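/* Stateful packet filter. The forward and input filters below only dispatch into the named chains (MAIN-* for the pppoe0/WAN side, GUEST-* for the guest VLANs); a named chain with default-action reject drops everything its rules do not explicitly accept. */
firewall {
    group {
        /* Guest VLAN interfaces: br1.17 (wlan_guest) and br1.20 (guest), see interfaces bridge br1 vif 17/20. */
        interface-group GUEST {
            interface "br1.17"
            interface "br1.20"
        }
        port-group HTTP {
            description "HTTP Standard Ports"
            port "80"
            port "443"
        }
        /* NOTE(review): nat destination rule 2 also forwards tcp/857, which is not listed here, so that port is rejected by MAIN-IN-v4/-v6 rule 301 - presumably a typo for 587 (already listed); confirm before changing either side. */
        port-group MAIL {
            description "MAIL standard ports"
            port "25"
            port "110"
            port "143"
            port "465"
            port "587"
            port "993"
            port "995"
        }
    }
    ipv4 {
        forward {
            filter {
                /* Routed traffic not caught by a jump below (e.g. server <-> workstations <-> iot) is accepted unfiltered. */
                default-action "accept"
                /* WAN -> anywhere */
                rule 5 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "MAIN-IN-v4"
                }
                /* guest -> anywhere (guest -> guest included) */
                rule 50 {
                    action "jump"
                    inbound-interface {
                        group "GUEST"
                    }
                    jump-target "GUEST-OUT-v4"
                }
                /* internal (non-guest, non-WAN) -> guest */
                rule 51 {
                    action "jump"
                    jump-target "GUEST-IN-v4"
                    outbound-interface {
                        group "GUEST"
                    }
                }
                /* internal -> WAN */
                rule 100 {
                    action "jump"
                    jump-target "MAIN-OUT-v4"
                    outbound-interface {
                        name "pppoe0"
                    }
                }
            }
        }
        input {
            filter {
                /* NOTE(review): only packets arriving on pppoe0 and addressed to the router itself are filtered. There is no GUEST jump here (unlike the forward filter), so hosts on br1.17/br1.20 reach every local service (ssh on 10.10.0.1, dns forwarding, ntp, the exporters) under default-action accept; add a jump to a guest chain here if that is not intended. */
                default-action "accept"
                rule 5 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "MAIN-LOCAL-v4"
                }
            }
        }
        /* Towards the guest VLANs: only replies to guest-initiated flows and ping. */
        name GUEST-IN-v4 {
            default-action "reject"
            rule 1 {
                action "accept"
                description "Allow related and established"
                state "established"
                state "related"
            }
            rule 101 {
                action "accept"
                description "Allow ping"
                icmp {
                    type "8"
                }
                protocol "icmp"
            }
        }
        /* Out of the guest VLANs: DNS to any resolver, anything towards the WAN, and the reverse proxy; everything else (the other internal subnets) is rejected and logged. */
        name GUEST-OUT-v4 {
            default-action "reject"
            default-log
            rule 100 {
                action "accept"
                description "Allow DNS-Access"
                destination {
                    port "53"
                }
                protocol "tcp_udp"
            }
            /* Despite its description this rule accepts: guest -> WAN passes here, and "local" traffic is what falls through to the default reject. */
            rule 300 {
                action "accept"
                description "Forbid Local Traffic"
                outbound-interface {
                    name "pppoe0"
                }
            }
            rule 301 {
                action "accept"
                description "Allow Traefik Access"
                destination {
                    address "10.35.0.201"
                }
                protocol "tcp_udp"
            }
        }
        /* WAN -> internal. Each accept below has a matching nat destination rule; only rule 305 is pinned to the translated host, the others match on port alone. */
        name MAIN-IN-v4 {
            default-action "reject"
            description "Filtering of incoming Gateway traffic"
            rule 1 {
                action "accept"
                description "Allow related and established"
                state "established"
                state "related"
            }
            rule 100 {
                action "accept"
                description "Allow ping"
                icmp {
                    type "8"
                }
                protocol "icmp"
            }
            rule 300 {
                action "accept"
                description "Allow https"
                destination {
                    group {
                        port-group "HTTP"
                    }
                }
                protocol "tcp"
            }
            rule 301 {
                action "accept"
                description "Allow Mail"
                destination {
                    group {
                        port-group "MAIL"
                    }
                }
                protocol "tcp"
            }
            rule 302 {
                action "accept"
                description "Allow SSH for git"
                destination {
                    port "2222"
                }
                protocol "tcp"
            }
            rule 303 {
                action "accept"
                description "Minecraft Server"
                destination {
                    port "25565-25570"
                }
                log
                protocol "tcp"
            }
            rule 304 {
                action "accept"
                description "Matrix Federation"
                destination {
                    port "8448"
                }
                log
                protocol "tcp"
            }
            rule 305 {
                action "accept"
                description "ark"
                destination {
                    address "10.38.0.41"
                    port "7777"
                }
                log
                protocol "udp"
            }
        }
        /* WAN -> this router: replies, ssh, ping, WireGuard. */
        name MAIN-LOCAL-v4 {
            default-action "reject"
            description "Filtering of traffic for this host"
            rule 1 {
                action "accept"
                description "Allow related and established"
                state "established"
                state "related"
            }
            /* Changed from tcp_udp to tcp: ssh is TCP-only, so udp/22 was an unneeded opening. sshd is bound to 10.10.0.1 / fd74:af:0:10::1 only (service ssh listen-address), so this rule admits nothing today; keep it only if ssh on the WAN address is planned. */
            rule 100 {
                action "accept"
                description "Allow SSH"
                destination {
                    port "22"
                }
                protocol "tcp"
            }
            rule 101 {
                action "accept"
                description "Allow ping"
                icmp {
                    type "8"
                }
                protocol "icmp"
            }
            /* udp/2224 is the listen port of interfaces wireguard wg1. */
            rule 300 {
                action "accept"
                description "allow wireguard"
                destination {
                    port "2224"
                }
                protocol "udp"
            }
        }
        /* internal -> WAN: everything passes except one MAC that is dropped and logged. */
        name MAIN-OUT-v4 {
            default-action "accept"
            description "Filtering of outgoing Gateway traffic"
            rule 200 {
                action "drop"
                log
                source {
                    mac-address "50:8b:b9:bb:5a:df"
                }
            }
        }
    }
    ipv6 {
        forward {
            filter {
                /* Same dispatch as ipv4 forward. */
                default-action "accept"
                rule 5 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "MAIN-IN-v6"
                }
                rule 50 {
                    action "jump"
                    inbound-interface {
                        group "GUEST"
                    }
                    jump-target "GUEST-OUT-v6"
                }
                rule 51 {
                    action "jump"
                    jump-target "GUEST-IN-v6"
                    outbound-interface {
                        group "GUEST"
                    }
                }
                rule 100 {
                    action "jump"
                    jump-target "MAIN-OUT-v6"
                    outbound-interface {
                        name "pppoe0"
                    }
                }
            }
        }
        input {
            filter {
                /* NOTE(review): same gap as ipv4 input - guest VLANs are not filtered on the way to the router's own services. */
                default-action "accept"
                rule 5 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "MAIN-LOCAL-v6"
                }
            }
        }
        /* Towards the guest VLANs: replies, all ICMPv6, link-local sources and multicast destinations. */
        name GUEST-IN-v6 {
            default-action "reject"
            rule 1 {
                action "accept"
                description "Allow related and established"
                state "established"
                state "related"
            }
            rule 101 {
                action "accept"
                description "Allow icmpv6"
                protocol "icmpv6"
            }
            rule 102 {
                action "accept"
                description "Allow outgoing link-local"
                source {
                    address "fe80::/10"
                }
            }
            rule 103 {
                action "accept"
                description "Allow outgoing multicast"
                destination {
                    address "ff00::/8"
                }
            }
            /* Former rule 104 removed: it duplicated rule 103 exactly (accept destination ff00::/8). */
        }
        /* Out of the guest VLANs, v6 counterpart of GUEST-OUT-v4. */
        name GUEST-OUT-v6 {
            default-action "reject"
            default-log
            /* Unlike the v4 chain this DNS rule is limited to the WAN; rule 300 already accepts everything towards pppoe0, so it is redundant - presumably kept for symmetry with v4, confirm. Internal DNS is covered by rule 101. */
            rule 100 {
                action "accept"
                description "Allow DNS-Access"
                destination {
                    port "53"
                }
                outbound-interface {
                    name "pppoe0"
                }
                protocol "tcp_udp"
            }
            rule 101 {
                action "accept"
                description "Enable DNS Access"
                destination {
                    address "fd74:af:0:30::53"
                }
                protocol "tcp_udp"
            }
            rule 300 {
                action "accept"
                description "Forbid Local Traffic"
                outbound-interface {
                    name "pppoe0"
                }
            }
            rule 301 {
                action "accept"
                description "Allow Traefik Access"
                destination {
                    address "fd74:af:0:35::201"
                }
                protocol "tcp_udp"
            }
        }
        /* WAN -> internal over v6. Each service accept has a matching nat66 destination rule; there is no ark rule here (no nat66 rule for udp/7777). */
        name MAIN-IN-v6 {
            default-action "reject"
            description "Filtering of incoming Gateway traffic"
            rule 1 {
                action "accept"
                description "Allow related and established"
                state "established"
                state "related"
            }
            /* Fixed: ICMPv6 echo-request is type 128 (type 8 is the ICMPv4 value and never matched). Rule 102 accepts all icmpv6 anyway, so reachability is unchanged. */
            rule 100 {
                action "accept"
                description "Allow ping"
                icmpv6 {
                    type "128"
                }
            }
            /* NOTE(review): the v4 twin (MAIN-IN-v4 rule 300) is tcp only; tcp_udp here also admits udp/80 and udp/443 - confirm that is intended (e.g. for QUIC). */
            rule 101 {
                action "accept"
                description "Allow http"
                destination {
                    group {
                        port-group "HTTP"
                    }
                }
                protocol "tcp_udp"
            }
            rule 102 {
                action "accept"
                description "Allow icmp"
                protocol "icmpv6"
            }
            rule 103 {
                action "accept"
                description "Allow outgoing link-local"
                source {
                    address "fe80::/10"
                }
            }
            rule 104 {
                action "accept"
                description "Allow outgoing multicast"
                destination {
                    address "ff00::/8"
                }
            }
            rule 301 {
                action "accept"
                description "Allow Mail"
                destination {
                    group {
                        port-group "MAIL"
                    }
                }
                protocol "tcp"
            }
            rule 302 {
                action "accept"
                description "Allow SSH for git"
                destination {
                    port "2222"
                }
                protocol "tcp"
            }
            rule 303 {
                action "accept"
                description "Minecraft Server"
                destination {
                    port "25565-25570"
                }
                log
                protocol "tcp"
            }
            rule 304 {
                action "accept"
                description "Matrix Federation"
                destination {
                    port "8448"
                }
                log
                protocol "tcp"
            }
        }
        /* WAN -> this router over v6: replies, ssh, all ICMPv6 (needed for ND/RA), link-local and multicast. No WireGuard rule here, unlike MAIN-LOCAL-v4. */
        name MAIN-LOCAL-v6 {
            default-action "reject"
            description "Filtering of traffic for this host"
            rule 1 {
                action "accept"
                description "Allow related and established"
                state "established"
                state "related"
            }
            /* Changed from tcp_udp to tcp (ssh is TCP-only); sshd is not bound to the pppoe0 address, see service ssh listen-address. */
            rule 100 {
                action "accept"
                description "Allow SSH"
                destination {
                    port "22"
                }
                protocol "tcp"
            }
            rule 101 {
                action "accept"
                description "Allow icmpv6"
                protocol "icmpv6"
            }
            rule 102 {
                action "accept"
                description "Allow outgoing link-local"
                source {
                    address "fe80::/10"
                }
            }
            rule 103 {
                action "accept"
                description "Allow outgoing multicast"
                destination {
                    address "ff00::/8"
                }
            }
        }
        /* internal -> WAN over v6: same single MAC drop as MAIN-OUT-v4. */
        name MAIN-OUT-v6 {
            default-action "accept"
            description "Filtering of outgoing Gateway traffic"
            rule 200 {
                action "drop"
                log
                source {
                    mac-address "50:8b:b9:bb:5a:df"
                }
            }
        }
    }
}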
|
|
interfaces {
    /* VLAN-aware LAN bridge. eth2 and eth3 are trunks, eth1 carries only VLAN 35; the guest VLANs 17 and 20 are trunked on eth3 alone. One vif per VLAN holds the gateway address. */
    bridge br1 {
        description "LAN"
        enable-vlan
        member {
            interface eth1 {
                allowed-vlan "35"
                native-vlan "35"
            }
            interface eth2 {
                allowed-vlan "35"
                allowed-vlan "15"
                allowed-vlan "16"
                allowed-vlan "31"
                allowed-vlan "38"
                allowed-vlan "50"
                native-vlan "35"
            }
            interface eth3 {
                allowed-vlan "35"
                allowed-vlan "15"
                allowed-vlan "16"
                allowed-vlan "17"
                allowed-vlan "20"
                allowed-vlan "31"
                allowed-vlan "38"
                allowed-vlan "50"
                allowed-vlan "39"
                native-vlan "35"
            }
        }
        vif 15 {
            address "10.15.0.1/24"
            address "fd74:af:0:15::1/64"
            description "wlan_mgmt"
        }
        vif 16 {
            address "10.16.0.1/24"
            description "wlan_client"
        }
        /* Member of firewall interface-group GUEST. */
        vif 17 {
            address "10.17.0.1/24"
            description "wlan_guest"
        }
        /* Member of firewall interface-group GUEST. No IPv6 address and no pd entry below, although service router-advert has a br1.20 prefix entry - presumably no global v6 prefix is advertised there, confirm. */
        vif 20 {
            address "10.20.0.1/24"
            description "guest"
        }
        vif 31 {
            address "10.31.0.1/24"
            description "workstations"
        }
        vif 35 {
            address "10.35.0.1/24"
            address "fd74:af:0:35::1/64"
            description "server"
        }
        vif 38 {
            address "10.38.0.1/24"
            address "fd74:af:0:38::1/64"
            description "dmz"
        }
        vif 39 {
            address "10.39.0.1/24"
            address "fd74:af:0:39::1/64"
            description "kit"
        }
        vif 50 {
            address "10.50.0.1/24"
            address "fd74:af:0:50::1/64"
            description "iot"
        }
    }
    /* Stable service addresses for the router itself (ssh, dns forwarding, lldp, exporters bind here). */
    dummy dum1 {
        address "10.10.0.1/32"
        address "fd74:af:0:10::1/128"
    }
    /* WAN uplink; pppoe0 below runs on top of it. */
    ethernet eth0 {
        description "2.5G-1 - WAN"
        hw-id "64:62:66:2f:3b:ae"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth1 {
        description "2.5G-2"
        hw-id "64:62:66:2f:3b:af"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth2 {
        description "2.5G-3"
        hw-id "64:62:66:2f:3b:b0"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth3 {
        description "2.5G-4"
        hw-id "64:62:66:2f:3b:b1"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    loopback lo {
    }
    pppoe pppoe0 {
        /* NOTE(review): the provider login is stored in cleartext and is reproduced verbatim in this config export; treat any shared copy of the file as having disclosed it and rotate it with the provider. */
        authentication {
            password "26571316"
            username "551013112907"
        }
        /* Delegated /56 from the provider, one /64 per VLAN with sla-id = VLAN id. VLANs 15, 20 and 50 have no entry here. */
        dhcpv6-options {
            pd 0 {
                interface br1.16 {
                    address "1"
                    sla-id "16"
                }
                interface br1.17 {
                    address "1"
                    sla-id "17"
                }
                interface br1.31 {
                    address "1"
                    sla-id "31"
                }
                interface br1.35 {
                    address "1"
                    sla-id "35"
                }
                interface br1.38 {
                    address "1"
                    sla-id "38"
                }
                interface br1.39 {
                    address "1"
                    sla-id "39"
                }
                length "56"
            }
        }
        /* MSS clamping for the PPPoE MTU; router-advert also announces link-mtu 1492 on the LAN VLANs. */
        ip {
            adjust-mss "1452"
        }
        ipv6 {
            address {
                autoconf
            }
            adjust-mss "1452"
        }
        source-interface "eth0"
    }
    /* Road-warrior VPN. udp/2224 is admitted from the WAN by firewall MAIN-LOCAL-v4 rule 300 only (no v6 counterpart). */
    wireguard wg1 {
        address "fd74:af:0:401::1/64"
        address "10.40.1.1/24"
        peer jenny-handy {
            allowed-ips "10.40.1.12/32"
            allowed-ips "fd74:af:0:401::12/128"
            persistent-keepalive "30"
            public-key "sYUoQrXxFVp2rZRGunzeRqXk2NjvLm67taBOu+6Z9Vk="
        }
        peer oberon {
            allowed-ips "10.40.1.11/32"
            allowed-ips "fd74:af:0:401::11/128"
            persistent-keepalive "30"
            public-key "jYnEKBfCNHf3Q9pA34ZJnUeZwbsF1Zv5AwFOfhNepw8="
        }
        peer oma {
            allowed-ips "10.40.1.13/32"
            allowed-ips "fd74:af:0:401::13/128"
            persistent-keepalive "30"
            public-key "luCTIvLZuy8zAezOBT1Na9acK35wK9u8x2EMwJxifxk="
        }
        peer s23-FE {
            allowed-ips "10.40.1.10/32"
            allowed-ips "fd74:af:0:401::10/128"
            persistent-keepalive "30"
            public-key "jOsFAM8H2WhO3gao3gSkIq8IyvAFsmnKl99/SfCZFV0="
        }
        port "2224"
        /* NOTE(review): this is the server's long-term WireGuard private key, stored in cleartext in the export; if the file has been shared, generate a new key pair and redistribute the public key to the four peers. */
        private-key "GMNxomUWZPGQv60+AK0Z6ZEK54RrtwI/lgarcqSTkmM="
    }
}
|
|
/* IPv4 NAT. Every destination rule from pppoe0 has a matching accept in firewall MAIN-IN-v4; the source rule masquerades all of 10.0.0.0/8 (guest VLANs included) behind the PPPoE address. */
nat {
    destination {
        /* Web, git-ssh and Matrix federation to the reverse proxy (10.35.0.201, the same host the dns forwarding records and GUEST-OUT "Traefik" rules point at). */
        rule 1 {
            destination {
                port "80,443,2222,8448"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "10.35.0.201"
            }
        }
        /* Mail host (dhcp static-mapping "mail"). NOTE(review): 857 is not in firewall port-group MAIL, so it is forwarded here but rejected by MAIN-IN-v4 rule 301 - presumably a typo for 587, which is already listed; confirm. */
        rule 2 {
            destination {
                port "25,110,143,465,857,993,995,587"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "10.35.0.111"
            }
        }
        /* Game server in the dmz VLAN (dhcp static-mapping "minecraft"). */
        rule 3 {
            description "minecraft"
            destination {
                port "25565-25570"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "10.38.0.10"
            }
        }
        /* Hairpin for the workstations VLAN: udp/7777 to any destination is redirected to the ark host. */
        rule 4 {
            description "ark"
            destination {
                port "7777"
            }
            inbound-interface {
                name "br1.31"
            }
            protocol "udp"
            translation {
                address "10.38.0.41"
            }
        }
        /* Same target from the WAN; firewall MAIN-IN-v4 rule 305 is the only accept pinned to this host. */
        rule 5 {
            description "ark"
            destination {
                port "7777"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "udp"
            translation {
                address "10.38.0.41"
            }
        }
    }
    source {
        rule 1 {
            outbound-interface {
                name "pppoe0"
            }
            source {
                address "10.0.0.0/8"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
|
|
/* IPv6 NAT. Mirrors nat destination rules 1-3 onto the ULA hosts (no ark rule); the source rule masquerades the whole fd74:af::/56 ULA range behind the PPPoE v6 address. */
nat66 {
    destination {
        /* Reverse proxy, see nat destination rule 1. */
        rule 1 {
            destination {
                port "80,443,2222,8448"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "fd74:af:0:35::201"
            }
        }
        /* Mail host. NOTE(review): same 857 oddity as nat destination rule 2 - not in port-group MAIL, rejected by MAIN-IN-v6 rule 301; presumably a typo for 587, confirm. */
        rule 2 {
            destination {
                port "25,110,143,465,857,993,995,587"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "fd74:af:0:35::111"
            }
        }
        rule 3 {
            description "minecraft"
            destination {
                port "25565-25570"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "fd74:af:0:38::10"
            }
        }
    }
    source {
        rule 1 {
            outbound-interface {
                name "pppoe0"
            }
            source {
                prefix "fd74:af::/56"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
|
|
/* Static routes only. 10.30.0.53 / fd74:af:0:30::53 is the internal DNS server handed out by every DHCP scope, reached through the server-VLAN host 10.35.0.210 / fd74:af:0:35::210. 64:ff9b::/96 is the NAT64 prefix advertised by router-advert on br1.16/17/20, routed to fd74:af:0:35::105; 10.10.64.2/32 via 10.35.0.105 is presumably the v4 side of that same translator - confirm. */
protocols {
    static {
        route 10.10.64.2/32 {
            next-hop 10.35.0.105 {
            }
        }
        route 10.30.0.53/32 {
            next-hop 10.35.0.210 {
            }
        }
        route6 64:ff9b::/96 {
            next-hop fd74:af:0:35::105 {
            }
        }
        route6 fd74:af:0:30::53/128 {
            next-hop fd74:af:0:35::210 {
            }
        }
    }
}
|
|
service {
    /* Relays udp/24727 broadcasts between the workstations (br1.31) and wlan_client (br1.16) VLANs. */
    broadcast-relay {
        id 1 {
            interface "br1.31"
            interface "br1.16"
            port "24727"
        }
    }
    /* One scope per VLAN. Every scope hands out the internal resolver 10.30.0.53 (static route via 10.35.0.210); all but kit and wlan_mgmt also hand out the router's own forwarder 10.10.0.1. */
    dhcp-server {
        hostfile-update
        /* dmz VLAN (br1.38). */
        shared-network-name games {
            authoritative
            option {
                name-server "10.30.0.53"
                name-server "10.10.0.1"
            }
            subnet 10.38.0.0/24 {
                option {
                    default-router "10.38.0.1"
                }
                range 1 {
                    start "10.38.0.2"
                    stop "10.38.0.254"
                }
                static-mapping factorio {
                    ip-address "10.38.0.11"
                    mac "1E:84:D7:00:62:D1"
                }
                /* Target of nat destination rule 3. */
                static-mapping minecraft {
                    ip-address "10.38.0.10"
                    mac "EA:CB:21:4D:87:5A"
                }
                subnet-id "1"
            }
        }
        /* Guest VLAN (br1.20); clients are told they may go IPv6-only for a day. */
        shared-network-name guest {
            authoritative
            option {
                ipv6-only-preferred "86400"
                name-server "10.30.0.53"
                name-server "10.10.0.1"
            }
            subnet 10.20.0.0/24 {
                option {
                    default-router "10.20.0.1"
                }
                range 1 {
                    start "10.20.0.2"
                    stop "10.20.0.254"
                }
                subnet-id "2"
            }
        }
        shared-network-name iot {
            authoritative
            option {
                name-server "10.30.0.53"
                name-server "10.10.0.1"
                ntp-server "10.10.0.1"
            }
            subnet 10.50.0.0/24 {
                option {
                    default-router "10.50.0.1"
                }
                range 1 {
                    start "10.50.0.2"
                    stop "10.50.0.254"
                }
                static-mapping ag-wohnzimmer {
                    ip-address "10.50.0.4"
                    mac "40:4c:ca:67:0f:ec"
                }
                static-mapping kueche {
                    ip-address "10.50.0.6"
                    mac "c8:c9:a3:70:12:34"
                }
                static-mapping schlafzimmer {
                    ip-address "10.50.0.7"
                    mac "c8:c9:a3:70:1a:64"
                }
                static-mapping shelly-3dp {
                    ip-address "10.50.0.19"
                    mac "90:70:69:45:51:C0"
                }
                static-mapping shelly-desktop {
                    ip-address "10.50.0.2"
                    mac "34:94:54:8f:fe:a8"
                }
                static-mapping shelly-server {
                    ip-address "10.50.0.3"
                    mac "34:94:54:8f:8a:3c"
                }
                static-mapping shelly-tv {
                    ip-address "10.50.0.8"
                    mac "08:3A:8D:F4:39:9E"
                }
                static-mapping terasse {
                    ip-address "10.50.0.5"
                    mac "c8:c9:a3:70:19:df"
                }
                subnet-id "3"
            }
        }
        shared-network-name kit {
            authoritative
            option {
                name-server "10.30.0.53"
            }
            subnet 10.39.0.0/24 {
                option {
                    default-router "10.39.0.1"
                }
                range 1 {
                    start "10.39.0.10"
                    stop "10.39.0.250"
                }
                subnet-id "39"
            }
        }
        /* Server VLAN (br1.35). The reverse proxy at 10.35.0.201 used by nat and dns forwarding has no mapping here. */
        shared-network-name server {
            authoritative
            option {
                name-server "10.30.0.53"
                name-server "10.10.0.1"
                ntp-server "10.10.0.1"
            }
            subnet 10.35.0.0/24 {
                option {
                    default-router "10.35.0.1"
                }
                range 1 {
                    start "10.35.0.2"
                    stop "10.35.0.254"
                }
                static-mapping atlas {
                    ip-address "10.35.0.3"
                    mac "26:5d:59:65:6c:30"
                }
                static-mapping automation {
                    ip-address "10.35.0.107"
                    mac "02:A2:DA:98:97:5C"
                }
                static-mapping backup {
                    ip-address "10.35.0.155"
                    mac "9E:F2:32:EA:53:8D"
                }
                static-mapping bitwarden {
                    ip-address "10.35.0.152"
                    mac "2E:85:FB:30:0F:81"
                }
                static-mapping calendar {
                    ip-address "10.35.0.157"
                    mac "9A:59:DC:93:6C:6A"
                }
                static-mapping ci {
                    ip-address "10.35.0.109"
                    mac "1E:19:A2:E9:71:73"
                }
                static-mapping cloud {
                    ip-address "10.35.0.104"
                    mac "96:16:94:EE:5C:97"
                }
                static-mapping dns {
                    ip-address "10.35.0.160"
                    mac "12:14:C0:AF:94:7B"
                }
                static-mapping docker {
                    ip-address "10.35.0.101"
                    mac "bc:24:11:80:17:e6"
                }
                static-mapping documents {
                    ip-address "10.35.0.102"
                    mac "9A:59:AC:E0:25:A5"
                }
                static-mapping entry {
                    ip-address "10.35.0.110"
                    mac "D6:AB:3D:41:B1:F2"
                }
                static-mapping equinox {
                    ip-address "10.35.0.2"
                    mac "74:56:3c:55:e9:d7"
                }
                static-mapping finance {
                    ip-address "10.35.0.158"
                    mac "76:69:81:6F:67:1D"
                }
                static-mapping gauss {
                    ip-address "10.35.0.8"
                    mac "48:a9:8a:cc:c1:4b"
                }
                static-mapping grafana {
                    ip-address "10.35.0.153"
                    mac "6A:6D:C0:A8:0C:A4"
                }
                static-mapping ittools {
                    ip-address "10.35.0.159"
                    mac "7E:F0:F5:C3:5C:45"
                }
                static-mapping lounge {
                    ip-address "10.35.0.150"
                    mac "56:3E:C5:EE:EE:5E"
                }
                /* Target of nat destination rule 2. */
                static-mapping mail {
                    ip-address "10.35.0.111"
                    mac "BC:24:11:EE:23:C2"
                }
                static-mapping matrix {
                    ip-address "10.35.0.108"
                    mac "02:84:E0:99:0F:2C"
                }
                static-mapping media {
                    ip-address "10.35.0.106"
                    mac "4A:87:40:F3:8F:F2"
                }
                static-mapping monitor {
                    ip-address "10.35.0.100"
                    mac "0A:73:14:54:C2:E2"
                }
                /* Disabled; shares its MAC with "gauss" above. */
                static-mapping nova {
                    disable
                    ip-address "10.35.0.7"
                    mac "48:a9:8a:cc:c1:4b"
                }
                static-mapping printer {
                    ip-address "10.35.0.15"
                    mac "30:05:5c:17:26:f3"
                }
                static-mapping projects {
                    ip-address "10.35.0.156"
                    mac "A2:38:B8:7B:83:8E"
                }
                static-mapping sensors {
                    ip-address "10.35.0.10"
                    mac "70:b3:d5:50:91:bd"
                }
                static-mapping speedtest {
                    ip-address "10.35.0.154"
                    mac "86:00:BC:4A:1B:30"
                }
                static-mapping traefik {
                    ip-address "10.35.0.151"
                    mac "62:80:2D:4E:1A:C8"
                }
                static-mapping trinity {
                    ip-address "10.35.0.4"
                    mac "00:11:32:86:93:49"
                }
                static-mapping ultrastar {
                    ip-address "10.35.0.103"
                    mac "8A:77:95:29:0E:D0"
                }
                static-mapping voip {
                    ip-address "10.35.0.113"
                    mac "86:F5:5B:BA:CB:74"
                }
                subnet-id "4"
            }
        }
        shared-network-name wlan_client {
            authoritative
            option {
                domain-name "home"
                ipv6-only-preferred "86400"
                name-server "10.30.0.53"
                name-server "10.10.0.1"
                ntp-server "10.10.0.1"
            }
            subnet 10.16.0.0/24 {
                option {
                    default-router "10.16.0.1"
                }
                range 1 {
                    start "10.16.0.2"
                    stop "10.16.0.254"
                }
                static-mapping wax615 {
                    ip-address "10.16.0.2"
                    mac "94:18:65:c2:ea:ff"
                }
                subnet-id "5"
            }
        }
        /* Guest WLAN (br1.17), member of firewall group GUEST. */
        shared-network-name wlan_guest {
            authoritative
            option {
                ipv6-only-preferred "86400"
                name-server "10.30.0.53"
                name-server "10.10.0.1"
            }
            subnet 10.17.0.0/24 {
                option {
                    default-router "10.17.0.1"
                }
                range 1 {
                    start "10.17.0.2"
                    stop "10.17.0.254"
                }
                subnet-id "6"
            }
        }
        shared-network-name wlan_mgmt {
            authoritative
            option {
                name-server "10.30.0.53"
            }
            subnet 10.15.0.0/24 {
                option {
                    default-router "10.15.0.1"
                }
                range 1 {
                    start "10.15.0.2"
                    stop "10.15.0.254"
                }
                static-mapping gyre {
                    ip-address "10.15.0.4"
                    mac "A8:52:D4:91:FF:39"
                }
                static-mapping volt {
                    ip-address "10.15.0.5"
                    mac "00:a0:57:6c:4a:3e"
                }
                subnet-id "7"
            }
        }
        shared-network-name workstations {
            authoritative
            option {
                name-server "10.30.0.53"
                name-server "10.10.0.1"
                ntp-server "10.10.0.1"
            }
            subnet 10.31.0.0/24 {
                option {
                    default-router "10.31.0.1"
                }
                range 1 {
                    start "10.31.0.2"
                    stop "10.31.0.254"
                }
                static-mapping oberon {
                    ip-address "10.31.0.11"
                    mac "30:24:a9:91:70:61"
                }
                static-mapping titania {
                    ip-address "10.31.0.10"
                    mac "d8:5e:d3:40:f9:5b"
                }
                subnet-id "8"
            }
        }
    }
    dns {
        /* Three hostnames, each updated for v4 and v6 from the pppoe0 address. NOTE(review): all six entries carry the same provider password in cleartext, visible to anyone who can read this export - rotate it at the provider if the file has been shared. */
        dynamic {
            name service-lewellien-net-pppoe0 {
                address {
                    interface "pppoe0"
                }
                host-name "gw.lewellien.net"
                ip-version "ipv4"
                password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL"
                protocol "dyndns2"
                server "dyndns.strato.com"
                username "lewellien.net"
            }
            name service-lewellien-net-v6-pppoe0 {
                address {
                    interface "pppoe0"
                }
                host-name "gw.lewellien.net"
                ip-version "ipv6"
                password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL"
                protocol "dyndns2"
                server "dyndns.strato.com"
                username "lewellien.net"
            }
            name service-mail-lewellien-net-pppoe0 {
                address {
                    interface "pppoe0"
                }
                host-name "mail.lewellien.net"
                ip-version "ipv4"
                password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL"
                protocol "dyndns2"
                server "dyndns.strato.com"
                username "lewellien.net"
            }
            name service-mail-lewellien-net-v6-pppoe0 {
                address {
                    interface "pppoe0"
                }
                host-name "mail.lewellien.net"
                ip-version "ipv6"
                password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL"
                protocol "dyndns2"
                server "dyndns.strato.com"
                username "lewellien.net"
            }
            name service-matrix-lewellien-net-pppoe0 {
                address {
                    interface "pppoe0"
                }
                host-name "matrix.lewellien.net"
                ip-version "ipv4"
                password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL"
                protocol "dyndns2"
                server "dyndns.strato.com"
                username "lewellien.net"
            }
            name service-matrix-lewellien-net-v6-pppoe0 {
                address {
                    interface "pppoe0"
                }
                host-name "matrix.lewellien.net"
                ip-version "ipv6"
                password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL"
                protocol "dyndns2"
                server "dyndns.strato.com"
                username "lewellien.net"
            }
        }
        /* Recursive forwarder for the internal subnets only, bound to the dummy addresses. lewellien.net is answered locally (split-horizon): every name under it maps to the reverse proxy at 10.35.0.201 / fd74:af:0:35::201, the same host nat destination rule 1 targets. afinfra.de is mirrored by AXFR from fd74:af:0:30::53 every 1800 s. */
        forwarding {
            allow-from "10.0.0.0/8"
            allow-from "fd74:af::/56"
            authoritative-domain lewellien.net {
                records {
                    a any {
                        address "10.35.0.201"
                    }
                    aaaa any {
                        address "fd74:af:0:35::201"
                    }
                }
            }
            listen-address "10.10.0.1"
            listen-address "fd74:af:0:10::1"
            zone-cache afinfra.de {
                options {
                    refresh {
                        interval "1800"
                    }
                }
                source {
                    axfr "fd74:af:0:30::53"
                }
            }
        }
    }
    /* NOTE(review): eth0 is the WAN uplink (interfaces ethernet eth0 "2.5G-1 - WAN"), so LLDP on it announces the host-name and the management addresses below on the provider-facing link; limiting lldp to eth1/eth2 keeps that information on the LAN. */
    lldp {
        interface eth0 {
        }
        interface eth1 {
        }
        interface eth2 {
        }
        management-address "10.10.0.1"
        management-address "fd74:af:0:10::1"
    }
    /* Exporters listen on the dummy addresses; only telegraf restricts sources (server VLAN), the prometheus exporters rely on the input filter, which only filters pppoe0. */
    monitoring {
        prometheus {
            frr-exporter {
                listen-address "fd74:af:0:10::1"
            }
            node-exporter {
                listen-address "10.10.0.1"
            }
        }
        telegraf {
            prometheus-client {
                allow-from "fd74:af:0:35::/64"
                allow-from "10.35.0.0/24"
                listen-address "10.10.0.1"
            }
        }
    }
    /* NOTE(review): the trailing 0.0.0.0/0 and ::/0 entries accept any client and make every earlier allow-client entry redundant; the WAN side is only shielded because MAIN-LOCAL-v4/-v6 have no udp/123 rule. Drop the two catch-all entries if the intent is "internal only". */
    ntp {
        allow-client {
            address "127.0.0.0/8"
            address "169.254.0.0/16"
            address "10.0.0.0/8"
            address "172.16.0.0/12"
            address "192.168.0.0/16"
            address "::1/128"
            address "fe80::/10"
            address "fc00::/7"
            address "0.0.0.0/0"
            address "::/0"
        }
        server ntp1.sda.t-online.de {
        }
        server ntp1.sul.t-online.de {
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
    }
    /* SLAAC per VLAN. link-mtu 1492 matches the PPPoE path; the ::/64 prefix entries presumably take the prefix delegated under interfaces pppoe0 dhcpv6-options pd - confirm. br1.16/17/20 additionally announce the NAT64 prefix routed in protocols static route6. */
    router-advert {
        interface br1.15 {
            name-server "fd74:af:0:10::1"
        }
        interface br1.16 {
            link-mtu "1492"
            name-server "fd74:af:0:30::53"
            name-server "fd74:af:0:10::1"
            nat64prefix 64:ff9b::/96 {
            }
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
        interface br1.17 {
            link-mtu "1492"
            name-server "fd74:af:0:30::53"
            name-server "fd74:af:0:10::1"
            nat64prefix 64:ff9b::/96 {
            }
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
        interface br1.20 {
            link-mtu "1492"
            name-server "fd74:af:0:30::53"
            name-server "fd74:af:0:10::1"
            nat64prefix 64:ff9b::/96 {
            }
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
        interface br1.31 {
            link-mtu "1492"
            name-server "fd74:af:0:30::53"
            name-server "fd74:af:0:10::1"
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
        interface br1.35 {
            link-mtu "1492"
            name-server "fd74:af:0:30::53"
            name-server "fd74:af:0:10::1"
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
        interface br1.38 {
            name-server "fd74:af:0:10::1"
        }
        interface br1.39 {
            link-mtu "1492"
            name-server "fd74:af:0:30::53"
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
        interface br1.50 {
            name-server "fd74:af:0:10::1"
        }
    }
    /* sshd is bound to the dummy addresses only, not to pppoe0, so firewall MAIN-LOCAL-v4/-v6 rule 100 (port 22 from the WAN) currently admits nothing. Reachability from the LAN and guest VLANs is unrestricted by the input filter. */
    ssh {
        listen-address "10.10.0.1"
        listen-address "fd74:af:0:10::1"
    }
}
|
|
system {
    config-management {
        /* NOTE(review): the archive URL embeds a git access token for user "vyos" in cleartext, and every commit pushes this whole file (credentials included) to that repository. Anyone who can read this export holds the token - revoke it if the file has been shared, and prefer key-based ssh for the archive so no secret lives in the URL. */
        commit-archive {
            location "git+https://vyos:uLLPLpARiKLe5ViFJm3dDUNA5m9wMMym@git.lewellien.net/lewellien/vyos-config.git"
        }
        commit-revisions "101"
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    host-name "router"
    /* lewellien: key-only login. vyos: the default account, kept with a sha512-crypt password hash (656000 rounds); consider removing it if it is not needed, so that only the key-based account remains. */
    login {
        user lewellien {
            authentication {
                public-keys lewellien@server {
                    key "AAAAC3NzaC1lZDI1NTE5AAAAIIC2v6gFjGdq47jGeqoamDLdLVmvEYpQrIFEqZnmnaCb"
                    type "ssh-ed25519"
                }
            }
        }
        user vyos {
            authentication {
                encrypted-password "$6$rounds=656000$DD0L1d4zCpPTFRm6$85IGUPK9OvLhF6f/N5BZR9ABOpBpLkVZCpTTLoWpRgBlLjZgn0iaEiPAk5O4M.g/wA58bx/VnfgZ2SYuJ7V/w0"
                plaintext-password ""
            }
        }
    }
    /* Resolvers for the router itself: the internal server over v4 and v6 (static routes in protocols), then 1.1.1.1. */
    name-server "10.30.0.53"
    name-server "fd74:af:0:30::53"
    name-server "1.1.1.1"
    option {
        keyboard-layout "de"
    }
    /* Local logging only, no remote syslog host: the log / default-log hits from the firewall chains stay on this box and are lost with it. */
    syslog {
        local {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
    time-zone "Europe/Berlin"
}
|
|
|
|
|
|
// Warning: Do not remove the following line.
|
|
// vyos-config-version: "bgp@6:broadcast-relay@1:cluster@2:config-management@1:conntrack@6:conntrack-sync@2:container@3:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@20:flow-accounting@3:https@7:ids@2:interfaces@34:ipoe-server@4:ipsec@14:isis@3:l2tp@9:lldp@3:mdns@1:monitoring@2:nat@8:nat66@3:nhrp@1:ntp@3:openconnect@3:openvpn@5:ospf@2:pim@1:policy@9:pppoe-server@11:pptp@5:qos@3:quagga@12:reverse-proxy@3:rip@1:rpki@2:salt@1:snmp@3:ssh@3:sstp@6:system@30:vpp@4:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@4:webproxy@2"
|
|
// Release version: 2026.01.16-0022-rolling
|