• 1.
    firewall {
  • 2.
         all-ping enable
  • 3.
         broadcast-ping disable
  • 4.
         group {
  • 5.
             address-group authorized_guests {
  • 6.
                 description "authorized guests MAC addresses"
  • 7.
             }
  • 8.
             address-group guest_allow_dns_servers {
  • 9.
                 description "allow dns servers for guests"
  • 10.
             }
  • 11.
             address-group guest_portal_address {
  • 12.
                 description "guest portal address"
  • 13.
             }
  • 14.
             address-group guest_pre_allow {
  • 15.
                 description "allow addresses for guests"
  • 16.
             }
  • 17.
             address-group guest_restricted {
  • 18.
                 address 192.168.0.0/16
  • 19.
                 address 10.0.0.0/8
  • 20.
                 address 172.16.0.0/12
  • 21.
                 description "restricted addresses for guests"
  • 22.
             }
  • 23.
             address-group unifi_controller_addresses {
  • 24.
                 address 21.0.0.20
  • 25.
                 description "UniFi addresses"
  • 26.
             }
  • 27.
             ipv6-network-group corporate_networkv6 {
  • 28.
                 description "IPv6 corporate subnets"
  • 29.
             }
  • 30.
             ipv6-network-group guest_networkv6 {
  • 31.
                 description "IPv6 guest subnets"
  • 32.
             }
  • 33.
             network-group captive_portal_subnets {
  • 34.
                 description "captive portal subnets"
  • 35.
             }
  • 36.
             network-group corporate_network {
  • 37.
                 description "corporate subnets"
  • 38.
                 network 21.0.0.0/24
  • 39.
              }
  • 40.
             network-group guest_network {
  • 41.
                 description "guest subnets"
  • 42.
             }
  • 43.
             network-group remote_client_vpn_network {
  • 44.
                 description "remote client VPN subnets"
  • 45.
             }
  • 46.
             network-group remote_site_vpn_network {
  • 47.
                 description "remote site VPN subnets"
  • 48.
             }
  • 49.
             network-group remote_user_vpn_network {
  • 50.
                 description "Remote User VPN subnets"
  • 51.
             }
  • 52.
             port-group guest_portal_ports {
  • 53.
                 description "guest portal ports"
  • 54.
             }
  • 55.
             port-group guest_portal_redirector_ports {
  • 56.
                 description "guest portal redirector ports"
  • 57.
                 port 39080
  • 58.
                 port 39443
  • 59.
             }
  • 60.
             port-group unifi_controller_ports-tcp {
  • 61.
                 description "unifi tcp ports"
  • 62.
                 port 8080
  • 63.
             }
  • 64.
             port-group unifi_controller_ports-udp {
  • 65.
                 description "unifi udp ports"
  • 66.
                 port 3478
  • 67.
             }
  • 68.
         }
  • 69.
         ipv6-name AUTHORIZED_GUESTSv6 {
  • 70.
             default-action drop
  • 71.
             description "authorization check packets from guest network"
  • 72.
         }
  • 73.
         ipv6-name GUESTv6_IN {
  • 74.
             default-action accept
  • 75.
             description "packets from guest network"
  • 76.
             rule 3001 {
  • 77.
                 action drop
  • 78.
                 description "drop packets to intranet"
  • 79.
                 destination {
  • 80.
                     group {
  • 81.
                         ipv6-network-group corporate_networkv6
  • 82.
                     }
  • 83.
                 }
  • 84.
             }
  • 85.
         }
  • 86.
         ipv6-name GUESTv6_LOCAL {
  • 87.
             default-action drop
  • 88.
             description "packets from guest network to gateway"
  • 89.
             rule 3001 {
  • 90.
                 action accept
  • 91.
                 description "allow DNS"
  • 92.
                 destination {
  • 93.
                     port 53
  • 94.
                 }
  • 95.
                 protocol udp
  • 96.
             }
  • 97.
             rule 3002 {
  • 98.
                 action accept
  • 99.
                 description "allow ICMP"
  • 100.
                 protocol icmp
  • 101.
             }
  • 102.
         }
  • 103.
         ipv6-name GUESTv6_OUT {
  • 104.
             default-action accept
  • 105.
             description "packets forward to guest network"
  • 106.
         }
  • 107.
         ipv6-name LANv6_IN {
  • 108.
             default-action accept
  • 109.
             description "packets from intranet"
  • 110.
         }
  • 111.
         ipv6-name LANv6_LOCAL {
  • 112.
             default-action accept
  • 113.
             description "packets from intranet to gateway"
  • 114.
         }
  • 115.
         ipv6-name LANv6_OUT {
  • 116.
             default-action accept
  • 117.
             description "packets forward to intranet"
  • 118.
