# Router configuration for host "lhn2ix" in Vyatta/EdgeOS-style `set` command form.
# Visible contents: global firewall options, four IPv6 rulesets (DN42 tunnel and WAN,
# each split into forwarded "IN" and router-terminated "LOCAL"), Ethernet/switch
# interfaces, a WireGuard tunnel (wg1), one BGP neighbor inside AS 4242423538,
# DHCP/DNS/NAT, management services (GUI, SNMP, SSH) and system settings.
#
# NOTE(review): this file carries credential material inline: the wg1 private-key,
# the BGP neighbor password, and the password hash for user "ubnt". If any of these
# values were ever live, treat them as exposed: rotate them and keep secrets out of
# shared or published copies of the configuration.
#
# NOTE(review): only ipv6-name rulesets are defined and bound to eth0 here. No IPv4
# ruleset (`firewall name ...`) is visible, so nothing shown in this file filters
# IPv4 traffic arriving on the WAN interface. Confirm whether IPv4 filtering exists
# elsewhere (upstream device or a part of the config not shown).

# --- Global firewall options -------------------------------------------------
set firewall all-ping enable
set firewall broadcast-ping disable

# --- DN42v6_IN: traffic from the wg1 tunnel forwarded through the router ------
# Bound further down via `interfaces wireguard wg1 firewall in`.
# Default drop, with dropped packets logged (enable-default-log).
set firewall ipv6-name DN42v6_IN default-action drop
set firewall ipv6-name DN42v6_IN description 'DN42 traffic through the router'
set firewall ipv6-name DN42v6_IN enable-default-log
set firewall ipv6-name DN42v6_IN rule 10 action accept
set firewall ipv6-name DN42v6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name DN42v6_IN rule 10 state established enable
set firewall ipv6-name DN42v6_IN rule 10 state related enable
set firewall ipv6-name DN42v6_IN rule 20 action drop
set firewall ipv6-name DN42v6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name DN42v6_IN rule 20 state invalid enable
# Rule 30 accepts every ICMPv6 type; no type filter is set.
set firewall ipv6-name DN42v6_IN rule 30 action accept
set firewall ipv6-name DN42v6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name DN42v6_IN rule 30 protocol ipv6-icmp
# Rules 100/101 accept all TCP and UDP whose source is inside fdb1:4242:3538:2000::/52.
# NOTE(review): the prefix-list "bitraf-dn42" below describes 'tnet subnetworks' as
# fdb1:4242:3538:2000::/60, which is narrower than this /52. Confirm which range is
# intended to be trusted here.
set firewall ipv6-name DN42v6_IN rule 100 action accept
set firewall ipv6-name DN42v6_IN rule 100 description 'Allow anything from tnet (tcp)'
set firewall ipv6-name DN42v6_IN rule 100 protocol tcp
set firewall ipv6-name DN42v6_IN rule 100 source address 'fdb1:4242:3538:2000::/52'
set firewall ipv6-name DN42v6_IN rule 101 action accept
set firewall ipv6-name DN42v6_IN rule 101 description 'Allow anything from tnet (udp)'
set firewall ipv6-name DN42v6_IN rule 101 protocol udp
set firewall ipv6-name DN42v6_IN rule 101 source address 'fdb1:4242:3538:2000::/52'
# Rules 200-202 accept TCP 22/80/443 with no source or destination address match,
# i.e. towards any forwarded destination from any tunnel source.
# NOTE(review): confirm that exposing SSH/HTTP/HTTPS on every LAN host to the whole
# tunnel is intended; a destination address match would narrow it.
set firewall ipv6-name DN42v6_IN rule 200 action accept
set firewall ipv6-name DN42v6_IN rule 200 description 'Allow SSH'
set firewall ipv6-name DN42v6_IN rule 200 destination port 22
set firewall ipv6-name DN42v6_IN rule 200 protocol tcp
set firewall ipv6-name DN42v6_IN rule 201 action accept
set firewall ipv6-name DN42v6_IN rule 201 description 'Allow HTTP'
set firewall ipv6-name DN42v6_IN rule 201 destination port 80
set firewall ipv6-name DN42v6_IN rule 201 protocol tcp
set firewall ipv6-name DN42v6_IN rule 202 action accept
set firewall ipv6-name DN42v6_IN rule 202 description 'Allow HTTPS'
set firewall ipv6-name DN42v6_IN rule 202 destination port https
set firewall ipv6-name DN42v6_IN rule 202 protocol tcp

