693 lines
18 KiB
Clojure
693 lines
18 KiB
Clojure
firewall {
|
|
global-options {
|
|
all-ping enable
|
|
broadcast-ping disable
|
|
ipv6-receive-redirects disable
|
|
ipv6-src-route disable
|
|
ip-src-route disable
|
|
log-martians enable
|
|
receive-redirects disable
|
|
send-redirects enable
|
|
source-validation disable
|
|
syn-cookies enable
|
|
}
|
|
group {
|
|
interface-group IG_LAN {
|
|
interface eth6
|
|
}
|
|
interface-group IG_WAN {
|
|
interface pppoe1
|
|
}
|
|
}
|
|
ipv4 {
|
|
forward {
|
|
filter {
|
|
default-action accept
|
|
rule 5 {
|
|
action jump
|
|
inbound-interface {
|
|
interface-name pppoe1
|
|
}
|
|
jump-target WAN_IN
|
|
}
|
|
rule 101 {
|
|
action accept
|
|
inbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
outbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
}
|
|
rule 106 {
|
|
action jump
|
|
inbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
jump-target WAN_IN
|
|
outbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
}
|
|
rule 111 {
|
|
action drop
|
|
description "zone_LAN default-action"
|
|
outbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
}
|
|
rule 116 {
|
|
action accept
|
|
inbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
outbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
}
|
|
rule 121 {
|
|
action jump
|
|
inbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
jump-target IN_WAN
|
|
outbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
}
|
|
rule 126 {
|
|
action drop
|
|
description "zone_WAN default-action"
|
|
outbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
}
|
|
}
|
|
}
|
|
input {
|
|
filter {
|
|
default-action accept
|
|
rule 5 {
|
|
action jump
|
|
inbound-interface {
|
|
interface-name pppoe1
|
|
}
|
|
jump-target WAN_LOCAL
|
|
}
|
|
rule 101 {
|
|
action jump
|
|
inbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
jump-target IN_LOCAL
|
|
}
|
|
rule 106 {
|
|
action jump
|
|
inbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
jump-target WAN_LOCAL
|
|
}
|
|
rule 111 {
|
|
action drop
|
|
}
|
|
}
|
|
}
|
|
name IN_LOCAL {
|
|
default-action accept
|
|
}
|
|
name IN_WAN {
|
|
default-action accept
|
|
}
|
|
name LOCAL_IN {
|
|
default-action accept
|
|
}
|
|
name LOCAL_WAN {
|
|
default-action accept
|
|
}
|
|
name WAN_IN {
|
|
default-action drop
|
|
description "WAN to internal"
|
|
rule 10 {
|
|
action accept
|
|
description "Allow established/related"
|
|
state {
|
|
established enable
|
|
related enable
|
|
}
|
|
}
|
|
rule 20 {
|
|
action drop
|
|
description "Drop invalid state"
|
|
state {
|
|
invalid enable
|
|
}
|
|
}
|
|
rule 1000 {
|
|
action accept
|
|
description Plex
|
|
destination {
|
|
port 32400
|
|
}
|
|
protocol tcp_udp
|
|
state {
|
|
new enable
|
|
}
|
|
}
|
|
rule 1001 {
|
|
action accept
|
|
description BitTorrent
|
|
destination {
|
|
port 49500
|
|
}
|
|
protocol tcp_udp
|
|
state {
|
|
new enable
|
|
}
|
|
}
|
|
rule 1002 {
