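/* EdgeOS (Vyatta-style) router configuration. WAN is eth0 (DHCP), LAN is
   eth1 (192.168.1.0/24). Selected LAN hosts, picked by source MAC, are
   policy-routed into table 1 whose only usable route is the WireGuard
   tunnel wg0. Secrets and identifying values are REDACTED in this listing.
   The pasted copy had its indentation stripped and gutter numbers fused
   onto each line; it is restored here to config.boot layout. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Policy-routing selector applied to eth1 ingress. A source MAC is a
       convenience key, not authentication: any LAN host can present one of
       these MACs to enter (or change its MAC to leave) the tunnel path. */
    modify wg_routing {
        rule 11 {
            action modify
            description REDACTED
            modify {
                table 1
            }
            source {
                /* same MAC as dhcp static-mapping "desktop" below */
                mac-address fc:aa:14:9d:22:ff
            }
        }
        rule 12 {
            action modify
            description REDACTED
            modify {
                table 1
            }
            source {
                mac-address c0:ee:fb:f4:ae:60
            }
        }
        rule 13 {
            action modify
            modify {
                table 1
            }
            source {
                mac-address 38:37:8b:f4:c3:00
            }
        }
        rule 14 {
            action modify
            modify {
                table 1
            }
            source {
                /* The listing had "30:65:ec:70:66:1" (last octet truncated),
                   which is not a valid MAC and would never match, so this
                   host's traffic would bypass the tunnel. Completed to the
                   MAC that dhcp static-mapping "pihole" assigns to the same
                   host; confirm against the live device. */
                mac-address 30:65:ec:70:66:1b
            }
        }
    }
    /* Inbound from the internet to LAN: stateful only, nothing else. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Inbound from the internet to the router itself. Only the WireGuard
       listen port is opened; SSH (22) and the GUI (80/443) are therefore
       reachable from the LAN side only. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    /* The router may emit ICMP redirects to LAN hosts. Usually harmless on a
       single flat LAN; can be set to disable if redirects are not wanted. */
    send-redirects enable
    /* Reverse-path filtering is off, so the kernel will not drop packets
       whose source address is unroutable via the ingress interface. Strict
       RPF can interfere with the table-1 policy routing above, so verify
       before enabling; the WAN side is still covered by the default-drop
       rulesets, and log-martians gives visibility of spoofed sources. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        /* dhcp-options has no effect on a statically addressed interface;
           left in place as found. */
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        /* Only the policy-route selector is attached here; there is no
           filtering ruleset on LAN ingress. */
        firewall {
            in {
                modify wg_routing
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        /* Interface is administratively down; note it has no firewall
           attached, so add one before enabling it. */
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    wireguard wg0 {
        address REDACTED
        listen-port 51820
        mtu 1420
        peer REDACTED {
            /* The peer is the default gateway for table 1. Because
               route-allowed-ips is false, 0.0.0.0/0 is not installed in the
               main table, so only policy-routed hosts use the tunnel. */
            allowed-ips 0.0.0.0/0
            endpoint REDACTED
        }
        /* config.boot only references the key path; the key itself lives in
           /config/auth and is presumably captured by device config backups,
           so treat backups as secret material. */
        private-key /config/auth/wg-priv.key
        route-allowed-ips false
    }
}
protocols {
    static {
        table 1 {
            description "table to force wg0"
            interface-route 0.0.0.0/0 {
                next-hop-interface wg0 {
                }
            }
            /* Fail-closed behaviour: when wg0 is down its interface route is
               withdrawn and the distance-255 blackhole becomes the only
               table-1 default, so policy-routed hosts lose connectivity
               rather than leaking out via eth0. */
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                /* LAN clients resolve via the pihole host directly; the
                   router's own forwarder (service dns) also sends queries
                   there, so LAN name resolution depends on that host. */
                dns-server 192.168.1.12
                domain-name home.lan
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping desktop {
                    ip-address 192.168.1.11
                    mac-address fc:aa:14:9d:22:ff
                }
                static-mapping pihole {
                    ip-address 192.168.1.12
                    mac-address 30:65:ec:70:66:1b
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            /* eth2 is currently disabled; this listener is inert until the
               interface is enabled. */
            listen-on eth2
            name-server 192.168.1.12
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        /* Enables legacy TLS cipher suites on the web UI. WAN_LOCAL keeps the
           UI off the internet, but every LAN host can reach it; prefer
           "older-ciphers disable" unless a specific old client needs it. */
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5001 {
            description REDACTED
            /* LAN traffic that policy routing sends into wg0 is masqueraded
               behind the tunnel address. */
            outbound-interface wg0
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
    }
    ssh {
        /* LAN-only in practice: WAN_LOCAL has no rule admitting port 22. */
        port 22
        protocol-version v2
    }
}
system {
    domain-name home.lan
    host-name REDACTED
    login {
        /* Single admin-level account; password hash redacted. */
        user REDACTED {
            authentication {
                encrypted-password REDACTED
            }
            level admin
        }
    }
    /* The router resolves through its own forwarder, which in turn uses the
       pihole host. */
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Local syslog only; no remote host is configured, so logs (including
       log-martians hits) are lost on reboot or log rotation. Routing
       protocols are logged at debug, which is verbose. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}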
272}