# --- DN42v6_LOCAL: traffic from the wg1 tunnel addressed to the router itself --
# Bound further down via `interfaces wireguard wg1 firewall local`.
set firewall ipv6-name DN42v6_LOCAL default-action drop
set firewall ipv6-name DN42v6_LOCAL description 'DN42 inbound traffic to the router'
set firewall ipv6-name DN42v6_LOCAL enable-default-log
set firewall ipv6-name DN42v6_LOCAL rule 10 action accept
set firewall ipv6-name DN42v6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name DN42v6_LOCAL rule 10 state established enable
set firewall ipv6-name DN42v6_LOCAL rule 10 state related enable
set firewall ipv6-name DN42v6_LOCAL rule 20 action drop
set firewall ipv6-name DN42v6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name DN42v6_LOCAL rule 20 state invalid enable
set firewall ipv6-name DN42v6_LOCAL rule 30 action accept
set firewall ipv6-name DN42v6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name DN42v6_LOCAL rule 30 protocol ipv6-icmp
# SSH to the router from any tunnel source (no source address match).
set firewall ipv6-name DN42v6_LOCAL rule 40 action accept
set firewall ipv6-name DN42v6_LOCAL rule 40 description 'Allow SSH'
set firewall ipv6-name DN42v6_LOCAL rule 40 destination port 22
set firewall ipv6-name DN42v6_LOCAL rule 40 protocol tcp
# BGP (tcp/179) from any tunnel source.
# NOTE(review): the only configured neighbor is fdb1:4242:3538:2f02::a; matching that
# source address here would limit who can reach the BGP listener.
set firewall ipv6-name DN42v6_LOCAL rule 50 action accept
set firewall ipv6-name DN42v6_LOCAL rule 50 description 'Allow BGP'
set firewall ipv6-name DN42v6_LOCAL rule 50 destination port 179
set firewall ipv6-name DN42v6_LOCAL rule 50 protocol tcp

# --- WANv6_IN: IPv6 traffic from eth0 forwarded towards the LAN ---------------
# Only established/related traffic is accepted; everything else hits default drop.
# NOTE(review): unlike the other three rulesets, this one does not set
# enable-default-log, so drops of unsolicited WAN->LAN traffic are not logged.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable

# --- WANv6_LOCAL: IPv6 traffic from eth0 addressed to the router itself -------
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
# DHCPv6 replies: UDP from port 547 to port 546, needed for the dhcpv6-pd client on eth0.
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
# SSH to the router from any IPv6 source on the WAN side (no source address match).
# NOTE(review): user "ubnt" below has both a password hash and a public key. If
# password logins are accepted, this rule exposes them to the Internet. Consider a
# source restriction and key-only authentication.
set firewall ipv6-name WANv6_LOCAL rule 50 action accept
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Allow SSH'
set firewall ipv6-name WANv6_LOCAL rule 50 destination port 22
set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp

# --- Remaining global firewall options ---------------------------------------
# Redirects are not accepted and source routing is disabled for IPv4 and IPv6.
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
# NOTE(review): source-validation is disabled, so no reverse-path check is applied
# to spoofed source addresses. Confirm this is required (e.g. by asymmetric routing).
set firewall source-validation disable
set firewall syn-cookies enable

