Snippi

firewall { all-ping enable broadcast-ping disable group { address-group authorized_guests { description "authorized guests MAC addresses" } address-group guest_allow_dns_servers { description "allow dns servers for guests" } address-group guest_portal_address { description "guest portal address" } address-group guest_pre_allow { description "allow addresses for guests" } address-group guest_restricted { address 192.168.0.0/16 address 10.0.0.0/8 address 172.16.0.0/12 description "restricted addresses for guests" } address-group unifi_controller_addresses { address 21.0.0.20 description "UniFi addresses" } ipv6-network-group corporate_networkv6 { description "IPv6 corporate subnets" } ipv6-network-group guest_networkv6 { description "IPv6 guest subnets" } network-group captive_portal_subnets { description "captive portal subnets" } network-group corporate_network { description "corporate subnets" network 21.0.0.0/24 } network-group guest_network { description "guest subnets" } network-group remote_client_vpn_network { description "remote client VPN subnets" } network-group remote_site_vpn_network { description "remote site VPN subnets" } network-group remote_user_vpn_network { description "Remote User VPN subnets" } port-group guest_portal_ports { description "guest portal ports" } port-group guest_portal_redirector_ports { description "guest portal redirector ports" port 39080 port 39443 } port-group unifi_controller_ports-tcp { description "unifi tcp ports" port 8080 } port-group unifi_controller_ports-udp { description "unifi udp ports" port 3478 } } ipv6-name AUTHORIZED_GUESTSv6 { default-action drop description "authorization check packets from guest network" } ipv6-name GUESTv6_IN { default-action accept description "packets from guest network" rule 3001 { action drop description "drop packets to intranet" destination { group { ipv6-network-group corporate_networkv6 } } } } ipv6-name GUESTv6_LOCAL { default-action drop description "packets from guest network to gateway" rule 3001 { action accept description "allow DNS" destination { port 53 } protocol udp } rule 3002 { action accept description "allow ICMP" protocol icmp } } ipv6-name GUESTv6_OUT { default-action accept description "packets forward to guest network" } ipv6-name LANv6_IN { default-action accept description "packets from intranet" } ipv6-name LANv6_LOCAL { default-action accept description "packets from intranet to gateway" } ipv6-name LANv6_OUT { default-action accept description "packets forward to intranet" } ipv6-name WANv6_IN { default-action drop description "packets from internet to intranet" rule 3001 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3002 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } ipv6-name WANv6_LOCAL { default-action drop description "packets from internet to gateway" rule 3001 { action accept description "Allow neighbor advertisements" icmpv6 { type neighbor-advertisement } protocol ipv6-icmp } rule 3002 { action accept description "Allow neighbor solicitation" icmpv6 { type neighbor-solicitation } protocol ipv6-icmp } rule 3003 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3004 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } ipv6-name WANv6_OUT { default-action accept description "packets to internet" } name AUTHORIZED_GUESTS { default-action drop description "authorization check packets from guest network" } name GUEST_IN { default-action accept description "packets from guest network" rule 3001 { action accept description "allow DNS packets to external name servers" destination { port 53 } protocol tcp_udp } rule 3002 { action accept description "allow packets to captive portal" destination { group { network-group captive_portal_subnets } port 443 } protocol tcp } rule 3003 { action accept description "allow packets to allow subnets" destination { group { address-group guest_pre_allow } } } rule 3004 { action drop description "drop packets to restricted subnets" destination { group { address-group guest_restricted } } } rule 3005 { action drop description "drop packets to intranet" destination { group { network-group corporate_network } } } rule 3006 { action drop description "drop packets to remote user" destination { group { network-group remote_user_vpn_network } } } rule 3007 { action drop description "allow authorized and drop unauthorized" destination { group { address-group authorized_guests } } } } name GUEST_LOCAL { default-action drop description "packets from guest network to gateway" rule 3001 { action accept description "allow DNS" destination { port 53 } protocol tcp_udp } rule 3002 { action accept description "allow ICMP" protocol icmp } rule 3003 { action accept description "allow to DHCP server" destination { port 67 } protocol udp source { port 68 } } } name GUEST_OUT { default-action accept description "packets forward to guest network" } name LAN_IN { default-action accept description "packets from intranet" rule 6001 { action accept description "accounting defined network 21.0.0.0/24" source { address 21.0.0.0/24 } } } name LAN_LOCAL { default-action accept description "packets from intranet to gateway" } name LAN_OUT { default-action accept description "packets forward to intranet" rule 6001 { action accept description "accounting defined network 21.0.0.0/24" destination { address 21.0.0.0/24 } } } name WAN_IN { default-action drop description "packets from internet to intranet" rule 3001 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3002 