|
|
action accept
|
|
description WireGuard
|
|
destination {
|
|
port 53820-53829
|
|
}
|
|
protocol tcp_udp
|
|
state {
|
|
new enable
|
|
}
|
|
}
|
|
rule 1003 {
|
|
action accept
|
|
description Minecraft
|
|
destination {
|
|
port 25565
|
|
}
|
|
protocol tcp_udp
|
|
state {
|
|
new enable
|
|
}
|
|
}
|
|
rule 1005 {
|
|
action accept
|
|
description Web
|
|
destination {
|
|
port 443,80
|
|
}
|
|
protocol tcp_udp
|
|
state {
|
|
new enable
|
|
}
|
|
}
|
|
}
|
|
name WAN_LOCAL {
|
|
default-action drop
|
|
description "WAN to router"
|
|
rule 10 {
|
|
action accept
|
|
description "Allow established/related"
|
|
state {
|
|
established enable
|
|
related enable
|
|
}
|
|
}
|
|
rule 20 {
|
|
action accept
|
|
protocol icmp
|
|
state {
|
|
new enable
|
|
}
|
|
}
|
|
rule 30 {
|
|
action drop
|
|
description "Drop invalid state"
|
|
state {
|
|
invalid enable
|
|
}
|
|
}
|
|
}
|
|
output {
|
|
filter {
|
|
default-action accept
|
|
rule 101 {
|
|
action jump
|
|
jump-target LOCAL_IN
|
|
outbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
}
|
|
rule 106 {
|
|
action jump
|
|
jump-target LOCAL_WAN
|
|
outbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
}
|
|
rule 111 {
|
|
action drop
|
|
}
|
|
}
|
|
}
|
|
}
|
|
ipv6 {
|
|
forward {
|
|
filter {
|
|
default-action accept
|
|
rule 101 {
|
|
action accept
|
|
inbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
outbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
}
|
|
rule 106 {
|
|
action drop
|
|
description "zone_LAN default-action"
|
|
outbound-interface {
|
|
interface-group IG_LAN
|
|
}
|
|
}
|
|
rule 111 {
|
|
action accept
|
|
inbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
outbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
}
|
|
rule 116 {
|
|
action drop
|
|
description "zone_WAN default-action"
|
|
outbound-interface {
|
|
interface-group IG_WAN
|
|
}
|
|
}
|
|
}
|
|
}
|
|
input {
|
|
filter {
|
|
default-action accept
|
|
rule 101 {
|
|
action drop
|
|
}
|
|
}
|
|
}
|
|
output {
|
|
filter {
|
|
default-action accept
|
|
rule 101 {
|
|
action drop
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
interfaces {
|
|
ethernet eth0 {
|
|
hw-id d4:3d:7e:94:6e:eb
|
|
}
|
|
ethernet eth5 {
|
|
address dhcp
|
|
hw-id 6c:b3:11:32:46:24
|
|
offload {
|
|
sg
|
|
tso
|
|
}
|
|
vif 201 {
|
|
}
|
|
}
|
|
ethernet eth6 {
|
|
address 192.168.1.1/24
|
|
description "Primary Switch"
|
|
duplex auto
|
|
hw-id 6c:b3:11:32:46:25
|
|
offload {
|
|
rps
|
|
sg
|
|
tso
|
|
}
|
|
speed auto
|
|
}
|
|
loopback lo {
|
|
}
|
|
pppoe pppoe1 {
|
|
authentication {
|
|
password ****************
|
|
username hafnerjoseph
|
|
}
|
|
ip {
|
|
adjust-mss 1452
|
|
}
|
|
mtu 1492
|
|
no-peer-dns
|
|
source-interface eth5.201
|
|
}
|
|
}
|
|
nat {
|
|
destination {
|
|
rule 1000 {
|
|
description Plex
|
|
destination {
|
|
port 32400
|
|
}
|
|
inbound-interface pppoe1
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1001 {