         }
  • 119.
         ipv6-name WANv6_IN {
  • 120.
             default-action drop
  • 121.
             description "packets from internet to intranet"
  • 122.
             rule 3001 {
  • 123.
                 action accept
  • 124.
                 description "allow established/related sessions"
  • 125.
                 state {
  • 126.
                     established enable
  • 127.
                     invalid disable
  • 128.
                     new disable
  • 129.
                     related enable
  • 130.
                 }
  • 131.
             }
  • 132.
             rule 3002 {
  • 133.
                 action drop
  • 134.
                 description "drop invalid state"
  • 135.
                 state {
  • 136.
                     established disable
  • 137.
                     invalid enable
  • 138.
                     new disable
  • 139.
                     related disable
  • 140.
                 }
  • 141.
             }
  • 142.
         }
  • 143.
         ipv6-name WANv6_LOCAL {
  • 144.
             default-action drop
  • 145.
             description "packets from internet to gateway"
  • 146.
             rule 3001 {
  • 147.
                 action accept
  • 148.
                 description "Allow neighbor advertisements"
  • 149.
                 icmpv6 {
  • 150.
                     type neighbor-advertisement
  • 151.
                 }
  • 152.
                 protocol ipv6-icmp
  • 153.
             }
  • 154.
             rule 3002 {
  • 155.
                 action accept
  • 156.
                 description "Allow neighbor solicitation"
  • 157.
                 icmpv6 {
  • 158.
                     type neighbor-solicitation
  • 159.
                 }
  • 160.
                 protocol ipv6-icmp
  • 161.
             }
  • 162.
             rule 3003 {
  • 163.
                 action accept
  • 164.
                 description "allow established/related sessions"
  • 165.
                 state {
  • 166.
                     established enable
  • 167.
                     invalid disable
  • 168.
                     new disable
  • 169.
                     related enable
  • 170.
                 }
  • 171.
             }
  • 172.
             rule 3004 {
  • 173.
                 action drop
  • 174.
                 description "drop invalid state"
  • 175.
                 state {
  • 176.
                     established disable
  • 177.
                     invalid enable
  • 178.
                     new disable
  • 179.
                     related disable
  • 180.
                 }
  • 181.
             }
  • 182.
         }
  • 183.
         ipv6-name WANv6_OUT {
  • 184.
             default-action accept
  • 185.
             description "packets to internet"
  • 186.
         }
  • 187.
         name AUTHORIZED_GUESTS {
  • 188.
             default-action drop
  • 189.
             description "authorization check packets from guest network"
  • 190.
         }
  • 191.
         name GUEST_IN {
  • 192.
             default-action accept
  • 193.
             description "packets from guest network"
  • 194.
             rule 3001 {
  • 195.
                 action accept
  • 196.
                 description "allow DNS packets to external name servers"
  • 197.
                 destination {
  • 198.
                     port 53
  • 199.
                 }
  • 200.
                 protocol tcp_udp
  • 201.
             }
  • 202.
             rule 3002 {
  • 203.
                 action accept
  • 204.
                 description "allow packets to captive portal"
  • 205.
                 destination {
  • 206.
                     group {
  • 207.
                         network-group captive_portal_subnets
  • 208.
                     }
  • 209.
                     port 443
  • 210.
                 }
  • 211.
                 protocol tcp
  • 212.
             }
  • 213.
             rule 3003 {
  • 214.
                 action accept
  • 215.
                 description "allow packets to allow subnets"
  • 216.
                 destination {
  • 217.
                     group {
  • 218.
                         address-group guest_pre_allow
  • 219.
                     }
  • 220.
                 }
  • 221.
             }
  • 222.
             rule 3004 {
  • 223.
                 action drop
  • 224.
                 description "drop packets to restricted subnets"
  • 225.
                 destination {
  • 226.
                     group {
  • 227.
                         address-group guest_restricted
  • 228.
                     }
  • 229.
                 }
  • 230.
             }
  • 231.
             rule 3005 {
  • 232.
                 action drop
  • 233.
                 description "drop packets to intranet"
  • 234.
                 destination {
  • 235.
                     group {
  • 236.
                         network-group corporate_network
  • 237.
                     }
  • 238.
                 }
  • 239.
             }
  • 240.
             rule 3006 {
  • 241.
                 action drop
  • 242.
                 description "drop packets to remote user"
  • 243.
                 destination {
  • 244.
                     group {
  • 245.
                         network-group remote_user_vpn_network
  • 246.
                     }
  • 247.
                 }
  • 248.
             }
  • 249.
             rule 3007 {
  • 250.
                 action drop
  • 251.
                 description "allow authorized and drop unauthorized"
  • 252.
                 destination {
  • 253.
                     group {
  • 254.
                         address-group authorized_guests
  • 255.
                     }
  • 256.
                 }
  • 257.
             }
  • 258.
