Last active
January 9, 2017 23:12
-
-
Save stevejenkins/12c016396a323c8710b95beea5514345 to your computer and use it in GitHub Desktop.
ER-Lite config where remote HTTPS / SSH does not work
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| firewall { | |
| all-ping enable | |
| broadcast-ping disable | |
| ipv6-name WAN6_IN { | |
| default-action drop | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Allow ICMPv6" | |
| log disable | |
| protocol icmpv6 | |
| } | |
| } | |
| ipv6-name WAN6_LOCAL { | |
| default-action drop | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Allow ICMPv6" | |
| icmpv6 { | |
| } | |
| protocol ipv6-icmp | |
| } | |
| rule 40 { | |
| action accept | |
| description "Allow DHCPv6" | |
| destination { | |
| port 546 | |
| } | |
| protocol udp | |
| source { | |
| port 547 | |
| } | |
| } | |
| } | |
| ipv6-name WAN6_OUT { | |
| default-action accept | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action reject | |
| description "Reject invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-receive-redirects disable | |
| ipv6-src-route disable | |
| ip-src-route disable | |
| log-martians enable | |
| name LAN_IN { | |
| default-action accept | |
| description "LAN to Internal" | |
| enable-default-log | |
| rule 10 { | |
| action drop | |
| description "drop invalid state" | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name WAN_IN { | |
| default-action drop | |
| description "WAN to Internal" | |
| enable-default-log | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| log disable | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name WAN_LOCAL { | |
| default-action drop | |
| description "WAN to Router" | |
| enable-default-log | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| log disable | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action drop | |
| description "Drop invalid state" | |
| log enable | |
| protocol all | |
| state { | |
| invalid enable | |
| } | |
| } | |
| rule 30 { | |
| action accept | |
| description "Allow ICMP" | |
| log disable | |
| protocol icmp | |
| } | |
| rule 40 { | |
| action accept | |
| description "Port Forward - Router SSH" | |
| destination { | |
| address 192.168.0.1 | |
| port 22 | |
| } | |
| log disable | |
| protocol tcp | |
| } | |
| rule 50 { | |
| action accept | |
| description "Port Forward - Router HTTPS" | |
| destination { | |
| address 192.168.0.1 | |
| port 443 | |
| } | |
| log disable | |
| protocol tcp | |
| } | |
| } | |
| name WAN_OUT { | |
| default-action accept | |
| description "Internal to WAN" | |
| enable-default-log | |
| rule 10 { | |
| action accept | |
| description "Allow established/related" | |
| log disable | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 20 { | |
| action reject | |
| description "Reject invalid state" | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| options { | |
| mss-clamp { | |
| interface-type all | |
| mss 1460 | |
| } | |
| } | |
| receive-redirects disable | |
| send-redirects enable | |
| source-validation disable | |
| syn-cookies enable | |
| } | |
| interfaces { | |
| ethernet eth0 { | |
| address 192.168.0.1/24 | |
| description LAN | |
| duplex auto | |
| firewall { | |
| in { | |
| name LAN_IN | |
| } | |
| } | |
| speed auto | |
| vif 102 { | |
| address 10.0.0.1/24 | |
| description "Guest Network VLAN" | |
| mtu 1500 | |
| } | |
| } | |
| ethernet eth1 { | |
| description "Google Fiber Jack" | |
| duplex auto | |
| speed auto | |
| vif 2 { | |
| address dhcp | |
| description "Google Fiber WAN" | |
| dhcpv6-pd { | |
| pd 0 { | |
| interface eth0 { | |
| host-address ::1 | |
| prefix-id :0 | |
| service slaac | |
| } | |
| interface eth0.102 { | |
| host-address ::1 | |
| prefix-id :1 | |
| service slaac | |
| } | |
| interface eth2 { | |
| host-address ::1 | |
| prefix-id :2 | |
| service slaac | |
| } | |
| prefix-length /56 | |
| } | |
| rapid-commit enable | |
| } | |
| egress-qos 0:3 | |
| firewall { | |
| in { | |
| ipv6-name WAN6_IN | |
| name WAN_IN | |
| } | |
| local { | |
| ipv6-name WAN6_LOCAL | |
| name WAN_LOCAL | |
| } | |
| out { | |
| ipv6-name WAN6_OUT | |