|
|
description BitTorrent
|
|
destination {
|
|
port 49500
|
|
}
|
|
inbound-interface pppoe1
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1002 {
|
|
description WireGuard
|
|
destination {
|
|
port 53820-53829
|
|
}
|
|
inbound-interface pppoe1
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1003 {
|
|
description Minecraft
|
|
destination {
|
|
port 25565
|
|
}
|
|
inbound-interface pppoe1
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1005 {
|
|
description Web
|
|
destination {
|
|
port 443,80
|
|
}
|
|
inbound-interface pppoe1
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1100 {
|
|
description "Plex (Hairpin NAT)"
|
|
destination {
|
|
address 174.21.57.251
|
|
port 32400
|
|
}
|
|
inbound-interface eth6
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1102 {
|
|
description "Wireguard (Hairpin NAT)"
|
|
destination {
|
|
address 174.21.57.251
|
|
port 53820-53829
|
|
}
|
|
inbound-interface eth6
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1103 {
|
|
description "Minecraft (Hairpin NAT)"
|
|
destination {
|
|
address 174.21.57.251
|
|
port 25565
|
|
}
|
|
inbound-interface eth6
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
rule 1105 {
|
|
description "Web (Hairpin NAT)"
|
|
destination {
|
|
address 174.21.57.251
|
|
port 80,443
|
|
}
|
|
inbound-interface eth6
|
|
protocol tcp_udp
|
|
translation {
|
|
address 192.168.1.23
|
|
}
|
|
}
|
|
}
|
|
source {
|
|
rule 99 {
|
|
description "Masquerade as public IP on internet"
|
|
outbound-interface pppoe1
|
|
source {
|
|
address 192.168.1.0/24
|
|
}
|
|
translation {
|
|
address masquerade
|
|
}
|
|
}
|
|
rule 100 {
|
|
description "NAT Reflection"
|
|
destination {
|
|
address 192.168.1.0/24
|
|
}
|
|
outbound-interface eth6
|
|
protocol tcp_udp
|
|
source {
|
|
address 192.168.1.0/24
|
|
}
|
|
translation {
|
|
address masquerade
|
|
}
|
|
}
|
|
}
|
|
}
|
|
qos {
|
|
interface eth6 {
|
|
egress GIGABIT-FQCODEL
|
|
}
|
|
interface pppoe1 {
|
|
ingress LIMITER
|
|
}
|
|
policy {
|
|
fq-codel GIGABIT-FQCODEL {
|
|
codel-quantum 8000
|
|
flows 1024
|
|
queue-limit 800
|
|
}
|
|
limiter LIMITER {
|
|
default {
|
|
bandwidth 700mbit
|
|
burst 262.5mbit
|
|
}
|
|
}
|
|
}
|
|
}
|
|
service {
|
|
dhcp-server {
|
|
shared-network-name LAN {
|
|
domain-name local
|
|
domain-search local
|
|
name-server 192.168.1.32
|
|
subnet 192.168.1.0/24 {
|
|
default-router 192.168.1.1
|
|
lease 86400
|
|
range 1 {
|
|
start 192.168.1.100
|
|
stop 192.168.1.254
|
|
}
|
|
static-mapping U6-Lite {
|
|
ip-address 192.168.1.3
|
|
mac-address 78:45:58:67:87:14
|
|
}
|
|
static-mapping UAP-AC-LR {
|
|
ip-address 192.168.1.2
|
|
mac-address 18:e8:29:50:f7:5b
|
|
}
|
|
static-mapping joey-desktop {
|
|
ip-address 192.168.1.100
|
|
mac-address 04:92:26:DA:BA:C5
|
|
}
|
|
static-mapping joey-nas {
|
|
ip-address 192.168.1.10
|
|
mac-address 40:8d:5c:52:41:89
|
|
}
|
|
static-mapping joey-nas2 {
