Page MenuHomeVyOS Platform
Files F3823454

config.boot-pre-fw-prived
All Users
Actions

Authored By
twan
Aug 16 2023, 6:40 PM
Size
14 KB
Referenced Files
None
Subscribers
None

config.boot-pre-fw-prived
View Options

firewall {
all-ping enable
group {
address-group ROUTERS {
address xxx.xxx.40.1-xxx.xxx.40.3
address xxx.xxx.60.1-xxx.xxx.60.3
description "Router IPs"
}
interface-group GUEST {
interface eth1.60
}
interface-group INTERNAL {
include GUEST
include LAN
include IoT
include NoT
include MGMT
include SRV
}
interface-group INTERNAL-ISOLATED {
include NoT
include MGMT
}
interface-group INTERNAL-TRUSTED {
include LAN
include SRV
include MGMT
}
interface-group IoT {
interface eth1.20
}
interface-group LAN {
interface eth1
}
interface-group MGMT {
interface eth1.40
}
interface-group NoT {
interface eth1.30
}
interface-group OUTSIDE {
include WAN
}
interface-group SRV {
interface eth1.10
}
interface-group WAN {
interface eth0
}
network-group RFC1918 {
network xxx.xxx.0.0/8
network xxx.xxx.0.0/12
network xxx.xxx.0.0/16
}
port-group Chromecast {
port 8008-8009
port 5556
port 5558
port 5353
}
}
interface eth0 {
in {
name OUTSIDE-IN
}
local {
name OUTSIDE-LOCAL
}
out {
name OUTSIDE-OUT
}
}
interface "eth1*" {
in {
name INSIDE-IN
}
local {
name INSIDE-LOCAL
}
out {
name INSIDE-OUT
}
}
name INSIDE-IN {
default-action drop
rule 10 {
action accept
description "Allow ping"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 20 {
action drop
description "Deny all ISOLATED to WAN"
inbound-interface {
interface-group INTERNAL-ISOLATED
}
outbound-interface {
interface-group WAN
}
}
rule 21 {
action accept
description "Allow all INTERNAL to WAN"
inbound-interface {
interface-group INTERNAL
}
outbound-interface {
interface-group WAN
}
}
}
name INSIDE-LOCAL {
default-action drop
rule 10 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 20 {
action accept
description "Allow INTERNAL-TRUSTED to LOCAL SSH"
destination {
port ssh
}
inbound-interface {
interface-group INTERNAL-TRUSTED
}
protocol tcp
}
rule 30 {
action accept
description "Allow All INTERNAL to LOCAL NTP"
destination {
port ntp
}
inbound-interface {
interface-group INTERNAL
}
protocol udp
}
rule 40 {
action accept
description "Allow INTERNAL to LOCAL dns"
destination {
port domain
}
inbound-interface {
interface-group INTERNAL
}
protocol tcp_udp
}
rule 50 {
action accept
description "Allow DHCP"
destination {
port bootps
}
inbound-interface {
interface-group INTERNAL
}
protocol udp
source {
port bootpc
}
}
rule 60 {
action accept
description "Allow all rtr<->rtr"
inbound-interface {
interface-group MGMT
}
source {
group {
address-group ROUTERS
}
}
}
rule 61 {
action accept
description "Allow VRRP from ROUTERS"
disable
protocol vrrp
source {
group {
address-group ROUTERS
}
}
}
}
name INSIDE-OUT {
default-action accept
}
name OUTSIDE-IN {
default-action drop
}
name OUTSIDE-LOCAL {
default-action drop
rule 10 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 20 {
action accept
destination {
port 22
}
log enable
protocol tcp
state {
new enable
}
}
rule 30 {
action accept
description "Allow Wireguard"
destination {
port 2224
}
protocol udp
}
}
name OUTSIDE-OUT {
default-action accept
}
state-policy {
established {
action accept
}
invalid {
action drop
}
related {
action accept
}
}
}
high-availability {
vrrp {
group GUEST {
address xxx.xxx.60.1/24 {
}
hello-source-address xxx.xxx.60.3
interface eth1.60
peer-address xxx.xxx.60.2
priority 100
vrid 60
}
sync-group INTERNAL {
member GUEST
}
}
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
hw-id xx:xx:xx:xx:xx:1d
}
ethernet eth1 {
address xxx.xxx.0.3/24
description LAN
hw-id xx:xx:xx:xx:xx:20
vif 10 {
address xxx.xxx.1.3/24
description Servers
}
vif 20 {
address xxx.xxx.20.3/24
description IoT
}
vif 30 {
address xxx.xxx.30.3/24
description NoT
}
vif 40 {
address xxx.xxx.40.3/24
description Management
}
vif 60 {
address xxx.xxx.60.3/24
description Guests
}
}
loopback lo {
}
wireguard wg0 {
address xxx.xxx.2.3/24
description RoadWarrior
peer phone {
allowed-ips xxx.xxx.2.12/32
persistent-keepalive 15
preshared-key XXX
public-key XXX
}
peer rupert {
allowed-ips xxx.xxx.2.11/32
persistent-keepalive 15
preshared-key XXX
public-key XXX
}
port 2224
private-key xxxxxx
}
}
nat {
