From 9ce761daaf16285ab5a418c7baaab4183cce2def Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Sun, 31 Jul 2022 21:39:37 -0700
Subject: [PATCH] Update new config with mss clamp
---
 router/config/new-config.boot | 173 ++++++++++++++++++----------------
 1 file changed, 91 insertions(+), 82 deletions(-)
diff --git a/router/config/new-config.boot b/router/config/new-config.boot
index 000e70c..90291c8 100644
--- a/router/config/new-config.boot
+++ b/router/config/new-config.boot
@@ -43,23 +43,12 @@ firewall {
 }
 }
 }
- options {
- mss-clamp {
- mss 1200
- }
- }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
 }
 interfaces {
- ethernet eth0 {
- description "Emergency ad-hoc"
- address 192.168.200.1/24
- duplex auto
- speed auto
- }
 bridge br0 {
 address 192.168.1.1/24
 member {
@@ -69,173 +58,195 @@ interfaces {
 }
 }
 }
+ ethernet eth0 {
+ address 192.168.200.1/24
+ description "Emergency ad-hoc"
+ duplex auto
+ hw-id d4:3d:7e:94:6e:eb
+ speed auto
+ }
 ethernet eth1 {
 description "Primary Switch"
 duplex auto
- speed auto
+ hw-id 00:15:17:b8:dc:28
 offload {
 sg
 tso
 }
+ speed auto
 }
 ethernet eth2 {
 description "PoE Switch for WAPs"
 duplex auto
+ hw-id 00:15:17:b8:dc:29
+ offload {
+ sg
+ tso
+ }
 speed auto
+ }
+ ethernet eth3 {
+ description "Reserved for multi-gig switch"
+ hw-id 00:15:17:b8:dc:2a
 offload {
 sg
 tso
 }
 }
- ethernet eth3 {
- description "Reserved for multi-gig switch"
- disabled
- }
 ethernet eth4 {
- description "Internet (PPPoE)"
 address dhcp
+ description "Internet (PPPoE)"
 duplex auto
- pppoe 0 {
- default-route auto
- firewall {
- in {
- name WAN_IN
- }
- local {
- name WAN_LOCAL
- }
- }
- mtu 1492
- name-server none
- password 24ydrUYs
- user-id hafnerjoseph
+ hw-id 00:15:17:b8:dc:2b
+ ip {
+ adjust-mss 1200
+ }
+ offload {
+ sg
+ tso
 }
 speed auto
 }
 loopback lo {
 }
+ pppoe pppoe0 {
+ authentication {
+ password ****************
+ user hafnerjoseph
+ }
+ firewall {
+ in {
+ name WAN_IN
+ }
+ local {
+ name WAN_LOCAL
+ }
+ }
+ mtu 1492
+ no-peer-dns
+ source-interface eth4
+ }
 }
 nat {
- destination {
+ destination {
 rule 101 {
- description "https,http"
- inbound-interface eth4
+ description https,http
 destination {
 port 443,80
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 102 {
- description "Plex"
- inbound-interface eth4
+ description Plex
 destination {
 port 32400
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 103 {
- description "BitTorrent"
- inbound-interface eth4
+ description BitTorrent
 destination {
 port 50000
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 104 {
- description "WireGuard"
- inbound-interface eth4
+ description WireGuard
 destination {
 port 53820-53829
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 105 {
- description "Minecraft"
- inbound-interface eth4
+ description Minecraft
 destination {
 port 25565
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 106 {
- description "Iperf"
- inbound-interface eth4
+ description Iperf
 destination {
 port 50201
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 107 {
 description "PeerTube Live"
- inbound-interface eth4
 destination {
 port 1935
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 108 {
 description "Git SSH"
- inbound-interface eth4
 destination {
 port 2228-2229
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 109 {
- description "SFTP"
- inbound-interface eth4
+ description SFTP
 destination {
 port 23450
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.23
 }
- protocol tcp_udp
 }
 rule 110 {
- description "Terraria"
- inbound-interface eth4
+ description Terraria
 destination {
 port 50777
 }
+ inbound-interface eth4
+ protocol tcp_udp
 translation {
 address 192.168.1.100
 port 7777
 }
- protocol tcp_udp
 }
 }
 source {
 rule 1000 {
- desription "NAT Reflection: Switch1"
- outbound-interface eth1
 destination {
 address 192.168.1.0/24
 }
+ outbound-interface eth1
 source {
 address 192.168.1.0/24
 }
@@ -244,11 +255,10 @@ nat {
 }
 }
 rule 1001 {
- desription "NAT Reflection: Switch2"
- outbound-interface eth2
 destination {
 address 192.168.1.0/24
 }
+ outbound-interface eth2
 source {
 address 192.168.1.0/24
 }
@@ -257,11 +267,10 @@ nat {
 }
 }
 rule 1002 {
- desription "NAT Reflection: Switch3"
- outbound-interface eth3
 destination {
 address 192.168.1.0/24
 }
+ outbound-interface eth3
 source {
 address 192.168.1.0/24
 }
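Review bot: `password ****************` in the new pppoe0 authentication block is a mask, not a value, so the file as committed will not load to reproduce the router; the same `****************` replaces `encrypted-password` and both `key` lines in the later system login hunk, and a short note in the repo README saying those four values are masks to be supplied at load time would spare the next reader a failed `load`. Masking does not remove what was there: the cleartext PPPoE password dropped in this hunk and the vyos password hash dropped in the login hunk remain in git history, so both credentials should be rotated rather than only redacted (the removed SSH public keys are not secret). `ip { adjust-mss 1200 }` is placed on eth4, but the TCP flows it is meant to clamp are routed over pppoe0 (`mtu 1492`) and netfilter sees them on pppoe0 rather than on the Ethernet carrier, so the clamp probably needs to sit under pppoe0's own `ip` options to take effect. eth4 also keeps `address dhcp` toward the ISP side with no `firewall` stanza of its own — WAN_IN/WAN_LOCAL are bound only to pppoe0 — which, if the carrier address is reachable from the modem-side network, leaves the router's local services unfiltered there; the old config had the same gap, so this is not a regression but is worth closing while the block is being rewritten.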
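Review bot: Rule 1001 drops its `desription "NAT Reflection: Switch2"` line instead of correcting the spelling, so the reflection rule is left unlabelled; rules 1000 (previous hunk) and 1002 (next hunk) lose theirs the same way. Keeping `description "NAT Reflection: Switch2"` (and the matching Switch1/Switch3 lines) preserves the intent of the three source rules for the next reader, who otherwise has to infer it from the identical 192.168.1.0/24 source and destination.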
@@ -274,19 +283,18 @@ nat {
 service {
 dhcp-server {
 shared-network-name LAN1 {
+ authoritative
 domain-name local
 domain-search local
 name-server 1.1.1.1
 name-server 1.0.0.1
- ping-check enable
- authoritative enable
 subnet 192.168.1.0/24 {
- lease 86400
 default-router 192.168.1.1
+ lease 86400
 range 1 {
 start 192.168.1.100
 stop 192.168.1.254
- }
+ }
 static-mapping U6-Lite {
 ip-address 192.168.1.3
 mac-address 78:45:58:67:87:14
@@ -332,6 +340,8 @@ service {
 }
 dns {
 forwarding {
+ allow-from 0.0.0.0/0
+ allow-from ::/0
 cache-size 1000000
 listen-address 192.168.1.1
 name-server 192.168.1.1
@@ -340,22 +350,21 @@ service {
 system
 }
 }
- ssh {
- port 22
- protocol-version v2
- disable-password-authentication
- }
 monitoring {
 telegraf {
 prometheus-client {
 }
 }
 }
-
-
+ ssh {
+ disable-password-authentication
+ port 22
+ }
 }
 system {
- commit-revision 100
+ config-management {
+ commit-revisions 200
+ }
 conntrack {
 modules {
 ftp
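Review bot: `allow-from 0.0.0.0/0` and `allow-from ::/0` in the dns forwarding hunk permit recursion for any source address, which is broader than this forwarder needs: it binds only `listen-address 192.168.1.1`, and the subnet the dhcp-server hands out in this file is 192.168.1.0/24. Restricting it to the networks the router actually serves, `allow-from 192.168.1.0/24` (plus 192.168.200.0/24 if the ad-hoc eth0 network should resolve through it), keeps it from becoming an open recursive resolver should that address ever be reachable from an untrusted network, and `::/0` can be left out until an IPv6 LAN exists.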
@@ -376,22 +385,22 @@ system {
 login {
 user vyos {
 authentication {
- encrypted-password $5$j8QJRFCpc2Pc90kV$AA7DbPJldnwMlahDbbFWf0N9WiNnL9faW473jO9z1Z0
+ encrypted-password ****************
 public-keys jafner425@gmail.com {
- key AAAAB3NzaC1yc2EAAAADAQABAAAEAQCyolGiQAOvyKZ9GtPx2FbKwdt8twLuKs8l0+o3QVZsS5NCG4pX6GXuH8GspmHSedy4yfgVBN0NlOoVPpwxGslZZ5BLkOyhfcoiayPMbYyEpyiujcmnIUlNLI04otz7Ucqhopy+DC/+UpLTMqgnlevWDJW5YgYNAInPFNP7cIJ//sjimisP/su0n4DTzq/1WDUHN+Pk2LKw9P6NnAyk+RhSAH2v5Z/sq0FjUVxe57oNnCGec8KzVsxvI3PP44ax17n8MIyZlXhDa41+1u/LsE9oHSeidaWz8S8IZaRQbUkdtaViiOL+JS55ZOut11cmEOBTsXgmwEH9d1gLS5NKukwTDruBjznqJDXuFlcoRvHIYOTbBXVBDzI710kX7hucks/XZuUhXuOsO0hqQjqAJFX/LKbeR/XN+7AvuGIy25bslZu3/HUdL9UYhenm/AJL5YtUKRsLIeznRyHJcJ8905qgMIELRVWYxTDlekbsL5rNzrRSJ4+gV9Y5TFe1uxRaqqGiuyJ1T7/R2++z+p+sYoBJOY+vehUul7CtaYeVe7FUGuJzWHylkmkOMSJQb0XvjQWjFgSOstIf4MoFcRSfgztL4C2utDNayvR2XjLjRcaZnIzzAkBweY/g0Y0Jnnjk+dmnKWeoDHUXOT/GHGi/KfL4lwnQFRtS8x6M52sX417Of9K14ljILaHESJibjPN2jWboQdvTw0PFhbr72jr6+rhayuiP3n+5rENtDxwPlfYdSsCdgVyg7HC/2F6ZL5QHXctJFjIswMdJds+3pHnb7l5d4TiRdBQNQGVv7pYYfZdyqMGk5sdKXBzn/uS1a0SRqzJAhgH6nA67HfuBKq2xwu86hlOnc6hsFuehXAweaZ/UvTBiCE+4oYokAyHcpHsjOYqTmK6rSTTfGQ3Yc8zgD5vGb04tGRMVFA0+uQSrcBeIidxFZA1pbrMuDGDQDqtevIyna+rN958IWjCMvs8O+wro4SFYKAHYOkaBW0syQl1m/GKePcDJR6rkLx8eLrr6jaj4rHAS5fVJVYOpPIkrnfI5kTvnuRqJTH9NIaan3q4+6mAQ1prBqrtO2RUWcdmfkuVuUapDcqhgqGQqzsaKNWjsiCr21CPnYuj8pYItyJziF2VGS5oci2feCxWwbqqW8WUXZha7PnhQaIIiv7vyIo/JVWKK12v8UfeFRiRL73JOfFdtRCWldQxF2yRTt5gFxObCPQj5oSj1+Buc/IzQwqkKxeKpjUdtYt1RjsU3rJR1JDjEhrbbN/LZg986wkxrsLVqQmsXxSniai2X4vN+9KZu4kcg8Crk4g29+L0Snj0P7PQ61SXT3HMZxp5T2jLvekwLyn9yIKl75IiQSdgp+DIv
+ key ****************
 type ssh-rsa
 }
 public-keys joey@joey-server {
- key AAAAB3NzaC1yc2EAAAADAQABAAACAQDOCCXndD7BbVmUHsYEkVLobZVBbZ8mgHjpKreUSsyZLah9Et2VxzATOh1bnXwapHu137h/cMeBDBPD3AfoCT3njd/mvVZB3INkyS8mPoFuwYViHmlW2L+6Bv5kGiMpjK/G5lPkKLsA79bTMu2kuAM6usslap3hEdwNW0vK3a+feM1RSwxirQmDXq4WRmsY9r4Md9wIfxLaezy0l0oK8k7xqMeiLrqMsrpsDOVV5Cb7iyufDqEx4QbicosrMD+C4Mql8ptdOYVj86jOND9lcpoqujOQWD2k8Cvl/zdoWY3ZG7duZjD9NYFgvM7F62LM5p7t5iNicxcegCqdZmFR5+ueZtoIn6BpCT4cvAWHSipRuvNmAWaQBnfr/NKh4H2QF0wJluDkG+wTrJPjH9FmK4sUHdOx+rqZ4iWhhZ7a2c4wNgm9i+UHoh//MPSvWOC5lQ97FvTUVBmE8BiWh8tZ82SxjSUtWaYPGZEmJvEIVXus70aY8Rwelxn9gXTwLlzRZl+0G7XOQia1EIj8VnUtPtWMxHeI09klOP1BRUVSRXBGOvz1UjbHIAEYvnxkTiW5LG1xxJopUQ3QiyDDERBbelLtM3iBIRFbVlFcqyIG3OsZaR90LwngBFIMtPZrv3vWTg3YdtMDw7uW1SVHHBDfxEc9cSBYQinVGupUmyztTLkM4Q==
+ key ****************
 type ssh-rsa
 }
 }
- level admin
 }
 }
 name-server 192.168.1.1
 name-server 1.1.1.1
 name-server 1.0.0.1
+ name-server eth4
 ntp {
 server time-a-wwv.nist.gov {
 }