|
|
ip-address 192.168.1.11
|
|
mac-address 90:2b:34:37:ce:ea
|
|
}
|
|
static-mapping joey-server {
|
|
ip-address 192.168.1.23
|
|
mac-address 70:85:c2:9c:6a:16
|
|
}
|
|
static-mapping joey-server2 {
|
|
ip-address 192.168.1.24
|
|
mac-address 24:4b:fe:57:bc:85
|
|
}
|
|
static-mapping joey-server3 {
|
|
ip-address 192.168.1.25
|
|
mac-address 78:45:c4:05:4f:21
|
|
}
|
|
static-mapping joey-server4 {
|
|
ip-address 192.168.1.26
|
|
mac-address 90:2b:34:37:ce:e8
|
|
}
|
|
static-mapping pihole1 {
|
|
ip-address 192.168.1.21
|
|
mac-address b8:27:eb:3c:8e:bb
|
|
}
|
|
static-mapping pihole2 {
|
|
ip-address 192.168.1.22
|
|
mac-address b8:27:eb:ff:76:6e
|
|
}
|
|
static-mapping tasmota-1 {
|
|
ip-address 192.168.1.50
|
|
mac-address 3C:61:05:F6:44:1E
|
|
}
|
|
static-mapping tasmota-2 {
|
|
ip-address 192.168.1.51
|
|
mac-address 3c:61:05:f6:d7:d3
|
|
}
|
|
static-mapping tasmota-3 {
|
|
ip-address 192.168.1.52
|
|
mac-address 3c:61:05:f6:f0:62
|
|
}
|
|
static-mapping wyse1 {
|
|
ip-address 192.168.1.31
|
|
mac-address 6c:2b:59:37:89:40
|
|
}
|
|
static-mapping wyse2 {
|
|
ip-address 192.168.1.32
|
|
mac-address 6c:2b:59:37:9e:91
|
|
}
|
|
static-mapping wyse3 {
|
|
ip-address 192.168.1.33
|
|
mac-address 6c:2b:59:37:9e:00
|
|
}
|
|
}
|
|
}
|
|
}
|
|
dns {
|
|
forwarding {
|
|
allow-from 192.168.1.0/24
|
|
cache-size 1000000
|
|
listen-address 192.168.1.1
|
|
name-server 192.168.1.32 {
|
|
}
|
|
}
|
|
}
|
|
monitoring {
|
|
telegraf {
|
|
prometheus-client {
|
|
}
|
|
}
|
|
}
|
|
ntp {
|
|
allow-client {
|
|
address 0.0.0.0/0
|
|
address ::/0
|
|
}
|
|
server time-a-wwv.nist.gov {
|
|
}
|
|
server time-b-wwv.nist.gov {
|
|
}
|
|
server time-c-wwv.nist.gov {
|
|
}
|
|
server time-d-wwv.nist.gov {
|
|
}
|
|
server time-e-wwv.nist.gov {
|
|
}
|
|
}
|
|
ssh {
|
|
disable-password-authentication
|
|
port 22
|
|
}
|
|
}
|
|
system {
|
|
config-management {
|
|
commit-revisions 200
|
|
}
|
|
conntrack {
|
|
expect-table-size 8192
|
|
hash-size 32768
|
|
modules {
|
|
ftp
|
|
h323
|
|
nfs
|
|
pptp
|
|
sip
|
|
sqlnet
|
|
tftp
|
|
}
|
|
table-size 262144
|
|
timeout {
|
|
tcp {
|
|
time-wait 15
|
|
}
|
|
}
|
|
}
|
|
console {
|
|
device ttyS0 {
|
|
speed 115200
|
|
}
|
|
}
|
|
host-name vyos
|
|
login {
|
|
banner {
|
|
}
|
|
user vyos {
|
|
authentication {
|
|
encrypted-password ****************
|
|
otp {
|
|
key ****************
|
|
rate-limit 3
|
|
rate-time 30
|
|
window-size 3
|
|
}
|
|
public-keys ed25519_jafner425@gmail.com {
|
|
key ****************
|
|
type ssh-ed25519
|
|
}
|
|
}
|
|
}
|
|
}
|
|
name-server 192.168.1.32
|
|
option {
|
|
performance latency
|
|
}
|
|
syslog {
|
|
global {
|
|
facility all {
|
|
level info
|
|
}
|
|
facility local7 {
|
|
level debug
|
|
}
|
|
}
|
|
}
|
|
task-scheduler {
|
|
task update-nat-reflection {
|
|
executable {
|
|
path /home/vyos/ipupdate.sh
|
|
}
|
|
interval 5
|
|
}
|
|
}
|
|
time-zone America/Los_Angeles
|
|
} |