         }
  • 259.
         name GUEST_LOCAL {
  • 260.
             default-action drop
  • 261.
             description "packets from guest network to gateway"
  • 262.
             rule 3001 {
  • 263.
                 action accept
  • 264.
                 description "allow DNS"
  • 265.
                 destination {
  • 266.
                     port 53
  • 267.
                 }
  • 268.
                 protocol tcp_udp
  • 269.
             }
  • 270.
             rule 3002 {
  • 271.
                 action accept
  • 272.
                 description "allow ICMP"
  • 273.
                 protocol icmp
  • 274.
             }
  • 275.
             rule 3003 {
  • 276.
                 action accept
  • 277.
                 description "allow to DHCP server"
  • 278.
                 destination {
  • 279.
                     port 67
  • 280.
                 }
  • 281.
                 protocol udp
  • 282.
                 source {
  • 283.
                     port 68
  • 284.
                 }
  • 285.
             }
  • 286.
         }
  • 287.
         name GUEST_OUT {
  • 288.
             default-action accept
  • 289.
             description "packets forward to guest network"
  • 290.
         }
  • 291.
         name LAN_IN {
  • 292.
             default-action accept
  • 293.
             description "packets from intranet"
  • 294.
             rule 6001 {
  • 295.
                 action accept
  • 296.
                 description "accounting defined network 21.0.0.0/24"
  • 297.
                 source {
  • 298.
                     address 21.0.0.0/24
  • 299.
                 }
  • 300.
             }
  • 301.
         }
  • 302.
         name LAN_LOCAL {
  • 303.
             default-action accept
  • 304.
             description "packets from intranet to gateway"
  • 305.
           }
  • 306.
         name LAN_OUT {
  • 307.
             default-action accept
  • 308.
             description "packets forward to intranet"
  • 309.
             rule 6001 {
  • 310.
                 action accept
  • 311.
                 description "accounting defined network 21.0.0.0/24"
  • 312.
                 destination {
  • 313.
                     address 21.0.0.0/24
  • 314.
                 }
  • 315.
             }
  • 316.
         }
  • 317.
         name WAN_IN {
  • 318.
             default-action drop
  • 319.
             description "packets from internet to intranet"
  • 320.
             rule 3001 {
  • 321.
                 action accept
  • 322.
                 description "allow established/related sessions"
  • 323.
                 state {
  • 324.
                     established enable
  • 325.
                     invalid disable
  • 326.
                     new disable
  • 327.
                     related enable
  • 328.
                 }
  • 329.
             }
  • 330.
             rule 3002 {
  • 331.
                 action drop
  • 332.
                 description "drop invalid state"
  • 333.
                 state {
  • 334.
                     established disable
  • 335.
                     invalid enable
  • 336.
                     new disable
  • 337.
                     related disable
  • 338.
                 }
  • 339.
             }
  • 340.
         }
  • 341.
         name WAN_LOCAL {
  • 342.
             default-action drop
  • 343.
            description "packets from internet to gateway"
  • 344.
             rule 3001 {
  • 345.
                 action accept
  • 346.
                 description "allow established/related sessions"
  • 347.
                 state {
  • 348.
                     established enable
  • 349.
                     invalid disable
  • 350.
                     new disable
  • 351.
                     related enable
  • 352.
                 }
  • 353.
             }
  • 354.
             rule 3002 {
  • 355.
                 action drop
  • 356.
                 description "drop invalid state"
  • 357.
                 state {
  • 358.
                     established disable
  • 359.
                     invalid enable
  • 360.
                     new disable
  • 361.
                     related disable
  • 362.
                 }
  • 363.
             }
  • 364.
         }
  • 365.
         name WAN_OUT {
  • 366.
             default-action accept
  • 367.
             description "packets to internet"
  • 368.
         }
  • 369.
         options {
  • 370.
             mss-clamp {
  • 371.
                 interface-type pppoe
  • 372.
                 interface-type pptp
  • 373.
                 interface-type vti
  • 374.
                 mss 1452
  • 375.
             }
  • 376.
             mss-clamp6 {
  • 377.
                 interface-type pppoe
  • 378.
                 interface-type pptp
  • 379.
                 mss 1432
  • 380.
             }
  • 381.
         }
  • 382.
         receive-redirects disable
  • 383.
         send-redirects enable
  • 384.
         source-validation disable
  • 385.
         syn-cookies enable
  • 386.
     }
  • 387.
     interfaces {
  • 388.
         ethernet eth0 {
  • 389.
             disable
  • 390.
         }
  • 391.
         ethernet eth1 {
  • 392.
             disable
  • 393.
         }
  • 394.
         ethernet eth2 {
  • 395.
             description WAN
  • 396.
             vif 101 {
  • 397.
                 address dhcp
  • 398.
                 description IPTV
  • 399.
                 dhcp-options {
  • 400.
                     default-route no-update
  • 401.
                     default-route-distance 210
  • 402.
                     name-server update
  • 403.
                 }
  • 404.
                 mac AA:CF:4F:34:50:16 //Altibox-mac
  • 405.