| name WAN_OUT | |
| } | |
| } | |
| } | |
| } | |
| ethernet eth2 { | |
| address 192.168.3.1/24 | |
| description "Local Config Port" | |
| duplex auto | |
| firewall { | |
| in { | |
| name LAN_IN | |
| } | |
| } | |
| speed auto | |
| } | |
| loopback lo { | |
| } | |
| } | |
| port-forward { | |
| auto-firewall enable | |
| hairpin-nat enable | |
| lan-interface eth0 | |
| rule 10 { | |
| description "Router SSH" | |
| forward-to { | |
| address 192.168.0.1 | |
| port 22 | |
| } | |
| original-port 7777 | |
| protocol tcp_udp | |
| } | |
| rule 20 { | |
| description "Router HTTPS" | |
| forward-to { | |
| address 192.168.0.1 | |
| port 443 | |
| } | |
| original-port 8888 | |
| protocol tcp_udp | |
| } | |
| wan-interface eth1.2 | |
| } | |
| service { | |
| dhcp-server { | |
| disabled false | |
| hostfile-update enable | |
| shared-network-name Guest { | |
| authoritative disable | |
| subnet 10.0.0.0/24 { | |
| default-router 10.0.0.1 | |
| dns-server 8.8.8.8 | |
| dns-server 8.8.4.4 | |
| domain-name utguest.example.com | |
| lease 86400 | |
| start 10.0.0.10 { | |
| stop 10.0.0.199 | |
| } | |
| } | |
| } | |
| shared-network-name LAN { | |
| authoritative disable | |
| subnet 192.168.0.0/24 { | |
| default-router 192.168.0.1 | |
| dns-server 192.168.0.1 | |
| dns-server 8.8.8.8 | |
| dns-server 8.8.4.4 | |
| domain-name utah.example.com | |
| lease 86400 | |
| start 192.168.0.101 { | |
| stop 192.168.0.254 | |
| } | |
| } | |
| } | |
| shared-network-name LAN2 { | |
| authoritative disable | |
| subnet 192.168.3.0/24 { | |
| default-router 192.168.3.1 | |
| dns-server 8.8.8.8 | |
| dns-server 8.8.4.4 | |
| domain-name utconfig.example.com | |
| lease 86400 | |
| start 192.168.3.101 { | |
| stop 192.168.3.255 | |
| } | |
| } | |
| } | |
| use-dnsmasq disable | |
| } | |
| dns { | |
| dynamic { | |
| interface eth1.2 { | |
| service afraid { | |
| host-name utah.example.com | |
| login xxxxxxxx | |
| password **************** | |
| server freedns.afraid.org | |
| } | |
| } | |
| } | |
| forwarding { | |
| cache-size 500 | |
| listen-on eth0 | |
| name-server 2001:4860:4860::8888 | |
| name-server 2001:4860:4860::8844 | |
| name-server 8.8.8.8 | |
| name-server 8.8.4.4 | |
| } | |
| } | |
| gui { | |
| http-port 80 | |
| https-port 443 | |
| older-ciphers enable | |
| } | |
| nat { | |
| rule 5000 { | |
| description "Masquerade for WAN" | |
| log disable | |
| outbound-interface eth1.2 | |
| protocol all | |
| type masquerade | |
| } | |
| } | |
| ssh { | |
| port 22 | |
| protocol-version v2 | |
| } | |
| upnp2 { | |
| listen-on eth0 | |
| nat-pmp disable | |
| secure-mode disable | |
| wan eth1.2 | |
| } | |
| } | |
| system { | |
| domain-name utah.example.com | |
| host-name utah-gateway | |
| login { | |
| user ******** { | |
| authentication { | |
| encrypted-password **************** | |
| plaintext-password **************** | |
| } | |
| full-name "Admin User" | |
| level admin | |
| } | |
| } | |
| name-server 2001:4860:4860::8888 | |
| name-server 2001:4860:4860::8844 | |
| name-server 8.8.8.8 | |
| name-server 8.8.4.4 | |
| ntp { | |
| server 0.ubnt.pool.ntp.org { | |
| } | |
| server 1.ubnt.pool.ntp.org { | |
| } | |
| server 2.ubnt.pool.ntp.org { | |
| } | |
| server 3.ubnt.pool.ntp.org { | |
| } | |
| } | |
| offload { | |
| hwnat disable | |
| ipsec enable | |
| ipv4 { | |
| forwarding enable | |
| vlan enable | |
| } | |
| ipv6 { | |
| forwarding enable | |
| vlan enable | |
| } | |
| } | |
| package { | |
| repository debian { | |
| components main | |
| distribution wheezy | |
| password "" | |
| url http://ftp.us.debian.org/debian | |
| username "" | |
| } | |
| repository wheezy { | |
| components "main contrib non-free" | |
| distribution wheezy | |
| password "" | |
| url http://http.us.debian.org/debian | |
| username "" | |
| } | |
| } | |
| syslog { | |
| global { | |
| facility all { | |
| level notice | |
| } | |
| facility protocols { | |
| level debug | |
| } | |
| } | |
| } | |
| time-zone America/Denver | |
| traffic-analysis { | |
| dpi enable | |
| export enable | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment