Forked from sforshee/erl3-example-config.txt
Last active
January 8, 2017 19:34
Revisions
loesak revised this gist
Jan 8, 2017 . 1 changed file with 1 addition and 0 deletions.
@@ -993,6 +993,7 @@ zone-policy { name allow-all } } #where did this interface get created? interface eth0.2 } } -
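Review bot: The added question points at a real mismatch rather than an open one: zone WAN binds `interface eth0.2`, but the interfaces block from the Dec 8, 2016 creation revision defines `ethernet eth0` with `address dhcp` and no `vif 2`, so the Internet uplink is eth0 itself. Unless an eth0 vif 2 exists outside this gist, the WAN zone never matches the uplink, and the WAN-local / local-WAN rulesets (including the OpenVPN tcp/443 accept in WAN-local rule 50) would presumably not be applied to Internet traffic at all. I would replace the question with a statement and fix the binding: `# eth0 is the Internet uplink (address dhcp); no vif 2 is defined on it` followed by `interface eth0`. The zone-policy block this hunk belongs to starts before and ends after the hunk.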
loesak revised this gist
Jan 4, 2017 . 1 changed file with 17 additions and 0 deletions.
@@ -83,6 +83,7 @@ firewall { } protocol tcp_udp } # why is this not DHCPv6? rule 700 { action accept description "Allow DHCP" @@ -91,6 +92,7 @@ firewall { } protocol udp } # why is there no HTTP/HTTPS? } ipv6-name local-WAN-6 { default-action drop @@ -141,6 +143,7 @@ firewall { } } } #can you explain the mgmt vlan? what type of devices are running on it? is this the managed switch? ipv6-name mgmt-local-6 { default-action drop enable-default-log @@ -170,6 +173,7 @@ firewall { } protocol tcp_udp } # why is this not DHCPv6? rule 700 { action accept description "Allow DHCP" @@ -178,6 +182,7 @@ firewall { } protocol udp } # why is there no http/https? } ipv6-name officelan-local-6 { default-action drop @@ -200,6 +205,7 @@ firewall { action accept protocol ipv6-icmp } # why is https port 9443 and not 443? rule 200 { action accept description "Allow HTTP/HTTPS" @@ -216,6 +222,7 @@ firewall { } protocol tcp_udp } # is this only here to allow SSH connections to outside your network (not SSH between VLANS)? rule 800 { action accept description "Allow SSH" @@ -224,6 +231,7 @@ firewall { } protocol tcp } # why is there no DHCPv6 here? } ipv6-name officelan-mgmt-6 { default-action drop @@ -280,10 +288,12 @@ firewall { invalid enable } } # why are incoming icmp requests allowed? rule 100 { action accept protocol ipv6-icmp } # why are incoming dchp requests allowed? rule 700 { action accept description "Allow DHCPv6" @@ -334,6 +344,7 @@ firewall { invalid enable } } # why no icmp like in the ipv6 version? } name homelan-local { default-action drop @@ -372,6 +383,7 @@ firewall { } protocol udp } # why no http/https? } name local-WAN { default-action drop 
@@ -456,6 +468,7 @@ firewall { } protocol udp } # why no http/https? } name officelan-local { default-action drop @@ -478,6 +491,7 @@ firewall { action accept protocol icmp } # why port 9443 vs 443 rule 200 { action accept description "Allow HTTP/HTTPS" @@ -566,6 +580,7 @@ firewall { invalid enable } } # this does not have same rules for dhcp and icmp as does ipv6 version rule 50 { action accept description "Allow OpenVPN connections" @@ -584,6 +599,7 @@ interfaces { ethernet eth0 { address dhcp description Internet # can you educate me on whats going on here? dhcpv6-pd { pd 1 { interface eth2.1 { @@ -824,6 +840,7 @@ zone-policy { name allow-est-drop-inv } } #can a zone reference a non-virtual interface? like eth1? interface eth2.2 } zone local { -
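Review bot: The `# why is this not DHCPv6?` comments at `@@ -83` and `@@ -170` sit on a genuine inconsistency, not just an open question: homelan-local-6 and mgmt-local-6 rule 700 accept udp 67,68 inside IPv6 rulesets, while the file's own DHCPv6 rules (local-WAN-6 and WAN-local-6 rule 700) use 546/547, so the 67,68 rule in the IPv6 rulesets appears to match nothing; since the VLAN vifs use `service slaac`, the rule can probably be dropped, or if LAN DHCPv6 is intended, become `description "Allow DHCPv6"` with `port 547`. Several of the other questions are answered by the file itself and would read better as statements: the GUI's HTTPS port is 9443 (`service gui https-port 9443`) because `openvpn vtun0 local-port 443` takes tcp/443, e.g. `# GUI HTTPS is on 9443 because OpenVPN vtun0 listens on tcp/443`, and the home VLAN has no HTTP/HTTPS/SSH rule by design per the header comment. Minor: `dchp` in the `@@ -280` comment is a typo for `dhcp`. Each of these hunks sits inside the firewall block, which starts before and ends after them.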
sforshee revised this gist
Dec 8, 2016 . 1 changed file with 3 additions and 3 deletions.
@@ -674,7 +674,7 @@ service { disabled false hostfile-update enable shared-network-name home-vlan { authoritative enable subnet 192.168.102.0/24 { default-router 192.168.102.1 dns-server 192.168.102.1 @@ -685,7 +685,7 @@ service { } } shared-network-name mgmt { authoritative enable subnet 192.168.101.0/24 { default-router 192.168.101.1 dns-server 192.168.101.1 @@ -696,7 +696,7 @@ service { } } shared-network-name office-vlan { authoritative enable subnet 192.168.103.0/24 { default-router 192.168.103.1 dns-server 192.168.103.1 -
sforshee renamed this gist
Dec 8, 2016 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
sforshee created this gist
Dec 8, 2016 .
@@ -0,0 +1,986 @@ # EdgeRouter Lite 3 configuration example based on the walkthroughs starting # with # http://www.forshee.me/2016/03/01/ubiquiti-edgerouter-lite-setup-part-1-the-basics.html. # # Demonstrates a network setup utilizing VLANs, a zone-based firewall, and # an OpenVPN server. The network has VLANs to segregate home and home-office # network traffic, plus a management VLAN for "smart" networking equipment. # The office VLAN has administrative access to web and SSH interfaces on the # router and the management VLAN whereas the home network does not. # # This configuration is for DEMONSTRATION PURPOSES ONLY. It is untested so # there is absolutely no gaurantee that it is complete, secure, or even # functional. firewall { all-ping enable broadcast-ping disable ipv6-name allow-all-6 { default-action accept rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } } ipv6-name allow-est-drop-inv-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } } ipv6-name homelan-local-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } } ipv6-name local-WAN-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } rule 400 { action accept description "Allow NTP" destination { port 123 } protocol udp } rule 600 { action accept description 
"Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCPv6" destination { port 547 } protocol udp source { port 546 } } } ipv6-name mgmt-local-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } } ipv6-name officelan-local-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } rule 200 { action accept description "Allow HTTP/HTTPS" destination { port 80,9443 } protocol tcp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 800 { action accept description "Allow SSH" destination { port 22 } protocol tcp } } ipv6-name officelan-mgmt-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } rule 200 { action accept description "Allow HTTP/HTTPS" destination { port 80,443 } protocol tcp } rule 800 { action accept description "Allow SSH" destination { port 22 } protocol tcp } } ipv6-name WAN-local-6 { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol ipv6-icmp } rule 700 { action accept description "Allow DHCPv6" destination { port 546 } protocol udp source { port 547 } } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name 
allow-all { default-action accept rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } } name allow-est-drop-inv { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } } name homelan-local { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol icmp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } } name local-WAN { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol icmp } rule 400 { action accept description "Allow NTP" destination { port 123 } protocol udp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } } name mgmt-local { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol icmp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } } name officelan-local { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol icmp } rule 200 { action accept description "Allow HTTP/HTTPS" destination { port 80,9443 
} protocol tcp } rule 600 { action accept description "Allow DNS" destination { port 53 } protocol tcp_udp } rule 700 { action accept description "Allow DHCP" destination { port 67,68 } protocol udp } rule 800 { action accept description "Allow SSH" destination { port 22 } protocol tcp } } name officelan-mgmt { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept protocol icmp } rule 200 { action accept description "Allow HTTP/HTTPS" destination { port 80,443 } protocol tcp } rule 800 { action accept description "Allow SSH" destination { port 22 } protocol tcp } } name WAN-local { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 50 { action accept description "Allow OpenVPN connections" destination { port 443 } protocol tcp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp description Internet dhcpv6-pd { pd 1 { interface eth2.1 { host-address ::1 prefix-id 1 service slaac } interface eth2.2 { host-address ::1 prefix-id 2 service slaac } interface eth2.3 { host-address ::1 prefix-id 3 service slaac } prefix-length /56 } rapid-commit enable } duplex auto speed auto } ethernet eth1 { disable duplex auto speed auto } ethernet eth2 { description LANs duplex auto speed auto vif 1 { address 192.168.101.1/24 description "Management VLAN" ipv6 { address { autoconf } dup-addr-detect-transmits 1 } } vif 2 { address 192.168.102.1/24 description "Home VLAN" ipv6 { address { autoconf } dup-addr-detect-transmits 1 } } vif 3 { address 192.168.103.1/24 description "Office VLAN" ipv6 { address { autoconf } dup-addr-detect-transmits 1 } } } loopback lo { } openvpn vtun0 { description OpenVPN local-port 443 mode server openvpn-option 
"--tls-auth /config/auth/openvpn/ta.key 0" protocol tcp-passive server { push-route 192.168.103.0/24 subnet 192.168.200.0/24 topology subnet } tls { ca-cert-file /config/auth/openvpn/cacert.pem cert-file /config/auth/openvpn/host.pem dh-file /config/auth/openvpn/dhp.pem key-file /config/auth/openvpn/host.key } } } service { dhcp-server { disabled false hostfile-update enable shared-network-name home-vlan { authoritative disable subnet 192.168.102.0/24 { default-router 192.168.102.1 dns-server 192.168.102.1 lease 86400 start 192.168.102.150 { stop 192.168.102.254 } } } shared-network-name mgmt { authoritative disable subnet 192.168.101.0/24 { default-router 192.168.101.1 dns-server 192.168.101.1 lease 86400 start 192.168.101.150 { stop 192.168.101.254 } } } shared-network-name office-vlan { authoritative disable subnet 192.168.103.0/24 { default-router 192.168.103.1 dns-server 192.168.103.1 lease 86400 start 192.168.103.150 { stop 192.168.103.254 } } } use-dnsmasq disable } dns { dynamic { interface eth0 { service dyndns { host-name all.dnsomatic.com login xxxx password xxxx server updates.dnsomatic.com } } } forwarding { cache-size 150 listen-on eth2.1 listen-on eth2.2 listen-on eth2.3 system } } gui { http-port 80 https-port 9443 older-ciphers disable } nat { rule 1000 { description "Port forward for OpenVPN" destination { port 80 } inbound-interface eth0 inside-address { port 443 } protocol tcp type destination } rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } } system { domain-name xxxx host-name xxxx login { user xxxx { authentication { encrypted-password xxxx plaintext-password "" public-keys xxxx { key xxxx type ssh-rsa } } level admin } } name-server 8.8.8.8 name-server 8.8.4.4 name-server 2001:4860:4860::8888 name-server 2001:4860:4860::8844 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { 
hwnat disable ipv4 { forwarding enable vlan enable } ipv6 { forwarding enable vlan enable } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone America/Chicago } zone-policy { zone homelan { default-action drop from local { firewall { ipv6-name allow-all-6 name allow-all } } from WAN { firewall { ipv6-name allow-est-drop-inv-6 name allow-est-drop-inv } } interface eth2.2 } zone local { default-action drop from homelan { firewall { ipv6-name homelan-local-6 name homelan-local } } from mgmt { firewall { ipv6-name mgmt-local-6 name mgmt-local } } from officelan { firewall { ipv6-name officelan-local-6 name officelan-local } } from vpn { firewall { ipv6-name officelan-local-6 name officelan-local } } from WAN { firewall { ipv6-name WAN-local-6 name WAN-local } } local-zone } zone mgmt { default-action drop from local { firewall { ipv6-name allow-all-6 name allow-all } } from officelan { firewall { ipv6-name officelan-mgmt-6 name officelan-mgmt } } from vpn { firewall { ipv6-name officelan-mgmt-6 name officelan-mgmt } } from WAN { firewall { ipv6-name allow-est-drop-inv-6 name allow-est-drop-inv } } interface eth2.1 } zone officelan { default-action drop from local { firewall { ipv6-name allow-all-6 name allow-all } } from mgmt { firewall { ipv6-name allow-est-drop-inv-6 name allow-est-drop-inv } } from vpn { firewall { ipv6-name allow-all-6 name allow-all } } from WAN { firewall { ipv6-name allow-est-drop-inv-6 name allow-est-drop-inv } } interface eth2.3 } zone vpn { default-action drop from local { firewall { ipv6-name allow-all-6 name allow-all } } from mgmt { firewall { ipv6-name allow-est-drop-inv-6 name allow-est-drop-inv } } from officelan { firewall { ipv6-name allow-all-6 name allow-all } } from WAN { firewall { ipv6-name allow-est-drop-inv-6 name allow-est-drop-inv } } interface vtun0 } zone WAN { default-action drop from homelan { firewall { ipv6-name allow-all-6 name allow-all } } from local { firewall { 
ipv6-name local-WAN-6 name local-WAN } } from mgmt { firewall { ipv6-name allow-all-6 name allow-all } } from officelan { firewall { ipv6-name allow-all-6 name allow-all } } from vpn { firewall { ipv6-name allow-all-6 name allow-all } } interface eth0.2 } } /* Warning: Do not remove the following line. */ /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ /* Release version: v1.9.0.4901118.160804.1131 */
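Review bot: `source-validation disable` in the firewall block turns reverse-path filtering off, so a packet arriving on a VLAN or the uplink with a source address that does not belong to that interface's subnet is only logged by `log-martians enable`, never dropped; with one uplink and three directly attached subnets, `source-validation strict` is the safer setting (or `loose` if asymmetric routing is ever expected). A second, smaller point: NAT rule 1000 rewrites WAN tcp/80 to port 443 with no inside address, which appears to make OpenVPN reachable on both ports, but `description "Port forward for OpenVPN"` does not say so; `description "Expose OpenVPN (tcp/443) on tcp/80 as well"` would make the intent clear to the next reader. `send-redirects enable` is also worth a comment, since ICMP redirects from a router that segregates VLANs are rarely wanted. The `interface eth0.2` binding in zone WAN is raised at the Jan 8, 2017 revision above.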