             }
  • 406.
             vif 102 {
  • 407.
                 address dhcp
  • 408.
                 description Internett
  • 409.
                 dhcp-options {
  • 410.
                     client-option "retry 60;"
  • 411.
                     default-route-distance 1
  • 412.
                     name-server no-update
  • 413.
                 }
  • 414.
                 firewall {
  • 415.
                     in {
  • 416.
                         ipv6-name WANv6_IN
  • 417.
                         name WAN_IN
  • 418.
                     }
  • 419.
                     local {
  • 420.
                         ipv6-name WANv6_LOCAL
  • 421.
                         name WAN_LOCAL
  • 422.
                     }
  • 423.
                     out {
  • 424.
                         ipv6-name WANv6_OUT
  • 425.
                         name WAN_OUT
  • 426.
                     }
  • 427.
                 }
  • 428.
             }
  • 429.
         }
  • 430.
         ethernet eth3 {
  • 431.
             address 21.0.0.1/24
  • 432.
             description LAN
  • 433.
             firewall {
  • 434.
                 in {
  • 435.
                     ipv6-name LANv6_IN
  • 436.
                     name LAN_IN
  • 437.
                 }
  • 438.
                 local {
  • 439.
                     ipv6-name LANv6_LOCAL
  • 440.
                     name LAN_LOCAL
  • 441.
                 }
  • 442.
                 out {
  • 443.
                     ipv6-name LANv6_OUT
  • 444.
                     name LAN_OUT
  • 445.
                 }
  • 446.
             }
  • 447.
         }
  • 448.
         loopback lo {
  • 449.
         }
  • 450.
     }
  • 451.
     port-forward {
  • 452.
         auto-firewall disable
  • 453.
         hairpin-nat enable
  • 454.
         lan-interface eth3
  • 455.
         wan-interface eth2.102
  • 456.
     }
  • 457.
    protocols {
  • 458.
         igmp-proxy {
  • 459.
             interface eth0 {
  • 460.
                 alt-subnet 0.0.0.0/0
  • 461.
                 role downstream
  • 462.
                 threshold 1
  • 463.
             }
  • 464.
             interface eth2.101 {
  • 465.
                 alt-subnet 172.21.0.0/16
  • 466.
                 role upstream
  • 467.
                 threshold 1
  • 468.
             }
  • 469.
         }
  • 470.
         static {
  • 471.
             route 172.21.0.0/16 {
  • 472.
                 next-hop 10.174.206.1 {
  • 473.
                     distance 1
  • 474.
                 }
  • 475.
             }
  • 476.
         }
  • 477.
     }
  • 478.
     service {
  • 479.
         dhcp-server {
  • 480.
             disabled false
  • 481.
             global-parameters "class "denied" { match substring (hardware, 1, 6); deny booting; } subclass "denied" 18:e8:29:b3:ad:55; subclass "denied" 18:e8:29:b3:ad:56; subclass "denied" 18:e8:29:b3:ad:57; subclass "denied" 18:e8:29:b3:ad:58;"
  • 482.
             hostfile-update enable
  • 483.
             shared-network-name net_LAN_eth3_21.0.0.0-24 {
  • 484.
                 authoritative enable
  • 485.
                 description vlan1
  • 486.
                 subnet 21.0.0.0/24 {
  • 487.
                     default-router 21.0.0.1
  • 488.
                     dns-server 21.0.0.1
  • 489.
                     lease 42400
  • 490.
                     start 21.0.0.2 {
  • 491.
                         stop 21.0.0.254
  • 492.
                     }
  • 493.
                       static-mapping 02-41-9e-2c-0e-40 {
  • 494.
                         host-record disable
  • 495.
                         ip-address 21.0.0.20
  • 496.
                         mac-address 02:41:9e:2c:0e:40
  • 497.
                     }
  • 498.
                     static-mapping 08-66-98-96-4c-ab {
  • 499.
                         host-record disable
  • 500.
                         ip-address 21.0.0.30
  • 501.
                         mac-address 08:66:98:96:4c:ab
  • 502.
                     }
  • 503.
                     static-mapping 20-df-b9-c4-b3-41 {
  • 504.
                         host-record disable
  • 505.
                         ip-address 21.0.0.4
  • 506.
                         mac-address 20:df:b9:c4:b3:41
  • 507.
                     }
  • 508.
                     static-mapping 48-65-ee-13-26-ee {
  • 509.
                         host-record disable
  • 510.
                         ip-address 21.0.0.38
  • 511.
                         mac-address 48:65:ee:13:26:ee
  • 512.
                     }
  • 513.
                     static-mapping 78-4f-43-5a-6d-8b {
  • 514.
                         host-record disable
  • 515.
                         ip-address 21.0.0.33
  • 516.
                         mac-address 78:4f:43:5a:6d:8b
  • 517.
                     }
  • 518.
                     static-mapping b4-fb-e4-05-34-87 {
  • 519.
                         host-record disable
  • 520.
                         ip-address 21.0.0.8
  • 521.
                         mac-address b4:fb:e4:05:34:87
  • 522.
                     }
  • 523.
                     static-mapping dc-56-e7-3e-b8-10 {
  • 524.
                         host-record disable
  • 525.
                         ip-address 21.0.0.39
  • 526.
                         mac-address dc:56:e7:3e:b8:10
  • 527.
                     }
  • 528.
                     static-mapping dc-72-23-26-d5-0c {
  • 529.
                         host-record disable
  • 530.
                         ip-address 21.0.0.36
  • 531.
                        mac-address dc:72:23:26:d5:0c
  • 532.
                     }
  • 533.
                     static-mapping f0-9f-c2-6b-b5-9e {
  • 534.
                         host-record disable
  • 535.
                         ip-address 21.0.0.27
  • 536.
                         mac-address f0:9f:c2:6b:b5:9e
  • 537.
                     }
  • 538.
                 }
  • 539.
             }
  • 540.
             use-dnsmasq disable
  • 541.
         }
  • 542.
         dns {
  • 543.
             forwarding {
  • 544.
                 cache-size 10000
  • 545.
                 except-interface eth2.102
  • 546.
                 options ptr-record=1.0.0.21.in-addr.arpa,Unifigateway
  • 547.
                 options all-servers
  • 548.
                 options server=92.220.228.70
  • 549.
                 options server=109.247.114.4
  • 550.
                 options host-record=unifi,21.0.0.20
  • 551.
             }
  • 552.
         }
  • 553.
         gui {
  • 554.
             https-port 443
  • 555.
         }
  • 556.
         ips {
  • 557.
             alien enable
  • 558.
             enable 7
  • 559.
             interface eth3 {
  • 560.
                 op add
  • 561.
             }
  • 562.
             rules ruleset {
  • 563.
                 ciarmy enable
  • 564.
                 compromised enable
  • 565.
                 dshield enable
  • 566.
                 emerging-exploit enable
  • 567.
                 emerging-malware enable
  • 568.
                 emerging-mobile enable
  • 569.
                emerging-shellcode enable
  • 570.
                 emerging-trojan enable
  • 571.
                 emerging-webserver enable
  • 572.
                 emerging-worm enable
  • 573.
                 tor enable
  • 574.
             }
  • 575.
             signature-scheduler 24
  • 576.
             tor enable
  • 577.
         }
  • 578.
         lldp {
  • 579.
             interface eth2 {
  • 580.
                 disable
  • 581.
             }
  • 582.
         }
  • 583.
         nat {
  • 584.
             rule 5001 {
  • 585.
                 destination {
  • 586.
                     address 172.21.0.0/16
  • 587.
                 }
  • 588.
                 log disable
  • 589.
                 outbound-interface eth2.101
  • 590.
                 protocol all
  • 591.
                 type masquerade
  • 592.
             }
  • 593.
             rule 6001 {
  • 594.
                 description "MASQ corporate_network to WAN"
  • 595.
                 log disable
  • 596.
                 outbound-interface eth2.102
  • 597.
                 protocol all
  • 598.
                 source {
  • 599.
                     group {
  • 600.
                         network-group corporate_network
  • 601.
                     }
  • 602.
                 }
  • 603.
                 type masquerade
  • 604.
             }
  • 605.
             rule 6002 {
  • 606.
                 description "MASQ remote_user_vpn_network to WAN"
  • 607.
               log disable
  • 608.
                 outbound-interface eth2.102
  • 609.
                 protocol all
  • 610.
                 source {
  • 611.
                     group {
  • 612.
                         network-group remote_user_vpn_network
  • 613.
                     }
  • 614.
                 }
  • 615.
                 type masquerade
  • 616.
             }
  • 617.
             rule 6003 {
  • 618.
                 description "MASQ guest_network to WAN"
  • 619.
                 log disable
  • 620.
                 outbound-interface eth2.102
  • 621.
                 protocol all
  • 622.
                 source {
  • 623.
                     group {
  • 624.
                         network-group guest_network
  • 625.
                     }
  • 626.
                 }
  • 627.
                 type masquerade
  • 628.
             }
  • 629.
         }
  • 630.
         ssh {
  • 631.
             port 22
  • 632.
             protocol-version v2
  • 633.
         }
  • 634.
         utm {
  • 635.
             deviceid 18:e8:29:b3:ad:55
  • 636.
             enable
  • 637.
             event-type alert
  • 638.
             optin enable
  • 639.
             token 203ce8723877f2695e5d46f29e8979cc30a46766716106550cf39cc98a8e78263
  • 640.
         }
  • 641.
     }
  • 642.
     system {
  • 643.
         conntrack {
  • 644.
             modules {
  • 645.
                 ftp {
  • 646.
                     disable
  • 647.
                 }
  • 648.
                 gre {
  • 649.
                     disable
  • 650.
                 }
  • 651.
                 h323 {
  • 652.
                     disable
  • 653.
                 }
  • 654.
                 pptp {
  • 655.
                     disable
  • 656.
                 }
  • 657.
                 sip {
  • 658.
                     disable
  • 659.
                 }
  • 660.
                 tftp {
  • 661.
                     disable
  • 662.
                 }
  • 663.
             }
  • 664.
             timeout {
  • 665.
                 icmp 30
  • 666.
                 other 600
  • 667.
                 tcp {
  • 668.
                     close 10
  • 669.
                     close-wait 60
  • 670.
                     established 7440
  • 671.
                     fin-wait 120
  • 672.
                     last-ack 30
  • 673.
                     syn-recv 60
  • 674.
                     syn-sent 120
  • 675.
                     time-wait 120
  • 676.
                 }
  • 677.
                 udp {
  • 678.
                     other 30
  • 679.
                     stream 180
  • 680.
                 }
  • 681.
             }
  • 682.
         }    
  • 683.
              host-name Unifigateway
  • 684.
         ip {
  • 685.
             arp {
  • 686.
                 table-size 262144
  • 687.
             }
  • 688.
             override-hostname-ip 21.0.0.1
  • 689.
         }
  • 690.
         login {
  • 691.
             user  BRUKERNAVN {
  • 692.
                 authentication {
  • 693.
                     encrypted-password PASSORD
  • 694.
                 }
  • 695.
                 level admin
  • 696.
             }
  • 697.
         }
  • 698.
         name-server 127.0.0.1
  • 699.
         ntp {
  • 700.
             server 0.ubnt.pool.ntp.org {
  • 701.
             }
  • 702.
             server 1.ubnt.pool.ntp.org {
  • 703.
             }
  • 704.
             server 2.ubnt.pool.ntp.org {
  • 705.
             }
  • 706.
             server 3.ubnt.pool.ntp.org {
  • 707.
             }
  • 708.
         }
  • 709.
         offload {
  • 710.
             ipsec disable
  • 711.
             ipv4 {
  • 712.
                 forwarding disable
  • 713.
                 gre disable
  • 714.
                 pppoe disable
  • 715.
                 vlan disable
  • 716.
             }
  • 717.
             ipv6 {
  • 718.
                 forwarding disable
  • 719.
                 vlan disable
  • 720.
             }
  • 721.
         }
  • 722.
         static-host-mapping {
  • 723.
             host-name setup.ubnt.com {
  • 724.
                 alias setup
  • 725.
                 inet 21.0.0.1
  • 726.
             }
  • 727.
         }
  • 728.
         syslog {
  • 729.
             global {
  • 730.
                 facility all {
  • 731.
                     level notice
  • 732.
                 }
  • 733.
                 facility protocols {
  • 734.
                     level debug
  • 735.
                 }
  • 736.
             }
  • 737.
         }
  • 738.
         time-zone Europe/Oslo
  • 739.
         traffic-analysis {
  • 740.
             dpi enable
  • 741.
             export enable
  • 742.
         }
  • 743.
     }
  • 744.
     unifi {
  • 745.
         mgmt {
  • 746.
             cfgversion 52879f9a7d17db20
  • 747.
         }
  • 748.
     }
  • 749.
     
firewall { all-ping enable broadcast-ping disable group { address-group authorized_guests { description "authorized guests MAC addresses" } address-group guest_allow_dns_servers { description "allow dns servers for guests" } address-group guest_portal_address { description "guest portal address" } address-group guest_pre_allow { description "allow addresses for guests" } address-group guest_restricted { address 192.168.0.0/16 address 10.0.0.0/8 address 172.16.0.0/12 description "restricted addresses for guests" } address-group unifi_controller_addresses { address 21.0.0.20 description "UniFi addresses" } ipv6-network-group corporate_networkv6 { description "IPv6 corporate subnets" } ipv6-network-group guest_networkv6 { description "IPv6 guest subnets" } network-group captive_portal_subnets { description "captive portal subnets" } network-group corporate_network { description "corporate subnets" network 21.0.0.0/24 } network-group guest_network { description "guest subnets" } network-group remote_client_vpn_network { description "remote client VPN subnets" } network-group remote_site_vpn_network { description "remote site VPN subnets" } network-group remote_user_vpn_network { description "Remote User VPN subnets" } port-group guest_portal_ports { description "guest portal ports" } port-group guest_portal_redirector_ports { description "guest portal redirector ports" port 39080 port 39443 } port-group unifi_controller_ports-tcp { description "unifi tcp ports" port 8080 } port-group unifi_controller_ports-udp { description "unifi udp ports" port 3478 } } ipv6-name AUTHORIZED_GUESTSv6 { default-action drop description "authorization check packets from guest network" } ipv6-name GUESTv6_IN { default-action accept description "packets from guest network" rule 3001 { action drop description "drop packets to intranet" destination { group { ipv6-network-group corporate_networkv6 } } } } ipv6-name GUESTv6_LOCAL { default-action drop description "packets from guest network to gateway" rule 3001 { action accept description "allow DNS" destination { port 53 } protocol udp } rule 3002 { action accept description "allow ICMP" protocol icmp } } ipv6-name GUESTv6_OUT { default-action accept description "packets forward to guest network" } ipv6-name LANv6_IN { default-action accept description "packets from intranet" } ipv6-name LANv6_LOCAL { default-action accept description "packets from intranet to gateway" } ipv6-name LANv6_OUT { default-action accept description "packets forward to intranet" } ipv6-name WANv6_IN { default-action drop description "packets from internet to intranet" rule 3001 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3002 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } ipv6-name WANv6_LOCAL { default-action drop description "packets from internet to gateway" rule 3001 { action accept description "Allow neighbor advertisements" icmpv6 { type neighbor-advertisement } protocol ipv6-icmp } rule 3002 { action accept description "Allow neighbor solicitation" icmpv6 { type neighbor-solicitation } protocol ipv6-icmp } rule 3003 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3004 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } ipv6-name WANv6_OUT { default-action accept description "packets to internet" } name AUTHORIZED_GUESTS { default-action drop description "authorization check packets from guest network" } name GUEST_IN { default-action accept description "packets from guest network" rule 3001 { action accept description "allow DNS packets to external name servers" destination { port 53 } protocol tcp_udp } rule 3002 { action accept description "allow packets to captive portal" destination { group { network-group captive_portal_subnets } port 443 } protocol tcp } rule 3003 { action accept description "allow packets to allow subnets" destination { group { address-group guest_pre_allow } } } rule 3004 { action drop description "drop packets to restricted subnets" destination { group { address-group guest_restricted } } } rule 3005 { action drop description "drop packets to intranet" destination { group { network-group corporate_network } } } rule 3006 { action drop description "drop packets to remote user" destination { group { network-group remote_user_vpn_network } } } rule 3007 { action drop description "allow authorized and drop unauthorized" destination { group { address-group authorized_guests } } } } name GUEST_LOCAL { default-action drop description "packets from guest network to gateway" rule 3001 { action accept description "allow DNS" destination { port 53 } protocol tcp_udp } rule 3002 { action accept description "allow ICMP" protocol icmp } rule 3003 { action accept description "allow to DHCP server" destination { port 67 } protocol udp source { port 68 } } } name GUEST_OUT { default-action accept description "packets forward to guest network" } name LAN_IN { default-action accept description "packets from intranet" rule 6001 { action accept description "accounting defined network 21.0.0.0/24" source { address 21.0.0.0/24 } } } name LAN_LOCAL { default-action accept description "packets from intranet to gateway" } name LAN_OUT { default-action accept description "packets forward to intranet" rule 6001 { action accept description "accounting defined network 21.0.0.0/24" destination { address 21.0.0.0/24 } } } name WAN_IN { default-action drop description "packets from internet to intranet" rule 3001 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3002 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } name WAN_LOCAL { default-action drop description "packets from internet to gateway" rule 3001 { action accept description "allow established/related sessions" state { established enable invalid disable new disable related enable } } rule 3002 { action drop description "drop invalid state" state { established disable invalid enable new disable related disable } } } name WAN_OUT { default-action accept description "packets to internet" } options { mss-clamp { interface-type pppoe interface-type pptp interface-type vti mss 1452 } mss-clamp6 { interface-type pppoe interface-type pptp mss 1432 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { disable } ethernet eth1 { disable } ethernet eth2 { description WAN vif 101 { address dhcp description IPTV dhcp-options { default-route no-update default-route-distance 210 name-server update } mac AA:CF:4F:34:50:16 //Altibox-mac } vif 102 { address dhcp description Internett