Fiber7-X VyOS Config
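set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group inside-nets network '192.168.99.0/24'
set firewall group network-group inside-nets network '10.31.74.0/28'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set firewall ipv6-name lan-local-6 default-action 'drop'
set firewall ipv6-name lan-local-6 description 'LAN to This Router IPv6'
set firewall ipv6-name lan-local-6 enable-default-log
set firewall ipv6-name lan-local-6 rule 1 action 'accept'
set firewall ipv6-name lan-local-6 rule 1 description 'Better this than default allow and change later!'
set firewall ipv6-name lan-wan-6 default-action 'drop'
set firewall ipv6-name lan-wan-6 description 'LAN to WAN IPv6'
set firewall ipv6-name lan-wan-6 enable-default-log
set firewall ipv6-name lan-wan-6 rule 1 action 'accept'
set firewall ipv6-name lan-wan-6 rule 1 description 'better this than default accept and then you change your mind!'
set firewall ipv6-name local-lan-6 default-action 'drop'
set firewall ipv6-name local-lan-6 description 'This router to LAN IPv6'
set firewall ipv6-name local-lan-6 enable-default-log
set firewall ipv6-name local-lan-6 rule 1 action 'accept'
set firewall ipv6-name local-lan-6 rule 1 description 'better this than default allow and want to change later!'
set firewall ipv6-name local-wan-6 default-action 'drop'
set firewall ipv6-name local-wan-6 description 'This Router to WAN IPv6'
set firewall ipv6-name local-wan-6 enable-default-log
set firewall ipv6-name local-wan-6 rule 1 action 'accept'
set firewall ipv6-name local-wan-6 rule 1 description 'Allow all router-originated traffic to WAN'
set firewall ipv6-name wan-lan-6 default-action 'drop'
set firewall ipv6-name wan-lan-6 description 'WAN to LAN IPv6'
set firewall ipv6-name wan-lan-6 enable-default-log
set firewall ipv6-name wan-lan-6 rule 1 action 'accept'
set firewall ipv6-name wan-lan-6 rule 1 description 'Return traffic for LAN-initiated flows'
set firewall ipv6-name wan-lan-6 rule 1 state established 'enable'
set firewall ipv6-name wan-lan-6 rule 1 state related 'enable'
set firewall ipv6-name wan-lan-6 rule 2 action 'drop'
set firewall ipv6-name wan-lan-6 rule 2 description 'Drop invalid-state packets (mirrors IPv4 wan-lan rule 2)'
set firewall ipv6-name wan-lan-6 rule 2 state invalid 'enable'
set firewall ipv6-name wan-lan-6 rule 3 action 'accept'
set firewall ipv6-name wan-lan-6 rule 3 description 'ICMPv6 to LAN'
set firewall ipv6-name wan-lan-6 rule 3 protocol 'icmpv6'
set firewall ipv6-name wan-local-6 default-action 'drop'
set firewall ipv6-name wan-local-6 description 'WAN to This Device IPv6'
set firewall ipv6-name wan-local-6 enable-default-log
set firewall ipv6-name wan-local-6 rule 1 action 'accept'
set firewall ipv6-name wan-local-6 rule 1 description 'Return traffic for router-initiated flows'
set firewall ipv6-name wan-local-6 rule 1 state established 'enable'
set firewall ipv6-name wan-local-6 rule 1 state related 'enable'
set firewall ipv6-name wan-local-6 rule 2 action 'drop'
set firewall ipv6-name wan-local-6 rule 2 description 'Drop invalid-state packets (mirrors IPv4 wan-local rule 2)'
set firewall ipv6-name wan-local-6 rule 2 state invalid 'enable'
set firewall ipv6-name wan-local-6 rule 3 action 'accept'
set firewall ipv6-name wan-local-6 rule 3 description 'ICMPv6 to this router'
set firewall ipv6-name wan-local-6 rule 3 protocol 'icmpv6'
set firewall ipv6-name wan-local-6 rule 4 action 'accept'
set firewall ipv6-name wan-local-6 rule 4 description 'DHCPv6 Replies'
set firewall ipv6-name wan-local-6 rule 4 destination port '546'
set firewall ipv6-name wan-local-6 rule 4 protocol 'udp'
set firewall ipv6-name wan-local-6 rule 4 source port '547'
set firewall name lan-local default-action 'drop'
set firewall name lan-local description 'LAN to This Router IPv4'
set firewall name lan-local enable-default-log
set firewall name lan-local rule 1 action 'accept'
set firewall name lan-local rule 1 description 'Better this than default allow and change later!'
set firewall name lan-wan default-action 'drop'
set firewall name lan-wan description 'LAN to WAN IPv4'
set firewall name lan-wan enable-default-log
set firewall name lan-wan rule 1 action 'accept'
set firewall name lan-wan rule 1 description 'better this than default accept and then you change your mind!'
set firewall name local-lan default-action 'drop'
set firewall name local-lan description 'This Firewall to LAN IPv4'
set firewall name local-lan enable-default-log
set firewall name local-lan rule 1 action 'accept'
set firewall name local-lan rule 1 description 'Better this than default allow and want to change later!'
set firewall name local-wan default-action 'drop'
set firewall name local-wan description 'This Router to WAN IPv4'
set firewall name local-wan enable-default-log
set firewall name local-wan rule 1 action 'accept'
set firewall name local-wan rule 1 description 'Allow all router-originated traffic to WAN'
set firewall name wan-lan default-action 'drop'
set firewall name wan-lan description 'WAN to LAN IPv4'
set firewall name wan-lan enable-default-log
set firewall name wan-lan rule 1 action 'accept'
set firewall name wan-lan rule 1 description 'Return traffic for LAN-initiated flows'
set firewall name wan-lan rule 1 state established 'enable'
set firewall name wan-lan rule 1 state related 'enable'
set firewall name wan-lan rule 2 action 'drop'
set firewall name wan-lan rule 2 description 'Drop invalid-state packets'
set firewall name wan-lan rule 2 state invalid 'enable'
set firewall name wan-lan rule 443 action 'accept'
set firewall name wan-lan rule 443 description 'HTTPS to ingress'
set firewall name wan-lan rule 443 destination address '192.168.99.252'
set firewall name wan-lan rule 443 destination port '443'
set firewall name wan-lan rule 443 protocol 'tcp_udp'
set firewall name wan-local default-action 'drop'
set firewall name wan-local description 'WAN to This Device IPv4'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 1 action 'accept'
set firewall name wan-local rule 1 description 'Return traffic for router-initiated flows'
set firewall name wan-local rule 1 state established 'enable'
set firewall name wan-local rule 1 state related 'enable'
set firewall name wan-local rule 2 action 'drop'
set firewall name wan-local rule 2 description 'Drop invalid-state packets'
set firewall name wan-local rule 2 state invalid 'enable'
set firewall name wan-local rule 3 action 'accept'
set firewall name wan-local rule 3 description 'DHCP Replies'
set firewall name wan-local rule 3 destination port '67,68'
set firewall name wan-local rule 3 protocol 'udp'
set firewall name wan-local rule 3 source port '67,68'
set firewall name wan-local rule 771 action 'accept'
set firewall name wan-local rule 771 description 'Allow tv7 streams'
set firewall name wan-local rule 771 destination address '239.77.0.0/16'
set firewall name wan-local rule 771 destination port '5000'
set firewall name wan-local rule 771 protocol 'udp'
set firewall name wan-local rule 772 action 'accept'
set firewall name wan-local rule 772 description 'Allow tv7 IGMP'
set firewall name wan-local rule 772 protocol 'igmp'
set interfaces ethernet eth0 address '10.31.74.1/28'
set interfaces ethernet eth0 description 'MGMT'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 address 'dhcpv6'
set interfaces ethernet eth1 description 'Init7'
set interfaces ethernet eth1 dhcpv6-options pd 0 interface eth2.9 address '9'
set interfaces ethernet eth1 dhcpv6-options pd 0 length '48'
set interfaces ethernet eth1 ipv6 address autoconf
set interfaces ethernet eth2 vif 9 address 'fda4:7911:df45:9::1/64'
set interfaces ethernet eth2 vif 9 address '192.168.99.1/24'
set interfaces ethernet eth2 vif 9 description 'LAN (zone lan)'
set interfaces loopback lo
set nat destination rule 443 description 'HTTPS to Ingress'
set nat destination rule 443 destination port '443'
set nat destination rule 443 inbound-interface 'eth1'
set nat destination rule 443 protocol 'tcp_udp'
set nat destination rule 443 translation address '192.168.99.252'
set nat destination rule 443 translation port '443'
set nat source rule 771 description 'Masquerade LAN 192.168.99.0/24 out eth1'
set nat source rule 771 outbound-interface 'eth1'
set nat source rule 771 source address '192.168.99.0/24'
set nat source rule 771 translation address 'masquerade'
set nat source rule 772 description 'Masquerade MGMT 10.31.74.0/28 out eth1'
set nat source rule 772 outbound-interface 'eth1'
set nat source rule 772 source address '10.31.74.0/28'
set nat source rule 772 translation address 'masquerade'
set nat66 destination rule 9 description 'Inbound GUA 2a02:168:4047:9::/64 -> ULA fda4:7911:df45:9::/64'
set nat66 destination rule 9 destination address '2a02:168:4047:9::/64'
set nat66 destination rule 9 inbound-interface 'eth1'
set nat66 destination rule 9 translation address 'fda4:7911:df45:9::/64'
set nat66 source rule 9 description 'Outbound ULA fda4:7911:df45:9::/64 -> GUA 2a02:168:4047:9::/64'
set nat66 source rule 9 outbound-interface 'eth1'
set nat66 source rule 9 source prefix 'fda4:7911:df45:9::/64'
set nat66 source rule 9 translation address '2a02:168:4047:9::/64'
set protocols igmp-proxy interface eth1 alt-subnet '0.0.0.0/0'
set protocols igmp-proxy interface eth1 role 'upstream'
set protocols igmp-proxy interface eth2.9 role 'downstream'
set protocols static route 0.0.0.0/0 dhcp-interface 'eth1'
set service dhcp-server listen-address '10.31.74.1'
set service dhcp-server shared-network-name mgmt authoritative
set service dhcp-server shared-network-name mgmt description 'MGMT'
set service dhcp-server shared-network-name mgmt name-server '192.168.99.4'
set service dhcp-server shared-network-name mgmt name-server '192.168.99.2'
set service dhcp-server shared-network-name mgmt ping-check
set service dhcp-server shared-network-name mgmt subnet 10.31.74.0/28 default-router '10.31.74.1'
set service dhcp-server shared-network-name mgmt subnet 10.31.74.0/28 range scope1 start '10.31.74.2'
set service dhcp-server shared-network-name mgmt subnet 10.31.74.0/28 range scope1 stop '10.31.74.14'
set service dhcp-server shared-network-name mgmt subnet 10.31.74.0/28 static-mapping core-sw ip-address '10.31.74.2'
set service dhcp-server shared-network-name mgmt subnet 10.31.74.0/28 static-mapping core-sw mac-address '2c:c8:1b:6a:c8:8d'
set service lldp interface eth0
set service lldp interface eth2.9
set service lldp management-address '10.31.74.1'
set service router-advert interface eth2.9 name-server '2606:4700:4700::1111'
set service router-advert interface eth2.9 name-server '2606:4700:4700::1001'
set service router-advert interface eth2.9 prefix fda4:7911:df45:9::/64
set service ssh ciphers '[email protected]'
set service ssh ciphers '[email protected]'
set service ssh ciphers '[email protected]'
set service ssh ciphers 'aes256-ctr'
set service ssh ciphers 'aes192-ctr'
set service ssh ciphers 'aes128-ctr'
set service ssh listen-address '192.168.99.1'
set service ssh listen-address '10.31.74.1'
set service ssh mac 'hmac-sha2-256'
set service ssh mac '[email protected]'
set service ssh mac 'hmac-sha2-512'
set service ssh mac '[email protected]'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name 'fatred.co.uk'
set system host-name 'rtr-iojh-vyos01'
set system name-server 'eth1'
set system ntp server 0.ch.pool.ntp.org pool
set system ntp server 1.ch.pool.ntp.org pool
set system option performance 'throughput'
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set zone-policy zone lan default-action 'drop'
set zone-policy zone lan from local firewall ipv6-name 'local-lan-6'
set zone-policy zone lan from local firewall name 'local-lan'
set zone-policy zone lan from wan firewall ipv6-name 'wan-lan-6'
set zone-policy zone lan from wan firewall name 'wan-lan'
set zone-policy zone lan interface 'eth2.9'
set zone-policy zone lan interface 'eth0'
set zone-policy zone local default-action 'drop'
set zone-policy zone local from lan firewall ipv6-name 'lan-local-6'
set zone-policy zone local from lan firewall name 'lan-local'
set zone-policy zone local from wan firewall ipv6-name 'wan-local-6'
set zone-policy zone local from wan firewall name 'wan-local'
set zone-policy zone local local-zone
set zone-policy zone wan default-action 'drop'
set zone-policy zone wan from lan firewall ipv6-name 'lan-wan-6'
set zone-policy zone wan from lan firewall name 'lan-wan'
set zone-policy zone wan from local firewall ipv6-name 'local-wan-6'
set zone-policy zone wan from local firewall name 'local-wan'
set zone-policy zone wan interface 'eth1'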