# --- eth0: WAN uplink --------------------------------------------------------
# IPv4 address via DHCP; a /56 is requested via DHCPv6 prefix delegation and handed
# to switch0. Only IPv6 rulesets are attached to this interface (see note at top).
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 prefix-id ':0'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 ipv6 address
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 poe output off
set interfaces ethernet eth0 speed auto

# --- eth1-eth4: members of switch0 (see switch-port list below) ---------------
set interfaces ethernet eth1 description conflatorio
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 poe output off
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description Local
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 poe output off
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description Local
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 poe output off
set interfaces ethernet eth3 speed auto
# eth4 supplies 24v PoE to the attached device (described as Wifi).
set interfaces ethernet eth4 description Wifi
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output 24v
set interfaces ethernet eth4 speed auto
# eth5 has no address, description or firewall in this config; only a MAC override.
set interfaces ethernet eth5 duplex auto
set interfaces ethernet eth5 mac '48:FD:8E:B5:98:49'
set interfaces ethernet eth5 speed auto
set interfaces loopback lo

# --- switch0: LAN bridge over eth1-eth4 --------------------------------------
# Carries 192.168.11.1/24 plus two fdb1:4242:3538:20xx::/64 addresses.
# No firewall ruleset is attached to switch0 in this config.
set interfaces switch switch0 address 'fdb1:4242:3538:2008::1/64'
set interfaces switch switch0 address 192.168.11.1/24
set interfaces switch switch0 address 'fdb1:4242:3538:2009::1/64'
set interfaces switch switch0 description Local
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
# Router advertisements: two prefixes announced with the autonomous flag set.
# NOTE(review): managed-flag is true while no DHCPv6 server is configured in this
# file; confirm clients are expected to rely on the autonomous flag.
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '2a06:2240:f002:9900::0/64' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '2a06:2240:f002:9900::0/64' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '2a06:2240:f002:9900::0/64' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert prefix 'fdb1:4242:3538:2008::0/64' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix 'fdb1:4242:3538:2008::0/64' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix 'fdb1:4242:3538:2008::0/64' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable

# --- wg1: WireGuard tunnel to the DN42 peer ----------------------------------
# Both DN42v6 rulesets are bound here (in = forwarded, local = to the router).
set interfaces wireguard wg1 address 'fdb1:4242:3538:2f02::b/64'
set interfaces wireguard wg1 description tnet-knot
set interfaces wireguard wg1 firewall in ipv6-name DN42v6_IN
set interfaces wireguard wg1 firewall local ipv6-name DN42v6_LOCAL
set interfaces wireguard wg1 mtu 1420
# allowed-ips '::0/0' lets the peer source any IPv6 address through the tunnel, so
# the only address filtering on this path is what DN42v6_IN / DN42v6_LOCAL enforce.
set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= allowed-ips '::0/0'
set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= endpoint 'knot.inamo.no:51002'
set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= persistent-keepalive 60
# NOTE(review): tunnel private key stored inline. Anyone holding this value can
# authenticate as this router to the peer; rotate it if this file has been shared.
set interfaces wireguard wg1 private-key 4IhYSjPBx5K2TuEYs2bl3rjaKSLdx3HNgbjn2BpJimg=
# Routes are not installed from allowed-ips; routing over wg1 comes from BGP below.
set interfaces wireguard wg1 route-allowed-ips false

