as DNS so the forwarding resolver below serves clients. */
    dhcp-server {
        disabled false
        hostfile-update enable
        /* VLAN 50 guests: short lease (400). */
        shared-network-name Guest_192.168.5.0-24 {
            authoritative enable
            description vlan50
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 192.168.5.1
                lease 400
                start 192.168.5.100 {
                    stop 192.168.5.254
                }
            }
        }
        /* VLAN 20: dynamic pool is .225-.254 only; the controller at .100 sits outside it. */
        shared-network-name HOMELAB_192.168.2.0-24 {
            authoritative enable
            description vlan20
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.225 {
                    stop 192.168.2.254
                }
            }
        }
        shared-network-name HOME_AUTOMATION_192.168.3.0-24 {
            authoritative enable
            description vlan30
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.100 {
                    stop 192.168.3.199
                }
            }
        }
        /* VLAN 1 (untagged eth1): dynamic pool is just .240-.254, 15 addresses. */
        shared-network-name ORG_192.168.1.0-24 {
            authoritative enable
            description vlan1
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 43200
                start 192.168.1.240 {
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name WLAN_192.168.4.0-24 {
            authoritative enable
            description vlan40
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                start 192.168.4.100 {
                    stop 192.168.4.254
                }
            }
        }
    }
    dns {
        /* Dynamic DNS update on the WAN interface; the provider credentials are redacted in this paste ("SECRET"). */
        dynamic {
            interface eth0 {
                service dyndns {
                    SECRET
                }
            }
        }
        /* LAN resolver: does not listen on eth0, 500-entry cache, and a static A-record so "unifi" resolves to the controller. */
        forwarding {
            cache-size 500
            except-interface eth0
            options host-record=unifi,192.168.2.100
        }
    }
    /* Web UI on 443; reachable wherever the interface's local ruleset allows it (LAN_LOCAL accepts all, GUEST_LOCAL and WAN_LOCAL do not admit it). */
    gui {
        https-port 443
    }
    /* No LLDP advertisements toward the ISP side. */
    lldp {
        interface eth0 {
            disable
        }
    }
    /* NOTE(review): the reflector has no interface list here; confirm it does not relay multicast between the guest VLAN (eth1.50) and the corporate VLANs. */
    mdns {
        reflector
    }
    /* Outbound NAT: one masquerade rule per network-group toward eth0. voip_network and remote_user_vpn_network are empty in this export, so 6002 and 6003 presumably match nothing as shown. */
    nat {
        rule 6001 {
            description "MASQ corporate_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group corporate_network
                }
            }
            type masquerade
        }
        rule 6002 {
            description "MASQ voip_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group voip_network
                }
            }
            type masquerade
        }
        rule 6003 {
            description "MASQ remote_user_vpn_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group remote_user_vpn_network
                }
            }
            type masquerade
        }
        rule 6004 {
            description "MASQ guest_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group guest_network
                }
            }
            type masquerade
        }
    }
    /* SSH on 22, protocol v2 only; WAN_LOCAL has no rule for it, so it is LAN-side only. */
    ssh {
        port 22
        protocol-version v2
    }
    /* UPnP/NAT-PMP on the corporate VLANs only (guest eth1.50 is not listed). NOTE(review): secure-mode disable lets a client request mappings for addresses other than its own; enabling it restricts each mapping to the requesting host. */
    upnp2 {
        listen-on eth1
        listen-on eth1.40
        listen-on eth1.30
        listen-on eth1.20
        nat-pmp enable
        secure-mode disable
        wan eth0
    }
}
/* System: hostname, the single admin login (password hash redacted in this paste), upstream resolvers, NTP, hardware offload, a static host mapping, time zone and DPI. */
system {
    host-name USG
    login {
        user poldim {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    /* NOTE(review): 4.4.4.4 is not a Google resolver (the pair is 8.8.8.8 and 8.8.4.4); confirm the second upstream actually answers DNS. */
    name-server 8.8.8.8
    name-server 4.4.4.4
    /* Single NTP source. */
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
    }
    /* Hardware offload for IPsec and IPv4/IPv6 forwarding, VLAN and PPPoE. */
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    /* Resolves setup.ubnt.com (and the short alias "setup") to the gateway's LAN address. */
    static-host-mapping {
        host-name setup.ubnt.com {
            alias setup
            inet 192.168.1.1
        }
    }
    time-zone America/Los_Angeles
    /* Deep packet inspection for the controller's traffic statistics. */
    traffic-analysis {
        dpi enable
    }
}
/* Controller-managed device; cfgversion is presumably the controller's provisioning stamp and is overwritten on the next provision. */
unifi {
    mgmt {
        cfgversion 4c0dc606bf8ef2ce
    }
}