Diffstat (limited to 'config/lhn2ix.txt')
-rw-r--r--config/lhn2ix.txt229
1 files changed, 229 insertions, 0 deletions
diff --git a/config/lhn2ix.txt b/config/lhn2ix.txt
new file mode 100644
index 0000000..b05d5d9
--- /dev/null
+++ b/config/lhn2ix.txt
@@ -0,0 +1,229 @@
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall ipv6-name DN42v6_IN default-action drop
+set firewall ipv6-name DN42v6_IN description 'DN42 traffic through the router'
+set firewall ipv6-name DN42v6_IN enable-default-log
+set firewall ipv6-name DN42v6_IN rule 10 action accept
+set firewall ipv6-name DN42v6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name DN42v6_IN rule 10 state established enable
+set firewall ipv6-name DN42v6_IN rule 10 state related enable
+set firewall ipv6-name DN42v6_IN rule 20 action drop
+set firewall ipv6-name DN42v6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name DN42v6_IN rule 20 state invalid enable
+set firewall ipv6-name DN42v6_IN rule 30 action accept
+set firewall ipv6-name DN42v6_IN rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name DN42v6_IN rule 30 protocol ipv6-icmp
+set firewall ipv6-name DN42v6_IN rule 100 action accept
+set firewall ipv6-name DN42v6_IN rule 100 description 'Allow anything from tnet (tcp)'
+set firewall ipv6-name DN42v6_IN rule 100 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 100 source address 'fdb1:4242:3538:2000::/52'
+set firewall ipv6-name DN42v6_IN rule 101 action accept
+set firewall ipv6-name DN42v6_IN rule 101 description 'Allow anything from tnet (udp)'
+set firewall ipv6-name DN42v6_IN rule 101 protocol udp
+set firewall ipv6-name DN42v6_IN rule 101 source address 'fdb1:4242:3538:2000::/52'
+set firewall ipv6-name DN42v6_IN rule 200 action accept
+set firewall ipv6-name DN42v6_IN rule 200 description 'Allow SSH'
+set firewall ipv6-name DN42v6_IN rule 200 destination port 22
+set firewall ipv6-name DN42v6_IN rule 200 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 201 action accept
+set firewall ipv6-name DN42v6_IN rule 201 description 'Allow HTTP'
+set firewall ipv6-name DN42v6_IN rule 201 destination port 80
+set firewall ipv6-name DN42v6_IN rule 201 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 202 action accept
+set firewall ipv6-name DN42v6_IN rule 202 description 'Allow HTTPS'
+set firewall ipv6-name DN42v6_IN rule 202 destination port https
+set firewall ipv6-name DN42v6_IN rule 202 protocol tcp
+set firewall ipv6-name DN42v6_LOCAL default-action drop
+set firewall ipv6-name DN42v6_LOCAL description 'DN42 inbound traffic to the router'
+set firewall ipv6-name DN42v6_LOCAL enable-default-log
+set firewall ipv6-name DN42v6_LOCAL rule 10 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name DN42v6_LOCAL rule 10 state established enable
+set firewall ipv6-name DN42v6_LOCAL rule 10 state related enable
+set firewall ipv6-name DN42v6_LOCAL rule 20 action drop
+set firewall ipv6-name DN42v6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name DN42v6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name DN42v6_LOCAL rule 30 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name DN42v6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name DN42v6_LOCAL rule 40 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 40 description 'Allow SSH'
+set firewall ipv6-name DN42v6_LOCAL rule 40 destination port 22
+set firewall ipv6-name DN42v6_LOCAL rule 40 protocol tcp
+set firewall ipv6-name DN42v6_LOCAL rule 50 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 50 description 'Allow BGP'
+set firewall ipv6-name DN42v6_LOCAL rule 50 destination port 179
+set firewall ipv6-name DN42v6_LOCAL rule 50 protocol tcp
+set firewall ipv6-name WANv6_IN default-action drop
+set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
+set firewall ipv6-name WANv6_IN rule 10 action accept
+set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_IN rule 10 state established enable
+set firewall ipv6-name WANv6_IN rule 10 state related enable
+set firewall ipv6-name WANv6_IN rule 20 action drop
+set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_IN rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL default-action drop
+set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
+set firewall ipv6-name WANv6_LOCAL enable-default-log
+set firewall ipv6-name WANv6_LOCAL rule 10 action accept
+set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
+set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
+set firewall ipv6-name WANv6_LOCAL rule 20 action drop
+set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL rule 30 action accept
+set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name WANv6_LOCAL rule 40 action accept
+set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DHCPv6'
+set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
+set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
+set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
+set firewall ipv6-name WANv6_LOCAL rule 50 action accept
+set firewall ipv6-name WANv6_LOCAL rule 50 description 'Allow SSH'
+set firewall ipv6-name WANv6_LOCAL rule 50 destination port 22
+set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
+set interfaces ethernet eth0 address dhcp
+set interfaces ethernet eth0 description Internet
+set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 host-address '::1'
+set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 prefix-id ':0'
+set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 service slaac
+set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
+set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
+set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
+set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
+set interfaces ethernet eth0 ipv6 address
+set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
+set interfaces ethernet eth0 poe output off
+set interfaces ethernet eth0 speed auto
+set interfaces ethernet eth1 description conflatorio
+set interfaces ethernet eth1 duplex auto
+set interfaces ethernet eth1 poe output off
+set interfaces ethernet eth1 speed auto
+set interfaces ethernet eth2 description Local
+set interfaces ethernet eth2 duplex auto
+set interfaces ethernet eth2 poe output off
+set interfaces ethernet eth2 speed auto
+set interfaces ethernet eth3 description Local
+set interfaces ethernet eth3 duplex auto
+set interfaces ethernet eth3 poe output off
+set interfaces ethernet eth3 speed auto
+set interfaces ethernet eth4 description Wifi
+set interfaces ethernet eth4 duplex auto
+set interfaces ethernet eth4 poe output 24v
+set interfaces ethernet eth4 speed auto
+set interfaces ethernet eth5 duplex auto
+set interfaces ethernet eth5 mac '48:FD:8E:B5:98:49'
+set interfaces ethernet eth5 speed auto
+set interfaces loopback lo
+set interfaces switch switch0 address 'fdb1:4242:3538:2008::1/64'
+set interfaces switch switch0 address 192.168.11.1/24
+set interfaces switch switch0 address 'fdb1:4242:3538:2009::1/64'
+set interfaces switch switch0 description Local
+set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
+set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
+set interfaces switch switch0 ipv6 router-advert link-mtu 0
+set interfaces switch switch0 ipv6 router-advert managed-flag true
+set interfaces switch switch0 ipv6 router-advert max-interval 600
+set interfaces switch switch0 ipv6 router-advert other-config-flag false
+set interfaces switch switch0 ipv6 router-advert prefix '2a06:2240:f002:9900::0/64' autonomous-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '2a06:2240:f002:9900::0/64' on-link-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '2a06:2240:f002:9900::0/64' valid-lifetime 2592000
+set interfaces switch switch0 ipv6 router-advert prefix 'fdb1:4242:3538:2008::0/64' autonomous-flag true
+set interfaces switch switch0 ipv6 router-advert prefix 'fdb1:4242:3538:2008::0/64' on-link-flag true
+set interfaces switch switch0 ipv6 router-advert prefix 'fdb1:4242:3538:2008::0/64' valid-lifetime 2592000
+set interfaces switch switch0 ipv6 router-advert reachable-time 0
+set interfaces switch switch0 ipv6 router-advert retrans-timer 0
+set interfaces switch switch0 ipv6 router-advert send-advert true
+set interfaces switch switch0 mtu 1500
+set interfaces switch switch0 switch-port interface eth1
+set interfaces switch switch0 switch-port interface eth2
+set interfaces switch switch0 switch-port interface eth3
+set interfaces switch switch0 switch-port interface eth4
+set interfaces switch switch0 switch-port vlan-aware disable
+set interfaces wireguard wg1 address 'fdb1:4242:3538:2f02::b/64'
+set interfaces wireguard wg1 description tnet-knot
+set interfaces wireguard wg1 firewall in ipv6-name DN42v6_IN
+set interfaces wireguard wg1 firewall local ipv6-name DN42v6_LOCAL
+set interfaces wireguard wg1 mtu 1420
+set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= allowed-ips '::0/0'
+set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= endpoint 'knot.inamo.no:51002'
+set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= persistent-keepalive 60
+set interfaces wireguard wg1 private-key 4IhYSjPBx5K2TuEYs2bl3rjaKSLdx3HNgbjn2BpJimg=
+set interfaces wireguard wg1 route-allowed-ips false
+set policy prefix-list6 bitraf-dn42 rule 1 action permit
+set policy prefix-list6 bitraf-dn42 rule 1 description 'tnet subnetworks'
+set policy prefix-list6 bitraf-dn42 rule 1 le 128
+set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538:2000::/60'
+set policy route-map bitraf-dn42 rule 1 action permit
+set policy route-map bitraf-dn42 rule 1 match ipv6 address prefix-list bitraf-dn42
+set protocols bgp 4242423538 address-family ipv6-unicast redistribute connected route-map bitraf-dn42
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast capability graceful-restart
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast nexthop-self
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast route-reflector-client
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast soft-reconfiguration inbound
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' description knot
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' password trygvis
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' remote-as 4242423538
+set protocols bgp 4242423538 parameters graceful-restart
+set protocols static route6 'fdb1:4242:3538:2008::/64' blackhole
+set service dhcp-server disabled false
+set service dhcp-server hostfile-update disable
+set service dhcp-server shared-network-name LAN authoritative enable
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 default-router 192.168.11.1
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 dns-server 192.168.11.1
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 dns-server 8.8.8.8
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 lease 86400
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 start 192.168.11.100 stop 192.168.11.199
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping conflatorio ip-address 192.168.11.3
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping conflatorio mac-address '82:42:32:0c:71:61'
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping coregonus ip-address 192.168.11.4
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping coregonus mac-address '00:E0:4C:98:1B:B5'
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping teknisk ip-address 192.168.11.2
+set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping teknisk mac-address 'f4:e2:c6:1c:f9:e3'
+set service dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 1000
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for WAN'
+set service nat rule 5010 outbound-interface eth0
+set service nat rule 5010 type masquerade
+set service snmp community public authorization ro
+set service snmp location lhn2ix
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms disable
+set system analytics-handler send-analytics-report false
+set system config-management commit-revisions 10
+set system crash-handler send-crash-report false
+set system domain-name trygvis.io
+set system host-name lhn2ix
+set system login user ubnt authentication encrypted-password '$5$Wu8xmYAo9yxLxQbq$HgzV.0uev3uJmtEfp7/GJnaw2ZIxICAlRr1Y8YbU/pB'
+set system login user ubnt authentication plaintext-password ''
+set system login user ubnt authentication public-keys trygvis@biwia key AAAAC3NzaC1lZDI1NTE5AAAAIK3NIIYprtLQFNut7GGf0va7YYFeSXKSgWDQi4qbf5Ph
+set system login user ubnt authentication public-keys trygvis@biwia type ssh-ed25519
+set system login user ubnt full-name ''
+set system login user ubnt level admin
+set system name-server 8.8.8.8
+set system ntp server 0.ubnt.pool.ntp.org
+set system ntp server 1.ubnt.pool.ntp.org
+set system ntp server 2.ubnt.pool.ntp.org
+set system ntp server 3.ubnt.pool.ntp.org
+set system syslog console facility all level debug
+set system syslog global facility all level notice
+set system syslog global facility protocols level debug
+set system time-zone Europe/Oslo
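Review bot: This new file commits live credentials — the wg1 `private-key` value, the BGP neighbor `password`, and the `encrypted-password` hash for user ubnt — so anyone with read access to the repository history can impersonate this router's tunnel and BGP session; those values should be rotated and the committed lines reduced to placeholders, e.g. `set interfaces wireguard wg1 private-key <WG_PRIVATE_KEY>` and `set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' password <BGP_PASSWORD>`, with the real values applied out of band. Separately, `WANv6_LOCAL rule 50` accepts TCP/22 from any IPv6 source on eth0, and `DN42v6_IN` rules 200–202 accept SSH/HTTP/HTTPS from any source through the tunnel even though rules 100/101 already scope tnet traffic to 'fdb1:4242:3538:2000::/52', so a `source address` restriction on 200–202 would match the stated intent. eth0 only gets `ipv6-name` rulesets (`firewall in`/`firewall local`), so if the platform applies no default policy to an interface without an assigned IPv4 ruleset, the router's IPv4 services (`service gui` on 80/443 with `older-ciphers enable`, ssh on 22, and the `public` read-only SNMP community) appear reachable unfiltered from the WAN; if an IPv4 ruleset is defined elsewhere, a comment naming it would help, otherwise one should be added alongside WANv6_LOCAL.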