skaramicke

Fungerande config

Jul 21st, 2017
  /* Firewall, address groups and the policy-routing (modify) ruleset.
     Named sets defined here (SOURCE_ROUTE, WAN_IN, WAN_LOCAL) only filter
     traffic where they are bound under "interfaces"; check each binding. */
  firewall {
      all-ping enable
      broadcast-ping disable
      group {
          /* Hosts that must only reach the internet through the VPN (vtun0).
             Referenced by SOURCE_ROUTE rule 10 and by NAT rules 5001/5002. */
          address-group dangerous_machines {
              address 192.168.1.224
              description "Dangerous Machines"
          }
      }
      ipv6-receive-redirects disable
      ipv6-src-route disable
      ip-src-route disable
      log-martians enable
      /* Policy-based routing. Rule 10 steers the group to routing table 1
         (default route via vtun0); rule 20 steers everything else to table 2
         (default route via eth0). Only traffic entering the interface this
         policy is bound to is affected; traffic the router originates itself
         (its DNS forwarder, NTP, etc.) uses the main table. */
      modify SOURCE_ROUTE {
          rule 10 {
              description "Dangerous Machines through vtun0"
              modify {
                  table 1
              }
              source {
                  group {
                      address-group dangerous_machines
                  }
              }
          }
          rule 20 {
              description "Everything else through eth0"
              modify {
                  table 2
              }
              source {
                  address 0.0.0.0/0
              }
          }
      }
      /* Forwarded traffic arriving from the WAN. Default drop; only replies to
         flows initiated from inside pass. NOTE(review): this set filters nothing
         unless it is bound as "firewall in" on eth0 under interfaces — verify
         that binding exists. */
      name WAN_IN {
          default-action drop
          description "WAN to internal"
          rule 10 {
              action accept
              description "Allow established/related"
              state {
                  established enable
                  related enable
              }
          }
          rule 20 {
              action drop
              description "Drop invalid state"
              state {
                  invalid enable
              }
          }
      }
      /* Traffic addressed to the router itself on the WAN side (bound as
         eth0 "firewall local"). Default drop, so the GUI (443) and SSH (22)
         are not reachable from eth0; presumably IKE (UDP 500/4500) is dropped
         too unless allowed elsewhere — confirm if IPsec peers are expected. */
      name WAN_LOCAL {
          default-action drop
          description "WAN to router"
          rule 10 {
              action accept
              description "Allow established/related"
              state {
                  established enable
                  related enable
              }
          }
          rule 20 {
              action drop
              description "Drop invalid state"
              state {
                  invalid enable
              }
          }
      }
      receive-redirects disable
      /* The router may emit ICMP redirects on its LAN but will not accept them. */
      send-redirects enable
      /* No reverse-path filtering on ingress. Strict RPF could interfere with
         the asymmetric paths created by the policy routing above — TODO confirm
         whether "loose" is workable as a defence-in-depth setting. */
      source-validation disable
      syn-cookies enable
  }
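  /* Physical, switch, loopback and VPN interfaces, with firewall bindings.
     Fix: WAN_IN ("WAN to internal", default drop) was defined under firewall
     but never bound, so forwarded traffic arriving on eth0 was unfiltered by
     it; it is now attached as eth0 "firewall in" alongside WAN_LOCAL.
     Return traffic for the VPN-only hosts arrives on vtun0, not eth0, so
     that path is unaffected. If IPsec peers are ever added on eth0, WAN_IN
     will also need rules for the decapsulated traffic. */
  interfaces {
      /* WAN uplink, addressed by DHCP. */
      ethernet eth0 {
          address dhcp
          description Internet
          duplex auto
          firewall {
              /* Forwarded traffic from the WAN towards the LAN. */
              in {
                  name WAN_IN
              }
              /* Traffic destined for the router itself. */
              local {
                  name WAN_LOCAL
              }
          }
          speed auto
      }
      /* eth1–eth4 carry no address of their own; they are members of switch0. */
      ethernet eth1 {
          description Local
          duplex auto
          speed auto
      }
      ethernet eth2 {
          description Local
          duplex auto
          speed auto
      }
      ethernet eth3 {
          description Local
          duplex auto
          speed auto
      }
      ethernet eth4 {
          description Local
          duplex auto
          speed auto
      }
      loopback lo {
      }
      /* OpenVPN client; all tunnel parameters live in the referenced file. */
      openvpn vtun0 {
          config-file /config/auth/integrity/integrity.ovpn
      }
      /* LAN. SOURCE_ROUTE is applied to traffic entering from the LAN so the
         "dangerous_machines" group is steered to the VPN before routing. */
      switch switch0 {
          address 192.168.1.1/24
          description Local
          firewall {
              in {
                  modify SOURCE_ROUTE
              }
          }
          mtu 1500
          switch-port {
              interface eth1
              interface eth2
              interface eth3
              interface eth4
          }
      }
  }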
  /* Port-forward settings. No forward rules are defined in this paste, so this
     only declares the WAN/LAN roles. auto-firewall means any rule added later
     also gets its firewall permit created automatically — worth remembering,
     since such permits bypass the hand-written WAN_IN set. hairpin-nat lets LAN
     hosts reach forwarded services via the WAN address. */
  port-forward {
      auto-firewall enable
      hairpin-nat enable
      /* eth1–eth4 are switch0 members, so listing switch0 alone would be
         sufficient; the extra entries are harmless. */
      lan-interface eth1
      lan-interface eth2
      lan-interface eth3
      lan-interface eth4
      lan-interface switch0
      wan-interface eth0
  }
  /* Routing tables used by the SOURCE_ROUTE policy: table 1 = VPN, table 2 = WAN.
     Each holds a single interface default route and nothing else. */
  protocols {
      static {
          /* VPN-only hosts. NOTE(review): when vtun0 is down this table has no
             usable route; whether the lookup then falls back to the main table
             (and thus eth0) is not visible here — the only leak guard in this
             paste is NAT rule 5002, which refuses to masquerade the group out
             eth0. Confirm the behaviour with the tunnel deliberately stopped. */
          table 1 {
              interface-route 0.0.0.0/0 {
                  next-hop-interface vtun0 {
                  }
              }
          }
          /* Everyone else, straight out the WAN. */
          table 2 {
              interface-route 0.0.0.0/0 {
                  next-hop-interface eth0 {
                  }
              }
          }
      }
  }
  /* Router services: DHCP, DNS forwarding, web GUI, NAT and SSH. */
  service {
      dhcp-server {
          disabled false
          hostfile-update enable
          shared-network-name LAN {
              authoritative disable
              subnet 192.168.1.0/24 {
                  default-router 192.168.1.1
                  /* Clients resolve through the router's forwarder below. */
                  dns-server 192.168.1.1
                  domain-name local
                  lease 86400
                  start 192.168.1.38 {
                      stop 192.168.1.243
                  }
                  /* Pins the VPN-only host to the address listed in the
                     dangerous_machines group; the group is address-based, so
                     the mapping is what keeps policy routing and NAT consistent. */
                  static-mapping dangerous1 {
                      ip-address 192.168.1.224
                      mac-address [redacted]
                  }
              }
          }
      }
      dns {
          /* Listens on the LAN only. NOTE(review): upstream queries are sent by
             the router itself and therefore follow the main table out eth0, not
             SOURCE_ROUTE — lookups made by the dangerous_machines group appear
             to leave outside the VPN. Confirm, and if that matters point those
             hosts at a resolver reachable through vtun0 instead. */
          forwarding {
              cache-size 150
              listen-on switch0
              name-server 8.8.8.8
              name-server 8.8.4.4
          }
      }
      /* The GUI listens on every interface; exposure on eth0 is governed
         by WAN_LOCAL (default drop). */
      gui {
          https-port 443
      }
      nat {
          /* VPN-only hosts are masqueraded behind the tunnel address. */
          rule 5001 {
              description "Masquerade for VTUN0"
              log disable
              outbound-interface vtun0
              protocol all
              source {
                  group {
                      address-group dangerous_machines
                  }
              }
              type masquerade
          }
          /* Exclusion: never masquerade the group out eth0. Should their traffic
             ever be routed to the WAN, it leaves with an unchanged private source
             address and gets no usable reply — a coarse leak guard. The empty
             destination group matches any destination; it is harmless but could
             be dropped. Must stay ahead of rule 5010. */
          rule 5002 {
              description "Exclude dangerous machines from open internet"
              destination {
                  group {
                  }
              }
              exclude
              log disable
              outbound-interface eth0
              protocol all
              source {
                  group {
                      address-group dangerous_machines
                  }
              }
              type masquerade
          }
          /* Ordinary LAN egress. */
          rule 5010 {
              description "masquerade for WAN"
              log disable
              outbound-interface eth0
              type masquerade
          }
      }
      /* SSH on the default port, v2 only; reachable from the LAN, dropped on
         eth0 by WAN_LOCAL. */
      ssh {
          port 22
          protocol-version v2
      }
  }
  /* Host identity, local resolver, time and logging. */
  system {
      /* Factory-default name; harmless, but a site-specific name helps when
         correlating syslog across devices. */
      host-name ubnt
      login {
          [redacted]
      }
      /* The router resolves via its own forwarder. */
      name-server 127.0.0.1
      ntp {
          server 0.ubnt.pool.ntp.org {
          }
          server 1.ubnt.pool.ntp.org {
          }
          server 2.ubnt.pool.ntp.org {
          }
          server 3.ubnt.pool.ntp.org {
          }
      }
      /* Local syslog only; no remote collector is configured, so logs (including
         the martian logging enabled under firewall) are lost on reboot or
         compromise unless shipped elsewhere. "protocols" at debug level will be
         chatty for routing daemons. */
      syslog {
          global {
              facility all {
                  level notice
              }
              facility protocols {
                  level debug
              }
          }
      }
      time-zone UTC
  }
  /* IPsec framework on the WAN interface. No site-to-site or remote-access
     peers appear in this paste, so this only enables IKE on eth0 and declares
     the RFC 1918 ranges allowed behind NAT-T. NOTE(review): if no tunnels are
     defined elsewhere, the stanza can be removed to reduce listening services;
     if they are, WAN_LOCAL currently has no rule admitting IKE/ESP — confirm. */
  vpn {
      ipsec {
          ipsec-interfaces {
              interface eth0
          }
          nat-networks {
              allowed-network 10.0.0.0/8 {
              }
              allowed-network 172.16.0.0/12 {
              }
              allowed-network 192.168.0.0/16 {
              }
          }
          nat-traversal enable
      }
  }