# --- Routing policy and BGP --------------------------------------------------
# Prefix-list permits fdb1:4242:3538:2000::/60 and anything more specific (le 128);
# the route-map applies it to redistributed connected routes.
set policy prefix-list6 bitraf-dn42 rule 1 action permit
set policy prefix-list6 bitraf-dn42 rule 1 description 'tnet subnetworks'
set policy prefix-list6 bitraf-dn42 rule 1 le 128
set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538:2000::/60'
set policy route-map bitraf-dn42 rule 1 action permit
set policy route-map bitraf-dn42 rule 1 match ipv6 address prefix-list bitraf-dn42
set protocols bgp 4242423538 address-family ipv6-unicast redistribute connected route-map bitraf-dn42
# Neighbor shares the local AS number (remote-as equals the local AS), i.e. an
# internal BGP session. No inbound route filter is configured for this neighbor
# in this file.
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast capability graceful-restart
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast nexthop-self
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast route-reflector-client
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' description knot
# NOTE(review): the session password is a short word stored in clear text; it should
# be a long random value and be rotated if this file has been shared.
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' password trygvis
set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f02::a' remote-as 4242423538
set protocols bgp 4242423538 parameters graceful-restart
# Blackhole route for a prefix that is also configured as an address on switch0.
set protocols static route6 'fdb1:4242:3538:2008::/64' blackhole

# --- DHCP server for the LAN -------------------------------------------------
# Clients get the router and 8.8.8.8 as resolvers; pool is .100-.199.
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 default-router 192.168.11.1
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 dns-server 192.168.11.1
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 start 192.168.11.100 stop 192.168.11.199
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping conflatorio ip-address 192.168.11.3
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping conflatorio mac-address '82:42:32:0c:71:61'
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping coregonus ip-address 192.168.11.4
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping coregonus mac-address '00:E0:4C:98:1B:B5'
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping teknisk ip-address 192.168.11.2
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 static-mapping teknisk mac-address 'f4:e2:c6:1c:f9:e3'
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable

# --- DNS forwarder: listens on the LAN bridge only ---------------------------
set service dns forwarding cache-size 1000
set service dns forwarding listen-on switch0

# --- Web management UI -------------------------------------------------------
# NOTE(review): no listen-address restriction is set, and `older-ciphers enable`
# keeps legacy TLS cipher suites available. Together with the missing IPv4 ruleset
# on eth0, confirm the UI is not reachable from the WAN, and disable older ciphers
# unless a legacy client needs them.
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable

# --- NAT: masquerade everything leaving via eth0 -----------------------------
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

# --- SNMP --------------------------------------------------------------------
# NOTE(review): read-only community uses the well-known string "public" and no
# client/network restriction is configured here. Use a non-default community and
# restrict which hosts may query, or disable SNMP if it is unused.
set service snmp community public authorization ro
set service snmp location lhn2ix

# --- SSH ---------------------------------------------------------------------
# Protocol 2 only, default port. No listen-address is set; reachability is decided
# by the firewall rules above (and is unfiltered for IPv4 as far as this file shows).
set service ssh port 22
set service ssh protocol-version v2
set service unms disable

# --- System ------------------------------------------------------------------
set system analytics-handler send-analytics-report false
set system config-management commit-revisions 10
set system crash-handler send-crash-report false
set system domain-name trygvis.io
set system host-name lhn2ix
# Single admin account "ubnt" with a SHA-256 crypt ($5$) password hash and one
# ed25519 public key.
# NOTE(review): a published password hash can be attacked offline; change the
# password if this file has been shared, and prefer key-only SSH logins.
set system login user ubnt authentication encrypted-password '$5$Wu8xmYAo9yxLxQbq$HgzV.0uev3uJmtEfp7/GJnaw2ZIxICAlRr1Y8YbU/pB'
set system login user ubnt authentication plaintext-password ''
set system login user ubnt authentication public-keys trygvis@biwia key AAAAC3NzaC1lZDI1NTE5AAAAIK3NIIYprtLQFNut7GGf0va7YYFeSXKSgWDQi4qbf5Ph
set system login user ubnt authentication public-keys trygvis@biwia type ssh-ed25519
set system login user ubnt full-name ''
set system login user ubnt level admin
set system name-server 8.8.8.8
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
# Syslog targets are the console and the local global log only; no remote log host
# is configured in this file, so firewall drop logs exist only on the router.
set system syslog console facility all level debug
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone Europe/Oslo