dhcp-options { client-option "retry 60;" default-route-distance 1 name-server no-update } firewall { in { ipv6-name WANv6_IN name WAN_IN } local { ipv6-name WANv6_LOCAL name WAN_LOCAL } out { ipv6-name WANv6_OUT name WAN_OUT } } } } ethernet eth3 { address 21.0.0.1/24 description LAN firewall { in { ipv6-name LANv6_IN name LAN_IN } local { ipv6-name LANv6_LOCAL name LAN_LOCAL } out { ipv6-name LANv6_OUT name LAN_OUT } } } loopback lo { } } port-forward { auto-firewall disable hairpin-nat enable lan-interface eth3 wan-interface eth2.102 } protocols { igmp-proxy { interface eth0 { alt-subnet 0.0.0.0/0 role downstream threshold 1 } interface eth2.101 { alt-subnet 172.21.0.0/16 role upstream threshold 1 } } static { route 172.21.0.0/16 { next-hop 10.174.206.1 { distance 1 } } } } service { dhcp-server { disabled false global-parameters "class "denied" { match substring (hardware, 1, 6); deny booting; } subclass "denied" 18:e8:29:b3:ad:55; subclass "denied" 18:e8:29:b3:ad:56; subclass "denied" 18:e8:29:b3:ad:57; subclass "denied" 18:e8:29:b3:ad:58;" hostfile-update enable shared-network-name net_LAN_eth3_21.0.0.0-24 { authoritative enable description vlan1 subnet 21.0.0.0/24 { default-router 21.0.0.1 dns-server 21.0.0.1 lease 42400 start 21.0.0.2 { stop 21.0.0.254 } static-mapping 02-41-9e-2c-0e-40 { host-record disable ip-address 21.0.0.20 mac-address 02:41:9e:2c:0e:40 } static-mapping 08-66-98-96-4c-ab { host-record disable ip-address 21.0.0.30 mac-address 08:66:98:96:4c:ab } static-mapping 20-df-b9-c4-b3-41 { host-record disable ip-address 21.0.0.4 mac-address 20:df:b9:c4:b3:41 } static-mapping 48-65-ee-13-26-ee { host-record disable ip-address 21.0.0.38 mac-address 48:65:ee:13:26:ee } static-mapping 78-4f-43-5a-6d-8b { host-record disable ip-address 21.0.0.33 mac-address 78:4f:43:5a:6d:8b } static-mapping b4-fb-e4-05-34-87 { host-record disable ip-address 21.0.0.8 mac-address b4:fb:e4:05:34:87 } static-mapping dc-56-e7-3e-b8-10 { host-record disable ip-address 21.0.0.39 mac-address dc:56:e7:3e:b8:10 } static-mapping dc-72-23-26-d5-0c { host-record disable ip-address 21.0.0.36 mac-address dc:72:23:26:d5:0c } static-mapping f0-9f-c2-6b-b5-9e { host-record disable ip-address 21.0.0.27 mac-address f0:9f:c2:6b:b5:9e } } } use-dnsmasq disable } dns { forwarding { cache-size 10000 except-interface eth2.102 options ptr-record=1.0.0.21.in-addr.arpa,Unifigateway options all-servers options server=92.220.228.70 options server=109.247.114.4 options host-record=unifi,21.0.0.20 } } gui { https-port 443 } ips { alien enable enable 7 interface eth3 { op add } rules ruleset { ciarmy enable compromised enable dshield enable emerging-exploit enable emerging-malware enable emerging-mobile enable emerging-shellcode enable emerging-trojan enable emerging-webserver enable emerging-worm enable tor enable } signature-scheduler 24 tor enable } lldp { interface eth2 { disable } } nat { rule 5001 { destination { address 172.21.0.0/16 } log disable outbound-interface eth2.101 protocol all type masquerade } rule 6001 { description "MASQ corporate_network to WAN" log disable outbound-interface eth2.102 protocol all source { group { network-group corporate_network } } type masquerade } rule 6002 { description "MASQ remote_user_vpn_network to WAN" log disable outbound-interface eth2.102 protocol all source { group { network-group remote_user_vpn_network } } type masquerade } rule 6003 { description "MASQ guest_network to WAN" log disable outbound-interface eth2.102 protocol all source { group { network-group guest_network } } type masquerade } } ssh { port 22 protocol-version v2 } utm { deviceid 18:e8:29:b3:ad:55 enable event-type alert optin enable token 203ce8723877f2695e5d46f29e8979cc30a46766716106550cf39cc98a8e78263 } } system { conntrack { modules { ftp { disable } gre { disable } h323 { disable } pptp { disable } sip { disable } tftp { disable } } timeout { icmp 30 other 600 tcp { close 10 close-wait 60 established 7440 fin-wait 120 last-ack 30 syn-recv 60 syn-sent 120 time-wait 120 } udp { other 30 stream 180 } } } host-name Unifigateway ip { arp { table-size 262144 } override-hostname-ip 21.0.0.1 } login { user BRUKERNAVN { authentication { encrypted-password PASSORD } level admin } } name-server 127.0.0.1 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { ipsec disable ipv4 { forwarding disable gre disable pppoe disable vlan disable } ipv6 { forwarding disable vlan disable } } static-host-mapping { host-name setup.ubnt.com { alias setup inet 21.0.0.1 } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone Europe/Oslo traffic-analysis { dpi enable export enable } } unifi { mgmt { cfgversion 52879f9a7d17db20 } }

Copy Code to Clipboard Raw

Sign-in or Create a Free Account.

Snippi uses Twitter or Facebook to register and create accounts. Registration will enable you to keep track of your snippets. We never spam your timeline or wall. Ever.

Sign-in with Facebook Sign-in with Twitter