source {
rule 10 {
description "MASQ all RFC1918 to eth0"
outbound-interface eth0
source {
group {
network-group RFC1918
}
}
translation {
address masquerade
}
}
}
}
protocols {
static {
route xxx.xxx.0.0/0 {
dhcp-interface eth0
next-hop xxx.xxx.0.1 {
}
}
}
}
service {
conntrack-sync {
accept-protocol tcp
accept-protocol udp
accept-protocol icmp
accept-protocol icmp6
failover-mechanism {
vrrp {
sync-group INTERNAL
}
}
ignore-address xxx.xxx.0.0/30
ignore-address xxx.xxx.2.0/30
ignore-address xxx.xxx.1.0/30
ignore-address xxx.xxx.20.0/30
ignore-address xxx.xxx.30.0/30
ignore-address xxx.xxx.40.0/30
ignore-address xxx.xxx.60.0/30
ignore-address xxx.xxx.0.1
ignore-address ::1
interface eth1.40 {
peer xxxxx.tld
}
listen-address xxx.xxx.40.3
}
dhcp-server {
failover {
name ROUTER
remote xxx.xxx.40.2
source-address xxx.xxx.40.3
status secondary
}
global-parameters "ddns-updates on;"
global-parameters "update-static-leases on;"
global-parameters "update-optimization true;"
global-parameters "key dhcpdupdate { algorithm hmac-md5; secret &quot;XXXXquot;; };"
global-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
global-parameters "zone in-addr.arpa. { primary xxx.xxx.1.153; key xxxxxx }"
global-parameters "update-conflict-detection off;"
global-parameters "ddns-update-style standard;"
global-parameters "ddns-ttl 86400;"
host-decl-name
shared-network-name xxxxxx {
authoritative
description "Guest - VLAN 60"
domain-name xxxxxx
name-server xxx.xxx.60.1
shared-network-parameters "zone guest.example.com. { primary xxx.xxx.1.153; key xxxxxx }"
shared-network-parameters "ddns-domainname &quot;guest.example.com&quot;;"
subnet xxx.xxx.60.0/24 {
default-router xxx.xxx.60.1
enable-failover
range 0 {
start xxx.xxx.60.20
stop xxx.xxx.60.254
}
}
}
}
dns {
dynamic {
address eth0 {
rfc2136 PDNS {
host-name xxxxxx
key xxxxxx
server xxxxx.tld
zone example.com
}
}
}
/* Use dhcp eth0 in future, instead of hardcoded name-servers */
forwarding {
allow-from xxx.xxx.0.0/16
allow-from xxx.xxx.0.0/8
domain 0.x.x.in-addr.arpa. {
name-server xxx.xxx.1.153 {
}
}
domain 1.x.x.in-addr.arpa. {
name-server xxx.xxx.1.153 {
}
}
domain 20.x.x.in-addr.arpa. {
name-server xxx.xxx.1.153 {
}
}
domain 30.x.x.in-addr.arpa. {
name-server xxx.xxx.1.153 {
}
}
domain 40.x.x.in-addr.arpa. {
name-server xxx.xxx.1.153 {
}
}
domain home.example.com {
name-server xxx.xxx.1.153 {
}
}
domain iot.example.com {
name-server xxx.xxx.1.153 {
}
}
domain lan.example.com {
name-server xxx.xxx.1.153 {
}
}
domain mgmt.example.com {
name-server xxx.xxx.1.153 {
}
}
domain not.example.com {
name-server xxx.xxx.1.153 {
}
}
listen-address xxx.xxx.0.0
name-server xxx.xxx.98.2 {
}
name-server xxx.xxx.101.3 {
}
}
}
https {
api {
keys {
id SYNC {
key xxxxxx
}
}
socket
}
virtual-host sync {
listen-address xxx.xxx.40.3
}
}
lldp {
interface all {
}
interface eth0 {
disable
}
}
monitoring {
telegraf {
prometheus-client xxxxxx
allow-from xxx.xxx.0.0/16
}
}
}
ntp {
allow-client xxxxxx
address xxx.xxx.0.0/16
address xxx.xxx.0.0/8
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
prefer
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
ssh {
disable-password-authentication
dynamic-protection {
allow-from xxx.xxx.0.0/16
}
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
}
console {
device ttyS0 {
speed 115200
}
}
domain-name xxxxxx
host-name xxxxxx
login {
user xxxxxx {
authentication {
encrypted-password xxxxxx
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
}
}
}
name-server xxx.xxx.0.1
option {
ctrl-alt-delete ignore
keyboard-layout se-latin1
}
syslog {
global {
facility all {
level info
}
facility local7 {
level debug
}
}
}
time-zone Europe/Stockholm
}
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@4:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-dynamic@1:dns-forwarding@4:firewall@10:flow-accounting@1:https@4:ids@1:interfaces@30:ipoe-server@1:ipsec@12:isis@3:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@3:openconnect@2:ospf@2:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@26:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202308050917

File Metadata

Mime Type
text/plain
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
187829
Default Alt Text
config.boot-pre-fw-prived (14 KB)

Event Timeline