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } name WAN_LOCAL { default-action drop description "packets from internet to gateway" rule 3001 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3002 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } name WAN_OUT { default-action accept description "packets to internet" } options { mss-clamp { interface-type pppoe interface-type pptp interface-type vti mss 1452 } mss-clamp6 { interface-type pppoe interface-type pptp mss 1432 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { disable } ethernet eth1 { disable } ethernet eth2 { description WAN vif 101 { address dhcp description IPTV dhcp-options { default-route no-update default-route-distance 210 name-server update } mac AA:CF:4F:34:50:16 //Altibox-mac } vif 102 { address dhcp description Internett dhcp-options { client-option "retry 60;" default-route-distance 1 name-server no-update } firewall { in { ipv6-name WANv6_IN name WAN_IN } local { ipv6-name WANv6_LOCAL name WAN_LOCAL } out { ipv6-name WANv6_OUT name WAN_OUT } } } } ethernet eth3 { address 21.0.0.1/24 description LAN firewall { in { ipv6-name LANv6_IN name LAN_IN } local { ipv6-name LANv6_LOCAL name LAN_LOCAL } out { ipv6-name LANv6_OUT name LAN_OUT } } } loopback lo { } } port-forward { auto-firewall disable hairpin-nat enable lan-interface eth3 wan-interface eth2.102 } protocols { igmp-proxy { interface eth0 { alt-subnet 0.0.0.0/0 role downstream threshold 1 } interface eth2.101 { alt-subnet 172.21.0.0/16 role upstream threshold 1 } } static { route 172.21.0.0/16 { next-hop 10.174.206.1 { distance 1 } } } } service { dhcp-server { disabled false global-parameters "class "denied" { match substring (hardware, 1, 6); deny booting; } subclass "denied" 18:e8:29:b3:ad:55; subclass "denied" 18:e8:29:b3:ad:56; subclass "denied" 18:e8:29:b3:ad:57; subclass "denied" 18:e8:29:b3:ad:58;" hostfile-update enable shared-network-name net_LAN_eth3_21.0.0.0-24 { authoritative enable description vlan1 subnet 21.0.0.0/24 { default-router 21.0.0.1 dns-server 21.0.0.1 lease 42400 start 21.0.0.2 { stop 21.0.0.254 } static-mapping 02-41-9e-2c-0e-40 { host-record disable ip-address 21.0.0.20 mac-address 02:41:9e:2c:0e:40 } static-mapping 08-66-98-96-4c-ab { host-record disable ip-address 21.0.0.30 mac-address 08:66:98:96:4c:ab } static-mapping 20-df-b9-c4-b3-41 { host-record disable ip-address 21.0.0.4 mac-address 20:df:b9:c4:b3:41 } static-mapping 48-65-ee-13-26-ee { host-record disable ip-address 21.0.0.38 mac-address 48:65:ee:13:26:ee } static-mapping 78-4f-43-5a-6d-8b { host-record disable ip-address 21.0.0.33 mac-address 78:4f:43:5a:6d:8b } static-mapping b4-fb-e4-05-34-87 { host-record disable ip-address 21.0.0.8 mac-address b4:fb:e4:05:34:87 } static-mapping dc-56-e7-3e-b8-10 { host-record disable ip-address 21.0.0.39 mac-address dc:56:e7:3e:b8:10 } static-mapping dc-72-23-26-d5-0c { host-record disable ip-address 21.0.0.36 mac-address dc:72:23:26:d5:0c } static-mapping f0-9f-c2-6b-b5-9e { host-record disable ip-address 21.0.0.27 mac-address f0:9f:c2:6b:b5:9e } } } use-dnsmasq disable } dns { forwarding { cache-size 10000 except-interface eth2.102 options ptr-record=1.0.0.21.in-addr.arpa,Unifigateway options all-servers options server=92.220.228.70 options server=109.247.114.4 options host-record=unifi,21.0.0.20 } } gui { https-port 443 } ips { alien enable enable 7 interface eth3 { op add } rules ruleset { ciarmy enable compromised enable dshield enable emerging-exploit enable emerging-malware enable emerging-mobile enable emerging-shellcode enable emerging-trojan enable emerging-webserver enable emerging-worm enable tor enable } signature-scheduler 24 tor enable } lldp { interface eth2 { disable } } nat { rule 5001 { destination { address 172.21.0.0/16 } log disable outbound-interface eth2.101 protocol all type masquerade } rule 6001 { description "MASQ corporate_network to WAN" log disable outbound-interface eth2.102 protocol all source { group { network-group corporate_network } } type masquerade } rule 6002 { description "MASQ remote_user_vpn_network to WAN" log disable outbound-interface eth2.102 protocol all source { group { network-group remote_user_vpn_network } } type masquerade } rule 6003 { description "MASQ guest_network to WAN" log disable outbound-interface eth2.102 protocol all source { group { network-group guest_network } } type masquerade } } ssh { port 22 protocol-version v2 } utm { deviceid 18:e8:29:b3:ad:55 enable event-type alert optin enable token 203ce8723877f2695e5d46f29e8979cc30a46766716106550cf39cc98a8e78263 } } system { conntrack { modules { ftp { disable } gre { disable } h323 { disable } pptp { disable } sip { disable } tftp { disable } } timeout { icmp 30 other 600 tcp { close 10 close-wait 60 established 7440 fin-wait 120 last-ack 30 syn-recv 60 syn-sent 120 time-wait 120 } udp { other 30 stream 180 } } } host-name Unifigateway ip { arp { table-size 262144 } override-hostname-ip 21.0.0.1 } login { user BRUKERNAVN { authentication { encrypted-password PASSORD } level admin } } name-server 127.0.0.1 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { ipsec disable ipv4 { forwarding disable gre disable pppoe disable vlan disable } ipv6 { forwarding disable vlan disable } } static-host-mapping { host-name setup.ubnt.com { alias setup inet 21.0.0.1 } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone Europe/Oslo traffic-analysis { dpi enable export enable } } unifi { mgmt { cfgversion 52879f9a7d17db20 } }